The Top Three GRC Challenges—And How You Can Overcome Them
For some years now organisations have been moving from traditional on-premise solutions to more flexible and agile ways of working, enabled by the continuous expansion of offerings from cloud service providers (CSPs).
Businesses operating in highly regulated industries must ensure that their cloud services are appropriately protected—but this isn’t always straightforward, especially as organisations contend with ever-changing market forces and hybrid or fully remote working practices.
At Contino, we’ve helped our clients embrace the flexibility of the public cloud, which has enabled them to deliver products to market far quicker and embrace collaborative hybrid working cultures. For all the benefits though, it’s vital that speed doesn’t come at the cost of security—regulatory compliance, therefore, mustn’t take a back seat.
Technology-related challenges around governance, risk and compliance (GRC) are a core part of an organisation’s transformation journey, and in this blog we’ll take you through the top three common challenges, and how you can overcome them.
What is Governance, Risk & Compliance?
GRC is an integrated approach to managing the strategic, operational and compliance risks facing organisations. It encompasses the frameworks, processes and practices that enable businesses to align their operations with legal and regulatory requirements, internal policies and industry best practices. By effectively managing GRC, an organisation can improve transparency, strengthen decision-making processes, and safeguard its reputation.
IT GRC is a subset of operational GRC, and relates to activities intended to ensure that the IT used within an organisation supports both its current and future business requirements and challenges. Many organisations look to cloud computing to aid innovation, and leverage the evolving technology solutions that CSPs are releasing at a fast pace. It’s therefore more important than ever to establish robust processes and procedures that ensure your IT aligns with your business goals, and that adoption is carried out in a controlled manner. Risks related to the use of such IT assets need to be identified, documented, scored appropriately and managed by the appropriate asset and data owners. Together, this helps ensure compliance with your legal and regulatory requirements as well as maintaining the security and resilience of assets.
So what are the common challenges to successful GRC?
1. Staff training, awareness and communication
GRC relies on effective communication. This means having communication links in place from the senior stakeholders who are accountable for demonstrating compliance with a range of legal and regulatory requirements, cascading down to the technical operations staff who are responsible for implementing the technical controls that secure the cloud infrastructure and services. Each person in the organisation should be aware of their responsibilities and know how they contribute to the security of the organisation.
It’s worth putting the effort in early on to identify all relevant stakeholders involved in GRC processes, including senior management, employees, external partners, regulatory bodies and investors. Understand their needs, concerns and communication preferences, and respond to them accordingly.
Foster an environment of transparency and openness by sharing relevant GRC information, including challenges and successes. Transparency builds trust, encourages more open communication and helps everyone understand the part they play in the company’s success. Educate employees about the unique GRC challenges in the cloud and their responsibilities in maintaining compliance, and ensure that roles and responsibilities are defined for cloud management, security and compliance.
A key part of Contino’s engagements involves upskilling, and we empower our clients and their teams through a range of workshops and sessions; these support key stakeholders in learning key concepts and practices that ensure they operate in a secure manner protected by the appropriate security controls.
The support we provide with IT Governance processes covers:
- change management and communication strategies
- assessing an organisation’s compliance requirements
- implementing a framework that aligns with cloud transformation activities
- ensuring that appropriate ownership is in place
- aligning policy, procedures and guidance to cloud adoption
2. Understanding and implementing the shared responsibility model
A lack of clarity around roles and responsibilities can cause confusion and leave security gaps. When moving from on-premise to cloud, it’s vital that you carry out a thorough top-down review. This is important as many policies, procedures, guidelines and standards don’t easily align to cloud environments and require some additional thought due to the split of responsibilities between the cloud supplier and the customer within the applicable shared responsibility model.
While the shared responsibility model offers benefits, it also introduces challenges that organisations need to be aware of and address:
- Determining the exact boundaries of responsibility between the CSP and the customer can be complex and may vary based on the type of cloud service (IaaS, PaaS, SaaS)
- There can be overlap between the security controls implemented by the customer and those provided by the CSP, potentially causing redundancy or confusion
- CSPs might not always provide complete visibility into their security practices or incidents, which can impact the customer's ability to assess risk
You can overcome these challenges by establishing clear control ownership. This starts with a review of the shared responsibility model that applies to the cloud provider and the cloud services that have been adopted. It then remains to identify control owners and data owners from across the entire organisation for those controls that are the responsibility of the customer. These controls then need to align with the roles and responsibilities in the overarching operating model, so that the right level of senior stakeholder accountability and responsibility is in place.
In financial services, this is key to ensuring alignment with the Senior Managers and Certification Regime (SM&CR), so that individuals clearly understand where responsibility lies. However, this applies to all other sectors too, and it’s vitally important that IT GRC doesn’t fall solely to technical IT staff to design and implement. You should clearly differentiate control ownership, which sits primarily with the individuals who specify the requirement and are accountable for it within the organisation, from control implementation: it is normal practice for other teams to be responsible for putting the control into practice, as either a preventative or a detective control. You should also engage with the CSP to gain an understanding of its security measures, incident response protocols and auditing processes, and thoroughly review any third-party audit reports carried out on the CSP.
