We’re all still trying to wrap our heads around just how much has changed in such a short period of time. Those changes span nearly every area of our lives and affect us in a number of personal and professional ways. From an organizational perspective, taking a granular look at the new world of hybrid-remote work, the data protection needed for the 2022 world is markedly different from the data protection of 2020. How have things changed?
Ever-changing workforce dynamics along with the drive to digitally transform the business to innovate and work faster introduces immense challenges for security and risk professionals — especially when it comes to GRC. The massive move to cloud, collaboration, and remote work has fundamentally sped the pace of nearly every organization and with it accelerated and amplified protection challenges — specifically exposure and exfiltration of sensitive digital assets, aka data. We call this insider risk.
Consider the major data protection challenges pre-pandemic. They centered on data privacy with the introduction of GDPR, CCPA, and a host of others across US states and countries. The sheer mass of regulations drove organizations to a compliance-first mindset. I argue GRC became CRG (compliance, risk, then governance focused). Now, pile the pandemic and the overnight shift to remote and hybrid work on top of ever-increasing compliance complexity. Employees are no longer tethered to corporate offices, infrastructure, or networks, and as a result, corporate data, too, is untethered. What we have is a massive data governance problem — one that forces us to shift from a compliance-first approach to one rooted in data governance. In essence, we flip the formula from compliance driving people, process, and technology needs to data governance being the main driver.
Five Reasons Why a Governance-First Approach Is Needed
Enter Insider Risk Management (IRM)
IRM is a modern approach to data protection rooted in three core technology principles: trust, prioritization, and right-sized response. Simply put, when it comes to employees’ use of corporate data, what is considered untrusted activity, which untrusted activity poses unacceptable risk to the organization, and what is a suitable method of remediation? Answering these three questions requires that GRC and security departments evaluate their insider-risk posture by identifying where data is exposed, defining what data risk is material to the business, deciding when to prioritize exfiltration events as threats, determining how to investigate and respond to that exfiltration, and ultimately, showing why a focus on optimizing and improving insider risk posture over time proves valuable to the business.
When it comes to the data governance challenges (file exposure and exfiltration) that GRC professionals face, applying the principles of IRM to define and document processes for where data is exposed, what exposure matters, when to prioritize, how to respond, and why, benefits not only security and risk teams but the business at large.
Five Ways IRM Helps Address GRC and Security Data Governance Challenges
Many of us have heard, even said, “compliance does not make us secure” and that’s true, especially when it comes to data security in a cloud, collaborative, and remote world. But what is it about the keepers of compliance — GRC — that would make us more secure? I argue it starts with governance and wrapping our heads around three simple questions: What is untrusted, when does it matter, and how do we respond? More often than not, the most complex challenges — GRC — require the simplest of approaches: IRM. Let’s start there.
For 5 simple steps to get started with insider risk management, check out this brief.
About the Author Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can’t Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42, a leader in insider risk detection and response, in 2016, bringing more than 20 years of B2B data storage, cloud, and data security experience with him, including several roles in marketing and product management at Seagate.
Copyright © 2021 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.