Unfortunately, due to a last-minute change in plans, I did not make it to this year's Catalyst Conference, so I am working my way through the slides online and chatting with those who did attend.
One thing that caught my eye was Bob Blakley's Thursday talk on "Governance, Risk [Management] and Compliance" - a four-letter word, as he describes it.
This piques my interest for several reasons, based on the customers and industry pundits I have spoken to... Bob postulates, nay, demands that you "Just say no to 'GRC'", to which I say nay (to saying no)!
Why?
I have a great deal of respect for Bob, and acknowledge that he talks to many more folks in the industry than I do, and while this could well be flamebait, I do not agree with his premise... Bob stated that thinking of GRC as one big thing will confuse you. Semantics are important here, so the words "one big thing" matter. I say this is simply a point where you need to carefully think about the requirements of each discipline in toto; however, by not bringing them together as "one big thing" as a long-term initiative, you will end up with disconnects across each of these disciplines, taking your organization down anyway. Execs don't tend to like that.
Fundamentally, the security (and identity management) industry has spent years trying to manage each of these disciplines/requirements individually, and found issues specifically because we were not joining up and aligning these disciplines when rolling out solutions. Having a single app, or set of applications, that coalesces the planning and delivery of these disciplines allows an organization to manage its GRC requirements better. The "separate people are responsible for each discipline" discussion is a red herring if you end up with separate teams and disconnected products.
I discussed this with a couple of colleagues who consult every day on these things - we see the following:
- Companies are generally doing really well (or much better, depending on your perspective) at Compliance.
- Companies are doing OK at Governance.
- Companies are concerned with Risk.
So we have a catch-22 if we believe what Bob has put forth.
Companies NEED to link GRC together to manage governance, minimize risk, and ensure compliance.
My view here is that while these MAY be considered separate disciplines and requirements per se, it would be a mistake to do so. This may be the result of pontification, or even the reality that different people/departments inside an organization are responsible for different components of GRC... HOWEVER, it is critical to consider them like we do many linked items (e.g. security approaches such as CIA and PDR)!
Bob does lay out a lot of great things here in the middle - for example, Bob says that many risk management approaches are wrong. They take only one tack; instead, focus on maximizing gain rather than only minimizing losses, consider the portfolio, consider wildcards, and build in transparency. Interestingly, this is exactly what is wrong with the beginning and end of Bob's overall thesis. By not linking GRC together (properly, of course), you increase your risk.
A loss in any part of GRC systematically and dramatically affects the others - pick your analogy as needed (pillars of support, legs of the stool, corners of the triangle).
In the end Bob offers a number of recommendations including:
• Don't use "GRC" as a catch-all term
• Say what you mean: governance, risk management, OR compliance
• Think of governance as round-trip management
• Do not think of it as something you can fix with tools
• Measure risk management on the basis of value created
  • Not loss avoided
• Measure compliance on the basis of loss avoided
  • Not liability avoided
I agree, but the lead-in for this set is based on the wrong premise.
Going forward, the requirements in each of these areas will become greater; as a result, the importance of these disciplines being aligned becomes much greater still - just say no to saying no to GRC...
Be smart, don't buy what you don't need.
Posted 07-11-2008 4:48 PM by ArchieReed