This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."
Download it now to read this article plus other related content.
GRC: Over-Hyped or Legit?
While governance, risk and compliance tools over-promise, organizations need to streamline and break away from their siloed approaches.
One of the most hyped terms today is GRC or governance, risk and compliance. It is being used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or promises to corporations.
First and foremost, GRC, or GRC "tools," is not a new market or technology category a la IPS or SIM or IAM. Unfortunately today there are technology solutions that claim to be turnkey GRC solutions with others taking existing technology and positioning them as a GRC fix. Not surprisingly the products' capabilities don't truly deliver on helping an organization create and track its GRC strategy.
Rather, GRC is a process that includes three distinct (IT governance, risk management and compliance) but related activities intended to solve different problems for different stakeholders within an organization. Today vendors will sell the tool that may automate manual tests or provide good reporting, but will fail to link IT risk to business risk. And they don't really address governance.
Governance is the big-picture strategy and needs to be led from
| the very top of the organization. It focuses on creating business value and organizational transparency. It is a set of processes through which leaders ensure that the business implements their policies and directives. Risk management focuses on balancing the risk associated with losses and gains, and compliance focuses on meeting regulatory requirements. If implemented correctly, good governance will align the goals of risk management and compliance into the overall goals of the organization, but the responsibilities or goal of each is distinct.
As illustrated in our story on "Push-Button Compliance," some innovative companies such as McKesson Corp. are creating all-encompassing strategies that move them away from silos typically found in organizations today and toward an overarching GRC strategy.
But this is a journey not a destination and it's more process than technology. McKesson estimates it will be at a standardized state three years from now, already working on it for more than a year.
While I am disparaging the marketing hype around the GRC acronym, it is a process that needs to be considered and embraced in organizations today. And a combination of tools, along with processes and frameworks, will help you move in the right direction. Since governance, risk and compliance are interdependent, it will be more costly to address each in isolation, and with the difficult market conditions we are experiencing today, organizations will be forced to streamline and do more with less.
By understanding what GRC is and is not and reading about those who have gone before you, you'll be farther along in the process than you think.
This was first published in September 2008