IT GRC Management by Design Workshop, San Diego

Blueprint for an Effective, Efficient & Agile IT GRC Management Program

[button link=”https://www.eventbrite.com/e/it-grc-by-design-workshop-tickets-28235404856″]REGISTER[/button] [tabs style=”default”] [tab title=”Overview”]
Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world. Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past catch the organization off guard and expose it to information risk. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) provide a foundational and integrated approach to risk management across the organization. Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk.
CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise. This workshop provides attendees with a blueprint for effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.
[/tab] [tab title=”Objectives & Benefits”]
Attendees will take back to their organization approaches to address:
  • IT GRC Management Strategy. Understand IT GRC in the context of business performance, strategy, and objectives, as well as culture and values.
  • IT GRC Management Processes. Flowing from strategy are the IT GRC management processes integrated into the organization and how it operates. Good IT GRC management is done in the rhythm of the business.
  • IT GRC Management Information Architecture. Defining an information architecture that enables IT GRC management strategy and processes by providing 360° situational awareness of IT GRC in the context of business strategy and operations.
  • IT GRC Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed risk and compliance management roles and integrate IT GRC management into the operations of the organization.
Benefits to attendees:
  • Holistic awareness of risk. There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
  • Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.
[/tab] [tab title=”Who Should Attend”]
  • IT GRC managers and officers responsible for leading and managing IT GRC and information security
  • Business managers whose job responsibilities include IT GRC responsibilities
  • Executives and governance personnel who have to oversee and govern IT GRC
  • Audit personnel that provide assurance on IT security and GRC
[/tab] [tab title=”Workshop Agenda”]
Part 1: What is IT GRC Management?
Understanding IT GRC in the Context of the Organization
  • Different views of IT GRC and information security throughout the organization
  • Who owns IT GRC?
  • Understanding IT GRC and its role in assurance to business strategy, objectives, performance, and operations
  • Workshop Project & Discussion
Part 2: IT GRC Management
Blueprint for IT GRC Management Collaboration and Strategy
  • Developing an IT GRC committee (or herding cats), bringing together the range of GRC roles with a stake in IT GRC across the organization
  • Defining an IT GRC management charter
  • Developing a collaborative and enterprise view of IT GRC and how it relates to performance, risk, and compliance
  • Workshop Project & Discussion
Part 3: IT GRC Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Provide Assurance on IT GRC
  • Identification – Collaborative process to identify IT GRC risks and controls from both the bottom and the top
  • Analysis – Defining effective and operational controls to provide assurance while mitigating risk
  • Management – Strategies to manage IT GRC risk and controls in context of performance, risk, and compliance
  • Communication – Assign and manage IT GRC ownership and accountability
  • Workshop Project & Discussion
Part 4: IT GRC Management Information & Technology Architecture
Providing an Integrated View of IT GRC to the Enterprise
  • Developing an IT GRC taxonomy and attributes of risks and controls
  • Mapping IT GRC to objectives, risk, policy, and compliance
  • Monitoring IT GRC in a changing environment
  • Technology capabilities and considerations to support IT GRC management
  • Workshop Project & Discussion
[/tab] [tab title=”Instructor”] Michael Rasmussen, The GRC Pundit at GRC 20/20 Research, is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Workshop Sponsor”]
LockPath® was created by GRC experts who recognized the need for intuitive GRC software that was flexible and scalable to serve ever-changing and expanding organizations. In addition to the company’s founders, LockPath’s executive team comprises top industry professionals in the fields of software development, accounting and consulting, cybersecurity, financial services, market development, and other industries. LockPath employs dozens of talented professionals and has several open positions. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises across industries. Along with its ecosystem of technology and channel partners, LockPath provides unparalleled customer satisfaction from initial project discovery discussions to ongoing customer support.
[/tab] [/tabs]

Information Security: A Risk Management Foundation

[button link=”http://www2.modulo.com/Rasmussen”]Register[/button]

The CISO as a Transformational Role in Risk Management

[tabs style=”default”] [tab title=”Summary”] Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, and governance, risk management, and compliance (GRC) professionals throughout the business. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) provide a foundational and integrated approach to risk management across the organization. This webinar explores how understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. Specific topics that will be explored are:
  • Pervasive use of information and technology across the organization provides a natural path for information security to step up to lead enterprise risk management strategies.
  • The CISO’s role in managing information security risk so the organization stays competitive in today’s economy.
  • How organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise.
[/tab] [tab title=”GRC 20/20 Presenter”] Michael Rasmussen, The GRC Pundit at GRC 20/20 Research, is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Webinar Sponsor”]
Modulo is a provider of GRC and Smart Government solutions. Over 1,000 customers globally leverage Modulo to monitor IT risk through automated workflow; report compliance against industry regulations, standards, and policies; prioritize operational risk through analytics and consistent business metrics; secure cloud environments; identify and remediate the most critical vulnerabilities; and more. Modulo is the first company in the world to obtain ISO 27001 certification, the international standard for the governance of information security management systems, which guides Modulo’s product development and proven risk reduction life-cycle methodology. Modulo continues to actively lead the creation and definition of international standards in the GRC space. [/tab][/tabs]

