Strengthening the Core: GRC Integration for Enhanced Project Security

In March, our journey towards fortified security and compliance began with an article highlighting the critical importance of aligning efforts towards these essential goals. We outlined a five-step approach for better security and compliance, and this month we’re taking a deeper dive into step 2: organising the project team within a matrix structure, with Governance, Risk, and Compliance (GRC) principles at its core. Key to this approach is successfully integrating Identity Access Management (IAM) strategies with the goal of eliminating confusion and complaints and saving both time and money. This process transcends mere role assignments; it’s a pivotal step towards seamless communication, enhanced collaboration, and agile decision-making processes.

What is Identity Access Management (IAM)?

We hear industry buzz words so much they can become like white noise, their complete meaning masked in a fog of familiarity. So, in the interest of clarity, let’s break it down.

IAM is built on four key pillars: Authentication, Authorisation, Administration and Audit. Each pillar plays a vital role in establishing a secure and effective access management framework.

• Authentication makes sure that you know who each user is, and only legitimate users can gain system access.
• Authorisation determines the access level for each authenticated user, ensuring they can only access resources which are necessary for their work.
• Administration streamlines IAM complexity for IT administrators by efficiently managing user accounts, roles, and access privileges.
• Audit involves ongoing monitoring and recording of access events to identify security risks, enforce compliance, and maintain comprehensive user activity records.

According to this 2023 scholarly article, cyberattacks and resulting data breaches frequently have their root cause in enterprises’ IAM systems. Adopting these pillars will form the foundation of a resilient IAM strategy, shielding organisations from unauthorised access and potential cyber threats.

The article goes on to explore the technological aspects of IAM systems, particularly the potential benefits of an emerging, passwordless paradigm in identity management known as Self-Sovereign Identity (SSI). It’s an approach to digital identity that gives individuals control over the information they use to prove who they are to websites, services, and applications across the web. It leverages decentralised ledger technology, similar to blockchain, to store and manage your digital identity. SSI can improve manageability and usability aspects and help implement acknowledged best practices such as the Principle of Least Privilege (PoLP). Although the authors warn that “SSI is not a silver bullet for all of the challenges that today’s complex IAM systems face”.

The Importance of Team Alignment

The alignment of security and compliance goals throughout an organisation is paramount. Organising the project team within a matrix structure serves as a robust foundation for this alignment. To be effective, the matrix should have budgetary decision-making authority and the capability to issue instructions seamlessly. For this reason, it’s essential the matrix is fortified with GRC and IAM principles.

There is a fantastic feature about ‘Why security-IT alignment still fails’ on CSOOnline. The author observes that one of the most cited roadblocks to IT-security alignment is the perception that the security team can slow down, or even stop progress. According to Sushila Nair, senior security portfolio director at NTT Data Corp. and a board member with ISACA’s Greater Washington, D.C. chapter:

“Cybersecurity developed a reputation as the department of no, so there’s a reluctance to loop in security.”

Do you recognise this attitude from your own organisation?

But we shouldn’t really be surprised by this. Just a few years ago in the corporate world, cybersecurity had a distinctly siloed role. Business and IT worked to grow the company, while cybersecurity was tasked with keeping everyone safe. These are two very different goals, which is bound to cause a misalignment in your teams if attitudes are not addressed.

The Benefits of a Matrix Structure

If you get it right, the matrix approach goes beyond traditional role assignments, laying the groundwork for seamless communication, enhanced collaboration, and agile decision-making processes. By embedding GRC and IAM at the core of the organisational structure, enterprises set the stage for effectively managing risks, ensuring compliance across all business functions, and safeguarding sensitive data access.

You will find some great advice about role-based access control and access policy enforcement in this blog, but to summarize, the author defines three fundamental steps:

1. Define Role-Based Access Control (RBAC): Establish roles based on organisational functions. Assign precise permissions to each role for detailed access control. Utilise role collections for efficiency.
2. Regularly Review and Update Roles: Review and adjust user roles and permissions to match organisational changes. Remove excess access promptly.
3. Implement Principle of Least Privilege (PoLP): Assign minimum necessary permissions to roles, reducing unauthorised actions. Avoid over-provisioning roles, mitigating future issues.

Establishing roles according to functional responsibilities and assigning suitable permissions enables a granular level of access control that frees you up from a lot of day-to-day maintenance and monitoring. Instead, it restricts users to only the resources needed for their tasks, minimising unauthorised actions.

