Thursday, April 24, 2008

Evolution of IT Security to Risk; driving IT GRC acceptance?

A great summary by Michael Rasmussen of Corporate Integrity of the 2008 state of the GRC market was posted earlier this month.

I believe the title of one of the sections itself summarizes one of the biggest benefits of GRC: "GRC is About Organization Collaboration." He is 100% correct from my perspective. Independent of the people, technology and process, GRC solutions are about using software automation to help enterprises collaborate to reduce their exposure in the three buzz areas the letters of the acronym represent (Governance, Risk, Compliance).

Now, GRC solutions can't and won't solve these problems alone. They are part of an overall ecosystem of technical control products, best-practice processes and people with communication skills and expertise. You still need your vulnerability management, SIEM, IDS/IPS, firewall and other security products. You still need your COBIT, ISO, ITIL and other best-practice processes. And of course, you still need the people who know the overall business goals and priorities and can apply their expertise to how IT can help achieve those goals. GRC, as mentioned above, is the organizational collaboration construct that can bring all these complex areas together into a tight and cohesive Governance, Risk and Compliance strategy.

Another article I came across highlights how some organizations are moving beyond an operational security culture toward a strategic, risk-centric one. Tim Wilson over at Dark Reading put out this great write-up yesterday, titled Market's Message to Security Pros: Adapt or Die.

-snip-
"...the question now is not how precarious the security manager's job is, but what it may evolve into, Schmidt observed. "As it becomes more about risk, security is not necessarily an IT problem. More and more, you see companies creating positions such as chief risk officer, who may report to a chief operating officer, and in some cases, the CSO might report to the [risk officer]."
-snip-


This trend points directly at GRC solutions that can provide the common construct to help all aspects of the organization collaborate. A decent analogy: what ERP was to the CFO, GRC may be to the CRO.

One last article that also points to this trend, operational security tasks moving back into IT operations and security analysts evolving into internal risk consultants to the IT organization, is this blog post from Trent Henry over at Burton Group. Once these "Risk Consultants" exist, GRC provides the collaborative platform for the more strategic initiatives he mentions: policy, risk and compliance monitoring, assessment program development, and so on.


Tuesday, April 8, 2008

Circumventing Enterprise Security Policies

An interesting article on how employees are circumventing IT security department policies.

This, of course, exposes the company to IT GRC (Governance, Risk and Compliance) concerns. A couple of hard numbers jumped out at me.

"80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user's identity and surfing habits from IT monitoring tools."

"...half of the enterprises studied by Palo Alto are supporting Tor or other methods for encrypted "tunneling" through the corporate network. Tunneling enables the user to bypass IT traffic enforcement mechanisms."

A comprehensive security policy starts from the top down with an IT GRC solution. It then incorporates the scoring, controls and assessment automation products into a unified view to help expose situations like those identified in this study. Note that the GRC platform does not see that proxy or tunneled traffic itself; the firewall, proxy and IDS/IPS controls mentioned earlier are what feed it the evidence. Once those situations are exposed and the risks understood, priorities can be set to resolve them quickly.
