{"id":1936,"date":"2019-09-07T03:19:18","date_gmt":"2019-09-07T03:19:18","guid":{"rendered":"http:\/\/kusuaks7\/?p=1541"},"modified":"2024-04-17T15:38:04","modified_gmt":"2024-04-17T15:38:04","slug":"the-two-factors-killing-grc-practices","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/the-two-factors-killing-grc-practices\/","title":{"rendered":"The Two Factors Killing GRC Practices"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1936\" class=\"elementor elementor-1936\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-300a1a43 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"300a1a43\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-655f0e06\" data-id=\"655f0e06\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-adc1e0c elementor-widget elementor-widget-heading\" data-id=\"adc1e0c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Excessive complexity and lack of first line integration render many GRC metrics useless<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-083df3d elementor-widget elementor-widget-text-editor\" data-id=\"083df3d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tMany CISOs complain of communication problems with their <a href=\"https:\/\/corixpartners.com\/role-ciso-business\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">business<\/a>. They are not being listened to. They are not getting the budget they think they should get. They feel their business too often deprioritises security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-60bf0fa elementor-widget elementor-widget-text-editor\" data-id=\"60bf0fa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis has been a recurring theme amongst information security professionals for the best part of the last 15 years, and it is rooted in a wide range of factors, amongst which the profile of the CISO is often a dominant limitation.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85ce0ad elementor-widget elementor-widget-text-editor\" data-id=\"85ce0ad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tMany CISOs are simply too technical: they know they need to bridge the gap with their business, but they often return to their comfort zone at the first opportunity. For them, \u201cthreats\u201d often translates into malware, phishing and hackers, while the business wants to hear about insider fraud or intellectual property theft.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03175bc elementor-widget elementor-widget-text-editor\" data-id=\"03175bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n\nThis often leads to the CISO role being ringfenced and limited to its first line technical remit, while GRC functions develop in the second line of defence.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-575b61a elementor-widget elementor-widget-text-editor\" data-id=\"575b61a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\nBut those functions themselves very often struggle to develop meaningful conversations with their business around cyber security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d17f49 elementor-widget elementor-widget-text-editor\" data-id=\"1d17f49\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tGRC teams tend to have an ivory-towered view of the problem and to rely on ready-made, overly complex methodologies that are only loosely related to the reality of first line activities.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-93881db elementor-widget elementor-widget-text-editor\" data-id=\"93881db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\nThey rush into buying some tech platform which is supposed to \u201cenable\u201d the GRC process, but in reality the jargon of those products and methodologies is often meaningless to the business. Impact assessments and risk assessments can be inextricably complex. 
The quality of the data collected is often questionable as a result, and many of those approaches never scale up durably in large firms due to the sheer human cost of deploying them.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8717f61 elementor-widget elementor-widget-text-editor\" data-id=\"8717f61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe lack of hard-wiring to first line activities makes the GRC metrics produced artificial, and unusable in practice for recommending, justifying or managing first line investment. If, in addition, the scope covered is limited due to deployment or acceptance issues, the overall value of such metrics can be highly disputable \u2013 beyond the proverbial \u201ctick-in-the-box\u201d which they will invariably provide.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-24b36ed elementor-widget elementor-widget-text-editor\" data-id=\"24b36ed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tNone of that helps the business understand and manage its cyber risk posture. 
Over time, distrust sets in and, as the <a href=\"https:\/\/corixpartners.com\/cyber-security-governance-ethics\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">\u201cwhen-not-if\u201d<\/a> paradigm around cyber-attacks takes root in the boardroom, senior executives need to find a way out.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f7f5de0 elementor-widget elementor-widget-text-editor\" data-id=\"f7f5de0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIt can only involve refocusing GRC practices towards simplicity so they can be effectively and efficiently deployed on a large scale across the real breadth of the firm \u2013 and possibly towards its supply chain.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5188c50 elementor-widget elementor-widget-text-editor\" data-id=\"5188c50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIt will also involve refocusing GRC practices towards a proper and meaningful integration with first line cyber security data, so that GRC metrics reflect the reality of the first line of defence.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c4656fc elementor-widget elementor-widget-text-editor\" data-id=\"c4656fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe \u201cwhen-not-if\u201d paradigm makes the Board increasingly willing to invest to ensure the protection of the firm from cyber threats, but it also shifts priorities towards <a 
href=\"https:\/\/corixpartners.com\/shifting-debate-security-metrics\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">measuring<\/a> progress and ensuring things get done.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c946340 elementor-widget elementor-widget-text-editor\" data-id=\"c946340\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e24cbdd elementor-widget elementor-widget-text-editor\" data-id=\"e24cbdd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn particular, first line and second line must work together on this. They must <a href=\"https:\/\/corixpartners.com\/grc-model-only-works-on-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">trust<\/a> each other and look beyond absurd and arbitrary \u201cseparation of duties\u201d concepts, to produce meaningful data for the business, around which meaningful decisions will be made to protect the firm.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Excessive complexity and lack of first line integration render many GRC metrics useless Many CISOs complain of communication problems with their business. They are not being listened to. 
They are not getting the budget they think they should get. They feel their business too often deprioritises security. This has been a recurring theme amongst information<\/p>\n","protected":false},"author":529,"featured_media":3866,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[100],"ppma_author":[3178],"class_list":["post-1936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-fraud-amp-risk"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0<a href=\"https:\/\/www.stratasecurity.co.uk\/\">Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0<a href=\"https:\/\/www.telecom-paristech.org\/\">Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. 
He is the author of \u201c<a href=\"http:\/\/www.blurb.co.uk\/b\/9015902-cyber-security-the-lost-decade-2018-edition\" target=\"_blank\" rel=\"noopener\">Cyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d. He contributes regularly to\u00a0<a href=\"http:\/\/www.thedigitaltransformationpeople.com\/authors\/jc-gaillard\">The Digital Transformation People<\/a>,\u00a0<a href=\"http:\/\/www.business2community.com\/author\/jc-gaillard\">Business 2 Community<\/a>, and\u00a0<a href=\"https:\/\/www.iotforall.com\/\">IoTforAll<\/a>\u00a0platforms, as well as the\u00a0<a href=\"https:\/\/www.thebtn.tv\/\">Business Transformation Network<\/a>. He is an expert contributor on the\u00a0<a href=\"https:\/\/ciowatercooler.co.uk\/members\/jean-christophe-gaillard\/activity\/\">CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/opinions\/bridging-gap-security-it-operations\/\">InfoSecurity<\/a>\u00a0Magazine,\u00a0<a href=\"http:\/\/www.computing.co.uk\/ctg\/opinion\/2396800\/how-to-achieve-effective-cyber-security-in-a-hyperconnected-world\">Computing<\/a>, the C-Suite.co.uk,\u00a0<a href=\"http:\/\/www.informationsecuritybuzz.com\/?s=gaillard\">Info Sec Buzz<\/a>\u00a0and the\u00a0<a href=\"http:\/\/www.director.co.uk\/blog-cyber-insurance-what-do-you-think-youre-buying-20323\/\">IoD 
Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1936"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1936\/revisions"}],"predecessor-version":[{"id":36649,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1936\/revisions\/36649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3866"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1936"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}