Here’s a headline that demands attention: 116 million individuals in the United States were impacted by large health data breaches in 2023. What’s more, according to records from the Office for Civil Rights as of December 21, 2023, the data reported to the Department of Health and Human Services shows that the number has more than doubled when compared to 2022.
The motivation for the relentless targeting of this sector is clear – healthcare institutions are treasure troves of valuable personal and sensitive data, making them lucrative targets for attacks and ransomware. However, substantial as the financial losses are, the consequences of a cyberattack on healthcare go beyond them; an attack directly impacts patient safety and security, potentially turning it into a matter of life and death. Tampered patient history, delayed life-saving tests, diverted ambulances, and compromised medical procedures are just a few examples of the real-world consequences that patients may face.
As the digital frontiers expand in 2024, with artificial intelligence (AI) becoming more integral in diagnostics, patient data management, and medical tools, healthcare organizations will need to bolster their cyber risk and resilience strategies.
Despite increased focus and investment in cybersecurity, healthcare organizations continue to grapple with persistent challenges unique to their industry. Securing patient information remains a formidable task. In 2023 alone, more than 133 million patient healthcare records in the United States were either exposed or impermissibly disclosed. Additionally, vulnerabilities in connected medical devices, reliance on outdated IT systems, and the need to manage compliance with evolving regulations contribute to the complex cybersecurity landscape.
The expansion of the attack surface through digitization, connected third-party systems, and cloud adoption has further intensified cyber risks. 73% of healthcare companies store data in the cloud, of which 43% is patient or protected health information. Amidst these challenges, human error (such as clicking on a phishing email), responsible for 85% of data breaches, persists due to resource limitations and a lack of cybersecurity training for healthcare professionals.
As healthcare systems become increasingly interconnected, the traditional siloed management of cyber risks and reliance on time-consuming manual processes are no longer effective. These outdated methods hinder the swift detection and response necessary in the face of emerging threats. In today's context, where a single phishing email can compromise millions of patient records and disrupt entire systems, the need for agility and prompt mitigation of cyber risks is more crucial than ever. Embracing an agile, continuous, and connected strategy is paramount to fortifying healthcare organizations' resilience against the rapidly evolving cyber threat landscape.
Your cyber risk management strategy in 2024 should include:
Download an infographic on this topic to explore more: Cyber Risks in Healthcare: How to Prepare
In the face of these multifaceted challenges, healthcare organizations must reassess their cyber risk management practices. As the sector strives to minimize the risk of data breaches and cyberattacks, addressing complexities and building resilience becomes paramount. The journey toward effective cyber risk management requires a strategic approach, continuous innovation, and a commitment to safeguarding patient well-being.
With MetricStream CyberGRC, your organization can:
Our latest eBook explores these questions and provides comprehensive insights to guide healthcare organizations toward a more secure future.
For a more detailed perspective on this topic, download our eBook:
IT Governance, Risk, and Compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases, including IT risk management, IT compliance, policy management, threat and vulnerability management, IT third-party vendor risk management, and more. The core promise of an IT GRC program that integrates needs across all stakeholders is the efficient management of risk against business objectives and better business performance amid an evolving threat landscape, technological and business developments, and regulatory changes; all of which can lead organizations to thrive on risk.
While many organizations have seen benefits from their IT GRC investments, it is critical to build a case for the business value of IT GRC, in order to a) understand the true impact of the GRC program against investments made into it and b) gain enterprise-wide commitment supporting the implementation of a high-value, sustainable IT GRC program. It all comes down to one point – leveraging risk information efficiently to achieve business outcomes.
Experience shows us that those organizations that manage IT GRC as an integrated program involving people, processes, and technologies are more successful in delivering value to their organizations, compared to those that simply focus on deploying technology or processes without accounting for the larger picture. Not only does an effective, integrated IT GRC program strengthen IT risk, governance, and compliance management, but it also aligns these processes with the larger enterprise governance framework.
Business value is the measure of a program’s qualitative and quantitative benefits, as well as other intangible expected benefits, such as improved decision-making through better analytics. Together, these values provide a complete picture of how business performance can improve over the long run through a portfolio of initiatives.
