Software suites that integrate governance, risk and compliance tools (usually referred to as IT-GRC) are being hyped by vendors and abetted by analysts as the next great wave of IT management solutions.
Combining these functions under one roof, IT-GRC packages promise to enable corporate management to ensure the organization is meeting enterprise risk-management goals and complying with requirements set by regulators and business partners.
But just as the best financial-management systems and a bevy of auditors have not substantially stopped the flow of financial malfeasance and misconduct, this promise will also fundamentally miss the mark without directly addressing the issue of security.
As evidenced most recently in the Hannaford data breach incident, where an estimated 4.2 million payment card holders had their trust violated through a security flaw, an organization can have a risk-management program and a compliance program and still not be secure.
Hannaford, according to public statements, used an IT-GRC package to manage its risk and compliance program, had undertaken and passed outside assessments and audits, and from all outside appearances, had been doing "the right things." But if having a risk-management and compliance program nets the organization a very public and costly data breach, what is the point? How many dollars spent on those programs would have been better spent on addressing the fundamentals of security?
After the breach was publicized, Hannaford President and CEO Ronald C. Hodge said in a statement: "We have taken aggressive steps to augment our network security capabilities."
Section 4.1 of the Payment Card Industry (PCI) Standard reads: "Encrypt transmission of cardholder data across open, public networks," and goes on to say "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit."
Is it "reasonable" to believe that internal networks are significantly less vulnerable to attack than public networks? Yes. Is it actually true in the real world of a large, distributed network? Probably not.
Compliance is not security, and risk management does not automatically provide risk reduction.
Many security firms have told enterprises for years that the best way to address IT compliance and risk is to first assess the maturity of the organization's security program, and then use compliance requirements and risk objectives to inform and guide the actions needed to move that program to where it needs to be.
The best IT shops know that the way to optimize the scarce resources at their disposal is to include security in the architecture and design process, make the most of the security features and functions available in the products and tools they are already using, and judiciously apply additional capital and outside assistance for new functionality and the tasks they cannot or would rather not do themselves.
However, without a firm understanding of where their security program stands against IT frameworks such as ISO or COBIT/COSO, and against their industry peers, security efforts tend to be misdirected, piecemeal, wrongly sized or inefficient.
Without the full inclusion of the organization's security staff, compliance and risk-management efforts will continue to fall short, and it will only become evident after the fact that carts should not drive horses.