GRC Becomes Critical, as Cyberattacks, Data Frauds Emerge as High-Impact Threats

SAP | May 13, 2020

  • The last year WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future.

  • New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities.

  • GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before.


2020 will be remembered as the year of an almost worldwide lockdown caused by a virus. What could be next? The 2019 WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations, and the stakes are higher than ever should businesses fail to get it right. We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working.


New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation, more than ever before, and are embracing new agile technologies and methodologies in doing so. GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools. Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, as an entire system, is able to move, react, adapt and so forth. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.



Learn more: NEW CYBER THREAT INDEX SHOWS INDUSTRIES ARE UNDER ATTACK IN UNCERTAIN TIMES
 

“GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools”.

~ SAP organisations


Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities. Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.

" In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations".


Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework. So, what is the correct approach then for agile GRC? Given that organisations differ vastly by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer. Here are a few agile GRC descriptors. Agile GRC realises the need for engaged business users, and hence puts business users at the centre of the process. GRC language is converted into a language that business users can understand.


This is further achieved through more intuitive tools such as introducing business process visualisations that help contextualise and understand risks. A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital than ever given the fluidity of organisational environments today. GRC must become a team sport. If business users are unengaged, it falls to the GRC team to ensure that access risk remains healthy. This is usually done in an episodic fashion, frequently timed to coincide with an audit. In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows.


Learn more: WHAT YOU NEED TO KNOW ABOUT THE CYBERSECURITY SOLARIUM COMMISSION REPORT .
 

Spotlight

More than ever before, the discussion of network security is intersecting with the interests of business, government, and popular media. The Transport Layer Security (TLS) protocol is perhaps the best modern example of this. There are stakeholders on all sides who demand both a secure end-to-end connection for clients, as well as the tools necessary to inspect and control the content of traffic in their private networks.


Other News
PLATFORM SECURITY

Contrast Security Achieves AWS DevSecOps Competency Status

Contrast Security | May 13, 2022

Contrast Security (Contrast), the leader in code security that empowers developers to secure-as-they code, announced today that it has achieved Amazon Web Services (AWS) DevOps Competency for development, security, and operations (DevSecOps) garnered by demonstrating technical proficiency and proven customer success specializing in DevSecOps. Contrast was selected as one of the official launch partners of the DevSecOps Competency by AWS, which is an extension of the DevOps category. Achieving the AWS DevOps Competency for DevSecOps differentiates Contrast Security as an AWS Partner with deep domain expertise in delivering software products that integrate security across every stage of the development and delivery cycles, including pre-, during, and post-deployment. Contrast Security is part of a small group of innovative security technologies to achieve the AWS DevSecOps Competency in its inaugural year. "We're honored to achieve AWS DevSecOps Competency status on top of the DevOps Competency status that we received last year. It is a true testament to our efforts in helping large enterprises ensure security and compliance across the entire lifecycle of their web applications and APIs running on AWS. We're looking forward to expanding our AWS capabilities so that organizations garner continuous visibility and centralized point-of-control for software risk through a single platform." Surag Patel, Chief Strategy Officer at Contrast Security By using instrumentation technology, Contrast Security is embedding self-assessment and self-protection capabilities directly into AWS applications during run-time. This enables DevSecOps teams to detect accurate code-level vulnerabilities (both custom code and open source libraries) in development and quality assurance (QA) environments, and monitor and block production applications from threats and attacks in real-time. Envestnet | Yodlee, the leading data aggregation and data analytics platform, helps consumers live better financial lives through innovative products and services created for more than 1,400 financial institutions and financial technology (FinTech) companies. The company revolutionizes financial services with its intelligent APIs, innovative applications, and advanced analytics products. With the help of Contrast Security and AWS, the company was able to seamlessly integrate new applications and accelerate its time-to-market. The AWS offerings have helped Envestnet | Yodlee launch products to market quickly and effectively. By implementing Contrast as part of their DevSecOps initiatives, Envestnet | Yodlee further secured its financial software solutions and by adopting a DevSecOps methodology, security and development teams are jointly responsible for bolstering security by essentially bringing development and operations together. "Envestnet | Yodlee requires an application security framework that is repeatable, scalable, and can find and remediate vulnerabilities by using the best software security solutions," said Saran Makam, Director of Application Security at Envestnet | Yodlee. "My team chose Contrast Security because their solution was well received by our development and security teams and because it works continuously and in real-time." About Contrast Security Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection to cloud and on-premise applications in production.

