
I hope some of these questions help if you are evaluating GRC solutions now, or when you do so in the future:

  1. What is the best GRC solution available for my industry?
  2. Am I using the appropriate IT GRC solution?
  3. How do I find out if I'm using an appropriate solution?
  4. How do I find out other solutions in the market?
  5. How do I find out what others from my industry are using?
  6. How do I find out about their experience with the solutions they use?
  7. Which are the strengths and weaknesses?
  8. What is their experience?
  9. Which are the most mature modules or solutions such as Risk or Compliance?
  10. Am I benefiting from all the features?
  11. How do I optimize my solution?
  12. Have I configured it correctly?
  13. How do I enable users to use the solution in a simple, easier and seamless manner?
  14. How do I get my users accustomed to the solution quickly and effectively?
  15. How do I get my vendor to support with a new feature if that could be useful to all others?
  16. Do I know shortcomings in the solution?
  17. Why did I not find out these shortcomings during product evaluation?
  18. Which are the unusable features?
  19. What is my vendor’s financial stability?
  20. What is my vendor's vision and road map for their solution?
  21. How long will my vendor support me for their solution?
  22. How can I get vendor agnostic opinion about various solutions?
  23. Is there an inexpensive way to learn about the current solutions?
  24. How do I reduce time taken to test and evaluate the shortlisted solutions?
  25. How far can I rely on my consulting partner given their partnerships & revenue pressures?
  26. How do I demonstrate value/ROI from the solution I selected?

Waiting to reach maturity before adopting a technology may prove to be an opportunity cost. When an organization starts their GRC program on a clean slate, use of a technology may be a better choice.

Any time should be a good time, irrespective of where the organization is on the GRC curve, provided that:

- There are well-articulated problem statements
- There is a benefit statement for every stakeholder
- There are well-articulated end results and key result indicators
- There is a strong management will to get the project off the ground, keeping productivity ROI in mind
- There is strong project leadership with milestones identified
- The right vendor is selected

Unfortunately, selecting the right vendor and solution has become such a complex process that it reflects on GRC itself as a complex discipline.

A good GRC tool should enable anyone to use it just like filing taxes online was made easier.

An organization exists to create value for its customers and hence its stakeholders:

- Through its products and services
- A set of people are responsible for delivery
- They depend on a set of assets/resources
- They perform a set of activities and/or processes
- Supported by a set of functions, etc.

Such organizational entities are dependent on each other and share a relationship that needs to be nurtured through coordination and collaboration.
Isn't GRC about identifying such relationships to facilitate coordination and collaboration through correlation, so that people can take decisions and actions to protect and enhance value?

Given the challenges involved in GRC programs, I wonder what the C really stands for:

C - Change Management

C - Coordination

C - Collaboration

C - Correlation (of various events, activities, programs, etc.)

C - Co-existence

C - Control

C - Consistency

C - Continuous

if so then C is Compliance

else

C  remains a Challenge

When it comes to GRC, there is no dearth of challenges. I believe organizational change management is one of the critical challenges, which must be faced in order to emerge successfully.

GRC being such an umbrella term, it lends itself to the idea that it's all about collaboration. Quite ironically, a "holistic" approach to GRC is often talked about, when GRC by itself is supposed to be holistic enough.

GRC has probably become one more silo. I think a better way to deal with change management is to harness what an organization does best. It may help demonstrate what GRC activities are already embedded within various processes and keep them as a baseline. That can give the necessary confidence to move to the next level.

GRC initiatives can effectively be used by senior management to make sure their organization remains "well-collaborated". Easier said than done!

Banks rely on usernames and passwords as a layer of protection and authentication to prevent criminals from accessing your accounts. However, researchers now show that your password, even a relatively "strong" one, might not be strong enough.

When you create a password and provide it to a website, that site is supposed to convert it to a "hash". As Ars Technica explains: "Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash; for instance, they must guess that '5f4dcc3b5aa765d61d8327deb882cf99' is the MD5 hash for 'password'."

Ars then ran an experiment with participants ranging from newbie technologists all the way up to expert hackers to see what they could do to crack the hashes.

“The characteristics that made “momof3g8kids” and “Oscar+emmy2″ easy to remember are precisely the things that allowed them to be cracked. Their basic components—”mom,” “kids,” “oscar,” “emmy,” and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.”

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations such as qwerty or asdfg. Don't use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like "John the Ripper" or similar programs.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Protect yourself:

  1. Make sure you use different passwords for each of your accounts.
  2. Be sure no one watches when you enter your password.
  3. Always log off if you leave your device and anyone is around; it only takes a moment for someone to steal or change the password.
  4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  5. Avoid entering passwords on computers you don't control (like computers at an Internet café or library); they may have malware that steals your passwords.
  6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop); hackers can intercept your passwords and data over this unsecured connection.
  7. Don't tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  9. Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
  10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! has 10 characters and says "I am happy to be 29!" I wish.
  11. Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard: it's a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy.
  12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? says "To be or not to be?"
  13. It's okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it's not apparent that it's a password.
  14. You can also write a "tip sheet" which will give you a clue to remember your password, but doesn't actually contain your password on it. For example, in the example above, your "tip sheet" might read "To be, or not to be?"
  15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
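The two technical points above, that a site stores a one-way hash rather than the password and that the easy-to-remember ingredients of a password are exactly what makes it weak, can be checked in code. The following is an added example, not part of the original article: it reproduces the MD5 value quoted from Ars Technica and implements the article's own rules as a small strength checker. The common-password list, keyboard rows and mini dictionary are constructed samples standing in for the much larger lists a cracker would use.

```python
import hashlib
import re
import string

# Constructed samples: the common passwords the article cites, keyboard rows for
# detecting runs such as "qwerty" or "asdfg", and a tiny stand-in for a word list.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123", "password"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
DICTIONARY_WORDS = {"mom", "kids", "oscar", "emmy", "princess", "password", "letmein"}


def md5_hex(plaintext: str) -> str:
    """One-way hash as the article describes. MD5 is used only because the
    article quotes it; real password storage needs a salted, slow hash."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def has_keyboard_run(pw: str, length: int = 4) -> bool:
    """True if any keyboard row segment of `length` keys (either direction) appears."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False


def built_from_dictionary(pw: str) -> bool:
    """True if any letter run of 3+ chars, forward or reversed, is a known word."""
    for run in re.findall(r"[A-Za-z]{3,}", pw):
        low = run.lower()
        if low in DICTIONARY_WORDS or low[::-1] in DICTIONARY_WORDS:
            return True
    return False


def password_issues(pw: str) -> list:
    """Apply the article's rules; an empty list means no rule was violated."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        issues.append("missing lowercase, uppercase, digit or symbol")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("in the common-password list")
    if has_keyboard_run(pw):
        issues.append("contains a consecutive keyboard run")
    if built_from_dictionary(pw):
        issues.append("built from dictionary words")
    return issues
```

Running `password_issues("momof3g8kids")` flags the dictionary word "kids" and the missing character classes, while the article's `Iam:)2b29!` passes every rule.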

While you must do your part to manage effective passwords, banks are working in the background to add additional layers of security to protect you. For example, financial institutions are incorporating complex device identification, which looks at numerous characteristics of the online transaction, including the device you are using to connect. iovation, an Oregon-based security firm, goes a step further by offering Device Reputation, which builds on complex device identification with real-time risk assessments. iovation knows the reputations of over 1.3 billion devices in its device reputation knowledge base. By knowing a device's reputation, banks can better determine whether a particular device is trustworthy before a transaction is approved.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock 'em dead in this identity theft prevention video. Disclosures.

Banks usually have relatively secure systems to maintain and protect online banking activities. They’ve spent billions to ensure that criminal hackers don’t liquidate all of our accounts. But criminals spend all their time seeking vulnerabilities and often find some way to make a fraudulent withdrawal.

Over the past decade, as we have all (mostly) banked and bought things online, criminals have formed organized web mobs to sniff out transactions, take over existing accounts and, in some cases, open new accounts.

American Banker reports an example of what can still go wrong: “the $2 billion-asset bank is suing Wallace & Pittman, a Crosstown law firm, to recover funds the firm relayed electronically to Russia after an email that purported to be from an industry group lured someone at the firm to surrender their user name and network password, the Charlotte Observer reported.”

The fraudsters used the access to install software on at least one of the firm’s computers that allowed them to hijack its account.

“Masquerading as Wallace & Pittman, the thieves instructed Park Sterling to transfer roughly $336,600 through JPMorgan Chase to a recipient in Moscow. The law firm asked Park Sterling to stop the transfer after receiving confirmation of it, but the request allegedly came too late.”

To defend against all of these hacks, the Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions adopt what is called a "layered approach" of anti-fraud tools and techniques to combat this type of crime. This means it is not simply a matter of applying a firewall and running anti-virus to protect the network, but going much deeper: protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification and builds on device recognition with real-time risk assessment, uniquely leveraging both the attributes and the behavior of the device.

Consumers still need to apply antivirus, antispyware and a firewall, must never respond to emails requesting usernames and passwords, and should avoid clicking links in emails.

As companies cut costs, and employees desire more freedom of choice, they increasingly bring their own mobile devices to work. The opportunity to eliminate the significant expenses associated with corporate mobile devices excites even the most staid CFO, and the IT guys are told to "make it work." This development has come to be known by its acronym "BYOD" (Bring Your Own Device).

Sometimes there is no enforced policy in place. Employees do what they want, and permission happens later, if at all. The nurse brings her personal iPad to the hospital and uses it to record patient data she sends via email to the doctor, in addition to reading a book during precious downtime. The salesperson plugs a smartphone into their work PC to charge or sync something, or check personal email over the corporate Wi-Fi.

Using your personal device in the office is convenient and simple, but it's not secure. Do you have anti-virus installed? Is your iPad's wireless connection encrypted? Is the app being used secure? What if the device is lost on the bus on the way home, the device with confidential patient information, emails, or presentations on it?

One of the IT Department’s deepest concerns is regulated data. Almost all businesses operate under some form of regulation where fines or penalties are imposed in the event of a data breach: the leak of personally identifiable information like names, addresses, account numbers, and health records.

Then there's the issue of your device breaking something else on the network. While your company's IT guy has a relative lock on all the work laptops, desktops, and even some of the mobiles, the IT department quickly loses control if you bring your new Droid or iPad and then connect it to the corporate network. Now the IT guy has to worry whether that last app you downloaded will infect other computers on the network.

No matter what you do, make sure whenever you use your BYOD on a wireless network that the device is protected. I use VPN specifically when I'm on my portable wireless devices. If I'm on my PC laptop, iPhone or iPad and I'm traveling on business, I know I'm going to be connecting to various free public Wi-Fi services at the airport and in my hotel or at a coffee shop. Before I connect to any Wi-Fi, I launch Hotspot Shield VPN. It's a free VPN, but I prefer the paid version; the expanded paid option is a little quicker and offers a cleaner interface. Either way, it's a great option that will protect your entire web surfing session, securing your connections on all your devices and eliminating some of the potential headaches for your IT department.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America.
