Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

R before C, especially after G.

Was talking with an incredibly smart friend of mine this morning, and as usual, he revved my brain into high gear and it stayed that way even after we hung up the phone.

I never could get what the deal was with GRC, and why it is supposed to be so new and hot and different from just plain compliance-with-a-dashboard. I think it’s because from what I’ve been able to grasp, the only “R” in GRC is the Risk of Not Being Compliant.  And as we know, that’s only a small part of everyone’s risk factors.

Compliance is external.  It’s commoditized and standardized, by design.  It’s very close to being the opposite of risk management rather than just being a subset.  Even when the compliance is mostly a matter of interpretation in the technical world, you’re chasing a binary answer:  Are you compliant or not?  And the authoritative answer will always be someone else’s, not your own.  No wonder executives chafe at it and wish it would go away.  They’re not going to embrace it lovingly in the form of an expensive reporting product.  They really don’t care about someone else’s opinion all that much; they want to get back to making their own risk decisions.

By contrast, risk is personal.  It’s variable as hell.  It “governs” what you spend your money on, and therefore, with or without a dashboard, your CEO is already doing risk assessment every time she decides what your security budget is going to be.  Will you really be able to change her mind by showing her the dashboard and saying, “But—but—the needle is pointing to RED!” when you’re sitting there with your line items in your fiscal shopping cart?

As Rothman and others have pointed out, either you have C-cred or you don’t.  Either you support your management in making their decisions, or you end up fighting them.  And in decision support, it’s their questions that matter.  You need to find out what those are and then choose the right instrumentation to help you answer them.  (YOU, not your boss.  If he wants to play with the tools himself, he doesn’t trust your answers.) He will decide how “compliant” he wants to be, based upon his other business and financial factors.  And if you’re going to help him make risk decisions, the more you can help him calculate risk for the other factors besides compliance, the more valuable you will be overall.

One more thing:  you will be appreciated more when you can identify the low risk as well as the high risk.  Every time you can say, “I think we can get by with this solution, and here’s why,” you’ll make another (sometimes astonished) friend.  Don’t bring in a GRC product and use it as a FUD machine.  If you can’t use it to identify opportunities* as well as threats, it’s of very little use to you.

Remember, we’re supposed to be enablers.  We’re supposed to be a service organization.  (If these statements surprise you ... Sekurity—UR doin it Rong.)

*No, I do NOT mean “opportunities for security vendors to make more money.”

Posted by shrdlu on Thursday, May 15, 2008

Comments

United States on 05/15  at  01:21 PM:

You make me cringe when I hear the whole “we are enablers...” bit. Not because I disagree, it’s just, said way too much. Too often it sounds more like a plea or we’re trying to convince ourselves of it. smile

I wholly agree that it is money in the bank to ‘settle’ for a smaller solution to a problem or completely dismiss an overblown FUD-surrounded problem. “Uhh, I know all the trade mags mentioned it this week, but this vulnerability means nothing to a company like us...” I’ve found the response to things like that far more positive from the C-level area than to me nagging, “But, but, but, we need this to protect against this...” Emphasize the real issues by contrasting them against the non-issues.

Really nice post, though. Compliance is here to stay, I think, but it’s not going to make any of us professionals feel any better at all. Compliance is for everyone else’s understanding, distilling a security stance down to some score, pass or fail. Sadly, while this forces the crappy shops to have some semblance or rudimentary security measures, I feel that the more widespread compliance becomes, the more it makes economic sense to just rubber stamp more and more people year after year. Eventually, while the standards may not change much, I feel the people making the compliance scores and audits will water down. Automation, products, “universal” reports and scanners, blah.

Great for the lowbies, but nothing to someone like me other than a way to justify some more budget.

Here’s another reality now: Everyone is compliant until proven not compliant due to an incident. I base this around the people answering all the “Are you compliant?” questionnaires erring on the side of business and saying “yes” even if they have no clue.

United States on 05/15  at  01:35 PM:

My preferred GRC tool? MS Excel. smile

shrdlu United States on 05/15  at  01:40 PM:

DM, you so kinky ... wink

Rob Newby Great Britain (UK) on 05/15  at  08:02 PM:

I just wrote an article on this for a magazine over here, saying pretty much the same thing. I’m hoping that as we get more ‘data-centric’ with our security, businesses will be able to realise the ‘enablement’ a bit more and ignore the FUD.

Something I missed saying in my text was that Compliance is external, and hence why it is used to hawk security products which don’t really address the real issues - i.e. securing the crown jewels, your data…

I also didn’t mention “shiny suited marketing bastards”, because I’m not allowed to use that phrase in print, but you know it’s in there in spirit.

shrdlu United States on 05/16  at  01:50 PM:

LV - it’s okay, maybe I meant the other kind of “enabler,” as in “enabling a dysfunctional organization to stay that way.” wink

LonerVamp United States on 05/16  at  01:56 PM:

You might be enabling your people to say, “No!” to insecure, stupid requests!
