<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TPRM Software - DoubleCheck Software</title>
	<atom:link href="https://www.doublechecksoftware.com/tag/tprm-software/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.doublechecksoftware.com</link>
	<description>Engage Your Enterprise</description>
	<lastBuildDate>Wed, 03 Jan 2024 20:29:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.5</generator>

<image>
	<url>https://www.doublechecksoftware.com/wp-content/uploads/2018/09/cropped-doublecheck-icon--32x32.png</url>
	<title>TPRM Software - DoubleCheck Software</title>
	<link>https://www.doublechecksoftware.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</title>
		<link>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/</link>
					<comments>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 03 Jan 2024 20:29:07 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3728</guid>

					<description><![CDATA[<p>“Be Brave” Resolution #1 – Critique and Hone Your Risk Rating Scales All risk rating scales are not created equal. The new year is a good time to consider critiquing yours&#8230;and honing them, as advisable. Here are some thoughts for severity and likelihood rating scales: 1) Mere adjectival identifiers (e.g. high, rate etc.) are worthless,<a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>“Be Brave” Resolution #1 – Critique and Hone Your Risk Rating Scales</strong></p>
<p>All risk rating scales are not created equal. The new year is a good time to consider critiquing yours&#8230;and honing them, as advisable.</p>
<p>Here are some thoughts for severity and likelihood rating scales:</p>
<p>1) Mere adjectival identifiers (e.g. high, rare, etc.) are worthless, being open to a multitude of individual interpretations. Instead, be brutally specific.</p>
<p>2) Consider allowing severity to be predicated on a variety of different indicators (e.g. financial impact, brand/reputation, regulatory, strategic etc.). Whatever column particularly lends itself to the risk in question &#8211; and best resonates with the risk owner &#8211; that&#8217;s how potential severity for that risk should be viewed.</p>
<p>3) Likelihood rating scales should not measure the chance of incurring any risk event (why worry about fender benders?) but, rather, the likelihood of a &#8220;significant&#8221; event (rated 3 or above), based upon the severity table that you formulate.</p>
<p>4) Customize your likelihood scales with absolute clarity. For instance, an &#8220;almost certain&#8221; rating might expect a significant event once every year and, on the other end of the spectrum, a &#8220;rare&#8221; rating might project a significant event only once every 50 years. Focus on the likelihood of a significant event and establish explicit temporal measures.</p>
<p>5) Rating scales can be equally applied to risks both before controls (inherent) and with controls in place (residual).</p>
<p>6) Computing risk results as the multiplicative product of severity and likelihood is an eminently justifiable and understandable approach: it melds together severity and likelihood in order to put the combined ratings of all risks in your universe on an even playing field.</p>
<p><em>In summary: Break down your rating scales. Don&#8217;t be afraid to modify them. Don&#8217;t let &#8220;good enough&#8221; be good enough.</em></p>
<p><strong>“Be Brave” Resolution #2 – Critically Evaluate Your Risk Register Reality</strong></p>
<p>Immediately investigate the possibility of implementing an automated risk register solution that is customized, straightforward, intuitive and pragmatic.</p>
<p>Consider leaving behind your current use-case, whether it consists of merely performing ERM by hand (e.g. excel spreadsheets) or trying to make-do by utilizing someone else&#8217;s application (e.g. audit, insurance company, claims handler) that is inflexible and ineffective.</p>
<p>Double-down on emphasizing the importance of the risk register to your ERM program by establishing one risk owner for every exposure in your universe and identifying and monitoring controls for each risk, by line of defense. With this ERM governance structure in place, roles and responsibilities will be defined, accountability expected and ERM risk culture will benefit.</p>
<p>One possibility worth consideration: <a href="https://www.doublechecksoftware.com/products/risk/enterprise-risk-management-erm-one/">ERM One™</a> is a viable alternative for those: a) without an automated tool or b) saddled with someone else’s application.</p>
<p><strong>“Be Brave” Resolution #3 &#8211; Think in Terms of 60-Second Blocks of Time</strong></p>
<p>Why 60 seconds? What are some actual tangible examples of why this strategy might work?</p>
<p>1) Develop ERM elevator speech #1 – a succinct one-minute summary of the strategic importance of ERM, an explanation that ties together the company’s key objectives to the iterative, tactical execution of risk management. You never know when you will need this. You are well served to be ready. Clear and simple, with conviction and passion.</p>
<p>2) Construct ERM elevator speech #2, of the same duration, encapsulating the key strategic ERM initiative of the moment (e.g. cyber risk, ESG etc.). There’s always a hot topic for ERM – that’s the beauty of the profession. Let your voice show the excitement. Revel in describing it.</p>
<p>3) On every single piece of written correspondence, force yourself to lead with a Summary or a Summary Recommendation paragraph that the reader can digest in one minute. No more than 225 words. Straight to the point. Make your best case. Don’t bury your key points at the end of a meandering e-mail. Captivate the audience up-front.</p>
<p>4) Use the entreaty “can I have one minute of your time on the phone?” via e-mail or text. If you have built a reasonable reputation, the person being beseeched will have a tough time refusing this request…do so judiciously and respectfully. Stick precisely to a minute – be uber-prepared as to what you are looking for.</p>
<p>Think 60 seconds.</p>
<p><strong>“Be Brave” Resolution #4 – Focus on “Words Matter” and “Actions Count” to Achieve GRC/ERM Excellence</strong></p>
<p>Two (2) maxims for ERM/GRC excellence &#8211; 1. <strong>&#8220;Words Matter&#8221;</strong> and 2. <strong>&#8220;Actions Count&#8221;</strong>. Hand-in-hand, this pair of principles drives ERM/GRC performance.</p>
<p>Here&#8217;s the reasoning:</p>
<p><strong>&#8220;Words Matter&#8221;</strong> &#8211; The disciplines of ERM and GRC demand precision. There is no room for inaccurate, nebulous, or empty wording. Ditto for jargon or obscure acronyms. Less is more. Get and give everything in writing. Record the chronology. Be explicit and date-specific in expectations. Hold to your deadlines. When in doubt, ask questions. Don&#8217;t assume anything. This world (of ERM/GRC) is far too important to merely guess. There is no place for the esoteric, academic or hypothetical. Total clarity is the byword, whether in establishing ERM/GRC context, laying down its foundational elements such as governance or culture, or explicitly detailing the steps in tactical execution. Rating scales must have exact and rigorous definitions so there is no confusion. Language should be energetic and convincing. There&#8217;s a whole lot at stake, each and every single day.</p>
<p><strong>&#8220;Actions Count&#8221;</strong> &#8211; Thrive on the adjective &#8220;actionable&#8221; and the noun &#8220;deliverable&#8221;. How are you converting context, philosophy and strategy into tangible and decisive action? Does your ERM/GRC program stop at the ivory-tower, risk appetite level (e.g. high, medium, low) or does it drill down and manage to explicit tolerances, through the establishment of key risk indicators (KRIs)? What is the escalation provision associated with every exceedance of risk tolerance? Are the three lines of defense a conceptual diagram or an embedded, day-in-and-day-out demonstration of risk culture? Are risk ratings from deputized risk owners appropriately critiqued and challenged in order to ensure the validity of risk priority rankings?</p>
<p>Two ideas worth remembering on ERM/GRC &#8211; <em><strong>&#8220;Words Matter&#8221;</strong></em> and <em><strong>&#8220;Actions Count&#8221;</strong></em>.</p>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


<p>The post <a href="https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/">Four “Be Brave” Resolutions for GRC and ERM Programs in 2024</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/four-be-brave-resolutions-for-grc-and-erm-programs-in-2024/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3728</post-id>	</item>
		<item>
		<title>Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</title>
		<link>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/</link>
					<comments>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 13 Oct 2023 19:44:51 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3699</guid>

					<description><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program: 1. Mission Statement Purposeful connection of strategy and tactics 2. Framework – Part A<a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program:</p>
<p>1. Mission Statement</p>
<ul>
<li>Purposeful connection of strategy and tactics</li>
</ul>
<p>2. Framework – Part A</p>
<ul>
<li>Strategic context (“Who are you and what are you trying to achieve?”)</li>
<li>Without this, there is no reason for ERM or GRC</li>
</ul>
<p>3. Framework – Part B</p>
<ul>
<li>Foundational underpinning (Culture and Governance)</li>
<li>Connective tissue existing between strategy and tactics</li>
<li>Underlying essence; these foundations are in place at all times</li>
</ul>
<p>4. Framework – Part C</p>
<ul>
<li>Tactical Execution (4-Step iterative process: identify, assess, mitigate and monitor)</li>
</ul>
<p>5. Governance Structure</p>
<ul>
<li>Clear-cut roles and responsibilities</li>
<li>Best portrayal: Three lines of defense</li>
</ul>
<p>6. Universe</p>
<ul>
<li>4 categories – 3 common (&#8220;Finance&#8221;, &#8220;Operational&#8221; and &#8220;Strategic&#8221;) and 1 unique (“Core Business”)</li>
<li>Dynamic; encompasses emerging risks</li>
<li>Aligns with always-changing nature of risks themselves</li>
</ul>
<p>7. Rating Scales</p>
<ul>
<li>Understandable</li>
<li>Severity, likelihood, direction and velocity</li>
<li>Inherent and residual</li>
</ul>
<p>8. Policies</p>
<ul>
<li>Major risks (dozen or so)</li>
<li>Each comprised of: definition; goal; roles and responsibilities (1st/2nd/3rd lines); appetite; tolerances</li>
</ul>
<p>9. Language</p>
<ul>
<li>Succinct; simpler is better</li>
<li>Don’t throw in unnecessary phrases (“I was able to…”)</li>
<li>Precise; exact</li>
<li>Iterative; over and over</li>
<li>Powerful</li>
<li>One shot; on the mark; needs to resonate</li>
<li>Use present tense whenever possible (alive, here and now)</li>
<li>Pragmatic (understands dynamics, keeps big picture in mind)</li>
<li>Embedded and actionable</li>
<li>Positive (figure out a way, convince)</li>
<li>Purposeful and insistent</li>
<li>Rigorous and disciplined</li>
<li>Not merely esoteric, hypothetical or academic</li>
<li>Put away the pom-poms; self-praise is no praise</li>
</ul>
<p>10. Reporting</p>
<ul>
<li>Risk arrow heat map</li>
<li>Risk owner report</li>
</ul>
<p>11. Overall Cultural Model</p>
<ul>
<li>Code of ethics</li>
<li>What do your people do when no one is watching?</li>
<li>Behaviors you expect and tolerate</li>
</ul>
<p>12. Risk Culture</p>
<ul>
<li>Shared understanding towards risk</li>
</ul>
<p>13. Deputized Risk Owners</p>
<ul>
<li>Subject matter experts</li>
<li>Hold them accountable</li>
<li>Don’t be afraid to critique or challenge</li>
<li>Ensure that people are not just going through the motions (e.g. no changes year-to-year)</li>
<li>Educate them; understand this is not their day job</li>
<li>Depend upon them, and their perceptions, heavily</li>
<li>You are only as good as what they provide</li>
<li>Be respectful of their time</li>
</ul>
<p>14. Risk Owner Surveys</p>
<ul>
<li>Take the opportunity to ask special, “hot-button” questions each year</li>
<li>Don’t overdo it</li>
</ul>
<p>15. Risk Appetite</p>
<ul>
<li>High, medium, low</li>
<li>Tolerances – exact point at which appetite exceeded</li>
</ul>
<p>16. Configurability</p>
<ul>
<li>Collaborate with a vendor having a matching mindset</li>
</ul>
<p>17. The Fuel of Passion</p>
<ul>
<li>Get excited and stay excited</li>
<li>How many people have this opportunity?</li>
<li>Keep turning insights into actions</li>
<li>Don’t be dragged down by leanness of resources, staggering workload, sometimes-mundane nature of work or undervalued role by others</li>
</ul>
<p>18. The Importance of Pride</p>
<ul>
<li>No slouching</li>
<li>Do not accept a back seat</li>
<li>No sloppiness or mistakes should be tolerated; prompts the question &#8211; what else is wrong? How can I have confidence in anything?</li>
<li>It’s a huge job; don’t ever forget that</li>
<li>Keep the mission statement in mind</li>
<li>Cognizant of the overall framework that melds together strategic context and tactical execution</li>
</ul>
<p>19. Transferability to Other Risk-Related Areas</p>
<ul>
<li>Every single risk-related area could benefit by adhering to these 20 elements</li>
</ul>
<p>20. Risk Register</p>
<ul>
<li>Organizational (&#8220;tree&#8221;) view as well as workbench view</li>
<li>workbench for risk owners</li>
<li>doesn’t need to be exorbitant $</li>
<li>seemingly fashionable these days to downplay or disparage importance of the risk register</li>
<li><strong><a href="https://www.doublechecksoftware.com/products/risk/enterprise-risk-management-erm-one/">ERM One</a></strong> – a viable alternative to:
<ul>
<li>doing without an automated tool or</li>
<li>tolerating someone else’s system</li>
</ul>
</li>
</ul>
<p>Closing Thoughts:</p>
<ul>
<li>Get ready for the elevator speech</li>
<li>Trapped in the elevator with the CEO and asked to give him/her your impressions of GRC/ERM priorities in 30 seconds</li>
<li>No excuses – take the time to do the dirty work beforehand</li>
<li>Connect the dots, dot by dot</li>
<li>Build the program, brick by brick</li>
<li>Bold, presumptuous goal (“World-Class”)?</li>
<li>Shoot for the moon; even if you miss, you’ll land among the stars</li>
<li>Common denominators</li>
<li>Better every day; better than yesterday</li>
<li>Incremental improvements</li>
<li>Keep attacking</li>
<li>Heed the children&#8217;s book classic &#8211; “The Little Engine That Could”</li>
<li>Mission: reach the boys and girls on the other side of the mountain</li>
<li>When it found itself in trouble, neither a shiny new passenger engine, with all sorts of compartments, nor a big strong engine was necessary</li>
<li>All that was needed was a little blue engine who “tugged and pulled”, “pulled and tugged”</li>
<li>“I think I can” was converted into “I thought I could”</li>
</ul>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


<p>The post <a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3699</post-id>	</item>
		<item>
		<title>De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</title>
		<link>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/</link>
					<comments>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 13:07:25 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3671</guid>

					<description><![CDATA[<p>One acronym after another. An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms. You need to do it, however. Simplify, simplify, simplify. Break it down and truly comprehend everything. Get ready for the proverbial elevator speech, if the need for one materializes. Toward that goal, here<a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>One acronym after another.</p>
<p>An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms.</p>
<p>You need to do it, however.</p>
<p>Simplify, simplify, simplify.</p>
<p>Break it down and truly comprehend everything.</p>
<p>Get ready for the proverbial elevator speech, if the need for one materializes.</p>
<p>Toward that goal, here are several recommendations:</p>
<ol>
<li><strong>Establish Enterprise Risk Management (ERM) as Your North Star</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>This is not meant to diminish or disparage other acronyms but merely to state an undeniable fact that needs to be accepted.</li>
<li>ERM is the granddaddy of them all.</li>
<li>Every component of all other risk-related acronyms or topics emanates from ERM or the framework established around ERM (Risk Management Framework).</li>
<li>In other words, the world revolves around ERM.</li>
<li>If you don’t like that fact, get over it.</li>
<li>Get on with the business of managing risk.</li>
</ul>
</li>
</ul>
<ol start="2">
<li><strong>Don’t: Quibble, Be Smarter by Half, or Get Hypothetical, Esoteric or Academic with your Language</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>Every word matters.</li>
<li>Take no chances.</li>
<li>Leave nothing up in the air.</li>
<li>Use precision in all matters in such an important discipline.</li>
<li>Several useless debates, for example:</li>
</ul>
</li>
</ul>
<ol>
<li style="list-style-type: none;">
<ol>
<li style="list-style-type: none;">
<ol>
<li>Three Lines of Defense vs Three Lines of Responsibility. Use the former.</li>
<li>ERM vs Integrated Risk Management (IRM). Use the former.</li>
<li>ERM vs Strategic Risk Management. Use the former.</li>
</ol>
</li>
</ol>
</li>
</ol>
<ol start="3">
<li><strong>It’s All About the Risks, Stupid</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>I say this with affection, and as a reminder to myself, as much as to others.</li>
<li>Easy to lose sight of.</li>
<li>Treat risks as if you are bare-naked; do not rely on the safety blanket of insurance.</li>
<li>Remember: in the long-term, you will pay all your losses.</li>
<li>Another way of saying this: if a company had the financial wherewithal, it could (and should) self-insure all risks. No insurers, no brokers – just risk managers.</li>
<li>Imagine that.</li>
<li>GULP!</li>
</ul>
</li>
</ul>
<ol start="4">
<li><strong>The Risk Register</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>It can also be termed a Risk Universe; that’s OK.</li>
<li>It’s not, however, a Risk Taxonomy (ouch, that sounds painful) or a Risk Catalog (when did we end up in the library?).</li>
<li>Call it Severity, not Impact, so that everyone in the organization is on the same page.</li>
<li>Define Severity across multiple dimensions, using a 1-5 rating scale (e.g. Financial (% of Capital), Brand/Reputation, Regulatory Intervention, Strategic).</li>
<li>For the same reason, call it Likelihood, not Frequency.</li>
<li>Define Likelihood in a temporal manner, using a 1-5 rating scale (e.g. a significant event occurring once every 1, 5, 10, 25 or 50 years).</li>
<li>Bottom line: the fewer terms you use, and the more rock-solid certain those terms and definitions are, the better.</li>
</ul>
</li>
</ul>
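<p>The Severity and Likelihood scales above, worked through as a small register model. This is an added example, not DoubleCheck’s code and not the ERM One application. The post defines the two scales but not how to combine them, so three rules here are assumptions of the example: a risk’s overall Severity is the highest of its per-dimension ratings, Likelihood 5 means a significant event about every year and 1 about every 50 years, and entries are ranked by Severity times Likelihood as on a 5x5 heat map. The three register entries are constructed sample data.</p>

```python
"""Risk register model using the Severity / Likelihood vocabulary above.

Added example; not DoubleCheck's code and not the ERM One application.
Assumptions (the post defines the scales but not these rules):
  * overall Severity of a risk = the highest of its per-dimension ratings
  * Likelihood 5 = a significant event about every year, 1 = about every 50 years
  * entries are ranked by Severity x Likelihood, as on a 5x5 heat map
"""
from dataclasses import dataclass

# Severity dimensions named in the post; each rated 1 (low) to 5 (high).
SEVERITY_DIMENSIONS = (
    "financial_pct_capital",
    "brand_reputation",
    "regulatory_intervention",
    "strategic",
)

# Assumed mapping of Likelihood rating -> return period ("once every N years").
LIKELIHOOD_RETURN_PERIOD_YEARS = {1: 50, 2: 25, 3: 10, 4: 5, 5: 1}

# Synonyms the post says not to use, with the term to use instead.
DISALLOWED_TERMS = {"impact": "severity", "frequency": "likelihood"}


def _check_rating(label: str, value: int) -> int:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer rating from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    name: str
    owner: str
    severity: dict      # dimension name -> rating 1..5 (only dimensions that apply)
    likelihood: int     # rating 1..5

    def __post_init__(self) -> None:
        unknown = set(self.severity) - set(SEVERITY_DIMENSIONS)
        if unknown or not self.severity:
            raise ValueError(f"{self.risk_id}: bad severity dimensions {sorted(unknown)}")
        for dim, rating in self.severity.items():
            _check_rating(f"{self.risk_id} severity[{dim}]", rating)
        _check_rating(f"{self.risk_id} likelihood", self.likelihood)

    @property
    def overall_severity(self) -> int:
        return max(self.severity.values())          # assumption: worst dimension wins

    @property
    def return_period_years(self) -> int:
        return LIKELIHOOD_RETURN_PERIOD_YEARS[self.likelihood]

    def probability_within(self, horizon_years: int) -> float:
        """P(at least one significant event within the horizon), treating
        'once every T years' as an independent annual probability of 1/T."""
        annual = 1.0 / self.return_period_years
        return 1.0 - (1.0 - annual) ** horizon_years

    @property
    def score(self) -> int:
        return self.overall_severity * self.likelihood


def entry_from_record(record: dict) -> RiskEntry:
    """Build an entry from a plain dict (e.g. a JSON or CSV import) and refuse
    the synonyms, so every feed into the register uses the same two terms."""
    for key in record:
        if key.lower() in DISALLOWED_TERMS:
            raise ValueError(f"use '{DISALLOWED_TERMS[key.lower()]}' instead of '{key}'")
    return RiskEntry(
        risk_id=record["risk_id"],
        name=record["name"],
        owner=record["owner"],
        severity=dict(record["severity"]),
        likelihood=int(record["likelihood"]),
    )


def rank(register: list) -> list:
    """Highest score first; ties broken by Severity, then by id for stable output."""
    return sorted(register, key=lambda e: (-e.score, -e.overall_severity, e.risk_id))


# Constructed sample register (illustrative values, not real data).
SAMPLE_RECORDS = [
    {"risk_id": "R-01", "name": "Ransomware outage", "owner": "CISO",
     "severity": {"financial_pct_capital": 3, "brand_reputation": 4,
                  "regulatory_intervention": 2, "strategic": 2},
     "likelihood": 4},
    {"risk_id": "R-02", "name": "Key supplier failure", "owner": "Head of Procurement",
     "severity": {"financial_pct_capital": 4, "strategic": 5}, "likelihood": 2},
    {"risk_id": "R-03", "name": "Fraud", "owner": "Head of Internal Audit",
     "severity": {"financial_pct_capital": 2, "regulatory_intervention": 3}, "likelihood": 3},
]


def build_sample_register() -> list:
    return [entry_from_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for e in rank(build_sample_register()):
        print(f"{e.risk_id} {e.name:<22} S={e.overall_severity} L={e.likelihood} "
              f"score={e.score:>2}  ~1 in {e.return_period_years}y  "
              f"P(>=1 event in 10y)={e.probability_within(10):.0%}")
```

<p>The temporal definition is what makes the Likelihood scale explainable in an elevator: under the return-period assumption, a rating-2 risk (“once every 25 years”) still has roughly a one-in-three chance of occurring at least once over a ten-year planning horizon, which is a more honest number to put in front of executives than “unlikely”. The register also rejects records keyed as “impact” or “frequency”, so a feed from another system cannot quietly reintroduce the terms the post says to retire.</p>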
<ol start="5">
<li><strong>ERM vs GRC</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>GRC is a well-accepted, more bite-sized subset of ERM, plain and simple.</li>
<li>The R (Risk) in both acronyms is identical; it refers to ERM.</li>
<li>The C in GRC is Compliance, an operational risk in the ERM risk register as well as one of the foundational components (Culture and Ethics) of ERM.</li>
<li>Finally, G refers both to Corporate Governance, an ERM operational risk, and to another ERM foundational component, namely Governance, where the various roles and responsibilities in the ERM equation are definitively laid out (e.g. Three Lines of Defense).</li>
</ul>
</li>
</ul>
<ol start="6">
<li><strong>ERM vs Compliance</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>As stated above, the C refers to Compliance, an operational risk in the ERM risk register.</li>
<li>There is nothing to prevent the Compliance function from deciding to further break down that exposure into sub-risks, in order to better delineate and manage on a more granular basis. (The last company I worked for broke down Compliance into 62 such sub-risks)</li>
</ul>
</li>
</ul>
<ol start="7">
<li><strong>ERM vs Internal Audit</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>Internal Audit plays a vital third Line of Defense role in all risk matters.</li>
<li>Audit planning should align with risk priorities.</li>
<li>Certain risks on the ERM risk register are more logically tied to Audit (e.g. Fraud); the Head of Internal Audit could, in fact, be the risk owner for those exposures.</li>
</ul>
</li>
</ul>
<ol start="8">
<li><strong>ERM vs ESG</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li><span style="color: initial;">The G (Governance) in ESG has already been covered, within ERM.</span></li>
<li>The S (Social) in ESG can be tracked to the ERM foundational component of Culture (Overall Cultural Model, Ethics and Compliance).</li>
<li>E, for Environmental, will align with the Climate Risk particulars enumerated on the ERM risk register.</li>
</ul>
</li>
</ul>
<ol start="9">
<li><strong>ERM vs DEI</strong></li>
</ol>
<ul>
<li style="list-style-type: none;">
<ul>
<li>There is not a more important risk-related acronym on the horizon today than DEI (Diversity, Equity and Inclusiveness).</li>
<li>Start before you are ready on this – just get going.</li>
<li>If it needs improving, do so tomorrow from the base of today.</li>
<li>All of these items (DEI) need to be embedded in your Cultural Model, a vital ERM foundational component.</li>
<li>A crucial ERM risk like Human Resources – Management Development needs to be appropriately expanded and honed to yield the type of organization you want. How do you develop diverse talent, then grow and mentor them?</li>
<li>You need to operationalize DEI throughout the culture of the organization.</li>
<li>Set up key risk indicators (KRIs) in your ERM risk register to allow you to monitor – and constantly improve – your controls.</li>
<li>Like ERM, DEI is an iterative, evergreen process.</li>
</ul>
</li>
</ul>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>
<p>The post <a href="https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/">De-Mystifying (and Explaining the Connection Between) Risk-Related Acronyms and Phrases</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/de-mystifying-and-explaining-the-connection-between-risk-related-acronyms-and-phrases/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3671</post-id>	</item>
		<item>
		<title>Cyber Security and Risk Management—Who’s Responsible</title>
		<link>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/</link>
					<comments>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 15 Jul 2022 14:07:44 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[#erm]]></category>
		<category><![CDATA[#tprm]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2904</guid>

					<description><![CDATA[<p>There’s a lingering belief that these are IT management concerns. That lingering belief is founded upon a “perceived reality” of a business operating in an environment where IT was little more than a contributing discipline to complete tasks and deliver efficiency. It made some narrow sense in a world free of cyber anything, pre-internet, where<a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">Cyber Security and Risk Management—Who’s Responsible</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>There’s a lingering belief that these are IT management concerns. That belief rests on a “perceived reality” of a business operating in an environment where IT was little more than a contributing discipline that completed tasks and delivered efficiency. It made some narrow sense in a world free of cyber anything, pre-internet, where digital transformation, mobile devices, bots, malicious actors, malware, ransomware, and threats from hostile government actors were relegated to science fiction thrillers. None of us live in that world today. Burying our collective heads in the sand will not change that, nor will glasses tinted any shade of rose. Cybersecurity and its related risk management activities are a management concern. They are part of comprehensive oversight, governance, guidance, and strategic leadership. So, how well do your company’s culture and organizational structure reflect that contemporary reality?</p>
<p><span style="color: #3366ff;"><strong>Where Do Your CIO and CISO Sit?</strong></span><br>Snarky responses aside, access to the rest of your company’s executive team is an important attribute of your cyber risk management and security program. If your organization’s structure has them report to other “C” level roles, you’ve established a potential barrier to clarity, transparency, and responsiveness. This is not in any way a slight to any other C-level role, but a simple statement of operational, procedural, and behavioral fact. It also sends a clear message to the rest of the organization that security and risk management are a secondary concern. That may create an additional hurdle for risk and security initiatives, as middle managers put more resources and attention on requests from those “higher level” executives and relegate those from your CISO and CIO according to the organizational pecking order. Giving your CIO and CISO a seat at the executive table makes a number of high-value contributions to your company:</p>
<ul>
<li>Enables them to establish and validate their roles as important strategic components to your company’s success</li>
<li>Communicates the importance of security, cyber risk, and technology to the entire firm</li>
<li>Gives your CIO and CISO firsthand exposure to these other disciplines, issues, and management concerns so they can participate in developing strategy and measuring achievement of business goals and success</li>
<li>Affords open discussion between all C-level executives of how cyber risk and security, as well as technology contribute to and add value to the company’s business achievement.</li>
<li>Reinforces and encourages representation of technical, security, and risk matters in terms of business impact rather than esoteric tech-eze.</li>
<li>Affords direct communication and responsiveness to address and respond to incidents and issues with greater timeliness and efficiency, strengthening overall business resiliency during unforeseen events and incidents.</li>
</ul>
<p><span style="color: #3366ff;"><strong>Leadership By Enablement</strong></span><br>Often, when we think about goals, achievement, and leadership, it’s from a fairly internal perspective, answering the question “what do I want to do?”. Let me offer an alternative perspective. Consider the answer to the question “What do we need to be successful?” The answer is often fairly broad. But drilling into those generalized answers quite often yields presumptions of reliability, persistence, accuracy, validity, and resilience, to name some attributes. These may depend upon processes, tools, technologies, people, partners, and even regulators or providers of basic infrastructure such as transportation, energy, or communications. Many of those attributes, often just assumed to always be reliably present, can be, and often are, the victims of cyber attacks, weak security, and lax attention to practices that would otherwise thwart or at least minimize the risk of their compromise. Information technology and security leaders are well attuned to the vulnerabilities, threats, and presumed-reliable dependencies other leaders count upon to manage and deliver their own contributions to business goals. By placing them in the discussions where plans and direction are developed at the senior executive level, businesses enrich planning with a fuller view of issues and opportunities, and a more complete understanding of the resources necessary to achieve the intended outcomes.</p>
<p><strong><span style="color: #3366ff;">Who Manages Your GRC?</span></strong><br>The CISO and CIO roles are not the do-all end points of everything related to cyber risk and security. A governance, risk and compliance (GRC) manager is more than someone responsible for administering a software tool, conducting risk assessments and reporting findings. Often this is a leadership role supporting those C-level executives and others, one that is responsible for the design, development, staffing and operation of enterprise-wide delivery of many security and risk related services and processes. Often, this role will take the lead in security awareness training, both content and delivery. Incumbents will also work with other compliance managers and management to assure that current and upcoming products and services meet established obligations. This may include interactions with external auditors, regulators, and third parties. Your GRC manager is the focal point of your compliance, risk, and governance processes. Often s/he will be the primary author of your governance practices, drive your compliance efforts, manage risk assessments, and serve as a valued participant in the implementation, delivery, and monitoring of data protection, authentication, recovery and resiliency programs.</p>
<p><strong><span style="color: #3366ff;">Extended Boundaries</span></strong><br>There are two more questions, whose answers help define the extended scope of your risk, security, compliance and governance roles:</p>
<ul>
<li>Who is responsible for third party risk management (TPRM)?</li>
<li>Who is responsible for risk, governance, and compliance oversight when acquisitions are under consideration?</li>
</ul>
<p>The ideal answer to both should be your GRC manager, under the executive guidance of a CIO or CISO who is part of the executive team and has visibility to the Board of Directors. But is this the case in your firm? There are many moving parts to TPRM. Certainly, your procurement practices are key components. Onboarding and offboarding procedures necessarily entail information exchanges to assure proper vetting of third party candidates. This goes well beyond fiscal health, service and product quality, timeliness, and contract negotiation. How well are these practices integrated with, and informed by, the risk, information security, and compliance expertise within your company? Is reliance upon critical partners a foundation of your resiliency, recovery, and incident management strategies? How do these processes and programs integrate to assure your leadership that your third party engagements preserve, and maybe even enhance, presumptions of reliability, persistence, accuracy, validity, and resilience where these relationships integrate with your operations? Your procurement professionals, no matter how experienced, gain value and support from engagement with the risk, security, regulatory and compliance expertise offered through GRC leadership.</p>
<p><strong><span style="color: #3366ff;">And Then There’s The GRC Platform</span></strong><br>A GRC platform is a critical technology tool that enables and strengthens these business and operational practices. For many who have followed these blogs this assertion will seem obvious, as will the observation that GRC platforms facilitate data integration, validation, and reporting. There are other, equally important but less recognized opportunities that a GRC platform makes easier. It is well suited to store, maintain, and serve as the consolidation point for compliance, risk and related process and remediation project data. Feeds from incident management, audits, compliance reviews, remediation projects, risk assessments, and more can all reside logically within its data stores. Using the GRC platform as the single authoritative source for such data also simplifies data security, validity, distribution, and resiliency practices. Whether the system relies upon cloud storage or more traditional means, there are tools and services available to assure data management and integrity. Much of the content of a GRC system is likely sensitive and would be considered highly confidential, so consolidating it makes technologies such as data loss prevention (DLP), tighter multifactor authentication and access management, and backup and restoration services more economical to implement and operate.</p>
<p>Analysis, data mining, and reporting are facilitated by consolidating related GRC data streams onto the stores of your GRC platform. Data analysis tools can easily relate, and also identify discrepancies between, alternative data views of specific operating practices or organizations. You can also explore specific controls or risks to see where recommended practices are consistently ignored. Doing so points out potential problems with control design, implementation, or understanding, which affords focused and positive remediation strategies. Control management is an important aspect of risk management, one that’s often overlooked in binary pass/fail scoring. That’s why risk registers are an important design element of your risk and security programs.</p>
<p><strong><span style="color: #3366ff;">Don’t Forget The Risk Register</span></strong><br>Remember that your risk program needs to identify, assess, mitigate, and monitor risk to demonstrate “management”. Having a list of risks, whether identified through statements, measurements of control adherence, findings of audits or compliance reviews, or more, offers a scaffold upon which to design and construct your risk program. It’s a tool that presents context, direction, and definition, while also useful to manage scope and measure maturity. Risk registers aren’t static. They need to be elastic and flexible to reflect the changing nature of your business and the threat environment you operate within.</p>
<p>The risk register’s content is something your own senior risk and security leadership must work to explain to other senior business leadership and gain consensus on its alignment with your company’s goals and mission. This discussion needs to be an ongoing dialogue, and the exchange of ideas, opinions, priorities, and concerns is one reason why senior information technology, risk, and security professionals need a seat at executive leadership meetings. These experts need to understand the perspectives of the business from the views of operations, finance, marketing, compliance, product and brand management, and more. Likewise, those business leaders need to understand the integration of their own processes with those of their technology, risk and security peers.</p>
<p>Without question, alignment of business goals with your risk register is a key foundational step to building, developing, and managing a comprehensive risk program that’s relevant and effective. But more on that in an article to come.</p>
<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held CRISC, CISM, and CISA credentials.</p>


<p>The post <a href="https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/">Cyber Security and Risk Management—Who’s Responsible</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/cyber-security-and-risk-management-whos-responsible/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2904</post-id>	</item>
		<item>
		<title>Shopping For a GRC Platform</title>
		<link>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/</link>
					<comments>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 01 Jun 2022 13:36:16 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2894</guid>

					<description><![CDATA[<p>Almost every blog entry listed here makes some reference to a Governance, Risk, and Compliance (GRC) software tool and how it can help you manage cyber risk. But what if you don’t have one of these? What about spreadsheets? Or home grown database tools you made yourself and are certain are “good enough”? And suppose<a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">Shopping For a GRC Platform</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Almost every blog entry listed here makes some reference to a Governance, Risk, and Compliance (GRC) software tool and how it can help you manage cyber risk. But what if you don’t have one of these? What about spreadsheets? Or home grown database tools you made yourself and are certain are “good enough”? And suppose you have a very limited budget for risk management, are part of a small organization (or a small part of a highly decentralized large organization), and just don’t have bundles of cash to spend on software. What about those folks too?</p>
<p>While there are no absolute, easy answers, there are some strategies we’ll explore here. There are also some basic best practices to apply to any shopping effort for a GRC software solution that can limit your financial exposure and save you a lot of money, often enough to make the exploration and evaluation worth your while even when a platform seems out of reach. We’ll look at some of those too so you are fully “ready” to make the best choices for your business regardless of how your risks and resources measure up today.</p>
<p><strong><span style="color: #3366ff;">Making The Impossible Possible</span></strong><br>Sometimes you are faced with a seemingly impossible situation, where you cannot do without but cannot make do either. I’ve been there. It’s where the spreadsheet approach grew up. It’s where lists and manual processes thrive. It’s not ideal. Even those folks who can script in “Excel-eze” cannot provide all the detail and robust data capture, analysis, and organization needed today. In other articles I’ve noted the value of leveraging data from other processes, particularly ones associated with audits, regulatory and compliance reviews, and even incident management. Those areas may have some software you can somehow borrow services from to configure risk assessments and share data. Such arrangements may not give you ideal flexibility or control, but, in an impossible situation, there needs to be elasticity in solutions. This approach might create something of a sneaker-net scenario where you are running from one platform to another to launch a risk assessment, manage progress, extract data, transfer to an analysis platform elsewhere, take the result to publish and distribute through another borrowed internal service, and so on. It won’t be easy, but any amount of automation you can offer for your stakeholders will likely be received well, even if you’re “spinning a lot of plates behind the curtain” so to speak. There is a potential gem buried here, if you survive this—you know what everyone else has, needs, and already counts upon for similar automated services. Hold onto that information; it will become most valuable later on in this story.</p>
<p><strong><span style="color: #3366ff;">Know What You Need</span></strong><br>The beginning to any journey or task is knowing where you want to go. In this case, knowing which features of a GRC platform are most critical to the operation of your risk management program is key. Like shopping for anything laden with features and unique approaches to perceived needs (ever shop for a new car?), it is easy to get sidetracked by the glistening marketing messages and materials crafted to attract your attention. If managing risk assessments and sharing the results in a manner that your senior business leadership can understand is critical, focus upon that before other features. Also, pay attention to what it may take to enable what you want. Some attractive features in some products require robust database management and query skills. Others require scripting or programming through application programming interfaces (APIs). If you don’t have those resources readily available to your risk program at this point, something more out-of-the-box, or configurable rather than customizable, might be in order. So, build a list of true “must-haves” and one of “desirables”. Make certain you hit as many musts as you can. Don’t trade them off for desirables, no matter how many are offered. Be patient, and diligent.</p>
<p><strong><span style="color: #3366ff;">Become An Informed Shopper</span></strong><br>There’s no way I know of to acquire GRC software by the pound. But there are strategies to gradually acquire functionality over time as your risk program’s needs mature and become more sophisticated or complex. I have a long-standing rule about avoiding redundant or “throw away” efforts wherever they can possibly be eliminated. Repeating an effort because you “didn’t have time” to do it thoroughly the first time wastes time, money, and many other participating or supporting resources. So, if you need to start small, seek solutions that can grow with you at your pace. Many software solutions will present themselves as meeting this requirement. Don’t take a “yes we can” at face value. It’s important to ask “how”! The specifics and details offered will tell you whether the solution you’re exploring truly can grow gradually, or requires a complete reinstall from scratch or something else. What do I mean by growing? Adding capacity for data, supporting an increased number of users, and revealing or enabling new features or capabilities without having to reinstall or redeploy the software demonstrate a product designed for incremental growth. This growth may also include the ability to integrate data sources from external systems. Be careful here. Again, ask how. Understand what requirements beyond configuration and setup might be needed to make such integration work.</p>
<p>There’s another aspect to being an informed shopper—seeking input from your stakeholders. In addition to being a good partner, there may be useful information to help shape your list of much needed features. You may also discover details about other systems already part of your company infrastructure that can be leveraged now and could feed your new GRC later to help establish it as the system of record for all risk related information. Stakeholder preferences for disseminating risk data analysis and reporting might also reveal features to value and take note of in your search.</p>
<p><strong><span style="color: #3366ff;">Consider Your Vertical</span></strong><br>Every business has its own unique risk portfolio. And it changes with time and circumstances as does the business itself. Some industries have specific legal, compliance, and regulatory obligations that demand rigorous, detailed attention to particular sets of controls and practices. Two that are often cited as particular examples are financial services and healthcare. Both are heavily regulated. Both have federal regulations and oversight bodies (FFIEC, NCUA, FINRA, FinCEN, to name just a few) serving as oversight vehicles. Compliance is a big part of their competitive, legal, reputational, financial, and operational risk portfolios. They are also diverse verticals. Financial services take many forms; banks, credit unions, investment firms, stock and bond trading services form a commonly perceived bulk. But there’s also the whole payments industry, credit cards, check cashing services, small lenders, and of course insurance of all different forms. Even the automotive industry blurs the lines with auto lease and purchase financing, often initiated at retail dealerships and “car stores”. There are also all the surrounding advisory professionals operating as financial investment and management consultants. And, for international organizations, there are expanded sets of obligatory controls set by host countries. Each has its own unique flavor of obligatory standards and guidelines that must be followed.</p>
<p>Likewise for healthcare services, there are many regulations, Federal ones well known, like HIPAA and the somewhat less known HITECH (Health Information Technology for Economic and Clinical Health Act), but also the Medicare Access and CHIP (Children’s Health Insurance Program) Reauthorization Act of 2015, or MACRA, to name some more, that require compliance. Some healthcare providing organizations operate through multiple third party relationships, and those entwine and complicate compliance efforts too. Medicare and Medicaid themselves have regulations and requirements that CMS (Centers for Medicare &amp; Medicaid Services) imposes upon providers and other supporting healthcare services billing those programs. So there may be a significant third party risk management (TPRM) component to compliance and risk management here.</p>
<p>And of course, online retailers of all sizes have their own bits of compliance. Online wine sales are subject to stringent state regulation, licensing and more. Other retailers are subject to state tax laws, permits, licensing, and of course PCI for those credit card payments. A partial list for sure.</p>
<p>Assessing risk, compliance with controls, organizing and documenting evidence, and supporting regulatory compliance reviews can be a time consuming, tedious process that becomes very costly without the automation and administrative control offered by a GRC platform. This regulatory environment thwarts many startups and small business ventures by creating a significant barrier to entry, and a barrier to growth. If only there was a simple, cost effective entry point into managing this complex governance, risk, and compliance arena that could grow with a company in size and capability as those services became necessary…</p>
<p><strong><span style="color: #3366ff;">Out-Of-The-Box GRC</span></strong><br>Out-Of-The-Box GRC, or OOB-GRC, is neither a unicorn, nor a case of snake oil elixir offered by an alley way “expert”. There are vendors that offer simple GRC solutions, based upon pre-configured instances of their software. They cover a wide array of OOB readiness and can be ready to put to use and begin delivering value in very short timeframes. Most often they are based upon the platform that’s capable of providing the full array of services available in a quality full featured GRC. It’s just that only the basics are “turned on”. Those are usually the ability to conduct and manage a risk assessment, report basic findings, maybe manage some workflow, or include a control standard, and manage the process. They may include access to well known control sets that accompany standards such as NIST’s Cybersecurity Framework, or HIPAA and/or HITECH’s control sets, or others generally required by one vertical or another. There are several immediate values to such OOB solutions:</p>
<ul>
<li>support rapid deployment with minimal client effort</li>
<li>are cost effective and affordable</li>
<li>allow you to work as you learn, (helping you determine what’s most needed next, why and when)</li>
<li>are simplified versions, so training users is streamlined</li>
<li>may be hosted, reducing reliance upon internal IT resources, while providing security</li>
<li>incorporate maintenance support</li>
<li>are capable of expanding in scale, feature richness and scope (without encountering “throw-away” rework)</li>
</ul>
<p>This is a representative example of the gains and opportunities afforded by OOB GRC offerings, but not an exhaustive one. Some firms may include more of their features in a pre-configured OOB offering. Ones that favor configuration over customization have a clear advantage here. Also, security is a significant concern. A great deal of your risk related data is likely highly confidential. A GRC solution will offer much more detailed and granular security than a collection of local databases and spreadsheets. This is a feature often overlooked that is really important to consider. And if you have done your own homework and know what you essentially need to get started, your ability to pinpoint which solution offerings OOB may be best for you will be more straightforward and precise. Remember what I noted you might have learned while “making the impossible possible” in that section above? Here’s where it offers to pay you back for all you gleaned. You know what you need right away. You also know where the value trade-offs might exist while comparing solution offerings.</p>
<p>There is, of course, a buyer’s caveat here. Some vendors say they offer an OOB solution, but in reality, they only offer a pre-configured reduced feature set, or one so minimal it’s inoperative without customization and development. And, they may not readily reveal that to perform one function, you need to purchase one or more additional modules holding dependent code. These are not true OOB solutions. A genuine OOB solution should be able to be launched, configured, and ready for you to begin using, training users, and performing useful work in 30-45 days or less, assuming you have clarity on what you need and how you operate. Remember, an OOB solution may not do things exactly as you have in the past, using makeshift tools and tons of sweat equity. One purpose of bringing a software solution to bear is to introduce new practices through automation, streamline processes and practices, and enable your company to do more, get more, while making the effort more flexible and elastic to growth in scope, size, and complexity over time. The OOB solution delivers that promise in an affordable package, one you can enrich and expand in the future.</p>
<p>The OOB GRC solution is a great way to introduce positive change, improve the overall cost effectiveness and quality of managing risk, while enhancing your ability to manage compliance and provide the best possible alternative to the plate spinning, spreadsheet gathering, manual processes in the past. The OOB GRC is also a great way for companies of all sizes to grow past those interim efforts to enhance the professionalism of risk management, compliance, and the overall operating performance of their companies now and into their tomorrows.</p>
<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>


<p>The post <a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">Shopping For a GRC Platform</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2894</post-id>	</item>
		<item>
		<title>When The Cyber War Comes Home</title>
		<link>https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/</link>
					<comments>https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 01 Apr 2022 13:22:24 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2827</guid>

					<description><![CDATA[<p>The modern battlefield has a new extension—cyberspace! And the modern battlefield is no longer confined to simple geographies of land masses, airspace, oceans, valleys and mountains. Better (more destructive) bombs, missiles, rockets, guns, and fighter aircraft, weren’t enough for us feisty humans. Just as the global economy has blurred once sharply defined geographical and economic<a href="https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/">When The Cyber War Comes Home</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
<content:encoded><![CDATA[<p>The modern battlefield has a new extension—cyberspace! And the modern battlefield is no longer confined to simple geographies of land masses, airspace, oceans, valleys and mountains. Better (more destructive) bombs, missiles, rockets, guns, and fighter aircraft weren’t enough for us feisty humans. Just as the global economy has blurred once sharply defined geographical and economic boundaries, our technologies have similarly clouded the scope, locations, and players in an international conflict. As the events in Ukraine continue to evolve, and regardless of the outcome, it is clear that there are no cyber sidelines to the conflict. This means every business, every organization, regardless of its national origin, its distance from the physical fray, or its perceived role (even one that is uninvolved by any rational assessment), may be subject to cyberattack, directly or indirectly. An emergency $32.5 billion funding request the White House sent to Congress tells the story. That request also includes $28 million to bolster the FBI’s response to “cyber threats stemming from the Russia threat and war on Ukraine.” Physical war is a summation of specific engagements. So is cyberwar.</p>
<ul>
<li>The Lapsus$ hacking group is reported to have recently leaked proprietary information about Samsung and Nvidia</li>
<li>Agence France-Presse reported that France’s Space Command, was hit with a cyberattack</li>
<li>German officials say a cyberattack that targeted Viasat caused its customers to lose their Internet on Feb. 24, and also prevented thousands of German wind turbines from connecting to the internet, blocking operators from controlling the turbines remotely.</li>
</ul>
<p>Companies large and small can easily become collateral damage; disruptive, hurtful, but aside and apart from direct military actions, adding to the total impact of modern military and political conflict. Past cyberattacks on Colonial Pipeline, US banks, and other national infrastructure components demonstrate the eagerness of malicious actors to disrupt normal business. These attacks are often aimed at critical infrastructure, that our own companies and families rely upon for important and often essential services. So, you may be a healthcare provider, or a small school, or a retailer; you may be in the US, or the EU or elsewhere, it really doesn’t matter. Any of us can get caught up in the action, by intent, or through unintentional activities. Our societies have grown increasingly reliant on our digital technology to function throughout our daily lives. Disruption or destruction can be deeply damaging.</p>
<p>There are three (3) basic vectors of cyberattack we all need to address now: those that gather information, those that disable or destroy data or infrastructure, and those that seek to discredit fact, authority, and purpose. Let’s look at each in a bit more detail, along with the cyber risk controls and practices to apply to reduce our vulnerability and address each threat vector.</p>
<p><strong><span style="color: #3366ff;">Gathering Information</span></strong><br />Intelligence gathering has always been an important aspect of a ground war, or even a cold war. It’s also a common first step towards launching a successful, malevolent cyberattack. There are two shades of intelligence gathering: accumulating private information to discover vulnerabilities, gain advantage, or avoid confrontation, by copying information and transferring those copies; or taking possession of data assets to otherwise compromise another party. Real professionals favor copying data. Since nothing is “taken”, nothing is missing, which makes detection, and determining exactly what was compromised, much harder. There are many tools to aid the malicious actor in pursuing these efforts. Phishing emails have long been a part of this effort. And now smishing, the text based alternative to phishing, has become a common means of trying to cajole information out of people, often through social engineering. These techniques are also used to introduce malware that can take advantage of a user’s credentials and authentication to extend the information gathering reach into all the devices in a network domain.<br />By the way, just how segmented and secure is your network? (More on this later.)</p>
<p><strong><span style="color: #3366ff;">Destroying Credibility</span></strong><br />Aside from data theft, discrediting facts and truth while promoting falsehood in their place may be the most damaging and long lived threat a malicious actor of any size and sophistication may promote. There is no lack of evidence that misinformation, once carefully and creatively promoted, distributed, and repeated, can and does gain traction and acceptance regardless of the strength of facts to the contrary. Take the Flat Earth believers for example, and the numerous conspiracy theories that have clear evidence to the contrary but still foster belief. I won’t name them here, but every reader knows at least one or more clear examples. Promoting “alternative facts,” outright lies, or just misinformation that draws truth into question are frequent missions for governments and political activists seeking to manipulate public opinion, behavior, or the outcome of elections and legislation. There are also the personal attacks where malware or ransomware takes possession of private data and threatens to publicize it unless its victim pays a ransom of money or performs involuntary actions.</p>
<p><strong><span style="color: #3366ff;">Destroying Assets</span></strong><br />Pretty straightforward. Whether physical devices, critical infrastructure like pipelines or electrical grids, or internet service providers, information websites, hospital records, banks, market exchanges, or almost any data resources of importance, they are all tempting targets for malicious actors seeking to disrupt an adversary of any size. The attack may come through ransomware, malware, or other electronic means, and one attack can cascade into an assault upon another (no electrical power can ultimately lead to no internet, heat, healthcare, manufacturing, retail, or other activities). There have also been successful attacks on SCADA systems. Supervisory control and data acquisition (SCADA) is a system of software and hardware elements crucial to industrial organizations, since they help maintain efficiency, process data for informed decisions, and communicate system issues to help mitigate downtime. SCADA systems are the backbone of many modern industries, including energy, manufacturing and transportation.</p>
<p><strong><span style="color: #3366ff;">Countering The Risks Of Cyberattack</span></strong><br />Let’s look at the controls and counter measures readily available to begin to mitigate the risks to you and your businesses in this challenging cyber environment.</p>
<p><span style="color: #3366ff;">Gathering Information:</span><br />There are four (4) primary control practices here you should be actively practicing. Leading the list is education and training. Effective user education is one of the best means for avoiding the risks associated with phishing and smishing attacks, which most often lead to successful penetration of your infrastructure defenses. Next up, comprehensive monitoring: employ tools that detect attempts, by brute force or other means, to break through your perimeter or to access internal assets without valid credentials. Where practical, this should include monitoring for unauthorized or unexpected changes to infrastructure. Coupled tightly with this are strong access and authentication controls. Also, examine your network design and device configuration. Have you created segments that require specific authorization to access assets and resources on a “need to” basis, or are your controls just a barrier around a wide open interior, sometimes called a “moat and castle” design? Segmentation can slow down or minimize the damage a successful penetration of your network may inflict. Lastly, if you have the means, deploy data loss prevention (DLP) tools to detect the unauthorized movement of sensitive data. These systems alert monitors to attempts to extract or move protected confidential data and can be configured to take preventative action in some instances.</p>
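<p>As an added illustration of the “comprehensive monitoring” control above (example code written for this page, not part of the original post or of any DoubleCheck product), the script below runs simple brute-force detection over constructed sshd-style log lines. It keeps a sliding window of failed logins per source address, raises a “brute_force” alert when the failure count inside the window reaches a threshold, and raises a higher-priority “success_after_failures” alert when an accepted login follows a flagged burst from the same address, which is the case that most often means credentials were guessed or stolen. The log lines, the year used to complete the syslog timestamps, the threshold, and the window size are all assumptions chosen for the example.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines for this example (not real log data).
# Source 203.0.113.7 fails five times in seven seconds and then succeeds as root.
# Source 198.51.100.9 fails twice, 29 minutes apart, then logs in with a key.
SAMPLE_LOG = """\
Mar 14 09:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 09:00:03 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 14 09:00:05 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 09:00:06 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 14 09:00:08 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar 14 09:00:10 bastion sshd[2209]: Accepted password for root from 203.0.113.7 port 51035 ssh2
Mar 14 09:01:00 bastion sshd[2300]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar 14 09:30:00 bastion sshd[2310]: Failed password for alice from 198.51.100.9 port 40102 ssh2
Mar 14 09:31:00 bastion sshd[2312]: Accepted publickey for alice from 198.51.100.9 port 40104 ssh2
"""

# Matches the OpenSSH "Failed password" / "Accepted publickey" message shapes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2022):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2022 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector over a block of sshd log text.

    Returns a list of alert dicts in log order:
      brute_force            - a source reached `threshold` failures inside `window_seconds`
      success_after_failures - a source already flagged for a burst then logged in successfully
    Each source is flagged for brute force only once, to avoid alert floods.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                # not an auth result line; ignore
        ts, result, user, ip = rec
        window = failures[ip]
        if result == "Failed":
            window.append(ts)
            # Drop failures older than the window, measured from this event.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(window), "at": ts.isoformat()})
        elif ip in flagged:
            # A success from a source that was just hammering us is the real signal.
            alerts.append({"type": "success_after_failures", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

<p>Run as-is, the script reports two alerts for 203.0.113.7 (the burst, then the successful root login) and nothing for 198.51.100.9, whose two failures fall outside a single 60-second window. In practice the thresholds are tuned per environment, the success-after-failures case is what you page on, and the same pattern applies to any authentication log (VPN, web login, RDP) once the parser is swapped.</p>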
<p><span style="color: #3366ff;">Destroying Credibility:</span><br />These attacks are often behavioral and emotional in substance, making them difficult to thwart using technology alone. These threats seek to discredit authority, facts, or psychologically confuse wherever they may. Certainly, pay attention to your access controls, validation and authentication practices to assure users in fact are who they present themselves to be. Where there is an opportunity, certainly filter access (at least through business provided assets) to questionable sources and locations online. As a business, you have the right to monitor and manage how your resources are used. So, monitoring tools that may block access to offensive or otherwise questionable online resources is certainly within your authority. There’s also an increased need for transparency and consistency wherever practicable. A strong, consistent track record is one of the best defenses here.</p>
<p><span style="color: #3366ff;">Destroying Assets:</span><br />A recent blog post discussed resiliency, and certainly it applies here. Backups may seem boring, but they are a clear, effective means to protect sensitive digital assets. So too, are alternative sources of services and goods. Do you have solutions in place, tested and ready to deploy, if you lose electrical power, cell and/or internet services, transportation, or other services vital to your business? Do you have backup generators, solar arrays, or even backup power storage (i.e., battery) options? What if one or more key suppliers or partners falls victim to attack? Will you become collateral damage or do you have alternatives ready to step in? How are you managing third party risk (TPRM)? If your work-from-home staff depend upon these or their own resources, what are your plans? The best way to address risk of destruction is to prepare for alternative resources before you need them, paying particular attention to those truly essential services first.</p>
<p><strong><span style="color: #3366ff;">Where Do You Turn For Answers?</span></strong><br />Answers reside within the findings of your risk assessments, the remediations planned, and the actions underway, if they were well done, current, and accurately documented. How does your most recent assessment evaluate your readiness against some of the issues and recommendations noted above? Did you make use of a control framework such as NIST’s Cybersecurity Framework to help you organize and assure you addressed all the control areas that comprise a comprehensive cyber risk assessment? Were results quantified, compared to past assessments, and rated for criticality against your core business operations and goals? Are your assessment findings compared to your relevant audit findings and contractual and regulatory obligations? Does your risk program readily help you answer questions about your cyber preparedness, critical vulnerabilities, and areas for attention? Can you accurately estimate the resources you need and where they may most effectively be applied? Can you track and report the status of remediations already planned or underway? If not, you may be approaching this effort without a roadmap, or a dashboard to guide your efforts.</p>
<p>A quality GRC tool, implemented and employed to support your cyber risk program, would help you satisfy these requirements, give you a clear picture of where you stand, point out strengths as well as critical weaknesses, and help you manage risk effectively and economically. Their data presentation, visualization, and analytical tools make communicating meaningful findings in business context a straightforward activity. Today there are GRC options and implementations scaled to the needs of many business sizes and scopes. Some even offer “out-of-the-box” operating functionality that requires little more than a turnkey service. These can offer real value to businesses just getting started, and may offer the ability to build upon those systems as your needs grow.</p>
<p><strong><span style="color: #3366ff;">Final Thoughts</span></strong><br />Our information lives, business, social, and personal, are all more transparent and more intertwined through our shared technologies than they were in generations recently past. And we’ve all become more dependent upon resources such as mobile devices, the internet, cellular services, and “smart” technologies that connect our homes, vehicles, workplaces, and “selves” in ways unimaginable even 15 years ago. Businesses have become just as blended, interconnected, and reliant on one another. Third party services are more widely employed and tightly integrated. So too are our clients and customers. The threat of disruption to these services and relationships can often lead to existential consequences. Our need for cyber diligence, in times of peace as well as political upheaval, is growing, and will continue to expand well past the horizons of today.</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p>&#8212;</p>
<p><em><strong>Some observations from DoubleCheck Software on Cyber Security Risk Management and Third Party Risk Management (TPRM) tools:</strong></em></p>
<p>Using the NIST framework or your own, make sure your GRC system provides tools to assess and report on your cybersecurity risk profile, with insights into specific areas of focus for the firm or for individual areas within the firm, including a summary gap analysis and associated details.</p>
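<p>As an added illustration, not code from DoubleCheck Software or the author, the following Python script shows the kind of gap analysis the questions above call for: each CSF subcategory is scored against a target maturity, the gap is weighted by how critical the control is to core operations, results are rolled up by CSF function, compared against the prior assessment cycle, and controls whose remediation has stalled are flagged. The 0 to 4 maturity scale, the 1 to 5 criticality weights, and both cycles of scores are constructed sample data; the control identifiers follow NIST CSF 1.1 subcategory numbering.</p>

```python
"""NIST CSF-style gap analysis: added example, not DoubleCheck Software's code.

Assumptions (constructed for the example): each control is scored on a 0-4
maturity scale, criticality is 1 (peripheral) to 5 (core business process),
and the two cycles below are sample data, not real assessment results.
"""
from collections import defaultdict
from dataclasses import dataclass

# CSF 1.1 function prefix -> function name
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class ControlScore:
    control_id: str   # CSF 1.1 subcategory identifier, e.g. "PR.IP-4" (backups)
    current: int      # assessed maturity, 0-4 (assumed scale)
    target: int       # required maturity, 0-4
    criticality: int  # 1 (peripheral) .. 5 (core business process)


# Constructed sample data: the same six controls across two assessment cycles.
PRIOR_CYCLE = [
    ControlScore("ID.AM-1", 2, 3, 3),
    ControlScore("PR.AC-1", 1, 4, 5),
    ControlScore("PR.IP-4", 2, 4, 5),
    ControlScore("DE.CM-1", 1, 3, 4),
    ControlScore("RS.RP-1", 1, 3, 4),
    ControlScore("RC.RP-1", 0, 3, 5),
]
THIS_CYCLE = [
    ControlScore("ID.AM-1", 3, 3, 3),
    ControlScore("PR.AC-1", 2, 4, 5),
    ControlScore("PR.IP-4", 2, 4, 5),
    ControlScore("DE.CM-1", 2, 3, 4),
    ControlScore("RS.RP-1", 1, 3, 4),
    ControlScore("RC.RP-1", 1, 3, 5),
]


def weighted_gap(c: ControlScore) -> int:
    """Distance below target, weighted by criticality; exceeding the target is not a gap."""
    return max(c.target - c.current, 0) * c.criticality


def gap_by_function(scores) -> dict:
    """Roll weighted gaps up to the five CSF functions (the summary gap analysis)."""
    totals = defaultdict(int)
    for c in scores:
        totals[FUNCTIONS[c.control_id.split(".")[0]]] += weighted_gap(c)
    return dict(totals)


def gap_delta(prior, current) -> dict:
    """Change in weighted gap per control since the prior cycle (negative = improved)."""
    before = {c.control_id: weighted_gap(c) for c in prior}
    return {c.control_id: weighted_gap(c) - before.get(c.control_id, 0) for c in current}


def top_gaps(scores, n: int = 3) -> list:
    """Controls to address first: largest weighted gap, ties broken by criticality."""
    ranked = sorted(scores, key=lambda c: (weighted_gap(c), c.criticality), reverse=True)
    return [c.control_id for c in ranked[:n] if weighted_gap(c) > 0]


def stalled(prior, current) -> list:
    """Controls still below target whose gap has not moved: remediation to chase."""
    delta = gap_delta(prior, current)
    return sorted(c.control_id for c in current
                  if weighted_gap(c) > 0 and delta[c.control_id] == 0)


if __name__ == "__main__":
    for fn, gap in gap_by_function(THIS_CYCLE).items():
        print(f"{fn:<9} weighted gap {gap}")
    print("Priorities:", top_gaps(THIS_CYCLE))
    print("Stalled since prior cycle:", stalled(PRIOR_CYCLE, THIS_CYCLE))
    print("Deltas:", gap_delta(PRIOR_CYCLE, THIS_CYCLE))
```

<p>Run as-is it prints the per-function roll-up, the priority list, and the controls that did not move between cycles. In practice the two cycle lists would come from the GRC system’s assessment export, and the criticality weights should be the business impact ratings already held in the risk register rather than values typed into the script.</p>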
<p><img fetchpriority="high" decoding="async" class="alignnone  wp-image-2849" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/Radar-chart-PNG-version-1-300x210.png" alt="" width="577" height="404" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/Radar-chart-PNG-version-1-300x210.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/Radar-chart-PNG-version-1-150x105.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/Radar-chart-PNG-version-1.png 753w" sizes="(max-width: 577px) 100vw, 577px" /></p>
<p>And for Third Party Risk Management (TPRM) programs, ensure that your reporting tools can provide an accurate picture, in real-time, of the status of your vendors and the risks associated with each one. </p>
<p><img decoding="async" class="alignnone  wp-image-2835" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/03/TP-Status-Report-300x209.jpg" alt="" width="609" height="424" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/03/TP-Status-Report-300x209.jpg 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/03/TP-Status-Report-150x105.jpg 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/03/TP-Status-Report.jpg 663w" sizes="(max-width: 609px) 100vw, 609px" /></p>


<p><strong>To learn more, click on <a href="https://bit.ly/3J53zi0">Cyber Security Risk Management</a> or <a href="https://bit.ly/3Kswo9L">Third Party Risk Management</a>. </strong></p>
<p>The post <a href="https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/">When The Cyber War Comes Home</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/when-the-cyber-war-comes-home/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2827</post-id>	</item>
		<item>
		<title>Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</title>
		<link>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/</link>
					<comments>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 15:05:44 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[embedded business intelligence]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2794</guid>

					<description><![CDATA[<p>Thirty-five years ago, my first article was published in a professional journal. It was the outgrowth of a talk I gave at a business conference on the use of computer generated graphical information reporting. In 1987 those technologies were in their infancy. Computerized business graphics, pie, line, and bar charts, generated using desktop systems and<a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Thirty-five years ago, my first article was published in a professional journal. It was the outgrowth of a talk I gave at a business conference on the use of computer generated graphical information reporting. In 1987 those technologies were in their infancy. Computerized business graphics, pie, line, and bar charts, generated using desktop systems and output to paper, overheads, or slides were a big deal then. More sophisticated Gantt, Pert, and process flow charts sometimes required the power of mini computers and dedicated graphic terminals to produce reasonably professional looking results, for their time.</p>
<p>Today’s tools are dramatically more powerful, as are the portable systems on which they run. Beyond power, the diversity of data manipulation tools, visual display options, formats, and presentation options of color, perspective, and style, all capable of publication and distribution through multiple electronic means, creates limitless opportunity to present compelling representations of structured and unstructured data to managers and executives eager for reports on performance, profit, customer preferences, brand value, opportunity, and risk. And that brings us to a significant problem facing contemporary business leadership in the 21st century.</p>
<p>A triad of questions defines the problem:</p>
<p><strong><em>“Do you know what you need to know to effectively run your business?”</em></strong></p>
<p>coupled with</p>
<p><strong><em>“As a result of knowing _____, what action would you take?”</em></strong></p>
<p>The third question is one rarely asked by senior leadership, in my experience…</p>
<p><strong><em>“If you had answers to the first two questions, would your management team know what to do with the information?”</em></strong></p>
<p><span style="color: #3366ff;"><strong>A Data Feast Amidst Information Hunger</strong></span><br />We have plenty of facts and details about all sorts of macro and micro measures. The proliferation and transformation of business processes into digital methods has given rise to volumes of raw data businesses in the late 20th century could only dream of capturing, storing, and exploring. Risk data was far more subjective, unstructured and lacked the precision available today. The same was generally true for many other data categories covering operating, financial, customer, partner, regulatory and compliance data. Facts alone are often incomplete communicators. And while associations possible through data manipulation tools may be novel and “interesting”, they may not be actionable. For example, relating new customer location data with lunar phase data might create something interesting. But, “As a result of knowing this what action would you take?” We cannot manage the phase of the moon. Also, data presented in charts and graphs doesn’t always tell you something useful. Let’s look at a very simple instance and see how a small alteration can lead data down the road toward useful information.</p>
<p><img decoding="async" class="size-medium wp-image-2806 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-159x300.png" alt="" width="159" height="300" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-159x300.png 159w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-544x1024.png 544w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-80x150.png 80w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3.png 624w" sizes="(max-width: 159px) 100vw, 159px" />Here’s a simple bar chart in figure 1. By itself it really doesn’t provide much more than a representation of a distribution of values. Perhaps that’s useful, but the measure of actionable information is nearly zero. Now, let’s add a “goal line” in figures 2 and 3, where values above the line represent clear success and those below represent opportunities and challenges that should be explored and addressed. Your results, areas for attention, and likely next steps vary greatly even between figure 2 and figure 3. These are very simplistic examples. Today’s graphical arrays are visually more sophisticated, and analytically often more complicated. The point is, the tool alone is not where the “intelligence” is expressed in Business Intelligence software. The intelligence comes from the interpretation and useful combination of data, which requires a prerequisite understanding of what the data is, where it came from, how it was created, and when. While these examples are oversimplified, figures 2 &amp; 3 begin to offer some useful and actionable information by pointing out performance against a standard of expectation, leading to follow-up on what is working well, what is not, and which performance drivers may be adjusted to help marginal performance cases improve. Those answers may lead to changes in a variety of operating, policy, or process directions to correct performance concerns.</p>
<p>This is an example about one very simple metric, using a very simple graphical representation. Today’s business intelligence (BI) tools can do much more with much more complicated data. If you tracked every possible metric you could measure, and presented results this way, you’d overwhelm even the most knowledgeable stakeholder or leader. Knowing and applying context and conditional relationships helps narrow focus, support drill down detail where beneficial, and bring the real power of business intelligence tools to bear.</p>
<p><strong><span style="color: #3366ff;">What Do You Need To Know?</span></strong><br />The oft-cited, but very wrong, answer is “everything”! It’s just not functional, and you’d be buried in data points that told you nothing useful. Do you drive a car? Examine your dashboard. Where is the indicator for each cylinder’s compression ratio? Where is your brake pad temperature monitor? What?! You don’t know the precise volume of fuel remaining in milliliters and ounces? How are you possibly functioning? But you are. You have all the key performance and status indicators needed to operate and direct your car safely to your intended destination. You have transportation. If there were a problem, and your mechanic were to seek out some of these answers as part of a diagnostic exercise, that more concise and focused context brings in the need for different, and more specific, detail. You need to know when something is and isn’t working as intended and designed. When you learn of a problem, you need to give your specialists the information needed to diagnose the root cause, prescribe solutions, and test remediated functions. Go back to the questions at the start of this article to test the utility of the metrics you wish to gather. See how many pass successfully through questions 2 and 3. Start with that subset.</p>
<p>You also need to know the key driving chains that influence the metrics you do monitor. This is a kind of technical perspective upon context. For each of your key performance indicators (KPIs) and key risk indicators (KRIs) you need to map out which business processes influence the measure, where the source data used to calculate the indicator is gathered, how often, where it’s stored, and how it’s validated. This is vital context that can provide actionable direction should an indicator’s value suddenly shift from expected norms.</p>
<p><span style="color: #3366ff;"><strong>So, Where Does BI Fit?</strong></span><br />Business Intelligence software is a tool. And, like any other tool, its value is in the thoughtful, careful application by its handler. BI software is really good at helping you explore data relationships. It works best when applied in conjunction with your own knowledge of how your business works. Often the relationships between data values and different metrics may be obvious, and some may offer new insights to how seemingly unrelated processes impact one another. Use these features to explore these unique key driving chains. They may reveal important metrics to incorporate onto your standard “dashboard” of key operating metrics.</p>
<p>There’s an implicit benefit here that may not be obvious. Data silos, created by and supporting dedicated systems for a specific discipline or purpose, may be present across your enterprise. One of the key features of a BI tool is its ability to aggregate, interpret, and represent data from a consolidated variety of sources. This is significant. Without this capability the potential to identify useful key driving chains, letting you identify and represent the most insightful KRIs and KPIs, would be seriously hampered. Embedding BI functionality within a platform that can collect and store data from a variety of disciplines or functions, such as an Enterprise Resource Planning (ERP) or an enterprise Integrated Risk Management (IRM) solution, can deliver significant value through its ability to provide a single, authoritative resource for decision data. Value is created in part through streamlined processes, enhanced efficiency, and simplified system management. Additionally, the ability to manage access, protect confidential data, provide vetted information, and efficiently publish business information through a consistent, reliable portal cannot be overstated.</p>
<p>BI tools can offer insight into how clients and customers engage your business, help inventory managers fine-tune reorder horizons to minimize overstocks and stock-outs, and inform you of sales trends, client preferences, and campaign reactions far sooner than trailing periodic reporting. Keeping data and BI tools close together helps polish the efficiency of getting actionable information into managers’ and leadership’s hands sooner, so that your business runs with a clear vision of the road before you.</p>
<p><strong><span style="color: #3366ff;">Visual Tools, Actionable Information</span></strong><br />Visual representation of data is a valuable characteristic of BI tools. We are a visual society. While some of us relate best to columns and arrays of numbers or symbols, for the most part people relate to visual representations of data. Pictures over words. It’s a very powerful method for effectively communicating fact, concept, and relationships. Pictures often traverse the boundaries and nuances of words and speech. Pictograms and charts form an almost universal language of their own. Whether you are working with simple heat maps representing significant risk areas, or double-axis charts depicting client attributes and revenues, or more complex and sophisticated arrays, data visualization helps you highlight and pinpoint key messages and information. They are able to take large amounts of relatively complex data and create images that simplify and communicate actionable information your leadership can employ to manage your business and maximize its potential to achieve stated goals. Great visualizations are clear pictures of declarative statements. <img loading="lazy" decoding="async" class=" wp-image-2808 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-300x294.png" alt="" width="176" height="172" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-300x294.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-150x147.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4.png 624w" sizes="(max-width: 176px) 100vw, 176px" />As a best practice, I recommend visuals be titled by a declarative remark stating exactly what the visual is illustrating. Figure 4 reuses our example from earlier in this article, but note the clarity the title now adds to the image from figure 3. There can be no doubt about the message, and it immediately leads to a discussion of what works so well so often, and why not in the one location with disappointing results. More sophisticated visuals can convey other relationships, changes over time, year-over-year comparisons, the driving chain influences implicit in your KPIs and KRIs, and more.</p>
<p><strong><span style="color: #3366ff;">BI Tools and Your GRC</span></strong><br />Your GRC is an integration platform that can host data about many different risk categories, including operational, financial, third party, and cyber, to name a few. It’s also a place where regulatory and contractual obligations, compliance, and audit processes may be managed, and remediation specified, tracked, and reported. This single-point repository for overall governance, risk, and compliance is a great place to house BI tools to explore the consolidated data across these disciplines and actions, helping you identify, explore, analyze, and communicate current performance, key relationships, and potential opportunities to protect and enhance your overall performance. BI tools help you realize and maximize the value inherent in your consolidated data. Product and service performance, both current and predictive, are within its grasp. Likewise, critical risks, vulnerabilities, and opportunities for leveraged remediation become clear. Potential third party issues, whether supply chain related or implicit in the vulnerabilities they impose on your infrastructure, become visible. And so much more.</p>
<p>The investment in a GRC tool is enhanced and brought to maximum value in large part through the business questions it answers, the proactive vision it affords, and the informative support it provides leadership. Your BI tools are the glasses that clarify this world and sharpen your vision of your current state, with enhanced acuity to look towards the horizon and anticipate tomorrow.</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p>&#8212;</p>
<p><span style="color: #3366ff;">Some observations from DoubleCheck Software on Business Intelligence tools :</span></p>
<p>It is critical to have flexibility and simple tools for extracting BI data from your GRC system into comprehensive, visually informative documents and slideware. Reports 1 &amp; 2 below demonstrate different ways to render information to Management, Board of Directors, and team members. Report 1 (Risk Dashboard) provides a snapshot of the entire Risk Register, including overall Risk Status, Risk Distribution via a Heat Map with drillable values, Risk Distribution over Time, and monetary Risk Impact over Time. Report 2 (Enterprise Risks) goes deeper and provides more specific Risk Details.</p>
<p>Report 1</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2801" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-300x199.png" alt="" width="573" height="380" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-300x199.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-1024x678.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-150x99.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-768x509.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-1536x1018.png 1536w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-2048x1357.png 2048w" sizes="(max-width: 573px) 100vw, 573px" /></p>
<p>Report 2</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2802" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-300x206.png" alt="" width="572" height="393" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-300x206.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-1024x703.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-150x103.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-768x528.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-1536x1055.png 1536w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-2048x1407.png 2048w" sizes="(max-width: 572px) 100vw, 572px" /></p>
<p>The post <a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2794</post-id>	</item>
		<item>
		<title>When Comes December; Tailoring Your GRC Programs For The Coming Year</title>
		<link>https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/</link>
					<comments>https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 01 Dec 2021 14:52:36 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2750</guid>

					<description><![CDATA[<p>December brings more to our days than images of bright lights, holiday cheer, family gatherings, and for some, maybe a sprinkling of snow. In our work-realm of business and cyber risk management, it’s a time for reflection, refinement, and preparation for the year to come. Unless your business is retail or related, and you’re panting<a href="https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/">When Comes December; Tailoring Your GRC Programs For The Coming Year</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
					<content:encoded><![CDATA[<p>December brings more to our days than images of bright lights, holiday cheer, family gatherings, and for some, maybe a sprinkling of snow. In our work realm of business and cyber risk management, it’s a time for reflection, refinement, and preparation for the year to come. Unless your business is retail or related, and you’re panting your way to the gift-giving finish line, this is a great time to look back for a moment and answer some questions about your cyber risk management program, and your risk processes overall. For example:</p>
<ul>
<li>What has worked quite well in the past year?</li>
<li>What has not, and why?</li>
<li>What unique challenges do you anticipate for 2022?</li>
<li>Are there processes that bear attention and refinement?</li>
<li>Are there gaps in what you do that should be addressed?</li>
<li>Are you aligned to your firm’s business goals and strategy for 2022?</li>
</ul>
<p>It can be useful to get some input from your stakeholders and key users. Their perceptions, insights, and priorities may offer other perspectives for you to consider. The information you provide to inform decisions and direct actions only realizes its full value if it’s readily available and comprehensible for them. Also include your support resources, in IT, staff education, contributing departments, and management. And if there are gaps in the program from their perspectives, their feedback will make them clear. Just including your primary audiences in your review process incorporates them into shared program ownership, which is important in itself.</p>
<p><span style="color: #3366ff;"><strong>Features and Processes</strong></span><br>
Improving your GRC program’s usefulness requires consideration of both. Basically, what and how, and also when. Tailoring here is not so different from tailoring good clothing (confession: I’m the grandson of a master tailor). You examine fit, identify areas that need alteration, determine what that adjustment needs to be, examine the resources available to employ, decide what you can do to create the best “fit” result, size and mark your adjustments, and execute from there. The first two steps are accomplished through review and feedback. Those help you identify which changes would refine your program to a more perfect “fit” for your business.</p>
<p>Next, consider what’s missing or imperfect. The content here generally falls into two categories: features and processes. For your GRC, features would likely include modules you might want to add (or activate, if you’ve not yet made use of them), like third party risk management (TPRM); interfaces to other data, internal or external; extended security provisions; even changes to labels and language to reflect norms and culture within your firm. Processes may relate to risk assessment methods, workflows, communications, training practices, even alterations to authentication and permission granting.</p>
<p><span style="color: #3366ff;"><strong>Features</strong></span><br>
Answer these simple questions: “What do we need to know that we cannot today?” and “How can we get that information?” Armed with those answers, you can evaluate whether you need to adjust a configuration or setting in what you already use, integrate a data source that already exists somewhere else within your infrastructure, or, in fact, acquire something that will enable you to do what you cannot. This is not just a cost saving exercise. It’s also a design and maintenance management practice to keep your infrastructure as straightforward and contained as possible. Security plays a role here too. Internal data feeds are easier to validate, manage, and secure. Configuration management is a more straightforward approach too, helping to assure your software maintenance path remains relatively linear. Adding modules to your GRC is also a great way to extend functionality, when it’s represented through features designed for that specific purpose. Modules will likely open doors to do more than you may need at this moment, but they present greater flexibility and resources to continue to refine and extend your capabilities as they continue to evolve. They are also a “hedge” against any perceived desire to insert custom code into your platform as a way to get that information or perform a required process.</p>
<p>I’ve often spoken out against custom code unless your vendor commits to incorporating and supporting it in subsequent releases. (This is sometimes called an advanced feature.) Many of the biggest maintenance and performance issues I’ve seen have had their root cause in some piece of unsupported custom code interfering with a later product release. It’s something to avoid if at all possible. Instead, explore your available configuration settings and work with your vendor to seek a supportable solution. Also keep in mind that custom code is not always the same as customization. Many vendors offer you options (configuration capabilities) and allow you to create custom fields, and to rename existing fields to use language and conventions consistent with your own company’s and industry’s culture. All those changes are consistent with the “no custom code” approach mentioned above. Also, when you do change field names, look for functions that support global changes, so you maintain consistency across panels, modules, and processes. That will keep user training much easier and adoption more rapid.</p>
<p><strong><span style="color: #3366ff;">Processes</span></strong><br>
Oftentimes, for control or regulatory purposes, or just to further tailor a system to do things “your way,” how you get somewhere is of equal importance to arriving where you were headed. One obvious place to start is with workflow configurations. Have you identified any process bottlenecks from your risk assessments, vendor assessments or onboarding processes (if you have some TPRM functions incorporated within your platform), or compliance management? If so, this is the time of year to review feedback from participants and stakeholders and to address those concerns by making adjustments to step sequence, escalation paths, timing, routing, and reporting. If you don’t have a dashboard or some other means for a risk program manager to identify workflow issues and intervene when needed, consider setting up something to make those situations easier to identify. In like manner, you could address any other process workflows in any other areas.</p>
<p>Consider the interfaces your program employs to incorporate data from other sources, e.g., suppliers and partners, regulatory and compliance reviews, internal and external audits, industry data stores (like Dun &amp; Bradstreet), or any others you may use. Have you had any timeliness or interface issues? Is maintenance of these interfaces straightforward? Automated? Do you have clear escalation practices in place if there is a problem? Are these practices documented so backup staff can implement them if necessary? Add these to your review checklist too.</p>
<p>Some other processes to review and tune are end user training, risk assessment, TPRM onboarding, and subject matter expert (SME) reviews wherever they occur. Consider what seemed to be easily grasped by your GRC’s end users, and what required frequent post-training support. Also, keep your training aligned with any adjustments made to your processes, features, interfaces, or security provisions. Alterations to user training may have positive impacts upon the performance and experience in those other processes. It’s a good time to examine your risk scoring methods to assure they are clear, make sense for your line of business, and provide a level of clarity and specificity useful to managing the risks under review.</p>
<p>Security is somehow often left behind in these review practices. It shouldn’t be. Your GRC holds a lot of potentially sensitive, and perhaps proprietary, data—content you and your partners, clients, customers and stakeholders would not be pleased to share openly. So, are your authentication methods current? How are you segregating and assigning permissions? Do you employ a role-based security model? Have you integrated, or are you integrating, single sign-on (SSO) as a means of enabling access? How are you administering this? How do you terminate access when the situation merits? Are you using a hosted or cloud-based solution? How are you ensuring security there is in line with your needs? Do your processes generate the audit trails and documentation you need to meet regulators’ requirements? Again, tailoring and tuning some of these processes as you look forward to 2022 will add efficiency and strength to your risk management program.</p>
<p><strong><span style="color: #3366ff;">Reporting</span></strong><br>
Some think there can never be too much reporting. I disagree. There is always room for specific, targeted reporting that answers important business questions. The rest is just confusing and disruptive volume…noise. Needing or wanting to know “everything” just means you don’t know what’s important. If a report, dashboard, or other information device doesn’t answer this question, consider discontinuing it: “As a result of knowing this information I can and will now take ____ action.” If the report doesn’t answer a clear business question that leads to a decision to act or not in a specific manner, what value does it provide? Proof you could produce the report? So? I’ve seen many businesses buried in reporting while starved of actionable information. Don’t become one of them. The practice wastes money and time, and drains valuable resources best applied to other aspects of your program.</p>
<p>Also, look over your access, publication, and distribution processes for the information reporting you create. Does everyone with current access need it? How difficult is it to access if entitled? Do you push reports out to people or post them securely and enable access? Are they produced in formats that support repurposing where and when it might be wanted? Can recipients create their own ad hoc queries? Or drill into or restrict the scope of distributed information?</p>
<p>Last, are the reports free of jargon, clear and easy to understand, and do they provide meaningful, actionable information within the context of your business? Have you asked your key audiences and stakeholders if they might want new, or additional information, in different forms, or in different frequencies? This is a good time to gather such input and plan for any adjustments in the coming year. Don’t hesitate to challenge requests with that key question. It helps avoid what’s referred to as “report creep”.</p>
<p><strong><span style="color: #3366ff;">Alignment To Your Mission</span></strong><br>
Annual goals change; missions are less volatile. Was your risk program aligned with either? Both? How does the configuration and capability of your GRC contribute to your risk program’s support of your company’s mission and goals? One approach you may consider is to list your company’s mission and key goals for the coming year. Then list, based upon your 2021 efforts in cyber and IT risk management, the key risks you determine pose the greatest threats to accomplishing those goals and staying true to the mission. Look at the array. Are there areas where your program has identified risks that are not well addressed, or for which you lack the methods and resources to monitor, evaluate, prevent or remediate those threats should they materialize? There are your “hot spots” for 2022! Would you need assets, features, processes or some combination of them to improve your program’s alignment? This kind of analysis positions requests for resources in the context of the business, bypassing the argument of “professional polishing” of a good program for its own sake. The value of your risk program is in its contribution to your business’s mission and success. This is a way to illustrate where you are, how you contribute (beyond the obvious “keep us safe”), and where and why you want to refine the program from its current state.</p>
<p><strong><span style="color: #3366ff;">Looking Ahead…</span></strong><br>
There will always be new challenges, unexpected events, and situations completely outside your control that you will need to respond to in useful ways. Nobody saw a pandemic coming. Nobody forecast the “great resignation”, and sometime very soon there will be additional events or situations to add to that list. Looking forward, assessing risk potential, and monitoring the trends of malicious behavior by threat actors inside and outside your company is what cyber risk management is all about. But with careful planning, thoughtful maintenance and refinement of tools, processes and practices, and a critical look at emerging new methods such as AI based monitoring and assessment, digital twins, careful third party management, and automated detection tools, you will position your cyber and IT risk management programs to serve your company, its investors, clients and customers well into tomorrow. With a little tailoring, your fit and performance will suit you well, and continue to mature and improve with age.</p>
<p>About the Author:<br>
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.</p>


<p>The post <a href="https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/">When Comes December; Tailoring Your GRC Programs For The Coming Year</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/when-comes-december-tailoring-your-grc-programs-for-the-coming-year/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2750</post-id>	</item>
		<item>
		<title>Moving To Zero Trust—A Process Or A Practice?</title>
		<link>https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/</link>
					<comments>https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 01 Nov 2021 14:12:19 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2739</guid>

					<description><![CDATA[<p>There are few buzz phrases in IT risk and security today with as much clout as “Zero Trust” and “Digital Twins”. Both represent significant departures from legacy practices that comprise much of the planning, design, and activity of current IT risk and security programs for many organizations, large and small alike. In a past posting<a href="https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/">Moving To Zero Trust—A Process Or A Practice?</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>There are few buzz phrases in IT risk and security today with as much clout as “Zero Trust” and “Digital Twins”. Both represent significant departures from legacy practices that comprise much of the planning, design, and activity of current IT risk and security programs for many organizations, large and small alike. In a past posting about the US Government’s efforts to ramp up cyber security, implementing a zero trust approach was a noted priority. Many articles and comments by interviewees online and in the media have mentioned it too. So, what does a zero trust approach look like? Can you purchase it? Implement it easily, without risking bankruptcy? And what about digital twins? Are they involved? What are they? Where do they fit into this buzz-laden recipe? Let’s unpack some of this, demystify the names, and see where we can find some value.</p>
<p><strong><span style="color: #0000ff;">Finding Zero Trust</span></strong><br />When most of us designed and built our “enterprise” networks, regardless of their size and complexity, we shared a common philosophy—secure the boundaries and access through them, and all that’s inside can then communicate freely. This is often referred to as a “castle and moat” approach. It made sense in a world of emerging technical scope and sophistication. It presumed that only people with a want or business “need to know” would seek entrance, and if they did and it were granted, they’d make use of the resources needed to conduct their business and be done. It also meant that security was relatively easy to administer, concerned only with access from outside. For people who worked within the boundaries, all that was necessary was authentication to the network, except for a few designated resources whose management required additional authorization. Changes to the “innards” didn’t otherwise require adjustments to anyone’s internal security; adding devices or resources, such as a printer, a server, or a data store, didn’t require additional authentication or entitlement. We all lived largely that way for some time. But times changed. The internet happened. Remote working happened. Extended boundaries created by logistics, international commerce, third party partnerships and providers happened. Electronic payments, banking, and transactions happened. And grew in volume, ease of execution, and value. And then, of course, the malicious actors followed. We needed something better. The “moat” was too big, too thin, and too oddly shaped—it constantly changed. And the castle wasn’t one asset, but many; each offering an entryway to others of equal value. The secure wall became porous.</p>
<p>Zero trust is a completely different approach. In it each asset requires its own permissions and authentication; it “trusts no one” simply because they ask, or because they are present. Perimeter boundaries are still in place, but within them each and every asset, service, or resource requires proof you have been granted rights to be there. So now security needs to be layered, specific, and discrete. Role-based approaches are an administrative method for simplifying the administration of such an environment. But there’s more. There needs to be a means to enable all devices to challenge access and reject the unauthorized. Further, access to a device may itself be layered: to enable access but not to change data, to print but not to alter the configuration of a printer, and so on. You can see where this is going. And, in a zero trust environment, every device, every asset must require such authentication and permission vetting. And of course, there need to be tools to effectively manage such an environment. The intent is to slow down and minimize the damage a malicious actor might create after gaining entrance through the perimeter boundary. It’s not perfect, but it’s a step forward. And it’s not easy to migrate from one approach to the other.</p>
<p><strong><span style="color: #0000ff;">Migration To Explicit Vs Implicit Trust</span></strong><br />Some pundits offer that the only path forward is wholesale teardowns and reconstruction of the enterprise. Sorry, I reject that approach as unrealistic for almost any size business. Zero trust requires users to prove they require access. For example, this could mean logging into a corporate account with a hardware security key or some other authentication method in addition to a username and password combination, to make it harder for attackers to impersonate users. And even if someone passes the perimeter, access from there is on a need-to-know or need-to-access basis. So, if you don’t invoice clients or customers as part of your job, your enterprise account shouldn’t allow you access to the billing systems. In some firms such access is already restricted for sensitive assets such as client data, billing, etc. In a zero trust scenario, your need-to-access permissions must explicitly cover everything.</p>
<p>Zero trust is an approach to security. It’s a way of doing things, not a product, nor an end result. Despite what some vendors may state, there are no specific “zero trust” boxed products for you to purchase that deliver zero trust upon opening and installing. You still must implement things like device and software inventories, segmented networks, and role based access controls. You still need to replace default credentials that ship with hardware. Access must still be managed and change management practices need to be followed with rigor. You evolve your infrastructure and operation to an increasingly zero trust environment as you make changes, as you grow, as your business matures. Like the human body, you don’t wipe out the circulatory system or replace your muscular structure at once. You alter eating and exercise habits and improve them over time, building one advance upon another, based upon following an approach to health. You need to function while you change. You cannot take a break from existence and service to completely recast how you do business all at once. It’s neither practical, reasonable, nor likely affordable.</p>
<p>Now, a word about complexity. If your “enterprise” is composed of many different companies, each operating with relative independence, but connected through some kind of spoke and hub consolidation to a corporate entity, you may have some additional complexity and opportunity. The complexity comes from the need to create some standard approach to doing like things common throughout each enterprise entity. This is often a human, behavioral and emotional problem to solve rather than a technological one. There are no pat, easy resolutions, but there is value in each success. The path for one will suggest a means for the next. Further, you can experiment with changes in one discrete entity before extending them to others. This supports a phased introduction of zero trust, through stages of “lesser trust” to “almost no trust”.</p>
<p><strong><span style="color: #0000ff;">Zero Building Blocks</span></strong><br />Great, more buzz phrases! This one’s mine (sorry). When you add something new to your operation, a process, asset, or method, try to embrace a zero trust means from the outset. This allows you to create building blocks of zero trust compliance incrementally, ones that are reusable and can be integrated easily with existing systems and with other such “zero trust building blocks”, or “zero blocks” for short. It’s a way of avoiding rework as you progress towards a fully zero trust operating environment. Migrating some aspect of your operation to a cloud service? Great opportunity to build it out as an encapsulated zero block, or assembly of zero blocks. And, as you extend or expand it, create additional discrete zero blocks, building a set of zero trust components you can reapply as you need them going forward.</p>
<p>Thought: Considering a new GRC tool? Make its implementation a zero trust instance. It can then become a zero trust building block you can apply as you extend its scope or expand the platform’s feature/module set wherever used in your enterprise.</p>
<p><strong><span style="color: #0000ff;">And Then There Were Digital Twins</span></strong><br />Digital Twins is a catchy new name for a somewhat older concept. A digital twin is a virtual replica of a real-world asset or resource: a machine, a process like a supply chain, a facility like a factory, or even a complex device such as a car. Virtualization of hardware has been an established practice for a while. Today’s cloud technologies offer the ability to virtualize whole processes, assets, and data stores. This gives you a test environment to model threats, attacks, and the effectiveness of responses. You can even model in the current state of your environment, leveraging recent risk assessment, remediation, and vulnerability data from your GRC. This can be particularly valuable if your risk data is integrated with those from audits, incidents, and regulatory findings—yet one more item to list in the reasons to invest in a GRC platform if you do not already have one. Creating digital twins of key resources and assets in your enterprise would enable your cyber risk and security staff to mimic the behavior of malicious actors and determine the risks and associated vulnerabilities of business processes. Simulations will enhance your understanding of your cyber readiness, letting you modify the complexity of the cyberattack surface based upon your own threat modeling or experience in your industry. They are usually designed to function from use cases. If you have third party suppliers or service partners critical to executing your business model, you could create digital twins for each and explore the impact of attacks or even disaster losses of service. This is a further extension of third party risk management (TPRM), one that would work best if based upon comprehensive data from a robust TPRM process and supporting software, integrated into your GRC, if present.</p>
<p>Many, if not most, environments are far from homogeneous, and the diversity of platforms and processes, particularly in complex extended environments, can be a problem for digital twin developers. The <a href="https://www.digitaltwinconsortium.org/">Object Management Group’s Digital Twin Consortium</a> is working with standards groups including ISO and IEC to help create consistent vocabularies, architectures, and security for digital twin development. They describe themselves as “…a global ecosystem comprising industry, government, and academia. It was founded to accelerate the development, adoption, interoperability, and security of digital twins and enabling technologies.”</p>
<p><strong><span style="color: #0000ff;">Integrating Zero Trust and Digital Twins With Your GRC’s Help</span></strong><br />Migrating your philosophy of security from a “moat and castle” to a “trust nothing” approach requires a process, and patience. It does not happen overnight, and the process will leave you with a timeline of transition or transformation. Since many enterprises are heterogeneous in nature, built up from layers of technology accumulated over time, some systems will be easier to adapt than others. Understanding how your business’s points of vulnerability shift throughout that transition is an important risk management obligation. Digital twins may offer additional data for your risk analysis to help determine where to begin with zero trust changes. And as you establish zero trust components, you could use digital twins to revisit, test, and prioritize your critical areas for attention along the way.</p>
<p>Don’t forget to consider the data in your GRC platform, from risk assessments, audit findings, incidents, regulators’ reviews and comments, internal control and performance metrics, and any other indicators you have vetted and monitor regularly. Also keep in mind that changes you make may impact those third party services and partners tied most closely to your infrastructure. Pay particular attention to the ones with access to internal assets, regardless of the current controls and provisions in place. Note that, from a TPRM standpoint, seemingly subtle and unrelated changes to your processes and methods may create temporary vulnerabilities in unforeseen ways. Finding these is one of the great benefits of digital twins, allowing you to identify and address such anomalies before they create a significant risk.</p>
<p>Between the guidance offered by data from your GRC, and leveraging it to inform the configuration of digital twins, you will have a clear advantage in your efforts to strengthen security and reduce risk while extending the presence of zero trust across your enterprise. Such an approach will help you achieve the migration in both process and control, while managing and minimizing the risks associated with an environment in transition. It’s a worthy effort to explore and pursue.</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p>The post <a href="https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/">Moving To Zero Trust—A Process Or A Practice?</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/moving-to-zero-trust-a-process-or-a-practice/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2739</post-id>	</item>
		<item>
		<title>When Come The Rains, Floods, Hurricanes, Earthquakes, and More</title>
		<link>https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/</link>
					<comments>https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 04 Oct 2021 14:20:53 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2722</guid>

					<description><![CDATA[<p>There is a whole category of threats to cyber risk and security often ignored despite its potential to impose catastrophic disruption and damage—business interruption! We attend to human malice in many forms, and its diverse efforts to gain unauthorized access to secure information, capture control of devices and systems, or perform all kinds of mischief<a href="https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/">When Come The Rains, Floods, Hurricanes, Earthquakes, and More</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>There is a whole category of threats to cyber risk and security often ignored despite its potential to impose catastrophic disruption and damage—business interruption! We attend to human malice in many forms, and its diverse efforts to gain unauthorized access to secure information, capture control of devices and systems, or perform all kinds of mischief and malevolence. All too often we ignore the greatest source of disruption to our daily lives, our achievements and constructions, business and personal—the earth and the weather that envelops everything within it.</p>
<p>Business continuity planning is often met with yawns accompanied by apprehensions over extensive, boring, even pointless detail. “We haven’t had an earthquake in 120 years!” “It never rains heavily here!” “Why are we wasting valuable resources to plan for something that may never happen?” I’ve heard these remarks and many others like them over and again. Then something that’s “never happened before” occurs. And the fingers begin to point, accompanied by voices raised in frustration and a bit of fear, neither of which helps advance anything towards a more positive state.</p>
<p><span style="color: #3366ff;"><strong>Velocity is Key</strong></span><br>Often when we assess risk we think about some formulaic product of likelihood and impact. This sometimes leads us to dismiss high impact events of very low probability as virtually risk free situations. At least, they score so low on the risk scale that they receive very minimal attention, planning, or consideration of any kind. We ignore another variable that completely changes the analysis—velocity! Simply put, velocity is an estimate of how quickly an event, once it starts, will reach maximum impact. Pandemics take a while to get there, but persist. Hurricanes, earthquakes, terrorist attacks, and tornadoes, to name a few, can achieve maximum impact in little time. These events, if they happen, offer little room for thoughtful reaction and response. Only actions planned for and prepared in advance have a chance of meaningfully offsetting the disruption and damage inflicted. Your risk scoring and assessment processes should therefore incorporate velocity. As a suggestion, consider modifying the simple standard</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2726" src="https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LxR-image-Oct2021.jpg" alt="" width="277" height="48" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LxR-image-Oct2021.jpg 277w, https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LxR-image-Oct2021-150x26.jpg 150w, https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LxR-image-Oct2021-272x48.jpg 272w" sizes="(max-width: 277px) 100vw, 277px" /></p>
<p>To one incorporating velocity</p>
<p><img loading="lazy" decoding="async" class="alignnone size-medium wp-image-2725" src="https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LV-image-Oct2021-300x48.jpg" alt="" width="300" height="48" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LV-image-Oct2021-300x48.jpg 300w, https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LV-image-Oct2021-150x24.jpg 150w, https://www.doublechecksoftware.com/wp-content/uploads/2021/09/LV-image-Oct2021.jpg 360w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>If you are using numeric scales to assign likelihood and impact, simply extend that practice to velocity too. For those who prefer visual representations of data, the traditional two-dimensional heatmap can be transformed into a three-dimensional one that might look like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2724" src="https://www.doublechecksoftware.com/wp-content/uploads/2021/09/Cube-Oct2021.jpg" alt="" width="181" height="170"></p>
<p>Doing so will yield a more accurate determination of the risk posed by low frequency but very high impact events that may result in significant disruption to normalcy.</p>
<p><span style="color: #3366ff;"><strong>Continuity, Recovery, It’s All In The Planning</strong></span><br>Business continuity planning came to the forefront early in the COVID pandemic. While some businesses’ operating models already encouraged remote working, and the infrastructure was in place, for many others it was an uphill sprint to figure out how they could operate and then set up the means to do so. After-the-event planning and execution is always more expensive. And it’s hard to measure lost opportunity and business. But the costs are real. When the interruption results from a disaster, such as may be inflicted by extreme weather events, it’s even more complicated.</p>
<p>Disaster recovery is different from continuity planning. In a disaster you have likely lost key physical resources, infrastructure, and possibly even data, on top of the potential loss of services from key staff and leadership. So, in addition to replacing the means to work, or switching to alternative operating practices, suppliers, etc., you may also be dealing with succession chains for key personnel, skills, knowledge, and expertise. And you may be doing this in an unfamiliar environment where basic services are absent or unreliable, and which may be unsafe for indeterminate periods.</p>
<p>The point is that while such planning is complex in nature, wide in scope, and best done thoughtfully before there’s a need to put it into action, your risk management process has a significant gap if it is left undone. It’s also important to note this is not just about writing a plan, putting it in a binder on a shelf, and dusting it off annually for a tabletop review before re-shelving it. It touches almost everything you do, and certainly can be a component of many basic aspects of your risk planning and operation. As already noted, it can touch your staffing, location, technology infrastructure, supplier and partner choices, and more.</p>
<p>Here’s a short list of questions (security and risk related, of course) that should be addressed in your planning. This is by no means complete, but a useful sampling:</p>
<ul>
<li>Are your facilities (and perimeters, if enclosed) secure if the power fails?</li>
<li>What communications tools used to reach staff, their families, and critical services will survive an event?</li>
<li>When was the last time you successfully tested a backup by trying to restore a device from it?</li>
<li>Are your systems and data safe from a sudden local loss of connectivity and/or power? For how long? How do you know?</li>
<li>Do you have a succession plan in place with designated alternates for each key position and skill?</li>
<li>Do you know what roles are key, what skills or knowledge is key, and who has them? Do you know where they are?</li>
<li>Do you have alternate sources for goods and services provided by your trusted third parties? Do you know and examine their own preparedness as part of your third party risk management (TPRM) process? (Hint: if they exchange data with you, or have access to your infrastructure, this is critical to your risk management planning.)</li>
<li>How does your management of operational infrastructure (data, software, processes, and hardware) determine when to engage continuity practices, who initiates disaster recovery and how, and what authority is assigned to whom for what?</li>
<li>What cyber specific practices are in place to protect possibly exposed or weakened assets during recovery?</li>
</ul>
<p>As you can see, the scope of content ranges far and wide throughout your organization. It requires a thorough understanding of what and who are important, essential, and require strategy and planning to assure they remain or regain presence in your company when events require them. Examining your business, making these determinations, crafting and implementing plans to address each aspect is not an overnight task. Even once created and implemented, the plans and processes require periodic testing where feasible, and review to assure they remain valid and current.</p>
<p><span style="color: #3366ff;"><strong>Resilient Security In A Remote Operating Environment</strong></span><br>Having a workforce that is a mix of onsite and remote presence is a challenge and an opportunity. Significant weather, malicious, or geographic events may be centered in a specific location, limiting their impact. Or, they may target a critical piece of infrastructure, impacting the ability of staff to access remote data or processes. From a cyber risk perspective, there’s a lot to consider. For example, how resilient are your monitoring tools and perimeter defenses? Would they still be functioning in the event of a significant disaster? If not, do they dynamically transfer control to some cloud-based service hosted in a geographically different, and therefore unaffected, locale? If not, how would you regain control of your perimeter defenses? And monitoring? And any tool you use to analyze what they discover and take corrective action? Would you be completely vulnerable to cyberattack in addition to whatever event led to your weakened security?</p>
<p>Your remote workforce likely has whatever security controls and services you offer largely localized to the devices they use. But some of those devices might be lost or left behind in an emergency evacuation. Can you remotely disable them? Are they even registered with you, so that if you had tools to do so you could try? Are all portable data storage devices encrypted? Are staff well informed of what to do in case of emergency, so they can react without thought, having planned for an event when their first concern is going to be the safety of family and self, not your hardware or data assets?</p>
<p>Cloud-based services offer solutions to address some, if not many, of these needs. By off-loading the hosting of cyber security tools and services you can establish a level of resilience and rapid recovery from significant, even disastrous, events. Cloud services, often by intent and design, operate across geographically dispersed locations to sustain service continuity in the event of an incident at a specific site; AWS’s “availability zones” are an example of this concept, and other cloud providers offer similar location diversity. Such cloud-based services could be used to keep those perimeter monitors and other security protections in place even in the face of a local disaster. They could also host some of the tools remote workers might employ to keep assets safe throughout any evacuations or relocations.</p>
<p><span style="color: #3366ff;"><strong>And Then There’s Your Third Parties</strong></span><br>As part of your planning, don’t forget to examine the readiness of your most important third parties. First, you need to determine which ones are critical to your own business. That should already be a component of the early vetting of prospective candidates in your third party risk management (TPRM) process. In evaluating their own security preparedness, include a review and understanding of the provisions and planning they have to sustain service to you in the event of disruptions. Asking whether they have a business continuity or disaster recovery plan is not enough. Ask about the frequency of testing for key components. How do they protect your data if they have access to it? Do they have backup power, and if so, how often has it been tested? See if they have any related findings from their own SOC reviews or other assessments of their controls and capabilities. Remember, tabletop reviews of plans, by themselves, are not adequate preparations for such events—they are a foundation, but not a fully implemented or operation-ready feature. Third party business continuity and disaster recovery efforts are as important to you as their availability to deliver. If they are vital, but not sustainable, be sure you have a quality alternate identified that can step in for the duration of any disruption. Review and reconfirm that alternate’s willingness and capability at least annually.</p>
<p><span style="color: #3366ff;"><strong>Leveraging Your GRC</strong></span><br>As you may suspect, reviewing these plans and controls, internal and external, is well supported by a comprehensive GRC platform. If it incorporates TPRM, then the vetting and evaluation of third party suppliers and partners can directly feed into your overall risk assessments and cyber risk evaluations, including planning for the coming year. This kind of data sharing across modules within a GRC is one of the data-leveraging powers that these platforms offer. They reduce the time needed to incorporate input from related processes, and eliminate duplicate efforts and redundant data collection and entry. As a result, findings and recommendations are based upon a consistency and completeness greater than a series of individual efforts may deliver on their own. They help assure context as well as content, and foster a trustworthy foundation for executive actions.</p>
<p><span style="color: #3366ff;"><strong>So, When It Rains…</strong></span><br>The rains and floods and other incidents may come now, and perhaps even increase in frequency in years to come. But reasonable planning and care for the kind and placement of resources, plus establishment of methods to monitor the effectiveness of your actions, can prepare you to weather those storms and incidents, keeping your company off the list of unfortunate casualties of catastrophe or malice at any level. As always, your choices and actions are the determinants of your future. Manage your risk wisely.</p>
<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p>The post <a href="https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/">When Come The Rains, Floods, Hurricanes, Earthquakes, and More</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/when-come-the-rains-floods-hurricanes-earthquakes-and-more/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2722</post-id>	</item>
	</channel>
</rss>