As attack and defense technologies become more sophisticated, there's one area that isn't keeping pace: the organization's internal Governance, Risk and Compliance (GRC) team.
Cyber is still a relatively new addition to the purview of the GRC team. As regulators increasingly demand metrics on a business's cyber posture, it is consuming more and more of their time, as well as time from the security team that would be better spent on security itself. Both teams face a range of problems with cyber reporting, which is why bridging the GRC and security divide must become a strategic priority.
Currently, GRC cyber reporting practices are laden with manual processes, which take a lot of time and are prone to a multitude of errors. While many tools such as vulnerability scanners, endpoint protection, SIEM, and IT access control systems have reporting functions, GRC teams often do not have ready access to comprehensive and reliable data from them.
Much like the parable of the blind men and the elephant, many GRC and security teams are only able to test a small sample of security controls, or have siloed visibility into different asset types like devices, accounts, and databases. This disconnect leads to gaps in coverage and misplaced confidence in reporting.
Also, while GRC teams have GRC tools that manage policies, these tools are ill-equipped to take advantage of existing data from security controls to demonstrate that these policies are being followed. Bringing control data into GRC tools also requires cybersecurity experts to capture and input data manually. If you had to categorize the relationship between GRC and cyber, you’d at best have to say: ‘it’s complicated.’
The ideal solution is one where GRC teams can confidently meet regulators' demands in a timely fashion, with data that is collected automatically rather than manually, and where security data is available to them automatically so that every instance of every security control can be assessed completely.
With a consistent, up-to-date view of control deployments, accuracy and confidence are improved, since assessments are based on facts instead of subjective opinions.
What is described here is a shift towards Continuous Controls Monitoring (CCM), which integrates with existing security, IT, and business tools in order to obtain consolidated information on security control posture. However, not all CCM solutions are created equal, and there are a number of critical capabilities to look for in a CCM solution if it is to enable the GRC team to meet regulatory demands more easily, with confidence in their data.
Firstly, it needs to integrate seamlessly with existing tools, to provide access to all of an organization's controls wherever they are located – whether on-premises or in the cloud. By integrating with all security and business systems, the CCM tool can provide a 360-degree view of all controls and their business context at the asset level.
Secondly, it's important to remember that no single data source is 100% comprehensive. A CCM tool must sit on top of existing tooling and ingest data from across security, IT and business tools. It should then use an entity resolution process to clean, normalize, and de-duplicate that data, and then correlate the aggregated data to individual assets. This reconciliation is challenging to implement without an automated tool; done manually, the process is labor-intensive, time-consuming and error-prone.
A CCM tool should also enable the GRC team to quickly identify gaps in controls, check them against policies, and make clear which remediation efforts need to be implemented, prioritized by business impact.
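As an added illustration (not from the original article or any vendor's product), the following Python sketch walks through the two points above: ingest records from several feeds, normalize and de-duplicate them into one record per asset, then compare each asset's observed controls against a policy and order the gaps by business criticality. Every feed, hostname, control name and policy tier is constructed sample data.

```python
from collections import defaultdict

# Constructed feeds: each source names the same machines differently.
VULN_SCANNER = [  # evidence for the vulnerability-scanning control
    {"host": "WEB-01.corp.example.com", "last_scan_days": 3},
    {"host": "db-02.corp.example.com", "last_scan_days": 45},
    {"host": "ghost-03.corp.example.com", "last_scan_days": 2},
]
EDR = [  # evidence for the endpoint-protection control
    {"hostname": "web-01", "agent": "healthy"},
    {"hostname": "HR-LAPTOP-7", "agent": "healthy"},
]
CMDB = [  # business context: which assets exist and how critical they are
    {"name": "web-01", "criticality": "high"},
    {"name": "db-02", "criticality": "high"},
    {"name": "hr-laptop-7", "criticality": "low"},
]
POLICY = {"high": {"edr", "vuln_scan_30d"}, "low": {"edr"}}  # constructed policy
PRIORITY = {"high": 0, "low": 1}  # lower number = remediate first


def normalize(name: str) -> str:
    """Entity-resolution key: lowercase, drop the domain suffix."""
    return name.strip().lower().split(".")[0]


def correlate() -> dict:
    """Merge all feeds into one record per asset, keyed by normalized name."""
    assets = defaultdict(lambda: {"controls": set(), "criticality": None})
    for r in CMDB:
        assets[normalize(r["name"])]["criticality"] = r["criticality"]
    for r in VULN_SCANNER:  # a scan older than 30 days is not evidence
        if r["last_scan_days"] <= 30:
            assets[normalize(r["host"])]["controls"].add("vuln_scan_30d")
    for r in EDR:
        if r["agent"] == "healthy":
            assets[normalize(r["hostname"])]["controls"].add("edr")
    return dict(assets)


def control_gaps(assets: dict) -> list:
    """Return (asset, missing controls), most business-critical first."""
    gaps = []
    for name, a in assets.items():
        if a["criticality"] is None:  # seen by a tool but unknown to the CMDB
            gaps.append((name, ["not_in_cmdb"]))
            continue
        missing = sorted(POLICY[a["criticality"]] - a["controls"])
        if missing:
            gaps.append((name, missing))
    return sorted(gaps, key=lambda g: PRIORITY.get(assets[g[0]]["criticality"], 9))
```

Note that `web-01` appears in all three feeds under different spellings and collapses to a single asset, while `ghost-03` is surfaced as a coverage gap precisely because no business system knows about it.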
While no one should be naïve enough to think that they are 100% secure, regulators have been shown to be more lenient with companies that have experienced security breaches if those companies can demonstrate that they had reasonable security controls in place and were taking due care in protecting their customers' personal data. Aligning security controls with framework standards also lets GRC teams track and report adherence to best-practice standards and regulatory mandates.
Lastly, it’s important to remember the pressure GRC teams are under. Requests from regulators are often urgent. For example, the head of GRC at an American bank told us that a Middle Eastern regulator recently asked them to fill out a 200-point questionnaire in just two days. When working manually, this can put security teams in a very difficult position, at a time when they are already short staffed.
A CCM solution should provide GRC teams with self-service reporting capabilities: access to a common repository of real-time data, from which they can build reports that address any question from regulators in minutes, without having to rely on the security team.
In an ideal world, GRC and security would work together from common data and information, making each of their tasks seamless. This won't happen overnight. CCM can help, but it is not a silver bullet unless the solution ticks the boxes described above; when it does, it can become the common denominator that moves the situation on, so that both teams can work together 'in a relationship.'