How a Security Data Fabric Approach Can Transform the GRC Function
2024-03-28 Author: securityboulevard.com

New data privacy regulations are being added all the time – including statewide, national and industry-specific requirements – and they each come with standards that must be met to remain compliant. One of the most significant changes in the past year has been the Securities and Exchange Commission’s (SEC) new mandate that public companies disclose cybersecurity incidents within a few business days. But that’s far from the only new set of regulations.

Governance, risk and compliance (GRC) professionals have their work cut out to keep pace with all new and updated regulations. This is where a security data fabric approach can play a key role.

Exploring the Data Challenges of GRC

One of the biggest challenges for the GRC function is gathering all the relevant data they need from across the business and getting it into one place where it can be analyzed and easily accessed by all key stakeholders. The data needs to be clean and in a format that enables GRC and security professionals to understand what they have. Ideally, they don’t want the full raw data format; whether they’re looking at dynamic host configuration protocol (DHCP) or domain name system (DNS) logs, GRC managers need the data in a format they can easily query via a table or a visualization tool. With these options, a report can consistently be generated on a timely basis, such as daily or weekly, so that they’re continually able to monitor controls and catch any potential compliance gaps. Manually collecting and reporting on data from several different security and IT controls makes this kind of timeline almost impossible – and requires dedicated analysts to complete this repetitive work.

Not only is data difficult to corral, but the sheer amount of it keeps growing. As organizations adopt more tools and applications, all of these produce large amounts of data. By 2025, total global data creation is projected to reach more than 180 zettabytes. For context, that figure was 64.2 zettabytes in 2020. Although GRC data is only a subset of this total, GRC teams still have to make sense of almost triple the amount of data in a fraction of the time. With some mandates coming down, organizations might have only seven days to report a breach.

The bottom line is that meeting ever-expanding compliance mandates requires quick, easy access to all the data in a usable way. Ultimately, the GRC function will be responsible for compliance, so getting this right is essential.

Introducing a Security Data Fabric Approach

Taking a data fabric approach means bringing data into one location — like a security data lake — correlating and enriching it, then making it easily accessible to people on teams across the business who need access to the data to do their job. Rather than having multiple parts of a business create their reporting processes and dashboards for the same type of control with a slightly different definition, organizations can do that all within the data fabric via governance and other mechanisms. This same concept can be applied to security data specifically. The security data fabric can weave together disparate data from across an organization’s security controls, place it in one location, correlate and enrich it, and then provide it via a simple-to-use interface that makes the data easily accessible. It also makes the data more accurate and trustworthy because it’s much more complete.

Currently, many GRC teams and functions spend time pulling manual reports from multiple systems and applications. If they want to look at secure configuration, they might go to application A. If they want to look at their asset management inventory, they go to application B.

As part of their oversight, GRC teams need to understand things like:
• What are the applications and controls being used in the organization?
• Where do these applications and controls live? On-premises, in the cloud, or both?
• Where are there overlaps that might suggest some controls could be streamlined?
• Are they performing as they should?
• Who’s responsible for fixing any issues?

Discovering all of this manually is extremely time-consuming. With a data fabric, GRC pros have this information in one place rather than having 50 screens open, constantly pivoting between them to determine how to tie the thousand assets in one application to the 50 assets from the secure configuration tool. It’s all in one place, normalized, enriched and available in a report that makes it much easier to see and understand where there might be issues.
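The normalize-then-correlate step described above, as an added example that is not part of the article: three constructed exports (an asset inventory, a secure-configuration scanner and an EDR console) spell hostnames differently, so they are reduced to one join key, merged into a single row per asset, and turned into a gap report naming the owner to contact. All field names and sample values are assumptions.

```python
# Constructed sample exports from three source systems; field names and
# hostname spellings are assumptions, differing across tools as real exports do.
ASSET_INVENTORY = [  # asset management: system of record for owners
    {"Hostname": "WEB-01.corp.example", "Owner": "platform-team", "Env": "cloud"},
    {"Hostname": "db-02.corp.example", "Owner": "data-team", "Env": "on-prem"},
    {"Hostname": "HR-LAPTOP-7", "Owner": "hr", "Env": "on-prem"},
]
SECURE_CONFIG_SCANS = [  # secure-configuration tool: baseline results
    {"host": "web-01", "baseline_pass": True},
    {"host": "db-02", "baseline_pass": False},
]
EDR_AGENTS = [  # EDR console: installed agents and their health
    {"device": "web-01.corp.example", "agent_healthy": True},
    {"device": "hr-laptop-7", "agent_healthy": True},
    {"device": "rogue-vm-9", "agent_healthy": True},  # absent from inventory
]

def normalize_host(name: str) -> str:
    """Reduce each tool's spelling of a host to one join key: lowercase short name."""
    return name.strip().lower().split(".")[0]

def _record(fabric: dict, raw_name: str) -> dict:
    """Return the asset row for a tool's hostname, stubbing unknown hosts.

    A host a control sees but the inventory does not is itself a finding,
    so it is kept (owner 'unknown') rather than silently dropped."""
    key = normalize_host(raw_name)
    return fabric.setdefault(key, {"host": key, "owner": "unknown", "env": "unknown", "controls": {}})

def build_fabric() -> dict:
    """Correlate every source onto one normalized, enriched row per host."""
    fabric = {}
    for a in ASSET_INVENTORY:
        row = _record(fabric, a["Hostname"])
        row.update(owner=a["Owner"], env=a["Env"])
    for s in SECURE_CONFIG_SCANS:
        _record(fabric, s["host"])["controls"]["secure_config"] = s["baseline_pass"]
    for e in EDR_AGENTS:
        _record(fabric, e["device"])["controls"]["edr"] = e["agent_healthy"]
    return fabric

def control_gaps(fabric: dict, required=("secure_config", "edr")) -> list:
    """One (host, control, state, owner) row per required control that is missing or failing."""
    gaps = []
    for row in sorted(fabric.values(), key=lambda r: r["host"]):
        for ctl in required:
            status = row["controls"].get(ctl)
            if status is not True:
                gaps.append((row["host"], ctl, "missing" if status is None else "failing", row["owner"]))
    return gaps
```

Running `control_gaps(build_fabric())` on the sample data yields four rows, including the failing baseline on db-02 and the EDR-only host that no inventory owner claims.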

Beginning Your Security Data Fabric Journey

To successfully implement a security data fabric approach for GRC, here are several best practices:

Meet with the key stakeholders from the teams that oversee the controls you need to monitor: This might mean meeting with people on the infrastructure team, the application owners, or people from functions like human resources or finance, to identify where the data for each of the controls lives within your organization. Examples of controls in the security realm might include products providing capabilities such as endpoint detection and response (EDR), asset management and vulnerability management, to name just a few.

Get your data from the source: It might seem easier to get something from a CSV file that someone’s managed for the last five years or grab it from some other report, but it’s important to get this information directly from the source system. Otherwise, it’s less trustworthy. Getting data straight from the source, rather than from secondary or tertiary levels within an organization, is a must for success.

Establish relationships with these key stakeholders: These are the people responsible for the systems and applications used and managed by different teams across the organization. Talk with them regularly about how they’re sourcing their data, determine what they’re looking at, and understand their roadmap. Build and cultivate these relationships so that when there’s an issue with the data, or a group is non-compliant for a specific control, reaching out is easier.

Encourage commitment to a one-stop shop: A benefit of a security data fabric approach is that it helps ensure all the data lives in one spot, normalized, correlated and enriched. Ensure that if you’re moving forward with the security data fabric, other areas of the business join you on this journey and commit to the approach. Otherwise, it will be hard to get alignment on what the controls are, where the data will be sourced from, who owns the report once it is built and so on. By cultivating the relationships with key stakeholders and data owners, you can work in partnership to implement a centralized strategy – one where it doesn’t feel like you’re taking something away from them or butting into their jurisdiction.

A Stronger GRC Function

Regulations are increasing, not decreasing, and so is the volume of data to sort through. A security data fabric approach can transform the work of governance, risk and compliance analysts. This approach makes it much easier to identify and fix compliance issues. It supports a continuous approach to compliance after that centralized reporting strategy has been built – rather than a once-a-year scramble during an audit to find and fix issues to avoid fines.

Creating a security data fabric protects an organization’s investment in its security and other IT controls by identifying performance issues so they can be fixed. It also saves money by identifying overlaps in controls. Ultimately, a security data fabric approach makes collaboration between GRC and other teams easier, and compliance more of a sure thing.


Source: https://securityboulevard.com/2024/03/how-a-security-data-fabric-approach-can-transform-the-grc-function/