ZenGRC

Simply Powerful GRC

Cybersecurity

Cybersecurity Management and GRC Automation

· ·

As wave after wave of cyberattacks threatens international security, cybersecurity management becomes more pressing. Although it has always been on business’s radar, the recent barrage brings the impact of cyberattacks to the forefront. With this in mind, a recent study from Crowd Research Partners found that 54% of cybersecurity professionals anticipate successful attacks within the next twelve months.

Moreover, the research found that 62% believed threat detection needed to be improved. Meanwhile, 43% wanted better analytical capabilities, and 39% wanted to focus on threat blocking.

How to Use GRC Automation for Cybersecurity Management and Threat Detection 

Cybersecurity management focuses on knowing your threats and understanding your risk profile. Security Magazine noted that there were seven steps to automating cyber threat detection and analysis. Before you can take those steps, however, you need to determine what threats your business faces. In order to do this, you need to know the value of your information and the probability of a breach—both of which can be computed with automation.

Determine Value

Determining value means understanding not only the inherent value of information, but also the monetary value of your assets and why a cybercriminal would want your them. With automation, these values are clearer because you have a single tool that visualizes your organization’s standards, regulations, and therefore the types of assets.

Probability of a Breach

Once you define your assets, you can also take a look at the probability that someone will try to attack you. While some attacks may be unrelated to specific targets, others are looking to attack critical sources, so you should determine where you sit on the spectrum of information value and critical service.

To understand your compliance stance, it is vital to see the overlap of your information assets and the probability of a breach. With spreadsheets, this can become muddled. Having to flip back and forth from one sheet to the next means that you can lose track of controls or assets. In addition, since spreadsheets can be changed or reverted to older versions, it may be difficult to keep track of the information.

ZenGRC offers a centralized repository of standards and regulations to help you find where you need to be compliant. This extensive visibility into your compliance stance provides you with an understanding of where potential vulnerabilities exist and allows you to shore up those areas.

Why Use Risk Analysis Capabilities to Support GRC?

GRC automation and risk analysis capabilities come in different packages. Combining security analytics with GRC can produce a stronger security profile than either of the two alone. By using security analytics to monitor your GRC processes, you create a common language throughout the organization. This helps establish risk appetites and allows you to build a stronger compliance stance.

Meaningful automation not only can protect you from a cyberattack, it can make your organization more resilient when, not if, the attack happens. As information security programs mature, they need to be agile in order to continually map risks to operations. An Information Systems Audit and Control Association (ISACA) journal article notes,

Information security programs seek to protect the confidentiality (access, use, and disclosure), integrity (modification or destruction) and availability of information and systems from unauthorized users, including external adversaries such as criminals, hacktivists or governments. Information security programs must identify and respond to risk in a rapidly evolving technology landscape characterized by increasing complexity, volume and variety of data and all of the associated threats to business processes, applications, and networking layers.

To effectively use your analytics, you need to match business objectives to security objectives. When you have insight into how your key performance indicators (KPI) align with the organization’s business goals, you can more effectively assess the time it will take for your company to recover from an incident. GRC automation allows you to clearly map your analytics to your risk and controls for meaningful KPI.

If you can easily update controls across multiple frameworks when your threat analytics show a weakness, you will produce both better audit outcomes and stronger security as a whole. Automating your GRC program means increasing transparency in your compliance stance to create consistency across frameworks, producing a single source of truth for your organization.

How GRC Automation Helps with Threat Blocking

Cybersecurity management needs to focus on security information and event management (SIEM) when blocking threats. Your current SIEM solution collects and logs all your data for analysis. This includes threats, which are recognized and then blocked. The purpose of a SIEM system is to act as a single point of view across systems so that trends or patterns are visible. Meanwhile, the goal of your GRC program is to define the controls that lead to these trends and patterns.

Think of your compliance program like an army fighting a war. Your GRC program acts as the War Room where all the plans are made. This is where you define your strategy and objectives. Meanwhile, your SIEM acts as the boots on the ground, or code in the cloud, getting the nitty gritty work done. To manage your cybersecurity portfolio appropriately, you need to enforce consistent controls across various platforms and frameworks.

A single source of truth provides a quick reference guide to locate where controls broke down once an event occurs. When your SIEM flags something, you want quick access to all the places that control may have failed. With controls mapped consistently across systems, you can compare one area of vulnerability to similarly situated vulnerabilities more rapidly. This allows you to block threats more effectively.

The onslaught of cyberattacks highlights the importance of cybersecurity management. In today’s environment, any company can be a target. Having an agile compliance platform offers you a clearer view of your portfolio and provides a way to make control changes efficiently across all systems and business lines. Integrating GRC automation into your compliance stance strengthens it while also protecting your assets from cyber threats.

