by French Caldwell | October 26, 2012 | Comments Off
One of the questions I get all the time is, “Where can I find out what regulations apply to me?” I talked this morning to Fred Diers, who has created GRMpedia, which tracks regulations and their retention and reporting requirements. Regs tracked include marketing, finance, research and development, EHS, contracts, leases, IP, governance, HR and others. Coverage spans 26 countries, all the provinces in Canada, the states in Aus and NZ, SEZ’s in China, major treaties in the EU, NAFTA, etc. In total that is over 11K regs in the US and over 8K outside the US – this compares to 400 total in the UCF, for instance. Of course, the UCF serves a different purpose, for IT controls architecture and audit.
For people trying to solve records retention or regulatory change management GRMpedia looks really helpful.
by French Caldwell | October 24, 2012 | Comments Off
I’m here at Orlando Symposium talking to a good colleague, Neil McDonald, and I ask Neil, “Why don’t IT service providers, who complain so much about the intrusiveness and costs of customer inquiries, inspections and audits of their security controls, just provide their customers an IT GRC dashboard? That way customers can see for themselves the controls effectiveness at any given time.”
So Neil says, “Think about it. Any heat map of controls is going to have lots of red and yellow on it. It may be better than the customer’s own heat map if they were managing the controls themselves, but customers want to think that it’s all green all the time at the IT service provider — that everything’s patched, that configurations are perfect, changes are made, there are no vulnerabilities and no security events. Their illusions would be smashed if they could see that it’s not really much greener on the other side.”
by French Caldwell | October 12, 2012 | Comments Off
In the last week I’ve had two calls with companies deciding how to respond to the cybersecurity letter that Sen. Rockefeller sent to the CEOs of Fortune 500 companies. The deadline to respond is 19 October.
CEOs are not required to respond, and with the demise of the Cybersecurity Act of 2012, it’s tempting not to answer. However — as I noted in my first take on the Cybersecurity Act, this issue is not going away, and if you want to protect your standing to comment on future legislation and regulations, then at least a considerate reply is in order.
The White House is working on a draft executive order on cybersecurity, which is likely to include a rewrite of HSPD-7. That rewrite was leaked in September. And now Secretary of Defense Leon Panetta is stepping up the beltway rhetoric on cybersecurity – using the cyberattacks on Aramco in August as evidence of the threat.
So, what’s a CEO to do? It’s up to each CEO, of course. You should consult your general counsel and your CISO. If you don’t know who your CISO is …, well, it’s not too late to meet him or her.
Also, consult your Washington representatives — if you don’t have one, that’s fine. Call the head of your industry association, and find out what they’re recommending as a response.
If you do reply, review your letter against the following principles. Any future regulations should be:
1 — Risk and performance based
2 — Industry specific
3 — Voluntary to the extent possible
The bottom line here is that one size does not fit all.
For CEOs who want to know what a great cybersecurity program should look like, I urge you to talk to my IT security colleagues Earl Perkins, Tom Scholtz, John Pescatore, and others who can help you evaluate your cybersecurity maturity and where to focus on improvements.
Note — I’m just the stray policy wonk at Gartner who happens to live inside the Capital Beltway, and in the interest of full disclosure my cybersecurity interest is primarily at the national policy, not the enterprise program level. Many years ago Richard Hunter and I ran the first ever national cybersecurity wargame, Digital Pearl Harbor.
by French Caldwell | October 11, 2012 | Comments Off
Wow – just as we’re starting to grapple with the future of risk from social media, along come researchers with the biological internet. The Harvard DNA storage story broke a few months ago, and now researchers at the Stanford School of Medicine have gotten cells to communicate through DNA packets – with a range of 7 centimeters. Obviously not a useful range for long-range comms, but plenty for the internals of your smartphone – or supersmartgeniusphone, if this works out.
What new frontiers of biological risk management will IT professionals face? Could your BYOD strategy get the flu?
by French Caldwell | October 10, 2012 | 1 Comment
Analyst Having a Major Rant
Dear Michael –
Good to hear from you. Thanks for sending me your latest blog post. I have to say though that when you rant you really do go ballistic — you want to throw six months of my work on the compost pile — ooh, that hurts. But I get it, it’s not me; you just don’t like magic quadrants.
