India's GRC Challenge
MetricStream's Phalke on How to Grow the Practice
Governance, risk and compliance efforts have failed to evolve in the Indian marketplace, says Vidya Phalke of MetricStream. He believes most organizations lack a proper framework, and they must build a robust GRC culture.
MetricStream believes GRC must be used as part of a comprehensive enterprise risk management program and viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards.
Unfortunately, this is not so in India, says U.S.-based Phalke, chief technology officer at MetricStream, a GRC technology provider working closely with Indian R&D teams on "Make in India" GRC products for global consumption.
"While some large Indian institutions driven by regulatory mandates have adapted to GRC frameworks, a majority are yet to build a governance and risk culture," Phalke says.
"GRC is well-understood by Indian security professionals, a positive sign; but they haven't been able to create a framework articulating clearly how to run various business programs, in a way business can understand," he says.
In this interview with Information Security Media Group, Phalke discusses the lackadaisical approach to adhering to GRC. He also throws light on:
- Steps to drive GRC as a platform;
- GRC best practices for India;
- "Make in India" for GRC
As CTO, Phalke is responsible for MetricStream's technical architecture and strategy. Earlier, as vice president of product management and engineering at the company, he led development of its GRC software platform.
GEETHA NANDIKOTKUR: How do you see the evolution of GRC in India?
VIDYA PHALKE: From a distance, GRC doesn't seem much aligned with IT or security tasks across enterprises. But some large institutions with global presence have leveraged GRC to provide the business context necessary to improve asset and patch management, incident response and assessing the impact of changes in technical controls on business processes. However, most must build a GRC culture. A couple of things they can do:
- Create a framework on how to run various business programs in clear terms which the business understands;
- Tie programs to compliance and regulatory frameworks to make them secure;
- Create visibility of the processes among stakeholders.
The focus should be about how investments must be aligned with GRC strategies to get a holistic view of the processes and evolve risk evaluation methods.
NANDIKOTKUR: What constraints do security practitioners face in evolving governance and risk frameworks?
PHALKE: It's not about constraints, but the timing and pace at which security practitioners adapt to the GRC culture. Most organizations store huge amounts of records and information manually, or use easily accessible traditional methods; not on cloud or in any secured format with tight controls. Businesses don't realize the magnitude of loss if such information is leaked or the sophistication of attacks.
Most Indian enterprises adhere to processes and risk frameworks only when there's a financial audit. There's a lackadaisical approach, since mega events haven't occurred in India; besides, there are no regulatory mandates. However, Indian e-commerce companies face greater vulnerabilities where GRC practices are critical, given the volume of customer data compiled. CIOs and security teams must be time-sensitive and protect against mega breaches, not wait for one to happen.
Also, risk functions are not clearly defined, deterring formulation of a risk management strategy aligned to business strategy. While CISOs play a critical role, there must be someone at a global and enterprise level responsible for risk.
Technology and Governance Approach
NANDIKOTKUR: Where do you see the opportunity for India to leapfrog its governance and compliance infrastructure into the future?
PHALKE: An organization should follow safety procedures at the coding level. This sets the process right and secure. Technologies and platforms should be able to articulate the risk to business and financial loss; codification must be followed. Technology can be leveraged at the design and coding level, as a regulatory safety practice.
Practitioners can leverage GRC, which is nothing more than a big data issue which pulls together data from all endpoints and brings it together in a way that's meaningful to the business. This enables them to get alerts and apply the right resource to take action.
GRC is still nascent. Indian organizations will have the opportunity to use the tools to formalize a GRC program, to create a framework, vision and scope, prepare a document, create benchmarks, optimize processes for multiple domains, identify gaps, consolidate silos of information, and enable and align with stakeholders.
Best Practices for India
NANDIKOTKUR: How are security teams leveraging GRC in protecting organizations from cyberthreats? What best practices would you recommend?
PHALKE: Understanding about GRC exists. What's missing is the right approach. It's about learning from past incidents, taking serious note of deficits that led to them, understanding how new platforms like cloud influence organizational culture. Gauging the risk appetite and inculcating a risk culture is missing.
So, security practitioners must:
- Recognize that automating processes gives impetus for scaling up;
- Align GRC agenda with the organization's threat landscape;
- Share information between stakeholders and IT teams with precise reports on material risks and suggestions;
- Involve risk managers in the business strategy formulation stage to focus on strategic risks;
- Evaluate all modules of technology for better business processes;
- Understand that cost of poor compliance is huge;
- Have an executive at a higher level looking at all the risks for which security is critical.
'Make in India'
NANDIKOTKUR: Many start-ups are opting to make products in India. How do you size up the "Make in India" trend for GRC products?
PHALKE: There have been several discussions about "Make in India." It's not just about cost, but the ecosystem of creative people leveraging open source to work out effective GRC tools. Most enterprises are building Web applications, cloud applications and mobile-enabled solutions to be used on iPads and iPhones among various GRC frameworks. Indian researchers are capable of innovating end-to-end products more than those found in Silicon Valley.