Current state of IT GRC
So how is the industry doing in terms of the overall IT GRC movement?
BusinessFinance interviewed LockPath CEO Chris Caldwell about a range of IT governance, risk management and compliance issues, which proved to be quite telling.
"As it once was with information security, there initially wasn't a recognized need for a formal GRC program, and GRC tasks were buried deep within the list of IT department to-dos. However, as regulations and other compliance requirements have increased (there have been at least 15 major regulatory changes in the last decade), GRC specialists have emerged with a focus on better managing IT, information risk and compliance programs. From there, these programs have slowly begun to evolve and mature until they reach a point where they are highly functional. Today, many organizations are seeing their dedicated 'infosec' teams split up, with their operational security personnel relegated back to IT. The risk and compliance management components are then organized into dedicated GRC teams where they can be aligned with their cousins in legal and finance."
My sense is that while progress has been made, the rapid pace of innovation and change will keep GRC professionals in a constant state of catch-up. A good example of this right now is the BYOD movement. As often happens, the technology trend, which emerged in response to employee demand, has run ahead of the security capabilities, leaving many companies a bit vulnerable as they scramble for solutions.
- here's the interview, with five suggested steps toward optimized GRC