When someone asks what I do, I generally just say, “I work in cybersecurity.” What they envision I do invariably differs from what I actually do. In their minds, I must be managing a bank of monitors, filled with a multitude of active windows, and fighting off hackers. That is what some cybersecurity professionals do, but alas, that’s not my preferred area of focus. While I’ve filled almost every role at some point in my career, one of my current favorites is actually very cool, too. It’s called Governance, Risk and Compliance (GRC). I know. Even the title is exciting, right? While it may be something I enjoy, it’s definitely not every cybersecurity professional’s dream role.
What exactly is GRC? It’s a strategic framework to define and document a technology infrastructure and standardize policies and processes to ensure it’s securely implemented and sustained. It also involves identifying the risks associated with the infrastructure and mission and then removing or at least mitigating them to an acceptable level of residual risk. Finally, it should also include a process to continuously assess compliance with applicable regulations. In the Federal and Defense sector, this would be compliance with National Institute of Standards and Technology (NIST), any other specialized regulations, and overarching Federal Information Security Modernization Act (FISMA) law. In the health sector, it would be compliance with HIPAA and HITRUST requirements. Financial institutions, managed service providers, and many other private sector entities also require informal or formal certification, whether it be by the government, clients, or stakeholders.
If you’ve ever worked with me, you know how much I love to enhance a written report with a data-driven graph, aesthetically pleasing table, or smoothly laid out flowchart. In this instance, I think a flowchart is the most helpful in explaining GRC.

The flowchart lays out a process that, although relatively simple, is very often difficult to successfully implement and sustain. Why? It’s essentially a formal project that goes from start to finish and then repeats over and over…and over. Like any project, it requires detailed analysis, careful planning, sequential and parallel execution, and actively participating team members. While each of these elements has its complexities, it’s the last one that determines the ease (or difficulty) of the process and the success of the project. It requires active participation by all internal and external stakeholders, including:
- Cybersecurity team members
- Network & system administration teams
- Human resources & logistics teams
- Clients & customers
- C-Level staff
As with any project, you need a project manager to bring everyone to the table and move toward successful completion. In this respect, securing the participation and support of everyone involved in or impacted by the process will ultimately be the difference between a GRC program taking flight or crashing and burning. As you may have heard me say before, many people see cybersecurity as an unattractive product that costs money, time and effort and is completely devoid of fun (unless you’re the cyber geek implementing or sustaining it). For this reason, organizational cybersecurity leaders, the GRC project manager, and the cybersecurity team members rolling it out have to actively market it and sell the non-cybersecurity stakeholders on the idea that supporting GRC will reduce system outages, process failures, and the probability of negative reports by external auditors.
If you’re new to the GRC game, then you should definitely start with basic training. You could of course skip straight to the execution by asking your AI tool of choice something like, “How do I plan and execute a Governance, Risk, and Compliance program?” Call me old school, but I recommend learning the theory before trying to execute the process. Below is a list of a few companies and organizations offering free or low-cost training:
- Oracle University
- International Information System Security Certification Consortium (ISC2) – Free for a limited time
- LinkedIn Learning
- Coursera
- National Institute of Standards and Technology (NIST)
What’s the most important thing to take away from this? GRC is a critically important element in building a good cybersecurity program and a sustainable and dependable infrastructure. Cybersecurity software, hardware, and appliances serve as the blocks in your infrastructure’s walls, but clearly defined processes, procedures, and best business practices are the mortar that holds the structure together. So instead of seeing GRC as scarlet letters of cybersecurity, wear them proudly knowing that you’re part of a process that makes the digital world safely and securely go ’round.