Bridging the GRC and Security Divide
June 24, 2020
As attack and defense technologies become more sophisticated, one area is not keeping pace: the organization's internal Governance, Risk and Compliance (GRC) team.
Cyber is still a relatively new addition to the purview of the GRC team. As regulators increasingly demand metrics on a business's cyber posture, producing those metrics consumes more and more of the GRC team's time, as well as time from the security team that would be better spent on security itself. Both teams face a range of problems with cyber reporting, which is why bridging the GRC and security divide must become a strategic priority.
Current GRC cyber reporting practices are laden with manual processes, which are both time-consuming and error-prone. While many tools, such as vulnerability scanners, endpoint protection, SIEM, and IT access control systems, have reporting functions, GRC teams often do not have ready access to comprehensive and reliable data from them.
Much like the parable of the blind men and the elephant, many GRC and security teams are able to test only a small sample of security controls, or have siloed visibility into different asset types such as devices, accounts, and databases. This disconnect leads to gaps in coverage and misplaced confidence in reporting.
You can read the full article by Infosecurity Magazine here.