Why GRC matters to IT security teams

 

 

 

 

 

Expectations of IT security have never been higher. I talked about this a bit in my last blog . But if you don’t believe me there’s a great paper by Enterprise Strategy Group (ESG) that nicely sums up why businesses are calling for much more sophisticated, business-oriented approaches to IT security. You can find it here (look under ‘white papers’ in the right-hand navigation area)

So if you’re in charge of IT security in your organization, what do you do to meet these expectations?

If you said ‘convince the business to invest in eGRC’ then you’re ahead of the innovation curve and are taking your program to the next level.

What happens without eGRC?

Organizations that haven’t invested in eGRC are typically mired in manual processes, trying to manage security using Word documents, spreadsheets and email. They can’t connect anything to anything and have to duplicate work all the time. One IT security manager told me that his team asks the operations team to answer questions specific to FFIEC regulations in January; and then in February asks the same questions of the same people for the purposes of SOX compliance.

This kind of thing is happening in a million different ways all the time. A recent article from Computerworld, titled “Feds want uber cybersecurity compliance standard”, illustrates this as well.

It quotes Jerry Archer, CISO at Sallie Mae, who is presenting his IT-GRC strategy at the RSA Archer eGRC Roadshow in Indianapolis tomorrow (October 13). Speaking at the SINET Innovation Summit in Boston, Jerry said his agency spent 40% of its budget on complying with regulations. “What is needed is automating compliance to reduce the bite it takes from the budget,” he said.

The kicker is the response that Jerry’s remark got from Josh Corman, director of security intelligence at Akamai. He congratulated Jerry on the 40% figure, saying: “For some it’s 100%.”

The article goes on to note that “the trouble with regulations is that they drive security architectures and prevent data loss that may have little real impact, while ignoring thefts that could be devastating.”

What happens with eGRC?

So how does GRC help? For one thing, it helps you automate compliance processes and efforts so security teams can focus attention, budget and strategy on the threats that truly matter to their business.

Organizations that have invested in eGRC (assuming they’ve adopted best practices and made careful strategy and technology choices) can:

  • Automatically map policies, control standards, control procedures, authoritative sources and assessment questions to one another and see the relations between any and all
  • Track the whole life-cycle of security incidents, reliably prioritize incidents in line with business impact and objectives, automatically assign actions to respond to incidents, and report on incidents in a way that provides meaningful business context to senior management
  • Identify gaps in compliance and satisfy common compliance requirements with a ‘one-to-many’ approach

I’ve said it before and I’ll say it again: eGRC is about enterprise-wide collaboration, visibility and control. It’s time for IT security functions to lead the charge to achieve these things. Not only is it the only way to deliver value to the business, but it will make life so much easier for you!

Recommended Reading:

The ESG Information Security Management Maturity Model, a paper by Jon Oltsik, Senior Principal Analyst, ESG (July 2011)

Advertisements

The pressure’s on for IT security

Pressure is on for IT Security

 

 

 

 

I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”

No pressure, then, right!?

The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.

Here are some more expectations I’m hearing from C-level executives and board members:

  • We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
  • We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
  • We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
  • We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, key performance indicators for our security team.

In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.

‘I didn’t see you!’ or, why visibility and control are vital to eGRC

By Alex Bender, Director, eGRC Programs and Strategy, EMC

The other day I saw a car accident. It made me think back to an accident I had years ago, which involved a car appearing so fast I didn’t see it until we were about to collide. The only thing I could do was to swerve wildly to avoid the collision, thereby losing control of my car and crashing — but at least not into the other car.

Thinking back to that accident and the aftermath — the hours spent on a litany of phone calls to my insurance company, getting repair quotes, getting the car to the garage, making alternative arrangements while I was without my car — I couldn’t help but think about the importance of visibility and control in business, as much as in life. The impacts of the lack of visibility and control are extremely apparent in the car accident example – life changing.

See more, act faster, spend less

When you have visibility you can see where you’re headed and plan appropriately to get there. When you have control you don’t have to just react wildly to changes in your environment; you can act with efficient deliberation to avoid situations that are harmful to your organization.

Lack of visibility and control, conversely, can result in a car crash for your organization; and the crash itself is just the beginning of the toll taken on time and resources. If, despite your best efforts, you’ve been unable to avoid an incident, then visibility and control play a vital role in helping you to respond effectively to the aftermath: to minimize the time and money spent identifying what went wrong, fixing the problem and dealing with the legal, operational and financial fallout.

Requirements for visibility and control

In a previous ‘two-part’ blog I wrote about the importance of collaboration across departments for effective eGRC. Well, visibility and control are the fundamental enablers of effective collaboration. So the question becomes: how do you achieve them? You can’t just wave a magic wand. Organizations of all sizes and types are struggling with eGRC issues precisely because they don’t have the visibility and control they need.

I think that for any strategy, approach or tool to give you eGRC visibility and control, it needs to have three attributes:

  • Integration. As long as information relating to eGRC is held in disparate and disconnected systems or dealt with through disconnected processes (probably using ad-hoc tools, excel spreadsheets, word docs and many times just quick conversations), you can never get a clear view of what you know, what you’ve don’t know, what’s happening and how it all relates. Conversely, if you can bring everything together in one place, not just as a central dumping ground but in a way that lets you connect it in meaningful ways, then you’re most of the way to having the visibility you need — to be proactive, rather than always firefighting, and to see the big picture that lets you take a strategic approach to solve your business needs.
  • Automation. One of the difficulties in achieving integration and in dealing with the results is that there’s just so much to integrate and manage in a manual way. Too much to have a hope of doing it effectively without technological help. With the best will in the world, spreadsheets won’t cut it. Manually pulling data from hundreds and or thousands of systems won’t cut it.

