The risks around poor cybersecurity are rising; that’s not news. Corporations have struggled for years with a growing number of attackers trying to penetrate their IT systems, and with ever-increasing regulatory compliance demands that they keep customer data secure from those threats.
Those dual pressures, related but still distinct, have increased so much in recent years that as a practical matter they’ve fused into a single, heavy burden for compliance officers and senior management teams alike. So, perhaps the most effective strategy is to fuse the efforts of compliance officers and senior management in return.
At least, that’s one conclusion that jumps out from Hyperproof’s 2023 IT Risk and Compliance Benchmark Report, released in February. Yes, effective GRC technology is important to successful compliance (that will never go away) — but more companies are reforming how people use those GRC systems, too. They are pushing for more cybersecurity awareness in the boardroom and across the C-suite.
That shift will have profound implications for compliance officers. Exactly how and why is it happening? That’s worth a close look.
Why Technology Alone Can’t Solve Everything
Let’s first remember that technology itself doesn’t respond to evolving risks and regulatory requirements; people do. The question is how people use technology to respond to those evolving demands.
For far too long, corporate leaders left compliance as an afterthought in their decisions about strategy and operations. The decisions were set first, and then the compliance team had to figure out the best way to meet the company’s regulatory obligations. More than a few companies took the cynical approach of ignoring compliance and then paying whatever monetary penalties came along as just another cost of doing business.
Lately, however, the world of cybersecurity has changed so much, especially in matters of liability for compliance violations, that the “afterthought approach” is no longer tenable. Take these key findings from the survey, for example:
74% of companies surveyed by Hyperproof had experienced an audit finding related to third-party risk management that they couldn’t promptly resolve. Third-party risk comes from your supply chain; compliance and cybersecurity teams can’t tame that risk alone. They need to coordinate with operating business units to establish and maintain a safe supply chain.
How Legal Teams Collaborate with CISOs
In 2022, former CISO of Uber Joe Sullivan was criminally convicted for mishandling a data breach the company suffered in 2016. The prospect of CISOs going to prison for mishandling a data breach has jolted the security community. Indeed, 33% of survey respondents said that in the wake of that verdict, their company has made changes to how the legal team works with the CISO to protect the company.
Changes to the Org Structure
Numerous regulators — the Justice Department, the Federal Trade Commission, and the New York Department of Financial Services, to name a few — are now pushing for compliance officers to personally certify the effectiveness of their compliance programs as part of a regulatory settlement. Sometimes the CEO must co-certify with the CCO; other times it’s the CCO alone.
So, the legal landscape is becoming more perilous for companies that don’t take compliance seriously. However, at the same time, it’s becoming easier for other parts of the enterprise to “escape” the policies and procedures you have. For example, rogue employees might set up shadow IT systems, onboard new vendors without proper vetting, or begin collecting confidential data without first implementing necessary safeguards. When compliance is treated as an afterthought, it becomes easier for employees to act recklessly and increase the company’s risk.
The most effective course of action, then, is to integrate compliance and security concerns into the company’s strategic planning and business decisions. That will still require powerful GRC technology — but it will also require consensus within senior management and a strong, responsive, security-aware culture.
Culture Requires Leadership — and Data
If companies want to integrate compliance, risk management, and business strategy into one durable fabric, that starts with the board. Companies need board directors who understand cybersecurity and how to set business objectives that consider cybersecurity risk.
The good news is that’s happening: 85% of survey respondents said their company has a board member with cybersecurity expertise; another 14% said they plan to make sure that their board has cybersecurity expertise in 2023.
Still, the board only sets priorities and affirms business objectives. Management plays the crucial role, implementing a business strategy, backed up by policies and procedures, that keeps cybersecurity front of mind for the entire organization.
That means senior management needs to forge close ties among the CISO, legal team, and other “Second Line of Defense” functions such as procurement or the finance department. The CISO also needs to work closely with operating units in the First Line of Defense; without their support, all the policies and procedures you implement to improve risk management could well come to nothing — the dreaded “paper compliance program” that everyone ignores in practice.
For example, 51% of survey respondents said they struggle with identifying critical risks to prioritize remediations. That is the result of weak collaboration, where compliance officers are trapped in organizational silos. They don’t have sufficiently strong relationships with other parts of the enterprise, and they don’t have access to the best, most informative data that can help them understand what the company’s most critical risks are.
To break free of those silos, compliance officers need two things. First, they do need that strong support from the board and senior management, to show the rest of the enterprise that cybersecurity is a critical priority. For example:
- Make the CISO a full member of the executive management team
- Have the CISO report to the board on security and compliance matters regularly and directly (not via a report passed along by the CEO or general counsel)
- Let the CISO set performance targets for good cybersecurity hygiene, rolled out to employees across the enterprise and third parties down the supply chain
Second, however, compliance officers also need data — complete, accurate, relevant data that can help the compliance officer understand risk and assess the effectiveness of compliance.
Which brings us back to the need for strong GRC technology.
How Technology Helps the CCO
Better GRC technology can help the compliance officer in several ways, both practical and strategic. Let’s start with the practical.
First, it can automate tedious risk management tasks such as vulnerability testing, patch management, intrusion detection, and penetration testing (to name only a few). Right away, this alleviates at least some of your compliance burdens. For example, the EU General Data Protection Regulation (GDPR) requires pen testing; if your GRC tech stack runs the tests automatically, that’s one less demand on your time.
That’s the whole point of automation: it both strengthens your cybersecurity operations and frees up the time of your security personnel to focus on more sophisticated, value-added tasks such as policy development or control design.
Strong GRC technology also allows for better reporting. For example, it can generate alerts about serious incidents more quickly, so the company can activate an incident response plan. Automation also identifies gaps in your cybersecurity program more quickly and clearly: say, which suppliers are failing to meet your security requirements, or how many employees failed a phishing test.
Armed with such insights, a compliance officer can then have better discussions with the management team — and that’s the strategic advantage of strong GRC capabilities. They allow the compliance officer to show, clearly and quickly, where the company’s security risks are. They also let the compliance officer show how well the company’s compliance practices or remediation measures are (or aren’t) working.
That fosters precisely the collaboration between compliance and senior management that is necessary to survive in today’s highly regulated, highly risky landscape.
Remember the Goal
The goal is a company that’s agile and responsive to changing conditions.
Sometimes those changing conditions will be new regulations that require changes to business processes. Other times, they will be evolving external threats that force the company to scramble and activate incident response plans. And at still other times, your company might change its own operations, with consequences that cascade through your risk profile and compliance program.
Compliance officers can no longer tackle any of those challenges while working in isolation, let alone all three. Corporate boards and senior management teams need to take a new approach that integrates the CISO and the compliance program into the heart of business operations — and CISOs will need strong GRC capabilities to put that collaboration to the best use possible.