Data security is a significant consideration for consuming applications and services via the cloud and GRC as a service is no different. Data sensitivity is critical for companies or services where confidentiality is mandatory. The fact that we are discussing consuming GRC and security related processes as a managed service shows just how far the trust has grown within the arena of managed services. I deliberately use the term managed services here, as I believe “cloud” to be misleading in this case.
When it comes to security of data, I believe it important to split the discussion between cloud and managed services. With cloud, there isn’t really a difference from traditional on-premise deployments. Regardless of whether the solution is hosted in your own data centre or someone else’s, the requirements for securing the information remain the same. Business critical applications have been hosted on cloud-based servers for many years and, with the right level of encryption, they can be as secure as on a physical server.
Corporate applications are very rarely hosted on public cloud servers, so this comes down to an economic decision about whose data centre is best placed to host the application.
The question is whether GRC and security-related data is significantly more risky than any other corporate information stored in your enterprise applications. It is certainly considered sensitive due to the potential for reputational damage if the level of access risk or compliance failures became public knowledge.
If the GRC system is used to perform more tightly integrated operational tasks, such as automated user provisioning or continuous monitoring of key controls operating in the business processes, there is an increased risk of process disruption should the GRC system be targeted for attack. However, this does not prohibit putting GRC in a cloud environment any more than any other system. It just reinforces the need for a coherent end-to-end security strategy to ensure that your company assets and information are securely maintained throughout.
GRC as a Managed Service is a slightly different proposition. In this case, a third party supplier is being invited into a position of significant trust with a potentially business critical system. There is a long-standing precedent for this. It is rare to find a company that does not use a contingent workforce to support its needs. Similarly, it is very common to find some sort of outsourced function, either in a technical support capacity or performing a niche business function. Again, we should be asking whether GRC is significantly different to other applications.
Whilst Turnkey Consulting is offering a GRC service, the customer organisation still needs to retain governance, or at least to ensure, through SSAE16 (which covers the transfer of risk and responsibility alongside the operation of tasks) and similar due diligence requirements, that the supplier is capable and effective in operating such key business process steps.
Many companies have outsourced successfully and achieved significant benefits. In the same way as deploying on a cloud server, treating GRC as a managed service does not in itself represent a greater risk to the organisation. Instead, the focus needs to be on ensuring the supplier is the correct fit for your business and that the roles and responsibilities in the agreement are clearly understood by both sides. In addition, the supplier must fully understand the importance of the service they are providing and the sensitivity of operating as part of a compliance capability.
We do not see our GRC as a Service as a totally outsourced function, but rather as a platform and complementary services which reduce the need to duplicate the niche and expert skills that Turnkey Consulting can provide to your organisation.
Data security needn’t be a concern as long as you consider it properly and work with an organisation that truly understands it. However, there is more to consider.