As the voice of risk management for the business, Governance, Risk and Compliance (GRC) has a strong interest in knowing whether there are any hidden or unknown risks to which the business may be exposed. Since the information security environment can change very quickly, it is not surprising that frequent assessments and audits are among the most valuable tools of the trade.
Meanwhile, preparing for internal assessments and third-party audits already has IT professionals feeling like they are spending too much time jumping through hoops, with less time to perform their regular day jobs.
Constant Checklists Make Good Habits
Gap Analysis? Check. Threat Risk Assessment? Check. Health Check? Corrective Action? Maturity Assessment? Check. Check. Check. Where does it end?
While it is easy to see why third-party audits are rapidly rising in importance for every organization concerned about risk – with many industries now working on satisfying multiple regulatory frameworks – the checklists seem to be expanding and the preparation seems to be never-ending.
A Constant State of Readiness Can Make Audits Easier
Some security experts are advising organizations to go even further, with more frequent internal health checks and assessments taking place in order to better prepare for external audits. But is this new push for better preparation just code for more useless “Red Tape”?
We don’t think so. Weighing the costs against benefits, consider the following:
• The longer it takes to detect and contain a data breach, the more costly it becomes to resolve. Over the years, detection and escalation costs have increased and so the best investments currently being made are in technologies and in-house expertise to reduce the time to detect and contain any threats.
• Regulated industries, such as healthcare and financial services, have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers.
• The cost of a data breach varies by industry. The average global cost of a data breach per lost or stolen record was $158. However, healthcare organizations had an average cost of $355 and in education the average cost was $246. Transportation ($129), research ($112) and public sector ($80) had the lowest average cost per lost or stolen record.
• Hackers and criminal insiders caused the most data breaches. Forty-eight percent of all breaches in this year’s “Cost of Data Breach Study”, sponsored by IBM, were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $170. In contrast, system glitches cost $138 per record and human error or negligence was $133 per record.
Source: 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and independently conducted by Ponemon Institute LLC, June 2016.
What is Your Risk Tolerance?
While risk management and analysis may indeed contribute to rising costs (in both time and money), there are real benefits with long-term impacts to be gained through regular assessments and audits, including:
• Equipping organizations with the information they need to respond rapidly in the event of a security incident
• Assuring continuous improvement in both processes and procedures
• Documenting any deficiencies or non-compliance, which leads to real timelines for corrective action, and documenting the corrective action taken
If improvements in governance, risk and compliance (GRC) programs – including increases in the frequency of assessments and improvements in audit preparedness – can prevent the cost of a hack, leak or data breach, it will be time and money well spent.