GRC Tuesdays: Building Digital Trust, what does it really mean?
There are a few definitions of Digital Trust out there, so I won’t create a new one. Instead, I’ll simply refer to PwC’s, which I think is very clear and straightforward: “the level of confidence in people, processes and technology to build a secure digital world”.
Knowing what it is, though, doesn’t really help in knowing how to address it. So, let me try and suggest a few options in this blog.
Start with Governance and Risk Management
To me, this is the first step: documenting the processes and then identifying the risks that could manifest if there are any deviations in the process or if the process itself has flaws.
To reduce the likelihood of the risks, process owners would then document controls that can be assessed manually on a regular basis – or, better still, be connected to the source systems and run automatically. What’s great with automated controls is that the only effort is in the original design and setup. Once this is done, the company can move to a “manage by exception” type of approach where control owners only need to look at a control when it has raised an issue.
Instead of creating new controls though, I would strongly suggest reviewing what’s already in place. Indeed, some reports state that over 40% of Financial Compliance-type requirements actually relate to IT Controls (like the IT General Controls for SOX). Why not reuse these instead of creating new ones that could very well be simple duplicates?
Let’s of course not forget to lower the impacts of the risks. If controls reduce the likelihood, action plans and other risk response strategies can help mitigate the impact of the risk.
Finally, raising awareness via a sound risk culture should be included in this phase. Here, the intent is to ensure that all stakeholders (employees, contractors, etc.) acknowledge and understand the policies in place and respect them. In a sense, this acts as a proactive human firewall.
Go for Application Security
Controls are great, and necessary to ensure that the process functions as designed. But they are after the fact. What most Security departments – and company executives – are asking for today is to bring reaction time down to real time when an issue occurs and, when possible, to simply remove the driver that could cause the risk or the security incident itself. The quicker you catch it, the less damage can be done. Here’s where Application Security plays a big role.
By monitoring both business transactions and security risks in parallel, companies can detect anomalies earlier and reduce the losses they could incur or even avoid them.
Take it as a mix between NCIS and Criminal Minds where you combine activity monitoring and behavioural analysis to correlate actions by users and machines across different systems and highlight outliers that need to be investigated.
Results of these investigations can then be used to determine how to eradicate the root causes directly. Is it by reviewing permissive access rights? Is it by enforcing new field masking policies?
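The two ideas above – automated controls that surface only exceptions for the control owner, and correlating user actions across systems to highlight outliers – can be sketched in a few lines of code. The example below is added here and is not code from the original post or from any product; the event schema, the two source systems (“erp” and “iam”), the role-to-action mapping and the sample events are all constructed assumptions.

```python
"""
Added example (not from the original post): a minimal "manage by exception"
control runner. Controls are evaluated automatically over event records
pulled from source systems; only violations surface for review.
"""
from statistics import median

# Constructed sample events from two hypothetical source systems: an ERP
# ("erp") and an identity system ("iam"). Field names are assumptions.
EVENTS = [
    {"ts": 1, "system": "erp", "user": "alice", "action": "create_vendor", "vendor": "V100"},
    {"ts": 2, "system": "erp", "user": "alice", "action": "approve_payment", "vendor": "V100", "amount": 48000},
    {"ts": 3, "system": "erp", "user": "bob", "action": "approve_payment", "vendor": "V200", "amount": 1200},
    {"ts": 4, "system": "iam", "user": "bob", "action": "grant_role", "role": "PAYMENT_APPROVER", "target": "bob"},
    {"ts": 5, "system": "erp", "user": "bob", "action": "approve_payment", "vendor": "V300", "amount": 9500},
    {"ts": 6, "system": "erp", "user": "carol", "action": "export_customer_data", "rows": 300},
    {"ts": 7, "system": "erp", "user": "carol", "action": "export_customer_data", "rows": 450},
    {"ts": 8, "system": "erp", "user": "carol", "action": "export_customer_data", "rows": 250000},
]

# Which ERP actions each IAM role enables (assumed mapping).
ROLE_ACTIONS = {"PAYMENT_APPROVER": {"approve_payment"}}


def control_segregation_of_duties(events):
    """Same user both creates a vendor and approves a payment to it."""
    creators = {(e["user"], e["vendor"]) for e in events
                if e["system"] == "erp" and e["action"] == "create_vendor"}
    return [{"control": "SoD-vendor-payment", "user": e["user"], "evidence": e}
            for e in events
            if e["system"] == "erp" and e["action"] == "approve_payment"
            and (e["user"], e["vendor"]) in creators]


def control_self_granted_role_used(events):
    """Cross-system correlation: a role a user granted to themselves in IAM
    is later exercised by that same user in the ERP."""
    self_grants = {}  # (user, action) -> timestamp of the self-grant
    ordered = sorted(events, key=lambda e: e["ts"])
    for e in ordered:
        if e["system"] == "iam" and e["action"] == "grant_role" and e["target"] == e["user"]:
            for action in ROLE_ACTIONS.get(e["role"], ()):
                self_grants[(e["user"], action)] = e["ts"]
    findings = []
    for e in ordered:
        granted_at = self_grants.get((e["user"], e["action"]))
        if e["system"] == "erp" and granted_at is not None and e["ts"] > granted_at:
            findings.append({"control": "self-granted-role-used", "user": e["user"], "evidence": e})
    return findings


def control_export_volume_outlier(events, factor=10):
    """Behavioural baseline: an export is an outlier when it exceeds `factor`
    times the median of the same user's other exports (leave-one-out)."""
    exports = [e for e in events if e["action"] == "export_customer_data"]
    findings = []
    for e in exports:
        others = [o["rows"] for o in exports if o["user"] == e["user"] and o is not e]
        if others and e["rows"] > factor * median(others):
            findings.append({"control": "export-volume-outlier", "user": e["user"], "evidence": e})
    return findings


CONTROLS = [control_segregation_of_duties,
            control_self_granted_role_used,
            control_export_volume_outlier]


def run_controls(events, controls=CONTROLS):
    """Run every automated control and return only the exceptions. An empty
    list means the control owner has nothing to review this cycle."""
    findings = []
    for control in controls:
        findings.extend(control(events))
    return findings


if __name__ == "__main__":
    for f in run_controls(EVENTS):
        ev = f["evidence"]
        print(f"[{f['control']}] user={f['user']} ts={ev['ts']} action={ev['action']}")
```

Each control is a plain function over the event stream, so adding one is a design-and-setup task only, as the post describes; the runner then hands the owner just the three exceptions (the vendor-creator approving their own vendor’s payment, the self-granted approver role being used, and the export far above that user’s usual volume) rather than the full event log.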
In case you are still wondering if this really applies to all organizations or just major international corporations, let me leave you with a last thought: if data is the new oil as many say, how do you think shareholders of an oil company would react if the CEO states that they are losing crude oil but that the company is unable to explain how, where and to whom… The very same applies to information regardless of the business and its size.
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard