How to Leverage GRC for Security
Understanding Business Context, Prioritizing Risks
Security professionals need to take full advantage of governance, risk and compliance programs to improve their understanding of their organization's risks, experts say. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.
"GRC plays a strong role in helping security teams understand the business and to protect the organization from threats," says Candy Alexander, CSO of Long Term Care Partners, a subsidiary of John Hancock Life & Health Insurance Co. that administers the Federal Long Term Care Insurance Program.
But organizations vary widely in the maturity of their efforts to integrate security with GRC, says Michael Rasmussen, a principal analyst at GRC 20/20, a research firm focused on GRC trends. And in some cases, an organization may have several different GRC programs scattered across various departments instead of a single enterprise-wide program. So the insights and risk assessments gleaned from these narrower programs would not necessarily reflect the organization's overall risk, he points out.
Aligning Security with GRC
GRC has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies, experts say.
For many IT teams and security professionals, prioritizing threats and assessing risk can be overwhelming, Alexander says. But GRC can be a helpful tool. As part of their GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software, she says.
GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. GRC provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes, says Steve Schlarman, a GRC strategist at RSA, the security division of EMC. GRC is increasingly being used as part of a comprehensive enterprise risk management program, he adds.
More security pros should leverage GRC's asset management and inventory functions, Alexander suggests. Many compliance programs, including those for PCI DSS (the Payment Card Industry Data Security Standard), require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised, Alexander says.
The inventory process may identify equipment that the IT department was previously unaware of, Schlarman notes. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.
Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.
Incident Response, Controls
Security professionals can also use GRC to improve information sharing across the organization and streamline incident response, Schlarman says. For example, because GRC makes it clear which business processes depend on which assets, security teams have a clear view of who should be notified when there is a security event. Incident response teams can also look at all related processes and identify other assets they should investigate to assess the magnitude of a breach, he says.
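As an added illustration (not code from the article or from any of the vendors quoted in it), the following Python sketch shows how an asset-to-business-process mapping of the kind described in the two preceding sections can drive both patch prioritization and incident notification. The hosts, business processes, criticality ratings, owner addresses and version baseline are all constructed sample data; a real GRC program would supply them from its own inventory and risk register.

```python
"""Prioritizing outdated software and routing incident notifications from a
GRC-style asset inventory. All inventory data below is constructed sample
data for this example."""
from dataclasses import dataclass


@dataclass
class BusinessProcess:
    name: str
    criticality: int   # 1 (low) .. 5 (critical), as rated by the process owner
    owner: str         # who must be notified when a supporting asset is hit


@dataclass
class Asset:
    host: str
    software: dict     # product -> installed version (numeric dotted versions only)
    processes: list    # names of business processes that depend on this host
    users: str         # who uses the asset, from the GRC inventory


# Constructed risk register: business processes, their criticality and owners.
PROCESSES = {
    "card-payments": BusinessProcess("card-payments", 5, "payments-ops@example.com"),
    "claims-intake": BusinessProcess("claims-intake", 4, "claims-lead@example.com"),
    "intranet-wiki": BusinessProcess("intranet-wiki", 1, "it-helpdesk@example.com"),
}

# Constructed asset inventory mapping hosts to software and business processes.
ASSETS = [
    Asset("pay-db-01", {"postgresql": "9.6"}, ["card-payments"], "payments app"),
    Asset("web-03", {"openssl": "1.0.1", "nginx": "1.10"},
          ["claims-intake", "intranet-wiki"], "staff"),
    Asset("wiki-01", {"nginx": "1.10"}, ["intranet-wiki"], "staff"),
]

# Constructed patch baseline: minimum acceptable version per product.
BASELINE = {"postgresql": "12", "openssl": "1.1.1", "nginx": "1.18"}


def version_tuple(version):
    """'1.10' -> (1, 10) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def outdated_software(asset):
    """Products on the asset that fall below the patch baseline."""
    return [product for product, installed in asset.software.items()
            if version_tuple(installed) < version_tuple(BASELINE[product])]


def business_impact(asset):
    """Impact is set by the most critical process that depends on the asset."""
    return max(PROCESSES[name].criticality for name in asset.processes)


def prioritize(assets):
    """Rank hosts with outdated software by business impact, then by how many
    products are out of date. Returns (host, impact, [outdated products])."""
    ranked = []
    for asset in assets:
        stale = outdated_software(asset)
        if stale:
            ranked.append((business_impact(asset), len(stale), asset.host, sorted(stale)))
    ranked.sort(key=lambda row: (-row[0], -row[1], row[2]))
    return [(host, impact, stale) for impact, _count, host, stale in ranked]


def incident_scope(assets, compromised_host):
    """For a confirmed compromise, return the process owners to notify and the
    other hosts that share a business process with the victim, which the
    responders should investigate to size the breach."""
    victim = next(asset for asset in assets if asset.host == compromised_host)
    notify = sorted({PROCESSES[name].owner for name in victim.processes})
    investigate = sorted(asset.host for asset in assets
                         if asset.host != compromised_host
                         and set(asset.processes) & set(victim.processes))
    return {"notify": notify, "investigate": investigate}


if __name__ == "__main__":
    for host, impact, stale in prioritize(ASSETS):
        print(f"{host}: impact {impact}, outdated {stale}")
    print(incident_scope(ASSETS, "web-03"))
```

Ranking by the criticality of the dependent business process rather than by the count of findings is the point: the payments database with a single outdated package outranks the web host with two, because the inventory says what each host is for. The same mapping answers the incident-response question in reverse, turning a compromised host into a notification list and a set of neighbouring assets to check.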
Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls, says Geoff Webb, director of solution strategy at NetIQ, which provides identity and access governance software. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments, he says.
GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about," Webb says.