GRC Trends for 2010 - Chris McClean, Forrester Research
In an exclusive interview on GRC trends, Chris McClean, analyst with Forrester Research, discusses:
Specific trends in governance, risk and compliance; how organizations are most challenged to respond to these trends; corporate social responsibility -- what it is, and how information security leaders should respond.
McClean contributes to Forrester's offerings for the Security & Risk professional, leading the company's coverage of governance, risk, and compliance (GRC). He is also a thought leader on the related issues of corporate social responsibility (CSR) and sustainability. He is a frequent speaker on these subjects at vendor events as well as conferences run by industry organizations such as the Risk Management Association.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about governance, risk and compliance, GRC, and we are talking with Chris McClean, Analyst with Forrester Research. Chris, thanks so much for joining me today.
CHRIS McCLEAN: Sure Tom.
FIELD: Chris just to get us started maybe you can tell us a little bit about yourself and your specialty at Forrester.
McCLEAN: Sure. I am an analyst at Forrester working with the security and risk professionals, and in that role I deal primarily with governance, risk and compliance, or GRC, as a topic. That primarily means that I work with GRC practitioners, helping them with best practices and trying to set up a GRC program in their organization.
A lot of that also deals with working with the technology vendors that are helping professionals set up their GRC program, so I have a pretty good understanding of what software technology vendors are out there and how they are being used at various organizations.
FIELD: So, Chris, prior to last fall when the economy kind of fell apart, I heard a lot of people in information security talking about making investments in GRC. So my question to you is, having been through the recession and now coming out of it, what has the trend been there? What are the top GRC issues that you are watching?
McCLEAN: Well, in information security specifically you are right, a lot of the practitioners were looking at GRC as sort of a mixed level of maturity where they are starting to combine a central control framework and starting to look at all the different regulations and controls that they have in place and trying to consolidate their efforts and making it more of a risk management approach, where it is not just kind of firefighting, and trying to identify what the key problems are from day to day. They are really looking at it from a risk standpoint where they have the most exposure.
So you are right, with the economy kind of spiraling a little bit out of control last year, a lot of those projects were still on the table but kind of put on hold for a little while, while budgets kind of got tightened, and a lot of times the human resource aspect was diminished as well.
So, coming out of the recession, a lot of those priorities are still in play. A lot of the regulatory issues, the PCIs, and the HIPAAs and the SOX and the sort of changing nature of regulations, are still a big difficulty for information security practitioners. So there is still that idea that consolidating all of those requirements into a single control framework, consolidating the number of controls they have, the number of times they have to conduct audits and control assessments -- those priorities are still there.
And then the nature of the recession, some of the problems that are perceived to have led to the economic downturn, things like fraud, consumer protection and things like that -- things that are of concern not just to the big financial institutions, but different organizations across industries as well as in government, Congress -- those are all priorities, too.
So more protection around fraud, around privacy, those are newer priorities, but to your point, the GRC efforts with things like consolidating control frameworks and consolidating efforts for audits and control testing, those are still priorities as well.
FIELD: Well, I have got to think that at the same time the economy might have taken some of these items off budgets, that they must also have exposed some of these vulnerabilities even more so.
McCLEAN: And that is exactly right. And certainly as much as we talk about these issues on an ongoing basis, it is things like the news items that are going to elevate them to a more of a CEO/CFO or even Board of Directors type of an issue.
FIELD: Now, Chris, I would like to talk with you about each of the elements of GRC because I know in information security especially, each one of these is vitally important. So when you are looking at trends going into 2010, what do you specifically look at in terms of governance?
McCLEAN: Great question. I would say actually governance of the three -- GRC -- governance tends to be, at least in the IT sector, one of the areas that is probably a little bit less mature than the others. IT governance has been around for a while, and you have some standards like ITIL out there and you know, different methodologies for basically governing the IT department.
When I think of GRC and then specifically the governance aspect of it, I see a trend moving toward the kind of focus on looking at the performance of IT alongside aspects of risk and compliance. This is, as I mentioned earlier, probably not happening as often or in as mature a way as I would like to see, but there are organizations that are looking at tracking the performance of different IT infrastructure and IT systems where you can say we have had an increase in the number of online transactions, for example, and associated with that increase in performance we are also seeing an increase in risk or increase in compliance issues.