The business value can be realized at two levels through an integrated IT GRC program:
It’s important to remember that any business value derived from an IT GRC program is ongoing and continuously improving – it accrues over the years, with substantial returns stacking up as the adoption of the IT GRC program grows and as processes are continuously improved. Only when benefits are realized can the initial value proposition of the IT GRC program be achieved, and perhaps even exceeded. As these benefits become “business as usual,” new initiatives and continuous improvements will drive constant upward revisions to the overall value equation.
Let’s understand this with the help of an example.
Consider an organization’s IT risk management team of 12 people that is not able to complete risk assessments at the required depth due to the lack of time and resources. Management reporting is difficult and incomplete with only a few metrics and, occasionally, with errors that take time to be hunted down and resolved.
Let’s assume that 400 risk assessments need to be performed in the organization, of which only 200 are currently being completed with a team of 12. It follows that the organization could achieve the goal of performing 400 risk assessments if it increased its team size by 100%, from 12 to 24.
Further, assuming the average time to complete an assessment is 10 days, 400 assessments will take 4,000 assessment-days to complete. Assuming 200 working days per year, the total number of team days per year is 2,400 (for a 12-member team) for 200 assessments and 4,800 (for a 24-member team) for 400 assessments.
Also, from the budget standpoint, assuming the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the total cost of 200 assessments with a 12-member team will be $400 × 10 × 200 × 12 = $9,600,000.
Considering the organization can increase the team size to 24, the total cost of 400 assessments would be $400 × 10 × 400 × 24 = $38,400,000.
This, however, is not realistic. An organization will not have infinite human and financial resources to continue scaling up the team and assessments to meet the growing demand, especially if it is using manual methods, spreadsheets, and emails to perform the risk assessments. What is needed is to lower the average cost per assessment and improve the efficiency of the current team by automating the process.
Implementing an integrated IT GRC solution, such as MetricStream CyberGRC, can help achieve this goal. Based on MetricStream’s customer feedback and business value calculator, an organization can achieve a 66% reduction in the time taken to complete risk assessment. This is mainly attributable to:
In the above example, where the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the organization can
In this example, factors such as travel expenses, errors and remediation efforts, financial losses due to fines/failures, etc. have not been taken into account. So, realistically, the cost would be much more than calculated here.
Of course, there will be costs associated with an IT GRC solution as well, such as consulting fees, people costs, technology implementation costs, and ongoing direct costs for cloud services. If the deployment is internal, the team can consider additional hardware and infrastructure costs, as well as support and maintenance costs.
But the payoff is significant. By building an integrated IT GRC program with supporting frameworks, processes, governance, information architecture, and working groups, organizations can achieve better business performance as we can see above.
IT GRC implementation is a journey that can span several months with multiple tracks/initiatives and stakeholders. It’s important to regularly review the implementation plan/roadmap and maintain a living document that demonstrates the benefits that have been realized as each initiative is launched and fully adopted.
MetricStream CyberGRC helps organizations implement and elevate their IT GRC program with automated and autonomous capabilities, an integrated approach, and advanced risk quantification and analytics. It offers several benefits:
Interested in learning more? Request a personalized demo now!
The roles and responsibilities of the board of directors (boards) in ensuring the security of their organizations are expanding – both due to the increasing perilousness of the cyber risk and threat landscape and as the result of new regulatory requirements.
Boards today are interested not only in the business side of it, for example, knowing the return on investment in cyber risk management activities, but also in the technology side of it – the IT infrastructure comprising on-premises and cloud-based assets, networks, applications, and resources, the third-party ecosystem, the cyber defense and resilience mechanism including the control environment and security measures in place, and more.
The onus to effectively communicate security and risk-related information to the board and the C-suite in a timely and lucid manner primarily falls on the CISO. Although there is a blossoming trend of appointing Business Information Security Officers (BISOs), the key responsibilities still lie firmly with the CISO. Since boards consist mostly of non-technical executives, it is essential that this risk information is conveyed in easy-to-understand, business-oriented language. This enables them, first, to understand the true potential of risks and their impact, and second, to make strategic decisions that keep the organization protected while managing budget and resource constraints.
