ZenGRC

Simply Powerful GRC

Libby Bevin

Mixpanel Sees Swift Value from ZenGRC

· ·

Discover how Mixpanel, a leading product analytics software company, leaned on Reciprocity’s Onboarding Services, resulting in an efficient implementation, fast adoption and a streamlined SOC audit.

All Eyes on SOC Prize

When Mixpanel’s security team was tasked with completing its first SOC Audit, the team got it done. While it was successful, it wasn’t exactly efficient, relying on manual processes and spreadsheets.

For our first audit, I acted as the middleman between the auditors and our company’s control owners. It was a constant game of requesting information, managing document formats and figuring out how to securely
collaborate. We made it work but I said, ‘Never again,’ thus starting our search for a GRC solution.

– Thomas Clark, Senior Information Security Manager with Mixpanel

One Platform for Compliance, Audit and Risk? Check!

Clark knew Mixpanel needed a comprehensive GRC solution to address immediate SOC audit requirements and better manage operational risk. While conducting research, Mixpanel discovered ZenGRC and wanted to learn more about the platform’s ability to support the company’s infosec team via a single, integrated user experience, leading Clark to reach out to Reciprocity for a product demo.

“Once we found ZenGRC, we engaged quickly with Reciprocity, ready to move – or so we thought,” adds Clark. “Our own internal procurement process stretched out to nearly a year, with the Reciprocity sales team sticking with us through multiple demos and stops and starts, proving their commitment to helping us elevate our GRC program.”

From Slow to Let’s Go

After purchasing the ZenGRC platform, the clock was ticking, with the kick-off to Mixpanel’s SOC audit just weeks away. Reciprocity’s Product Implementation team moved swiftly, streamlining the onboarding process with hands-on implementation and user training to deliver the fastest time-to-value.

“From getting our controls loaded into ZenGRC, to assisting with single sign on and Slack integration, the support we received from Reciprocity is the number one reason we were up and running so quickly and efficiently,” continued Clark.

Third-party Auditors Off and Running

One of Mixpanel’s primary business objectives was to streamline its audit process, allowing third-party auditors and control owners to work together more effectively. The integration with Slack proved critical for Mixpanel, allowing individuals to comment on audit-related tasks and evidence, then kicking off a dialogue within Slack for fast feedback and remediation.

“Our auditors were already familiar with ZenGRC, having used the solution with other clients,” Clark added. “There was no ramp-up needed, they simply asked for log-in rights and were off to the races – an early sign of efficiency gains to come.”

25% Reduction in Audit Effort, Time

Reciprocity’s ZenGRC platform has streamlined Mixpanel’s SOC audit process, eliminating the need to manually collect data, track documentation and follow-up on evidence requests – reducing time spent on audit-related activities by 25 percent.

“ZenGRC automates critical tasks and data sharing, doing the bulk of the work for us,” Clark shares. “We upload evidence, hit submit and know that the workflows will assign tasks and drive reviews and approvals through to completion – it’s that easy.”

Operationalizing Risk Management

Mixpanel is also using the ZenGRC platform for improved enterprise risk management, going beyond its traditional penetration testing to better identify, report on and remediate risk.

“We are increasing the KPIs we use to measure risk and this is where ZenGRC is really going to shine,” Clark continued. “Having a central repository where we see current risk status, actions taken and the controls in place, we leverage control from one risk towards another.”

A Foundation for Future Frameworks

As the company continues to grow, Mixpanel plans to look at other control frameworks and certifications, such as HITRUST. Having the ability to cross-map controls, rather than reinventing the wheel to collect evidence, will allow the organization to drive more compliance efficiencies with less effort.

“Adding more compliance certifications to our repertoire, opens up new business ventures to us and shortens our sales cycle,” concluded Clark. “As we expand our use of ZenGRC, the business value is only going to increase, earning its keep as a strategic asset that’s critical to our operations.”

Download Case Study

Aera Technology Drives Compliance Efficiency with ZenGRC

· ·

Discover how Aera Technology, a cognitive automation company, rapidly ramped up its enterprise-level certifications, including SOC, HIPAA and ISO, leveraging automation, one-to-many control mapping and program-wide visibility with ZenGRC.

