The Book
Membership
Explore MembershipGlobal Expansion Program
S3M2Journey to AppSec Maturity
Resources
Resource LibraryAppSecConPodcastBlogState of AppSec 2023
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Contact Us
The Book
Membership
Explore Membership
Global Expansion Program
S3M2
Journey to AppSec Maturity
Resources
Events
Contact Us

4 GRC Mistakes That Can Derail Your Risk Management Plan

By 
Piyoush Sharma
,
and
April 19, 2022
  • Non-compliance with data-related regulations can cost organizations dearly
  • Between Jan 2020 and Jan 2021, GDPR fines totaled up to US$191.5 bn
  • Companies such as Google, British Airways and H&M were on the receiving end of penalties
  • Organizations generally have GRC regulations and measures in place, meaning that poor
  • Implementation may be worse than an absence of frameworks

1. Creating a long-term GRC schedule with rigid rules

  • Businesses may tend to have a fixed "best practices" rule-list for GRC
  • Long-term schedules reduce the need for investment, thereby saving costs
  • Rigidity often leads to susceptibility during crisis situations
  • Businesses must opt for evolving, explainable rule sets for data governance and management
  • Short term, flexible GRC schedules on a project-to-project basis reduces business vulnerability to compliance-related problems

2. Having poorly-defined Service Level Agreements (SLA)

  • An inadequate SLA affects the quality of GRC solutions
  • Communication gaps between your organization and GRC solution vendors
  • Your business will be unable to ascertain whether the service received is satisfactory or not
  • Businesses must have a clearly defined SLA to evaluate vendor performance
  • Service expectations, penalties and termination clauses must be clarified before signing service

3. Lacking an integrated, holistic GRC framework

  • On-the-surface GRC norms demonstrate a lack of attention to detail
  • Businesses may have different rules for different departments, not adequately integrated with all business operations
  • This may lead to inconsistencies when it comes to data management and handling in different business units
  • GRC regulations need to be made with the business as a whole in mind
  • Comprehensive GRC frameworks need time to develop. Businesses must update norms from time to time to improve the flexibility of frameworks

4. Missing automation tech for GRC implementation

  • Old, manual mechanisms only add lag in business operations, especially for medium and large corporates
  • Risk management is affected due to lack of GRC automation
  • Lack of automation may lead to Segregation of Duties (SoD) conflicts
  • Competent data handling involves the evaluation of thousands of data files for errors
  • Automation through AI and machine learning reduce data handling errors
Piyoush Sharma
Head of Enterprise Security & Technology Operations, Zuora
Uniting security professionals on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
S3M2
Podcast
Blogs
Membership
Explore Membership
Resources
Contact Us
Powered By ArmorCode Inc.
Copyright © 2024. All rights reserved.
|
Privacy Policy
|
Terms & Conditions
The information contained in the Purple Book of Software Security and associated marketing material contains content expressed by Purple Book Community members. These opinions are their own, are not affiliated with the organizations that they belong to and have no commercial affiliation or any endorsement of any commercial products or services, including the community sponsors.