The Two Factors Killing GRC Practices

Jean-Christophe Gaillard
September 7, 2019 Big Data, Cloud & DevOps

Excessive complexity and lack of first line integration render many GRC metrics useless

Many CISOs complain of communication problems with their business. They are not being listened to. They are not getting the budget they think they should get. They feel their business prioritises against security too often.

It has been a recurring theme amongst information security professionals for the best part of the last 15 years, and it is rooted in a wide range of factors, amongst which the profile of the CISO is often a dominant limitation.

Many CISOs are simply too technical: they know they need to bridge the gap with their business, but they often return to their comfort zone at the first opportunity. For them, “threats” translates into malware, phishing and hackers, while the business wants to hear about insider fraud or intellectual property theft.

This often leads to the CISO role being ringfenced and limited to its first line technical remit, while GRC functions develop in the second line of defence.

But those functions themselves very often struggle to develop meaningful conversations with their business around cyber security.

GRC teams tend to have an ivory-tower view of the problem and to rely on ready-made, overly complex methodologies that are loosely related to the reality of first line activities.

They rush into buying some tech platform which is supposed to “enable” the GRC process, but in reality the jargon of those products and methodologies is often meaningless to the business. Impact assessments and risk assessments can be inextricably complex. The quality of the data collected is often questionable as a result, and many of those approaches never scale up properly in large firms due to the sheer human cost of deploying them.

The lack of hard-wiring to first line activities makes the GRC metrics produced artificial, and unusable in practice to recommend, justify or manage first line investment. If, in addition, the scope covered is limited due to deployment or acceptance issues, the overall value of such metrics can be highly disputable – beyond the proverbial “tick-in-the-box” which they will invariably provide.

None of that helps the business understand and manage their cyber risk posture. Over time, distrust sets in and, as the “when-not-if” paradigm around cyber-attacks takes root in the boardroom, senior executives need to find a way out.

It can only involve refocusing GRC practices towards simplicity so they can be effectively and efficiently deployed on a large scale across the real breadth of the firm – and possibly towards its supply chain.

It will also involve refocusing GRC practices towards a proper and meaningful integration with first line cyber security data, so that GRC metrics reflect the reality of the first line of defence.

The “when-not-if” paradigm makes the Board increasingly willing to invest to ensure the protection of the firm from cyber threats, but it also shifts priorities towards measuring progress and ensuring things get done.

In many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders.

In particular, first line and second line must work together on this. They must trust each other and look beyond absurd and arbitrary “separation of duties” concepts, to produce meaningful data for the business, around which meaningful decisions will be made to protect the firm.