To read about the benefits of using ZenGRC to protect against the ever-evolving risk of cyber threats, read our eBook, “The Insider’s Guide to Compliance: How To Get Compliant and Stay Agile.”

Wednesday’s Women in Infosec: Kristina Birk

· ·

This month’s profiled woman in information security is Kristina Birk. Ms. Birk has been working with technology since 19*cough-cough*, spending the bulk of her career in IT operations and architecture. After stints at General Dynamics and CSC, Ms. Birk joined Duo Security in 2013 as the first (but no longer only!) woman in the Engineering group.

ZenGRC: If you had to choose one event that led you to work in information security, what would it be and why?

Kristina Birk: Luck and circumstance – really. I was relocating from California to Michigan and had a few job offers from companies in very different verticals. I wound up choosing the government contractor because it sounded interesting. I was coming from an aerospace company that had handled government contracts in the past and heard some stories from long-time engineers that made me think I’d enjoy it. From there, it was just a hop into managing servers and services on secure networks.

ZenGRC: Why do you like working in the information security environment?

Kristina Birk: Infosec is unique in that it’s one of the few spaces where you see wild creativity mixed with total logic in a landscape that’s constantly evolving. I always feel like there’s something more to learn.

ZenGRC: If a n00b to the infosec world asked you for a piece of advice, what would it be?

Kristina Birk: Don’t be afraid to experiment, but make sure you have a safety net (e.g. a support/maintenance contract, a trusted advisor or mentor, a what-if option in your script, etc.).

ZenGRC: What is the most important issue facing professionals in the information security landscape today? Why?

Kristina Birk: It seems like the easiest way to grab attention is to try to alarm people into listening but that just confuses or scares consumers. We should focus on helping them understand and address an issue without hype not just generate FUD and leave people to wonder what their next steps should be. Nobody can fix what they don’t understand.

ZenGRC: What is the most important issue facing consumers in the information security landscape today? Why?

Kristina Birk: I think consumers have two fundamental issues. The first is understanding that information security affects *everyone*. It’s not just an issue for large enterprises, especially when those enterprises are the retailers, banks, hospitals, and government agencies that hold your individual information.

The second is figuring out whom to trust. There are a lot of sources out there ready to give you advice but how can the average user with little industry knowledge suss out quality information?

ZenGRC: What are your three “guilty pleasures” that have nothing to do with information security?

Kristina Birk: I like cooking – especially baking – reading actual printed books, and wrangling my small human (which probably takes up most of my time).

ZenGRC: What’s your favorite book-to-movie adaptation and why?

Kristina Birk: There are so many well-done adaptations out there but the ones I’ve enjoyed most recently (if I can expand the question to include TV) are the series adaptations of Diana Gabaldon’s “Outlander” and Neil Gaiman’s “American Gods” – coincidentally both on Starz. They’ve translated the stories to the screen really well, and where they’ve made changes for the most part they’ve been done with respect and helped enhance the source material.

The Cybersecurity Executive Order: What You Need To Know and Why

· ·

On May 11, 2017, the Presidential Executive Order 13636 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Cybersecurity Executive Order”) was released. The Cybersecurity Executive Order sets out the White House’s goals for cybersecurity compliance for federal agencies. The Executive Order’s release comes as no surprise. Even if you are not a government agency, the Cybersecurity Executive Order may have ramifications for your business in the long term.

I’m not a government agency. Why do I care?

While the Cybersecurity Executive Order does not constitute a legal requirement for the average business, it does set a precedent and standard of behavior. Any kind of regulatory act, be it executive order or legislation, has an impact on the way businesses and people are expected to act.


Although you are not a government agency and are not working with a government agency, you may want to follow the Cybersecurity Executive Order to determine what the government thinks matters when protecting its own assets. If a government agency were ever to be created to review cybersecurity, it would likely follow the standards determined in Order 13636.

What is the Cybersecurity Executive Order?

The Cybersecurity Executive Order has three sections. The first discusses the importance of agency IT and data protections specifically. By holding agency heads and executive departments accountable, the executive order places cybersecurity within executive control. Within this, the Cybersecurity Executive Order implements risk assessments and requires the use of The Framework for Improving Critical Infrastructure Cybersecurity (the Framework).


Section 2 of the Cybersecurity Executive Order focuses on critical infrastructure. Within this section, the Order focuses on electricity disruption, the defense industrial base, and of particular note, botnets.