A lack of effective communication not only leads to insufficient or inappropriate action, but may also lead to conflicts and reputational issues and expose the organization to higher risks. It is imperative for CISOs to choose the relevant and essential metrics to report on, which can aid in fulfilling the above requirements.
Cyber risk and IT compliance metrics are essential not only to gauge the effectiveness of an organization’s cyber governance, risk, and compliance (Cyber GRC) strategy and program, but also to manage and effectively communicate risks to the board. They are also critical indicators of overall status, unresolved issues, and potential risk events that can adversely impact organizations.
The CISO and security team measure and track a plethora of such metrics – risk appetite and tolerance, security incidents, configurations, mean time to detect, control maturity, business continuity planning and impact analysis, employee awareness, frequency of training programs, and many more. When reporting these to the board, the CISO should be clear about the objectives behind the reporting. Since the board is responsible for implementing strategies that drive business value, they must receive and review the cyber metrics in a manner that helps them in this process.
Which brings us to the question – what information should the board be made aware of?
The most common and obvious answer is, of course, understanding the security and compliance posture. However, there are several other aspects too.
First, there is no one-size-fits-all metrics reporting template. Understanding the information sensitivity, domain, sector, size, culture, and resources of the organization should be the foundation of all such metrics reporting. As an example, the nature of data being handled, the regions being operated in, the regulations in those regions, and so on will affect the kind of metrics being reported to the board.
Further, the metrics will depend on the ecosystem of the organization. For example, if a company were to scale its operations by engaging a network of third parties, then metrics concerning such third-party activity and their SLAs must also find prominence in any reports to the board.
In another scenario, say, if a company were downsizing and facing budget cuts, the decision-makers would want to know the best way to do so without impacting the overall security posture. This would require looking at metrics such as IT team headcount, productivity, use of AI technology, IT vendors, spending on cyber projects, etc.
Another aspect to consider is the purpose of the report. There are regular review processes that help to determine the cybersecurity strategy, budget, and program. This involves metrics such as the number of security incidents in a year, the total number of critical assets, top risks, threats, and vulnerabilities, the number of access control violations, control maturity practice score, the number of critical and non-critical third parties, mean time to respond to security incidents, total third-party spend, compliance status, number of open issues, and many more. Then there are particular use-case reports such as detailing an incident or planning for a corporate acquisition/merger or entering a new line of business. In these cases, different types of reports with specific metrics need to be reported on and this should be in addition to (and not instead of) the regular reports.
Keeping it simple always works best. Not all board members will have the technical expertise to understand the relevance or criticality of every metric that is being reported. It is therefore crucial to report the metrics in terms that anyone can interpret and understand. For example, in addition to presenting them with the risk assessment matrix, color-coded for depicting high, medium, and low risk, communicate the risk exposure in monetary or dollar terms using risk quantification.
Another best practice is to segregate the metrics into different categories, such as
One of the best ways to communicate technical information to non-technical people is to use analogies. As an extremely simplified example, instead of trying to highlight the benefits of ECC encryption over RSA, one can simply portray it as ECC having a 12-lever lock versus RSA, which has a 6-lever lock. The use of real-world examples can go a long way in ensuring that the board understands the issue and makes the most fact-based decisions.
Regulations around cybersecurity and cyber risk management are increasing quickly. In recent months, we saw the adoption of the SEC’s cybersecurity rules in the US, following the introduction of the Digital Operational Resilience Act (DORA) in the EU, to be fully adopted by 2025.
The SEC’s rules require annual reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, as well as how the board/subcommittee is informed about cyber risks. The rules, set to come into force in December 2023, are applicable to publicly-listed organizations.
For a deeper dive, read our recent blog, Achieve Compliance with SEC’s New Cybersecurity Rules.
The EU’s DORA entered into force on January 16, 2023, and financial sector organizations will be required to be compliant by January 17, 2025. The act mandates the “management body” of financial entities to define, approve, oversee, and be responsible for the implementation of all arrangements related to the information and communication technology (ICT) risk management framework.
To learn more about this new regulation, download our eBook, Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act.
