Governance, risk management, and compliance
Trend 7: Supply chain security and vendor risk management (VRM) gain focus
As organizations increasingly collaborate with partners and outsource work, the risk of compromise also increases in the supply chain. VRM identifies a business' vendor relationships and associated cyber risks. The tool categorizes risks from vendors and helps track and mitigate those risks. VRM also tests potential suppliers before they are approved as vendors. Multiple regulations, including the GDPR, put the onus of VRM on the organization, holding it responsible for any breach or data loss.
GRC automation platforms from RSA, MetricStream, and ServiceNow provide integrated VRM capabilities. Most solutions are now available in the cloud as SaaS models, reducing implementation time and operations costs. The challenge of large volumes of vendor assessments has led to a new category of vendors like CyberGRX and OneTrust that provide risk exchange capabilities for cost reduction. Like BitSight and RiskLens, others provide continuous vendor assessments using publicly exposed assets and information on the dark web.
A leading packaged food retailer in the U.S., in association with Infosys, defined its VRM process and the vendor tiering criteria to create tier-specific security assessments meeting its risk appetite. All workflows and processes were automated using the RSA Archer product. Post-implementation, Infosys provides vendor risk assessments and ongoing remediation governance as a managed service.
Governance, risk management, and compliance
Trend 8: New cyber controls enable effective cybersecurity governance
With evolving cyber threats, CISOs struggle to measure and track the effectiveness of their control measures. Transaction systems such as SIEMs provide only a snapshot of their status and include excessive data for a strategic review. Using GRC automation tools for cyber metrics management is a long and expensive process. Most of these tools do not provide an intuitive and flexible user interface with rich dashboards and trend analysis.
To ensure the organization's security, inputs from multiple groups and stakeholders are required. These inputs are beyond those obtained from IS or IT teams. This is possible with well-defined cyber metrics supporting data-driven governance and providing specific improvement inputs to each team. The ability to drill down to specific periods and business units/geographies helps executives measure and track the effectiveness of the control implementations.
A leading U.S.-based health care service organization was using traditional spreadsheets to manage metrics. Infosys implemented the Cyber Gaze platform to help the CISO, the CIO, and IT leadership track and analyze over 160 cyber metrics. The flexible platform allows quick implementation of new metrics (new cyber controls). It can also be used to collaborate across the IS and other teams for effective cybersecurity governance.
