

Governance, Risk, and Compliance (GRC) can stir up a lot of emotion in people. It’s a technology and process that has been around for decades yet has not aged well. Many years ago, teams had the manpower and time to dig in and understand the policies and controls of frameworks in conjunction with their environment. The reality is that legacy technology, outsourcing, and workforce reduction have spurred a new reality of check-box compliance. Lean teams, difficult-to-use technology, and the constant growth of cybersecurity and industry regulations have teams racing through the controls too quickly just to show evidence, so they can move on to the next task they are managing.
I would like to shift our perception of GRC in a few ways to make it the true overseer of the environment. Not so much a governor, but a coach.

A Coach with…
• Support from Leadership, top-down and clear alignment to business goals in its utilization.
• Ownership in association to controls and risks. This allows for clarity and accountability.
• Organizational Commitment as emerging trends and regulatory changes will require agility and endurance.
Every coach needs a game plan to work with and for GRC; those are your frameworks – i.e. NIST, ISO, PCI, CMMC. Even organizations that are not regulated typically adhere to a framework, or they should as a best practice. These frameworks were designed to help organizations align to a set of known standards depending upon their business function. The intent was never for organizations to check a box but rather to use them to improve the security posture of an environment to meet the security challenges of today’s world. By doing so, they can help accelerate the business goals, objectives, and growth.
Here are ways you can help transform your GRC program beyond compliance checks and into a valuable operational and business decision making tool.
Evaluations/Assessments: Often a missed opportunity. Every sport has an off season, and when the next season spins up all the players are re-evaluated. In business there is never an off season, so there should be continual re-evaluations throughout the year, ideally in a few different forms such as business impact analysis, incident response tabletops, pen testing, cloud security reviews, etc., to better assess the health and resiliency of the organization. These all contribute to a distinct analysis of communication, controls, policies, and procedures that can feed into the frameworks for greater clarity and transparency.
Ownership: Easily one of the greatest outcomes a GRC program can deliver. Today’s businesses are made up of various teams and supporting roles. Many businesses offload aspects to contractors or third parties. GRC will track ownership for different controls and risks to allow the business to make more informed decisions. Knowing who owns what allows for direct communication to understand the challenges the owner is facing and whether it’s an acceptable risk, or to get clarity on why a remediation has not occurred. Additionally, for those organizations leveraging contractors and third parties, it accounts for mapping and auditing their access, roles, and areas of ownership to ensure those relationships and dependencies meet the business’s expectations and regulations.
Technology Advancement: It’s fascinating to me how many people see GRC solutions as ineffective, time consuming, and arduous to manage. I will certainly agree many of the legacy vendors have not made some aspects easy. However, there is a new type of GRC technology developed in the last several years that is pushing the envelope on innovation and ease of use over many of the legacy vendors. Shift to a model that works smarter, not harder, leveraging built-in asset, control, and risk mappings, with evidence reuse across various regulations. The controls and associated mappings inherently expose gaps and inconsistencies within the environment. Many of the controls in the frameworks are best practices that a lot of organizations struggle to execute for one reason or another. This is why I believe a GRC program is critical to the risk strategy of the business.
These will enhance how the business can improve upon its risk strategy:
Continuous Control Monitoring (CCM) for automated evidence collection and validating controls. This is only for areas where cloud-based delivery solutions are used. For many organizations this can mean a significant amount of automated collection.
Additional benefits of CCM:
• Detecting inappropriate user access privileges or control failures as they happen.
• Re-enforcing accountability, consistent execution, and adherence to policies, fostering stronger internal controls.
• Data driven decision making by identifying trends in operational inefficiencies before they get out of control.
Risk Registers understand and record all areas of risk. Knowing its areas of weakness makes an organization stronger, because it knows where to increase protections or monitoring. Risk Registers also align with ownership: who is internally responsible for and most knowledgeable about the risk to the business. This allows the business to track and monitor risks in accordance with the business’s goals and objectives, guiding the best use of spend associated with risk buy-down.
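As an added example (not code from the original post or from any GRC vendor), here is a minimal continuous control monitoring pass in Python that ties the CCM and Risk Register points together: one constructed identity export is evaluated against controls mapped to several frameworks, so the same evidence is reused for each regulation, and failures are rolled up by owner into a risk-register view. The account fields, control ids, owners and framework mappings are assumptions made for illustration, not an authoritative crosswalk.

```python
from datetime import date

# Constructed sample evidence, shaped like an identity-provider export a CCM
# collector might pull; the field names are assumptions made for this example.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "last_login": "2024-05-01", "contractor": False},
    {"user": "bob", "privileged": True, "mfa": False, "last_login": "2024-05-02", "contractor": False},
    {"user": "vendor-svc", "privileged": True, "mfa": True, "last_login": "2024-01-10", "contractor": True},
    {"user": "carol", "privileged": False, "mfa": False, "last_login": "2024-04-28", "contractor": False},
]

# Each control carries an owner (for the risk register) and an illustrative mapping
# to several frameworks, so one evidence collection is reused for each regulation.
CONTROLS = [
    {"id": "IAM-01", "owner": "identity-team",
     "title": "Privileged accounts use MFA",
     "maps_to": {"NIST CSF": "PR.AC-7", "ISO 27001": "A.8.5", "PCI DSS": "8.4.2"},
     "fails": lambda acct, today: acct["privileged"] and not acct["mfa"]},
    {"id": "IAM-02", "owner": "vendor-management",
     "title": "Third-party accounts are reviewed within 90 days of last activity",
     "maps_to": {"NIST CSF": "ID.SC-4", "ISO 27001": "A.5.22"},
     "fails": lambda acct, today: acct["contractor"]
     and (today - date.fromisoformat(acct["last_login"])).days > 90},
]

def run_ccm(accounts, controls, as_of):
    """Evaluate every control against the evidence as of an ISO date.
    Returns (findings, register): one finding per failing account, and the
    failing control ids grouped by owner, which is the risk-register view."""
    today = date.fromisoformat(as_of)
    findings = []
    for ctrl in controls:
        for acct in accounts:
            if ctrl["fails"](acct, today):
                findings.append({"control": ctrl["id"], "owner": ctrl["owner"],
                                 "user": acct["user"], "frameworks": ctrl["maps_to"]})
    register = {}
    for finding in findings:
        register.setdefault(finding["owner"], set()).add(finding["control"])
    return findings, register

def framework_status(findings):
    """Roll the same findings up per framework: the requirement ids now failing."""
    status = {}
    for finding in findings:
        for framework, requirement in finding["frameworks"].items():
            status.setdefault(framework, set()).add(requirement)
    return status
```

Running `run_ccm(ACCOUNTS, CONTROLS, "2024-05-10")` flags the privileged account without MFA and the contractor account not reviewed in over 90 days, each attributed to its owner, while `framework_status` shows which NIST, ISO and PCI requirements that single evidence run affects.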
To optimize is to audit. The word audit is another word that fills people with dreadful thoughts of long-drawn-out methods and time-consuming menial tasks.
This is another aspect where I would like to change the narrative. Going back to sports, when a game is over, win or lose, the coach and team watch film to see how they can improve or what can be done better. So, the next time you hear audit, think about it in the context of a process used to improve the business posture, not something that creates an abundance of work with a pass/fail delivery. Instead, consider how using it will make the organization’s policies and controls more effective, leading the way to a stronger and more secure business posture.

Areas in which to further expand the objectives of GRC. *Note both TPRM and AI Governance are very comprehensive spaces that warrant their own independent conversations.
Incident Response Plans: The business is in the game 24/7/365. GRC will bring focus to areas of weakness, risk levels, and ownership. It’s essential you have IR plans in practice, so your teams have procedures and communication channels to lean into when threats come in.
Third-Party Risk Management: Our interconnected world heavily promotes use of third-party relationships in association with business growth. The importance of vendor management and posture monitoring is becoming a critical area of the business’s brand, compliance, and resiliency. TPRM comes in a few different forms, both in GRC platforms and point solutions.
AI Governance: This technology is in heavy growth mode with many similarities to GRC attributes – continuous control monitoring, risk register, audit trail, and compliance mapping. In most cases, this will be a separate tool that will feed evidence and results into your GRC solution for overall visibility.
A GRC program can bring tremendous value and impact to business decisions if properly developed and consumed.
• GRC should be considered the “Coach” of the environment.
• It helps organizations align to industry frameworks.
• Extends assessment findings into policies and controls.
• Identifies control and risk ownership – internally and externally.
• Records and prioritizes risks, for more informed business decisions.
• Implements policies and controls in adherence to regulation frameworks.
• Uses continuous control monitoring for consistent adherence and resilient controls.
• Optimization with internal auditing to ensure controls are functioning as expected and address any inconsistencies.
If you haven’t yet implemented a GRC program or are struggling with your current deployment, Sayers is able to help build or grow the right “Coach” for your organization. Please reach out to hello@sayers.com for more information on GRC, Assessment options, TPRM, or AI Governance.


