Bottom Line: Excelling at compliance doesn’t protect any business from being hacked, yet pursuing a continuous risk management strategy helps.
With a few exceptions (such as spearphishing), cyberattacks are, by nature, brutally opportunistic and random. They are driven to disrupt operations at best and steal funds, records, and privileged access credentials at worst. Conversely, the most important compliance event of all, audits, are planned for, often months in advance. Governance, Risk, and Compliance (GRC) teams go to Herculean efforts to meet and exceed audit prep timelines working evenings and weekends.
Wanting to learn more about the relationship between GRC and cybersecurity strategy, I searched for webinars on the topic. I found Improve Your Compliance Posture with Identity-Centric PAM, a recent webinar-on-demand offered by Centrify. The webinar brought up several interesting insights, including shared pains companies experience with compliance and cybersecurity, yet require drastically different approaches to solving them.
Rationalizing Compliance Spending with Cybersecurity
The truth is organizations are attempting to rationalize the high costs of compliance by looking for how GRC spend can also improve cybersecurity. This is a dangerous assumption, as Marriott’s third breach indicates. Marriott is an excellently managed business and sets standards in compliance. Unfortunately, that hasn’t thwarted three breaches they’ve experienced.
Why are organizations assuming GRC spending will improve cybersecurity? It’s because both areas share a common series of pains that require different solutions, according to the webinar. These pains include:
- Updates to regulations are exponentially increasing today, averaging 200 or more per day from approximately 900 oversight agencies worldwide, leading to a quickly changing, heterogeneous landscape. Dr. Torsten George, Cybersecurity Evangelist at Centrify, said that when he worked in the GRC space, the midsize clients he worked with had to deal with 17 different regulations. Larger organizations that operate on a global basis are dealing with, on average, 70 or more regulations they need to stay in compliance with. Dr. George provided an overview of the compliance landscape, differentiating between the levels compliance requirements every organization needs to abide by, which is shown below:
- Compliance is, by nature, reactive to a known event (audit), while cybersecurity is also entirely reactive to random events (cyberattacks). GRC teams need to ramp up their staff and equip them with the apps and tools they need at least six months before an audit. For cybersecurity, the threat is random and will most likely be more severe in terms of financial loss. Preparing for each takes entirely different strategies.
- The lack of continuous risk monitoring by GRC teams and identity management by IT cybersecurity leads to systemic failures in achieving compliance and securing an organization. The webinar makes an excellent point that for compliance to succeed, it needs to be based on continuous risk management, not just checking off the boxes or categories of a given GRC approach. The same holds for cybersecurity. Identity-Centric Privileged Access Management (PAM) provides GRC and IT professionals mutual benefits when it comes to achieving the mission of being and staying compliant, and shows how securing enterprises drive better compliance, not vice versa.
- Manually updating compliance mapping tables showing the interrelationships of requirements by industry is not scaling – and leaving gaps in GRC coverage. The more regulated a business is, for example manufacturing medical products, the more important it is to automate every aspect of compliance. A great place to start is automating the process of creating mapping tables. Taking a manual approach to creating mapping tables comparing standards often leads to errors and gaps. And in highly regulated industries like medical products manufacturing, the accuracy, speed, and scale of staying compliant can be turned into a competitive advantage, leading to more sales.
How To Resolve The Conflict Between GRC and Cybersecurity Spending
According to the webinar, 80% of today’s data breaches are caused by default, weak, stolen, or otherwise compromised credentials. GRC and cybersecurity strategies’ best efforts need to be put on securing privileged access first. The webinar makes a strong argument for prioritizing privileged access security as the initiative that can unify GRC and cybersecurity strategies.
Key insights from the webinar include the following:
- Industry standards and government regulations are calling for identity and access management as a requirement, with several specifically naming privilege access controls.
- Identity-Centric Privileged Access Management (PAM) approaches help meet compliance mandates, while at the same time hardening cybersecurity to the threat surface level.
- Attaining greater compliance by taking an Identity-Centric PAM approach ensures machines have secured identities as well, and the use of anonymous access accounts is limited to break-glass scenarios only, while organizations should otherwise be leveraging enterprise directory identities for the authentication and authorization process.
- Improving accountability and segmentation by establishing granular security controls and auditing everything helps bridge the gap between GRC and cybersecurity initiatives.
Continuous risk management is key to excelling at compliance, just as securing privileged access credentials is foundational to an effective cybersecurity strategy. Dr. Torsten George ended the webinar saying, “In the long term, I believe that the current situation that we’re dealing with and its associated spike of cyber-attacks will lead to even stricter compliance mandates; especially when it comes to secure remote access by key IT stakeholders and outsourced IT.” The bottom line is that compliance and cybersecurity must share the common goal of protecting their organizations’ privileged access credentials using adaptive approaches and technologies if both are going to succeed.