Glance at the information technology (IT) security section of CIO Magazine's site, and the breadth and depth of security issues quickly seem staggering. On any given day, this page features alarming new reports on hackers, printers with security holes, cyber security lapses at top global companies, intrusion prevention systems, cloud security issues, BYOD and much more.
BYOD, which stands for "bring your own device," is interesting in that it represents a potentially large internal information security risk. As part of the so-called "consumerization" of corporate IT functions, more employees throughout the enterprise are clamoring to replace company-issued devices (e.g., old cell phones, laptops, desktops) with their own smart devices (usually smart phones or tablets).
A July survey of 8,360 global employees (and interviews with 29 business executives and consultants) conducted by Dell and Intel indicates that business leaders view "the consumerization of IT – including greater employee input in IT provision, bring-your-own-device initiatives and workplace flexibility – as a way to generate additional employee productivity and loyalty." At the same time, these leaders say their companies are wrestling with the security risks that BYOD and other elements of IT consumerization pose.
BYOD figured among the topics LockPath CEO Chris Caldwell identified when I asked him several questions about the IT elements of governance, risk management and compliance (GRC) programs during a recent e-mail chat.
Historically, how have organizations typically evolved when it comes to their IT-GRC programs?
Chris Caldwell: As it once was with information security, there initially wasn't a recognized need for a formal GRC program and GRC tasks were buried deep within the list of IT department to-do's. However, as regulations and other compliance requirements have increased (there have been at least 15 major regulatory changes in the last decade), GRC specialists have emerged with a focus on better managing IT, information risk and compliance programs. From there, these programs have slowly begun to evolve and mature until they reach a point when they are highly functional.
Today, many organizations are seeing their dedicated 'infosec' teams split up, with their operational security personnel relegated back to IT. The risk and compliance management components are then organized into dedicated GRC teams where they can be aligned with their cousins in legal and finance.
What trends are driving organizations to prioritize the IT elements of GRC programs?
Caldwell: Despite best efforts, defensive security technologies are well behind the times. It could be argued that little true innovation has occurred in the space in the last five years. Most advancements have been either incremental improvements in existing tools, or reactive measures that apply traditional approaches to new problems.
Compounding this issue, businesses are struggling to keep pace with technology advances. For example, many companies have quickly adopted BYOD policies that allow personnel to use personally owned devices within the corporate network. Unfortunately, these programs are often adopted with a focus on the financial upside, but without conducting complete risk analyses that examine associated legal and information risk factors.
In light of this, it is clear that waiting for GRC programs to emerge from infosec and eventually become aligned with financial and legal GRC programs is not a luxury businesses can afford. Businesses need to accelerate the evolution of GRC program development to survive the current digital industrial revolution.
What are the five steps to optimized GRC?
Caldwell: Step 1: De-operationalize
Companies must remove operational elements and return them to their roots. In most cases, IT risk and compliance teams are still part of infosec teams. The latter should be split up, transferring operational players to IT teams and formally establishing the IT GRC team. Risk management, compliance management, policy management and audit management personnel can all be included in the GRC team.
Step 2: Elevate
Once the IT GRC program has been created, the next critical step is to elevate it within the organization, thus officially recognizing the importance of operational risk management as part of the overall risk management suite. If GRC is left in IT or infosec, it will be unable to contribute in a meaningful way to conversations. GRC programs need to report directly into the C-suite.
Step 3: Integrate
The IT GRC program should be integrated with other GRC programs, such as those traditionally operated by finance and legal. It may not be necessary to fully integrate these programs into a single hybrid team, but it is essential that everyone works together. Consistency and compatibility are essential when it comes to risk management processes, and risk analyses should produce results that allow simple comparisons on the same reports and dashboards.
Step 4: Optimize
To optimize the GRC program, improvements should occur in three areas: process, reporting and tools. Aligning processes is vital to ensure that a complete risk analysis can be completed in a timely fashion for key decisions. Additionally, reporting must be optimized by modernizing tools instead of relying on spreadsheets and the like. Advanced tools can help GRC vastly improve reporting capabilities by aggregating a wide range of related data sources and easing the burden associated with current manual practices.
Step 5: Educate
Once the GRC program is functional, it is important to ensure that the entire company is aware of the processes they must follow, analyses that must be conducted and finally the consequences that come with failing to make reasonable, well-informed decisions. Companies need to clearly state expectations and employees must be held accountable when they fail to meet them.