Results

  • Rapidly scaled compliance and risk program — without adding headcount
  • Conducted audits for 5 compliance frameworks simultaneously
  • Created foundation to enable easy addition of new compliance frameworks
  • Cost savings of $84,000 by investing in a SaaS platform instead of adding 2 additional headcount

A Quest for Additional Certifications

Aera Technology helps customers be more agile, using cognitive technology driven by artificial intelligence (AI) and machine learning to bring scale and accuracy to decision-making processes. To broaden its footprint within additional vertical markets and Fortune 100 companies, Aera wanted to expand its enterprise-level compliance certifications beyond SOC 2 and HIPAA — retiring manual compliance processes to help make it happen.

“We wanted to introduce the same agility we bring to customers into our own compliance program. It was time to say goodbye to spreadsheets and embrace a GRC platform to help us quickly ramp and expand.”

— Benjamin Fisher, Director of Governance and Compliance with Aera Technology

From POC to Purchase

Soon after completing SOC certification with its existing manual processes, Aera recognized the level of complexity required to achieve additional certifications and quickly kicked off a search for a solution. Reciprocity’s ZenGRC platform came highly recommended by an industry peer, who cited it as a cost-effective and feature-rich way to deliver much-needed efficiency.

“We wanted a solution to make our life easier, that could be easily implemented and managed with our team’s resources, reducing our administrative burden,” said Fisher. “We did a Proof of Concept (POC) of ZenGRC — an ideal way to really understand the solution and put it to the test — and purchased it soon thereafter.”

Immediate Value and ROI

The ZenGRC platform is pre-loaded with compliance framework content, supporting more than 30 standards and regulations. This provides significant time savings, while also helping to identify the gaps and overlaps caused by running multiple programs at the same time.

“For small to mid-sized companies with stretched infosec resources, scaling a compliance program on your own eats up too much time and money. It’s a testament to ZenGRC and the platform’s ability to manage multiple frameworks that we saw value soon after implementation. The solution just makes sense from a cost benefit.”

— Benjamin Fisher, Director of Governance and Compliance with Aera Technology

Clarity and Control

With ZenGRC in place, Aera achieved certifications for SOC 2 and ISO simultaneously, then expanded to five frameworks at the same time: SOC, HIPAA, ISO 27001 and 27018. In addition, the company used the platform for vendor and customer risk assessments, leveraging the visual risk heatmap and customizable risk weighting and scoring to mitigate business exposure.

“For us, the clarity and knowledge ZenGRC provides is priceless, particularly once you start to connect the dots across controls and workflows,” said Fisher. “Being able to quickly assess the acceptability of risk controls and have workflows in place to drive audit management, that’s when the solution becomes incredibly powerful.”

Scale Faster with Fewer Resources

Aera reflects on the resources that would have been needed to run five audits across five frameworks had the organization continued with its previous manual approach.

“If you’re trying to do it manually, it’s possible but you’d better have a really big team,” Fisher shared. “The biggest benefit to us is not having to scale our department in order to manage an expansive compliance program. This alone makes the case for purchase as the cost of ZenGRC is certainly less expensive than adding another headcount to the mix.”

Just Getting Started

Aera is planning to add an additional compliance framework annually, with ISO 9001 next on the list, driven by the needs of the business, customer demand and a push into other vertical markets. For organizations wishing to expand their compliance program as quickly as Aera, Fisher has a bit of advice.

“The speed with which we’ve grown our compliance footprint has a lot to do with ZenGRC and our ability to automate, map controls and workflows and eliminate manual processes,” Fisher added. “If you do that, and you track your gap assessment to completion, you’ll get certified quickly — something not in the cards if you’re chasing spreadsheets.”

Download Case Study

What a Cybersecurity Risk Management Process Entails

· ·

Organizations today are at greater risk of a cyberattack than ever before, and that risk will only grow as new technologies keep emerging in the future. That means an ever greater need for cybersecurity risk management — that is, the process of identifying, analyzing, prioritizing, and mitigating your organization’s cybersecurity risks.

Ideally, your cybersecurity risk management plan should identify and protect the organization’s most critical IT assets from cybersecurity threats: the malicious actors trying to exfiltrate data, inflict harm, or disrupt operations by exploiting vulnerabilities in your IT systems.

In this article we’ll take a closer look at the cybersecurity risk management process, starting with how to prioritize cybersecurity risks; and then review the steps you can take to create a cybersecurity risk management framework that works for your business.

What Is Cybersecurity Risk?

Before introducing cybersecurity risk, let’s first define a few terms that are often used interchangeably: threats, vulnerabilities, and risks. Although these terms do overlap, they each represent something different in cybersecurity.

