GRC Maturity: Results + Reach = Value

Today’s business environment is fraught with risk. Economic, technology and market conditions affect organizations on a daily basis. The constantly “changing risk landscape” is a discussion point in headlines, industry forums, media outlets and board rooms. We are moving to a world where risk management will become the primary source of competitive advantage. Rather than avoiding risk, organizations need the ability to embrace risk with confidence.

Risk management will become the core capability which separates winners from losers. Organizations that understand and manage risk effectively will prosper, while those that cannot will fail. Success starts with the ability to manage operational risk in a manner that frees up resources to focus on the company’s long term, strategic objectives. This does not happen overnight.

Executives need relevant, up-to-date information to pursue the right opportunities. But they also need a balanced approach to managing the major risks facing the organization, one that gives them the insight to make the right business decisions, address risk and explore new opportunities with predictability. A governance, risk and compliance (GRC) program is the backbone that keeps the organization prepared to manage issues and reduce risk. A GRC strategy that focuses on sharing data, leveraging processes and breaking down organizational barriers builds efficiencies across the organization to transform compliance, manage risk and exploit opportunity.

Whether executives like it or not, all risk and compliance functions are expected to add value to the organization. These days, you cannot invest in anything that does not bring value to the company. Risk and compliance functions are no different. You can gauge your GRC program’s value by two simple measurements, and the first is results. GRC programs are expected to drive a constant increase of effectiveness in managing risk and compliance. The second measurement is reach. As the risk and compliance function matures, ideally it protects more and more of the organization. These two factors, as they increase, are key measurements of the risk and compliance function and how it brings value to the organization.

Organizations are looking to improve their results and expand their reach by maturing programs beyond check-the-box compliance. They must mature from first meeting the company’s compliance obligations, progressing to managing risk and, ultimately, reaching the point where the organization can use compliance and risk as a competitive advantage, truly bringing value to the organization by helping drive opportunity.

I invite you to join me at ISACA’s 2015 North America CACS conference to explore this topic in more depth in my presentation titled “GRC Maturity Models.” I hope that these ideas will help you find conversation tools that help you determine your path to a mature, sustainable GRC program that helps fuel your enterprise toward opportunity.

Steve Schlarman, CISM, CISSP
GRC Strategist, IT and Security, RSA, The Security Division of EMC

[ISACA]

What Is a Security Expert?

I’ve been called a “security expert” many times and I’ve heard many times other people around me called the same.

The reason I am writing this article is that I am frustrated by how some security experts are seeing and implementing security in their everyday jobs.

But let’s start at the beginning:

What actually makes someone a security expert? Or, when does someone become a security expert?

The first thing that comes to my mind is, of course, his or her level of knowledge in this area. The more he knows, the better. I guess that things like certifications in IT security, articles written and books published count.

Some practical, “in the field” experience should also be an important factor.

But is it enough to just be able to get a job done properly? Getting the job done properly usually translates to “make the system as secure as it can be”. We all know that this doesn’t mean anything these days, because anything you do is only valid for a very short period of time.

What about communication? It is no secret that the biggest problem with IT security in companies is that security people sometimes do not do a good job of “selling” security to those on the board. Often, the consequence is that companies take security seriously only after it is too late. Fortunately, according to surveys reported by various media sources, security topics are now more often on board meeting agendas. This is good, because it helps us become proactive rather than reactive.

This phenomenon applies to the large mass of consumers as well: they also don’t take security seriously until it is too late. However, the reason for this is a bit different than in companies. Most of the time, budget or other priorities are not the problem, as they are for companies. Here the problem is that they are not able to properly understand the consequences of their digital life. Many end users still treat their online life as if it were a game of some kind, where their actions have no reaction in real life (a.k.a. offline life). A security expert must be able to talk and work with people who use computers as a tool to do their job. He has to clearly explain the risks and help them improve their security using a language they can understand.

It is important to understand from this rant that the reduced interest in security of most people (consumers or not) is what it is, not because they are stupid or less educated. People don’t like to deal with the topic because it is complicated, it changes very often, it is never finished, and, most important of all, because it reduces the usability of whatever they want to do.

In my opinion, a real security expert must be able to strike a trade-off between security and usability. A security expert has to master the art of defining the point where a system is “secure enough” but still usable for its users.

It has to be clear that it is not possible to achieve both at the same time: maximum security and maximum usability. This is why I think that securing a system is a job that is never finished: the systems to be protected, their users and the environment around them change, as do the security risks they face.

