Archive for July 17th, 2008

Sponsored Posting: What is GRC and why should I care?

July 17th, 2008

Sponsored by Neupart, the ERP of Security

Governance, Risk Management and Compliance (GRC) could arguably be nominated as the buzzphrase of the year. Analysts, vendors and the media are touting GRC as a key overarching strategy to transform the modern corporation. What is GRC and is it useful to your business?

As popular as GRC seems to be, it defies an easy and universal definition. The conventional wisdom is that the organizational overhead from onerous governance requirements and a checklist approach to compliance hurts the organization, making it less secure and less competitive. We recommend that you think of GRC as aligning and integrating each of the three components to improve the quality of results each component provides. OCEG, a non-profit association championing GRC, uses the term “Principled Performance” to describe this concept. PwC, who first coined the term, uses “Integrity-Driven Performance”.

There clearly is some logic and common sense embedded in the definition. Take the example of a vulnerability assessment of IT assets that must be conducted for compliance purposes. A vulnerability assessment of a large enterprise will typically create a huge report of compliance tasks that will be difficult to accomplish. Using risk management can help cut down the tasks to those that really matter, streamlining compliance.


Black Hat - more than an excuse to get wasted

July 17th, 2008

Bill Brenner posted an entry at CSOOnline, Black Hat and the Hype Machine. Bill is a good guy and I think he generally came to the conclusion that the event is worth the hype. The devil’s advocates say that the event is overly hyped, and point to several front page vulnerabilities that have come out of the event that haven’t amounted to anything.

I look at it from a different perspective, and I have a hard time thinking of significant security breaches of a technical nature that I didn’t first see the groundwork of at Black Hat. It is not as simple as crystal-ball sessions called Attacks 2012, but if you connect the dots, the zero-day vulnerabilities, web hacking and virtually everything else has been pretty well laid out. There are several other good events, like CanSecWest, so I don’t want to single out BH for kudos, but a security event can’t control the type of hype created by the mainstream media, which is still very one-dimensional about information security.

Although I do very much like Vegas and might not go to it if it were held in Outer Mongolia (are the Pussycat Dolls there?), I actually plan on attending sessions. How about you?

