Is Information Security Risk part of eGRC?
I was invited to the Information Security Workshop of the Saudi Arabian Monetary Agency (SAMA) in Riyadh. I presented a vision on information security relative to GRC. During the first half of Day One, five keynote speakers were on the program, two of whom came from the Netherlands. Apparently the historic ties between my country and the Kingdom still resonate. My fellow countryman represented the Dutch National Bank and explained the "Dutch" way of everyone working together to fight the ever-increasing risk to banking information systems from professional criminal organizations. In our country, people from various entities in financial services, law enforcement and the government share resources and knowledge to develop best practices for defense. A governance structure organizes the sensitive exchange of specific information.
Information Security is a Risk Topic
I took a bit of a different angle but also talked about working together. Often Information Security is seen as the domain of IT people, consisting of information security officers and their teams who build technical defense systems and distribute security policies throughout the organization. In my vision, Information Security is a risk topic like all other risks: it needs to be embedded throughout the enterprise and connected to business processes. IT risks should be identified, measured and continuously assessed by the second line of defense and the business community, just like any other risk. The controls that are in place to mitigate those risks should be embedded in the risk and control framework and included in the aggregated risk reporting.
In my daily work I often see that IT-related risks are treated differently and are supported by "IT Risk only" tools rather than being part of an eGRC strategy, platform and implementation. IT departments are keen to "tick a box" against standards such as ISO 27000 but don't really participate in the broader risk programs or join eGRC programs and deployments. Whether or not this fits my Dutch culture, I do think the global trend is that IT GRC and Information Security Risk are merging into eGRC.