
An Insight into Cyber Security Compliance Standards with Opeoluwa Akinsanya


Opeoluwa is Proud to be CyberGirls Mentor

A robust defense strategy: every company needs and wants one, ideally with minimal effort. Companies are often confused about their “Cyber Essentials,” a foundational framework that serves as the bedrock of digital defense, and the “GDPR Gap Analysis,” a strategic tool for ensuring that data protection remains paramount.

As organizations navigate the complexities of today’s world, the ability to adapt and secure their digital assets becomes imperative. This means recognizing the significance of a robust compliance posture, specifically around data security and protection. Yet, as with every task, challenges arise, and companies grapple with aligning their practices to the standards set forth by Governance, Risk Management, and Compliance (GRC) frameworks.

Ultimately, cyber security is not just a buzzword. It is the most important part of our digital presence today. Today, we have Mrs. Opeoluwa Akinsanya, Information Security Subject Matter Expert, GRC. Mrs. Akinsanya has worked with many clients and helped them comply with security standards. Let’s have our queries discussed with her.


Q1: What are the current emerging threats and trends in online security, and how should organizations prepare to address them effectively?

Akinsanya: Top threats and trends in cyber security would be supply-chain/value-chain attacks, social engineering, malware & ransomware, AI-enabled disinformation & deepfakes, zero-day exploits, national hacks, and DDoS attacks. Research has identified that the weakest link in information security is humans. Hence, in addition to the adopted technical controls within organizations, it is important that employees undergo information security training. This ensures security is considered during their daily activities while performing their roles. It is also important that regular security awareness communications are maintained. In addition, I would say senior management have to cultivate the right security culture within their organizations. They have to lead by example, provide the resources required, and engage in information security responsibilities. To address these threats and trends effectively, security cannot be seen as an add-on; it has to be integrated into the organizational culture. Overall, organizations should work towards complying with relevant information security standards and frameworks.

Q2: Can you provide examples of successful cases, perhaps ones we are not aware of, where a robust GRC framework significantly improved an organization’s online security posture?

Akinsanya: I have seen time and time again where organizations’ online security postures have been improved by seeking compliance with a robust GRC framework. Some robust GRC frameworks are ISO 27001, NIST, COBIT, PCI DSS, SOX, and SOC 2. Here is an example of a successful implementation of an Information Security Management System (ISMS) which complies with the requirements of ISO 27001. An SME seeking to expand its clientele decides to obtain ISO 27001 certification to enhance its bids for government contracts.

On this project, the SME obtained the requirements for the project and ensured the required resources were provided. A consultant was hired to support the SME, a project lead/information security manager was appointed, and the budget for the technology required to meet compliance was approved and adopted. The project, up to certification, lasted 6 months. The significant changes this project brought are that senior management recognized that information security topics were not a silo reserved for the IT team only, the technology that would provide returns on investment was adopted, risks are now addressed proactively instead of reactively, the organizational culture supports information security, senior management are involved in information security communications and discussions, information security awareness is not seen as an add-on but embedded into daily practices, and the organization’s processes and documents are adequately controlled with information security considerations.

Complying with the requirements of this robust GRC framework has significantly improved this SME’s online security posture. Likewise, another organization purchased by a large corporation was required to comply with the SOC 2 framework so that the organization could extend to markets in the USA. Building on the existing security baseline the organization already had, its ISO 27001 certification was used as a rock to meet compliance with several relevant frameworks such as SOC 2. The additional requirements for compliance with SOC 2 were easier to obtain because there was existing security awareness and knowledge amongst employees and senior management that would support the required changes/improvements in organizational processes. Compliance with SOC 2 requirements further improved the integrity and privacy processes, risk management process, system operations, and ethical values of the organization, resulting in an improved online security posture and more opportunities for profitable business. While SOC 2 is primarily focused on proving the implemented security controls that protect customer data, ISO 27001 is focused on proving there is an operational ISMS to manage the information security program continuously.

Q3: What are the critical components of an effective GRC strategy for information security, and how do they contribute to overall risk reduction?

