GRC: CISOs must crawl, walk and run, says MetricStream's Gunjan Sinha

Yogesh Gupta | June 29, 2016
Governance, Risk, and Compliance (GRC) is fast becoming an important part of the security of organizations.

Last year noted Gartner analyst French Caldwell joined our team as chief evangelist at MetricStream. Just as SAP created ERP and salesforce introduced CRM, we worked closely with analyst firms to define GRC as a three letter acronym because it sits one level above ERP and CRM.

Just like it's said 'men are from Mars, women are from Venus,' I have the phrase 'businesses are sitting on Mars, regulators and government are sitting on Venus' for GRC.

Through technology, our job is to bring them together on the same planet. This way, the cost of compliance and the consequence of breaches will be reduced. That will bring down the risk and make the country--and the economy--better governed. And this is on every senior government official's agenda. That is the plan by PM Modi around governance and we want to make sure we feed on that. That's Caldwell's job as part of the leadership team.

GRC appears an expensive proposition for price-sensitive SMBs...

Not really. The MetricStream GRC platform is very modular. We have customers ranging from those paying literally a few thousand dollars a month to companies spending several million dollars.

There is an absolute array of things you can do. If you have a few users and specific needs, you can get started in a matter of a few weeks on the cloud. There are people who are building a complete global infrastructure. That's the other end of the spectrum. We are serving the entire range, from the small company in the cloud to large enterprises.

What are the dos and don'ts for CISOs and their organizations on the GRC journey?

This is an area where you have the maximum failure rates in GRC - if you are not careful about how you think about your GRC journey, you could end up biting off more than you can chew.

My recommendation for companies is to map out a journey through a modular and phased approach. I am a big proponent of crawl, walk and run. CISOs have to understand their company's GRC maturity level today. Just like the CMM quality model, think about the GRC maturity model today and three or five years from now. Don't try to boil the ocean with many different things simultaneously, as it will lead to disappointment or cost issues or system failures.

No security vendor has a silver bullet to halt security breaches. Do GRC solutions deliver TCO/RoI for organizations?

Firstly, GRC cannot be done manually because of the monitoring of numerous data sets. It is like the big data problem of 'finding a needle in a haystack'. Throwing a number of bodies at the problem is not viable. This is only possible through technology that gauges what's wrong in the company, which door is open and needs to be closed against attacks, and what dataset is prompting potential breach risk. We mine all the data in an automatic manner to give the red, yellow and green alerts to CISOs.