Over the last 25 years that I have been managing technology, and more specifically security technology, the one predominant battle that many of my peers have been waging, and generally losing, is the battle over accurate and effective documentation. Accurate in the sense that the documentation reflects the current state of the public or private sector enterprise with regard to its assets, capabilities, and value, and effective in the sense that the stated policies and procedures ensure the continued viability of the enterprise. While this issue by itself may not be first and foremost on the minds of most executives, it is symptomatic of a much greater dilemma: a pervasive lack of effective and efficient Governance, Risk, and Compliance (GRC) in the enterprise.
In today's technology-driven world, as new and emerging technologies shape the way we live and do business, cyber criminals employ equally new and emerging capabilities for exploiting them. In response, governments and industry bodies develop rules, regulations, and guidelines for implementing security controls to offset the evolving capabilities of cybercrime. The criminals then adapt to those controls with equally creative techniques, which in turn sets off yet another reactive wave of rules, regulations, and guidelines, and so on and on the cycle goes.
As the pressure on executive leadership to reduce costs and raise profit margins increases, reduced staffing levels and lower-cost resources are the typical, reflexive strategy employed to show revenue gains and at the same time appease shareholders. The negative effect is that this reflexive response sharply increases the burden on operational management to provide effective and efficient services. Look no further than Target and eBay as two examples where the cumulative effect of reduced staffing, overworked resources, and the inability of security analysts to recognize indicators of compromise contributed to breaches that might have been avoided with advanced training in the integration and automation of the tools and technologies that manage risk.
We long ago passed the point where an effective and efficient Enterprise Governance, Risk, and Compliance Program is merely desirable. We have arrived at the point where an effective and efficient Enterprise Governance, Risk, and Compliance (eGRC) Program is essential for any organization, public or private, where transparency and accountability are integral to its existence.
So what's the solution? In order to manage Governance, Risk, and Compliance effectively and efficiently within the enterprise, organizations must make a significant investment in GRC tools that offer automation and integration capabilities aligned with the GRC program established for that organization's enterprise. Additionally, organizations must make a significant investment in GRC program development training for their staff, as well as the technical training necessary to maximize the features and benefits of their chosen GRC tools.
Faced with the harsh realities of diminished operating budgets, reduced staffing, and lack of training, we can only achieve eGRC effectiveness and efficiency through the use of tools and technologies to automate what has predominantly been a manually driven exercise. That being said, a tool is only as good as what it was designed for. You can use a pair of pliers to tighten a screw, but the most effective way to tighten a screw is to use a screwdriver, and the most efficient way to tighten many screws is to use a power screwdriver. Most eGRC tools on the market today are effective out of the box if your organization has already defined a GRC program and most of the workflows associated with that program fit within the confines of the chosen tool. Most GRC tools on the market also offer APIs for customizing features and functionality, which in turn enables greater efficiency; the caveat is that every customization is code your organization now owns and must maintain and test as the tool and the underlying feeds change.
Integrating GRC tools with other platforms such as security analytics, identity management, and business continuity, to name just a few, offers the opportunity for greater visibility into the total enterprise. Having a "single pane of glass" or "dashboard" gives senior leadership the real-time situational awareness they need in order to make informed critical decisions regarding Governance, Risk, and Compliance within their organizations. That view is only as trustworthy as the feeds behind it, which brings us back to the documentation problem: a dashboard built on an inaccurate asset inventory reports risk against an enterprise that does not exist.
Let's take security analytics as an example. By integrating the data from vulnerability management, intrusion detection, log management, and security information and event management (SIEM) tools into a GRC dashboard view, an organization can identify and respond to patterns of anomalous behavior that may be Indicators of Compromise (IoCs). An IoC by definition points to an intrusion that has already begun, so the value of this visibility is earlier detection: correlating, say, a high-severity finding from the scanner with an intrusion detection alert on the same host lets an organization investigate and contain an intrusion before it becomes a reportable breach, rather than discovering it months later.
In the case of identity management, access management policies such as role-based access control, and recertification reports of current, disabled, and deleted user IDs, can be effectively enforced to meet compliance mandates; a disabled account that still authenticates successfully is both a compliance exception and a possible IoC. From a business continuity perspective, data from the business impact analysis can be correlated with risk reports to reflect the resiliency of an organization.
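The two correlations just described, security analytics joined to vulnerability data and identity recertification joined to authentication events, are shown below as an added example. This is illustrative code written for this page, not code from any GRC product or from the original article; the feed formats, the field names, the additive risk weighting, and every record in the sample feeds are constructed assumptions, not output from any real scanner, IDS, or IAM system.

```python
"""Toy GRC dashboard correlation (added example, not a vendor implementation).

Joins three constructed feeds:
  * vulnerability findings per host (assumed fields: host, finding, cvss)
  * intrusion detection alerts per host (assumed fields: host, signature, count)
  * identity data: account status plus authentication events

and returns the records a GRC reviewer should look at first.
"""
from collections import defaultdict

# Constructed sample data. None of it comes from a real tool or enterprise.
VULN_FINDINGS = [
    {"host": "web01", "finding": "unpatched remote service", "cvss": 9.8},
    {"host": "web01", "finding": "weak TLS configuration", "cvss": 5.3},
    {"host": "db01", "finding": "missing OS patches", "cvss": 7.5},
    {"host": "hr02", "finding": "default SNMP community", "cvss": 4.0},
]
IDS_ALERTS = [
    {"host": "web01", "signature": "outbound connection to blocklisted address", "count": 12},
    {"host": "hr02", "signature": "port scan from internal host", "count": 3},
]
ACCOUNTS = [
    {"user": "alice", "status": "active"},
    {"user": "bob", "status": "disabled"},
    {"user": "carol", "status": "deleted"},
]
AUTH_EVENTS = [
    {"user": "alice", "host": "web01", "result": "success"},
    {"user": "bob", "host": "db01", "result": "success"},
    {"user": "carol", "host": "db01", "result": "failure"},
]


def host_risk(vulns, alerts, cvss_high=7.0):
    """Join scanner findings and IDS alerts on host name.

    Assumed weighting (an illustration, not a standard): score is the worst
    CVSS on the host plus one point per IDS alert occurrence.  A host is
    flagged for investigation only when it has BOTH a high-severity finding
    and at least one alert: an exploitable service plus anomalous traffic is
    a far stronger indicator than either signal on its own.
    """
    worst_cvss = defaultdict(float)
    for v in vulns:
        worst_cvss[v["host"]] = max(worst_cvss[v["host"]], v["cvss"])

    alert_count = defaultdict(int)
    for a in alerts:
        alert_count[a["host"]] += a["count"]

    rows = {}
    for host in set(worst_cvss) | set(alert_count):
        rows[host] = {
            "worst_cvss": worst_cvss[host],
            "alerts": alert_count[host],
            "score": worst_cvss[host] + alert_count[host],
            "investigate": worst_cvss[host] >= cvss_high and alert_count[host] > 0,
        }
    return rows


def recert_exceptions(accounts, auth_events):
    """Recertification check: successful logins by accounts that are not active.

    Disabled, deleted and unknown accounts are all exceptions; a failed login
    by a deleted account is noise for this report and is deliberately skipped.
    """
    status = {a["user"]: a["status"] for a in accounts}
    exceptions = []
    for e in auth_events:
        if e["result"] != "success":
            continue
        user_status = status.get(e["user"], "unknown")
        if user_status != "active":
            exceptions.append({"user": e["user"], "host": e["host"], "status": user_status})
    return exceptions


def dashboard(vulns=VULN_FINDINGS, alerts=IDS_ALERTS, accounts=ACCOUNTS, auth=AUTH_EVENTS):
    """Build the summary a single-pane-of-glass view would render."""
    risk = host_risk(vulns, alerts)
    ordered = sorted(risk.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return {
        "hosts_by_risk": [host for host, _ in ordered],
        "investigate": [host for host, row in ordered if row["investigate"]],
        "recert_exceptions": recert_exceptions(accounts, auth),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(dashboard(), indent=2))
```

With the constructed feeds, web01 is the only host that combines a critical finding with intrusion alerts, so it is the one flagged, while hr02's scan alerts alone do not promote it above db01's unpatched but quiet state. The recertification check surfaces bob's successful login on a disabled account and ignores carol's failed attempt. In a real integration the three feeds would come from the tools' APIs rather than inline lists, and the weighting would be whatever the organization's risk methodology defines.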
I’ve taken a fairly circuitous route, but we needed to understand the challenges facing organizations today, the advantages of a sound Governance, Risk, and Compliance program and ways to leverage eGRC tools to gain operational effectiveness and efficiency throughout the enterprise.
There is no magic bullet, and every eGRC solution has its strengths and weaknesses. Only when an organization is clear about its mission, clear about its vision, and clear about how it needs to maintain its viability as an entity can it employ the tools and technologies necessary to support GRC in the enterprise.