Despite a rough year full of cyberthreats and data breaches galore, many organizations still buy into a lot of the enterprise governance, risk and compliance (GRC) and security misconceptions floating around in the ether. For starters, there's the myth that as long as we have antimalware and firewalls stationed at our perimeter, our data is secure. Or how about another well-circulated myth: A vendor's promise of a fantastic GRC solution that will solve all your security problems in one swoop?
And while many companies haven't been successfully breached yet, SearchCompliance's #GRCChat Twitter participants concurred that misplaced belief in false promises and jargon is dangerous amid the growing number of increasingly sophisticated security risks. These threats include shadow IT, advanced persistent threats, outdated security tools and the human errors that played a role in so many well-publicized breaches, including Target and Home Depot.
The deluge of data breaches that plagued businesses in 2014 was fresh in SearchCompliance Senior Managing Editor Rachel Lebeaux's mind as she suggested the enterprise GRC term she wishes to retire this year:
One of the reasons the traditional notion of a "secure perimeter" is eroding is because of bring your own device, a result of internal and external customers' need to access data securely anytime, anywhere and on any device. That's why Nathan McBride, vice president of IT at AMAG Pharmaceuticals Inc., had to shift that perimeter in his organization. "We removed the security around the corporate perimeter, and we erected perimeters around every employee. And more importantly, we erected perimeters around the data itself," he said.
Another reason? Organizations are starting to realize that they depend too heavily on tools such as perimeter firewalls and antivirus, and that it's time for new technologies and extra layers of protection. "Even though these technologies don't provide adequate advanced persistent threat protection, enterprises have been slow to adapt to the changing information security risk environment," wrote SearchSecurity expert Nick Lewis.
Lebeaux also criticized an overused term that conveys the idea that a one-size-fits-all security tool exists:
Follower Mark Underwood agreed, pointing to Home Depot's recent data breach as an example of a business placing too much faith in a security technology, in this case FireEye's malware detection software. Despite having a capable tool, Home Depot failed to respond to its alerts, which rendered the company's investment in the technology moot.
One big mistake companies make is buying GRC tools that are incompatible with their infrastructure's and corporate culture's unique requirements, said Norman Marks, an author and former chief audit executive. "If you need to improve audit management, address that. If you have a variety of needs, list and prioritize them, then get the best overall solution," he said.
Follower Forvalaka, on the other hand, didn't have any GRC terms he wanted to retire, and for good reason:
A5: None. #grcchat— Forvalaka41 (@Forvalaka41) December 18, 2014
For a holistic, seamless GRC framework, organizations should focus on building an architecture that proves they're in compliance, according to consultant John Weathington. How should such a system work? "The strategic objectives of the company will spawn a governance process to make sure the objectives are met. These objectives are subject to risks, or uncertain events, that can derail the objectives. To mitigate risk, rules are built and, subsequently, controls are put in place to make sure the rules are being followed," he outlined.
On the other side of the coin, Forvalaka believes that companies should latch on to terms that stress how critical GRC is to business processes and the bottom line:
Indeed, the legal, ethical and financial curveballs today's companies must deal with have made information security a key ingredient up and down the corporate ladder. "We need to take security and embed it into development, embed security into our project management, into our business processes, our vendor relationships," explained Kevin Johnson, CEO of Secure Ideas LLC. It's no surprise that the need for GRC and security professionals who are fluent in a language that conveys this reality has gone up in the past year.
Big data management is playing a greater role in GRC processes, and the advantages of compliance programs are expanding beyond just auditing or litigation, according to Derek Gascon, executive director of the Compliance, Governance and Oversight Council. "Going forward, we're starting to see organizations realize governance programs as actually a start to taking advantage of the data that they have," he said. That's one of the reasons why, as Underwood points out below, storytelling must come into play when conveying GRC's value:
The way to successfully present the advantages of stronger GRC processes to executives is similar to how business intelligence analysts do it: Start with qualitative data, then follow up with quantitative figures, explained Tony Bodoh at the 2014 TDWI Executive Summit in Boston. "Emotion fires a half-second before logic can kick in -- logic follows emotion," he said.
And finally, for something lighthearted and non-GRC-related, a term that actually has tongue-in-cheek origins:
A5 Not that this is GRC specific, but I've never been a huge fan of the term phablet. #GRCchat— Nicole Laskowski (@TT_Nicole) December 18, 2014
Your turn: What enterprise IT, GRC and security terms are you phervently avoiding this year? (Yes, we went there, too.) Please tell us in the comments section below.
Check out our recap on #GRCChat followers' top security and GRC predictions for 2015.