A threat generally involves a malicious act that aims to destroy sensitive data, inflict harm on the organization, or disrupt operations. Some of the most common cybersecurity threats today are ransomware, phishing, and malware. Most organizations will experience at least one of these potential threats at some point.

Vulnerabilities are flaws in an IT system that leave it exposed to potential attack. They exist in all IT systems. In software applications, the manufacturer can often patch vulnerabilities to harden and prevent exploitation of the weakness.

A risk is the likelihood that your organization will suffer from disruptions to data, finances, or online business operations. More simply, a risk is the chance that a threat comes to pass. A company can reduce its risk by implementing various measures such as firewalls, training, patch management, and other steps. 

Risks can be expensive if they come to pass. One study from IBM pegs the average cost to remediate a data breach at $4.45 million, and that doesn’t include other costs such as lost productivity, lost sales, harm to reputation, and other costs.

As industry standards and regulatory obligations for strong cybersecurity keep shifting, it’s more important than ever for your organization to understand the cybersecurity risk management process, so you can predict and prioritize information security risks to protect your organization from future cyberattacks.

A robust risk management strategy includes a systematic, disciplined cybersecurity plan and a method to secure vital infrastructure and information systems. Ultimately, your program will need to have specific policies and procedures for managing risk to reduce the company’s exposure to cyberattacks.

How Do You Prioritize Cybersecurity Risk?

As mentioned in the previous section, threats, risks and vulnerabilities are different. Still, these three elements can be combined to quantify your cybersecurity risk. To calculate cyber risk, many use this simple framework:

Cyber Risk = Threat x Vulnerability x Information Value

Once you’ve calculated your cyber risk, you can prioritize the security measures. Those measures that address your largest risks should come first, since they will deliver the greatest improvement in the organization’s cybersecurity.

Before you begin those calculations, however, you must complete other steps in the risk management process. Let’s look at the steps necessary to create and maintain an effective cybersecurity risk management program.

The Cyber Risk Management Process

Before we review the cybersecurity risk management process, understand that there is no one-size-fits-all approach to cybersecurity. The following steps are intentionally general so any reader can fine-tune them to meet your organization’s specific needs.

Step 1: Set yourself up for success

Begin by assembling the right team. These people will be responsible for creating, implementing, and maintaining the organization’s cybersecurity risk management process, so select them carefully.

Ideally, your team should include senior management, a compliance officer, departmental or operating unit managers, and any other IT or information security professionals who should be involved.

Next, set specific objectives for cybersecurity risk management with your team. To help you set these objectives, use existing cybersecurity frameworks. Probably the most important and widely recognized cybersecurity framework in the United States is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

The NIST framework covers five broad domains: identify, protect, detect, respond, and react. It is designed so that organizations can measure the relative security and level of compliance provided by their existing cybersecurity architecture.

NIST is also a great source of white papers and publications that can help you develop a method to assess risk and create a cybersecurity risk management strategy. Before you perform a cyber risk assessment, you’ll also need to decide which metrics you’ll use to measure risk. Most risk assessments use qualitative high-, medium-, and low-risk measurements to calculate risk, but quantitative metrics, including statistical analysis, are becoming increasingly popular.

Step 2: Conduct a cybersecurity risk assessment

The next step in the cybersecurity risk management process is a cybersecurity risk assessment.

A cyber risk assessment aims to identify and analyze cybersecurity risks to inform stakeholders and decision-makers about the issues the organization faces and what a good response might be. Cyber risk assessments also provide an executive summary to help stakeholders make informed decisions about which security measures should be taken to combat identified risks. (For more information on how to use statistical analysis to measure cyber risk, check out this other post.)

As mentioned above, you’ll use quantitative or qualitative measurements to calculate risk. The rest of our steps for a risk assessment assume that the organization will use high/medium/low metrics.

Here are the steps that are most often taken during a cybersecurity risk assessment:

Determine information value. First, develop a standard for determining the importance of an asset, so you can limit the scope of the assessment to the most business-critical assets. Then, use the standard metrics to classify each asset as critical, major, or minor. (The NIST CSF can help with this.)

Identify and prioritize assets. Next, identify the assets and determine the scope of the assessment. You won’t need to assess every single asset because they don’t all have the same value. Start with the most valuable assets and work your way down the list.

Identify cyber threats. Look for threats that could harm the organization. Start with “bad actors” who might exploit vulnerabilities, where the threats might be hackers, malware, man-in-the-middle attacks, and so forth. Also include other threats such as natural disasters, negligent or malicious employees, and third-party vendors. After identifying cyber threats, you’ll also need to assess their potential impact.

