Tackling GRC Includes Working with the Board
Tackling GRC Includes Working with the Board

The increase in mobility, fueled by trends such as BYOD, enterprise-focused apps and the cloud, mean there are now more ways in which corporate data can be lost; whether through employee mistakes, malicious theft, or the sale of confidential information.

GRC (Governance, Risk Management and Compliance) is currently one of the biggest issues facing companies of all sizes. To date, GRC has not always found billing in boardrooms across the country, but the fallout of major data breaches in the past two years have sent a clear message: the responsibility for data breaches is being laid on the board of directors and C-level employees. The fallout of preventable data breaches often results in a replacement of the CEO at the very least.

According to a survey by the National Association of Corporate Directors, and discussed on the Wall Street Journal, only 5.2% of public company boards have a technology committee, with scant few board members with a background in technology at all. The composition of board members makes for challenges in proper technology and security oversight, no matter what industry they operate in.

Gartner’s John A. Wheeler offers some advice in creating successful IT risk management programs, laying out a 7-staged approach:

  1. Speak substantively about risk at every board meeting
  2. Define and deploy leading risk indicators
  3. Explicitly link major risk areas to elements of strategy
  4. Align risk management and performance management
  5. Clearly articulate risks encountered versus authorized risk appetite
  6. Organize for enterprise-wide risk identification and accountability
  7. Use technology as an enabler of risk oversight activities

Without board-level support, many CIOs question whether mobile working policies and BYOD are worth the hassle, but the truth is that employees will use mobile devices with or without a policy, so ignoring mobile devices does not erase the risks (or opportunities) that they present. Instead, your organization can implement preventative measures to ensure compliance from employees.

As John Wheeler’s approach suggests, taking a proactive stance on security without board-support does not mean giving up on the board, but can help speed up the process. Inevitably, the most secure organizations are ones where there is a culture of security that is embedded top-down, where every employee, from the board to the mail room, understands their role in protecting corporate data, with tools that both support, enable and protect data wherever it resides.

To learn about how Absolute can help with your GRC initiatives for the endpoint, visit our website.