Posted by: David Schneier
Audit, compliance, GLBA, governance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, SOX, UCF
The very first prediction was that the Iomega Zip Drive was going to accelerate the push into portable mass storage devices. For about two years it blazed the trail soon followed by others but I knew the first time I laid eyes on the device I was looking at the future.
The second prediction was that Borland was going to be bought by either Microsoft or IBM. They had launched their new Delphi development software and it was blindingly fast and easy to use and clearly set them apart from the competition in the client-server domain. For reasons still unknown it never happened and so while I was wrong I still think I read things correctly (it’s my ego, it won’t let me be wrong for too long).
The third prediction changed my career direction. As Y2K was nearing I outlined a concept where companies could leverage all the repositories they developed and maintained to ensure a smooth transition into the new millennium and convert it into an ongoing management tool. It was a discipline that eventually matured into what we now call portfolio management. While I wasn’t in a position to pursue my theory I knew I was onto something and as it turned out I was right. Why this prediction changed my career is because it gave me the confidence to both trust my instincts and pursue new ideas even when no one else thought it would work.
Which leads me to my fourth prediction. Back in 2002 while with Metlife I was put in charge of a bizarre project that came to be referred to as “Server Consolidation”. After working with a vendor not of my choosing for six months and with nothing to show for my time I discovered VMware about ten minutes after they went public and knew this was what the company needed. I immediately brought it to my boss’s attention and instead of trusting me to make us all look brilliant I was instead admonished for not doing what I was told and VMware had to wait another five years before the company embraced the technology. But while it indirectly cost me my job (I was laid off six months later) I knew I was right and still believe it was worth taking the risk.
My instincts are screaming at me again and so allow me to share my fifth bold prediction.
My readers know that I’m a huge believer in GRC as a concept. I write about it almost monthly and at least quarterly and track its progress closely. I’ve participated in several related projects and constantly try to insinuate myself into newly emerging GRC-based initiatives. The idea that each of the three core disciplines breaks out of its silo and works together is just flat out the right approach. But that’s not the prediction.
Almost all GRC-related activity now is driven by regulatory and/or industry compliance requirements. While most companies would publicly reject that statement and insist that their approach is based on risks that they identify and manage, the truth is most of those risks are already being targeted by one of the many compliance requirements they operate under and need to comply with. And after nearly a decade of dealing with one new set of requirements after another, quite literally every company I’ve encountered has multiple frameworks and related initiatives to ensure compliance. It’s resulted in massive duplication of effort and wasted time, money and bandwidth. And because those same companies can barely keep up with supporting these activities there’s little chance they’ll ever find a way to reorganize and consolidate their efforts so that they can reuse steps to satisfy multiple requirements.
And so here comes the prediction. Network Frontiers’ Unified Compliance Framework will become to GRC what COBIT became to SOX.
For those of you who aren’t familiar with the UCF, it’s a series of documents that basically maps every single regulation, requirement and framework known to man (including, coincidentally, COBIT) and reveals the many points of intersection that exist but are almost impossible to identify while on the ground. While there’s more to their library than just the mapping, it’s really where their bread gets buttered. I first discovered UCF in 2009 while working on a governance project and have been a fan ever since, continuing to follow their progress and trying to spread the word about what they’re doing.
Here’s what they’re doing: They examine every regulation and requirement and map them to a set of generic control activities so that they identify where one activity satisfies multiple requirements. They follow a fairly extensive process in doing so and all of their work is vetted through legal review to ensure they’re not overreaching during the process. And they’re constantly updating the framework to make sure that as existing regulations change and newer ones emerge the UCF captures it. Considering the accelerated pace at which regulations are being enacted these days that’s no small task. The way the framework is leveraged is by finding the appropriate control activity that matches what you’re working on and reading across the line (it’s delivered in spreadsheet format) to find out which regulations or requirements it satisfies. So if you’re reviewing application access in support of SOX, it’s possible that same test would also satisfy GLBA requirements. Imagine how much time and effort could be reclaimed if your GRC program were whittled down to testing a control only once and using it many times. Also imagine how that might look to senior management.
So why am I making my bold prediction now? Last week I learned that Network Frontiers is making their content more readily available in an online format and for free. This will allow a broader audience to begin accessing their impressive content without first having to get someone in their management food chain to approve its purchase. I’ve tinkered with it a bit and while I still prefer the spreadsheet format (I’m a geeky kind of guy) I love knowing that someone can read this blog post and immediately sign up at their website and begin exploring. By making it easier for the masses to access their content it will likely accelerate broader acceptance throughout the corporate world – once that happens, once program offices start relying on the content provided, there will be no turning back.
I realize that GRC is way more than testing controls, but consider that the UCF will also allow a company to identify where risk assessments, policies, procedures and programs hit multiple targets as well. It truly allows for economies of scale to be realized in ways that were just never as easy to pursue in the past. While the framework doesn’t tell you how to build or manage a GRC initiative, it will become one of its primary tools, I’m certain of it. I’ve pointed several people in the direction of the UCF over these past two years and almost to a person their initial reaction is “wow”. They all immediately saw its value and started considering how best to exploit its offerings. And until I meet someone who, upon viewing the framework, shrugs their shoulders and says something along the lines of “I don’t get it”, you’ll find me standing behind my prediction.