The third section focuses on establishing reviews of the country’s infrastructure and the strategic options for protecting data. Moreover, this section also includes reviews of the cybersecurity workforce and the future of training to ensure cybersecurity going forward.

Are there any other executive orders I should know about?

The Cybersecurity Executive Order came 10 days after another executive order established the American Technology Council (ATC). The ATC’s purpose is to  

(i) coordinate the vision, strategy, and direction for the Federal Government’s use of information technology and the delivery of services through information technology;

(ii) coordinate advice to the President related to policy decisions and processes regarding the Federal Government’s use of information technology and the delivery of services through information technology; and

(iii) work to ensure that these decisions and processes are consistent with the policy set forth in section 1 of this order and that the policy is being effectively implemented.

When reviewing these two orders together, analysts see a trend. The current administration wants to start reviewing and setting policy decisions regarding the government’s technology. Both executive orders focus on federal data. This means that unless you are an agency or a business that handles federal agency data, your organization is completely out of this loop.

So, the Cybersecurity Executive Order requires use of NIST? Do I have to comply?

The quick answer is that unless you are a government agency or a critical infrastructure business, this does not impact you immediately.
The longer answer is that this executive order is just the first step in the cybersecurity process. As Dan Lohrman noted on May 14,

These reports and other deliverables will be essential building blocks with much more to come. This is a foundational EO on cyber that continues the momentum that was built in the Obama administration but also adds much more federal agency director accountability. This is a good thing since every cyberexpert knows that true management buy-in and support is a critical success factor.

Basically, the government has the same problems you have. Management does not want to think about cybersecurity issues, so it ignores them or pushes the responsibility onto someone else. The Cybersecurity Executive Order creates a trend that may have a broader impact on the allocation of responsibilities.

Great! I don’t deal with federal data, so the Cybersecurity Executive Order doesn’t apply to me, right?

As an immediate function? You’re right.


As a long-term issue, however, you want to pay attention to what’s happening. Between these Executive Orders and the GDPR, government entities are taking a deeper interest in the state of cybersecurity. With this in mind, it might be smart to keep an ear to the ground and eyes on the internet.


The GDPR has far reaching tentacles. By attempting to enforce standardized information security compliance across all businesses that interact with European Union citizens, the legislation attempts to create a multinational social norm of security behavior.


Meanwhile, as the United States government begins evaluating its own information security standards, a move towards standardization may be afoot. With the right experts and government stance, these standards could be used later on as the basis for legislation regulating the information technology industry.

Inconceivable!

With the current industry as a patchwork quilt of standards and cyberattacks on the rise, people are worried. When people are concerned about safety, they turn to their government to fix things. With overlapping industry standards and niche regulations, it is possible that the idea of an overarching cybersecurity legislation similar to legislation for banking will take hold.


Remember that the GDPR looks to industries to create best practices and incorporates approval of these practices into the legislation. By doing this, the GDPR sets out an overall standard but also makes allowances for the needs of individual industries. This could work similarly to the way banks and credit unions function differently in their reporting and dividend provisions. Although both are financial institutions, their underlying individual industries allow for differences. This could be used as a model in other countries, like the United States, in the future.  

What can I do?

This means that it is important to follow along closely and have an agile response. Many of the different standards and regulations already overlap. As government eyes start to gaze on information security, they will turn to places where compliance is already delineated.


If you’re still relying on a series of spreadsheets, those may not only end up irrelevant but may also make more work in the long run. The goal here is to focus on the long game, not the short term. An automated system is a great preparation for future changes.


Automation provides visibility across standards. This allows you to see the overlaps in your protocols. To the extent that future regulations may rely on current protocols and then spin off to address industry-specific needs, an automated GRC tool will speed up the transition. By creating consistency across your organization, you will be more than a step ahead for any future regulatory changes—you will be several steps ahead.


You need to be tenacious and meticulous. Be prepared.  Whether or not the United States chooses to adopt its own legislation, the future of compliance is moving towards overarching requirements while allowing for industry idiosyncrasies. The easiest way to get and stay compliant in the long term is to find a system that allows for the transparency of records while also giving you an opportunity to make system-wide changes easily.


Read how ZenGRC can help you prepare for any regulatory changes that may come in our eBook “Insider’s Guide to Compliance: How to Get Compliance and Stay Agile.”

Hidden Cost of Cyberattacks: What Automation Can Do to Save You Money

· ·

In 2016, Deloitte published its white paper on the hidden cost of cyberattacks. The firm reported that of the fourteen “impact factors,” some are obvious while others are less so. Cyberattacks are not simply single moments in time. Their life cycles can take months or years to come to an end.

