ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close
featured-blog featured-blog

IT Risk & Cyber Risk

Blogs

Power What’s Next in IT & Cyber Risk with MetricStream Intelligence and Innovations

It and cyber
3 min read

Introduction

We recently concluded our flagship event, GRC Summit, held on October 19-20 in a hybrid format comprising of virtual and in-person engagements.

Now in its ninth year, the summit is the largest gathering of risk professionals, C-suite executives, thought leaders, industry experts, and practitioners, who come together and share their experiences and best practices to navigate today’s complex and rapidly evolving risk and threat landscape.

This year, Anil Kumar, Sr. Director, Product Manager – IT and Cyber Security, MetricStream, and I got an opportunity to give a walkthrough on the latest innovations that are being done and planned in our IT & Cyber Risk products. Here are some of the key points that we discussed:

  • Current IT and Cyber Security Challenges

The key challenges faced by organizations in the area of IT & cyber today include growing supply chain attacks and data breaches, the proliferation of controls and associated costs, lack of visibility into IT & cyber risk, regulatory compliance, the need to quantify and communicate cyber risk in financial terms, and more. We recommend organizations to implement an integrated and platform-based approach across all programs for facilitating consistency and harmonization among different processes and functions.

  • Cyber Risk Quantification

We have been pioneering efforts on cyber risk quantification for a long time. Cyber risk quantification, as the name suggests, is quantifying or expressing cyber risks in financial or monetary terms. This quantitative risk assessment method essentially transforms uncertainty associated with technical aspects of threat, vulnerability, and controls into financial language that business leaders and stakeholders can interpret and act upon. Speaking of the benefits, cyber risk quantification enables

  • CISOs to communicate cyber risk exposure to the board and other executives
  • To prioritize cyber investments and decision-making (whether to accept or mitigate the risk)
  • To meet regulatory requirements associated with disclosing cyber risk factors in financial terms

The session further delves deeper into techniques of quantifying risk – discrete and probabilistic factor values, Risk Quantification Models – factors-based hierarchical models, actuarial/insurance models, AI/ML-based models, and more.

  • MetricStream Intelligence

Our products are infused with what we call MetricStream Intelligence – a combination of our AI/ML engine and calculation engine. It sits on top of our federated data model.

If you break down cyber risk management, it is basically about managing your assets, threats, vulnerabilities, issues, and control database. This forms the very first layer of our federated data model. We’ve built a platform on top of this layer that enables simplified ways of capturing the data as well as direct exchange via APIs in real time. Then we have a whole gamut of reporting and workflow around it.

On top of these layers, we have built our machine learning model, which allows you to create simulation techniques and empowers you to do statistical analysis along with machine learning techniques.

In short, the way we approach this is by enabling organizations to not just manage the workflow of risk assessment, but also to do the computation of the risk and take action driven by facts and data.

  • AI-Powered Action Plan Recommendations

Our customers have often highlighted a major challenge they face – classifying and creating relevant content for an issue. Our Issue Management System is now capable of assisting the users to tag related issues and create relevant content for an issue. This capability of our AI/ML Model is further enhanced to provide recommendations about the relevant actions that must be implemented in order to mitigate an issue.

  • Future Innovations

Going forward, we plan to bring more AI/ML-based use cases to our customers, including in the area of response recommendation, control rationalization, and more. Stay tuned!

If you missed our product innovation session “Power What's Next in IT & Cyber Risk” at the GRC Summit 2021, you can now watch it at your convenience here. To request a personalized demo, click here.

Jump to Topic
joy

Joy Bhowmick Senior Vice President, Product Development

Joy Bhowmick is Senior Vice President, Product Development at MetricStream, and has 20+ years of experience in leading institutional, retail, and commercial banking technology initiatives. He has delivered many solutions in Risk Management, Finance, Compliance, Cyber Security and Audit. He is known for his expertise in determining strategic financial direction, leveraging business and technical acumen to generate solutions for complex issues.

He specializes in championing strategic initiatives to deliver effective results, participating in critical decision-making processes while working proactively with cross-functional teams to drive competitive advantage. His mission is to stay committed to cultivating exceptional stakeholder relationships, meeting their needs and expectations at every step. His ability to provide exceptional service, resources, and methods to meet ever-changing objectives and ensure compliance with all regulatory requirements is what makes him the best at what he does.

