Let's Talk IRM

Summary

In this episode, Jada Porter explains Integrated Risk Management (IRM), clarifying its meaning and importance in organizations. She discusses common misconceptions about IRM, emphasizing that it is not merely a tool or a checkbox exercise, but a comprehensive process that integrates various aspects of risk management. Jada outlines a four-part framework for successful IRM implementation, focusing on data, process, framework, and reporting integration, and encourages organizations to adopt a holistic approach to risk management.


Takeaways

The purpose of this episode is to explain what IRM is.
IRM stands for Integrated Risk Management.
IRM is not just a tool or a checkbox exercise.
Understanding IRM is crucial for successful implementation.
There are multiple meanings for IRM in different contexts.
A lack of understanding of IRM can lead to complications.
IRM involves integrating risk and compliance processes.
Successful IRM requires strong business and leadership input.
Four types of integration in IRM are essential for success.
Meeting users where they are is key to effective IRM.

What is Let's Talk IRM?

Let's talk IRM. The real stuff. Join Jada, a certified ServiceNow IRM practitioner, as she breaks down compliance automation, risk frameworks, and the strategies GRC professionals actually need. No fluff, no theory. Just real talk from someone who builds it. A SaaSCE Boutique Podcast.

Jada:

Welcome back y'all. So, let me be honest upfront. In this industry, in security or IT, there's an acronym for everything. I mean everything. And I remember when I first started out in this industry, I sat in my first meeting and I wrote down what seemed like about 13 acronyms that I was not familiar with.

Jada:

It's safe to say that by the end of that meeting, I was feeling completely overwhelmed and thinking, What have I gotten myself into? I hope some of you guys have connected with that or understand how that felt. But seriously, today in this space, IRM alone has its own set of different meanings and different acronyms, right? And so, at the top of my head, I can think of at least three. There's integrated risk management, there's information rights management, there's incident response management, and you can already tell they don't all mean the same thing.

Jada:

So, while we have so many different acronyms in this space, one thing that I do not want the viewers of this podcast going through is trying to clarify what IRM is Jada talking about. So, I've made it my goal for this episode to break down what IRM means, at least to me as a practitioner and what I've seen in the industry. By the end of this episode, I'm hoping that you will not only understand what IRM is and what it's not, but also why understanding integrated risk management is a part of implementing this process in your organization. A lack of understanding can lead you down a road of complications, and I'll get into those a little later. But without further ado, let's get into it.

Jada:

All right. So, before we jump into what IRM is, I want to start with what IRM is not. Let's get the negatives out the way first and break down what IRM is not, so that we have a clear path for what IRM is. So, starting with what IRM is not. It's not just a GRC tool rebranded, right?

Jada:

It's not some tool that you take your spreadsheets, your old spreadsheets that you've been using and implementing in the tool and call it done. That is not what IRM is. It's also not a checkbox exercise. It's not meant to be used only during an audit. So, whenever you have auditors come in, and you only use the tool when auditors come, that's not what IRM is.

Jada:

Lastly, it's not something you finish. A lot of times when organizations tie IRM with a tool, they have a project set up and think that, Okay, once we set up this tool, then we can say that we have an integrated risk management strategy. That, unfortunately, is not what IRM is. And honestly, let me break down those concepts a little bit deeper so you can understand why I say that. So, with the tool concept, it's not a tool because one of the biggest mistakes that I see is that once we purchase the tool, once we configure the tool, once we onboard all of our data into the tool, then we find ourselves not using the tool.

Jada:

We can have the best configured IRM application in the market, but no one's using it. Or people are using it by exporting spreadsheets from it and using spreadsheets still. That is not what IRM is. Moving on to the whole we'll adopt later approach. A lot of times I've seen organizations say, Hey, you know, we have this tool.

Jada:

You know, we have these groups interested in it. Let's implement the tool first. Then let's get to the different groups within the organization to implement. That, my friends, is not how you successfully implement integrated risk management strategy. Why?

Jada:

Because once you configure the tool, now you need to figure out how to adopt the tool. How do you get those business units to use the tool and actually make it more efficient for their processes rather than making it an inconvenience to them to relearn a tool, relearn how to do their processes, and then still grumble about, well, how does this make us better as an organization, right? So, those ideas may be controversial to some of y'all. And to top it off, I would also say that if I was given a scenario where I had to pick working with an organization that had the perfectly best IRM application or tool in the market, perfectly configured, or going with an organization that had maybe a mediocre tool, but had strong business and leadership input, I would choose the latter. I would choose that way because IRM is not just the tool that you implement or the tool that you show when auditors come.

