Companies must establish the accuracy and truthfulness of information, including from third parties, in their organisations to achieve an appropriate cybersecurity risk posture, says information technology (IT) services multinational Accenture head of cyber security practice Clive Brindley.
Knowing the veracity of information that flows through digitalised business processes is critical: it ensures that suitable decisions are taken about risks, and that potential gaps in cybersecurity are identified so that risk can be mitigated to within acceptable levels.
Achieving an acceptable cybersecurity risk posture aligned to the company’s risk appetite and regulatory landscape, especially in a large enterprise, also requires the engagement and input of all stakeholders, including third-party service providers where necessary, he adds.
“Information risk management requires the collaboration of numerous stakeholder groups, from business and technology, to ensure an appropriate risk posture is achieved.”
Organisations must have full knowledge of data regulations and laws, and use enterprise-wide organisational knowledge to further strengthen their compliance posture. The integrated organisational, technology and information governance operating model is a key enabler to information veracity, he states.
Further, the veracity and strategic value of information have finite life spans, and this informs not only how information should be protected throughout its life cycle but also when it should be deleted once it becomes obsolete or of negligible value to an organisation.
“Companies must consider the way in which information is acquired, such as from a client filling in a Web-based application or via third-party data interchanges, and the process to validate the information, such as leveraging commercial and governmental information verification services,” says Brindley.
Subsequently, the way the information is used and processed, and when it is handed over to third parties, must be assessed to determine its life cycle, accuracy, truthfulness and value, and how it will be protected and disposed of.
Achieving a secure information posture requires an understanding of the business and its core processes, and identification of the most important and high-risk areas to protect. Further, a business should have formal information and data governance operating models in place, including data ownership, accountability and stewardship, says Brindley.
“Controls to prevent data breaches and leaks must be developed via due process, which requires accurate and reliable visibility of the use, management and governance of information.”
This process is more intricate for multinational companies, because they have to understand the regulatory and compliance landscape of each territory they operate in, which often requires local specialists to translate the regulations into responses, such as deploying additional controls.
However, all these actions – investigating the flow of data, determining the veracity of information and implementing controls to mitigate regulatory, compliance and cybersecurity risks – have a cost implication.
Therefore, when multinational organisations move to select appropriate, fit-for-purpose information security standards, frameworks and controls, the reuse of existing, standardised processes should prevail over in-house-developed methods, states Brindley.
“The significance of data and its risk to an organisation, typically determined by its risk appetite and local and transnational regulations, will determine the scope of the mitigation measures deployed, including the resources allocated to effect this.”