At the Computerworld Singapore Security Summit held at the Raffles City Convention Centre on April 8, 2011, the key strategies discussed to thwart the increasingly global and malignant IT threats included the necessity of risk and compliance management as well as a slew of security technologies.
According to the Global State of Information Security report from Computerworld, CSO Magazine and business consulting house PricewaterhouseCoopers, executives across industries and markets worldwide are more optimistic about their expected security spend for 2011 than in recent years, with data protection being the single most common strategic focus worldwide.
While much has been said about the ability of technology to keep businesses and individuals connected while still ensuring the security and accuracy of information assets, infrastructures continue to be breached by malware, corporate data continues to be stolen and corrupted, and even national secrets have been released and distributed around the world, as in the well-known Wikileaks Cablegate episode late last year.
One of the reasons such issues recur, according to the event’s keynote speaker, is the current practice of managing security in a piecemeal fashion. “There are many different aspects of technology advances like cloud, devices, all of which focus on information,” said Gerry Chng, Partner, Ernst & Young Advisory. “However, because most of them operate independently of each other, the way most organisations manage threats is to use different solutions, resulting in multiple reports.”
Such fragmentation leaves organisations relying on manual processes to reconcile these separate reports for audit or compliance purposes.
According to Chng, one possible solution is a standards-based, proactive security posture that integrates people, processes and technology, and to achieve this he advocates Governance, Risk Management and Compliance (GRC).
“A good security risk management programme needs to be event-driven based on actual data with clear information delivered to the right stakeholders for decision making,” he said. “GRC has been picking up in the past two years and it reflects a new integrated approach to these aspects of their business.”
GRC is an umbrella term covering an organisation’s approach across these three areas. Because governance, risk and compliance are closely related concerns, their activities are increasingly being integrated and aligned, at least to some extent, in order to avoid conflicts, wasteful overlaps and gaps.
While interpreted differently in various organisations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.
“The basic premise is to solve the issues of fragmentation and manual processes and provide visibility into business activities,” said Chng. “Only when you have visibility can you analyse and manage it.”