 

Related Resources

Blog
Blog
8 mins
Patricia McParland
Cloud Security Risks in 2024: What You Need to Know to Stay Safe
Blogs

Simplified Data Import & Export

blog new
3 min read

Introduction

Prior to moving to MetricStream to manage their GRC content, our customers would have been either leveraging competitor applications or managing all their data manually via spreadsheets. This huge volume of data would be in different forms and shapes which now needs to flow into our MetricStream system. So, it becomes important for our customers to have a smooth transition from their legacy applications to the MetricStream solution.

MetricStream’s Answer: Data Import & Export

MetricStream provided the “Data Import & Export” spreadsheet-based import framework to push data to our systems seamlessly. This framework allowed:

  • Migration of data from legacy systems into the MetricStream system
  • Bulk creation and updating of data into records, bulk creation of library objects like Risks, Controls, Processes, Auditable Entities, etc. and import system entities like Users, Organizations, etc.

Data import

However, although the existing framework enabled extensive usage, it still presented a few challenges. Our customers were operating with certain limitations around configurability and upgrade safety. And especially while importing high volumes of data, import wait time was high. Hence, rather than adding new features to the existing framework and tuning it, it was identified that developing a brand-new framework from scratch would reap more benefits strategically in the long run, which led to the birth of the “Simplified Data Import & Export” framework.
 

 

 

How Will the “Simplified Data Import & Export” Framework Help?

The new simplified data import & export framework is an effort to overcome the challenges which were faced in the existing framework.

Note: Adoption of Business Rules & Business APIs is a pre-requisite to enable Forms with the new framework.

Developer Community

  • A developer tool that will allow to easily configure and upgrade Safe Data Import & Export templates with minimal development effort
  • No additional development effort to have the Data Import & Export validations written separately, since the framework now relies on Business Rules, which will act as a common validation layer across Forms and Data Import
  • Relying on the BAPI underneath, will make the framework more performant
  • Upgrade safe, thereby reducing the time taken to upgrade to future releases or patches

Users of MetricStream

The new framework will co-exist with the existing data import & export framework, i.e., specific Forms can adopt the new framework. Users intending to move to the new framework for a specific Form will require the adoption of Business Rules and Business API’s for that corresponding Form.

The new framework enables:

  • Dynamic generation and leveraging of user-friendly templates
  • Import of attachments & ability to retain rich text format during import
  • Importing data at different workflow stages
  • Improved import & export status reports

The early adopters of the brand-new framework from Products include select Forms from GRCF, CMP and LSM.

In short, if your Forms are ready with the adoption of Business Rules and Business APIs, and you plan to leverage the Data Import & Export capability in your application, then, the Simplified Data Import & Export framework should be your choice.

Stay tuned for more information on our product enhancements coming soon.

Request a demo to learn more about how MetricStream can help your organization enable risk-informed decisions that accelerate business performance.

Jump to Topic
Veeraj

Veeraj Tallur Product Manager - Platform Team at MetricStream

Veeraj Tallur, Product Manager -Platform Team at MetricStream, has over 10+ years of experience in Product Management with an additional interest to write blogs and create marketing content. Prior to joining MetricStream, he has experience of working in the news and media industry such as Thomson Reuters, responsible for creating external facing financial market related content. Academically, he has an engineering degree in Electronics and Communication. In his free time, he loves to read blogs and go for long drives with his family.

 

Related Resources

Blog
Blog
3 mins
Shampa Mani
How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
Blogs

Our European GRC Summit Roadshows and the Instagram of Risk

Blog 4
4 min read

Introduction

Talk about roundtrips…. In-the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.

All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.

London Calling

 

London

The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.

Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.

It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.

Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.

Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.

Cycling through Denmark

CopenWe settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.

The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize pattens and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing. This conversation continued into the evening, accompanied by food and drinks.

High-End Shopping in Zurich

ZurichAnd finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.

Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.

MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).

By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.

Until the next summit.

Suneel

Suneel Sahi

 

Related Resources

Blog
Blog
6 mins
Sumith Sagar
Building Compliance Resilience in the Changing Regulatory Landscape
Blogs

Towards Cyber Resilience: NIST’s Cybersecurity Framework for Ransomware Risk Management

blog
4 min read

Introduction

The number of ransomware attacks on organizations around the globe is growing at an exponential rate with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.

Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.

In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft on Cybersecurity Framework Profile for Ransomware Risk Management that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.

