If You Think Compliance is Expensive, Then Try Non-Compliance

Instagram of Risk Blog 3

On Your Bike

Last year, just when summer was abruptly ending, I decided to buy a bike. The timing could not have been worse. At best I accomplished one week of what I classified as proficient riding, and that was navigating a flat path, as anything else in my vicinity would have been uphill and painful.

A week later I locked my bike up in a well-weathered shed that had a secure padlock. If anyone wanted my bike, they would have had to break the padlock.

I am reminded of this story because I recently had a conversation with the head of a security and risk management division, who told me that not that long ago, to secure your documents you would physically place them in a filing cabinet, put a key in, turn it, and lock it: job done.

Well naturally this still exists, but now we have more secure, efficient, and quicker ways to safeguard documents and data. The advances of digitalization have brought us so many reasons to be cheerful. Look how we can work remotely, store terabytes of files in one click, and send relevant photos, media, and documents across the world in seconds.

Just to set the record straight: when I say things have become more secure, it depends on who you ask! Cyber security is all the rage and making front-page news in national papers: it is not just companies that need to secure themselves; even countries are worried about their IP domains and distributed denial of service (DDoS) attacks. Networks, organizations' infrastructure, passwords, and even mobile devices have to be ring-fenced against these attacks. The stakes are high, and risk has to be managed, be it systemic or reputational.

Recently, MetricStream partnered with the International Compliance Association (ICA) on a webinar titled "Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional".

I was fortunate to be part of this discussion.

Some of the topics we delved into were:

  • How are risk and compliance professionals tackling cyber risk?
  • How does risk quantification help with strategic decisions?
  • What is the role of the compliance professional in cyber security risk management?

Watch the Webinar: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional

Cyber: The Dark Side of the Force

It’s great to see how innovation and technology can help solve so many things. Unfortunately, there is a darker side. There are cybercriminals who are trying to steal your online data and cause as much havoc as possible. It’s not just a job for CISOs or CROs to manage this. It falls to all teams including compliance professionals.

Cybercriminals may try a thousand times to infiltrate the same organization, and unfortunately it takes only one attack to be successful. If you are breached, the results are catastrophic and you will have to re-think your entire business and cyber strategy.

There is a significant difference between information security and cyber security: the first protects your classified information, whereas the latter is a component of information security and protects your networks and computer systems. You need to be in control of both.

Another form of cybercrime that has dominated the headlines recently is ransomware. It is the most profitable form of cybercrime, and with the current geopolitical landscape, cyber-attacks and ransomware are dominating the Eastern Europe region and the world stage.

Cybersecurity is a Business Risk, Not Just a Technology One

Organizations need to show their customers that their data is secure. Being compliant is important to give your customers confidence that you are protecting their data, but it is not the same as being cyber secure. By understanding your risks, mitigating the right risks for you, and transferring residual risks, organizations can start to make and prioritize decisions based on their profile. Compliance professionals should be connecting with the cyber and security professionals, because in real terms the cost of compliance continues to rise, and if you think compliance is expensive, then try non-compliance!

We Are in This Together

Companies don’t have to try and work this out in isolation, and using spreadsheets to manage this will sometimes not give you the breadth, depth, or real-time view that you need. To really get in front of risk you need a governance, risk, and compliance (GRC) solution with a federated data model: whether organizations need to understand their ESG score, their cyber threat vulnerabilities, or their risk quantification, they can have one amalgamated solution that is connected and seamless. They can thrive on risk!

Every organization will be at a different stage in its cyber maturity and development, but what if you could actively manage cyber risk through an IT and cyber risk and compliance framework that aligns with established security standards, so you can pass IT audits more efficiently and obtain buy-in from top management?

MetricStream is here to help you with pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP800-53. We can map policies to IT controls and policy exceptions so you can be set up for success. You can learn more by visiting our website or booking a demo.

The compliance professional is so much more than just compliance: they hold the integrity of the client’s data as well as the ethics of an organization. In many ways, we must go back to basics. Having a solid governance structure that considers your third-party risks and builds a threat intelligence framework is critical.

“Don’t forget it takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Stay safe.

In my next blog I will discuss what cyber means for the resilience of an organization and how you need to think three or four steps ahead of the game.

This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.

Check out Suneel’s other ‘Instagram of Risk’ blogs:

An Ounce of Prevention is Worth a Pound of Cure

Don’t Aim To Be Perfect, Aim To Be Anti-Fragile

Enforcements Will Come in All Directions

There is One Way Traffic – Downhill