GRC Thought Leaders Debate Enterprise Security Risk Management for Critical Infrastructure


Two-part webinar series featuring Doug Powell and Steve Hunt explores the need to converge Physical Security, IT Security and Risk Management, and Operational Technology.


Comparing and contrasting a CISO view and an industry analyst view, the debate explored the problem that Enterprise Security Risk Management (ESRM) for complex Critical Infrastructure (CI) requires a new methodology.

Modulo, a leading provider of Technology Governance, Risk and Compliance (GRC) solutions, today shared highlights from a two-part webinar series featuring industry thought leaders Doug Powell and Steve Hunt. Powell, CPP and PSP, is a Security Manager protecting critical infrastructure and working within the Canadian energy and utilities sector. He is also the Council Vice-President at ASIS International. Hunt, CPP and CISSP, is an industry analyst with Hunt Business Intelligence and a strategist spanning the breadth of the security industry: physical, homeland, and cyber security.

The debate's conclusion was that ESRM needs to converge the three common, yet siloed, elements of a CI environment:

1. Physical Security: Assessment methodologies do not include cyber risk.
2. IT Risk Management: Focuses on network-based anomalies only.
3. Operational Technology, such as SCADA or Industrial Control Systems (ICS): Risk management is nearly non-existent.

These key requirements emerged for ESRM in a critical infrastructure environment:

• GRC is the best starting point for a converged and integrated process and view
  o The GRC model applies equally to Physical Security, IT Security, and Operational Technology
  o GRC also provides a good inventory of assets and a way of assigning criticality to them, a process that is not done well today

• Real-time and intelligence-led inputs must drive risk management assessments and analysis in order to make risk relevant
  o Historical evidence and annualized loss events are not enough

• “An IT outage is as good as knocking out a tower”
  o IT infrastructure presents a risk where it supports operations in critical roles, such as energy management systems, head-ends, access control and video systems, or access to the Disaster Recovery process.

• People, Process and Technology are all equally critical
  o Need to protect people as well as protect against people
  o Need to consider that technology is embedded everywhere
  o Need to be careful not to remove key processes, since doing so can lead to disastrous consequences

• Advanced Persistent Threats (APTs) are the biggest concern
  o Also need to understand relationships to everyone else in the world
  o We could be a weak link to a higher-value target such as a nuclear device

• Adaptability and fluidity are key to ESRM success, especially in response to new threats
  o Need to respond to business needs and support business agility

The key debate that emerged was “What is more important: Risk, Compliance or Governance?”

According to Doug Powell, “This is all about GRC with a big ‘C’.”

“By ‘compliance’ I mean more than audits and regulatory frameworks. It is about every policy and standard that supports the organization’s objectives. It is a rules-based approach to security. It is about nurturing a culture of compliance and getting people to do what they are supposed to do every day. Lack of compliance is what will lead to the problems that we experience in our risk management strategy. Therefore risk is an outcome of effective compliance. And a strong governance layer drives the standards.”

Steve Hunt responded, “Ultimately I like ‘governance’ because it’s about making an organization run efficiently and effectively, and getting the best policies aligned with how the business actually works and how people actually work. We can’t have 100% compliance. That’s why we have a risk view.”

The common conclusion of the webinar is that there is a need for a unified GRC model to make the business run better. The speakers pointed to Modulo Risk Manager as an example of a potential platform for this unified model, in particular where it is being extended into a Command and Control model for the upcoming FIFA World Cup.

To hear the full recorded webinars visit:
Part I:
Part II:

About Modulo
Modulo is a leading global enterprise provider of Technology Governance, Risk and Compliance (GRC) management solutions. Modulo’s award-winning Risk Manager™ provides hundreds of organizations worldwide with the tools they need to automate the entire GRC management process to monitor, manage and sustain adherence to policy and regulations while reducing enterprise risk and complexity. Customers span the financial, health care, retail, manufacturing, higher-education, telecom, energy and government sectors and include BASF, BC Hydro, Commercial Bank of Dubai, Microsoft, New York University Medical Center, Synovus Financial, and Schlumberger. Modulo has earned industry recognition as a 2012 Innovator of the Year and “5-Star” product review rating for three consecutive years by SC Magazine.

Visit and follow Modulo on Twitter @Modulo_Intl.

Contact Author

Leslie Kesselring
+1 (503) 358-1012
Modulo Security - International Headquarters