I think when you get to a point where you can look at performance alongside risk, that is when you are going to see really good governance because that allows the CIO, or even a higher level of executive, to start making decisions that say, 'You know what, our risk is too high here, so we are going to ratchet back our performance a little bit, or we are going to increase the amount of control because performance in certain aspects of a system is really important.' That aspect of decision-making is really where governance comes into play, and that is really where the work needs to be done.
FIELD: Well, let me ask you about trends in risk as well. It strikes me that this is the area that probably most ratchets up to the CEO's attention just based on the news stories we have read about risk.
McCLEAN: That is true, and this has been a struggle for security for a long time. That is, security people are usually pretty good at understanding things like threats and vulnerabilities. When you look at the risk standards like the Australian-New Zealand 4360, when you measure risk, a lot of times you are going to want to look at both the impact and the likelihood of certain risks.
Usually, as I mentioned, security folks are pretty good at understanding what the risks are to the organization, things like what are the threats, what are the vulnerabilities, but understanding what those threats and vulnerabilities mean to the organization if there is a breach or if there is an attack -- what is the business impact? You know, if there is a certain server that is down or a certain application or other system that is down for four hours or eight hours, or two days, understanding what the business impact of that risk is -- it is usually a tough thing to do and then requires a lot of interaction and discussion with the business itself, with the sales team or with the marketing team or with the finance team.
So a trend in risk is certainly trying to elevate the conversation and work more closely with the business and start establishing some of those metrics. And again, that is going to help the IT risk professionals, the CISOs and those folks basically be able to associate and prioritize some of their risks and make sure that they are spending their efforts and their resources on the things that are going to have the biggest business impact.
FIELD: Now finally I want to talk about compliance, and certainly when we talk about financial institutions, compliance is a huge part of an information security professional's job, and it is the same in government, where you have got FISMA and discussions of FISMA reform. What do you see as being the biggest trends in compliance for these organizations?
McCLEAN: Well, the biggest trend is certainly just the number of different requirements, whether it is legal standards or regulatory requirements or a growing number of third party security requirements, or even internal policies that they have to abide by. So there are a lot of different control frameworks out there, and as I mentioned before, a lot of the trend here is trying to create a single control framework that maps to all of these different sets of requirements. So, basically, you have a single control and a single sort of level of control testing, and that control testing will map to the requirements of several different pieces of legislation or partner requirements and things like that. A lot of the compliance trends that we see there are still a lot of question marks around, ... things like how to take better care of shareholders or consumers and making sure that financial controls are in place, anti-fraud, anti-money laundering controls are in place. They have been around for a while, but I think we have seen over the last year or so that there is still a lot to be done with IT controls. We are not exactly sure how that is going to translate into new compliance requirements, but I think over the next six to ten, twelve months or so, I think we are going to see some changes there as well.
FIELD: So when you put these elements back together as GRC, again Chris, where do you see organizations being most challenged to respond to some of the trends you have outlined? In my simplistic view, it seems like they have got a challenge of too few resources and too many solution options, but...
McCLEAN: To be fair, that is the challenge of any department and any section of the business, you are going to have not enough resources and too many priorities. In GRC specifically it is really about organization. So there is a lot of data out there, there is a lot of data about threats and vulnerabilities and controls and changing requirements and things like that, so the GRC priority is really about how to organize this data and organize all the different efforts that are going on within the business. That includes being able to set up a consistent process for risk assessment, so all of your different groups are assessing risks in the same way and measuring risks in the same way.
It is about organizing a control framework, as I mentioned earlier. It is about organizing the key performance indicators and key risk indicators so that if you look at the top executives like the CIO or the CFO, they can look across the board and compare different departments, different lines of business to say 'Here are the ones that are most at risk, here are the ones that are performing the best,' and things like that. So the organization is a challenge. There are a lot of technical challenges when it comes to security. You know, the privacy, Web 2.0, cloud computing, so a lot of trends like that kind of come and go, but it is really the organization, that sort of central control and oversight that is going to be the biggest problem across the board.
FIELD: Well, it sounds like the marching order for these organizations and over the last part of this year is just to get a handle on what their challenges are and then start tackling them.
McCLEAN: That's exactly right. You know, the biggest question that we get from our customers a lot of times is 'Who should be involved, what should they be doing?' and just trying to track down all the different efforts going on within the business; that tends to be a major hurdle.
FIELD: Sure. Chris, I want to take you in another direction. I noticed that as I was going through your biography you have also got a specialty in corporate social responsibility and sustainability.