Given the fast pace at which the cyber risk landscape is evolving, the board’s role and interest in cyber risk management will only grow. For CISOs and security teams, this will require presenting a clear, simple, and accurate picture of the Cyber GRC program. Additionally, it requires effective collaboration and regular communication between the board and the CISO to make the reporting process meaningful, streamlined, and aligned with business goals and objectives. This requires time and effort from both sides, and the best time to start is now.
To learn how MetricStream can help with cyber metrics reporting to the board, contact us today!
It has become trite to say that cyber risks are evolving at a fast pace or that they have become a top area of concern for organizations. Businesses today are required to navigate not just the digital era but the era of cognitive intelligence and generative AI (GenAI). While these technological advancements are helping organizations significantly improve their cyber risk management and gain process efficiencies, the easy access to these tools has made them a favorite among bad actors and cyber adversaries, who can use them just as easily to plan and launch sophisticated attacks with far-reaching consequences.
The best cyber risk management strategy is to ensure that innovation and security measures go hand in hand. But in practice, it is not so. In an IBM survey, while 94% of CEOs said that it is important to secure AI solutions before their implementation, 69% said that innovation takes precedence over cybersecurity for GenAI.
While AI is on everyone’s mind as we step into 2024, what are the other cyber risks that organizations need to prepare for? Before we get to that, here’s a quick recap of the major happenings from 2023 for all things cyber.
One of the most important cyber developments in 2023 was undoubtedly the adoption of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules for public companies by the U.S. Securities and Exchange Commission (SEC). Though there are a lot of unanswered questions and “grey” areas regarding determining the “materiality” of a cyber incident or terms like “without unreasonable delay”, it is a landmark regulation nevertheless and a step in the right direction.
For deeper insights into the new rules, you can read my previous blog “Achieve Compliance with SEC’s New Cybersecurity Rules” or leave a comment below to let us know your thoughts.
With AI implementation gathering steam across sectors, the National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January 2023. The framework is intended to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.”
We also saw the Digital Operational Resilience Act (DORA) being enacted in the European Union on 16 January 2023. EU-based financial sector organizations will be required to demonstrate DORA compliance from 17 January 2025. Aimed at enhancing the digital operational resilience of financial sector entities, DORA covers key areas including ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, the management of ICT third-party risk, and cyber threat information sharing.
Our eBook “Demystifying DORA: Understanding and Preparing for the EU’s Digital Operational Resilience Act” discusses various aspects and requirements of DORA in detail.
Throughout the year, organizations around the world also faced a growing number of cyber attacks and data breaches. Some of the major ones include the hack of MOVEit, which affected over 1,000 organizations and the personal data of at least 60 million individuals; the distributed denial of service (DDoS) attacks on a number of banks across Italy; the ransomware attack on entertainment company MGM Resorts, which led to operational disruptions; the uncovering of a 38 terabyte data leak at Microsoft that happened in 2020; the data breach at the Indian Council of Medical Research (ICMR), which exposed the personal data of 815 million Indian residents; and many more.
It goes without saying that the cyber risks will increase in number, sophistication, and severity. Here are some of the top Cyber GRC trends for 2024:
Download now: Top Cyber Risk Trends in 2024 and Beyond
We at MetricStream are hard at work to help organizations stay one step ahead of cyber risks. 2023, in particular, has been a milestone year as we rolled out a number of solutions and capabilities to help organizations drive an effective Cyber GRC strategy. These include:
To explore MetricStream’s cyber risk and IT compliance management capabilities and to prepare for the trends of 2024, request a personalized CyberGRC demo today!
As businesses migrate to the cloud or expand their cloud adoption, security risks and compliance are always among the chief concerns, and critical challenges that must be addressed, especially in today’s volatile risk climate.
AWS Cloud users have access to AWS Audit Manager, which continuously audits AWS Cloud service usage, and streamlines the assessment of risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to assess operational effectiveness of internal controls frameworks and provides audit-ready reports. It’s a powerful tool. And it just got more powerful, by integrating MetricStream’s CyberGRC solution.
