Modern businesses rely on a wide variety of digital systems, platforms, and applications to run their organisations – making cyber governance, data privacy compliance, and IT security a top priority. Recently we ran a webinar on techniques for good cyber governance, compliance and IT security strategies, featuring Head of Information Security & Compliance at Camms – Dulan Fernando, and the Chief Executive Officer at RiskNZ – David Turner.
In this blog we share the key insights and takeaways from the webinar and explain how you can implement structured processes to strengthen cyber security and improve data privacy compliance in your organisation.
Cyber Governance Requires More than Technology
The duo started out by addressing the common myth that cyber security is all about firewalls and encryption and that it can be predominantly managed with the right software, and that technology itself can do all the heavy lifting. Of course, having the latest technology and firewalls can help, but organisations also need a good cyber governance structure supported by policies, training, and formalized processes to make sure staff can recognize cyber risks and that they are behaving in accordance with policies and operating procedures. Dulan pointed out that training is ‘not just a checklist objective’, and that ‘it requires continuous updates to staff regarding current and existing threats and threat intelligence, sharing the latest news on cyber security (what are the breaches), plus phishing exercises’. He noted that it’s ‘not a scare tactic, it’s just to keep everyone informed and how it can be prevented’.
When discussing cyber security in the context of people vs technology, Dulan shared that ‘The human factor is the weakest link’. He added ‘You can put all the technical controls. You can put all the frameworks in place. But if you don’t have your people on board, then you just leave yourself open’.
Cyber Governance Depends on Size and Sector
They also highlighted how the sort of cyber governance structure an organisation needs can vary based on company size and industry. Dulan highlighted that a smaller firm ‘might highly focus on cost efficiency and minimal compliance, which will result in a less formal governance structure’, whereas large enterprise corporations will have ‘complex governance frameworks in place due to obligations to the stakeholders, regulation, and compliance’. An organisation’s industry can also heavily influence how it structures and manages cyber governance. For example, Dulan highlighted that, ‘in healthcare, we have HIPAA patient data protection compliance and audit requirements. When it comes to finance, banks prioritize fraud prevention and regulated compliance requirements like PCI DSS’.
The Board’s Involvement in Cyber Governance
David and Dulan also discussed the need for the Board to be involved in cyber governance. David said that during his consulting work many boards are ‘saying we need to know more as we are accountable at some level for this’. Dulan advocated for a CEO led cyber alignment to business goals. He added ‘That would be the best way, because you know that that ensures that you have the resource allocation and accountability’. A Board should be regularly updated on cyber risk exposure. They will want assurance that the organisation is compliant with any applicable data privacy and cyber regulations, and they will want visibility of the controls and policies the organisation has – along with the proof that controls are effective and tested regularly.
Dulan highlighted that ‘In security leadership, you need to get buy-in for cyber security initiatives from your CEO, CIO, CTO and legal department’, adding: ‘It is really crucial to driving a successful and effective cyber strategy, and the cyber security strategy needs to align with the business goals. You need to come out with a cyber security program which adds value to their existing operation, rather than trying to create a roadblock’. They added that teams must also ‘address the cost aspect – as cybersecurity can be seen as a cost centre’. Dulan also shared that ‘if you align cybersecurity with the business strategy, you can demonstrate how cyber security directly supports growth and innovation, and also how it helps to develop customer trust’.
Consequences & Examples of Weak Cyber Governance
The pair also discussed some examples of weak cyber governance and their consequences. They discussed the District Health Board ransomware attack, the Australian National University data breach, and the Optus data breach, and the heavy impact on citizens. Dulan stated that these examples really highlighted that ‘gaps in incident responses or weak risk management and insufficient security practices can leave an organisation really vulnerable to these cyber threats. It also underscores, and it shows the importance of having a really good framework and preparedness for cyber risks. Without proper governance, organisations face increasing disruption, data loss and reputation damage’. David added that prevention is key and that involves ‘eliminating silos’ and ‘working together and communicating’.
Multiple Data Privacy Regulations for Global Companies
During the webinar Dulan and David discussed the difficulties of managing data privacy in global companies due to the different regulations in each country. They highlighted the following data privacy frameworks:
- In the US, we have the NIST sub framework, which helps federal agencies and the private sector, and HIPAA for the healthcare sector.
- In the EU, we have GDPR
- For Australia, it’s the Privacy Act or the Critical Infrastructure Act
- For New Zealand we have the Privacy Act
Dulan highlighted the need for ‘a regulation inventory within an organisation where you capture applicable regulations to your business and where it operates. And this should capture things like, what are the specific obligations, timelines in response to certain incidents, what are the actions you really need to take, and this could also include, references to the third parties that you need to get in touch with – in case there’s some event’. He highlighted that ‘meeting that regulatory inventory is a key organisational responsibility’.
Dulan highlighted that ‘once you have that clear picture, you’ll be able to map out your operations, understand what the business processes are that you need to put in place, where you can store your data, where you can’t, what kind of protections you need to put in place – and you can even categorize it by the industry and different regions that you have’. He added ‘Incident reporting can be a complex task, there are different expectations by different regulations or legislation, so it’s important to keep those documented and have an up-to-date record of what’s expected. This proactive style of compliance management allows us to have things like regular audits to test and make sure you have these processes in place aligning with the regulatory requirements, and you can use, compliance management tools to help you with that process as well’. Dulan shared that ‘continuously monitoring those metrics that you have set, and then monitoring the baseline helps you elevate the security performance within your organisation’.
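The regulation inventory Dulan describes is, at its core, a structured record: which regulations apply to which regions and data categories, what each one obliges you to do, by when, and whom to contact. The following is an added example (not code from the webinar, Camms or RiskNZ) of how such an inventory can be held in code and queried when an incident occurs, so the reporting timelines for every applicable regulation fall out automatically instead of being rediscovered under pressure. Every deadline, contact and obligation in the inventory is a constructed placeholder to be confirmed by your legal team; the 72-hour GDPR supervisory-authority deadline is the statutory figure, the rest are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Regulation:
    name: str
    jurisdictions: frozenset          # regions the organisation operates in where this applies
    data_categories: frozenset        # kinds of data the regulation governs
    notify_within_hours: Optional[int]  # fixed regulator deadline; None = "as soon as practicable"
    regulator_contact: str            # third party to get in touch with (placeholder)
    obligations: tuple                # specific actions the regulation requires

# Constructed inventory. Contacts, obligations and all deadlines except
# GDPR's 72 hours are illustrative placeholders, not legal guidance.
INVENTORY = (
    Regulation("GDPR", frozenset({"EU"}), frozenset({"personal"}), 72,
               "supervisory-authority@example.invalid",
               ("notify supervisory authority", "notify data subjects if high risk")),
    Regulation("NZ Privacy Act", frozenset({"NZ"}), frozenset({"personal"}), None,
               "privacy-commissioner@example.invalid",
               ("notify Privacy Commissioner", "notify affected individuals")),
    Regulation("HIPAA", frozenset({"US"}), frozenset({"health"}), 60 * 24,
               "hhs-ocr@example.invalid",
               ("notify HHS", "notify affected individuals")),
    Regulation("PCI DSS", frozenset({"EU", "NZ", "US", "AU"}), frozenset({"cardholder"}), 24,
               "acquiring-bank@example.invalid",
               ("notify acquiring bank", "engage PCI forensic investigator")),
)

@dataclass
class Incident:
    detected_at: datetime     # timezone-aware detection time
    regions: set              # regions whose data or systems were affected
    data_categories: set      # categories of data involved

def applicable_regulations(incident: Incident, inventory=INVENTORY) -> List[Regulation]:
    """Regulations whose jurisdiction and data scope both intersect the incident."""
    return [r for r in inventory
            if r.jurisdictions & incident.regions
            and r.data_categories & incident.data_categories]

def notification_schedule(incident: Incident, inventory=INVENTORY
                          ) -> List[Tuple[str, Optional[datetime], str]]:
    """(regulation, absolute deadline or None, contact), fixed deadlines earliest first."""
    rows = []
    for reg in applicable_regulations(incident, inventory):
        deadline = (incident.detected_at + timedelta(hours=reg.notify_within_hours)
                    if reg.notify_within_hours is not None else None)
        rows.append((reg.name, deadline, reg.regulator_contact))
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda row: (row[1] is None, row[1] or far_future))
    return rows

def overdue_notifications(incident: Incident, now: datetime, inventory=INVENTORY) -> List[str]:
    """Regulations whose fixed deadline has already passed; a metric worth monitoring."""
    return [name for name, deadline, _ in notification_schedule(incident, inventory)
            if deadline is not None and now > deadline]

if __name__ == "__main__":
    # Constructed incident: personal and card data affected across EU and NZ operations.
    incident = Incident(datetime(2024, 1, 1, tzinfo=timezone.utc), {"EU", "NZ"}, {"personal", "cardholder"})
    for name, deadline, contact in notification_schedule(incident):
        print(f"{name:15} deadline={deadline or 'as soon as practicable'}  contact={contact}")
```

The value of keeping the inventory as data rather than a document is that the same record drives the incident runbook, the audit evidence and the monitoring metric: a regulation added or amended in one place changes the deadlines everywhere.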
David added that training employees on data privacy requirements should also be a priority and ‘having good inductions, having good refreshers for people who are already inducted’ is key along with having measures to ensure the processes the organisation has in place are working to prevent cyber threats and issues.
The Importance of Data Privacy Certifications and Accreditations
Dulan and David also touched on the importance of data privacy certifications and accreditations like ISO 27001, CPS 234, Cyber Essentials, and SOC Type 1 & 2 on top of complying with local data privacy regulations like GDPR, NIST, and the Data Privacy Act. Dulan added ‘The purpose of accreditations and certifications, one is to have a third-party independent assessment on your framework. But also, what customers are looking for is mainly the assurance side of it, to build the trust, so you need to set measurable goals, while aligning it to the business strategy’.
Developing a Cybersecurity Compliance Strategy
On the webinar, Dulan talked about the importance of ‘developing your cyber security compliance strategy’. He noted that this ‘involves creating a road map of integrations to the organisation goals. Establishing – what are the initiatives you want to take up within the organisation, so you can collaborate with these different departments, bring them into the process, learn their objectives, how cyber security can help them identify key business risk, put that on your risk assessment, go through the risk assessment process, and then tailor the security to business needs and establish a risk appetite with clear risk tolerances and priorities’. He shared that cyber risk needs to be reported up to the board level: ‘they should be really aware of what are the key and non-key risks that are existing within an organisation so they can make an informed decision on the way forward, or if any changes need to take place within the strategy of the organisation’. He added that ‘maintaining that regulatory risk list while partnering with legal teams is one of the key aspects of building a compliance strategy as well’.
Dulan highlighted that your cyber security should ‘not be a brand recognition exercise’ it should be ‘security by design’ based on what you want to do and what your goals are. He added that firms need to ‘continuously monitor these regulations and the business changes continuously as well’. He added that ‘as a cybersecurity leader, you need to align yourself continuously with the business leaders so that you can give a better outcome when it comes to your cyber security compliance strategy’. In addition, David highlighted the need for the cybersecurity plan to be ‘flexible and nimble’ enabling firms to adjust quickly and adapt.
Developing a Cybersecurity Compliance Framework
The duo also discussed the challenges of developing a compliance framework. Dulan highlighted that you should ‘develop a baseline within the organisation’ – let’s say you use ISO 27001 as your baseline, but you also need to manage SOC 2 and PCI DSS. Some of the frameworks will overlap, so you need to work out what the additional requirements are from the other standards on top of your baseline standard; then you can adapt your controls to meet the multiple requirements, so you don’t end up with multiple controls covering the same things. Dulan added ‘understanding where it aligns and then having shared controls will really help along with having a comprehensive control register in a system so that you can easily connect them to your risks, your incidents, and your assets’. Dulan also highlighted that ‘it’s important to have cyber security champions within the organisation, to help you understand how we can improve the cyber security operations within that department’.
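The baseline-plus-overlap approach above is a mapping problem: each control in the register records every framework requirement it satisfies, and from that one register you can derive which requirements of the non-baseline standards are genuinely additional, which requirements have no control at all, which controls are shared across frameworks, and which controls are redundant with one another. The following is an added example (not code from the webinar, Camms or RiskNZ) that works this through for an ISO 27001 baseline with SOC 2 and PCI DSS layered on top. The requirement identifiers, control titles, risk and asset names are all constructed placeholders, not real clause numbers from any standard.

```python
from itertools import permutations

# Constructed requirement catalogue per framework: {requirement id: description}.
# Identifiers are placeholders, not actual clause numbers.
FRAMEWORKS = {
    "ISO27001": {"ISO-ACCESS": "Access control policy", "ISO-LOG": "Event logging",
                 "ISO-CRYPTO": "Use of cryptography", "ISO-VULN": "Technical vulnerability management"},
    "SOC2":     {"SOC2-ACCESS": "Logical access restricted", "SOC2-MONITOR": "System activity monitored",
                 "SOC2-CHANGE": "Change management"},
    "PCIDSS":   {"PCI-CRYPTO": "Cardholder data encrypted at rest", "PCI-LOG": "Audit logs retained",
                 "PCI-SCAN": "Quarterly external scans", "PCI-SEGMENT": "Network segmentation"},
}

# Constructed control register: each control lists every requirement it satisfies
# and the risks and assets it is connected to.
CONTROL_REGISTER = {
    "CTL-01": {"title": "Role-based access with quarterly review",
               "satisfies": {"ISO-ACCESS", "SOC2-ACCESS"}, "risks": {"RISK-UNAUTH-ACCESS"}, "assets": {"ERP"}},
    "CTL-02": {"title": "Central log collection, 12-month retention",
               "satisfies": {"ISO-LOG", "SOC2-MONITOR", "PCI-LOG"}, "risks": {"RISK-UNDETECTED-BREACH"}, "assets": {"SIEM"}},
    "CTL-03": {"title": "Database encryption at rest",
               "satisfies": {"ISO-CRYPTO", "PCI-CRYPTO"}, "risks": {"RISK-DATA-THEFT"}, "assets": {"CARD-DB"}},
    "CTL-04": {"title": "Monthly authenticated vulnerability scans",
               "satisfies": {"ISO-VULN"}, "risks": {"RISK-UNPATCHED"}, "assets": {"ERP", "CARD-DB"}},
    "CTL-05": {"title": "Legacy SIEM forwarding",   # covers nothing CTL-02 does not already cover
               "satisfies": {"ISO-LOG", "SOC2-MONITOR"}, "risks": {"RISK-UNDETECTED-BREACH"}, "assets": {"SIEM"}},
    "CTL-06": {"title": "Quarterly external scan by approved vendor",
               "satisfies": {"PCI-SCAN"}, "risks": {"RISK-UNPATCHED"}, "assets": {"EDGE"}},
}

def framework_of(req_id, frameworks=FRAMEWORKS):
    """Name of the framework that defines a requirement id."""
    for name, reqs in frameworks.items():
        if req_id in reqs:
            return name
    raise KeyError(f"unknown requirement {req_id}")

def coverage_gaps(register=CONTROL_REGISTER, frameworks=FRAMEWORKS):
    """Requirements across all frameworks that no control in the register satisfies."""
    covered = set().union(*(ctl["satisfies"] for ctl in register.values()))
    all_reqs = {r for reqs in frameworks.values() for r in reqs}
    return all_reqs - covered

def additional_requirements(baseline, frameworks=FRAMEWORKS, register=CONTROL_REGISTER):
    """Requirements of the non-baseline frameworks that no baseline-mapped control already meets.

    A requirement is 'already covered by the baseline' when some control satisfying it also
    satisfies a baseline requirement; everything else is the extra work the other standards add.
    """
    baseline_reqs = set(frameworks[baseline])
    covered_via_baseline = set()
    for ctl in register.values():
        if ctl["satisfies"] & baseline_reqs:
            covered_via_baseline |= ctl["satisfies"]
    other_reqs = {r for name, reqs in frameworks.items() if name != baseline for r in reqs}
    return other_reqs - covered_via_baseline

def shared_controls(register=CONTROL_REGISTER, frameworks=FRAMEWORKS):
    """{control id: set of frameworks} for controls that serve two or more frameworks."""
    shared = {}
    for cid, ctl in register.items():
        fws = {framework_of(r, frameworks) for r in ctl["satisfies"]}
        if len(fws) >= 2:
            shared[cid] = fws
    return shared

def redundant_controls(register=CONTROL_REGISTER):
    """(a, b) pairs where control a satisfies nothing beyond what control b satisfies."""
    pairs = []
    for a, b in permutations(register, 2):
        sa, sb = register[a]["satisfies"], register[b]["satisfies"]
        if sa < sb or (sa == sb and a > b):
            pairs.append((a, b))
    return sorted(pairs)

def controls_linked_to(kind, value, register=CONTROL_REGISTER):
    """Controls connected to a given risk or asset, e.g. controls_linked_to('assets', 'CARD-DB')."""
    return sorted(cid for cid, ctl in register.items() if value in ctl[kind])

if __name__ == "__main__":
    print("gaps:", sorted(coverage_gaps()))
    print("additional on top of ISO27001:", sorted(additional_requirements("ISO27001")))
    print("shared:", shared_controls())
    print("redundant:", redundant_controls())
```

Running the register through these checks shows the three things Dulan describes: the requirements that are genuinely additional to the baseline, the shared controls that let one piece of evidence satisfy several auditors, and the duplicate control (here CTL-05) that should be merged rather than maintained twice.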
Scenario & Vulnerability Testing and Red Team Exercises
David and Dulan also discussed the importance of testing your cyber security framework against different scenarios and vulnerabilities. Dulan highlighted that red team exercises are ‘one way to really assess a real-world simulation of a threat actor, and these exercises go beyond your traditional vulnerability assessments and penetration testing’. He added ‘this will help you identify security gaps, which help you patch that baseline and then improve your incident response for future actual attacks’.
Dulan also shared that ‘establishing a good vulnerability program is key as well, ensuring you have visibility of all the vulnerabilities within your organisation, either through internal detections or external facing ones’. He added that firms can ‘use third party tools as well to run these external scans and monitor them continuously, and you can have manual tests done internally, using your internal security team to make sure your infrastructure is secure’. Dulan touched on the importance of ‘keeping in touch with the business owners, process owners or people – the individuals who actually run the controls and the processes that we establish. They are the key players who can give you insights into what are the issues in terms of security that are taking place in their day-to-day operations.’ IT security teams must also be ‘regularly collaborating with control owners, and then looking at new emerging threats within their business, so they can put those mitigation controls in place’.
The Use of AI in Cybersecurity
The webinar panel also addressed the use of AI in cyber security. They touched on how it could be potentially used for ‘threat detection’. But warned that companies must consider ‘Who else would have access to this information that you input?’ as it could be private data. Dulan also highlighted that ‘if you’re maintaining your own AI model, it’s important to have bias detection in place and continuously review your algorithms and data sets that you use just to mitigate that risk of accidentally giving misinformation’. He also mentioned that ‘there are threat detection tools which have AI built in, which helps detect threat actors in your network’ and that ‘continuously monitoring that risk through those tools, helps you detect issues faster’.
Conclusion
In conclusion, effective cyber governance, compliance, and IT security strategies are crucial for organisations to safeguard their digital assets, ensure data privacy, and mitigate cyber risks. By adopting a proactive, structured approach to governance, involving key stakeholders, and continuously monitoring regulatory requirements, businesses can build a robust cybersecurity framework. At Camms, we specialize in supporting organisations to implement best-practice processes for cyber risk management, cyber incident management, cyber governance, and data privacy compliance. With our solutions, we can help your business strengthen its security posture and ensure compliance across various regulations, enabling a more resilient and trustworthy digital environment. Reach out to Camms and request a demo to learn how we can support your organisation to improve cybersecurity.