GRC leaders lack confidence in security data they provide to regulators

September 28, 2020

Senior risk and compliance professionals within financial services company’s lack confidence in the security data they are providing to regulators, according to Panaseer's 2020 GRC Peer Report. Results from a global external survey of over 200+ GRC leaders* reveal concerns on data accuracy, request overload, resource-heavy processes and lack of end-to-end automation.

The results indicate a wider issue with cyber risk management. If GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.

Less than half (41%) of risk leaders feel ‘very confident’ that they can fulfil the security-related requests of a regulator in a timely manner. Just over a quarter (27.5%) are ‘very satisfied’ that their organization's security reports align to regulatory compliance needs.

GRC leaders cited their top challenges in fulfilling regulator requests, as:

Getting access to accurate data (35%)
The number of report requests (29%)
The length of time it takes to get information from security team (26%)

The issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance. This does not reflect the current challenges from cyber. 92% of senior risk and compliance professionals believe would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5% believe it’s important to automate security risk and compliance reporting. However, only 11% state that their risk and compliance reporting is currently automated end to end.

In addition, 96% said it is important to prioritize security risk remediation based on its impact to the business, but most can't isolate risk to critical business processes composed of people, applications, devices. Only a third (33.5%) of respondents are ‘very confident’ in their ability to understand all the asset inventories.

Charaka Goonatilake, CTO, Panaseer: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests. These manual processes combined with lack of GRC tool scalability necessitates data sampling, which means they cannot have complete visibility or full confidence in the data they are providing. The challenge is being exacerbated by new risks introduced by IoT sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”

Andreas Wuchner, renowned GRC leader and Panaseer Advisory Board member: “To face the new reality of cyberthreats and regulatory pressures requires many organizations need to fundamentally rethink traditional tools and defenses. GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing Continuous Controls Monitoring, an emerging category of security and risk, which has just been recognized in the 2020 Gartner Risk Management Hype Cycle.”

To read Panaseer's full 2020 GRC Peer Report, please visit: https://panaseer.com/reports-papers/report/2020-grc-peer-report/

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

GRC leaders lack confidence in security data they provide to regulators

Related Articles

Report Abusive Comment