The Responsibility of Risk: Regulations, Certifications – What do Privacy and Data Security Mean?

At every organization, it is someone’s job to oversee the compliance and/or privacy programs relative to their products or services. In the software business, particularly security software, governance directives like SOC 2, ISO, and FedRAMP drive a compliance roadmap for new and upcoming programs. As more organizations embrace business transformation and cloud migration initiatives for both customers and vendors, keeping a close eye on changing compliance standards, measurements, and best practices are key to managing business risk.

In this article:

• Recent laws and directives
• Who owns risk?
• Enabling security practitioners
• Strategy to addresses the responsibility of risk
• What can your organization do?
• Conclusion
• Learn more about the responsibility of risk

Recent laws and directives

Recently, Exabeam published a white paper on the multiple directives, laws, and governance requirements that are globally coming out. There is a lot of focus on how these directives and guidelines are going to be enforced and codified. What does privacy mean? What data needs to be protected? And how can it be better defined? Not to mention the question in every organization: who needs to do what work, precisely? Much of this is spelled out in these various directives, laws, and governance requirements, but there is a common theme to all of these: Trust. 

And at the end of the day, it’s really about trust and assurance. We want to make sure that the software supply chain for every customer is secure. Over the past decade or so, we’ve seen a number of software supply chain attacks that have led to some very high-profile security breaches. And as a result, there’s been a lot of reactivity in terms of, “How do we secure that supply chain?” So when data leaves your environment, you have to ask, “Are your providers doing the right thing with that data?”

All of these various certifications and regulations that come into place ultimately drive the actions, testing, programs, and documentation with which providers like Exabeam must comply in order to provide you, the customer, the trust and assurance that we’re doing the things that we say we do.

There are a few common themes across all of these regulations and certifications:

• You must do access management and keep records of what happens on your network.
• You must have programs for security incident response.
• You must have written policies — and proof that you follow them — for configuration management, backup, and recovery.
• You must educate all employees on the security practices that they are required to uphold.

All of these are just basic concepts that underpin any sound information security program. At Exabeam, our approach is to make sure that we have a baseline that we can build from, where any new certifications or governance that come into play, or those that are modified, provide a solid foundation on which we can build. Let me unravel that for you.

Who owns risk?

This is the million-dollar question. I have two answers for that: 

At a micro level, this often means the board of directors. The board should own cybersecurity risk — or needs to. Owning risk is the bottom line, and stepping up to that ownership is an important agenda item for any board. The first step of ownership is to designate a qualified individual to manage cybersecurity risk.

That means there’s often a CISO-level or VP-type title of information security — but that CISO/VP-level role in the management of cybersecurity risk must follow the board-level mandates and conversations in cybersecurity, while partnering with colleagues and other critical areas of the business. So, you have other stakeholders that are involved: the rest of your C-suite, IT leadership, business operations, IT operations, legal, risk management, and, obviously, compliance management. 

All of these roles start to fill out a bigger picture of the entire company: Everyone is responsible for mitigating cyber risk. Your security leader — whoever is designated as carrying out the mandates for risk management and cybersecurity — needs to be a qualified individual in your financial statements. And they need to be team builders and evangelists, because, in the end, every member, employee, and associate of an organization has a role and responsibility for mitigating risk. 

At a macro level, we have seen new roles and/or functions emerge, or continue to emerge, based on some of these new directives and requirements, such as GDPR’s data privacy officers (DPOs). You may have an insider threat investigations team, forensic specialists (particularly if you’re in the financial sector), threat hunters or threat intelligence specialists, and, finally, cyber risk analysts. All of these new roles are specifically designed to meet these new objectives.

And then there are private industry responses. In the aforementioned white paper, we provided examples of how Google was focusing on safeguarding supply chains and expanding zero trust programs. They do a lot today, and I think it’s really transformative what they’re providing to customers. Microsoft earmarked $150 million in technical services to help federal, local, and state governments upgrade their defenses. IBM is planning to train more than 150,000 people in cybersecurity over the next three years to help shore up an underemployed industry. Amazon is externally providing some of the same cybersecurity awareness training that they provide their own employees.

