Driven largely by compliance requirements for the Sarbanes-Oxley Act of 2002, many organizations are adopting governance, risk and compliance (GRC) tools to help manage their activities in these three areas. GRC suites and toolsets automate the collection, correlation and reporting of information to offer a broader picture of how well the company is performing, how well it is complying with the law and how well it is managing risk.
But there are many factors to consider, from initial steps, such as whether or not to invest in the technology at all, to making the case for ROI on the software, to evaluating how well the GRC suite is actually giving you the information you seek.
We asked members of Wisegate for advice. Wisegate is an invitation-only business social-networking group launched last year and composed of CSOs and CISOs who want to share information privately with each other. Several of its veteran security-professional members offered the following tips for getting GRC right.
Dave Notch, CISO, Thomson Reuters
The big tip for me is don't try to get it perfect, even though you may know what you want. Take an iterative approach. This lets you make progress and learn what your and others' requirements really are. Which leads me to my second point:
Expect to throw away some of your work. As you learn what the different audiences need, you will have to throw away some of your work. Don't take it personally -- this is just part of the learning process.
Get a handle on your assets (and this has nothing to do with tool selection). Unless you know what you have, it will be difficult to quantify what is wrong. We tiered our assets into three categories, and those became the lenses we used to look at things.
Build a team that spans legal, HR, product, IT and security. Work together regularly. This will help keep all of you from duplicating each other's work, such as policy development. Also, this makes it easier when you step on each other's toes. We are so matrixed in big companies these days that this is going to happen. Don't take it personally if you step on each other's toes, and work together deliberately, which makes this a lot easier to work through when it does happen.
Kristen Knight, Privacy Director/Sr. Privacy Officer, NA Philips Electronics North America
Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Even your company's top executives will be impacted by a GRC implementation, so make sure they are willing to go through training and to adapt to the new system. If I had fully understood the product when I was purchasing it, I would have realized how unlikely it was that a busy executive could be trained to use it.
It takes a mature organization with well-defined processes to deal with the workflow capability that a GRC tool provides. The workflow aspect of some solutions may require everyone in the organization to understand how to use it. The workflow of the product we chose meant that everyone had to learn how to use it, like, for example, an organization's expense-reporting tool. That didn't work for us, since only a small number of privacy officers had the expertise to accurately respond to the survey questions.
Recognize that implementations can take much longer than expected. At the same time, don't be afraid to pull the plug if the implementation isn't going well. We just tried to make it work because we wanted it to be a success.
Tom Malta, Senior Technology Risk Executive in financial services, including Goldman Sachs, Morgan Stanley, and BNY Mellon
Understand that this is a tool that requires care and feeding. A program around GRC must be in place, with proper policies, procedures and workflow. If you don't have procedures and workflow around GRC, it can be easy to use what the tool has built in.
Communicate extensively. Make everyone aware of the phased approach to using the toolset.
Getting a good GRC framework in place doesn't have to be all about new tooling -- there are some simple things you can introduce immediately to your program to help manage your risk and compliance initiatives, such as the addition of reporting dashboards tied to (functional or corporate) key risk or key performance indicators (KRI/KPI).
Jeff Bardin, veteran CISO from Investor's Bank & Trust, State Street Bank and Hanover Insurance Group
Perform a proof of concept, deploying all modules of the tool as part of the PoC. If the PoC is successful, then you should try to use that instance for production. Wherever possible, following this process helps you cut costs and develop a working toolset more quickly.
Most GRC tools come with connectors that enable quick integration with other security technologies and data feeds. Use them to reduce time and costs.