Making the Case for GRC
MetricStream's Caldwell Says GRC Goes Beyond Automation
Organizations today are increasingly global, operating in multiple jurisdictions and under multiple compliance regimes. The risk surface has grown accordingly, and tracking every risk and control through spreadsheets and email has become impractical.
"Getting out of spreadsheet chaos is the number one reason organizations opt for a governance, risk and compliance initiative," says French Caldwell, chief evangelist for GRC specialists MetricStream - a governance, risk and compliance cloud apps company headquartered in Palo Alto, California. "There is a well-defined need to automate beyond the spreadsheet when you find yourself being overwhelmed trying to manage these activities through spreadsheets."
Beyond this basic automation, which brings all of these activities onto a common system of record, there is the opportunity to identify and minimize overlap between controls, resulting in significant cost savings, he says. Auditing fewer, more consolidated controls lowers the cost of audit, and removing redundancy in compliance activities lowers the cost of compliance without compromising it - in fact, it improves it.
The third benefit is the marked improvement in confidence that a GRC program brings, Caldwell says. "You get more trust, more confidence when the executives can see that there is a clear certification and audit trail around your risk assessments and compliances and the reporting associated with it," he says. GRC today is also being used to align risk assessments with business goals and objectives, so that organizations can determine how key risk indicators affect key performance indicators, Caldwell says.
In this interview with Information Security Media Group, Caldwell shares insight on the GRC landscape globally and the significant returns that a successful GRC program can bring - especially in maturing markets such as India (see: India's GRC Challenge), and on how the line between enterprise GRC and IT GRC is blurring for the CISO.
Caldwell speaks about:
- The importance of GRC to business today;
- GRC in the context of disruptive technologies such as IoT and M2M;
- GRC opportunities in India.
Caldwell is chief evangelist at MetricStream. He has been shaping the GRC market for the past 12 years and is a former fellow and vice president at Gartner, where he led its GRC research, including the influential Gartner Magic Quadrant for GRC, as well as research into disruptive technology. In 2002 he also worked with the White House and the U.S. Naval War College to develop the Digital Pearl Harbor war game, the first strategic assessment of cyber war strategies. Caldwell is a retired naval officer and a former nuclear submariner.