Can Enterprises execute a GRC Movement?


The only place I can say "more risk = more gain" is the entrepreneurship space, because in the enterprise cyber security kingdom it is just the opposite! So let me explain…

Before I start, some facts: global IT spend according to Gartner is 3.7 Trillion in 2018, and the cyber security market is 150 Billion, which makes cyber security 4% of the total IT industry, growing at 10% CAGR. Of all the solutions under cyber security (Identity & Access, Application security, Network security, Managed security services or security operations, cloud security), GRC is one of the fastest growing solutions in the world.

Ref: https://www.gartner.com/en/information-technology/insights/cybersecurity
Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

[Chart: Global cyber security market. Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/]

The need of the hour in the organization is to identify and mitigate the risks that would seriously inhibit the growth of the business. Any business is run under a governance framework and various industry regulatory compliance requirements. Any issue in corporate governance or compliance leads to an increase in risk. Hence a platform is required whose purpose is to reduce the risk in the organization, and a GRC automation platform or an Integrated Risk Management solution serves that purpose!

Just food for thought: even bad code can function, but it will be disastrous! Hence it’s imperative to have a well thought out coding governance structure to create good coding practice. Similarly, in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk, even though manual processes may seem to be working efficiently!

Governance, Risk and Compliance (GRC) is about managing your enterprise data effectively, but with data come its security and privacy concerns too. So why not think of outsourcing or transferring the risk? Well, not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always remain within your organization. Hence you need to contain your risk by continuously monitoring your enterprise data. So now the challenge is managing your in-house data! (Yes, data, the buzzword: ”whoever controls the data controls the world!”)

To securely house the data we need to identify which information is the most critical, or which PII (personally identifiable information) is to be protected, and what policy needs to be crafted to ensure compliance with the various controls applied to the identified risks! The GDPR law, for example, has introduced comprehensive checks and deterrents to protect EU citizen data. One thing to remember is that these data protection laws are ultimately not about protecting data but about protecting people! (Remember Article 17, the ‘right to be forgotten’, in GDPR.)

Also, with digital transformation and internet proliferation, cyber fraud and crime will only increase! Which means the threat to people and their privacy will always increase!

So where do we start?

The starting point is always the internal policies or external regulations that guard the organizational boundaries, or, in social life, human rights! These policies are the key to governance and to the success of the entire GRC program in an organization. Policies define the boundaries that act as the perimeter defence, which needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.

Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and that any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization can be achieved through a platform called GRC!

But there are many challenges in GRC adoption. Even after more than a decade of GRC presence, I still hear incoherent objections from clients.

The 3 major objections are as follows:

  1. Why shift to automation when the current manual process is efficient enough?
  2. We only want Audit Management Automation, so why invest in an Integrated Risk Management or GRC solution?
  3. The internal team’s consumption of GRC features in day to day activities is very low, which means adoption by the internal risk or compliance team itself is low. So how do we change this behaviour? (I faced this with one of the world’s biggest stock exchanges.)

The challenge is the adoption rate of the GRC platform. Many think it’s an added cost and hence continue with the manual process, only to create more risk in their organization, which keeps piling up!

To add to this, with the various automation products and document management platforms available, the GRC purpose gets a bit lost among the chaos…

Hence I feel it’s time to create a larger awareness campaign for GRC. I call it ‘The GRC Movement’.

If you look at the world’s biggest historical events (be it the Martin Luther King, Jr. Civil Rights movement, Mahatma Gandhi’s Satyagraha or non-cooperation movement, or the invention of the printing press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve; this collective purpose is missing in the GRC space today.


Why are social movements important in the world? Because the collective actions of a social movement play an important role in bringing social change, and the movement was needed because a common message had not been articulated or there was a lack of direction. Similarly, there is a need to create a GRC movement in enterprises. This movement will bring about a risk culture change, which will ensure every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.

I feel we can create a GRC movement in 3 simple ways.

Organizations need a better approach to tackle cybersecurity and risk! I propose an approach that takes a 360 degree view to make a GRC Movement happen.

This 360 degree GRC movement can be achieved using the three aspects below.

