
IT GRC, The Story - How do you do it? - Part 1 Cerberus Sentinel Blog

I was recently discussing IT GRC program implementation with the CIO of a growing, mid-sized software company when he presented the question, "But HOW do you do it? I mean, how do you get employees to follow the rules in a GRC program?" My response to his question...

Change resistance is perhaps one of the biggest hurdles companies face when implementing large, complex security and IT GRC programs. A phased approach to implementation is necessary because these programs, and the change that accompanies them, are not established or embraced overnight. IT GRC implementation is a process and an evolution. There is no magic switch; however, there are many magic "lessons learned" from having already implemented IT GRC programs, and they certainly speed up the process and improve the outcome.

We recommend that companies follow a top-down and a bottom-up approach simultaneously to drive IT GRC initiatives. After receiving expert guidance and coaching, executive-, director-, and staff-level management teams are equipped to become champions and cheerleaders of the program from kick-off forward. Next, a matrix team of process owners, control owners, and team leads should be established across the organization. The members of this matrix team become the champions and cheerleaders at their respective levels as the IT GRC security program is developed and implemented from the bottom up. Establishing department and employee performance goals, incentives, and individual and team recognition related to program success can also help motivate change. Following a top-down and bottom-up approach is essential to establishing immediate ownership of the program and mitigating the problem of change resistance throughout the organization.

To be continued...
