How often are you and your team tasked with projects that you neither have the time nor capacity to support? Quite frequently I would imagine. While automation isn't the ‘magic bullet’ to solve all of our professional woes, it can significantly extend our limited resources to better address the daily challenges of IT and security.
Manual Compliance Pitfalls
It certainly goes without saying, but I will say it anyway—manually managing compliance tasks is a highly resource-intensive effort with very little return on investment (ROI). This includes not only the analysis, implementation and maintenance of compliance requirements, but also the monitoring, validation and reporting. It’s an endless landscape of spreadsheets and slide decks strewn across a Who’s Who of first- and second-line teams.
When looking at these challenges through the lens of People, Process and Technology (PPT), we as leaders often struggle to secure the funds to throw ‘People’ at the problem. This is where strengthening and enhancing our ‘Processes,’ further supported by ‘Technology,’ becomes crucial.
Automation Benefits
The core benefit of automation lies in leveraging technology and workflows to free up our resources to focus more on value-driven outcomes while leaving monotonous, repetitive tasks to technology.

Instead of needing a team of 10 people to manage all the minutiae of everyday tasks, fewer people can now oversee the automation of the repetitive and mundane. Those resources are additionally able to provide continuous monitoring and reporting more easily on compliance status for governance, risk and compliance (GRC) teams, internal audits and external regulators. No more grabbing the same screenshot every week because it needs to be just a little bit different for the next auditor knocking on our door.
Furthermore, automation provides consistency across systems, driving strong information security without the added risk of human error. This allows us as leaders to confidently report on current state security and resource utilization to executives and the Board.
Practical Implementation
This is where the rubber meets the road. First, you need to take an inventory of existing processes. How much time are your teams spending on daily, weekly, or monthly tasks? How many of those tasks are repetitive? Which processes have the highest risk of human error? Much of this endeavour comes down to simply cataloguing tasks and hosting workshops with process managers.
To implement automation, you are looking at a wide breadth of tooling across different functions. Historically, tools have filled single-purpose roles. Today, tooling can serve multi-faceted purposes across process lifecycles. An example of this is with Endpoint Detection & Response (EDR). Instead of the old anti-malware or Intrusion Detection System tooling from yesteryear, EDR can not only detect anomalous behaviour but also respond to it. Other examples include Security Orchestration, Automation and Response (SOAR), ‘Next-Gen’ SIEM, automated patch management solutions and GRC platforms, especially those with integrated regulatory compliance feeds. The idea with the latter is automating compliance and control mapping, which can then lead to a ‘test once, comply many’ capability.
There may not be a tool for your specific use case, or you simply may not have the budget for the newest, hottest tool on the market. By leveraging in-house engineering and development expertise, you can create purpose-built tools with Python or Golang and then leverage REST APIs to connect the right systems and workflows. With this option, the biggest limitation is the imagination.
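The ‘test once, comply many’ idea from the paragraphs above, sketched as a small purpose-built Python tool. This is an added example, not code from the original article; the control IDs, framework requirement IDs, hostnames and evidence values are constructed placeholders, and in practice the evidence would be collected from system REST APIs.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed evidence, shaped as a collector might return it per asset.
EVIDENCE = {
    "srv-app-01": {"disk_encrypted": True, "patch_age_days": 12},
    "srv-db-01": {"disk_encrypted": False, "patch_age_days": 45},
    "srv-web-01": {"patch_age_days": 3},  # encryption setting was not collected
}

@dataclass(frozen=True)
class Control:
    control_id: str
    check: Callable[[dict], Optional[bool]]  # None means evidence is missing
    satisfies: tuple  # placeholder requirement IDs, one or more per framework

def flag(key):
    return lambda ev: ev.get(key)  # True / False, or None if absent

def at_most(key, limit):
    return lambda ev: None if key not in ev else ev[key] <= limit

CONTROLS = [
    Control("ENC-01", flag("disk_encrypted"),
            ("FRAMEWORK-A:4.2", "FRAMEWORK-B:ENC-7")),
    Control("PATCH-01", at_most("patch_age_days", 30),
            ("FRAMEWORK-A:6.1", "FRAMEWORK-B:VULN-2", "FRAMEWORK-C:12")),
]

def run_tests(evidence, controls):
    """Test each control once per asset: {control_id: {asset: status}}."""
    status = {True: "pass", False: "fail", None: "no-evidence"}
    return {c.control_id: {a: status[c.check(ev)] for a, ev in evidence.items()}
            for c in controls}

def comply_many(results, controls):
    """Fan each single test result out to every requirement it is mapped to."""
    report = {}
    for c in controls:
        # Missing evidence is an exception too: absence of proof is not a pass.
        failing = sorted(a for a, s in results[c.control_id].items() if s != "pass")
        for req in c.satisfies:
            report[req] = {"control": c.control_id,
                           "compliant": not failing, "exceptions": failing}
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(comply_many(run_tests(EVIDENCE, CONTROLS), CONTROLS), indent=2))
```

Scheduling a run like this and archiving the JSON output gives auditors the same dated evidence for every mapped framework, in place of the weekly screenshot.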
Final Thoughts
Start small, tackle the big fish and low-hanging fruit first and plan for scaling & maturity over time. We don’t need to spend hours, days, or weeks toiling away over the implementation and monitoring of controls and we certainly have better things to do than spend that time collecting metrics and drafting reports for the revolving door of auditors. Let’s start working smarter, not harder.