Security's Everyman

Tuesday, May 20, 2008

GRC is NOT dead and it is also NOT a Tool.

There is a debate going on involving the validity of GRC and whether it's living, dead or was ever around. You can find some of the discussions here, here, here, here and here. I'm here to tell you that GRC isn't dead. It's alive and well and living in a business near you. At the same time, it also was never a viable option for a business to buy. If we look at GRC as a tool, then we are missing the point of GRC.

One of the biggest problems in Information Security is that we try to throw a tool at everything. Being technology geeks, we seem to think that the answer to everything is technology oriented. There is no technology that can do any of these things for you. Technology can assist you in maintaining a secure and compliant environment, but it can't do it for you.

Let's look at each of the three pieces of GRC individually and talk about how we can make them work within the business. This is not intended to be an exhaustive look at GRC or any one part of it. It's a common sense look at how each piece can work for you.

Governance basically means that IT is not driving the business but is working in conjunction with the business to meet its needs. How does process help out here? It starts with an understanding throughout the business that IT has to be involved in the process of finding a solution to a problem or need. That means that IT doesn't tell the business what the solution will be, but it also means that the business doesn't drop something in IT's lap and then say "Make it work and keep it running". The process involves an understanding between all parties that they have to work together to reach a solution that meets the needs of the business while fitting into the infrastructure and design of the IT program. That is the easy part. The hard part is convincing the business that this is the best way to work. I can't help you much with that. That's a fight you have to fight on your own. I've got my own battles to win. :)

Risk is looking at your environment, the threats to it and how likely you are to have some of those threats realized. This involves knowing what you have, where it's at, what's wrong with it (vulnerabilities), who has access to it, who may be able to gain access to it, whether they want it and what you can do to keep your risk at bay. Now there are all kinds of technologies that will help you with this, but the key to it is having the right policies in place and the ability to enforce them. Knowing your environment is vital to maintaining a successful risk program. I can't tell you the number of companies that I've worked at, seen or talked to that don't have a clue as to what they really have or where it's at. I'm not only referring to data but even technology and systems: servers that were deployed without being added to the server management matrix, new switches that were put in but never noted, changes to the flow of information that don't get documented. Get the point? You can't manage your risk if you don't know what the risks are. The technology required to manage this is expensive to buy and can be complex to maintain, so that puts it out of range for lots of companies. So having policy and process in place is necessary to try and keep control over this.

Compliance is meeting the requirements set forth by various rules, regulations and laws. People will try to sell you all sorts of tools and technologies to make you compliant. The problem there is that none of them will make you compliant. I won't spend much time on this because it's been blogged to death. The key to compliance is just good security. When you have a good security program in place, you will only have to make minor changes to ensure that you are compliant with most of the regulations that affect you. There are few regulations that get so involved that they will require you to make major changes to a good security program.

So GRC isn't dead; we just have to look at it from the right perspective. If we focus on it as a technology solution, then if it's not dead, we need to kill it. If we look at it from a policy, process and common sense perspective, then it is alive and well and will thrive for years to come.

