Organizations typically pursue the implementation of a Governance, Risk, and Compliance (GRC) program through a circular series of activities:
- Embracing standards and defining policies
- Running tests and validations against those policies
- Uncovering and classifying ‘issues,’ prioritizing and fixing some of those issues based on risk/impact guesses
- Doing it all again in hopes that the state of compliance and risk level stayed at least as good as it was the last time around
This method produces results demonstrating a point-in-time state, but it does little to measure the real risk to the business. If the organization is mature in its implementation, executives may be able to roll some of their findings into the next iteration in order to improve results. If the firm is really on top of its game, executives may be able to analyze multiple iterations to identify trends or patterns, which can be used to further adjust future program activities. Even with relevant trends and patterns emerging, however, those results are based on limited, isolated data and can only be measured against previous results; the analysis does little more than prove that the organization is doing better, or worse, than in the previous period.
In an attempt to help organizations improve their risk management programs, Allison Miller, Group Product Manager, Account Risk at eBay’s PayPal, and Alex Hutton, Principal in Research & Risk Intelligence with Verizon Business, jointly noted that both collaborative information sharing and measurable information analysis are critical aspects of a successful risk management program. During their panel session, "Ushering in the Post-GRC World: Applied Threat Modeling," at the BlackHat USA 2010 Security Conference in Las Vegas July 24-27, 2010, Miller and Hutton discussed the need to close the gap between information security assessments and information security defenses.