More remote. More collaborative. More productive.
More personal apps. More personal devices. More personal storage.
More data exposure. More data exfiltration. More insider risk.
More data governance, risk and compliance (GRC) challenges.
Ever-changing workforce dynamics along with the drive to digitally transform businesses to innovate and work faster introduce immense challenges for security and risk professionals – especially when it comes to data governance, risk and compliance (GRC). The massive move to cloud, collaboration and remote work has fundamentally sped the pace of nearly every organization and with it accelerated and amplified protection challenges – specifically exposure and exfiltration of sensitive digital assets, aka data. We call this Insider Risk.
Consider the major data protection challenges pre-pandemic. They centered on data privacy with the introduction of GDPR, CCPA and a whole host of others across US states and countries. The sheer mass of regulations drove organizations to a compliance-first mindset. I argue GRC became CRG (Compliance, Risk then Governance focused). Now, pile the pandemic and the overnight shift to remote and hybrid work on top of ever-increasing compliance complexity. Employees are no longer tethered to corporate offices, infrastructure or networks and as a result, corporate data, too, is untethered. What we have is a massive data governance problem – one that forces us to shift from a compliance-first approach to one rooted in data governance. In essence, we flip the formula from compliance driving people, process and technology needs to data governance being the main driver.
5 reasons why a governance-first approach is needed
- Collaboration encourages information / file sharing inside and outside the organization.
- Remote work hampers file visibility off-network and on unmanaged devices.
- The drive for individual productivity is accelerating file movement to unsanctioned cloud services and storage.
- Employees feel their files have personal value. New employees bring files in and departing employees take files out.
- All of this makes blocking file movement an ineffective compliance control.
Enter Insider Risk Management (IRM)
IRM is a modern approach to data protection rooted in three core technology principles: trust, prioritization and right-sized response. Simply put, when it comes to employees’ use of corporate data: what is considered untrusted activity, what untrusted activity poses an unacceptable risk to the organization and what is a suitable method of remediation? Answering these three questions requires GRC & security to evaluate their Insider Risk posture by identifying where data is exposed, defining what data risk is material to the business, when to prioritize exfiltration events as threats, how to investigate and respond to said exfiltration and ultimately, why a focus on optimizing and improving insider risk posture overtime proves valuable to the business.
When it comes to the data governance challenges (file exposure and exfiltration) that GRC professionals face, applying the principles of IRM to define and document processes for where data is exposed, what exposure matters, when to prioritize, how to respond and why benefits not only security & risk teams, but the business at large.
5 ways IRM helps address GRC & security data governance challenges
- Enables GRC & security collaboration with IT to identify untrusted file activity.
- Equips GRC & security with the file visibility needed to define risk tolerance by line of business.
- Arms GRC & security with the context needed to prioritize threats material to business partners.
- Enables GRC & security to define, document and automate response processes and controls.
- Empowers GRC & security to improve risk reduction over time and reinforce data compliance.
Many of us have heard, even said, “compliance does not make us secure” and that’s true, especially when it comes to data security in a cloud, collaborative and remote world. But what is it about the keepers of compliance – GRC – that would make us more secure? I argue it starts with governance and wrapping our heads around three simple questions: what is untrusted, when does it matter and how do we respond?
More often than not, the most complex challenges – GRC – require the simplest of approaches: Insider Risk Management.
Let’s start there.
More resources on IRM for GRC & security professionals: