GRC's Complexity Bias - Do Complex Programs Need Complex Solutions?

This month, in part three of our Lies GRC Is Telling You series, we'll be diving into the second lie: your cyber program is complex, therefore you must need a complex solution. I struggled with this one because it was difficult to phrase correctly, given that many of the people I spoke with work with mature cyber programs. Many of them, though, suffer from a complexity bias: the more complex the solution, the more value it must bring. However, as we'll see, that is not necessarily true and, in fact, can be a hindrance to scaling and developing the program further.

Your Cyber Program Is Complex, Therefore You Must Need A Complex Solution

According to a recent survey of more than 800 audit committee and board members conducted by KPMG, the top challenge the company faces is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require "substantial work."

As CISOs and information security teams know and have experienced, cybersecurity risk management and compliance gets quite complex. Unfortunately, what many organizations opt for is a complex tool that ends up costing them far more time and effort than expected just to become usable, and that averages hundreds of thousands of dollars to license, not including implementation costs. Even then, the risk management technology architecture itself cannot meet the needs of senior management or the BoD. The organization of data in these platforms becomes so complex over time that the solution itself tends to be heavily fragmented, and most of the hundreds of organizations we've spoken to who use them end up using spreadsheets, slide decks, and Word documents in addition to (or sometimes instead of) those solutions for risk and compliance assessments, risk and compliance management, and reporting.

The pace of regulatory change is putting pressure on organizations to respond quickly to new requirements, but these systems have not been able to take a complex program, or a complex problem, and make it simpler. Especially for larger institutions, responding to the complex regulatory landscape while managing a myriad of regulatory requirements, control sets, and reporting mandates is a necessary function.

40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions (Deloitte).

We appreciate these legacy GRC solutions because they certainly serve their purpose and have pioneered governance, risk, and compliance for some time, but instead of pushing simplicity and ease of use, they add a volume of customization such that the end result is, even today and in many cases, far too complex to be effective. The visualization, communication, and reporting aspects of GRC, now integrated risk management (IRM), are among the most pressing in today's business landscape, yet the data within legacy systems proves too fragmented to achieve these objectives.

In our eyes at CyberSaint, IRM platforms should be able to fulfill the most fundamental GRC functions a program needs without adding to a CISO's program complexity. IRM platforms should be built on metrics, should automate executive, Board-level, and auditor reporting, should automate risk mitigation action planning so that everyone buys into the best path forward, and should visualize the data within risk and compliance programs so that infosec management can make more informed decisions, faster, and with more conviction from business peers.

This post is part three of CyberSaint's series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals. Read the first and second posts.

Read the full report on the Three Lies That GRC Is Telling You here.
