Collaborative Mindset Change from Compliance to Risk

Author: Karen MacDougall, CRISC, CCSP, CEH, CISSP, PCIP, Security+
Date published: 23 October 2023

In today’s world of rising geopolitical and privacy risk, we cannot afford to rely on compliance frameworks alone to ensure our organization’s safety or continued operation. Around the world, new regulations are surfacing to mitigate cybersecurity threats and avoid significant economic consequences. Organizations must move from a compliance-based focus to a risk-first approach so that they can align resources to implement these new rules effectively. Taking a risk-first attitude to meeting goals may avoid the financial or legal penalties that arise when attestation fails because of tighter budgets, untrained personnel and broken processes.

In an individual approach to change, mindset is key. For enterprises, this starts with leadership and extends to the rest of the organization. In this way, boards and the C-level understand the major threats facing their business and work with risk leaders to identify impacts to the bottom line and triage emerging risk. Audit teams can then measure the effectiveness of the cybersecurity controls put in place and report back to the board with recommendations that have the greatest impact on the organization’s security posture. IT teams, as the custodians of data and the support for the business, then have better measures by which to update procedures and processes to enhance cybersecurity controls.

However, this is only part of the problem. Third-party risk, often a subject of concern and outside regular purview, must also be addressed. Organizations often use contracts and policies as the stick by which to measure vendors’ adherence to their standards, but they should also look to external compliance audits such as System and Organization Controls (SOC) 2, the Payment Card Industry Data Security Standard (PCI DSS) and the International Organization for Standardization (ISO) standard 27001 for continual assessment. In this way, they combine the efforts of independent attestations with their own standards as they respond to new risk, for example new technologies, changes in personnel and updates to controls to meet industry standards.

Bringing together the ecosystem of individuals representing leadership, risk, audit, IT, compliance and vendor management builds a stronger cyberdefense for an organization, creating synergy, which is “the combined effect of individuals in collaboration that exceeds the sum of their individual effects.” Each team enhances the value of the others as they work toward the shared objective of protecting and defending the organization from rising geopolitical and privacy risk with severe financial and systemic impacts. It is time for organizations to change their mindset from checking boxes to embracing continuous collaboration to reduce residual risk and better prepare for today’s and tomorrow’s threats.

Editor’s note: For further insights on this topic, read Karen MacDougall’s recent Journal article, “Avoiding a Compliance-First Mindset and Choosing a Risk-First Attitude,” ISACA Journal, volume 5, 2023.
