Building a Sustainable Governance, Risk and Compliance (GRC) Model
No one questions the business mandate to comply with Sarbanes-Oxley (SOX) controls; organizations had no choice but to adhere to the new regulations. Yet more than two decades after the term “cybersecurity” was coined, many organizations still struggle with cybersecurity risk management: 88% of organizations do not believe their information security fully meets their needs.[1] Data breaches have become almost commonplace; in 2015, breaches in business, government and healthcare organizations reached near-record rates.[2]
So are criminals just getting smarter, or is it more likely organizations are not allocating the proper resources to address these risks? Like the implementation of SOX controls, cybersecurity is an iterative exercise. In order to stop struggling to build a sustainable cybersecurity compliance program, organizations must develop more comprehensive governance, risk, and compliance (GRC) models.
What is at risk?
For Customers – Organizations always include meeting customer expectations as a component of business strategy. It follows that the risk of losing that customer is also critical to the business. The impact of breaches on customers is rapidly evolving, and the risk extends well beyond customers’ credit card numbers. In fact, for most retailers there is little reason even to store that data: the customer has minimal liability in the event of a breach and relatively minimal inconvenience, since it is now easy to have credit cards replaced and issuers will reverse illegitimate charges. That process is fairly painless and entirely manageable. Private information such as Social Security Numbers, however, is another story; once that information is stolen, it is compromised forever. Companies must understand the relative value of different types of information and their impact on customers in order to develop more effective solutions.
For the Company – Not all breaches bear the same risk, but all have the potential to impact important company assets such as brand image, organizational reputation, and finances. The court of public opinion will look at two specific areas: the organization’s due diligence in managing the risk prior to an incident, and its ability to communicate, react, and support its customer base after an incident. These key indicators are only addressed with a comprehensive GRC business strategy. Moving your business forward with GRC as a cornerstone will support growth and innovation while keeping risk in check.
Developing stronger GRC models
At WGroup, we believe a business-driven mandate surrounding GRC is essential. It has to be part of an enterprise business model in which organizations expand, improve and innovate in order to actively address cybersecurity risk. Cybersecurity needs to be part of your organization’s DNA, and companies should take the opportunity to transform their GRC efforts as they implement new projects.
There are several components that a GRC strategy model should include:
– Commitment from top business leaders
– Organizational alignment
– People, Process, and Technology
– Operational Enablement
The GRC function is not just about protecting the confidentiality of information; it needs to be a more holistic methodology. In addition to safeguarding company assets with tools such as encryption, a robust security framework should be implemented.
The National Institute of Standards and Technology (NIST) framework addresses not only protection but other critical functions, including:
– Asset inventory, management, and governance
– Data awareness, training, protection of data, policies and procedures
– Anomaly detection and event management
– Response planning, communication, analysis, and mitigation
– Recovery plans, strategy, and lessons learned
IT security risks are real and growing. Companies need to understand new threats and how to take steps to manage them. By implementing more sustainable, comprehensive GRC models, organizations can significantly reduce the risk of a breach and lower their overall cybersecurity risk profiles.
To learn more about Wavestone US’ services, visit http://www.wavestone.us/capabilities/.
1. EY’s Global Information Security Survey 2015
2. Identity Theft Resource Center (ITRC) data breach reports