CISOs should advance the maturity of GRC programs through these seven steps.
Robyn Marsi, Senior Director Risk & Technology Services | Lynx Technology Partners
Originally published on IT Pro Today.
In 2022, CISOs were asked to manage more governance, risk and compliance (GRC) issues across the enterprise with fewer resources than ever before. Ransomware, supply chain attacks, growing attack surfaces (web, mobile, social, physical, wireless, and cloud), hybrid workforces, nation-state attacks, the Log4j vulnerability, and endpoint security were just a handful of the top risk challenges of 2022.
For CISOs and their teams, the pace of change is constantly accelerating. Modern businesses’ reliance on technology forces IT to respond agilely to every new trend and business demand. Adding to the challenge, CISOs are often asked to maintain tight budgets and find creative ways to do more with less. Maintaining competitiveness requires CISOs to constantly weigh risk against cost.
By tackling these seven priorities, CISOs can deliver robust risk and compliance programs and elevate governance as a framework that keeps the business on track and operating efficiently in 2023.
1. Adopt a business-first perspective.
CISOs must understand the business they are in and the risks that come with the territory. This means not only understanding technology requirements but also the regulatory environment, competitive landscape, and the company’s own internal processes. To do so, CISOs must find their seat at the executive table.
CISOs should make a 2023 resolution to build better relationships with business leaders and gain a clear understanding of the organization’s risk appetite. To demonstrate value, CISOs should create and implement an information security strategy that aligns with the company’s overall strategic objectives. Finally, CISOs should advocate for information security awareness and help employees understand why they should be doing everything in their power to protect sensitive data.
2. Categorize risks based on business criticality.
It’s impossible to avoid every risk. CISOs must prioritize which risks need to be managed based on business criticality. This includes both external risks, such as those posed by cyberattacks or data breaches, and internal risks, which may result from things like outdated systems or employee errors.
As a first step, CISOs should assess their organization’s risks and objectives, then repeat the assessment regularly to make sure the program remains up to date and relevant. Conducting a stakeholder analysis can help CISOs identify which individuals or groups will be affected by the decisions made during the risk assessment process. Once the stakeholders are known, security teams can assess the organization’s risks using a variety of methods, including interviews, focus groups, surveys, or data collection. As risks are identified, they should be prioritized based on their potential business impact. The analysis should include the likelihood of each risk occurring and the level of control the organization has over mitigating it.
3. Develop a living plan to manage the risks.
After prioritizing risks, CISOs must develop the right plan to manage them.
The plan should include both short-term and long-term strategies for dealing with each type of risk. The goal should be to minimize the impact of each risk on the business while still allowing the company to continue to operate effectively. To keep up with changes in the GRC landscape and ensure that the company’s risk management strategy remains effective, the plan should be treated as a living document that is reviewed and updated on a quarterly basis.
4. Keep a pulse on global compliance requirements.
Achieving continuous compliance is a daunting task. It requires the ability to continuously monitor the company’s security posture to ensure compliance with global regulatory requirements and industry best practices.
A good compliance management system can make it easier to track and manage global compliance data. Also, investments in quality resources, such as industry reports and newsletters, can keep CISOs up to date on any changes. Reviewing sites like the World Customs Organization, subscribing to email alerts or RSS feeds, and using technology solutions to automate and manage compliance processes can be useful, too. When in doubt or short on time, CISOs should ask an experienced attorney or compliance consultant to help them navigate changing regulatory landscapes.
5. Give attention to ESG.
A wide range of stakeholders are looking at ESG performance, which means CISOs should be, too. ESG refers to the examination of a company’s environmental, social, and governance practices; their impacts; and the company’s progress against benchmarks. For example, investors and lenders may rely on ESG scores or ratings to assess a firm’s risk exposure as well as its possible future financial performance. Communities and customers may want to know about a company’s environmental and social practices to inform their advocacy and purchasing decisions. Much of this responsibility will fall squarely on a CISO’s shoulders.
There are a number of ways to incorporate ESG into a GRC program. One is to create an ESG policy or framework that outlines the actions the company will take to address these concerns. Another is to integrate ESG data into the existing risk management processes. CISOs should establish key performance indicators related to sustainability and report on them regularly.
6. Find the right resources.
While the talent pool of well-trained security professionals is shrinking, the number of attacks and GRC issues is growing. It is imperative for CISOs to find IT professionals who are trained specifically in cybersecurity to handle the deluge of evolving threats. GRC can be a complex and time-consuming task, but it is essential for any organization that wants to operate in a compliant and safe manner.
To save time and money while still maintaining a high level of compliance, some businesses are turning to GRCaaS. Outsourcing GRC can provide businesses with the peace of mind that comes with knowing that all compliance requirements are being met using proven technologies and people.
7. Become a GRC ninja.
The ever-changing GRC landscape requires a strong and agile CISO. They must be responsive to the demands of a competitive business while also focused on growing threats and evolving compliance requirements.
Professional organizations can help CISOs cope with their changing role and develop the soft skills they need to succeed by providing a forum for networking, sharing best practices, and developing industry-wide standards. In addition, many professional organizations offer continuing education and certification programs that can help CISOs stay up to date on the latest security technologies and strategies.
For example, the International Information Systems Security Certification Consortium provides a variety of resources to its members, including articles, whitepapers, and webinars. It also offers the CISO Assessment Program, which is a self-assessment tool that helps CISOs identify their strengths and weaknesses so they can focus on areas where they need improvement.
It’s hard for CISOs to imagine how they will overcome more sophisticated risk challenges year after year. Unfortunately, 2023 will provide no relief for those who hold this title. Like years past, 2023 will bring a new level of risk, which must be prioritized to keep the business thriving despite any unforeseen GRC challenges the year may bring. CISOs that focus on advancing the maturity of their GRC programs through these seven steps will reap the rewards in the years to come.
Robyn Marsi, Senior Director Risk & Technology Services at Lynx Technology Partners, is a solution-driven executive with over 33 years of experience providing strategic direction and program oversight in developing and delivering large-scale enterprise and international solutions. Robyn has worked primarily in the financial services industry, where she has established a strong proven track record of successfully implementing GRC programs and technology platforms on an enterprise-wide basis. She was part of a team recognized by RSA as an Industry Leader in GRC three years in a row.