Identify vulnerabilities. A vulnerability assessment is a systematic review of the security weaknesses in information systems. It aims to evaluate whether your system is susceptible to known vulnerabilities, assigns a severity level to each one, and recommends remediation. You can also find known vulnerabilities through audit reports, vulnerability databases, vendor data, incident response teams, and software security analytics.

Analyze and implement security controls. Determine which security controls are already in place and whether they’re working effectively to reduce these risks. Security controls could be technical controls (hardware, software, encryption, intrusion detection mechanisms, multi-factor authentication, automatic updates, continuous leak data detection) and nontechnical controls (security policies or physical mechanisms like locks or keycard access.) Then, classify and categorize the controls as preventative (which attempts to stop attacks before they happen) or detective (which work to discover when and how an attack occurred.)

Prioritize risks. Prioritize risks based on the cost of prevention versus information value. This will help the organization decide what actions to take to reduce cyber risks, including the possibility of taking no action because the cost isn’t worth the effort.

One possible priority scale:

  • High risk: Take corrective measures as soon as possible
  • Medium risk: Implement corrective measures within a reasonable period of time
  • Low risk: Decide whether to accept the risk or mitigate it.

Document results. Develop a risk assessment report to help make decisions about budget, policies, and procedures. This report describes the risk, vulnerabilities, and value for each threat, and the impact and likelihood of occurrence and control recommendations.

Once you’ve completed a cybersecurity risk assessment and documented the findings, it’s time to turn them into a cybersecurity risk management strategy that is reflected in your comprehensive cybersecurity risk management program.

Step 3: Mitigate risks

Once the cybersecurity risk assessment is done, your team can begin to mitigate the most pressing risks (based on whatever decisions senior management makes once they’ve read your risk assessment report).

Mitigation can be done with technology, such as encryption, firewalls, threat-hunting software, and engaging automation, as well as best practices for employees, including:

  • Cybersecurity training programs
  • A patch management program
  • Identity and access management
  • Multi-factor authentication
  • Dynamic data backup

An important part of risk mitigation is incident response, and specifically an incident response plan. For instance, what will your organization do during a data breach? Who will be responsible for contacting affected customers? How will you assure that the event won’t happen again? For all of the most pressing risks, the company should have a written response plan to guide employees through specific steps to resume normal operations as quickly as possible.

The risk that remains after applying all the possible mitigation measures is called residual cybersecurity risk. To deal with this residual risk, you have two choices: learn to live with it (accept the risk), or transfer it to an insurance provider who will absorb that risk for a fee.

Step 4: Continuously monitor

The risk management process isn’t over after you’ve identified, assessed, prioritized, and mitigated cybersecurity risks. Your security team will also need to monitor your IT environment to assure that your security controls are working.

Here are some things your organization should monitor:

  • Regulatory change. Keep current with any changes to compliance requirements or industry standards to assure that your security controls align with outside expectations.
  • Vendor risk. A third-party risk management program is also necessary if you don’t already have one. You’ll need to assess and document your security and compliance controls each time you onboard a new vendor, and you’ll need to monitor those vendors throughout the vendor lifecycle.
  • Internal IT usage. To stay ahead of potential risks in your security posture, you should know what technology your internal teams use and how they use it. Assess new technology any time there is a change to a workflow or process.

Step 5: Choose tools

For most organizations, the cybersecurity risk management process is overwhelming. It’s expensive, time-consuming, and resource intensive. For this reason, many organizations opt to skip the process entirely. However, that isn’t a viable long-term strategy given the possible costs of cybersecurity failure.

Fortunately, governance, risk management, and compliance (GRC) software can automate the worst parts of the process.

Manage Cybersecurity Risks with RiskOptics ZenRisk

To stay ahead of ever-evolving security threats, you need a solution that can help you better manage risks and mitigate business exposure by providing greater visibility across the organization.

The RiskOptics ZenGRC platform is an integrated cybersecurity risk management solution designed to provide actionable insights to gain the visibility you need to stay ahead of threats and communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats, and controls for you so you can spend less time setting up the application and more time using it.

A single, real-time view of risk analysis within the business allows you to communicate to the board and key stakeholders in a way framed around their priorities, keeping your risk posture in sync with the direction your business is moving.

It will notify you automatically of any changes or required actions so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.

Schedule a demo today to learn more about how ZenGRC can help your organization mitigate cybersecurity risk and stay ahead of threats.