Turning Risk into Returns
- From CIO Digest, January 2009 Issue
How can you turn operational risks into returns? It’s a matter of putting the right IT governance, risk management, and compliance (GRC) processes in place. And frequently, that’s not the most sought-after assignment.
“Being in charge of managing IT risk is often seen as being in the business of ‘no,’” says Scott Crawford, research director at Enterprise Management Associates. “That’s how a chief information security officer recently put it to me. But the alignment of IT governance, risk management and compliance is not the business of ‘no’—it isn’t a business inhibitor; rather, it’s actually a business enabler.”
A 2008 survey by the IT Policy Compliance Group confirms this observation.[1] Firms with better IT GRC results are also enjoying much better performance when it comes to satisfying customers and growing revenues and profits. They have 17 percent higher revenues, 14 percent higher profits, 18 percent higher customer satisfaction rates, and spend 50 percent less on regulatory compliance annually. “To put it simply, the principles of good IT governance, risk management, and compliance are actually the principles of good IT management,” Crawford says.
To succeed in IT GRC management, more than half of the 224 companies surveyed in one study on the subject have, in the words of a respondent, “turned process into a strategic asset.”[2] “They’ve adopted Information Technology Infrastructure Library (ITIL) standards,” Crawford says. “ITIL’s ‘three-legged stool’ is a foundation for successful IT GRC. People are an asset—but they can also be a vulnerability. To be successful, people need processes that guide them to the desired behavior and results and technology that automates the processes and makes them easy to perform consistently.”
Greg Malacane agrees. As a senior business analyst for The Alchemy Solutions Group, Malacane works with IT organizations to analyze and measure the business value they’ve achieved, or are projected to realize, from a given initiative or solution set. “In almost every study we’ve done in the compliance area, successful organizations are meeting challenges by centralizing, standardizing, and automating compliance tasks with technology,” he reports.
So if processes and technologies are key, which ones are proving most useful? How are organizations using them to turn risks into returns? Here are key lessons learned by three top IT decision makers.
Create a single sign-on
Risk: Access control is a fundamental in compliance. Imagine running a health plan where 4,000 clinicians take laptops into the field to visit 30,000 patients a day. Each patient visit requires a clinician to access multiple applications—and each application takes a different user ID and password. Some clinicians try to recall their sign-on information from memory and get locked out. Others write down their IDs and passwords on their laptops. This was a management challenge facing Larry Whiteside, Jr. when he became chief information security officer at Visiting Nurse Service of New York.
Process: “We developed a single sign-on capability,” Whiteside explains. “We let users log in once and gain access to multiple applications.”
Technology: Whiteside’s development team built the sign-on on the Lightweight Directory Access Protocol (LDAP): one directory holds each clinician’s identity, and the applications authenticate against it instead of each keeping its own user IDs and passwords. LDAP’s simplicity, extensibility, and multi-platform support made it a practical common denominator across the applications.
Returns: On a patient visit, clinicians sign in once—and then can devote their full attention to the patient. With 4,000 clinicians saving about 10 minutes a day, more than 3,000 hours a week are being reclaimed for patient care.
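As an added illustration, and not Visiting Nurse Service of New York’s code, the Python below shows two details a single sign-on front end built on an LDAP directory has to get right: any user ID placed in an LDAP search filter is escaped per RFC 4515 so it cannot alter the query, and once the single directory bind has succeeded the applications receive a signed, expiring session token rather than the clinician’s password. The attribute name `uid`, the `objectClass`, and the demo secret are assumptions.

```python
# Added example: two pieces of a single sign-on front end built on an LDAP
# directory. Not Visiting Nurse Service of New York's code; the attribute name
# "uid", the objectClass and the demo secret are assumptions.
import base64
import hashlib
import hmac
import json
import time

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_search_filter(user_id):
    """Filter that locates one clinician's entry; the ID cannot widen the search."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(user_id)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_session_token(user_id, secret, ttl_seconds, now=None):
    """After a successful directory bind, mint a token the applications accept.

    The token carries the user ID and an expiry and is HMAC-SHA256 signed, so an
    application can trust it without ever handling the password."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_session_token(token, secret, now=None):
    """Return the user ID if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    body, _, sig = token.encode().partition(b".")
    expected = _b64(hmac.new(secret, body, hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    padded = body + b"=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:
        return None
    return claims["uid"]


if __name__ == "__main__":
    # A hostile "user ID" becomes a harmless literal inside the filter.
    print(uid_search_filter("admin)(uid=*"))
    secret = b"constructed-demo-secret"  # assumption: would come from a key store
    token = issue_session_token("jdoe", secret, ttl_seconds=600, now=1000)
    print(verify_session_token(token, secret, now=1100))  # jdoe
    print(verify_session_token(token, secret, now=1700))  # None: expired
```

The filter escaping matters because a user ID such as `admin)(uid=*` would otherwise rewrite the query; the token design matters because each application then trusts the directory’s one decision and never stores or sees credentials of its own.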
See everything
Risk: What you can’t see, you can’t manage or remediate. “We have 60 locations and 4,000 endpoints in the field,” Visiting Nurse Service’s Whiteside reports, “but when I came here, we didn’t have any way to get security intelligence about the environment. We could only see what was going in or coming out the gateway.”
Process: Whiteside chose to automate the gathering and correlation of logs from all endpoints, firewalls, hosts, virtual private networks (VPNs), intrusion detection systems (IDS), directories, and applications.
Technology: Logs from Symantec Endpoint Protection on all desktops and servers feed into a LogLogic appliance, which in turn feeds into Symantec Security Information Manager. Meanwhile, Symantec Security Information Manager captures logs directly from network-based devices such as firewalls, routers, and switches. “Everything is correlated inside Symantec Security Information Manager, so I get a comprehensive correlated and prioritized picture of events occurring from the firewall to the desktop,” Whiteside says. “We get the view we need of what’s going on.”
Returns: Whiteside’s security team can focus on tasks more strategic than poring through logs. “It would take at least two full-time employees to check all the logs that are correlated and prioritized automatically now,” he says. “We get the network intelligence we need to make more informed decisions.”
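What “correlated and prioritized” means in practice is easiest to see in code. The Python below is an added example written for this page, not Visiting Nurse Service of New York’s SIEM configuration: it takes constructed log lines from three sources (a VPN gateway, the endpoint protection agent, and a firewall), ties each malware detection to the address the VPN assigned that laptop, and raises the priority when the host kept talking outbound after a detection the agent could not clean. The key=value log format, host names and addresses are all constructed.

```python
# Added example of log correlation across sources; written for this page, not
# taken from any product. The log lines are constructed in a simple key=value
# style; real products emit different formats.
import re
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2009-01-12T09:58:40 VPN user=rgomez host=LT-2231 assigned=10.8.14.23 event=CONNECT
2009-01-12T10:01:05 SEP host=LT-2231 event=VIRUS_FOUND name=Trojan.Generic action=QUARANTINE_FAILED
2009-01-12T10:02:10 FW src=10.8.14.23 dst=203.0.113.7 dport=6667 action=ALLOW
2009-01-12T10:03:22 SEP host=LT-0419 event=VIRUS_FOUND name=W32.Sample action=QUARANTINED
2009-01-12T10:05:00 FW src=10.8.14.50 dst=198.51.100.9 dport=443 action=ALLOW
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_line(line):
    """Normalize one line into a dict with 'ts', 'source' and its key=value fields."""
    ts, source, rest = _LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def correlate(log_text, window=timedelta(minutes=10)):
    """Turn detections plus follow-on network activity into prioritized incidents.

    An endpoint detection is tied to the IP the VPN gateway assigned that host,
    then matched against firewall ALLOW events from that IP inside the window.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    ip_of_host = {e["host"]: e["assigned"]
                  for e in events if e["source"] == "VPN" and e.get("event") == "CONNECT"}
    detections = [e for e in events if e["source"] == "SEP" and e.get("event") == "VIRUS_FOUND"]
    incidents = []
    for d in detections:
        ip = ip_of_host.get(d["host"])
        outbound = [f for f in events
                    if f["source"] == "FW" and f.get("action") == "ALLOW"
                    and ip is not None and f.get("src") == ip
                    and d["ts"] <= f["ts"] <= d["ts"] + window]
        if d.get("action") == "QUARANTINE_FAILED":
            # Malware still present; outbound traffic afterwards is the worst case.
            priority = "HIGH" if outbound else "MEDIUM"
        else:
            priority = "LOW"  # contained on the endpoint: worth a look, not a page-out
        incidents.append({
            "host": d["host"], "ip": ip, "threat": d.get("name"), "priority": priority,
            "outbound_after_detection": [(f["dst"], f["dport"]) for f in outbound],
        })
    incidents.sort(key=lambda i: (_RANK[i["priority"]], i["host"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc["priority"], inc["host"], inc["threat"], inc["outbound_after_detection"])
```

The point a practitioner should take from it is that none of the three sources is alarming on its own: an allowed outbound connection, a VPN assignment, or even a failed quarantine. Joined on host and address inside a time window, they become one high-priority incident, which is the work Whiteside says would otherwise take two analysts.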
To err is human, to automate divine
Risk: How do you know when an endpoint is infected? And if no one reports it, will it infect the rest of the network? That was the exposure at Singapore’s Energy Market Company, the operator of Singapore’s wholesale electricity marketplace. “The uncertainty wasn’t acceptable,” says James Ng, vice president of technology.
Process: Ng chose to automate the detection and isolation of infected endpoints using Symantec Endpoint Protection and Symantec Network Access Control. The infrastructure now denies a connection to any noncompliant device that attempts to connect to the network.
Technology: The endpoint protection solution identifies any infected device. The network access control solution immediately isolates an infected endpoint from the network. It also denies a network connection to any device that is not compliant with Energy Market Company security policies or current in its antivirus protection and patches.
Returns: An infected endpoint on Energy Market Company’s network is automatically isolated in seconds. “The user can’t do anything on the infected PC,” Ng says. “In the past the user may not have called us, and the infected PC could have gone unnoticed. With this system in place, there is consistency in the way we detect and remediate problems.”
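The admission decision such a gateway makes is worth spelling out, because the detail that matters is what happens when the endpoint says nothing. The Python below is an added example written for this page, not Energy Market Company’s policy or the product’s logic: it evaluates a constructed posture report and fails closed, so a missing, unparseable, or future-dated field counts against the device just as an active infection does. The thresholds and the report format are assumptions.

```python
# Added example of a fail-closed admission check of the kind a network access
# control gateway applies; not Energy Market Company's configuration. The
# thresholds, the posture report format and the sample reports are assumptions.
from datetime import datetime, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)   # assumption
MAX_PATCH_AGE = timedelta(days=30)      # assumption
MAX_CLOCK_SKEW = timedelta(hours=1)     # reports dated in the future are not trusted


def _age(stamp, now):
    """Age of an ISO-8601 timestamp, or None if it is missing, unparseable or in the future."""
    if not stamp:
        return None
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    if when - now > MAX_CLOCK_SKEW:
        return None
    return now - when


def evaluate_posture(report, now):
    """Return ("allow", []) or ("quarantine", [reasons]).

    Silence is not compliance: a field the agent did not report, or reported
    with a value we cannot trust, is itself a reason to quarantine."""
    reasons = []
    if report.get("agent_running") is not True:
        reasons.append("protection agent not running")
    if report.get("infection_active"):
        reasons.append("active infection reported by the agent")
    sig_age = _age(report.get("signature_date"), now)
    if sig_age is None:
        reasons.append("signature date missing or untrustworthy")
    elif sig_age > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures %d days old" % sig_age.days)
    patch_age = _age(report.get("last_patch_date"), now)
    if patch_age is None:
        reasons.append("patch date missing or untrustworthy")
    elif patch_age > MAX_PATCH_AGE:
        reasons.append("patches %d days old" % patch_age.days)
    return ("quarantine", reasons) if reasons else ("allow", [])


# Constructed sample data used by the demo below.
DEMO_NOW = datetime(2009, 1, 12, 10, 0, 0)
HEALTHY_REPORT = {"agent_running": True, "infection_active": False,
                  "signature_date": "2009-01-11T22:00:00",
                  "last_patch_date": "2008-12-30T03:00:00"}

if __name__ == "__main__":
    samples = [
        ("healthy", HEALTHY_REPORT),
        ("infected", dict(HEALTHY_REPORT, infection_active=True)),
        ("silent", {"agent_running": True}),  # agent up but reporting nothing
        ("clock-tampered", dict(HEALTHY_REPORT, signature_date="2009-02-01T00:00:00")),
    ]
    for name, report in samples:
        print(name, evaluate_posture(report, DEMO_NOW))
```

An agent that is up but returns no dates is the case that catches people out: an allow-by-default check would wave that device through, which is exactly the unreported infection Ng describes.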
Centralize endpoint administration
Risk: Quality, efficiency, and cost savings mean everything to Molina Healthcare. That’s because it’s a Medicaid managed care organization that delivers healthcare to over 1.2 million individuals and families in 10 states and 17 owned-and-operated medical clinics. Molina Healthcare has been meeting its challenges since 1980, and over the years several of its state plans have been rated best in the United States by a major news magazine.
“Our founder said this is the business of nickels,” says Sri Bharadwaj, director of infrastructure and operations. “Unlike commercial health insurers who can raise their rates if their costs go up, we can’t. The state governments tell us how much they will be paying. So, it is incumbent on us to leverage our administrative efficiency to keep costs low. We try to manage our medical costs, but control our administrative spending.”
A chief problem the IT team at Molina Healthcare faced was the complexity of managing endpoints for 2,300 employees in multiple states— and keeping them patched and protected compliantly.
Process: “We needed an easier management interface, with the ability to centrally manage all our endpoints,” Bharadwaj notes. “We needed a way to inventory them centrally and remotely, inspect their registries, install software, push out patches, and streamline our help desk.”
Technology: Molina Healthcare uses centralized standards management software to create and detect standards, assess technical controls, detect deviations, and remediate them. It also uses automated centralized helpdesk software and a client management suite for centralized, automated patch management and software management. The health maintenance network relies on Symantec Control Compliance Suite, Altiris Helpdesk Solution, and Altiris Client Management Suite for the above capabilities.
Returns: “We have 2,300 employees, and managing all our endpoints is now a part-time assignment for a single resource,” Bharadwaj says. “Had we tried to do all the management tasks on our own without the tools from Symantec, it would have required four or five employees working full time, all with a big travel budget.”
Get control of unstructured data
Risk: When employees create PST files to archive their email messages, the files are unmanaged, easily lost and corrupted, and difficult to search—creating multiple compliance and risk management issues.
Process: Molina Healthcare’s Bharadwaj chose to archive the organization’s email so that PST files are no longer needed. They’ve been banned. Existing PST files have been detected and migrated to a central repository where their contents are now indexed and easily searchable.
Technology: Bharadwaj’s team deployed an archiving solution using Symantec Enterprise Vault that enables employees to store, manage, and discover unstructured information across the organization.
Returns: At Molina Healthcare, 3,000 PST files were detected and ingested into a central vault using Enterprise Vault PST Migrator, where their contents are easily searchable. “By enforcing policies and managing storage requirements using write-once, read-many-times (WORM) technology, we have been able to maintain storage and allow for future growth without an increase in storage cost,” Bharadwaj says.
Centralize and encrypt that backup
Risk: “We had people managing backup tapes across our multi-state environment,” Molina Healthcare’s Bharadwaj says. “It was resource intensive and not consistent. If we needed to pull certain data, it was a nightmare to find the tape.”
Process: Bharadwaj and his team decided to centralize and automate backup and deploy encryption.
Technology: Molina Healthcare chose deduplication technology in the form of Veritas NetBackup and NetBackup PureDisk to reduce bandwidth and storage consumption. This enables centralized backup over the network without disruption to production. With the NetBackup Encryption options, data is encrypted both in motion and at rest.
Returns: “We’ve reduced backup costs by about 60 percent,” Bharadwaj reports. “We can recover a production application in two hours instead of 10 to 15 hours. And we have 256-bit encryption and centralized backup— making our data more secure and helping us meet governance, risk management, and compliance obligations.”
Follow through automatically
Risk: When monitoring compliance checkpoints, any manual system is vulnerable. “We can’t just depend on people alone for security and compliance,” says Energy Market Company’s Ng. “We have a small IT staff, and we need to count on automation and technology, not just people, to fulfill our compliance obligations.”
Process: Ng sought a way to make compliance monitoring consistent. “We have a 40-page statement of IT policies, and to ensure compliance, we have to translate that into action—into who does what, quarterly, monthly, yearly,” he observes.
Technology: The 40 pages of policies at Energy Market Company have been translated into an extensive Excel spreadsheet to track steps taken. But Ng and team have other plans. “We’re evaluating an automated system— in this case Symantec Control Compliance Suite. One of its advantages is that it will eliminate ambiguity. When there’s a compliance task to be done, an employee will be automatically reminded to execute it and management alerted until it’s done.”
Returns: Everyone will be able to focus on more valuable tasks. “Automation will relieve management from chasing the IT staff,” Ng says. “The software will do the work for us.”
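The reminder-and-escalation behaviour Ng wants from an automated system is simple to state and easy to get subtly wrong, so here it is as an added example written for this page; it is not Symantec Control Compliance Suite’s logic or Energy Market Company’s spreadsheet. Each policy obligation carries an owner, a cadence, and the date it was last recorded as done; a daily run works out who must be reminded, and a task that is past its grace period, or that has never been recorded as done at all, keeps management on the notification list until it is closed. The obligations, cadences, and grace period are assumptions.

```python
# Added example of policy-task reminders with escalation; written for this
# page, not taken from any product. The obligations, cadences, grace period
# and dates are constructed.
from datetime import date, timedelta

CADENCE = {"monthly": timedelta(days=31), "quarterly": timedelta(days=92),
           "yearly": timedelta(days=366)}
GRACE = timedelta(days=7)       # days past due before management is alerted
LOOKAHEAD = timedelta(days=14)  # how early the owner gets a reminder

# Constructed obligations; "last_done" is the last recorded completion, if any.
OBLIGATIONS = [
    {"id": "ACC-01", "task": "review privileged accounts", "owner": "sysadmin",
     "cadence": "quarterly", "last_done": date(2008, 9, 30)},
    {"id": "LOG-02", "task": "confirm all firewalls are sending logs", "owner": "netops",
     "cadence": "monthly", "last_done": date(2008, 12, 20)},
    {"id": "BCP-03", "task": "test a restore from backup", "owner": "sysadmin",
     "cadence": "yearly", "last_done": None},
]
DEMO_TODAY = date(2009, 1, 15)


def due_date(ob):
    """None for a task never recorded as done (it is due now); else last_done + cadence."""
    if ob["last_done"] is None:
        return None
    return ob["last_done"] + CADENCE[ob["cadence"]]


def classify(ob, today):
    """Return (state, notify) where notify lists who must be told today."""
    due = due_date(ob)
    if due is None:
        return "never_done", [ob["owner"], "management"]
    if today > due + GRACE:
        return "escalated", [ob["owner"], "management"]  # nag until it is closed
    if today >= due:
        return "overdue", [ob["owner"]]
    if today >= due - LOOKAHEAD:
        return "upcoming", [ob["owner"]]
    return "ok", []


def daily_run(obligations, today):
    """Produce the day's notifications, most urgent first."""
    order = {"never_done": 0, "escalated": 1, "overdue": 2, "upcoming": 3, "ok": 4}
    rows = []
    for ob in obligations:
        state, notify = classify(ob, today)
        rows.append({"id": ob["id"], "state": state, "due": due_date(ob), "notify": notify})
    rows.sort(key=lambda r: (order[r["state"]], r["id"]))
    return rows


if __name__ == "__main__":
    for row in daily_run(OBLIGATIONS, DEMO_TODAY):
        print(row["id"], row["state"], row["due"], ",".join(row["notify"]) or "-")
```

Two choices in the code carry the security weight: a task with no completion on record is treated as overdue rather than as “not yet scheduled”, and escalation does not stop after one alert, which is the “until it’s done” behaviour Ng describes.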
Who do you trust?
Progress can be quick—Molina Healthcare’s Bharadwaj has seen it. “A year ago, we identified gaps in governance, risk management, and compliance and put plans in place to address them,” he says. “We wanted to ensure that every desktop or laptop is protected, and every endpoint is managed appropriately from a central location, and all of this can occur without much disruption to the business. That was our vision. And we’ve made great progress in the past nine months.”
Now Molina Healthcare has the classic three legs to the stool, says Bharadwaj: “People and processes might not always sync up, but to a great extent, we’re using technology to automate, managing risk and guiding people into compliance in whatever they do.”
Energy Market Company’s Ng has another way to sum this up. “In people alone, because everyone is human, we can’t put our full trust,” he says. “But when people, process, and technology are integrated—we can.”
[1] “New Research Shows Benefits of Improving IT GRC Practices and Capabilities,” announcements, www.itpolicycompliance.com, May 15, 2008.
[2] Scott Crawford, “EMA’s 2008 Survey of IT Governance, Risk and Compliance Management in the Real World,” Enterprise Management Associates, Inc., www.enterprisemanagement.com.
Alan Drummer is Creative Director for Content at NAVAJO Company. His work has appeared in the Los Angeles Times, San Francisco Examiner, Create Magazine, and on The History Channel.