The document details basic preventive steps to protect against the ransomware threat, including using antivirus at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.

The Five Cybersecurity Framework Functions

NIST has classified Cybersecurity Framework Functions into five categories: Identify, Protect, Detect, Respond, and Recover, and has suggested key measures under each of these functions to protect against ransomware threats.

Identify - This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this head include:

  • Creating, reviewing, and maintaining an inventory of all organizational data, personnel, devices, systems, and facilities
  • Prioritizing organizational resources based on their classification, criticality, and business value
  • Establishing cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
  • Cataloging and mapping internal and external communications and data flows
  • Developing a comprehensive communication strategy that details the action plan in the event of an attack
  • Effectively managing legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
  • Establishing and managing risk management processes agreed to by organizational stakeholders
  • Conducting response and recovery planning and testing with suppliers and third-party providers

Protect – This function is critical to limit or contain the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:

  • Documenting and managing identities and credentials for authorized devices, users, and processes
  • Managing remote access to maintain the integrity of systems and data files
  • Effectively managing access permissions and authorizations, incorporating the principles of least privilege and separation of duties
  • Providing cybersecurity awareness education and training to employees
  • Managing information and data in a manner consistent with the organization’s risk strategy

Detect – This function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and enables timely discovery of cybersecurity events. Some of the key suggestions include:

  • Detecting anomalous activity and understanding the potential impact of events
  • Continuous monitoring of information systems and assets
  • Maintaining and testing detection processes and procedures to ensure awareness of anomalous events

Respond –Once a cybersecurity incident is detected, the Respond Function is important to take appropriate action and measures to contain the impact. NIST recommends:

  • Executing and maintaining response processes and procedures to ensure a response to detected cybersecurity incidents
  • Coordinating response activities with internal and external stakeholders
  • Conducting analysis to ensure effective response and support recovery activities.
  • Performing activities to prevent the expansion of an event, mitigate its effects, and resolve the incident
  • Continuously improving organizational response activities by incorporating lessons learned from current and previous detection/response activities

Recover – This involves implementing appropriate activities to maintain plans to restore any capabilities or services that were impacted in a cybersecurity incident and helps an organization’s timely recovery to normal operations. Key measures include:

  • Executing and maintaining recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents
  • Improving recovery planning and processes by incorporating lessons learned into future activities
  • Coordinating restoration activities with internal and external parties

How MetricStream Can Help

MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.

The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations to proactively anticipate and minimize IT and cyber risks, threats, vulnerabilities, and multiple IT compliance requirements. The solution cuts across enterprise siloes by facilitating harmonization between various functions and aggregating information and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Related Resources

Blog
Blog
3 mins
Shampa Mani
How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
Blogs

Frameworks to Consider for Cybersecurity

IT and Cyber GRC
4 min read

What are the Top 3 Takeaways after I’ve Finished this Article?

  • What are the controls that should be implemented to have a robust Information/Cybersecurity program?
  • How should organizations prioritize Information/Cybersecurity risk?
  • Standards that can be used as guidance in creating even better Information/Cybersecurity programs

What is the Difference, if Any?

Information Security includes protecting classified information in all forms that must be protected including, but not limited to: paper documents, photos, media, spoken information, and electronic data. Cybersecurity is a component of Information Security pertaining to the protection of critical systems such as the network and computer systems in order to ultimately protect electronic data from attacks. In creating a robust Information/Cybersecurity program, the standards treat Information/Cybersecurity as a cohesive topic.

Some organizations have put more of their resources into Information/Cybersecurity and hardening the technology because of the increase in ransomware and breaches. They are forgetting about the importance of also managing the data itself through governance and risk assessments, unless required by a regulation or standard that they must be compliant with.

Information/Cybersecurity threats are a key concern and mitigating risks is critical. At the same time, protecting data from internal sources that wish to affect the confidentiality, integrity, and/or availability of data is of prime importance.

In order to manage the risks, policies should be created and approved by top management as part of Governance. An Information Security risk assessment should be conducted in order to assess the potential consequences if vulnerabilities were to be exploited. As part of the process, Information Security risk owners should be identified.

Information Security risk treatment should consider the findings of the risk assessment.

Awareness training is essential in order to mitigate against employees unintentionally affecting the Information Security of the organization.

