Interview

How GRC can support your cybersecurity ploy

Beyond buying the best security products, strengthening cybersecurity means getting the basics right, which is precisely what Governance, Risk, and Compliance (GRC) offers.

As businesses become increasingly technology-dependent, it is essential that technology is embedded in the business rather than treated as a separate cost center. GRC helps bridge any gap in this process.

Huzefa Goawala, Head of GRC, India and SAARC, at RSA, sheds light on why GRC should be the epicenter of your cybersecurity strategy.

Why is it essential to get GRC right? Are multiple vendors weakening the security game plan?

There's definitely a threat that arises out of having multiple security vendors. Though the ideal state requires a single vendor, it isn't possible at the ground level. This is because of the proliferation of various technologies, the comfort factor of the CIOs, and the understanding of the stakeholders in the organization.

Security has to be business-driven. Leaders have to understand the implications of security threats that an organization faces. A GRC tool like Archer can help log the security incidents that come in.

If you analyze the security incidents that come in, having a GRC solution will help manage the processes and the workflow, and understand the criticality of the business. It also helps in providing business implications to security incidents that happen.


Now once you have information about the incidents, that's when you can take a call on what kind of technologies should be deployed. 

GRC helps businesses get that clarity on deploying solutions with the best RoI.

Keeping in mind the recent spate of ransomware attacks, like Petya and WannaCry, how would a robust GRC model help in this situation?

We're talking about the risk and security culture in an organization. It's not that an external entity hacked into the organization and injected ransomware. Somebody on the inside opened up messages, clicked on attachments that opened up gateways for the ransomware to proliferate internally.

Now it all boils down to the attitude and culture in an organization. So no matter what amount of technology you put in place, it will not help the organization develop an appropriate culture.

It doesn't matter if the organization spends millions of dollars; it won't help you unless and until you have the basic culture in place. 

So we talk about culture from an information security and risk perspective as well. It's a combination of people, processes, and technologies.

So when we talk about a GRC solution, we talk about the integration of these three lines of defense. 

When we talk about the three lines of defense from a GRC perspective, it comprises integrating the business operation, which is the first line; the people focused on controlling these risks are the second line of defense; and the third line are people in audit functions and those who re-verify information.

A platform which cuts across the organization also brings in an element of culture as to how the organization works towards cyber risks and cyber threats, because it gives visibility to everyone while giving business-related data to the management and the board as well.

What are your takeaways for CISOs on rolling out a holistic, robust GRC strategy?

From a GRC perspective, I'd say start with the low hanging fruit. Start small and don't try to look for a big bang approach; they don't work. Start small and grow with the maturity of the organization.  

Second, it's imperative to have business in the loop. GRC definitely helps you in getting the business intelligence, but there should be data that you can provide to the business for them to make a decision and to sanction budgets accordingly.

Most commonly, we see CISOs dropping the ball when it comes to using GRC for managing and reporting security incidents that come in. That's one of the most common use cases we see.

The other area we see CISOs failing is around compliance. When a CISO has to comply with ISO standards, or PCI compliance, that's where they would reach out for a GRC solution. But what slips through is managing the risk factor.

While you are managing your security incidents, it is essential to quantify the risks that come out of security incidents. This is one of the most important factors, as it gives a view to the business in terms of what it stands to lose.


This is one gap I typically see CISOs miss, in terms of providing the risk element to security incidents.

And it’s not just this. Sharing risk assessment findings with the business can also help CISOs procure a better cybersecurity budget. And this gap between business and IT is something a GRC solution could bridge.
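The answer above asks CISOs to quantify the risk behind logged security incidents so the business can see what it stands to lose and budget accordingly. The following is an added example, not code from the interview or from any RSA product: it takes a constructed incident log and turns it into annualized loss expectancy (ALE) per incident category, the standard quantitative risk figure, plus a net-benefit number for a proposed control. Field names, categories and loss figures are all hypothetical.

```python
"""Quantify risk from a security-incident log as annualized loss expectancy.

Added example, not code from the interview or from any RSA product. Field
names and loss figures are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one year of incidents logged by the security team,
# each with the business's own estimate of the loss it caused.
INCIDENTS = [
    {"id": "INC-001", "category": "phishing", "estimated_loss": 12_000},
    {"id": "INC-002", "category": "phishing", "estimated_loss": 8_000},
    {"id": "INC-003", "category": "ransomware", "estimated_loss": 250_000},
    {"id": "INC-004", "category": "lost_device", "estimated_loss": 3_000},
    {"id": "INC-005", "category": "phishing", "estimated_loss": 10_000},
    {"id": "INC-006", "category": "lost_device", "estimated_loss": 1_000},
]
OBSERVATION_YEARS = 1.0  # length of the window the log covers


@dataclass
class RiskLine:
    category: str
    count: int    # incidents observed in the window
    aro: float    # annualized rate of occurrence
    sle: float    # single loss expectancy: mean observed loss per incident
    ale: float    # annualized loss expectancy = aro * sle


def quantify(incidents, years=OBSERVATION_YEARS):
    """Aggregate incidents by category and rank categories by ALE."""
    by_category = defaultdict(list)
    for inc in incidents:
        by_category[inc["category"]].append(float(inc["estimated_loss"]))
    lines = []
    for category, losses in by_category.items():
        count = len(losses)
        aro = count / years
        sle = sum(losses) / count
        lines.append(RiskLine(category, count, aro, sle, aro * sle))
    lines.sort(key=lambda r: r.ale, reverse=True)
    return lines


def total_ale(lines):
    """Sum of ALE across categories: the headline 'what we stand to lose' figure."""
    return sum(r.ale for r in lines)


def net_benefit(line, control_cost, expected_reduction):
    """Expected annual benefit of a control that cuts one category's ALE by a
    fraction. A positive value is the number to put in front of the budget holder."""
    return line.ale * expected_reduction - control_cost


def board_report(lines):
    """Plain-text summary for a risk committee."""
    header = f"{'category':<12}{'count':>6}{'ARO':>8}{'SLE':>12}{'ALE':>12}"
    rows = [
        f"{r.category:<12}{r.count:>6}{r.aro:>8.1f}{r.sle:>12,.0f}{r.ale:>12,.0f}"
        for r in lines
    ]
    return "\n".join([header, *rows, f"total ALE: {total_ale(lines):,.0f}"])


if __name__ == "__main__":
    ranked = quantify(INCIDENTS)
    print(board_report(ranked))
    # Hypothetical control: 100,000 per year, expected to cut ransomware ALE by 60%.
    print("net benefit of ransomware control:", net_benefit(ranked[0], 100_000, 0.6))
```

ARO here is simply the observed frequency over the logging window, which is the point of feeding incidents into the GRC workflow in the first place: the longer and more complete the incident record, the less the ALE figures depend on guesswork.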

What does RSA have to offer organizations to build a robust GRC platform?

Organizations are mitigating the incidents that happen while overlooking the risks that arise from the proliferation of newer technologies.

We look at cyber threats in four quadrants. The first is external malicious; the second is external unintentional; the third is internal malicious; and the last is internal unintentional.

When you look at the external malicious, we have solutions that exist to look at any anomalies around user behavior, in addition to endpoint security. A combination of these two technologies can give an organization intelligence in case an employee violates set guidelines and tries accessing information that he or she is not authorized to.

So, a combination of Security Information and Event Management (SIEM) and identity access management can give you intelligence around that.

From an internal malicious perspective, we have endpoint monitoring systems. So in case there's an employee displaying abnormal behavior, that's something that can be detected.

Monitoring all of this, and giving you overall intelligence and business context, is where GRC fits in.
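The answer above describes combining SIEM access events with identity and access management data to spot an identity reaching for information it is not entitled to, and sorting threats into four quadrants. As an added example, not code from the interview or any RSA product, the block below correlates a constructed SIEM export against a constructed IAM entitlement snapshot, flags every access to a resource outside the identity's entitlements, and tags each finding with the origin half of the quadrant model (internal if the identity is a known employee, external otherwise). The intent half (malicious versus unintentional) cannot be decided from logs alone, so it is left to analyst triage; the event field names are assumptions.

```python
"""Correlate SIEM access events with IAM entitlements to flag unauthorized access.

Added example, not code from the interview or any RSA product. Field names,
identities, resources and IP addresses are constructed for illustration.
"""
import json
from collections import Counter

# Constructed IAM entitlement snapshot: identity -> resources it may access.
ENTITLEMENTS = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
}
# Identities the IAM system knows as employees; anything else is treated as external.
EMPLOYEES = set(ENTITLEMENTS)

# Constructed SIEM export, one JSON event per line (hypothetical schema).
SIEM_EXPORT = """\
{"ts": "2017-07-01T09:00:01Z", "user": "alice", "resource": "crm", "action": "read", "src_ip": "10.0.0.5"}
{"ts": "2017-07-01T09:02:13Z", "user": "bob", "resource": "crm", "action": "read", "src_ip": "10.0.0.9"}
{"ts": "2017-07-01T09:02:20Z", "user": "bob", "resource": "payroll", "action": "read", "src_ip": "10.0.0.9"}
{"ts": "2017-07-01T09:02:25Z", "user": "bob", "resource": "payroll", "action": "read", "src_ip": "10.0.0.9"}
{"ts": "2017-07-01T09:05:00Z", "user": "contractor7", "resource": "wiki", "action": "read", "src_ip": "203.0.113.4"}
"""


def parse_events(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_violations(events, entitlements, employees):
    """Return every event whose resource lies outside the identity's entitlements,
    annotated with the origin axis of the four-quadrant model."""
    findings = []
    for ev in events:
        allowed = entitlements.get(ev["user"], set())
        if ev["resource"] in allowed:
            continue
        origin = "internal" if ev["user"] in employees else "external"
        # Intent (malicious vs unintentional) is not inferable here; leave for triage.
        findings.append({**ev, "origin": origin, "intent": "triage"})
    return findings


def summarize(findings):
    """Unauthorized attempts per identity, so repeated probing stands out."""
    return Counter(f["user"] for f in findings)


def repeat_offenders(findings, threshold=2):
    """Identities with at least `threshold` unauthorized attempts: the ones to
    escalate into the GRC incident workflow with business context attached."""
    return {user for user, n in summarize(findings).items() if n >= threshold}


if __name__ == "__main__":
    events = parse_events(SIEM_EXPORT)
    findings = find_violations(events, ENTITLEMENTS, EMPLOYEES)
    for f in findings:
        print(f["ts"], f["origin"], f["user"], "->", f["resource"], f["src_ip"])
    print("repeat offenders:", repeat_offenders(findings))
```

The entitlement snapshot is the piece the SIEM does not have on its own; pulling it from IAM is what turns a stream of "read" events into a statement about policy violations that the GRC workflow can attach a risk rating and a business owner to.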