What were your top IT GRC regrets from 2014?

What were your biggest GRC-related regrets from 2014?

Senior Managing Editor Rachel Lebeaux observed that, given the plethora of breaches that occurred in 2014, it looks like many organizations lacked adequate security governance. As SearchCompliance Site Editor Ben Cole pointed out, had these targeted companies looked more closely at their IT GRC processes, the attack surface available to hackers could have been limited:

@ITCompliance A1 I'll start. Given all the high-profile data breaches this year, seems orgs didn't govern security programs enough. #GRCChat

— RachelTT (@RachelatTT) December 18, 2014

A1 Many companies would prob say not embedding GRC into everyday biz process- Recent hacks prove many access pts. avail to hackers #GRCChat

— Ben Cole (@BenjaminCole11) December 18, 2014

The goal, according to Jason Smolanoff, vice president at Stroz Friedberg LLC, should be the ability to tell regulators, in the event of a breach, "that they put in reasonable security measures to prevent against a variety of attacks."

Data breaches not only mean the loss of intellectual property, but also increased litigation costs and blows to companies' reputations. As such, it's critical to push security governance higher up the corporate priority list; however, as Cole mentioned, that's a reality some in the C-suite aren't prepared to face:

. @Forvalaka41 Yes I've def heard that from others- GRC needs to be involved more but higher-ups dont often want to hear it #GRCchat

— Ben Cole (@BenjaminCole11) December 18, 2014

@BenjaminCole11 #grcchat It's much easier to pass an audit when your auditors approved the design and laid out controls from day one.

— Forvalaka41 (@Forvalaka41) December 18, 2014

Forvalaka41's comments echo Smolanoff's: By positioning information security professionals to work more closely with your company's audit function, they become an "independent security voice" for the organization, which can help with data protection.

Forvalaka41 also revealed some of his organization's IT GRC-related regrets in 2014 and the challenges that accompanied them:

A1: Lacking governance when mapping and moving 3 corp. data centers w/ rush to decomm. many apps. (M&A) @ITCompliance #grcchat

— Forvalaka41 (@Forvalaka41) December 18, 2014

@RachelatTT @ITCompliance #grcchat Tight timelines (to be generous) followed by massive staff reductions.

— Forvalaka41 (@Forvalaka41) December 18, 2014

Another big GRC regret noted by tweet chatters is the tendency of many organizations to treat compliance as just another checkbox, neglecting to fully integrate it with risk management and security functions:

A1 Also don't rely on comp to be secure. Compliance regs don't assure security, although security strategy can help compliance #GRCchat

— Ben Cole (@BenjaminCole11) December 18, 2014

A1 I'm sure many orgs found out the hard way that simple compliance isn't enough to ensure data security #grcchat

— Fran Sales (@Fran_S_TT) December 18, 2014

According to Daniel Allen, a research fellow at the Center for Climate and Security, an organization can tailor compliance controls to meet its specific security needs by conducting risk assessments that look at various factors, including its users, its unique threats and its data vulnerabilities.

As Brian O'Hara, CISO for IT security consulting firm The Mako Group, succinctly put it: "Compliance will never make you secure, but security will always lead you to compliance."

How about you? What were your biggest IT GRC regrets from 2014? Please sound off in the comments section below.