To avoid being swamped by information and actions, to be able to act and respond in a controlled way, you need tools that will help you up the eGRC learning curve and that will automate processes wherever possible. But you do not want to automate a bad process since that will just make bad things happen efficiently. Sometimes it is important to revamp a process while you are implementing your eGRC solutions and strategy. Questions to ask yourself are:  Do you have to respond to each new policy or regulatory requirement from scratch or do you have access to eGRC content that prevents you from having to continually reinvent the wheel? Do your processes depend on someone remembering to email someone else or do you have workflow management tools that automatically enforce standard processes? It’s obvious which answers suggest an organization more in control of eGRC.

  • Usability. However integrated and automated your eGRC efforts are, it will be of little avail if it’s too hard for people, especially non-experts in eGRC, to understand what’s going on or what they need to do. Usability is a critical requirement because visibility is only valuable if people understand what they’re seeing; and control is only valuable if people are willing to pick up the ball and do something useful with it. So you want the flexibility to be able to adapt automated processes to fit the way you work; you want to be able to present information to busy executives in ways that they understand; you want to make it easy for people to collaborate, not put them off with impenetrable technology.

When you’re looking at approaches to eGRC and assessing tools that might help you develop eGRC strategies and processes, keep these criteria in mind.

Recommended Reading:

OCEG – Red Book 2.0 (GRC Capability Model)

Don’t we all work for the same company? Part 2

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Yesterday’s blog started talking about how important collaboration is to eGRC issues such as privacy of information. I asked you to consider any kind of information breach and looked at why IT and legal will inevitably be involved and have to work together. I recently spoke to Barb Mosher about the Ponemon Survey and she wrote a great article titled: GRC Initiatives Critical, Yet Enterprise Strategy, Collaboration Lacking which outlines the key issues I have described in this blog series. Let’s now look at the other two key functions to get drawn in: operations and finance.

Operations in the firing line

The effect of a breach on an organization’s operations will very much depend on the nature of the breach and the organization’s business. As data-breach notification laws become more common, every breach will at least require customers to be informed — especially those customers directly affected. Many breaches will also have a direct effect on the organization’s ability to continue to deliver its products or services, whether because a network or website must be taken offline, product functionality must be reengineered, or a back-office process must be suspended until the issues have been investigated and remediated.

If an organization is lucky, any disruption to business-as-usual will be brief; but we’ve seen that it can take weeks to restore affected services, giving customers more to complain about and reporters and bloggers more to write about. Collaboration between IT and operations is critical to managing the timelines for service restoration or product remediation, and for the related task of managing customer expectations.

Customer (and media) communications following a breach are fast becoming a minefield for organizations, with the potential to explode no matter what they do. Pressure is mounting for notification to happen as soon as an organization becomes aware of a breach, whereas even a year ago it was not unusual for months to pass between breach identification and notification. This new demand is perfectly understandable: if private information relating to you has been compromised, you’d rather know sooner than later. But it means that organizations may not have time to understand what’s really happened before they have to tell customers; which in turn may necessitate embarrassing corrections as the picture becomes clearer. It’s really not unusual for the investigation of a breach to reveal that it’s more serious than the organization first realized.

If pressure continues to mount to speed up the notification process, it will become more vital than ever for IT, operational and legal teams to work together to clarify understanding across the organization of what’s known, what isn’t known, and what might be subject to further discovery and possible revision.

Finance in the command center

Ultimately, organizations need to know what the total financial implications of a breach are, because risk management is ultimately about weighing the cost to prevent a risk against the likelihood of it happening and the cost to the organization if it does. When a breach happens, the finance department needs accurate information in order to validate the organization’s approach in relation to this kind of risk, or to adjust it going forward.

Reporters will pounce on any movement of a company’s stock price in the days and weeks following a breach. If the price drops, it will be loudly proclaimed as a sign that the company’s brand has suffered as a result of the breach. We may never know how far that is true. Just as one cold winter doesn’t imply anything one way or the other about the reality of global warming, so a momentary stock price movement can’t really tell us anything about whether a company’s reputation has been significantly or permanently damaged. But in measuring the true financial cost of a breach, organizations do need to find ways to measure the effect on customer, investor and shareholder perceptions and behavior; as well as the more obvious costs of investigating, reporting on and remediating the breach, financing legal battles or settlements, and meeting the cost of fines or other sanctions.

To be able to accurately assess these costs, the finance department needs to be able to see and clearly understand what effect the breach is having on IT, legal, operations and other functions across the business.

So what department do you work for?

Thinking through the implications of any privacy-related incident, it becomes apparent that privacy is no longer (if indeed it ever was) purely a legal issue or an IT issue — no matter who is regarded as being its ultimate ‘owner’ from an organizational point of view. And as with privacy, so it is with most eGRC issues.

So the next time you need to talk to someone in another part of the organization to respond to an eGRC initiative, and someone asks what department you’re from, say you’re from the ‘legal unification department’ or the ‘IT unification department’ and your responsibility is to work across the organization to get everyone headed in the direction the organization as a whole needs you to go.

Further reading:
1. The Ponemon survey


 [S1]Or ‘My last blog’ or ‘Tuesday’s blog’ or whatever. And link to it.