    Complying With Modern-Day Cybersecurity Governance

    Joseph Dalessandro, Head of Security, Technology Audit & Audit Data Analytics, Australian Unity


    The ongoing problem that boards of directors in most organisations face today is how to judge cybersecurity governance and compliance. At a simplistic level, judgement implies prediction. To boards, the balancing act between spending on risk, controls effectiveness and assurance seems elusive for cybersecurity compared with other disciplines such as finance, where evidence-based decision-making is more traditional. Is it possible for an organisation to get its arms around the domains of security in a meaningful way, both to ease board discomfort and to provide assurance (or reassurance) of cybersecurity compliance? The answer is ‘yes’.

    Boards of directors, particularly those of regulated entities and banks, are habituated to receiving compliance reporting as part of their organisational reporting and decision-making data. Interestingly, in the area of IT, the compliance and controls-effectiveness testing undertaken for financial audits was the first point of contact for many boards, given the potential impact of IT failures on financial reporting obligations. With the rise in cybercrime and the success of many criminal enterprises in mainstreaming their focus on areas such as phishing, ransomware and mass-market fraud, boards and executives have almost daily reminders of the financial, organisational and reputational risk presented by cybersecurity. Yet, as cybersecurity is different from IT, boards are now calling for cybersecurity to be reported differently from IT. Boards and board sub-committees now routinely hold meetings dedicated to reporting on cybersecurity risk, controls, events, and governance. An Osterman Research survey commissioned by Bay Dynamics notes that “the majority (85 percent) of board members believe that IT and security executives need to improve the way they report to the board.” The Osterman report goes on to note the most important reporting points from its research, which indicate what boards and executives want:

    • Reports in understandable language that does not require board members to be cyber experts.

    • Quantitative information about cyber risks.

    • Progress that has been and is being made to address the company’s cyber risk.

    Why is cybersecurity struggling to report on these points and to represent a holistic picture of compliance? While there are several reasons for this, I would like to explore two main points: regulations and tools.


    From a regulatory perspective, organisations have a number of standards to consider for cybersecurity. But what does that mean? What are cybersecurity compliance standards? Cybersecurity compliance standards, unlike other industry standards, have developed over time with different levels of detail, requirements, and goals to judge or assess the same areas. These include the Payment Card Industry Data Security Standard (PCI-DSS), which is a global standard and an obligation for merchants accepting payment cards; in the financial industry in Australia, the Australian Prudential Regulatory Authority’s (APRA) Prudential Standard CPS 234 – Information Security, which is an obligation for organisations licensed by APRA; and in the United States the National Institute of Standards (NIST) Cybersecurity Framework, which is not an obligation but voluntary guidance. Each of these standards will have requirements for technical or configuration change management, but each will demand different evidence to demonstrate compliance with the standard. Complying with standards, and documenting that compliance, is not a capability that IT or cybersecurity has built into business as usual (BAU) operations. This is the first point of change: a CIO needs to draw on peer resources in Audit, Risk, Legal and Compliance to develop a technical and cyber risk team and a methodology for approaching cyber risk assessments and analysis.

    Assessments and analysis are the cornerstones of a compliance program. As there is not one cybersecurity compliance standard to “rule them all”, there can be, even for a smaller multinational, several compliance standards, each demanding a different level of documentation to demonstrate compliance. This is where developing capabilities in IT and cybersecurity for quantitative risk assessment and analysis is essential.

    Tools such as the FAIR model can help: cyber risk is derived as a quantitative measure, in dollars, of the probable frequency and probable magnitude of a future loss. This quant-based derivation will make sense to the board and to the CIO’s peers in risk management, finance, and even portfolio risk. From a tools perspective, organisations are currently all over the map. Some organisations have a GRC system but have not used that tool for cybersecurity compliance, and now they are trying to refit that tool to document cybersecurity compliance. But there can be a hefty price tag for this work. Unless one understands what the goal is, they may spend that money more than once putting in and refitting a GRC solution.
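The FAIR-style derivation above (probable frequency times probable magnitude, expressed in dollars) is easier to explain to a board when it is shown as a distribution rather than a single number. The following is an added example, not code from the article or from the FAIR standard: it takes calibrated min / most-likely / max estimates for loss event frequency and loss magnitude (constructed illustrative values), computes the analytical point estimate, and runs a Monte Carlo simulation to produce the mean annualised loss and tail percentiles that a risk committee would typically ask for. The scenario, the triangular calibration and the seed are all assumptions for illustration.

```python
import math
import random
import statistics

# Constructed illustrative inputs (not from the article): a phishing-led
# account-takeover scenario, calibrated as triangular (min, most likely, max)
# estimates for loss event frequency (events per year) and loss magnitude
# (dollars per event).
FREQUENCY_EST = (0.5, 2.0, 6.0)
MAGNITUDE_EST = (10_000.0, 50_000.0, 400_000.0)


def triangular_mean(est):
    """Analytical mean of a triangular(min, mode, max) distribution."""
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def annualised_loss_point_estimate(freq_est=FREQUENCY_EST, mag_est=MAGNITUDE_EST):
    """FAIR-style point estimate: probable frequency x probable magnitude."""
    return triangular_mean(freq_est) * triangular_mean(mag_est)


def _poisson(rng, lam):
    """Knuth's algorithm: Poisson-distributed event count with rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_losses(freq_est=FREQUENCY_EST, mag_est=MAGNITUDE_EST,
                           years=20_000, seed=2024):
    """Monte Carlo: for each simulated year draw an event rate, then a Poisson
    number of events at that rate, then a loss magnitude for each event."""
    rng = random.Random(seed)  # fixed seed so the simulation is repeatable
    f_lo, f_mode, f_hi = freq_est
    m_lo, m_mode, m_hi = mag_est
    losses = []
    for _ in range(years):
        rate = rng.triangular(f_lo, f_hi, f_mode)   # random.triangular(low, high, mode)
        events = _poisson(rng, rate)
        total = sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events))
        losses.append(total)
    return losses


def percentile(values, pct):
    """Nearest-rank percentile over a list of values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarise(losses):
    """Board-ready summary: mean (annualised loss expectancy) and tail percentiles."""
    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "max": max(losses),
    }


if __name__ == "__main__":
    result = summarise(simulate_annual_losses())
    print(f"Point estimate ALE: {annualised_loss_point_estimate():,.0f}")
    for key, value in result.items():
        print(f"{key:>5}: {value:,.0f}")
```

The mean of the simulation converges on the analytical point estimate, which is a useful sanity check on the model; the p90 and p95 figures are what answer the board's real question, "how bad is a bad year", and they are what a control investment is expected to move.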

    For instance, one organisation uses more than 50 spreadsheets for PCI-DSS across multiple entities, has two GRC systems, and is still struggling to report cybersecurity compliance. From a tools perspective, one should start with a solid understanding from the legal department of exactly which standards must be complied with and by when. Once that understanding is validated, a solid mapping of the standards is needed so that duplication and gaps can be determined. There are a number of good free mappings available from the Center for Internet Security (CIS), the Payment Card Industry (PCI), the Cloud Security Alliance (CSA) and NIST, and there are of course non-free mappings.
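The mapping exercise the article describes, relating each internal control to the requirements it evidences across several standards so that gaps and duplication fall out, can be kept as a small data structure rather than 50 spreadsheets. This is an added example, not code or data from the article or from any published CIS, PCI, CSA or NIST mapping; the requirement identifiers are constructed placeholders, not real clause numbers, and the control names are assumptions.

```python
from collections import defaultdict

# Constructed example data (not a real mapping). Requirement ids are
# placeholders, not actual clause numbers of PCI DSS, CPS 234 or the NIST CSF.
STANDARDS = {
    "PCI DSS": {
        "PCI-REQ-A": "Formal change control for in-scope system components",
        "PCI-REQ-B": "Quarterly vulnerability scanning",
        "PCI-REQ-C": "Retention of audit logs",
    },
    "CPS 234": {
        "CPS-REQ-A": "Change management for information assets",
        "CPS-REQ-B": "Testing of information security controls",
        "CPS-REQ-C": "Notification of material incidents to the regulator",
    },
    "NIST CSF": {
        "CSF-REQ-A": "Configuration change control process",
        "CSF-REQ-B": "Vulnerability scans performed",
    },
}

# Internal control -> requirement ids its evidence satisfies (hypothetical controls).
CONTROL_MAP = {
    "CTRL-CHG-01": {"PCI-REQ-A", "CPS-REQ-A", "CSF-REQ-A"},  # one process, three standards
    "CTRL-VM-01": {"PCI-REQ-B", "CSF-REQ-B"},
    "CTRL-VM-02": {"PCI-REQ-B"},                              # second scanner evidencing the same thing
    "CTRL-LOG-01": {"PCI-REQ-C"},
}


def all_requirements(standards):
    """Flatten to {requirement id: standard name}."""
    return {req: std for std, reqs in standards.items() for req in reqs}


def find_gaps(standards, control_map):
    """Requirements that no control evidences, grouped by standard."""
    covered = set().union(*control_map.values())
    gaps = defaultdict(list)
    for req, std in all_requirements(standards).items():
        if req not in covered:
            gaps[std].append(req)
    return {std: sorted(reqs) for std, reqs in gaps.items()}


def find_duplicates(control_map):
    """Requirements evidenced by more than one control: candidate redundant assessment work."""
    owners = defaultdict(set)
    for ctrl, reqs in control_map.items():
        for req in reqs:
            owners[req].add(ctrl)
    return {req: sorted(ctrls) for req, ctrls in owners.items() if len(ctrls) > 1}


def find_shared_controls(standards, control_map):
    """Controls whose evidence satisfies two or more standards: assess once, reuse the evidence."""
    req_to_std = all_requirements(standards)
    shared = {}
    for ctrl, reqs in control_map.items():
        stds = sorted({req_to_std[r] for r in reqs if r in req_to_std})
        if len(stds) > 1:
            shared[ctrl] = stds
    return shared


def find_dangling(standards, control_map):
    """Requirement ids referenced by a control but absent from every standard (stale mapping)."""
    known = all_requirements(standards)
    return sorted({r for reqs in control_map.values() for r in reqs if r not in known})


def coverage_ratio(standards, control_map):
    """Fraction of all requirements that at least one control evidences."""
    total = len(all_requirements(standards))
    gap_count = sum(len(v) for v in find_gaps(standards, control_map).values())
    return (total - gap_count) / total


if __name__ == "__main__":
    print("Gaps:      ", find_gaps(STANDARDS, CONTROL_MAP))
    print("Duplicates:", find_duplicates(CONTROL_MAP))
    print("Shared:    ", find_shared_controls(STANDARDS, CONTROL_MAP))
    print("Dangling:  ", find_dangling(STANDARDS, CONTROL_MAP))
    print(f"Coverage:   {coverage_ratio(STANDARDS, CONTROL_MAP):.0%}")
```

Keeping the requirement text beside each id means the same structure can be exported straight into whichever GRC system the organisation settles on, and the "shared controls" view is the argument for assessing a control once and reusing the evidence across standards instead of repeating the work per standard.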

    Initially, it will be messy, unfamiliar, and seem incorrect and incomplete, but once done with a sustainable, methodical approach, it will improve quickly. Assessments are not a “one-and-done” effort but should be a sustainable process. The CIO does need to lead the way. Without their support, the effort will be doomed, and the organisation will continue to miss the mark both in reporting on its holistic security posture and in showing how it complies with its obligations.

    Cybersecurity compliance and improved reporting are attainable. With deliberate commitment to measuring compliance comes the ability to reduce risks and demonstrate the need for increased resources.
    Copyright © 2025 APAC CIOOutlook. All rights reserved.

    Source: https://cyber-security.apacciooutlook.com/cxoinsights/complying-with-modernday-cybersecurity-governance-nwid-7504.html