GRC over information security?

Dec 07, 2010
Data and Information Security

Victor Leung, an IT risk consultant at Moelis & Company, starts a fascinating discussion on whether governance, risk & compliance (GRC) is overtaking information security as a main focus.

I highly recommend you check it out here:

I won’t paste the whole thread in here, but I do want to give you an excerpt:

Laurie Mack, CD, CISSP, CISM, CISA: “Risk and compliance lead to information security controls, with compliance more the flavour of the day. Effective governance is the key to achieving balance and ensuring the risks are addressed supporting business objectives. That’s the real challenge.”

D. Brent Lahaise, IT security analyst: “I think this is a necessary evolution. Info sec risks and policies nicely plug into GRC processes/frameworks/tools, and GRC helps you to manage info sec risks and policies. Plugging info sec into the corporate GRC should also improve the visibility of IT/Info security at the senior management and board levels.”

“GRC is a corporate-scale approach. It is also a top-down hierarchical approach. From an IT security perspective, the levels would look like this:

1 – Corporate Governance (the Board and Exec Mgmt) => COSO, SOX;

2 – IT Governance (IT Steering Committee) => ISO 20000, ITIL, COBIT;

3 – IT Security Governance (CISO) => ISO 27001-2, risk-based IT Sec policies.

“This can lead to confusion, as some folks only understand one of these levels/definitions for ‘governance’ and talk at cross-purposes to each other. If you are going to throw governance, risk management and compliance into one bowl, even at one level of the hierarchy, let alone all 3, you’re going to need a good GRC tool to handle all of the information and help automate the processes.”

Pete Hillier, CISSP, ISSPCS, ISO27001 LA: “GRC is about alignment around common policies and procedures to maintain the sustainability of the organization.

“Risk is only one component of GRC and means different things to different parts of the organization. For example, I am working in the financial world. The context of risk takes a different meaning in different parts of the business. For example, the insurance company is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. IT Risk seemingly reacts to downside risk as well. Personal behaviour mirrors that. When someone buys a vehicle or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and seek better returns.

“Notably, despite these differences, nearly all risk management frameworks and professionals agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result.”

Good food for thought.

–Bill Brenner