Despite the negativity, you’ve got some interesting points — some valid, some inflated. So let’s take a look at your points:
1 — “There is no transparency or clarity on how vendors are scored.”
There are 12 criteria in the Magic Quadrant for Enterprise GRC Platforms. They are described in the research note, and the weightings are given as well. A client could take these criteria and do their own magic quadrant if they wanted. I’ve even had audience members follow the methodology during my presentations and score vendors in real time. It’s amazing how close they come to the analysts’ scores.
For more on how magic quadrants are created, see: “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market”
2 — “The current Magic Quadrant is a mile wide and an inch deep.”
My colleague John Wheeler and I worked for over six months with input from 19 vendors and 211 customer references to create an evaluation that is concise and readable. When using the magic quadrant, analyst advice can help clients to extract the details for each enterprise’s particular requirements, and to develop a decision framework for choosing which vendors are most appropriate for a given enterprise to consider — including vendors who are not leaders or who may not be in the magic quadrant itself.
Based on your rant you must not know this, but for the last two years we’ve followed up the magic quadrant with critical capabilities notes providing more details on how vendors rank in core use cases like audit management, enterprise risk management, financial reporting integrity compliance, and policy management. However, the number of use cases is growing rapidly — case management, regulatory change management, vendor risk management, anti-bribery compliance, privacy compliance, sustainability reporting, IT risk management, etc., are all use cases that we commonly see, and there are more. So this time, instead of critical capabilities notes, we’re following up with additional notes on audit management, vendor risk management, transactional controls monitoring, ERM applications and many more.
To meet the demand for the breadth and depth of risk management and compliance analysis, Gartner has enlarged our risk management team and our industries and supply chain teams have expanded their risk management and compliance research.
To see some of the new focus on audit, take a look at Khushbu Pratap’s research, and for enterprise risk management take a look at what Paul Proctor is doing with risk value management. We’re also expanding into related legal IT areas — besides e-discovery, where we’ve had a strong research base for some time thanks to Debra Logan and Shelia Childs, John Wheeler is addressing Enterprise Legal Management. And we have analysts leading research communities for privacy, Carsten Casper, and BCM, Roberta Witty.
Oh, gosh, I shouldn’t forget that Jacqueline Heng and John Wheeler are tracking the consultancies that support GRC services and have a Marketscope for Global ERM Consulting Services. Man — so much stuff ….
I could go on — but you get the point, right Michael — there’s an ocean of depth under that inch of magic quadrant.
3 — “Gartner has a script and gives a vendor a short time period to demo their GRC product to Gartner. They do not allow you to go off script – I have heard this from multiple vendors frustrated with the process.”
For two hours of one of 365 days in the year, we hold the vendors to a demonstration script. The vendors have the other 364 days of the year to communicate to us all the breadth and depth of the capabilities that they have and those are considered in the magic quadrant.
A vendor does not have to be a Gartner client to do a vendor briefing. They talk, they show us what they do, and we listen to them the rest of the year — but for two hours of one day, they follow our script. Michael, is that really unreasonable?
When establishing a baseline of capabilities for evaluation, we compare apples to apples. But the demo script is fairly open — any vendor who can’t find a place in it to demonstrate their best differentiators is slipping up.
By the way, we’ll share that script with Gartner clients who want to build their own customized script. We tell them to have the vendors follow their customized script first, but then to give the vendors plenty of time afterwards to demonstrate additional capabilities that were not in the script — just as we encourage the vendors to demonstrate their capabilities throughout the year — most take advantage of that open door, some don’t.
Everything we learn about the vendors over the course of the year is considered in the magic quadrant evaluation — not just the two hour demo, or the vendor questionnaire.
4 — “I also take issue with how Gartner defines and presents the GRC market. While they give lip service to a lot of areas of GRC throughout the document they assume that an EGRC platform is comprised of only the four categories of risk management, audit management, compliance and policy management, and regulatory change management.”
