GRC: Reach Beyond the Acronym


In the age of the acronym—from OMG to, well, GRC (governance, risk, and compliance)—every firm has some form of alphabet soup that shapes the decisions about information security programs. As enterprises exercise their appetite for risk, their ability to assure the board of directors (and inherently the shareholders) that the appropriate controls are in place to protect their critical information and assets is crucial. The days of setting, forgetting, and burying our heads in the proverbial sand are long past.

Why unbury our heads?

We understand the motivations, the wants, and the needs, yet the reality of the situation doesn’t always align with what we would expect. Cybercrime is not just the elephant in the room; it’s the elephant in the room that’s been tagged with a Banksy-esque portrayal of modern gangsters kicking back and laughing. Criminal organizations are swelling like a tidal wave that is crashing down on the corporate landscape, yet many businesses are still operating under a reactive as opposed to proactive methodology when it comes to their Information Technology/Information Security (IT/IS) GRC needs.

Now combine that reactive, spreadsheet-based approach to GRC with understaffed, overworked personnel. How can one or two people in an enterprise tackle the elephant in the room and drag it outside where it belongs?

What about this elephant?

It is likely that the challenges and pain derived from GRC activities will continue to grow, which will further drive market trends we are already seeing. In the IT/IS GRC market segment, my clients have too little time to dedicate to keeping up with the rapidly changing onslaught of privacy and data security regulations.

In addition to the external changes shaping the internal governance policies that businesses put into place, the IT/IS systems within enterprise architectures are in a state of regular flux. With every change, the same question must be asked: “Is the current machine state compliant?” Without the correct tools in place, answering this question becomes its own burden, and manual tracking in a spreadsheet becomes impossible at a certain point.

Don’t worry—there’s hope.

Thankfully, we are living in a time where the options available for GRC tools are growing. However, as with any tool selection, a fair amount of vendor fatigue can come from evaluation. It is best to have a short list of what you want to get out of this investment. When navigating the path of GRC vendor courtship, I advise checking off as many of the following boxes as possible:

  • Affordability
    • Ask yourself, “Is this affordable?” Not everyone can afford a high-end, global, enterprise-class implementation, but most organizations will benefit from a tool.
  • Mitigation, Remediation, and Delegation
    • Does the tool support tracking of remediation efforts, risk analysis processes, and an ability to seamlessly delegate accountability to system owners for remediation and mitigation of identified risks?
  • Streamlined Vendor Risk Management
    • Can this tool help reduce the probability of a Target-like breach by giving you the ability to semi-automate the evaluation of a third-party vendor’s risk profile?
  • Policy Libraries
    • Does the tool support dynamic updates of policies within a library to ease the burden of manually tracking changes to governing regulations, standards, and other best practice publications?
  • Policy Mapping
    • Can internal policies be easily mapped or overlaid with regulating policies or standards such as HIPAA, COBIT, ISO, etc.?
  • Views
    • Can multiple views be established for critical visibility to information that is reasonably valuable for multiple business organizations within your enterprise?

The end goal of any tool is to streamline the day-to-day processes of GRC activities, support efforts between departments, and offer a central repository for documentation. An effective GRC discipline requires company-wide buy-in. That way, when the time comes to jump into the next audit wave, you can prove that GRC isn’t just another three-letter word.

Contributed by: Corey Wilburn, Security Practice Manager at DataEndure. He specializes in the design of strategic solutions, aimed at delivering high-value operational intelligence, leveraging best-in-class products as well as services built around current and emerging standards. Corey has a passion for infosec policies, processes and procedures. He loves working with clients to help them realize the potential for their security strategy, maximizing ROI while reducing their attack surface, and helping them become more resilient in the face of an ever-evolving threat landscape.
