GRC - SC Magazine

Sponsored by

GRC

While they lack maturity, governance, risk and compliance tools can help firms, especially as senior executives become more interested in security.


GRC

Global companies facing a slew of regional laws, as well as small and midsized companies required to meet regulatory demands, need governance, risk and compliance solutions. David Cotriss examines the marketplace.

Governance, risk and compliance (GRC) entails a strategic blend of people, processes and software tools that, if mixed properly, protect companies and ensure they comply with government regulations. Michael Rasmussen, GRC strategy adviser and owner of Corporate Integrity, a consultancy based in the greater Milwaukee area, claims to have coined the term in 2002 while he was an analyst at technology advisory services firm Giga Information Group.

This was just around the time Sarbanes-Oxley (SOX) became law and the need for GRC tools became readily apparent on the heels of headline-grabbing corporate and accounting scandals, including those involving Enron, Adelphia and WorldCom. Since then, SOX has been supplanted by other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as drivers of compliance and governance.

For a discipline that has been around for roughly 10 years, GRC still shows a lack of maturity that frustrates many who wrestle daily with security concerns at enterprises. In fact, an increase in the number of regulatory requirements, and ambiguity in their requirements, is the major source of pressure in enterprise risk management and compliance, cited by 48 percent of respondents to a recent survey from the Aberdeen Group.

Financial service and health care, the two most highly regulated industries, are held to a higher standard of governance and compliance, and require many sets of tools to meet objectives. Often these tools cannot be integrated, causing companies to rely on manual solutions. GRC started out as an IT-driven discipline, but that approach has fallen out of favor. Still, many organizations continue to endorse a less collaborative and more siloed approach to GRC.

“A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk,” says Rasmussen. “A mature GRC program is one in which the organization has an integrated process, information and technology architecture providing visibility across risk and compliance domains.”

Tim Purtell, a partner in the IT risk and assurance practice at Ernst & Young and a former CISO, agrees that too many companies adopt the siloed approach. Besides wasting money, this tactic results in a lack of a clear enterprise strategy for compliance and risk.

Too, the overwhelming complexity of increasing and ever-changing regulations presents a substantial burden to enterprises. Not to mention, boards of directors are being held accountable for issues of which they may not be very knowledgeable.

“CISOs are faced with the conundrum of making their firms both compliant and secure,” says Bill Sieglein, founder and CEO of the CISO Executive Network, a peer-to-peer group of information security, IT risk management, audit and compliance executives. “They are not the same. Compliance requirements drive organizations to meet specific objectives through various controls. The regulations are intended to make companies more secure through regulatory enforcement.”

The unfortunate side effect, he says, is that firms do only what is specifically required to meet the regulatory requirements. And, this does not always have the intended effect of making a firm more secure. “This is why we have instances of firms reporting breaches even though they have passed regulatory audits and are considered compliant,” Sieglein says. “Firms must move away from thinking that regulatory compliance is the goal. We must help educate executive management that we ought to be managing security risks to data assets.”

48% of respondents to a 2012 study said an increase in regulatory requirements is the major source of pressure in enterprise risk management and compliance.

– Aberdeen Group

Yet from a senior leadership perspective, there is a tendency to view security as a “geek” issue or strictly a risk issue, says Jody Westby, CEO of Global Cyber Risk, a Washington, D.C.-based consultancy that assists senior leaders in managing the risks challenging global enterprises, and an adjunct distinguished fellow at Carnegie Mellon University CyLab in Pittsburgh. “There is a lack of understanding that this is a fiduciary issue, that it is a segregation-of-duties (SOD) issue. Boards lack clarity about their role in risk management.”

At many companies, CISOs merely report to CIOs. However, this is changing as more companies recognize the problem. “Now CISOs report to COOs or CFOs,” says Sieglein.

Another SOD issue pointed out by Westby is when audit committees both oversee development of security programs and then grade the effectiveness of the programs.

“A well-functioning GRC group provides risk guidance to the executives and gives them the tools to make the risk-based decisions,” says Eugene Fredriksen, CISO at Tyco, a global manufacturing company with U.S. headquarters in Princeton, N.J. “My job as a CISO is to give guidance and advice to the people who ultimately make risk decisions for the company. Because Tyco is [partly] in the security business, privacy and protection of client information are the main board interests.” From a business perspective, a company should understand the risk profile, conduct an analysis to find gaps and try to shrink exposure, he adds.

35% of responding companies said the audit committee was responsible for oversight of risk, down from 53 percent in 2010.

– Carnegie Mellon CyLab, May 2012 (108 respondents at senior executive level from Forbes Global 2000 companies)

30% of the respondents indicate the risk committee has responsibility for risk, whereas in 2010 it was only five percent.

– Carnegie Mellon CyLab, May 2012 (108 respondents at senior executive level from Forbes Global 2000 companies)

GRC: Best practices

• Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.

• Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The chief information officer (CIO), chief information security officer (CISO)/chief security officer (CSO) and chief privacy officer (CPO) should report independently to senior management.

