Corporate Compliance Insights
Raising the Stakes: Preparing Your Organization for Today’s Growing Security and Compliance Risks

by Corporate Compliance Insights
June 1, 2017
in Featured, Leadership and Career
Q&A with Steve Durbin, Managing Director, Information Security Forum

Today, Steve Durbin, Managing Director of Information Security Forum, stops by to share his insights on coming shifts in compliance given a host of ever-increasing cyber risks. Steve offers his thoughts on some of the prickliest business and regulatory risks and a bit of guidance on how organizations can manage them.

Maurice Gilbert: How did you get started on a career in security and compliance?

Steve Durbin: Quite by accident – my career has tended to focus on working in or with fast-growth organizations. I was at Gartner for a number of years and built out a global consultancy business there; I worked at EY with some great fast-growth, entrepreneurial companies; and my interest has always been in trying to anticipate evolving and emerging challenges that businesses must deal with to be successful. So, I came to security very much from a business perspective – my background is in marketing and business growth – and viewed it as a fast-growth area that was still relatively immature but would be going through explosive change in the future. So far, that has certainly proved to be the case, and given the changes in the roles of chief security officers and, increasingly, chief compliance officers, I have found that my business-based approach and experience continues to position me well to assist business leaders in anticipating emerging trends and looking at how they might deal with them in a practical manner that supports the strategic growth of the business.

MG: Who helped shape your views?

SD: Too many to mention – I have always been a fan of entrepreneurial leaders, irrespective of the size or scope of the businesses they lead. Similarly, I have an aversion to purely following the “teachings” of one individual; it’s far too limiting in today’s business world, where some of the best ideas actually come from the youngest and freshest employees or people that you have the good fortune to meet, sometimes by chance. I recently got some great insights on communicating security challenges from a Boston cab driver, for instance; my sons give me practical insights into how technology is used by millennials; the simplest of casual conversations can sometimes cause a lightbulb moment that makes me think “so that’s the answer, let’s try it and see if it works.”

MG: How do you stay current on ethics and compliance issues?

SD: I have the great fortune of working with and meeting, often on a daily basis, many of the smartest – and most overworked – professionals in this space.  At the ISF, we are constantly challenged by our Members – many of which are Fortune multinationals – to come up with insights into how these issues affect global business, and that obviously requires both currency in the issues and a pragmatism to approach the issues with a solution-led perspective and approach.

MG: What are some of the significant issues facing Chief Compliance Officers, Risk Managers, etc.?

SD: Some would say there is no shortage here! For me, I think there are two. The first is the ever-increasing burden that compliance is placing on an organization. Cyber is an emerging space, and with it comes emerging legislation, which can generate an enormous burden for a multinational business just in terms of remaining current, let alone compliant. One that jumps out at the moment would be the EU’s General Data Protection Regulation (GDPR). Getting a business in shape for the GDPR is a massive undertaking for most businesses, since it requires a complete understanding and tracking of all data related to an EU resident across the enterprise, including third parties, before you can begin to think about compliance. And that leads to the second issue for me, which is just how do you remain current and compliant? There are still only 24 hours in a day, and businesses have finite resources to dedicate to these issues.

MG: How do you see the Chief Compliance Officer role evolving within the next three years?

SD: Well, one thing that is for certain is that the role will continue to evolve. I do see a need for specialization and an increase in collaboration with other business leaders. And if we think about that for a moment, that may well lead to a ring-fencing of audit vs. business-based compliance, if I can put it that way. So, increasingly, I believe that compliance will need to focus on helping the business to deliver the strategy in a very practical manner. Cyber is all-pervasive – it touches every part of the business, and compliance will need to follow. I am thinking in particular here of working with business departments on risk and compliance management and employee education, and I’m not talking about an annual compliance “test,” but about the day-to-day evolution of an individual’s role – perhaps working with marketing departments in providing guidance on what can and cannot be communicated. This is all in addition to the day job, which involves remaining current on relevant laws and regulations, monitoring compliance with them alongside internal policies and so on. I see Compliance Officers necessarily needing to become well-rounded business professionals, with very high communication skills, able to translate strategy into delivery with colleagues whilst providing constructive insight into how to achieve the business goals in an increasingly compliance-focused world.

MG: What do you see as the greatest business risks facing companies today?

SD: The risk of being left behind, of missing the next great business opportunity.  We are becoming risk averse in business, and we are being driven there by an increased compliance focus which, if interpreted incorrectly, is stifling free thinking and entrepreneurial business practices.  To be successful today, a business must be agile; it must take risks, and I think too many business leaders are being encouraged to run their businesses in a risk-free manner.  Of course, it is understandable when every mistake is examined in minute detail and is increasingly met with a coach full of lawyers and litigators, but we need to recognize that a cyber-enabled business is one that is founded on risk management.

