A Path Through the Wilderness

Michael O'Neil

The Stratascale GRC Security Innovation Roundtable

Security Innovation Roundtables (SIR) have become a featured aspect of Stratascale’s Cybersecurity Horizon Report process. After publishing our perspective on a critical industry topic, we host sessions for security leaders, learning from their perspectives on the issue and sharing highlights from our research. The SIR following Cybersecurity Strategy for the Looming Regulatory Quagmire was a perfect example of how this approach helps stimulate executive-level discussion, enabling security leaders to calibrate their own approaches and positions through peer-level dialogue. The session, which was at capacity with 6 guest CISOs/compliance leads and 6 Stratascale SMEs, examined 5 key assumptions underlying our Governance, Risk, and Compliance (GRC) research. The energy that all participants brought to the discussion provided vivid proof of the importance of GRC and the complexity associated with plotting a comprehensive security strategy for a major corporation.

Cyber risks and cyberthreats

The first 2 research assumptions were coupled under the header “Balancing risks and threats”: the belief that CISOs need to address what McKinsey describes as “cyber-risk” – one of many classes of risk that is managed at the senior leadership team (SLT) or board of directors level – and “cyberthreats” – the constant whirlwind of threats, attacks, and vulnerabilities that security teams deal with on a daily basis. [1] The roundtable discussion revolved around 4 major themes:

The focus on, and importance of, compliance. Key quote: “What you find is, people assume that they know what they have to comply with – ‘Oh, it’s patient records!’ and so forth – and vendors come to you and say, ‘We’re HIPAA compliant or HIPAA certified’ – but you have to understand what’s really happening, what it means to be compliant, because everybody – CMS, state inspectors, joint commission on accredited hospital organizations – comes in to audit you.”

  • Takeaway: Compliance is defined by a management/governance structure. Tools can be useful in achieving and demonstrating compliance, but, in most cases, how the tools are used is more important than the features offered by the products.

“Table stakes” vs. specific requirements and actions. Key quote: “It’s almost like there are two buckets here. One is ‘doing the things you need to do from a governance standpoint’; the other is, ‘where GRC meets security practices.’”

  • Takeaway: With current methods of delivering technology – and especially, with DevOps – traditional GRC areas of focus, such as controls and gatekeepers, “go out the window. Now, [what is most important to focus on is] the right information to make the right decisions,” enabling staff to make “the right risk decisions” themselves, without involving an internal decision chain. Roundtable participants didn’t declare that controls and gatekeepers don’t matter in the DevOps world, but they did agree that individual workers need to be empowered to make good decisions, and that processes involving bottlenecks are likely to fail.

Balance is achieved through a journey – and it can be upset by factors outside your planning scope. Key quote: “CISOs need to be able to effectively tie specific requirements to meaningful executive metrics – and also need to be prepared for the need to respond to wild card events.”

There is a reckoning coming. Key quote: “The finance guys can’t promise us that we’re always going to make budget. And I can’t promise you that we’re never going to get hacked.”

  • Takeaways: These 2 points really work together. The first calls out 2 key points: that security isn’t defined at a single point in time but needs to apply and be built over time – time that may include unforeseen (and in some cases, unforeseeable) circumstances that throw both GRC and the path to attain it into question, or disrepair. The second was expressed in the context of a longer observation: “When I get in front of the board, they’re going to ask, ‘Are we secure?’ And I’m going to say, ‘No. What makes you think our IT is secure?’ That’s a lie we’ve been telling the business so long now that they actually believe us.” Organizational maturity with respect to security and GRC helps align the 2 observations. As one participant said, “We don’t necessarily talk about what all the risks [faced by the business] are, because they’re coming from every direction. We have a conversation about maturity. It’s a journey – what was an advanced control 4–5 years ago is table stakes today.”

Frameworks and common controls

The second half of the conversation focused on the other 3 core research assumptions: the importance of frameworks to align controls with compliance requirements, use of common tools to reduce cost and complexity, and the need for innovative thinking to hold back the regulatory quagmire.

[Figure: Iceberg diagram of frameworks and common controls]

The discussion of frameworks became quite detailed, with participants debating benefits of different approaches, and explaining how they were using frameworks (in part, in whole, or in combination) to develop and articulate their GRC approaches. The common tools discussion, which originated from a point made in the research report, also spurred spirited debate: Which tools enable businesses to meet multiple objectives – both GRC and other requirements – and what is the best way to identify and deploy them? At this juncture, we hit the end of our reserved time – if we hadn’t, the conversation might still be going! All of the roundtable guests were very focused on GRC issues and eager to discuss them in more detail. To close, participants were asked if the roundtable represented a good use of time. Responses illuminated a key reason why the Security Innovation Roundtables are so important to Stratascale clients: Even the client firms attending (all of which have billions of dollars in annual revenue, ranking as high as top 50 on the Fortune 500 list) have a need to connect with peers and validate their directions.

  • “Was this a good use of time?”
    • “Oh yeah. I hate being out in the wilderness by myself, trying to figure out, am I in the right place, or am I 50 steps behind? There is great value in having some people to bounce ideas off of.”
    • “Yes – I’m always looking to mine and use information.” (This guest particularly appreciated specific references to applicable tools.)
    • “This was very helpful. Sometimes it feels like we’re off in isolation doing our own thing, but knowing that everybody else is dealing with all the same issues, just coming at it from a different perspective, is hugely helpful – thanks!”
    • “Absolutely. All the input on the different controls frameworks and tools and open source [options] is really helpful.”

Stratascale is pleased to be able to provide a context that is helpful to senior security leaders via our Security Innovation Roundtables, and is committed to making these a feature of our cybersecurity research streams. The next Security Innovation Roundtables, on Zero Trust, are scheduled for July 26th (10:00-11:30 EDT) and July 27th (1:00-2:30 EDT). Seating is extremely limited: there are only 12 available seats, and some will be claimed by the security leaders (4 client CISOs and 3 external industry experts) who have contributed to this research series. If you would like an invitation to one of these executive-only sessions, please contact your Stratascale relationship manager, or follow this link to the registration form.

[1] The cyber-risk/cyberthreat distinction is used frequently by McKinsey; examples include Boehm et al., “The risk-based approach to cybersecurity,” McKinsey & Company, October 8, 2019, https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-risk-based-approach-to-cybersecurity; and Boehm et al., “Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity,” McKinsey & Company, January 29, 2020.