“A platform won't change your culture.” This was a great quote by our COO, Stephanie Goetz, at our last offsite team meeting.
While I can't remember the exact conversation that spurred that quote, I do know that we get a lot of financial institutions that come to us with broken dreams of a GRC system that was supposed to take care of their entire information security program. They are several years in and realize that they still operate in the same way: they still have uncertainty and a lack of communication, and the workload isn’t a whole lot better.
I love that quote: “A platform won't change your culture.”
Don't get me wrong, there are banks at the maturity level where they have established a culture and they have all the pieces moving together. At that point, what they really need is something to help keep track of it all, and that’s the perfect time to look at a GRC, or a “platform”.
But there are far too many banks that were sold a bill of goods stating that if you just sign on with this tool, everything's going to be taken care of. Everything's going to be a lot easier. It does the work for you.
Unfortunately, it’s not that easy – and many banks are finding out the hard way.
Anyone that works with me knows that I like to use analogies to explain concepts and thought processes. This one comes to mind in this situation:
Building an information security program is like building a house.
For banks that don't have the leadership in place to manage their information security program, purchasing a GRC platform is like buying a set of tools (hammer, drill, saw, level, square, etc.) and hoping that now you're ready to build your own home. We all know that’s ridiculous – it’s more than having the tools. You have to have blueprints, knowledge on how to build a house, the skills to properly use the tools, AND the time to do the work. The tools make it easier and faster, but they won’t do the work for you, and they certainly don’t make you an expert on home construction. The tools don’t equal a house.
In the same way, a GRC is a toolset; it does not equal an information security program.
Let’s stay with that analogy. For an experienced carpenter who can read blueprints and has built houses before, those same tools can build an amazing house – and they help that carpenter do a better job and be more efficient.
In the same way, for your bank’s CISO or virtual CISO, who has the structure in place and has built information security programs before, the right platform can do the same thing.
I would caution you on this: just as you wouldn't go to the carpenter you've hired to build your house and say, “Hey, I bought you a bunch of tools; I want you to use these,” you should be careful about going out, buying a GRC platform, turning to your CISO and saying, “Here you go; I bought you some tools, now go build me an information security program.”
They need to have some buy-in.
I don't have anything against GRC platforms. There are some good ones out there. Heck, we even have our own systems that we use to manage all of our customers. But you have to understand that it is just a tool. And just like any other tool, it needs to be in the hands of someone who knows what they're doing with it.
Going back to the title of this blog, understand, too, that a tool is not going to fix all the other things that are going on that are making it hard for you to have a good information security program.
Specifically, culture.
If you think you're going to try to fix human problems with technology, i.e., a platform, you have a really long road ahead of you.
If you ever have any questions on establishing a culture of security, building, or maintaining an information security program, or just want to know more about how we help banks be more secure, please reach out to us at support@bedelsecurity.com.
We will help you in any way we can!
Additional Resources:
5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport
Culture Counts
https://www.bedelsecurity.com/blog/culture-counts
What Does it Mean to Be a Good Partner?
https://www.bedelsecurity.com/blog/what-does-it-mean-to-be-a-good-partner
Culture of Security: Critical Conversations
https://www.bedelsecurity.com/blog/culture-of-security-critical-conversations
Change, Conflict, and Culture
https://www.bedelsecurity.com/blog/change-conflict-and-culture
5 Things to Consider Before Purchasing a GRC Solution
https://www.bedelsecurity.com/blog/5-things-consider-purchasing-grc-solution