
Cybersecurity vs Cyber Risk Management: What are the Similarities and Differences?

7 min read

Introduction

Cybersecurity and cyber or IT risk management are essential components of any organization's strategy to navigate the complex and ever-evolving landscape of cyber threats. 

But while the two terms – cybersecurity and cyber risk management – are often used interchangeably, they are two distinct practices that work in conjunction to protect an enterprise from cyber attacks. As the threat landscape evolves further, it is crucial to have calculated and robust strategies for both in order to maintain a strong, secure, and proactive digital environment. To do so, it is important to clearly understand the similarities and differences between the two.

Understanding Cybersecurity

As the word implies, cybersecurity practices aim to protect and safeguard not just information/data, networks, and digital infrastructure but also physical devices and even premises from malicious attacks and damage. 

Cybersecurity includes a set of people, methods, processes, practices, and technologies that are put in place to protect an enterprise’s data, systems, and networks from threats ranging from unauthorized access and damage to attacks, disruptions, and theft, among others. Cybersecurity is a broad strategy that includes factors like infrastructure security, data protection, network application security, disaster recovery, and end-user education and awareness. It focuses on threat prevention, vulnerability management, and incident response to protect information and information systems and ensure confidentiality, integrity, and availability of data.

Specifically, this includes four key aspects:

  • Physical security, or measures to protect computer systems and networks from unauthorized physical access and/or damage from events like fire or vandalism, and to safeguard against breaches resulting from theft. Some methods employed include security guards, access controls, fencing, and boundaries, among others.

  • Network security, which focuses on protecting computer networks from unauthorized access. This is achieved through measures like firewalls, antivirus systems, intrusion detection systems, and encryption.

  • Application security, which aims to protect software applications from attacks and manipulation. Modern applications are being developed with intrinsic security measures – where security is built into the design rather than being added on later. Despite this, there can still be vulnerabilities within an application that hackers can exploit, and cybersecurity strategies are designed to protect applications from such attacks and manipulations.

  • Information/data security, which protects enterprise data – including the enterprise’s own information as well as customer and third-party data. Cybersecurity practices focus on protecting sensitive enterprise data from unauthorized access, disclosure, or modification; some methods of achieving this are encryption, access control, firewalls, authentication protocols, backups, and regular purging, among others.

Understanding Cyber/IT Risk Management

Cyber and IT risk management involves identifying, assessing, prioritizing, managing, and responding to the various risks associated with information/data, IT assets, and the use of digital technologies, and their potential impact on an organization. Identifying and mitigating risks of this nature requires strategic planning and informed quick decision-making.

The key steps/processes involved in cyber/IT risk management are:

  • Identify – In this step, it is crucial to identify and inventory the digital assets, potential threats, and vulnerabilities, and to determine the criticality and value of each asset in terms of its impact on business operations.

  • Risk Assessment – This is a systematic process that evaluates an organization's vulnerabilities, threats, and potential impacts related to its information systems and digital assets. It involves defining the scope, identifying critical assets, and pinpointing potential threats. The assessment also includes examining system vulnerabilities and analyzing risks based on likelihood and impact. Mitigation strategies are then developed to reduce or address the identified risks, and an action plan is created. Ongoing monitoring verifies the effectiveness of implemented controls and identifies the need for adjustments. Through this process, organizations can gain a clearer understanding of their cyber risk posture, enabling informed decisions and improved resilience against cyber threats.

  • Risk Mitigation – The assessment is followed by risk mitigation, i.e. the development and implementation of strategies to address the identified risks. These may include measures like implementing robust security controls, adopting best practices, creating processes to be followed, and even inculcating a risk-aware culture within the enterprise.

  • Risk Monitoring and Response – This stage involves continuous monitoring of assets, systems, and networks to detect potential cyber incidents. It also includes the implementation of a bespoke incident response plan and processes to analyze incidents, contain and remediate them, communicate with essential stakeholders, and conduct post-incident analysis.

  • Review and Update – In this stage, the cyber risk assessment should be reviewed and updated regularly to account for changes in the threat landscape, technology landscape, and business environment. Cyber risk teams must assess the effectiveness of implemented controls, adjust mitigation strategies as needed, and consider conducting periodic comprehensive assessments to ensure ongoing risk management effectiveness.

Examining the Similarities

Evidently, there is some overlap and similarities between cybersecurity and cyber risk management strategies, and they complement each other:

  • Protection – Both practices aim to protect enterprise assets, including systems, devices, networks, and data, from cyber threats.

  • Threat Awareness – Both practices aim to improve threat awareness, as both require a thorough understanding of the evolving risk landscape and the threats facing the organization.

  • Minimize Impact – Both practices aim to minimize not just the likelihood of threats and risks, but also their impact on the organization.

Understanding the Key Differences

For all the similarities, the two differ significantly in their focus, strategic approach, and scope, as listed below:

  • Scope and Focus
    Cybersecurity: Primarily focuses on protecting computer systems, networks, and data from unauthorized access, attacks, and damage. It involves implementing preventive measures, such as firewalls, encryption, access controls, and security patches, to safeguard against potential threats.
    Cyber Risk Management: The focus is broader and involves the identification, assessment, and prioritization of potential risks and vulnerabilities in an organization's digital infrastructure. It encompasses not only technical aspects but also the business impact and financial consequences of cyber threats. It aims to manage risks proactively, considering a range of factors such as threat likelihood, potential impact, and risk tolerance.

  • Objectives
    Cybersecurity: To establish a secure environment, protect sensitive data, maintain confidentiality, integrity, and availability of information, and prevent unauthorized access and malicious activities.
    Cyber Risk Management: To identify, assess, and mitigate potential risks to the organization's information assets. It involves understanding the likelihood and potential impact of various cyber risks and implementing strategies to minimize or transfer those risks.

  • Approach
    Cybersecurity: Focuses on implementing security measures, policies, and technologies to prevent and detect security breaches. It involves deploying firewalls, antivirus software, intrusion detection systems, and other security controls to protect against known threats and vulnerabilities.
    Cyber Risk Management: Takes a holistic approach that goes beyond technical controls. It involves risk assessment, risk analysis, risk treatment, and risk monitoring. This includes identifying and prioritizing risks, implementing risk mitigation strategies, developing incident response plans, and regularly monitoring and updating risk management practices.

  • Perspective
    Cybersecurity: Typically takes a narrow view from a technical standpoint, emphasizing the protection of systems and networks. It focuses on defending against specific threats and vulnerabilities using technical controls and measures.
    Cyber Risk Management: Takes a broader organizational perspective. It considers business objectives, regulatory compliance, legal implications, reputation management, and financial consequences.

One can consider cyber risk management as the strategic foundation that assesses a wide variety of risks and identifies ways in which to mitigate each one, while cybersecurity is a tactical, hands-on approach to defending assets against whatever threatens them. Managing cyber risk requires a deep understanding of the potential consequences of a cyber incident and effective implementation of risk mitigation strategies to minimize the impact on an organization's objectives and stakeholders. 

Cybersecurity and cyber risk management align in their objective of safeguarding organizations against cyber threats, yet they adopt distinct perspectives and methodologies. The practices complement each other and have equally important roles in ensuring comprehensive protection and effective risk mitigation. By integrating both disciplines into their overall cybersecurity and risk management strategies, organizations can build a robust and proactive defense posture against a continuously evolving risk landscape.

Proactively Manage Cyber Risk with MetricStream

MetricStream’s IT and cyber governance, risk, and compliance solution, CyberGRC empowers organizations to connect all types of cyber risk data from across the enterprise and leverage actionable business intelligence to make data-driven decisions to build cyber resilience. With CyberGRC, your organization can:

  • Gain a single, consolidated, and comprehensive view of your cyber risk posture across all risk areas and objects
  • Complement your cybersecurity tools to reduce the risk of cyber breaches with active risk management
  • Ensure compliance with cyber-related regulations and frameworks, thereby reducing compliance risk
  • Streamline the management of IT and cyber policies and documents and ensure compliance with all of them
  • Identify, assess, mitigate, and monitor third-party IT risks, while also proactively managing vendor compliance
  • Measure cyber risk exposure in quantified terms, leading to better investment decisions and effectively determining ROI on controls and tools
  • Continuously monitor IT controls and processes for improved compliance and security

Want to learn more about how CyberGRC can help your organization build an effective and resilient cyber risk management program? Request a demo now. 

Check out our latest eBooks on cyber risk:

Cyber Risk Management for Energy Companies

7 Top Cyber Risk Strategies for Banking and Financial Services 

5 Connections Every Cyber Risk Leader Must Make for Driving Cyber Resilience

10 Cyber GRC Trends to Watch in 2025 | eBook


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Navigating the NIS2 Directive: Essential FAQs for Compliance Success

5 min read

Introduction

The NIS2 Directive, effective as of October 17, 2024, marks a significant milestone in the European Union's efforts to bolster cybersecurity. This directive is a crucial update from its predecessor, the NIS Directive (2016), expanding requirements and strengthening cybersecurity obligations for critical sectors across the European Union (EU).

The new directive has an expanded scope, new risk management and incident reporting requirements, and stricter financial penalties. We answer some of the top FAQs on NIS2 to guide your organization through compliance.

What is the NIS2 Directive?

The NIS2 Directive is the EU's enhanced regulatory framework for the cybersecurity of network and information systems, setting a high common level of security to protect essential and important entities in sectors like energy, healthcare, digital infrastructure, and finance. These organizations are now required to implement stronger security measures to ensure resilience against cyber threats.

How Does the NIS2 Directive Differ from the Earlier NIS Directive (2016)?

NIS2 expands both the scope and depth of regulatory requirements. Key changes include:

  • Stricter Cybersecurity Obligations: Enhanced security measures now apply across an expanded range of sectors.
  • Extended Scope: The directive applies to medium and large enterprises, with a focus on critical infrastructure and suppliers, even if they are outside the EU.
  • Incident Reporting Requirements: New timelines mandate that incidents be reported within 24 hours, with a follow-up report due in 72 hours.
  • Increased Accountability: Leadership is held accountable for compliance failures.
  • Stricter Penalties: Fines can reach up to €10 million or 2% of global turnover, whichever is greater.

Which Organizations Are Subject to NIS2?

NIS2 targets medium and large organizations, especially those involved in critical national infrastructure, with some exemptions. It applies to organizations with a minimum of 250 employees and €50 million in annual turnover for essential services, or at least 50 employees and €10 million in turnover for important services. Member states have the discretion to make exceptions for high-risk entities that fall outside of these parameters.

List of essential sectors covered under NIS2

  • Energy (electricity, oil, gas, district heating and cooling, and hydrogen)
  • Transport (air, rail, water, and road)
  • Healthcare
  • Water supply (drinking water, wastewater)
  • Digital infrastructure (telecom, DNS, TLD, cloud service, data centres, trust service providers)
  • Finance (banking, financial market infrastructure)
  • Public administration
  • Space

List of important sectors covered under NIS2

  • Digital providers (online markets, search engines, social networks)
  • Postal services
  • Waste management
  • Food
  • Manufacturing (medical devices, electronics, machinery, transport equipment)
  • Chemicals (production and distribution)
  • Research

NIS2 regulations cover not only essential and important services but also extend to their entire supply chain. This means that subcontractors and suppliers, regardless of location, must meet the same security standards as required by NIS2.

What Are the Core Requirements of NIS2?

The NIS2 Directive mandates:

  • ICT Risk Management: Proactive identification, assessment, and management of cybersecurity risks.
  • Supply Chain Security: Organizations must assess and manage risks from third-party vendors.
  • ICT Incident Reporting: Timely and structured reporting of incidents, with specific deadlines.
  • Corporate Accountability: Leadership is directly responsible for compliance.
  • Business Continuity: Robust business continuity and resilience plans are essential to maintain operations during disruptions.

What are the Incident Reporting Timelines Under NIS2?

Under the new directive, essential and important entities must notify any incident with significant impact without undue delay.

  • Within 24 hours: An early warning, including initial assumptions about the incident type, should be sent to the competent authority or CSIRT.
  • Within 72 hours: A full notification report is required, detailing the incident assessment, severity, impact, and indicators of compromise.
  • Within 1 month: A final, comprehensive report must be submitted.

To streamline this process, the Directive encourages Member States to:

  • Simplify incident reporting through a single-entry point, minimizing administrative burdens
  • Facilitate easier reporting for cross-border incidents within the EU

Does NIS2 Impact Non-EU Companies?

Yes, NIS2 also applies to non-EU companies that provide essential services within the EU. Sectors like healthcare, digital infrastructure, and transportation are particularly impacted, even if services originate outside the EU.

What is the Role of National Governments in NIS2 Compliance?

Member states oversee enforcement by designating authorities to monitor compliance, enforce penalties, and ensure that all organizations within their jurisdiction align with NIS2 standards. Additionally, national governments guide organizations in adhering to the directive’s rules.

Has the NIS2 Directive come into effect?

Yes, NIS2 was formally adopted in 2022, and EU member states were required to transpose the directive into national law by 17th October 2024.

(Source: European Commission’s Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive))

Preparing for NIS2: How to Get Started

To meet NIS2 mandates, organizations must strengthen cyber resilience by focusing on proactive risk management and robust incident response. Start your NIS2 compliance journey by:

  • Mapping your compliance status by assessing and aligning current risk management practices with NIS2 standards to bridge compliance gaps.
  • Adopting proactive risk management by regularly assessing and mitigating cyber risks with clear accountability and thorough incident response procedures.
  • Establishing a unified risk view by centralizing risk data, aligning digital risks with organizational assets, processes, and compliance needs.
  • Managing vendor risks by maintaining oversight on ICT vendor risks, ensuring continuity and compliance through systematic assessments.
  • Developing business continuity plans by preparing recovery plans with prioritized assets and tested crisis communication strategies.

How Can MetricStream Help?

MetricStream’s CyberGRC platform simplifies NIS2 compliance with built-in frameworks, automated incident reporting, vendor risk management, and robust continuity planning tools. With MetricStream, organizations can efficiently manage cyber risks, streamline compliance processes, and respond swiftly to incidents, aligning seamlessly with NIS2 requirements.

The NIS2 Directive signals a new era of cybersecurity compliance. As the directive takes hold, staying informed and proactive is essential. For more detailed guidance on the next steps and how to ensure compliance, download our comprehensive eBook today.

Request a personalized demo today.


Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on 3 different continents and has travelled to over 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.

 

5 CISO Must Reads For This Cybersecurity Awareness Month

4 min read

Introduction

As we mark October as Cybersecurity Awareness Month, this year's theme, Secure Your World, highlights the growing importance of robust cyber risk management practices and an increased focus on cyber resilience as threats evolve. For CISOs (Chief Information Security Officers) and CSOs (Chief Security Officers), staying informed about the latest cyber risk management strategies and cyber regulatory updates is essential to building and maintaining robust cyber risk frameworks.

To help you strengthen your cyber resilience, we’ve compiled a list of 5 MetricStream must-reads that offer valuable insights into the evolving landscape of cyber risk management, governance, and compliance. These resources will equip you with the knowledge to better safeguard your organization in today's complex digital environment.

1. 5 Connections Every Cyber Risk Leader Must Make for Driving Cyber Resilience

The role of CISOs is transforming. They no longer serve solely as enforcers of cybersecurity rules but now take on a strategic role, integrating cybersecurity with broader business goals. This eBook dives into the expanding responsibilities of modern CISOs and outlines the critical connections they must build to drive resilience.

Key insights include:

  • The evolution of the CISO’s role in today’s business landscape
  • Five crucial connections to build—internally, externally, and with industry trends
  • Strategic advice on aligning cyber risk with business objectives

This guide is invaluable for CISOs looking to adopt a more integrated, business-aligned approach to cyber resilience.

2. The Ultimate Guide to IT Governance, Risk, and Compliance (IT GRC)

As organizations aim to consolidate their IT governance, risk, and compliance (IT GRC) programs, this white paper provides a deep dive into how an integrated approach can optimize risk-based decision-making. It outlines the critical components of a successful IT GRC strategy and provides practical insights for building a robust cyber risk management framework.

Highlights include:

  • What IT GRC entails and why it’s critical for business success
  • Top challenges in implementing IT GRC strategies
  • Best practices for developing a successful IT GRC program

For those looking to advance their IT and cyber risk management programs, this is a must-read.

3. Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act

With the EU’s Digital Operational Resilience Act (DORA) deadline fast approaching, financial institutions must prepare for this significant regulatory change. DORA aims to enhance digital resilience and tighten regulations around Information and Communications Technology (ICT). This eBook helps security and compliance professionals understand DORA's core requirements, its impact on cyber risk strategies, and how to align IT systems with new regulations.

Key takeaways:

  • A comprehensive overview of DORA and its key implications
  • Five steps to enhance digital resilience and meet DORA compliance
  • Practical ways technology can streamline compliance processes

This resource is perfect for CISOs in the financial sector who need to fortify their ICT frameworks against operational disruptions.

4. The Cyber Governance, Risk, and Compliance Journey: Understanding and Advancing Your Cyber GRC Maturity Levels

A well-rounded Cyber GRC strategy requires more than just technology—it demands organizational maturity. This eBook explores how businesses can assess their current Cyber GRC posture and outlines a structured approach to advancing their GRC maturity levels. It offers a holistic view of the journey toward integrated cyber risk management.

Key topics covered:

  • An overview of the Cyber GRC Maturity journey and its stages
  • Checklist of capabilities for each maturity stage
  • How to use technology to accelerate progress on this journey

This resource is designed for organizations at any stage of their Cyber GRC journey, helping them elevate their cyber governance and risk strategies.

https://info.metricstream.com/cyber-governance-risk-compliance-journey.html

5. IT and Cyber Compliance: 5 Best Practices for Navigating Today’s Regulatory Landscape

With the increasing complexity of cyber regulations, staying compliant has become one of the biggest challenges for CISOs. This eBook provides practical best practices for navigating today’s fast-evolving regulatory environment, from recent SEC cybersecurity rules to EU DORA.

What you’ll learn:

  • The latest updates on key IT and cyber regulations
  • Best practices for managing regulatory compliance in a dynamic landscape
  • A real-world case study showing how automated control assessments helped a financial services company improve its compliance process

For any CISO tasked with maintaining compliance in the face of evolving regulations, this eBook is a critical resource.

Streamline Cyber Risk Management and Build Cyber Resilience with MetricStream CyberGRC

MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent connected GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.

With MetricStream CyberGRC, you can:

Need more reading material? Download the complete overview of what CyberGRC can do for you: https://info.metricstream.com/cyber-grc-product-overview.html

Or let us show you the capabilities in action! Request a personalized demo now.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Cybersecurity Month Spotlight: 5 Must-Know Cyber Risk Trends

7 min read

Introduction

Every year since 2004, the month of October has been globally recognized as Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity. This year’s theme, provided by the Cybersecurity and Infrastructure Security Agency (CISA), is Secure Our World, which recognizes the urgent need to build cyber resilience in the increasingly interconnected risk landscape that enterprises operate in today. Whether it is keeping IT vendor risk in check with intelligent issue management or proactively improving cloud security with continuous control monitoring, enterprises need to build connected risk management strategies to become more resilient.

The cyber risk landscape is showing no signs of de-escalating, and as a result, cyber risk management is growing increasingly complex and challenging. On average, the world faces 2200 cyberattacks a day, or an attack every 39 seconds. The average cost of a data breach is USD 4.5 million. 44 percent of businesses have suffered a third-party data breach in the last year, and 82 percent of data breaches took place in the cloud.

We explore some of the biggest cyber risks facing organizations in 2024 and how these trends will shape cyber resilience strategies in the year to come.

The Risks Keeping CISOs Up at Night

A large number of data breaches over the last couple of years were caused by vulnerabilities in organizations' third-party vendor ecosystems. For example, earlier this year, American Express warned cardholders about a cyber-attack at one of their merchant processors that may have compromised their data. And more than 28000 customers were impacted by a data breach at Fidelity Investments as a result of a cyber-attack on their services provider Infosys McCamish Systems. In an increasingly interconnected world, third-party vulnerabilities are a serious challenge for organizations. A breach somewhere in the ecosystem can expose vast volumes of sensitive data from across organizations. The problem is that even with due diligence and contractually mandated obligations, it is difficult to completely prevent third-party breaches.

5 Emerging Cyber Risk Management Trends

Organizations today operate within a highly complex risk landscape, and they must address new risks like third-party risks or interconnected systems risks. Older cyber risk management approaches are no longer effective, and strategies are changing rapidly to keep pace with this evolving risk landscape. Here are some of the trends shaping cyber risk management in 2024:

  1. The Changing Role of the CISO

    In the past, cyber risk was considered to be a purely technological issue. Today, organizations understand that cyber risk is inextricably linked with business and operational risk, given the escalating cost of data breaches and the impact on reputation. Cyber risk is now a CXO concern and a top priority for board discussions. This shift in priorities and in the understanding of the impact of cyber risks has led to a shift in the role of the CISO. The role is no longer purely operational or technical but has evolved to include business risk management. The CISO, who now has a seat in the boardroom, is expected to align cybersecurity strategies with business goals. They are expected to integrate cyber risk management and security practices across the entire enterprise as well as its external third-party ecosystem.

    CISOs are approaching cyber risk management the same way as financial risk management, with quarterly engagements with CXOs including the CFO and CEO. This demonstrates the increasing relevance of cybersecurity in controlling operational costs and aligning security initiatives with sales, marketing, and overall profit protection. It also helps to integrate cybersecurity efforts with broader business objectives and strategies.

  2. AI: Risk, Reward, and Governance

    Artificial Intelligence (AI) is changing the way cybersecurity strategies are crafted and implemented. On the one hand, AI poses a significant risk, as bad actors have equal access to the technology and can use it to mount highly sophisticated attacks. The fact that AI models leverage vast volumes of data compounds the cybersecurity challenge, as a single breach can expose a vast volume and range of confidential information.

    On the other hand, AI is a tool that when used correctly can greatly augment cybersecurity management. It can automate routine and manual tasks, help prioritize threats and vulnerabilities accurately and improve threat detection capabilities. In fact, 70 percent of organizations surveyed by the Ponemon Institute say that AI is highly effective in detecting previously undetected threats. This will enable cybersecurity teams to focus on higher value projects that can drive business outcomes.

    53 percent of organizations are in the early stage of adopting AI within their cyber risk management and security strategies. As the use of AI increases further, organizations must focus on training their teams to leverage the technology effectively and securely. Cross-functional teams that focus on governance can help drive the responsible and secure use of AI in cyber risk management.

  3. Increasing Regulations – SEC Rules, DORA, EU AI Act

    Regulators worldwide are trying to keep pace with the evolving cyber risk landscape by passing new laws and frameworks to improve cyber risk management and security. Data privacy and security are a key focus area, and most regulations aim to ensure comprehensive data protection strategies covering not only internal operations but also third-party interactions. Many regulations, such as the SEC's cybersecurity rules for public companies and the Digital Operational Resilience Act (DORA) in Europe, require organizations to report incidents and risks more transparently. This is necessitating a shift from decentralized data security measures to a more structured framework, with some organizations even appointing Chief Privacy Officers to ensure compliance.

    The emergence of AI and IoT has also significantly impacted cyber risk management and data security, as these technologies deal with vast volumes of potentially sensitive data. There are complex privacy and legal issues to be addressed that require close collaboration with legal teams to ensure third-party risks are managed effectively.

  4. Focus on Resilience

    Cyber attacks show no signs of slowing down, and cyber risk management strategies are expanding to incorporate resilience and recovery. This is especially significant in critical sectors like healthcare, where interconnected systems face catastrophic disruption when a breach occurs within the third-party ecosystem. No organization is immune to cyberattacks, and the focus must be on continuous monitoring, proactive recovery planning, operational resilience, and recovery strategies.

    Third-party risks must be monitored, their preparedness and recovery plans in the event of a breach must be evaluated, and basic cyber hygiene must be enforced. Resilience must be embedded into daily operations. Only then can critical functional areas quickly recover and get back to business as usual in case of disruption.

  5. Consolidation of Resources

    Redundant platforms and systems can hinder operational efficiency, and organizations are now moving to consolidate resources to improve cyber risk management. For example, consolidating platforms for managed detection and response (MDR) services can provide a unified view of the environment and reduce the need for different teams to access different systems.

    Organizations are also consolidating data for advanced analytics and AI. This helps reduce storage costs and eliminates unnecessary data retention, which in turn reduces the possibility of sensitive data breaches. For example, a company may have stored volumes of visitor records, including sensitive data such as driver’s licenses, which in the wrong hands can lead to significant problems. The company does not need to store this data for its own operations and can simply delete it to free up storage and make data analytics processes more efficient.

    The modern, evolving role of the CISO also encompasses resource consolidation, as CISOs are responsible not just for cyber security but also for operational efficiency, which in turn is linked with business outcomes.

How MetricStream can Help

A rapidly evolving cyber risk landscape has driven changes in the way cyber risks are managed and security postures maintained. Emerging cyber risk management trends call for a greater focus on resilience, third-party risk management, and linking business outcomes with cyber risk management and security. Organizations cannot ensure effective cyber risk management or cyber security without a robust technology platform that can automate key processes.

MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers enterprises to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.



Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.


Meet the Next-Gen CISO: What’s Driving the CISO's Changing Role

Cyber Risk
5 min read

Introduction

The role of the Chief Information Security Officer (CISO) is quickly becoming one of the fastest-evolving roles in the modern enterprise. Today’s CISOs and CSOs (Chief Security Officers) are responsible for formulating robust cybersecurity and critical cyber risk management strategies that are closely aligned with overall business objectives. Their responsibilities have extended beyond the technical realm and include a strategic presence at the C-level table. So, what is driving this change, and how can CISOs best prepare as they transition into their expanded role?

Top Factors Driving the Change in the CISO’s Role

The role of the CISO is currently being influenced by various regulatory, technological, and market dynamics. Key factors driving this change include:

  • Greater emphasis on cyber transparency: New regulations from the U.S. Securities and Exchange Commission (SEC) have placed a greater emphasis on cyber transparency. Publicly traded companies are now required to disclose significant cybersecurity incidents and outline their approach to managing cyber risks. This shift is pushing CISOs not only to focus on safeguarding systems but also to communicate cyber risks and incidents effectively to stakeholders.
  • Increased focus on cyber resilience: The Digital Operational Resilience Act (DORA) in the European Union highlights the importance of resilience over prevention. This requires a shift in strategy from reactive to proactive, building systems that are flexible and durable. Cyber resilience focuses on the continuity of operations even when an attack occurs, and CISOs are tasked with overseeing this broader, more strategic approach to managing risks in the digital ecosystem.
  • Benefits and challenges of AI-powered tools: Artificial intelligence (AI) can now predict, detect, and respond to threats in real time. For CISOs, this presents immense opportunities. However, integrating AI introduces new risks, such as bias in data, AI-generated vulnerabilities, and the need for specialized talent to manage these advanced tools. Navigating the balance between leveraging AI’s benefits and mitigating its risks is becoming a crucial part of the modern CISO’s role.
  • Customer trust expectations: In today’s digital economy, consumers expect organizations to handle their data securely and transparently. Any breach can not only severely damage a company's reputation but also negatively impact customer loyalty. CISOs are now playing a key role in shaping customer trust by ensuring robust data protection policies, communicating effectively with the public when breaches occur, and implementing privacy-focused solutions.
  • Influence on business strategy: Cyber risks directly impact operational and financial outcomes, which means that CISOs are increasingly participating in high-level business discussions. Whether it’s advising on mergers and acquisitions, guiding digital transformation projects, or steering new product developments, CISOs now have a seat at the strategy table, influencing decisions that shape the future of the business.

Meet the Next-Gen CISO

As CISOs and CSOs adapt to the changing landscape and embrace new responsibilities, they have now taken on several roles. The next-gen CISO of today wears many hats.

  • The executive sponsor for security change: CISOs now drive security from a business perspective. This requires aligning with and understanding the business strategy, managing cyber risk end to end, and building cyber resilience. As the leader of cyber risk management and GRC at the organization as well as the owner of the information technology roadmap, the CISO must map organizational strategy, technology, infrastructure, compliance requirements, and core cyber risks to embed cyber security into culture, process, and technology. The CISO also leads security change by maintaining a line of sight into technology trends and disruptions and aligning information security investments and cyber risk mitigation steps with business priorities.
  • The builder of information security and data protection assurance: The CISO plays a key role in building a robust information and data protection program, leveraging the information security of the organization to enable business objectives. This includes establishing the cyber risk management framework for sustainable protection assurance for all intangible assets and strategic advantages. Regular network monitoring, performing of cyber audits, and training both cyber security and general employees in security protocols and safe practices are now CISO responsibilities.
  • The leader of third-party and IT vendor relationship management: With third- and fourth-party IT vendors now part of the extended ecosystem, the CISO is responsible for identifying risk arising through third parties and managing third-party security. Identifying and ranking vendor relationships, performing due diligence, conducting regular security evaluations, monitoring vendor compliance with cyber security standards, tracking updates, etc., are some of the key priorities that the CISO steers.
  • The director of continuous IT compliance and governance: In the era of cyber GRC, a CISO’s role now includes enabling continuous regulatory and standards compliance across all digital assets and processes. Cyber governance, including overseeing the smooth running of cyber resilience initiatives and regular reporting to corporate leadership, also falls under the purview of the CISO.
  • The chief communicator of cyber risk: With cyber risk being such a critical area, the CISO holds the unique responsibility of communicating cyber risk in a language that the board and the rest of the C-suite can understand. Technical cyber security details are often not easily comprehended, and risk expressed in heat maps can be vague. Cyber risk exposure quantified in monetary terms, on the other hand, can effectively paint a clearer picture of the cyber risk.

MetricStream CyberGRC – Empowering Next-Gen CISOs

MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.

Being a CISO is hectic and stressful – but it’s also incredibly important, and I for one look forward to watching the continued evolution of the role, as CISOs grow to become more and more business as well as IT and security champions. Cyber is one of the biggest existential risks enterprises face today. The next-gen CISOs are here to lead us through – even as they dodge the many arrows. We’re rooting for you!



Patricia McParland AVP – Marketing



The Underestimated Cyber Threat: Anticipating and Combatting Supply Chain Attacks

4 min read

Introduction

Cybersecurity threats are multi-faceted, often connected, and accelerating fast. Ransomware, nation-state attacks, employee errors, and third parties – all pose risks for enterprises seeking to safeguard their organizations and customers from cyber attacks and the resulting consequences.

One particularly insidious threat is the supply chain attack. Particularly in today’s interconnected, digital world that favors diverse sourcing, supply chains are increasingly vulnerable to cyber breaches. Even a seemingly small entry point – say, an outdated password on a legacy system – can open the door to massive havoc that can impact and even shut down an entire business.

What is a Supply Chain Attack and How Do They Happen?

A supply chain attack is an orchestrated strike by cybercriminals to find and take advantage of vulnerabilities in the connected network of suppliers, vendors, and contractors that support an organization’s operations – sometimes called the extended enterprise, or the 3rd/nth parties.

Bad actors use a “back door” approach by targeting these downstream suppliers or third parties with the goal of getting to the ultimate organization. Usually, the ultimate target is larger or more desirable and theoretically harder to breach. By using the smaller or less protected supplier, hackers can gain access through malware or other malicious code, such as viruses, ransomware, or other programs designed to steal data or disable systems. 

The SolarWinds incident, for example, was a devastating attack on a software supplier that impacted numerous organizations, including government agencies. Another was Log4j, where a vulnerability in a widely used open-source logging library exposed many organizations to potential attacks. There are countless other examples over the years, and hackers have only become smarter, especially as supplier networks have continued to multiply exponentially due to the many benefits they bring to an organization.

Vulnerabilities are on the rise, too: up 180% from 2022 to 2023, according to Verizon’s 2024 Data Breach Investigations Report. The same report shows vulnerability exploitation of web applications specifically represented roughly 20% of data breaches, with VPN vector exploitations expected to take up an increasing share by 2025.

Assessing the Impacts of Supply Chain Attacks

A supply chain data breach has obvious immediate implications: compromised data, the potential need to shut down systems, the cost of remediation and recovery, and the likely decline of customer trust.

Longer-term implications include financial losses, reputational damage, regulatory penalties, and operational disruptions. In industries such as healthcare or critical infrastructure, where safety is paramount, the consequences can even become life-threatening.

Supply chain attacks also have a “ripple effect”: rarely is just one supplier impacted. Think of the chip shortage in 2023. While not the result of a data breach, it severely impacted Tesla that year.

Strategies to Stay Ahead of Supply Chain Attacks

To stay ahead of cyber attacks, including supply chain attacks, organizations must carefully manage their cyber and IT risk as part of a coordinated risk strategy that includes:

  • Vetting and monitoring of third parties: All third parties, including suppliers, vendors, and contractors, must be assessed at onboarding to understand their security posture and risk management practices. Ongoing monitoring is a must for continued due diligence and for alerting to potential security issues. Ensure you also have a robust program for offboarding third parties and suppliers: old credentials provide an easy entry for malicious actors.
  • Enterprise-wide risk assessment: Connect risk data across divisions and globally for a complete view of risk. Use autonomous monitoring to detect potential risks and control failures to prevent malicious entry.
  • Incident preparedness: Tailor incident response plans to identify and monitor the critical suppliers in the supply chain. Ensure coordinated efforts are in place to effectively respond to security incidents. Most critically, protecting against supply chain attacks requires proactive collaboration, coordination and communication.

Why Short-Term and Long-Term Risk Management Matter

Cyber risk management is essential because cyber threats are accelerating along with vulnerabilities, and organizations can’t afford to be complacent.

Consequences of lackadaisical risk management include immediate impacts of a breach – lost data, downtime, and costs of remediation – as well as longer-term consequences.

Brand reputation and competitiveness are at stake, as are relationships with other suppliers. Regulatory repercussions are real, especially with the advent of resilience legislation like the EU’s Digital Operational Resilience Act (DORA) and the SEC’s Cybersecurity Rule, both of which come with stringent consequences for not managing and reporting cyber attacks.

Finally, risk leaders can even be held personally accountable for the consequences of attacks. CISOs are the most obvious candidates, but Chief Compliance Officers may also be liable. And even non-C-level leaders may not be exempt.

Stay Prepared – And Stay Ahead of Risk

With interconnected risks growing fast and technologies like AI making bad actors even smarter, the stakes in cyber risk have never been higher. Proactive, collaborative cyber risk management can’t completely prevent cyber and supply chain attacks, but it can give organizations the agility and resilience to lessen their impact and rebound with confidence.

This blog was initially featured as an article on ET CISO. Read the original version here.


Prasad Sabbineni Co-Chief Executive Officer

Prasad Sabbineni serves as the Co-Chief Executive Officer at MetricStream. As the head of products and engineering, Prasad leads our product vision and execution of our market leading GRC products.

Prior to joining MetricStream, Prasad was a Managing Director at Citigroup. He oversaw technology for enterprise functions of Risk Management, Finance, HR, Data, Information Security, Compliance Risk, Internal Audit, Enterprise Supply Chain and Third-Party Management. He was the senior technology executive responsible for implementing regulatory initiatives, such as Basel, CCAR, CLAR, BCBS 239, Volcker, Recovery and Resolution Planning at Citigroup. Prior, Prasad led technology for Market Risk, Credit Risk, Prime Services Risk, Portfolio Risk Margin, and Operational Risk functions at Lehman Brothers. Preceding Lehman, Prasad rolled out derivative trading systems globally and as a Risk Manager, he was also responsible for managing market risk of fixed income and equity derivatives at Bear Stearns.


Healthcare Risk and Compliance: 5 Key Challenges to Address in 2025

7 min read

Introduction

Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary, considering that the sector deals with factors as crucial and sensitive as health and life itself. As a result, the sector has witnessed increasing regulatory complexity, with different regulatory bodies focusing on various aspects of the industry. The healthcare business is also rapidly evolving and expanding, with many providers offering ancillary services such as health insurance and insurtech. This makes the sector susceptible to various new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital for them to manage third-party risks effectively. As regulatory complexity increases amid a fraught risk landscape, ensuring compliance can be challenging.

In April 2024, records of 13.4 million patients were exposed by nine incidents of unauthorized access or disclosure of protected health information. In the same month, 44 hacking incidents affected 1,919,637 records. The consequences of such breaches, through penalties and the impact on reputation and image, are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.

What Are Compliance Issues in Healthcare?

Healthcare compliance issues are instances where healthcare organizations fail to adhere to relevant laws, regulations, and industry standards. Non-compliance can lead to severe consequences, including fines, penalties, legal actions, and reputational damage.

1. Regulatory Compliance

The healthcare sector is governed by regulations and frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, the General Data Protection Regulation (GDPR), PCI DSS, the California Consumer Privacy Act (CCPA), the Health Information Trust Alliance Common Security Framework (HITRUST CSF), the Information Blocking Rule (2021), and the Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.

Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw significant updates to its patient privacy provisions and outlined stricter cyber security requirements. It gives patients greater control over their data and mandates risk assessments, incident response plans, data encryption requirements, and updated breach notification requirements. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.

Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies and infectious disease outbreaks, and specifies how long medical records are to be retained. Some states also have their own laws regarding patient data. For example, California has data breach notification laws that must be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.

Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC), which evaluates organizations on parameters such as patient care safety and healthcare management, the Accreditation Association for Ambulatory Health Care (AAAHC), and the Urgent Care Association (UCA). Accreditation shows that the provider meets the quality and safety benchmarks set by these governing bodies. Meeting accreditation requirements and complying with the standards set by each of these bodies is a complex and challenging task.

2. Enterprise Risk and Incident Management

Healthcare providers have to manage risks unique to the sector efficiently and in compliance with the relevant regulations. In addition to compliance risks, healthcare providers have to be prepared to deal with risks related to patient care and safety, as any lapse can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices, in the form of potential malfunctions that impact patient care. There are also risks pertaining to insurance claims, fraud, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats. They also must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks spanning business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively, along with appropriate business continuity plans. The healthcare industry must move from check-the-box compliance activity to proactive risk management to thrive in the complex risk landscape.

3. Data Privacy and Cyber Security

Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.

Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.

Adding to the challenge is the fact that the threat landscape is continually evolving, with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting healthcare data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which was the breach at Medical Management Resource Group that compromised 2.35 million records. Hacking and ransomware continue to plague the sector, and only four breaches affecting 10,000 or more records in February were not hacking incidents. Data encryption is important for protecting healthcare records, but ensuring encryption both in transit and at rest to prevent unauthorized access is a challenge.

The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data, and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the associated security risks and implement stringent data protection strategies.

4. Third-Party Risk Management

Healthcare organizations rely on numerous external vendors, ranging from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to the standards set by HIPAA. This is also a vulnerability that can be targeted by hackers. Additionally, healthcare providers must monitor third parties for operational and ethical risks, such as the unavailability or disruption of medical services, AML violations, bribery, and other malpractice. Third-party organizations are subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.

Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. Organizations must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation, must be a contractual obligation for all third-party vendors working with healthcare organizations. In fact, the HITECH Act extends HIPAA’s regulations to vendors and includes penalties for vendors for non-compliance. Healthcare organizations must regularly monitor their partners and conduct comprehensive, periodic audits to ensure ongoing compliance. Establishing business associate agreements (BAAs) with vendors to ensure compliance with a wide range of regulations is advisable, but managing third-party risks adds to the already significant compliance challenges of healthcare organizations.

5. Continuous Monitoring and Reporting

Healthcare providers operate within a regulatory landscape that is continuously evolving, and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations, and they need the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision-making, and faster, more effective mitigation efforts. Providers must have rationalized internal controls to mitigate risks and ensure compliance, automated processes to onboard new third parties and carry out due diligence so that there are no gaps in compliance, and regular digitized audits with continuous monitoring of compliance processes. Maintaining compliance reports and logs of security events and communicating with regulatory authorities is another key task for organizations.

Power-Up Your GRC Program with MetricStream

MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.

With MetricStream, your organization can effectively:

  • Improve risk visibility with faster response to perceived risks, and automate the capture and management of regulatory changes
  • Streamline and digitalize GRC activities across the three lines of defense
  • Enhance cyber resilience with 360-degree visibility into cyber risks, threats, vulnerabilities, risk exposures, and compliance violations
  • Simplify and improve third-party risk management with automated processes for onboarding, real-time monitoring and control assessments
  • Prioritize internal audits with risk-based audits and automate audit reporting



Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales, and sales enablement. With over 12 years of risk management solutioning experience ranging across Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM), and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


Apple Bank Enhances and Streamlines Cyber Risk Management Program with MetricStream

5 min read

Introduction

At the 2023 GRC Summit, MetricStream’s annual flagship event, Jonathan Ruf, First Vice President - Head of Cyber and Information Risk, Apple Bank, discussed how the organization leveled up its cyber risk management program with MetricStream. Apple Bank is the largest state-chartered savings bank in New York.

Here are the key takeaways from Jonathan’s session at the summit.

Getting Started

Jonathan: We started the journey with MetricStream about four years ago, and the use case was more so around the operational risk. It wasn't necessarily a decision that we were going to use it in cyber and information security. But we realized that there were a lot of synergies, so we took this on.

So, at the beginning, we relied on a GRC process. But what does that really mean if you don't have a framework or a tool? Great value was given, but we needed something to scale, and early on, the selection was made that MetricStream was going to be the tool for Apple Bank. It fit our needs, and it had a roadmap that definitely appealed to us.

Challenges

Jonathan: As we began this journey, my cyber and information risk management team found a lot of opportunities for improvement.

What did we have? Manual processes, spreadsheets all over the place, disparate data sources. There was no central inventory of applications, or even a well-populated CMDB. It was very difficult to understand what was available and what was being done ad hoc.

We had control validations. For each of the risk assessments, the controls needed to be validated, and they were stored in file shares -- again, decentralized.

Issues and exceptions were PDF documents. You can't report on them.

And the assessments. If you aren't centrally managing your assessments, then how are you reporting them? At the end of the day, it’s about reporting, it’s about system integration, and it's about moving to the next level to reduce the manual efforts and to increase the automation of your security monitoring tools for the organization.

The Journey So Far

Jonathan: We standardized and automated the process for initiating the risk assessment of application services and infrastructure services.

Let’s look at the risk assessment lifecycle. We're also going to see in this lifecycle how we have integrated systems through APIs.

A GRC isn't an inventory. It's not where you should be holding your assets or your infrastructure components, it's not a CMDB, it's none of those things. You need a source of truth for everything. So, your vendors, your applications, your CMDB, those are in source systems. But we want to ingest this information. Ingesting this information was difficult because it was manual, and manual processes are prone to errors. But now, we have the ability to pull directly from our inventory sources and schedule assessments.

Considering we're a bank, we are highly regulated. We're also a New York State bank, so we're even more scrutinized with DFS. We have the GLBA and we have DFS risk assessments that need to be done on in-scope applications on an annual basis. But this information is stored in our application inventory, not in our GRC. So, what we need is a push-pull mechanism so we can schedule those assessments based on the date the last assessment was completed, and it will automatically send out those notifications -- never touching the integrity of the source system data within a GRC.

So, why are we not using this information to validate these controls? We have it. Let's use it. I had just one source here, which was Qualys. So, I could say, okay, an infrastructure comes in and it could scan it for vulnerabilities. That's pretty simple.

But we also want to look at -- Is it integrated with SSO? Does it have MFA? Is data encrypted? Is the database connection pool secure? We can bring all of this information in through our APIs, and this is all living in MetricStream. So, we got our source systems and we got our security monitoring tools feeding assessment. It's reducing the burden on the lines of business and providing a more accurate and realistic depiction of risk to the organization.

We just finished with a wonderful, smooth upgrade from Arno to Danube. Now, in every release moving forward, we'll have a low-code/no-code API framework. That's a game changer because if you don't put that in place, creating one-off integrations is going to be a nightmare. Now, you have a low-code/no-code methodology to integrate these systems.

Business Value Realized

Jonathan: We have made such tremendous progress in our cyber risk management portfolio. It just really is truly inspirational and light years from where we first started.

The MetricStream solution currently supports 500+ employees. This extends all the way to our 86 branches and to our multiple headquarters. It provides us with qualitative and quantitative cyber risk information. This is stuff that we can really use, and that drives decisions because ultimately, at the end of the day, we want to provide enriched information to our C-level and our board.

Business Value and Realized Benefits

  • Supports 500+ employees – centralized and streamlined risk assessment, issue tracking for critical processes and IT assets
  • Provides qualitative and quantitative cyber and information risk assessment results, centralized risk register, detailed metrics, and KRIs for senior management and board committees
  • Facilitates continuous control monitoring of 100+ processes
  • Significant increase in risk visibility through centralized and streamlined reporting
  • Reduced time taken to manage and close issues and action plans
  • Reduced the risk of compliance violations, penalties, and reputational damage with timely insights on compliance readiness at each organizational level
  • Prescriptive control recommendations for issue management
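The assessment scheduling and evidence-fed control validation described in the session above, written out as an added Python illustration (not MetricStream's or Apple Bank's code): inventory records from the source systems are treated as read-only, in-scope applications are flagged for reassessment on the annual cadence, and each control passes only when tool evidence supports it. The record fields, control names and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Mapping, Optional

ANNUAL = timedelta(days=365)  # annual GLBA/DFS assessment cadence from the talk


@dataclass(frozen=True)  # frozen: inventory records are read, never modified
class AppRecord:
    name: str
    in_scope: bool            # regulatory scope flag kept in the app inventory
    last_assessed: Optional[date]


def assessments_due(inventory: List[AppRecord], today: date) -> List[str]:
    """Names of in-scope apps never assessed or assessed a year or more ago."""
    return [
        app.name
        for app in inventory
        if app.in_scope
        and (app.last_assessed is None or today - app.last_assessed >= ANNUAL)
    ]


# Each control is judged from tool evidence (SSO/MFA flags, encryption state,
# scanner findings). Missing evidence fails the check; nothing is assumed.
CONTROL_CHECKS: Dict[str, Callable[[Mapping[str, object]], bool]] = {
    "sso_integrated": lambda ev: ev.get("sso") is True,
    "mfa_enforced": lambda ev: ev.get("mfa") is True,
    "data_encrypted": lambda ev: ev.get("encrypted_at_rest") is True,
    "no_critical_vulns": lambda ev: ev.get("critical_vulns") == 0,
}


def failing_controls(evidence: Mapping[str, object]) -> List[str]:
    """Controls that cannot be validated from the supplied evidence."""
    return sorted(name for name, check in CONTROL_CHECKS.items() if not check(evidence))


# Constructed sample data standing in for the inventory and scanner feeds.
TODAY = date(2024, 5, 16)
SAMPLE_INVENTORY = [
    AppRecord("core-banking", True, date(2023, 3, 1)),    # over a year old: due
    AppRecord("intranet-wiki", False, None),              # out of scope: skipped
    AppRecord("loan-portal", True, None),                 # never assessed: due
    AppRecord("payments", True, date(2024, 1, 15)),       # recent: not due
]
SAMPLE_EVIDENCE = {"sso": True, "mfa": False, "encrypted_at_rest": True, "critical_vulns": 2}

if __name__ == "__main__":
    print("due:", assessments_due(SAMPLE_INVENTORY, TODAY))
    print("failing:", failing_controls(SAMPLE_EVIDENCE))
```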

You can watch the complete session here:


Also Read:

  1. How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
  2. How American Fidelity Assurance Enhanced Third-Party Risk Management and IT Compliance Functions

Shampa Mani, Assistant Manager – Marketing

Shampa Mani, Assistant Manager - Marketing, at MetricStream, has over 9 years of experience in content writing and editing. Prior to joining MetricStream, she worked in the news and media industry, covering news on fintech, blockchain technology, and digital currencies. Academically, she has an MBA in Business Economics and an MA in Economics. In her free time, she loves to cook, read, and delve into the world of UFOs and extraterrestrials.
