Changes in technology create new difficulties for GRC processes
In this #GRCChat, participants discuss how changes in technology like consumerization and evolving security threats affect GRC management and consider who should be responsible for that management.
The widespread use of both business and personally owned technology in the workplace, due to IT consumerization, has created new security risks and complications for compliance processes. From acceptable use policies to bring your own device (BYOD) and beyond, enterprises must find a way to adapt their GRC management to the changing ways that employees and consumers interact with technology every day.
Curiously, in Accenture's recent survey of compliance officers from 150 financial services companies, 59% of respondents said that they do not consider understanding technology trends to be a key skill for a compliance officer.
Is that thinking shared by SearchCompliance followers and editors? In this #GRCChat recap, participants discuss how enterprises should adjust their GRC management policies to keep up with new technology and who should be responsible for that management in the first place.
How has the rise of consumer-centric technology use for business gain complicated GRC management processes?
Many enterprises find it difficult to keep their GRC policies in step with the rapid changes in technology and the new threats those changes create. However, #GRCChat participants quickly pointed out that although it is difficult, enterprises must still invest in keeping GRC processes up-to-date:
A1 Simply put, new tech creates new breach vulnerabilities-biz must constantly review + revise #GRC management strategy to adapt #GRCChat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
A1 But because new tech – and the threats that come with them – change so quick, biz budgets and resources struggle to keep up #GRCChat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
#grc processes are going to have to keep up w/ the pace of tech change! #grcchat easier said than done, i'm guessing
— Fran Sales (@Fran_S_TT)
March 26, 2015
A1 Companies must designate time and resources to make sure GRC processes are keeping up with new tech their customers are using #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
GRC policies are not only suffering because of rapid developments in technology, though. Many of these new technologies are consumer-focused, so employees become accustomed to using these tools in their personal lives before bringing them into the workplace, often without the enterprise's approval or possibly even its knowledge. Employees' use of technologies that are not supported by the enterprise's IT department, a concept known as shadow IT, further complicates GRC management.
A1 Tougher to implement controls and enforce policy #GRCChat
— Dan Sanders (@dansanders)
March 26, 2015
A1 Easy-to-access consumer tech has given rise to shadow IT, which can certainly complicate corporate #GRC strategy. #grcchat
— Nicole Laskowski (@TT_Nicole)
March 26, 2015
A1: Tough to guarantee GRC constraints while satisfying user wants for convenience and ease of use. #grcchat
— Forvalaka41 (@Forvalaka41)
March 26, 2015
SearchCompliance Site Editor Francesca Sales and SearchCIO Senior News Writer Nicole Laskowski both wondered how these changes in technology will affect C-level positions and their responsibilities:
also curious how #GRC officers' relationships w/ rest of c-suite change with these tech developments #GRCChat
— Fran Sales (@Fran_S_TT)
March 26, 2015
A1 I'd be interested to hear how businesses can create agile GRC processes. Where does the CIO need to start? #GRCchat
— Nicole Laskowski (@TT_Nicole)
March 26, 2015
Who should be responsible for compliance and consumer risk management strategy? Legal counsel? CIO? CISO? Someone else?
In order to keep pace with changes in technology, someone first needs to be in charge of the enterprise's GRC processes and strategy. Different companies have different people at the helm of this task, but most participants seemed to agree that the leadership responsibilities should be collaborative, whether that be between specific C-level executives or the C-suite as a whole:
A5 Should be a partnership between the Chief Risk Officer and the CISO. Depends on the size of the org. #GRCChat
— Elliott Franklin (@elliottfranklin)
March 26, 2015
A5: Seems like the whole C-suite would have roles to play or requirements to consider. GRC/audit/sec/etc. should all get visibility. #grcchat
— Forvalaka41 (@Forvalaka41)
March 26, 2015
A5 All will likely be involved in compliance/RM strategy, but one should be chosen to lead/make sure goals are met #GRCchat
— SearchCompliance.com (@ITCompliance)
March 26, 2015
SearchCompliance Site Editor Ben Cole -- via the SearchCompliance Twitter handle -- went a step further by suggesting that legal counsel would be a good option to head this collaboration, which sparked a conversation among participants:
@ITCompliance Respectfully disagree on A5: legal should be top SME, but they are too diffuse to focus on #GRC #GRCChat
— Dan Sanders (@dansanders)
March 26, 2015
@ITCompliance Are we going to start seeing the rise of the CLO? Chief Legal Officer? #GRCchat
— Nicole Laskowski (@TT_Nicole)
March 26, 2015
@TT_Nicole @ITCompliance #grcchat Good Q. How many people can be "chief" before the C-suite becomes too granular?
— Forvalaka41 (@Forvalaka41)
March 26, 2015
Focusing on the C-suite's relationship with security and compliance, one participant wondered if companies can capitalize on good GRC management and turn it into a marketing opportunity:
A5: (Q) Will we start seeing the CMO authorizing marketing campaigns that hinge on better GRC/sec. than their breached competitors? #grcchat
— Forvalaka41 (@Forvalaka41)
March 26, 2015
Who do you think should be in charge of an enterprise's GRC strategy? Why do you think consumer-centric technology has complicated GRC management? Sound off in the comments section below.