Enterprises Eye Integrated Risk Management to Replace Aging GRC Platforms

According to a whitepaper from Enterprise Strategy Group, commissioned by Agiliance, 78% of the enterprises surveyed are in the process or planning to replace GRC systems with integrated risk management (IRM) platforms. It's a complex undertaking, ESG warned, but one that's well worth it.

GRC is often carried out by multiple teams within an organization, such as the governance and compliance teams or the IT security team. ESG noted that because each team operates with different information and resources, it can be difficult to make decisions and take actions in the best interest of the entire organization.

ESG’s research also indicates that security risk management tools leave much to be desired. More than half of all organizations depend upon two to five different systems/tools to collect, consolidate, and analyze data to support their risk management program, while an additional 13% use more than six tools. An array of point tools forces security teams to piece together data, metrics and reports to calculate IT risk across the enterprise.

“This is a time-consuming and error-prone process at best”, noted Jon Oltsik, senior principal analyst at ESG, in the white paper.

So, looking to increase operational efficiency and audit accuracy, streamline remediation, improve visibility into enterprise risk and make better investment decisions, enterprises are recognizing the need for consolidated IRM. However, IRM requires harmonization of multiple frameworks to marry top-down risk modeling for regulatory audit compliance with bottom-up controls automation for closed-loop threat, vulnerability and incident remediation.

At the same time, organizations are struggling with multiple disconnected tools, manual processes, security staff shortages, and a host of other problems that are crippling their efforts to mitigate risks.

The paper noted that an integrated risk management platform can provide a single pane of information and comprehensive reporting for the entire organization. It can collect and collate information from numerous security tools, leveraging the investments that the organization has already made and filling visibility gaps by detecting meaningful relationships among the data collected from these tools. An IRM platform may also be able to manage a larger volume of data and perform faster risk analysis than IT or security staff could possibly do, reducing the organization’s dependence on manual processes or the need to hire more staff.

The catch is that implementing IRM is a complex endeavor that often requires customization and consultation for the enterprise.

“This white paper describes how organizations can be more effective in managing their risks as they proceed beyond traditional GRC and move to a top-down governance risk and a bottom-up security risk perspective”, said Oltsik. “Implementing an IRM solution is not a simple undertaking.”

Security managers should first define the risk management tasks they need to automate, and the timeframe for completing their automation and integration project, he recommended. With a commercial product, the organization can choose some aspects of risk management to automate right away. For example, the solution may collect and automatically analyze data from within the organization’s data centers at first, leaving other IT domains and applications for phase two. Alternatively, the organization may choose to automate reporting for PCI compliance now, leaving HIPAA compliance for phase two of the integration project.

“This process also favors a commercial solution which will allow CISOs to design and execute IRM projects that align with their business and IT strategies”, said Oltsik.
