Information Security GRC vs Information Technology GRC – Who Owns It?

Do you consider IT governance, risk and compliance (GRC) a function of IT or Information Security (IS)? It’s a fundamental question that could impact the success of your program. For one, it can dictate who has decision-making, accountability and jurisdiction over the tools you use to manage IT-GRC.

Confusion about ownership often arises because the industry analysts long ago coined the term  ‘IT-GRC’ even though the majority of the GRC matters involve information security and privacy.

It’s safe to assume that most CISOs would say IT-GRC issues belongs under their domain because they inherently involve the handling of sensitive data. There are significant downstream implications if data isn’t managed appropriately. IS teams are experts in this area; typically not IT.

Things to consider when deciding who owns GRC:

  • What functional area is best equipped to handle sensitive information that includes privacy incidents and compliance?
  • In the event of a security incident, which functional are is best equipped to deal with it?
  • When it comes to information privacy, which functional area is accountable?

When deciding on the right GRC tool, consider the following:

  • Was the technology developed to manage IT related activity (ticketing, cases, etc.) or InfoSec related activity (assessments, risk rankings, security incident management, etc.)
  • Does the technology accommodate intricate role access rights and capabilities and complex workflows?