Managing Your Cyber GRC Strategy to Comply With Fast-changing Regulations
- By Arik Solomon, Cypago
- August 19, 2024
It’s never been a more challenging time to work in cybersecurity governance, risk management, and compliance, also known as cyber GRC.
IT environments, third-party connections, and data processing systems keep growing more extensive and complex. Business risks are evolving and widening at mind-bending speeds. And all the while, new and updated regulations are arriving from all directions – on international, national, and industry-specific levels.
A flurry of framework updates and rollouts
Regulators seem to be changing and enacting new frameworks at a dizzying pace.
Early in 2024, California’s CPPA privacy regulations came into force, and NIST released its first CSF update since its launch a decade ago. In addition, the U.S. House Committee on Energy and Commerce recently began discussing a draft of the American Privacy Rights Act of 2024 (APRA), which could become law within the year.
AI is sparking a host of regulations on its own. NIST recently issued the first AI Risk Management Framework (AI RMF 1.0). U.S. President Joe Biden signed an Executive Order on the safe, secure, and trustworthy development and use of AI, and the E.U. passed the Artificial Intelligence Act, a provisional agreement regulating AI use. Numerous individual countries are also in the process of issuing AI-related regulations.
Many industries face regulations of their own, too. Healthcare organizations need to remain cognizant of ongoing HIPAA updates, among others. Financial organizations in the U.S. must adhere to SOX, with its GLBA Safeguards Rule, updated in recent months to shorten required breach reporting times while obligating financial institutions to explain their data-sharing practices.
Elsewhere, PCI DSS v4.0 came into effect in March 2024, affecting all retailers as well as financial services providers.
Stakes are high
If anyone is considering attempting to fly under the radar of regulations and legislation, be warned that enforcement is real. GDPR alone has seen penalties rise to a cumulative EUR 4.6 billion as of summer 2024, and those levied in 2023 were higher than the previous three years put together.
The risks of non-compliance go beyond fines and penalties, as if those were not deterrent enough. After all, cybersecurity regulations and frameworks exist to help organizations protect themselves from cyber threats.
A lack of compliance can signal serious vulnerabilities to cyber thieves and fraudsters. Organizations found to be in breach of relevant regulations could suffer a loss of consumer trust, while other companies are understandably reluctant to partner with businesses whose GRC policies fall short of requirements.
It can sometimes feel like GRC teams are running up the down escalator in their attempts to evaluate and adjust their GRC policies to stay compliant with the raft of international, national, and industry-specific regulations. However, a structured approach makes it possible and prevents your GRC personnel from feeling overwhelmed by the work before them.
Below are my recommendations.
Assess your territory
The first step is the same as with any business task: understand the situation before you. You’ll need to scan your organization’s infrastructure and digital resources to identify various entities that must be considered within your cyber GRC posture. This should include everything under use by all product lines, business units, and geographic locations like branch offices or overseas headquarters.
Once you’re clear on the relevant entities, you can establish which frameworks and regulations relate to each and formulate your organization’s policies accordingly. Ensure that your GRC procedures and policies consider all the best practices and recommendations and adhere to legally required minimums.
Keep up to date with GRC needs
Laying the foundations of GRC policies is vital, but it’s not enough to remain compliant. You need to stay abreast of evolving regulatory requirements and industry standards to know when and how legislation has changed — and get a feel for where it’s headed.
GRC services can provide dynamic information about new compliance requirements, ensuring that you can respond swiftly to changes in the regulatory environment. Knowledge is power, and once you know what’s expected of you, you can proactively update your policies and procedures accordingly to maintain your compliance standards.
Survey the situation frequently
In parallel with monitoring the regulatory landscape, you must also be aware of your organization’s current GRC posture, which can change often. It’s important to conduct dynamic, ongoing audits, including user access reviews (UARs) and continuous control monitoring. Automating these processes allows you to streamline data collection while notifying you about gaps in your compliance.
You should also consider feedback from stakeholders such as internal teams, regulatory bodies, and external auditors. These surveillance processes and assessments enable your GRC personnel to gauge the effectiveness of existing policies and identify any gaps or areas where you need improvement.
Monitor the landscape
Last but not least, continuous control monitoring is a vital tool in your constant struggle to remain GRC compliant. Automated monitoring can track deviations from your policies and alert you to breaches or potential vulnerabilities.
With the help of continuous monitoring, you can identify emerging risks and promptly adapt your policies to mitigate those risks as much as possible.
GRC compliance is a surmountable challenge
It’s true that the burden of legislation is only increasing, and remaining compliant with it all is only getting more difficult. But cyber GRC teams don’t need to lose heart. You can stay on top of compliance with a comprehensive and structured approach.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Arik Solomon, Cypago
Arik Solomon is the chief executive officer and co-founder of Cypago, enabling companies to streamline and automate their processes and workflows around cyber governance, risk, and compliance (GRC). He has over 30 years of executive experience in cybersecurity, consulting, and software development, including as chief technology officer of EY Israel, vice president of R&D and security & deep learning at Deep Instinct, and vice president of services at Mirato.