Now before I get comments about dissing humans, I’d like to point out that I am one, I married one, and both my children are humans. But I’m sure we’ll all admit that on occasion we are prone to taking shortcuts. Now a good business, all being well, should outlast all of us. Well that’s the intention. So in order to increase the likelihood that it does, there are certain things a company needs to do to make sure the shortcuts and self-serving actions each of us take don’t end up harming it in the long run.
A company needs an awareness of the world around it, the interdependencies of the moving parts that comprise it, the social and political environment in which it operates, and the rules by which it needs to abide.
Wow. That’s pretty deep. But no matter what the issue, at the end of the day, it comes back to the same 5 things a company needs. A company needs:
1. A policy that reflects its goals, and a way to make sure people know about it
2. A way to carry out that policy
3. A way to make sure that policy is being carried out
4. A way to find out how well the policy is working
5. A way to deal with the times when the policy’s not being effective
Whether the issue be around lending to uncreditworthy people, bribing foreign government officials or using carcinogens in its products, these steps still hold. Now no one tool is ever going to meet the needs across every issue, but companies use Archer for a surprising array of GRC use cases, and its flexibility to adapt to different issues is astounding.
But what does this have to do with IT security, I hear you ask? Well, when you present a business case for an IT security tool to an executive, remember that for all the goals, risks and rules you use to make that case, you’re in competition for budget with issues that face similar challenges but that you’ve likely never considered.
The world of GRC can be both fascinating and mind-numbingly boring at the same time. But my former colleagues Chris McClean of Forrester and Michael Rasmussen of Corporate Integrity do a great job of writing about this space – I’d recommend you check them out.