According to the Verizon Data Breach Investigation Report, over 285 million personal records were compromised last year in 90 confirmed security data breaches. If each lost record represented one person, then 93% of the U.S. population had their personal data lost, stolen or exposed.
So, how are data breaches related to IT GRC? Personal data is protected by various regulations, standards and best practices such as HIPAA, PCI, and numerous other Federal and State privacy laws. Lapses in security are a violation of those laws and could result in fines, bad publicity and follow-up incident reporting and mitigation plans, all of which can have a significant direct and indirect financial and reputational impact on the organization.
Being compliant with a standard or best practice is great, but it is NOT a guarantee of protection. IT GRC also entails doing risk assessments to ensure policies, procedures and security measures continue to protect valuable data assets. In a blog post, Arno Kapteyn describes the importance of integrating IT security with the information/business owners:
"This new IT security function can be defined as 'the function responsible for discussing the information risks with the information owner and designing, implementing and assuring the risk responses for the IT domain.'"
In another example, Robert Whiteley writes in a blog post:
"Your challenge is to rethink the role of security within your enterprise by finding ways to get close to the business; create efficiencies with governance, risk and compliance (GRC); establish the right set of priorities; and implement an architecture that responds to these security shifts."
I agree with the statements from both posts. IT Security must be integrated with the business, thus creating a more transparent and effective GRC program. But how can that happen? Security is a huge domain that includes topics like Identity and Access Management, Segregation of Duties, Role Management, Records Management, Threat Management, Data Loss Prevention and many more. How can one GRC platform deal with all the security topics?
Philip Howard, in his post "GRC is not enough," says that today's GRC vendors don't recognize all types of risks and thus fall short in areas like cyber attacks. Philip is right. Today, most end users would be hard-pressed to find a single vendor that represents the best of breed for all the security products on the market, across the many security domains I noted above. But I think GRC vendors (CA included, of course) are listening and they "get it." There is a growing need for customers to be able to obtain data from the host of security solutions they use, giving them a single, central dashboard for all of their governance, risk and compliance data. This is the next wave of development in the world of GRC+S.
Am I living in a GRCS dream world? Imagine real-time dashboards that show:
- Percentage of computer user accounts assigned to personnel who have left the organization
- Average time elapsed between vulnerability discovery and implementation of corrective action
- Percentage of mobile computing devices using encryption for critical information
- Percentage of security management roles properly assigned
- Put your desired dashboard here
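As an added example (not code from the original post), here is how three of those dashboard metrics could be computed from the kinds of exports a GRC platform would pull in. The HR roster, account inventory, vulnerability tracker and device inventory below are constructed sample data, and the employee ids, account names and dates are invented.

```python
"""Compute three GRCS dashboard metrics from constructed sample data:
orphaned accounts, mean days to remediate, and mobile device encryption."""
from datetime import date
from statistics import mean

# Constructed sample data: every id, name and date here is invented.
HR_ROSTER = {                      # employee id -> employment status
    "e100": "active", "e101": "active", "e102": "terminated",
    "e103": "terminated", "e104": "active",
}
ACCOUNTS = [                       # (account name, owning employee id)
    ("jsmith", "e100"), ("adoe", "e101"), ("svc_backup", "e102"),
    ("mlee", "e103"), ("rkim", "e104"), ("tmp_admin", "e999"),  # e999 unknown to HR
]
VULNS = [                          # (finding id, discovered, fixed or None if still open)
    ("V-1", date(2009, 1, 5), date(2009, 1, 15)),
    ("V-2", date(2009, 2, 1), date(2009, 2, 3)),
    ("V-3", date(2009, 3, 10), None),
]
DEVICES = [("laptop-1", True), ("laptop-2", False), ("phone-1", True), ("phone-2", True)]


def orphaned_account_pct(accounts, roster):
    """Share of accounts whose owner has left or is unknown to HR.
    An owner missing from the roster counts as orphaned (the safer default)."""
    orphaned = [name for name, owner in accounts if roster.get(owner) != "active"]
    return 100.0 * len(orphaned) / len(accounts)


def mean_days_to_remediate(vulns):
    """Average days from discovery to fix over closed findings, plus the
    number still open, which an average alone would hide from the dashboard."""
    closed = [(fixed - found).days for _, found, fixed in vulns if fixed]
    open_count = sum(1 for _, _, fixed in vulns if fixed is None)
    return (mean(closed) if closed else None), open_count


def encrypted_device_pct(devices):
    """Share of mobile devices reporting encryption enabled for stored data."""
    return 100.0 * sum(1 for _, encrypted in devices if encrypted) / len(devices)


if __name__ == "__main__":
    print(f"orphaned accounts: {orphaned_account_pct(ACCOUNTS, HR_ROSTER):.1f}%")
    avg_days, still_open = mean_days_to_remediate(VULNS)
    print(f"mean days to remediate: {avg_days:.1f} (open findings: {still_open})")
    print(f"encrypted mobile devices: {encrypted_device_pct(DEVICES):.1f}%")
```

In practice each input would come from the corresponding system of record (HR, the directory, the vulnerability scanner, the MDM), and the open-findings count is worth showing next to the average so a backlog cannot hide behind a good mean.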
The GRC acronym may morph to GRCS, but you shouldn't wait for that. With or without my "GRCS Dream Dashboard," rethink the security role in your organization by getting closer to the business. There is a new wave of regulations on the horizon. We don't know what the actual regulatory requirements will be tomorrow, but it would be practical to start thinking about and building your (integrated) GRCS function today.