Infosec 2009: security as enabler of governance, risk and compliance

Security is an enabler of governance, risk and compliance (GRC) in organisations because it puts processes around information, says an IT governance expert....

Security is an enabler of governance, risk and compliance (GRC) in organisations because it puts processes around information, says an IT governance expert.

"Security drives organisations to identify what information is important," said Lynn Lawton, international president of ISACA and IT Governance Institute.

Security also determines who has access to information, ensures that it is accurate and makes an organisation trusted to hold and use information, she said.

IT security chiefs can support GRC programmes by providing leadership in the organisation's structures and processes to safeguard key information.

The biggest contribution IT security chiefs can make, said Lawton, is to help the board understand the importance of GRC by keeping it simple and relevant.

All these functions of security inform the management of information, resources, performance and value within GRC programmes.

"Many people perceive security as a barrier to doing things, but it is important to GRC because it encourages people to use information properly," said Lawton.

Another important role of IT security chiefs is to keep policies and practices in line with the goals and aspirations of the business.

"If IT is locking down information internally, but business strategy is to give suppliers more access to get better service, there would be a mismatch," she said.

Aligning IT security with business strategy is also an important way of ensuring the board takes an interest in IT security before things go wrong, said Lawton.

IT security professionals can ensure they are in tune with the business by talking to people outside IT and taking in interest in the organisation as a whole.

"The message is get out of the IT department to see what the business is doing and how they are using what you are giving them," she said.

Lawton is a member of a panel to discuss the role of security in governance, risk and compliance at Infosecurity Europe 2009 at Earls Court in London on 29 April.

Infosec 2009: an essential guide for IT professionals >>

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.






  • How do I size a UPS unit?

    Your data center UPS sizing needs are dependent on a variety of factors. Develop configurations and determine the estimated UPS ...

  • How to enhance FTP server security

    If you still use FTP servers in your organization, use IP address whitelists, login restrictions and data encryption -- and just ...

  • 3 ways to approach cloud bursting

    With different cloud bursting techniques and tools from Amazon, Zerto, VMware and Oracle, admins can bolster cloud connections ...