Request Demo

Integrated Risk Management

GRC's Complexity Bias - Do Complex Programs Need Complex Solutions?

down-arrow

This month, in part three of our Lies GRC Is Telling You Series, we’ll be diving in to the second lie: your cyber program is complex, therefore you must need a complex solution. I struggled with this one given the fact that it was difficult to phrase correctly given that many of the people I spoke with work with mature cyber programs. Many of them, though, suffer from a complexity bias - the more complex the solution the more value it must bring. However, as we’ll see, that is not necessarily true and, in fact, can be a hindrance to scaling and developing the program further.

Your Cyber Program Is Complex, Therefore You Must Need A Complex Solution

According to a recent survey of more than 800 audit committee and board members conducted by KPMG, the top challenge the company faces is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require "substantial work."

As CISOs and information security teams know and have experienced, cybersecurity risk management and compliance gets quite complex. Unfortunately, what many organizations opt for is a complex tool that ends up costing them much more in the areas of time and effort that expected, just to become usable-- and also average in the hundreds of thousands in dollars to license, not including implementation costs. Even then, the risk management technology architecture itself cannot meet the needs of the senior management, or the BoD. The organization of data in these platforms becomes so complex over time that the solution itself tends to be heavily fragmented and most organizations out of the hundreds we’ve spoken to who use them end up using spreadsheets, slide decks, and word documents in addition to (or sometimes instead of) those solutions for risk and compliance assessments, risk and compliance management and reporting.

The pace of regulatory change is putting pressure on organizations to respond quickly to new requirements, but these systems have not been able to take a complex program, or a complex problem, and make it simpler. Especially for larger institutions, the combination of responding to the complex regulatory landscape, managing a myriad of regulatory requirements, control sets, reporting mandates, is a necessary function.

40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions (Deloitte).

We appreciate these legacy GRC solutions because they certainly serve their purpose, and have pioneered governance, risk and compliance for some time, but instead of pushing simplicity and ease of use, they add a volume of customization such that the end result is even today, in many cases, far too complex to be effective. The visualization, communication, and reporting aspects of GRC, now integrated risk management (IRM), are among the most pressing in today’s business landscape, yet the data within legacy systems proves too fragmented to achieve these objectives.

In our eyes at CyberSaint, IRM platforms should be able to fulfill the most fundamental GRC functions it needs to without adding to a CISO’s program complexity. IRM platforms should be built on metrics, should automate executive, Board-level, and auditor reporting, and should automate risk mitigation action planning so that everyone buys into the best path forward, and visualizes the data within risk and compliance programs so that infosec management can make more informed decisions, faster, and with more conviction from business peers.

This post is part three of CyberSaint's series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals. Read the first and second posts.

Read the full report on the Three Lies That GRC Is Telling You here.

 

 

 

You may also like

Reading Between the Lines of NIST ...
on July 9, 2019

On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of supplement SP 800-171B. As the ...

How We're Making DFARS Compliance ...
on July 2, 2019

With the Department of Defense (DoD) making DFARS compliance a requirement for all contractors doing business with the DoD, a great amount of stress has been put on DoD ...

What to Expect from the Security ...
on June 26, 2019

Digital Society is Real, and Security and Risk Management Solutions Must Embrace Digital to be Successful Digital Society: “The collection of people and things that are engaged in ...

Alison Furneaux
Integrating GRC: Compliance, ...
on June 25, 2019

In our Integrating Governance Risk and Compliance series, CyberSaint leadership explores the process through which cybersecurity leaders can reconfigure their organizations to ...

George Wrenn
Integrating GRC: Risk, ...
on June 19, 2019

In our Integrating Governance Risk and Compliance series, CyberSaint leadership explores the process through which cybersecurity leaders can reconfigure their organizations to ...

Padraic O'Reilly
CyberSaint at Gartner Security and ...
on June 13, 2019

Next week, forward-thinking security and risk leaders will congregate in National Harbor for Gartner’s annual Security and Risk Management Summit. As the preeminent voice in the ...