Align your Security Program with your Risk and Compliance Program

Have you ever found yourself in a position where you’ve been presented with a long list of vulnerabilities but have little or no knowledge as to how they might impact your business? This is probably because your security program is working in a bubble and that’s a potentially dangerous place to be when your threat landscape is continually evolving and the number of risks to your business processes is arguably at an all-time high. This bubble is compounded by a constantly changing regulatory landscape.

According to research conducted by Accenture, 68 percent of business leaders feel cyber risks are increasing. The UK government and European Commission  both recently outlined new legal requirements for wireless devices to better protect businesses’ privacy and data. With more and more overlap, there is a growing number of organizations starting to see the value in linking compliance and security programs together to ensure its business interests are sufficiently protected, but it’s not without its issues.

In this blog, we will look at the importance of contextualizing complex vulnerability data as a way to better protect your busines

The disconnect between vulnerability data and compliance systems

Data gathered from Security Assurance activities such as penetration testing or security scanning can be extremely useful to an organization. It highlights the vulnerabilities and threats that present the most significant risk. However, a common issue for many organizations is the under-utilization of this data due to a disconnect between business outcomes and the IT processes which underpin them. This is particularly significant when you consider that cyber apathy to proactively defend against breaches affects an estimated 42 percent  of companies worldwide.

If your security test data indicates multiple vulnerabilities within your network, yet your compliance and risk programs show no sign of any issues, you could have a critical data problem. This disconnect could be because of:

• Lack of context – IT resources are underpinning critical business processes and services, creating complex problems for technical teams. They are unable to prioritize vulnerabilities and gap remediation activities in an organization that doesn’t necessarily believe there is a threat.

• Lost in translation – The language of business doesn’t always translate well to technical assets and vice versa. Unless you’re an expert in both, it’s very difficult to connect the dots making it virtually impossible to fully protect the business.

• Knowledge gap – Lack of communication between business owners and technical staff results in poor decision-making. Both parties are doing what they believe to be best for the business, but they are not working towards a common goal.

So, what’s the solution? Developing a clear understanding of how IT processes support and communicate with business outcomes will apply much needed context to the most complex vulnerability data. Whether those processes are customer retention, demand generation or brand awareness, they all need to be very clearly mapped to the IT assets that underpin them.

Developing a clear understanding and mapping of IT processes to business outcomes is a nirvana worth fighting for.

Aligning risk, compliance and vulnerabilities

If you reach the point where processes and outcomes have been mapped, your business will become more informed and better protected. Decision-making can be devolved as everyone is aware of the threat levels inherent in their processes.

It will also have a positive impact on individuals’ cybersecurity awareness as the entire organization builds an understanding of the vulnerabilities and the impact they have on the business as a whole.

Critically, it allows technical teams to prioritize fixes and justify security spend. This is because they gain access to critical vulnerability contextualization and can clearly demonstrate its wider impact on business objectives.

To contextualise complex vulnerability data, you need to:

1. Agree on a service-centric view of the world – This is key when it comes to creating a mapping between your business objectives and IT assets.

2. Invest in the right tools to support the journey – You need the correct tools to help you build, view and maintain this mapping.

3. Continuously test, prioritized by business value – Implement appropriate testing mechanisms that prioritize tasks by business value and threat level.

Prioritize risk by business value and threat level, not based on whoever is shouting the loudest.

 

Aligning your cybersecurity strategy with risk and compliance objectives is essential to any threat management system. It should incorporate key security regulations while also securing sensitive data that could be critical to your business operations. Failure to do this and the consequences could be severe, for both you and your organization.

To find out more about the importance of a joined up Security and Risk & Compliance program, check out this episode from our Capability-Centric GRC & Cyber Security podcast.