The GRC Journey Never Ends

The GRC Journey Never Ends
Author: Muhammad Asif Qureshi, CISA, ACMA, CIA, CISSP, PMP
Date Published: 31 December 2021
Related: Achieving Data Security and Compliance | Digital | English

Information security has existed since humans started sharing information. For example, Julius Caesar developed a cipher to protect information from unauthorized disclosure.1 And during both World Wars, countries used encryption techniques to secure information. A recently processed collection of documents at the US National World War I Museum and Memorial contains a list of more than 130 secret code words used by the American Expeditionary Forces during World War I.2

However, information sharing has changed drastically over the years. Before the invention of computers, information was mainly stored in physical files and folders. Use of information was governed through secured physical storage and access controls, secure sharing mechanisms, and security clearance levels. Intellectual property and copyright laws used to focus on physical aspects. Thomas Watson, former chairperson of IBM, predicted in 1943, “I think there is a world market for, maybe, five computers.”3

As computers became mainstream and evolved, cyberattacks got sophisticated. The tug of war between attackers and defenders convinced security professionals to develop additional protection mechanisms. Manual encryption mechanisms gave way to digital cryptographic techniques. Physical access controls were complemented with logical access controls, network zoning, firewalls, antimalware and multifactor authentication. The security governance journey evolved as well, with progress gained through a combination of highly skilled people, new processes and advanced technologies.

During the last decade, governments across the globe began to recognize the importance of adopting cyberlaws. So far, 154 countries (79 percent of the world) have enacted cybercrime legislation. The pattern varies by region: Europe has the highest adoption rate (93 percent), while Asia and the Pacific have the lowest (55 percent).4

The growth in popularity of these laws represents the increased necessity of governance, risk and compliance (GRC) practices in IT functions. Understanding the evolution of GRC is essential for organizations to stay ahead of the curve, especially as new risk governance models for emerging technologies are introduced.

Security Governance

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 38500:2015 defines the governance of IT as a subset or domain of organizational governance, or in the case of an enterprise, a subset of enterprise governance.5

Security governance is often confused with security management, which is focused on mitigating IT risk. Security governance provides a framework for making risk mitigation decisions and ensures that security strategies are aligned with business strategies. Effective governance of information security provides assurance that security initiatives are aligned with business strategy and controls are in place to address potential risk. In other words, effective enterprise governance leads to effective information security governance.

Historically, organizations have focused mainly on the technical aspects of security while developing security architecture. However, given the severity of cyberincidents in recent decades, security needs senior management’s attention. An information leak incident can lead to millions of US dollars in penalties, fines and other costs and may result in the loss of key customers. As part of the enterprisewide risk management process for addressing these threats, a risk-based approach should be deployed for identifying, assessing, mitigating and reporting risk and ensuring that resources are utilized effectively and efficiently.

Information Security–A Moving Target

Information security has evolved alongside the evolution of computers and the way information is processed, shared and stored. Early computers required large storage areas, and access was mostly limited to terminals hosted on the same premises. As a result, security governance processes primarily revolved around physical security and passwords.

With the advent of the Internet and personal computers, people started linking their computers to the Internet over telephone lines. This resulted in opportunities for hackers who geared up and sought ways of tricking people and stealing the information flowing over communication lines.

Effective enterprise governance leads to effective information security governance.

During the 1980s and 1990s, hacking evolved and became a potential threat for organizations and governments. Due to the lack of strict cyberregulations, hacking practices spread like wildfire. Cybersecurity professionals helped organizations with firewalls and antimalware products; however, they were often insufficient because hackers found different ways of infiltration.

Since the 2000s, cybercrime has become a significant threat, and strong measures have been taken by governments against cybercriminals. Use of cryptography has become the norm to protect data over networks.6 Figure 1 depicts the evolution of cyberthreats.

Figure 1

Constantly evolving cyberrisk poses the challenge of how to predict the motives of cybercriminals. Boards now focus on effective governance of cyberrisk through delegating responsibility and empowering the C-suite. Compliance with cyberlaws and regulations is a key factor, as is the threat of lost revenue and diminished customer confidence.

The Evolution of Security Frameworks

Following the Spring Joint Computer Conference of 1967, a widely circulated report informally known as the Ware Report first recognized computer security as a challenge.7

The Advanced Research Projects Agency Network (ARPANET), established by the US Department of Defense in 1969, was the first implementation of the Internet concept. The ARPANET was originally developed for information sharing and collaboration. During the early years of digital computers (i.e., the 1970s and early 1980s), computer threats were not that severe because knowledge of computers and networks was very limited. Over the years, computers became increasingly connected and attacks evolved. The US National Institute of Standards and Technology (NIST) (then the US National Bureau of Standards) published Audit and Evaluation of Computer Security in 1977.8 It was a milestone that led to several related publications in later years.

