The latest buzzword to emerge from FinTech is RegTech, which brings with it the promise of technical solutions that keep organisations compliant by raising financial risk management to an effective business process.
Most organisations need to meet certain regulatory obligations set by the government, even if it’s just filing a tax return or submitting an annual report. Yet on top of those requirements, certain industries such as financial services also have their own rules that must be adhered to.
In the financial services sector, there are strict rules as to how organisations operate and behave (covering people, processes and technology), and the rules are clear about what they should and should not do. In many cases, if organisations do not meet these requirements they could be fined or lose their licence to operate. For example, organisations that take and process credit card payments have an obligation to meet the security guidelines published by a consortium of credit card companies, known as the Payment Card Industry Data Security Standard (PCI DSS). If an organisation fails its annual PCI DSS audit, or is breached and found to be lacking in areas of the standard’s implementation, it could have its credit card capabilities revoked until the appropriate fixes have been implemented.
It is for these reasons that the promise of RegTech is getting the attention of the C-suite. With so many obligations to fulfil, organisations are now looking for solutions that give their business a current view of their security status and highlight any residual risk for investigation and response.
It’s easy to hand a compliance requirement such as PCI DSS to the head of IT and expect them to implement and maintain it, but IT teams are not always equipped to understand the nuances of governance requirements. Governance is the framework of organisational behaviours, processes and technology systems that direct, enable and monitor the organisation’s ability to comply with regulatory requirements. Governance does not cover management activities, nor does it ensure that requirements are being met, rather it sets the standards that must be adhered to, leaving the doing to managers in day-to-day operations.
Looking at PCI DSS, again as an example, any organisation adhering to those rules has a strict set of requirements to meet to keep credit card information safe and secure. The governance model adopted by a PCI DSS organisation lays down the processes and practices that should be adopted to meet those requirements. However, security managers and operations managers don’t always have the underlying knowledge and capability to monitor compliance, especially as ICT systems frequently change – patches, upgrades, complex system integration and external influences such as changes in cloud systems can contribute to a loss of compliance.
Managers need to find a way to implement the requirements of a compliance standard, so the governance aspect of their organisation is satisfied and they remain on the right side of an audit, and that is the promise of RegTech.
So let’s look at how a scorecard approach to security can help managers monitor compliance and react in time to fix issues before they get out of hand.
PCI DSS requires that certain underlying requirements be met, such as how security log events are collected and stored, how credit card processing networks are kept separate from corporate networks, and how customers’ personal information should be stored and transferred over the corporate network or the Internet. A security manager’s role is to take these requirements and ensure they are addressed in the systems they protect, typically beginning with an audit or technical assessment of system architectures, then running tests and implementing security controls to meet those requirements. A governance audit at this stage, once the control is implemented, would hopefully pass, since the project has delivered a working solution that meets the requirements set out in the regulatory standard.
The security manager can now move on to other activities, safe in the knowledge that this requirement meets the needs of the governance model the organisation adheres to (since the duties of the security manager role demand it). Three months later, the firewall vendor who provides the system that maintains separation between the payment card network and the corporate network sends the network team an update containing a whole new set of features for remote management. The network team, understanding the value this will bring to their team, follow the internal technical change process and get the update implemented, and everyone is happy.
Now, fast forward to the next PCI DSS audit, and a serious issue is uncovered: the new management software on the firewall has allowed the network team remote access to the PCI DSS compliant network from outside of the organisation, over the Internet. A technical issue in the connection means the browser interface is leaking information. Until this issue is fixed, the company is told it must switch off its firewall management interface, causing major operational issues for the business. The question is, how can the security manager avoid issues like this and ensure the organisation remains compliant with all governance requirements, without spending every minute of every day looking at each control? The answer is RegTech.
Security scorecards are designed to monitor and report on the efficacy of important security controls. They give security managers peace of mind that technology implementations remain compliant and maintain the desired strategic security alignment (i.e. can pass the audit). Scorecards that operate within an organisation’s environment give customers visibility of the status of their security controls. Some technologies even alert upon any changes and reflect those changes in a security dashboard.
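As an added illustration (not code from the article or from any vendor product), the following script shows the core of a control scorecard in the scenario above: each PCI DSS-style control is re-evaluated against a configuration snapshot, and any control that passed at the last audit but fails now is reported as drift. The snapshot layout, control names and field values are constructed assumptions for this example.

```python
# Added example: continuous control scorecard with drift detection.
# Snapshot structure and control names are assumptions made for illustration.
from typing import Callable, Dict, List

Snapshot = Dict[str, object]


def mgmt_not_internet_exposed(s: Snapshot) -> bool:
    """Firewall management UI must listen only on the internal management VLAN."""
    mgmt = s["firewall"]["management"]
    return mgmt["listen_interface"] == "mgmt-vlan" and "0.0.0.0/0" not in mgmt["allowed_sources"]


def cde_segmented_from_corporate(s: Snapshot) -> bool:
    """No rule may permit corporate -> cardholder data environment (CDE) traffic."""
    return not any(r["src"] == "corporate" and r["dst"] == "cde" and r["action"] == "allow"
                   for r in s["firewall"]["rules"])


def logs_forwarded_to_siem(s: Snapshot) -> bool:
    """Security log events must be shipped to central log storage."""
    return s["logging"]["siem_forwarding"] is True


CHECKS: Dict[str, Callable[[Snapshot], bool]] = {
    "mgmt-interface-not-internet-exposed": mgmt_not_internet_exposed,
    "cde-segmented-from-corporate": cde_segmented_from_corporate,
    "logs-forwarded-to-siem": logs_forwarded_to_siem,
}


def scorecard(s: Snapshot) -> Dict[str, bool]:
    """Evaluate every control against one snapshot; True means the control passes."""
    return {name: check(s) for name, check in CHECKS.items()}


def score_percent(card: Dict[str, bool]) -> int:
    """Dashboard figure: share of controls passing, rounded to a whole percent."""
    return round(100 * sum(card.values()) / len(card))


def drift(baseline: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that passed at the audit baseline but fail in the current snapshot."""
    return [name for name in CHECKS if baseline[name] and not current[name]]


# Constructed snapshot: state signed off at the last audit.
AUDIT_BASELINE: Snapshot = {
    "firewall": {"management": {"listen_interface": "mgmt-vlan", "allowed_sources": ["10.10.0.0/24"]},
                 "rules": [{"src": "corporate", "dst": "cde", "action": "deny"}]},
    "logging": {"siem_forwarding": True},
}
# Constructed snapshot: same firewall after the vendor's remote-management update,
# with the UI now bound to the Internet-facing interface and open to any source.
AFTER_VENDOR_UPDATE: Snapshot = {
    "firewall": {"management": {"listen_interface": "wan", "allowed_sources": ["0.0.0.0/0"]},
                 "rules": [{"src": "corporate", "dst": "cde", "action": "deny"}]},
    "logging": {"siem_forwarding": True},
}
```

Running `drift(scorecard(AUDIT_BASELINE), scorecard(AFTER_VENDOR_UPDATE))` names the exposed management interface months before the next audit would, which is the alerting behaviour the scorecard is meant to provide.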