In an era marked by escalating cyber threats and complex regulatory landscapes, the role of IT Governance, Risk Management, and Compliance (GRC) has never been more crucial. Preeti Singh, Director of Information Security and GRC at OSTTRA, explains how organizations can ensure that their IT governance frameworks are prepared to navigate these challenges effectively. With cybercriminals generating substantial economic damage and regulatory requirements becoming increasingly stringent, Singh stresses the necessity of robust IT GRC practices to protect sensitive data, ensure compliance, and maintain organizational resilience. In this discussion, she shares insights into the evolving landscape of IT GRC in India, explores the impact of recent regulatory changes, and outlines strategies for enhancing data protection and mitigating IT risks in a rapidly changing digital environment.
TAM: How much headway has IT GRC made in the Indian market? What factors are driving the increasing importance of IT GRC in India today?
Preeti Singh: Did you know that cybercriminals generated almost $1.5 trillion in recent years? To combat this, India is investing around $4.7 billion in cybersecurity in 2024, with an expected year-on-year growth of 18%. By 2029, the cybersecurity management market is projected to expand to nearly $11 billion. This highlights the critical need for effective governance, risk management, and compliance (GRC). Effective GRC is not just an operational necessity; it is a strategic enabler for sustainable growth and resilience in businesses. By investing in GRC, organizations not only safeguard against potential risks but also build trust with their customers and stakeholders.
GRC helps companies manage global cybersecurity standards and meet regional regulatory requirements. For instance, while India’s privacy bill is still in progress, the US has its own privacy regulations, and the UK and European nations adhere to GDPR. In Indian banking, compliance includes IRDI, and in the UK, new regulations like DORA are emerging. GRC facilitates the evaluation and compliance with these diverse regulatory needs based on different regions.
IT GRC is not merely about meeting requirements; it is about fostering a culture of continuous security improvement and ethical integrity within organizations. This includes managing data privacy, cybersecurity, and ethical practices among employees to ensure the protection of data and assets.
GRC has become essential for every organization. Effective information security teams are crucial for establishing the right policies and procedures, but a good GRC team is necessary to implement these policies with discipline. The importance of GRC is recognized across various sectors, including financial institutions, banking, and insurance, and it is increasingly being implemented in other industries as well. In summary, GRC is vital for driving sustainable growth and resilience in organizations by ensuring robust security and compliance practices.
TAM: Can you discuss the impact of recent regulatory changes on IT GRC practices in India?
Preeti Singh: IT GRC is increasingly vital in the rapidly evolving digital and cybersecurity landscape. Indian regulatory changes significantly impact IT governance, risk, and compliance practices, emphasizing the need for robust risk methodologies, regular scanning, and frequent assessments.
The Digital Privacy and Data Protection Act in India enforces strict data handling requirements, compelling companies to continuously upgrade their data protection measures. Regulations such as IRDI, and other IT mandates require rigorous cybersecurity measures to prevent data breaches and cyberattacks. These regulations are closely linked with IT GRC, which governs how security frameworks are implemented, assigns roles and responsibilities, and ensures compliance with mandatory requirements.
These regulations stress accountability and transparency in corporate governance, necessitating detailed compliance reports from organizations. They also mandate regular monitoring of incidents and require timely reporting to regulators if any incidents occur. Without effective governance, meeting these regulatory timelines becomes challenging. Regulators may impose penalties for security breaches, which can be substantial, sometimes up to 2% of a company’s global revenue, as seen with GDPR.
To avoid such financial penalties, effective GRC is crucial. It helps organizations track compliance, submit reports on time, and conduct regular risk assessments to identify potential issues early. This proactive approach safeguards companies from data breaches and significant financial losses.
TAM: What are the most significant IT risks that organizations in India are currently facing? How can companies effectively identify, assess, and mitigate these IT risks?
Preeti Singh: There are numerous risks in cybersecurity today, but a few are particularly concerning. One major issue is the use and vulnerabilities of generative AI. Another critical concern is the complexity of regulatory requirements and the potential breaches of those regulations. Business disruptions caused by cyberattacks are also a significant risk, as advanced technologies are not only enhancing our defenses but also those of hackers. Phishing emails, once easily identifiable, have become increasingly sophisticated and difficult to distinguish from legitimate messages. As a result, phishing risks have grown.
