I’ve mentioned the importance of turning over your GRC strategy to a point person, or better yet a team, but it isn’t easy.
Having real leadership in GRC isn’t just important for implementing the strategy. In my opinion, GRC leadership should be a security beacon for everyone within the company. However, a recent study shows just how much organizations are failing to promote a more data-secure environment. A Kaspersky report found that 88 percent of employees are mostly clueless about their company’s security policies, with nearly a quarter stating that the company doesn’t have any security posture at all.
You can have the best GRC framework in the world, but if your employees aren’t on board or don’t even know what it is all about, you are setting yourself up for a massive fail. The Kaspersky report added that this discrepancy could be particularly dangerous for SMBs, where there is no dedicated IT security function and responsibilities are distributed among IT and non-IT employees. Moreover, top management, HR and finance specialists – the folks who have access to their company’s critical data and are often those tasked with the GRC framework – are usually most at risk of being targeted by cybercriminals. As Vladimir Zapolyansky, head of SMB business at Kaspersky Lab, said in a formal statement:
The issue of unaware staff can be a major challenge to overcome, especially for smaller businesses where a cybersecurity culture is still being developed. Not only can employees themselves fall victim to cyberthreats, but they are also obliged to guard their company from those threats in the first place. In this regard, businesses should be educating staff and introducing easy-to-use – but still powerful – security solutions that make managing protection achievable for those who are not experts in IT security.
Is this something that should be built into the GRC strategy? Based on what I’ve read and learned, absolutely.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba