For as long as digital information has needed to be secured, security and risk management (SRM) leaders and governance, risk and compliance (GRC) leaders have asked: Are all of my controls working as expected? Are there any gaps in security coverage, and if so, where? Are we at risk of not meeting our compliance requirements? How can I collect and analyze data from across all my controls faster and better?
From “reactive” to “proactive”
Rather than assessing security controls at infrequent points in time, such as while preparing for an audit, a more useful approach is to implement continuous monitoring. However, it takes time to manually collect and report on data from a disparate set of security tools, making “continuous” a very challenging goal. How can SRM and GRC teams evolve from being “reactive” at audit time, to “proactive” all year long? Implement a data-centric continuous controls monitoring (CCM) solution.
According to Gartner®, CCM tools are described as follows:
“CCM tools offer SRM leaders and relevant IT operational teams a range of capabilities that enable the automation of CCM to reduce manual effort. They support activities during the control management life cycle, including collecting data from different sources, testing controls’ effectiveness, reporting the results, alerting stakeholders, and even triggering corrective actions in the event of ineffective controls or anomalies. Furthermore, the automation they support enables SRM leaders and IT operational teams to gain near real-time insights into controls’ effectiveness. This, in turn, improves situational awareness when monitoring security posture and detecting compliance gaps.”
Gartner, Inc., Innovation Insight: Cybersecurity Continuous Control Monitoring, Jie Zhang, Pedro Pablo Perea de Duenas, Michael Kranawetter, 17 May 2023
The use of a CCM solution offers significant advantages over point-in-time reviews of multiple data sources and reports. This blog identifies five of the key benefits of using a CCM solution.
- Share the same view of the data with all teams in the three lines of defense.
A shared and consistent view of data facilitates better coordination between operations teams that are accountable for compliance with organizational security policy, the process owners who manage the tools and data used to measure compliance, and the GRC team that oversees compliance.
A set of CCM dashboards can provide that common view. Without a shared view of compliance status, teams may be looking at different reports, or reports created similarly, but at different points in time, resulting in misunderstandings; in effect, a cybersecurity “Tower of Babel.” Consistent reporting based on a mutually recognized source of truth for compliance data is an essential first step.
Furthermore, without a consistent view of compliance data, it will be challenging to have a productive conversation about the quality of the data and its validity. If operations teams are pulling their own reports, or even if they are consuming reports provided by the process owners or GRC team, inconsistencies in data are likely to be attributed to differences in report formats, or differences in the dates when the reports were run. If all the teams are looking at the same set of CCM dashboards displaying the same data, it is easier to resolve noncompliance issues that may be assigned to the wrong team, or to find other errors, such as missing or incorrect data, that need to be fixed.
- Bring clarity to roles and responsibilities.
Job descriptions may include tasks such as, “Ensure compliance with organizational cybersecurity policy.” But ultimately, what does that mean, especially to a business manager for whom cybersecurity is not their primary responsibility? In contrast, a set of CCM dashboards that an operations level manager can access to see what specifically is compliant or noncompliant for their department provides an easily understood view of that manager’s responsibilities. Managers do not need to spend unproductive time trying to guess what their role is, or trying to find the team that can provide them with information about what exactly is noncompliant for the people and assets in their purview.
Compliance documents and frameworks typically include requirements for documenting “roles and responsibilities,” for example, the n.1.2 controls (e.g., 1.1.2, 2.1.2, etc.) and 12.1.3 in PCI DSS v4.0. Similarly, the “Policy and Procedures” controls in NIST SP 800-53, such as AC-01, AT-01, etc., state that the policy “Addresses… roles, [and] responsibilities.”
Ultimately, roles and responsibilities for operations managers and teams can be presented to them in an understandable format by displaying compliant and noncompliant issues for the people and assets that they manage. This is not to say that cybersecurity related roles and responsibilities should not be listed in job descriptions. However, a display of what is or is not compliant for their department will complement their job description by making the manager’s responsibilities less abstract and more specific.
- Make compliance and security a shared responsibility.
“Cybersecurity is Everyone’s Job,” according to the National Initiative for Cybersecurity Education (NICE), a subgroup on Workforce Management at the National Institute of Standards and Technology (NIST). At the operations level, a manager’s primary responsibility for the business may be to produce the product that the business sells, to sell the product, or something related to these objectives. But the work of the business needs to be done with cybersecurity in mind. Business operations managers and the staff that report to them have a responsibility to protect the organization’s intellectual property, and to protect confidential data about the organization’s customers. So, even if cybersecurity is not someone’s primary job responsibility, cybersecurity is in fact everyone’s job.
At times, business managers may take a stance that “cybersecurity is not my job,” and that it is the job of the CISO and their team to “make us secure.” Or business managers may accept that they do have cybersecurity responsibilities, but then struggle to find a team or a data source that can provide them with the specifics of what their responsibilities are.
A CCM solution can give business managers a clear understanding of what their cybersecurity “job” is without requiring them to track down the information about the security measures they should be taking, as the data alerts them to security gaps they need to address.
- Enhance cybersecurity by ensuring compliance with regulations and internal policies.
Compliance may not equal security, but the controls mandated by compliance documents are typically foundational requirements that, if ignored, are likely to leave the organization both noncompliant and insecure. An organization that has good coverage for basic cybersecurity hygiene is likely to be in a much better position to achieve compliance with any regulatory mandates to which they are subject. Or, conversely, if the organization has gaps in their existing cyber hygiene, working to achieve compliance with their regulatory requirements, or an industry recognized set of security controls, will provide a foundation on which the organization can build a more sophisticated, risk-based cybersecurity program.
The basics are the basics for a reason. Using a CCM tool to achieve consistent coverage for the basics when it comes to both compliance and cybersecurity provides a more substantial foundation for the cybersecurity program.
- Create a progressive and positive GRC feedback loop using CCM.
A CCM solution does not take the place of or remove the need for a GRC team and a GRC program. But it is a tool that, if incorporated into a GRC program, can help by saving time formerly used to manually create reports, and by facilitating coordination and cooperation by providing teams a consistent view of their compliance “source of truth.” Implementing a CCM solution may uncover gaps in data (missing or erroneous data), or gaps in communication between teams, such as the business teams that are accountable for compliance, and the process owners who are managing the tools and data used to track compliance. Uncovering any such gaps provides the opportunity to resolve them and to make improvements to the program. As gaps in data, policy or processes are uncovered and resolved, the organization is positioned to make continuous improvement in its compliance posture.
If there are aspects of the organization’s current GRC program that have not achieved their intended level of maturity, a CCM solution like DataBee can help by providing a consistent view of compliance data that all teams can reference. CCM can be the focus that teams use to facilitate discussions about the current state, and how to move forward to a more compliant state. Over time, the organization can draw on additional sources of compliance data and display it through new dashboards to continue to build on their compliance and cybersecurity maturity.
Get started with DataBee CCM
For more insights into how a CCM solution can ease the burden on GRC teams while improving an organization’s security, risk and compliance posture, read the recent interview with Rob Rose, Sr. Manager on the Cybersecurity and Privacy Compliance team here at Comcast. Rob and the Comcast GRC team use the internally developed data fabric platform that DataBee is based on, and they’ve achieved some remarkable results.
The DataBee CCM offering delivers the five key benefits described here and more. If your organization would like to evolve its SRM and GRC programs from being “reactive” to “proactive” with continuous, year-round controls monitoring, get in touch and let us show you how DataBee can make a difference.
Download the CCM Solution Brief to learn more, or request a personalized demo.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.