For GRC Decisions, Avoid The ROI Discussion If Possible . . . But If You Can't, Here Are Some Tips

This week we published the first in a series of reports I'll be writing to help clients calculate the return on investment of GRC technologies. This report, How To Measure The ROI Of A GRC Platform, outlines the key factors and suggested metrics to show what GRC can do for your organization. 

Of course, my first recommendation is to exhaust your arsenal of arguments before falling back into ROI terrain. GRC is about improving oversight, strengthening controls, and finding ways for the business to succeed within the boundaries of risk tolerance. But these board-level issues can quickly give way to questions of costs and savings... so it's good to be prepared.

The considerations for costs (software, hardware, maintenance, implementation, etc.) are not much different than other large IT projects, nor are the associated risks (requirements, scope, adoption, integration, etc.). What's tough is articulating the benefits. The report offers much more detail, but generally the success factors of a GRC implementation fall into three categories. These are:

  • Efficiency, which includes product and process consolidation as well as facilitation of processes such as policy development and distribution, risk and control assessments, incident/issue management, and data/report aggregation.
  • Risk reduction, which includes decreases in audit and examination findings, reduction in regulatory fines, faster remediation of issues, and the secondary benefits of these improvements, such as decreased cost of capital and lower insurance costs.

Dell To Acquire SecureWorks

Dell announced Tuesday its intent to acquire managed security services provider (MSSP) SecureWorks for an undisclosed amount. SecureWorks, which acquired VeriSign's Managed Security Services in July 2009, has been growing its business significantly over recent years. Dell, on the other hand, has been strengthening its services arm and moving towards a more solutions-centric approach. SecureWorks will continue to act as a separate business unit and will maintain its offerings, keeping its consulting and services intact. This deal was surprising but not shocking. As information security becomes an integral part of the infrastructure, large system vendors strive to build or buy security capabilities into their products and services. Here are our initial thoughts on the acquisition:

  • Dell builds a security foundation through SecureWorks' capabilities. Dell doesn’t have a strong security presence, and similar to the RSA/EMC acquisition, SecureWorks will become the security division of Dell. This acquisition will enrich Dell’s portfolio with a well-respected managed security services company with expertise in threat intelligence, infrastructure security, and strong customer service.
  • SecureWorks and Dell find new revenue streams through security offerings. Infrastructure security is becoming ever more important as organizations embrace data center consolidation and the cloud. SecureWorks' offerings will strengthen the business case for Dell while keeping customers secure. On the other hand, SecureWorks will find new industries and geographies beyond government, utilities, and retail services.