Page 278 - Cyber Defense eMagazine Annual RSA Edition for 2024
databases. Within these databases, risks are tied to assessments, which are tied to mitigation plans,
which are tied to incidents. An organization that wants to understand which risks have resulted in
incidents would need to follow that hierarchical path—and understanding how a change to one element
would impact the others requires the entire pathway to be reexamined. That sort of regular reevaluation
demands a significant investment of resources (especially time and labor), making it cumbersome. That
made achieving a truly “holistic” view of GRC difficult, bordering on impossible.
But as data management has evolved, so has the ability to create and manipulate the relationships
between different data sets. Modern graph databases use nodes that emphasize how data interacts
rather than focusing on neatly organized tables. This makes it significantly easier to share information
across the organization and customize the underlying data architecture. With relational databases, it was
extremely difficult to customize a program according to an organization’s specific compliance needs,
often demanding the involvement of outside specialists over a long span of time (if it was possible at all).
Worse, changes and updates would be difficult (or impossible) to make in-house, demanding further
outside involvement and investment.
Now, the pendulum has swung in the other direction. The use of graph databases means organizations
can examine data relationships in a more tailored way—one that can evolve alongside the organization
as its security and compliance programs become more mature. Because businesses can now see the
impact of changes in real time, they can use that information to better understand how different actions
or strategies will impact their overall risk profile. For businesses, this has always been the goal—but now
it’s within reach.
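The two questions the text raises (which risks have ended in incidents, and what a change to one record touches) come down to walking the risk, assessment, mitigation plan and incident relationships as a graph. The following is an added illustration, not code from the article or any GRC product: it models those links as an in-memory directed graph and answers both questions by traversal; the record names are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample records, following the chain the article describes:
# risk -> assessment -> mitigation plan -> incident. Edge direction is
# "feeds into"; one plan (M1) covers two assessments, and M2 has no incident yet.
EDGES = [
    ("risk:R1", "assessment:A1"),
    ("risk:R2", "assessment:A2"),
    ("risk:R3", "assessment:A3"),
    ("assessment:A1", "plan:M1"),
    ("assessment:A2", "plan:M1"),
    ("assessment:A3", "plan:M2"),
    ("plan:M1", "incident:I1"),
]


def build_graph(edges):
    """Forward and reverse adjacency sets, so both directions can be walked."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        forward[src].add(dst)
        reverse[dst].add(src)
    return forward, reverse


def reachable(adj, start):
    """Breadth-first walk; returns every node reachable from start (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def risks_with_incidents(edges):
    """Risks from which at least one incident node is reachable, sorted by name."""
    forward, _ = build_graph(edges)
    risks = {src for src, _ in edges if src.startswith("risk:")}
    return sorted(r for r in risks
                  if any(n.startswith("incident:") for n in reachable(forward, r)))


def impact_of_change(edges, node):
    """Records affected by changing `node`: everything downstream of it, and the
    upstream records whose evaluation depends on it (both sorted)."""
    forward, reverse = build_graph(edges)
    return {"downstream": sorted(reachable(forward, node)),
            "upstream": sorted(reachable(reverse, node))}
```

A production graph database answers the same questions with a path query instead of explicit traversal code, but the relationship model it stores is the one shown here.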
Getting started with holistic GRC
While the advantages of holistic GRC are clear, that doesn’t mean the transition is simple. For many
organizations—especially large ones—resistance to change can be a real problem. Because holistic
GRC requires organizations to look at security from a “big picture” perspective, certain stakeholders may
perceive it as neglecting their own needs. On a micro scale, this is sometimes true: an executive in
security, compliance, or legal might not receive funds for a specific solution they want. But when that
happens, it isn’t because their needs aren’t important—it’s because allocating those resources elsewhere
benefited the organization as a whole.
That mentality is critical when it comes to generating the buy-in needed to implement holistic GRC
practices. For risk professionals, it starts with having conversations with peers across departments like
risk, cybersecurity, and privacy. It starts with asking what sort of culture the business wants to promote—
one of siloed data and walled gardens? One that lives with inefficiencies? Or one based on mutual data
sharing, collaboration, and a unified vision for the business? That might sound overly simplistic, but it
really is the core of the message, and it’s attainable. The main argument against holistic GRC is simple
inertia—and inertia is never a good excuse. Risk professionals need to help shake their fellow business
leaders out of the habit of thinking about what’s best for their individual business units and into thinking
about what’s best for the entire organization.