GRC Challenge for Security Pros

What it Takes to Succeed in Governance, Risk and Compliance
July 16, 2010 - Upasana Gupta, Contributing Editor

Phillip Foley is a senior security analyst for the governance, risk and compliance program with Verizon Cybertrust Security. He harbors the dream of becoming a chief security executive one day and is happy to see his role transitioning more to the business side, integrating internal controls and risk functions to the company's business objectives.

Bigger picture, Foley sees that his transition is one shared by other information security professionals now working in GRC.

"GRC is making the security professional look at areas normally not associated with information security," Foley says. "Earlier it was all about risk and compliance with certain mandates."

Foley's experience is common in organizations seeking new GRC leadership, says Chris McClean, GRC analyst with Forrester Research. He sees organizations looking for GRC professionals who can make the connections among security, IT risk and business, then contribute significantly toward the organization's bottom line. "More and more companies are looking for individuals who have a business mindset and excel in collaborative skills," McClean says.

GRC Today

At its core, GRC refers to the practice that coordinates the information and processes across an enterprise relating to organizational governance, risk and compliance needed to achieve improved business performance. Components of GRC include people, processes, strategy and technology.

In organizations today, GRC is building steam because it is focused on business performance and removing duplication or delay in individual processes. This focus has made GRC a hot career option for security professionals looking to get into management and advisory roles within businesses.

"IT security and risk professionals can benefit and enhance their career by jumping on this train -- and further build steam by pinpointing risks to bottom-line and coordinating better across the IT risk silos to really reduce the risk," says Brian Barnier, ISACA board member and principal at ValueBridge Advisors, a consultancy. "While other individuals still talk about technology and software, it's the GRC-focused practitioner who becomes a friend of the business and ultimately shares a senior seat with management."

"In GRC specifically, the focus is business," says McClean. There is a lot of data out there, "so the GRC priority is really about how to organize this data and organize all the different efforts that are going on within the business." This includes being able to set up a consistent process for risk assessment, so all of the different groups are assessing and measuring risks in the same way.

Therefore, professionals who influence and implement GRC in their organizations are consistently seen as adding value to the business, because they think about, and question business leaders on, the bottom-line impact on revenues, new products and services. "It makes them look better to management," Barnier says.

The Skills Gap

In his own company, Foley is currently involved in the convergence of all areas within audit, compliance and risk. He uses the International Organization for Standardization 27002 controls, mapping them to regulatory and compliance functions such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act; this mapping overlaps and runs across multiple business processes while driving the entire business.

This integration with a broader spectrum of compliance and business processes requires a security professional to be well versed in different areas: business processes, IT risk, and control standards such as ISO 27002 and the IT governance framework known as the Control Objectives for Information and related Technology.

Among the skills gaps that practitioners often face when trying to implement a GRC solution:

