Last week I received an email from a marketing firm wanting to know if I'd like to talk to Symantec about IT GRC and an upcoming announcement that they were going to be making. Usually I ignore these emails because my blog is NOT an advertisement for vendors. It's my place to voice my thoughts, good or bad, on technology and security. I try to stay as focused as possible and not get off on tangents regarding politics, religion, personal life, food, or anything else. That includes free advertising for vendors. Plus, I usually am not that interested in talking to marketing people about their product. If I want information on a product I want to talk to the engineers that designed it and support it. Not the marketers and sales guys.
Anyway, since I do have an interest in GRC and like the concept of it, I decided to take the bait and have a conversation with them. So we scheduled a time and spent about an hour talking about what Symantec is doing in the GRC space. Of course they have a product that helps manage and maintain your program, and that was the gist behind the conversation. They let me in on the announcement that they were making on Wednesday of this week and we had a good conversation. Then they invited me to sit in on a conference call on Wednesday of this week where they were having a round table discussion about their offering and getting ready to make their big announcement as part of their Vision Conference. I wasn't sure if I'd get to because of the audit that we were having, but I did find time to join in on the call. In preparation for the call they sent me an advance copy of the announcement and a report on IT GRC.
I tried to be a good blogger and read the report before the call but just didn't get the time to do more than skim it quickly. It looked interesting and like it had some good information in it, but I just didn't get the time to really read it. Then the time for the call came and I dialed in, pen in hand (my new Cross fountain pen that I LOVE to write with) ready to take notes and hear some good stuff regarding GRC. Of course you know that didn't happen. I was tired from lack of sleep and 2 1/2 days of audit and my mind wandered. I kept trying to bring it back and just as I'd get focused someone would talk who wasn't close enough to the mic and I couldn't hear them very well and I'd fade again. After about 45 minutes I gave in and hung up.
Today I see that Neil Roiter over at Search Security has a write-up on the report and the Symantec round table. You can check it out if you have any interest in what the report or Symantec has to say regarding this. There are a couple of things that I want to point out myself. The report seems to validate many of my thoughts regarding IT GRC. Mainly that it isn't about technology but about process. The longer I work in IT, and especially dealing with security and compliance, the more I appreciate how effective good processes can be in your program.
Here are the things in the Search Security write-up that I really like. My comments are in blue.
- The panel identified bridging that gap between senior management's business goals and IT operations as one of the keys to a successful IT GRC program, especially in complex global business environments with disparate regulatory requirements and a wide range of costs in different parts of the world. No program is going to work if there is not an understanding between the business and IT as to what needs to be accomplished.
- "A framework is a framework is a framework," said KPMG's Lesser. "It's taking the key portions and figuring out what are most important to your organization; what are the outside threats, risks and vulnerabilities that you need to consider, and what is going to provide the most value to your organization; defining a framework based on these industry standards that really fits your specific needs." This is so true. There are several good methods that work equally well. It all depends on what works for you and your organization. As long as the business agrees across the board what they are going to use they can all be equally effective.
- Implementing automation tools, the panel agreed, was the last step in building IT GRC in an organization. See my post here for my thoughts on this.
- "The poor approach is to say we're going to do IT GRC, and there are some automated tools available," said ISACA's Hale, "and let's implement these without really understanding what GRC is, what their objectives are, who's going to use the information, and how does it support their decision making." Unfortunately this mindset isn't limited to GRC programs. Tools can't fix everything, and without good process and policy to back it up they can't really fix anything.
- "There's no finish line with IT GRC; it's cyclical because the risks, and the threats and the landscape outside is constantly going to be changing." There is no finish line with much in technology, especially security and compliance. If you ever get to the point where you think you are finished then you are likely to quit paying attention to it and you will end up in worse shape than before you started.