5 Ways GRC & Security Can Partner to Reduce Insider Risk
In 2022, data governance, risk, and compliance (GRC) and security need to partner to implement a modern approach to data protection: insider risk management.
December 7, 2021
We're all still trying to wrap our heads around just how much has changed in such a short period of time. Those changes span nearly every area of our lives and affect us in a number of personal and professional ways. From an organizational perspective, taking a granular look at the new world of hybrid-remote work, the data protection needed for the 2022 world is markedly different from the data protection of 2020. How have things changed?
More remote. More collaborative. More productive.
More personal apps. More personal devices. More personal storage.
More data exposure. More data exfiltration. More insider risk.
More data governance, risk, and compliance (GRC) challenges.
Ever-changing workforce dynamics, along with the drive to digitally transform the business in order to innovate and work faster, introduce immense challenges for security and risk professionals — especially when it comes to GRC. The massive move to cloud, collaboration, and remote work has fundamentally accelerated the pace of nearly every organization, and with it has accelerated and amplified the protection challenges — specifically the exposure and exfiltration of sensitive digital assets, aka data. We call this insider risk.
Consider the major data protection challenges pre-pandemic. They centered on data privacy with the introduction of GDPR, CCPA, and a host of others across US states and countries. The sheer mass of regulations drove organizations to a compliance-first mindset. I argue GRC became CRG (compliance, risk, then governance focused). Now, pile the pandemic and the overnight shift to remote and hybrid work on top of ever-increasing compliance complexity. Employees are no longer tethered to corporate offices, infrastructure, or networks, and as a result, corporate data, too, is untethered. What we have is a massive data governance problem — one that forces us to shift from a compliance-first approach to one rooted in data governance. In essence, we flip the formula from compliance driving people, process, and technology needs to data governance being the main driver.
Five Reasons Why a Governance-First Approach Is Needed
1. Collaboration encourages information/file sharing inside and outside the organization.
2. Remote work hampers file visibility off network and on unmanaged devices.
3. Personal productivity gains accelerate file movement to unsanctioned cloud services and storage.
4. Work product has personal value, with new employees bringing files in and departing employees taking files out.
5. All of this makes blocking file movement an ineffective compliance control.
Enter Insider Risk Management (IRM)
IRM is a modern approach to data protection rooted in three core technology principles: trust, prioritization, and right-sized response. Simply put, when it comes to employees' use of corporate data: what is considered untrusted activity, which untrusted activity poses unacceptable risk to the organization, and what is a suitable method of remediation? Answering these three questions requires that GRC and security departments evaluate their insider-risk posture by identifying where data is exposed, defining what data risk is material to the business, deciding when to prioritize exfiltration events as threats, determining how to investigate and respond to that exfiltration, and ultimately, establishing why a focus on optimizing and improving insider-risk posture over time proves valuable to the business.
When it comes to the data governance challenges (file exposure and exfiltration) that GRC professionals face, applying the principles of IRM to define and document processes for where data is exposed, what exposure matters, when to prioritize, how to respond, and why, benefits not only security and risk teams but the business at large.
Five Ways IRM Helps Address GRC and Security Data Governance Challenges
1. Enables GRC and security collaboration with IT to identify untrusted file activity.
2. Equips GRC and security with the file visibility needed to define risk tolerance by line of business.
3. Arms GRC and security with the context needed to prioritize threats material to business partners.
4. Enables GRC and security to define, document, and automate response processes and controls.
5. Empowers GRC and security to improve risk reduction over time and reinforce data compliance.
Many of us have heard, even said, "compliance does not make us secure" and that's true, especially when it comes to data security in a cloud, collaborative, and remote world. But what is it about the keepers of compliance — GRC — that would make us more secure? I argue it starts with governance and wrapping our heads around three simple questions: What is untrusted, when does it matter, and how do we respond? More often than not, the most complex challenges — GRC — require the simplest of approaches: IRM. Let's start there.
For 5 simple steps to get started with insider risk management, check out this brief.
About the Author
Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42, a leader in insider risk detection and response, in 2016, bringing more than 20 years of B2B data storage, cloud, and data security experience with him, including several roles in marketing and product management at Seagate.