Governance, Risk & Compliance

Collaboration & Data Compliance

Collaboration tools are vital in 2020—but are team members sharing data compliantly? 100 security and IT leaders share the truth in this Pulse survey.

Are penetration tests effective at determining risk?

Top Answer : You're going to go through this as you do your attack and penetration test management response. When you have a security researcher or an attack and penetration security researcher come in and attack you in a certain way, they will say, "We found something and it was bad." They won't specify the way they got through all the different protections you had around them, how fast you found them; all of those things are left out of context. As you build up your management, your response, you say, "Wait a second, wait a second, I understand when you look at that with tunnel vision, it looks like we had a failure, but when you look at all these things wrapped around it, that high or critical really becomes a low. Because there's no way you would have been let in the door freely the way we let you in, because we wanted you to do this testing on us." So that already brings it down a notch. We have all these external protections. From my perspective, it's really getting that context. It's not just this, "do you have it or don't you have it?" It's putting it in that context, what wraps around it, to really give companies an understanding of true gaps. Because those true gaps are the things you just cannot ignore.

37 views
4 comments
3 upvotes
Confidential File Transfers Over Mobile Devices

How are your staff transferring secure files over mobile devices today? 100 IT leaders share how they’re keeping mobile transfers compliant and secure.

If you had a magic wand to make the ideal risk management framework for the industry, what would that look like?

Top Answer : To be honest, I don't know yet. I feel we're on the cusp of being able to say we're getting a better comfort level with what we've looked at and done so far. I constantly challenged my team to say, "You've got to prove it." You have all these concepts and we have all these ideas, but I haven't seen yet the math to address mitigations. I haven't seen yet the ability to apply the time window. But we say it all the time. We say things like, "This is a three-year problem because all of these assets or versions are going to age out. So we may run out of time because this stuff may just end up retiring. Can we live like that? For how long, and what percent of the population?" So if we say, "Listen, leave the last 5% alone, because it's isolated, you can't move laterally from it, and yes, we might have a bad day and lose 5% of our laptops and it would be terrible, but it's not the whole organization." So we're making those decisions, not within that fantastic dashboard model, which would be awesome. Imagine being able to watch the red lights pop up when you just address those on a day. So I would love to get to that level.

13 views
2 comments
1 upvotes
How do you determine how long to carry a certain risk?

Top Answer : Once you have that model, which is fantastic with the calculation and outcome and how much risk you incur, then the question becomes, how long do I carry the risk? That's where the intersection of the IT portfolio and the life cycle portfolio of the IT organization or product organization comes in, when you lay the life cycle program on top of that risk. For us, we're going through a whole bunch of upgrades and decommissions. So when we lay the life cycle program on top of that risk determination, what it does is it tells you how long you're actually going to carry it until those assets are moved or sunset. I think that's another intersection that management could use.

11 views
1 comments
1 upvotes
Is a robust mathematical model necessary to determine your risk threshold?

Top Answer : I do think that sometimes you just need an upper threshold and a lower threshold. Where you say, "Listen, we have this much insurance, and this is where our company would be very harmed if we lost this much money or had to deal with this much liability." So you just don't allow yourself out of those bounds. So there's a little bit of math in it.

9 views
1 comments
0 upvotes
How do you create a holistic understanding of GRC amongst leadership?

Top Answer : I actually created a security committee, and it was my opportunity on a quarterly basis to go in front of them and explain, "Here are the different areas." That's how I did it. I really focused on the different areas and said, "In this area, this is our risk." We talked about that residual risk: What are we missing in here? How are we going to approach it? Which of those, because you can't do everything, are going to bubble up to the top for this initiative, and which ones are we going to let go? So that worked out really well because it gave the opportunity to have really good dialogue, and sometimes it was different than what I thought it was.

Which departments/groups within your organization present the biggest risk for insider threats?

Top Answer : Interesting poll, but the biggest risk is actually not listed on here. It would be your IT organization, because they manage/own privileged accounts all over the place that can access data for the whole organization. Compromise an admin's account and you can have the keys to the whole kingdom.

160 views
1 comments
0 upvotes