GRCS: What's in a Name?


It's funny how the labels we use for things change over time. The things we're describing don't really change, but how we describe them does. A pocketbook became a purse and then, in some circles, is now just "a bag."


A few years ago, we talked about application service providers; now it's all about software-as-a-service. Terminology comes in and goes out of fashion almost as swiftly as clothes and accessories do.


The focus of this blog, governance, risk and compliance (GRC) is no exception. Three years ago I covered compliance. Compliance then morphed into risk management, and then into GRC. Now, Bloor Research's Philip Howard is calling for another name change. He's right. It's probably time for the next label.


He argues that GRC doesn't really account for external attacks or internal attacks in the form of "fraud, malicious damage or information theft." Why? Howard says, simply, "GRC, treated literally and in its entirety, is too big for most (any) vendors to handle, so they've cut it down into silos that they can treat."


But we all know that silos are bad when it comes to IT. So Howard suggests that GRC should instead be called GRCS, or Governance, Risk, Compliance and Security. It makes sense to me, because GRC and security have been inextricably intertwined from day one. Why not treat security in the same "bundle"? I'm interested to see Howard develop his take on the subject in the days to come