Written by Richard Blanford, CEO, Fordway
As organisations adapted to new ways of working during the pandemic, they opened themselves up to new information security risks. Some were quickly resolved, while others resulted from criminals incorporating COVID-related issues in ‘traditional’ scams. However, some risks have not yet manifested themselves, and may not become clear until much later. To quote Warren Buffett: “Only when the tide goes out do you discover who’s been swimming naked.”
With home working increasingly integrated into routine working, organisations now need to review whether they have appropriate governance and compliance in place for the long term. They require policies and processes that will provide assurance that data is secure, maintain customer trust and protect the organisation’s reputation. These need to be integrated across all channels to ensure nothing slips through the gaps.
Getting this right means first understanding that information security issues are not just IT risks but business risks. Tackling them requires the support and commitment of the board and senior management.
Assessing Risk Appetite
Organisations should begin by classifying and prioritising the risks they face and assessing them in the light of their own Risk Appetite. Defining Risk Appetite requires a full understanding of the organisation’s assets, threats and vulnerabilities, i.e. the impact on its activities if a risk were realised. This means considering:
- the organisation’s ethical stance and culture
- the legal and potentially moral frameworks it operates in
- the organisation’s security operations and requirements, which will depend to some extent on the sector in which it operates.
A measure of an organisation’s Risk Appetite could be the threshold value above which it treats each of the risks identified as a potential disruptor to operations, or the approval mechanisms in its change management.
When organisations understand their Risk Appetite, decision-making becomes simpler because leaders understand the parameters within which they operate. This enables them to make informed choices about where to invest to protect against the most critical risks to their business and where, with respect to security, they can realise value. By understanding which risks are most relevant to their business, they can implement systems and processes to actively manage them without restricting innovation and collaboration.
For example, patching is a key aspect of protecting against cyber risk, but should it be done weekly, or is monthly sufficient? Does a weekly process provide significantly greater benefit for the additional cost and time required? Being too averse to risk can be extremely costly, but too few controls can put an organisation’s reputation, and potentially its very future, in jeopardy.
With potential risks identified and classified, and organisational Risk Appetite agreed, the next step is to develop appropriate policies to manage the highest rated risks. These might include both corporate values and behaviours, which frame how staff operate, and the processes required to carry out day-to-day operations. In developing them, organisations need to assess how their users work and how new ways of working can be aligned to organisational strategy without compromising security. For digital risks the ITIL framework for service management can assist; the recently released version 4 has been updated to better address security, cloud computing and digital transformation processes, all of which will help organisations make change at pace while maintaining integrity.
How good governance and compliance increase credibility
Having defined policies and procedures, organisations should apply governance to review their compliance to these policies. This is not a one-off activity but requires continual monitoring, reporting and service improvement to steer the organisation in the right direction. Governance is not about ticking boxes but means actively understanding and managing risk through reviewing how the organisation operates, thinking about the impact of actions, and establishing and following appropriate policies for those actions. Compliance then sets out how the organisation shows that it is following the policies it has defined.
Governance and compliance are often seen as an organisational burden – a means of ensuring that an organisation meets the regulatory and legislative standards of the environment it operates in. However, they should be considered as a statement of organisational values and an investment in future growth, as well as an integral part of risk management strategy. They are a vital part of ensuring that an organisation moves in the desired direction.
Proof of effective governance and compliance can be used to increase an organisation’s credibility and enable it to respond to changing markets while providing assurance to its customers – particularly if the organisation demonstrates compliance to external, audited standards.
There are also internal benefits. Operating best practice policies and processes that are externally audited will generate internal confidence, improving morale and increasing staff retention. External certification will reduce cyber insurance costs, in the same way that having effective, tested business continuity plans reduces insurance costs in the event of a disaster.
However, done badly, compliance frameworks can become overbearing and inhibit agility. They should be constantly reviewed to ensure that they meet changing organisational needs.
The need for buy-in
Implementing effective governance and compliance to embed effective risk management requires support and buy-in throughout an organisation. It requires a team comprising different levels of capabilities to plan, design, build, operate, monitor, react and improve. Some of these skills may not be available in-house, particularly in smaller organisations, so this may mean engaging external organisations to supplement internal knowledge. This could include an initial audit to assess the current situation; support for implementing specific systems where the organisation does not have existing in-house expertise; and working with experts on specific standards and regulations which the organisation would like to achieve.
All staff should be trained so that they are fully aware of their responsibilities, the threats that exist and the importance of complying with the correct processes to reduce risks. This means putting in place cyber security training and awareness, with acceptable use policies linked to HR policies.