In my previous post Risk does not walk alone – I noted both the importance and often ignored lack of relevance of internal audit and corporate risk management to the business of cyber security.
Are you really ready to run a clinical trial? How can you best assess your clinical trial readiness? We work with C-level executives and management
At a site monitoring visit, the CRA works on assuring protocol compliance. Assuring protocol compliance is one of the 3 pillars of GCP: The 3
1 in 7 American adults live alone COVID and social isolation is part of our lives. During COVID, it became easier to recruit patients for
Counterfeiting is old as money itself. Drug counterfeiting is no exception. In this post, we’ll share an analytical approach that you can use to estimate
Is there a “black-box” risk management solution for your clinical trial? What clinical trial risks are the most important for you and your company? Risk
DecentraIized clinical trials software vendor Medable is doing an outstanding job in understanding and executing an online work-flow between sites and patients at home.. This understanding and
Clinical data made radically simple and affordable.
Copyright © 2022 Flask Data Ltd. All Rights Reserved.
Audit and risk management are central to the financial services industry
Just because audit and risk management are central to the financial services industry does not make them cyber security countermeasures. Imagine not having a firewall but having an extensive internal audit and risk management activity – the organization and all of it’s paper, policy and procedures would be pillaged in minutes by attackers.
Risk management and audit are “meta activities”
In the financial industry you have risk controls which are the elements audited by internal audit and managed by risk management teams. The risk controls are the defenses not the bureaucracy created by highly regulated industries. So – you can have a risk control of accepting (deciding not to have end point security and accepting the risk of data loss from employee workstations), or mitigating (installing end point DLP agents) or preventing (taking away USB ports and denying Internet access) etc…This is analogous to a bank accepting risk (giving small loans to young families), mitigating (requiring young families to supply 80% collateral), and preventing (deciding not to give loans to young families).
The important part is to understand that risk management and audit are “meta activities” and not defenses in their own right.
Why risk management often fails in cyber security operations
We note that attempts to apply quantitative risk management to cyber generally do not work because the risk management professionals do not understand cyber threats and equate people and process with mitigation.
Conversely – cyber-security/IT professionals do not have the tools to estimate asset value. Without taking into account asset value, it is impossible to prioritize controls as every car owner knows: you don’t insure a 10 year old Fiat 500 like you insure a late model Lexus RC F.
Unfortunately for the lawyers and regulatory technocrats – while they are performing cross-functional exercises in business alignment of people and processes – the bad guys are stealing 50 Million credit cards from their database servers having hacked their way through the air conditioning systems.
Why cyber, regulatory and governance need to be integrated
Because these 3 areas (cyber, regulatory and governance) are increasingly entangled and integrated (you can’t comply with HIPAA without dealing with all 3) – it becomes supremely important to integrate the 3 areas because A) it’s expensive no to and B) it creates considerable exposure because it creates “cracks” in compliance. Witness Target.
At a major Scandinavian telco – we counted over 25 separate functions for security, compliance and governance a few years ago – and it was clear that this number needed to converge to 2 – risk and cyber and an independent audit unit. Whether or not they succeeded is another story.