Businesses face risks on many fronts, particularly in cybersecurity, for which Gartner predicts spending will grow by 2.4% in 2020 despite the pandemic. Executive leadership knows that these risks must be managed, but wants reassurance that mitigation efforts are implemented efficiently and effectively. This requires a systematic understanding of the controls in place – a controls assurance program -- to guard against threats.
A well-crafted and executed controls assurance program has significant benefits, including:
- More complete understanding of risk-remediation efforts, including security gaps to close
- Improved spending and ROI by focusing on critical areas
- Enhanced cybersecurity and organizational resilience
- Reassurance regarding compliance with overlapping regulations, standards and frameworks
- Greater confidence in decision-making
The Sources and Nature of Risk Controls
Controls should enable companies to achieve their business objectives (adhering to relevant rules and regulations among them) as well demonstrate compliance with universal security standards. While compliance alone does not guarantee security, following best-practice standards serves as a baseline for properly guarding against risks. Such controls can be developed by aligning with such regulations, standards and frameworks as ISO 27001, NIST, COSO and CIS 20. In fact, the Center for Internet Security says that implementing just the first five of its CIS 20 controls can reduce the risk of a cyberattack by 85%.
Additionally, organizations can create their own cyber assurance frameworks based on company policies or contracts with business partners or customers. Often organizations use a combination of external and internal controls to establish cybersecurity protocols appropriate to their business.
Once these controls are in place, a company needs assurance that they are working effectively, which requires regular testing. There may be hundreds of controls to be implemented, so the questions become where to start and how to prioritize among them. This is where an integrated, risk-based approach proves its worth.
The necessity of an integrated, risk-based controls system
A centralized system for risk and compliance provides organizations a bird’s eye view of their security across the enterprise. This includes visibility of the controls themselves, their effectiveness and their compliance status. By mapping similar controls in different frameworks, organizations can reduce duplicate efforts when it comes to reporting on compliance. But not all controls require the same level of attention.
A risk-based cybersecurity program establishes priorities, focusing on critical areas first to effectively allocate limited resources. Actions are taken to mitigate the biggest risks and protect the assets of the highest value– the company’s “crown jewels.” A compliance-focused approach may not result in such an outcome; it concentrates on implementing controls, not improving performance.
As both cybersecurity threats and regulations expand, it’s critical that organizations have tangible insights on the risks they face and confidence that these risks are under control. While compliance with regulations is mandatory, compliance alone is not sufficient…
Many organizations feel paralyzed by the sheer numbers of risks to address, so they struggle with where to start their risk-mitigation efforts. Acuity has been helping organizations develop systematic, cost-effective risk-management programs. We’re eager to pass along our insights, and so we’re offering a free webinar on the topic on Dec 2nd to discuss risk-based controls assurance. We hope you’ll be able to join us!