Our GRC Practice Director, Alex Hollis, will be presenting at Gartner’s EMEA Security and Risk Management Summit on the 10th-11th of September 2018. His keynote session will center on why it’s essential for businesses to integrate business GRC and IT GRC.
Here, he provides a sneak preview:
Many governance, risk, and compliance (GRC) projects fail because they’re deployed to support a specific compliance need or to meet the requirements of a specific department.
Typically, organizations operate in terms of business GRC (EGRC) and IT GRC. EGRC is concerned with business processes, clients, and products. Its focus is on operational risk: considering the higher-level issues, calculating the effects of particular risks on the overall business, and attributing an ROI figure to those risks.
In contrast, IT GRC is device-led and focused solely on anything with an IP address, such as applications, data, software or hardware. It rarely considers the risk environment beyond those physical assets, and risks are attributed directly to the assets themselves (e.g. a database).
The reality is that organizations require a comprehensive view across the entire business, which includes any external third parties.
By taking an integrated risk management (IRM) approach and connecting EGRC and IT GRC, you can start to have more joined-up, in-depth conversations about your organization, because you have greater visibility of the relationship between the two. For example, if vulnerabilities in your IT infrastructure were to cause a web server to go down (IT GRC), that outage would affect your sales team, who would no longer be able to access their customer data (EGRC).
According to Gartner, “IRM solutions combine technology, processes, and data that fulfill the objective of enabling the simplification, automation, and integration of strategic, operational and IT risk management across an organization.”
Furthermore, the analyst specifically advises that “Security and risk management leaders involved in strategizing and planning should integrate cybersecurity and technology risks with broader operational risk, focusing on areas that are tied to strategic objectives to ensure that risk oversight is ‘forward-looking’.”
For years we have encouraged our customers to take an IRM approach that integrates EGRC and IT GRC, because of the value you can derive from it and the greater protection it affords an organization. Research from Gartner shows that organizations are starting to listen: over 40% of boards now have at least one director with cybersecurity expertise, and a further 7% are in the process of recruiting one.
With GDPR now in effect, from a regulatory standpoint you have no option but to integrate an IRM solution. GDPR requires that you identify your information assets and the physical territories in which they sit, and it forces you to identify and consider your supply chain in its entirety.
For IT GRC, which is traditionally focused on the technology aspects, virtualization has led the IT team to abstract away from the physical infrastructure. This leaves a knowledge gap when the simple question of where data physically sits is asked. In addition, GDPR requires you to consider the people element and the potential risks people pose to an organization. For example, if you outsource your help desk function, is that third party offshoring the call center element to a fourth party? Did you know that was happening? What are you going to do to mitigate the risk posed to your data?
In addition to regulatory compliance, business standards will also require you to integrate your EGRC and IT GRC. If your organization holds any ISO 27000 series certification, you will be required to have an information security management system (ISMS) to help you demonstrate and maintain your compliance. While it is an excellent baseline from an IT GRC point of view, this is largely a tick-box exercise that is heavily controls-focused.
With over 16 years’ experience in IT, mobile technology and software development, Alex has spent the last seven years specializing in governance, risk, and compliance (GRC). After just six months in the industry, Alex received a platinum-level excellence award for his work around risk bow-tie modeling, Solvency 2 and Basel 3. Now focusing primarily on operational risk, Alex has analyzed, designed and implemented GRC technology and IRM solutions into 60 companies, including some of the largest and most complex environments. His experience spans multiple sectors, including telecommunications, aviation, pharmaceuticals, manufacturing, retail, public sector, financial services and insurance. A keynote speaker at prestigious industry conferences, Alex is also currently writing a book on end-to-end GRC.
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity services that give our customers certainty – of risk management/compliance and cybersecurity. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.