• Evaluate the existing organizational structure and establish a cross-organizational team that meets at least monthly to coordinate and communicate on privacy and security issues. The team should include senior management from human resources, public relations, legal and procurement, as well as the chief financial officer (CFO), the CIO, CISO/CSO, chief risk officer (CRO), the CPO, and business line executives.

• Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based on key aspects of the organization’s security program, including annual audits and control requirements.

• Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

• Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

• Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.

• Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

– Jody Westby, adjunct distinguished fellow, CyLab; CEO, Global Cyber Risk

“Smart CISOs are only advisers,” says Sieglein. “They should never own the risk because they don’t own the data. It’s best for the CISO to make recommendations to the governance and risk committee.” He says too many CISOs at midsize companies don’t seem to accept that concept and subsequently get into trouble.

Sieglein predicts that CISOs in the future will focus less on IT and more on risk. “They may become risk advisers because IT is being outsourced.”

Over the years, enterprise GRC solutions (EGRC) have joined with financial and IT point solutions. EGRC implies a top-down approach, with all business units on the same platform. It encompasses financial, IT and operational functions. However, EGRC offers less automation for IT functions. Instead, these capabilities are tailored to higher-level reporting to executives and boards. While some experts argue that point solutions will be a part of GRC for the next several years, others believe that EGRC will eventually become robust enough that it will eliminate the need for specific tools.

Linda Cooper Angles, corporate information security and governance officer at New York-based Guardian Life Insurance, says vendors are not at a level of sophistication where they can cover all aspects of GRC. Her company uses two GRC tools – one for IT security controls and mapping to regulations, and another for enterprise risk management. Even with these two sets of solutions, not everything can be automated. She says reports to her board still involve a manual process.

“GRC tools have been disappointing because they require so much manual intervention that the tools are not worth buying,” says Sieglein.

Tyco’s Fredriksen says that because his company is a distributed business, it uses several point solutions. “We don’t have a common GRC tool that works across the enterprise, but we are talking about it,” he says.

Chris McClean, senior analyst of security and risk at research firm Forrester, says that while EGRC has fewer product integration capabilities, the tools are not really that unique. “They all have an underlying database, workflow, document management and reporting,” he says. But he says companies in regulated industries may still need point solutions.

Meanwhile, Phil Agcaoili, CISO at Atlanta-based Cox Communications, says vendors have enhanced their products to include unified compliance so that multiple tools are not necessary.

And, cloud GRC solutions may be on the horizon, says Forrester’s McClean. This might make it easier to offer standalone functional solutions at reduced cost.

Can GRC demonstrate ROI? Cooper Angles says ROI doesn’t work for GRC. “It’s more about demonstrating efficiencies and automating manual processes,” she says.

Others agree. “I don’t believe it is possible right now to demonstrate ROI,” says Fredriksen. “I look at the business requirements, but I don’t look for cost savings. Security and compliance need to be a business enabler.”

However, Ernst & Young conducted a global study and found that companies with more mature risk management practices financially outperform their peers. Based on nearly 600 interviews, the company assessed the maturity level of risk management practices. “The top-performing companies (from a risk maturity perspective) implemented on average twice as many of the key risk capabilities as those in the lowest-performing group.” Companies in the top 20 percent of risk maturity generated three times the level of earnings as those in the bottom 20 percent, 20.3 percent versus 7.4 percent from 2004 through 2011.

“We haven’t done a good job of educating employees about appropriate custodial care of data.”

– Eugene Fredriksen, CISO at Tyco

27% of respondents indicated that the board has an outside director with cyber security expertise in 2012, up from 18 percent in 2010.

– Carnegie Mellon CyLab, May 2012 (108 respondents at senior executive level from Forbes Global 2000 companies)

The Aberdeen Group suggests that ROI be measured by cost savings generated from the reduction of regulatory fines and penalties through achieving compliance, as well as savings from streamlined financial and operational processes. Others also argue that new market revenues can result from compliance measures that enable more global business.

It’s always difficult to determine the right amount to spend on GRC. Companies should identify their most valuable assets and protect them, experts say. The business units are the entities that have to accept the risk responsibility for vulnerable assets.

Cooper Angles agrees that it is unrealistic to carry no risk. Each company has to determine its risk appetite. “The best performing companies are risk-aware,” she says. “You can’t eliminate all risk, but it’s important to document residual risk and implement compensatory controls and monitors to minimize impact.”

In the European Union, which has harmonized policies, each member country still has its own laws. Asian countries are increasing their regulations as well. “India and South Korea recently enacted new privacy regulations,” says Tyco’s Fredriksen. His company operates in more than 80 countries, thus understanding privacy and compliance regulations in each one is a full-time job, he says. “There is no single source of global regulation information.”

Westby adds that corporations need to think globally, but act locally. “Look at conflict of laws between countries and choose which law you are not going to comply with,” she says. Sometimes this means a company can no longer do business in a particular country.