Enhancing Collaboration and Communication Channels

Introducing a project organisation matrix, infused with GRC and IAM principles, marks a significant milestone in enhancing collaboration and communication channels within the team. According to this article by training provider KnowledgeHut:

“Companies with matrix organizational structure have a dynamic reporting structure for their employees, where an employee has two managers – Functional and Project. The functional manager is responsible for their expertise or department, and the project manager is responsible for the specific project they are working on.”

So, how can this improve communication and foster greater collaboration?

• Clear Roles and Responsibilities: In a matrix structure, each team member has a clear role and set of responsibilities. This clarity reduces confusion and enhances efficiency.
• Streamlined Communication: The matrix structure fosters streamlined communication pathways, ensuring that stakeholders are always on the same page regarding security and compliance objectives. With clearer communication channels, collaboration flourishes.
• Efficient Decision-Making: The improved collaboration and communication foster more efficient decision-making processes. Each team member becomes an integral part of the cohesive unit, working towards shared goals with clarity and purpose.
• Controlled Access to Sensitive Information: IAM principles ensure that only authorised individuals have access to sensitive information. This not only enhances security but also ensures that team members have the information they need to perform their roles effectively.
• Shared Goals: The GRC principles ensure that all team members are working towards the same compliance and risk management goals. This shared focus can improve collaboration and communication as everyone understands the objectives and how their role contributes to achieving them.

With these steps in place, each team member becomes an integral part of the cohesive unit, working towards shared goals with clarity and purpose, while also ensuring controlled access to sensitive information.

This article from recruitment specialist BorderlessHR offers 20 ways to make these positive changes in your own organisation. It points out that:

“When team members work together effectively, they can achieve greater outcomes, solve complex problems, and drive innovation. However, enhancing teamwork within a team requires deliberate effort and the implementation of strategies that promote communication, trust, and shared goals.”

This will all lead naturally to a more efficient workflow. Redundancies are eliminated, processes are streamlined, and the risks of costly security breaches or compliance violations are minimised. Which in turn will lead to greater profitability. It’s amazing what a little teamwork can do!

Addressing Soft Factors and Protecting Against Sabotage

While technological solutions play a crucial role in bolstering security measures, soft factors such as organisational culture and employee awareness add layers of complexity that cannot be underestimated. According to Verizon’s 2023 Data Breach Investigations Report, 19% of data breaches involved internal actors. These security breaches can be categorised in two ways:

• Malicious – caused by an intent to harm an organisation.
• Non-malicious – caused by human error or negligence.

The good news is that 62% of internal security breaches are found to be non-malicious, and this is a problem we can tackle more easily.

This feature from Deloitte has some great advice about improving staff awareness. It’s worth a read, but we’ve pulled out a few highlights to make the point here:

• While physical and technical security measures can be put in place, if employees lack sufficient awareness of the risks posed, these measures become redundant.
• Deloitte believes having employees with a sense of belonging to a concerted effort aimed at preventing security threats where personal accountability is the norm, is the most effective tool in tackling insider risk.
• It is impossible to train for every situation, but if employees operate in a security culture that continues to nurture individual awareness and attitudes, then an organisation can build in resilience to deal with unprecedented changes.
• Cultures are grown, as opposed to installed or bought.

Let’s Talk About AI

Finally, when we speak about the complexities of modern risk, we can’t ignore the boom in generative AI tools being used across every organisation.  It’s already being embedded in everyday tools, like email, word processing applications, and meeting software. However you feel about it personally, and it’s a topic that is still quite polarising, this technology will only play an increasing role in your staffs’ daily work.

“Generative AI can empower people—but only if leaders take a broad view of its capabilities and deeply consider its implications for the organization.”

This is good advice from McKinsey.

When it comes to GRC and IAM the subject becomes even more polarised.

The ultimate function of generative AI is to allow computers to learn, adapt and create new data – and this data must be protected just as fiercely as your native data. But how do you protect something if you don’t know it exists?

It is for this reason that instilling all the GRC and Identity Access Management principles we have explored in this article, should be paramount when you are strategizing how to use generative AI. Then, you must ensure all staff are on board with these security measures. Establishing a baseline for AI-driven solutions now, provides protection against potential sabotage or misuse of these technologies in the future, whilst allowing you to fully take advantage of the benefits they bring. That must be good for business.