Transform Your GRC Strategy to Get the Most Out of the Cloud
Introduction by Mark Schwartz
In several earlier posts I discussed new strategies for governance in the cloud and the digital world in general. In the first, I talked about the kind of governance that requires standardization and rules. In the second, I wrote about governing projects and investments. The underlying point of these posts was that it’s one thing to move to the cloud, but another to fully realize its value for your business. As soon as you begin working in the cloud, you’ll realize benefits. But the cloud’s potential for delivering business value is vast. Once you’re operating in the cloud, the next step is to evolve your governance and risk management approaches to take advantage of the cloud.
In this post, John Thorp, from our AWS Security Assurance and Advisory practice, dives into Governance, Risk, and Compliance (GRC) and how AWS can help you evolve your practices in these areas.
In the words of John Thorp,
Senior Governance, Risk and Compliance Assurance Consultant,
AWS Global Professional Services, Security Assurance and Advisory Practice
Cloud is transformational. We say this a lot at Amazon Web Services—and not just in reference to how the cloud can transform technology, but how it transforms entire organisations. At AWS, we work with enterprise customers across a range of industries. We’ve noticed that the enterprises that maximize the benefits of the cloud are the ones that look beyond their IT and technology solutions for other ways to modernise their business.
Traditional governance, risk, and compliance (GRC) strategies can diminish or slow down the benefits you seek from your cloud and digital transformation programmes. By creating a new agile GRC strategy, you can realise the benefits from your cloud programme and digital transformation much more quickly.
In our experience, we have seen that 70% of challenges in cloud adoption are nontechnical, including the following:
- Corporate culture and values: Established enterprises are realizing that the corporate culture and values that helped them become leaders in their industry may need to be revisited and changed.
- Leadership development: Organisations are starting to realise that speed and agility require leaders who understand the new rules of engagement and are comfortable operating under rapidly changing conditions.
- Operating model: The traditional fixed operating model is giving way to a dynamic operating model that uses people, processes, and technology adaptively, to create solutions faster and provide better value for customers.
- Organisation structure: Siloed organisational structures are yielding to efficient, nimble, and customer-centric units that accelerate value creation and value delivery to customers.
- Decision-making and governance: The traditional top-down command-and-control method of making decisions is giving way to distributed decision-making and governance, supporting innovation across the organisation.
- Roles, skills, and career paths: The cloud has introduced new roles and new career paths, requiring new skills. Organisations must realign roles with these new demands.
- Compensation and incentive: Traditional compensation and incentive structures don’t usually enable organisations to become innovative and disruptive leaders in their industries. These structures must be changed.
When your business makes an investment in the cloud, it’s more than just an investment in your technology. It’s an investment in your organisation. Look beyond technology to your operating model, your GRC frameworks, and the culture of your organisation, so that you can adapt them for the cloud to help you become more agile and efficient.
Why Evolve Your GRC?
To establish GRC frameworks, enterprises have traditionally developed an array of programmes and departments such as Internal Audit, Compliance, Risk, Legal, Finance, IT, and HR, as well as the line of business, the executive suite, and the enterprise’s board itself. However, this traditional approach can be disjointed. When elements of the GRC framework are siloed, it is more likely that wrong or counterproductive objectives are established, suboptimal strategies are selected, and performance is not optimized.
According to OCEG, organisations that integrate GRC processes and technology across previously siloed areas report benefits such as:
- reduced costs
- reduced redundant or duplicative activities
- reduced impact on operations
- greater information and data quality
- improved ability to gather information and data quickly and efficiently
- greater consistency in processes and approaches
A good GRC framework ensures that the right people get the right information at the right times; that the right processes are followed; and the right solutions, using technology or otherwise, are implemented in a timely fashion.
How AWS Can Support the Evolution of Your GRC Framework
Your key to success is breaking down perceived silos or functional silos. Bring the people in the silos of the GRC framework, along with other key stakeholders, together. Create a shared vision and a shared understanding of the desired business outcomes. In doing so, you can drive collaboration to achieve those outcomes. This approach supports the transition to a more effective and efficient GRC framework.
You can start by making use of the AWS Cloud Adoption Framework (AWS CAF), which draws on experiences from a wide variety of enterprises in many industries. The AWS CAF explains that cloud adoption requires fundamental changes you should discuss and consider across your entire organisation. It’s important that your stakeholders across all organisational units—both outside and within IT—support these changes.
Going beyond the AWS CAF, the Security Assurance and Advisory team of AWS Global Professional Services has developed the Enterprise Security, Risk, and Compliance Blueprint (SRC Blueprint) consultancy offering to support enterprises in examining their GRC frameworks and developing those frameworks to help accelerate cloud adoption. The SRC Blueprint provides bespoke strategic guidance and dives deeper into security, governance, risk, and compliance for large enterprises that are migrating to the AWS platform with prescriptive recommendations specific to your enterprise. The SRC Blueprint provides executive education of the cloud and a simulation of the first two years of your cloud adoption journey, as well as a workshop to introduce executives to security concepts in the cloud and the shared responsibility model. The SRC Blueprint enhances your security framework and aligns your risk operating models and control frameworks with cloud technology.
Additionally, the SRC Blueprint addresses two important nontechnical challenges that slow down cloud adoption projects: a lack of end-to-end planning to mitigate cloud risks, and the slow pace of legacy GRC evaluation and approval processes. The SRC Blueprint provides end-to-end support for enterprises to align business goals with cloud security by defining a vision, strategy, and roadmap for successful cloud migration. It also delivers a cloud security strategy, a cloud-aligned critical decision framework, and a roadmap of security and GRC capabilities to achieve your cloud migration goals.
To discuss the SRC Blueprint further and how it can support you on your cloud journey, please reach out to your AWS contact, your AWS Security Assurance and Advisory team contact, or the AWS Security, Risk and Compliance Professional Services team. You can also contact me directly.
View your cloud transformation as broader than a technology transformation. Look beyond your IT department to the wider organisation and determine where you may need to make other changes to support your cloud transformation. Examining your GRC frameworks is a good place to start, since legacy GRC frameworks often hinder the success of your cloud adoption journey: they were designed for a different way of doing business and of serving your customers' changing needs. Moving to a new agile GRC strategy can realise the benefits from your cloud programme and digital transformation much more quickly.
- Governance in the Cloud and in the Digital Age: Part One
- Governance in the Cloud and in the Digital Age: Part Two
- Creating a Culture of Security, Mark Schwartz
- Scaling a Governance, Risk, and Compliance Program for the Cloud, Emerging Technologies, and Innovation
- AWS Security and Compliance Quick Reference Guide
- Security on AWS Executive Insights
Source: Results of a 2018 Executive Summit presented by Matt Wallburn at re:Invent 2018.