In addition to cloud infrastructure controls, almost every organization has application-specific controls and organization-specific policy and procedure controls with which they also need to demonstrate compliance. Even AWS Cloud customers often have requirements for infrastructure controls for other cloud providers and on-prem solutions. Often these controls are maintained and assessed manually, in Excel sheets, with point solutions, or using GRC tools that are not integrated with AWS Audit Manager. These manual processes are resource-intensive and themselves fraught with risk.
Now, with the integration of CyberGRC, AWS Audit Manager customers can automatically solve their IT and compliance challenges and lower their cyber risk exposure. And for existing CyberGRC users already on AWS, the integration with Audit Manager brings automated evidence collection, to afford a complete view.
AWS Audit Manager users will now be able to demonstrate compliance not just with AWS Cloud infrastructure controls, but also with custom controls, application-specific controls, and controls for multiple cloud providers, as well as benefit from MetricStream’s complete suite of cyber risk, policy, and compliance functions.
So, instead of trying to manage reporting from multiple systems, users will finally have a centralized repository and view of control results – from AWS Audit Manager and across other controls – in one place, including automated evidence gathered from AWS, as well as control data and evidence stored in CyberGRC.
The benefits of this integration are clear:
In short, the co-innovation between MetricStream’s CyberGRC solution and AWS Audit Manager will not only reduce risk and maintain compliance across all systems in real time, it will also create organizational efficiencies by reducing manual processes and breaking down internal silos. It is a major step forward in IT Risk and Compliance for cloud-based businesses.
The above blog was originally published as an article by the author on LinkedIn. Read the original version here.
Learn more about the MetricStream CyberGRC and AWS Audit Manager Integration.
Download the Tech Brief: Automate Control Testing and Evidence Collection with AWS Audit Manager and MetricStream CyberGRC
While cyber attacks remain the plague of the modern corporate world, there are historical similarities that date back to a pre-computer era.
In 1988, Cornell University graduate Robert Morris was the first person to be successfully charged under the Computer Fraud and Abuse Act. It could however be argued that the first actual cyber-attack was launched over 150 years earlier by French brothers François and Joseph Blanc.
In the 1830s, the equivalent of the internet was the telegraph. This used semaphore to deliver vital government communications as well as share prices from the Paris Stock Exchange.
The brothers hatched a plan to ‘front run’ the markets by hiring an agent in Paris to deliver coded messages disguised as packages to the telegraph operators. If the paper wrapping was white, the market had gone up; if the wrapping was grey, the market had moved down. They bribed telegraph operators to send messages based on the colour of the wrapping. The messages were disguised as deliberate errors that would be disregarded by operators. The brothers hired an agent who understood what an ‘error’ signal looked like. He sat on an adjacent hill and read the signals as they came in, revealing the market news.
The brothers exploited the markets for two years and made a significant sum of money. When the scam was exposed, they were arrested for bribery. Back then, France had no laws against the misuse of a telegraph system, and they were only forced to pay court costs. This meant they got to keep their ill-gotten gains.
I know what you’re thinking…but, I can confirm that this loophole was rapidly closed!
We are still faced with the same issue even with modern advances in technology. There are still those who are willing to exploit others for their own gain. Organizations and legislatures are lagging behind the curve and stuck in a constant battle of catch-up.
In 2021, Gartner forecasted that spending on Security and Risk Management would exceed US$150 billion. This is a drop in the ocean considering the cost of cyber-crime is estimated to have breached the US$1 trillion mark. Yet despite all this technology, phishing attacks remain the most common hacking technique.
Ensuring organizations stay ahead requires proactive risk assessment, mitigation, and monitoring of IT and cyber risks, threats, and vulnerabilities, across various IT compliance requirements. MetricStream’s CyberGRC solution can streamline cybersecurity efforts to actively manage cyber risk and support cyber resilience.
Built as an intelligent, intuitive, and interconnected program, CyberGRC enables your organization to:
Although your cyber risk and security tools may be sophisticated, phishing requires one simple lever - the ignorance of human beings. There are many different risk factors to manage, minimize, and protect against. It does make you think - could the invisible enemy be sitting next to you?
Want to learn more on how you can build your organization’s cyber resilience? Request a demo now.
