Top security challenges: data accuracy in GRC reporting
October 13, 2020
We recently released a new GRC Peer Report looking into the interactions between financial services companies and regulators. The key findings of this report suggest, among other things, that there is a lack of data accuracy in GRC reporting. The study surveyed 200 senior risk and compliance professionals working at large financial services companies in the US and UK.
In the foreword to this report, renowned IT Security and Risk Management thought leader Andreas Wuchner said: ‘The fundamental foundation from which a company can build an effective, risk-based cybersecurity programme is instant access to trustworthy data.’
It is problematic then, that GRC leaders do not fully trust their security data. That leads to financial services organisations providing information to the regulator that could be incomplete, out of date, or based on subjective assumptions from sample data. It’s not just about reporting to the regulator, though. The same holds true for the security reporting within the organisation itself, meaning these leaders will be unable to fully understand and combat internal cyber risks.
Perhaps that has been standard procedure for some time, but that type of GRC reporting doesn’t support any actual, measurable reduction in security risk.
The report found that data accuracy (or lack thereof) is the top challenge for risk and compliance teams, with 35% of respondents saying so.
On top of that, only 39% are very confident in the accuracy of the security data provided when answering a regulatory request. 54% are somewhat confident. While it shows a degree of confidence, it is hardly an exciting prospect to think that over 60% of security leaders aren’t very confident in the security data they’re providing to regulators.
Why is this a challenge?
So, what are the key challenges when it comes to data accuracy in GRC reporting?
At a basic level, as with many security and compliance challenges, organisations lack a complete asset inventory. In order to fully ascertain whether the policies (whether internal or external) and controls you have established are in place and working effectively across the organisation, it is essential to establish and maintain an accurate asset inventory. Ideally, that inventory would also establish relationships between assets, whether they are devices, people, accounts, applications or vulnerabilities.
Many traditional GRC and IRM tools could be holding you back. While typical GRC tools allow teams to manage policies, they aren’t able to prove that those policies are being followed. GRC tools can be reliant on qualitative questionnaires that build an approximated picture of compliance from representative samples, rather than hard data from a range of security tools deployed in the organisation.
They may capture quantitative data analysis, but this data must be input manually. This additional challenge of manual data input has an inherent potential for bias and human error. To really highlight that, I actually wrote ‘eroor’ in my first draft of this blog.
GRC tools have not traditionally been designed to ingest and manage large data volumes from hundreds of tools, which means that they often rely on data sampling in order to work at scale. But ingesting that full volume of data is exactly what is required if one wants to have a consolidated view of all the controls in place to protect every asset type across the organisation.
We can see from the report that some issues with data accuracy could stem from some of the other challenges that risk and compliance teams are facing. 26% of respondents highlighted the length of time taken to get information from the security team – a challenge in itself, but one that has a knock-on effect on data accuracy. Such requests can be an overload on security teams, who already spend over a third of their time on reporting. If reports and information take too long to get to the GRC team from the security team, by the time those reports are re-purposed and sent to regulators, chances are the data in them will be out of date.
All this is compounded by the advent of new and stricter than ever regulations. To take an oft-used example, MAS Notice 655 Cyber Hygiene for banks in Singapore (effective August 2020) requires that controls are to be in place ‘on every system’ (whether that is malware protection, patches for discovered vulnerabilities, or compliance with internal security standards). Previously it would likely have been enough to simply have a control or tool in place in the organisation, but it is entirely different to demonstrate that that control or tool is working as intended on every asset in the estate.
While this regulation is relatively new, anecdotal evidence (that is to say: conversations with cybersecurity thought leaders) suggests that in coming years such regulations requiring proof of controls on every asset will become the norm, and thus it will be imperative for organisations to demonstrate compliance to an asset level.
A new level of automation
This is where Continuous Controls Monitoring for Risk and Compliance comes in. These challenges around data accuracy in GRC reporting can all be relieved, at least to some extent, by introducing a new level of automation. In the study, 92% of risk and compliance leaders recognised the importance of automation in security risk and compliance reporting.
The aim of Continuous Controls Monitoring is to provide end-to-end automation, which is hugely beneficial when it comes to data accuracy in GRC reporting.
Continuous Controls Monitoring provides security measurement with automated metrics around the performance of controls. It allows risk and compliance users to rely on automated quantitative analysis to conduct audits, assess internal policy and compliance, and substantiate regulatory compliance to an asset level with historical time-stamped data held in perpetuity.
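The measurements described above, as a small added example (not code from the report or from any Continuous Controls Monitoring product): an authoritative asset inventory is reconciled against what each security tool reports, so that control coverage is computed per asset rather than estimated from a sample. The inventory, the three control names and the hosts are all constructed sample data; the tool outputs are assumed to have already been normalised to sets of asset identifiers.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the report): the authoritative asset inventory
# and the set of assets each security tool reports as having the control applied.
INVENTORY = ["host-01", "host-02", "host-03", "host-04", "host-05"]
TOOL_REPORTS = {
    "malware_protection": {"host-01", "host-02", "host-03", "host-05", "host-99"},
    "patch_management":   {"host-01", "host-02", "host-04", "host-99"},
    "config_compliance":  {"host-01", "host-02", "host-03", "host-04", "host-05"},
}


def control_coverage(inventory, tool_reports):
    """For each control, return which inventoried assets have it and which do not.

    Coverage is measured against the inventory, so an asset a tool has never
    heard of counts as a gap rather than silently dropping out of the metric.
    """
    assets = set(inventory)
    result = {}
    for control, reported in tool_reports.items():
        covered = assets & reported
        result[control] = {
            "covered": sorted(covered),
            "missing": sorted(assets - covered),
            "ratio": len(covered) / len(assets) if assets else 0.0,
        }
    return result


def shadow_assets(inventory, tool_reports):
    """Assets that at least one tool reports but the inventory does not list."""
    known = set(inventory)
    seen = set().union(*tool_reports.values())
    return sorted(seen - known)


def fully_covered(inventory, tool_reports):
    """Assets that have every control in place: the 'on every system' test."""
    assets = set(inventory)
    for reported in tool_reports.values():
        assets &= reported
    return sorted(assets)


def sampled_ratio(sample, reported):
    """Coverage estimated from a hand-picked sample, as a questionnaire would report it."""
    return sum(1 for asset in sample if asset in reported) / len(sample)


def snapshot(inventory, tool_reports, at=None):
    """Time-stamped evidence record that can be retained and replayed for an audit."""
    at = at or datetime.now(timezone.utc)
    return {
        "timestamp": at.isoformat(),
        "asset_count": len(inventory),
        "coverage": control_coverage(inventory, tool_reports),
        "fully_covered": fully_covered(inventory, tool_reports),
        "shadow_assets": shadow_assets(inventory, tool_reports),
    }


if __name__ == "__main__":
    snap = snapshot(INVENTORY, TOOL_REPORTS)
    for control, detail in snap["coverage"].items():
        print(f"{control}: {detail['ratio']:.0%} covered, missing {detail['missing']}")
    print("fully covered:", snap["fully_covered"])
    print("shadow assets:", snap["shadow_assets"])
    # A sample of two well-managed hosts reports 100% patch coverage; the full
    # per-asset measurement says 60%.
    sample = ["host-01", "host-02"]
    print("sampled patch coverage:",
          f"{sampled_ratio(sample, TOOL_REPORTS['patch_management']):.0%}")
```

Two things the full measurement surfaces that a sampled questionnaire would not: host-99 is protected by two tools but absent from the inventory, so nobody owns it, and only two of the five inventoried hosts pass every control. Keeping each snapshot with its timestamp gives the historical, asset-level record a regulator can be shown later.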
For further details, see how Continuous Controls Monitoring can help risk and compliance teams.