Is cybersecurity part of your GRC framework?



Why data privacy and its management contributes to your GRC measures

Linton Burling - General Manager

Cybersecurity is a balancing act, bridging the perceptual dichotomy between protection and productivity. It’s not an easy task but it can be made easier by considering it in the context of organisational Governance, Risk and Compliance (GRC) measures. 

Fundamentally, GRC is a combined approach towards governance, risk, and compliance, aided by information technology. While GRC is more frequently considered from a whole-of-operations perspective, it also has a substantial connection to cybersecurity governance due to the numerous intersecting areas such as data privacy and risk management.

Data privacy and its management are a significant factor that increases the relevance of GRC in cybersecurity. Consumers are becoming more aware of the need to ensure their data remains private and in their control. Governments have responded by introducing better data protection policies, which in turn require organisations to adapt to additional Information Security (InfoSec) requirements imposed by regulation.

In Australia, the implementation of the Consumer Data Right (CDR) is a recent example. The CDR requires certain industries, such as Banking and Financial Services, to adopt a formal governance framework for managing information security risks relating to CDR data, setting out the policies, processes, roles and responsibilities required to facilitate the oversight and management of information security. In this context, InfoSec is now a whole-of-organisation risk and must be managed within the GRC framework. 

Cybersecurity and organisational risk are inherently connected. With the increasing frequency and sophistication of cyber attacks, the risk to business function, profitability and customer trust is pronounced. Accordingly, organisations that do not have appropriate InfoSec systems, controls, and plans as part of their overall risk management strategy are leaving the door open for potential disaster.

With cybersecurity breaches becoming increasingly front-of-mind for the broader community, organisations need to ensure the appropriate proactive emphasis is placed on cybersecurity in order to avoid exposure to a quadruple impact: the cost of disruption, the cost of cessation, the cost of remediation, and the cost to reputation. Organisations that introduce proactive, robust cybersecurity functions in their GRC framework, underpinned by “the six Ps” (planning, policy, programs, protection, people, and project management), are better placed to defend against malicious attacks [2].

Often a cultural shift is required before organisations can build stronger cyber defences. This can be achieved by ensuring that all staff are educated regarding the interaction between regulatory requirements and cybersecurity. As an example, cybersecurity personnel in a regulated industry should have contextual knowledge of the regulatory requirements of their organisation so as to develop and manage systems in line with those requirements. Conversely, administrative functions such as legal and finance should have contextual knowledge of the organisation’s cybersecurity operations, so that the organisational risk management framework and its associated treatments align to current ICT capability and inform future InfoSec technical development.

Incorporating cybersecurity into the GRC framework makes business processes more secure. While hardware and software can catch and stop many adverse events, GRC takes IT risk mitigation to a higher level through the close integration of policy, people and technology, aligned to business vision and regulatory requirements.

[2] M. E. Whitman, Management of Information Security, 2018.
