GRC Challenge for Security ProsWhat it Takes to Succeed in Governance, Risk and Compliance
Bigger picture, Foley sees that his transition is one shared by other information security professionals now working in GRC.
"GRC is making the security professional look at areas normally not associated with information security," Foley says. "Earlier it was all about risk and compliance with certain mandates."
Foley's experience is common in organizations seeking new GRC leadership, says Chris McClean, GRC analyst with Forrester Research. He sees organizations looking for GRC professionals who can make the connections among security, IT risk and business, then contribute significantly toward the organization's bottom line. "More and more companies are looking for individuals who have a business mindset and excel in collaborative skills," McClean says.
GRC TodayAt its core, GRC refers to the practice that coordinates the information and processes across an enterprise relating to organizational governance, risk and compliance needed to achieve improved business performance. Components of GRC include people, processes, strategy and technology.
In organizations today, GRC is building steam because it is focused on business performance and removing duplication or delay in individual processes. This focus has made GRC a hot career option for security professionals looking to get into management and advisory roles within businesses.
"IT security and risk professionals can benefit and enhance their career by jumping on this train -- and further build steam by pinpointing risks to bottom-line and coordinating better across the IT risk silos to really reduce the risk," says Brian Barnier, ISACA board member and principal at ValueBridge Advisors, a consultancy. "While other individuals still talk about technology and software, it's the GRC-focused practitioner who becomes a friend of the business and ultimately shares a senior seat with management."
"In GRC specifically, the focus is business," says McClean. There is a lot of data out there, "so the GRC priority is really about how to organize this data and organize all the different efforts that are going on within the business." This includes being able to set up a consistent process for risk assessment, so all of the different groups are assessing and measuring risks in the same way.
Therefore, professionals influencing and implementing GRC in their organizations are constantly seen as adding value to business by thinking and questioning business leaders about bottom-line impact on revenues, new products and services. "It makes them look better to management," Barnier says.
The Skills GapIn his own company, Foley is currently involved in convergence of all areas within audit, compliance and risk. He uses the International Organization for Standardization 27002 controls, mapping them to regulatory and compliance functions such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, which overlaps and runs cross multiple business processes while driving the entire business.
This integration with a broader spectrum of compliance and business processes requires a security professional to be well versed in different areas of business processes, IT risk and control standards such as the ISO and the IT governance framework known as the Control Objectives for Information and related Technology.
Among the skills gap that practitioners often face in trying to implement a GRC solution:
- Lack of Business Perspective -- "The chief information security officer still talks about how many attacks his team was able to thwart and block in a board meeting and gets to hear 'that's great, but isn't this your job?' says Alex Bender, director, Archer Technologies GRC Marketing. What is missing in these individuals is the business perspective -- security professionals need to quantify what these attacks mean in financial terms, using suitable metrics to evaluate cost.
- Thinking in Silos -- Often security professionals focus on individual goal accomplishment and separation of duties - to the point where holistic approaches to security and risk operations get sidelined. Each function looks at implementing tools and technology to ease their operation without considering how this may impact the overall internal controls or risks within the organization. "Thinking from a higher strategic level is clearly missing in professionals," says Bender.
- Understanding True Risk -- Organizations frequently do not have the right person in the right role within information security and risk, which then causes a hindrance in GRC implementation, says Barnier. These individuals have a good IT background, but no understanding of what enterprise risk means. What information is crucial to risk mitigation? How can the risk posture of the company be improved? How can IT risk controls be tied to business processes? The GRC leader must know these answers.
The Right StuffGiven these challenges, organizations seek the right mix of qualified professional to fill GRC roles. Certifications such as the Certified Information Systems Security Professional and Health Information Systems Programme, which work hand-in-hand with standards such as the ISO and COBIT, are largely preferred in potential candidates. Also, credentials offered by ISACA, such as the Certified Information Security Manager and Certified Information Systems Auditor, help in understanding the business and management requirements within GRC and add weight to a candidate's profile. "Knowledge and certifications that back up the field is a must," says Foley. "Academic education such as a master's in information assurance or related discipline is an enhancement that can not be passed."
Key skills to focus on include:
- Know the interrelationships -- among compliance, risk and security - how they work together to strengthen internal controls and increase operational efficiencies. GRC professionals need to constantly ask themselves: How is security and compliance tied to overall corporate policies and objectives? Is there a process for how information gets into the decision making? How is my job impacting the overall business? What can I do better to collaborate with other team members to get a unified solution to existing issues?
- How to audit IT governance -- In other words, how can one capture crucial elements such as security, recovery, availability, change, compliance and controls in one's overall assessment of IT governance to reflect an integration of controls and processes?
- Look at risk in the big picture -- The risk practitioner needs to spell out risks across the organization, not just in terms of specific technology or geographical areas such as cloud computing or a particular state. Think in terms of revenues, profits, customer satisfaction and distribution. Also, GRC pros need to utilize relevant risk assessment and response techniques that tie things to the business. "They need to shift gear from focusing on what a malware threat to a server is to techniques on what does selling product 'x ' to the world depend on, and how does the security piece tie into that?" Barnier says.
- Compliance in context -- professionals should focus on compliance associated with business changes that change their exposure to new products, jurisdiction, suppliers and customers.
"The integration and convergence of GRC can only happen," Barnier says, "when security and risk professionals get on the other side and understand a company's business and are able to pinpoint which security breaches and risks most threaten its bottom line."
It can be a daunting challenge, moving into the GRC space. But for Foley at Verizon Cybertrust Security, the move is rewarding.
"This is the growth toward senior management I have always wanted," Foley says.