Territoriality, denial confounding chances at IT-security improvement, risk expert warns

Businesses may broadly aspire to improve their security and risk management but, in the absence of real organisational appetite for change, many still need “a rude awakening” to finally muster the will to improve their processes and procedures, a global compliance expert has warned.

Governance, risk and compliance (GRC) expert Cliff Huntington, the global director for RSA's Archer GRC solution, told CSO Australia that natural self-defensive mechanisms often stymie attempts to build frank and productive internal discussions around IT security responses: “There are a lot of people whose job description has been to make sure this type of thing doesn't happen,” Huntington said.

“The first thing that always happens in an investigation is root-cause analysis. There are a lot of folks that don't want a light shined on their lack of preparedness. It takes someone with authority to come to the organisation and put the pedal to the metal, and say that [inaction] is unacceptable.”

Recognising that institutional inertia can be a significant confounding factor in efforts to maintain proper governance and compliance, many organisations had implemented multi-disciplinary steering committees that often succeeded in creating new momentum for change.

“In many organisations you have one group that is incredibly aware of management best practice and they don't even talk to each other internally,” he said.

“We see a marked difference in performance in organisations where they have a governance structure with something like a monthly or quarterly steering committee. It lets leaders from various functions come together to discuss the top risks and what they can do to mitigate them.”

One increasingly salient corporate risk was the growing focus of cybercriminals on weak spots in target companies' supply chains – an area that has been repeatedly flagged as potentially compromising even the most IT-security conscious organisation.

Many members of these supply chains are small businesses who, recent studies show, often struggle to achieve IT-security confidence due to a lack of resources. Many also think their size protects them from attention by cybercriminals – and yet their commercial relationships with larger targets can often put them right in the crosshairs.

“If you look at the larger cyber events that have happened recently, third parties are almost always involved in some shape or form,” Huntington said.

Dealing with these issues had hardly been helped by security policies that are often "largely aspirational" and doing little to effect real change in organisations where institutional inertia was hindering efforts to improve their GRC position.

Perception was also often to blame, with many organisational leaders overestimating their capabilities and high-profile successes distracting from the true magnitude of the deficiencies within an organisation.

“We always have some government program that leads from the front, and everyone fixates on those and says they're great,” Huntington explained. “Over time we start to think that best practice is where the market sits – but the truth of the matter is that they're in the top 1 or 2 percent of maturity, and the rest are well below that.”

Education and awareness building were particularly important in dispelling these perceptions, he added, with efforts to simplify “standards that are 1000 pages of 'thou shalts'” and instead to focus on establishing “strategic best practice”.

Dealing with organisational denial was critical if this was ever to happen, Huntington continued, noting that the key "is bringing all the various stakeholders to the table and getting them to accept that there is a problem."

“That's the first step towards recovery and acceptance, and an evaluation of where you are helps identify where the gaps are and where you're most exposed to risk,” he said.

“We're never going to mitigate all risk, but the idea is that if you have $10 to spend, where do you spend it to most effectively change your risk posture? It's just common sense – but it can be a monumental task in organisations that are often just so disorganised.”

Stories by David Braue