Guidelines to Consider

There are many guidelines and different industries have their own requirements, but ISO (International Standard Organization) Standards and NIST (National Institute of Standards and Technology span across most industries as additional if not the primary guidelines they wish to implement. The best framework is to include a combination of the different standards into your existing framework as opposed to just choosing one standard to follow.

ISO

International Standards Organization 27000 family pertains to protecting all Information Security assets. These standards include guidance for Cyber Security as well.

ISO/IEC 27001:2013

According to ISO.org, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

ISO/IEC 27002:2013

According to ISO.org, ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).

ISO/IEC 27003:2017

According to ISO.org, ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.

ISO/IEC 27032:2012

According to ISO.org, ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information.

In addition to these three ISO standards, the ISO 27000 family of standards includes many additional standards including:

  • ISO/IEC 27004:2016 which pertains to metrics and monitoring and measuring the information security management system.
  • ISO/IEC 27005:2008, pertaining to Information security risk management

NIST

The Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity risk. The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.

SP 800-53 Rev. 5

Security and Privacy Controls for Information Systems and Organizations Per NIST, this publication provides security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

Conclusion

It’s critical to have Information/Cybersecurity as part of your culture so that all employees are consistently aware and can help protect the organization’s Information / Security assets. Organizations can implement both ISO and NIST controls in perfecting your program, as well as those found in industry regulations, standards, and guidelines.

Dr. Michael C. Redmond

Dr. Michael C. Redmond, PhD

Dr. Michael C. Redmond is a recognized International Trainer, Consultant, Auditor, Speaker, and Author with twenty years of experience. She is the Director for Redmond Worldwide www.redmondworldwide.org

Michael has three published books that are sold in over 35 countries: Mastering Your Introduction to Cyber Security, Mastering Business Continuity Management and Mastering Your Work Life Balance. Her book Mastering Business Continuity Management was selected for Top 16 In the field both in 2020 and in 2021.

She has been an ISO International Standards instructor for PECB for 6 years. She is also currently an Adjunct Professor for St. Thomas MBA Program in Cyber Law. She teaches Risk Management and the course covers Information/Security, Business Continuity and Disaster Recovery, and Privacy

 

Related Resources

Blog
Blog
8 mins
Patricia McParland
Cloud Security Risks in 2024: What You Need to Know to Stay Safe
Blogs

Power What’s Next in GRC with MetricStream’s Brazos Software Release

Brazos-release-homepage
3 min read

Introduction

The demands and requirements of businesses to thrive in the new normal have changed drastically. Buzz words like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental for the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a myriad of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.

Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.

Simplifying Regulatory Complexity

Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:

  • Fully packaged, real-time curated regulatory intelligence from 1,000 supervisory bodies and 2,500 collections of regulatory/legislative materials facilitating efficient management of regulation overload.
  • Certification and sub-certification processes enabling the creation of accountability chains.
  • Contextual intelligence on policies allowing compliance teams to easily identify the policy section related to regulations, risks, and controls.
  • Artificial Intelligence (AI)-powered action plan recommendations based on semantically similar compliance issues reported in the past for quick and easy resolution.
  • Multiple enhancements to the Mobile App that simplify searching policies, tracking regulatory changes, and managing compliance assessments and regulatory engagement activities.

Quantifying the Impact of Cyber Risks

Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.

Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to leverage the industry standard FAIR methodology to quantify their cyber risks in monetary value. In addition, advanced Monte Carlo simulation capabilities help upgrade the assessment teams’ guesstimates into accurate predictive values of the cyber risk exposure.

Powering Next-Gen Vendor Risk Management with AI

Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks of organizations today are comprised of hundreds and thousands of third, fourth, and subsequent parties. A manual approach to review third- and fourth-party documentation, including reports, certificates, and evidence, to spot any discrepancies is time-taking and prone to error.

We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans through the documents submitted by the third parties, validates the content, highlights any anomalies, and automatically recommends risks scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks.

With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:

  • High configurability capabilities across the MetricStream Platform.
  • Enhanced frontline capabilities to anonymously report compliance cases.
  • Improved mobile capabilities for regulatory compliance, IT compliance, and audit.
  • Content Integration Service that leverages REST APIs to import content from external sources.
  • Better collaboration and improved cross-referencing in audit workpapers within Microsoft Word.

We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.

