Author: Jean-Christophe Gaillard
For regulated industries (which isn’t in the age of GDPR?), blind trust will never be enough, and being able to demonstrate a sufficient degree of due diligence on key vendors will always be essential to defend against any liability in case of a data breach.
Security product consolidation and integration become key factors as the “when-not-if” paradigm around cyber attacks takes centre stage with senior executives and their focus shifts away from risk and compliance towards execution and delivery.
Instead of being treated as another box-checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel, from the top down, a different culture around cyber security.
The current business paradigm, structured by big tech firms over a decade ago, by which individuals willingly provide their personal information in exchange for a service, may be reaching crisis point.
Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors that comes with it. This realisation fundamentally changes the dynamics around cyber security.
In many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders.