SBN

GRC’s Complexity Bias – Do Complex Programs Need Complex Solutions?

This month, in part three of our Lies GRC Is Telling You Series, we’ll be diving in to the second lie: your cyber program is complex, therefore you must need a complex solution. I struggled with this one given the fact that it was difficult to phrase correctly given that many of the people I spoke with work with mature cyber programs. Many of them, though, suffer from a complexity bias – the more complex the solution the more value it must bring. However, as we’ll see, that is not necessarily true and, in fact, can be a hindrance to scaling and developing the program further.

Your Cyber Program Is Complex, Therefore You Must Need A Complex Solution

According to a recent survey of more than 800 audit committee and board members conducted by KPMG, the top challenge the company faces is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require “substantial work.”

As CISOs and information security teams know and have experienced, cybersecurity risk management and compliance gets quite complex. Unfortunately, what many organizations opt for is a complex tool that ends up costing them much more in the areas of time and effort that expected, just to become usable– and also average in the hundreds of thousands in dollars to license, not including implementation costs. Even then, the risk management technology architecture itself cannot meet the needs of the senior management, or the BoD. The organization of data in these platforms becomes so complex over time that the solution itself tends to be heavily fragmented and most organizations out of the hundreds we’ve spoken to who use them end up using spreadsheets, slide decks, and word documents in addition to (or sometimes instead of) those solutions for risk and compliance assessments, risk and compliance management and reporting.

The pace of regulatory change is putting pressure on organizations to respond quickly to new requirements, but these systems have not been able to take a complex program, or a complex problem, and make it simpler. Especially for larger institutions, the combination of responding to the complex regulatory landscape, managing a myriad of regulatory requirements, control sets, reporting mandates, is a necessary function.

40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions (Deloitte).

We appreciate these legacy GRC solutions because they certainly serve their purpose, and have pioneered governance, risk and compliance for some time, but instead of pushing simplicity and ease of use, they add a volume of customization such that the end result is even today, in many cases, far too complex to be effective. The visualization, communication, and reporting aspects of GRC, now integrated risk management (IRM), are among the most pressing in today’s business landscape, yet the data within legacy systems proves too fragmented to achieve these objectives.

In our eyes at CyberSaint, IRM platforms should be able to fulfill the most fundamental GRC functions it needs to without adding to a CISO’s program complexity. IRM platforms should be built on metrics, should automate executive, Board-level, and auditor reporting, and should automate risk mitigation action planning so that everyone buys into the best path forward, and visualizes the data within risk and compliance programs so that infosec management can make more informed decisions, faster, and with more conviction from business peers.

This post is part three of CyberSaint’s series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals. Read the first and second posts.

Read the full report on the Three Lies That GRC Is Telling You here.

 

 

 

This month, in part three of our Lies GRC Is Telling You Series, we’ll be diving in to the second lie: your cyber program is complex, therefore you must need a complex solution. I struggled with this one given the fact that it was difficult to phrase correctly given that many of the people I spoke with work with mature cyber programs. Many of them, though, suffer from a complexity bias – the more complex the solution the more value it must bring. However, as we’ll see, that is not necessarily true and, in fact, can be a hindrance to scaling and developing the program further.

Your Cyber Program Is Complex, Therefore You Must Need A Complex Solution

According to a recent survey of more than 800 audit committee and board members conducted by KPMG, the top challenge the company faces is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require “substantial work.”

As CISOs and information security teams know and have experienced, cybersecurity risk management and compliance gets quite complex. Unfortunately, what many organizations opt for is a complex tool that ends up costing them much more in the areas of time and effort that expected, just to become usable– and also average in the hundreds of thousands in dollars to license, not including implementation costs. Even then, the risk management technology architecture itself cannot meet the needs of the senior management, or the BoD. The organization of data in these platforms becomes so complex over time that the solution itself tends to be heavily fragmented and most organizations out of the hundreds we’ve spoken to who use them end up using spreadsheets, slide decks, and word documents in addition to (or sometimes instead of) those solutions for risk and compliance assessments, risk and compliance management and reporting.

The pace of regulatory change is putting pressure on organizations to respond quickly to new requirements, but these systems have not been able to take a complex program, or a complex problem, and make it simpler. Especially for larger institutions, the combination of responding to the complex regulatory landscape, managing a myriad of regulatory requirements, control sets, reporting mandates, is a necessary function.

40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions (Deloitte).

We appreciate these legacy GRC solutions because they certainly serve their purpose, and have pioneered governance, risk and compliance for some time, but instead of pushing simplicity and ease of use, they add a volume of customization such that the end result is even today, in many cases, far too complex to be effective. The visualization, communication, and reporting aspects of GRC, now integrated risk management (IRM), are among the most pressing in today’s business landscape, yet the data within legacy systems proves too fragmented to achieve these objectives.

In our eyes at CyberSaint, IRM platforms should be able to fulfill the most fundamental GRC functions it needs to without adding to a CISO’s program complexity. IRM platforms should be built on metrics, should automate executive, Board-level, and auditor reporting, and should automate risk mitigation action planning so that everyone buys into the best path forward, and visualizes the data within risk and compliance programs so that infosec management can make more informed decisions, faster, and with more conviction from business peers.

This post is part three of CyberSaint’s series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals. Read the first and second posts.

Read the full report on the Three Lies That GRC Is Telling You here.

 

 

 


*** This is a Security Bloggers Network syndicated blog from CyberSaint Blog authored by Alison Furneaux. Read the original post at: https://www.cybersaint.io/blog/the-complexity-bias-of-legacy-grc