The Only Constant is Change. Can You Keep Up?
Last week we wrapped up the 1st guiding principle of COSO, which is Governance and Culture. Just a quick overview - COSO has 5 guiding principles:
1. Governance and Culture
2. Strategy and Objective-Setting
3. Performance
4. Review and Revision
5. Information, Communication and Reporting
This week, we move on to the 2nd guiding principle of Strategy and Objective-Setting.
Strategy and objective-setting work together within your risk management program. Organizational risk tolerance is defined and aligned to strategy. Business objectives reflect both risk tolerance and strategy, laying the foundation for identifying, assessing, and treating risk.
Aligning your cybersecurity risk management program in the same manner helps you align cyber risk tolerance to organizational risk tolerance. This allows your enterprise risk management group to more easily evaluate cyber risk within the context of the overall risks that the organization faces. The four COSO points for Strategy and Objective-Setting are:
1. Analyzes Business Context
2. Defines Risk Appetite
3. Evaluates Alternative Strategies
4. Formulates Business Objectives
Let’s dive right in with the first point of Analyzes Business Context.
Things change. Constantly. Technology evolves. Internal and external factors change (COVID-19, anyone?). A substitute product or service may enter the market at a lower cost and be offered to your customers for less money, forcing your organization to pivot and change its strategy quickly.
In short, strategy changes. Enterprise risk management, and by extension cyber risk management, needs to keep up. As strategy and business objectives change, they should also take into consideration the IT applications, networks, systems, data, etc. that are required to support current and future objectives.
Is your organization in crunch-mode where its primary goal is to survive a downturn in the market, or is your organization in a high-growth phase during a booming economy?
The business objectives that deliver on these strategies may require different technologies and information to succeed, and those technologies will likely introduce new vulnerabilities. Combine that with the changing cyber threat landscape, and new and changing cyber risks are introduced to your organization.
Staying ahead of, or at least keeping pace with, changing business objectives is much easier said than done. You’ve likely heard the terms “shift left” or “Security by Design”, where the goal is to get security engaged early and often in the Software or Systems Development Lifecycle. Doing so reduces costs, because security issues are fixed early in the lifecycle rather than after the fact.
Since shifting left sounds like such a no-brainer (oh, but it’s not), let’s examine five key activities you can undertake to start implementing these concepts at your organization.
1. Work with project managers to ensure a cybersecurity representative is engaged at the beginning of every project.
   a. A cybersecurity champions program allows you to scale to meet this demand.
   b. Early engagement provides defined security requirements and controls at the beginning of development, which is the most effective point at which to reduce risk.
   c. Include cybersecurity validation testing during designated phases of development.
2. Awareness.
   a. Create an awareness campaign, or even specialized training, for developers and system administrators around the common types of threats and vulnerabilities in the software and systems they develop.
   b. One idea is to host a series of lunch and learns around the Open Web Application Security Project (OWASP) framework for developers, or perhaps the NIST Cybersecurity Framework, which is geared more towards system administrators.
3. Automation.
   a. The more you can automate security validation, the better.
   b. Try to provide near real-time feedback to the developer or system administrator, with as much enriched context as possible. A spreadsheet with a dump from your vulnerability or code scanner is just that…a dump.
4. Shifting left also helps to address privacy concerns early.
   a. Privacy has become increasingly front of mind over the past several years, with lawmakers passing regulations such as the European Union’s GDPR and the California Consumer Privacy Act.
5. Continuous improvement.
   a. Take an inventory of the applications and systems your organization has developed and prioritize them from a risk perspective, since you may need to go back and assess them.
   b. Keep in mind that a security posture is only good until the next code release or system update.
Next week, we’ll move on to the 2nd point under the COSO guiding principle of Strategy and Objective-Setting, which is Defining Risk Appetite. I get a TON of questions on this.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Have a great week.