<< Back to article Print this page Loading page, please wait...

Territoriality, denial confounding chances at IT-security improvement, risk expert warns

David Braue (CSO Online)
11 December, 2015 10:09

Businesses may broadly aspire to improve their security and risk management but, in the absence of real organisational appetite for change, many still need “a rude awakening” to finally muster the will to improve their processes and procedures, a global compliance expert has warned.

Governance, risk and compliance (GRC) expert Cliff Huntington, the global director for RSA's Archer GRC solution, told CSO Australia that natural self-defensive mechanisms often stymie attempts to build frank and productive internal discussions around IT security responses: “There are a lot of people whose job description has been to make sure this type of thing doesn't happen,” Huntington said.

“The first thing that always happens in an investigation is root-cause analysis. There are a lot of folks that don't want a light shined on their lack of preparedness. It takes someone with authority to come to the organisation and put the pedal to the metal, and say that [inaction] is unacceptable.”

Recognising that institutional inertia can be a significant confounding factor in efforts to maintain proper governance and compliance, many organisations had implemented multi-disciplinary steering committees that often succeeded in creating new momentum for change.

“In many organisations you have one group that is incredibly aware of management best practice and they don't even talk to each other internally,” he said.

“We see a marked difference in performance in organisations where they have a governance structure with something like a monthly or quarterly steering committee. It lets leaders from various functions come together to discuss the top risks and what they can do to mitigate them.”

One increasingly salient corporate risk was the growing focus of cybercriminals on weak spots in target companies' supply chains – an area that has been repeatedly flagged as potentially compromising even the most IT-security conscious organisation.

Many members of these supply chains are small businesses who, recent studies show, often struggle to achieve IT-security confidence due to a lack of resources. Many also think their size protects them from attention by cybercriminals – and yet their commercial relationships with larger targets can often put them right in the crosshairs.

“If you look at the larger cyber events that have happened recently, third parties are almost always involved in some shape or form,” Huntington said.

Dealing with these issues had hardly been helped by what is often “largely aspirational” security policies, which were doing little to effect real change in organisations where institutional inertia was hindering efforts to improve GRC position.

Perception was also often to blame, with many organisational leaders overestimating their capabilities and high-profile successes distracting from the true magnitude of the deficiencies within an organisation.

“We always have some government program that leads from the front, and everyone fixates on those and says they're great,” Huntington explained. “Over time we start to think that best practice is where the market sits – but the truth of the matter is that they're in the top 1 or 2 percent of maturity, and the rest are well below that.”

Education and awareness building were particularly important in dispelling these perceptions, he added, with efforts to simplify “standards that are 1000 pages of 'thou shalts'” and instead to focus on establishing “strategic best practice”.

Dealing with organisational denial was critical if this is ever to happen, Huntington continued, noting that the key “is bringing all the various stakeholders to the table and getting them to accept that there is a problem.”

“That's the first step towards recovery and acceptance, and an evaluation of where you are helps identify where the gaps are and where you're most exposed to risk,” he said.

“We're never going to mitigate all risk, but the idea is that if you have $10 to spend, where do you spend it to most effectively change your risk posture? It's just common sense – but it can be a monumental task in organisations that are often just so disorganised.”