In our year-end #GRCChat, SearchCompliance asked its Twitter followers to reflect on the past year and tell us where their organizations faltered when it came to IT governance, risk and compliance (GRC). Considering the sheer number of prominent data breaches that made news headlines in 2014, it didn't come as a surprise that many tweet chat participants' answers circled back to security, especially as IT GRC and security professionals are pushed further into the limelight.
What were your biggest GRC-related regrets from 2014?
Senior Managing Editor Rachel Lebeaux observed that, given the plethora of breaches that occurred in 2014, it looks like many organizations lacked adequate security governance. As SearchCompliance Site Editor Ben Cole pointed out, had these targeted companies looked more closely at their IT GRC processes, the attack surface available to hackers could have been limited:
A1 Many companies would prob say not embedding GRC into everyday biz process- Recent hacks prove many access pts. avail to hackers #GRCChat — Ben Cole (@BenjaminCole11) December 18, 2014
The goal, according to Jason Smolanoff, vice president at Stroz Friedberg LLC, should be the ability to tell regulators, in the event of a breach, "that they put in reasonable security measures to prevent against a variety of attacks."
Data breaches not only mean the loss of intellectual property, but also increased litigation costs and blows to companies' reputations. As such, it's critical to push security governance higher up the corporate priority list; however, as Cole mentioned, that's a reality some in the C-suite aren't prepared to face:
Forvalaka41's comments echo Smolanoff's: By positioning information security professionals to work more closely with your company's audit function, they become an "independent security voice" for the organization, which can help with data protection.
Forvalaka41 also revealed some of his organization's IT GRC-related regrets in 2014 and the challenges that accompanied them:
Another big GRC regret noted by tweet chatters is the tendency of many organizations to treat compliance as just another checkbox, neglecting to fully integrate it with risk management and security functions:
A1 Also don't rely on comp to be secure. Compliance regs don't assure security, although security strategy can help compliance #GRCchat — Ben Cole (@BenjaminCole11) December 18, 2014
A1 I'm sure many orgs found out the hard way that simple compliance isn't enough to ensure data security #grcchat — Fran Sales (@Fran_S_TT) December 18, 2014
According to Daniel Allen, a research fellow at the Center for Climate and Security, an organization can tailor compliance controls to meet its specific security needs by conducting risk assessments that look at various factors, including its users, its unique threats and its data vulnerabilities.
As Brian O'Hara, CISO for IT security consulting firm The Mako Group, succinctly put it: "Compliance will never make you secure, but security will always lead you to compliance."
How about you? What were your biggest IT GRC regrets from 2014? Please sound off in the comments section below.