It seems that an inordinate amount of time is spent these days assessing potential risks rather than working on things that add actual value to the business.
One reason is that many companies have not adopted a centralized approach to managing governance, risk management and compliance (GRC). Instead, they take on each GRC task separately, even when that task is redundant because the same control was already put in place to satisfy an earlier requirement.
Fortunately, companies such as OpenPages and CA are making headway with integrated application platforms that make it easier to manage a company's entire GRC portfolio in one place.
For example, OpenPages just partnered with Network Frontiers, a company that has built a Unified Compliance Framework (UCF) database tracking the controls required for compliance with thousands of regulations. As it turns out, only about 2,500 unique controls are needed to satisfy the vast majority of those regulations, because so many of them overlap. Unfortunately, most companies take regulations on one at a time, so they often don't realize they are building essentially the same controls over and over again.
This lack of coordination across controls usually results in a huge waste of time for the IT staff, coupled with money wasted on consultants who are paid to help that staff develop the redundant controls.
This is the second time this week we've seen a vendor partner with Network Frontiers, so UCF is probably well on its way to becoming an industry-standard resource.
Given the huge amount of money spent defending against the theoretical, it's nice to finally see a tool that makes a tangible difference: it not only makes the organization more secure, but does so in a way that can substantially reduce costs.