What were your top IT GRC regrets from 2014?

Information security is moving up the priority list at many organizations. In this #GRCChat recap, participants look back at 2014 to discuss their top IT GRC regrets.

Francesca Sales, Site Editor

Published: 06 Jan 2015

In our year-end #GRCChat, SearchCompliance asked its Twitter followers to reflect on the past year and tell us where their organizations faltered when it came to IT governance, risk and compliance (GRC). Considering the sheer number of prominent data breaches that made news headlines in 2014, it didn't come as a surprise that many tweet chat participants' answers circled back to security, especially as IT GRC and security professionals are pushed further into the limelight.

What were your biggest GRC-related regrets from 2014?

Senior Managing Editor Rachel Lebeaux observed that, given the plethora of breaches that occurred in 2014, it looks like many organizations lacked adequate security governance. As SearchCompliance Site Editor Ben Cole pointed out, had these targeted companies looked more closely at their IT GRC processes, the attack surface available to hackers could have been limited:

@ITCompliance A1 I'll start. Given all the high-profile data breaches this year, seems orgs didn't govern security programs enough. #GRCChat
— RachelTT (@RachelatTT) December 18, 2014

A1 Many companies would prob say not embedding GRC into everyday biz process- Recent hacks prove many access pts. avail to hackers #GRCChat
— Ben Cole (@BenjaminCole11) December 18, 2014

The goal, according to Jason Smolanoff, vice president at Stroz Friedberg LLC, should be the ability to tell regulators, in the event of a breach, "that they put in reasonable security measures to prevent against a variety of attacks."

Data breaches not only mean the loss of intellectual property, but also increased litigation costs and blows to companies' reputations. As such, it's critical to push security governance higher up the corporate priority list; however, as Cole mentioned, that's a reality some in the C-suite aren't prepared to face:

. @Forvalaka41 Yes I've def heard that from others- GRC needs to be involved more but higher-ups dont often want to hear it #GRCchat
— Ben Cole (@BenjaminCole11) December 18, 2014

@BenjaminCole11 #grcchat It's much easier to pass an audit when your auditors approved the design and laid out controls from day one.
— Forvalaka41 (@Forvalaka41) December 18, 2014

Forvalaka41's comments echo Smolanoff's: By positioning information security professionals to work more closely with your company's audit function, they become an "independent security voice" for the organization, which can help with data protection.

Forvalaka41 also revealed some of his organization's IT GRC-related regrets in 2014 and the challenges that accompanied them:

A1: Lacking governance when mapping and moving 3 corp. data centers w/ rush to decomm. many apps. (M&A) @ITCompliance #grcchat
— Forvalaka41 (@Forvalaka41) December 18, 2014

@RachelatTT @ITCompliance #grcchat Tight timelines (to be generous) followed by massive staff reductions.
— Forvalaka41 (@Forvalaka41) December 18, 2014

Another big GRC regret noted by tweet chatters is the tendency of many organizations to treat compliance as just another checkbox, neglecting to fully integrate it with risk management and security functions:

A1 Also don't rely on comp to be secure. Compliance regs don't assure security, although security strategy can help compliance #GRCchat
— Ben Cole (@BenjaminCole11) December 18, 2014

A1 I'm sure many orgs found out the hard way that simple compliance isn't enough to ensure data security #grcchat
— Fran Sales (@Fran_S_TT) December 18, 2014

According to Daniel Allen, a research fellow at the Center for Climate and Security, an organization can tailor compliance controls to meet its specific security needs by conducting risk assessments that look at various factors, including its users, its unique threats and its data vulnerabilities.

As Brian O'Hara, CISO for IT security consulting firm The Mako Group, succinctly put it: "Compliance will never make you secure, but security will always lead you to compliance."

How about you? What were your biggest IT GRC regrets from 2014? Please sound off in the comments section below.

Next Steps

Head over to SearchCIO to see #CIOChat participants' biggest IT regrets of 2014. Then take a look at SearchCIO readers' IT regrets from last year to see what changed.

Dig Deeper on Managing governance and compliance

Is consumer data privacy at risk under cybersecurity legislation? #GRCChat participants discuss how cybersecurity legislation could hurt data privacy and what personal information protections should be included in the new rules.

Go beyond compliance checklists to avoid information security breaches In this #GRCChat, participants discuss the causes behind information security breaches and how enterprises can protect against them to improve IT security practices.

Changes in technology create new difficulties for GRC processes In this #GRCChat, participants discuss how changes in technology like consumerization and evolving security threats affect GRC management and consider who should be responsible for that management.

Wearables in the workplace strain existing GRC policies Have you considered the GRC implications of wearables in the workplace? In this #GRCChat recap, participants consider the impact of wearables on established policies and how businesses can ensure data security and privacy.

Enforce GRC essentials for a strong BYOD security policy In this #GRCChat, find out what GRC features to keep top of mind when designing a BYOD security policy -- and how to ensure employees are on board.

Enterprise GRC jargon you're abandoning in 2015 There are many nebulous enterprise GRC and security terms that need to be scrapped. In this #GRCChat recap, SearchCompliance followers share the lingo they can't wait to jettison this year.

Francesca Sales asks:

What IT GRC mistakes from 2014 do you want to do over?

Join the Discussion

Join the conversation

2 comments

Send me notifications when other members comment.

Oldest

[-]

Fran Sales - 6 Jan 2015 7:36 AM

What IT GRC mistakes from 2014 do you want to do over?

jennifer211 - 19 Feb 2015 9:35 AM

I'd say not making the mistake of overestimating potential risk. We want to always be sure our customers are safe, and remain on top of the game in terms of potential threats to sensitive information. But the fact is, while it's easy to race around like a chicken without its head when the next big hack breaks, we're just not in that big league. So we need to optimize our own strategies and keep calm.

What were your top IT GRC regrets from 2014?

Information security is moving up the priority list at many organizations. In this #GRCChat recap, participants look back at 2014 to discuss their top IT GRC regrets.