Cyber Security Awareness Month is an excellent opportunity to shed light on the important role GRC plays in IT organizations. I recently sat down with a few of my Verterim colleagues to share and discuss insights on this topic. My experience as a former CISO has certainly influenced our approach as a GRC company. Through a unique lens of former practitioners, we deliver solutions that are attainable in the short term and effective in setting our clients up for long-term success and scalability.
Q: October is Cybersecurity Awareness Month. How have you seen GRC in IT organizations change over time, and where is it going in the future?
A: Rapid advancements in technology and improvements to methodology make today’s most effective GRC and cyber programs almost unrecognizable to those of 15 years ago. The introduction of AI will likely continue the positive trend at an even more accelerated pace. However, there is a big variance in adoption and maturity from company to company. Very few organizations are realizing their full potential, and perhaps the majority are closer to the gold standard of 15 years ago than the gold standard of today. A lot of what Verterim does is use our institutional knowledge and awareness of best practices to help companies move along that path from crawl to walk to run, but whatever pace you go, it’s still a journey and not a destination.
Q: What advice do you have for IT and cybersecurity leaders working to start or improve their GRC programs?
A: The most advanced GRC programs can continuously monitor their risks and controls with little to no manual intervention. Efficient, intuitive, and automated workflows, integrated data sources, and effective data visualization help employees spend less time managing a process and more time using analytical prowess for key decision-making. It is easy to envision the optimal end-state, and the execution from crawl to run can be facilitated by industry experts who understand common pitfalls and how to avoid them. The journey can be made much easier with a realistic strategic roadmap that reflects the people, processes, and technologies available to the organization, identifies and implements quick wins at each step to demonstrate incremental progress and drive adoption, and supports cultural and organizational change. The best advice I can give: get support from the top if you can, and just start.
Q: From the perspective of organizational change, is there anything important to keep in mind?
A: Organizations are usually either influenced from the top down or from the bottom up. Consensus-driven organizations have some unique challenges that we can discuss another day. In my experience, the companies with the most cohesive GRC programs tend to deploy a top-down leadership approach where stakeholders across the enterprise, not just within IT, are aligned and bought-in to a common vision. Establishing a centralized steering committee where the vision can be defined and ultimately held accountable is one step in the right direction.
Q: In this economic climate, how would you suggest employees and stakeholders look at the relative cost and complexity of starting or improving a GRC program?
A: It might seem that this is not the time to spend money. Most of our clients are holding back on discretionary purchases, travel, and expenses. I would debate with anyone that GRC NOT be considered a discretionary expense or a program to withhold funding for innovation. There are so many advancements in technology that can bring immediate time to value for an organization, not to mention the awareness of risk for both avoidance and investment and of course, the ongoing requirements for compliance. Saying GRC is a need-to-have investment puts a negative spin on it. I would tell you that having a program in place builds a process and if that process is built well, the process scales, unlike ad-hoc activity. GRC could be what companies need to survive, no, thrive, in today's economic climate.
Author's Note: When I originally wrote this article, I was reminded of some wise words from Henry Ford: "Vision without execution is just hallucination." Keep up the momentum of your GRC program!