In this day and age, it seems as though every business has some form of alphabet soup or acronym salad that shapes the decisions they make as it pertains to their information security programs. Between data privacy laws, regulations on the financial industry, calls for a healthcare focused cybersecurity framework, and regular updates to the PCI DSS, the ever-growing need for a well-established information security program is apparent.
As enterprises exercise their appetite for risk, their ability to assure the board of directors (and inherently the shareholders) that the appropriate controls are in place to protect their critical information and assets is crucial. The days of setting, forgetting, and burying our heads in the proverbial sand are long past. Accountable parties are under ever-increasing pressure to validate the effectiveness of the programs they have in place and provide actionable assurances that due care was taken.
Where is this heading?
We understand the motivations, the want, and the need, yet the reality of the situation doesn’t always align with what we would expect. Cybercrime is not just the elephant in the room; it’s the elephant in the room that’s been tagged with a Banksy-esque portrayal of modern gangsters kicking back and laughing. Criminal organizations are swelling like a tidal wave that is crashing down on the corporate landscape, yet many businesses are still operating under a reactive as opposed to proactive methodology when it comes to their Information Technology/Information Security (IT/IS) GRC needs. Perhaps this is because we have yet to see a nation-wide regulation mandate that controls across multiple business verticals instead of specific industry-related specifications.
Now we combine that reactive approach to traditional spreadsheet-based GRC with understaffed, over-used personnel. Too often these employees are slammed with audits out of nowhere—from business leaders who trickle down high-level policies such as “We’re gonna be ISO certified”—without truly understanding the workloads they just tossed down the org-chart. The elephant grows. How can one or two people in an enterprise tackle the elephant in the room and drag it outside where it belongs?
Give me some hope
It is likely that the challenges and pain derived from GRC activities will continue to grow, which will further motivate market trends that we are already seeing. In the IT/IS GRC market segment, my clients face a lack of time to dedicate towards keeping up with the rapidly changing onslaught of privacy and data security regulations.
As I hinted above, it is good that governments are impressing a need to protect the private information trusted unto businesses by its customers. However, those businesses will continue to be burdened, either through time sink or fines, by this trend.
In addition to the external changes shaping the internal governance policies that businesses put into place, the IT/IS systems within enterprise architectures are in a state of regular flux. It is rare that a system is in a static state for any significant period, and with every change, the same question must be asked: “Is the current machine state compliant?” Answering this question becomes its own burden, without the correct tools in place, and any manual tracking in a spreadsheet becomes impossible at a certain point.
Still waiting for that hope…
Thankfully, we are living in a time where the options available for GRC tools are growing. The market was traditionally dominated by large scale—and expensive—systems. We are now seeing disruptive companies entering and offering reasonable alternatives to the status quo. However, as with any tool selection, there is a fair amount of vendor fatigue that can come from evaluation.
It is best to have a short list of what you want to get out of this investment. When navigating the path of GRC vendor courtship, I advise to check off as many as the following boxes as possible:
Affordability – Ask yourself, “is this affordable?” Not everyone can afford a high-end global enterprise-class implementation, but most organizations will benefit from a tool.
Mitigation, Remediation, and Delegation – Does the tool support tracking of remediation efforts, risk analysis processes, and an ability to seamlessly delegate accountability to system owners for remediation and mitigation of identified risks?
Streamlined Vendor Risk Management – Can this tool help reduce the probability of a Target-like breach by giving you the ability to semi-automate the evaluation of a third-party vendor’s risk profile?
Policy Libraries – Does the tool support dynamic updates of policies within a library to ease the burden of manually tracking changes to governing regulations, standards, and other best practice publications?
Policy Mapping – Can internal policies be easily mapped or overlaid with regulating policies or standards such as HIPAA, COBIT, ISO, etc.?
Views – Can multiple views be established for critical visibility to information that is reasonably valuable for multiple business organizations within your enterprise?
The end goal with the implementation of any tool is to streamline the general day-to-day processes of GRC activities, support collaborative efforts between departments, and offer a central repository for documentation that validates compliance with both internal policies and external regulatory governance. The key part is the collaborative portion. An effective GRC disciple requires a company-wide buy-in. The easier you make it for your colleagues, the easier you make it for yourself. That way, when the time comes to jump into the next audit wave, you can prove once and for all that GRC isn’t just another four-letter word.