4% of your workforce.
On an ongoing basis!
This is what GRC tasks will exact from you if they are not managed well.
This is the magnitude of ‘things’ that an organization must deal with just to ensure it is in line with the generally accepted practices to keep its data and computing infrastructure safe and secure.
No wonder protecting the organizational digital asset base, and wondering whether everything that needs to be done is actually being done, is top of mind for every executive these days.
Boiling frogs?
I have been deeply involved in managing this issue for over 20 years, and even I did not think it would become such a gargantuan task. This may have been because it has crept up on me, like it has on all of us. Twenty years back, digital protection used to be 5 questions asked once a quarter.
In some ways I seem to have been like the proverbial frog in a pot of water that is brought to a slow boil but never thinks about taking evasive action. The temperature has been rising slowly to a level today where it seems to have reached a fever pitch… with no end in sight.
I hope you are not like me!
How gargantuan?
Let’s start with the number 8.
Depending on how you count, there are approximately 8 areas of operations that directly concern the safety and security of your information assets and infrastructure: areas like Perimeter Security, Data Security, Business Continuity, Incident Response, Human Resource Preparedness, Partner Readiness, Change Management, and AI leakage safeguards.
There are between 10 and 15 controls for each of these operational areas. That means as an organization you must deal with 120-150 controls for securing your information assets and infrastructure.
A quick check shows that a standard like ISO 27001 has about 150 controls across various domains. Keep in mind that the count of 150 is just a starting point, because there is a multiplicity of domains and controls from different standards and regulations like SOC 2, PCI DSS, HIPAA, HITECH, GDPR and many others. There are about 100-odd widely recognized such standards and regulations.
So… 150?
That doesn’t seem Gargantuan!
150 controls don’t seem to boggle one’s mind. Not until we think about what we apply these controls to, and…
If we apply them to our organizations, this is how it looks.
Let’s take a relatively small setup: a small company or a department of about 100 employees, with about 25 (computer) servers and 10 vendors for various services that require data handling. Each of the employees has 3 devices – a laptop, a tablet, and a phone – all of which are capable of storing data, and probably are.
About 10% of the controls apply to the organizational entity. 15.
Another 20% apply to people. 300.
And the balance 70% apply to servers and devices. About 34,000.
So… 35,000 things “to do”. Give or take.
Still manageable. Right?
Till you consider who will do these 35,000 odd things.
There are various people responsible for these tasks, and they are often assisted by different teams. Therefore, these tasks must be assigned to them, and the progress of these tasks must be managed.
In our experience, on average about 3 people are engaged with each. This means that these 35,000 to-dos touch about 100,000 work queues.
So… this is now starting to get serious – 100,000 to-do items across 3 work queues, if these tasks were to be done just once. But are they?
Of course not, there is more!
These controls are not applied just once. Depending on the control, they must be applied regularly over time and must be tracked.
Some of these controls are applied once in a year. Others on a quarterly, monthly, weekly, daily … or even more frequent basis.
About 10% of the controls are annual. 3,500.
20% are quarterly. 28,000.
50% are monthly. 210,000.
20% are daily or more frequent. 84,000.
Which means… 320K+ to-dos in one year.
Which means… 3.2M minutes, if one spends an average of 10 minutes per task, including planning, executing, gathering and storing evidence, and providing audit support for these tasks.
Which is 54K hours.
Which is 6,750+ man-days.
Which is almost 4 full-time employees.
In other words, about 4% of your workforce would end up being occupied on just compliance related tasks.
4% of productive time is a significant enough number to merit our attention. Yes?