A Security Pro's Guide To Governance, Risk, and Compliance

[Excerpted from "A Security Pro's Guide to GRC," a new report posted this week on Dark Reading's Risk Management Tech Center.]

Organizations today are being asked to comply with a host of regulatory requirements—from federal laws such as the Health Insurance Portability and Accountability Act, to state laws covering areas such as breach disclosure, to industry requirements such as the Payment Card Industry Data Security Standards (PCI DSS), to specific contractual obligations.

At the same time, they are trying to do more with less by operating in as lean a fashion as possible. As you can imagine, this creates many challenges.

To address these competing pressures, organizations are increasingly realigning the way they’re organized to optimize efficiency. This happens both in the trenches (for example, technical staff being asked to wear more than one hat) and at the highest echelons of the organizational hierarchy.

One effective strategy organizations are adopting is the alignment of governance, risk and compliance under a unified framework—GRC. The disciplines of governance, risk and compliance are disparate and have historically been treated as such. But because their interests overlap (and very often share resources), it can be advantageous to look at them holistically.

This is true at the organizational level, with enterprise GRC, or EGRC, bringing together the three disciplines for corporate governance, but it’s also true when it comes to IT. The management of technology-related aspects of governance, risk and compliance (known as IT GRC) is an extension of this same paradigm.

With most companies still in the early stages of adopting—or even thinking about—the GRC model, there is still opportunity for security professionals to get in front of it. Security pros should be thinking about capitalizing on GRC integration efforts to gain traction for security-related efforts, carving out a seat at the table during planning efforts and championing GRC efforts in their companies.

And the advantages for security practitioners can be huge. For example, security professionals have struggled for years with questions of how to determine the right security controls to implement, how to gauge effectiveness of the controls they do choose to deploy and how resources should be optimally deployed to support those controls. IT GRC promises to help alleviate many of these concerns.

But for security pros who wish to be a part of this effort—and be instrumental in gaining these advantages for their companies— planning is required. A well-planned program requires a symbiotic relationship: Information security is a linchpin that both informs—and is informed by—GRC programs. A poorly planned program just creates extra layers of reporting and overhead for already-overworked security staff.

Many security practitioners are coming to understand that an IT GRC program can ultimately be a benefit to their own organizations. For example, technology controls for many programs are selected based on industry best practice, peer adoption and vendor pitches. None of these approaches, however, takes into account the unique needs of the organization.

Having an IT GRC program that accounts for risks that the organization actually has, includes compliance requirements in those discussions and ties directly to executive intent helps ensure that relevant controls are prioritized. IT GRC can also help ensure more effective metrics gathering, better coordination of security and compliance, and more proactive planning, among other things.

For more information on how GRC programs work -- and how you can harmonize your security initiatives with a broader GRC program -- download the free report on IT security and GRC.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.