McCLEAN: Uhm-hum. That's right.
FIELD: Could you outline what some of the key issues are here for information security leaders?
McCLEAN: Yeah, definitely. I think one of the biggest or easiest places to look is I did a report about a year and a half or so ago on the largest hundred companies in the world and basically what are the things that they put into their corporate social responsibility and sustainability report. When it comes to information security, the things that really pop out, privacy is really probably the biggest one. That is, being able to show not just that you have the security controls sort of deeply ingrained in the technology, but that you have this sort of external description to your customers and even employees that says 'We care about you as a customer or as an employee and we take responsibility for protecting your private information.'
So translating privacy controls into that sort of corporate social responsibility message is something that happens quite a bit. Other areas, that I think I mentioned earlier, are things like anti-fraud, anti-money laundering, those are certainly very applicable to some of the security controls that are in place, especially among big financial institutions, insurance companies and government agencies as well. So things like anti-fraud and money laundering certainly play a role in corporate responsibility and sustainability.
FIELD: Now when you talk about social responsibility and sustainability, is the green movement a big part of this?
McCLEAN: Definitely, and we have actually several other analysts at Forrester that cover green IT in a lot of depth. Green IT, there are a lot of different aspects of it; it is things like making good decisions around your server farms, how you are managing your power usage and having components of your IT systems that are recyclable or renewable in some way. So the green aspect affects a lot of different areas of IT.
From a security standpoint, there are actually some difficulties -- things like patching systems or IT management systems that have security as part of them. A lot of times they take up a lot more energy than other systems. So scaling back the power usage might introduce new security vulnerabilities, and there are a lot of considerations here, and I think it is really about creating a dialog with different parts of IT, especially to the people that are focused on power usage and green IT, making sure security is part of that discussion so that as green IT becomes more of a priority, you don't want to sacrifice security in any way.
FIELD: So, for organizations that are really looking seriously at corporate social responsibility and sustainability, what are the trends that you are focused on going into the next year?
McCLEAN: I think people have to realize that when you talk about CSR, there are so many different aspects. You know the environmental management tends to get a lot of focus, but as I mentioned, protecting consumers, protecting employees, preventing things like anti-fraud and money laundering certainly play a big factor. Even larger issues like supply chain management, fair labor and fair wages, a lot of different areas of the business are impacted by CSR, and IT is going to be playing a large role in supporting those different efforts, whether it is work flow, documentation, reporting, things like that. IT has to be involved. From an IT security perspective, there are certain issues of what IT security does that play a role in CSR, as I mentioned privacy and anti-fraud and money laundering. But also, in support of other CSR issues, things like green IT or the other sort of broader CSR efforts, security has to be a part of that conversation to make sure, again, that you are not introducing new vulnerabilities.
Making sure that the accuracy of the information you are reporting is valid is also a key element. When you are talking about these very detailed CSR reports and sustainability reports, a lot of times financial factors come into play. People are making an investment based on these CSR reports, though a lot of times it is going to be up to security to make sure the information that is gathered can't be tampered with. Very similar to financial controls, you have to have these controls in place to make sure that data is accurate.
So again, I think IT security folks are really going to have to be a part of that conversation to make sure that they are supporting the gathering of information and the recording of that information for CSR.
FIELD: So, Chris, final question for you. For organizations that are looking at GRC and CSR initiatives in 2010, if you could boil it down to just a piece or two of advice, what would you offer them?
McCLEAN: I would always say in every case there are a lot of great technologies out there that help with the work flow, with the data gathering, with the documentation and reporting. I would always recommend first to have a conversation with your internal groups, with the CIOs, with audit, if you have CSR or GRC professionals that are starting to bring together these programs. Have the conversations first and figure out the roles and responsibilities and the processes that you want to follow, and then go and look for the technologies. For the most part the technologies out there are pretty good, but you need to get the internal objectives down first -- the roles and responsibilities and the processes that you want to follow. And then go looking for the technology. If you start talking to vendors immediately, I think you are going to have a pretty skewed vision of what CSR or GRC can offer. So figure that out first, and then go talk to the vendors.
FIELD: Chris, I appreciate your time and your insight today.
McCLEAN: No problem, Tom.
FIELD: We have been talking with Chris McClean with Forrester Research. For Information Security Media Group, I'm Tom Field. Thank you very much.