Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Management & Strategy

Why Integrated Risk Management is Replacing GRC

As Integrated Risk Management Initiatives Mature, Business Patterns and Models Which Capture Compelling Metrics and Demonstrate Business Impact are Emerging…

As Integrated Risk Management Initiatives Mature, Business Patterns and Models Which Capture Compelling Metrics and Demonstrate Business Impact are Emerging…

Many organizations are grappling to find the best way to leverage their knowledge of risk to optimize business investments and performance. Cyber-attacks, insider threats, monetary fraud, and data breaches – affecting some of the world’s most renowned organizations – make headlines every day. At the same time, the worst economic downturn since the 1930s has focused intense scrutiny on inadequate risk management and governance practices.

In the past, organizations had two options to address this complex, interlocking problem. The first involved hiring a legion of staffers to tackle governance and security risks using a silo-based approach, often leveraging antiquated tools such as spreadsheets to document their findings. The other was to implement Governance, Risk, and Compliance (GRC) processes using outside consultants and traditional GRC solutions that require high levels of customization.

Risk Management DiagramA recent white paper written by global advisory firm Enterprise Strategy Group (ESG) entitled, “Beyond GRC: SRM and the Move to Integrated Risk Management” found that a majority of respondents view the traditional mix of GRC systems as inflexible, slow, and incapable of delivering on the promise of automating governance and security risk management processes. In fact, a whopping 78 percent of the enterprises surveyed are in the process or planning to replace them with advanced Integrated Risk Management (IRM) platforms in order to increase operational efficiency and audit accuracy, streamline remediation, gain improved visibility into enterprise risk posture, and ultimately make better investment decisions. What’s going on?

The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack. In light of this fact, many organizations have concluded that to gain insight into their risk posture, they must go beyond assessing compliance by taking threats and vulnerabilities, as well as business impact, into account. Only a combination of these three factors assures a holistic view of risk.

Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

Based on these benefits, organizations have started to transition from a core compliance-driven approach, whereby they adopted a check-box mentality to implement minimum requirements to fulfill their governance risk mandates, to a risk-based approach, streamlining governance processes, continuously monitoring compliance and security posture, and correlating it to business criticality. By doing so, businesses are moving to a closed-loop process that encompasses the definition, evaluation, remediation, and analysis of an organization’s risk posture on an ongoing basis.

As mentioned earlier, risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business impact. As a result, it is essential to aggregate critical intelligence about risk and compliance postures with current, new, and emerging threat information to calculate impacts on business operations and prioritize remediation actions.

To gain an integrated view of risk, organizations are starting to leverage Integrated Risk Management solutions. These are designed to harmonize multiple frameworks and marry top-down risk modeling for enterprise domains and regulatory audit compliance (Governance Risk Management) with bottom-up controls automation for closed-loop threat, vulnerability, and incident remediation (Security Risk Management).

Advertisement. Scroll to continue reading.

Governance Risk Management (GRM) supports oversight functions that typically bridge information to support IT and non-IT leadership for decision making. Typical use cases include enterprise risk management, outsourced risk management, policy management, and business continuity management. Meanwhile, Security Risk Management (SRM) supports information security operations requirements through a closed-loop, data automation process driving intelligence, business unit criticality assessment and IT operations remediation. Example use cases are threat and vulnerability management, continuous monitoring, as well as IT compliance and incident management.

According to ESG, organizations are moving beyond traditional GRC framework toolkits and deploying modern commercial Integrated Risk Management products that provide the following benefits:

• Single, context-aware platform that manages both governance and security risks.

• Higher scalability as it relates to users, data, processes, and multi-geographic availability.

• More flexibility as it relates to customization, context-awareness, and expandability.

• Faster time-to-value.

• Lower total cost of ownership.

While companies are placing big bets on Integrated Risk Management, the payoff, so far, has been difficult to measure. The fact is, given its ad hoc nature, organizations have long struggled with measuring the impact of Integrated Risk Management. However, as risk management technologies become increasingly pervasive and early pilots mature to enterprise-wide deployments, this is changing. The gut feeling that, “we need to do this to optimize investment and streamline operational efficiency” is giving way to a growing body of evidence that measurable business value can be achieved from Integrated Risk Management investments. More importantly, as Integrated Risk Management initiatives mature, business patterns and models which capture compelling metrics and demonstrate business impact are emerging.

Companies can overcome their governance and security risk management challenges by implementing an Integrated Risk Management approach, which can substantially reduce the time needed to review policy controls and produce risk profiles. The payback has the potential to be millions of dollars in overhead savings, as well as increased credibility with management, regulators, and board members.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...