
Sarbanes Oxley : Thought Leader

GRC: The Wave That Will Put Companies Into Motion


By Alberto Bastos
CTO and Founder
Modulo

Companies around the world invested $30 billion in GRC (Governance, Risk, and Compliance) during 2007, an increase of about 8.5% over the previous year.  The acronym, new to some, is already part of the vocabulary of chief security officers and other information security professionals.  It describes a model, with new applications, that will significantly alter how corporations are structured and operate.
   
GRC also promises to redesign the profile of the information security department, which will take on responsibilities that are even more important.  In the past, each sector was almost independent, with its own remit; today the key word is integration.   And it will fall to the CSOs to run it, on a contract basis.
   
This is, without a doubt, a positive change.  In order to anticipate risks of the most diverse kinds and guarantee business continuity, the information security professional must have a broad view of the corporation, not one restricted to the IT area alone.

In an integrated culture, the principal advantages are efficiency and transparency in the company's processes, and that is what will come about.  And, by means of an infrastructure built on common technology, it is possible to obtain greater collaboration between the audit, finance, risk management, legal and information technology areas.
   
The first challenge for professionals today is to perceive the benefits of this change.  The second is implementing the new culture.  After all, this is a trend that, sooner or later, will reach every company.  According to a Gartner Group study, more than 75% of companies have inefficient IT governance.  As a result, the majority of companies will be obliged to review their models.  In 2008, according to the same research firm, 80% of IT services will show some deficiency.  The reason given for this is precisely the lack of integration between IT and the rest of the organization.
  
In the context of information security, the CSO must acquire a holistic view, that is, must see the company not as isolated, non-communicating parts but as a single unit in which the sectors interact.  This change in perception is the most complex one, because it runs against their academic training, which generally focused on the technical side.  The development of new competencies, such as interpersonal skills, will be in great demand.

It is important to stress that GRC practices are not confined to the IT area.  The concept involves, for example, the financial, strategic, and operational risks tied to the company's privacy policies.  Working together, governance, risk management, and compliance are certainly essential to increasing the organization's chances of success.  To that end, companies should deploy intelligent tools that make convergence between the areas and functions involved in GRC possible, going beyond purely technological controls and embracing the business factors tied to risk.







