Risk and Compliance Governance
For a long time considered as a purely technical domain, we have been observing, for a few years now, a paradigm shift in cybersecurity management. In a context of exploding cyber risk3, increased digitalization and new challenges imposed by the Covid19 crisis (telecommuting), we are moving from an operational management to a much more strategic approach. The World Economic Forum 2022 confirms this shift in its annual Global Risks report4 by including cybersecurity breaches in the “Top 10” strategic risks for the next 5 years.
This trend is supported by the passing of new regulations: RGPD (Europe), Bill 25 (Quebec), federal bill C-26 (Canada), agreement on the application of the RGPD by American companies (US). These new texts now expressly mention the responsibility of the heads of organizations in terms of data protection and, consequently, their necessary commitment to the protection of information systems in general
Finally, the interconnection with external information systems (service providers, customers) and the new laws mentioned above are also changing the responsibilities between organizations and their third parties. Insurance, service providers, cloud computing, recent regulations largely call into question (for personal data management in particular), the notion of transferring responsibility to a third party (service providers, insurer, etc.). This aspect can only be managed at the strategic level of the company, the only one capable of having a vision of the entire organization and its environment.
Cybersecurity must now be managed at the highest level of the company, with a 3- or 5-year vision, and permanent monitoring.
This is the challenge of GRC (Risk Governance and Compliance). This area of cybersecurity is often neglected or even unknown and is sometimes associated with the legal department. Without being a mistake, it seems essential today that this area be considered, in whole or in part, by IT managers who will report directly to an executive level of the organization.
GRC brings together all the policies and provisions necessary to frame and guide cybersecurity management in a formalized and documented manner. Information security policies, risk analysis, regular assessments of the security posture, identification of security solution needs, strategic planning (business continuity, incident management), compliance, GRC is a structuring subject that allows managers to establish a roadmap (including a budget) over several years, to implement an information security management framework that includes all departments of the organization and to prove its involvement in the field (in front of investors, insurers and customers).
According to the results of cybersecurity assessments (NIST, CIS SCS), while GRC is well integrated by large companies, it is still neglected in many small and medium-sized companies, as it is not considered from a value creation point of view.
However, given the cost of computer attacks, GRC allows companies to limit the risks by working at a lower cost, on their organization and their preparation, which are imperative complements to technical solutions.
An investment essentially in time and services, GRC presents an extremely interesting “return on investment” ratio regarding its effectiveness in the face of the reputational cost of an attack. Indeed, we don’t blame an organization for suffering a cyber attack, but in 2022, we no longer forgive it for not being prepared.
Arnaud Tésorière – Team Lead Governance