On one hand, Michael, you’re mixing markets with the core functions on the platform, and on the other hand with broad categories of related markets — what we call a marketplace. The Enterprise GRC Platform is just one of many GRC-related markets.
The Gartner “Hype Cycle for GRC Technologies” lists over three dozen technology markets. And then there’s the “Hype Cycle for Legal and Regulatory Information Governance” that lists over two dozen technology markets. For more background on how we view the broad GRC marketplace, take a look at “A GRC Marketplace Comparison Model, 2011 – 2013.”
You’ll find, Michael, that you and I are not so different in our points of view on the elements of the GRC marketplace — but with dozens of contributing analysts, Gartner just has loads of depth.
5 — “Gartner states that there are many businesses implementing a single EGRC platform.”
Michael — where’s the integrity, the transparency? That’s selective quoting. Here’s the full sentence from the magic quadrant (italics added): “Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs.”
So yes, there are often many solutions for specific compliance and risk management needs, but lots of enterprises are using the platform to get that holistic top level enterprise view for the board and senior executives. Otherwise, it’s not really enterprise, is it?
Okay, Michael — I hope this helps. I haven’t seen you in a few months, and I look forward to seeing you soon. I’d like to talk to you about my new GRC 4G concepts.
Cordially — French
PS — Remember the time in Rio when our hotel was taken over by an armed drug gang. Who’d have put that in their risk assessments? Fortunately we had skipped town! See ya on the circuit, buddy.
by French Caldwell | October 9, 2012 | 5 Comments
Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.”
SSAE 16 (aka SOC 1), like SAS 70 before it, is a standard focused on financial reporting integrity — a fact that Prolexic clarifies in a note at the bottom of its press release. To the extent that Prolexic’s customers must ensure that Prolexic has adequate controls to support Sarbanes-Oxley or similar rules, SSAE 16 is appropriate — but you have to read the press release carefully to glean that context.
However, Prolexic’s president Stuart Scholly went further and stated in the press release: “Completing these examinations assures enterprises that Prolexic has adopted relevant controls that are well designed and operating properly.”
That’s just not true.
SSAE 16, aka SOC 1, does not contain a list of control objectives. The controls to be audited are specified by the vendor and agreed upon by the auditor, so the results are not easily comparable between vendors. And the SOC 1 report is not supposed to be shared with prospects.
So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1.
SOC 2 and SOC 3, a short form of SOC 2 that can be used in marketing, do have a set of control objectives that can be objectively audited, and the results compared to other companies. INetU is an example that has used SOC 2 and SOC 3 to communicate its controls assurance. And the SOC 3 can be shared with prospects.
Now, Prolexic goes on to state that they have PCI DSS certification. Good on ‘em — PCI DSS is one of several alternatives for vendors who want to demonstrate effective controls. Other standards and certifications include ISO 27001 certification, Shared Assessments, Cloud Security Alliance, and many more.
For more on SSAE 16 (SOC 1), SOC 2, SOC 3, and alternatives see:
Cloud Security and Risk Standards, by Jay Heiser and Rob McMillan
IT Audit Standards, Frameworks, and Guidelines for Auditees and Auditors, by Khushbu Pratap
SAS 70 Is Gone, So What Are the Alternatives?, by French Caldwell
by French Caldwell | August 13, 2012 | Comments Off
Living inside the capital beltway, you meet all kinds of people who have jobs that just don’t have any equivalent anywhere else: like the lady I talked to last week who provides advice on safety issues associated with the modernization program for the nation’s nuclear weapons stockpile. I mentioned to her a recent GAO report about how the Navy is using risk management to support its strategic basing decisions for aircraft carriers, and I said it was welcome news to see the federal government starting to use risk management strategically. So we started talking about risk management for her program, and I asked her what the primary KPI, key performance indicator, was for nuclear weapons modernization. She said it was the number of incidents. Right then I knew we were going to have a disagreement on risk management.
You see, she was approaching risk management from a safety and security standpoint. That’s not helpful strategically, since if the number of incidents is the KPI, then the most effective way to achieve that KPI is to stop modernization. I suggested to her that the real KPI would be something that represented the time it took to achieve some milestone in modernization — it could be the time until the first new warhead was produced, or the time until the old stockpile was retired, or something in between that reflected the time to value of modernization. She was aghast that I of all people, a retired nuclear submariner, would not put safety or security first!
