Businesses are increasingly dependent on technology to automate processes in order to remain competitive and operate efficiently and effectively. However, these new opportunities create new risks and threats to the business. These risks originate not only from outside the organization but also from within. According to the 2009 CSI/FBI Computer Crime and Security Survey, most reported security breaches are launched by trusted individuals hired by the organization.
A security breach to the organization's computer systems may cause:
- Business disruption and denial of services
- Leak of corporate and internal sensitive data
- Exposure of private customer information
- Legal repercussions due to regulatory non-compliance
- Loss of goodwill
All stakeholders (partners, clients, shareholders, etc.) require that information systems have adequate internal controls and effectively address security challenges. Needless to say, a security breach can be very embarrassing and costly. This is where an organization can leverage a well-established GRC process to monitor security issues as well. GRC requires the organization to examine its IT and operational processes, which gives management a roadmap of what is wrong and how to improve the company. However, it is up to management either to accept the risk or to put in place appropriate processes and systems (including consulting, software and hardware to implement those systems) to manage the risks based on reasonable business decisions. In effect, the IT auditor can highlight where the company has stored value and whether the controls needed to protect those assets are deficient.
The first step is to recognize GRC as an asset and the IT audit organization as a friend of the company as a whole. Organizations should understand that GRC is a continuous process and not a one-time activity, since risks are constantly evolving. The audit process is likewise continuous, not something that is done once a year. Also, there is no pass or fail in GRC or in an IT security audit. Organizations may also need to look to resources outside the company to test their security: consider the use of outside consultants to periodically check the strength of systems and processes, and immediately remediate high-risk areas where security measures are found wanting. Organizations also need to think in terms of investing in technology, contacting various vendors, and considering the use of multiple firms to provide GRC services and products.
GRC also continuously educates users about threats and how they can be part of the solution, not the problem. The GRC process provides the knowledge necessary to build a more secure, risk-aware and risk-responsive company. "Assume the worst and hope for the best" is the watchword most often applied to GRC. Risks may materialize any day: servers may get hacked, and employees with access to sensitive data may be tempted to share company secrets looking for a quick buck. Organizations should not assume that the law will protect their interests; the important thing is to keep auditing and testing.
Conclusion:
CEOs and CIOs sometimes see GRC as a strain on the bottom line and fail to understand the implications of corporate risk and its consequences. For those organizations, GRC provides no benefits, only costs. To organizations that see the long-term survival of the business as part of their business plan, GRC is a welcome framework for operating in a dynamic world where IT runs just about every aspect of their business and the nature of risks and threats is ever-changing.