Digitisation brings new risks for GRC practitioners

Matimba Simango, an IT governance officer at PPC Cement, advises GRC practitioners to review all new regulations, standards and laws and incorporate them into their governance work to remain agile in the digital age.

There will always be threats that GRC practitioners have to deal with for as long as they remain active in the field.

So said Matimba Simango, an IT governance officer at PPC Cement.

Another emerging risk that has come with digitalisation is shadow IT, driven by a new tech-savvy generation that is eager to explore and exploit technology in a bid to optimise the way they work, he states. "This is a huge threat in that this is done without consideration of the consequences associated with such activity. Unfortunately, this happens outside the controls set up by GRC practitioners but within the safe buffer of immense scrutiny, as internal personnel are regarded as trusted subjects," emphasises Simango.

"The growth of cyber armies and escalated interest in key strategic national infrastructure are risks that GRC practitioners should also focus on. They should engage with government institutes and other legal or judicial structures. The power of militancy no longer lies only in the amount of arsenal a country has, but in the amount of data it holds about other countries and its foes. This data is usually siphoned and mined by elite cyber armies and hired hackers (hacking as a service, or HaaS). GRC practitioners should play a key role in ensuring that there are data and information technology asset protection mechanisms to mitigate such risk and exposure," he warns.

"Other risks come from legislative statutes and frameworks. GRC practitioners should ensure that the organisations and entities they operate in comply with these regulatory laws, so that their organisations are not exposed to legal ramifications that may emanate from non-compliance," he continued.

The growth and accelerated churning out of IoT devices has made managing the risks associated with these devices a mammoth task, he elaborates. "Most IoT devices are aimed at normal users, who usually do not have exposure to risk mitigation and management. It is a given that 90% of the devices will go unpatched, with no firmware updates nor secure configuration. As these are now easy targets for hackers, it is just a matter of time before these devices bring small and big cities to a grinding halt. These are new threats that are developing at a furious, ferocious pace," says Simango.

"Ransomware is yet to evolve and mature to dimensions that are catastrophic; this is a given. Everything in cyberspace goes through an improvement cycle, and in this case the outputs will not be good," he continued.

According to Simango, the threat of robot-based automation may lead to further automation of cyber threats.

"With digitalisation, the threat vector is wide; there are threats and risks that come inherently with digitalisation and the integration of various systems and technologies to build 'Big Data', which is a direct output of digitalisation. The risks include huge data leakage, intellectual property theft and exposure of personally identifiable information. Digitalisation increases the threat landscape and extends cyber-attack reach; this means that the payload of a cyber-threat and exploit will have far-reaching consequences, as the payload will be able to traverse multiple systems, technologies, services and platforms. These are just a few of the risks that GRC practitioners need to look out for," he says.

However, counter-regulations are being created all over the world. "Globally, there are new regulations and laws that various governments and regulatory or law institutes have developed and passed in parliament and other settings. To mention a few: in America there is the CISA (Cyber Information Sharing Act). This federal law was introduced by the Obama administration. There is also the NIST CSF (Cyber Security Framework). NIST is one of the American government's oldest scientific agencies and one of its most trusted, largely for standard-setting successes such as the Federal Information Security Management Act, which governs information security standards, and the Federal Risk and Authorisation Management Program, which raised the bar for federal cloud computing adoption. Through the Federal Information Processing Standards (FIPS), NIST dictates how the government processes data, including tax records and Social Security information. This is a development by NIST, which is an arm of the NSA and other American law enforcement bodies. Such frameworks and regulations complement the digital era, thus providing GRC practitioners with tools of the trade," explains Simango.

"Bringing it home to South Africa, the POPI Act is yet to be adopted by many; this is a relatively new legal act on managing the protection of personally identifiable information. Compliance has not been measured, but as new as it is, it is a given that compliance is low, as adoption and enforcement have not taken off. The Information Regulator is only now being formed, and we hopefully will see change sometime next year," he comments.

The adoption of best-practice frameworks such as King IV, and adjustment and alignment to the new proposals for good governance of listed companies, he adds, is another of the South African governance principles that need to be adhered to, especially in the digital age.

"The cyber security bill is another bill that is devised to help define cyber contraventions that will be subject to prosecution and/or fines if contravened," he states.

He advises GRC practitioners to review all these new regulations, standards and laws and incorporate them into their governance work, thus managing the risks and assurance thereof.

"It must be noted that a key output of GRC personnel is compliance and risk alleviation assurance. For risk assurance personnel to be successful in their workspaces, it is of paramount importance that they understand the technologies they audit, in order to effectively audit and report, or give business assurance that the operational activities they engage in using IT do not expose the business, organisation or entity to risks," he concluded.

Simango will be speaking at ITWeb's GRC event in February 2017. He will be talking about what drives GRC trends globally.
