Aberdeen Group Report: Automated Compliance Platforms Emerging as Key Enablers to Effective Security Governance and Risk Management  

SOX News

(Dec 11, 2007) -- Companies that have developed superior capabilities in security governance and risk management have demonstrated an ability to improve the productivity of their existing IT resources, make faster decisions, optimize their business processes, and improve the visibility of the compliance function across organizational and geographic “silos.”

These findings are among the highlights of Security Governance and Risk Management: The Rewards of Doing the Right Things, and Doing Things Right, a comprehensive research report released today by Aberdeen Group of Boston, a Harte-Hanks company. Polivec, Inc. of Mountain View, provider of the industry’s first policy-driven Governance, Risk and Compliance (GRC) platform, co-sponsored the report.

“The ‘Best in Class’ companies identified in the report have all taken a number of strategic steps that have given them a leg up on the competition with respect to IT security. These same measures are equally applicable and necessary for success in the broader field of governance, risk management, and regulatory compliance,” said Polivec CEO Kim Nelson.

“We’re pleased to note that those measures all dovetail exactly with the approach we’ve taken in helping clients cope with the tremendous and growing burden of complying with hundreds of government regulations as well as with industry standards and practices,” he continued.

The report’s Best-in-Class Organizations compiled aggregate performance scores within the top 20 percent of those organizations surveyed by Aberdeen. Nelson cited the following accomplishments of these leading organizations and stated that the Polivec method for success in regulatory compliance specifies a virtually identical set of steps, such as:

* Charging a senior executive or senior team of executives with overall responsibility for security compliance, thereby elevating the function to an appropriate strategic level
* Building a sustainable compliance infrastructure through the automation and streamlining of business processes, as also described in Polivec’s recent whitepaper Achieving Efficient Governance, Risk and Compliance (GRC) through Automation
* Centralizing the collection and dissemination of regulatory and compliance information, and mapping risks and controls to relevant regulations and policies
* Ensuring that all employees know and understand what the company’s policies are, and why as employees they are required to perform their specified duties relating to compliance

While incorporating a technology-based compliance platform has emerged as a differentiator, the report also states that only one-third of the Best-in-Class organizations in the survey have developed such a platform to date. Use of “point” solutions and spreadsheet-based documentation is still the norm. “This presents a promising catch-up opportunity for organizations that realize they need to tackle the compliance issue but see it as overwhelmingly complicated and don’t know where to begin,” according to Polivec vice president Tom Grubb.

“As we have seen with our clients such as Banco Santander International and the State of Montana, and as the report also points out, the best way to get started is to zero in on one very specific, pressing problem and get a quick win that shows demonstrable results,” said Grubb. “Then with the solution, processes, and controls already in place, you can address additional problems when you’re ready. You don’t have to do it all at once or make a large upfront investment.”

Report author Derek Brink, Aberdeen’s vice president and research director for IT security, agreed, pointing out, “The Best-in-Class organizations covered in this study have a philosophy of ‘Crawl, Walk, Run,’ and they are starting to pick up the pace. They’re clearly starting to get ahead of the curve instead of reacting to every regulatory requirement individually. We’re witnessing their real and growing sense of ‘taking back the business’ from the tyranny of spending on compliance for its own sake, and not necessarily in direct support of their business objectives.”

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.