Every once in a while, two trends converge, creating something much greater than the sum of its parts.
For the past two years, just about every IT organization has been aggressively cutting costs. That generally has meant consolidation, resulting in fewer servers and applications as these organizations also look to make management easier.
At the same time, the number of regulations with which these organizations must comply continues to increase. Well, a funny thing happens when you consolidate applications and servers: You reduce the complexity of your IT portfolio. And when you reduce that complexity, you also by definition lower your risk.
The complexity of 20 years or more of IT investments is one of the major reasons companies are so vulnerable to security breaches. So the economic downturn might have done everybody a favor by forcing companies to eliminate applications and servers, effectively reducing their potential targets of attack.
George Westerman pointed out this relationship two years ago in a book called "IT Risk: Turning Business Threats into Competitive Advantage." It's unfortunate, though, that we had to wait for an economic downturn to bear him out.
In the meantime, a recent survey conducted by OpenPages, a provider of software for managing governance, risk and compliance, found that only 28 percent of IT respondents said their organizations have taken a holistic approach to GRC, with the rest relying on single point products or spreadsheets to manage the process.
That suggests we still have a long way to go in managing the GRC process, but in the wake of the economic downturn we can at least say some progress is being made.