I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”
No pressure, then, right!?
The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.
Here are some more expectations I’m hearing from C-level executives and board members:
- We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
- We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
- We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
- We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, key performance indicators for our security team.
In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.