Closing the Gap Between Assessment and Defense
Verizon's Hutton first referred to implementing a governance, risk and compliance (GRC) program without any measurement as governance and compliance via superstition. Without measurement, an organization has nothing of substance to point to in order to confirm that it is doing its work well, that it is actually mitigating risk. "We can't talk about what we can't see -- we can't see what we don't talk about," added PayPal's Miller.
Hutton also suggested that, in order for organizations to succeed in managing risk, they must embrace and promote cross-functional collaboration and trusted disclosure of information within the security community. (This is a common theme in many of this year's Black Hat sessions, including the conference's opening keynote.)
Defining 'systems' that capture every aspect of the information flow allows PayPal to expose all potential areas of risk to its business, said Miller, who is responsible for minimizing exposure to fraud for PayPal users. The systems that she defined in her sample scenario at the Black Hat session included internal business machines and perimeter protection appliances, as well as the partner and end-user machines that access the network.