Information security is often an afterthought in an organisation’s planning and spending. And as a subset of that, Governance, Risk and Compliance (GRC) struggles to get the high-level attention it needs.
In part this stems from the fact that GRC activities have traditionally been spread around various departments and functions within the organisation, with no overall control or strategy.
There has been a trend to bring these activities together under the umbrella of an IT or security function within the organisation, and this is being driven by the need for regulatory compliance. But how effective is this? And does it introduce its own problems, in that GRC is too often now seen as an IT problem rather than a concern for the whole business?
In this interview, Danielle Jackson, CISO at SecureAuth, explains that the picture is improving, as security issues are more commonly represented at board level through the appointment of C-level executives with responsibility in these areas.
However, many firms still need to grapple with GRC issues and Jackson feels the best place to start with this is to look at risk.
In most cases this isn’t optional. More and more organisations are becoming subject to compliance requirements. While many regulations are specific to certain sectors or business activities – for example, PCI DSS affects you only if you handle card payments – with the advent of things such as data protection regulations, most firms are now in a position where they must to meet some standards. Firms are finding themselves having to meet standards of data governance that they’ve never considered before.
One big issue remains, though – where is the money coming from? Getting budget for GRC activities, even with regulatory bodies breathing down the necks of organisations, is always going to be a struggle.
We’re seeing an ever-increasing number of data breaches and perhaps companies are waking up to the potential damage these can cause. Add to that the possibility of huge fines, such as those enabled by the EU’s General Data Protection Regulation (GDPR), and maybe we’ll start to see a shift in the importance given to GRC, says Jackson. But this may involve a cultural shift in the organisation that will require buy-in from everyone.