Following the news media frenzy around the data breaches at Experian and compliance failures at Home Depot, organizations are facing heightened demand for data privacy and compliance regulation. In Grant Thornton LLP's survey of more than 400 chief audit executives from US organizations, 31% of respondents ranked compliance risks as their top concern, and 42% believe that data privacy has the most potential to impact company growth.
Despite these findings, only 29% of respondents are using a governance, risk, and compliance (GRC) technology tool, and only 22% believe their organization is leveraging GRC technology effectively. Why is there such a disconnect between what is important and what is occurring? Businesses often create policies, practices, and controls without a true understanding of life on the ground in the company. Best practices for security -- especially when dealing with highly sensitive financial information -- traditionally have focused on building walls around the perimeter to keep people out and keep information in. However, when you build a 10-foot wall, your opponent brings an 11-foot ladder.
Though perimeter-based security is important, it is only one strategy in a layered approach. Financial organizations must also look at information as it is managed throughout their information gateways -- via file shares, the web, enterprise collaboration systems, communication systems, and social platforms. Thinking holistically about managing compliance and maintaining visibility, data classification, and control makes the walls less penetrable.
How can we close the gap between what is needed and what is available? To understand what capabilities are needed for ongoing operations, practitioners should conduct vulnerability assessments. These can be helpful when beginning an audit and are valuable in identifying what information requires heightened attention and what programs are used to store it -- including enterprise collaboration systems and interactive gateways, such as file shares, SharePoint portals, cloud platforms, social networks, and websites.
However, identifying these issues across thousands or millions of documents is impossible without automation. It is important to look beyond features that only check the boxes. Because information is constantly being created, vulnerability assessments must be ongoing to create a comprehensive lifecycle approach to risk mitigation. When choosing the technology, look for a solution that can do the following.
- Discover data across multiple gateways to shed light on dark data and other potential risks. Sensitive information may not be obvious but can open up an organization to issues if leaked, especially when it concerns a customer's finances.
- Scan content in motion or at rest against out-of-the-box or customized checks for a wide range of privacy, information assurance, operational security, sensitive security information, and accessibility requirements. Financial organizations often require heightened security based on government regulations, but security requirements can also be affected by subject matter and size. Select a technology with a solid framework that can be customized for your needs.
- Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
- Take corrective action automatically to secure, delete, move, quarantine, encrypt, or redact risk-defined content. These actions can reduce costs by eliminating the need for increased hiring to monitor information security initiatives.
- Enhance incident tracking and management with an integrated incident management system, in addition to trend reports and historical analysis to measure improvements over time.
- Monitor data and systems on an ongoing basis to demonstrate and report on conformance across your enterprisewide information gateways and systems.
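As an added example that is not part of the original article or of any vendor's product: a minimal Python sweep over a constructed in-memory file share that walks through the discover, scan, classify, and remediate steps listed above, with a Luhn checksum to cut false positives on card-number hits and an incident log for tracking. The file paths, document contents, and check definitions are all constructed for illustration.

```python
import re

# Constructed sample "file share": the paths and contents are made up.
SAMPLE_SHARE = {
    "loans/app-1042.txt": "Applicant card 4111 1111 1111 1111, SSN 123-45-6789, income 85000",
    "marketing/q3-newsletter.txt": "Q3 newsletter: new branch hours and a mobile app update.",
    "hr/offsite-notes.txt": "Expense card on file: 5500 0000 0000 0004 (finance only).",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit strings, cutting false positives."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Each check is a pattern plus a validator applied to the raw match (constructed checks).
CHECKS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
                    lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
}

def scan_document(text: str) -> list[tuple[str, str]]:
    """Return (check_name, matched_value) for every validated hit in one document."""
    return [(name, m) for name, (pat, valid) in CHECKS.items()
            for m in pat.findall(text) if valid(m)]

def redact(text: str, hits: list[tuple[str, str]]) -> str:
    """Mask each hit, keeping only the last four characters for reconciliation."""
    for _, value in hits:
        text = text.replace(value, "*" * (len(value) - 4) + value[-4:])
    return text

def sweep_share(share: dict[str, str]) -> tuple[dict[str, str], list[tuple[str, str, str]]]:
    """Discover, scan, classify and remediate each file; return new share and incidents."""
    remediated, incidents = {}, []
    for path, text in share.items():
        hits = scan_document(text)
        if not hits:
            remediated[path] = text            # classified Public: left in place
            continue
        # classified Restricted: redacted copy goes to quarantine, original is removed
        remediated["quarantine/" + path] = redact(text, hits)
        incidents += [(path, name, "redact+quarantine") for name, _ in hits]
    return remediated, incidents
```

The incident list is what a trend report would aggregate over repeated sweeps, since the text stresses that assessments must be ongoing rather than one-off.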
Traditional approaches to return on investment focus on cost reductions and productivity increases, but smaller benefits can also justify a technology investment. For example, many companies now think of their data (particularly customer information) as an unrealized asset. However, much of that data may be lost in file shares or data silos. So what can be seen as a risk may also be viewed as an asset when accessed and protected appropriately.
Bridging the gap between current GRC use and desired use does not happen overnight. Organizations and their IT teams not only need to adopt the tools, but they must also successfully implement the technology and promote sustainable adoption. Despite the road ahead, GRC platforms and applications can foster safe, effective, and productive business environments at financial institutions. It's time that we take the steps to make GRC a staple in all businesses and better our relationships, not only with our customers, but also with our employees.

Dana Simberkoff is the Chief Compliance and Risk Management Officer at AvePoint, Inc. She is responsible for executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for ...