Privacy and security are pressing issues in the digital age. This year alone, data breaches ranged from a Bank of America employee leaking confidential information to celebrity cellphones getting hacked. Enterprises have more reason than ever to implement strategies to reduce the risks.
Earlier this year, EMC Corp., a provider of information infrastructure solutions, teamed up with the Ponemon Institute, a research center focused around privacy, data protection, and information security policy. The two firms released a study sponsored by RSA, EMC's security division, that examined the challenges global organizations face in meeting enterprise Governance, Risk, and Compliance (eGRC) objectives.
Based on responses from almost 200 individuals working in the global financial services, technology, healthcare, and pharmaceutical industries, the survey revealed that 20% of organizations have a clearly defined eGRC strategy for the entire enterprise, but 33% of organizations have no clearly defined eGRC strategy at all.
According to Alex Bender, director of eGRC programs and strategy at EMC, the firms wanted to conduct this survey because, when it comes to privacy and risk, people always think they know what is going on, but asking basic questions often reveals quite a few unknowns.
Collaboration Is Key
The key finding of the study was that collaboration is the biggest struggle for organizations when it comes to implementing or carrying out a clear eGRC strategy. Larry Ponemon, chairman and founder of the Ponemon Institute, says that the biggest issue is the ability of the various functional areas within an organization to cooperate on establishing a framework for meeting eGRC goals.
"The four GRC domains, IT, operations, finance, and legal, often have conflicting priorities," says Ponemon. "While IT is concerned with creating a strong security posture, finance is focused on the bottom line. There is often tension between IT and legal because of the different perspectives of the importance of privacy versus security when protecting an organization's information assets."
Often, when these different domains of a company operate, they work in separate "silos," which in turn creates conflicts over data. According to Bender, when an organization operates in silos, it is more difficult to have discussions about risk because each group has its own ways of working and its own priorities.
Michael Rasmussen, an eGRC lecturer, author, and advisor, agrees that collaboration between silos is challenging but is a necessary component of eGRC. "The hurdles are political issues: who is going to control the eGRC strategy. Without executive sponsorship and direction, this means a lot of turf wars," says Rasmussen. "Also, many parts of the business do not want to get involved as they do not want to expose how bad their GRC information and processes really are."
Oftentimes, the organizations that handle eGRC objectives correctly when dealing with situations such as a data breach have cross-functional teams, drawn from different parts of the enterprise, that tackle issues such as privacy and collaboration. The key is to be able to break down all of the technical and legal language. "I've talked to many customers who have done this. They get rid of legalese, get teams to tackle a single subject like privacy, and come up with, say, 15 policies that are written quick, like a sixth grader could read," says Bender. "You have to make sure that everybody can understand these policies, and once you've got these very clean policies written, you then extend it out and communicate it out to the organization."
Another area that organizations were found to struggle with is internal privacy processes. The study found that the biggest eGRC issue for 51% of respondents is ensuring that data they share with third parties remains safe and secure.
"As [organizations] continue their effort of streamlining IT and maybe allowing service providers to actually back up their systems and hold their data, it's like 'OK, are these service providers actually adhering to the policies and regulation that we adhere to, and how can we prove that they're adhering to it?'" says Bender. Bender added that visibility and control start to wane very quickly when organizations are dealing with third parties, and the biggest challenge for them is figuring out how to gain the transparency that they need.
The First to Know
To Bender's surprise, when respondents were asked where eGRC compliance activities resided within their organizations, 43% named the compliance function itself, but IT and legal were the next most common answers. This reiterated the importance of collaboration across these domains.
"Think about certain breaches that have occurred with organizations lately around privacy-related data. Who is the first to know? It's IT," says Bender.
When data breaches occur, the IT team informs its bosses as well as legal in order to decide what the breach means for the organization from a legal standpoint. This process of responding to a privacy issue is going to get bogged down, though, because there will be translation issues between the IT and legal departments.
"This is a big find for us because GRC technology helps organizations collaborate most definitely, but if you think about it, it just points to the fact that we're still far from that nirvana state," says Bender.
First Priority
On the other hand, Ponemon was surprised when only 15% of respondents said that maintaining customer trust is their organization's most salient privacy-related challenge or issue.
"Our annual 'Most Trusted Companies' study affirms that consumers are becoming increasingly concerned about the steps organizations take to safeguard their personal information," says Ponemon. "My recommendation to organizations is that if they are concerned about customer loyalty they should make customer trust a higher priority."
Many organizations do not have a clear eGRC strategy, or they struggle to maintain their current one, because there are many barriers that take time to navigate. According to 52% of respondents, the biggest obstacle is lack of resources (which can include tight budgets), followed by lack of cooperation and collaboration, which 44% again cited as the problem.
"To have collaboration you have to have joint goals," says Bender. "It's hard for different divisions to start to normalize on those goals." There are, in fact, a handful of organizations that are carrying out eGRC strategies in a way that Bender calls "spot on" that range from agricultural firms and financial services organizations to manufacturing and media and entertainment.
"Organizations that can actually say, 'Here's our corporate objective; here's how we map to our policies and standards,' those types of organizations are going to be much more quick to get there," says Bender.
Rasmussen gives credit to companies such as Visa, Humana, and Constellation Energy Group, Inc., which were all winners of the 2011 GRC Achievement Awards presented by the Open Compliance and Ethics Group (OCEG). The awards go to companies each year that have made strides in improving and integrating their eGRC approaches.
While the barriers to creating an enterprisewide eGRC strategy are great, the risks of not having one may be greater. Bender says that the biggest risk is that an organization will never know what's going on and what's wrong, so they will be in a constant mode of "reactive fire-fighting."
According to Ponemon, "The biggest risk is not having a cohesive and comprehensive approach to meeting complex regulatory requirements and increasingly sophisticated cyber attacks."
The Ponemon Institute conducted another survey earlier this year, focused on security, and found that more than half of the respondents had two or more breaches in the 12 months prior to the survey. Ninety percent of the respondents said that they had at least one breach in those 12 months, which shows that a security breach is no longer a question of if but of when.
As for technology, the eGRC survey found that the main solution used to support eGRC strategies is risk assessment, followed by policy management and controls. Bender found it "pretty telling" that this technology already exists within organizations.
"It's not something you can do within a week; it's going to take years to bring all of these technologies together to really start to give you that view of risk or that view of compliance or the view of governance that you need within an organization," says Bender. "So we are definitely a maturing market."
For Bender, the trends and issues that came out of the survey are things that organizations need to address now but are going to struggle with for the long haul. "It's not just a 2011 issue; you can't just say from now on we are going to have all of our data secure and inaccessible and we're going to start collaborating," says Bender. "It takes years of strategy to accomplish this."