Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Kayne McGladrey of Hyperproof offers a deep dive into managing risk and compliance through an economic recession.
It’s no surprise that security and compliance professionals are concerned about the effects a potential recession may have on their budgets. Cyber incidents and business interruptions have been the top two worldwide corporate risk concerns for two years running, according to Allianz, and the World Economic Forum recently ranked cybersecurity as the fifth top risk worldwide in 2023. Yet over 66,000 tech jobs were cut in the first two months of 2023 due to recessionary factors, and over half of organizations struggle to identify where their critical risks lie in order to decide which remediations to prioritize. The risk of paying fines and penalties is increasing as the FTC, SEC, NYDFS, and other regulatory agencies lean into enforcement rather than sanctions.
Let’s examine an end-to-end process that organizations can use annually to evaluate which controls are effectively reducing risks, and which controls could be removed or replaced to create budgetary efficiencies.
The Current State of Risk and Compliance Operations
Today, compliance teams spend an inordinate amount of time and effort manually chasing security teams for evidence of control operation and effectiveness. This organizational behavior is caused primarily by misaligned financial and behavioral incentives, complicated by the sheer amount of work performed by both compliance and security teams. An underlying reason is that security control operators are incentivized to keep the business and related customer data secure. Being nice or effectively communicating with the compliance team is not a managed behavior or a goal that appears on annual performance reviews for the security team.
By comparison, the compliance team has the goal of maintaining and attesting to the compliance of the organization in the face of a potentially sprawling number of contractual, legal, and regulatory requirements, many of which carry consequences for non-compliance. The compliance team is often dependent on the security team for evidence of compliance, and, similar to the security team’s annual performance review forms, effective and friendly inter-departmental communications aren’t measured goals. This has led to the current and unfortunate perspective that the security team sees the compliance team as a nuisance that distracts or prevents them from doing their job. This can be particularly pronounced when an organization is undergoing an external audit or an investigation, which is already stressful for a compliance team.
Additionally, while many companies have formalized their commitment to risk management, they’re not measuring the effectiveness of the controls in mitigating risks. In today’s difficult economic climate, an inability to measure the control effectiveness makes it challenging to justify which controls are worth the cost or effort. This is not the fault of cybersecurity vendors, either. While many cybersecurity vendors care about an organization using their solution, this interest is primarily driven by the commercial concern of Net Revenue Retention (NRR), not how effectively their solution reduces the unique risks faced by the organization.
4 Easy Steps to Determine Which Controls Are Effectively Mitigating Risks and Identify Outliers
Step 1: Conduct a Gap Analysis
Like many projects in security and compliance, the first activity is to conduct a gap analysis. In this case, organizations begin by mapping their existing controls to their documented risks. In this analysis, every control should have one or more linked risks. Any control that does not initially appear to map to a risk should be set aside for further analysis, which we’ll describe in detail later in this article. During this initial step, organizations should also avoid estimating control effectiveness – rather, this is about building a consolidated inventory of controls and their related risks.
Step 2: Automate Evidence Collection
The next step is to automate as much evidence collection as feasible. While this may not seem like an obvious action at first — after all, the organization hasn’t yet determined how effective a control is at mitigating a risk — the act of trying to automate evidence collection, and the resulting evidence, often informs future conversations about the effectiveness of a given control. This also isn’t fancy; the automation usually involves copying files or using an API call to collect data. Ideally, all of the evidence is stored in a centralized location, and the automation notifies the compliance team of each new piece of evidence, whether by email, a ticketing system, or some other channel.
This is also an opportunity for the compliance team to build a bridge and partnership with the security team. While the security team will probably need to help set up the script, API call, or similar automation, if done well, this is a set-it-and-forget-it arrangement. Once evidence of a control’s operation is automated, the security team won’t be bothered for evidence again by the compliance team. This reduces organizational friction and allows the security team to focus on their remit, which is securing the company. Bolstered by this, the security team may be very amenable to helping to set up more automations, as it means less busywork for them in the future.
Step 3: Automate Control Testing
Although it’s tempting at this point to assess how effective each control is at mitigating the linked risks, the next step is instead to automate testing of control effectiveness as much as possible. These are simple rules. For example, if the vulnerability scanner failed to run last week, the automation should notify a human on the compliance team, assuming that a policy requirement or similar mandates that the vulnerability scanner be run weekly. Similarly, if a piece of evidence was expected from a control but never arrives, the compliance team should be notified. The goal is that when a test fails, an issue is identified and logged by the compliance team and tracked to resolution, preferably in an existing ticketing system that the IT or security team already uses.
Not all controls support automated testing, however. For example, consider a control that requires senior management to demonstrate a commitment to security, where that commitment is measured by their having signed one or more policy documents within a defined timeframe. The evidence collection — copying the latest signed files from one location to another — should be automated or scripted, and a notification should be sent to a compliance analyst to review the files. All that’s required is for the analyst to evaluate who signed each document, and whether they have adequate organizational authority to demonstrate that commitment.
Step 4: Estimating Control Effectiveness at Mitigating Risks
Now that the organization has linked controls to risks and is automatically collecting and evaluating as much evidence of control effectiveness as feasible, it’s possible to apply some simple rules to estimate how effective each control is at mitigating its linked risks. First, the organization needs to determine whether a control is healthy. A control is healthy if it has regularly updated evidence showing that the control is effective.
A control is unhealthy if:
- It has evidence that isn’t regularly updated despite requirements
- It has evidence that regularly fails one or more tests
- It has no evidence and cannot be tested (in this instance, the control might not exist)
The organization can then estimate the percentages of risk mitigation based on each control’s health. This includes risks that have only a single mitigating control, and risks that have multiple controls. If the organization already has a recent internal risk assessment or similar instrument, this data can be reused. One rule of thumb: a healthy control reduces more risk than an unhealthy control.
The next step is nuanced: the compliance team should gently approach each control owner to get the control owner’s professional opinion on how effective each control is at mitigating a risk. Having evidence about the control’s health (or lack of health) makes this about facts, not opinions. The goal is that each control operator can provide additional context that may increase or decrease the effectiveness of each control at mitigating a risk, with the usual rules that not all controls will mitigate 100 percent of a risk, and not all risks will be reduced to 0 percent probability or impact.
Evaluating Outlying Controls for Possible Budgetary Efficiencies
Following the process above allows the compliance team to develop three lists of controls for additional scrutiny and possible cost reductions:
- Controls that are regularly unhealthy
- Controls that mitigate less than 20 percent of a risk and are one of several controls mitigating that risk
- Controls that aren’t associated with any documented risk
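The health rules from Step 4 and the three lists above are mechanical enough to script against a control inventory. The following is an added example, not code from the article or from Hyperproof: the control inventory, the vendor names, the 50 percent test-failure threshold used to decide that a control "regularly fails", and the half credit given to unhealthy controls when estimating residual risk are all assumptions made for the illustration. It also carries the Step 3 rules (stale evidence, evidence that never arrives) into the same classifier, since those are what make a control unhealthy.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumptions (not from the article): a control "regularly fails" when at least
# half of its recent test runs failed, and an unhealthy control is credited with
# only half of its nominal mitigation when residual risk is estimated.
FAIL_RATE_THRESHOLD = 0.5
UNHEALTHY_DISCOUNT = 0.5
MINOR_CONTRIBUTION = 0.20      # the article's "less than 20 percent of a risk"
TODAY = date(2023, 3, 24)      # fixed so the worked example is deterministic


@dataclass
class Control:
    control_id: str
    name: str
    vendor: str | None            # commercial solution behind the control, if any
    cadence_days: int | None      # required evidence refresh interval; None = cannot be tested
    evidence_dates: list[date] = field(default_factory=list)    # arrival date of each piece of evidence
    test_results: list[bool] = field(default_factory=list)      # automated test outcomes, True = pass
    mitigation: dict[str, float] = field(default_factory=dict)  # risk_id -> fraction of that risk mitigated


def control_health(c: Control, today: date = TODAY) -> tuple[str, str]:
    """Classify one control as 'healthy' or 'unhealthy' using the article's three rules."""
    # Rule 3: no evidence and nothing to test -- the control may not exist at all.
    if c.cadence_days is None and not c.evidence_dates:
        return "unhealthy", "no evidence and cannot be tested (control may not exist)"
    # Rule 1: evidence is required on a cadence but is missing or stale (Step 3's scanner case).
    if c.cadence_days is not None:
        if not c.evidence_dates:
            return "unhealthy", "expected evidence has never arrived"
        age = (today - max(c.evidence_dates)).days
        if age > c.cadence_days:
            return "unhealthy", f"evidence is {age} days old; required every {c.cadence_days} days"
    # Rule 2: evidence arrives but the automated tests keep failing.
    if c.test_results:
        fail_rate = c.test_results.count(False) / len(c.test_results)
        if fail_rate >= FAIL_RATE_THRESHOLD:
            return "unhealthy", f"{fail_rate:.0%} of recent automated tests failed"
    return "healthy", "evidence is current and tests pass"


def outlier_lists(controls: list[Control], today: date = TODAY) -> dict[str, list[str]]:
    """Build the three lists the article flags for budget scrutiny."""
    health = {c.control_id: control_health(c, today)[0] for c in controls}
    controls_per_risk: dict[str, int] = defaultdict(int)
    for c in controls:
        for risk_id in c.mitigation:
            controls_per_risk[risk_id] += 1
    return {
        "unhealthy": [cid for cid, h in health.items() if h == "unhealthy"],
        "minor_contributor": [
            c.control_id for c in controls
            if any(frac < MINOR_CONTRIBUTION and controls_per_risk[r] > 1
                   for r, frac in c.mitigation.items())
        ],
        "unmapped": [c.control_id for c in controls if not c.mitigation],
    }


def residual_risk(controls: list[Control], today: date = TODAY) -> dict[str, float]:
    """Fraction of each risk left unmitigated: healthy controls count in full, unhealthy
    ones are discounted, and controls on the same risk are combined as independent reductions."""
    remaining: dict[str, float] = defaultdict(lambda: 1.0)
    for c in controls:
        status, _ = control_health(c, today)
        credit = 1.0 if status == "healthy" else UNHEALTHY_DISCOUNT
        for risk_id, frac in c.mitigation.items():
            remaining[risk_id] *= 1.0 - frac * credit
    return dict(remaining)


def sample_inventory() -> list[Control]:
    """Constructed sample inventory; control names and vendors are placeholders, not real products."""
    def d(days_ago: int) -> date:
        return TODAY - timedelta(days=days_ago)
    return [
        Control("C-01", "Weekly vulnerability scan", "ExampleScanVendor", 7,
                [d(19), d(12)], [True, True], {"R-01": 0.6}),          # scan did not run last week
        Control("C-02", "MFA on all workforce accounts", "ExampleIdPVendor", 30,
                [d(35), d(5)], [True, True, True, True], {"R-02": 0.8}),
        Control("C-03", "Quarterly phishing awareness training", None, 90,
                [d(20)], [True, True], {"R-02": 0.1}),                 # minor contributor to R-02
        Control("C-04", "Legacy fax handling procedure", None, None),   # no evidence, no risk, untestable
        Control("C-05", "Annual policy sign-off by senior management", None, 365,
                [d(100)], [True, False, False, False], {"R-01": 0.1}),  # keeps failing its test
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for c in inventory:
        status, reason = control_health(c)
        print(f"{c.control_id} {c.name:44s} {status:9s} {reason}")
    print(outlier_lists(inventory))
    print({r: round(v, 3) for r, v in residual_risk(inventory).items()})
```

Running it lists C-01, C-04 and C-05 as unhealthy, C-03 and C-05 as minor contributors to a risk that other controls already cover, and C-04 as mapped to no documented risk; C-01 and C-02 are the commercial controls whose health would go into a vendor renewal conversation. The residual-risk figures are only as good as the discount and the independence assumption, so treat them as the starting point for the control-owner conversations the next step describes, not as a final answer.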
Controls on the first two lists that are based on commercial solutions give the organization leverage in renewal negotiations with vendors. If a vendor cannot help to improve the effectiveness or health of their control, the organization should consider removing it from the environment and replacing it, either by strengthening another control or by deploying an alternative control. If a vendor disagrees with the mapping of their solution to the control and its associated risk, consider whether the solution is being used appropriately. For example, a multifactor authentication solution would be a good fit for reducing the risk of account takeover, but a poor fit for detecting data exfiltration.
For those internal controls that appear on the first two lists of controls but do not use a technology solution, the compliance team should partner with the control operators to determine the root cause. Often, it will be training or staffing, though it can be another, less-obvious factor, such as a lack of awareness of the control.
Controls that appear on the third list, which aren’t associated with any documented risk, should be carefully scrutinized for their point of origin. Often, the source of the control may be a current or former commercial contract, regulatory requirement, or local legal requirement. However, if there’s still no evidence that the control is needed, the Chief Compliance Officer should be willing to sign off on the removal of the control, which can produce immediate savings of time and resources.
Finding Additional Efficiencies
Organizations should plan on conducting the assessment process described above on an annual basis at a minimum of three months before the organization’s budgetary cycle starts. This way, any control gap issues can be identified and incorporated into the budgetary planning process. Similarly, cost savings associated with not renewing solutions from vendors that cannot improve the health of their controls can be added back into the budget.
Organizations should repurpose this control assessment in conversations with their cyber insurance brokers as well. Having a clear perspective of how much residual risk is based on both control effectiveness and control health may drive different choices, including self-insurance against those risks that no longer exceed the organization’s risk tolerance based on healthy internal controls. This disciplined look at control effectiveness should drive cost savings and reductions in cyber insurance premiums.
Finally, companies should plan on reusing the evidence collected automatically when preparing for their internal and external audits. As the evidence is always up to date and being tested regularly, the organization’s confidence that sampling will only uncover minor issues goes up. This reuse of evidence also makes preparing for audits more efficient and less time-consuming.
This end-to-end annual process gives organizations the confidence to lean into the controls that are effective and remediate or remove those controls that are ineffective at their price points. As CISOs and compliance officers are asked to find ways to do more with the same level of resources, a commitment to finding and removing ineffective or unhealthy controls is valuable throughout a company’s growth, not just during a recession.
- Managing Risk and Compliance Through a Recession - March 24, 2023