
Go beyond compliance checklists to avoid information security breaches

In this #GRCChat, participants discuss the causes behind information security breaches and how enterprises can protect against them to improve IT security practices.

If enterprises have learned anything in the past year, it's that data breaches are here to stay and only getting worse. From Home Depot to JPMorgan Chase to Sony Pictures, the numbers were staggering: Gemalto's 2014 Breach Level Index report stated that there were 1,541 information security breaches in 2014, with a total of over 1 billion records breached overall for the year.

The regularity of these information security breaches is forcing many enterprises to take a long, hard look at their GRC and security processes. Are enterprises doing something wrong, or are breaches just inevitable? In this #GRCChat recap, participants discuss why these data breaches occur so often and how companies can reconcile their GRC management to changing technology, regulations, and threats.

With compliance a big concern, why are breaches still so common? Is there too much disconnect between GRC and security?

Enterprises put a lot of effort and resources into being compliant, and yet information security breaches are still occurring at an alarming rate. The consensus among #GRCChat participants was that this is due to companies focusing too much on the compliance aspect of GRC and not paying enough attention to their security as a whole:

It's easy for enterprises to concentrate on compliance because there are rules and regulations that act as guidelines for what exactly needs to be done. However, if companies really want to safeguard their data, they need to take the extra step of looking at security outside the context of compliance. #GRCChat participants discussed why that is easier said than done in today's businesses:

More than just looking at compliance and security separately, enterprises must also be willing to add extra security measures that may not be required in order to be compliant, but are still needed nonetheless:

However, this type of distinction is often not found in GRC and security processes. Participants pointed to a lack of resources and representation in the systems development life cycle as some explanations for this omission:

Even with the best security measures, there is still the possibility of an information security breach:

How can companies balance compliance and risk management while adapting to rapidly changing IT, regulations and cyberthreats?

Every time a new technology emerges, new risks and new regulations follow it. This can be a lot for enterprises to balance, but SearchCompliance Site Editor Ben Cole -- via the SearchCompliance Twitter handle -- suggested that assessments and reviews could be the solution to keeping the balance, and may even reveal some points of intersection:

#GRCChat participant Elliot Franklin took this idea of reviews one step further and advocated for continuous monitoring as a way to keep the compliance and risk management processes abreast of new developments:

Still, some participants thought other solutions were best, whether it was a concrete idea like developing a new process, or something more intangible like changing the way the company thinks about GRC:

How do you think enterprises should balance GRC with evolving technologies, regulations, and cyberthreats? Sound off in the comments section below.

Next Steps

Learn more about how breaches are forcing enterprises to adapt their GRC and security processes by checking out these pieces on the increase of formal GRC programs and the benefits of security programs. Then head over to SearchSecurity for more on balancing compliance and security to prevent breaches.
