ANX Corporate Blog

What does 2011 hold in store for your GRC program? My post on Tuesday, December 7th, defined my first prediction - Greater Focus on Risk Management Capabilities.

Read below for my second prediction for 2011 GRC programs.

Prediction #2 | Redeployment of Internal Resources

According to recent studies, risk and compliance functions spend the majority of their time on tactical administrative tasks. Indeed, studies show that as much as 62% of effort is spent on data collection versus 36% on analytics/risk mitigation, and 2% on other tasks. 

I’ve found that when tactical activities dominate a program, there are 3 main issues that arise – audit fatigue, low value outcomes, and low level of executive participation.

Audit fatigue: Let’s face it – facilitating an assessment...

Read more

It’s certainly not news that 2010 has been a tough year for organizations looking to establish and maintain an effective GRC program as they face the ongoing challenges of balancing GRC obligations with budget and resource constraints.  In 2011, as the number of applicable regulations and standards increase and organizations look to protect themselves against security breaches, I expect the importance of GRC to increase in the coming year. 

So, where should your organization start? Over my next five blogs posts, I will share my five predictions for what 2011 holds in store for your GRC program.

Prediction #1 | Greater Focus on Risk Management Capabilities

Although many pundits have predicted more focus on risk management for years, in my discussions with clients, I haven’t...

Read more

As part of my daily ritual, I search security news for interesting articles to see how other organizations are approaching compliance and risk management.  I stumbled upon this article from ITnew.com.au – How Woolworths made IT risk a business issue – and there was a quote that stuck out:

"It's easy to become [PCI DSS] compliant, but it's really hard to maintain compliance," [Peter Cooper, Woolworths’ risk manager] noted. "You see regularly companies that have PCI breaches; it's the sustainability that's really important."

I think this is partially true.  I disagree that becoming PCI compliant is easy.  Becoming PCI DSS compliance is only easy if you either designed your payments infrastructure to be PCI compliant from the beginning.  When this is not the case, becoming PCI...

Read more

Steve Akers, Director of Managed Risk and Compliance Services, to join GRC thought leaders in the Next Generation of GRC Products and Services Panel Discussion

Farmington Hills, MI – November 29, 2010 – TruArx®, a leader in cost-effective, easy-to-implement governance, risk and compliance (GRC) solutions, today announced that Steve Akers, director of managed risk and compliance services, will be speaking at the MIS Training Institute (MISTI) GRC 2010 Conference. Beginning November 30^th at the Omni Berkshire Place Hotel in New York City MISTI GRC 2010 is an exclusive two-day training conference covering essential components of a successful GRC strategy.

“Ensuring that security professionals are able to leverage the best tools and services in the marketplace to meet their...

Read more

HA! Remember when I said that Google Buzz posed a serious privacy flaw? Well, on Tuesday I received an email from Google personally! (Along with several million other users):

Google rarely contacts Gmail [or any] users via email, but we are making an exception to let you know that we've reached a settlement in a lawsuit regarding Google Buzz (http://buzz.google.com), a service we launched within Gmail in February of this year.

Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case.

The settlement acknowledges that we quickly changed the service to address users' concerns. In addition, Google has committed $8.5 million to an independent fund,...

Read more