GRC – governance, risk, and compliance – is playing an increasingly important role in the operations of many organizations. Today we’ll discuss what GRC is, and how it can help support your cybersecurity infrastructure.
The concept of formal GRC evolved in the early 2000s after a number of high-profile corporate bankruptcies drove the need for improved internal controls and oversight. Larger enterprises, particularly those in heavily-regulated sectors like utilities, finance, and insurance now likely have entire departments devoted to GRC activities; smaller organizations may only have one or two people in the role, perhaps not even full-time. However, as regulatory obligations increase for organizations of all sizes, more and more companies are considering the benefits of having a recognized GRC function in-house. But what does GRC actually mean? Let’s look at the acronym:
Governance, simply put, refers to decision making. When a business decision is made, what are the criteria that go into that decision? Are the decisions that are taken appropriately aligned with the organization’s mandate or goals? Governance provides a thoughtful framework for the operations of a company.
Risk describes factors that could put an organization in peril. Risks can be identified as external or internal threats. They can be minor or existential. They can be factors under your control, or environmental factors that could happen whether you like it or not. Not all risk is bad – companies will develop a “risk appetite” that dictates how much risk they are willing to accept in various areas of the business. For example, it may be a risk to enter a new line of business, but the rewards may outweigh the risks involved.
Compliance covers the arena of law and regulation. Governments, industry regulators, even third parties can have sets of rules of conduct that an organization must follow in order to operate.
Reviewing these definitions through a cybersecurity lens will resonate with security and IT operations personnel in any organization. For example:
A strong governance model can be a huge help to IT and security teams when it comes to selecting and vetting potential vendors. Many organizations will develop a third-party scorecard or fact-finding document that is used to gather basic information about the vendor and its proposed relationship with the company. Details like corporate reputation, financials, history of cyber breaches, geographic location are documented and reviewed. But wider issues are considered as well – would working with this vendor create an over-reliance on a single vendor? If the vendor suddenly went out of business, how would you respond? There is an important well-defined thought process that you should use to fairly and thoroughly assess potential partners. And when you’re close to reaching an agreement with a vendor, GRC and your legal team will be there to assist with contract negotiation, review, and renewal to make sure your organization’s interests are well-protected.
Ineffective cybersecurity is currently one of the greatest risks to any company. No matter the size or industry, organizations are under constant threat of cyber attack. A GRC function can work with your IT and security teams to understand the scope of your cybersecurity framework, and document its strengths and limitations. You can outline the types of cybersecurity threats that you’ve identified from a technical perspective, and GRC can bring a business perspective to itemize additional threats. The synthesis of these two levels of thought helps develop a comprehensive understanding of risk to the enterprise. Then, the organization can make a business decision whether to invest in, say, a new firewall or managed service, or accept the potential risks of a successful cyber attack by doing nothing. Framing cybersecurity as a business decision to mitigate risk – instead of some “techie thing” that IT wants to spend money on – changes the conversation at the executive level. The IT and GRC teams can work together to help the business truly understand the risks of not having appropriate cybersecurity in place, and develop buy-in for a plan to address those risks.
Regulatory, Legislative, Business Compliance
As discussed, regulatory requirements and compliance regimes have never been more complex or onerous – and the situation won’t be getting any easier. A dedicated GRC team can investigate the ever-changing compliance landscape, and bring evolving changes to the attention of the IT team early, providing time to react and respond. GRC also understands the reporting and compliance requirements, so developing a strong working relationship with them will ultimately save time. IT systems should be designed with compliance in mind, so reporting artifacts (reports, audit summaries, and the like) are generated as part of the cybersecurity process, not an add-on after the fact.
Not in a regulated industry? You’re not off the hook. Consider the underwriting process for securing cybersecurity insurance for your company. Think of the due diligence that a prospective business partner will be doing when vetting you. Many of the dozens of questions and attestations you’ll see on the application form are the standard requirements used by regulatory bodies. Having these issues thought out, documented, and addressed provides a more comprehensive perspective on your cybersecurity strategy.
Audit Support – Internal and External
GRC can also act as a self-audit within an organization. Mature organizations will extend their own procedures and protocols to provide “proof” or audit materials to their GRC and auditors to make sure that the house is being kept in order. From documenting that patching is completed as planned, to verifying that incident response testing has been executed, to managing regular cybersecurity awareness training, the GRC can help craft an achievable and appropriate compliance structure that helps keep everyone on the right page. As mentioned previously, security controls are best designed when audit artifacts and documentations are generated as a by-product of the security process, not as an after-thought. Automated reporting dramatically reduces effort and error over manual or ad hoc processing.
Your GRC team should be on top of the ever-changing landscape of privacy regulation. For example, in Canada, federal rules, provincial rules, and special rules on particular types of data (e.g., health records) must be navigated in order for a company to do business. The GDPR in the EU has changed the playing field for doing business in and with Europe, and is driving further change in many jurisdictions elsewhere around the world. GRC can work with your IT team to ensure that appropriate protection, geographic storage, logging, reporting, etc. are in place to safeguard your customer – and employee – data. Having these insights will help you prepare your defenses today, and ensure that future IT decisions are well-informed.
Your GRC team will play an essential role in your incident response planning and response programs too. Whether they’re assisting with the co-ordination of crisis management tabletop testing exercises, or quarterbacking communications and filings with regulators in the event of an actual breach, GRC can play a key role in incident response that doesn’t involve the technical details under IT’s supervision.
It’s Good Business
If none of these factors has resonated with you, consider the fact that GRC is just plain good business. To do right by your customers and your staff, it’s important to make good decisions, avoid undue risk, and follow the rules. And, to over-simplify, that’s what GRC is all about.
If you don’t have a strong relationship with your internal GRC team, maybe it’s time to change the conversation. Using them as an extension of your IT and security teams can help protect your data and reputation more comprehensively and efficiently.