Cybersecurity Threats, Data Privacy and the Important Role of Compliance
Most compliance officers will admit that they have more than enough responsibilities in their purview. They are usually not looking for more. I have some bad or good news on this front depending on your perspective.
As companies struggle with cybersecurity and data privacy issues, they should naturally turn to compliance to play a larger role in their overall risk mitigation strategies. Up to now, it appears that the new-fangled flavor of the day – the Chief Information Officer and the Chief Privacy Officer – have been designated as the leaders in addressing cybersecurity issues. I do not take issue with the governance trend, but there are many aspects of cyber risks and mitigation strategies that naturally fall within compliance's scope of responsibility and expertise.
My reasoning is as follows – nearly 50 percent of cyber-events or breaches are the result of internal employee conduct, some intentional and some negligent. A disgruntled employee may circumvent data security controls to cause a breach or steal trade secrets or personal information for financial benefit. More often, however, employees fall for a phishing email by opening an attachment containing malware or even ransomware.
Call me naïve but these issues, like many other threats, are right in the wheelhouse of compliance professionals.
First, compliance officers know how to design controls and can work with internal cyber and IT partners to ensure that employees are unable to circumvent internal information access controls. Compliance can also work with the same team and physical security to ensure that sensitive data processing and storage operations, if on site as opposed to in the cloud, are properly secured and that access is closely monitored and protected.
Second, compliance officers are excellent at designing and conducting training programs. Working with internal cyber and IT partners, compliance officers can ensure proper training of employees on cybersecurity issues, conduct real-time training so that employees can identify and avoid falling for a phishing scheme, assess the training program against its objectives, and improve the program over time.
Third, one third of cyber and data events are caused by third parties. Call me woke but last I checked compliance officers have a laser-like focus on third-party risks for a variety of reasons. Compliance officers are already reviewing third parties for a variety of risks – why not cyber as well?
Fourth, compliance officers know how to conduct risk assessments, design controls to mitigate the risks, measure the performance of the controls, and conduct testing and auditing of the program.
In other words, compliance officers are good at one important objective – ensuring compliance with company controls and procedures. The subject matter does not really matter since compliance officers are smart and often display multi-disciplinary skills.
Despite all of these natural talents, the capabilities of compliance officers to address cyber and data privacy issues are often minimized. While the stakes are very high, compliance officers are used to such situations and can bring expertise and support to the overall objectives.
Given the hype surrounding cyber, which is completely justified, boards and senior managers have lost a little bit of focus. They need to return to the bread-and-butter approach to compliance, which requires a risk assessment, mitigation of the risks, and appropriate strategies to address evolving external cyber risks and the ever-present problem of internal cyber and data protection risks.
Compliance deserves to have a seat at the table for this important issue. Board members, CEOs and senior managers need to wake up and invite compliance into the conference room to address this important threat.