
Risk, compliance and cybersecurity

Combining culture and compliance frameworks with proper risk management strategies.
By Tiana Cline, Contributor
Johannesburg, 10 Aug 2023
Mari-Louise Conradie, Port443

In a world awash in data, cybersecurity risk is universal. But compliance comes at a cost. It’s not something that can be solved with a checklist, nor is it the chief information security officer’s sole responsibility. To be successful, every organisation needs to be both compliant and cybersecure. How does a business know what security measures to put in place when there is such an overwhelming number of global and local compliance requirements?


According to IBM research, most organisations have to comply with 13 security or privacy regulations, which will need at least 22 employees to manage.

To ensure compliance with regulations and industry standards for data protection and asset security, there are a number of best-practice frameworks that companies can follow, including ISO 27001, SOC 2 and the configuration of cybersecurity controls according to NIST, PCI and CIS best practices.

CULTURE OF COMPLIANCE

There’s no question that establishing a security and compliance mindset can fuel business growth.

From Working Backwards to Bezonomics, The Amazon Way and The Bezos Blueprint, there are any number of books that describe Amazon’s culture, leadership and best practice – but where do risk and compliance fit into the overall picture? “Compliance is everybody’s responsibility,” says Jenny Brinkley, director of Amazon Security.

To create a culture of compliance, Amazon Web Services created a programme it calls Guardians. “These are not security employees. These are people who we train and educate and are embedded in the service team. When there’s a new regulation or if there's something that we're seeing coming on the horizon, we'll build tooling, automation and technology to help the builder, as a guardian, advocate for what needs to be considered within the service team before a line of code is written, especially if it's a brand-new service.”

Amazon’s “working backwards” methodology also contributes to how it handles compliance. “When I first joined the company, I was blown away how fast we would move in areas, how we would design and create and build,” says Brinkley. “I always felt that Amazon was this huge company and it would take forever to get things done, but because of our processes and mechanisms, we will not block innovation because of security and compliance.” Brinkley says that guardrails have to be in place so employees can experiment and explore. “That’s the sweet spot, the secret sauce… I think it’s really important for people to understand the value of where security sits within the business and how everyone comes together.” Instead of deciding to do something and then later questioning security or regulatory activity that has to take place, compliance is integrated from the beginning. Another way of doing this is for different teams to work with compliance as opposed to waiting to check boxes later. “Compliance works hand-in-hand with a team as they’re architecting, as they’re making technology decisions on what needs to happen and where it needs to be documented. It’s a partnership from the get-go,” she says. This is why Brinkley says AWS emphasises ownership of a product, and with that, transparency. “It gives people an understanding of why we have regulations in place to begin with. The objective and goal is to keep infrastructure and people secure and safe.”

Brinkley believes that people get into compliance and risk roles with security in mind – they want to keep infrastructure safe. “They want to safeguard data, they want to be able to protect customer information, they want to protect our infrastructure and do the right thing,” she says. “I really believe that we're in an interesting state in the world where more people need to feel empowered and have the information and the data they need. Compliance and risk is an area that acts as those guardrails.”

“Most compliance processes are common sense, but not necessarily commonly addressed, usually because technology teams are too busy,” says Mari-Louise Conradie, the co-founder and director of Port443. “Often, the most time-consuming part of compliance is monitoring the current status of vast security estates, so that people can focus on finding and remediating vulnerabilities by running firmware updates, for instance.”

Conradie says that current and past employees, business partners, contractors, suppliers or vendors with access to a company’s IT infrastructure all pose a potential threat. “Negligent insiders cause the majority of incidents, often due to not upgrading software or following a rigorous patching process, ignoring company security policies and other non-malicious, but ultimately destructive actions,” she says.

Public cloud remains a concern among risk and compliance departments, with 95% of organisations saying they are “moderately to extremely concerned” about cloud security, according to the Cybersecurity Insiders’ Cloud Security Report from 2023. Over 70% of respondents use two or more cloud providers, and say that barriers to adoption are mostly people- and process-related, rather than technology-focused. The lack of cybersecurity staff expertise and training (53%) remains the highest barrier, while 30% said legal and regulatory compliance issues were a concern.

Because technology teams often simply don’t have the time to do audits, many have little choice but to rely on a “set-and-forget” approach.

Let’s get phygital

“The devil is in the details, in keeping the details correct and compliant,” Conradie says. Today, the convergence of digital and physical security is also affecting risk management strategies. “When physical security is breached, it can lead to a compromise of digital security. It could be as simple as leaving a laptop unlocked, allowing an unauthorised person to gain access. Ensuring physical and digital security are monitored and constantly hardened is imperative.”

Kevin Halkerd, e4’s risk and compliance manager, says that a large password solutions vendor failed to account for a key staff member’s online digital identities, which allowed their physical home and the vulnerable devices associated with it to be enumerated, and this led to a very serious breach.

Being compliant isn’t necessarily the same as being secure. Compliance by itself doesn’t replace effective cybersecurity or having a framework for identity and access management. “All of them boil down to the details behind one principle – least privilege access,” says Conradie. “Review and update employee access regularly and make sure access is revoked when people leave or a relationship with another business is terminated. Continuously monitor all security controls for alerts and have a response process in place.”

It may also be worth engaging a privileged access management vendor, which will help in monitoring access to your networks.

Halkerd believes that companies need to face up to risks.

“Risk is often translated as wholly adverse in nature and should always be avoided in discussions, and this only has remedy in senior leadership,” he says.

Conradie recommends putting a governance and risk committee in place where cyber and physical security risk registers are reviewed regularly and in tandem. “The operational processes [such as onboarding and offboarding of personnel] and an integrated security operations centre [where alerts for both physical and digital security are monitored] should be communicated at the committee meetings.”


* Article first published on brainstorm.itweb.co.za