Understanding how GRC teams can use a Business Intelligence Strategy
Business Intelligence and Analytics teams are well aware of the need for robust and up-to-date information. Aside from data they use daily – such as lists of users with domain access, vulnerabilities to be patched, or policies that must be attested to – there is also the data supplementary to these pieces of information. The applications they use retain how often certain reports are accessed, track who gets sent email notifications of changes, and measure the impact of API changes on integrations with legacy systems. This world we live in retains and utilizes so much data – data that can further help to make better informed decisions around the objectives of businesses. The availability of this data has highlighted the need for Data Fabric.
What is Data Fabric and Compliance Data Fabric
Gartner has introduced the concept of data fabric, which is the underlying “net” that stitches together data from multiple repositories and application sources and delivers newly integrated and enriched data to those who need it to do their jobs or make decisions.
The GRC world can leverage this idea to:
- Identify gaps
- Understand processes, and
- Forge relationships between different data sets.
As detailed in our annual Compliance report, 88% of organizations face significant obstacles when implementing their Security Compliance program, regardless of size, seniority, or maturity. Compliance teams need a continuous flow of enriched data to support their Compliance objectives and determine their controls’ health. Data is the key to understanding risk. A Compliance data fabric’s primary goal is to continuously deliver integrated and enhanced data to collaborators (like control owners, subject matter experts, application owners, and others) of the GRC function. Having an automated and continuous data fabric in place ensures that the right control owner can support a range of use cases such as risk, policy, Compliance, and user access review. It allows organizations to scale and customize their data modeling to be used in the future for new use cases and frameworks that are currently out of scope.
What are Some Common GRC Examples of Data Fabric?
As part of a data management strategy for GRC teams, data fabric can be implemented in various ways. Here are some popular use cases:
Machine Learning Applications: Because the underlying data used in GRC programs can often expand to very large data sets, machine learning can be used to further understand the relationships between the metadata of different sources (these relationships are captured in knowledge graphs). Eventually, consumers of data fabric will be made aware of GRC-related trends and relationships, for example:
- Risks that are affected by certain business unit changes
- Policies that may need to change because of user behavior, or
- Controls that need to be re-assessed because of gaps in source data.
Preventative Controls: As harmonization of the data and the use of knowledge graphs express the relationships between several entities, teams are able to leverage this structure to better implement preventative controls. As data is continually collected and standardized, configurable rules can identify gaps in the data. Proactive preventative controls can then be put in place, such as using network scanning and device management data sources to check whether a specific computer deviates from an approved baseline configuration.
Strict Governance: Adhering to strict governance for organizationally-adopted sources (think of entity-level business applications like Salesforce, ServiceNow, Jira, etc.) can allow teams to proactively protect the organization from regulatory fines due to a breach in compliance. Let’s say your organization is doing business in the EU and is required to send a customer personal breach notification within 72 hours of occurrence in accordance with GDPR. Using data fabric will make it easier to understand relationships (knowledge graph), extract the data set, configure the rule, and send out the required communication from approved channels.
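The baseline check described under Preventative Controls, as an added example that is not part of the original article: records from a network scan export and a device management export are harmonized into one record per host and evaluated against configurable rules, with a missing source reported as a data gap. The sample data, field names and baseline values are assumptions made for illustration.

```python
import csv, io, json

# Constructed sample inputs (not real data): a CSV scan export and a JSON MDM export.
SCAN_CSV = """host,open_ports
LAPTOP-01,"22,443"
laptop-02,"443"
laptop-03,"23,443"
"""
MDM_JSON = json.dumps([
    {"hostname": "laptop-01", "disk_encrypted": True, "os_version": "14.5"},
    {"hostname": "laptop-02", "disk_encrypted": False, "os_version": "14.5"},
    {"hostname": "laptop-04", "disk_encrypted": True, "os_version": "13.2"},
])
# Hypothetical approved baseline, expressed as configurable rules.
BASELINE = {"allowed_ports": {22, 443}, "disk_encrypted": True, "min_os_version": (14, 0)}

def harmonize(scan_csv, mdm_json):
    """Merge both sources into one record per host, keyed by lowercase hostname."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ports = {int(p) for p in row["open_ports"].split(",") if p.strip()}
        hosts.setdefault(row["host"].strip().lower(), {})["open_ports"] = ports
    for dev in json.loads(mdm_json):
        rec = hosts.setdefault(dev["hostname"].strip().lower(), {})
        rec["disk_encrypted"] = dev["disk_encrypted"]
        rec["os_version"] = tuple(int(x) for x in dev["os_version"].split("."))
    return hosts

def deviations(hosts, baseline):
    """Return {host: [findings]} for hosts that deviate or lack source data."""
    out = {}
    for name, rec in sorted(hosts.items()):
        f = []
        if "open_ports" not in rec:
            f.append("gap: no network scan data")
        elif (extra := rec["open_ports"] - baseline["allowed_ports"]):
            f.append(f"unapproved ports: {sorted(extra)}")
        if "disk_encrypted" not in rec:
            f.append("gap: no device management data")
        else:
            if baseline["disk_encrypted"] and not rec["disk_encrypted"]:
                f.append("disk encryption disabled")
            if rec["os_version"] < baseline["min_os_version"]:
                f.append("OS below minimum version")
        if f:
            out[name] = f
    return out

print(deviations(harmonize(SCAN_CSV, MDM_JSON), BASELINE))
```

Hosts that appear in only one source surface as gaps rather than silently passing, which is the case a control owner most needs flagged before relying on the result.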
Benefits of Data Fabric for GRC Teams
Just as organizations plan their data architecture and technology around their desired business outcomes, a Compliance data fabric should follow in the same vein. All stakeholders should have complete visibility into the “why” and clearly understand the value proposition that the data offers in meeting the main business goals/business outcomes of key stakeholders/teams. Here are some examples of how Data Fabric can help GRC teams:
Better Time to Value: Having a Compliance data fabric in place enables both the Compliance team and the control owners responsible for the data to find, access, integrate, and collaborate on data quickly. One of the advantages of data fabric is that it allows subject matter experts in the business to become a part of the GRC process, thereby hastening the time-to-value ratio.
Optimized Cost and Performance: Using data fabric to automate data management and administration streamlines access and integrations, which enables efficiencies in cost. Additionally, automated data fabric reduces performance gaps in accessing the data, since the data is accessed through a single unified repository.
Improved Collaboration with Stakeholders: One of the benefits of data fabric for Compliance is the deeper communications between GRC managers and GRC consumers, like auditors and the application owners, which create a collaborative culture. This enables communication of available data and identification of gaps to “shift left” and be rectified early in the process. Improved communication reduces the friction of misplaced emails, and eliminates the fatigue felt often by key stakeholders.
Ease of Adoption via Automation: With shrinking IT budgets and the unavailability of highly skilled data engineers and data management experts, automation is inevitable. Over 60% of Security Compliance leaders surveyed said that using automation with a constantly evolving and growing tech stack would help them achieve their GRC goals faster and easier, recognizing that effort expended to gather data for one framework could be leveraged for another. Automated data fabric can therefore be used to attain GRC objectives.
Scalable Source of Truth: One of the hardest hurdles to overcome with data fabric is centralizing and standardizing disparate data sets. They may be coming from different sources (cloud, on-prem, hosted, etc.) or in different structures (XML, JSON, CSV); this requires a scalable approach for all of these data sets to coexist and for users to have a consistent way of interacting with the data.
The No-code Revolution for Data Fabric
GRC teams still play an important role in data analysis. They are provided with the data at the right times, and are expected to derive insights by using the filter/sort function within the Data Fabric. As typical GRC teams do not have coding skills, data fabric strategies that make it simple for users to complete their analysis without the use of code are highly sought after.
ETL is a good use case example. This refers to the process that extracts, transforms, and loads data from multiple sources to the data fabric, typically in high-volume data use environments. For ETL to be successful, the data must be prepared and integrated properly in the right format so that the data fabric can incorporate and consolidate multiple data integration styles. But after the data has been delivered, the users may still need to make some last-minute changes to the data. Now they can do so quickly and with minimal IT support thanks to the no-code revolution -- where enterprise-grade application software can be easily created through graphical user interfaces (GUIs) and configuration instead of traditional computer programming. Effective data fabrics offer a low-code/no-code UI that allows GRC teams to shape their datasets before analyzing their data. This self-service capability allows non-technical GRC professionals to slice and dice the data they need when they need it.
The Future of Data Fabric for Compliance
Organizations are drowning in data, and Business Intelligence groups are increasingly using data fabrics in their data management strategy to indicate whether the data is updated, check if it has been tampered with, and help teams gain insight from the data without too much effort. Compliance teams can take inspiration from the same approach.
The benefits of data fabric for GRC teams are huge; enabling them to tap into the organization’s underlying data fabric and take advantage of the existing data gives them greater visibility across the organization’s Compliance posture and helps them work more efficiently to achieve their Compliance goals, similar to the advantages of a Unified Control framework. Instead of dedicating an untold number of resources and endless hours performing manual mapping work or chasing control owners – yet again – for data they asked for months ago (for a different framework!), a data fabric empowers Compliance professionals to do their job more efficiently.