CIOs have mostly ridden out the remote work surge caused by COVID-19. The employees who can work remotely are now safely settled in their home offices and CIOs have systems in place to handle the more distributed access requirements. So what should a CIO turn to next? The answer is simple: re-think your data security program.
With remote workers now accessing a number of cloud services like Zoom, Google Hangouts and Cisco’s Webex, their credentials are more likely to be a target for hackers and cybercriminals. A new report shows the volume of cyberthreats against cloud services has shot up by 630% since the start of the year, with the greatest focus on collaboration tools such as Microsoft 365. A few weeks ago we looked at why this is a good time to build out your data security program and how it can make your organization more efficient. It’s also worth considering what tools you will need for a data security program and the ROI. Building out an effective security program does not have to break the bank. If you already operate a data security program then you will find that using a tool, like the MyVCM platform, can actually help you reduce costs.
[Business Efficiency: the hidden benefit of an information security program]
Here are 5 ways you can reduce the costs of operating your security program:
1. Use one platform to handle multiple frameworks - Many organizations have to measure themselves against more than one security framework. Perhaps, they use NIST CSF as their internal measurement and that is how they built their baseline security program but what happens when they have a customer who is insisting they complete a SOC2? Maybe they also process, or have access to, credit card data, and so PCI DSS comes into play. And let’s not forget that if they operate in different states local regulations like CCPA and the New York Shield Act might also apply. Since individually each of these frameworks may contain hundreds of controls that must be implemented and tracked this can quickly grow to become an unmanageable task. Using a compliance tool, like the Ostendio MyVCM platform, allows organizations to simultaneously build and manage activities against more than 100 industry standards and regulations. In fact, an organization should look for a tool that allows them to select any base framework, e.g. NIST-800 53, and then automatically map every control to any and all other frameworks selected. This means you can build one security program but seamlessly manage multiple frameworks at the same time. No spreadsheets or cross tracking required. You can even extend this feature to your customers’ audit requests by simply mapping existing evidence to their questions. This saves your organization time and money by reducing the duplication required in answering each request individually.
2. Simplify Document Management, Approval and Acknowledgement - We have all felt the pain of sending out policy documents and then manually chasing and tracking confirmation receipts. In some cases this is a legal requirement, and has to be done every time there is a substantive change to the document. Even when no changes are made confirmation may be required annually and you need to track when new people join the company or when employees change roles. The Ostendio MyVCM platform is a fully-blown document management system that ensures the version integrity of every document is maintained and it allows you to automatically track approvals and acknowledgements to both individuals and groups on both a one-time or recurring basis. Once a document is created and approved it can be set up to automatically require acknowledgement. The platform will automatically follow up with those who are non-compliant, track role changes and ensure new employees are automatically included. Your organization will save time and money by using a tool to automate these manual and time-consuming tasks and will also be more efficient.
3. Streamline recurring task management - In order to demonstrate compliance to the 300+ controls that any information security program will have it is essential that organizations implement effective oversight. The Secure Control Framework (SCF) defines CMM 2 as the minimum threshold required to exceed what they call "the negligence threshold". To meet this minimal expectation they stipulate organizations must demonstrate the following:
- Performance of the base practices in the process area is planned and tracked.
- Performance according to specified procedures is verified.
- Work products conform to specified standards and requirements.
Many organizations will try to do this through the use of calendar reminders, service tickets and spreadsheets. Monitoring several hundred controls against hundreds and even thousands of artifacts can be a daunting task, and often well beyond a simple spreadsheet. The Ostendio MyVCM platform not only makes setting up these schedules simple but it automatically assigns tasks to artifact owners, allows for fixed and variable schedules, as well as many other required features such as defining if a task can be performed late or not, whether multiple submission can be made or just one. These features may seem simple, but they are well beyond a regular ticketing tool. The Ostendio MyCM platform then manages all follow ups and reminders and provides simple reports to highlight non-compliance. By automating all these tasks your company will run more efficiently and reduce costs.
4. Look for Auditor Savings - Ostendio established the Auditor Connect program allowing select audit partners to conduct their audit using the information you share through the Ostendio MyVCM platform. There is no need for you to copy data to a third party location saving both you and the auditor significant time and effort since evidence is already mapped and remains current. This can result in a 50% time saving and up to 40% off the retail cost of the audit from any one of our audit partners.. If you are considering an audit you should look for a tool that makes the process cost and time efficient.5. Implement a system for Vendor Risk Management: An article in Forbes indicated that organizations do business with so many suppliers that they often can’t keep track of them. Since many of these vendors may have access to, or may even be hosting your sensitive data conducting effective vendor risk management is essential. The Ostendio MyVCM platform allows you to send automated vendor assessment requests to all your critical vendors, reducing the need to chase email responses, view data on different spreadsheets and track versions. Use vendor risk templates and automated risk scoring to allow you to focus on non-performing or higher risk vendors.
The Ostendio MyVCM platform has many more modules that can contribute to reducing the overall effort of managing your security program including Learning Management, Asset Management, Vendor Management and Ticket Management. Even just focusing on the five I have outlined above it is clear to see how this can translate to significant operational savings for your business. Go to the Ostendio ROI calculator here to calculate how much you can save by using the MyVCM platform to operate your security program.
If you have any questions about building a data security program or how it could save your company money speak to an expert at Ostendio. Ostendio has been helping companies with their risk management and compliance programs for over 7 years. We’re happy to offer advice and show you how easy it is to build, operate and showcase a compliance program using the MyVCM platform.