Following the continuous rage of the COVID-19 pandemic, organizations face a difficult task to secure the workload and devices of the employees scattered around the world.
As a home has become the new office, it unveiled serious organizational cybersecurity gaps. Experts say that simply installing antivirus software or encrypting traffic on a company-issued MacBook is not enough – companies need to actively monitor their attack surface and be aware of the risks they are exposed to.
To discuss enterprise security, we invited Michael Peters, the CEO of Continuum GRC. Michael explains that to ensure that business operations are secure, organizations must be able to eliminate oncoming threats and have a clear view of their own cybersecurity landscape.
Can you tell us about the story behind Continuum GRC? What has the journey been like?
Our incubation story began as a software tool project inside Lazarus Alliance. You see, Lazarus Alliance is a cybersecurity audit, compliance, and risk service firm for the global business community. We had the desire to reduce as much manual labor, human error, and complexity as we could and help our customers save time, trouble, and money. A commercially available solution did not exist, so we set out to develop the solution in-house. Following a few years of work and testing with real customers, and real auditors, our solution was ready for prime time. In 2015, Continuum GRC was officially launched as a separate company from Lazarus Alliance.
Can you introduce us to what you do? What are your main areas of focus?
Auto-mapped standards, automated documentation, real-time status, risk & maturity. When it comes to Compliance Cartography, no one is more comprehensive, secure, and automated – saving you time, trouble and money. Serving the enterprise to the start-up community. Continuum GRC is a software as a service (SaaS) product that is purpose-built for users who perform audit & compliance assessments, risk assessment & risk management, governance & policy development, and all other manners of audits and assessments.
Continuum GRC modules include support for the world’s frameworks, including NIST 800-53. DoD SRG, CMMC, 800-171, 800-66, 800-30, FedRAMP, StateRAMP, CJIS, DFARS, HIPAA, ITRM, AICPA SOC 1, SOC 2, GDPR, ISO 27001, NERC CIP, EUCS, C5, PCI DSS, LADMF and hundreds of others.
In addition to pre-configured questionnaires, assessment modules, and forms, the Continuum GRC ITAM SaaS application has created tools that provide drag-n-drop easy custom creation for system administrators to construct their own assessment modules in 26 languages. Real-time reports on Compliance Status, Risk Scores, Maturity Scores, workflows, tasking records, evidence management, and historical performance help you stay proactive, not reactive.
Use Continuum GRC to replace existing tools, templates, and manual processes in place to support internal compliance and GRC requirements. The automation of Continuum GRC reduces manual labor, the complexity of and between frameworks, produces reports, SSPs, POA&Ms, graphics, dashboards, and related outputs all sustained over the entire lifecycle of the program all within a single view with a unified source for governance, risk, and compliance that supercharges performance and eliminates complexity.
What set of tools do you use to assess one’s state of cybersecurity?
We use Continuum GRC not only for our client assessments but for ourselves internally too. Sure, we utilize other tools such as vulnerability scanning or system hardening tools, but making sense of all of that data is easy in Continuum GRC. We are able to gauge compliance metrics, gaps, risks, and maturity in real-time, giving us an enterprise snapshot of where we have been and where we are going along our cybersecurity lifecycle.
How has the pandemic altered the way people perceive cybersecurity?
It has emphasized how the corporate network extends into our homes everywhere. The close proximity between working and personal computing spaces has put both at risk. The importance of cloud applications allowing our remote workforce to collaborate and be productive securely has exponentially risen. Each solution must protect the users’ and businesses’ data, which means that independent third-party certification and attestation evaluations have to be achieved to provide public assurances to consumers.
In your opinion, which industries should step up their cybersecurity compliance?
Cloud service providers must be accountable for security and privacy. Global compliance standards such as FedRAMP, SOC 2, ISO 27001, C5, and EUCS must be part of a business model and success strategy. Customers should demand it, and so should stakeholders.
Which issues can an organization run into if it doesn’t have appropriate risk management platforms in place?
Risk assessments are fundamental to understanding what core business assets are most important to a company, what poses a risk to those assets, and how to eliminate as much risk as possible while measuring value. These calculations will help guide the business decision-making towards responsible strategies to accomplish both business objectives while balancing countermeasures. Without a foundation in risk management, organizations are not going to have a clear understanding of what is at risk, what efforts to apply, and how much to spend on these efforts.
Why do you think certain companies are not even aware of the risks they are exposed to?
There are several factors that should be considered. Primarily, again, having a risk management program implemented based on globally recognized standards such as ISO 27005, 31010, or NIST 800-30 make a good place to start. The next factor is the experience of the assessor evaluating risk. While outsourcing the assessment process is not required, it does promote an unbiased evaluation of your organization. It also gives you access to practitioners with extensive experience, verifiable credentials, and referenceable capabilities.
Talking about individual users, what security solutions do you think everyone should look into?
Any solution that helps you identify weaknesses in your technical implementations is a good start. You will need to make sense of all that data too, which is where a solution such as Continuum GRC provides structure, organization, and actionable guidance towards reducing risks.
What does the future hold for Continuum GRC?
We are excited about continuing our work with bodies like the European Union Agency for Cybersecurity (ENISA), the National Institute of Standards and Technology (NIST), and dozens more. With 26 and counting, we continue to support more languages, more governance, risk and compliance frameworks and improve on our automated capabilities.
Call Continuum GRC at 1-888-896-6207 or complete the form below.