The nature of doing businesses has always included the inherent risk of security breaches and vulnerability to potential harm by others. Even though technology, the internet, and other digital innovations have brought us significant increases in productivity, they have also caused us to leave more doors open for potential risk. I have asked Albertina (Betty) Cardiel, Softtek’s IT Risk and Data expert, to chat with us about the current state of IT Risk and Compliance, as well as where she sees this sector evolving in the future. Betty has over 14 years of experience in Information Security, specializing in IT Compliance and Risk Management and as of recently, the Data Privacy field.
Lilian: What do you see as the biggest challenges facing companies today, in terms of IT Risk and IT Compliance? How can companies turn these into opportunities?
Betty: We are living in a world where disruptive technologies run rampant, and with this innovation comes more risks associated with cybersecurity. Regulators attempt to lessen the risk by establishing control mechanisms and specific requirements in place, and this adds a lot of responsibilities to businesses. There is an increasing amount of technology to defend, and even with the improvements in security prevention methods, there are still plenty of successful attacks that majorly impact organizations. This reality causes businesses to focus on developing a Risk Management approach, but if not designed and implemented correctly, it can leave the organization vulnerable to security breaches due to non-compliance requirements.
Lilian: What are the trends that you see emerging in IT Compliance & Risk, and how should companies prepare for these coming trends?
Betty: There are at least five major trends keeping companies busy. They are:
- Third Party or Supplier Vendor Management risks. Third party providers have always been a part of the supply chain, but companies are finally starting to take a better look at these businesses and the overall risk they represent to the organization. To properly manage vendors, it is necessary to build a risk profile and monitor them accordingly. Often times, companies perform preliminary scans but do not continue to monitor these partners as compliance and security patterns evolve.
- Complexity of regulatory management Regulatory deadlines put businesses in reaction mode. Business areas work separately to respond to their individual compliance requirements, and as new tools and technology implementations are deployed through the organization, they aren’t always communicated effectively. The result is poor management of regulatory functions and a disjointed organization. To avoid this situation, companies must engage in e-planning across the board and create a solution that is uniform to all areas of the organization.
- Inherent danger of cyber threats In 2014, cybercrime was front and center in the news. Major enterprises in retail, entertainment and financial industries were hugely impacted by cyber criminals. In addition to covering costs such as the penalties and fines associated with the breaches themselves, affected companies also had to deal with reputational damage, legal liability and crisis communication management. As time passes, these organizations share the lessons they’ve learned and the underlining message is always the same: the interconnectedness of their business compliance, risk, IT and information security were just not sufficient. We must align our goals with the proper steps to ensure that we achieve our objectives while avoiding major obstacles along the way.
- Talented Professionals gap We often think that our main enemy is the sophistication of the attacks and the people involved. Unfortunately, our biggest downfall is the lack of skilled workers needed to combat these types of attacks. Companies still face a skills gap when attempting to fully understand the technical side as well as the overall nature of the business. There are many trends and technologies requiring new approaches to security, including BYOD, Cloud, IoT, Globalization, Social Networks, as well as other new technologies and programming frameworks. While companies are doing their best to cover their main assets, they often find themselves in a reactive versus proactive mode, where they focus on the issues at hand but neglect the fact that the risk of other attacks, including criminal activities, espionage and hacktivism, still exist.
- Executive involvement in Operational Risk, IT Compliance and Cybersecurity Boards and executives are slowly starting to understand that a customer centric model must now include Risk and Compliance measures to meet customer expectations in the adoption of the digital business model.
Lilian: What new technologies and innovations are available for successful IT Risk Management and Compliance implementations and how should companies be mindful of these for the future?
Betty: There are many platforms and vendors of Governance, Risk and Compliance (GRC) in the market, but there is still a lack of innovation in these tools since they are not yet ready for the disruptive digital world. A smart implementation must consider a strategic vision instead of a tactical one. GRC features are used only to react to the department compliance and risk requirements instead of adopting a holistic approach. When implementing services, businesses must consider the full picture when it comes to IT Compliance and IT Governance Maturity Model, and must understand the business applications that host the most critical information and processes in order to identify the risk management capabilities that need to be incorporated in the evaluation of the best GRC solutions for the company.
Lilian: What are the top three suggestions you have for companies about to embark on an IT Risk and Compliance initiatives and how can they best manage their time and resources?
Betty: I would suggest for businesses to commit to integrating risk management best practices across the board. It is important to understand and establish Business Regulatory requirements for the enterprise information process cycle through an IT Compliance landscape to define and prioritize strategic action plans as part of the organizational budget program. Also, companies should establish a compliance and third party risk procedures as part of the vendor management process to monitor and analyze risk profiles of vendors and suppliers.
Lilian: I know you have worked with several organizations to make their processes better and more secure. Are there any cases that stand out to you that you could share with us?
Betty: Sure. We had one top Fortune company that wanted to assess their supplier security and compliance practices, but did not have a clear idea of what the supplier’s risk level was. We helped that organization run a Risk Assessment to define the Third Party Risk and Compliance due diligence and monitoring strategy, through a mature vendor categorization process using practices such as Six Sigma, Lean and ISO, among other tools. We created an actionable IT Compliance framework tailored to the company supplier needs including vendors of new technologies (Cloud, Virtualization, Platforms and environments, etc.), which allowed the company to respond rapidly to business compliance requirements and decrease the third party security risk exposure. Lilian: Betty, this was great, thank you. Before we wrap up, are there any insights or suggestions you can leave us with? Betty: I am a strong believer in the “back to basics” model. This includes three main components:
- Understand that the number of cybersecurity threats, attacks and vulnerabilities is not going down. The good news is that professional surveys and reports show that companies recognize their opportunity areas and the lack of interconnectedness between the security risks and business exposure of their organizations.
- Regulations were made to establish business controls, and those need to be shifted to a technology approach. Given that close to 95% of business assets are related to information settled in an IT environments and applications, we need to start looking at things with a focus on the IT landscape.
- We should be taking an integral approach to incorporate the supply value (internal and external) in the IT Security and Compliance risk management strategy. Fortunately, IT security governance frequently appears on the business and compliance agendas of executive boards, proving that we are moving forward when it comes to the future of security and data exposure.
For more information on how Softtek can help with your IT Risk and Compliance strategies, visit our or contact us directly at [email protected]
Betty Cardiel has over 20 years of experience in IT Leadership, Project Management and Information Security and Compliance Service’s Consolidation. She holds certifications as a C|CISO, ITIL Foundations, Practitioner and Service Level Management, ISO 20000. IT infrastructure certified auditor, Six Sigma Lean Green Belt and Black Belt Mentor. She has an ample experience as an Implementation Manager for Information Security Services such as Identity Management, Access Control Management, End Point Security (SAV, Scanning, Laptop Encryption, Vulnerability Management, NAC), Information Security Awareness, Security Controllership, Compliance and Governance processes for regulatory requirements, Application Security Services, Data lost Prevention as well as the Information Security Vendor Risk Assessment. She is also Founder and leader of a non-profit organization “StarOnTheFly” since 2009, focused to design Parental Cybersecurity educational programs and awareness conferences to mentors, schools, and teachers.