The incident response lifecycle starts with the reactive phase of incident triage and occurs in the days or weeks following an attack’s discovery. This means contacting those impacted and getting the business back online. The second step, impact management, involves finding ways to fix any problems that led to the breach, or to adjust internal processes. Finally, the business recovery phase includes rebuilding or redesigning assets to help rebuild trust and revenue streams.

With this in mind, companies should look at the way compliance, and particularly automating compliance, can lower the impact of a cyber attack. While some cyberattack costs are obvious, Deloitte noted that they have seven hidden costs. Compliance, and its automation, can help keep those costs at a minimum.

How Compliance Lowers the Hidden Cost of Cyberattacks

Insurance Premium Increases

Companies increasingly invest in cyberinsurance. The problem for many insurance companies lies in the inability to value the premiums, so aninsurance company may increase your premium in response to any cyberattack. In theory, this is the same type of impact a fender bender has on automobile insurance premiums, but since cyberattacks are a relatively new phenomenon, insurance companies cannot accurately estimate costs.

One of the biggest problems with risk estimation is the case-by-case nature of cyberattack impacts. The insurance industry may raise individual premiums in ways that seem disproportionate to the damage done. Compliance is one way to show that you have not been negligent. Automating compliance provides rapid, easy to follow documentation of how you protect your information assets. This helps the insurance company evaluate more clearly the risk your institution poses.

Increased Cost to Raise Debt

Another hidden cost of cyberattacks involves higher interest rates on borrowed capital. Unsurprisingly, cyberattacks can cause major stock drops. In terms of both governments and financial institutions, cyberattacks potentially impact credit ratings negatively. In 2015, Standard & Poor’s noted that

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber-attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event. Looking at our case studies in financial services with major data breaches, all targeted companies emerged intact after a cyber-attack. However, we are increasingly wary about the persistence of cyber-attacks and what that might mean for consumer confidence to engage in commerce with the brand.

A strong compliance stance can help mitigate the negative impact of a cyberattack. If credit opinions take into account the effectiveness of a response plan and the attempt to lower risk through solid controls, then this can potentially save your credit rating.

Automating your compliance provides greater visibility across programs. You can ensure that your organization has no gaps in their compliance. Being able to prove preparedness may end up saving your company financially.

Impact of Operational Disruption or Destruction

Cyberattacks often shut down business activities, but operational disruption often flies under the cost radar. Quantifying these costs seems amorphous. However, in 2013, Michael Bell at Risky Thinking offered the following hypothetical:

A large utility bought an expensive laser printing and folding system to send out its monthly invoices. It was a unique and expensive system. The company could only afford one of them.  With the anticipated workload, it was expected to operate 24×7 and be 99% occupied. When one of its parts failed, the system was down for a week. How long did it take before the bills are once again sent out on on time? At the time interest rates were high – around 10% –  so the supplemental question was to estimate how much the company would lose if it had a million customers and the average monthly bill was $100.

With the rise of the Internet of Things, a ransomware or malware attack that shuts down the printing system is more likely. However, the result would be the same, and the costs would remain the same.

A 2015 survey on corporate risk and opportunity noted that 41% of GRC executives said control failure was their number one threat to financial success. In addition, 37% said that the biggest consequence was business disruption, and 75% of the same GRC executives said accessing a “single version of the truth” was of the utmost importance for financial stability.

Automating your GRC program provides this one truth. When everyone in an organization communicates effectively, all business areas use a common language and have continuity across processes to ensure compliance. By eliminating organizational silos with a SaaS GRC program, you provide one repository of information that can reduce or eliminate control failures. This leads to lowered business disruption costs.

Lost Value of Customer Relationships

Customers entrust you with their information. They expect that you will protect that information, even when they are not sure how that protection happens. In reality, these are unreasonable expectations, but your customers do not understand that. Research increasingly argues that breaches are inevitable regardless of your best attempts so you need to focus on lowering the hidden cost of cyberattacks.

When a breach happens, you need to rebuild customer confidence. A strong compliance stance can help in several ways. As Oracle noted in a 2008 whitepaper, research suggests that companies must adopt a more proactive approach to rebuilding public trust in their organizations, based on areas identified by consumers as those needing the most improvement:

  1. Greater transparency about business practices.
  2. Less risk associated with products and services.
  3. Better pricing and accessibility of products and services.
  4. More emphasis on the development of socially and environmentally responsible products and services.

Although the information security landscape has changed, customer feelings remain static. Using an automated system, you can more easily articulate your compliance stance in a way that provides customers with a sense of transparency. This demonstrates to them that despite the breach, you were lowering the risk as much as possible. That can help build back customer confidence and lower one hidden cost of cyberattacks.

