Governance, risk, and compliance (GRC) and identity and access management (IAM) are two separate disciplines with different reporting structures and distinct goals. And yet, like many of our favorite things (milk and cookies, peanut butter and chocolate, or Netflix and our sofa), when they work together, the benefits are greater than the sum of their parts.
GRC is business-driven; its goal is to align risk management efforts to high-level business strategy, often reporting up to the CFO. IAM is more technical in nature, with IAM practitioners often reporting up to the CISO. Yet whether they realize it or not, the two groups have a symbiotic relationship. When collaborating and working together in lockstep, security and risk pros can do more together than they could alone, namely: (1) to set the rules for risk mitigation and more effectively comply with regulations — GRC territory — and (2) to enforce access rights, provisioning/deprovisioning of users, and automated approval workflows — IAM territory.
To manage risk effectively, organizations need a team that can understand risk, translate regulatory standards into their business, and ultimately drive and track this process with controls, documents, and evidence. That’s where the GRC team comes in. Yet the GRC team needs the IAM team to enforce the granting and revoking of access based on user roles and permissions defined in HR systems, Active Directory, or Lightweight Directory Access Protocol (LDAP), and to run the approval workflows for application owners and managers who need to sign off on access requests. Identity governance tools can also use automation to enforce separation of duties, perform ongoing access recertifications, and enforce distinct access control and authentication policies for employees and third parties.
The IAM team is focused on implementing and managing user access rights, but it cannot set the administrative and security controls correctly unless they are aligned to the policies set down by the GRC team. In fact, compliance shows up as the leading driver for purchasing IAM software. We get tons of inquiries from IAM teams rushing to buy an identity governance solution or privileged identity management solution because they got dinged by the auditors. Proper alignment with the GRC team would go a long way toward avoiding knee-jerk, reactive spending.
Parting advice: Make sure your GRC and IAM teams understand their symbiotic relationship and meet regularly to update and adjust when changes in regulations or company policy are coming down the pipe or when IAM systems are being retooled.
If your firm has a GRC/IAM success story, we want to hear from you!