One of the things that makes any effort surrounding governance, risk management and compliance (GRC) challenging is the duplication of GRC effort across the organization. This naturally leads to a lot of grousing about the cost of GRC, and yet not many organizations appear to be making much progress in getting out of their own way on anything related to compliance.
A survey of 191 GRC practitioners conducted by The Ponemon Institute on behalf of the RSA unit of EMC finds that while IT is generally involved to one degree or another in most GRC activities, responsibility for GRC in general is strewn across the organization. That generally creates cooperation issues among different departments and divisions that frequently are pursuing individual GRC strategies. Whether that results from concerns over political fiefdoms or simple inertia doesn't really matter. The end result is a lot more unfocused GRC activity and expense than is required. In fact, while the lack of resources available for GRC was cited as the number one concern of the respondents, the survey makes it plain that GRC within most companies is a minefield of competing interests that all have some say over their own GRC budgets.
Hopefully, as GRC in the cloud evolves, we'll see more centralization of GRC efforts in the future. In the meantime, as risk management becomes a bigger concern of the business as a whole, Alex Bender, director of eGRC programs and campaigns at EMC, says the immediate focus should be on assessing those risks. Once the business understands those issues, Bender says it becomes a lot easier to get everyone in the business behind a single coordinated effort.
The good news is that the survey makes it clear that risk assessment, policy management and controls assessment are widely implemented. The bad news is that the survey also indicates that many organizations don't have visibility into the operations of third-party vendors. And each day's news brings with it evidence that it's those third-party partners that wind up being the weakest link in the GRC chain of data custody. As a result, it's hard to get the business to invest as much in GRC as it should when data losses are increasingly seen as a cost of doing business, and fatigue and malaise continue to set in.
Of course, the general response to that trend amongst the regulators is to simply ratchet up the requirements and associated penalties until everyone fully complies. That may not be the ideal approach in that it usually takes years to play out, but it does seem to be at least the most time-honored.