Information Security in Context: The CISO as a Transformational Role in Risk Management

Information Security at the Center of Risk Chaos

Inevitable Failure: Managing Information Risk in a Silo

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, and governance, risk management, and compliance (GRC) professionals throughout the business. The dynamic, distributed, and disrupted nature of business is particularly challenging to information risk management. It is like the hydra of mythology: the organization combats risk only to find more risk springing up to threaten it. As an organization expands operations and business relationships (e.g., vendors, outsourcers, service providers, consultants, and staffing), its risk profile grows exponentially because of the interconnected, multifaceted risk environment. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world. Managing information security and other risk activities in disconnected silos leads the organization to inevitable failure. Information risk has a compounding and exponential impact on the business. Business operates in a world of chaos. Risk exposure is an intricate web of interrelated risks and vulnerabilities that interweaves through departments, functions, processes, technologies, roles, and relationships. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wing creates tiny changes in the atmosphere that ultimately affect the development and path of a hurricane.
What may seem an insignificant IT or information risk in one area of the organization can have a profound impact on other risks. Information security is at the center of the organization’s most significant risk and compliance issues and has become a critical and interrelated business challenge that transcends the IT department. When the organization approaches information risk as a silo, disconnected from other enterprise risk areas that do not collaborate with each other, there is no possibility of being intelligent about risk, understanding its impact on the organization, or making risk decisions that could affect business strategy and operations. Siloed initiatives never see the big picture and fail to put information security in the context of organization strategy, objectives, and performance, resulting in complexity, redundancy, and failure. A nonintegrated approach to risk management, with information risk as a foundation, impacts business performance and how it is managed and executed, resulting in:
  • Redundant and inefficient processes. Organizations take a Band-Aid approach and manage risk in disconnected silos instead of seeing the big picture of risk, and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent risk systems: projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach with siloed initiatives results in an organization that never sees the big picture. It ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk assessments asking the same questions in different formats. The result is poor visibility across the organization and its environment.
  • Overwhelming complexity. Varying risk frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently: introducing more points of failure, gaps, and unacceptable risk. Inconsistent risk management not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A disconnected risk management strategy handicaps the organization as it manages systems and processes encumbered with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
  • Greater exposure and vulnerability. The result: the organization does not see risk holistically. The focus is on what is immediately before each department, not on getting a handle on the complex relationships and interdependencies of information risk intersecting with other risks. This creates gaps that cripple risk management, and an organization that is ill-equipped to align risk management with the business.
Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Various systems and processes interrelate in apparent and not-so-apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmentalized in silos, the organization fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any individual silo understood. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past catch the organization off guard and expose it to information risk. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) provide a foundational and integrated approach to risk management across the organization. The bottom line: Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. Given the pervasive use of information and technology across the organization, it is a natural path for information security to step up to lead enterprise risk management strategies.
CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise.

GRC 20/20 Related Resources on this topic are . . .

