While implementing it may sound like business restructuring, Chng noted, a GRC initiative should not mean a complete overhaul. “It must coexist with technology and processes and could mean installing an ERP system or templates,” he said. “It could also be about putting in a reengineered process to capture relevant information, or talking to people about key performance indicators to be managed like risk levels.”
According to Tee Chun Meng, Manager, Ernst & Young Advisory, relevant metrics must be designed and used to better assess changing information and IT security risks, so that organisations can manage those risks more effectively.
“A top down approach is required to develop meaningful metrics for the various levels of operations and management,” he said. Such metrics include loss of staff productivity, increases in security outages and IT downtime, the number of malware events, and the mean time to recovery from them. The extent of the damage could encompass the entire organisation.
“IT GRC solutions can help organisations to operationalise the security management effort,” Tee added. Among the factors that Ernst & Young Advisory expects to drive GRC are a heavier regulatory and compliance climate and the importance of addressing systemic risks such as security.
“Security as status quo is not sustainable,” said Chng. “This is especially since the most challenging security issues come from within rather than outside, and GRC increases internal visibility and improves decision making.”
New Security Threats
While internal risks need to be addressed, the external threat landscape is also a major concern, with malware proliferating at exponential rates over the last few years.
According to security vendor Symantec, the number of viruses has increased from about 250,000 in 2007 to over 286 million at the end of last year.
“Most of the action was in the last two to three years,” said Eric Lam, Sales Director Enterprise, Symantec Protection Suites, Symantec APJ Specialist Group. “We expect to see the number jump to 600 million at the end of this year with about two million new viruses every day.”
In addition, the threats have evolved in tandem with technology paradigms, with new vectors trending towards focused attacks, particularly on social networks and mobile devices.
“Through social engineering, attackers make use of trust on social networks, which is exploited through knowledge [gained from] those social networks,” said Lam. “Also, mobile threats are expected to be significant in 2011 because of Android and Apple. If more transactions take place on such devices, you can be sure that malware will be right there.”
At the same time, the Web continues to be the single biggest point of contact for threats, with Symantec reporting a 93 percent growth in attacks in 2010 over 2009.