Employees remain one of the weakest links in cybersecurity, often unwittingly exposing their organizations to threats. To address these issues, effective governance, risk management, and compliance (GRC) are crucial. Here are some key strategies to mitigate these risks:
- Implement a Risk Management Framework: Establish a robust risk management framework that includes timely risk assessments, appropriate controls, and regular reporting. This helps identify and address open risks within the organization.
- Regular Scanning: Continuously scan crucial systems, network devices, and internet-facing applications. Address any vulnerabilities identified during these scans, focusing particularly on critical and high-level vulnerabilities.
- Access Control: Use multi-factor authentication to enhance access security. This adds an extra layer of protection to sensitive information beyond traditional access controls.
- Adhere to Industry Standards: Follow established standards such as ISO 27001, PCI DSS for payment data, and the NIST framework. Ensure compliance with these standards and that their controls are effectively implemented.
- Utilize Risk Management Frameworks: Apply industry-specific risk management frameworks to support comprehensive risk management. These frameworks aid in timely risk identification, mitigation, and reporting to regulators if required.
- Establish Policies and Procedures: Develop and implement strong policies and procedures that address risk management. Ensure these policies are integrated across all functions within the organization, including people, technology, and infrastructure. Align procedures with policy objectives to ensure effective information security risk management.
By focusing on these areas, organizations can better manage IT risks and strengthen their cybersecurity posture.
TAM: With the rising importance of data privacy, how are Indian organizations addressing data protection within their IT GRC frameworks?
Preeti Singh: We are increasingly prioritizing data privacy within our Governance, Risk, and Compliance (GRC) framework by aligning with GDPR and the Data Privacy Act requirements from various nations. To ensure compliance, we implement robust encryption methods for data at rest and in transit, enforce strict access controls with rule-based permissions, and conduct regular security assessments and internal audits during risk evaluations. These measures help us identify and address gaps in personal data protection requirements promptly.
We also have a clear incident response plan in place to manage data breaches effectively. Employee training is a crucial component of our strategy, as it educates staff about Personally Identifiable Information (PII) and underscores the importance of its protection. Data minimization is a critical aspect of privacy standards, and we have implemented policies that limit data collection and retention to reduce potential exposure.
Furthermore, we ensure that our vendors and third-party partners comply with privacy standards through stringent contracts and regular assessments. We conduct thorough security evaluations during vendor onboarding and apply various security controls that align with GDPR and privacy standards. Collectively, these measures enhance data privacy and secure sensitive information in accordance with established privacy standards.
TAM: What best practices should Indian organizations adopt to strengthen their IT governance frameworks?
Preeti Singh: Developing a comprehensive IT security framework involves the following steps:
- Define Roles and Responsibilities: Establish a matrix detailing who is responsible for implementing and managing these policies. Ensure that everyone in the organization knows their specific roles and responsibilities.
- Policy Rollout: Distribute your policies across the organization. These policies should be visible and applicable to all employees, not just those in IT. Everyone should understand what is expected of them regarding device management, workspace security, and organizational entry.
- Conduct Regular Risk Assessments: Build a framework for regular risk assessments to identify potential cyber threats and vulnerabilities. Proactively manage these risks within defined timeframes.
- Continuous Monitoring and Audits: Implement ongoing monitoring and internal audits for critical systems and IT processes. This helps ensure systems remain secure and up to date.
- Employee Training and Awareness: Develop a robust employee security awareness program. New hires should receive training on security protocols, with regular refresher courses for all staff. Tailor training to specific roles, such as executives, analysts, developers, and administrators, to address their unique risk exposures.
- Vendor Management: Given the reliance on third parties, establish a strong vendor management framework. Ensure vendors adhere to security standards and regularly assess their compliance.
- Incident Response Planning: Prepare for potential cyberattacks with a well-defined incident response plan. This will help your organization quickly recover from incidents.
- Stakeholder Involvement: Involve all relevant stakeholders in the GRC framework. Ensure that everyone understands their role in governance, risk management, and compliance.
- Leadership Engagement: Conduct regular committee meetings with leadership to review the security landscape and future risks. Align information security objectives with organizational goals and ensure the infosec management committee reports to the board.
By adopting these practices, organizations can build a robust IT governance framework to effectively manage and mitigate cybersecurity risks.