Monday, November 1, 2021

Cyber Security ROI for the CEO - Part Three - Compliance & Audit

"...There has to be a regular performance audit to do a comprehensive analysis to determine how the funds are performing. We can't come to the bargaining table without both qualitative and quantitative performance metrics..." - the Author 


BOTTOM LINE UP FRONT: Compliance and Audit are expenses. Yes, they are necessary, and yes, they can drive quantitative and qualitative value for the business; however, done without business acumen, they are almost always perceived as disruptive and overly costly by the business you serve. 

In this installment of the series, we'll discuss how to strike a meaningful balance, bring value via automation, and increase engagement and awareness with your Business Leadership Team. 

What we will discuss in this section: 

  • Who should develop a strategy for Compliance and Audit success? 
  • Do you need a "Compliance and Audit" committee? 
  • Do you need Compliance and Audit SDLC gates in your IT processes? 
  • Who will call the ball when IT and Cyber Security disagree? (Yes, they will disagree.) 
  • How do you maximize automation in your compliance requirements? 
Why you should develop a Compliance and Audit Strategy 

You need a way to relentlessly streamline your methodology for dealing with both internal and external auditors: as the saying goes, the best defense is a good offense. Developing a solid strategy for proactively giving the auditors what they require will reduce uncertainty within your IT organization and allow your teams to prepare audit artifacts as a normal course of doing IT business. This is a big value add to the business you are supporting, your auditors and your team members. Reducing uncertainty allows the IT teams to gain confidence in generating their assigned audit artifacts, and confidence thrives in an environment where there are clear performance goals that support business drivers. 

Do everything in your power as a Leader to make Compliance and Audit support tasks (the generation of audit artifacts) part of required day-to-day IT team operations. Granted, it will be a change; however, in the end you can quantify the value of your approach to the business leadership team in dollars saved. You'll receive well-deserved kudos for managing your teams like a business and for proactively supporting the business. 

The business leadership team will forever look at you as a more valuable Leader - and that's what it's all about. 

Why you need a "Compliance and Audit" committee. 

Everything we do in Information / Cyber Security requires business buy-in. Most folks in the business leadership team do not understand Security, and in the back of their minds they see Governance, Risk, Compliance, Privacy and Security [GRCPS] as costs to be contained. 

This is natural. You should be aware of this and always work to increase executive awareness of the GRCPS Team's proactive role in cost containment, in all areas of the GRCPS System Development Life Cycle. 

By working with the business leadership to champion the creation of a joint, Business and Security "Compliance and Audit" Committee, you bring the business to the forefront of informed decision making for GRCPS requirements. 

By doing so, your frustration level for all things GRCPS will plummet as the business takes a leadership role in prioritizing and funding GRCPS initiatives for you. 

Let that sink in for a few minutes... 

Why you need Compliance and Audit SDLC gates in your IT processes. 

EXAMPLE: We've been patching systems since the '90s, going on thirty years now, so we should be very good at patching! You most likely have a well-refined process for patching each family of IT assets that supports your business. Why not leverage and enhance these time-tested processes to improve the generation of audit artifacts for your GRCPS requirements? 

If you're using NIST 800-53 as your governance framework (or another time-tested framework like ISO 27001) you know that there are a variety of "...vulnerability and patch management..." related controls that benefit from some well-documented "stuff": 

  • Having a control owner assigned 
  • Having a control manager assigned 
  • One of these for every "control requirement": a detective control, a preventative control or a procedural control 

By mapping your IT tools to your compliance families and identifying the audit artifacts that each tool is capable of generating, you can set a goal to have the tool generate high-quality audit artifacts automatically, without labor dollars, and store them in a secure location for the auditors to review at their leisure. 

Let's look at the business advantages of this strategy: 

  • This will reduce the actual IT workload: audit artifacts that are generated without employee labor free up employee labor dollars to be repurposed for other tasks. Be sure to brief that to the business. 
  • This will break the cycle of the auditors showing up and billing your business to nag IT employees for audit artifacts. 
  • This will save a lot of normal audit costs. Be sure to brief that to the business and to find a way to quantify the savings! 
  • By assigning the individual contributor who is responsible for the day-to-day operation of the tool that generates the audit artifacts as the "Control Manager", with the added responsibility of maintaining the "procedure" documentation, those documents should always be updated and relevant. 
  • By assigning a Manager as the "Control Owner", you gain valuable oversight and quality control functions in support of your GRCPS program and the IT SDLC process "gates" that support the generation of audit artifacts. 
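To make the tool-to-control mapping above concrete, here is an added example that is not from the original post: a small Python control register that checks every control requirement has an owner, a manager and exactly one valid control type (the three "stuff" items listed earlier), and a function that turns a patching tool's output into a self-describing audit artifact with an integrity hash. The control IDs, tool names, role names and patch-status records are constructed sample data, not anything from the post or from a real environment.

```python
"""Control register gap check and automated audit-artifact generation.

Added example for the tool-to-compliance-family mapping described in the post.
All identifiers and records below are constructed illustrations (assumptions),
not real controls, hosts or tools from any organization.
"""
import hashlib
import json
from datetime import datetime, timezone

# The three control types the post says every control requirement needs one of.
CONTROL_TYPES = {"detective", "preventative", "procedural"}

# Constructed control register: each control requirement is mapped to the IT tool
# that produces its audit artifact, plus the Control Owner / Control Manager roles.
# Two entries deliberately contain gaps so the checker has something to report.
CONTROL_REGISTER = [
    {"control": "SI-2 Flaw Remediation", "family": "SI", "tool": "patch-manager",
     "owner": "IT Ops Manager", "manager": "Patch Admin", "type": "procedural"},
    {"control": "RA-5 Vulnerability Monitoring", "family": "RA", "tool": "vuln-scanner",
     "owner": "Security Manager", "manager": "", "type": "detective"},      # gap: no manager
    {"control": "CM-6 Configuration Settings", "family": "CM", "tool": "config-baseline",
     "owner": "", "manager": "Config Admin", "type": "corrective"},         # gaps: no owner, bad type
]


def register_gaps(register):
    """Return (control, problem) tuples for every control requirement that lacks an
    owner, lacks a manager, or is not classified as exactly one valid control type."""
    gaps = []
    for entry in register:
        if not entry.get("owner"):
            gaps.append((entry["control"], "no Control Owner assigned"))
        if not entry.get("manager"):
            gaps.append((entry["control"], "no Control Manager assigned"))
        if entry.get("type") not in CONTROL_TYPES:
            gaps.append((entry["control"],
                         "control type must be one of " + ", ".join(sorted(CONTROL_TYPES))))
    return gaps


# Constructed output of a hypothetical patch-management tool for one patch cycle.
PATCH_STATUS = [
    {"host": "web-01", "missing_critical": 0, "last_patched": "2021-10-28"},
    {"host": "web-02", "missing_critical": 2, "last_patched": "2021-09-30"},
    {"host": "db-01", "missing_critical": 0, "last_patched": "2021-10-29"},
]


def _evidence_digest(records):
    """SHA-256 over a canonical JSON encoding of the evidence records."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_artifact(control, tool, records, generated_at=None):
    """Assemble an audit artifact for one control requirement: which control and
    tool it covers, when it was generated, a summary an auditor can read at a
    glance, the raw evidence, and a hash so later alteration of the evidence is
    detectable. Writing it to a restricted, append-only store is a deployment choice."""
    if generated_at is None:
        generated_at = datetime.now(timezone.utc).isoformat()
    summary = {
        "hosts": len(records),
        "hosts_missing_critical": sum(1 for r in records if r["missing_critical"] > 0),
    }
    return {
        "control": control,
        "tool": tool,
        "generated_at": generated_at,
        "summary": summary,
        "evidence": records,
        "evidence_sha256": _evidence_digest(records),
    }


def verify_artifact(artifact):
    """Recompute the evidence hash and compare it with the one stored in the artifact."""
    return _evidence_digest(artifact["evidence"]) == artifact["evidence_sha256"]


if __name__ == "__main__":
    for control, problem in register_gaps(CONTROL_REGISTER):
        print(f"GAP  {control}: {problem}")
    artifact = build_artifact("SI-2 Flaw Remediation", "patch-manager", PATCH_STATUS)
    print(json.dumps(artifact["summary"]), "verified:", verify_artifact(artifact))
```

Run on its own, the script reports the three register gaps (a missing manager, a missing owner and an invalid control type) and produces one artifact for the patching control; a scheduled job would call `build_artifact` after each patch cycle and drop the JSON into the secure artifact store, so the auditors read the store rather than interrupting the team.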

Who will call the ball when IT and Cyber Security disagree? 

All of this change will make some folks' hackles go up; no one likes change... The mantra of "that's the way we've always done it..." (also known as entropy) is a powerful de-motivator. 

How do you break this log jam without becoming a pariah? 

Glad you asked! You have a Super Power to help with that... Bring these entropy events to the "Compliance and Audit" Committee, let the business hear the arguments, pro and con, then let the business have the final word. 

You are just the messenger here. The Business Leadership Team has the absolute responsibility to manage resource allocation to drive risk management and profitability, and those are powerful motivators. Let the business make the decisions, then carry out their decisions. It's never personal (though change feels personal sometimes); it's just business. 

Maximize automation in your Compliance and Audit requirements 

By taking a long, hard look at your GRCPS and Audit requirements, inserting them into existing mature IT SDLC gates and automating the generation of audit artifacts, you are in essence differentiating yourself from the average Manager and ensuring that the Business Leadership Team sees you as a force multiplier, increasing the competitive advantage of the Business. 

Once you've made this point it will forever change the way the Business Leadership Team looks at you, your value to the Business will increase exponentially. 

The value you bring to the Business as a GRCPS Leader is not by turning a wrench on a tool; it's by effectively managing risk and resources and bringing efficiencies to the forefront in business meetings. Help the business understand that you as a Leader can drive efficiency, maximize tool investment dollars, free up IT labor for other, more creative tasks and increase competitive advantage. You'll get people's attention, and I'll wager you'll also get that next promotion with a lot less friction. 

You have made the transition from Manager to Leader. Not a lot of folks in the Technology Teams see the value in doing that, but your Business Leadership Team does...
