Cyber security and regulatory compliance are becoming increasingly intertwined, which is forcing organizations to rethink how they manage corporate risk.
One of the effects of the trend, as potentially dangerous threats proliferate, is that collaboration between IT, security, and compliance is tighter than ever. That’s one of the findings of a recent study by market research provider IDG Research and Actiance, a provider of communications compliance, archiving, and analytics technologies.
As the report noted, organizations today are faced with an unprecedented volume and variety of information risks that have enterprise-wide impact. These include the increased frequency of data breaches carried out by advanced, targeted attacks; leaks of sensitive or high-value information from departing employees; aggressive sanctions from regulators over the lack of supervisory compliance controls; and business use of social media and messaging tools that are not under IT control.
“Unfortunately, organizational scale and complexity have forced some firms to continue to rely upon existing technologies, buying processes, and functionally-driven priorities that have plagued companies for the past 15 to 20 years and have resulted in solution overlap, IT redundancy, and ineffective risk management processes,” the study said.
But for some, this approach to risk management appears to be evolving toward a more holistic, collaborative model that incorporates the priorities of IT, security, and compliance stakeholders.
The study found that nearly all key technology stakeholders surveyed agree on the importance of cross-functional collaboration in managing risk, and the value of establishing common control processes. Organizations are increasingly moving toward a shared view of information risk.
That’s a sound move, considering that enterprises today are facing an unprecedented amount and variety of information risks that have organization-wide impact. These include increasingly sophisticated cyber security incidents, information leaks, aggressive regulatory sanctions, and a proliferation of communication channels outside the control of IT or security.
“IT, security, and compliance personnel are seeing more and more of these risks possessing corporate-wide impact, which has led to greater overlap in their duties in fighting these threats,” the report said.
As a result, a majority of the 150 IT, security, compliance, and other risk management professionals surveyed for the study highlighted the greater need for collaboration in the planning and execution of defense, monitoring, and recovery strategies.
The survey shows that these three stakeholders are increasingly aligned in several key areas:
- Top priorities. Managing the risk and impact of a data breach was ranked highest across all three functions, with the only exception being risk/compliance professionals who ranked the loss of sensitive customer information slightly higher.
- What’s working. Respondents across all the functions overwhelmingly said that clearly defined policies are an area that is working well today. Risk/compliance professionals differed from others in highlighting monitoring and alerting process controls as an area that is also working well.
- What’s not working. All of the functions, particularly cyber security, reported a lack of budget and sufficient resources to carry out their duties.
- Solution selection. Collaborating across functions in the evaluation and selection of risk management solutions appears to be a practice applied by the vast majority of respondents. Three quarters of the respondents report that their function collaborates with at least one of the other two departments in evaluating and selecting risk management solutions, whereas only 5% say their function alone is responsible for those tasks.
- Future collaboration priorities. All three functions highlight the definition of common control processes as a top priority for the future. Security respondents differ from others in highlighting the definition of business requirements for technology solution selection as a top priority.
In addition, across all functions, adding personnel is not seen as a solution. The addition of staff was mentioned the least as a strategy for managing risk moving forward, according to the report.
As the researchers concluded, the survey indicates that the views of information risk held by security and compliance stakeholders continue to converge. This is not unexpected, they said, given the organization-wide concern over data breaches and cyber security.
All stakeholders are prioritizing solutions that can reduce the probability of a bad event occurring over those that provide improved productivity or promises of cost reduction. Security and compliance continue to differ due to their functional responsibilities in managing data breaches and the potential loss of sensitive information. But the desire for common process controls and policies will continue to drive more organizations toward shared views of the information risks created by today’s business environment.
The study also highlighted the importance of collaboration, with IT playing a critical role in coordinating with both security and compliance stakeholders.