In conclusion, here is my summary of what I think are the characteristics that make a security practitioner an expert in his field:

  • Advanced theoretical knowledge proven by international certifications
  • Practical experience in applying security
  • Ability to communicate with all levels, according to their level of understanding, from board level to end user
  • Ability to find solutions which are not in books and prioritize them
  • Ability to view the risks beyond the obvious and act upon them – be proactive and not reactive
  • Ability to choose a solution which represents a fair trade-off between security and usability

Do you agree with these? Do you have more to add?

I would be glad to see your comments either in this blog or in my personal one.

Sorin Mustaca, CSSLP, Security+, Project+

Independent IT Consultant

Author of the “Improve your security” free eBook.

[(ISC)² Blog]

Why Handshakes Are Not Enough—Vendor Risk Management Is in the Details

The days of doing business with a handshake and a smile are long gone. However, one thing remains constant: how few vendor contracts are updated, even when the scope of service changes. This can be detrimental to an organization, particularly if the vendor is handling sensitive data such as personally identifiable information (PII), protected health information (PHI), cardholder data (CHD), or confidential, intellectual property and strategic data (also known as CIPS).

Periodically reviewing, and appropriately updating, master services agreements ensures both parties are aware of the processes, the data elements and where the data processing is being performed. In other words, contracts must be continuously reviewed and revised as scopes of work change. The best way (or at least the cleanest way) to update a master services agreement is via addenda that are signed and dated by both parties.

Effective vendor risk management lies in managing the details. Developing a durable vendor contract also means identifying the success criteria for the vendor, which include:

  • The business unit’s requirements for the vendor
  • The technical requirements involved (e.g., data elements, IT components, connectivity)
  • The vendor’s requirements for the customer

To ensure that all expectations (performance, compliance, regulatory, etc.) are met—and no one is blindsided—it is important for the organization to identify early and manage the following key vendor risk operational points:

  • Coordination between sourcing and vendor management
  • Vendor risk classification
  • The monitoring of vendor performance
  • Effective use of assessment results
  • Responding to and managing vendor performance issues

But what do you do if the vendor is not living up to the agreed-upon expectations documented in the contract?

An exit strategy is a must for when a vendor does not meet its contractual expectations. It is a prudent step for the organization to ensure that a backup plan exists, either to redirect the work to a vendor the organization already uses or to find a new vendor (most likely one that went through the previous request for proposal [RFP] process).

In my upcoming session (#145—“Contracting for the Full Vendor Lifecycle”) at ISACA’s 2015 North America CACS taking place 16-18 March 2015 in Orlando, FL, I will discuss these and other challenges during the contract phase of the third-party relationship. Hope to see you there!

Tom Garrubba, CISA, CRISC, CIPT, CTPRP
Senior Director, The Santa Fe Group
Program Director for the Shared Assessments Program

[ISACA]

Doing Our Part for Public Sector Cybersecurity

In our data-driven culture, data is everywhere. But the public sector networks that secure government information are being targeted by cyber criminals, terrorists and nation states. Cyber threats against government IT and the control systems and sensors running critical infrastructure are growing, and the sense of urgency is real. It’s vital to our way of life and livelihoods that governments are able to keep these systems secure.

At Palo Alto Networks, we continue to contribute to these efforts by creating the Palo Alto Networks Public Sector Advisory Council (formed in 2014), which is a consulting body made up of retired military and civilian officers that advise Palo Alto Networks on the cyber security challenges and technology needs of the world’s governments.

This year, we’ve continued our momentum in the public sector by adding Ryan Gillis to the Palo Alto Networks team. Ryan, formerly Director of Legislative Affairs and Cybersecurity Policy at the White House National Security Council, joins as Vice President of Government Affairs and Policy. His expertise in cybersecurity and public policy is a valued addition to the team. Welcome, Ryan!

In other public sector news, Palo Alto Networks President and CEO Mark McLaughlin was recently selected by President Obama to serve as Chairman of the National Security Telecommunications Advisory Committee (NSTAC). The Committee’s mission is to provide the U.S. Government with advice from industry leaders on matters related to national security and emergency preparedness.

Lastly, on Friday, February 13, Mark will join President Obama at the Summit on Cybersecurity and Consumer Protection at Stanford University, speaking on the Public-Private Collaboration on Cybersecurity panel at 9:15 a.m. PT. To learn more about the event, see the press release.

To learn more about the Palo Alto Networks Public Sector Advisory Council, please see today’s press release.

[Palo Alto Networks Blog]
