“Cloud computing is happening in a big way,” confirms Michael Hugos, author of “Business in the Cloud: What Every Business Needs to Know about Cloud Computing” (Wiley, 2010). The widespread adoption of cloud solutions follows four years of increasingly intense tire-kicking by organizations, many of which still harbor concerns about data security.
These concerns are legitimate, and should be addressed in governance, risk management and compliance (GRC) programs, notes Ben Tomhave, principal consultant of LockPath, a software and services firm. Tomhave chatted about the growing need for companies to unite their GRC and cloud capabilities.
Eric Krell: Why is GRC a crucial component of a company's cloud security strategy?
Ben Tomhave: Moving data and applications to the cloud means losing direct control over those resources. No longer can you call IT and demand that better security practices be adopted. Instead, better security practices must be planned for in advance and then incorporated into contracts and service-level agreements. It's essential that your GRC program be mature enough to assess these agreements and situations, properly setting the bar for risk tolerance and risk capacity, and then ensuring through continuous monitoring and compliance practices that these benchmarks are being met.
Eric Krell: Why do many companies neglect the cloud in their GRC capabilities? And how can CFOs and chief risk officers address this neglect?
Ben Tomhave: “Neglect” implies a degree of capability maturity that doesn't necessarily exist with GRC programs today. A common problem plaguing organizations is playing catch-up with the latest tech trends. The opportunity with cloud-based solutions is to jump the curve, putting aside traditional approaches and instead moving into a progressive, mature GRC program that establishes a reasonable front-end process to analyze and proactively manage the risk inherent in giving up direct control over infrastructure, applications, and data. Unfortunately, the security industry has done such a poor job communicating GRC program value with traditional in-house solutions that the business falsely assumes that outsourcing to cloud providers will involve less hassle and risk liability. Sometimes just the opposite is true as the business retains the responsibility to customers and other stakeholders while losing the ability to directly improve security once the contract is signed.
Eric Krell: What are some of the problems that can arise when organizations move toward cloud-based services or platforms without addressing this shift within their existing GRC programs?
Ben Tomhave: One common problem is the fact that businesses can far too easily circumvent current policies and controls with a simple credit card transaction that bypasses GRC processes. When GRC programs are not adequately integrated into business decision processes that enable awareness of and the ability to influence these buying decisions, this problem worsens. A GRC program that is not directly connected with finance and legal departments will not have the necessary insight to foresee emerging risk areas, let alone be able to properly and positively influence the associated decisions.
Eric Krell: At a high level, what are some key steps involved in developing a cloud-intelligent GRC program?
Ben Tomhave: There are three key attributes of a cloud-intelligent GRC program. First, the program must be integrated into all key decision paths within the business. That includes having touch points within finance and legal. Second, the program must have teeth to enforce its role in the business. People who make decisions without including the GRC program in due diligence should be held accountable. Third, the GRC program must be elevated out of the IT dungeons and brought into better alignment with the business leaders of the organization.