Value of Lost Contract Revenue

When your customers are companies and not individuals, the loss of relationships come in larger chunks. Lost contracts not only come with immediate revenue loss but with future opportunity loss as well. Loss is calculated in terms of the current value as well as  the investment that could have been made with that money.

With a strong compliance stance, you can reassure to your customers. Often, a contract cannot be canceled immediately, so—unlike with other types of customers—you have more time to prove your IT governance stance. With an automated GRC system, you can offer better assurances to your contract customers because you can get the information they request more quickly.

Devaluation of Trade Name

Valuing a trade name is difficult. Most valuations use the “relief from royalty method.” This method estimated the present value of futures savings based on not having to pay royalties or license fees for the use of the name. This means that you look at how much someone else would need to pay you to use your name. The decrease in trade name value after a breach is an often-missed hidden cost of cyberattacks.

A quick response to a breach means knowing how to locate the exploited weakness, and n order to do so quickly, you need to have a strong compliance stance. A strong compliance program requires ongoing monitoring and constant vigilance.

Loss of Intellectual Property

When people think about cyberattacks, they assume that the hackers are attempting to obtain customer information. However, in some cases, a breach that compromises a company’s intellectual property may be more valuable.

When you have a strong compliance stance, you can find an intrusion more effectively. CSOOnline suggests, “Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful.” With an automated GRC tool, each area that notices an incident can record it. If a breach still occurs, it may be quicker to track the cause.

Breaches are going to happen. While no one wants to admit it, everything that makes organizations successful also puts them at risk. If you are looking to lower the hidden cost of cyberattacks, trying an automated GRC program may be the solution.

To learn more about how ZenGRC can help you reduce these costs, read our eBook, How to Get Compliant and Stay Agile.

Wednesday’s Women in Infosec: Michelle Schafer

· ·

Last month, we began a series of profiles of women in infosec to try to explore the different voices in the industry. This month’s profile focuses on Michelle Schafer one of the women in infosec profiled in our 119 Twitter Infosec Experts post.

Currently the senior vice president of security practice for Merritt Group, Ms. Schafer has over thirteen years of experience in the information security industry. After earning her bachelor’s degree in Communications from George Mason University, she worked in media relations for several organizations including PricewaterhouseCoopers. Over the course of the last thirteen years with Merritt Group, Ms. Schafer had become one of the leading voices of women in infosec.

Michelle Schafer, Sr. Vice President, Security Practice, Merritt Group
If you had to choose one event that led you to work in information security, what would it be and why?
Luck! I had been in technology for a few years, mainly focused on telecom and wireless, in a corporate communications role. After spending about a year and a half at an analyst firm, I wanted to try out agency life. Lucky for me, Merritt Group’s one opening for an Account Executive just happened to be in their growing Security Practice. I’ve grown my entire career here at Merritt and built something pretty unique with our dedicated Security Team.

Why do you like working in the information security environment?
What we do in the security field every day is meaningful and impactful. I believe that I’m making a difference in the fight against cyber criminals, even on the marketing side of things. My team has worked with over 70 cybersecurity companies over two decades to help build awareness for solutions that are helping to stop the bad guys. The threatscape is so much more pervasive now – impacting businesses and consumers everywhere – and it’s nice to see that people finally are starting to understand the problem.

If a n00b to the infosec world asked you for a piece of advice, what would it be?
Stick with it. Security threats are constantly evolving so you’ll never be bored in this field.

What is the most important issue facing professionals in the information security landscape today? Why?
We need more cyber warriors – both men and women – and we need them now. There is a dire shortage of information security pros and we need the next generation to step up and help us fight this never-ending battle.

What is the most important issue facing consumers in the information security landscape today? Why?
Consumers need to understand that protecting your own personal data is your own responsibility, not someone else’s. Data protection and privacy should become a way of life – from being mindful of what you post on social media channels to shredding your bank statements to using strong passwords and staying off public wi-fi – you must constantly be thinking about data compromise. Unfortunately for many, security doesn’t become real until it’s too late and your identity is stolen. We need to always be thinking about points of exposure in our daily lives.

What are your three “guilty pleasures” that have nothing to do with information security?
People who know me think of me as the “Starbucks Queen.” Yes, it’s true that I do love a good caramel macchiato! I also am completely sucked into watching The Bachelor series on ABC (yes, even Bachelor in Paradise!) – I probably shouldn’t admit that one! 🙂 Finally, most weekends you can find me in sitting on the bleachers, cheering on my kiddo at his baseball games. Being in infosec is awesome but being a mom is second to none!