GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus. My problem with making GRC the central part of Infosec programs is best summed up by Charles Harris' annual letter to shareholders. Charles Harris is the CEO of Harris and Harris (TINY) which is a venture capital firm that invests in Nanotech companies. Their portfolio is comprised of nanotech startups doing fascinating things, some example:
Cambrios Technologies Corporation develops electronic materials for the display industry. The company's first product, a directly patternable, wet-processable transparent conductive film, is designed as a replacement for indium tin oxide (ITO), which is the current industry-standard transparent conductor material.

Nanosys, Inc., is developing nanotechnology-enabled systems incorporating novel and patent-protected zero and one-dimensional nanometer-scale materials such as nanowires, nanotubes and nanodots (quantum dots).

Solazyme, Inc., is a biotechnology company focused on synthetic biology for the renewable bioproduction of fuels, industrial oleochemicals, and health and wellness ingredients from marine microbes.
But Harris & Harris itself remains a small VC company whose focus is on finding the companies building the next great thing. Nanotech is a pretty amazing space, with truly awe inspiring potential. Now here is where we get to my beef with GRC focus, from the Harris & Harris annual shareholder letter:
Another reason that our Company needs to continue growing its assets is to drive down cash expenses as a percentage of net assets. In recent years, the expenses that a publicly traded business development company must incur to meet regulatory requirements have escalated dramatically, pursuant to the Sarbanes-Oxley Act of 2002, Rule 38a-1 for investment companies, expanded compensation disclosure and analysis requirements, FASB Statement No. 157 for the valuation of assets, etc. In 2002, we had fewer investments and one office instead of two, but otherwise our business was the same as it is now. We got along fine with one internal accountant, a single outside accounting firm, no corporate compliance consultants, and no internal lawyers. Our business structure is very simple – no inventories, no receivables, no off-balance sheet entities, no debt, no preferred stock, one wholly-owned subsidiary, essentially all of our assets held by one custodian – yet our independent registered public accounting firm charged us approximately $290,000 in 2007 and will charge us up to an estimated $340,000 in 2008. The same firm charged us $55,500 in 2002. Today, in order to fulfill our regulatory requirements, we find ourselves having to employ two internal accountants; three accounting firms, including our independent registered public accounting firm; three law firms for counsel unrelated to our investment activities; a compensation consulting firm; a compliance consultant; an asset-valuation consulting firm; and two internal lawyers; and we now have to hold many more Board committee meetings. In 2007, our directors' and officers' liability insurance premium expenses were $521,884, versus $68,216 in 2002. In 2007, our legal expenses were $323,366, versus $149,954 in 2002. To put all of this corporate-governance overhead into perspective, we have only 13 full-time employees!
Wow. Those 13 employees should spend their time analyzing the incredibly complex nanotech space, finding opportunities, shepherding companies, and so on. Instead they are dealing with a massive, ballooning activity called compliance.
I realize that normal information security programs are not focused on protecting VCs; they are focused on banks, insurance, manufacturing and so on. But here is the point: Harris and Harris' core business is nanotech investing, not compliance checkbox Olympics. Normal information security programs have been underfunded for a very long time, and when the wave of compliance regulations hit, they scrambled to align their programs with the new regulations. Of course you have to deal with regulations, but doing so does nothing to provide security to your core business.
In the Security Architecture Blueprint that I built, we start with stakeholder goals, and those are translated into security architecture, security policy & standards, and a set of risk management actions. Compliance is important, but it is a subset of risk management. The top level goal is a security architecture which in James McGovern's words "enables the strategic intent of the business."
From a security standpoint we enable the stakeholders' goals by delivering an effective, scalable security architecture communicated through real world policy & implementable standards, and by providing guidance on making informed risk management decisions.
So while compliance is important and there are a lot of investment dollars there (because large vendors have realized they can sell provisioning suites, which are really very basic Tomcat apps with a couple of hooks to arcane directories, for 7 figures because it's under the rubric of compliance!), this wave of investment and attention should not distract information security from the real issues: building security into systems, dealing with threats and vulnerabilities, and protecting assets.
Overfocus on compliance for short term gains, or work to build security into your company: it is a classic To Be or To Do situation:
"One day you will come to a fork in the road. And you're going to have to make a decision about what direction you want to go." [Boyd] raised his hand and pointed. "If you go that way you can be somebody. You will have to make compromises and you will have to turn your back on your friends. But you will be a member of the club and you will get promoted and you will get good assignments." Then Boyd raised the other hand and pointed another direction. "Or you can go that way and you can do something - something for your country and for your Air Force and for yourself. If you decide to do something, you may not get promoted and you may not get the good assignments and you certainly will not be a favorite of your superiors. But you won't have to compromise yourself. You will be true to your friends and to yourself. And your work might make a difference." He paused and stared. "To be somebody or to do something. In life there is often a roll call. That's when you will have to make a decision. To be or to do? Which way will you go?"
Personally, I am happy sticking to classic infosec knitting - delivering confidentiality, integrity, and availability through authentication, authorization, and auditing. But if you are looking for a next generation conceptual horse to bet on, I don't think GRC is it, I would look at information survivability. Hoff's information survivability primer is a great starting point for learning about survivability.
Survivability is more valuable over the long haul than GRC because it is focused on assets: not on giving an auditor what they need, but on giving the business what it needs.
The seminal paper on survivability by Lipson et al. puts it this way: "survivability solutions are best understood as risk management strategies that first depend on an intimate knowledge of the mission being protected." Make a difference - asset focus, not auditor focus.
Ahh...the misnomer of "SOX" as "INFOSEC". Sounds as though organizations using "SOX" as an "INFOSEC" framework have fallen prey to the old snake oil salesman. Unfortunately, many organizations have fallen prey to believing that SOX is a 'security framework'. The only aspect of security that SOX provides is security for public investors because companies have a problem telling the truth regarding finances; remember, SOX was a result of the Enron debacle. Some don't like it...but as an 'employee' whose 401k is 'bundled' with corporate stock...I'll take it :-). Sounds as though these public organizations need to go back to Security 101 and understand that this is "Compliance" related to being a publicly traded company; a necessary cost of doing business related to getting 'free' public investment dollars by selling 'paper worth'. It does little to provide 'Information Security'; SOX is only sold as "INFOSEC" because it is a good 'buzz word' used to sell compliance related services. Just like other 'security services', compliance doesn't have the "ROI" most organizations would like. Oh well...they could always remain 'privately funded' if they don't like having to disclose everything in a regulated manner.
Posted by: Anonymous | May 03, 2008 at 11:10 AM
(Disclosure: I work for a GRC vendor)
Interesting! The burden of financial controls for SOX is indeed scary, but I have to agree with the first poster that IT controls are a different animal.
"GRC" vendors have offerings that cover a wide spectrum: domain specific areas such as matter management; overarching enterprise concerns such as operational risk and issue reconciliation; through to IT controls, and more - it is no wonder it is confusing! It doesn't help when analysts/consultants/vendors are constantly redefining their version of the concept (oh how I despise the "2.0" moniker!).
I think the industry recognizes the problem, and changes are being made. Initiatives such as OCEG's (The Open Compliance & Ethics Group) "GRC Blueprints" project aim to provide greater definition and understanding of what constitutes a GRC ecosystem. At an OCEG Technology Council meeting I recently sat in on, confusion in the market was a top concern, and it was encouraging to me to see the level of cooperation amongst vendors to try to help straighten it out.
Posted by: Gavin Terrill | May 04, 2008 at 08:17 AM