How COVID-19 is Changing Compliance Operations and How CISOs Should Respond
If CISOs need just one example of how COVID-19 makes corporate compliance harder to achieve, consider the mundane task of identifying all the devices on your network.
Performing that chore was difficult enough before coronavirus came along and forced businesses everywhere to scramble. Workers were sent home by the tens of millions, without much plan for how we’d maintain cybersecurity under such a radically different work environment.
How do you identify all those new assets tapping your corporate network and data? What’s the right mix of policy and training for employees to think carefully about security, versus security controls that block new devices?
In many cases, nobody knows. CISOs, business leaders, and boards are improvising those answers every day.
That’s the challenge that COVID-19 presents for compliance today, several months into the pandemic. CISOs are confronted with how to wrestle those hurry-up decisions from earlier this year into a sustainable compliance program — because we’re likely to live with COVID-19 for many months to come.
Addressing those compliance challenges won’t be easy. CISOs face a triple whammy of more external threats to address, more internal uncertainty to resolve, and in many cases, fewer resources to do the work.
COVID-19 has created, frankly, a perfect storm of economic pressure and operational disruption. To prevail, CISOs will need every bit of compliance proficiency they can find.
First, Strengthen Your Risk Assessment
Every compliance program rests upon a solid risk assessment, so security teams should devote plenty of time to thinking about which risks Covid-19 changes for your organization, and how the virus is changing them. For example:
- External threats. Covid-19 is a bonanza for hackers looking to infiltrate your network. They are stepping up everything from Covid-19 inspired phishing attacks (“Click here to read about lockdowns in your area!”), to business email exploits, to network penetration attacks.
- External demands. As attacks against corporate data increase, regulators and business partners will want more assurances that your organization has its privacy and data security processes in order.
- Internal configuration changes. Employees working remotely might be accessing your data using new devices, on unknown networks, with applications you never authorized.
- New operating procedures. Even if employees are using authorized devices on authorized networks, how they use IT systems might change — say, cutting and pasting data from one application to another, or leaving user access controls valid even after someone has been laid off.
In other words, Covid-19 will create new risks that your business might not have had to worry about before; and it will change the number of existing risks, perhaps to the point that those risks now exceed whatever controls you previously used.
CISOs will need to think expansively about risk assessment because we are only in the first few months of what is likely to be a long period of life with coronavirus. Risks we identify today might not last long, and new risks might emerge next quarter that nobody is anticipating today.
What does that mean in practice? For starters, review any risk libraries you use to see how those libraries reflect the new reality coronavirus is forcing upon us. Work more closely with other parts of the business to understand how those employees and operating units are responding to Covid-19. Consider going through risk assessments more than once a year, because coronavirus is not a threat that stays still.
Second, Consider Mitigation Challenges
Even as you develop a more comprehensive and rigorous risk assessment, other questions will emerge. Chief among them: how much mitigation is enough?
After all, if Covid-19 is changing the inherent risk that your business faces (more cybersecurity threats; more vendor risk; more IT configuration complexity), that has implications for the residual risk your business is willing to accept. Some processes might need more internal control because the risk has increased. For others, those additional steps might not be worth the expense.
In the ideal world, your board of directors would guide the answer to this question, because the board’s responsibility is to set risk tolerance levels for the organization. Here in the real world, however, boards might not have any good answers; most were as unprepared for a global pandemic and ensuing recession as everyone else.
Along similar lines, a standard principle of compliance is that the business unit owns the risk, rather than the compliance function; the compliance function is just there to help the business unit manage the risk wisely and appropriately. But how well can that principle apply today, where COVID-19 is changing risks so widely and rapidly?
So as CISOs consider how much mitigation is appropriate, the importance of communication and collaboration will soar. Everyone will need to work together to identify business objectives, acceptable risk, and appropriate mitigation — because, honestly, we’re all making this up as we go along. (For example, we recently had a post about CISOs reporting to the board on security, and framing that exercise as an ongoing conversation about security issues. Covid-19 only makes such an approach more urgent.)
Third, Develop a Sustainable Compliance Plan
As you develop a better sense of what mitigation is necessary, next come the practical challenges of building a sustainable compliance program — one that can monitor these new risks effectively, test and document controls as necessary, and guide remediation efforts. So what priorities become more important in this phase?
First, focus on automation. The more compliance processes you can automate, the better. Automation frees up the time you’ll need for more complicated tasks and preserves resources in a budget-constrained environment.
For example, you can automate reminders that go to business executives to test or execute a certain control; and automate alerts to you or other compliance officers when that work isn’t done in a timely manner. Results of those tests can be fed into standard reports or risk dashboards to let you see and report security compliance quickly.
Second, focus on integrating compliance into operations. One considerable threat is the risk that some parts of the business change their operations without telling the compliance team, so existing internal controls no longer fit their original purpose.
For example, the company might lay off employees and neglect to tell the security team, so user access controls might remain valid when they should be deleted. Or the company might begin processing certain transactions on new apps, exposing confidential data to vendor risk. In both cases, the security risks there are well understood and can be controlled. The true risk is poor integration that leaves the security team isolated from the company’s changing risk profile.
Third, focus on documenting your responses. Any policy changes you make or new controls you introduce should be documented and organized in a central, secure location, so you can demonstrate the company’s attention to Covid risks to other parties — auditors, regulators, customers, or consumers, for example.
The more quickly you can provide such documentation, the more quickly you can soothe skittish customers, answer regulators’ questions, and prove that your business takes a thoughtful approach to risk. In the era of COVID-19, that ability is more important than ever before.
Get the Latest on Compliance Operations.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.