Manage Your Risk, Not Someone Else’s

By Ben Tomhave, Lockpath, MS, CISSP, Principal Consultant

When analyzing your business, it is important to look at what is core and key to business functions. Rather than starting with compliance requirements, it is instead imperative that practitioners start with the business. How does the business operate? What is most important in keeping the doors open and the paychecks printing? In the vast majority of cases, the answer here will be topics like business processes, access to key data resources, enabling collaboration and communication, and other non-security, non-compliance areas. Why, then, do so many businesses spend significant resources chasing externally applied requirements? Now is the time to get a handle on your organization’s own risk profile, rather than living in perpetual reaction to prescribed requirements. Start by understanding what is vital to ensuring the continuation of business operations. Once you understand the fundamental asset picture (i.e., people, process, and technology), then and only then should you start considering how compliance directives apply to your organization.

Leveraging GRC

As soon as you start digging into the resource picture, you may start feeling overwhelmed by all the work that needs to be done to help ensure the survival of the business. Start by getting organized, and only leverage tools where appropriate and useful. It is important to understand what problems need to be solved before looking for technical solutions, and just where you can gain efficiencies from automation. This means starting with a governance, risk management and compliance (GRC) program before moving on to GRC solutions.

Building a GRC program starts with a few key steps. First, you need to collaborate with business leaders across multiple areas (including Legal, HR, and executive leadership) to articulate a prime strategy for ensuring business survivability. This first step includes gaining a solid understanding of how the business operates and what capabilities underpin its continued survival. Second, formalize methods and policies. This step includes delegating “operational security” responsibilities to IT operations and retaining only those security-related duties that truly make sense in a centralized organization (e.g., incident response, access management, risk management). Formalization means defining processes, updating job descriptions to assert security responsibilities for all personnel, conducting better security awareness campaigns, and helping maintain an accountability culture.

Once these two key steps are complete, then and only then will you be ready to take the next step: adding technical solutions. For example, policy management can be a bit unwieldy using simple tools like a SharePoint server, which provides an opportunity to look for better document and policy management capabilities. Similarly, centralizing access management will inevitably create a need for better Identity and Access Management tools. Along with these functional tools, you may also find it worthwhile to start looking at tools that relate more to business intelligence functions, such as those that help track risk factors, exceptions, incidents, and asset information.

The primary driver should be the need to manage your organization’s own risk profile, rather than churning through an unending string of audit and compliance fire drills. Now is a good time to right the ship by getting a handle on business survival and stiff-arming overly aggressive auditors and regulators who are helping their masters manage risk factors that are external to you.