Emerging Issues Shaping The Future Of Cyber GRC

As organisations become increasingly reliant on digital infrastructures, they are turning to the governance, risk management and compliance (GRC) model to ensure a comprehensive and integrated approach to cybersecurity. As a subset of GRC, the term “cyber GRC” reflects the policies in place to manage and reduce cybersecurity-specific risks, and the adherence to relevant standards, which encompass information security requirements, data privacy laws and industry-specific regulations. 

For example, cyber GRC frameworks can be seen incorporating the regulatory requirements of the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Organisations are also adopting NIST and ISO standards as part of their compliance initiatives. While adherence hardly guarantees a breach-proof cyber posture, these frameworks do provide the basis for security teams to handle things methodically. Once companies are audited by regulators, certifications likewise help instil confidence among customers and investors.

However, the growing prominence of cyber GRC presents CISOs with new challenges. Indeed, cyber GRC frameworks are by nature dynamic, due to the evolving threat landscape, use of new technologies, and regulatory shifts. It is therefore no easy task to ensure compliance over time.

Here we’ll take a look at issues that have been taking shape in recent years, changing what it means to keep up with the demands of cyber GRC.

The Need to Create Company-Specific Frameworks

Digitalisation has exposed today’s businesses to a wide range of cyber threats: every modern organisation has the potential to become the victim of malware attacks, data theft, DDoS, and social engineering. However, every situation is different, and generic or “one size fits all” solutions don’t work. Every company has its own sets of circumstances, vulnerabilities, and attack predispositions. Different risk profiles call for specific frameworks to most effectively and efficiently manage threats.

What’s more, not every organisation has the same compliance requisites. The differences in location and industry entail differences in regulations. For example, healthcare-related organisations serving US-based patients have to deal with the requirements of HIPAA. Organisations that only operate in Asia are not necessarily subject to the GDPR. Matrices of GRC frameworks have to be formulated according to the specific circumstances of an organisation and the applicable regulatory requirements.

Moreover, the threats affecting organisations continue evolving along with the compliance requirements. They are never constant, as they are influenced by various factors including technological advancement, the cunning ingenuity of threat actors, and changes in government policies.

These circumstances emphasise the need to customise security frameworks to match the unique requirements of every business. Generic GRC frameworks rarely deliver the intended benefits. Organisations that solely adopt frameworks created and used by other organisations are setting themselves up for an inevitable failure in cybersecurity.

Cypago’s cyber GRC automation solution can help security teams to formulate custom GRC frameworks through a platform that makes it easy to integrate security programs and controls. Automate the process of reconciling standards, regulations, and risk priorities to ensure comprehensive processes that specifically address the unique requirements of your organisation. Select the frameworks that apply to you, upload your custom requirements, and let the automation engine surface areas that call for mitigation, allowing you to remain audit-ready and compliant with applicable regulations – including your own.

Dissolving Boundaries Between Data Privacy and Cybersecurity

Data is both an asset and a liability – it’s crucial for informed decision-making and strategic planning, but it must be protected constantly to avoid leaks.

Organisations are compelled to maintain data privacy at all times. This is certainly a daunting task, but regulatory frameworks support CISOs’ efforts to protect both customer and company information, while also disclosing all data use cases and requiring consent. For example, the CCPA includes a provision that requires organisations to take reasonable security measures in the case of compromised data, and to notify those who may have been affected. Similarly, HIPAA and the NIST Cybersecurity Framework both call for assessments of the potential risks to health data confidentiality and integrity.

This fusion of data privacy and cybersecurity calls for compliance teams to make significant changes in organisational structures, resource allocation, incident response plans, and management. It is no longer adequate to deal with data privacy and cybersecurity separately. Rather, data privacy stakeholders must collaborate with wider cyber defence teams to ensure a holistic approach to security and privacy.

One tool that helps cyber teams to tackle data privacy and their overall security in tandem is Cyberhaven, whose cloud-native platform protects data in cloud environments by securing it even in transit. This mitigates the threats of data exfiltration and unauthorised sharing, such as when data is transferred from one device to another. Cyberhaven’s “Data Detection and Response” functionality leverages tracing data lineage, advanced analytics, and behavioural analysis to safeguard sensitive data from both internal and external threats, thus ensuring that user data handling is in line with data privacy and cybersecurity regulations.

Evolution of the AI Compliance Landscape

Artificial intelligence (AI) is quickly becoming a staple of the tech stacks adopted by organisations. Its use cases continuously expand as it gains new capabilities, but AI does come with its own risks.

It’s therefore no surprise that we’re now seeing the introduction of new regulations like the EU AI Act, which seeks to make AI systems transparent, safe, traceable, nondiscriminatory, and environmentally friendly. But that’s just the tip of the iceberg – Deloitte has identified over 1600 AI policy initiatives originating from 69 of the world’s nations.

AI is being regulated because of the real risks it poses. For one, AI tech has been associated with privacy violations because of the improper handling of training data. There are also worries about the factual errors or inappropriateness of the advice given out by generative AI products. Additionally, threat actors have already started taking advantage of AI to aid them in their attacks, and to use it for disinformation purposes.

The regulation of artificial intelligence, particularly the emergence of more compliance requirements, is complicating cyber GRC for organisations. Notably, the rise of different geo-dependent regulations and frameworks is making it difficult for companies that develop or even use AI to remain compliant. There is a need for a straightforward but powerful solution to facilitate the discovery of AI use in an organisation and implement policy changes to address compliance concerns.

Using a technology adoption management solution like Harmonic Security allows organisations to track their adoption of Generative AI (GenAI) solutions, manage the risks that come with GenAI use, and identify shadow AI. This helps ensure that the use of innovative tools does not result in security compromises.

Enabling Efficient GRC Amid Challenges

When it comes to cybersecurity, today’s businesses face a changing governance, risk, and compliance management landscape mired in various challenges, from the melding of data privacy and cybersecurity to the need for company-specific frameworks and evolving AI compliance requirements. It is important to adapt to these challenges on an agile basis to maximise operational efficiency and cyber protection.

A proactive and integrated GRC strategy provides security teams with the best way to maximise operational efficiency while addressing risks and keeping up with compliance requirements. The importance of specific GRC frameworks to match the specific needs of an organisation cannot be overstated in view of the rise of regulations related to AI development and use and the merging of data privacy and cybersecurity.

The post Emerging Issues Shaping The Future Of Cyber GRC appeared first on Real Business.
