The 7 Myths of GRC Initiatives

TRANSCRIPT

Page 1: 7 Grc Myths Webinar 20110127 Final (2)

The 7 Myths of GRC Initiatives

Page 2

Today’s Agenda - 35 minutes

About Lightwave Security
Why GRC
GRC Myths
Countering the Myths
Our Solution

Page 3

About Lightwave Security

Lightwave Security is:

A privately held Strategic IT Security Services Company, established in 2006 and comprised of industry veterans
Servicing Global Enterprise, Commercial and Government
Located in Atlanta, GA with multi-location presence in USA
Focused on Automated IT GRC Solutions and Services
Exclusive distributor of SecureAware® in North America

Learn more at www.lightwavesecurity.com

Page 4

SecureAware®

SecureAware® is an all-in-one platform for compliance, best practices and security awareness that incorporates an automated compliance workflow system built in accordance with ISO international standards.

It currently supports the ISO 2700x, PCI DSS, and CoBIT 4.1 frameworks out-of-the-box.

Page 5

Webinar Series: Effective GRC Management

Part 1: “The 7 Myths of GRC Initiatives” - Today
Part 2: “Defining a Best-In-Class GRC Program” - Thursday, February 10th, 2010 - 1:00 PM

Page 6

What is GRC?

Manage:
Risk exposures
Security practices
Compliance requirements

Satisfy the Auditors
Communicate with Regulators

Page 7

Aberdeen Group Report

Effective GRC Management: Positioning Your Company for Growth
December 2010

In-depth and comprehensive look into process, procedure, methodologies, and technologies with best practice identification and actionable recommendations.

Download from http://www.lightwavesecurity.com/grc_report.html

Page 8

Aberdeen Effective GRC Report

Over 100 companies were surveyed between November and December 2010:

Guidance on implementing effective Governance, Risk, and Compliance (GRC) management
Review of capabilities and enabling technologies that help improve financial and operational control
Identify best practices and current initiatives in enterprise GRC management

Page 9

Setting the Stage for GRC

Ongoing corporate consolidations and new regulatory requirements amidst a recovering economy have introduced a series of new liabilities for organizations.

Parent companies continue to be concerned about management standards across their constituent companies, operational risks, and the ability to comply in a dynamic regulatory environment.

Page 10

New Economy Challenges

Today’s companies must comply or be fined / banned from selling their products in a state or region.

Organizations must closely track and manage their processes against regulations that vary widely.

The global economy necessitates expediting key processes and mitigating risks.

Page 11

Key Definition - Governance

Method in which executives:

“Conduct” their organizations
Provide clear visibility of management directives to the staff
Ensure initiatives are properly executed in a timely manner
Maintain top priorities on the executive’s agenda

Page 12

Understanding GRC Drivers

Internal:
Measure impact of proper governance and risk mitigation

External:
Quantify the impact of tightened regulations

Page 13

The Executive’s Role

Responsible for:

Identifying liability associated with any business decision
Performing an accurate risk assessment to formulate mitigation strategies
Working effectively with government and regulatory bodies to ensure business compliance

Page 14

The GRC Challenge

Implementing GRC management can significantly improve operational and financial control

BUT

Many organizations lack the initiatives, capabilities, and technological enablers to realize the benefits

Page 15

Myth #1 – GRC is a Cost Center

GRC management has traditionally been viewed as a means to:

Reduce liability-related costs
Address problems associated with financial and operational control

This traditional approach relegates GRC to a Cost Center, not a business enabler.

Page 16

Myth #1 – Busted: GRC Enablement

Given the dynamic regulatory environment, GRC management is now setting the stage for new revenue opportunities:

Improving access to selling into global markets
Attracting new customers through liability reduction

Best-in-class companies view GRC solutions and services as key elements of their growth strategy.

Page 17

Myth #2 – GRC Misunderstands Risk

GRC processes are not able to identify risks reliably, let alone mitigate them quickly enough to compete in today’s economy.

GRC prevents executives from being able to understand the impact of risk on overall corporate performance in a timely manner.

Page 18

Myth #2 – Busted: GRC Counters Risk

Top companies have taken the initiative to standardize GRC processes to enable better trade, safety, and environmental compliance, as well as improve their abilities to quickly identify risk elements to expedite mitigation actions.

In these organizations, executives are able to understand the impact of risk on overall corporate performance.

Page 19

Myth #3 – GRC Can’t Fit My Organization

GRC is a straitjacket that will prevent management and executives from correcting problems as they occur.

