By David Williamson, CISSP, CGEIT, CRISC, Vice President – Professional Services, MetricStream
For business managers, moving portions of our company’s most valued information assets into the public cloud, while compelling economically, raises a thicket of difficult risk and compliance questions.
- From a business perspective, considering reputational and other risks, do the economic advantages outweigh the risks?
- Can anybody in my company really answer: if we move these processes and data into the cloud, will we still be fully compliant with all of the necessary “legs and regs” we must comply with? How do we really prove that?
- Frankly, our IT partners are hardly impartial in the decision; we’re allocating our IT shop’s funds to buy cloud services. Are their security concerns perhaps a little overblown?
To answer these questions, risk and other professionals need to perform the business equivalent of alchemy: transforming security “bits and bytes” into business data we can understand and operate upon. This is where a good GRC framework can be pure gold.
An integrated GRC framework will allow you to understand how security threats and vulnerabilities affect the systems that support your core business processes.
Security “sensors” which detect malicious behavior in the networks, or the existence of threats and vulnerabilities, can be viewed through a risk and compliance lens. Different types of IT risks can be assessed for probability and impact, mitigated, transferred, or accepted, and the residual risk impact compared against the economic consequences of other risk types.
It’s just a simple fact that there will always be some degree of risk in systems. The Executive Suite craves objective data about how these risks, including the risks of non-compliance with key regulatory requirements, compare against other risks to the enterprise. An integrated GRC framework can allow executives to meaningfully weigh IT risks and opportunities against other corporate risk and opportunities, and make informed decisions about where to invest scarce corporate assets.