
Addressing cost and complexity in cybersecurity compliance and governance – CRN


By Brijesh Balakrishnan, Vice President & Global Head of Cybersecurity Practice, Infosys

In 2025, global end-user spending on information security will climb 15 percent to $212 billion, according to a leading market intelligence firm. As enterprises deploy more technologies in more use cases, protecting the business from cybersecurity threats is a critical priority. But it is also becoming harder to keep up with a growing body of regulation (think GDPR, HIPAA, PCI DSS), which in 2024 saw major additions including the European Union’s Network and Information Security Directive 2 (NIS2), the EU AI Act, Singapore’s Operational Technology Cybersecurity Masterplan 2024, and new orders under the U.S. National Cybersecurity Strategy.

What’s worse, organisations are hamstrung by gaps in governance capabilities. Our 2022 Cloud Radar survey found that 40 percent of organisations lacked adequate cloud governance policies, which hurts both security spending and risk exposure. Weak governance leads straight to non-compliance and, potentially, to security breaches, financial loss, reputational damage, penalties and lawsuits, in an evolving ecosystem of regulations and standards across industries and geographies. Much of this can be averted with a streamlined approach to cybersecurity compliance, risk management and governance.

Cybersecurity governance provides a framework for enterprises to interconnect their security, risk management, compliance and business goals across people, processes and technology. Governance facilitates compliance with regulations and standards and improves the management of security risks. Effective governance is not just about drafting policies in a rulebook; it is a constant exercise in adapting the organisation’s security measures, policies and controls to an evolving threat landscape, guided by the cyber risk management metrics that matter most.

Policies, processes and people

The road to compliance and governance involves a number of steps, starting with a risk assessment of the enterprise IT landscape to identify vulnerabilities and remediation measures. Next comes the setting up of clear policies and procedures, for example how to encrypt data, respond to adverse events, manage identities and access, and so on. Finally, enterprises should continuously monitor and maintain a comprehensive view of the state of their cybersecurity controls and critical cyber risks, ensuring they remain compliant with all applicable laws.

But ultimately, it is people who are responsible for governance, starting from the top. The role of senior executives is to provide leadership and resource support to cybersecurity programmes, driven by the increased board focus and accountability expected in emerging regulations and standards. Employees across the ranks need to be trained in cybersecurity practices and made aware of their responsibilities towards security, compliance and governance. There has to be an effective mechanism for ensuring compliance and assigning accountability, and at the same time a communication, feedback and recognition process that encourages employee involvement. Most importantly, organisations should think of cybersecurity not just as a compliance requirement but as a way to strengthen integrity and ethical behaviour, and as a business enabler and market differentiator.

Technology is key

Advanced security solutions automate routine tasks to reduce the burden on compliance teams, lowering cost, improving speed and eliminating manual errors. GRC (governance, risk and compliance) platforms can integrate with existing systems to provide a single, real-time view of risk and compliance across the enterprise, enabling the relevant personnel to make timely, informed decisions. Organisations can proactively safeguard their data and assets by addressing risks early, and scale compliance initiatives to keep up with growing regulatory requirements.

Efficiency apart, technologies such as artificial intelligence (AI), machine learning (ML), cloud and blockchain are making cybersecurity operations smarter. AI and ML can identify anomalous patterns indicative of potential threats in real time and recommend mitigating actions. Cloud provides the storage and computing infrastructure to house GRC data and applications, and the scalability to expand cybersecurity operations across business entities and geographies. Blockchain can provide a transparent, tamper-evident, append-only record of GRC data and transactions that is straightforward to audit, though it attests only that a record has not been altered since it was written, not that what was written was accurate.

Universal problem, unique solution

The need for cybersecurity compliance and governance is universal, but each enterprise needs to craft the strategy that is right for it based on its objectives, size, resources, nature of business, the compliance obligations of the jurisdictions in which it operates, its technology landscape, and so on. That said, every organisation would benefit from a clear cybersecurity vision outlining priorities, risk tolerance and the assets that must be protected, as well as a clear assignment of roles and responsibilities. Cybersecurity compliance and governance should also be embedded within business operations and organisational culture if they are to achieve their purpose.
