Governance, Risk Management and Compliance

Trend 7 – Greater focus is placed on supply chain security and vendor risk management

As organizations increasingly collaborate with partners and outsource work, the risk of compromise also increases in the supply chain. A single weak link can impact an organization’s security and reputation. Multiple high-profile third parties have experienced breaches, including consumer retailer Target, showing any business could be at risk.

VRM is a comprehensive approach to identify the different vendors an organization has relationships with and the cyber risks they are exposed to. VRM tiers the risk of each vendor and then tracks and mitigates these risks. VRM also vets potential suppliers before they are approved as vendors.

Multiple regulations, including GDPR, put the onus of VRM on the organization, holding them responsible for any breaches or data loss.

GRC automation platforms such as RSA Archer, MetricStream and ServiceNow provide integrated VRM capabilities. Most solutions are now available in the cloud and as SaaS models, reducing implementation time and operations costs. The challenge of large volumes of vendor assessments has led to a new category of vendors like CyberGRX and OneTrust that provide risk exchange capabilities for cost reduction. Others, like BitSight and RiskLens, provide continuous vendor assessments using publicly exposed assets and information on the dark web. We expect to see more integration across tools and automation through AI and bots to reduce the efforts and costs of VRM.

For a leading packaged food retailer in the U.S., Infosys defined their VRM process and the vendor tiering criteria to create tierspecific security assessments that met the organization’s risk appetite. All workflows and processes were automated using the RSA Archer product. Post-implementation, Infosys provides vendor risk assessments and ongoing remediation governance as a managed service.

Governance, Risk Management and Compliance

Trend 8 – Cyber metrics lead security governance enabling enterprise-wide stakeholder collaboration

As cyber threats increase and organizations deploy multiple security tools, chief information security officers (CISOs) struggle to understand the impact of their security posture and track the effectiveness of their initiatives. Transaction systems such as SIEMs provide only a snapshot of their current status and include excessive data for a strategic review. Using GRC automation tools for cyber metrics management is a long and expensive process. Most of these tools do not provide an intuitive and flexible user interface with rich dashboards and trend analysis.

To ensure the organization’s security requires understanding and input from multiple groups and stakeholders beyond the IS or IT teams. This is possible with well-defined cyber metrics that support datadriven governance and provide specific improvement inputs to each team. The ability to drill down to specific periods and business units/geographies also helps executives measure and track the effectiveness of the control implementations across the organization.

Most organizations use manual spreadsheets and PowerPoint slides to track cyber metrics, making the process cumbersome and unreliable. Similarly, it takes time and resources to develop a cyber metrics management tool using reporting and analytics platforms. To combat this challenge, Infosys developed Cyber Gaze.

A leading U.S.-based healthcare service organization was using traditional spreadsheets to manage metrics, so Infosys implemented the Cyber Gaze platform to help the CISO, CIO and IT leadership track and perform trend analysis of more than 160 cyber metrics. The flexible platform allows for quick implementation of new metrics as new cyber controls are implemented, allowing agility that was not available before. This platform can be used to collaborate across the CISO and other teams for effective cybersecurity governance.

Subscribe

To keep yourself updated on the latest technology and industry trends subscribe to the Infosys Knowledge Institute’s publications

Infosys TechCompass