
Go beyond compliance checklists to avoid information security breaches
In this #GRCChat, participants discuss the causes behind information security breaches and how enterprises can protect against them to improve IT security practices.
If enterprises have learned anything in the past year, it's that data breaches are here to stay and only getting worse. From Home Depot to JPMorgan Chase to Sony Pictures, the numbers were staggering: Gemalto's 2014 Breach Level Index report stated that there were 1,541 information security breaches in 2014, with a total of over 1 billion records breached overall for the year.
The regularity of these information security breaches is forcing many enterprises to take a long, hard look at their GRC and security processes. Are enterprises doing something wrong, or are breaches simply inevitable? In this #GRCChat recap, participants discuss why these data breaches occur so often and how companies can reconcile their GRC management with changing technology, regulations and threats.
With compliance a big concern, why are breaches still so common? Is there too much disconnect between GRC and security?
Enterprises put a lot of effort and resources into being compliant, and yet information security breaches are still occurring at an alarming rate. The consensus among #GRCChat participants was that this is due to companies focusing too much on the compliance aspect of GRC and not paying enough attention to their security as a whole:
a2 because compliance is only one component of #GRC & not an end all be all #GRCchat
— Fran Sales (@Fran_S_TT)
March 26, 2015
A2 Compliance shouldn't be the focus. Organizations need a security framework that will lend itself to being compliant. #GRCchat
— Elliott Franklin (@elliottfranklin)
March 26, 2015
A2 Some biz rely too much on #compliance checklists for data security – being compliant does not mean data is adequately protected #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
It's easy for enterprises to concentrate on compliance because there are rules and regulations that act as guidelines for what exactly needs to be done. However, if companies really want to safeguard their data, they need to take the extra step of looking at security outside the context of compliance. #GRCChat participants discussed why that is easier said than done in today's businesses:
A2 But getting C-suite to move past compliance checklist is hard work. #GRCchat
— Dan Sanders (@dansanders)
March 26, 2015
@TT_Nicole That, and profit/shareholder-attention, and actual understanding of infosec metrics is hard. #GRCChat
— Dan Sanders (@dansanders)
March 26, 2015
@dansanders @ITCompliance This is challenging. When I present security to the board, I present a total security risk score, not a PCI score
— Elliott Franklin (@elliottfranklin)
March 26, 2015
Beyond looking at compliance and security separately, enterprises must also be willing to add security measures that are not required for compliance but are nonetheless needed to protect their data:
A2 While there should be communication/cooperation betwn compliance/sec, each still need to make sure unique data needs being met #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
A2 CIOs need to transition from guarding the perimeter to something much more nuanced. #GRCchat
— Nicole Laskowski (@TT_Nicole)
March 26, 2015
However, this separation of security from compliance is often missing from GRC and security processes. Participants pointed to a lack of resources, and to the absence of GRC and security representation in the systems development life cycle, as explanations for this omission:
A2 Also goes back to lack of cash/resources to adequately respond to rapidly evolving tech/threats #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
A2: There are huge disconnects between both GRC and security and the SDLC. Not many proj.s invite GRC/sec. to submit requirements. #grcchat
— Forvalaka41 (@Forvalaka41)
March 26, 2015
Even with the best security measures, there is still the possibility of an information security breach:
A2 When I've talked to CISOs and security professionals they say that it is impossible to be 100% secure #GRCchat
— Kristen Lee (@Kristen_Lee_34)
March 26, 2015
How can companies balance compliance and risk management while adapting to rapidly changing IT, regulations and cyberthreats?
Every time a new technology emerges, new risks and regulations follow. This can be a lot for enterprises to balance, but SearchCompliance Site Editor Ben Cole -- via the SearchCompliance Twitter handle -- suggested that assessments and regular reviews could be the key to keeping that balance, and may even reveal where compliance and risk management processes overlap:
A3 Risk assessments are key to identify where compliance/RM lacking + where processes overlap. Biz can then consolidate resources- #GRCChat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
A3 Regular, periodic review of compliance/RM processes are needed as well- Will help stay on top of new tech/threat developments #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
#GRCChat participant Elliott Franklin took this idea of reviews one step further and advocated for continuous monitoring as a way to keep compliance and risk management processes abreast of new developments:
A3 Continuous monitoring. There are some great SIEM products that help. Nothing beats a dedicated team with ownership. #GRCChat
— Elliott Franklin (@elliottfranklin)
March 26, 2015
@TT_Nicole Security Ops should monitor. Depends on the size of the org. Many will outsource but this is a critical function. #GRCChat
— Elliott Franklin (@elliottfranklin)
March 26, 2015
@TT_Nicole @elliottfranklin #grcchat IT is great at IT stuff, but GRC (and BC/DR, etc.) are wider concerns
— Forvalaka41 (@Forvalaka41)
March 26, 2015
Still, some participants favored other solutions, whether a concrete one such as developing a new process, or something less tangible such as changing the way the company thinks about GRC:
a3 moving beyond compliance and adding things like a solid incident response plan #grcchat
— Fran Sales (@Fran_S_TT)
March 26, 2015
A3: GRC and security have to be seen as investments with real (qualitative) return in compliance, audit, and freedom from breaches. #grcchat
— Forvalaka41 (@Forvalaka41)
March 26, 2015
How do you think enterprises should balance GRC with evolving technologies, regulations, and cyberthreats? Sound off in the comments section below.