
How Compliance Automation Can Turn Your Risk Register into a Valuable Business Tool

Ethan Altmann
January 5, 2023

We’re about to talk about risk, but let’s put it in context for a moment. Do you get your news online? Or from a good old-fashioned newspaper? Maybe you read both. The hard copy to get the weather and the broad view—but the online version if you want to know what’s happening now. Sometimes you don’t need to know the latest. In business, you often do.

Security-related risk is one of the key elements of an organization’s operational risk. So for a security Compliance leader, up-to-date knowledge of their company’s risk posture is essential. Of course, knowing the risks is not enough; unless they are also addressed properly, the company won’t be in a healthy state for long. So let’s get into the meat of this discussion. In brief, a Compliance leader should know:

  1. What exactly are the organization’s risks?
  2. How are you addressing them?
  3. Are your mitigations working?

And in all this, how does a Compliance automation solution help? (Spoiler: It really does.)

Building a risk register

Time is tight, information is scant. Risk identification is essential, but where do you start?

Create a baseline. One possibility: have a lot of conversations with stakeholders throughout your company, and at each level, you’ll find out where the relevant risks are clustered. The trouble with all this talk: It involves a lot of people and time.

Better: You can get a solid, faster assessment of your security needs by looking to your Compliance requirements, because most security practices align to requirements for Compliance. So look to risk identification methodologies, such as the Secure Controls Framework™ (SCF) Security & Privacy Risk Management Model (SP-RMM), the Center for Internet Security Risk Assessment Method (CIS RAM), and the NIST Risk Management Framework (NIST RMF), to help you identify risks in your own organization.

Example: Access control. You might find that, in order to conform to the requirements of sections 6.1 and 6.2 of CIS Critical Security Controls v. 8, user access provisioning and deprovisioning procedures should be in place and should be guided by several principles, including least privilege, RBAC, separation of duties, etc. If your organizational procedures are not meeting those principles, risks arise—such as a data breach caused by a disgruntled employee whose access was not revoked as part of offboarding.

Tailor risks to your business. Frameworks are good for creating a baseline of risks. But the goal in creating a risk register is to reflect the risks that apply to your unique business, in order for you to figure out how to address them. So as your company matures—or sooner—you’ll want to refine your risk register, based on the facts that apply to your business. Here is where those conversations with other teams can uncover issues that you could not otherwise know. See our Risk Management Guide for a more detailed discussion.

Now that you’ve got it, what do you do with it?

Congratulations. You created a risk register. Now what? You can avoid, accept, or transfer risk, but Compliance is most useful when you want to mitigate risk, i.e., reduce risk by using controls. To do that, you’ll map controls to the relevant risks, and that’s easier when you have a Compliance automation solution.

Determining the controls needed to respond to risk. Many frameworks, such as SCF, map controls to the risks they cover, making it relatively easy to determine the controls that will help respond to specific risks in those cases. For other frameworks, such as NIST RMF, you’ll have to go further to identify risks that are unique to your organization and to determine the appropriate controls. In that case, you might use a framework as a first step, but not the only step.

The work doesn’t end with knowing that you have controls that are relevant to specific risks in your register. To have a better understanding of how each control is impacting the risk at hand, you need a Compliance automation solution that allows you to link the relevant controls to the risk. In managing controls at the framework level (think ISO/IEC 27001, SOC 2, NIST CSF), you are directly impacting the residual risk level of any mapped risks. Without visibility into that link, the relationship between control and risk remains purely theoretical, rather than actionable.

How effective are your controls?

By now, you’ve assessed your risks using frameworks to guide you; with risks identified, you’ve mapped controls to them and implemented those controls to mitigate risk. And you’re done, right? Not quite. Once you’ve invested in controls, you need to show they are effective. And you really need to know if your controls aren’t working optimally, so that you can invest in other controls. So how do you know how effective your controls are?

Justifying your investment in controls. Your Compliance automation solution must provide data to prove that controls are working. Only current data proves whether you are managing risk and meeting Compliance frameworks today; your last audit cannot. So the ideal Compliance solution includes a risk application or dashboard that shows not just the risks with the controls linked (as we mentioned above), but also has data that shows whether and how those controls are working to reduce risk. That’s how you can tell, at any time, based on continuous data, whether your investment in controls is giving you the ROI you’re relying on. The knowledge that comes from continuously monitoring risk and controls is essential, because it lets you course-correct more quickly if the data shows that controls aren’t effective. It also lets you give leadership up-to-date information for informed decision-making on investments in risk reduction.

That’s why Compliance automation tools are increasingly used in order to provide continuous, real-time, data-based evidence that controls are working and are therefore actually mitigating risk.

Example: Using NIST Cybersecurity Framework (NIST CSF) to understand security Compliance posture. One of the controls in NIST CSF is Anomalies and Events Detection (DE.AE-2), which requires that events from critical security tools are being logged and that alerts are being triggered and analyzed. This data, collected from tools such as AWS CloudWatch, PagerDuty, and Lacework, would confirm that the control is working effectively by indicating, for example, an excessive number of failed authentication attempts. Because we have mapped the control (DE.AE-2) to the risk, users are able to determine the residual risk based on how effective the control is. If the data is favorable, the control is good, and we’ve gone from theoretically knowing that a given control will mitigate risk to having proof that risk is actually lower.
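As an added illustration, not code from the original post or from any product it mentions, the following Python models the chain described above and in the control-linking discussion earlier: parse authentication events, detect excessive failed logins, score the DE.AE-2 evidence, and reduce a register entry’s inherent risk to a residual figure. The log format, the alert records, the risk entry R-07 and the three-part scoring rule are all constructed assumptions for this example, not NIST definitions.

```python
from collections import Counter

# Constructed sample evidence (not real logs, alerts or a real register).
AUTH_LOG = [
    "2023-01-05T10:00:01Z auth user=alice result=ok",
    "2023-01-05T10:00:09Z auth user=bob result=fail",
] + [f"2023-01-05T10:01:{i:02d}Z auth user=mallory result=fail" for i in range(6)]
ALERTS = [{"user": "mallory", "acknowledged": False}]   # fired, not yet analyzed
RISK_REGISTER = {
    "R-07": {"description": "Credential stuffing against workforce SSO (hypothetical)",
             "likelihood": 4, "impact": 5, "controls": ["DE.AE-2"]},
}

def excessive_failed_logins(lines, threshold=5):
    """Return {user: failures} for users at or above the failed-auth threshold."""
    fails = Counter()
    for line in lines:
        # constructed format: "<timestamp> auth user=<name> result=<ok|fail>"
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        if fields.get("result") == "fail":
            fails[fields["user"]] += 1
    return {user: n for user, n in fails.items() if n >= threshold}

def de_ae_2_effectiveness(lines, alerts, threshold=5):
    """Score DE.AE-2 evidence from 0.0 to 1.0 with a simple three-part rule
    (an assumption of this example, not a NIST formula): events are logged,
    detections raise alerts, and alerts are analyzed (acknowledged)."""
    if not lines:
        return 0.0                      # nothing logged: no proof the control operates
    offenders = excessive_failed_logins(lines, threshold)
    if not offenders:
        return 1 / 3                    # only logging is demonstrated; alerting unproven
    alerted = {a["user"] for a in alerts}
    analyzed = {a["user"] for a in alerts if a.get("acknowledged")}
    alert_share = len(offenders.keys() & alerted) / len(offenders)
    analyzed_share = len(offenders.keys() & analyzed) / len(offenders)
    return (1 + alert_share + analyzed_share) / 3

def residual_risk(risk_id, effectiveness_by_control):
    """Inherent score (likelihood x impact) reduced by the strongest mapped control."""
    risk = RISK_REGISTER[risk_id]
    inherent = risk["likelihood"] * risk["impact"]
    best = max((effectiveness_by_control.get(c, 0.0) for c in risk["controls"]), default=0.0)
    return round(inherent * (1 - best), 1)

if __name__ == "__main__":
    score = de_ae_2_effectiveness(AUTH_LOG, ALERTS)
    print(f"DE.AE-2 effectiveness: {score:.2f}")
    print(f"R-07 residual risk: {residual_risk('R-07', {'DE.AE-2': score})}")
```

With the alert fired but not yet acknowledged, the control scores two thirds and R-07 drops from an inherent 20 to a residual 6.7; once the alert is analyzed the score reaches 1.0, which is the kind of continuous evidence the dashboard described above would surface.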

An organization that assumes it is safe because it implemented a control may be unknowingly facing as great a risk as if it had not implemented the control at all. A Compliance solution that gives us data to prove a control is working to reduce risk is the only way we can know that our investment in controls actually makes our organization more secure.

No news is…no news

As a Compliance leader, you can’t assume that no news is good news, because you have to be alert to your company’s risk posture at all times. It all starts with risk identification: using frameworks for a streamlined first pass at creating a risk register, then tailoring the risk register to your organization through conversations with relevant stakeholders. Compliance frameworks help you relate controls to those identified risks. Finally, your system of Compliance, and particularly Compliance automation, provides the real-time data for defining the quality of the controls you’ve implemented, so you can know the extent of risk mitigation you’ve achieved for your organization.

So here’s the latest: Positive, reliable data means controls are good, which means risk is lowered. Now that’s good news.

Ethan Altmann
Compliance Product Owner - Chief framework cross-referencer, Control-understander, Evidence-mapper
