The Future of Cyber Governance

Something we’ve struggled with for many years is getting value out of our compliance frameworks beyond the obvious certifications we gain from being audited. Some standards, like ISO 27001 or PCI, require implementing controls that manage known cyber risks, but just because a business is compliant, it does not mean it is secure.

The disconnect between the GRC world and the technical world is wide since most frameworks focus on information security management systems, which are process models aligned to how businesses operate, rather than the deep technical architectures and systems within their environments. Unfortunately, our adversaries thrive in technical systems, gaining access and stealing data via the technical weeds growing beneath the polished GRC process structures. 

GRC frameworks often dictate manual processes, reviews, and reliance on intermittent external audits to evaluate the implementation status. Yet these frameworks are being outpaced and outdated by the rapid, dynamic nature of cyber threats, especially as more businesses head into the cloud and build entirely new models for how the business operates. 


The future of GRC requires a more progressive approach – one of continuous assessment and real-time risk management, where cybersecurity risks and issues are identified, understood, and managed as they manifest. In this paradigm shift, solutions must focus beyond meeting compliance requirements of procedures and policies; instead, the approach needs to dig into the core cyber risks, aiming to manage them effectively rather than just adhering to prescribed processes. 

This shift is critical because attackers don’t care if you have a robust classification policy or acceptable use policy, and they certainly don’t give a hoot if you run security awareness training. What matters to the attacker is the vulnerability on your web server that allows them to exploit your systems and jump into your network, where they can steal information. 

Even with a process for vulnerability management in place, how can you know it’s functioning as required? This would require you to continually monitor the patch state and assess each vulnerability against the context of your architecture and risk management framework.
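The question above, whether a vulnerability management process is actually functioning, is what a continuous assessment answers by comparing the observed patch state of each asset against a remediation deadline derived from the vulnerability and the asset's context. The following is an added example, not code from the article or from any product it mentions: the SLA table, the halving of the deadline for internet-facing assets, and the inventory and vulnerability data are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


# --- Constructed sample model (hypothetical, not from any real environment) ---

@dataclass
class Asset:
    name: str
    internet_facing: bool          # exposure context used to tighten the SLA
    installed_patches: set = field(default_factory=set)


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str                  # "critical" | "high" | "medium" | "low"
    published: date                # when the fix became available
    fixed_by: str                  # patch identifier that remediates it
    affects: list                  # names of assets exposed to it


# Assumed remediation SLA in days per severity; halved for internet-facing
# assets so that externally reachable weaknesses are treated more urgently.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def remediation_deadline(vuln, asset):
    days = SLA_DAYS[vuln.severity]
    if asset.internet_facing:
        days //= 2
    return vuln.published + timedelta(days=days)


def assess(assets, vulns, today):
    """Return one finding per (asset, vulnerability) pair that is still unpatched.

    Each finding records the context-adjusted deadline and whether the
    observed patch state currently meets it, which is the evidence a
    continuous assessment reports instead of a point-in-time audit answer.
    """
    by_name = {a.name: a for a in assets}
    findings = []
    for v in vulns:
        for asset_name in v.affects:
            asset = by_name[asset_name]
            if v.fixed_by in asset.installed_patches:
                continue                      # already remediated; no finding
            deadline = remediation_deadline(v, asset)
            findings.append({
                "asset": asset.name,
                "vuln": v.vuln_id,
                "deadline": deadline,
                "overdue_days": max(0, (today - deadline).days),
                "status": "OVERDUE" if today > deadline else "WITHIN_SLA",
            })
    return findings


def control_status(findings):
    """Collapse findings into a single control state for the governance view."""
    if any(f["status"] == "OVERDUE" for f in findings):
        return "INEFFECTIVE"
    return "EFFECTIVE"


# Constructed inventory and vulnerability feed for a stand-alone run.
SAMPLE_ASSETS = [
    Asset("web-01", internet_facing=True, installed_patches={"KB-1001"}),
    Asset("db-01", internet_facing=False, installed_patches=set()),
    Asset("hr-laptop-07", internet_facing=False, installed_patches={"KB-1002"}),
]
SAMPLE_VULNS = [
    Vulnerability("VULN-A", "critical", date(2024, 1, 1), "KB-1002",
                  ["web-01", "db-01", "hr-laptop-07"]),
    Vulnerability("VULN-B", "high", date(2024, 1, 20), "KB-1001", ["web-01"]),
]
TODAY = date(2024, 2, 1)


def run_sample():
    findings = assess(SAMPLE_ASSETS, SAMPLE_VULNS, TODAY)
    return findings, control_status(findings)


if __name__ == "__main__":
    findings, status = run_sample()
    for f in findings:
        print(f"{f['asset']:<14}{f['vuln']:<8}{f['status']:<11}"
              f"deadline {f['deadline']} overdue {f['overdue_days']}d")
    print("Vulnerability management control:", status)
```

Running this daily against a real inventory and patch feed, rather than once before an audit, is the difference the article draws between a snapshot and continuous assessment: the same control flips from EFFECTIVE to INEFFECTIVE the day a deadline passes, not months later when a reviewer samples the evidence.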

Continuous Authority to Operate

The US Government developed a Continuous Authority to Operate (cATO) model that authorises software components throughout the development lifecycle using automated DevSecOps technologies and processes. The continuous assessment process against the current risk profile allows the development team to monitor the security posture against a target state. However, challenges exist when trying to implement this, including:

  • Time and resource constraints
  • Complexity
  • Lack of standardisation
  • Resistance to change
  • Lack of ownership
  • Limited visibility
  • Inadequate documentation

These issues can all be addressed with good process governance, solid monitoring, and keen-eyed management. As such, the entire model can be expanded to cover the delivery of security requirements, such as the controls proffered by compliance frameworks like ISO 27001, across an entire organisation.

Continuous Assessment—The Game Changer

Continuous assessment will undoubtedly replace the traditional, manual methods of GRC.

Instead of periodic audits and reviews that provide only a snapshot of a company’s cyber risk posture at a particular moment, the continuous assessment method provides ongoing, dynamic insights and the ability to react when things change, thus managing exposures in real time across people, processes, and technology. Any future solution should harness the power of automation, artificial intelligence, and machine learning to monitor and assess risks quickly. This enables businesses to understand their evolving risk landscapes, react promptly, and stay one step ahead of cyber attackers. We are not there today, and while we continue to follow good practice regarding GRC projects and delivery of management systems, we should look to the future to understand how we transition to better, more continuous models of assurance.

The Power of Convergence

This shift towards real-time risk management and ongoing continuous assurance should expand to cover all aspects of security management – GRC, technical assurance and process reviews. This isn’t just a transformation in GRC; it’s a business-wide evolution of how security becomes a temperature gauge for business hardening and resilience to attacks.

Technology Integration: One aspect of this convergence involves integrating various technologies into a comprehensive GRC system. AI and machine learning can analyse data, identify patterns, and predict potential threats. We can integrate blockchain technology into the solution to provide transparent, tamper-proof documentation of activities. IoT sensors may collect data from multiple endpoints, including the systems we don’t include today, such as sensors, physical devices, CCTV, alarms, HVAC systems, etc., thus giving comprehensive visibility across the whole enterprise. All these need to be brought together in a seamless, interoperable ecosystem.

To the Cloud: The future of cloud GRC must lean heavily on cloud computing platforms to leverage their inherent tools. Take Microsoft 365, for example: it has a comprehensive compliance monitoring capability built in, but the uptake across Microsoft customers who have that at their fingertips is minimal (in my experience), as the GRC models are still manually driven by spreadsheets aligned to antiquated process-oriented controls.

Security Culture: Beyond technology, the convergence of GRC requires a holistic cybersecurity culture, but this is only possible when the business implements a broad and engaging awareness program. Employees must be aware of their role in maintaining the company’s security posture, and building an engaging education and awareness program with tools like gamification and simulation is essential to maintain that engagement. As with a well-written novel, security awareness learners should come away with an emotional connection to the impact of a breach, so the messaging sticks and assists in the behavioural economics changes needed to improve the organisation’s security posture.

The future destination of GRC is a journey of convergence. It involves the continuous evolution of technologies, regulations, and corporate culture and takes us to a better, safer, and more secure cyber environment where risks are managed dynamically and proactively. We have a long way to go, but it’s time to start looking at how we get there and building programs that take us down the right path.

Tony Campbell

Director of Research & Innovation, Sekuro

Tony has been in information and cyber security for a very long time and delivered projects and services across a bunch of different industries through a variety of different roles. Over the years, Tony has always tried to bridge the growing skills gap through his employment, by mentoring, teaching and working with other disciplines to help them understand the complexities of what we do.
