How to Operationalize Cybersecurity: Takeaways from Speaking at the 2019 ISACA NA CACS Conference
Steven Minsky | June 4, 2019
ISACA, a leading nonprofit organization dedicated to the development, adoption, and use of industry-leading information security knowledge and best practices, opened up its 50th anniversary celebration this year with their 2019 North America CACS Conference. I was fortunate enough to be invited to speak to the more than 1,500 cybersecurity professionals in attendance about how to operationalize their cybersecurity programs and turn policy into action.
The North America CACS Conference is the premier conference for Audit/Assurance, COBIT, Compliance, Risk, Security, and Strategy/Governance professionals. These professionals are charged with not only protecting their organizations from information security risks through the use of internal controls, but ultimately the company’s reputation, essentially making them the superheroes of their businesses. And with cybersecurity on everyone’s mind, from frontline employees to board members to the general public, it’s important as ever to ensure these professionals have the support and knowledge they need.
Below, I’ll recap some of the key challenges and takeaways from my session and include tools you can use in your own organization.
Challenge #1: Third Party and Vendor Risks
Undoubtedly, the number one challenge faced by IT professionals is the complexity of managing vendor risks. With the number of different SaaS providers increasing every year, it can seem impossible to know who the vendors are, let alone effectively manage the security risks forming in all parts of the business. Determining and defining this organizational data has proven to be an additional challenge since many information security teams are managing vendor data they may not understand or even have access to.
In light of this, organizations are starting to realize they must take an integrated, risk-based approach. Gone are the days of IT Security being solely responsible for the cyber security of the business. Effective and successful cybersecurity risk management is an enterprise endeavor. It cannot be owned by a single team or department because the data needing protection comes from countless departments.
For instance, User Access Rights may seem like an IT-only problem on the surface. But cloud applications, while convenient, come with their own risks. They can often be set up by anyone in the organization, so IT may not even be aware of an application’s existence, much less have access to provide oversight of its configurations or user access rights. This type of information comes from the business. So, cross-functional accountability must be determined, documented, and implemented at the organization level. Otherwise, IT would never know when Marketing, for example, begins or is no longer working with a vendor and their network rights need to be revoked.
Challenge #2: Engagement with Business Operations
As I mentioned above, understanding the activities of various departments can add another layer of challenge to data and vendor management. More often than not, different departments use different language to describe the exact same thing, making it difficult to develop and apply policies across the organization.
That’s where the risk-based translator comes in.
Developed by the LogicManager team, this handy tool maps key terms from each department, using traditional, siloed language to its relevant activity using a common risk-based language that can be leveraged by the company as a whole.
Take “Vulnerability Analysis” for example. Within the information security department, everyone speaks the same language. You’re all on the same page and everyone knows what needs to be done. Head over to the vendor management team to discuss your requirements however, and you might lose them instantly. That’s because they call this analysis “Vendor Due Diligence.”
Using the tool, you can now easily determine the activity type (in this case, “assess”), translate your words to theirs and work with vendor management, or any other department, using a common language.
A risk-based approach doesn’t just help with developing and applying policies. It can also help with another aspect of cybersecurity that often bogs down information security professionals: reporting. Ultimately, engaging across departments helps achieve strategic objectives set by the board, however departments differ in how they prefer to share their progress on those initiatives. Without an efficient process in place, IT can feel like they are spending all their time generating reports on data they don’t understand. With a risk-based approach, data can be aggregated using a central framework, prioritized, and reported out on in many different ways.
In other words, choose a standard of reporting, assess the data once, and then slice and dice into any other way the business needs to see it.
The Solution: A Risk-Based Approach to Cybersecurity
Ineffective cyber policies are often the result of assuming that cybersecurity is the responsibility of the IT department alone which, as I’ve shared, is not the case. A risk-based approach to cybersecurity is the best way to engage employees; from front-line employees to process owners to the board of directors.
To help get you started within your own organization, another useful tool that I shared in my session is the risk-based approach wheel. This tool illustrates the process and how you can engage departments across the various stages.Since enterprise risk management is a cycle, you will find yourself within different areas of the wheel at different times. You can then use the risk translator to involve departments across your organization as you work through the iterative process.
With new technologies, ever-increasing data and vendor onboarding, and new regulations being introduced all the time, risk is as inevitable as ever. In our current See Through Economy, breaches of any kind are subject to public scrutiny, which could result in disastrous outcomes for companies. For IT Governance professionals striving to develop and implement successful cyber security programs to avoid these potential disasters, the case for adopting a risk-based approach is clear.