Please share your comments; critics make life meaningful!

Wednesday, July 27, 2011

Governance, Risk & Compliance - a clear picture from the Infosec perspective

Wikipedia defines GRC or Governance, Risk Management, and Compliance as the "umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations."

"Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyses, and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

Widespread interest in GRC was sparked by the US Sarbanes-Oxley Act and the need for US listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the SOX world."

Now, we all know that there can be as many Governance frameworks as there are organisations - after all, it is a management-driven approach and hard to replicate between two companies. There is also a plethora of international standards pointing towards Governance frameworks, although these are finite in number. Risk Management frameworks are plentiful too, and within each of them one could adopt one or more of several methodologies for a specific organisation or for a part of it, be it a business process, an installation or any other logical entity of the organisation. Compliance is about adherence to controls, which are nothing but technology, process and people based procedures, and they can be configured in any number of ways.

Thus, even in normal times GRC is a huge challenge in itself. To that we add technology complexity, outsourcing and mobility, as well as increasing regulatory stipulations and privacy concerns. The stage is thus set for a highly dynamic and complex environment with huge liability in case of non-compliance, while there is little comfort from easy or even simple alternatives for compliance.
On top of this, those responsible for GRC, who are often CISOs or CIOs, rarely present the domain to their audiences in a simple manner; thus GRC becomes to enterprises what IT is to business - simply too much jargon or machine language. It does not reassure management or stakeholders when such a contentious subject is presented to them in such a complex manner. It is not for management or business to decode the jargon that CISOs and CIOs use to address their audiences. It is rather for the latter to understand the business needs on GRC from a 360 degree perspective and meet them by employing the appropriate Governance and Risk methods, deploying the right mix of people, process and technology controls to achieve the desired business objectives. Certain aspects to bear in mind are:
1. Garnering management participation through a steering committee.
2. Ensuring creation of an asset and functionality inventory.
3. Defining and documenting the organisation's risk appetite and conducting a risk assessment (RA) against it.
4. Mitigating risks and meeting policy requirements through controls mapped to the inventoried assets and functionalities.
5. Innovating business-sensitive resolutions for areas the controls do not cover.
Two aspects for key consideration are experience and perception. GRC is almost synonymous with Security, and to make it an enabler the audience must experience the wow from it and also perceive it positively. Security should not be seen or heard; it should be felt. The approach should focus on the strategic triad of Business focus, Revenue sensitivity and Cost consciousness. Ultimately Security should get ingrained in every Product, every Project and every Process.
This can make a CISO the Chief Innovation Specialist Officer, instead of the Chief In-house Sadist Officer.

Monday, July 11, 2011

Enterprise Protection, Assurance and Continuity (EPAC) - A Holistic and Risk Based Data Security, Privacy, Disaster Recovery Framework

Every enterprise has a plethora of these functions with overlapping domains and interdependent responsibilities. Governed by different (and sometimes non-complementary, though not necessarily conflicting) international standards, each of these functions provides adequate ammunition to its practising professionals to conceive, plan and implement an independent framework for its respective area. Many a time these different frameworks are not aligned with each other and, more importantly, not aligned to business strategy and operational realities.

As a result, most of these important support functions never reach a position of direct business relevance. They fail to get the mind share of business leadership and consequently never attain strategic relevance. In effect they never reach their ultimate destination of business enablement and remain relegated to a regulatory compliance mandated compulsion for the enterprise.

However, in the rapidly transforming business landscape of ICT-defined global markets, the reality is that these support functions, which together comprise the entire risk universe of an enterprise, can contribute directly to the business objectives of most organisations, play the role of business differentiators and thus be of strategic relevance.

Thus, there is scope in many enterprises to re-examine the construct, structure, role and functioning of all these support functions with a view to working out a holistic, business aligned and uniquely positioned Enterprise Protection, Assurance and Continuity (EPAC) framework which provides integrated and Risk Based Data Security, Privacy and Disaster Recovery assurance to the organisation. Besides business enablement, such an exercise offers substantial scope for cost savings in the form of removing the staffing of overlapping domains, outsourcing non-core functions (those not contributing to business enablement) and an overall reduction of headcount owing to integration.

Hence, it would be worthwhile to undertake an in-depth examination of the enterprise's framework of support functions and provide a holistic picture to executive management comprising a current status snapshot, gap areas, the scope of rework towards an integrated and business enabled function, and a suggested detailed implementation road map with milestones and deliverables. Equally important would be handholding throughout the implementation and helping the enterprise reach business specified integration targets, with periodic reporting through suitable metrics and dashboards.

Emergence of Information Security & the role of CISO

In the last decade or so, Information Security (IS) has emerged from within the IT function as an important element with business critical and even strategic ramifications. The emerging direct business relevance of IS has created a leadership role which has come to be known as the CISO. International standards, IT frameworks and several regulations have also sanctified the criticality of IS and thus made the role of the CISO even more relevant and legitimate.


In India, IS compliance had been almost non-existent prior to the 1990s. With the opening of Indian markets and the development of an intimate global market connect, IS first found its place in the BFSI sector and then in the IT/ITES sectors. Business and operational needs for security drove the next wave of IS adoption in India, which saw home-grown sectors like Telecom, Pharma, Manufacturing and Retail create IS teams, primarily to protect IP and safeguard operations.

The current drive for IS is mostly powered by regulations and laws, as the Indian Government is carving out several laws and regulations with IS intent and content in its march to join the big league of powerful nations. However, all along IS has not been treated as a core business need; rather it has been a reactive measure to meet business realities (such as IT/ITES companies providing assurance to their international customers), a response to high impact incidents (loss of a business plan, for example) or a means to comply with a law or regulation. While IS think-tanks like ISACA and (ISC)2 forecast the emergence of IS as a strategic function and the move of the CISO into the Corporate Boardroom, the scene in India is a little different, with a lack of clear management understanding of the business value of IS and its strategic impact. There are also numerous other related functions (such as Risk Management, BCP, Privacy, Physical Security and Intellectual Property), some with their own international standards, which are vying for management attention and organisational acceptance.

The contributing factors to this situation are:
1. Lack of a Security conscious and compliant culture in India.
2. Low levels of legal/regulatory enforcement.
3. Varying Security requirements and postures across different industry sectors.

In light of the above, it may be worthwhile to deliberate on the nuances of the CISO's role in an Indian enterprise and suggest measures to bring it on par with global standards and provide higher business value. It is also recommended to study industry and sector specific security requirements and suggest a sectoral security model as a best practice for adoption by Indian enterprises pan-India.