In 1978, Stuart Madnick, a computer scientist and IT professor, argued that necessary control policies and procedures would become increasingly critical as reliance upon computer-based information systems continued to increase.9 During the late 1980s and early 1990s, cyberattacks were ignored by Internet pioneers because the Internet was limited to trusted participants. However, when the Internet became commercialized, the relaxed attitude of previous decades was replaced with concern.

With the advent of Fourth Industrial Revolution (4IR) technologies in the 21st century, the potential for cyberattacks significantly increased. Predictions indicate cyberattacks will inflict damages totaling US$6 trillion globally in 2021. That figure would position cybercrime as the world’s third-largest economy after the United States and China.10

The information security ecosystem consists of risk originating from business strategy, practices and operating models.

To address increasing cyberrisk, several frameworks and standards have been developed. Though these frameworks and standards take diverse approaches to managing cyberrisk, they have one goal in common:

Ensure that information risks are systematically identified, assessed, prioritized, mitigated and monitored to ensure that the organization meets its goals with effectiveness and efficiency while complying with applicable laws and regulations by having appropriate policies, organization structure, and processes in place.11

Deployment of an information security governance framework is not a silver bullet, but it provides a strong foundation for developing a sustainable structure and defining roles and responsibilities, policies and practices (figure 2). During this journey, an organization can shift to a continuous improvement model that ensures quality, effectiveness and efficiency, cost minimization, and employee and customer satisfaction.

Figure 2

Trends in Technology

With no specific industry boundaries, technology has made an everlasting impact and has completely changed the enterprise risk canvas. From farmers to bankers, technology is the major enabler of business across the globe and the main source of risk. Implementation of security controls is now seen as an investment that enables secure, reliable delivery of services and products to customers.

Figure 3Outsourcing operations to third-party contractors results in cost-effectiveness. At the same time, it raises the risk profile of the outsourced operations. In the current era of cloud computing, one of the biggest concerns is to ensure that vendors implement adequate controls for securing the information they process.

Information security governance has come a long way. A typical information governance model is shown in figure 3. The information security ecosystem consists of risk originating from business strategy, practices and operating models. Risk is then mitigated through controls such as policies, procedures and organizational structure.

Emerging Technologies Risk Management

Emerging technologies have not only blurred all the borders but also have compelled governance and risk professionals to reconsider their risk management approaches. Since technology is a prominent source of risk, it is imperative to consider the risk that accompanies adoption of a new technology. Artificial intelligence (AI), robotic process automation (RPA) and cloud computing most often catch the attention of executives. When adopted, these technologies pose certain risk because they involve large amounts of data. Therefore, data governance, third-party risk management, data privacy and security compliance are areas that need attention from risk managers. Other technologies that pose their own risk include the Internet of Things (IoT), 3D printing and blockchain technologies.

Emerging technologies have not only blurred all the borders but have also compelled governance and risk professionals to reconsider their risk management approaches.

Information security governance and risk professionals are expected to take on the challenge of understanding the inherent risk when adopting these technologies. Figure 4 identifies a proposed risk management strategy for emerging technologies.12

Figure 4

While performing technology risk assessments, risk managers need to understand the business case— that is, how the new technology will bring value to the business model while the risk associated with it is identified, understood and managed. AI risk can be mitigated in several ways. However, it is critical that the governance model be tailored to fit the specific organization’s needs and scenario.

AI-Related Risk
When an organization adopts AI, senior management needs to be mindful of the risk associated with this technology. AI works with large amounts of data, which need huge computing resources. Predominantly, these computing resources are available through cloud services, which results in non-data-related risk. In addition, huge amounts of data collected from various sources need to be secured in compliance with applicable privacy laws. If an organization is developing an AI solution, then it has to take development risk into consideration (figure 5).

Figure 5

NIST has asked for public input on an AI risk management framework, which it is in the process of developing as a way to "manage the risks posed by artificial intelligence."13

RPA-Related Risk
Similarly, RPA is among the latest game-changing technologies. According to the Institute for Robotic Process Automation and Artificial Intelligence (IRPAAI):

RPA is the application of technology that allows employees in a company to configure computer software or a ‘robot’ to capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.14

Since RPA is engaged in process automation and developing bots, it inherits risk from both business and technology aspects. Data security, access management and change control are among the leading sources of risk, in addition to system maintenance and skills shortage. It is critical to understand the business case and the overall governance process. Data security and compliance requirements should be considered when deciding on an RPA solution. Figure 6 shows a proposed governance model for an RPA environment.