But there is more that can be done, and I’ll offer some raw thoughts around this. If I’m a customer purchasing a software as a service (SaaS) solution, I want more prepackaged cybersecurity capabilities. I don’t want to have to pay extra for multifactor authentication (MFA). And how about more prepackaged training and controls on an infrastructure buildout? Can we limit the mistakes or misconfigurations that an engineer or developer could make by default? As security starts to shift left into the development space, I think all big tech companies should seriously consider the commitment they offer their customers for compliance and security. 

Enabling security practitioners

When we start to talk about organizational cybersecurity, we’re talking about a combination of people, process, and technology. On the people side, we all need to enable and empower our staff to be security practitioners. The more that you enable the individuals within your organization to be a security practitioner, the safer and more secure your organization will be by default — and that goes from top to bottom. It’s not just the engineers; it’s not just secure development training or role-based training on how to securely operate a cloud service; it’s down to HR, Legal, and Customer Support on how to be more security minded and, more importantly, security enabled. 

Every person in the organization has a role to play in the implementation of some sort of security practice. Collectively, organizations want to make sure that they’re driving security in everything that they do. That has to be the message, and the message has to be a consistent one. 

Then we get into the ownership of who’s doing what. The moment you make an unvalidated assumption that someone else is operating within some sort of secure process, that becomes a potential point of failure. One of the things we do at Exabeam if we’re unsure about the security of a process or operation is to create a RACI for it. RACI is a responsibility assignment, called that because of the four most common roles to answer the questions: Who is Responsible? Who is ultimately Accountable? Who should be Consulted? Who merely needs to be Informed? You can sketch a quick version in any spreadsheet:

• Responsible: The person/team doing the work to complete the task
• Accountable: The person who ultimately answers for the results of an activity, who has the power of delegation on who does the work
• Consulted: The person(s) who ought to be heard on the related activity, and has/have specific knowledge on the topic, to create two-way communication
• Informed: The person(s) who must be kept up-to-date on the progress of the activity, usually implying one-way communication

And then on the tooling side, tool bloat and tool sprawl can be as equally detrimental as ambiguity. If you have too many tools and they’re not implemented or configured properly, then you can get into a scenario where there are gaps in critical processes. From that perspective, you want to make sure that you have the right tools to ensure that the top questions on mitigating risk are answered, and to make the most out of those tools. It’s all about visibility and monitoring of critical systems and events — so by identifying and eliminating redundancy to focus on the right tools that support your activities, you can focus the activity of those responsible for tasks to make sure that you are operating a secure environment and a secure cloud/SaaS service.

Strategy to addresses the responsibility of risk

So how does Exabeam meet the responsibilities of risk? I start by focusing on the key objectives. I don’t think focusing on every regulation is the right answer, but focusing on your key objectives across all the compliance needs will allow you to really dive into the underlying milestones that are going to aid you in meeting any of your security control requirements. Here are the three I think about: 

1. Reduce the cyberattack surface, meaning prevent as much as we can. 
2. Identify and block any potential cyber threats, if and when they try to get through our defenses. 
3. Provide cyber assurance to our customers and our partners, as well as our third-party supply chain.

At Exabeam, the first strong program we implemented was around risk management. We employed a network of security champions across every functional area from sales and marketing to development that has the eyes, ears, and voice to evaluate and manage or mitigate cybersecurity risk. We built a program around responding to emerging threats, and we partner very closely with our security research team on that. We have a cloud security center of excellence to manage both traditional cloud security risks, as well as application security risks. Lastly, we have a data governance program dedicated to discussing and documenting how we handle and protect Exabeam data, customer data, and the rest.

What can your organization do?

A key success path is to promote an open and transparent process, rather than blaming or pointing fingers if we identify gaps. The goal is not to get anyone in trouble, but rather to respond appropriately and lower the risk posture of our organization. Everyone has a part to play in driving that message. 

To reiterate my previous statement, creating cybersecurity ownership with the board starts with board-level awareness of emerging cyber threats, then ensuring they have direct involvement to determine a response to a security threat or a breach. You don’t want to be deciding at the last minute whether you are going to pay a ransom, under what circumstances, or who has to do it. So there are four key questions a board could ask itself: 

1. How do we move from reacting to anticipating a cyberattack? 
2. How do we make sense of the cyber threats that we do face? 
3. Is cybersecurity part of our strategy discussions? 
4. How do we demonstrate that there’s an appropriate return on investment from security measures? 

