Comments on: For Blog/Twitter Conversation: Can You Defend “GRC”? http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/ The Blog Inspired By The Book Wed, 16 May 2012 16:05:54 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Jeremy Wilde http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-1030 Jeremy Wilde Mon, 22 Feb 2010 12:07:16 +0000 http://newschoolsecurity.com/?p=1205#comment-1030 Compliance is something you have to do. Governance is something you ought to do well. Risk is a storytelling technique that is useful to a lot of people. Security is testing and then trust. atb jeremy Compliance is something you have to do.
Governance is something you ought to do well.
Risk is a storytelling technique that is useful to a lot of people.

Security is testing and then trust.

atb

jeremy

]]> By: jared pfost http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-690 jared pfost Thu, 17 Dec 2009 05:50:52 +0000 http://newschoolsecurity.com/?p=1205#comment-690 Great question. IMO, the term GRC was promoted heavily by software vendors and grew into a juggernaut. For IT security, G/C are features of a healthy risk management program. When I was able to define and defend my risk landscape, G/C were results of the process. Fortunately I had a supportive exec team who tired of being lead around by C. Disclosure: I'm building an application to manage and prioritize enterprise IT sec risks. Great question. IMO, the term GRC was promoted heavily by software vendors and grew into a juggernaut. For IT security, G/C are features of a healthy risk management program. When I was able to define and defend my risk landscape, G/C were results of the process. Fortunately I had a supportive exec team who tired of being lead around by C.

Disclosure: I’m building an application to manage and prioritize enterprise IT sec risks.

]]> By: Marty http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-687 Marty Wed, 16 Dec 2009 14:34:12 +0000 http://newschoolsecurity.com/?p=1205#comment-687 Alex: I'll turn the conversation in another direction for others to comment/think about. Your Risk Management program/method/framework is incomplete unless it integrates Governance/Compliance. Unless Risk Management can show how an identified or intended level of G/C translates into a level of risk/risk mitigation to identified threats, it is not complete. My assertion is the problem really isn't G/C. It is RM's inability to bridge the G/C-Risk gap. Since we have done a poor job at translating how checkbox G/C efforts actually affect risk overall - we can't place the onus on G/C. Alex:

I’ll turn the conversation in another direction for others to comment/think about.

Your Risk Management program/method/framework is incomplete unless it integrates Governance/Compliance.

Unless Risk Management can show how an identified or intended level of G/C translates into a level of risk/risk mitigation to identified threats, it is not complete.

My assertion is the problem really isn’t G/C. It is RM’s inability to bridge the G/C-Risk gap. Since we have done a poor job at translating how checkbox G/C efforts actually affect risk overall – we can’t place the onus on G/C.

]]> By: Mark C. Wallace http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-686 Mark C. Wallace Wed, 16 Dec 2009 13:45:47 +0000 http://newschoolsecurity.com/?p=1205#comment-686 @Alex, Despite my best efforts to disagree (in an attempt to spark dialogue), we're going to wind up agreeing here. You state "are simply useful inasmuch as they help you understand how to manage your security program (risk management) moving forward." The key here is the word "useful". I could cite the controls that those metrics support - but in doing so, I'd be subverting the intent of compliance. And that's the key of my argument - that compliance is one of a set of tools that can be used to move a program forward. (Interrupted at this point by operational needs) @Alex,

Despite my best efforts to disagree (in an attempt to spark dialogue), we’re going to wind up agreeing here.

You state “are simply useful inasmuch as they help you understand how to manage your security program (risk management) moving forward.”

The key here is the word “useful”. I could cite the controls that those metrics support – but in doing so, I’d be subverting the intent of compliance. And that’s the key of my argument – that compliance is one of a set of tools that can be used to move a program forward.