To know more about Brazos Release features, click here.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources

Blog
Blog
6 mins
Sumith Sagar
Building Compliance Resilience in the Changing Regulatory Landscape
Blogs

Organizations Look to Adopt Integrated IT GRC Solutions to Ward Off Cyberattacks, Survey Finds

IT-and-Cyber-Risk-Survey-Report
3 min read

Introduction

Cyber risk has undoubtedly moved up the priority list and taken the center stage in boardroom discussions with the rapid pace of digital transformation of organizations and amplified data-dependency and interconnectedness. The COVID-19 pandemic and the resulting remote working environment have only aggravated the challenges for security teams as the entire workforce moved home—beyond the reach of the office firewall. In these unprecedented times, ensuring robust cyber defense infrastructure to protect critical assets is of paramount importance.

We recently conducted a survey to take a pulse of the current state of IT and cyber risk management programs at organizations. Here are the key takeaways from the survey:

  • Most survey respondents (45%) identified a lack of visibility on cyber risks across the enterprise as the major challenge faced by their organization.
  • A majority of organizations (83%) still depend on basic office productivity software, knowledge management software, and point solutions for their cyber risk management requirements. The implementation of an integrated IT GRC solution is at a low level across industries.
  • Only 28% of the respondents said that their organization's cyber risk and compliance program is fully aligned with the broader enterprise risk and compliance management programs.
  • Most respondents (45%) said that they changed their plans and approaches to cyber risk and compliance management and reprioritized their activities to contend with the pandemic-driven new operational landscape, while 33% of the participants said they deployed new tools and systems to enhance their efficiency.
  • 41% of the respondents said that they are going to implement specific solutions in FY 2021 to ensure compliance with regulatory requirements and standards.
  • 30% of the respondents said that they are interested in implementing a centralized cyber risk and compliance solution.

It is encouraging to see that switching to digitized and centralized GRC solutions is among the top priorities of organizations this year. These solutions can help improve risk visibility and foresight, facilitate continuous monitoring of IT and cyber controls, and streamline overall cyber risk and compliance management. Innovative features, such as support for mobility, real-time reporting, advanced risk analytics, regulatory notifications, and more, further assist executive management and board in quick and efficient decision-making.

“The ultimate goal isn’t to avoid cyber risk but rather transforming it into strategic advantage—because things can and will inevitably go wrong at some point. But if organizations build their cyber resilience—the ability to not just prevent cyberattacks but also minimizing the impact of security incidents and ensuring continued business operations in the aftermath of attacks—that’s when they can truly thrive and create business value,” an excerpt from the report reads.

Cyber Risk to Dominate Risk Strategies

Our flagship event, GRC Summit, was held recently and brought together the best in the industry to share risk management strategies and best practices, and how to build better governed, more risk-aware, compliant, and resilient enterprises that thrive on risk.

Unsurprisingly, cyber risk has emerged as one of the top risks faced by organizations today, and risk leaders believe that it will continue to dominate the risk strategies going forward. To that end, security experts discussed some of the key considerations for ensuring a robust cybersecurity program:

  • Aligning cyber strategy with business goals and objectives.
  • Positioning CISO and security leaders at the right level so that they can better focus on their core responsibilities.
  • Ensuring that CISOs and the security team provide frequent updates on the cybersecurity posture to the board so that there is no communication gap.
  • Quantifying cyber risks for prioritizing risks and controls and determining how much to spend on each control.
  • Increasing transparency into employee communications so that they have clarity not only on corporate policies but also how a crisis is being managed

The best-prepared organizations in the world today are those that use risk as their competitive advantage. Quantifying cyber risks in a manner that makes sense to the executive board and helps them make sound cybersecurity investment decisions is critical for organizations to thrive in today’s digital world. The Cyber Risk Quantification capability of MetricStream IT and Cyber Risk Management can make it considerably easier for organizations to quantify cyber risks in monetary terms, which can then be easily communicated to the top management and board.

To download the report, click here. To watch the summit, click here.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources

Blog
Blog
3 mins
Shampa Mani
How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
Blogs

Making the Right Investments by Quantifying your Risks

Making the Right Investments
3 min read

Introduction

Organizations today need to optimize their risk rather than focusing on avoiding the risk – to know which risk should be accepted to enable business success and create value.

When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.

At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.

In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.

What are some of the key challenges?

Regardless of whether it is a large organization or a small, one of the common challenges across all organizations in the area of cybersecurity is prioritization, Gavin said.

