If you are going to be in Orlando in the beginning of April and are an information security professional, why wait in humid 90-minute long Disney lines when you can enjoy Orlando indoors at the Infosec World 2016 conference? Another benefit of the conference is that vendors at the expo give you t-shirts. This is the only free thing you'll find at Disney.
On Monday, April 4, I will be giving a presentation on Selecting an eGRC software tool and not living to regret it.
eGRC (enterprise governance, risk, and compliance) software is a management system for compliance requirements, policies, risk assessment, and remediation tracking, spanning across multiple domains.
Deployment of an eGRC system is not a trivial endeavor. Far too many firms have invested huge amounts of time and money with very little to show for it.
Some of the key points I will expound in this session are:
1. e in eGRC stands for enterprise - any enterprise purchase or endeavor will invariably be expensive and time consuming. Be cognizant of this before venturing down the eGRC path.
2. There is no magic here – if you have broken processes before eGRC, they will still broken after deployment. If you haven't identified your requirements, eGRC is not a mindreading tool.
3. Budget and staff – do you have enough? - By the time you finish your eGRC deployment, you will likely have spent a lot more than you anticipated. Even though the tools may promise to automate many of your processes, you still need administrators and programmers for the eGRC platform. Don't forget about these vital staff members.
4. Integration – you may have hundreds of data points you want to populate into the tool. Do you know exactly how you are going to integrate different data sets?
Of these, the first point is the most important. Far too many firms have failed in their enterprise rollouts because they failed to consider the challenges involved in these large-scale product deployments.
We all know the problems of trying to schedule a meeting for a large group of people. Finding a date when, say, twelve senior people are all available is not easy. Now imagine a software product that can support different groups across the enterprise; now an easy thing.
Some of the many groups the product must support and interact with are:
• information security
• internal audit
• audit committee
• risk and compliance managers
• legal
A significant issue is factoring in issues of turf, different risk metrics, politics, and a whole lot more. Also, risk means very different things to each of these groups. The product must simultaneously support varying requirements while also providing a risk output that has overall meaning.
When focusing on an enterprise solution, many organizations focus on just getting the product installed and initially running, without thought to creating an eGRC program that can be sustained over the long-term. Even with a complex enterprise solution, a good team can invariably get something up and running, but creating a plan to ensure long-term sustainability requires significant consideration.
Many non-trivial elements in an eGRC rollout that must be managed. Critical items such as programming, day to day support, administration (upgrades, patching, etc.), integration with the help desk, and more need to be built into the plan.
Conclusion
eGRC can be a powerful solution, but even if it's deployed in the Magic Kingdom, it still must be designed, deployed, and maintained effectively if you expect it to produce any benefit.
This conference session will give you the guidance and prudent decision-making to show what it takes to ensure there's no regret in your eGRC rollout.
About the author: Ben Rothke, CISSP, is a Senior eGRC Consultant at The Nettitude Group. He has over 15 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, cloud security, design & implementation of systems security, encryption, cryptography and security policy development.
