Environmental Challenges in Technology GRC
Progress is man’s ability to complicate simplicity – Thor Heyerdahl
As anything grows, gains wider acceptance, and achieves success, it moves from self-regulation to being governed by norms. That success also attracts people who want to profit from dubious exploitation of it, and that, in the end, brings in rules and regulations.
Starting with the early days of electronic technology in the 60s and, more recently, the Internet in the 90s, their adoption has followed a similar trajectory: from research labs to wider use in academia and then into business. And with that adoption came scammers and con artists.
For managers of technology who want to protect their technology assets, this gives rise to three specific challenges:
- The ever-evolving regulatory landscape
- Fast emerging technologies in use by organizations, and finally
- Rapidly changing techniques used by these scammers and con artists.
These three factors lay the foundation for an organization's Governance and Compliance framework.
The regulations are the bare minimum that an organization needs to put in place. The other two factors, the technologies in use in the organization and an awareness of the techniques being used to compromise technology infrastructure, provide guidance on ‘what else’ an organization should do to have a good GRC program.
However, because all three are evolving fast, they do not present a fixed target, and that is what makes the job of designing a good GRC program difficult.
Let’s look at them in some more detail.
The Regulatory Landscape
There are three aspects of the regulatory landscape. First, new regulatory frameworks keep coming up. Second, the existing ones keep changing. Finally, if an organization has multi-jurisdictional operations, then it is subject to multiple such regulatory frameworks.
Let’s look at the beginnings of Technology GRC. Some of the earliest technology governance regulatory frameworks are as recent as 1999-2000. PIPEDA in Canada was one of the earliest. This was followed soon after by HIPAA. The rush of technology governance regulation is however very recent, starting around 2015. And they are still evolving at a fast pace.
If an organization is subject to multiple jurisdictions, whether those jurisdictions are defined by industry, by type of operation, or by geography, it will be subject to multiple regulatory frameworks. This is confusing because these frameworks not only have overlapping requirements, they may also differ from each other in their specifics. That makes it difficult to understand them and to work out how to apply and comply with the overlapping requirements.
The other aspect of multi-jurisdictional applicability is review and audit by auditors and statutory authorities. We have talked to organizations that face as many as 120 audits in a year – an audit every 3 days on average. It can be overwhelming!
The Changing Technology Landscape
We all know very well that technology is evolving at a fast pace. The Internet, online commerce, apps, and tablets have all come about in the last 30 years. They have changed the way we live, interact, and do business.
Organizations are forced to adopt these new technologies and ‘invent’ new ways of doing business.
Every time an organization adds or changes something in the way it does things, it opens a new flank to be exploited. For example: malware, phishing, ransomware, distributed denial of service, SQL injection, cross-site scripting, keyloggers, session hijacking… the list is long. Each one of them came about as organizations introduced new features or capabilities into the way they do business.
This presents a challenge. Every time an organization does something new, which it must do to keep up with its competition, it also has to think about the ways the new thing can be compromised and how to defend it. The more you change what you do, the more you must change how you defend it.
As technology evolves, so do the associated risks, requiring organizations to continuously evaluate and adapt their GRC strategies and programs.
Evolving sophistication of the scammers
The scammers are always “one step ahead”. Ever heard of ‘zero-day exploits’, attacks on a flaw for which no fix yet exists? The term itself underscores this very point.
As I mentioned earlier in this blog post, there are many ways in which scammers will try to compromise an organization’s technology assets.
If you use browsers to deliver your service, there is always cross-site scripting, keylogging, or session hijacking.
If you use apps on a device, there are man-in-the-middle attacks, insecure data storage, and insufficient transport layer protection.
And then there is always social engineering, where they pretend to be you and get your system administrators to give up sensitive information. AI has made it worse. Have you heard that they need only a 10-second sample of your voice to duplicate it? The clone can then pretend to be you and say anything they want it to.
All this is not restricted to audio spoofing. Did you hear how HK$200 million was scammed over a Zoom call in which AI was used to generate an entirely spoofed video call? How do you protect against that?
I am sure you realize how difficult this makes your job of safeguarding your technology assets.
I hope this highlights some of the challenges that environmental factors pose for managers trying to protect technology assets. We need to address these issues, but before we do, we should understand the problem completely.
To that end, I will talk about strategic challenges next…