Transforming Your IT Risk Management from Reactive to Proactive in 5 Steps
This blog was originally published on Hyperproof's blog.
Written by Jingcong Zhao, Director of Content Strategy at Hyperproof
As a seasoned IT risk management professional, you already know that staying on top of security is a constant battle. You probably also know that managing IT risks proactively and consistently is incredibly difficult to do. In Hyperproof’s 2021 IT Benchmark Survey (completed by 1,029 IT security assurance/compliance professionals), we found that 65% of global tech companies are still managing IT risks in an ad-hoc way, in siloed departments, with disparate processes and multiple disconnected tools.
This method of reactive compliance operations management ultimately results in unwanted risk exposure: 61% of all surveyed said their organization has experienced a data breach or a privacy violation in the last three years.
If these statistics resonate with you, and if you want to get a better handle on your information security compliance program, we’re here to help. In this article, we’ll tell you about a framework we’re calling “Compliance Operations” (or “ComOps” for short) you can deploy in your organization to get things into better shape.
Compliance Operations is a business methodology that recognizes that managing information security compliance and security assurance programs consistently and on a day-to-day basis is a critical component of effective IT risk management. It operates on the understanding that cyber risks can change by the minute, regulatory volatility isn’t going away, and zero trust is now the default security (and B2B purchase) model. As such, compliance and security assurance professionals need to apply more rigor and discipline to their day-to-day activities. The Compliance Operations methodology provides a way for organizations to manage IT risks in a more disciplined, proactive manner and efficiently prove to their customers that they can keep sensitive customer data safe.
Connecting disparate information silos across the IT risk management processes has to be the first step if an organization wants to manage IT risks in an agile, proactive way. All of your company’s risks, control objectives and requirements, controls, and compliance artifacts can be documented in a single location, and these information objects can be mapped to one another.
It’s hard to plan tasks and resources and manage workloads if you are not able to clearly see the full set of work that needs to be done to support security assurance and compliance objectives. The starting point has to be a disciplined approach to finding out what work needs to be done.
With that understanding, you can begin to estimate the workload and resources required to meet those objectives and design the allocation of key tasks within, and outside of, the security assurance and compliance function. Knowing the schedule, and being able to stay ahead of it, is key. What’s the cadence for internal and external audit activities? When do controls need to be implemented, reviewed, and tested? Who’s responsible for critical tasks and how do we monitor that? And finally, how can we quickly see if there’s a potential issue, like a control not being tested on schedule or if we failed to remediate a key finding?
3. Define a process for collecting and reviewing evidence
If you don’t have access to up-to-date evidence, you can’t assess whether controls you’ve implemented are functioning properly or not, which may leave a key IT system exposed. For many compliance professionals, collecting evidence tends to be so tedious and time-consuming that it holds security assurance professionals back from tackling more strategic tasks. Hyperproof’s 2021 IT Compliance Benchmark Survey found that half of the IT security compliance professionals surveyed spend 50% or more of their total time at work on repetitive administrative tasks around preparing for audits.
By having a clearly defined process for collecting and reviewing evidence, you can save a significant amount of time, money, and frustration and minimize the risk of control failures.
4. Automate processes to make them more efficient (and support a more efficient operating environment for the entire organization)
When security compliance teams spend much of their time on manual, repetitive tasks, they’re left with little time to focus on other important tasks aimed at improving security and resiliency (e.g., testing controls in high-risk areas, talking to business units to understand what’s changing in the business and how those changes may create new risks or amplify existing risks). Manual, repetitive tasks, such as evidence collection, controls monitoring, and reporting, should be automated.
Further, at the controls level, it’s easy to become “over-controlled” as compliance professionals try to meet different but somewhat similar framework requirements. This issue has driven the move towards unified controls frameworks. Automation and good processes can help us get there and remain there in light of new or changing requirements.
Security assurance/IT compliance work is an iterative process. Controls can quickly become obsolete when a change occurs in an organization, such as when an existing IT system is retired and a new one is implemented. To achieve continuous compliance, every organization needs a reporting and monitoring system that provides real-time insight into the status of internal controls, risks, and audits, and that automatically flags issues needing attention. For instance, one report should help you identify which controls need review because their evidence is no longer fresh. You should have an easy way to see which security objectives aren’t met yet because controls haven’t been implemented or tested. There should be a way to track issues and tasks so that those involved in compliance know what they need to do next.
When you put these steps in place, it becomes possible to scale up your infosec compliance programs efficiently, without having to reinvent the wheel.
The advantages of taking an operational approach, as opposed to a traditional approach (e.g., rushing to check controls, collect evidence, and fix controls right before an audit) are three-fold.
First, by reviewing things on a cadence, you effectively minimize the chances of experiencing security and compliance lapses and of leaving risks unaddressed.
Second, when your team can easily collect evidence on an ongoing basis, no one needs to scramble or go into fire-drill mode right before an audit, which helps keep your team’s stress levels down. Third, when the team keeps track of all of their work in a single compliance operations platform, it becomes easy to prove to customers, auditors, and regulators that your organization has been operating in a secure and compliant way all along. When your organization is good at proving your compliance posture, you win and retain more business.
Meet the Author
Jingcong Zhao is Director of Content at Hyperproof, where she leads the development of thought leadership content on topics such as cybersecurity, data privacy, and compliance.