Check out more resources related to cybersecurity:
The Ultimate Guide to Cyber Security and IT & Cyber Risk
How can I automate IT compliance management when I have a mix of manual, custom, on-premises, and cloud controls? How can I get a single view of my IT compliance status and risks? Can I create a single repository of my compliance evidence across my multiple IT infrastructures and environments?
These questions often come up in our conversations with CISOs, IT Risk/Compliance Directors, IT auditors, and compliance officers from across industries.
Organizations today use resources, services, and applications across on-premises and multi-cloud environments, which necessitate efficient assessment, monitoring, and reporting of controls across these domains to mitigate risk and ensure compliance. That, however, is easier said than done, for many reasons.
With varied controls across different environments, the tracking and reporting of the status and risks arising from each environment are bucketed into their own respective methods and processes. As an example, cloud controls are viewed only in the cloud account dashboard, network/application controls in the respective software solution, and custom controls may be viewed in Excel sheets.
As a result, control testing and assessment are often a manual exercise, as many organizations rely on offline, fragmented systems and processes. More often than not, companies customize some controls to better align them to their unique requirements, which further impedes automated testing and evidence collection. The result is an inconsistent, siloed control testing and assessment process – wherein an organization has different workflows and systems for manual, automated, custom, on-premises, and cloud controls – and no single source of truth.
Collating data from all these disjointed systems and mapping them against industry standards and frameworks, such as PCI DSS, HIPAA, NIST CSF, ISO 27001, SOC 2, and others, can be exceptionally challenging. Resource and budget crunches add to the challenges faced by IT risk and compliance managers.
What organizations need is a one-stop solution that automates control testing and evidence collection against compliance requirements for all enterprise-wide controls and provides consolidated reports.
With CyberGRC’s integration with Amazon Web Services (AWS) Audit Manager, we, at MetricStream, are taking a step in that direction.
Through MetricStream’s partnership with AWS, we now offer our customers a complete and integrated solution for managing and testing organization-wide controls through the integration of MetricStream CyberGRC and AWS Audit Manager.
AWS Audit Manager continuously audits AWS Cloud product/service usage and streamlines the assessment of risk and compliance with regulations and industry standards. It automates evidence collection to assess the operational effectiveness of an organization’s internal controls framework (policies, procedures, and controls).
Read more about how the solution works: AWS Audit Manager now supports first third-party GRC integration
One of the key benefits lies in the single source of truth the integration provides for all org-wide controls. The solution’s single repository provides comprehensive visibility into controls, test results, and evidence for all controls – custom, application-specific, and multiple infrastructure controls (multi-cloud and on-premises) – all in one place. No more switching between multiple dashboards and spending time consolidating reports.
Most importantly, the control testing results and evidence on pass/fail are tied to relevant standards and frameworks. At one quick glance, the solution provides insights into the number of active assessments created and executed, control testing results by area of compliance – which controls are compliant and which are non-compliant, along with JSON evidence for each – the number of controls and accounts in scope for each of the assessments, the specific resources on which the controls were executed, and much more.
Prasad Sabbineni, co-CEO, MetricStream, discusses the benefits in detail in the article: CyberGRC Just Got More Powerful with AWS Audit Manager
This integration is live now and can be accessed directly by customers using CyberGRC and AWS Audit Manager. We have also worked closely with AWS to ensure the integration process is quick and simple.
The MetricStream CyberGRC and AWS Audit Manager integration enables you to:
To learn more about the MetricStream CyberGRC and AWS Audit Manager integration, request a personalized demo today!
Before I jump into that, let’s look at the various c-suite titles that currently fall under the umbrella of a cyber risk leader – chief security officer, chief information officer (CIO), information security officer (ISO), and chief information security officer (CISO). In some organizations, managing cybersecurity risk and compliance processes rolls up to the chief risk officer (CRO).
There are also relatively new roles that you might have heard of – business information security officer (BISO), business aligned security executive (BASE), and technical information security officer (TISO) – the list goes on.
As the scope of responsibilities of a cyber risk leader is evolving and expanding, new monikers are emerging to truly represent what the role entails. Today, cyber risk leaders are not just tasked with protecting the IT and cyber infrastructure of organizations – the role has become one of a business enabler.
