Posted by: David Schneier
Audit, compliance, governance, GRC, regulations, Regulatory Compliance, risk, risk assessment
I just had an article published in Information Security magazine on GRC titled “Demystifying governance, risk and compliance.” It’s a piece I’ve sort of had kicking around in my head for a while now and was glad for the opportunity to put my thoughts down on paper. For anyone who has been following my blog posts over the years, you know that GRC is something I’ve had what can best be described as a mild obsession with; it just makes sense to me.
I don’t need to recite the article’s contents; you can click on the link above and read it for yourself. I mention it here because there were a few things that didn’t make it to the final version that I wanted to share with you.
I had asked two associates of mine to be interviewed for the article; they agreed but were traveling out of the country for several weeks and we could never get together. I selected them because they were instrumental in applying some of the key concepts of GRC to ease the suffocating burden compliance work had placed upon their IT organization. Not only were they successful, but they also proved that GRC works. And the best part was that they didn’t rely upon complex theories or expensive software solutions but rather good old-fashioned common sense. Although their stories didn’t make it to print, I’ve asked them to honor their commitment to me and be interviewed for a GRC follow-up article right here in a future Regulatory Reality post; stay tuned.
I had also invited Michael Rasmussen from Corporate Integrity to participate. It’s sort of difficult to separate Mr. Rasmussen from any conversation about the GRC movement because while he may not be its official leader, there’s certainly no greater advocate of its myriad benefits. Plus, his perspective is broader than what I typically cover as he targets the entire organization and not just information security and the underlying technology architecture. I plan to loop back to him in the near future for an interview; once I do, you’ll hear about it right here.
Lastly, I wanted to shine just a little bit more spotlight on the folks at Network Frontiers who bring us the Unified Compliance Framework. It was shortly after I first discovered the UCF collection of mappings that the idea for an article about GRC started forming. GRC is all about gaining efficiencies and reducing effort, and there’s no more significant tool available to consolidate the number of controls and related tests than the UCF. Every practitioner I’ve shared this product with has become an instant fan.
Oh, one more thing. I have a bit of a track record in spotting trends or technologies that are about to hit the mainstream. I don’t pick many, but those that I have all panned out. GRC is going to continue to grow and become huge in corporate America about 30 seconds after the economy bounces back. If you’re not already doing so, start keeping an eye on how things are developing around it. Trust me on this.