The daily challenge for many IT leaders is figuring out how to deal with a constant barrage of security risks and an ever-growing regulatory compliance landscape.
It's a challenge Alissa Johnson has dealt with throughout her career. Johnson is currently the Chief Information Security Officer (CISO) at Xerox, a post she has held since October 2016. Previously, Johnson was the Deputy Chief Information Officer (CIO) in the White House from 2012 until 2015.
In a video interview with eSecurity Planet, Johnson provides some insight into how she balances governance, risk and compliance (GRC).
Tip #1: Anticipate more compliance regulations
New rules and regulations for IT security and privacy are a common occurrence. In 2018, organizations faced the challenge of figuring out the European Union's General Data Protection Regulation (GDPR), which helped raise awareness of data privacy issues.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"GDPR, like it, love it or hate it, gave us a wake-up call in how people are starting to think about privacy," she said.
Johnson said there is an intersection between privacy and security that GDPR has helped to highlight. From a compliance perspective, she said that it has made IT professionals anticipate that more privacy compliance requirements will be coming (and indeed, one soon followed in California). Johnson said it is inevitable that additional national and state privacy compliance efforts will be coming in the years ahead.
"I think that as a community, we have to continue to anticipate what's to come, so we're not reactionary," she said.
Tip #2: Map existing controls
Given that there are multiple privacy and cybersecurity compliance requirements that a global company like Xerox faces, it already has many different security controls. Mapping existing controls to see how they can be used for different compliance efforts is a key step.
"We found that we had done a really good job at Xerox in terms of our security policies, so if you followed the policies, there wasn't a technology investment that had to be made in terms of GDPR," Johnson said. "We made policy changes and we shored up some areas, but we anticipated correctly."
Tip #3: Leverage tools
At Xerox, Johnson said she has a GRC tool to help the IT organization figure out governance and compliance mandates that need to be addressed and associated risks. Measuring all the variables and seeing how the organization is mitigating and eliminating risk is also part of the Xerox GRC tool. Johnson said she uses a vendor tool that has had some customization for Xerox's specific needs.
She said that by looking at governance, compliance and risk at the same time, with the right technology, it's possible to figure out the right balance and have things work together succinctly.
"Sometimes we do the governance and compliance piece and we miss out on the risk cause we're trying to answer to all the regulatory bodies," she said. "Compliance with regulatory requirements does not equal security."
Tip #4: Embrace AI and automation
Most organizations are challenged by a cybersecurity talent shortage that makes it difficult to accomplish all the tasks needed to improve security and governance, risk and compliance efforts.
"The only way we're going to shore up the talent shortage is by allowing AI [Artificial Intelligence], bots and machine learning to do certain processes for us," Johnson said.
Johnson said automation technologies can be useful for lowering risk-based processing, which can also be useful in helping to improve cyber-hygiene.
"We can definitely have bots that will close ports, remind people of password changes and things like that where I'm spending lots of resources," she said.
Watch the full video interview with Alissa Johnson, CISO of Xerox, below:
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.