Where GRC Platforms Struggle with Cyber Risk and Control
Updated: May 19, 2021
Most business leaders would struggle to articulate their organisation’s Information Security Posture – i.e., how well they protect their information assets and how well they would react to a security incident. Furthermore, they would probably be shocked to understand the risks to which their businesses are exposed on a daily basis. Even companies with large IT security organisations do not manage their Cybersecurity risks well, because the information provided to senior managers and the Board is not meaningful (typically too little or too much) and does not provide a basis for action.
The old adage of “if you can’t measure it, you can’t improve it” is particularly apt in the case of managing information security. Without up-to-date, business-level visibility of an organisation’s Information Security Posture, it is unrealistic to expect senior management to understand where the gaps and weaknesses that threaten the organisation exist.
GRC (Governance, Risk Management & Compliance) solutions have been in existence for over a decade now and have a large install base across enterprises worldwide. The remit of these tools is typically broad and therefore they are unable to deliver the depth required in certain areas, e.g., Cyber.
One of the original aims of GRC was to provide better visibility into a company’s risk posture and thus enable improved decision making. It is perhaps ironic that the failure of many GRC projects is due to a disconnect from risk: GRC-oriented risk programs tend to focus on compliance objectives to the detriment of risk, and of course compliance with any standard does not necessarily remove any risk. Businesses that have embarked upon GRC projects have, however, definitely benefited from an increase in maturity across both Cybersecurity and operational resilience, even if they have not achieved the visibility to allow them to make better decisions.
Measuring the effectiveness of an organisation’s Information Security Management program must include an assessment of the technology used to support the business information assets if it is to be considered accurate and representative. The reconciliation of security instrumentation implemented across an organisation’s technology environment is the only conclusive proof that security policy is being correctly enforced – i.e., the Acid Test. Extending this even further, a fully representative understanding of an organisation’s security posture would include attestation across all parts of the organisation to testify that security policy was indeed compliant. Tracking all security controls across an organisation would, in theory, provide a complete dataset from which a comprehensive information security posture could be derived. This nirvana is beyond the capability of today’s GRC toolsets.