SINGAPORE, APRIL 12, 2011—A good security risk management programme needs to be event-driven and based on actual data with clear information delivered to the right stakeholders for decision making, said Gerry Chng, Partner, Ernst & Young Advisory, to the more than 260 delegates participating at the Computerworld Singapore Security Summit 2011, held last Friday (April 8) at the Raffles City Convention Centre, Singapore. And what such a programme will give your organisation is long-term security and assured operational excellence, he essentially said.
Chng started his keynote presentation (‘GRC: Driving the power of proactive security and risk management in 2011’) by asking the audience rhetorically: How are you managing security? He followed up by listing the areas that anyone taking care of enterprise information security (infosecurity) in 2011 must cover: threat management; compliance with regulatory requirements; audit management; incident management; business continuity management; and vendor management.
The crowd at Computerworld Singapore’s largest dedicated infosecurity event to date were then reminded of four recurrent themes in their daily struggles with infosecurity management.
One is “fragmentation” of resources, processes and tools across the organisation, said Chng. “There are no linkages between system controls, policies and security standards; different risk languages are used across different divisions; tools are implemented without overall management oversight; and security suites may not be best-in-class in all areas.”
Another is “wasted resources” stemming from the manual performance of functions such as the merging of information from multiple sources to produce desired security metrics and the maintenance of proper automation and metrics, Chng said.
The third motif Chng cited is “lack of visibility by relevant stakeholders on a timely basis,” which makes it difficult for them to make “the right decisions using updated and timely information” and ultimately leads to them providing little to no value to the business. And the fourth recurrent theme is “systemic issues,” which are difficult to detect and resolve due to an unhealthy “reliance on fragmented manual processes” common among enterprises today.
GRC Counters All
Chng then put forward a compelling case for setting in place a strong GRC (Governance, Risk and Compliance) infrastructure that could counter all these recurring issues for good. He offered up four detailed case studies illustrating how having a robust and comprehensive GRC infrastructure could solve major problems encountered in the areas of audit management, vendor risk management, security threat management, and business continuity management.
In closing, Chng highlighted the expected major drivers of GRC adoption by enterprises in 2011. We should expect to see regulatory compliance efforts continue to increase, not just with respect to industry-specific regulations but also cross-industry regulations (for public companies), and more aggressive enforcement of these regulations globally, he said. Additionally, “forecasting and analytics are becoming more important risk management tools, compliance efficiency will drive technological decisions, vendor risk and compliance efforts are moving further up the priority list, and systemic risks will still pose a threat requiring close attention.”
Chng will be speaking also at the Computerworld Malaysia Security Summit 2011 (April 20, 2011, Intercontinental Kuala Lumpur).