In your organisation, who is responsible for cyber risk?
As organisations grow, the answer to this question becomes less clear. In smaller organisations a single person inevitably looks after security and, since decisions are mainly based on perceived risk, that person also manages cyber risk. But as organisations grow, these roles get split.
Naturally the boundaries between different roles and responsibilities can become blurred. Similarly, the approaches to risk, and interpretations of the signals that indicate risk, can vary.
Everyone’s right, so what’s wrong?
Managing risk is all about making the right decisions with the information available, but getting multiple teams to agree on risk is not an easy feat. Even if the teams have an agreed set of risks, how they perceive each risk and its potential severity can be—and usually is—quite different. How they believe they can mitigate that risk is equally up for discussion. The challenge is further complicated in that all teams can be ‘right’ and carrying out their roles correctly. They just have different perspectives on the same problem.
Manual, error-prone, open to interpretation
For cyber risk we also need to take into account the unique skills of the security team, who not only manage the day-to-day operation of the tools that lower risk but also report back with data on how these tools are operating, to be assessed. Generally speaking, this works, but it’s often very manual in its approach, while also being prone to human error and perception. Ironically, this can heighten the very risks that security and cyber risk teams are meant to be jointly working on mitigating. In larger organisations, to avoid these pitfalls, another team is often added to the mix to ensure that no other team incorrectly assesses a risk. Typically called audit, this team provides critical checks and balances.
Layers of defence, layers of complexity
Getting back to our initial question—who is responsible for cyber risk?—we can see how the whole subject of managing cyber risk can get increasingly complex. Yes, we need all these roles but getting them to work in unison and consistently is the key to having an effective cyber risk management strategy. If we break down the roles and responsibilities into more detail it helps us understand how to better manage risk.
The common three lines of defence
First there’s the CISO, together with their team. They’re often responsible for managing the controls, and managing the operation of the overall security process. In security terms, they’re the first line of defence. They have responsibility for deciding on the technology that is used, the companies they partner with, and overall investment areas where they wish to bolster their defences. Next, there are the organisation’s risk and compliance professionals, acting in concert with the CISO. These people advise on—or set—the organisation’s security tolerances. In short, they look at the relative criticality of the various security risks that the organisation faces, and the level of mitigation that is appropriate. They’re the second line of defence. Finally, there’s the third line of defence. This is made up of the relevant internal audit staff, who make sure that things are happening as they are supposed to and pull together risks from all over the organisation, not just IT.
Three different perspectives
As we’ve touched on earlier, there are several difficulties with all this. The first is that all of these lines of defence view IT security—and risk—slightly differently. And they don’t always speak the same language. So there isn’t a consistent means of monitoring and measuring and managing risk, which can obviously pose a problem. When risk-based decisions are being taken, clarity of communication—and clear and consistent risk-based criteria—are vital. Compounding this, all three lines of defence are making judgements, and reaching decisions, on a qualitative basis. It’s very subjective, based on ‘feel’, and experience, and a sense of what is important and what isn’t. So, not only can the three lines of defence all be speaking different languages when it comes to risk and IT security, they’re also viewing what they believe to be ‘facts’ very differently.
Is there a single unifying solution?
The answer: yes, thanks to a paradigm shift in how cutting-edge IT organisations can approach IT security—looking at it objectively and quantitatively, rather than subjectively and qualitatively. Put another way, it’s now possible for hard, measurable facts to replace opinions, viewpoints, and ‘gut feel’. It means that all three lines of defence can finally speak the same language, and view risk and IT security from the same fact-based, quantitative viewpoint. And they can do it all thanks to automated data gathering from your organisation’s controls and role-based dashboard views. That last point is critical. Each line of defence gets complete controls visibility for their organisation in a single pane of glass—and all from an advanced, automated, evidence-based platform. But they see it via role-specific dashboards tailored to their needs. This advanced, unifying solution is known as Continuous Controls Monitoring (or CCM for short). It’s an approach that is already in use among leading organisations, providing hard, quantified data on the performance of IT controls and risk management systems, continually monitoring them in real time via telemetry. CCM is also a Gartner-recognised risk management technology with a “High” benefits rating.
Continuous Controls Monitoring: continuous compliance, reduced risk, automated assurance and more
That CCM has emerged as a solution for the security, risk and compliance and audit challenges we’ve outlined is a gamechanger. Even better, Quod Orbis has developed a unique CCM managed solution that is a CCM platform and managed service in one. So not only do you get complete, real-time controls visibility 24/7—from operational level to board level—via user-friendly dashboards, you also get a unique wrap-around service. This means the client organisation benefits from ongoing platform management and risk identification by Quod Orbis experts. Such a blend of technology and expert ongoing support can dramatically reduce your business risk and enhance your security posture, allowing you to manage risk with accuracy and confidence and make better business decisions. And that’s aside from the huge time and cost savings that flow from security compliance automation and audit automation, both of which are also compelling features of the solution.
Seeing CCM is believing
All of this becomes real and relatable when you see a CCM demo. Perhaps even go a step further? Arrange a simultaneous demo—online or on your premises—for the various lines of defence in your organisation. It’s a bold claim but we’ll stick our necks out anyway: we’re confident that every line of defence will be equally impressed and talking the same language afterwards.
To book a demo at a time that suits you, click here.
We also offer access to our demo platform; all it takes is a 15-minute call with one of our platform engineers to get you started. Click here to gain access.