Governance, Risk, and Compliance in an Age of Uncertainty

By Anthony Freed | December 14, 2012

Posted in: Network Security Trends

Having complete visibility, transparency, and control over the entire IT landscape is next to impossible these days, and CISOs everywhere are finding themselves increasingly under pressure to operate effectively in this age of uncertainty.

We are doing business in a complex world where big data, hyper-connectivity, and mobility reign supreme. Threats span the gamut from malware to data theft, employee fraud to the risk of intellectual property loss, and attackers are becoming more stealthy and sophisticated in their operations. Further complicating matters is the prospect of new federal cybersecurity regulations that have the potential to aggravate the already difficult mission of enterprise compliance.

CEO Shellye Archambeau of MetricStream, which provides governance, risk and compliance solutions to companies such as Procter & Gamble, Kellogg's, Dell and Twitter, discusses the evolving challenges facing enterprise security professionals and the need for greater stakeholder collaboration efforts where crafting new regulations are concerned.

“Recognizing that an attack against critical enterprise IT infrastructure can bring an entire organization to its knees, the CISO's job has never been more important,” Archambeau told SearchSecurity. “CISOs today are faced with complex IT risks, compounded by a blurred line between our personal and professional lives and devices.”

Archambeau notes that with the adoption of BYOD (Bring Your Own Device) options by many companies, there are all kinds of new hardware and applications entering the virtual infrastructure of the enterprise on a daily basis. CISOs are constantly faced with the task of triaging the additional risks to make certain that scarce resources are directed appropriately in order to maintain a robust security posture.

“Ensuring that the right people, processes, and systems are in place and by adopting an integrated IT GRC program that can provide continuous monitoring can enable the CISO to have a broader purview into all areas of the business in order to effectively prioritize the risks that are most likely to impact the company’s ability to achieve its critical objectives,” Archambeau explained.

A factor that will influence the CISO's task of prioritizing those risks to the enterprise is the prospect that Congress may enact a new set of regulations next year, such as those that were proposed in the Cybersecurity Act of 2012, which broadly sought to protect critical physical and IT infrastructure from a potentially devastating cyber-attack. The bill, which had garnered bipartisan support, was ultimately blocked in a vote last summer and again failed to pass in the post-election lame duck session of Congress.

While the future of the Cybersecurity Act and similar bills remains uncertain, they are indicative of what will undoubtedly be a series of legislative actions over the next few years that will most likely lead to heated debates about the need to balance civil liberties for both individuals and businesses with national security demands.

“Cyber legislation forces us to think about privacy and national security, two very different and oftentimes clashing ideals. Though the Cybersecurity Act was recently voted down in the Senate, this is just the beginning of a slew of legislation aimed at protecting against cyber threats,” Archambeau said.

As deliberation over which strategies are best to pursue continues to drag on, in spite of the imminent nature of the threats that need to be addressed, Archambeau believes it becomes ever more likely that an unforeseen incident of some magnitude will occur and act as a catalyst for the passage of new security legislation.

“Given our increasingly vulnerable IT environments, it is only a matter of time before there is a serious incident, thereby justifying the demand for some baseline regulations which protect the interests of a diverse set of stakeholders,” Archambeau speculates.

Archambeau says that while government regulation is often necessary, how it is ultimately designed, enforced, and managed will have a significant impact on our businesses, our economic growth, our nation's security, and our individual freedoms.

“Understanding all of the risks at hand and striking a balance between too little and too much regulation is critical to protecting our online infrastructures and assets, now and far into the future,” said Archambeau.

While every faction in this fray has their respective constituents and interests to protect, the key to resolving some of our toughest and most complex security challenges lies in the fostering of greater stakeholder collaboration, and Archambeau insists that all interested parties must seek to find the common ground for the efforts to be successful.

“Political views aside, we must all continue to find ways to come together to make the U.S. and the world at large less risky, more compliant, more ethical, and better governed,” Archambeau concluded.
