Ask the Expert: As we see (and expect) regulatory changes and additions, how should companies adjust?

Michael DeLoach, Solution Consultant at Iceberg Networks and Mitch Blackburn, Global Head of Energy & Utilities Industry Solutions at ServiceNow sat down to answer some more of the questions that they are hearing within the energy industry about how organizations should respond to new and changing regulations. The following is an edited transcript of the conversation.

Michael DeLoach: I would say it’s critical that organizations get a handle on their internal controls. They should be documented and wherever possible, operationalized. They should strike a rhythm whereby they test those controls on a periodic basis. The testing of the controls should be prioritized based on the risks to the controls that are intended to be protected against. The reason I would suggest to focus on internal controls is that as regulations change, having your controls well understood prevents you from having to start with a blank sheet of paper each time new regulations come out. It should be a matter of tweaking your existing controls as the new and updated regulations come out, which is much easier to do if you have them already documented.

Mitch Blackburn: Absolutely. The thing I would add to that is we’re finding more companies gain greater success as they digitize those. And not just digitize the controls themselves, but as they digitize them, one, they’re able to unify them, consolidate them, and find that one control actually solves the issue across multiple regulations, like between Sarbanes-Oxley and NERC. Change control is a common theme between all of those. The other is, as they get digitized, we can now embed those into the work processes, so if an IT person is working on an application change that has to go through change management and that’s part of their normal process, when that control is embedded, it’s now part of their real-time job and therefore part of the real-time reporting, instead of something they’re going to do on a monthly, quarterly or annual basis. It streamlines the overall process, lowers the overall burden, and gives them a better ability to have that real-time view of the risk and any other audit responses.
