The only place I can say more risk = more gain would be in the entrepreneurship space…because in the enterprise cyber security kingdom, it is just the opposite! So let me explain…
Before I start, stating some facts: – Global IT spend according to Gartner is 3.7 Trillion in 2018, and
The need of the hour in the organization is to identify and mitigate the risks that would seriously inhibit the growth of the business. Any business is run within a governance framework and under various industry regulatory compliance requirements. Any issue in corporate governance or compliance leads to an increase in risk…Hence a platform is required whose purpose is to reduce the risk in the organization. A GRC automation platform or an Integrated Risk Management solution serves that purpose!
Just a food for thought…Even bad code can function…but it will be disastrous! Hence it’s imperative to have a well-thought-out coding governance structure for creating good coding practice…similarly, in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk…even though manual processes seem to be working efficiently!
Governance, Risk and Compliance (GRC) is about managing your enterprise data effectively, but with data come its security and privacy concerns too. So why not think of outsourcing or transferring the risk?…well, not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always remain within your organization. Hence you need to contain your risk…by continuously monitoring your enterprise data. So now the challenge is managing your in-house data! (yes, data, the buzzword…”whoever controls the data…controls the world!”)
To securely house the data we need to identify which is the most critical information or PII (personally identifiable information) to be protected, or what policy needs to be crafted to keep the various controls applied to the identified risks in compliance! The GDPR law, for example, has introduced comprehensive checks and deterrents to protect EU citizens’ data. One thing to remember is that these data protection laws are not ultimately about protecting data but about people! (remember Article 17, the ‘right to be forgotten’, in GDPR)
Also, with digital transformation and internet proliferation, cyber fraud and crime will only increase! Which means the threat to people and their privacy will keep increasing!
So where do we start?
The starting point is always the internal policies or external regulations that guard the organizational boundaries, or, in social life, human rights! These policies are the key to governance and to the success of the entire GRC program in an organization. Policies define the boundaries which act as the perimeter defence, and that perimeter needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.
Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and that any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization can be achieved through a platform called GRC!
But there are many challenges in GRC adoption…even after more than a decade of GRC presence, I still hear incoherent objections from clients.
3 major objections are as follows: –
The challenge is the adoption rate of the GRC platform…many think it’s an added cost and hence continue with manual processes…only to create more risk in their organization, which keeps piling up!
To add to this, with the various automation products and document management platforms available, the GRC purpose gets a bit lost in the chaos…
Hence I feel it’s time to create a larger awareness campaign for GRC… I call it ‘The GRC Movement’
If you look at all the world’s biggest historical events (be it the Martin Luther King, Jr. Civil Rights movement, Mahatma Gandhi’s Satyagraha or non-cooperation movement, or the invention of the printing press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve…this collective purpose is missing in the GRC space today.
Source: AFP/Getty Images / Pic Courtesy: Wikimedia Commons / https://www.pinterest.com/pin/803048177275425019/
Why are social movements important in the world? Because the collective actions of a social movement play an important role in bringing about social change, and the movement itself was needed because a common message was not being articulated or there was a lack of direction. Similarly, there is a need to create a GRC movement in enterprises. This movement will bring about a risk-culture change which will ensure every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.
I feel we can create a GRC movement in 3 simple ways:-
Organizations need a better approach to tackle cybersecurity and risk! I propose an approach that takes a 360-degree view to make a GRC Movement happen.
This 360-degree GRC movement can be achieved through three aspects, as follows:-
GRC for Enterprise (Contextual)
Are the applications or use cases of GRC platforms or products for enterprises going to be different for different organisations? If yes, then what kind of use cases? They might not be different, but they would be architected, developed or configured differently.
Example: Every traffic signal has 3 alert lights globally, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width, peak time etc. are all different for various economies), and similarly autonomous driving in China and Germany might be different…
When a new technology or workflow is developed…you need to renegotiate the policy…because there is no single right way of doing it but multiple wrong ways of doing it.
The true value of a GRC technology for end users or stakeholders is in its user experience. The ease with which users can create reports and dashboards or conduct a risk assessment is the key for the enterprise. This decides the adoption rate and consumption rate of the GRC solution among the enterprise users.
Innovation itself doesn’t hurt users…users are hurt because change happens and the user experience changes!
So what’s your ‘GRC for Enterprise’ vision?
GRC of Enterprise (Ownership)
The organization goes through complete chaos if the risk process is handled manually…hence if you digitise risk…then you are in more control of your data, which leads to more visibility!
As the GRC platform of the enterprise matures, it becomes the protected property or IP of the organization…it’s too risky for any organization to handle governance & compliance tasks manually…as even a single missed event or incident can bring the organization down financially. The enterprise needs to be alert 24×7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce effort and manual error for long-term gains.
Privacy and accountability for the data in the GRC tool is a critical aspect; hence compliance with regulations like GDPR is key to a successful GRC journey! Without mapping the controls to the policy or corporate objective, so that you can check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved! That mapping is what creates accountability in the org!
All executives and senior leadership should have more knowledge of the regulations in their industry, as all their actions are linked to the risk and compliance posture of their enterprise.
Simply training employees would not be enough; hence it’s crucial to consistently carry forward the process maturity and standardization achieved through the GRC platform. Revisiting the various workflows, KPIs and metrics and fine-tuning them to suit the ever-changing cyber world is the key!
The GRC platform for an already established and mature organization would be different from that for a newly formed organization.
For this, GRC management would need to have a VC vs. PE mindset, depending on the organizational maturity.
A venture capitalist takes a start-up and grows it exponentially…a PE firm takes an already established company and grows it multi-fold.
So what’s your ‘GRC of Enterprise’ vision?
GRC by Enterprise (Contribution)
How can enterprises contribute to the GRC field…how do we, as an entire ecosystem, develop GRC talent and skills in an enterprise…
Can a unique problem in the enterprise be solved by a unique workflow configured by that enterprise…which could then be a case study for the industry to learn from!
Has there been an increase in the use of the GRC platform for risk and compliance records after an enhancement in the user experience? The GRC group within the enterprise can contribute their learnings to the external world…
In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy! Just as climate change can be dealt with through policy changes globally. Also we need to remember that no policy is written in stone, as evolution needs to happen! So a common database of best practices in GRC is the need of the hour!
The success of the GRC movement would lie in its adoption by all parties simultaneously. It’s in everyone’s interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further, which would be the true spirit of collaboration!
So what’s your ‘GRC by Enterprise’ vision?
Hence, for a successful GRC program, an organization needs to have a GRC vision which comprises all 3 dimensions above.
This will create a GRC Democracy!
Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.
Author: Deric Karunesudas is currently working with RSA (Cyber Security division of Dell) handling the presales for GRC Archer for SEA and SAARC Market. He is a Cybersecurity Evangelist and a GRC Architect.
Starting his consulting career with Deloitte, he is a seasoned cyber security & privacy professional with end-to-end experience of delivery, sales and presales. He has managed various markets like the US, Europe and the Middle East in his previous avatar.
His proposal paper on “Internet of Things” was selected for the ISF Copenhagen World Congress, Nov 2014, and the Atlanta World Congress 2015.
He is a technology enthusiast and has
Twitter – @thisisderic