Organizations today face thousands of risks and a key challenge is to ascertain which of those is the biggest priority. Likewise, they might have hundreds of controls and they need to define the importance of these controls and determine how much to spend on each control. Every dollar they spend on these controls should be justified with the benefits/advantages realized. Because they have a finite budget, they need to use it in the most optimal manner.

How to start with Cyber Risk Quantification?

The primary objective for the CISO is to drive overall risk down and drive better-informed business decisions. And, cyber risk quantification can greatly simplify the process by quantifying risks in monetary value. As an example, suppose you got a business opportunity of $100M with $1M cyber risk, you can easily see the overall value of $99M and make your decision to go ahead or not. But if you represent your cyber risk in a way like 3 are critical, 5 are high, and 3 are mid risks, in that case, it's difficult to calculate the overall business value of that business opportunity and you might miss the first-mover opportunity on that business.

Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the quantitative assessment (high, mid, and low-risk heatmaps) that organizations have been doing as all these factors serve as input to the model to calculate the dollar value of the associated risk. When asked about how organizations can start with CRQ, Prasad suggested that organizations can start small – select key risk areas and apply this quantitative technique to see the results. Once they understand the results and their value, they can gradually expand to other risk areas.

How MetricStream helped one of the largest telecom companies in their decision making

With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make their cybersecurity decisions 50% faster by quantifying the dollar Impact of cyber risks.

MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.

This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.

Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.

Conclusion

CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources

Blog
Blog
3 mins
Shampa Mani
How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
Blogs

Cyber Resilience in 2021

Michael-Redmond-blogpage-banner
3 min read

Introduction

Resilience is the ability to adapt to change and respond quickly and effectively. Cyber resilience is more than just preparing—it is ensuring that your business will still thrive in an attack. Too many organizations only concern themselves with ensuring that they have a SIEM (Security information and event management) and or SOC (Security operations center) in place. This is of course very important, but it will not ensure reliance in the event of an attack.

[Read More: Resilience Management as The New Paradigm for Cybersecurity]

Resiliency requires so much more. Risk assessments should include how vulnerable the business itself is there is a breach or ransomware attack. What confidential information could impact the business if it were to be breached? Some examples include blueprints for a new product design that is going to be launched or plans to purchase another organization.

In addition to a SIEM and SOC, the business units should also be trained on recognizing irregularities that could signal that the integrity of data has been affected. They also need to know how to report it so that the event can be investigated.

Each business unit needs a cyber response plan to allow for resiliency. There have been many organizations that were not able to respond effectively to a ransomware incident. A business unit cyber response plan is different than the business continuity response plan. It includes action steps of each business unit will follow when they are affected by a cyberattack.

The organization also needs a great cybersecurity incident response program, which includes policy and program documentation as well as playbooks for insider threat activities, regulator audits, lapses on data governance, and cyberattacks that are applicable to their domain.

[Read More: Four Key Areas to Achieve Cyber Resilience]

ISO 22316 Security and Resiliency Management and ISO/IEC 27035 Incident Response are two of the recommended standards to consider implementing as part of an organization’s cyber resiliency preparation. ISO/ IEC IT Corporate Governance is a good guideline for senior management and the board to implement in order to avoid hefty fines for poor governance. MetricStream enables organizations to align with established standards, empowering with pre-packaged content for necessary frameworks, making the solution up and running on Day 1.

Business continuity management and information/cybersecurity have to be more aligned in identifying risks. The business units understand what information they have in a database that is more likely to be sought in a cyberattack. Business continuity departments should include questions in their risk assessment surveys and interviews pertaining to what information does each business unit has that is PII or PHI or organizational confidential and work with disaster recovery teams to document which databases it resides.

While a business continuity plan may list an application as tier 1, in an incident where a database has been attacked, the cybersecurity teams may not release it in recovery when the business units need it. Cyber teams may need to do forensics or if they deem that there is malware the backups may need to be checked before they can be used. For instance, in the case of an attack was made months ago, even if just identified, all of the backups from the time of the attack may also be affected.

In summary, a good cyber governance program is needed coupled with a good cyber resilience program.

[Read More: CYBER RESILIENCE BEST PRACTICES: Connecting the Dots beyond Cybersecurity]

Jump to Topic
Dr. Michael C. Redmond

Dr. Michael C. Redmond, PhD

Dr. Michael C. Redmond is a recognized International Trainer, Consultant, Auditor, Speaker, and Author with twenty years of experience. She is the Director for Redmond Worldwide www.redmondworldwide.org

Michael has three published books that are sold in over 35 countries: Mastering Your Introduction to Cyber Security, Mastering Business Continuity Management and Mastering Your Work Life Balance. Her book Mastering Business Continuity Management was selected for Top 16 In the field both in 2020 and in 2021.

