The Growing Impact of Enterprise Governance, Risk and Compliance (eGRC)

16 October 2019 | Matt Gutierrez, Senior Managing Director, CenturyLink Asia Pacific
Malware, ransomware, botnets, phishing, and DDoS attacks have become a familiar part of today’s lexicon of threats.
Today’s digital business faces a diverse and dynamic threat landscape, one that constantly changes and evolves in both sophistication and frequency.

The volume of cyber attacks today has created a dire need for stronger controls and policies, constant monitoring, and deflection of malicious activity, bringing a different set of challenges for organizations in terms of resourcing and expertise. Establishing the right protections against these threats is now one of the most crucial business considerations, no longer limited to IT decision makers but involving the entire board of directors. This is because the conversation around managing IT risk and ensuring compliance is no longer just a question of how technology is used. Rather, the scope of cybersecurity risk extends to organizational goals, reputation, customer loyalty, profits, share price and much more.

The Board’s responsibilities in risk oversight and governance have always been on the agenda, but the global financial crisis of 2007-2008 cemented how critical these are to strategic planning, operations and profitability, and ultimately to business survival. There are several determining factors when assessing corporate risks and putting control frameworks in place: the company’s vulnerabilities, current risk management systems and future requirements, people and process governance, and ongoing awareness and mitigation policies are just some of the areas that need to be understood. In the digital age, cybersecurity has become a core component of risk control and mitigation strategy. For the reasons discussed, the onus for better IT governance and control now rests on the entire Board and not just on the CIO.

Cyberattacks in Asia Pacific (APAC) have reached all-time highs, accounting for over a third of global cybersecurity events. Singapore has lately been at the forefront of concern for having a “weak first line of defense”, which has prompted calls by the Cyber Security Agency for heightened vigilance. The city-state is still reeling from its worst data breach, suffered by SingHealth, in which the personal data of some 1.5 million patients was compromised. Not only were SingHealth’s lax cybersecurity practices subsequently laid bare, but hefty fines were also imposed for lapses in securing data. Other notable cases from the APAC region include aviation’s largest known data breach, impacting 9.4 million Cathay Pacific passengers, and Japanese car maker Toyota, whose IT systems were breached twice in five weeks.

(Infographic: 6 out of the top 10 C2 hosts issuing attack commands)

Despite high-risk operating environments, organizations cannot stop in their tracks on their digital transformation journey. Instead they continue to invest in cloud, mobile, and IoT to drive competitive advantage and customer experience, bringing new opportunities to their offerings but adding complexity to the IT ecosystem and altering their security needs. By 2023, the average CIO will be responsible for more than three times as many endpoints as in 2018; just imagine the resource strain this entails! Other challenges include shadow IT, unsecured devices, and digital applications, prompting organizations to cast a far-reaching net in uncovering critical issues that can compromise enterprise security and business continuity.

I have previously discussed that as digital transformation accelerates, it is critical to strike a balance between growth and risk management. Let’s take a closer look at how IT governance, risk management, and compliance (GRC) will grow in prominence in strengthening an organization’s security posture.

GRC for better enterprise security

IT security and GRC are rapidly being thrust into the spotlight as a key oversight framework for company management and business operations. While GRC encompasses many areas separate from IT (for example, legal and finance), it fundamentally works to ensure that an organization's IT ecosystem supports and enables its strategic objectives.
Data protection regulations and customer privacy expectations are driving how businesses conduct themselves in the marketplace.
Added to these are stringent regulations in an organization’s home country as well as global standards, such as the EU General Data Protection Regulation (GDPR), which must be adhered to. These responsibilities lie with the greater organization and, as I have mentioned before, require an extensive effort across several departments and decision-makers. There are several reasons why GRC is increasingly important and being championed by CIOs and executive leadership, including:

GRC can be implemented in organizations of every type and size to manage risk effectively. Noncompliance brings big risks to organizations, impacting profitability and even the survival of the business. There are several cases we can refer to when it comes to GRC lapses: China’s ICBC was fined US$6.1m for inadequate anti-money-laundering systems that failed to monitor and detect suspicious transactions; Marriott suffered a massive data breach affecting the records of up to 500 million customers, exposing information such as payment details, mailing addresses and phone numbers. To make things worse, the breach response was less than ideal, exposing the company to further risk.
The right plan, processes, and technologies are fundamental to addressing an organization’s security and compliance weaknesses.
Organizations in Asia Pacific view executive management as having the greatest clout to further the GRC agenda; however, key differences remain in how business and IT teams approach GRC. For many large organizations, fully developed GRC plans are mostly in place. Smaller and mid-sized businesses, however, may not have the resources or expertise to develop a GRC strategy. This is where a trusted global technology leader such as CenturyLink can help to create and implement a holistic plan to protect their business.

Security and the network must be connected 

CenturyLink works closely with customers to help identify critical areas of security concern and defend against evolving cyber threats with an approach that adapts to the dynamic landscape. By tapping into our expertise and resources, we have provided security strategy, risk and compliance consulting offerings to uncover areas of high risk and offer remediation, helping businesses improve their security posture, maintain compliance and meet the standards that are critical to their customers.

Based on our global threat intelligence, we take down nearly 63 command-and-control (C2) networks and criminal infrastructures per month and remove malicious traffic from our network to help keep the internet clean. This means less malicious traffic hitting customer firewalls and entering internal customer networks, reducing the number of alarms and events security teams must investigate.

Security is not a ‘bolt on’ service to network applications. 

Protecting the digital business demands that security is built-in and embedded, to maintain and help improve data performance on the network.

A network-based approach to security is a big step in providing the advanced protection needed to keep business running, by mitigating a threat before it reaches the organization’s systems (for example, a DDoS attack that would otherwise slow connectivity and access to services). I’ve previously discussed at length how the network must act as a threat sensor and an active defense platform, enabling the digital business to more accurately prevent, detect and respond to cyber-threats. If security gets in the way of the digital business acquiring, analyzing and acting upon application data, value is eroded.

Digital transformation and risk management are entwined 

For today's digital business, managing risk will remain at the forefront while technologies and processes are transformed. Embracing risk, as opposed to being risk-averse, will shift thought and planning processes towards a more holistic approach that brings together GRC efforts and investments in security.

As organizations continue to digitally transform, detecting and deflecting threats 24/7 will become an increased burden. By adopting the right security measures and ensuring proper compliance mechanisms are in place, today's digital business is well on its way to securing its survival in the future. 

This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided "as is" without any warranty or condition of any kind, either express or implied. Use of this information is at the end user's own risk. CenturyLink does not warrant that the information will meet the end user's requirements or that the implementation or usage of this information will result in the desired outcome of the end user. Links to CenturyLink's products and offerings are represented as of the date of issue.  Services not available everywhere.  Business customers only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2019 CenturyLink. All Rights Reserved.
