Hot Topics
Security Bloggers Network 
SBN

Why GRC Needs IRM

by Alison Furneaux on February 14, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day occurrence in both business and in life. The tech ecosystem has observed and taken part in deploying large amounts of capital both in funding and purchasing cybersecurity and information security technologies with the goal of helping secure and manage all of this data. Both public and private organizations have heavily invested time and resources into implementing complex technologies and point solutions in order to reach security.  

While doing so, organizations have run into major problems- the most pertinent stemming from implementing too much too fast, with no overarching framework to measure their best practices. Either the small to medium business has implemented some best practices but hasn’t used any framework to align with, or the enterprise has chosen one of not many more frameworks or standards to align with (often adding others due to compliance requirements). Both of these execution approaches lack measurement, visibility in their cybersecurity posture, and organization. 

Governance, Risk, and Compliance (GRC) programs evolved during the early 2000s, when mandates such as the Sarbanes-Oxley Act (2002) were released and prominent. As the pace of regulatory change accelerated in parallel with the growing risk landscape, organizations began to struggle to manage a number of regulatory standards, standard frameworks, hybrid or custom frameworks, and vendor questionnaires. In short, too many redundant compliance requirements across an increasing number of unique applications.

Thus, governance, risk, and compliance (GRC) technologies were developed to aid organizations of all sizes to keep up with the pace of regulatory change, organize risk and compliance data, and help Chief Information Security Officers (CISOs) and their teams make more informed and efficient decisions. Organizations were searching for ways to reduce the redundancy of compliance requirements centralize their programs, ideally on one single platform.

Serving their purpose, but lagging behind market needs.

GRC solutions were built on a solid vision, but were not executed in a way that could evolve and change with the modern-day organization– much less the regulatory change, cybersecurity program complexity, and needs of both security and business leadership. CISOs and security leaders need to easily communicate their posture to executive management, have a single source of truth to reference all of their program data, and show program success based on metrics that both technical- and business-side leaders can understand and get behind. Operational teams within the cybersecurity program need to know where to remediate for the best return on investment (ROI), they need to manage compliance as a continuous, “always on” function and consistently be in sync on what the most effective plan of action is both now and in the future.

These objectives are difficult to achieve in a single product. Many of the first GRC technologies took a bottom-up as opposed to a top-down approach to building their technologies – focusing on operational functionalities and features that would allow risk and compliance teams to get as granular as possible with relationships between assets and risks, departments, policies and procedures. These GRC best practices, however, led to complex solutions that serve their purpose and are excellent for many functions, but rarely help organizations achieve the vision of an agile, always-on, continuous and risk-aware information security program.

According to Gartner, 69 percent of organizations are not confident that their current GRC activities will be enough to meet their future needs. In addition, enterprise organizations often take anywhere between 1,000 to more than 10,000 hours to complete a cybersecurity risk or compliance assessment. Gartner coined the term “Integrated risk management (IRM)” to speak to the future needs of information security organizations, releasing the first magic quadrant for integrated risk management in 2018 supplanting what everyone only knew as GRC at the time. We see the shift of legacy GRC to IRM in terms of messaging, but in the current state, the technology of these players remains fundamentally the same.

After combing through hundreds of reviews of leading GRC products, speaking directly with hundreds more legacy GRC users who came to CyberSaint seeking a true IRM technology, here are some lessons learned and how to see past the marketing that GRC platforms are doing to convince customers like you that they’re still worth investing in.

Free download: The Three Lies GRC Is Telling You

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day occurrence in both business and in life. The tech ecosystem has observed and taken part in deploying large amounts of capital both in funding and purchasing cybersecurity and information security technologies with the goal of helping secure and manage all of this data. Both public and private organizations have heavily invested time and resources into implementing complex technologies and point solutions in order to reach security.  

While doing so, organizations have run into major problems- the most pertinent stemming from implementing too much too fast, with no overarching framework to measure their best practices. Either the small to medium business has implemented some best practices but hasn’t used any framework to align with, or the enterprise has chosen one of not many more frameworks or standards to align with (often adding others due to compliance requirements). Both of these execution approaches lack measurement, visibility in their cybersecurity posture, and organization. 

Governance, Risk, and Compliance (GRC) programs evolved during the early 2000s, when mandates such as the Sarbanes-Oxley Act (2002) were released and prominent. As the pace of regulatory change accelerated in parallel with the growing risk landscape, organizations began to struggle to manage a number of regulatory standards, standard frameworks, hybrid or custom frameworks, and vendor questionnaires. In short, too many redundant compliance requirements across an increasing number of unique applications.

Thus, governance, risk, and compliance (GRC) technologies were developed to aid organizations of all sizes to keep up with the pace of regulatory change, organize risk and compliance data, and help Chief Information Security Officers (CISOs) and their teams make more informed and efficient decisions. Organizations were searching for ways to reduce the redundancy of compliance requirements centralize their programs, ideally on one single platform.

Serving their purpose, but lagging behind market needs.

GRC solutions were built on a solid vision, but were not executed in a way that could evolve and change with the modern-day organization– much less the regulatory change, cybersecurity program complexity, and needs of both security and business leadership. CISOs and security leaders need to easily communicate their posture to executive management, have a single source of truth to reference all of their program data, and show program success based on metrics that both technical- and business-side leaders can understand and get behind. Operational teams within the cybersecurity program need to know where to remediate for the best return on investment (ROI), they need to manage compliance as a continuous, “always on” function and consistently be in sync on what the most effective plan of action is both now and in the future.

These objectives are difficult to achieve in a single product. Many of the first GRC technologies took a bottom-up as opposed to a top-down approach to building their technologies – focusing on operational functionalities and features that would allow risk and compliance teams to get as granular as possible with relationships between assets and risks, departments, policies and procedures. These GRC best practices, however, led to complex solutions that serve their purpose and are excellent for many functions, but rarely help organizations achieve the vision of an agile, always-on, continuous and risk-aware information security program.

According to Gartner, 69 percent of organizations are not confident that their current GRC activities will be enough to meet their future needs. In addition, enterprise organizations often take anywhere between 1,000 to more than 10,000 hours to complete a cybersecurity risk or compliance assessment. Gartner coined the term “Integrated risk management (IRM)” to speak to the future needs of information security organizations, releasing the first magic quadrant for integrated risk management in 2018 supplanting what everyone only knew as GRC at the time. We see the shift of legacy GRC to IRM in terms of messaging, but in the current state, the technology of these players remains fundamentally the same.

After combing through hundreds of reviews of leading GRC products, speaking directly with hundreds more legacy GRC users who came to CyberSaint seeking a true IRM technology, here are some lessons learned and how to see past the marketing that GRC platforms are doing to convince customers like you that they’re still worth investing in.

Free download: The Three Lies GRC Is Telling You


Recent Articles By Author
More from Alison Furneaux

*** This is a Security Bloggers Network syndicated blog from CyberSaint Blog authored by Alison Furneaux. Read the original post at: https://www.cybersaint.io/blog/why-grc-needs-irm

Alison Furneaux

Secure Guardrails