For many years, compliance and security professionals viewed threats through a strictly technical lens. Although cybersecurity threats still require technical solutions, treating them solely as technical problems to be solved by IT pros and security engineers is no longer sufficient in today’s increasingly complex risk environment.
Today, a security incident creates risk well beyond the security team. A successful ransomware attack, for instance, is not just a security problem for the organization that was breached. The organization may also have violated privacy laws in several jurisdictions and breached its contractual obligations to protect customers' data. Meanwhile, normal operations grind to a halt while the affected systems are taken offline and the damage is contained, causing customer frustration and lost revenue.
Compliance and security teams have historically been quite reactive.
To get out of a state of constant reactivity, and to address IT risk systematically while adding business value, compliance and security teams need to solve a governance challenge: CISOs and compliance leaders need to develop a cross-functional, controls-focused governance approach.
What is Cyber Governance?
Cyber governance is the way in which an organization manages and responds to IT, cybersecurity, and data privacy risks.
Typically led by the CISO but also involving stakeholders across an organization, cyber governance helps an organization deal with security and data privacy risks at scale via the strategic management of people, policies, processes, and technology. Modern governance programs need to be strong in:
- Third-party identification — Who are these parties? Why are they present? What data of yours do they access?
- Security risk assessment — Understand specific new threats, as well as persistent, systemic weaknesses, such as an inability to map all your critical data.
- Policy management and security education — Ensure that employees know how to handle systems and data securely, including while working remotely, and that third parties know what is expected of them.
- Documentation — Keep track of attestations and audit evidence that might be needed in reports to senior management or external parties.
- Reporting — Easily brief the board on risks, meet regulatory compliance burdens, or even convince a prospect that your business is trustworthy.
To be successful, a cyber governance program needs to be cross-functional — it is difficult to proactively prevent many security issues without support from across the organization.
The Shift to Controls-Focused Compliance
For years, compliance professionals asked their business stakeholders, “How are we meeting requirements X and Y from this regulation?” But business stakeholders often struggle to see how regulatory requirements map onto the processes they actually operate. This causes friction between teams and ultimately leads to inefficient or incomplete compliance and security work.
Compliance professionals who want to speak the same language as their business stakeholders have realized that they need to stop talking about requirements and start talking about controls. A control is a specific policy, procedure, or activity that a business function performs in order to meet a compliance requirement and mitigate a risk. Effective cyber governance is effective management of controls. For instance:
- Are controls implemented over our highest-risk business processes and over the digital entry points attackers are most likely to use to break in?
- Are these controls clearly documented? How would we prove to an auditor that the controls are operating effectively?
- Is every control owned by a specific team or individual?
- Do these teams/individuals know exactly what they’re responsible for?
A Dec. 2021 survey conducted by Hyperproof found evidence that many tech companies have already made a shift to a controls-centric approach to meeting their compliance obligations. Consider the following findings:
- When asked “How does your organization deal with regional variances in data security and privacy regulations?”, 57% of all respondents said they use a Common Controls Framework (CCF), which aggregates and rationalizes the compliance requirements from different laws and regulations into one set of controls that organizes their security and privacy risk management practices. This approach streamlines compliance efforts and reduces duplicated work from one audit to the next.
- When asked “How would you describe the actual testing of controls within your organization around security and compliance?”, 56% of all respondents said they’re testing all controls.
- Half of all surveyed organizations are using a combination of methods on a regular basis – including external and internal audits – to monitor the efficacy of controls designed to mitigate IT risks.
How Does a Controls-Centric Cyber Governance Approach Add Business Value?
The shift to controls-focused compliance is already happening across the industry. While taking this approach might be a challenging transition for some, in the long run, it could support organizations by increasing business value in the following ways:
- Achieve regulatory compliance more easily — With stakeholders across departments managing controls (rather than all the work falling to the compliance function), meeting regulatory requirements becomes easier and more efficient.
- Better understanding of control operations — By focusing on controls, compliance teams have a clear, real-time understanding of how controls are operating and whether key risks are being adequately mitigated.
- Less evidence collection work — When you rationalize and streamline your set of controls (e.g., identify the key controls that satisfy multiple compliance requirements) and then use a software tool to provide instructions to control operators on how to operate controls, you’ll have less evidence collection work to complete. An added bonus — this will free up line-of-business employees’ time to focus on other high-impact work.
- Being ready for a spot audit at any time — When evidence of control activity is collected and reviewed continuously (via integrations between compliance operations software and the organization’s existing IT and operational systems), the organization can be ready for an audit at any time.
- Better risk management through closer alignment of risk management and compliance activities — A control is the object that ties a risk to the compliance requirements it helps satisfy. If you link each existing control to the risks it is meant to mitigate and set up continuous controls monitoring, the level of risk your organization actually faces is monitored on an ongoing basis rather than only at audit time.
How Hyperproof can Support You in Building a Controls-Focused Compliance Program
Interested in cyber governance with a controls-focused approach? Our Compliance Operations platform can help you to get started today.
- Standardize evidence collection: It can be exhausting having to repeat the same instructions to control operators over and over again. With Hyperproof, you can create Tasks that inform people how to operate a control, show examples of what “good” evidence looks like, and dictate when “fresh” evidence needs to be submitted.
- Assign controls and define cadences for control monitoring: Hyperproof makes it easy to distribute control management work to individuals and teams best suited to do that work. Control owners can see all controls and their health in real-time within our platform.
- Automate evidence collection with Hypersyncs: By utilizing Hypersyncs — our automated proof collection feature — you can effortlessly collect evidence from many of the cloud-based apps and services you already use.
- Set up a continuous controls monitoring system: Once Hypersyncs are set up to automate evidence collection, you can then set up tests on specific pieces of evidence to run automatically and configure Hyperproof to generate notifications to alert your stakeholders when a control test has failed.