Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

How to Avoid Worst Case GRC

Governance, risk, and compliance (GRC) solutions are intended to help organizations reduce the complexities associated with information management, process execution, and stakeholder coordination in light of increasing volatility, regulatory complexity, and security challenges. However, the broad reach of GRC solutions creates a unique set of deployment challenges from both a technical and business perspective.

Governance, risk, and compliance (GRC) solutions are intended to help organizations reduce the complexities associated with information management, process execution, and stakeholder coordination in light of increasing volatility, regulatory complexity, and security challenges. However, the broad reach of GRC solutions creates a unique set of deployment challenges from both a technical and business perspective. Delays, missteps, and spiraling costs can erode the value of GRC deployments and even lead to abandoned projects. This raises the question – how can organizations avoid common GRC pitfalls?

Based on the dynamic changes in the threat landscape, board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. Accordingly, GRC solutions have seen increased demand as a means to provide greater visibility into an organization’s risk posture and reduce manual efforts in the context of policy and compliance management, risk assessments, and mitigation efforts. In turn, assessments of GRC solutions increasingly scrutinize realizable business benefits as well as cost of ownership. As outlined in recent Blue Hill Research reports such as the Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario (PDF) and GRC Vendor Implementation Success Strategies (PDF), these changes place greater emphasis on the time, effort, scalability, and cost of implementation as contributors to time-to-value and total value realized.

According to Blue Hill’s research, the biggest inhibitors of a successful GRC implementation are:

Limited Consideration of Underlying Business Needs and Process Change

By design, GRC is a broad-reaching solution platform that can support a wide variety of stakeholders and needs, from basic functionality such as policy management, risk register management, process management, and automated reporting, among other capabilities. As a result, many organizations make the mistake of focusing on solution features rather than evaluating their existing business processes for efficacy before considering software functionality. This leads to both missed opportunities for improvement as well as scenarios where the need for process change was discovered later in the process, requiring rework, setbacks, and cost overruns. A better approach is to integrate business process optimization with the implementation of a GRC solution. In addition, organizations should focus beyond just short-term gains to address any impending event (e.g., regulatory change, reported audit failures, data breach suffered by industry peers), and tie the implementation to clear business objectives and operational goals.

Lack of Involvement by All Stakeholders

During the implementation planning phase, many organizations overlook the need to enlist all of the key stakeholders, including those in Information Technology. Without the participation of all stakeholders in the process, higher adoption rates are typically tough to achieve. Primarily because many users and implementers feel forced to abandon existing tools or processes and often adopt an adverse stand, which hampers the overall success of the GRC implementation. Establishing an all-encompassing user council during the solution selection process and acceptance testing will greatly improve the project’s prospects for success.

Boil-the-Ocean Rollouts

Advertisement. Scroll to continue reading.

Since GRC solutions promise to cover a variety of use cases, many businesses attempt to implement most or all of the desired functionality at once, or to roll out the solution to users in one effort. This boil-the-ocean approach requires tremendous discipline and attention to detail, which many organizations unfortunately lack. This often leads to an unfocused and chaotic process. Even in best case scenarios, a tremendous number of operations must be reconciled in a compressed timeframe in order to coordinate the needs and dependencies between tasks. Working out these processes can create additional delays and increase costs, as well as add to the difficulty of demonstrating clear value from the implementation. While it is tempting to implement many use cases at once, organizations should carve up their roll outs into digestible phases, ensuring proper oversight and high return on investment.

Customization Overkill

Another challenge standing in the way of successful GRC implementations is the amount of customization required compared to solution configurability. Obviously, some customization may be unavoidable, however, trying to tailor the GRC tool completely to an organization’s needs, can lead to excessive cost and time delays and make the solution very rigid to future adjustments. Blue Hill Research discovered that those organizations that demonstrated a preference for solutions that provided a high degree of software configurability, were not only able to yield better time-to-value and lower total cost of ownership, but ensure that flexibility persists throughout the life of the deployment.

While the above mentioned pitfalls relate more to the selection and implementation planning and strategy processes, Blue Hill’s research study reveals the following vendor-specific key factors that make for a higher chance for implementation success:

Efficient Implementation Support – In addition to strategic planning, customization, training, and other professional services, organizations should consider those vendors that supplement these traditional offerings with rapid deployment programs, best practices guidance, and roadmap planning support.

Solution Configurability – Organizations should account not just for configurability of reporting / dashboards and process workflow, but also take into account factors such as data elements, data relationships, and user interface.

Out-of-the-Box Capabilities – Organizations should ensure that besides embedded content sources (e.g., HIPPA, FERC, ISO, COBIT, NIST), the GRC tool in question also comes with embedded best practices, pre-built questionnaires and workflows, email templates, reports, data models, etc.

Cloud and Hosted Deployments – Organizations should take advantage of vendors offering cloud-based solutions, as they help minimize internal deployment requirements and minimize costs.

Organizations that follow the best practices outlined above stand to benefit from shorter time-to-deployment, lower cost of implementation, and higher end-use satisfaction, as well as the anticipated business impacts from their GRC deployment.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Mike Byron has been named Chief Financial Officer (CFO) at Exabeam.

Ex-GitHub chief technology officer Mike Hanley has joined GM as CISO.

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.