Using automation to bridge the gap between GRC and security

October 29, 2020

Charaka Goonatilake

In this blog, we discuss how security automation tech can help to bridge the divide between security and GRC teams.

Today’s GRC teams are being asked by regulators to provide an increasing amount of security-related data to ensure compliance with new data privacy and protection regulations. This is putting GRC teams under huge pressure, because gathering and producing that data is still largely manual. Security data is also a relatively new addition to the GRC purview. A number of changes could be made to the way GRC teams receive and handle security data that would make reporting it to regulators easier and, crucially, more accurate.

We detail these in a whitepaper that we are launching today: Bridging the GRC and security divide. It outlines how new automation technologies can bring the GRC and security teams together and make regulator reporting a much less onerous process.

Current GRC cyber reporting practices are laden with manual processes, which are error-prone and resource-intensive. While many GRC tools have reporting functions, GRC teams often do not have ready access to comprehensive and reliable data from them.

Put simply, GRC tools are not designed for collecting, storing, analysing and presenting this type of security data. While GRC teams have tools that manage policies, those tools are ill-equipped to use the data already produced by security controls to demonstrate that the policies are being followed. This disconnect leads to gaps in coverage and misplaced confidence in the data.

A lack of trust in security data is a serious issue for GRC teams. They need to be able to trust, and stand by, the data they provide to regulators. Crucially, if GRC leaders lack confidence in their security data, they also cannot be sure of their organisation’s cyber posture or its ability to combat cyber risks.

Automation is a key tool in the GRC armoury for mitigating this mistrust of security data and the manual overload behind it. This was illustrated in our recent GRC Peer Report, which outlined the findings of a survey of 200 senior GRC professionals. 93.5% of respondents said they thought it was important to automate security risk and compliance reporting. However, only 11% said that their risk and compliance reporting is currently automated end to end.

The fact is that automation is hard. The automation pipeline is long and complex: it entails data gathering, assessment and de-duplication, and then continuously running and refining that cycle. GRC tools and platforms were not designed for the amount of data that now exists within an organisation; most GRC platforms simply cannot provide qualitative measures that allow them to respond accurately.

Introducing Continuous Controls Monitoring

Our Continuous Controls Monitoring (CCM) platform was born out of the industry’s need to automate the collection of security data on assets and controls, so that a baseline of truth is created which can be shared with stakeholders and regulators.

Importantly, our CCM platform gives GRC and security teams a common repository of accurate data that can inform reports and answer questions from regulators in minutes. It also offers a flexible, data-driven approach to compliance monitoring, with the ability to configure the measurement criteria to reflect policies and standards, so that compliance measurement can be tailored to the organisation.

If you are interested in learning more about how automation can bridge the GRC and security divide, and how we are pioneering this new field of technology, then check out our new whitepaper – we would love to hear your thoughts.