from Navigating the Compliance Headwinds Webinar – December 6, 2022
Carlos (Industry Expert): I think being able to demonstrate the speed of delivery is something that probably makes a lot of sense for us. So, to address the initial question about how machines can help us, let's talk in a very practical sense. Ideally, an organization has a good sense of what policies it has in place. Those policies need to be predicated on meeting or exceeding all the laws, rules, and regulations. What I would recommend to the individual is to gather all the policies, pick one as a topic of choice, let's say access control or something like that, and then work with some of the service providers such as 4CRisk, and there are a couple of other GRC tool providers, to request their partnership and really understand what all the laws, rules, and regulations associated with access control are for all the locations and regulatory bodies subject to it. And then you are going to actually start receiving some data.
Again, the machine learning associated with 4CRisk and the like can help start getting the output. Then you not only have a policy in hand, but you also have a list of all the different regulations, with the actual reference code and the actual language and everything. The digestion of that could become very comprehensive; that's where the machine learning is going to come in and help you extract the juice. What matters, right? And then there's still a bit of manual analysis that needs to be done. Someone needs to look at the output of what your GRC tool is telling you, and someone needs to look at the policy, and the convergence of both still needs a human to do it (i.e., is my policy addressing my regulatory obligations, and if it's not, do I need to update the policy? And who does that, and how do we go about it?). So hopefully that addressed the question. I want to make sure that the user receives some sort of headwind.
Grace (Industry Expert): Yes. For us, and what I've done in the past, I'm looking not only at the things that I'm excited about, what 4CRisk.ai is doing, which is that first level of artificial intelligence: looking at the many different regulatory and framework environments, looking at the commonality and the lowest common denominator so that we can set things like key controls and determine what our baseline controls are, but then equally testing those. So, for me, where technology advances beyond the control and the regulatory framework is in actually going out and testing them. So rather than having manual or swivel-chair processes, let the computers do it.
So, most of our companies have many, many different security tools doing things from IM to configuration management and compliance management to vulnerability management, and the list goes on. When you take all those tools and integrate them together with your GRC, or however you're bringing that together with your controls testing, then you can really look at both the scope and the scale of compliance that you have, and you're not doing it with manual effort.
Michael mentioned earlier that even with just reading the regulations, your mind wanders or you make errors; when we're testing controls or doing compliance testing, the same thing is going to happen. You'll have human error: either they test it incorrectly, or they don't get to it, or they read it wrong. Whereas when you have computers or technology doing that, you can bring that in, and you can bring it in at massive scale as well. So that's that whole continuum, from the point where you figure out what regulations you need to comply with, and your frameworks like NIST and ISO and the like, to where you can look at overlapping controls and then do that "test once, use many." That's the other thing you can do with technology around frameworks: looking at "test once, use many" to find the controls that are common. With that, you also create efficiencies by limiting audit fatigue. A lot of us will hear that from our delivery staff; I don't hear from people that they don't understand or agree with the notion of being involved in the audit, they just simply don't have the time to do it on the scale that we need. So when you can use technology to do "test once, use many," you also create efficiencies.
Michael (Industry Expert): And on that point, the physicist Fritjof Capra stated, "The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent." I mean, the physicist was talking about biological ecosystems, but it really applies to risk and compliance in today's business environment, and "test once, comply many" is that same thing: things are interconnected. I might be able to meet multiple regulations as well as multiple risks with a single control, or this policy maps to multiple things, and we need to be able to see these complex, many-to-many relationships in the organization. To do that from a human perspective takes a lot of time and energy. Machines are tools to gather and map this and present it to us, and then we can use our intuition, see things from different perspectives, and have it tell us what it's not saying as well.