But — here’s the problem — if safety and security are first, then your business goals are secondary and potentially will never be reached. So I explained that her suggested KPI was really a KRI, key risk indicator. As illustrated in the Gartner Business Risk Model, to determine an acceptable risk threshold, the KRI needs to be compared to the key performance indicator. Over the thirty-year period of modernization, what number and severity of incidents can be effectively managed — what’s the acceptable risk index? As a nuclear weapons professional in my past life, I can tell you it is not zero.
It’s really tough for safety and security professionals to think this way — zero tolerance is a much cleaner concept. Anything short of zero tolerance implies that the safety and security people are not on the ball. But by not addressing the real risks, and the impact of those risks on performance, it’s impossible to determine which are the most significant risks to monitor. And thus a zero tolerance mentality increases uncertainty in the achievement of business objectives, rather than decreasing it — in other words, zero tolerance sets you up for a major incident.
by French Caldwell | August 3, 2012 | Comments Off
IT – The Existential Threat
With the growing number of business failures attributable to IT, it’s getting hard to keep up with them all. Who can forget the IT-enabled bungling of the Facebook IPO? And now we have the Knight Capital hash – where a mistake in a high frequency trading program has created an existential threat to the firm. IT-led business failure at RBS has also contributed to an existential threat, with government leaders now considering full nationalization.
Notably, the IT problems at Nasdaq, Knight and RBS were not IT security problems. Rather they were problems in the use or the quality of the software itself. Traditional IT security methods of focusing on threats and vulnerabilities, operational security, will not help in managing these types of systems risks.
In the Gartner CEO survey, just 9% identified IT systems and security risks as one of their top risk management priorities — and they were split half and half between the systems risks and the security risks. Since IT can maim or kill your business, perhaps corporate leaders need to think a bit harder about IT risks as business risks.
by French Caldwell | July 1, 2012 | 1 Comment
Risk management and compliance is a hot topic, and nowhere is it hotter than in banking. And with all the banking scandals which illustrate more and more risk management failures in banking, it’s easy to overlook a fairly innocuous story on how one bank is taking the leap into social media in a big way. Morgan Stanley has given the okay for all 17,000 of its financial advisers to use Twitter and other types of social media to communicate with clients. While the regulators have recognized that social technologies are legitimate tools for stockbrokers and other financial advisers to communicate with clients and prospects, there are pretty onerous advertising and marketing requirements on financial services institutions to prevent misrepresentation of financial products. These restrictions have led most firms to just avoid blogs, Twitter and other social media altogether. However, as social media are becoming the primary means for most companies to communicate with customers, financial services firms have to find some way to engage more effectively through social media and at the same time meet the requirements of the regulations. Congratulations to Morgan Stanley for being the first to break new ground!
by French Caldwell | April 5, 2012 | 1 Comment
For many years I’ve claimed that there are critical uncertainties of IT-led globalization that affect all business decision making: confidence in the connected economy, the pace of globalization, regulatory change, the nature of warfare, the race for resources, and social e-governance. It is to sustain growth in the face of these critical uncertainties that businesses must embrace enterprise risk management. I shared these thoughts recently on a NYSE-sponsored webcast, which is available for replay.
Of the six critical uncertainties, the most pressing recently has been the impact of regulatory change. If you are a banker at a large bank, regulators in the U.S. and U.K. have been in your face quite literally about ERM, but is this really the best reason to improve your ERM? According to the recent Gartner Global CEO survey, the greatest single category of business risk on the minds of senior executives is regulatory risk. Once again, is that the best reason to invest more in ERM? This focus on regulatory risk can cause an ERM program to become another compliance function focused on value preservation rather than on value creation.
A strong ERM program will place just as much emphasis on improving the business’ ability to achieve its growth objectives as it will on preserving current value. Understanding how risk affects business performance, that is knowing what risk-adjusted performance is for critical business objectives, is just as important as knowing what is being done to meet regulatory demands — more important really.