Figure 6

Conclusion

The GRC profession has come a long way. Its evolution so far has been technology driven, with risk vectors remaining unchanged. However, every day brings new challenges in the life of a GRC professional.

Boards and C-suite executives are overwhelmed with financial reporting and compliance requirements that revolve mostly around technology controls.

Governance and compliance professionals are constantly faced with the uphill task of simultaneously interpreting the risk inherent in business operations and ensuring compliance with data security and privacy requirements.

As organizations adopt the latest technologies, governance and risk managers are continuously faced with the challenge of understanding the technology risk and its potential impact on the business. GRC professionals are expected to keep themselves up to date with recent developments in the technology environment and to meet business expectations.

It is clear from history that the governance profession will adapt to changes in business and operating environments. There is no doubt that organizations must react quickly in the digital world to stay ahead of the curve. Enterprises are expected to be more transparent in their practices while maintaining traditional product quality and customer service. In the future, GRC will not be limited to reducing risk but will likely be a growth enabler, thanks to its focus on key business practices.

In the future, GRC will not be limited to reducing risk but will likely be a growth enabler, thanks to its focus on key business practices.

Endnotes

1 ChurchHouse, R, F.; Codes and Ciphers: Julius Caesar, the Enigma, and the Internet, Cambridge University Press, UK, 2002
2 The National WWI Museum and Memorial, “Secret—List of Coded Words,” 19 March 2018, www.theworldwar.org/explore/collections/spotlight/codes
3 Fogarty, K.; “Tech Predictions Gone Wrong,” Computerworld, 22 October 2012, www.computerworld.com/article/2492617/tech-predictions-gone-wrong.html
4 United Nations Conference on Trade and Development, “Cybercrime Legislation Worldwide,” 4 February 2020, http://unctad.org/page/cybercrime-legislation-worldwide
5 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 38500:2015 Information Technology—Governance of IT for the Organization, Switzerland, 2015, http://www.iso.org/standard/62816.html
6 Patel, P.; “Principal of Information System Security: History,” GeeksforGeeks, 20 December 2019, www.geeksforgeeks.org/principal-of-information-system-security-history/
7 The Rand Corporation for the Office of the Director of Defense Research and Engineering, Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security, US Department of Defense, USA, 11 February 1970, http://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf
8 Ruthberg, Z.; R. McKenzie; Audit and Evaluation of Computer Security, National Institute of Standards and Technology (NIST), 1 October 1977, www.nist.gov/publications/audit-and-evaluation-computer-security
9 Madnick, S.; “Management Policies and Procedures Needed for Effective Computer Security,” Sloan Management Review, vol. 20, iss. 1, Fall 1978, http://pubmed.ncbi.nlm.nih.gov/10239542/
10 Morgan, S.; “Cybercrime to Cost the World $10.5 Trillion Annually By 2025,” Cybercrime Magazine, 13 November 2020, http://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
11 International Organization for Standardization (ISO), “Management System Standards,” http://www.iso.org/management-system-standards.html
12 Hedrich, W.; M. Wakeling; A. Ferguson; From Risk to Strategy: Embracing the Technology Shift, Marsh and McLennan Companies, Inc., USA, 2019, http://www.marshmclennan.com/content/dam/mmc-web/insights/publications/2019/may/from-risk-to-strategy-embracing-the-technology-shift-digital.pdf www.mmc.com/insights/publications/2019/may/from-risk-to-strategy.html
13 National Institute of Standards and Technology (NIST), “NIST Requests Information to Help Develop an AI Risk Management Framework,” 29 July 2021, www.nist.gov/news-events/news/2021/07/nist-requests-information-help-develop-ai-risk-management-framework
14 Institute for Robotic Process Automation and Artificial Intelligence, “Definition and Benefits,” http://irpaai.com/definition-and-benefits/

Muhammad Asif Qureshi | CISA, ACMA, CIA, CISSP, PMP

Is an experienced governance, risk and compliance (GRC) professional with a background in information systems auditing. He is a GRC manager at Tawazun Economic Council. Qureshi worked with a dedicated team to build the information security architecture and establish an information security department in his organization from ground zero. He actively participates in mentoring and coaching activities for young learners in schools and colleges and has been a guest speaker on cybersecurity-related topics for young students on numerous of occasions.