March 07, 2011 — CSO — Special Report on GRC
DO agree on an IT-GRC implementation strategy. Moving disjointed, manual processes into an automated, centralized tool is an enormous undertaking. While a giant boa constrictor can unhinge its jaw and swallow a large mammal whole, that strategy is not advisable for your enterprise.
Choose a high-priority area for your initial implementation, preferably one that will produce a quick ROI. This gives you a record of success to build on and gives you and the users working knowledge of how to use the software, assess its value and share that knowledge with others. Take a top-down approach that will serve as a model as you expand, rather than a controls-centric tactic that won't scale well.
This first deployment should be initiated in the context of a larger plan for rolling out IT GRC across the enterprise. After all, the goal is a centralized, automated, standards-based, enterprise-wide deployment.
"Initiate a GRC road map, looking at all different GRC processes," says RSA Archer's Aldrich. "Where do I need more help in terms of automating processes? Where can I increase speed by getting more information and make sure it becomes valuable to the business?"
DON'T neglect the stakeholders. IT GRC is a massive undertaking. It cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. They know where the pain points are and how the processes work, they understand the business risks and potential benefits, and they are familiar with the policies, controls and compliance obligations.
Stakeholders include (but aren't limited to): IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance.
"You also want feedback from the lines of business," says Rasmussen. "They have to interact with the system. Look for champions out there."
DO make your case with ROI. You can make a strong argument for IT GRC based solely on ROI. Companies can save many thousands of dollars on external audits alone—Rasmussen says one company reduced its expense on external IT auditors by 18 percent. Symantec's Achard says one client made the case for its IT GRC tool based on the cost of a three-day service outage that was caused by a database misconfiguration.
You can calculate the man-hours spent collecting information from questionnaires, populating spreadsheets, gathering audit data and keeping it current, and responding to auditor requests. As you evaluate the tools on the market, you can estimate the savings. These savings will increase as you apply the GRC tools to more requirements and as the tools become more deeply entrenched in the enterprise.