ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Cyberattack Defense Strategy: Integrate Security Analytics With GRC

Cyberattack Defense Strategy:  Integrate Security Analytics With GRC

| Published: 2/24/2014 8:58 AM | Category: Risk Management | Permalink | Email this Post | Comments (2)
Yo DelmarYo Delmar, CISM, CGEIT
The 2013 Data Breach Investigation Report reveals some alarming statistics about the rising incidence of cyberattacks and overall enterprise awareness and response strategies to cyberattacks. In 2012, there were several cases of intrusions that were successfully carried out within a matter of minutes. Yet nearly 66 percent of breaches remained undetected for several months, and 69 percent were first detected by an external party. These numbers reveal just how defenseless organizations can be against cyberattacks, irrespective of their organization’s size, location or industry.

The heightened likelihood and effects of threats, alongside mounting regulatory complexity, has put IT and risk professionals under unprecedented pressure from across all levels of the organization. Fortunately, there are tools and technology that can support a more collaborative, proactive and analytics-driven security program that aligns internal stakeholders, prioritizes resources, and protects business-critical processes and sensitive assets. However, many organizations still lack the necessary 360-degree near real-time view of their emerging potential threats and the associated defense strategies needed to counter those threats.

CyberAttack Defense Strategy

Organizations increasingly require security analytics that deliver insights into the size, scale and scope of the risk, in addition to providing the basis for root-cause analysis and remediation strategies across policies, processes and technologies. Strong metrics and security analytics frameworks can act as catalysts, transforming risk identification to more sophisticated risk intelligence. Leveraging technology can provide automation and can support ongoing threat monitoring, identification and analysis processes.

By integrating security analytics with GRC programs, organizations can establish a mature security program. By taking it one step further and aligning the program with broader business objectives and business performance metrics, organizations can achieve greater stakeholder engagement and support for additional security-related resources and investments.

A long-term and tightly integrated security and GRC program requires a clear road map that outlines the firm’s objectives, stakeholder roles and responsibilities, and key milestones. Executive involvement, ownership and accountability, especially amongst the security, risk and business teams, can lower overall enterprise risk exposure and ensure a more sustainable enterprisewide approach.

Tomorrow’s most trusted, reputable and financially sound organizations are the ones that are working today to integrate security analytics with their enterprise GRC program and technology ecosystem. Gaining the risk intelligence needed to protect the business, sustain operations and support performance is no easy feat. But establishing the vision and embarking on the journey promises a payoff that will prove to be well worth it in the end.

Read Yo Delmar’s recent Journal Online article:
Integrating Security Analytics into Governance, Risk and Compliance Programs,” ISACA Journal, volume 1, 2014.


Re: Cyberattack Defense Strategy:  Integrate Security Analytics With GRC

I truely believe that a foundation of IT Risk Mgmt. needs to be established such as Policy Mgmt., Enterprise Mgmt., and Risk Mgmt., and Corporate Security Risk Culture.  If a comapny has the foundation, they can demonstrate a higher ROI to ingtreate Secrurity Analytics into a GRC program.  AM
amurana at 2/24/2014 6:04 PM

Response to Amurana

AM – You are correct – organizations are increasingly demonstrating more maturity with regards to their IT Risk Management Programs. Without the foundation of Policy, mapped to both regulatory and business requirements, risks cannot be seen in context – making it difficult for leadership to make decisions on necessary security investments. Security Analytics can help shed light on what’s important. --Yo Delmar
Yo McDonald at 3/10/2014 6:40 PM