The emergence of enterprise risk compliance (ERC)

The silos between IT compliance and risk and the rest of the enterprise are breaking down, and the two are becoming more tightly integrated. Thankfully, the outdated concept of IT-driven "GRC" (governance, risk, compliance) is diminishing. Rather than being solely the domain of IT, boardrooms are actually driving this change, as they are coming to realize that the damage from data breaches has escalated from regulatory fines to the potential collapse of the business.
As enterprise security professionals grapple with how to better anticipate new cyber security regulations and map their budgets and controls to the evolving threat and regulatory landscape, GRC is being fundamentally reshaped, with greater emphasis on risk-driven compliance management. This new centralized, enterprise-wide intelligence allows organizations to assess and evaluate their security posture from an enterprise risk compliance (ERC) perspective.
The latest ERC (or GRC 2.0) solutions, such as RiskVision from the security vendor Agiliance, manage enterprise risk by making risk data measurable and actionable across all business units (not just IT). This more holistic view of risk and compliance shifts the mentality away from a reactive, threat-driven stance toward a more proactive, risk-based posture. Offerings such as Agiliance's RiskVision express risk in terms of business criticality (as it applies to the business, not just to a particular asset, as many GRC offerings do). Focusing on risk from an enterprise perspective (rather than the myopic IT-only view) allows for greater enterprise adoption and is more indicative of the risks actually facing the business. Proactive ERC is a continuous process that keeps identified risks and compliance obligations under management.
Compliance is still the main driver of security budgets (as most companies are audited on a regular basis). The checklist mentality, while good for gap analysis, is not suitable for a more proactive risk analysis. Blindly answering spreadsheet questions does not make your organization more secure. A little-known fact is that auditors are actually okay with compliance gaps as long as they see the rationale and explanation behind the decision. One should not be wildly adding controls in the hope of satisfying an audit (doing so can be a detriment to an organization's risk posture). To be more secure, one needs to prioritize the gaps, and IT security pros need to take more of a risk-based approach, assessing where the most sensitive data is located.
By following the data, you gain a more accurate inventory of all the critical business applications and the corresponding access levels to your most valuable data. Organizations need to take a risk-based approach when dealing with compliance and regulations. You shouldn't develop your security structure according to a particular regulation or mandate. Start with a comprehensive risk assessment. Use the results of the assessment to build a dynamic security framework and implement anodyne core controls. Once the foundational blocks have been laid, address the additional controls required by each specific compliance or regulatory mandate.
Given the limited resources and constraints most IT security shops currently face, how can one best meet their security needs? Security vendors such as RSAM and Agiliance are leading the charge in ERC (GRC 2.0, ERM, or whatever you want to label it) by presenting risk and compliance within the business context and greatly helping with risk prioritization, so that resource-strapped IT security departments can figure out where to best focus their security efforts.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.