Complying With Modern-Day Cybersecurity Governance

Joseph Dalessandro, Head of Security, Technology Audit & Audit Data Analytics, Australian Unity

From a regulatory perspective, organisations have a number of standards to consider for cybersecurity. But what does that mean? What are cybersecurity compliance standards? Unlike many other industry standards, cybersecurity compliance standards have developed over time with different levels of detail, requirements and goals for judging or assessing the same areas. They include the Payment Card Industry Data Security Standard (PCI-DSS), a global standard and an obligation for merchants accepting payment cards; in the Australian financial industry, the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 234 Information Security, an obligation for APRA-regulated entities; and in the United States the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is voluntary guidance rather than an obligation. Each of these standards contains requirements for technical or configuration change management, for example, but each demands different evidence to demonstrate compliance. Complying with standards, and documenting that compliance, is not usually a capability that IT or cybersecurity has built into business-as-usual (BAU) operations. This is the first point of change: the CIO needs to draw on peer resources in Audit, Risk, Legal and Compliance to build a technical and cyber risk team and a methodology for cyber risk assessment and analysis.

Assessments and analysis are the cornerstones of a compliance program. As there is no single cybersecurity compliance standard to "rule them all", even a smaller multinational can face several compliance standards, each demanding a different level of documentation and evidence of compliance. This is where developing capabilities in IT and cybersecurity for quantitative risk assessment and analysis is essential.

Tools such as the FAIR (Factor Analysis of Information Risk) model can help: cyber risk is derived as a quantitative measure, in dollars, from the probable frequency and probable magnitude of a future loss. A quantitative derivation of this kind will make sense to the board and to the CIO's peers in risk management, finance and even portfolio risk. From a tooling perspective, organisations are currently all over the map. Some have a GRC (governance, risk and compliance) system but have never used it for cybersecurity compliance, and are now trying to refit that tool to document cybersecurity compliance. This work can carry a hefty price tag, and unless the goal is understood up front, the organisation may spend that money more than once putting in and refitting a GRC solution.
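To make the "probable frequency times probable magnitude" idea concrete, the following Python is an added illustration (not code from the article, and not an implementation published by the FAIR Institute). It estimates the two top-level FAIR factors, Loss Event Frequency and Loss Magnitude, as calibrated min/most-likely/max ranges, models each range as a PERT distribution, and simulates thousands of years to produce an Annualised Loss Expectancy (ALE) and loss-exceedance percentiles that a board or finance peer can read. The scenario, its estimates, the proposed control and its cost are all constructed assumptions for the example.

```python
"""FAIR-style Monte Carlo quantification of one cyber risk scenario.

Added illustration, not code from the article or from the FAIR Institute.
Loss Event Frequency (events/year) and Loss Magnitude (dollars/event) are
given as calibrated ranges, each modelled as a PERT (scaled Beta) distribution.
Annual loss is simulated for many years to obtain the ALE and a loss-exceedance
view (p50/p90/p95). Standard library only.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Pert:
    """Calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        """Draw from PERT(low, mode, high); its mean is (low + 4*mode + high) / 6."""
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        alpha = 1.0 + 4.0 * (self.mode - self.low) / span
        beta = 1.0 + 4.0 * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a per-year rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    events, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return events
        events += 1


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert  # Loss Event Frequency: loss events per year
    lm: Pert   # Loss Magnitude: dollars per loss event


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> Dict[str, float]:
    """Simulate independent years; return ALE and loss-exceedance percentiles."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = poisson(rng, scenario.lef.sample(rng))
        annual.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    annual.sort()

    def percentile(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "ale": sum(annual) / years,
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "max": annual[-1],
        "p_any_loss": sum(1 for loss in annual if loss > 0) / years,
    }


def control_net_benefit(before: Dict[str, float], after: Dict[str, float],
                        annual_control_cost: float) -> float:
    """Expected annual loss avoided by a control, minus what the control costs to run."""
    return (before["ale"] - after["ale"]) - annual_control_cost


# Constructed, hypothetical estimates for illustration only.
BASELINE = Scenario(
    "Ransomware on a shared file server (current controls)",
    lef=Pert(0.1, 0.3, 1.0),              # roughly one event every 1-10 years
    lm=Pert(50_000, 250_000, 2_000_000),  # recovery, downtime, notification costs
)
WITH_CONTROL = Scenario(
    "Same scenario with a proposed control that cuts frequency",
    lef=Pert(0.02, 0.06, 0.2),            # frequency reduced about 5x (assumption)
    lm=BASELINE.lm,                       # magnitude assumed unchanged
)

if __name__ == "__main__":
    for scenario in (BASELINE, WITH_CONTROL):
        result = simulate(scenario)
        print(scenario.name)
        for key in ("ale", "p50", "p90", "p95", "max"):
            print(f"  {key:>4}: ${result[key]:>12,.0f}")
        print(f"  chance of at least one loss in a year: {result['p_any_loss']:.0%}")
    benefit = control_net_benefit(simulate(BASELINE), simulate(WITH_CONTROL), 60_000)
    print(f"Net annual benefit of the control: ${benefit:,.0f}")
```

The point for the CIO is the last line: expressing the control's value as ALE avoided minus its running cost puts a security investment in the same units as any other budget request. The percentiles matter as much as the mean, because a board that only sees the ALE will be surprised by the p95 year; the ranges here are placeholders and should be replaced with estimates calibrated against the organisation's own incident history.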

For instance, one organisation uses more than 50 spreadsheets for PCI-DSS across multiple entities, has two GRC systems, and is still struggling to report cybersecurity compliance. From a tooling perspective, start with a solid understanding from the legal department of exactly which standards must be complied with and by when. Once that understanding is validated, build a solid mapping between the standards so that duplicated and missing requirements can be identified. A number of good free mappings are available from the Center for Internet Security (CIS), the PCI Security Standards Council, the Cloud Security Alliance (CSA) and NIST, and there are of course commercial mappings as well.

Initially it will be messy, unfamiliar, and will seem incorrect and incomplete, but once done in a sustainable and methodical way it will improve quickly. Assessments are not a "one-and-done" effort; they must be a sustained process. The CIO does need to lead the way. Without that support the effort will be doomed, and the organisation will continue to miss the mark both in reporting on its holistic security posture and in showing how it complies with its obligations.

Cybersecurity compliance and improved reporting are attainable. With a deliberate commitment to measuring compliance comes the ability to reduce risk and to demonstrate the need for increased resources.

Copyright © 2022 CIOReviewAPAC. All rights reserved.