The widespread use of both business and personally owned technology in the workplace, due to IT consumerization, has created new security risks and complications for compliance processes. From acceptable use policies to bring your own device (BYOD) and beyond, enterprises must find a way to adapt their GRC management to the changing ways that employees and consumers interact with technology every day.
Curiously, in Accenture's recent survey of compliance officers from 150 financial services companies, 59% of respondents said that they do not consider understanding technology trends to be a key skill for a compliance officer.
Is that thinking shared by SearchCompliance followers and editors? In this #GRCChat recap, participants discuss how enterprises should adjust their GRC management policies to keep up with new technology and who should be responsible for that management in the first place.
How has the rise of consumer-centric technology use for business gain complicated GRC management processes?
Many enterprises find it difficult to keep their GRC policies in step with the rapid changes in technology and the new threats those changes create. However, #GRCChat participants quickly pointed out that although it is difficult, enterprises must still invest in keeping GRC processes up-to-date:
A1 But because new tech – and the threats that come with them – change so quickly, biz budgets and resources struggle to keep up #GRCChat— SearchCompliance.com (@ITCompliance) March 26, 2015
A1 Companies must designate time and resources to make sure GRC processes are keeping up with new tech their customers are using #GRCchat— SearchCompliance.com (@ITCompliance) March 26, 2015
GRC policies are not only suffering because of rapid developments in technology, though. Many of these new technologies are consumer-focused, so employees become accustomed to using these tools in their personal lives before bringing them into the workplace, often without the enterprise's approval or possibly even its knowledge. Employee use of technologies that are not supported by the enterprise's IT department, a concept known as shadow IT, further complicates GRC management.
A1 Tougher to implement controls and enforce policy #GRCChat— Dan Sanders (@dansanders) March 26, 2015
A1: Tough to guarantee GRC constraints while satisfying user wants for convenience and ease of use. #grcchat— Forvalaka41 (@Forvalaka41) March 26, 2015
SearchCompliance Site Editor Francesca Sales and SearchCIO Senior News Writer Nicole Laskowski both wondered how these changes in technology will affect C-level positions and their responsibilities:
A1 I'd be interested to hear how businesses can create agile GRC processes. Where does the CIO need to start? #GRCchat— Nicole Laskowski (@TT_Nicole) March 26, 2015
Who should be responsible for compliance and consumer risk management strategy? Legal counsel? CIO? CISO? Someone else?
In order to keep pace with changes in technology, someone first needs to be in charge of the enterprise's GRC processes and strategy. Different companies have different people at the helm of this task, but most participants seemed to agree that the leadership responsibilities should be collaborative, whether that be between specific C-level executives or the C-suite as a whole:
A5 Should be a partnership between the Chief Risk Officer and the CISO. Depends on the size of the org. #GRCChat— Elliott Franklin (@elliottfranklin) March 26, 2015
A5: Seems like the whole C-suite would have roles to play or requirements to consider. GRC/audit/sec/etc. should all get visibility. #grcchat— Forvalaka41 (@Forvalaka41) March 26, 2015
A5 All will likely be involved in compliance/RM strategy, but one should be chosen to lead/make sure goals are met #GRCchat— SearchCompliance.com (@ITCompliance) March 26, 2015
SearchCompliance Site Editor Ben Cole -- via the SearchCompliance Twitter handle -- went a step further by suggesting that legal counsel would be a good option to head this collaboration, which sparked a conversation among participants:
Focusing on the C-suite's relationship with security and compliance, one participant wondered if companies can capitalize on good GRC management and turn it into a marketing opportunity:
A5: (Q) Will we start seeing the CMO authorizing marketing campaigns that hinge on better GRC/sec. than their breached competitors? #grcchat— Forvalaka41 (@Forvalaka41) March 26, 2015
Who do you think should be in charge of an enterprise's GRC strategy? Why do you think consumer-centric technology has complicated GRC management?