Too, boards may not be paying enough attention to outsourcing, particularly offshore outsourcing to countries with no laws regarding security and privacy. India, China and the Philippines are the most popular countries for offshore installations. However, says Westby, outsourcing vendors are moving to satellite locations, such as Eastern Europe and Mexico, because of wage issues and talent shortages. With this arrangement, companies can expose themselves to vulnerabilities, including a lack of privacy and economic-espionage laws, as well as limited law enforcement cooperation.

In addition, companies can lose control of data because they have no input into third-party personnel selection or data monitoring. Third parties may have a contractual obligation to protect data, but no statutory requirement. Westby suggests extending company security requirements to all third-party contractors.

Forrester’s McClean suggests that GRC implementations should start small. “Companies should have a big vision, but roll out slowly,” he says. “Start with one function or business unit. And it’s important to know who owns the process.”

View the technology aspect of GRC only as a tool, says Purtell. Pay more attention to business strategy issues and take a more holistic approach to achieving goals.

Rasmussen says it is important to establish responsive policies and culture. Policies should be communicated across the business to establish a risk and compliance culture. And, they should be kept current and reviewed and audited on a regular basis. Risk appetite and tolerance should be established and studied in the context of the business, and continuously mapped to business performance and objectives. Accountability and risk ownership are key features of GRC. Every risk at the enterprise and business-process level should have clearly established owners. Risk must be communicated to stakeholders, and the organization’s track record should illustrate successful tolerance and management.

“We are seeing increasing interest from [ratings agencies] about how we are doing enterprise risk management.”

– Linda Cooper Angles, Guardian Life Insurance

Ernst & Young recommends transparent and timely communication with stakeholders through the offering of relevant information that conveys the decisions and values of the organization. Companies should adopt a common risk framework and implement it across the organization. Businesses should embed risk management practices into business planning and performance. They should have a formal method for defining acceptable risk thresholds within the organization. All employees should undergo risk-related training. Risk monitoring and reporting tools should be standardized across the organization. Greater technology integration allows the organization to manage risk and eliminate or prevent redundancy.

Fredriksen suggests companies align themselves with ISO standards, such as 27000, a series of best practice guidelines on information security management, risks and controls. This makes it easier to comply with new or changed regulations. He also says a punitive approach to governance and compliance does not work. Rather, he would prefer to see government provide incentives to companies that perform well.

The consensus is that GRC tools are imperfect, and it is unlikely that one tool will ever meet the needs of an enterprise, especially one in a highly regulated sector. However, as GRC transforms from a single solution into an operational guide, it will become a more useful instrument for companies, especially large ones, struggling to meet governance and compliance requirements.

For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial director, at [email protected].


73% of respondents said the board had an outside director with risk expertise, compared with 59 percent in 2010.

– Carnegie Mellon CyLab, May 2012 (108 respondents at senior executive level from Forbes Global 2000 companies)

“Companies should have a big vision, but roll out slowly.”

– Chris McClean, senior analyst of security and risk at Forrester Research

Sponsors

Masthead

Courion delivers software solutions that effectively and securely manage access risk. Organizations rely on Courion’s access risk management technology to align user access privileges with corporate and regulatory governance policies. Courion’s cloud and on-premise solutions provide a full range of identity and access management functionality while demonstrating compliance and achieving quick time-to-value.

For more information, visit courion.com.

EDITORIAL
VP, editorial director Illena Armstrong [email protected]
editor Dan Kaplan [email protected]
managing editor Greg Masters [email protected]

ART AND PRODUCTION
art director Brian Jackson [email protected]
manager Krassi Varbanov [email protected]

U.S. SALES
VP, sales director David Steifman (646) 638-6008 [email protected]
eastern region sales manager Mike Shemesh (646) 638-6016 [email protected]
region sales manager Matthew Allington (415) 346-6460 [email protected]
executive Dennis Koster (646) 638-6019 [email protected]
sales/editorial assistant Roo Howar (646) 638-6104 [email protected]

HP Enterprise Security is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market-leading products from ArcSight, Fortify and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection and network defense technology to protect today’s applications and IT infrastructures from sophisticated cyber threats.

For more information, visit hpenterprisesecurity.com.

Identify Access Risk Within Your Organization

www.courion.com/IAGReport

Courion's Access Governance and Compliance solutions provide the ability to automate verification and remediation of access rights, role creation and on-going role management, as well as review and certify user activity.

View the latest report on Identity and Access Governance by a leading analyst firm.

Copyright © 1996-2012 Courion Corporation. All Rights Reserved.


©2012 Hewlett-Packard Development Company, L.P.

Need to see everywhere at once? You can.

You can’t stop threats if you can’t see them. Gain context-aware visibility into security risks with HP Enterprise Security’s proven solutions. See how to protect your IT environment from sophisticated threats with the integrated correlation, application protection, and network defenses delivered by the HP Security Intelligence and Risk Management platform.

See everywhere at once. Arm yourself with advanced protection against advanced threats.

For more information go to hpenterprisesecurity.com

See. Understand. Act.