To tie all the disparate systems together to provide a clear overview, organisations will need an IT GRC solution. Citing Symantec Control Compliance Suite (CCS) as an example, she said that the scores (or metrics) are determined from a combination of technical severity as well as business criticality.
"At the top end of the maturity curve, you see organisations that have developed a controls framework and they're executing on their controls and continuously assessing their controls to monitor for factors," she added. "At this level, this is where organisations are really able to connect to their business counterparts and talk about IT risks in a way that's relevant to the business."
"Any security issue has a common vulnerability severity score associated with it; what control/compliance allow is to assign virtual business asset and business criticality score to it as well," Wong explained. "There are scores for data confidentiality, integrity, and availability. If an organisation has restricted network, sensitive network and normal network, they may have the same vulnerability, same technical severity, but different business critically."
"The scores are established based on a common understanding with various departments and practices; with a combination of industry standard and unique metrics to the specific organisation," she added.
The ability to translate all this into a dashboard showing where the business vulnerability and criticality are allows the CIO to prioritise their risk management. These dashboards enables information security department to remediate "in a way that holds the team [causing the vulnerability] accountable," Wong said.
"For the risk manager, CCS provides comprehensive view of IT risk across the enterprise using a data-driven platform," she said, "through customised views for different audiences. These translate the risks into business terms -- we're talking about business critical processes, groups and functions."
"IT operations can prioritise based on business impact, not only technical severity; most importantly, they can actually do something about it. Security is an inherently asymmetrical problem," Wong said. "An attacker only has to find one issue to poke through. The CIO has to protect against every attack and he will always have limited resources. This allows them to focus those resources on the most critical risks."
In the end, GCR is not just about being lawful and data loss prevention. Awareness of information security, education and partnerships between various internal departments will play a critical part in determining whether governance, compliance and risks are adequately addressed.
Sidebar: 12 tips for implementing GRC
Sign up for CIO Asia eNewsletters.