As soon as you cyber enable a company, you are managing risk – risks from ransomware, risks from an overdependence on the internet for business transactions, risks from cybercrime, from automated misinformation and from legislation which, whilst sometimes well-meaning, can create more potential problems than they solve – I am particularly thinking here of requirements for the collection and storage of vast reservoirs of data by communications providers which provide an Aladdin’s cave of opportunity for a cyber hacker or criminal looking to expose an organization’s secrets.  The assessment of these risks, the management of these risks and the determination of an appropriate and effective way of achieving the most appropriate risk posture for a business in light of these and other risks are key.

MG: What do you see as the greatest regulatory risks facing companies today?

SD: Certainly, the growth in the number of regulations and, sadly, the inconsistency of legislation across jurisdictions. This is a problem for any multinational organization. There are few globally consistent regulations in cyberspace, and this is something that we must move to address. The EU GDPR will go some way to achieving this with its coverage of the privacy rights of EU residents and its truly global reach and implications, but it is just one example. Compliance officers around the world are continuing to face challenges in dealing with ever-changing and growing regulations. The Thomson Reuters Cost of Compliance 2016 report estimates that more than one-third of firms surveyed continue to spend at least a whole day every week tracking and analyzing regulatory change. That is down from 2015, but still a significant burden.

MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?

SD: I think remaining current is one of the challenges here, but also understanding the implications of these risks on the business is, for me, critical. Doing that is, of course, easier said than done, and that is why so much time is taken up in tracking and analyzing regulatory change. That aside, a solid understanding of how these risks could impact the business is essential. And in this regard, there is a need for consistent understanding across the organization of the risks and the role that each and every individual has to play in mitigating such risks. The compliance function is increasingly becoming the arm of change in the enterprise, responsible not just for compliance at the highest level in the business, but also for making sure that each individual understands the role that (s)he has to play in achieving and maintaining such compliance – and why. Effectively communicating personal responsibility and the role of the individual is the key to turning what is sometimes seen as the weakest link in the compliance chain – people – into the strongest link.

MG: How does the Information Security Forum help member companies mitigate risk?

SD: In two ways.  First, we produce an annual threat report that looks out two years to provide our members with an emerging perspective of the challenges that will be facing them over the coming two-year forecast period.  This is used by many as input into their strategy and risk management activities, often in conjunction with our threat radar tool, and I believe it is increasing in importance.  The second area is in our risk assessment approach, IRAM2, which provides members with the ability to identify emerging threats and vulnerabilities, assess the risk, often at a department or even application level if required, and to subsequently put in place a risk mitigation treatment that both addresses the risk and is also in line with the overall corporate risk appetite.  Both of these are core tools that can be used to mitigate emerging risks, and we are seeing a definite increase in their application across the global membership.

MG: You recently released Threat Horizon 2019. What do you see as some of the most significant compliance risks that Chief Compliance Officers should be prepared for over the next two years?

SD: Threat Horizon 2019 deals with three emerging themes: disruption, distortion and deterioration. Whilst the first two deal with issues such as fragile connectivity, an overdependence on the internet and ransomware, along with a loss of trust in the integrity of information upon which we are increasingly dependent, it is the third theme that really is of particular relevance to Chief Compliance Officers.

This theme of deterioration looks at the impact when controls are eroded by regulations and technology. Rapidly advancing intelligent technologies and conflicting demands for both heightened national security and individual privacy will inadvertently erode an organization’s ability to control information. Surveillance laws designed to secure nations against adversaries, new regulations protecting individual privacy and intelligent systems that make their own decisions will inhibit an organization’s ability to protect its assets and people. An organization will need to take steps to manage emerging risks in a complex regulatory and technological environment. However, while many factors will be beyond the direct control of the organization, business, security and compliance leaders can prepare to address these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce that is ready for the adoption of advanced technology in a highly regulated world.  Many of these tasks will fall upon the shoulders of the Compliance Officer, whether from a leadership or participation standpoint.

MG: What new service offerings have you recently announced and do you have in the queue?

SD: The ISF is committed to providing our members with timely insight and tools that enable them to understand and manage the challenges that we all face in running effective businesses in a cyber-enabled world.  Some of the more recent announcements include our guide to the EU GDPR – we are also running a number of workshops on this for members all around the world – and a new report on threat intelligence.  Businesses are constantly making decisions on how to manage cyber risks.  Requirements-driven and skillfully crafted and employed, threat intelligence informs these decisions and enables actions that equip the organization not only to react to today’s threats, but also to prepare for tomorrow’s.  This report equips an organization to gain maximum value through the effective production and use of threat intelligence, along with the examination of practical considerations (including organizational structures, use of technology, collaboration with partners and outsourcing) for implementation.

But what we have also found is that our members are increasingly time poor, so we have introduced a range of consultancy services which members are able to use as a wraparound to our products to get some of the issues I’ve been talking about – such as the management of risk and the assessment of threat applicability, for instance – implemented and embedded in their organizations.  ISF consultancy is all about helping our members get added value from the ISF. Our aim is to come in, do the work and get out as quickly and as cost effectively as possible, having made a positive, quantifiable difference to our members’ ability to operate a world-class cybersecurity function.

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.


Tags: Cyber Risk, GDPR