Valuing a GRC program
Confronted with the need for strong GRC and compliance programs, companies have been forced to invest. All too often, companies have seen this investment as a pure cost.
A great example comes from the early days of Sarbanes-Oxley, when companies were truly vexed by Section 404 (the requirement to assess and attest to internal controls over financial reporting). Their frustration was palpable as the costs mounted. These days there is still some frustration with compliance burdens in general, even as some forward-looking companies try to turn their GRC and compliance investments into something that yields benefits beyond a passed audit, including genuine strategic ones. The control and risk data that some programs generate can be useful well outside the compliance function.
In the end, there are two levers for improving the ROI of a GRC program: boost the returns on the investment, or limit its costs. Ideally you pull both. Which brings up an article in Dark Reading that offers some interesting tips on reducing the compliance "tax" and thus boosting the return. Here is an abbreviated look:
1. Think Top-Down Vs. Bottom-Up.
2. Continuous Monitoring With a Caveat.
3. Use Data Classification To Your Advantage.
4. Examine Security Tools With Circumspection.
5. Automate And Embed.
6. Don't Boil The Ocean.
7. Require Secure Software Development.
For the full details:
- here's the article