In a previous blog on building cyber resilience, I discussed some of the top roles played by CISOs today. A quick search on LinkedIn for CISO, CSO, and cyber-related job requirements yielded further insights into what companies are looking for today in these roles.
Here are some interesting ones that I came across:
This brings us to the question: how can cyber risk leaders prepare for the next level?
“Realize that everything connects to everything else.”
Leonardo da Vinci said this in a different context, but it applies to today’s corporate world, too. The business environment is becoming increasingly convoluted with interconnected organizations, processes, functions, and even risks!
The growing digital dependencies are exposing organizations to new, high-velocity cyber risks. In turn, businesses are expecting more and more from cyber risk leaders – the core objective still being protecting the enterprise from cyber adversaries.
To better align to the evolving business expectations, CISOs, CSOs, and equivalent title holders need to undertake a connected approach – connecting not just internally within the enterprise with various stakeholders but also externally with the latest developments in technology, AI, and automation, trends in cybersecurity best practices, new and emerging cyber risks, and more.
Connecting internally is essential to raise risk and security awareness across organizational hierarchies, keep the executive management informed about the overall cyber risk posture, and drive well-formed cybersecurity investment decisions. All of these elements are essential for ensuring a robust cyber risk strategy.
At the same time, the next-gen cyber risk leader needs to connect externally to secure all the touchpoints of the organizations, including the extended enterprise comprised of third-party vendors, customers, partners, and other stakeholders.
A well-rounded approach requires cyber risk leaders not only to understand the interconnectedness of risks and their cascading impacts, but also to keep up with the latest technological developments, such as APIs, automation, cloud, and artificial intelligence (AI), to embrace industry best practices for IT and cyber risk management, and to ensure open and efficient communication across the organization and the extended enterprise.
For a deeper dive, read our eBook on “5 Connections Every Cyber Risk Leader Must Make for Driving Cyber Resilience”.
With AI ushering in a new paradigm for cyber risk management, the role of cyber risk leaders will continue to gain prominence in the corporate hierarchy and become increasingly aligned with the strategic leadership role. There is an urgent need to take on a continuous approach involving constant learning, improving, and adapting to meet evolving business expectations.
If you’re in a cyber risk leader role, how are you preparing and staying current for what’s next? Drop us a line in the comments, and as always, let us know how we can help you anticipate and thrive on risk.
In 2014, NIST released the Cybersecurity Framework (CSF) to set a standard for organizations to understand, manage, and reduce cybersecurity risk. Created through collaboration between the US government and private sector, the CSF provides a series of flexible cybersecurity guidelines that can be tailored to each organization’s unique needs. It has been downloaded more than two million times across 185+ countries, and translated into at least nine languages.
Since it was last updated in 2018, a lot has changed in the world. We’ve witnessed a pandemic-fueled surge in digital transformation, the coming of age of AI, the rise of the metaverse, and datafication – all of which have amplified cybersecurity risks. Last year, global cyber-attacks increased by 38%. Ransomware alone hit 66% of organizations, compared to 37% in 2021.
In response, regulators have issued a slew of cybersecurity mandates, be it the SEC’s rules on cybersecurity risk management, the EU’s proposed Cyber Resilience Act, or the upcoming EU Digital Operational Resilience Act, not to mention the various cybersecurity-related legislations in over 150 countries worldwide.
All these events and changes perhaps nudged NIST to revisit, refresh, and update the CSF, which is exactly what NIST has done. In August 2023, the agency announced its biggest reforms yet to the CSF with the release of a draft of the CSF 2.0. The new framework is expected to address both current and future cybersecurity challenges, while also making it easier for organizations to put the CSF into practice.
The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. Over the past year, NIST has conducted workshops with thousands of stakeholders across countries to develop and refine the CSF 2.0. The final version is expected to be published in early 2024.
Here’s what has changed in the framework:
For years, organizations across industries have been using MetricStream’s CyberGRC suite of solutions to simplify compliance with the NIST CSF, as well as multiple other cybersecurity standards and regulations. With MetricStream, you can proactively identify, assess, and mitigate cybersecurity risks to achieve the outcomes of NIST CSF.
