But Where's the Security?
06/02/2008
By Dan Gray, VP of Technical Strategy, Solutionary, Inc. and Jon Heimerl, Director of SecurCompass Development, Solutionary, Inc.

The latest buzz in Information Technology is IT-GRC, hyped by vendors and abetted by analysts as the next great wave of IT management solutions.


GRC stands for Governance, Risk, and Compliance, and IT-GRC packages claim to be able to integrate these three domains under one roof. The underlying promise is that the board and management can finally get control of IT and appropriately govern and manage IT operations to ensure that enterprise risk management goals are met, while regulators and business partners are kept satisfied with regard to the compliance of the organization and its partners.

But just as the best financial management systems and a bevy of auditors have not stopped the flow of financial misconduct by motivated perpetrators, this promise will also fundamentally miss the mark without directly addressing the issue of security.

As evidenced most recently in the Hannaford data breach incident, where the trust of an estimated 4.2 million payment card holders was violated through a security flaw, an organization can have a risk management program and a compliance program and still not be secure.

According to public statements, Hannaford used an IT-GRC package to manage their risk and compliance program, had undertaken and passed outside assessments and audits, and from all outside appearances, had been doing "the right things." But, if having a risk management and compliance program nets the organization a very public and costly data breach, exactly what is the point? How many dollars spent on those programs would have been better spent on addressing the fundamentals of security?

After the breach was publicized, Hannaford president and CEO Ronald C. Hodge said in a statement: "We have taken aggressive steps to augment our network security capabilities."

Section 4.1 of the PCI Standard reads, "Encrypt transmission of cardholder data across open, public networks," stating further, "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit." Is it arguably "reasonable" to believe that internal networks are significantly less vulnerable to attack than public networks? Yes. Is it actually true in the real world of the large distributed network? Probably not.

