GRC stands for governance, risk and compliance and packages claim to integrate these three function, dangling that promise with a tantalizing image of an integrated IT function in harmony with the needs of the enterprise.
But just as new financial management systems and a bevy of auditors have not substantially stopped the flow of financial malfeasance by motivated perpetrators, this promise will also fundamentally miss the mark without directly addressing the issue of security.
For years now, security firms have been telling enterprises that the best way to address IT compliance and risk is to assess where the organization's security program is from a maturity standpoint and then use compliance requirements and risk objectives to advise the actions they need to take to move their security program where it needs to be. The best IT shops know that the way to optimize scarce resources is to include security in the architecture and design process and to judiciously apply additional capital and outside assistance for new functionality and the tasks they cannot or would rather not do themselves.
Without first having a firm understanding of where their security program is currently, security efforts tend to be misdirected, piecemeal, wrong-sized or inefficient. A house is still only as good as its foundation. Many organizations would be better served ensuring that their security program is of a sufficient maturity before trying to add yet another layer of management and technology.