We talked a bit about this in our webinar and blog post on the CISO’s Guide to Communicating Risk, so be sure to check those out. But the above are some of the key questions that the board should be asking.

Risk and compliance programs

Here at Exabeam, we strive to make sure that everything that we do is compliant by design — a common industry term. This starts with understanding the practical requirements, so programs like SOC 2 and ISO 27001, in which we got certified earlier this year, provide clarity on how to craft those controls. There’s a design test to make sure that we’re not just writing our own controls, but making sure there’s alignment between our process and our control language.

There are also programs that are a little bit more prescriptive, like PCI and FedRAMP, which inform what needs to happen and how. With those in hand, there are going to be the people, processes, and technology as listed above that drive the implementation of those controls and measure their success. 

Automate aggressively

From my perspective, one of the more important qualities of the tools and process is to automate aggressively. Anytime you have a manual process, up to and including investigating potential security breaches and risk, it’s an opportunity for a control gap. So when you deploy a system or a product, or build a feature, you want to make sure that compliance is baked into that process from the beginning. That means application security as much as system security. 

It’s a constant work in progress to get to the point where our implementation, validation, remediation monitoring, and reporting are as automated as possible. In that way, we eliminate as many manual processes and human interactions as possible. In this way, when periodic audits occur, we have the necessary artifacts that we need to prove compliance and process implementation. 

Putting it all together: understand the requirements of compliance and governance; make sure that the people, process, and technology ultimately play into those requirements; and then automate everything you possibly can to make sure that you eliminate manual processes. That’s something we do very aggressively here at Exabeam.

Technical, executive, and employee champions

In your organization, have you identified who is your “big-c” Champion? You can split this into two areas: namely, product security and a security champions program that encompasses everyone throughout the organization. That includes clarifying communication, methods of reporting problems, or asking questions. Anyone who can see something should have clarity on how to say something in a direct line to the security champion. 

And that’s really about adhering to a cyber risk-aware culture. Management-wise, our entire executive team, CEO, and board are my champions. So a question you should ask is: Does your management team know what to do if the organization’s attacked — or rather, when it’s attacked? Focusing on a few questions at the board level can help you quickly identify where those gaps exist within your cybersecurity strategy, then try to encourage more of an organization-wide response: 

• What should your response be? 
• How effective has your response been previously? 
• Are there patterns regarding cyberattacks that make any more information assets more vulnerable at a very specific time? 
• Who should you be sharing threat intelligence with, and do you have what you need to have an effective security operations nerve center? 

Mitigation vs. risk acceptance

First and foremost, even if you don’t have full board or “big-c” Champions for security, there are mitigating controls that you could put in place to potentially reduce the risk to a more tolerable level. One example would be network segmentation regarding critical assets. If there is no skill or funding for the right equipment or tools, then put it on paper and get a formal risk acceptance. 

A formal risk management program can be your ally in improving the security posture and processes of your organization, not to mention waking up the executive-level awareness of their influence and capability in these areas. Written correspondence vetted through your governance, risk, and compliance (GRC) team — your security Champion  — is saying, “Hey, I’ve done my homework. Here’s the data and I have the people to back up what the risk is and the impact and likelihood of that risk. Can I get you to own the acceptance of this risk?” Often, this step can magically get the right funding for tools and programs.

Conclusion

In the end, the compliance or governance you need to follow depends on what you’re trying to accomplish within a region — and it depends on what customers are asking for. We live in a time when there are changing privacy laws and data compliance initiatives. As regulatory standpoints change, organizations need to be nimble and prepared — from their security Champion down to every department — on how to remain compliant, document risks, and figure out either an acceptance strategy or mitigation. The more you can apply that to your roadmap as well as your current offering, the better (and cheaper) your security program maintenance becomes. 

Learn more about responsibility of risk

Check out the Responsibility of Risk white paper and on-demand webinar, or read the transcript.