

New Focus On Risk, Threat Intelligence Breathes New Life Into GRC Strategies

Security is a central driver in enterprise Governance, Risk and Compliance initiatives, experts say

A growing need for security discipline and the availability of better threat data are changing the monolithic Governance, Risk and Compliance (GRC) concept into a near-term enterprise risk management project, experts say.

GRC, a methodology for building global IT policies, priorities, and practices around key risk and compliance factors, has long been viewed as a framework that was too complex and resource-intensive for all but the largest enterprises. But driven by a need to improve security and add some means of measuring risk, many businesses are pushing past these old perceptions and implementing elements of the technology, without necessarily tagging their efforts with the GRC name.

"The market for [GRC] management is growing, as more companies recognize the value in safeguarding their business practices -- not just because doing so is good for business, but because it's necessary for protection against specific economic and market conditions," says William Jan, vice president and practice leader at research firm Outsell, in the company's 2013 GRC market assessment.

Chris Caldwell, CEO and founder of GRC firm LockPath, agrees. "Security and risk are driving enterprises to contact us, even if they don't necessarily call what they are doing GRC," he says. "What they are really looking for is business visibility -- a clear way to show what assets are at risk, what needs to be patched, and how to get more budget [for security]. Every IT department is overwhelmed right now. They need a structure for prioritizing remediation."

GRC vendor Agiliance reported last month that its revenues grew 65% between Q1 2012 and Q1 2013, with more than 415% growth in the financial services sector. But like LockPath, Agiliance is increasingly stepping away from calling its technology GRC.

"GRC is not a good term for this market," says Torsten George, chief product strategist at GRC vendor Agiliance. "GRC is an internal process, and an internal process shouldn't drive a software category. We have been calling what we do 'integrated risk management' because we're tying together IT operations and security risk management."

Gartner analyst Paul Proctor concurred in a blog earlier this month, entitled "Why I Hate the Term GRC." "GRC is the most worthless term in the vendor lexicon," Proctor wrote. "Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I'm losing the battle."

Whether they call it GRC or not, however, enterprises are investing more in the concept of adding structure and metrics to the assessment of risk and the IT security choices they make.

"The early implementations of GRC were mainly built around compliance and checking off the boxes for the auditors," says Steve Schlarman, eGRC solution manager at RSA Archer, the oldest and largest of the GRC technology vendors. "Today, companies are getting beyond the crust of compliance and getting into deeper inspection of the infrastructure -- they want a broader sampling of data so that they can get a more accurate measure of risk."

One of the most significant recent shifts in GRC is the addition of threat intelligence as a variable in the calculation of risk and the subsequent decisions on what steps to take, experts say. In the past, most GRC initiatives calculated threats only internally to the enterprise, but the emergence of new threat intelligence data feeds and services means that businesses can now add factors such as growing Internet threats -- and the likelihood that they will strike a particular enterprise -- into the risk management equation.

LockPath, for example, recently added a new module called Threat Manager, which integrates internal security information with a variety of data feeds, recording key information about secured assets and creating an audit history. Agiliance is also feeding a variety of data into its Threat and Vulnerability Manager module.

"Tying threat data to vulnerability data and overlaying risk and business-criticality is the trend," says Vivek Shivananda, CEO of GRC technology vendor Rsam. "As we see it, risk-driven compliance management is the future model of GRC. Security Risk Intelligence is the answer -- creating an architecture and a process that ties threat data to vulnerability/incident data and overlays risk and business-criticality is the answer to intelligently allocating resources against appropriate threats/incidents."
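The two passages above describe the shift from scoring risk on vulnerability severity alone to scoring it on severity, asset business-criticality and threat-intelligence likelihood together. The following is an added illustration of that idea, not code from LockPath, Agiliance, Rsam or any vendor named in the article: the multiplicative model, the asset names, the `VULN-EXAMPLE-*` identifiers and the threat-feed probabilities are all constructed for the example, and a real deployment would take these values from its own asset inventory, scanner and intelligence feed.

```python
"""Risk-driven remediation prioritisation: an illustrative model that folds
threat-intelligence signals into a vulnerability/asset risk score.
Everything below (assets, findings, feed values) is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (business-critical), set by the asset owner


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float  # base severity as reported by the scanner, 0..10


# Constructed asset inventory with business context attached.
ASSETS = {
    "payment-gateway": Asset("payment-gateway", 5),
    "hr-portal": Asset("hr-portal", 4),
    "dev-wiki": Asset("dev-wiki", 2),
}

# Constructed scanner output: one open finding per asset.
FINDINGS = [
    Finding("payment-gateway", "VULN-EXAMPLE-2", 9.8),
    Finding("hr-portal", "VULN-EXAMPLE-3", 9.0),
    Finding("dev-wiki", "VULN-EXAMPLE-1", 7.5),
]

# Constructed threat-intelligence feed: probability (0..1) that the
# vulnerability is being exploited in the wild. Placeholder identifiers only.
THREAT_FEED = {
    "VULN-EXAMPLE-1": 0.9,  # actively exploited, widely targeted
    "VULN-EXAMPLE-2": 0.2,  # public PoC, little observed exploitation
}

# Likelihood assumed for findings the feed says nothing about (assumption).
BASELINE_LIKELIHOOD = 0.1


def risk_score(finding, asset, threat_feed, baseline=BASELINE_LIKELIHOOD):
    """Severity x business impact x likelihood of being targeted."""
    likelihood = threat_feed.get(finding.vuln_id, baseline)
    return round(finding.cvss * asset.criticality * likelihood, 2)


def severity_only_order(findings):
    """The 'old' ordering: patch the highest CVSS first, ignore context."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings, assets, threat_feed):
    """Return (score, asset, vuln_id, why) tuples, highest risk first.
    The 'why' string doubles as the audit trail for the decision."""
    ranked = []
    for f in findings:
        a = assets[f.asset]
        score = risk_score(f, a, threat_feed)
        source = "feed" if f.vuln_id in threat_feed else "baseline"
        why = (f"cvss={f.cvss} criticality={a.criticality} "
               f"likelihood={threat_feed.get(f.vuln_id, BASELINE_LIKELIHOOD)} ({source})")
        ranked.append((score, f.asset, f.vuln_id, why))
    return sorted(ranked, reverse=True)


def risk_driven_order(findings=FINDINGS, assets=ASSETS, threat_feed=THREAT_FEED):
    return [entry[2] for entry in prioritize(findings, assets, threat_feed)]


if __name__ == "__main__":
    print("severity-only :", severity_only_order(FINDINGS))
    print("risk-driven   :", risk_driven_order())
    for score, asset, vuln, why in prioritize(FINDINGS, ASSETS, THREAT_FEED):
        print(f"{score:6.2f}  {asset:16s} {vuln:16s} {why}")
```

With these constructed inputs the severity-only list starts with the 9.8 CVSS finding on the payment gateway, while the risk-driven list starts with the 7.5 CVSS finding on the low-value wiki because the feed reports it as actively exploited. Whether that reordering is right depends entirely on the weights and on the quality of the feed, which is why the `why` field records the inputs behind each score for later audit.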

Experts also generally agree that while compliance initiatives provide most of the funding behind GRC, it is IT security issues that create the most variables in the risk equation -- and keep both IT and business executives awake at night. "Companies are now looking at legal defensibility when a compromise or a compliance failure occurs," says Caldwell. "They want to be sure that they are doing all they can to prove that they are doing their due diligence -- they don't want to be asking, 'Could I have done more?'"

Schlarman agrees. "Security is playing a bigger role in the [GRC] picture," he says. "Enterprises are still looking at the criticality of their information assets -- putting them in business context -- but they also want to take that data and push it down to security operations and security analytics, so that they can filter out asset data and figure out whether a particular infection has touched a particular group of assets."

But for GRC to help with the management of current threats and new security risks, Caldwell says, its implementation and adaptation will need to become much faster. "Some of the early [GRC] products had a ramp-up time that was completely insane -- it could take six, 12, 18 months just to stand up the product and get a viable report. That's one of the reasons why GRC got a bad name. But now we're making that quicker. We're separating the products from the program, and making the products more immediately useful."

GRC technology is also moving down market and becoming available for smaller companies that don't have huge IT organizations, says Agiliance's George. "We are working with [managed security services providers] to provide a managed services offering that's accessible to businesses that are smaller, but still need some of these functions," he says. "Again, they might not necessarily call it GRC, but these are functions -- things like measuring compliance posture and security posture -- that are important no matter what the size of your organization."

But for GRC technology to grow faster, it will have to cast off its perception as a monolithic, expensive, and complex initiative, experts agree.

"IT pros are seeking to steer toward the same risk, compliance, and security goals, but they are avoiding the use of the GRC moniker and the perception that GRC is exclusively an 'enterprise-level' project," says Rsam's Shivananda. "This perception also can make it more difficult to select and acquire the necessary tools in highly political environments, or competing departmental agendas."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
