As cloud continues to deliver speed, security and transparency, its place in governance, risk and compliance (GRC) is becoming increasingly prominent. Amazon Web Services’ (AWS) John McDonald discusses the key components that make up a successful GRC programme.
What are the greatest challenges in GRC today?
John McDonald, AWS: In migrating to cloud, the biggest challenge for firms is updating their current overall GRC programmes. The traditional models of how technology, operational and financial risks are managed will not be sufficient. Cloud is a fast-moving, always‑on environment that enables financial institutions to have full transparency of their data on the cloud, and it is important to leverage that. Standards bodies such as the Committee of Sponsoring Organizations of the Treadway Commission, Control Objectives for Information and Related Technologies, and the National Institute of Standards and Technology provide excellent baseline risk models, but these frameworks are not detailed enough. An organisation’s GRC programme update should include both internal risk management and third-party risk management objectives since many software-as-a-service (SaaS) providers are using major cloud service providers’ infrastructure to deliver offerings to customers.
What are the building blocks for a successful cloud GRC programme?
John McDonald: The first step is realising the need to update your programme, and taking an objective view of what needs to change. Many companies moving to cloud try to simply add the word ‘cloud’ to their current models, and then move forward with adoption. That is not a scalable approach and will not deliver the desired results. Creating an environment in which a firm’s team can dive deep, research new risk models, and provide open and honest feedback is critical to success. The second involves developing a cross-functional team that includes business, technology, risk and cloud experts, which is crucial to understanding all the needs of each group in the new model. Finally, it is important for organisations to take advantage of the ability to log actions that take place on the cloud. They can then use this information to provide a comprehensive view of activity in a way that is not currently available in legacy, on-premises environments.
What should organisations consider when making the decision to move to cloud?
John McDonald: We’ve seen cloud adoption increasingly gain momentum across the financial services industry. Interest has grown exponentially over the last few years as organisations look to the cloud for competitive advantages and increased agility. Overall, there are five advantages of moving to the cloud: cost, agility, elasticity, breadth of functionality and the ability to deploy globally in minutes. AWS hears this echoed when speaking with financial services customers, as they consistently express the need to innovate to keep pace in a highly competitive landscape, while cutting costs and meeting their regulatory compliance obligations.
We are seeing companies in every industry using AWS in a pervasive way, and financial services is no exception. We work with organisations of all sizes – from fintechs and challenger banks such as Starling and Monzo to the largest banks, broker-dealers, insurers and market centres in the world, including Suncorp Group, along with Capital One, Intuit Mint, Bankinter, Liberty Mutual, Pacific Life, Nasdaq, and The Depository Trust & Clearing Corporation.
One of the most important considerations from a security perspective is adopting an overall framework for migration, such as Secure by Design (SbD), a security assurance approach that formalises cloud environment design, automates security controls and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the IT management process. Another key undertaking is preparing for security events. Companies must be prepared by having an incident management process that aligns to their organisational requirements and testing it regularly. They should run incident response simulations and use automated tools to increase the speed of detection, investigation and recovery. Cloud allows red teams and other security professionals to build an exact replica of a firm’s production process, attack it, find its flaws and fix them before final production. That is not possible given the cost associated with building and tearing down exact replicas of production environments in a traditional data centre model.
Why is cloud relevant in the new era of risk management and compliance?
John McDonald: The cloud provides unparalleled transparency. Every action is an application programming interface call, so it can be logged, monitored, evaluated and acted on in real time. A key development the cloud has created in the GRC community is the concept of continuous compliance. Continuous compliance provides a single source of truth across GRC, enabling real-time monitoring and remediation recommendations for all cloud activities. This allows IT teams to prove to auditors that controls exist in real time. An organisation’s cloud governance teams can test new environments and applications with results almost at the push of a button, and view real-time portals to design compliance regimes for any audience. This allows the company’s leadership to sleep soundly, knowing the controls work as designed and can be reviewed at any time.
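The continuous-compliance idea above, as an added example that is not part of the interview or AWS's own tooling: each API call arrives as an audit-log event, every control is evaluated against it as it lands, and each failure becomes a timestamped finding an auditor can read. The events are constructed samples that borrow CloudTrail's field names; the control ids CC-1 and CC-2 and the finding format are assumptions made for this illustration.

```python
# Added example, not AWS code: every cloud action is an API call that lands in
# an audit log, so a control can be evaluated as each event arrives. The events
# below are constructed samples that mirror CloudTrail field names; the control
# ids and the finding format are assumptions made for this illustration.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T09:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"groupId": "sg-example", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T09:10:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "carol"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

def control_mfa_console_login(event):
    """CC-1 (assumed id): interactive console logins must use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return None  # control does not apply to this event
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None  # compliant
    return "console login without MFA"

def control_no_open_ingress(event):
    """CC-2 (assumed id): no security-group ingress rule open to 0.0.0.0/0."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return f"ingress from 0.0.0.0/0 on port {perm.get('fromPort')}"
    return None  # compliant or not applicable

CONTROLS = {"CC-1": control_mfa_console_login, "CC-2": control_no_open_ingress}

def evaluate(events):
    """Run every control over every event; return timestamped, auditor-ready findings."""
    findings = []
    for ev in events:
        for control_id, check in CONTROLS.items():
            reason = check(ev)
            if reason:  # a failed control becomes evidence the moment the event arrives
                findings.append({"control": control_id, "eventTime": ev["eventTime"],
                                 "actor": ev["userIdentity"].get("userName"),
                                 "eventName": ev["eventName"], "reason": reason})
    return findings
```

Calling evaluate(SAMPLE_EVENTS) returns two findings, one per failed control, while the MFA-protected login produces none; in practice the same loop would be fed from the log delivery stream rather than a static list.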
How can GRC tools be used across various business lines?
John McDonald: Since the cloud allows all actions to be viewed in a cohesive manner, both the risk framework and the tooling a financial institution uses to manage its cloud implementations can be used everywhere across all business lines that utilise cloud. Organisations migrating to cloud should take a thoughtful approach to their use of tools, evaluate their current platforms for relevance to cloud and seek industry experts to review all of the cloud-native offerings that could meet their needs. One best practice is adopting a single tool to view the entire cloud controls framework that documents everything from risks to end-implementation monitoring, and to test on an ongoing basis. This may mean decommissioning current tooling or using it only for on-premises applications. Having one source of truth will help provide organisations with the transparency of the entire operations environment, streamlining audit preparation in a way that has never been possible before.