GRC is too generic and can’t generate enough data to identify the sources of issues in my complex organization.

We need both Quantitative and Qualitative data, and GRC can’t supply both.

Page 20

Myth #3 – Busted: GRC Can Fit Everyone

Executive-driven GRC allows executives to intervene and provide corrective paths quickly.

Both qualitative and quantitative feedback can be collected from various departments, at various levels, to validate the success of the strategy.

GRC scales to large, complex organizations.

Page 21

Myth #4 – GRC Data is Too Dispersed

GRC efforts result in data scattered all across an enterprise, preventing timely stakeholder access.

Management can’t easily get the mission-critical risk data that impacts corporate objectives.

Page 22

Myth #4 – Busted: GRC Centralizes Data

Effective GRC centralizes risk data and compliance information to facilitate stakeholder access, particularly in situations where the organization is dispersed geographically and operating in different time zones.

Best-in-Class companies leverage this centralized repository to maintain GRC information and provide visibility into management directives, risk elements, and regulatory changes.

Page 23

Myth #5 – GRC Impacts Performance

There is too much overhead in GRC programs to monitor all my risks and compliance needs, so it can’t really tell us what is going on.

Getting real-time data out of a GRC program is nearly impossible, so I can’t get actionable information.

Page 24

Myth #5 – Busted: GRC Enhances Performance

Effective GRC programs systematically monitor key risk indicators, so organizations can consistently get a pulse on the health of the business.

Best-in-Class companies are therefore better at measuring how well their staff is following management directives.

Timely tracking of corporate governance effectiveness enables executives to ensure the alignment of staff execution to enterprise objectives.

Page 25

Myth #6 – GRC is NOT a Technology Problem

We need to rely on our employees to manage risk due to the highly regulated nature of our business.

Our data is created by people, and they understand it best.

Our executives are tired of technology solutions.

Page 26

Myth #6 – Busted: Technology Enables GRC

Companies relying completely on people for communication are at a disadvantage when compared to software-enabled organizations.

Effective GRC provides an infrastructure that allows executives to concurrently access GRC data / information.

GRC tears down silos of information, allowing decisions to be made in a quick and informed manner.

Page 27

Myth #7 – GRC is just another “Me Too” project

Everyone has tried it, and the benefits don’t exceed the costs.

The ROI for GRC just isn’t there.

Page 28

Myth #7 – Busted: GRC Differentiates

Implementing a GRC program will help to differentiate a company from its competitors.

GRC provides a quantifiable ROI due to increased agility and growth.

GRC = Governance, Risk and Compliance

OR

“Guard Assets, Revenue Enhancement, Cost Reduction”

Page 29

GRC Truths

Initiatives foster growth
Is a competitive differentiator
Protects innovation
Attracts new customers in new markets
Facilitates stakeholder action
Designed for Executive involvement

Page 30

Key GRC Management Benefits

Driving organizational alignment of executive and staff agendas through effective governance
Understanding risks in terms of dollar-value impact and corporate brand equity
Prioritizing organizational initiatives based on risk level
Creating additional revenue opportunities by meeting compliance requirements for selling into new markets / regions

Page 31

Enterprise Benefits

Companies can better position themselves for growth if they become proactive in their GRC management initiatives: making sure that objectives, risk, regulatory information, and accountability information are made visible to stakeholders ahead of time to enable informed decisions.

Page 32

Call to Action for Effective GRC

Best-in-Class Companies:

Define a workflow from Risk Identification to Mitigation
Align staff accountability to corporate objectives
Establish platforms to promote visibility and collaboration on strategic, financial and operational plans

Page 33

SecureAware – Our GRC Solution

• Policies, rules, and procedures
• PCI, ISO, and COBIT templates
• Import existing policies
• Create new policies
• Rapidly deploy SAT training

• IT risk management
• Risk assessment
• Vulnerability assessment
• Business impact assessment
• Business process map with IT systems

• Compliance gap analysis
• Internal audit
• Self assessments
• Tasks linked to policies
• Workflow for review & approval
• Recurring tasks
• Documents performed activities
• Gap analysis

• Business continuity plans
• BCP structures
• BCP templates
• Tasks with compliance

• Complete customization (skins)
• Multiple portals
• Multiple languages
• API for integration
• Interfaces with Active Directory

• Automated security awareness
• Mapped to policies and procedures
• Certificate of completion

Page 34

Contact Information

Thank you for attending our webinar!

Erik Rolf
Vice President Enterprise GRC
Lightwave Security
[email protected]

For a copy of this presentation please send an email to: