What is GRC and Why Is It Important? An intro to GRC’s
What is a GRC?
A GRC or Governance Risk and Compliance is the process of aligning security and IT procedures with compliance requirements in an effort to reduce risk. Today’s business environments, especially with the rise of remote workers due to covid-19, are especially challenging to ensure proper compliance. In its simplest form, a GRC is a tool / process for capturing all the controls that your organization needs to comply with.
Why is GRC Important?
In the Wizard of Oz, Dorthy and the gang fretted as they navigated their way to Oz: “Lions, Tigers, and Bears – oh my”. Today, IT Security professionals, C-Level leaders and board members are similarly fretting: “Remote workers, ransom attacks, and static spreadsheets for compliance – oh my”
A perfect storm has been brewing over the last 12 to 24 months. Covid-19 has caused most organizations to allow for remote work. Most organizations were not prepared for this and IT teams had to scramble to secure all these endpoints where they don’t control the network or even the devices. These home networks being shared with other family members, kids, etc. are often ripe with ‘dirty’ virus ladened systems. Combine this with the rise of cyber criminals that have figured out how to get a bitcoin payday by attacking and ransoming whatever they can. IT Security professionals are left struggling to see where real risk exists. How do you survive and make it to Oz?
Often we see organizations simply use spreadsheets to track their security controls. Spreadsheets are easy and cheap (free) to set up. BUT… and this is the catch, they’re virtually impossible to automate, they’re manual, do not capture compliance evidence, and more often than not are forgotten about until audit time. A GRC tool is a good start however most GRC tools are cost prohibitive. OpsEase was created to provide a powerful GRC tool that’s affordable. Now you can build out your security framework and automate core controls.
Why a GRC tool? So why is it important to have a GRC tool vs. just a spreadsheet? Most organizations rely heavily on spreadsheets for their security framework and control tracking. When organizations were static, mostly centralized and had on-premise systems, this approach worked okay. But in 2021, organizations are more and more powered by public cloud and hyper scale platforms. They have IT assets in multiple geographic locations and information is accessible by numerous devices from anywhere in the world. Furthermore, many organizations are relying more heavily on outside entities or contractors as part of their own products or services. This reliance on downstream vendors requires diligent control and security framework.
Can’t I just use a Spreadsheet?
Spreadsheets simply don’t cut it any longer. A good GRC tool allows you to create automation, workflows, and ultimately gives a near real-time view into your potential risk. It allows you to assign specific controls and tasks to individuals and/or vendors. It tracks outstanding or open items that haven’t been completed. It captures evidence of completion and gives a single pane of glass view of potential risk. Spreadsheets are static. They track controls but they can’t collect evidence, they can’t be automated, and workflows are not easy to set up. And integration with other systems like Slack, ServiceNow, a ticketing system?? Forget it.
What should I look for in a GRC?
When evaluating GRC solutions, you need to factor in a number of things.
1) OPEX or CapEX?
Subscription solution or enterprise software agreement. Do you want a monthly OpEx subscription or do you want more of a CapEx enterprise agreement? Often CapEx solutions are more expensive when fully factoring in employee costs. Subscriptions tend to have slightly less customization ability but offer lower cost, month-to-month subscription solutions.
2) Complexity.
How complex a solution is really needed? The cloud has brought about many great changes including robust web-based solutions that harness hyper scale platforms to offer scale, and processing power but requires a bit of consistency in features and functionality. The sheer fact that many organizations, including fortune 100 companies, leverage spreadsheets to track their controls and compliance signifies that highly customized GRCs are mostly unnecessary. What’s important is the ability to create your security framework either by creating the controls in the GRC, by uploading an existing control template, or choosing a framework template and customizing to your specific needs.
3) Ease of Implementation.
A GRC should be easy to set up and implement across your various teams. There’s a reason spreadsheets are so prevalent. They’re easy to use and easy to deploy. Highly customized GRC solutions often require added overhead and ongoing administration costs.
