Evolving InfoSec Program from a Manual Cost to a Managed Strategy

Scott McCormick
Reciprocity
Jan 9, 2020


Consider two Chief Information Security Officers: both are at mid-sized companies, contending with finite resources and evolving corporate security needs, while grappling with emerging threats that could incapacitate the business. Both lead understaffed teams; they meet day-to-day demands, but are approaching a crossroads and must decide how to scale.

One CISO embraces digital transformation and starts evaluating information security GRC software to adopt within the next quarter. This CISO strives to automate risk and compliance tasks that are time-consuming, tedious, and repetitive, and to build a centralized system of record that replaces the current folder system. This CISO knows that the current ad hoc practices won’t be sustainable long-term and suspects they won’t withstand increasing regulatory scrutiny.

The other CISO is reluctant to change, because implementing new technology often consumes time and budget the team doesn’t have. This CISO feels under fire because the department is a cost center, not a revenue generator, so the team tries to operate as lean as possible. Their spreadsheets and folder system have been sufficient so far, so this CISO elects to stay with the status quo and postpone digital transformation until next year.

How can a business achieve governance, risk, and compliance objectives with conflicting priorities and constrained resources?

Introducing an InfoSec GRC Software-as-a-Service (SaaS) Solution

The CISO who decided to implement an InfoSec GRC software solution knows the organization must be able to adapt to evolving requirements and complexity. This CISO advocates for a platform that can be deployed quickly and adapt to their existing control processes. Because the new platform will reduce the time the team has been spending on tedious manual tasks, the CISO estimates that the software investment will be more cost-effective than the current approach. Moreover, in an era of continual data breaches, investing in cybersecurity may help build customers’ trust and enable the business to distinguish itself from competitors that haven’t invested in modernizing their management approach.

The solution the CISO selects integrates easily with some of the existing applications the team uses for ticketing, vulnerability management, and collaboration. In addition, the reporting features will improve C-suite and board-level visibility without adding to the team’s burden. Harmonizing these interdependencies throughout the company and enhancing transparency — both for the Board, in its oversight role, and for customers who want to understand how their information is protected — better demonstrates the company’s emphasis on data security and management.

The CISO successfully conveys to the executive team that, with these improvements, the InfoSec program reflects the company’s own value proposition; it’s not just about what the company does, but also how it does it, and what that means for its customers.

Digital Transformation in Progress

When we check back in with the CISO who opted out of a technology solution, the team has been challenged to keep up with the growing business. Its larger presence means greater risk exposure: more employees, more vendors, more customers, more accounts. The existing method will eventually require the team to hire more full-time staff to keep pace with the increasing workload. In addition, the new business applications used across the company have added significant complexity to evidence collection. Now audits take even longer, and the CISO is concerned about the cost of completing a SOC 2 audit.

Meanwhile, at the business whose CISO adopted GRC software, the team is beginning to realize value from the automation. A better-managed workflow streamlines audit assessments, and a centralized system makes it easier to map controls to compliance frameworks. They’ve been able to identify gaps and find overlaps, which has reduced redundancy across programs. In addition, the team has an easier time disseminating information and status updates, and reports improved collaboration. With the hours saved for each team member, the CISO is able to accomplish more with the same team.

These factors are developing into performance benefits: the business is more informed, with better visibility and more timely data. This translates to a more agile and prepared security organization; with faster and more accurate response time, the CISO is better positioned to detect, respond to, and prevent risks.

In addition, leaders throughout the organization have benefited from the improved visibility into the organization’s risk and compliance posture. Now the CISO is able to present a more holistic security strategy to the Board and provide up-to-date information on the organization’s overall risk profile. The CISO no longer feels confined to the IT department.

Looking Forward

The return on investment is already clear to the CISO who adopted GRC software. The CISO anticipates future gains, as well — particularly in how the improved program aligns with business operations and long-term strategy.

As hoped, the staff is spending much less time on mundane and time-consuming tasks. In addition to the savings in labor costs, the automated approach improves data quality by reducing opportunities for human error. Yet, across the organization, the foremost benefit is insight into risk — and the risk reduction that flows from it. The spreadsheets previously used didn’t provide sufficient visibility into risk, but the GRC software organizes information in a way that makes it usable. Heat maps present data on risk exposure, probability, and potential impact, and show how they relate to the organization’s risk profile. This risk visibility and streamlined reporting were difficult for staff to picture in advance, but now that they have experienced it, they don’t want to go back.

Because the software enables GRC staff to design controls that match compliance needs, the organization is able to reduce process and transaction costs. Not only has the business avoided significant fines and the costs of responding to additional incidents, but it is also able to negotiate better insurance rates. And, because the software is scalable, the organization is equipped to respond to business opportunities without project-specific InfoSec expenditures.

With these benefits developing, InfoSec is increasingly perceived as a strategic partner within the organization. Particularly as customers and suppliers interact with a streamlined and secure GRC program, they raise their expectations. How the business interacts with its partners becomes a part of that business’s value proposition to its own customers — they are buying not only the good or service, but also security in the transaction.

It is these benefits, evolving over time, that are near-impossible for the “status quo” CISO to duplicate. The business that embraced a modern solution gained an early-mover advantage. Through automation and security, the CISO who adopted the software solution positioned their company to differentiate itself from competitors.

Smart investments are the deciding factor that can transform perceptions of a GRC program from a cost center into a competitive advantage.


Continue the conversation with author Scott McCormick on ZenGage, the only global peer-to-peer Slack community for people in Information Security GRC.

Share your thoughts, ask questions and engage in discussion directly on Slack. Join over 300 InfoSec GRC Professionals on ZenGage for free!

Join Scott McCormick on February 5th at 1:00 p.m. PT for a LIVE #AMA about how to select and integrate a modern InfoSec GRC strategy.
