Risk
Commentary
7/15/2020 10:00 AM
Matt Kunkel

Top 5 Questions (and Answers) About GRC Technology

For the first time in a long time, we must shift from managing localized risks against a landscape of economic growth to managing those issues under much less certain circumstances.

According to Google Trends, searches for "business continuity planning" skyrocketed on March 12, around the same time the US declared a national emergency in response to the coronavirus outbreak. The pandemic, and the economic turmoil that came with it, forced this oft-overlooked back-office function into the spotlight.

For the first time in a long time, we must shift from managing localized risks within third-party supply chains, infosec, and operations against a landscape of economic growth to managing those issues under much less certain circumstances. If you haven't already, now is the time to build your contingency plan.

Business continuity plans (BCPs), and solid governance, risk, and compliance (GRC) policies in general, can help businesses prepare for and navigate many disruptive events, including natural disasters, cybersecurity breaches, terrorist attacks, fraud, and embezzlement.

We believe technology helps here: it can streamline policies, automate processes, and create repeatable workflows, so that organizations can quantify risk, present it in digestible dashboards, and work from a single source of truth. [Editor's note: The author's company is one of several providers of GRC technology.] Most businesses, we've found, have the same questions about implementing technology to strengthen their GRC programs. So we asked our customer success team, who all come from GRC consulting backgrounds, what they're typically asked.

Here's what they told us.

What should I be thinking about before implementing a GRC tool?
Before spending money on a tool intended to solve an ongoing problem, most businesses want to know what they need to have in place as an organization for the implementation to succeed. Before choosing any GRC technology, align people and teams to a common goal and document the GRC processes you already have. One of the biggest mistakes we see GRC leaders make during an implementation is overcomplicating a process that should be simple. Don't get distracted by shiny bells and whistles at initial go-live. Instead, nail down your must-haves, build around those, and keep refining your processes as the regulatory landscape evolves.

How does my GRC process compare to others?
Even the most sophisticated organizations, with the most carefully defined processes, want to know how what they are doing compares with what their peers have in place. GRC requirements change constantly to reflect industry standards and government and consumer concerns (most recently around data privacy), and no enterprise wants to be left behind. To respond quickly to emerging threats and get ahead of new ones, seek out technology that lets you modify policies and procedures in your workflow without paying large consulting fees. Additionally, lean on your partners to provide templates and best practices for common regulatory or compliance workflows in your industry.

How can my organization work cross-functionally to manage risk?
Building partnerships across organizational silos is key to creating a risk culture inside your company. A strong risk culture, from top to bottom, is essential to the overall success of any risk management program, and it doesn't build itself. Start by identifying gaps in the existing risk culture. Involve key stakeholders and write a few core statements about the desired culture, pointing out areas for growth. Commit to those changes, and create policies and procedures that reflect a strong risk culture.

Most importantly, communicate about risk often. Educate everyone in the organization on their individual roles and responsibilities when it comes to risk management. You'll know you have a strong risk culture when all decisions align with ethical principles, and there is clear and consistent accountability of risks throughout the organization.

What should I be doing in terms of risk-scoring methodology?
Because each organization has its own appetite for risk, each organization has to define its own scoring methodology. There are many resources available on how to score and what calculations to use. A common simple calculation is risk = probability of event × magnitude of loss, where a high probability is between 80% and 100% and a low probability is less than 30%. At the end of the day, it's up to each organization to decide for itself how to score risk.
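The calculation above is easier to reason about when run over a small risk register. The following is an added example, not code from the article or from the author's company: it applies probability × magnitude of loss to a constructed set of risks, labels each with the two likelihood bands the text gives (high: 80-100%, low: below 30%), ranks by expected loss, and flags anything above a risk-appetite threshold. The "medium" band for 30-80%, the appetite figure, and the register entries are assumptions made for illustration.

```python
"""Added example: a minimal risk-scoring pass over a constructed risk register.

Scoring follows the simple calculation quoted in the article
(probability of event x magnitude of loss) and its two stated likelihood
bands (high: 80-100%, low: below 30%). The "medium" band for 30-80%, the
risk-appetite threshold and the register entries are assumptions for
illustration, not figures from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # probability the event occurs in the period, 0.0-1.0
    magnitude: float     # estimated loss if it occurs, in currency units


def likelihood_band(probability: float) -> str:
    """Map a probability to the article's qualitative bands.

    High = 80-100%, low = below 30%. The 30-80% "medium" band is an
    assumption: the article does not name a middle band.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    if probability >= 0.80:
        return "high"
    if probability < 0.30:
        return "low"
    return "medium"


def expected_loss(risk: Risk) -> float:
    """probability x magnitude: the expected loss for one risk."""
    return risk.probability * risk.magnitude


def score_register(register, appetite: float):
    """Score every risk, rank by expected loss, and flag those above appetite.

    Returns a list of dicts sorted from largest to smallest expected loss.
    """
    rows = []
    for r in register:
        loss = expected_loss(r)
        rows.append({
            "name": r.name,
            "band": likelihood_band(r.probability),
            "expected_loss": round(loss, 2),
            "exceeds_appetite": loss > appetite,
        })
    rows.sort(key=lambda row: row["expected_loss"], reverse=True)
    return rows


# Constructed sample register (illustrative figures, not from the article).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 0.35, 2_000_000),
    Risk("Key SaaS vendor outage > 24h", 0.85, 150_000),
    Risk("Payroll fraud via forged approvals", 0.10, 400_000),
    Risk("Data-centre flood", 0.02, 5_000_000),
]
# Assumed appetite: the largest expected loss leadership will accept per risk.
SAMPLE_APPETITE = 100_000

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER, SAMPLE_APPETITE):
        flag = "OVER APPETITE" if row["exceeds_appetite"] else "within appetite"
        print(f"{row['name']:<40} {row['band']:<7} "
              f"{row['expected_loss']:>12,.0f}  {flag}")
```

Running it shows why the qualitative band and the numeric score should be read together: the "high"-probability SaaS outage carries a smaller expected loss than the "medium" ransomware scenario, and the "low"-probability flood lands exactly on the appetite line because of its magnitude. Whatever appetite figure an organization picks, the comparison only means something if probabilities and loss magnitudes are estimated on a consistent basis across the register.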

How can I encourage adoption and help everyone consider risk in everything they do?
Getting the business to buy into the GRC processes leadership has agreed on can be the biggest hurdle, with the potential to completely ruin an implementation months in the making. This is why involving end users early in the build is key. Get their feedback on tool selection and customization, and encourage them to challenge the status quo in GRC. Ask questions such as "Why do we need to centralize risk?" along the way to ensure no stone is left unturned.

Feedback shouldn't stop when the tool is "live" either, because risk doesn't stop evolving just because a tool is in place. GRC leaders can also consider gamification. Giving users visibility into the data collected helps them see the bigger picture and answer questions like, "Which department is clearing the most risk capital?"

With the cost of compliance on the rise, tackling risk can seem daunting. But instead of fearing it, accept it as inevitable and shift your viewpoint to look at risk through the lens of growth. If you were able to quantify and mitigate 20% of the risk associated with running your business, what additional risks would you be able to take on to grow your business?

Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. Kunkel regularly speaks and ...