3. Data residency and jurisdiction implications
Another challenge is the loss of the physical boundary that applies to on-premise facilities. Cloud providers are responsible for physical data centre security, but for cloud consumers the boundary is no longer a tangible entity. Cloud computing allows your technical operations staff to deploy infrastructure to any corner of the globe in a matter of seconds, yet those staff are typically no longer based in buildings that you own and control physical access to. It is therefore important that the shared responsibility model for the particular cloud supplier and the particular cloud deployment is fully understood, so that both parties’ responsibilities are clear and the appropriate controls are in place with the relevant party. This process needs to be applied through the infrastructure layers down to the data itself. Thought needs to be given to how data assets are suitably protected; this starts with identifying the data assets within the organisation, valuing them according to a classification scheme, and affording each asset protection based on its classification.
To help manage data residency and jurisdiction challenges, we recommend implementing a clear assessment process and conducting a gap analysis report.
We conduct assessments against a cloud controls framework by working closely with the client’s organisation to understand its requirements. This entails carrying out interviews, documentation reviews and technical evaluations to assess the implementation of the controls outlined in the chosen Cloud Control Framework (CCF). The assessment process identifies any gaps or deficiencies in the cloud security posture, and Contino offers support and advice on the actions required to address any shortcomings.
After the assessment, a detailed gap analysis report is generated. This report compares the client’s current security controls and practices against the requirements of the CSA CCM, and identifies the areas where the client needs to improve its security measures to align with industry best practice. Contino then offers recommendations and guidance to help the client address the identified gaps and deficiencies, which might include suggestions for policy improvements, technical configurations and process enhancements.
Cloud Control Frameworks
A CCF provides a structured and comprehensive set of guidelines, practices and controls to help organisations manage their cloud environments securely and effectively. Such frameworks offer a range of benefits to organisations adopting cloud services.
There are a number of Control Frameworks that can be used to support secure cloud operations such as CSA CCM v4, ISO/IEC 27017 & NIST 800-53. The CSA’s Cloud Controls Matrix v4 (CCM) is a great starting point for any organisation on a cloud transformation journey as it also contains mappings to a number of other frameworks. The CCM can support cloud transformation journeys through:
- Standardised Security Controls: The CCM is considered the de-facto standard for cloud security assurance and compliance, and therefore provides a comprehensive set of security controls and best practices that support organisations in implementing cloud services securely and robustly. We can then assist in using selected controls to assess the security posture of cloud services. It offers a standardised framework for evaluating the implementation of security controls across different cloud environments.
- Risk Assessment: By utilising the CCM, we can help put in place effective risk management processes to identify and assess the potential risks associated with adopting specific cloud services, ensuring that cloud risks are captured, understood and effectively managed within the organisation. The CCM also helps organisations evaluate the security capabilities of their public cloud suppliers and understand their ability to protect customer data and infrastructure, allowing cloud consumers to fully understand the complexities of the shared responsibility model. It also supports the audit function in providing up-to-date documentary evidence against the 197 CCM controls, which are cross-mapped to a range of other regulatory control sets shown below.
- Compliance Mapping: The CCM maps various industry-accepted security standards and regulations, such as ISO/IEC 27001, PCI DSS, HIPAA and others, to the corresponding controls within the cloud environment. This helps organisations align their compliance obligations and supporting evidence in a central location. Additional control frameworks are currently being assessed by the Cloud Security Alliance for inclusion in forthcoming mapping exercises.
For more on CCMs, read our blog, Cloud Controls Matrix: How to Secure Your Journey to the Cloud.
Although not fully aligned to cloud computing, other frameworks are available, are widely used by a range of organisations, and are summarised below.
- National Institute of Standards and Technology (NIST) Special Publication 800-53: NIST SP 800-53 is a comprehensive security and privacy control framework applicable to various information systems, including cloud computing. It provides a catalogue of controls and guidelines for federal agencies but is also widely adopted by other organisations.
- ISO/IEC 27001: ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach for managing information security risks, including those associated with cloud computing. It offers a set of controls and a risk management framework.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a security standard for organisations handling credit card information. It includes specific requirements for securing cardholder data in cloud environments, such as network segmentation, encryption, access controls, and logging.
- Center for Internet Security (CIS) Controls: The CIS Controls provide a prioritised set of cybersecurity best practices. While not specific to the cloud, these controls can be applied to secure cloud infrastructure and workloads effectively.
Contino can support you irrespective of your control framework. For the most robust approach, we recommend a core meta-framework that maps out to the important industry frameworks as well as to custom requirements capturing the things that matter to your organisation.
How Contino Can Help You Overcome GRC Challenges
Transformation activities often involve significant changes to processes, technologies or organisational structures. These changes introduce new risks to the transformation process that need to be identified, assessed and managed effectively. GRC frameworks help address these through methodologies and tools for risk identification, analysis and mitigation.
Transformation initiatives may require organisations to comply with new regulations, standards or internal policies. Cloud adoption brings new challenges to many organisations, and it is key to establish secure foundations, in the form of controls and guardrails, before developing cloud baselines. GRC is the overarching vehicle that ensures compliance requirements are identified and incorporated into the transformation plans and activities. It helps organisations understand and adhere to applicable regulations, reducing the risk of non-compliance and associated penalties, and reducing the sleepless nights and concerns of senior stakeholders.
GRC frameworks also include change management components that support the successful implementation of transformation initiatives. Change management involves planning, communicating and managing the people side of change. GRC helps organisations identify and engage stakeholders, communicate the rationale for the transformation, address resistance, and monitor the adoption and effectiveness of the changes.
Contino is here to support your GRC journey so please get in touch to discuss your specific challenges.