Organizations face several challenges in running their IT Risk and Compliance (ITRC) programs. Keeping up with changes to requirements and regulations is difficult. Assessments are often rushed and lack the necessary thoroughness. Compliance, audit, and risk teams don't communicate seamlessly because operational silos lead to decentralized data and fragmented reporting, which makes data-driven decisions very hard to reach.
Meanwhile, such programs are usually run manually: annual or twice-yearly company-wide internal risk assessments, evaluations of third-party vendors, and, sometimes, external audits. Staff and vendors fill out long questionnaires that risk and compliance teams then ingest and analyze. These practices may work for smaller organizations but are too burdensome for larger enterprises with thousands of employees and assets and dozens of third-party vendors.
IT Risk & Compliance: A Buyer’s Guide provides insight into finding an ITRC management platform that can automatically implement framework changes, provide visibility for all stakeholders and enable continuous, up-to-date monitoring of your IT Risk and Compliance posture. Download the guide here.
What ITRC Software Platforms Can Do for You
An IT risk and compliance management platform that automates many GRC processes, integrates different teams, and enables continuous monitoring and internal auditing may be the solution.
If an organization uses a point solution outside of an overall GRC platform, it might have different tools managing different parts of its program, says Mary Tarchinski-Krzoska, Market Advisor on Risk and Compliance at AuditBoard. With AuditBoard, knowing that one's IT risk and compliance solution is part of the overall GRC platform is reassuring, because the organization then has a single source of truth for IT risk and compliance that can be integrated across all the areas of the organization that fall under GRC.
Continuous automated monitoring enables your organization to recognize and remediate new risks and threats more quickly. Continuous automated assessment relieves the workforce from having to fill out questionnaires every six or 12 months. Risk-based decisions will be informed by real-time data, not outdated information.
An ITRC management platform will also empower siloed teams to work together with access to the same data on a shared dashboard, a crucial advantage when different groups are striving toward a common goal.
“Creating that single-pane-of-glass interface is definitely important,” says Dr. Jonathan Creekmore, VP and Information Security Manager at Pacific Western Bank. “It can be an automated enabler. I hate to use this word in a civilian context, but it’s a combat multiplier, if you will, for awareness and education and training.”
When you’re buying a GRC IT Risk and Compliance solution, remember that it should not just be a point solution. Instead, the core priority is to have access to a platform that ties in with your audit and risk teams, because there’s so much collaboration and cross-functional work that needs to happen for a risk and compliance program to be executed with those teams, Karp says.
Equally important is that an automated ITRC platform keeps your company updated on regulatory and framework changes as they are published, rather than at the next scheduled assessment.
“Within the last two years alone, PCI has been updated, ISO 27001, 27002, NIST has been updated, along with [the U.S. Department of Defense’s] CMMC, et cetera,” says Tarchinski-Krzoska. “For all of those changes, you have to adopt them, understand what they are, and bring them into your environment. It takes a lot of time to get up to speed, perform gap assessments, and work around it. Our product is purpose-built to help you manage these challenges.”
ITRC Platform Challenges
That doesn’t mean there aren’t a few potential challenges associated with using an ITRC platform. For starters, an ITRC platform isn’t a set-it-and-forget-it solution. While it should improve compliance and reduce risk, there will likely be some initial investment to lay the groundwork.
“It requires a fair amount of care and feeding in order to make that system work and be effective. And if you don’t care for and feed it regularly, it’s quickly going to become garbage,” says Willett. “You’ve got to have the people on it and the process around it in order to make that a valuable tool.”
Another potential pitfall is forgetting that all automated processes, even those handling GRC, are fallible and should be closely supervised.
“As you entrust more of these things to machines and those capabilities to these platforms, you need to understand the variables and inputs and make sure you’re not getting false positives,” says Patteson. “And that also needs to be audited as part of compliance.”
Preparing Your Organization
Even though most modern ITRC platforms are SaaS (software-as-a-service) solutions, there’s still a fair amount of preparation that an organization must do before implementing one.
With any new software, that means change management, says AuditBoard’s Tarchinski-Krzoska. It’s something that’s different and takes time both to implement and to get your team acclimated. “A lot of the time, people will revert back to manual ways because change is scary,” she adds.
The chief principle, perhaps counterintuitively, is to not put technology first.
“Technology should be the last decision. And for many organizations, it’s the first decision, because it’s easy. ‘We’ll buy the bright, shiny thing that’s going to fix our GRC problem,’” says Rica. “Ideally, what you want to do is build the organization, understand the assets, understand the controls, understand your risk tolerance — and then go look for a technology that best matches up to your requirements.”
CyberRisk Alliance’s new guide, sponsored by AuditBoard, examines how proper implementation of the right ITRC management program can enable continuous monitoring, provide visibility for all stakeholders, and prioritize compliance. For a deeper dive, download the full guide here.