What keeps you up at night? If you’re anything like most risk and information security professionals, this list is long. Your days are filled with an array of challenges coming from both within and outside your organization. Security concerns, reporting on risk data, and managing the latest regulatory requirements all add up. CISOs and their teams face these and several other challenges every day. Below we'll review the top 5 challenges infosec professionals face, and the common thread linking them all: solving for any one of these issues means touching on each of the others in some way.
1. Insider Error
Although external data breaches and malware attacks often make big headlines, a major source of risk actually stems from inside the organization. A company’s own employees, more commonly through negligence but occasionally through malicious intent, present one of the greatest security risks to an organization.
Though rare, employees who intend to harm an organization for financial or personal gain may initiate data leaks by sharing data or by damaging infrastructure. Because these employees typically hold legitimate permissions for the systems or information they are accessing, this is one of the most difficult challenges to address. Well-managed programs ensure that employees are appropriately vetted, and that permissions and employee access are audited frequently.
Human error or employee negligence presents a much greater risk to any organization than an employee with criminal intent. Missing security patches or lax practices around device and email management create openings for external parties with malicious intent. According to IBM, 19% of malicious data breaches were due to compromised credentials or cloud misconfiguration. With the increasing practice of working from home, a growing trend even prior to the workplace disruption created by COVID, and the growing number of personal devices being used by employees to access workplace systems, the threat is further amplified.
Although basic security hygiene is standard practice, it may not be enough. Even companies with strong foundational security policies and procedures are not immune if those policies are not systematically adopted, reviewed, and enforced. A comprehensive GRC management system provides an ecosystem of relevant policies, procedures, and practices, along with the information, incident records, and remediation tracking necessary to keep the organization safe.
2. Third-Party Risk
With increased outsourcing of key functions, materials procurement, and distribution to third-party contractors and vendors, the scope of risk management and information security extends beyond the walls of the organization. Any time your organization integrates with third-party systems or provides access to third parties, you open up to security risks such as third-party negligence, security breaches, misuse of data, or unauthorized access to systems. According to KPMG’s Third Party Risk Management Outlook 2020, managing cyber risk and data governance and privacy are the two most frequently cited drivers by executives when it comes to third-party risk management.
Key to managing this risk is having a consistent strategy and framework. A GRC platform such as LogicGate can assist with identifying and assessing the risk profile of third parties, providing a centralized database of vendors, risk assessments, mitigations, and actions.
3. Evolving Regulation
Several factors make regulatory risk one of the most unpredictable and potentially costly risks faced by organizations. Regulatory compliance is compounded by a mix of rapidly evolving data and privacy legislation, differing frameworks and standards bodies, industry-specific regulatory requirements, and a potentially hefty price tag. Add in the varying standards of risk and compliance requirements in different countries and the problem becomes even broader.
A formal, yet flexible, framework and process automation tool for regulatory compliance provides a solid foundation to build on as rules and requirements evolve. It can further be modified to meet differentiated regulatory requirements across regions.
4. Data Governance
With increasing volumes of data being safeguarded and distributed all over the cloud, the risk of a data breach grows every year. According to IBM, the global average cost of a data breach in 2020 is almost $4M, up from less than $2M in 2017, and a breach takes approximately 280 days to contain. Modern technology means broader distribution of data, applications, and processes, but it also increases the risk of a breach. These two factors make data management another critical concern for infosec professionals.
One potential solution is more effective data governance: a framework for data management that addresses the quality of data to support understanding and usability, while also controlling its accessibility. Data governance is helpful in three ways. It ascribes value and meaning to data in order to provide for improved analysis and insights. It scrubs data so that repetitive or useless data is eliminated, which in turn makes the quantity of data needing to be safeguarded more manageable and cost-effective. And it creates responsibility for data streams while limiting access to specific individuals or process flows, so as to minimize the risk of a data breach.
5. Strategic Misalignment
Infosec professionals also worry about strategic misalignment with the business. Information security, when brought in to support the core business, is often relegated to a reactive role, one focused on addressing organizational needs and missteps as they arise. When business units invite infosec professionals to strategic development planning, information security and risk management become a part of the culture, with greater awareness of threats and opportunities throughout the organization.
Organizations that proactively strategize and integrate their infosec goals alongside their business unit goals recognize the value of a robust infosec program and embed risk management in the culture. Infosec teams in these organizations are then better positioned from a relationship management, resource allocation, and enterprise risk management perspective.
For an organization to do this well requires consistent IT and GRC representation during strategy sessions, board representation, and deep collaboration with the other business and operating units.
As infosec professionals look to address the many challenges facing their organizations, a robust GRC platform provides a foundation upon which to assess organizational risks, communicate insights, and pivot to meet challenges.