She has been an ISO International Standards instructor for PECB for 6 years. She is also currently an Adjunct Professor for St. Thomas MBA Program in Cyber Law. She teaches Risk Management and the course covers Information/Security, Business Continuity and Disaster Recovery, and Privacy

 

Related Resources

Blog
Blog
8 mins
Patricia McParland
Cloud Security Risks in 2024: What You Need to Know to Stay Safe
Blogs

Kaseya Ransomware Attack: Is Your Organization Prepared for Third-Party Cyber Risk?

cyber-attack-blog
3 min read

Introduction

Yet another cybersecurity incident has highlighted the vulnerabilities of the extended enterprise. Just ahead of the Fourth of July weekend, up to 1,500 businesses worldwide fell victim to a ransomware attack centered on U.S. information technology firm Kaseya.

 

Understanding the Kaseya Ransomware Attack

What happened:

Kaseya is a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs). In a statement dated July 05, the company said that its VSA product was compromised in a sophisticated cyberattack, allowing the hackers to cripple the end customers with a massive ransomware attack.

Who is responsible:

As per reports, hackers from a cyber adversary group, REvil—the threat actors who were purportedly also behind the ransomware attack on JBS last month, were able to compromise one of Kaseya’s tools. They have reportedly demanded $70 million to restore the data.

The impact:

In a press release, Kaseya said, “While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure...Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”

In a statement, the U.S. Cybersecurity and Infrastructure Agency (CISA) said that it was taking action to “understand and address the recent supply-chain ransomware attack against Kaseya VSA”, adding that it “encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.”

The UK's National Cyber Security Centre also issued a statement saying that they are “working to fully understand this incident and mitigate potential risks to the UK.”

The Growing Third-Party Cyber Risk

Security breaches via third parties are growing at an alarming rate both in terms of volume and sophistication. The major underlying reasons are the growing reliance on third parties for mission-critical goods and services and the amplified digital interconnectedness of organizations, further spurred by the COVID-19 pandemic.

The SolarWinds hack, the security breaches at Microsoft and Accellion, and now Kaseya, underscore the increasingly precarious digital environment businesses operate in today and how a security incident at one organization can quickly travel and paralyze several other connected businesses. According to the 2021 Ponemon Institute report, more than half of the survey respondents said that their organization has experienced a data breach caused by third parties.

Technology-Driven Approach to Third-Party Risk Management (TPRM)

Organizations today need to be proactive regarding the management of their third-party relationships and extended enterprise. Here are few key considerations for an effective TPRM program:

  • Establishing a common nomenclature for onboarding, assessing, monitoring, and off-boarding third parties and centralized repository of all related information
  • Ensuring clear and comprehensive documentation with well-defined clauses that provide clarity to third parties on what they need to do, including how to handle sensitive data after the contract has terminated.
  • Implementing an effective third-party onboarding process which will help ascertain if the third parties are financially stable, secure, regulatory compliant, and more.
  • Categorizing the third-party vendors based on the extent of their access to critical assets and impact on an organization’s margins and profitability
  • Ensuring efficient fourth-party risk management to ensure visibility into the portfolio of the fourth and subsequent parties, identify the critical ones, and perform due diligence and raise red flags on an ongoing basis

Read More: Explore how MetricStream enabled Mastercard to gain a unified, holistic view of all third- and fourth-party risks (Case Study)

A technology-based TPRM solution, embedded with these capabilities, can considerably simplify, structure, and streamline managing the entire third-party lifecycle—from their onboarding to contract termination. This approach will help organizations enhance their visibility into the risks posed by the third and subsequent parties and accelerate responses to risk events.

MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. Its key capabilities, including Continuous Third-Party Monitoring, Periodic Third-Party Due Diligence, Intuitive Dashboards, and Reports, empowers organizations to protect their business from existing and potential threats from third parties, as well as strengthen resilience, contain costs, and optimize business performance. To request a demo, click here.

Read More: Boosting Third-Party Risk Management in a Time of Uncertainty (eBook)

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources

Blog
Blog
8 mins
Patricia McParland
Cloud Security Risks in 2024: What You Need to Know to Stay Safe