    Complying With Modern-Day Cybersecurity Governance

    Joseph Dalessandro, Head of Security, Technology Audit & Audit Data Analytics, Australian Unity


    The ongoing problem that boards of directors in most organisations face today is how to judge cybersecurity governance and compliance. At a simplistic level, judgement implies prediction. To boards, the balancing act between spending on risk, controls effectiveness and assurance seems elusive for cybersecurity compared with other disciplines such as finance, where evidence-based decision-making is more traditional. Is it possible for an organisation to get its arms around the domains of security in a meaningful way that both eases board discomfort and provides assurance (or reassurance) of cybersecurity compliance? The answer is ‘yes’.

    Boards of directors, particularly those of regulated entities and banks, are habituated to receiving compliance reporting as part of their organisational reporting and decision-making data. Interestingly, in the area of IT, the compliance and controls-effectiveness testing undertaken for financial audits was the first point of contact for many boards, given the potential impact of IT failures on financial reporting obligations. With the rise in cybercrime and the success of many criminal enterprises in mainstreaming their focus on areas such as phishing, ransomware and mass-market fraud, boards and executives have almost daily reminders of the financial, organisational and reputational risk presented by cybersecurity. Yet, as cybersecurity is different from IT, boards are now calling for cybersecurity to be reported differently from IT. Boards and board sub-committees now routinely hold meetings dedicated to reporting on cybersecurity risk, controls, events and governance. An Osterman Research survey commissioned by Bay Dynamics notes that “the majority (85 percent) of board members believe that IT and security executives need to improve the way they report to the board.” The Osterman report goes on to note the most important reporting points from its research, which indicate what boards and executives want:

    • Reports in understandable language that does not require board members to be cyber experts.

    • Quantitative information about cyber risks.

    • Progress that has been and is being made to address the company’s cyber risk.

    Why is cybersecurity struggling to report on these points and to represent a holistic picture of compliance? While there are several reasons for this, I would like to explore two main points: regulations and tools.

    From a regulatory perspective, organisations have a number of standards to consider for cybersecurity. But what does that mean? What are cybersecurity compliance standards? Cybersecurity compliance standards, unlike other industry standards, have developed over time with different levels of detail, requirements and goals for judging or assessing the same areas. They include the Payment Card Industry Data Security Standard (PCI-DSS), a global standard and an obligation for merchants accepting payment cards; in the Australian financial industry, the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 234 – Information Security, an obligation for organisations licensed by APRA; and in the United States the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is not an obligation but voluntary guidance. Each of these standards has requirements for technical or configuration change management, but each demands different evidence to demonstrate compliance with the standard. Complying with standards, and documenting that compliance, is not a capability that IT or cybersecurity has built into business-as-usual (BAU) operations. This is the first point of change: a CIO needs to draw on peer resources in Audit, Risk, Legal and Compliance to develop a technical and cyber risk team and a methodology for approaching cyber risk assessments and analysis.

    Assessments and analysis are the cornerstones of a compliance program. As there is not one cybersecurity compliance standard to “rule them all”, there can be, for even a smaller multi-national, several compliance standards that all demand a differing level of requirement to document and demonstrate compliance. This is where developing capabilities in IT and cybersecurity for quantitative risk assessment and analysis is essential.

    Tools such as the FAIR model can help here: cyber risk is derived as a quantitative measure, in dollars, of the probable frequency and probable magnitude of a future loss. This quant-based derivation will make sense to the board and to the CIO’s peers in risk management, finance and even portfolio risk. From a tools perspective, organisations are currently all over the map. Some organisations have a GRC system but have not used that tool for cybersecurity compliance, and are now trying to re-fit it to document cybersecurity compliance. But there can be a hefty price-tag for this work. Unless one understands what the goal is, one may spend that money more than once putting in and refitting a GRC solution.
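    Worked illustration of the quantitative derivation above, added here and not part of the article: a FAIR-style Monte Carlo that turns calibrated frequency and magnitude ranges into an expected annual loss in dollars, then weighs a control's loss reduction against its cost. The scenario, the ranges and the control cost are constructed assumptions, and triangular distributions stand in for the PERT curves FAIR tooling usually uses.

```python
import math
import random
import statistics

# FAIR-style estimate: risk = probable frequency of loss events x probable magnitude
# per event, expressed in dollars per year. All ranges below are constructed inputs.

def poisson_count(rng, lam):
    """Draw one year's event count from a Poisson distribution with mean lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq, magnitude, iterations=10000, seed=7):
    """Monte Carlo over (min, most likely, max) ranges; returns one loss figure per simulated year.

    freq      : loss events per year, e.g. (0.5, 2, 6)
    magnitude : dollars lost per event, e.g. (50_000, 200_000, 1_200_000)
    """
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        lam = rng.triangular(freq[0], freq[2], freq[1])   # random.triangular(low, high, mode)
        events = poisson_count(rng, lam)
        yearly.append(sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                          for _ in range(events)))
    return yearly

def summarise(yearly):
    """Board-level figures: expected annual loss, median year, and the 90th-percentile 'bad year'."""
    ordered = sorted(yearly)
    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "median": statistics.median(ordered),
        "p90": ordered[int(0.9 * (len(ordered) - 1))],
    }

def control_value(before, after, control_cost):
    """Net annual value of a control: expected loss avoided per year minus its annual cost."""
    return (summarise(before)["expected_annual_loss"]
            - summarise(after)["expected_annual_loss"] - control_cost)

if __name__ == "__main__":
    # Constructed scenario: phishing-led account takeover, before and after a control
    # (phishing-resistant MFA) that is assumed to cut the event frequency range.
    baseline = simulate_annual_loss((0.5, 2, 6), (50_000, 200_000, 1_200_000))
    with_mfa = simulate_annual_loss((0.1, 0.5, 2), (50_000, 200_000, 1_200_000))
    print("baseline:", summarise(baseline))
    print("with control:", summarise(with_mfa))
    print("net annual value of control at $250k/yr:", round(control_value(baseline, with_mfa, 250_000)))
```

    The expected annual loss is the figure to put beside a control's price tag; the p90 line is what to show a board that asks how bad a bad year could be.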

    For instance, one organisation uses more than 50 spreadsheets for PCI-DSS across multiple entities, has two GRC systems, and is still struggling to report on cybersecurity compliance. From a tools perspective, one should start with a solid understanding, from the legal department, of exactly which standards must be complied with and by when. Once that understanding is validated, a solid mapping between the standards is needed so that duplication and gaps can be determined. There are a number of good free mappings available from the Center for Internet Security (CIS), the Payment Card Industry (PCI), the Cloud Security Alliance (CSA) and NIST, and there are of course non-free mappings.

    Initially it will be messy, unfamiliar, and seem incorrect and incomplete, but once done with a sustainable, methodical approach, it will improve quickly. Yes, assessments are not a “one-and-done” effort but should be a sustainable process. The CIO does need to lead the way. Without their support the effort will be doomed, and the organisation will continue to miss the mark both in reporting on its holistic security posture and in showing how it complies with its obligations.

    Cybersecurity compliance and improved reporting are attainable. With deliberate commitment to measuring compliance comes the ability to reduce risks and demonstrate the need for increased resources.
    https://cyber-security.apacciooutlook.com/cxoinsights/complying-with-modernday-cybersecurity-governance-nwid-7504.html