itSMF Bulletin June 2023 | Page 16

there’s still no evidence that the control is needed, the Chief Compliance Officer should be willing to sign off on the removal of the control, which can produce immediate savings of time and resources.

Finding Additional Efficiencies

Organizations should plan on conducting the assessment process described above on an annual basis at a minimum of three months before the organization’s budgetary cycle starts. This way, any control gap issues can be identified and incorporated into the budgetary planning process. Similarly, cost savings associated with not renewing solutions from vendors that cannot improve the health of their controls can be added back into the budget.

Organizations should repurpose this control assessment in conversations with their cyber insurance brokers as well. Having a clear perspective of how much residual risk is based on both control effectiveness and control health may drive different choices, including self-insurance against those risks that no longer exceed the organization’s risk tolerance based on healthy internal controls. This disciplined look at control effectiveness should drive cost savings and reductions in cyber insurance premiums.

Finally, companies should plan on reusing the evidence collected automatically when preparing for their internal and external audits. As the evidence is always up to date and being tested regularly, the organization’s confidence that sampling will only uncover minor issues goes up. This reuse of evidence also makes preparing for audits more efficient and less time-consuming.

This end-to-end annual process gives organizations the confidence to lean into the controls that are effective and remediate or remove those controls that are ineffective at their price points. As CISOs and compliance officers are asked to find ways to do more with the same level of resources, a commitment to finding and removing ineffective or unhealthy controls is valuable throughout a company’s growth, not just during a recession.

Kayne McGladrey

Senior IEEE member and Field CISO at Hyperproof

Kayne McGladrey, IEEE Senior Member and Field CISO at Hyperproof, has 20-plus years of experience working with Fortune 500 and Global 100 companies to effectively blend information technology and management acumen to cultivate and build cybersecurity best practices.