Excessive complexity and lack of first-line integration render many GRC (Governance, Risk, Compliance) metrics useless.
Many CISOs complain of communication problems with their business. They are not being listened to. They are not getting the budget they think they should get. They feel their business prioritises against security too often.
It has been a recurring theme amongst information security professionals for the best part of the last 15 years, and it is rooted in a wide range of factors, amongst which the profile of the CISO is often a dominant limitation.
Many CISOs are simply too technical: They know they need to bridge the gap with their business, but they often return to their comfort zone at the first opportunity: For them, “threats” is often translated into malware, phishing and hackers, while the business wants to hear insider fraud or intellectual property theft.
This often leads to the CISO role being ringfenced and limited to its first line technical remit, while GRC functions develop in second-line of defence.
But those functions themselves very often struggle to develop meaningful conversations with their business around cybersecurity.
GRC teams tend to have an ivory-towered view of the problem and to rely on ready-made overly complex methodologies, loosely related to the reality of first line activities.
They rush into buying some tech platform which is supposed to “enable” the GRC process, but in reality, the jargon of those products and methodologies is often meaningless to the business. Impact assessments and risk assessments can be inextricably complex. The quality of the data collected is often questionable as a result, and many of those approaches never scale up for good in large firms due to the sheer human cost of deploying them.
The lack of hard-wiring to first line activities make the GRC metrics produced artificial, and unusable in practice to recommend, justify or manage first-line investment. If, in addition, the scope covered is limited due to deployment or acceptance issues, the overall value of such metrics can be highly disputable – beyond the proverbial “tick-in-the-box” which they will invariably provide.
None of that helps the business understand and manage their cyber risk posture. Over time, distrust sets in and, as the “when-not-if” paradigm around cyber-attacks takes root in the boardroom, senior executives need to find a way out.
It can only involve refocusing GRC practices towards simplicity so they can be effectively and efficiently deployed on a large scale across the real breadth of the firm – and possibly towards its supply chain.
It will also involve refocusing GRC practices towards a proper and meaningful integration with first line cybersecurity data, so that GRC metrics reflect the reality of the first line of defence.
The “when-not-if” paradigm makes the Board increasingly willing to invest to ensure the protection of the firm from cyber threats, but it also shifts priorities towards measuring progress and ensuring things get done.
In many firms, the equation between Governance, Risk and Compliance around cybersecurity is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders.
In particular, first line and second line must work together on this. They must trust each other and look beyond absurd and arbitrary “separation of duties” concepts, to produce meaningful data for the business, around which meaningful decisions will be made to protect the firm.
The Business Transformation Network has posted this article in partnership with Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on, InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.