Often viewed as the most effective groundwork laid for a truly successful security program, governance, risk, and compliance (GRC) activities within an enterprise will not only reduce risk, but also deliver business value through improved processes and better decision-making. Dark Reading recently caught up with five consulting practitioners around the industry to discuss their views on how organizations can both achieve ROI through risk management and demonstrate it to senior management.

Make Risk Management Holistic
According to Bryan Fite, BT Assure portfolio manager in the U.S. and Canada for BT Global Services, too many organizations today fail to manage risk in a holistic way.

"Rather, they maintain silos of risk management activity that often use completely different methodologies and tools to model and treat risk," he says. "Security operations, audit/compliance, and business [risk] -- think CFO and board of directors -- are the silos most seen in the wild."

This kind of structure might have worked in the old world, but that is not the case in the age of BYOD, cloud computing, and increased regulatory demands, Fite says.

"It does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk," he says. "To stay relevant and competitive, organizations need to develop a new capability. They need to develop the ability to measure and justify trust."

New business challenges require a new way of managing risk and reward, Fite says.

"By adopting common risk management metrics, innovative controls, and trust management techniques, CSOs and other security practitioners can survive and prosper in the age of cloud computing and shared services," he says. "This will allow for a holistic view of risk across the organization that ensures that limited budgets are allocated in the optimal way."

Don't Forget All Your Quantifiable Returns While Determining ROI
Determining the ROI of IT security is all about comparing potential costs to deploy defensive countermeasures against the perceived value of the resulting reduction of risk, says Joe Fisher, president of Affinity IT Security. While it is easy to quantify those countermeasures, the real trick is to measure all of the benefits.

"It is very easy to underestimate the benefits of an IT security initiative; many are intangible and difficult to estimate," he says. "This can be very challenging until you realize that the value of avoiding negative consequences is both real and quantifiable. In other words, the ROI calculation must recognize and account for the value of avoiding the full scope of economic damages can result from a breach."

Fisher says in order to get a true ROI calculation, there are six major breach cost areas that organizations need to account for avoiding: forensic analysis, remediation, prevention of future attacks, legal liability, brand and reputation damage, and stock price damage.

"The costs of each of these can be estimated, and should be aggregated to form a comprehensive assessment of potential damage," he says. "This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate."

Typically, the resulting financial benefits dwarf the costs, making for a strong numerical case for risk management investment.

In most cases the resulting benefits dwarf the costs, making the business case for IT security a very strong one.

Match Risk Management To Business Performance Objectives
As organizations think about achieving ROI from security spend, they need to remember that the returns are very different for compliance and for risk management," says Brian Barnier, principal of ValueBridge Advisors. For compliance, cost benefits usually occur due to waste-trimming in processes, whereas risk management brings value to business decision-making processes.

"Risk management tools that make the true state of risks and returns more visible and help make better decisions more quickly naturally bring huge payoffs," Barnier says. "For example, how quickly can an IT system be reconfigured to support a new product, customer, or partner? If not fast enough, take action to change IT to easily enable profitable revenue."

He believes that the truly world-class organizations are the ones that are able to set up their decision-making through a repeatable, standardized framework, such as COBiT or ITIL.

"In this way, risk management always returns a multiple of value by focusing on growing profitable revenue," he says.

Next Page: Consistency is key. Consistency Leads To Value-Chain-Based IT Management
In addition to risk mitigation, GRC programs offer the business a lot of ROI from the consistent cataloging of processes across the enterprise. And consistency is one of the foundational elements needed in evolving IT service delivery to a value-chain-based model, says Nauman Noor, director of PwC Advisory Services.

"Use of GRC tools often results in a level of standardization and conformance when it comes to capturing processes as well as aligning the high-level representation -- value chain -- across various departments and, in case of large corporations, business units," he says.

This gives enterprise IT the ability to use information about processes gathered through GRC to offer things like activity-based costing and offer more integrated view of how the organization interacts with its customers, he says.

"The ongoing compliance and audit activities supported by such tools ensure captured processes, controls, and assessment of their efficacy are relevant and representative," Noor says.

GRC Can Reduce Gaps In IT, Increase Business Agility
It may be a little bit of a chicken-and-egg situation, but just as organizations should be looking to bust IT silos to create a good GRC program, a good GRC program can be used to bust silos.

"A well-architected GRC program can effectively bridge the gaps between various areas of a single organization, connecting the company's resources, processes and systems to reduce redundancy; resolve process, procedural, and technical inadequacies; and provide decision-makers with actionable information to drive successful business operations," says Steve Barone, president and CEO of IT advisory services and network security firm Creative Breakthroughs.

Barone believes that an effective convergence framework will increase agility within enterprises and can ultimately fuel strategic planning decisions. Ideally, it will be helping to eliminate redundant business and IT activities, and ultimately increase efficiency of spend on effective innovation. But to achieve these gains, organizations can't view GRC as a one-shot deployment.

"A GRC program shouldn't be a one-time event -- it should be an ongoing, sustainable process that empowers organizations to cultivate value from what is often perceived as a nonrevenue-generating requirement for doing business," Barone says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.