What were your top IT GRC regrets from 2014?

Information security is moving up the priority list at many organizations. In this #GRCChat recap, participants look back at 2014 to discuss their top IT GRC regrets.

In our year-end #GRCChat, SearchCompliance asked its Twitter followers to reflect on the past year and tell us where their organizations faltered when it came to IT governance, risk and compliance (GRC). Considering the sheer number of prominent data breaches that made news headlines in 2014, it didn't come as a surprise that many tweet chat participants' answers circled back to security, especially as IT GRC and security professionals are pushed further into the limelight.

What were your biggest GRC-related regrets from 2014?

Senior Managing Editor Rachel Lebeaux observed that, given the plethora of breaches that occurred in 2014, it looks like many organizations lacked adequate security governance. As SearchCompliance Site Editor Ben Cole pointed out, had these targeted companies looked more closely at their IT GRC processes, the attack surface available to hackers could have been limited:

The goal, according to Jason Smolanoff, vice president at Stroz Friedberg LLC, should be the ability to tell regulators, in the event of a breach, "that they put in reasonable security measures to prevent against a variety of attacks."

Data breaches not only mean the loss of intellectual property, but also increased litigation costs and blows to companies' reputations. As such, it's critical to push security governance higher up the corporate priority list; however, as Cole mentioned, that's a reality some in the C-suite aren't prepared to face:

Forvalaka41's comments echo Smolanoff's: By positioning information security professionals to work more closely with your company's audit function, those professionals become an "independent security voice" for the organization, which can help with data protection.

Forvalaka41 also revealed some of his organization's IT GRC-related regrets in 2014 and the challenges that accompanied them:

Another big GRC regret noted by tweet chatters is the tendency of many organizations to treat compliance as just another checkbox, neglecting to fully integrate it with risk management and security functions:

According to Daniel Allen, a research fellow at the Center for Climate and Security, an organization can tailor compliance controls to meet its specific security needs by conducting risk assessments that look at various factors, including its users, its unique threats and its data vulnerabilities.

As Brian O'Hara, CISO for IT security consulting firm The Mako Group, succinctly put it: "Compliance will never make you secure, but security will always lead you to compliance."

How about you? What were your biggest IT GRC regrets from 2014? Please sound off in the comments section below.

Next Steps

Head over to SearchCIO to see #CIOChat participants' biggest IT regrets of 2014. Then take a look at SearchCIO readers' IT regrets from last year to see what changed.