Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

R before C, especially after G.

Was talking with an incredibly smart friend of mine this morning, and as usual, he revved my brain into high gear and it stayed that way even after we hung up the phone.

I never could get what the deal was with GRC, and why it is supposed to be so new and hot and different from just plain compliance-with-a-dashboard. I think it’s because from what I’ve been able to grasp, the only “R” in GRC is the Risk of Not Being Compliant.  And as we know, that’s only a small part of everyone’s risk factors.

Compliance is external.  It’s commoditized and standardized, by design.  It’s very close to being the opposite of risk management rather than just being a subset.  Even when the compliance is mostly a matter of interpretation in the technical world, you’re chasing a binary answer:  Are you compliant or not?  And the authoritative answer will always be someone else’s, not your own.  No wonder executives chafe at it and wish it would go away.  They’re not going to embrace it lovingly in the form of an expensive reporting product.  They really don’t care about someone else’s opinion all that much; they want to get back to making their own risk decisions.

By contrast, risk is personal.  It’s variable as hell.  It “governs” what you spend your money on, and therefore, with or without a dashboard, your CEO is already doing risk assessment every time she decides what your security budget is going to be.  Will you really be able to change her mind by showing her the dashboard and saying, “But—but—the needle is pointing to RED!” when you’re sitting there with your line items in your fiscal shopping cart?

As Rothman and others have pointed out, either you have C-cred or you don’t.  Either you support your management in making their decisions, or you end up fighting them.  And in decision support, it’s their questions that matter.  You need to find out what those are and then choose the right instrumentation to help you answer them.  (YOU, not your boss.  If he wants to play with the tools himself, he doesn’t trust your answers.) He will decide how “compliant” he wants to be, based upon his other business and financial factors.  And if you’re going to help him make risk decisions, the more you can help him calculate risk for the other factors besides compliance, the more valuable you will be overall.

One more thing:  you will be appreciated more when you can identify the low risk as well as the high risk.  Every time you can say, “I think we can get by with this solution, and here’s why,” you’ll make another (sometimes astonished) friend.  Don’t bring in a GRC product and use it as a FUD machine.  If you can’t use it to identify opportunities* as well as threats, it’s of very little use to you.

Remember, we’re supposed to be enablers.  We’re supposed to be a service organization.  (If these statements surprise you ... Sekurity—UR doin it Rong.)

*No, I do NOT mean “opportunities for security vendors to make more money.”

Posted by shrdlu on Thursday, May 15, 2008