Read More

DATA SECURITY

ITC Secure and Cassava Technologies Announce Joint Venture to Expand Industry Leading Security Operations and Microsoft Cloud Security Expertise

ITC Secure | December 16, 2021

ITC Secure (ITC), a leading advisory-led cyber security services company and a Microsoft Gold cyber security partner, and Cassava Technologies, the pan-African technology leader, announced today that they have entered into a Joint Venture (JV) to build and launch an extensive portfolio of cyber security services, powered by Microsoft Azure cloud technologies in Africa. Hardy Pemhiwa, the CEO of Cassava Technologies said: “Digital transformation in Africa is accelerating the adoption of cloud services which is creating an urgent need to better protect users and business-critical data. Cassava Technologies footprint covering more than 15 countries in Africa, we are well-positioned to meet the growing needs of businesses and individuals and expand access to cybersecurity and other digital services. We look forward to bringing ITC’s world-class cyber expertise, coupled with Microsoft’s industry-leading technology, to build Africa’s digital future.” “The strategic partnership between ITC Secure and Cassava Technologies, as a pan-African technology leader, will bring Microsoft’s cutting-edge cloud security solutions to the African market to drive the growth of the technology sector and innovation across Africa.” Andre Pienaar, the Chairman of ITC Secure Admiral Mike Mullen, the Chairman of ITC Secure USA said: “The combination of ITC Secure and Cassava Technologies will help guide us to the future while addressing the growing needs of individuals and organisations in the African market for a secure digital world, built on the best solutions and delivered by the best experts.” Replicating best practice of a leading UK SOC to build a cutting-edge SOC in Africa ITC’s 24/7 Operations Centre, based in London, is at the forefront of delivering managed security services. As part of the JV, ITC and Cassava Technologies will build a state-of-the-art SOC in Africa. The centre will leverage Cassava Technologies’ in-depth knowledge of the African continent and ITC’s extensive experience in cybersecurity, to enable the rapid delivery of cyber services and operations on the continent. Steering the future ITC’s mission to ‘make the digital world a safer place to do business’ echoes Cassava Technologies’ vision of a digitally connected future that leaves no African behind. This JV addresses the growing need to ensure that individuals and organisations are safe and secure online and will further demonstrate how cyber security can be a business enabler, helping to drive growth and create jobs across Africa. Facilitating knowledge transfer locally The skills gap in the cyber security industry continues, with recruitment and retention an ongoing challenge. The JV will facilitate access to experts globally and close collaboration and knowledge transfer locally. This will enable faster on the ground response, the sharing of cyber security best practice and streamlined sharing of internal resource. Extended portfolio of cyber security services ITC’s integrated delivery model provides access to the best cyber security skills, technology, and governance. Encompassing a unified suite of solutions that start with an advisory-led approach, including Identity and Access Management capabilities and managed security services like Managed Detection and Response. At the heart of ITC’s integrated delivery model is PULSE, an extended detection and response platform powered by Microsoft Sentinel, that integrates specialist knowledge and expertise. ITC is a Microsoft Gold partner in Security and Cloud and a member of the Microsoft Intelligent Security Association. Organisations will gain access to a level of expertise recognised by Microsoft as the “highest, most consistent capability” – underpinned by a cohesive set of services that scale. About ITC Secure ITC Secure is an advisory-led cyber security services company. We have a 25+ year track record of delivering business-critical services to over 300 blue-chip organisations - bringing together the best minds in security, a relentless focus on customer service and advanced technological expertise to help businesses succeed. With our integrated delivery model, proprietary platform and customer-first mindset, we work as an extension of your team throughout your cyber journey and always think not only about you, but also your customers and the reputation of your brand. ITC Secure a certified Great Place to Work® and is headquartered in London, UK. With a dynamic balance of the best in people, technology, and governance, we make cyber resilience your competitive advantage. About Cassava Technologies Cassava Technologies is a pan-African technology leader providing a vertically integrated ecosystem of digital solutions, designed to significantly accelerate connectivity and drive digital transformation across the African continent. Cassava Technologies creates the enabling digital infrastructure with cross-border fibre, renewable energy solutions, and a state-of-the-art network of data centres that provides access for millions to complementary digital services of Wi-Fi, Cloud, cybersecurity and fintech solutions. This ecosystem aims to transform the lives of individuals and businesses across the continent by enabling social mobility and economic prosperity.

