Victor Leung, an IT risk consultant at Moelis & Company, starts a fascinating discussion on whether governance, risk & compliance (GRC) is overtaking information security as a main focus.I highly recommend you check it out here: http://linkd.in/dWwWJwI won’t paste the whole thread in here, but I do want to give you an excerpt:Laurie Mack, CD, CISSP, CISM, CISA: “Risk and compliance lead to information security controls, with compliance more the flavour of the day. Effective governance is the key to achieving balance and ensuring the risks are addressed supporting business objectives. That’s the real challenge.” D. Brent Lahaise, IT security analyst: “I think this is a necessary evolution. Info sec risks and policies nicely plug into GRC processes/frameworks/tools, and GRC helps you to manage info sec risks and policies. Plugging info sec into the corporate GRC should also improve the visibility of IT/Info security at the senior management and board levels.”“GRC is a corporate-scale approach. It is also a top-down hierarchical approach. From an IT security perspective, the levels would look like this: 1 – Corporate Governance (the Board and Exec Mgmt) — COSO, SOX; 2 – IT Governance (IT Steering Committee) => ISO 20000, ITIL, COBIT 3 – IT Security Governance (CISO) => ISO 27001-2, Risk-based IT Sec policies. “This can lead to confusion, as some folks only understand one of these levels/definitions for ‘governance’ and talk at cross-purposes to each other. If you are going to throw governance, risk management and compliance into one bowl, even at one level of the hierarchy, let alone all 3, you’re going to need a good GRC tool to handle all of the information and help automate the processes.” Pete Hillier, CISSP, ISSPCS, ISO27001 LA: “GRC is about alignment around common policies and procedures to maintain the sustainability of the organization. “Risk, is only one component of GRC and means different things to different parts of the organization. For example, I am working in the financial world. The context of risk takes a different meaning in different parts of the business. For example, the insurance company is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. IT Risk seemingly reacts to downside risk as well. Personal behavour mirrors that. When someone buys a vehicle or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and seek better returns. “Notably, despite thse differences, nearly all risk management frameworks and professionals agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result.”Good food for thought.–Bill Brenner Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe