Governance, Risk and Compliance (GRC) plays a vital role in any organization's approach to business, operational, third-party and technology risk management. In this age of digital transformation it is even more critical, as businesses go perimeterless. A couple of months ago I had an opportunity to speak to Sam O'Brien, Director and Business Leader, GRC, RSA APJ. In an hour-long conversation Sam spoke about the various facets of having a GRC framework and also the fallout of not having one.
Below are the excerpts:
The notion of a perimeter is irrelevant today. In this scenario, what relevance do you attribute to the Governance, Risk & Compliance framework without compromising on the fundamentals of agility and flexibility?
It is absolutely true that the perimeter view of the network is passé. Professionals are mobile, working on devices and in places of their choice. This makes the physical perimeter totally blurred. Where GRC comes into play is in enabling organizations to cope with the new regulations and risks that come up from time to time. Where GRC comes in most handy is in recognizing the crown jewels that need to be protected. It is vital for security organizations to understand the new business contexts and work on business-driven security. There is also a need to establish a context between what's happening at the technology layer and the risk that opposes it at the business layer. GRC has a major role to play in this scenario.
As opposed to a few industry sectors like BFSI and Telecom, most others aren’t covered by regulation and thus GRC isn’t critical for them. What can be done to educate those orgs on the disadvantages of not having a GRC framework?
The fundamentals of GRC don't change whether the industry is regulated or not. An organization has to understand its key objectives and business strategies. What are the crown jewels of the organization? What are the potential risks that could impact those business strategies? This needs a set of controls to minimize the risks to an acceptable level. Over time, you gain confidence that those controls are working well in your favour. The regulatory aspect is one key factor where GRC is followed as a norm because of the implications. In other organizations there may be little or no regulatory driver, but they still need to manage risks in some way. For example, while managing cyber risks, you really don't wait for regulations to be in place before you put a GRC policy/framework in place. These are best practices.
How we help our customers is by highlighting to them their crown jewels and data assets. We help them ensure they have good coverage of controls. Where those industries are regulated, we ensure they comply with regulations. Where they aren't, we help instill confidence that they are prepared to fight the risks appropriately.
How have you seen RSA Archer evolve over time to meet the changing needs of businesses?
RSA Archer has been providing technology in the GRC space for over 15 years. Several of its capabilities have been running for that entire time. One of the key domains it addresses is IT/cyber risk. It gives organizations great visibility of the controls they need to have in place. Some of the drivers for investment in technology like Archer were acts like Sarbanes-Oxley. Over time it has adapted to similar standards like PCI-DSS or ISO 27001. We, at RSA, ensure that organizations are living and breathing those solutions and not using them merely for statutory documentation purposes. We help organizations engage with their people to know how those controls are performing. We do timely assessments to ensure that nothing falls apart.
If we look at the whole solution today, we address seven key domains of risk, which include audit management, business resiliency, enterprise and operational risk, IT and security risk, regulatory and compliance management, public sector solutions, and third-party governance. A key element of Archer is third-party risk management. Who are our suppliers? What kind of risks do they carry? Are they meeting your control requirements? RSA helps a lot of organizations run their operational risk frameworks. We are the pioneers in addressing regulatory and corporate compliance, which includes privacy and legislative requirements too.
How has the Cyber Risk horizon changed over time and how are the new cyber threats being dealt with?
What has emerged most prominently over the last 3-4 years is making a connection between the cyber risk portfolio and seeing how it exists within the broader portfolio of enterprise risk management. The reason for that is that both company boards and senior management teams now have a sharp focus on cyber risks. It is no longer a conversation only within the IT and security teams. This elevation has happened due to the constant threat of data breaches looming large over companies. The boards understand the potential of the threats emerging from data breaches. Therefore, the security and business teams have an additional ask on them to ascertain the cyber risk posture. The whole portfolio of cyber risk management has become very important.
In the wake of rampant data breaches and cyber attacks, what could be the key tenets of a sound information governance program?
From a security practitioner’s perspective, it all starts with information.
- What are we trying to protect?
- Why are we trying to protect it?
These are the two basic questions that one needs to ask when it comes to data governance and thinking about data in the broader sense of risk and compliance.
RSA has recently launched a new RSA Archer module specifically to help organizations run their data governance activities. There is a suite of new offerings that we have launched in the privacy space.
The benefits of technology adoption versus the cost of technology acquisition are two distinct factors. The prohibitive cost causes low adoption. How does RSA address this?
I personally don't believe that the cost of acquiring a technology like RSA Archer is prohibitive. However, we take a very step-wise approach in helping our customers create a GRC framework over a period of time. Not many organizations are keen on a big-bang approach. They are often very agile, focusing on phases and deliverables over a period of time so that they can show return on investment to the business. We offer technology to our customers in a similar fashion. An example of it is the privacy capability of RSA Archer that I mentioned before. The first step in that is data governance. The next step after that is an overall privacy program. The capabilities that an organization builds by investing in phases carry over into other aspects like risk management or third-party programs as they see the ROI over time. So, businesses can start very small and grow gradually.
Certainly the board and senior management of an organization have become aware of the risk scenarios, but they aren't so well versed with technology. The ultimate responsibility lies with a CRO, CFO, CIO or CISO. How can these folks make GRC a core component of business operations?
The lack of technology awareness at the top level is a global phenomenon. We call it the "gap of grief." On one side there are technical issues like exploits and zero-day vulnerabilities, and on the other there are broader business issues like data breaches. It is therefore vital for anyone to establish a connection between the two, and that's where RSA talks of "business-driven security". The several capabilities that we offer to users help bridge this gap.
Another aspect is creating awareness of the need for risk and compliance in the organization. While that's a very big issue, one can try to make it simple. Ultimately it comes down to living and breathing the values of GRC. It has to start from the top. The top management of the company must know why security and privacy matter to them, and they should help percolate it down to the last employee. An appropriate example of it is the email that Elon Musk (CEO of Tesla) sent to the organization in Aug 2017, in which he told employees he wants direct reports about factory injuries. That's how he wants to elevate the safety standards. A similar approach should be taken by CEOs for cybersecurity and privacy matters.
What can RSA Archer do for the Indian CIOs/CISOs as far as GRC is concerned?
We have a proven path and have been providing technology and solutions in the GRC space for over 15 years. There are close to 1000 deployments globally. There is a heritage attached to it not only globally but in India too. RSA is proud to have received leadership status in all four Gartner Magic Quadrants (MQ) in areas like operational risk, IT and security risk, third-party vendor risk, and business continuity management. A lot of organizations look for insights and reports as a result of having a risk and compliance framework. Getting this kind of information isn't easy, and that's where RSA Archer can step in. It is not only a great system for getting those insights to prepare reports and dashboards but also a great system of engagement. It is designed to engage not just the front line of risk managers but also anyone in the business who has something to do or say about risk and compliance. We are enabling organizations to make risk a business conversation.