How substantial is cybersecurity compliance to engendering reliability in data protection processes? While we may defer answering this question, the importance placed on cybersecurity for ensuring compliance with internal or external regulatory requirements is evident from the increase in privacy and data protection regulations. In these exciting times of the COVID-19 pandemic, the myriad cybersecurity threats that organizations face have become more distributed and heightened. There is a greater need now than ever before for reassurance that the organization is secure and in compliance with internal and external requirements. The organization’s cybersecurity posture, its partners, and third parties, including suppliers, are critical pieces of the jigsaw that makes up the regulatory environment.
By Favour Femi-Oyewole, Group Chief Information Security Officer, Access Bank Plc
Penalties that may arise from data breaches have the potential to affect the bottom line significantly, and businesses have become more aware of this; to ensure visibility and mitigation, privacy and cybersecurity risk items are increasingly accorded board-level priority. Two key things stand out in interactions on the cyber front: the understanding that cyberthreats cannot be approached in isolation, and that parties both within and outside the organization have a part to play in contributing to its overall cybersecurity posture.
Compliance gives insight into how well an entity can follow a set of rules, orders, or requests. Typically, for larger enterprises, risks related to compliance are integrated into and managed as part of the Enterprise Risk portfolio. While compliance is managed holistically from this enterprise point of view, security practitioners generally accept that, for cybersecurity processes, being compliant does not necessarily translate to being secure. Hence, it is not so shocking that even large organizations that had previously assessed their environment as being compliant with internal policies, subscribed standards, and external regulatory requirements find themselves announcing data breaches that went undiscovered for extended periods. Such is the transient state of compliance; however, this need not be. An organization can continually meet the standards for data privacy and security applicable to it in its jurisdictions if a self-compensating methodology is employed.
An enterprise compliance program built on a model that encourages compliance as a tick-the-box exercise is on the pathway to derailing the strategic thrust and hampering the tactical operations of the chosen cybersecurity strategy. Though it is easy to lose grasp of how the internal gearings that move the cybersecurity system must fit together, this can be checked by integrating essential building blocks and designing an internal system that maintains dynamic state awareness (including tracking relative deviations and adversary activities) and compensates for them intuitively. By going beyond a tick-the-box exercise, organizations can better integrate security and compliance into the fabric of the organization’s processes. Granted, this is easier said than done. Building security and compliance into the organization’s fabric requires a multi-dimensional approach that incorporates people, processes, and technology; these three factors are referred to as the cornerstone of organizational efficiency.
The Human Element
To produce seamless collaboration, the human angle plays an important role. While the human element is known to be the main driver of the other elements, it also shapes the environment in which these actions are carried out. The program’s effectiveness depends on behavior patterns in the organization and on what is perceived as normal behavior in relation to the cybersecurity practice. Specifically, the organization should understand its external requirements, its internal environment, and its peculiarities, including process dissonance. These considerations include:
• The business environment in which it operates and the pace at which business is conducted.
• How the organization is structured and how these constituent groups, divisions, and departments take decisions.
• The incentives that are likely to help its stakeholders comply with policies and regulations.
• The obstacles that would prevent them from complying.
Another consideration is to center on the principal actors in the process and obtain feedback on how well stakeholders within the organization understand the policies and standards they are expected to follow. Non-compliance can occur simply because a staff member has limited knowledge. The same applies to the omission of a critical step, which could unknowingly reduce the posture level and thereby create a false sense of security. Another key behavior to look out for is the member’s disposition to complying with these rules. Could the disposition be the result of positive attitudes built over time? Is it because there is an incentive that makes compliance attractive, or perhaps because there is a monitoring program in place that serves as a deterrent? These questions serve as input for understanding the area of concern that relates to disposition. The two previous points provide an inroad into understanding the current extent to which internal stakeholders can comply with rules. Where external regulations are concerned, management often sets a zero-risk tolerance, and attaining this level will depend on these factors and on an understanding of the base extent of reasonably attainable compliance.
By designing the program to consider these factors, a better understanding can be attained of how to engineer the human element of the program to deliver greater reliability in protecting the organization and its data, enabled through tight integration between security and compliance tracking. The human element provides part of the input that initiates and sustains the dynamic state awareness and compensatory mechanism of the security and compliance program. Examples of such capabilities are evident in the analyst’s ability to review events that have been prioritized by analytic security controls, or to detect stealthy actions through threat hunting efforts, perhaps following a successful targeted social engineering attack, in order to cut off the malignancy before it festers. Senior management has a part to play in supporting these functions, and the level of support for the Chief Information Security Officer and their programs greatly increases the effectiveness of the program.
Technological Controls Maturity
Technical controls are implemented to reduce the identified inherent risk by bolstering the defenses or increasing the protection available. The risks could be due to a vulnerability or inadequacy identified within a system, a process, or the attainment of an objective. It suffices to say that automated security protection can be achieved through the proper deployment of security controls. After deployment, the countdown on the control’s useful lifetime begins, and throughout that lifetime, maintenance will be needed. During this period, it is important to measure control effectiveness on an ongoing basis. These actions help improve the proactive and reactive ability of the system to, for example, mitigate attacks or detect anomalies. By working in tandem with the human analyst, who may be supported by artificial intelligence or machine learning-based systems, a much greater fidelity of proactive stance and reactive efficiency can be achieved. These tie in towards increasing the reliability of the system to self-compensate, self-heal, and deliver effective security.
While these are being implemented, it is necessary to be aware that such capability is rarely attained in an instant; it takes time and effort. In the buildup or revamp process, effective prioritization is important, and there are resources available for security architects and engineers to leverage while strengthening the security stack. Basic security hygiene should be taken care of at the initial stages, and the top five, ten, and twenty controls can be implemented progressively to strengthen posture. These controls are deployed with an aim, and how well those objectives are met should be tracked as part of a compliance program. This tracking should take cognizance of drifts from the identified measures and provide for the re-adjustments that may be needed from time to time in response to observed events or threat intelligence.
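The ongoing control-effectiveness measurement and drift tracking described above can be made concrete with a small check that compares observed control state against the objectives the controls were deployed to meet. The following is an added example, not code from the article or from Access Bank; the control objectives, criticality weights and the two point-in-time snapshots are all constructed for illustration, and a real program would pull the snapshots from a configuration database, cloud posture tool or SIEM rather than from literals.

```python
"""Continuous control-drift check (added illustration, not from the article).

Assumptions (constructed for this example): a baseline of control objectives
with a pass criterion and a criticality weight each, plus two point-in-time
snapshots of observed control state, one from the previous review and one
from the current review.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ControlObjective:
    control_id: str
    description: str
    comparison: str   # "eq", "le" or "ge": how `observed` must relate to `expected`
    expected: Any
    weight: int       # criticality: a heavier control costs more score when it fails


# Hypothetical baseline of deployed controls and the objective each must meet.
BASELINE: List[ControlObjective] = [
    ControlObjective("mfa_enforced", "MFA required for all staff logins", "eq", True, 5),
    ControlObjective("patch_sla_days", "Critical patches applied within N days", "le", 30, 4),
    ControlObjective("log_retention_days", "Security logs retained at least N days", "ge", 365, 3),
    ControlObjective("open_admin_ports", "Admin ports reachable from the internet", "eq", 0, 5),
    ControlObjective("backup_test_age_days", "Days since last restore test", "le", 90, 2),
]

# Constructed snapshots of observed state at two review points.
PREVIOUS_SNAPSHOT: Dict[str, Any] = {
    "mfa_enforced": True, "patch_sla_days": 21, "log_retention_days": 180,
    "open_admin_ports": 0, "backup_test_age_days": 40,
}
CURRENT_SNAPSHOT: Dict[str, Any] = {
    "mfa_enforced": True, "patch_sla_days": 45, "log_retention_days": 400,
    "open_admin_ports": 2, "backup_test_age_days": 60,
}


def control_satisfied(obj: ControlObjective, observed: Optional[Any]) -> bool:
    """Evaluate one control. Missing evidence is treated as a failure so that an
    unobserved control can never produce a false sense of compliance."""
    if observed is None:
        return False
    if obj.comparison == "eq":
        return observed == obj.expected
    if obj.comparison == "le":
        return observed <= obj.expected
    if obj.comparison == "ge":
        return observed >= obj.expected
    raise ValueError(f"unknown comparison {obj.comparison!r}")


def assess(baseline: List[ControlObjective], snapshot: Dict[str, Any]) -> Dict[str, bool]:
    """Map every control id in the baseline to whether the snapshot satisfies it."""
    return {c.control_id: control_satisfied(c, snapshot.get(c.control_id)) for c in baseline}


def compliance_score(baseline: List[ControlObjective], snapshot: Dict[str, Any]) -> float:
    """Weighted share of control objectives met, in [0.0, 1.0]."""
    results = assess(baseline, snapshot)
    total = sum(c.weight for c in baseline)
    met = sum(c.weight for c in baseline if results[c.control_id])
    return met / total if total else 0.0


def detect_drift(baseline: List[ControlObjective],
                 previous: Dict[str, Any],
                 current: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Report controls whose status changed between two snapshots, in baseline order.
    'regressed' means a control that passed before now fails; 'recovered' is the reverse."""
    before, after = assess(baseline, previous), assess(baseline, current)
    drift: List[Tuple[str, str]] = []
    for c in baseline:
        if before[c.control_id] and not after[c.control_id]:
            drift.append((c.control_id, "regressed"))
        elif not before[c.control_id] and after[c.control_id]:
            drift.append((c.control_id, "recovered"))
    return drift


if __name__ == "__main__":
    print(f"previous score: {compliance_score(BASELINE, PREVIOUS_SNAPSHOT):.2f}")
    print(f"current score:  {compliance_score(BASELINE, CURRENT_SNAPSHOT):.2f}")
    for control_id, change in detect_drift(BASELINE, PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"{change:>9}: {control_id}")
```

Two design choices matter here. Evidence that is absent counts as a failed control rather than a pass, which is the cheapest guard against the false sense of security the article warns about; and drift is reported as regressed or recovered per control, so a review can act on the specific objective that slipped instead of only watching an aggregate score move.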
To read the full story, download the October 2020 issue of CISO MAG.
About the Author
Favour Femi-Oyewole is a Doctoral Student at Covenant University, Ota, Ogun State, Nigeria. She is the Group Chief Information Security Officer in the Access Bank Plc overseeing the Information & Cyber Security of the Group office and the Subsidiaries. Favour also holds several certifications in the IT & Information Security and Cybersecurity field. She is a Cisco Certified Security Professional, Checkpoint Security Administrator, 1st female COBIT 5 Assessor certified in Africa, Certified Chief Information Security Officer, Certified ISO 27001 Lead Implementer, and Lead Auditor. She is also the first female in Africa to be a Blockchain Certified Professional.
Favour is a Certified ISO 27001:2013 Lead Implementer Trainer. She is an alumna of both the Harvard Kennedy School (HKS) at Harvard University and the Massachusetts Institute of Technology (MIT), USA. She is a member of the Cybercrime Advisory Council in Nigeria. Favour emerged as the 1st woman in the world to win the Global Certified CISO (C|CISO) of the Year 2017 award from the EC-Council in the U.S.
Favour is also an active member of the Global Certified Chief Information Security Officer (CCISO) Advisory Board & Scheme Committee of the EC-Council in the U.S. She is a certified Data Privacy Solutions Engineer (CDPSE), a certification recently awarded to her in June 2020 by ISACA.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.