Read More

DATA SECURITY

S2W has signed contribution agreement with INTERPOL for CTI solution XARVIS ENTERPRISE

S2W | January 03, 2022

Data Intelligence company S2W announced that INTERPOL has recently signed a contribution agreement introducing S2W's cyber threat intelligence (CTI) solution "S2-XARVIS ENTERPRISE" to strengthen its ability to analyze new cyber threats such as dark web and ransomware. S2W has been supporting INTERPOL to identify and prevent "third-world dark web crimes" as part of its "binding the gap among member countries for a safer world," and recently conducted international ransomware organization arrest operation such as Revil, Cl0p, and GandCrab. "INTERPOL is strengthening the use of advanced information and communication technologies such as artificial intelligence and big data and expects that the introduction of S2W's cyber threat intelligence (CTI) solution – S2 XARVIS Enterprise will directly help to prevent nationwide cybercrime through real-time threat detection and dark web/deep web coverage," Robert Han, Head of Global Business of S2W Sangduk Suh, CEO of S2W said "We are focusing on providing services to institutions and companies so that we can build a strong security environment using threat intelligence (TI) information, and through this, we will contribute to eradicating international cybercrime." About S2W S2W is a Data Intelligence company, established in 2018, that extracts and provides actionable intelligences optimized for each client's needs from numerous data. Specialized intelligence provided by S2W can cover multiple industries with its unique data collection and big data analysis for the Dark Web and Deep Web. S2W solutions protect clients from various cyber threats and data leakage, such as personal information, financial information, confidential information within organizations through top-notch data collection and detection technologies.

Read More

DATA SECURITY

Noetic Cyber Partners with SentinelOne to address growing cybersecurity asset management challenges

Noetic Cyber | February 03, 2022

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, today announced a partnership with autonomous cybersecurity platform company SentinelOne (NYSE:S). This partnership delivers an end-to-end cybersecurity asset management solution that leverages SentinelOne's endpoint and cloud workload telemetry, combined and correlated with information from other information sources, to generate a high-fidelity, continuously updated, multidimensional map of all assets and their cyber relationships. The current fragmentation of IT management, DevOps and security tools makes it difficult for security teams to see all the assets in the business and to understand the relationships between them. In fact, 71% of global IT leaders admit to finding new endpoints in their environment on a weekly basis. Endpoint and cloud workload telemetry is a vital part of this information, providing high-fidelity, relevant insights into threats and cyber assets. The integration of SentinelOne Singularity XDR and the Noetic platform enables teams to extend the visibility, detection and endpoint insights of SentinelOne into a wider asset inventory and management architecture, maximizing their value. "We are very excited to be partnering with Noetic Cyber on this integrated solution," said Chuck Fontana, SVP of Business Development, SentinelOne. "There is a significant security challenge in not understanding the cyber risk of all assets in your environment. Together with Noetic, we're able to close that gap and ensure a hygienic cybersecurity environment for organizations across industries." The SentinelOne Connector for Noetic is an API-based integration. Joint customers install the SentinelOne Connector into the Noetic platform and provide it with API credentials to establish a bi-directional integration between the two platforms. The Noetic platform periodically polls SentinelOne, looking for information indicating new, updated or removed endpoints. This information is ingested, aggregated and correlated with information from other data sources, presented to security teams via innovative graph database technology. Pre-packaged queries and dashboards help analysts to uncover coverage and compliance gaps and hidden risks. The Noetic platform also includes a comprehensive automation workflow engine, which allows security teams to pre-determine corrective action, such as deploying the SentinelOne agent to unprotected machines, triggering a scan or disconnecting a machine from the network. "Through this innovative partnership with SentinelOne, we are able to jointly address security coverage gaps and automatically correct misconfigured endpoints that could otherwise leave organizations vulnerable,Leveraging the high-fidelity data provided by SentinelOne, Noetic provides unparalleled insights into your cyber assets, identifies security risks and uses automation to continuously close them." Paul Ayers, CEO of Noetic About SentinelOne SentinelOne's cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform. About Noetic Cyber Noetic Cyber enables security teams to make faster, more accurate decisions to detect coverage gaps and reduce cyber risk. The Noetic solution is a cloud-based Continuous Cyber Asset Management & Controls Platform that provides teams with unified visibility of all assets across their cloud and on-premises systems, and delivers continuous, automated remediation to close coverage gaps and enforce security policy. Noetic improves security tools and control efficacy by breaking down existing siloes and improving the entire security ecosystem. Founded in 2019, Noetic is based in Boston and London.

Read More

Spotlight

More than ever before, the discussion of network security is intersecting with the interests of business, government, and popular media. The Transport Layer Security (TLS) protocol is perhaps the best modern example of this. There are stakeholders on all sides who demand both a secure end-to-end connection for clients, as well as the tools necessary to inspect and control the content of traffic in their private networks.

Resources