The recent news that a former Microsoft employee was being charged by federal prosecutors with providing confidential company software code to a tech blogger raised interesting questions. While the former employee's acts were certainly criminal, there was also controversy over the tactics Microsoft used to identify the source of the leak.
The Microsoft news spotlighted the fuzzy line between corporate data protection, information privacy and security in the digital age. It also reminded me of when I was in Boston last month for the annual GRC Summit, where I ran into one of my sources and asked if he would be available to answer a few questions on camera for a video we were shooting. I knew the answer before I even asked. When I interviewed this person in the past, he was required to jump through hoops with his organization's executive team to ensure he wasn't revealing anything controversial that could come back to hurt him or his company.
This has become common, as companies increasingly want to go through comments made to the media with a fine-tooth comb to make sure no trade secrets or other sensitive information leak out. And, well, because sometimes people are stupid.
This relates to a common theme at the GRC Summit (and no, I'm not referring to the "people are stupid" part). The theme was that communication and transparency are key to proper governance, risk management and compliance, and to making sure employees understand their roles in these processes.
In short, a cross-disciplinary, company-wide focus on maintaining a "mature" GRC strategy is necessary for corporate success, and a big part of that effort is making sure employees know their role in the GRC strategy.
This is sometimes difficult because business data commonly travels and is stored all over the world. A universal GRC strategy is made harder for global companies by the sometimes conflicting privacy and compliance rules that apply to their different international offices, said GRC Summit presenter Duke Alden, vice president of global information governance at Aon plc.
As a result, making sure each and every stakeholder understands their role in the information security and risk management processes is vital to these programs’ success, Alden added.
“Unless you have some kind of program to adhere those steps and various elements to someone’s day job, then you are setting yourself up for failure,” Alden said. “Put together some kind of network to manage information risk at a ground level.”
Risks stemming from information management processes such as bring-your-own-device (BYOD) policies are no different, said Gretchen Herault, vice president of site standards and user safety and deputy chief privacy officer at Monster, during her GRC Summit presentation.
“Making sure people have that level of awareness is very important,” Herault said.
It’s also important to be clear about what the information security objectives of the company are and what it is trying to achieve with the BYOD policy, Herault added.
Implementing a top-down, "pro-GRC culture" should begin with identifying the IT and compliance-related threats unique to the company. The process should be proactive and ongoing, and business leaders need to adapt as new threats evolve, said Brian Barnier, a principal analyst and adviser at ValueBridge Advisors LLC and keynote speaker at the GRC Summit.
“Training, communication and planning are really crucial,” Barnier said. “It’s important to understand the range of crises that can occur.”