(Interrupted at this point by operational needs)

]]> By: Gautam http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-685 Gautam Wed, 16 Dec 2009 06:41:28 +0000 http://newschoolsecurity.com/?p=1205#comment-685 Alex, I am not sure if I agree with your statement “A metric for Governance is only useful inasmuch as it describes an ability to manage risk”. In addition to Risk Management, Governance focus areas may be Strategic alignment, Value delivery, Resource and Performance management. Agreed that all of these areas are linked to each other and to Risk Management - but the whole is greater than the sum of the parts, right? Best Regards Alex,
I am not sure if I agree with your statement “A metric for Governance is only useful inasmuch as it describes an ability to manage risk”.
In addition to Risk Management, Governance focus areas may be Strategic alignment, Value delivery, Resource and Performance management.
Agreed that all of these areas are linked to each other and to Risk Management – but the whole is greater than the sum of the parts, right?
Best Regards

]]> By: Chris Hayes http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-684 Chris Hayes Wed, 16 Dec 2009 01:42:29 +0000 http://newschoolsecurity.com/?p=1205#comment-684 Clarification. To answer the question that was posed: True - Depending on how a company – or a standard / regulatory body - defines GRC and a company’s ability to demonstrate its compliance with an interpretation of a definition. The challenge is determining what does governance from a goodness perspective look like. It will change depending on the stake holder (consumers, business owner, CEO, board, etc..). Risk “tolerances” are different between stakeholders at various levels of the organization – so it is perfectly plausible that risk can be adequately managed through the eyes of one type of stakeholder and not be considered adequately managed by a different type of stakeholder. In today’s regulatory landscape – just the fact you are able to prove you are managing risk seems to be the differentiator between goodness and no-so-good (this assertion may have a legal / privacy bias to it). Clarification. To answer the question that was posed: True – Depending on how a company – or a standard / regulatory body – defines GRC and a company’s ability to demonstrate its compliance with an interpretation of a definition. The challenge is determining what does governance from a goodness perspective look like. It will change depending on the stake holder (consumers, business owner, CEO, board, etc..). Risk “tolerances” are different between stakeholders at various levels of the organization – so it is perfectly plausible that risk can be adequately managed through the eyes of one type of stakeholder and not be considered adequately managed by a different type of stakeholder. In today’s regulatory landscape – just the fact you are able to prove you are managing risk seems to be the differentiator between goodness and no-so-good (this assertion may have a legal / privacy bias to it).

]]> By: Chris Hayes http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-683 Chris Hayes Wed, 16 Dec 2009 01:05:08 +0000 http://newschoolsecurity.com/?p=1205#comment-683 Sweet. First, give a reasonable definition / explanation of GRC; other then an acronym definition :-) I would submit it is defendable as long as the company's (and maybe external auditor's) expectations and / objectives are being met. Am I addressing my most significant risks, do I have a repeatable risk assessment / management process and do I have adequate governance? Also, GRC can account for more then just IT / Regulatory / Compliance risks (legal, regulatory, investment, etc..). ERM. Sweet. First, give a reasonable definition / explanation of GRC; other then an acronym definition :-) I would submit it is defendable as long as the company’s (and maybe external auditor’s) expectations and / objectives are being met. Am I addressing my most significant risks, do I have a repeatable risk assessment / management process and do I have adequate governance? Also, GRC can account for more then just IT / Regulatory / Compliance risks (legal, regulatory, investment, etc..). ERM.

]]> By: Adam http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-681 Adam Tue, 15 Dec 2009 20:55:41 +0000 http://newschoolsecurity.com/?p=1205#comment-681 Just a nit: Alex isn't representing his employer here. Just a nit: Alex isn’t representing his employer here.

]]> By: dunsany http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-680 dunsany Tue, 15 Dec 2009 20:26:54 +0000 http://newschoolsecurity.com/?p=1205#comment-680 I only bring it up because I want a better product from your guys. Having been an outside consultant & auditor for many years, it's nice having a dual perspective and helping make the industry better. I only bring it up because I want a better product from your guys. Having been an outside consultant & auditor for many years, it’s nice having a dual perspective and helping make the industry better.

]]> By: alex http://newschoolsecurity.com/2009/12/for-blogtwitter-conversation-can-you-defend-grc/#comment-679 alex Tue, 15 Dec 2009 20:24:16 +0000 http://newschoolsecurity.com/?p=1205#comment-679 @dunsany - LOL, touche' @dunsany – LOL, touche’

]]>