Akinsanya: An effective GRC strategy begins with assessing the potential risks associated with the organization’s existing business context and identifying its specific compliance requirements. Then the key stakeholders whose interests may be affected have to be identified and consulted. Thirdly, the business’ strategic requirements are used to develop actionable objectives. A communication plan to provide visibility into the operations must be created; this ensures transparency and credibility with the stakeholders. Additionally, the organization must establish, implement, and enforce effective cybersecurity policies, procedures, and controls to ensure GRC strategies are effective. These components contribute to overall risk reduction by ensuring there is assessment of the potential threats and vulnerabilities that could affect the organization, as well as implementing adequate security controls to mitigate these risks.

Q4: How can organizations balance the need for agility and innovation with maintaining strong security controls?

Akinsanya: I would say begin by ensuring the organization’s culture supports a risk-based approach to any innovation to be adopted. Prioritize the most critical risks, apply appropriate security controls, and monitor and review the risk profile regularly. Additionally, for any implementation, security by default/design should be leveraged. This would ensure secure design and development methodologies are adopted. In summary, while innovation could present the organization with new market opportunities, it is important to be innovative in a safe and sensible way.

Q5: Can you share insights on organizations’ most common mistakes or misconceptions about GRC and its impact on online security?

Akinsanya: Common misconceptions about GRC would be that an optimal GRC tool ensures adequate management of the GRC processes, and that, as a small organization, we do not need a GRC program. While it is true that tools could provide meaningful integration between functions supporting enterprise-wide oversight, and empower strategic decisions around GRC, without the right organizational approach to GRC, the tool cannot bring about a positive impact on its effectiveness for the organization. Many small organizations weigh the resources required against the benefits of GRC and decide they do not require a GRC program. However, quantifying the benefits would show the return on investment to the organization. Innovation in technologies and reliance on suppliers have created more vulnerable online access points that could cripple business operations.

Q6: What strategies do you recommend for effectively identifying, prioritizing, and mitigating risks while aligning them with short-term and strategic business objectives?

Akinsanya: A risk management strategy would be suitable for identifying, prioritizing, and mitigating risks. The strategy would include these components: identification of risk, assessment of risk, mitigation of risk, and monitoring and review of the risk profile. Additionally, adopting frameworks such as COSO ERM or ISO 31000 could help organizations achieve alignment of the risks with their business objectives.


Q7: How does the GRC framework contribute to incident response and recovery plans, and how can organizations ensure these plans are regularly tested and updated?

Akinsanya: A GRC framework contributes to incident response and recovery plans by providing best practices that outline incident response and recovery operations. The framework ensures the key components of the related operations are considered and established to develop an appropriate incident response program: planning and preparation, detection and reporting, assessment and decision, incident response and restoration, evidence collection, post-incident review to identify lessons learnt, and incident closure. Incident response plans should be tested regularly, and results from the tests should be used to update the incident response playbook. Testing the plan validates its effectiveness, which is essential to business continuity and disaster recovery, ensures the resources required in the event of an incident are identified, and ensures the incident response program is compliant with the GRC framework. Organizations can ensure regular testing of their incident response plan by creating a schedule for incident response tests to be performed, and by adopting various methods for performing the tests, such as tabletop exercises and simulation exercises.

Q8: In light of remote work and cloud adoption, what are some best practices for maintaining a robust security posture while embracing modern technologies?

Akinsanya: As mentioned previously, I would suggest a best practice for maintaining a robust security posture to be secure by design and secure by default for every technology adopted. With organizations working with cloud and remote work environments, it would be best practice to incorporate the environments/vendors into your regular cybersecurity risk assessment to ensure compliance with the organization’s level of security. Next, automated cybersecurity solutions may be adopted to support threat intelligence and stop proposed events. Lastly, continuous education and examination of employees about information security best practices would also ensure the security posture of the organization is maintained.

Q9: What certifications or training programs do you recommend for professionals interested in specializing in GRC information security?

Akinsanya: Common certifications in GRC are CISM, CISA, CRISC, and CISSP. These would be aside from the various framework-related certifications.

Q10: Looking ahead, how do you foresee the role of GRC evolving in the context of rapidly advancing cybersecurity threats and regulatory changes?

