Where's the "S" in IT-GRC?

By Don Gray and Jon Heimerl, Network World, 05/21/2008
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Software suites that integrate governance, risk and compliance tools (usually referred to as IT-GRC) are being hyped by vendors and abetted by analysts as the next great wave of IT management solutions.

Combining these functions under one roof, IT-GRC packages promise to enable corporate management to ensure the organization is meeting enterprise risk-management goals and complying with requirements set by regulators and business partners.

But just as the best financial-management systems and a bevy of auditors have not substantially stopped the flow of financial malfeasance and misconduct, this promise will also fundamentally miss the mark without directly addressing the issue of security.

As evidenced most recently in the Hannaford data breach incident, where an estimated 4.2 million payment card holders had their trust violated through a security flaw, an organization can have a risk-management program and a compliance program and still not be secure.

Hannaford, according to public statements, used an IT-GRC package to manage its risk and compliance program, had undertaken and passed outside assessments and audits, and from all outside appearances, had been doing “the right things.” But if having a risk-management and compliance program nets the organization a very public and costly data breach, what is the point? How many dollars spent on those programs would have been better spent on addressing the fundamentals of security?

After the breach was publicized, Hannaford President and CEO Ronald C. Hodge said in a statement: “We have taken aggressive steps to augment our network security capabilities.”

Section 4.1 of the Payment Card Industry (PCI) Standard reads: "Encrypt transmission of cardholder data across open, public networks," and goes on to say "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit."

Is it “reasonable” to believe that internal networks are significantly less vulnerable to attack than public networks? Yes. Is it actually true in the real world of the large distributed network? Probably not.
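To make the gap between the letter of a requirement and actual exposure concrete, here is an added example (not from the article or from Network World) that evaluates a constructed inventory of cardholder-data flows two ways: once against the literal scope of PCI DSS 4.1 (unencrypted cardholder data only matters on open, public networks) and once against a security standard that treats every hop as hostile. The hostnames, flows and the `Flow` record are made up for illustration; the point is that the same inventory can pass the first check and fail the second.

```python
"""Constructed example: a cardholder-data flow inventory checked two ways.

compliance_findings() applies only the literal wording of PCI DSS 4.1
(encrypt transmission across open, public networks).
security_findings() requires encryption on every hop that carries
cardholder data, internal or not.
Every hostname and flow below is invented for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    network: str        # "public" or "internal" (assumed two-way classification)
    carries_pan: bool   # does the flow carry primary account numbers?
    encrypted: bool     # is transport encryption (TLS, IPsec, ...) applied?


# Constructed inventory: a store terminal talks to an in-store switch in the
# clear, the switch forwards to the payment gateway over a TLS-protected
# public link, and an unrelated inventory lookup carries no card data.
FLOWS: List[Flow] = [
    Flow("pos-terminal", "store-switch", "internal", carries_pan=True, encrypted=False),
    Flow("store-switch", "payment-gateway", "public", carries_pan=True, encrypted=True),
    Flow("pos-terminal", "inventory-db", "internal", carries_pan=False, encrypted=False),
]


def compliance_findings(flows: List[Flow]) -> List[Flow]:
    """Flows that fail the literal scope of PCI DSS 4.1: cardholder data
    sent unencrypted across an open, public network."""
    return [
        f for f in flows
        if f.carries_pan and f.network == "public" and not f.encrypted
    ]


def security_findings(flows: List[Flow]) -> List[Flow]:
    """Flows that fail a security standard: cardholder data sent unencrypted
    on any network, because an internal segment is not assumed to be safe."""
    return [f for f in flows if f.carries_pan and not f.encrypted]


def summarize(flows: List[Flow]) -> dict:
    """Return a small report so the two results can be compared side by side."""
    return {
        "compliant_with_4_1": not compliance_findings(flows),
        "secure_in_transit": not security_findings(flows),
        "cleartext_cardholder_hops": [
            f"{f.source} -> {f.destination} ({f.network})"
            for f in security_findings(flows)
        ],
    }


if __name__ == "__main__":
    for key, value in summarize(FLOWS).items():
        print(f"{key}: {value}")
```

Running it against the constructed inventory reports the flows as compliant with the quoted wording of 4.1 while listing the terminal-to-switch hop as cleartext cardholder data, which is the situation the article describes: the program can be green while the foundation is not.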

Compliance is not security, and risk management does not automatically provide risk reduction.

Comments (2)

Need to clear..
By tuomoks on May 23, 2008, 2:29 pm
@Zeeshan is correct and the article is (should be) an eye opener. The article says correctly "a house is still only as good as its foundation" and @Zeeshan writes...


Perfectly right - Need to clear this hype
By Anonymous on May 22, 2008, 9:34 am
Hi, this is exactly right. An IT-GRC solution is only a very small part of the whole GRC, or maybe not at all. It may show you that you are missing that in that...
