I’d like to kick off my new weekly blog, aptly titled “ServiceNow GRC Topic of the Week”,
with a timely subject – Cyber Awareness and GRC. The theme for week 2 of Cyber Awareness Month, according to the Homeland Security website, is “Cybersecurity in the Workplace is Everyone’s Business”. Creating a culture of cybersecurity is critical for all organizations – large and small businesses, academic institutions, non-profits, and government agencies – and must be a shared responsibility among all employees. The website mentions several resources to help organizations strengthen their cyber resilience, including the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
When we think of cybersecurity in the workplace, it’s easy to imagine educating workers about strong passwords and teaching them to recognize suspicious emails that could be phishing schemes. It’s even fairly easy to think about the security measures that must be put in place to meet the NIST framework. What we don’t think about is Governance, Risk, and Compliance (GRC).
However, an effective GRC program is one of the best ways to ensure a strong security posture, and compliance really is everyone’s business. Let me walk you through it…
GRC is the way to a strong security posture
First you must get into a proactive mindset. You can put password mandates in place to ensure critical assets are protected against improper access, or deploy endpoint protection and declare it a success once it begins to catch attacks. But how do you actually know that the password mandates you’ve set are being followed across all critical systems, and that endpoint protection is installed on every employee’s device? Are you really complying with the areas of the NIST framework you intended to comply with?
If you had a GRC program in place, you would know – well before an attack succeeded and you discovered your protection wasn’t good enough. When a GRC program is implemented, you not only define policies, best practices, and risks, but you also test them. You may have decided to use the NIST framework to build your cyber resilience, but it’s through testing the policies that you discover the gaps – and what the risks of those gaps are. And it’s by tracking the resulting issues through to resolution that you can see your cyber resilience grow. Proactively monitoring compliance with policies related to password strength, configuration changes, patches, and protection mandates allows you to address vulnerabilities before they turn into breaches. The ability to react quickly to the unexpected is necessary, but a proactive approach to security, like that offered by GRC, will pave the way to an even stronger security posture.
Compliance is everyone’s business
Compliance, in many cases, depends on employees adhering to the policies that were defined. However, to do so they must first be aware of what’s expected of them. One of the basic tenets of GRC is to educate your employees about the policies they should follow – and to measure whether employees have actually been trained. At ServiceNow we are required to complete a variety of training courses to comply with different regulations and internal initiatives, including security best practices. Through the ServiceNow product we receive email reminders until the training is complete. The human factor is one of the weakest links in any security program. Regularly scheduled training is vital, and GRC can help ensure it’s appropriately tracked, creating a shared responsibility among all employees.
Cybersecurity in the workplace is everyone’s business. Strengthen your cybersecurity and build a cyber-aware culture with a proactive approach, including compliance testing and training, using ServiceNow GRC. Use the Stop Think Connect industry resource page for more ideas on how to stay safe.