CyberGRC enables you to:
Want to know more about how MetricStream can help you strengthen NIST compliance?
The clock is ticking for publicly listed organizations to ensure compliance with the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules (rules) recently adopted by the U.S. Securities and Exchange Commission (SEC). The rules, set to come into force from December 2023, are expected to improve transparency for investors, customers, and other stakeholders in matters related to a company’s cybersecurity risk management and governance processes.
One of the key requirements under the new rules is for public companies to report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident. However, what constitutes “material” is somewhat of a gray area.
Let’s take a closer look.
As per the final rules:
In the press release, the SEC relied on the definition set by judicial precedent, “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available.”
Further, the SEC explained that companies should consider both qualitative and quantitative factors to determine the material impact of an incident. It explained:
“By way of illustration, incidents violating a company’s security policies or procedures, or affecting a company’s reputation, financial condition, operations or causing harm to a company’s customer or vendor relationships, or competitiveness may all be considered as examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.”
While these are good examples of cybersecurity incidents, they leave ample scope for subjective judgment on the part of organizations as to what constitutes “materiality”. The answer will also vary from organization to organization depending on factors such as the scale of their operations, the nature of their business, the type of products, and the criticality of the information residing in their systems.
So, in the absence of a clear definition, it is advised that CISOs, IT risk professionals, and other executives in charge of compliance with the rules display complete honesty and transparency, erring on the side of caution.
The other aspect to consider is that the rules require organizations to make their materiality determinations “without unreasonable delay” – which, again, seems open to interpretation. The SEC explains:
“A company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality. Similarly, if the materiality determination is to be made by a board committee, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay.”
To put things into perspective, the mean time to identify a breach in 2023 is 204 days, according to IBM’s Cost of a Data Breach Report 2023. So, the timelines for an organization to detect a breach, determine its materiality, and then report it to the SEC could prove ambiguous in practice.
Nonetheless, the final rules are a great initiative in the right direction. Among other things, they will compel organizations to improve the maturity of their incident detection and response and their overall cyber risk management and governance processes. We could see future revisions that offer more clarity and/or more requirements for companies to adhere to.
Join our upcoming webinar on September 13th, where we will analyze the SEC’s new cybersecurity rules and discuss key strategies and best practices to achieve compliance, along with domain experts:
In a previous blog, I delved into the key requirements that organizations need to meet and the strategies that can help them achieve this goal. Here’s a look at how MetricStream CyberGRC can help you achieve compliance:
| Under the SEC Rules, You Need to | With MetricStream CyberGRC, You Can |
|---|---|
| Report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident, subject to an additional extension of the timeline at the Attorney General’s discretion | - Establish consistent procedures for incident documenting, analyzing, and remediating all the way till closure - Maintain a single source of truth for the incident lifecycle for quick and efficient reporting |
| Annual reporting on the processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and whether any cyber risks have had a material effect or are likely to do so | - Assess and manage IT and cyber risks in a standardized manner using industry frameworks, such as ISO 27001 and NIST - Generate comprehensive reports providing in-depth visibility into the overall security posture |
| Annual reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, and how the board/subcommittee is informed about cyber risks | - Leverage user-configurable reports with role-based views into relevant risk, threat, vulnerability, and control data in real time, which can be presented to the board and top management - Record and maintain the expertise of the members of the management team or cyber risk committee/subcommittee |
| Disclose whether they are engaging with third-party assessors, consultants, or auditors in connection with any cybersecurity processes | - Document and maintain information on third parties mapped to relevant details such as IT assets, business units, products or services, contracts, spend, certifications, ongoing assessments, country, risk or compliance issues, due diligence status, etc. - Generate reports that provide insights into the risks, compliance, and performance of third-party vendors |
| Describe whether and how cybersecurity processes have been integrated into the overall risk management system or processes | - Implement an integrated GRC solution to obtain real-time status monitoring and comprehensive reports, providing in-depth visibility into overall risk management systems and processes |
Learn more about how MetricStream can help achieve compliance with the SEC’s cybersecurity rules: