Mind Your Metrics

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services. The roundtable topic was Information Security Metrics programs – every security manager’s favorite. Why? Because security is so squishy. What metrics could effectively capture the state of something that changes on a regular basis, has no…


GRC Integration = Business Value

Governance, Risk and Compliance efforts at companies are nothing new. Organizations have implemented processes and technologies to identify, manage and report on risks and compliance for decades. Only in the last 10 years or so has the term GRC been invoked to capture the overall concept of an organized, methodical approach to this core business…


A Common Language for Risk Management

Speaking at OpRisk World 2015 recently, I was struck by the way in which the complexity of issues is increased by the disparity of terminology when talking about risk. For example, during the panel session on the “three lines of defense” strategy for GRC, much of the discussion focused on what that term actually means.…


Risk and Security Spotlight: Accenture

We caught up with Floris van den Dool, Managing Director for Information Security Services across Europe, Africa and Latin America for Accenture at the RSA Archer EMEA GRC Summit in London in November to get his take on what’s happening in the security industry. Van den Dool explained that traditional ways of security are no…


Rightsizing GRC Implementations

Many GRC programs were initiated out of fear of noncompliance with a specific regulation and the sanctions and penalties that the organization could face. When implemented to address specific pain points, GRC efforts can be added in an ad hoc and often siloed manner as other pain points emerge. Organizations need to focus on rightsizing…


The Twelve Days of GRC

Greetings and Happy Holidays. As this year draws to a close, we can all take a deep breath as this has been a big year in the world of GRC. Collectively as an industry, we have seen the advent of new laws and industry regulations; we have embraced new technologies; we have weathered financial storms…


Avoiding the Brittle Strategy

“Protection in isolation is a brittle strategy.”* At the end of September, I attended and presented at the ISACA/ISSA joint conference in Phoenix. During one of the keynote sessions, the quote “Protection, in isolation, is a brittle strategy” was used to highlight the importance of recognizing no defensive or preventive measure is 100% effective. Organizations…


The Power of AND

I have always been a “fan” of words. Meaning: I read a lot and I write a lot. I have this notion that “if” is the most powerful word pound for pound. For only two letters, “if” sure packs a lot of punch. “If” has fueled exploration (“if the world isn’t flat…”). “If” has driven…


RSA Archer GRC Summit 2014 Daily Digest – Day 1

As expected, the 2014 RSA Archer GRC Summit is off to another record-setting start, hosting 1,000 Summit attendees here with me at the JW Marriott Desert Ridge in Phoenix, AZ. With the largest gathering of GRC professionals and 100+ degree temperatures, the heat is definitely on!
