Enterprise Risk Management, GRC

Don't Blur the Line: Compliance Is Not the New Risk Management

Written by

Ben Dalton

Published on

8 Nov 2019


I’ve noticed an interesting trend in the information security industry for a few years now: the line between risk management and compliance management is becoming more and more blurred. I think a myriad of factors contributes to this. For one, data privacy and security regulations are constantly evolving, which has sparked a boom in the IT compliance industry. And now we’re seeing industry-specific standards organizations creating new certifications that are largely based on control maturity. While measuring control maturity and compliance scores may be easier than measuring risk, those measurements should never be viewed as more important or impactful than risk measures and monitoring.

Yesterday, I read this article published by HITRUST, a privately-held data protection standards and certification organization that has gained some traction in the healthcare industry. A couple of assertions made in this article stuck out to me:

  • Organizations achieving a certain level of control maturity can expect that maturity to persist over time.
  • Higher levels of control maturity mean less risk to the organization and its customers.


What makes a control “mature”?

A mature control is one that is continuously monitored (through automation or manual checks). It’s formally implemented, designed for a specific purpose, measured, and improved when necessary. This level of focus shouldn’t be required for all controls in an organization’s security baseline, but rather for controls that answer critical business risks specified by that organization. Don’t forget that just about every compliance activity is a check-the-box exercise aimed at demonstrating that a baseline is in place. And let’s be honest, most companies get ready (rather than stay ready) for an audit or certification. Knowing this, I’m not convinced that a control that appears mature at the time of an audit truly remains in such a posture at all times of operation. And even if those controls do remain mature, that doesn’t mean the organization or its stakeholders have successfully reduced risk.


You can have a mature control that is ineffective at reducing relevant risks.

Let’s take a look at an example of a common security control: Antivirus (AV) Software. Most organizations utilize AV software that reports back to a central console where administrators can be alerted when viruses are detected on covered endpoints. Let’s hypothesize that a well-implemented, managed and mature AV control like this is in place. Does that mean the control effectively reduces all risk of malware compromise on endpoints? Absolutely not. New generations of malware are constantly being released that can circumvent even the most up-to-date AV scanning technology. Here, we have an example of a mature control that can be ineffective in reducing a relevant risk. Therefore, we cannot (and should not) conclude that control maturity is a reliable measure of risk.


The goal of risk management is to ensure the success of business objectives.

Risk management seeks to identify threats that compromise business objectives. Business objectives may include revenue goals, product launches, digital strategy execution, etc. These are strategic objectives that the board of directors and the executive team really care about. By identifying and analyzing risks to these objectives, organizations can craft controls of an appropriate maturity that reduce the impact or likelihood of those risks occurring. The key is that the maturity of these controls should be commensurate with the risk (both upside and downside) associated with the business objective; otherwise the business is wasting time perfecting controls that either do not fully mitigate risk or simply answer low-impact risks. Furthermore, organizations focused on measuring control maturity may actually be overlooking any risks that can’t be addressed with controls.

My point here? Beware of focusing too much on control maturity. Yes, it’s helpful for benchmarking and continuous improvement, but it does not paint an accurate picture of risk. Only true risk identification, quantification, and monitoring techniques can provide insight into the risks that businesses face today.

Check out my most recent webinar where I discussed ‘Why Your Vendors Are Your Biggest HIPAA Privacy Risk’ so you can gain even more insight into risk and compliance within the Healthcare industry.


About SureCloud

SureCloud connects the dots with Integrated Risk Management solutions enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation; meaning you get immediate and sustained value from the outset. SureCloud has been recognized in the 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions.