I’m not a cyber expert, but as a compliance professional with accountability for internal investigations of employee and third-party misconduct I’ve had a front row seat to the evolution of risk that has mirrored the mass adoption of new technology.
Protecting information used to be less complex. Keeping bad actors outside of an organization meant fences, door locks and security guards. While managing the risk of employees and other insiders misusing or stealing assets and information was a little tricky; but good hiring practices, security cameras and simple physical access limitation policies worked pretty well. After all, stealing information meant physically taking or copying actual documents and walking out with them – or taking pictures with a camera and then getting the film developed. Pretty cumbersome and inefficient.
Now, that all sounds like ancient history although it’s really not – the iPhone debuted in 2008 and, while the first banks appointed the first chief information security officers in the 90s, the position wasn’t mainstream until the last decade or so.
Today we all walk around with a combination computer/camera/recording device in our pocket. Laptops replaced bulky PCs, and every business tool is generally smaller, faster and more capable of being both weaponized and breached.
The observation of Intel co-founder Gerald Moore, that the computer processing power of computers doubles every two years (Moore’s Law) is often referenced to note the speed of technological advancement – and is, if anything, understated.
New technology, driven by the near universal connectivity of information via the internet, spawned a perpetual cycle of software development and other sophisticated products that drive productivity and efficiency.
The latest must-have technologies and software tease companies both large and small with endless ways to innovate and become more efficient and profitable. Which in turn, challenged the ingenuity of threat actors and encouraged governments to raise their expectations that companies meet the new information security risks.
As artificial intelligence (AI) deploys and the risk of quantum computing looms, the push-pull of progress and risk has nudged corporate compliance and security functions, both relative newcomers to the intense spotlight of government oversight and stakeholder accountability, from close associates, towards best friend forever status.
The evolving (and essential) relationship between Security and Compliance
As new BFFs, cyber professionals and their compliance counterparts increasingly see their areas of expertise and responsibility intersect and overlap. As greater swaths of critical information (e.g., customer data and other PII) are exposed, new compliance policies and cyber tools are rolled out to meet the risk. Tools launched by cyber insider threat programs spawn fresh categories of internal investigations and highlight new risk areas for compliance teams to address.
Government oversight expectations are also increasing as well. For example, the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs clearly contemplates the assessment and mitigation of risks presented by weak cyber controls including data loss, privacy, and operational impact. Further, the U.S. Securities and Exchange Commission recently adopted rules requiring publicly traded companies to disclose material cybersecurity incidents as well as their strategy for managing their cybersecurity risks.
So, the risks are real, the landscape is changing rapidly, and stakeholders- government, customers, employees and otherwise- are watching. Building and maintaining a corporate culture that embraces the vigilance necessary to meet those stakeholder expectations requires a strong partnership between compliance and cyber programs.
Embedding cybersecurity-related compliance into an organization’s DNA isn’t necessarily easy. Practically, trying to warn people about the risks of utilizing the tools they have purchased as part of their push for innovation, cost savings, or even organizational transformation can make cyber and compliance professionals feel at odds with business partners. This can be exacerbated when exercising the proper security hygiene requires the purchase of additional tools or use of other limited resources.
But a strong partnership between cybersecurity and compliance teams helps advance the cultural imperatives of both groups and the overall organization in a more effective and efficient way. Here are a few best practice areas where boots on the ground cooperation and integration pays off.
Compliance risk assessments
If you are doing comprehensive compliance risk assessments (and of course you should be) cybersecurity should be an independently assessed risk and not bundled with other operational or departmental risks. Additionally, if your core compliance team does not have cyber expertise, consider involving a cyber professional on the compliance risk assessment team.
Training
Compliance training and cybersecurity training should be complimentary and target overlapping objectives. Both teams should know what the other is rolling out and, where possible, should reinforce each other’s critical messaging.
Joint training projects, particularly regarding areas of overlapping accountability, can help punctuate a message and allow sharing of technical resources.
Communication
Similar to training, avoiding silos when communicating about cyber risk and related compliance expectations or initiatives is essential to avoiding confusing or contradictory messaging.
Mature organizations know that accountability extends far beyond discipline for policy violations. Deliberate and regular communication efforts are particularly important, versus only communicating in the aftermath of a security and/or compliance failure.
Joint communications from cybersecurity and compliance leaders can increase both readership and the impact of essential messaging. Additionally, partnership with a strong communications team (if you are lucky enough to have one), can optimize message timing and prevent subject matter fatigue.
Third-party suppliers
Third parties are often the back door friends of the company family. Contractors and vendors often have significant access to company systems and technology and are frequently essential to the completion of important projects or initiatives. Yet, compliance expectations, oversight and training of third parties often lag far behind that of employees.
Cybersecurity and compliance professionals, working with internal supply chain stakeholders, as well as legal, should share the responsibility of defining acceptable training, oversight, and accountability of third parties with systems access. This means going beyond contractual terms and conditions to ensure vendors and contractors are trained with the same standards employees, and failures and missteps are tracked and become an accepted component of evaluating third-party performance.
Supplier codes of conduct, which have proliferated as a result of ESG initiatives, are another potential vehicle for highlighting evolving cyber risk and compliance expectations.
Data sharing
As organizations continue to employ more sophisticated tools, growth often happens sporadically and in silos. HR systems, investigation databases and multiple GRC-related platforms are switched out or upgraded with increasing frequency. Often these systems are not integrated and sometimes can’t be. Most companies recognize sharing data from these sources across traditional governance functions offers expanded opportunities for trend spotting and potentially more reliable evidence to support (or disprove) anecdotally-based conclusions about potential risks. All of which makes the data more actionable overall.
Providing cyber leaders meaningful access to broader risk related data enhances their tool kit and allows for more effective risk mitigation and cyber resource planning and deployment.
2024 and beyond
As the cyber threat landscape intensifies and regulatory expectations increase, the partnership between cybersecurity and compliance leaders with be key to mitigating insider threats, protecting confidential information, and fortifying programs that can withstand governmental enforcement scrutiny.
Cyber and compliance professionals can (and should) play a joint role in breaking down silos, maximizing the use of available data and bringing key business stakeholders to consensus to ensure a nimble response to emergent issues and thoughtful cyber defense planning.
Top 10 Trends in Risk & Compliance
For many more insights and guidance, download the full eBook and access to the accompanying webinar featuring analysis and expert insights from Carrie Penman and Kristy Grant-Hart.
