Many companies start assessing innocently enough in order to respond to government and/or industry regulations, laws, and certifications with all the right intentions. They want to be in compliance, protect their business, and hopefully use these as differentiators in the market.
Then begins the assessment process. Companies might start out with internal assessments or audits, or, if they have large and complex supply chains, they might start with third-party or vendor risk management. What they don't realize is that they have entered the trap, lured by the safety of being in compliance and “protected”. What follows is a painful and costly slide into the assessment trap, which is fraught with pitfalls every step of the way.
There are two strategy pitfalls when assessing, either internally or externally.
The first strategy pitfall is trying to do it manually, throwing people at the problem in the belief that this is cheaper: Excel spreadsheets, email with nested folders, or file-sharing accounts, all in a manual process that cannot scale.
The second strategy pitfall happens when firms throw technology at the problem. This results in a conundrum for the CISO, as we will discuss later in our blog series. This conundrum usually results in spending $1M+ for a large company or $100K+ for a small to mid-size company, for an all-encompassing, legacy GRC solution. This can take an army of consultants and lots of money to get it configured, deployed, modified as needed, and maintained.
In next week’s blog, we will cover what happens to the company that takes the “manual approach” and tries to solve the problem using legacy GRC systems.