GRC for Enterprise (Contextual)

Are the applications or use cases of GRC platforms or products going to be different for different organisations? If yes, then what kind of use cases? The use cases might not be different, but they would be architected, developed or configured differently.

Example: every traffic signal globally has 3 alert lights, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width and peak time are all different for the various economies). Similarly, autonomous driving in China and Germany might be different…

When a new technology or workflow is developed, you need to renegotiate the policy, because there is no single right way of doing it but multiple wrong ways of doing it.

Example: what if a new camera arrives that can see through walls? You would want to renegotiate your corporate privacy policy! It’s a continuous improvement cycle.

The true value of a GRC technology for its end users or stakeholders is in its user experience. The ease with which users can create reports and dashboards or conduct a risk assessment is the key for the enterprise. This decides the adoption rate and consumption rate of the GRC solution among enterprise users.

Innovation itself doesn’t hurt users; users are hurt because change happens and the user experience changes!

So what’s your ‘GRC for Enterprise’ vision?

GRC of Enterprise (Ownership)

The organization goes through complete chaos if the risk process is handled manually. Hence, if you digitise risk, you have more control over your data, which leads to more visibility!

As the GRC platform of the enterprise matures, it becomes protected property or IP of the organization. It is too risky for any organization to handle the governance and compliance aspects or tasks manually, as even a single missed event or incident can bring the organization down financially. The enterprise needs to be alert 24×7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce effort and manual error for long-term gains.

Privacy and accountability for the data in the GRC tool is a critical aspect, hence compliance with regulations like GDPR is the key to a successful GRC journey! Without mapping the controls to the policy or corporate objective, to check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved! Doing this mapping leads to accountability in the organization!

All executives and senior leadership should have more knowledge of the regulations in their industry, as all their actions are linked to the risk and compliance of their enterprise.

Simply training employees would not be enough; hence it’s crucial to consistently carry forward the process maturity and standardization achieved through the GRC platform. Revisiting the various workflows, KPIs and metrics, and fine tuning them to suit the ever-changing cyber world, is the key!

The GRC platform for an already established and matured organization would be different from that for a newly formed organization.

For this, GRC management needs to adopt a VC versus PE mindset depending on the organizational maturity.

A venture capitalist takes a start-up and grows it exponentially; a private equity firm takes an already established company and grows it multi-fold.

So what’s your ‘GRC of Enterprise’ vision?

GRC by Enterprise (Contribution)

How can enterprises contribute to the GRC field? How do we, as an entire ecosystem, develop GRC talent and skills in an enterprise?

Can a unique problem in the enterprise be solved by a unique workflow configured by that enterprise, which could then become a case study for the industry to learn from?

Has there been an increase in the use of the GRC platform for risk and compliance records after the enhancement of the user experience? The GRC group within the enterprise can contribute its learnings to the external world…

In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy, just as climate change can be dealt with through global policy changes. We also need to remember that no policy is written in stone, as evolution needs to happen! So a common database of best practices in GRC is the need of the hour!

The success of the GRC movement would lie in its adoption by all parties simultaneously. It’s in everyone’s interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further; that would be the true spirit of collaboration!

So what’s your ‘GRC by Enterprise’ vision?

Hence, for a successful GRC program an organization needs to have a GRC vision that comprises all 3 dimensions above.

This will create a GRC Democracy!

Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.

Author: Deric Karunesudas is currently working with RSA (Cyber Security division of Dell) handling the presales for GRC Archer for the SEA and SAARC market. He is a Cybersecurity Evangelist and a GRC Architect.

Starting his consulting career with Deloitte, he is a seasoned Cyber security & Privacy professional with end to end experience of delivery, sales and presales. He has managed various markets like the US, Europe and the Middle East in his previous roles.

His proposal paper on “Internet of Things” was selected for the ISF Copenhagen World Congress in Nov 2014 and the Atlanta World Congress in 2015.

He is a technology enthusiast and has keen interest in Entrepreneurship. Deric believes in the power of Cloud, Blockchain & data-driven disruption!

Twitter – @thisisderic


Pierluigi Paganini

(SecurityAffairs – GRC, cybersecurity)
