In a world brimming with more smart devices than people and with a growing percentage of us tethered to the internet, GRC has become far more than an acronym buzzword. GRC systems target a fusion of three elements that should harmoniously exist in business: Governance (the way an organization is controlled and directed), Risk (possible hazards or losses the organization faces), and Compliance (the measurement and implementation of controls to ensure an organization is following set standards). When harnessed strategically, GRC helps businesses effectively align IT activities to their organization’s goals while managing risk and meeting compliance regulations.
In fact, successful implementation of GRC also provides a host of more specific benefits, including improved decision-making, more optimal IT investments, elimination of silos and redundancies, and reduced department fragmentation. However, its effective execution has and continues to depend on cultivating an active work culture that supports GRC activity and enables GRC professionals to evolve. As global best practice consultant Joseph Mathenge notes, any organization seeking to meet its objectives continues to face a myriad of challenges involving regulation, people, technology (IoT, AI), processes, etc., owing to the ever-changing complexity of the business environment. In the same vein, GRC cannot become stagnant to remain an effective and holistic strategy. As the internet and the IoT evolve, expand, and formulate an ever-more complex and hazardous landscape, GRC systems and practitioners must also adjust.
But addressing the needs of GRC and keeping up with evolving technologies also mandates a binary approach of keeping GRC processes and practices relevant while aligning with new technologies—to execute such, organizations must increasingly turn to technology solutions and GRC practitioners must adapt more IoT-specific expertise.
“Technology has become a strategic business enabler, and IT GRC professionals are taking the lead in guiding business to navigate the digitalized global marketplace where cyber risks prevail and great opportunities for growing businesses abound.” -Moses Segaetsho, ISACA South Africa Chapter
A rapidly evolving landscape of opportunity and risk
In 2021, this is all made more complicated as GRC professionals face increasing challenges due to growing regulations, a “new normal” perpetuated by the pandemic—and, hopefully soon, post-pandemic—environment, and the twofold expectation of preventing crime without infringing on customer experience. Rapidly shifting regulations must be navigated amidst projections of increased AI, automation, and simplification of compliance-related processes. According to international IT security service provider Infopulse, leveraging digital transformation initiatives into compliance management can resolve these issues, helping organizations proactively manage and comply with evolving regulations. Infopulse predicts this year’s compliance trends will include optimizing compliance with AI-driven chatbots, driving efficiency and compliance with RPA tools, adoption of automated GRC solutions, and a growing demand for remote audits.
As has been well-established, data security is not for the faint of heart, and while protection measures and compliance regulations can be a huge help, they don’t 100% eliminate risk. That certainly doesn’t mean that businesses can’t—or shouldn’t—be as proactive and knowledgeable as possible. “Technology has moved far faster than our laws,” notes Tim McCreight, director of advisory services at Above Security. “As a CISO, if you have an understanding of the critical systems – where unstructured data could occur – you have a fighting chance to understand your risk.” All three legs of the GRC triangle are essential and mutually supportive; as French Caldwell, former cybersecurity adviser to the White House, notes: “Without compliance, there is no governance. And without risk management, you really don’t know how much compliance you really need.”
Though all three legs are critical elements, some would say that compliance—that which tackles issues of privacy and security—has been undervalued until recently. To help with that, Karl Mattson, CISO of City National Bank, argues that one of the biggest arenas that businesses must invest in is their knowledge and training of information security: “Lack of talent is a big issue in keeping pace with ever-increasing industry regulations and requirements. The industry is just not producing enough high-caliber risk management specialists who understand this space.” The result? An inability to keep up with compliance changes, a growing vulnerability to digital attacks, and the “GRC boogeyman” of IoT devices, with their own growing multitude of vulnerabilities.
That is the crux of the matter: not only is training across the board proving more and more important, but providing GRC practitioners with additional IoT-specific expertise is no longer just an option—it’s a necessity.
“Information security has become critical to understanding an enterprise, its risk, and its processes. To add increased value now, IT audit and GRC professionals have to build solid information security skills. This is the golden ticket to short-term success and long-term career sustainability.” - Caitlin McGaw, Candor McGaw Inc.
Benefits of adding IoT-specific expertise
Across the global economy, the Internet of Things comes with a vast array of potential benefits and challenges, and the digitization of various elements—machines, vehicles, etc.—of our physical world has so far proven hugely promising. According to McKinsey Digital, the IoT offers a potential economic impact of US$4-11 trillion a year by 2025—roughly 11% of the world economy. Yet with great power—and efficiency and effectiveness—comes great responsibility. “It’s much more than creating, capturing, and analyzing tons of new data from billions of connected devices,” argues cybersecurity expert Jamison Utter. “… It’s about securing critical infrastructure that ensures our water is clean, our election results are legitimate, our traffic lights work properly, and our physical health is protected.” And this, he points out, places an ever-increasing emphasis on anyone looking to integrate the IoT into their processes, products and services “to re-imagine and re-engineer their approach to IoT security.”
To start, GRC makes for a good cornerstone, but it must be about far more than simply meeting compliance policies. As Alice Baker, consultancy manager at IT Governance, states: “[it’s] also about providing assurance that significant risks that could impact the future viability and profitability of the organization have been addressed. Increasingly this includes the reliance on information and cyber activity.” Thus, she argues, businesses must view GRC as an opportunity to promote good cyber governance throughout their organization to provide effective foundation for cybersecurity. When incorporating IoT-specific expertise, many Fortune 500 companies have already acknowledged the growing need thanks to mounting external threats, emerging tech, outsourcing, and new regulations like GDPR, that, in turn, has led to a tremendous uptick in the requirement for information and cybersecurity knowledge in candidates for IT audit and GRC roles.
Similarly, Caitlin McGaw, president of Candor McGaw Inc., contends that GRC professionals must also break down silos and add value themselves if they wish to be a part of a business’s holistic vision, and doing so means strengthening their information and cyber security skills. She argues that critical thinking skills and innovation “require the ability to leverage knowledge and experience to develop pragmatic and, when necessary, creative solutions to risk and controls. Information security is a key domain that supports critical thinking in IT audit and GRC.” Even the smallest steps are a start, McGaw points out: reading, online coursework, setting up a tech sandbox in your basement, conferring with information security colleagues, participating as a guest resource within IT or information security, volunteering at the corporate information security roundtable, or earning a security-focused certification or certificate.
Taking these steps are beneficial, as GRC practitioners who are better-versed in IoT-specific risks and challenges are better able to proactively prevent or remedy them when a potential crisis pops up. A GRC approach that focuses on multiple business arenas is better able to provide a solution that encompasses each arena. By combining knowledge of security risks and regulatory requirements, IoT-savvy GRC practitioners can introduce better data protection approaches. With updated expertise, staff can optimize testing, managing, and resolving internal risks — data breaches, internal data governance, etc. — while the business implements the appropriate tools and practices to improve and assess information and communication across the board.
Given the ever-evolving challenges, technology, and regulations, investing in IoT-specific expertise is beneficial to both individual GRC practitioners and to organizations seeking to shore up their data security. When employing a GRC approach, businesses must leverage digital transformation initiatives into compliance and successfully navigate an alternating regulatory landscape. But to ensure a complete and effective strategy while remaining flexible, innovative, and compliant, it is essential to embrace opportunities and prepare for risks. That includes the non-exhaustive list of IoT risks, which can be mitigated if organizations make security a primary concern and enlist—or provide—GRC practitioners who are knowledgeable and competent in emerging disruptive technologies and the ways in which they impact business.