The ongoing problem that boards of directors in most organisations face today is how to judge cybersecurity governance and compliance. At a simplistic level, judgement implies prediction. To boards, the balancing act between spending on risk, controls effectiveness, and assurance seems elusive for cybersecurity compared to other disciplines such as finance, where evidence-based decision-making is more traditional. Is it possible for the organisation to get its arms around the domains of security in a meaningful way, easing board discomfort and providing assurance (or reassurance) of cybersecurity compliance? The answer is ‘yes’.
Boards of Directors, particularly those of regulated entities and banks, are habituated to receiving compliance reporting as part of their organisational reporting and decision-making data. Interestingly, in the area of IT, compliance and controls-effectiveness testing undertaken for financial audits was the first point of contact for many boards, given the potential impact of IT failures on financial reporting obligations. With the rise in cybercrime and the success of criminal enterprises in mainstreaming their focus on areas such as phishing, ransomware and mass-market fraud, boards and executives have almost daily reminders of the financial, organisational and reputational risk presented by cybersecurity. Yet, as cybersecurity is different from IT, boards are now calling for cybersecurity to be reported differently from IT. Boards and board sub-committees now routinely hold meetings dedicated to reporting on cybersecurity risk, controls, events, and governance. An Osterman Research survey commissioned by Bay Dynamics notes that “the majority (85 percent) of board members believe that IT and security executives need to improve the way they report to the board.” The Osterman report goes on to list the most important reporting points from its research, which indicate what boards and executives want:
• Reports with understandable language that does not require board members to be cyber experts.
• Quantitative information about cyber risks.
• Progress that has been and is being made to address the company’s cyber risk.
Why is cybersecurity struggling to report on these points and to represent a holistic picture of compliance? While there are several reasons for this, I would like to explore two main points: regulations and tools.
From a regulatory perspective, organisations have a number of standards to consider for cybersecurity. But what does that mean? What are cybersecurity compliance standards? Cybersecurity compliance standards, unlike other industry standards, have developed over time with different levels of detail, requirements, and goals to judge or assess the same areas. These include the Payment Card Industry Data Security Standard (PCI-DSS), a global standard and an obligation for merchants accepting payment cards; in the Australian financial industry, the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 234 – Information Security, an obligation for organisations licensed by APRA; and in the United States the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is not an obligation but voluntary guidance. Each of these standards has requirements for technical or configuration change management, but each demands different evidence to demonstrate compliance with the standard. Complying with standards, and documenting that compliance, is not a capability that IT or cybersecurity has built into business-as-usual (BAU) operations. This is the first point of change: a CIO needs to draw on peer resources in Audit, Risk, Legal and Compliance to build a technical and cyber risk team and a methodology for approaching cyber risk assessments and analysis.
Assessments and analysis are the cornerstones of a compliance program. As there is no one cybersecurity compliance standard to “rule them all”, even a smaller multinational can face several compliance standards that each demand a different level of documentation and evidence of compliance. This is where developing capabilities in IT and cybersecurity for quantitative risk assessment and analysis is essential.
Tools such as the FAIR model can help: cyber risk is derived as a quantitative measure, in dollars, from the probable frequency and probable magnitude of a future loss. This quantitative derivation will make sense to the board and to the CIO’s peers in risk management, finance, and even portfolio risk. From a tools perspective, organisations are currently all over the map. Some organisations have a GRC system but have not used that tool for cybersecurity compliance, and are now trying to refit it to document cybersecurity compliance. There can be a hefty price tag for this work. Unless one understands what the goal is, one may spend that money more than once putting in and refitting a GRC solution.
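To make the FAIR derivation concrete, here is an added example (not from the article or the FAIR Institute's own tooling) that turns calibrated three-point estimates of loss event frequency and loss magnitude into an annual loss distribution by Monte Carlo simulation; the phishing scenario values are constructed for illustration and are not benchmarks.

```python
# Added example: a minimal FAIR-style Monte Carlo, not from the article.
# Risk = loss event frequency (events/year) x loss magnitude ($/event),
# each given as a calibrated low / most likely / high estimate.
import math
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """Calibrated three-point estimate, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)  # (low, high, mode)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def fair_annual_loss(lef: Estimate, lm: Estimate, trials: int = 20000, seed: int = 7) -> dict:
    """Simulate annual loss exposure and report the percentiles a board would ask for."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, lef.sample(rng))          # how many events this year
        losses.append(sum(lm.sample(rng) for _ in range(events)))  # total loss
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(int(q * trials), trials - 1)]

    return {"mean": sum(losses) / trials, "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": losses[-1],
            "analytic_mean": lef.mean() * lm.mean()}  # E[N]*E[X], sanity check


# Constructed scenario: phishing-led credential theft at a mid-sized company.
PHISHING_LEF = Estimate(low=0.5, likely=2, high=6)               # events per year
PHISHING_LM = Estimate(low=20_000, likely=80_000, high=500_000)  # dollars per event

if __name__ == "__main__":
    for key, value in fair_annual_loss(PHISHING_LEF, PHISHING_LM).items():
        print(f"{key:>14}: ${value:,.0f}")
```

The 10th/50th/90th percentiles are what translate into the "quantitative information about cyber risks" boards asked for in the Osterman survey; re-running with the estimate ranges narrowed by a control shows its dollar effect on the same scale.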
For instance, one organisation uses more than 50 spreadsheets for PCI-DSS across multiple entities, has two GRC systems, and is still struggling to report on cybersecurity compliance. From a tools perspective, one should start with a solid understanding from the legal department of exactly which standards must be complied with and by when. Once that understanding is validated, a solid mapping between the standards is needed so that duplication and gaps can be determined. There are a number of good free mappings available from the Center for Internet Security (CIS), the Payment Card Industry (PCI), the Cloud Security Alliance (CSA) and NIST, and there are of course non-free mappings as well.
Initially, it will be messy and unfamiliar, and will seem incorrect and incomplete, but once done in a sustainable and methodical way it will improve quickly. Assessments are not a “one-and-done” effort but a sustainable process. The CIO does need to lead the way. Without their support the effort will be doomed, and the organisation will continue to miss the mark both in reporting on its holistic security posture and in showing how it complies with its obligations.
Cybersecurity compliance and improved reporting are attainable. With deliberate commitment to measuring compliance comes the ability to reduce risks and demonstrate the need for increased resources.