IT and GRC – A Solution to the Gap at the Top?

Sound practices in Governance, Risk and Compliance (GRC) are the key to engaging senior management in cyber security planning.

This is the key conclusion from recent consideration of cyber security risks by IT giant IBM and by attendees at forums in London and New York run by the Alternative Investment Management Association (AIMA).

Earlier this year, IBM released a study on corporate cyber security from the perspective of the boardroom and c-suite executives. The study crossed industries and geographies.

The key take-away was that while the top level of corporate employees regarded cyber security as a priority, their understanding and knowledge of the nature of threats was behind the curve and appeared to reflect received wisdom from popular culture.

The majority of respondents to the study saw rogue individuals as their greatest threat, when over 80% of attacks are perpetrated by criminal organisations which are run, to all intents and purposes, as businesses in themselves. Competitors were given an inappropriately high weighting as potential threats, when it is a firm’s suppliers that have traditionally been a popular attack vector.

A similar disjunction was displayed in response to an informal opinion poll run at a recent AIMA forum, Sound Practices for Operational Risk. When delegates were asked what managers should do to protect against cyber risk, the London forum majority stood behind cyber risk training; anecdotally, the New York forum supported the hiring of specific staff (hackers) and stress-testing.

These two examples indicate an education issue at senior management level, and without senior management support, IT departments or teams can find it an uphill struggle to gain the necessary funding or to police the behaviour of more cavalier senior employees.

It is likely the problem is more pronounced in small firms where resources are lower, or in owner-managed entities where there can be barriers to spending on perceived low return items.

The cyber security risks and the lack of understanding extend beyond the office. The growth of remote working and home working, involving home offices, mobile phones and tablets, is a further risk. Devices that are often bought and owned by staff may save a firm money in the short term, but they come with little IT control over their use.

Further, this vulnerability will tend to correlate with senior employees who can demand the flexibility new technologies give them, without necessarily accepting the security risks they raise and the greater access to sensitive information they, as senior employees, possess.

European regulation is moving on cyber security through the Network and Information Security Directive, which will be directly relevant to “operators of essential services”, and whilst this will undoubtedly place cyber security onto board agendas at larger companies, it does not directly apply to many smaller firms where risks are potentially less well understood.

However, the problem is often greater in smaller and owner-managed firms. Other than complying with the regulations imposed, how can a smaller firm start to address this management and IT divide? Perhaps one answer could be found within Governance, Risk Management and Compliance (GRC) techniques.

By looking at the structure, direction and management oversight of the business (governance) in conjunction with ensuring that the risks the business runs to achieve this are within bounds (risk management) and resultant policies and requirements are adhered to (compliance), the business is viewed as a coherent whole, with IT and cyber security naturally fitting into the model.

By bringing together the previously separate and siloed functions of corporate governance, risk management and compliance into a coherent whole, all stakeholders can engage within the same forum under a common dialogue. This is the essence of what is known as Enterprise-wide Risk Management (ERM). It is a three-dimensional approach to identifying and managing risks that pose a threat to the business.

The process should result in drawing the IT function into senior management discussions where previously it has been seen as a service or outsourced function. The process should also result in IT departments or teams engaging in a less-technical manner with other areas of business.

A further happy circumstance is that most IT departments will have run their own forms of GRC internally, from the governance of upgrade and deployment planning, to the risk management involved in delivering reliable and uninterrupted service, and finally to the policies and permissions ensuring compliant user behaviour.

Cyber criminals are generally very well organised, often behaving with the discipline and skill of a successful business. They seek and exploit gaps in a firm’s defences. One of the most significant gaps is a lack of understanding and coordination between senior management and its IT department or team. Good GRC practices, involving dialogue and joined-up policy, processes and procedures, can ensure that such risk is minimised.

For more information on GRC and its application to cyber security issues, please contact Complyport below or view our Governance, Risk and Compliance (GRC) services page.