Akinsanya: GRC requirements would continuously change with changes in laws, industry standards, and regulations. The role of GRC began to evolve with the industry standard changes introduced in 2022 (ISO 27001); more standards are presently being reviewed (NIST, PCI DSS) and changes are anticipated. The changes are made to ensure there are best practices to address the rapidly advancing cybersecurity threat landscape. This will further impact compliance for organizations by ensuring their practices can be adaptable to the compliance requirements of the evolving changes and threats. With the appropriate tools, strategies, awareness of the risks and opportunities that new technologies present, and regular training and awareness, there would be adaptability for compliance with the rapidly changing GRC landscape.

Q11: Can you share examples of key performance indicators (KPIs) that companies can use to measure the effectiveness of their GRC information security initiatives?

Akinsanya:

- Percentage of staff awareness training completed annually: >90%
- Percentage of business continuity/incident response tests carried out to schedule: >90%
- Number of security incidents within a quarter compared to the previous quarter
- System uptime should not be lower than 25 minutes annually
- Internal audits carried out to schedule

Q12: How can organizations ensure that third-party vendors and partners align with their security standards and contribute to a secure ecosystem?

Akinsanya: A third-party risk management program can be used to ensure that third-party vendors align with and contribute to the organization’s secure ecosystem. The third-party risk management program would ensure due diligence is conducted for the vendor prior to signing the contract, that is, that the vendor has the same level of security as the organization. Based on the result of the due diligence, the risk assigned to the vendor has to be monitored and reviewed regularly by a designated contact within the organization.


Q13: Can you elaborate on the role of senior leadership in driving a strong security culture throughout the organization?

Akinsanya: The senior leadership team has a critical role to play when establishing an organization’s security culture. They will be able to share their diverse insights based on their relationships with key stakeholders, which would determine the success of driving the culture throughout the organization. Additionally, when information security is being complied with and communicated from senior leadership, it is seen as being implemented from the senior leadership team; it reveals commitment and provides a sense of direction and responsibility for the employees. When senior leadership communicate their personal cybersecurity stories and their impact on business, it further reassures the employees that compliance with the cybersecurity requirements is across all tiers of the organization. Lastly, senior leadership can show their personal commitment to keeping the organization secure by being involved in the security-related discussions and providing the resources required for the security procedures.

Q14: How do you recommend companies prioritize their security investments to ensure they allocate resources to the most critical risk areas?

Akinsanya: Prioritization of security investments would be based on the organization’s strategic priorities, key risks, key markets, key transformation initiatives, etc. Hence, business drivers and initiatives would be utilized when deciding the allocation of resources. To assess the key risks, the organization’s critical assets, data and processes, and their impacts upon compromise would be determined. This would be aligned with the organizational strategic priorities and stakeholders’ expectations. The investment would be prioritized to address the most critical risks that would yield the most realistic return.

Q15: How can companies effectively manage and document their security incidents and remediation efforts for regulatory reporting purposes?

Akinsanya: Companies can effectively manage their security incidents by having an incident management process integrated with their disaster recovery plan. When an incident occurs, documentation is required for compliance. The incident reporting mechanism must document the contact details of the reporter, a description of the incident, the (potential) impact of the incident, the category of the incident/classification of the information involved, the personnel to be notified, further details of the incident assessment/analysis and any evidence obtained, the resolution of the incident, and the signature of the responsible personnel to show the incident has been closed satisfactorily. The reporting mechanism may be achieved through the use of a defined incident reporting template in a ticketing system. The incident must be documented in the Incident Log.

Q16: How should companies approach the challenge of maintaining security in a BYOD (Bring Your Own Device) and remote work environment?

Akinsanya: Additional layers of security such as encryption, two-factor authentication, granular permissions, and content filtering should be implemented on personal devices used by remote workers. Precautions must be taken to ensure that organizational data is not transmitted to personal devices. All these additional layers are usually implemented through the use of mobile device management (MDM) software. The MDM can be used to remotely wipe the registered BYOD device, in addition to the BYOD or Remote working policy that would be required to be signed by the employee.

Q17: What role does continuous monitoring and assessment play in maintaining a proactive and resilient security posture, and how can companies and individuals implement these practices effectively?

Akinsanya: Continuous monitoring can be considered a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and threats to support organizational decisions and a maintained security posture. Organizations can implement continuous monitoring through regular patching of security vulnerabilities, monitoring of compliance within the organization’s endpoints, monitoring logs of user activities when alerted, monitoring information security objectives, and monitoring vendors’ security compliance.

Author: Anas Hasan

Date: September 5, 2023


Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