IT GRC Management by Design Workshop, New York

Blueprint for an Effective, Efficient & Agile IT GRC Management Program

[button link=”https://www.eventbrite.com/e/it-grc-by-design-workshop-tickets-27092590668″]REGISTER[/button] [tabs style=”default”] [tab title=”Overview”]
Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world. Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past catch the organization off guard and expose it to information risk. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) provide a foundational and integrated approach to risk management across the organization. Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk.
CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise. This workshop provides attendees with a blueprint for effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.
[/tab] [tab title=”Objectives & Benefits”]
Attendees will take back to their organization approaches to address:
  • IT GRC Management Strategy. Understand IT GRC in the context of business performance, strategy, and objectives, as well as culture and values.
  • IT GRC Management Processes. Flowing from strategy are the IT GRC management processes integrated into the organization and how it operates. Good IT GRC management is done in the rhythm of the business.
  • IT GRC Management Information Architecture. Defining an information architecture that enables IT GRC management strategy and processes by providing 360° situational awareness of IT GRC in the context of business strategy and operations.
  • IT GRC Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed risk and compliance management roles and integrate IT GRC management into the operations of the organization.
Benefits to attendees:
  • Holistic awareness of risk. There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
  • Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.
[/tab] [tab title=”Who Should Attend”]
  • IT GRC managers and officers responsible for leading and managing IT GRC and information security
  • Business managers whose job responsibilities include IT GRC responsibilities
  • Executives and governance personnel who have to oversee and govern IT GRC
  • Audit personnel that provide assurance on IT security and GRC
[/tab] [tab title=”Workshop Agenda”]
Part 1: What is IT GRC Management?
Understanding IT GRC in the Context of the Organization
  • Different views of IT GRC and information security throughout the organization
  • Who owns IT GRC?
  • Understanding IT GRC and its role in assurance to business strategy, objectives, performance, and operations
  • Workshop Project & Discussion
Part 2: IT GRC Management
Blueprint for IT GRC Management Collaboration and Strategy
  • Developing an IT GRC committee (or herding cats), bringing together the range of GRC roles with a stake in IT GRC across the organization
  • Defining an IT GRC management charter
  • Developing a collaborative and enterprise view of IT GRC and how it relates to performance, risk, and compliance
  • Workshop Project & Discussion
Part 3: IT GRC Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Provide Assurance on IT GRC
  • Identification – Collaborative process to identify IT GRC risks and controls from both the bottom and the top
  • Analysis – Defining effective and operational controls to provide assurance while mitigating risk
  • Management – Strategies to manage IT GRC risk and controls in context of performance, risk, and compliance
  • Communication – Assign and manage IT GRC ownership and accountability
  • Workshop Project & Discussion
Part 4: IT GRC Management Information & Technology Architecture
Providing an Integrated View of IT GRC to the Enterprise
  • Developing an IT GRC taxonomy and attributes of risks and controls
  • Mapping IT GRC to objectives, risk, policy, and compliance
  • Monitoring IT GRC in a changing environment
  • Technology capabilities and considerations to support IT GRC management
  • Workshop Project & Discussion
[/tab] [tab title=”Instructor”] Michael Rasmussen, The GRC Pundit at GRC 20/20 Research, is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Workshop Sponsor”]
LockPath® was created by GRC experts who recognized the need for intuitive GRC software that was flexible and scalable to serve ever-changing and expanding organizations. In addition to the company’s founders, LockPath’s executive team comprises top industry professionals in the fields of software development, accounting and consulting, cybersecurity, financial services, market development, and other industries. LockPath employs dozens of talented professionals and has several open positions. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises across industries. Along with its ecosystem of technology and channel partners, LockPath provides unparalleled customer satisfaction from initial project discovery discussions to ongoing customer support.
[/tab] [/tabs]

IT GRC Management by Design, New York

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world. Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past catch the organization off guard and expose it to information risk. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) provide a foundational and integrated approach to risk management across the organization. Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk.
CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise. This workshop provides attendees with a blueprint for effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks. September 13th in New York, NY, USA. [button link=”http://grc2020.com/event/it-grc-management-by-design-workshop-chicago/”]REGISTER[/button]

IT GRC > IT Security

If you have been following my research over the course of the past 15 years, you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find some of my Forrester reports (2001 to 2007) that often challenge the captivity of IT GRC by security. IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed. However, this gives no right for IT security management solutions that do IT security governance, IT security risk management, and IT security compliance to hold IT GRC hostage. Consider:
  • IT Governance. IT governance is the reliable achievement of IT’s objectives, which should be aligned with the business. IT has many objectives that go well beyond the security of IT systems and information. If IT governance is only about security, then we might as well give the CIO and CTO job to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and the alignment of IT to meet business needs. Security comes within, and after, this context.
  • IT Risk Management. Some of the greatest risks in IT are security risks. But there is a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
  • IT Compliance. I will not argue; some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still is that IT compliance goes beyond IT security. Consider web accessibility requirements under the Americans with Disabilities Act (ADA).
What is frustrating to me is that 95% of the RFPs I assist with, and of the inquiries I answer from organizations looking for solutions (between 5 and 10 a week), assume that IT GRC is synonymous with IT security management. To put it in a formula:

IT GRC ≠ Security Management

IT GRC > Security Management

What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that take a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities. IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of the broader IT governance, IT risk management, and IT compliance management picture. As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. A sub-segment of IT GRC consists of solutions whose capabilities focus primarily on vulnerability discovery and remediation for IT assets and on measuring risk and compliance in a security context.

On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management. The goal is to give buyers of IT GRC solutions an understanding of the different types of IT GRC solutions with a broad or narrow focus, provide a decision tree to help them define what they need, present the critical capabilities needed in an IT GRC platform, and offer advice related to IT GRC and security management RFPs and evaluations. If you are frustrated with your current IT GRC implementation or are looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).

[button link=”http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-it-grc-platforms/” color=”default”]REGISTER:How to Purchase IT GRC Platforms[/button]

NOTE: For clarity, I am an advocate of IT security, and if your focus is on IT security management in the context of IT GRC, there are many great solutions that deliver this; I am just stating that this is a sub-segment of IT GRC.