As IT security personnel are expected to do more and more with alarmingly scarce resources, even the most seasoned security vet is becoming more worn out than a 1988 Chrysler LeBaron. One area that can greatly help IT security reach new efficiencies is by aligning governance, risk and compliance under a unified framework. Governance, risk and compliance (GRC) are disparate by nature but since their objectives intersect, it can be advantageous (and downright cost effective) to look at them from a holistic perspective. The GRC road is long and arduous, but by pondering four key items (before even selecting an enterprise GRC offering) you can form a framework that will eventually lead to an environment where you can accurately determine what security controls to implement, how to gauge their effectiveness, and how to optimally support those controls (to many of you this may sound more fiction that fact).
Avoid getting sucked into a vacuum
GRC initiatives that are handled solely by internal IT security teams are doomed to fail. Business executives assume IT security staff will understand exactly what needs to be locked down to protect the most critical business assets and processes. Requirements need to be identified collaboratively and then IT security can implement those requirements and controls. IT should never solely decide policy or be left totally alone to verify procedures. When IT security is left to fend for itself with little-to-no oversight, not only will chaos reign, but this poses needless risk to the business. By bringing different business units together (ideally a cross-pollination of IT, finance, operations, and legal) we ensure that GRC truly represents the enterprise profile and not just that of IT.
Speak the same language
One of the reasons that IT security is usually left alone to die a slow and painful death when it comes to devising GRC strategies is that senior management/executives and security never learn to speak the same GRC language. Being able to define requirements and risks in terms that both IT security and business personnel can understand is vitally important. Risk has to be related in a manner that is relevant to the business. Having senior leadership embracing the need for centralized GRC structure and making it a significant mandate and priority is the most critical prerequisite to a successful GRC program. This may seem overtly obvious to many readers, but its importance cannot be understated.
Plan, plan, plan
Organizations today are bombarded with a bevy of regulatory, industrial, and legal requirements and obligations. In order to make sense from this mayhem, proper planning is absolutely instrumental. Ask yourselves: what corporate policies do we want to manage, what risks do we want to be capable of assessing and responding to, and what compliance/regulatory requirements do we need to be able to monitor? Information security will serve as the cornerstone that both feeds and receives data into the GRC programs. A poorly planned program will just increase the overhead and burden on an already overtaxed security team.
Consider free GRC tools
Even the smallest of organizations can dip their toes into the GRC waters, by measuring risk and making more informed decisions through the use of free simple GRC tools and templates. If your organization is not ready for "primetime" automated risk management frameworks or tools, you can still benefit from performing risk assessments and completing GRC planning work done in spreadsheets. Risk management templates is a great resource, offering a range of spreadsheet templates to collect the right information without having to start from scratch. Practical threat analysis is another versatile tool that aids GRC teams to locate the most beneficial and cost-effective method to secure their systems and/or applications.
I would encourage the readers to comment on any other key items that are necessary for ensuring a smooth GRC deployment. If you have any GRC stories that you'd like to share, I would love you hear from you. The next entry in our GRC series will focus on the product offerings, comparing main features, cost, usability, and company size/industry they are best suited to.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.