How Governance, Risk and Compliance Platforms Can Support, Enhance Cybersecurity (Industry Perspective)

A top cybersecurity priority for all organizations is to ensure that they use their talents and resources in the most productive and lasting ways possible, and these types of platforms act as that cybertalent force multiplier.

by Sam Abadir / November 7, 2016

It’s been a busy time for the U.S. Office of Personnel Management (OPM). More than a year after the agency's 2015 data breach that impacted at least 18 million government employees' highly sensitive personnel records, it has been in the news for better reasons — for a plan that addresses crucial challenges shared by the public and private sectors alike.

In July 2016, OPM announced its Strengthening the Federal Cybersecurity Workforce plan, which seeks to "identify, recruit, develop, retain and expand the pipeline of the best, brightest and most diverse cybersecurity talent for federal service and for our nation." 

Cybersecurity skills are scarce worldwide. A recent in-depth report from the Center for Strategic and International Studies highlighted some alarming statistics: 82 percent of all IT executives surveyed reported a shortage of cybersecurity skills, with 71 percent claiming the shortage results in direct and measurable damage. An analysis of 2015 numbers from the Bureau of Labor Statistics shows that 209,000 cybersecurity jobs went unfilled, with demand expected to grow 53 percent through 2018.

In other words, the gap between demand and supply is widening, outpacing the education and government initiatives aimed at addressing it. Government agencies struggle to compete with corporate salaries, benefits, and retention and development efforts, leaving them even further behind in the talent race. 

Clearly, identifying effective solutions with more immediate impact is imperative. Public and private organizations are developing products and strategies to better leverage the existing workforce. The difficulty in hiring dedicated cybersecurity professionals is one of the driving forces behind the explosive adoption of cloud technologies. Using cloud services helps public agencies and businesses leverage cybersecurity expertise without the challenges associated with hiring and retaining internal employees.

When it is possible or necessary to hire top-tier talent, it is essential to protect the investment by systematizing their knowledge and processes. Automation helps make optimal use of information security (infosec) professionals’ time and expertise. And comprehensive governance, risk and compliance (GRC) platforms support these strategies by centralizing and correlating infosec data, integrating policies and standards, analyzing and prioritizing IT risk and incidents, and automating security-related processes designed by top talent to protect the organization. These efficiencies allow IT professionals to spend less time on manual tasks and more time on building a holistic security and risk management program that provides visibility and value to the organization.

Cybersecurity processes require analyzing volumes of data from dozens of sources. GRC platforms that include an IT risk focus collect and correlate all this data, including scanned asset inventories, threat intelligence feeds, configuration data, and security information and event management (SIEM) data. They triage the information so immediate action can be taken, with priority determined by business priorities, data sensitivity and organizational strategy. Best-practice processes designed by the organization's cybersecurity experts are modeled and automated as workflows, which route, track and document all aspects of remediation efforts.

For even deeper risk management activities, second-generation solutions, most of which are cloud-based, integrate this IT risk information with policy and compliance requirements, vendor risks, and operational risks. Some also provide contingency plans for IT or business failures and manage the complete incident lifecycle. Audit performance time can be cut by months.

Forward-thinking organizations that know how risky it is to rely solely on cyberexperts to protect their data and infrastructure are using GRC platforms to systematize intelligence, standardize procedure and streamline infosec activities. Next-generation GRC solutions scale easily, evolve alongside security and risk programs, and adapt to existing processes. The solutions are designed for quick implementation and ease of use, are continuously updated, and are linked to outside repositories of regulatory standards and security intelligence.

GRC platforms enable organizations to mature their cybersecurity capabilities by systematizing cybersecurity best practices; automating the costly, low-production initial triage tasks; providing immediate visibility to vulnerabilities and violated controls; and correlating risk and compliance data from across the enterprise to provide actionable information to people in their business/operational context.

A top cybersecurity priority for all organizations is to ensure that they use their talents and resources in the most productive and lasting ways possible. GRC platforms act as that cybertalent force multiplier.

Sam Abadir is the director of product management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions.