Back in July, Gartner announced its “hype cycle for risk management” to highlight the new trends entering the risk management field. Among those “at the peak” was Continuous Controls Monitoring (CCM), which Gartner calls “a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.”
According to one company, this is a natural evolution of governance, risk and compliance (GRC) as more boards and regulators seek more metrics to make better risk decisions. Nik Whitfield is CEO of Panaseer, and in a July blog he pointed out that, as well as being named an inaugural vendor by Gartner, in its six years of operation “Panaseer developed a technology platform that automates that joining process; the platform pulls data from 10, 20, 50 different vendor technologies or data sources in an enterprise, stitches it all together, and creates the most valuable security metrics over that data for different stakeholders.”
He claimed this enables a user to answer the questions on ‘what have we got?’, ‘is it well defended?’ and ‘what do we need to do next to improve security?’ This is the essence of CCM, being able to provide the answers to those difficult questions.
Speaking with Infosecurity, Whitfield said understanding security posture is how CCM and compliance fit together. “The fundamental belief that we have and that Gartner have is that ‘measurement manually’ is not effective, and CCM is born of the need to automate all of your controls and your asset,” he said. This involves creating a baseline of truth that you need to give stakeholders and regulators, and CCM gives you the answers on your security posture.
“It is such an important area, as GRC people are really overwhelmed and getting caught between the regulator, the auditor, the board and the security team – and the security team have all the data but they are busy securing the company,” Whitfield said. “For all parts of GRC to work, they need accurate and complete data.”
This is where CCM fits in, Whitfield claimed, as GRC has been around for a long time, but was never designed to solve modern problems as these days there are so many demands for information and so much data inside an organization, that a GRC platform cannot provide “qualitative measures” to be able to respond accurately.
In particular, he claimed “security tools know about security things” and too many demands overwhelm the teams, and the GRC team worry about the accuracy of the data.
“The phrase that comes up time and time again is no one wants to stand behind the data, as you cannot verify the accuracy,” he pointed out.
Whitfield said the challenge is that security often struggles to articulate risk to the business, and he cited one CISO who said “nobody cares about a vulnerability on a Linux machine, but everyone cares about a vulnerability in our payment process,” and these are of course the same thing, just described differently.
“Our job with CCM is to take the information and present it in a way that is aligned to critical processes,” he said.
In terms of what CCM is, Whitfield explained it is a step above monitoring to ensure controls are configured and working: knowing that the environment is being controlled and how the controls perform. “Effectively, it tells you if all the safeguards are in and working effectively. When they are not, it can let us know so we can remediate that.”
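To make the “joining process” and the “are the safeguards in and working?” question concrete, here is an added example (not Panaseer’s code, nor anything from the article) that stitches three constructed data feeds together on hostname and turns them into per-business-process control metrics, in the spirit of the payment-process framing above. The feed layouts, SLA numbers and process names are all assumptions.

```python
"""Toy continuous-controls-monitoring check (added example, not Panaseer's platform)."""

# Constructed sample data standing in for three vendor feeds.
CMDB = [  # asset inventory: hostname and the business process it supports
    {"host": "pay-app-01", "process": "payments"},
    {"host": "pay-db-01", "process": "payments"},
    {"host": "hr-web-01", "process": "hr"},
    {"host": "dev-box-07", "process": "engineering"},
]
EDR = {"pay-app-01", "hr-web-01", "dev-box-07"}  # hosts with a reporting EDR agent
VULN_SCAN = [  # scanner findings: host, severity, age of the finding in days
    {"host": "pay-db-01", "severity": "critical", "age_days": 45},
    {"host": "hr-web-01", "severity": "high", "age_days": 10},
    {"host": "old-srv-99", "severity": "critical", "age_days": 90},  # absent from CMDB
]
SLA_DAYS = {"critical": 14, "high": 30}  # assumed remediation SLA per severity


def build_asset_view(cmdb, edr_hosts, findings):
    """Join the feeds on hostname into one record per asset (the 'stitching' step)."""
    view = {a["host"]: {**a, "edr": a["host"] in edr_hosts, "overdue": 0} for a in cmdb}
    unknown = set()  # scanner sees hosts the inventory does not: 'what have we got?'
    for f in findings:
        if f["host"] not in view:
            unknown.add(f["host"])
            continue
        if f["age_days"] > SLA_DAYS.get(f["severity"], 90):
            view[f["host"]]["overdue"] += 1  # control (patching within SLA) not working
    return view, unknown


def control_metrics(view, unknown):
    """Per business process: EDR coverage and assets carrying overdue findings."""
    by_proc = {}
    for a in view.values():
        m = by_proc.setdefault(a["process"], {"assets": 0, "edr": 0, "overdue_assets": 0})
        m["assets"] += 1
        m["edr"] += int(a["edr"])
        m["overdue_assets"] += int(a["overdue"] > 0)
    for m in by_proc.values():
        m["edr_coverage"] = round(m["edr"] / m["assets"], 2)
    return {"by_process": by_proc, "unknown_hosts": sorted(unknown)}


if __name__ == "__main__":
    asset_view, unknown_hosts = build_asset_view(CMDB, EDR, VULN_SCAN)
    for proc, m in control_metrics(asset_view, unknown_hosts)["by_process"].items():
        print(proc, m)
```

The same raw scanner row is reported here as “payments has an asset with an overdue critical finding and 50% EDR coverage”, which is the process-aligned view a GRC stakeholder can act on.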
Where does Panaseer fit into this? Since its formation, the company has been “born into CCM” and broadened its platform to cover more and more of CCM, which is an ongoing process.
Looking back at the past nine months of 2020, how has he seen this space change during the shift to remote working? Whitfield said he has seen those companies that had invested in virtualization technology in the past have a relatively straightforward transition, while those that had not, and were plugging old laptops into the network, now have more IT issues and risks to manage.
“Any change to the working practices changes the risk profile to the organization, changes the attack vectors adversaries may use and therefore requires some investment from security to understand that new paradigm.”
Research released this week by Panaseer found that, of 200 IT governance professionals, 41% feel “very confident” that they can fulfil the security-related requests of a regulator in a timely manner, while GRC leaders cited their top challenges in fulfilling regulator requests as: getting access to accurate data (35%), the number of report requests (29%) and the length of time it takes to get information from the security team (26%).
Whitfield said it is about being able to meet the request of the regulator with data they trust, in a time frame they want and in a format they want; “those factors are important here as not returning data to a regulator in a time frame is just a big no-no.”