In today’s world of rising geopolitical and privacy risk, we cannot afford to rely on compliance frameworks alone to ensure our organization’s safety or operation. Around the world, new regulations are surfacing to mitigate cybersecurity threats and avoid significant economic consequences. Organizations must move from a compliance-based focus to a risk-first approach so that resources are aligned to best implement these new rules. Taking a risk-first attitude to meeting these goals may avoid the financial or legal penalties that arise from a lack of attestation caused by stricter budgets, untrained personnel and lax processes.
In an individual approach to change, mindset is key. For enterprises, this starts with leadership and extends to the rest of the organization. In this way, boards and the C-level understand the major threats facing their business and work with risk leaders to identify impacts to the bottom line and triage emerging risk. Audit teams can then measure the effectiveness of the cybersecurity controls put into place and report back to the board with recommendations that are more impactful to the organization’s security posture. The IT team, as custodian of data and support to the business, then has better measures by which to update procedures and processes to enhance cybersecurity controls.
However, this is only part of the picture. Third-party risk, often a subject of concern and outside the regular purview, must also be addressed. Organizations often use contracts and policies as the stick by which to measure vendors’ adherence to their standards, but they should also look to external compliance audits such as System and Organization Controls (SOC) 2, the Payment Card Industry Data Security Standard (PCI DSS) and International Organization for Standardization (ISO) standard 27001 for continual assessment. In this way, they combine independent attestations with their own standards as they respond to new risk – for example, new technologies, changes in personnel and updates to controls to meet industry standards.
Bringing together the ecosystem of individuals representing leadership, risk, audit, IT, compliance and vendor management builds a stronger cyberdefense for an organization, creating synergy, which is “the combined effect of individuals in collaboration that exceeds the sum of their individual effects.” Each team enhances the value of the others as they work together on the objective of protecting and defending the organization from rising geopolitical and privacy risks that have severe financial and systemic impacts. It is time for organizations to change their mindset from checking boxes to embracing continuous collaboration to reduce residual risk and better prepare for today’s and tomorrow’s threats.
Editor’s note: For further insights on this topic, read Karen MacDougall’s recent Journal article, “Avoiding a Compliance-First Mindset and Choosing a Risk-First Attitude,” ISACA Journal, volume 5, 2023.