Avoid Putting IT In A GRC Vacuum

When infosec pros are asked to set security and compliance policies with no line-of-business input, problems are inevitable
While IT personnel should have significant input in developing governance, risk and compliance (GRC) strategies, organizations that depend on the technologists to handle it all themselves are setting themselves up for failure, compliance and risk experts warn.

“We need to get out of the mode of compliance just being the responsibility of the IT organization,” says Scott Laliberte, managing director with security consulting firm Protiviti, who says that gaps inevitably arise when business executives assume IT workers will understand exactly what needs to be locked down to protect the highest priority business interests. "Really getting those two groups together so that the requirements are being identified up front and then it can implement those requirements and controls and also making sure as change is envisioned in the business that the security implications are being thought through." “

According to Glenn Phillips, president of Forte Inc., an audit firm that does IT security and HIPAA assessments, IT should never decide policy or left totally alone to verify procedures.

“Many business leaders think they are delegating IT responsibility because they don't understand it. What they end up really doing is ignoring the people and processes around IT,” he says. “IT is left to set their own rules with little-to-no oversight. And IT may prefer this even though it causes great risk for the business.” A good start to bringing both groups together is to bestow compliance responsibility on a single person or small team, preferably people with cross-pollinated business and technology skills. They can act as a liaison between groups.

“Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals,” says below Jon Heimerl, director of strategic security for consultancy firm Solutionary. “Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process. Understand that no one person can truly understand all compliance requirements of a complex organization, but you must identify what your specific compliance requirements are, and ensure that you have appropriate compliance expertise.”

This liaison can also act as a translator of sorts. According to Laliberte, one of the reasons that IT is usually left to its own devices in devising compliance strategies is that the executives and the technologists never learn to speak the same language.

“Being able to define requirements and risk in terms that both technologists and business personnel can understand is a big one,” he says. “Risk has to be related back to the business.” As line-of-business and technology groups work to cooperate, they’re more likely to succeed if they remember that compliance is a "living" thing, Heimerl says. Neither IT nor business worlds stand still.

“Systems change, people change, your environment changes, so you can’t just get compliant and stay there,” he says. “Enforce change control on your key systems, especially those systems that impact compliance. Monitor your environment to actively watch for changes, as well as for abhorrent behavior, which can serve as indications that something changed that you didn’t see.”

All of these suggestions, of course, are dependent on how upper level management sets the tone for collaboration, Laliberte says.

“Having the senior leadership at the company embracing the need for that governance structure and really making it a significant mandate and a significant priority to the business is probably most important of all,” he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.