The pressure is coming from all sides – there’s the growing threat of cyberattack due to more complex IT environments and attack surfaces; increasingly rigorous compliance rules and guidelines like the ASD Essential Eight and ISO27001 IS framework; and internal pressure to empower tech decision-makers to drive business strategy, react to market demands, and improve process efficiency against known and accepted risk frameworks.
Laying the foundations
A paradigm shift is needed, to adopt a more comprehensive view of governance, risk, and compliance (GRC) across the entire organisation, beyond just cybersecurity. With the right GRC framework ensuring alignment of information security strategy, IT and business strategy, better decisions will be made at every level of the organisation.
Providing this confidence in decision making, begins with a solid foundation, which can be achieved by addressing a combination of three fundamentals:
Ultimately, it’s the business strategy and objectives which define its process and, in turn, gives rise to requirements of people and technology. As these people and technology begin to interact, information and data is generated. Risks emerge as to where information is stored, how it’s accessed, used, and transmitted from system to system and place to place.
People are arguably the businesses most important asset; however, they can also have the biggest bearing on an organisation’s security. Industry experts suggest that up to 85 per cent of breaches involved a human element. It is critical to focus on equipping them with better ways to interact with each other, their customers, and their systems – providing instruction, training, and tools which allow them to make the right decisions when faced with potential risks. This is more than just security awareness training, it extends to how we manage the authentication and identification of people, systems, and applications.
Organisations must develop fail-proof systems, by developing automated process flows and digital pathways, or at the very least well documented processes. It’s imperative to consider the information that is being used and transferred at each level of the organisation and understand how best to secure it. Technology is needed to implement and govern these processes, safeguarding the business from unexpected events, both malicious and mistaken. These controls need to apply at all levels of the technology environment, as each layer is potentially a target for attack and intrusion or breach.
Implementing the security strategy
Understanding and implementing these foundations start with a series of discovery exercises that create an inventory of all assets and processes that contribute to an organisation’s security and governance procedures, and records how they align to the strategy and feed into the risk management plan. Once this process has taken place, it becomes possible to use this asset and risk register to build a roadmap of activities. These will fall into two broad sections. The first of these is remediation and mitigation tasks, to address identified risks. The second is to compare the organisation’s current state to its desired state, which provides a well-qualified and quantified set of requirements, opportunities for improvement, and future initiatives.
Organisations worldwide recognise the need for an improved approach to GRC. When Gartner surveyed more than 200 US organisations it found almost two thirds were already using multiple GRC solutions, with IT & Security Risk Management solutions, a key component of a comprehensive GRC strategy, being among the most common.
Domestically, in 2021 the NSW Standards Harmonisation Taskforce called on governments across Australia to adopt internationally recognised ISO and/or IEC standards as a baseline requirement for information security. These frameworks are proving critical for building confidence in the modern era. Not only do they provide strong guidance regarding how organisations can best invest in security and compliance for their own protection, but they can also form a key component and differentiator of an organisation’s ‘ticket to play’ in certain markets, in terms of meeting the expectations of regulators, partners, and customers.
According to Brennan’s Head of Cybersecurity, Daniel Hayes, organisations of all sizes, across all sectors and industries are looking to set (and meet) information security benchmarks against domestically and internationally defined frameworks, to underpin their GRC strategy. “Modern GRC frameworks represent the realisation that security and governance are not blockers to an organisation’s ambitions, but instead enable it to make decisions faster by providing greater confidence that new actions are taken on top of solid foundations. Organisations can explore new markets or launch new offerings and capabilities with the knowledge they are secure by design from the outset.”
Choosing an MSP that understands, adopts, and implements these frameworks is critical in protecting your organisation and your people.