Jada:

IRM, in and of itself, is a process. So, with that understanding, that kind of gets out the misconceptions on what IRM may be and allows us to open up the road for what IRM truly is. So, let's get to what IRM is next. When I say IRM, I am saying or referring to integrated risk management. Now, what does integrated risk management mean?

Jada:

It's literally the first word in the name, integration. We're literally looking at how we're integrating our risk and compliance processes. We're making our risk data more actionable. We're connecting compliance activities together rather than working in silos. So, when I say integrated risk management, I'm not just talking about a tool.

Jada:

I am talking about the platform, the process and the business units that are utilizing it together. Also, interchanging, integrating their processes together as a unit. So, to kind of dig a little deeper into what it actually is, I've kind of developed a four part framework that kind of breaks down what you would see in a successful integrated risk management strategy. Those four types of integrations are data integration, process integration, framework integration, and reporting integration. Now, I want to briefly touch on each portion of those different types of integrations that you'll see in a successful integrated risk management strategy.

Jada:

Starting with data integration. This is probably what's most familiar to those that are used to integrating tools between each other to pass information along to each other. But that's essentially what I mean when I say data integration. You're taking that source of where that data lives and you're integrating it into a platform that is feeding into all the data. So, for example, the SIEM tool that you might have.

Jada:

You'll integrate a lot of your security tools into a SIEM so that it ingests all of that data. Another example of data integration, commonly known, commonly aware of, and commonly practiced. Now, the other three types of integration may not be as familiar. So, starting with process integration. I'm talking about embedding your processes within your work streams.

Jada:

So, sometimes you might see a tool like ServiceNow IRM and think, Okay, I just need to integrate all my processes into that IRM application, and then I have an IRM strategy. That's not quite it, y'all. So, when I'm saying process integration, I am talking about meeting where your users are. So, for example, say you have a DevOps pipeline, right? Using GitHub or Bitbucket, right?

Jada:

You want to meet your IRM strategy where those developers are. So, what do you do? You want to integrate your DevOps pipeline with ServiceNow IRM. But you want your risk exceptions done at the pipeline. You want to set up documentation there where your developers can request to have an exception, send it for approval, which then can be sent to your IRM application that your risk team uses, have them review and approve it, and send it back to the developers where they are.

Jada:

This means that they're not having to go away from where they're using their tool to learn another tool just to get back to the work that they're doing. That's what I mean about process integration. We want to meet our users where they are and still keep visibility on our risk tracking. The next type of integration that you will see in an IRM strategy is framework integration. This is maybe commonly known for some, where you kind of have that attest one to many strategy, where you're an organization that you're managing several frameworks.

Jada:

There's ISO 27001, there's SOC 2 Type 2, there's Sarbanes-Oxley that you have to adhere to. All of these different frameworks and regulations, they have controls. And instead of attesting or responding to your ISO controls separately, then attesting to your SOC 2 controls separately, and then your SOX controls separately, we're looking at a common control framework that speaks to each of these frameworks, each of these regulations. We're more speaking to, you know, how the organization is getting the job done, and then mapping that back to the framework or the regulations that we're having to meet.

Jada:

This is a type of integration that not a lot of organizations participate in, but it can help immensely. If you develop your common control framework around your business first, and then map it to those frameworks and those regulations that you have to adhere to. It makes a big difference, y'all. Alright, so the last type of integration that I want to talk about is reporting integration. Now, this means that we are giving actionable visibility to those stakeholders that need to see what's going on.

Jada:

So, a tool like ServiceNow IRM gives you reporting capability. But essentially, we are now enriching our data and making it more understandable to those that need to report on what our risk status is. So, those metrics that connect to business outcomes, not just compliance status, but something that the executives can actually look at each day and it gives them information across their whole environment and not just one. So, we're not looking at four different reports from four different systems. We want those four different systems to provide a report that we can look at and keep it seamless and understand where our risk lives in our organization so that we can proceed with what we need to do next.

Jada:

So, I hope those four types of integration methods give you a better understanding of what an integrated risk management strategy really truly looks like and means behind the scenes. Now, this is just the foundation. This is just the start. In the next coming episodes, I want to dig a little deeper into each of those types and kind of how you would see those in a tool, while also incorporating your business goals and your business processes at the same time so that you're not just relying on the implementation of a tool to get you to an integrated risk management way of doing things, but how you can incorporate each of those types while also incorporating the business and having to mirror each other through your implementation process throughout as an organization. So, hopefully the information I provided today resonated with you.

Jada:

If you enjoyed the conversation, feel free to leave a comment. I definitely do plan to create more content. So, like and subscribe if you want to be notified on our next podcast talk. But thanks again, and I look forward to our next chat. We'll talk soon y'all.

Jada:

Bye bye.