GRC cybersecurity fusion: Insights from experts for 2024 risk management
GRC cybersecurity is an integrated approach for today’s modern businesses. Traditionally, cyber teams monitor threats across networks and the digital universe, while GRC departments keep up with organizational compliance in the policy world.
But is this traditional approach the best way to work?
Imagine old customer data policies are exposed in a breach. You'll require both cyber and compliance teams to act. Also, consider if the board can't address new cyber disclosure inquiries from lawmakers or investors.
Use this GRC cybersecurity integration guide, packed with tips from two industry experts and former Diligent Modern Governance Summit panelists, to help improve your entire business’ risk posture.
In this article, we’ll cover:
- What is GRC in cybersecurity?
- Growing intersection of cybersecurity and GRC
- A case for cyber and GRC working together
- Cybersecurity GRC framework
- The 4-step process to make GRC cybersecurity teamwork happen
What is GRC in cybersecurity?
Governance, risk and compliance (GRC) has a critical role to play in managing cybersecurity risk. The three dimensions of GRC empower businesses to track their performance against objectives, assess and mitigate risk, and maintain compliance with internal policies and growing security regulations.
Integrating cybersecurity with your GRC program allows companies to take a holistic approach to risk management — from an internal policy and digital risk standpoint. GRC cybersecurity involves establishing a framework of policies, procedures, and controls to ensure that cybersecurity objectives support business goals.
Growing intersection of GRC & cybersecurity
In recent years, cyber risk has become one of the biggest concerns for board directors as cyberattacks increase at an alarming rate. The pandemic prompted more remote work for office employees, upending IT infrastructures and putting more systems at risk of data breaches.
The geopolitical landscape has also become more fraught in recent years.
“Whether you’re looking at Iran, Ukraine, or even a potential China-Taiwan Strait scenario, cyber will be a part of that,” said John Zangardi, who previously worked in executive cybersecurity roles in the defense world, including as CIO of the Department of Homeland Security. “Because the United States has a vested interest in it and our allies are potentially targets, you are at risk.”
Cyberattacks can have dire impacts on the viability of a company and its financial health. Therefore, integrating GRC and cybersecurity has become critical for strategic, forward-thinking organizations.
Expanding risks and regulations
Cyber risk is becoming more dangerous for businesses. As a result, we’re seeing increasing pressure from regulators and government bodies demanding transparency and disclosures about the business’ risk posture. That means corporate boards in regulated industries face heightened expectations that directors understand the threat risk and take appropriate action.
Myrna Soto, CEO and founder of Apogee Executive Advisors, highlighted the now approved “slew of SEC rules around disclosures and incident reporting,” which include the GRC function. “You need to be compliant, especially if you’re in a regulated industry.”
A robust cybersecurity GRC framework helps boards establish a comprehensive and proactive approach to cybersecurity — while effectively managing cyber risk and complying with increasing regulations.
The case for cyber and GRC working together
— Myrna Soto, CEO and founder of Apogee Executive Advisors
Cyber is such a significant business risk that cybersecurity and tech teams help set the tone for the entire business’ risk posture. Soto suggested “taking the GRC function just a step further” and using it to articulate how secure the organization is and how it’s mitigating risks.
Soto defines such risk management as “understanding our compliance positioning, regulatory positioning, cyber security program maturity and where the gaps exist.” Then team members report to the board “so that they have a clear understanding of where the company is, where their risks are, where they may be falling behind and why.”
36% of directors interviewed for Diligent's Director Confidence Index say that their boards would benefit from better information to help them manage cyber risk. This indicates the board as an appetite for knowledge and presents an opportunity for the organization. Through GRC and compliance teams partnering together, you can give the board that holistic view that they’re after.
We’ll come back to cross-functional collaboration tips. First, let’s look at considerations for developing your new cybersecurity GRC framework.
Cybersecurity GRC framework
A cybersecurity GRC framework creates a structure for organizations to manage and address cybersecurity risks while meeting industry standards and regulations. A solid cybersecurity GRC framework should cover:
- Governance: Set roles, responsibilities and accountability for cybersecurity. Define policies, procedures and guidelines.
- Risk management: Identify, assess and prioritize cybersecurity risks. Conduct risk assessments, apply risk mitigation strategies, and monitor risk control efficacy.
- Compliance: Adhere to cybersecurity regulations and industry standards. Understand and apply controls to meet compliance standards.
- Security controls: Implement operational and technical controls to protect digital assets — network security, data encryption, access controls and incident response plans.
- Continuous monitoring: Conduct security assessments, penetration testing, vulnerability scanning and monitor security events. Learn more about continuous monitoring.
4 steps to make GRC cybersecurity teamwork happen
There are several ways to foster this new partnership between GRC and cybersecurity:
1. Address your corporate culture
Collaboration starts with culture. John Zangardi, CEO of Redhorse Corporation, stressed the importance of corporate culture in forging a partnership between cybersecurity and GRC, one that encourages working together to reach a goal. “What doesn’t work is finger-pointing, being overly technical, or just checking a box,” he said.
Soto noted that a culture of fear or shaming “alienates your partners, the same people you should be making relationships with in order to facilitate those objectives.”
“It’s not easy, because trust just doesn't happen overnight,” Zangardi concluded. “It’s about understanding what you’re trying to achieve and working toward common goals.”
2. Make risk resonate
When distilling all these GRC cybersecurity frameworks, metrics, evaluations and reviews for the board, it all comes down to what Zangardi calls the “so what” effect. What’s the probability of a risk occurring? What are the consequences? And what does it all mean to operations and the bottom line?
“Putting it into business terms works magic in the organization. When I would brief the Homeland Security Secretary I’d say, ‘Look, if this particular system goes down, that stops all transit on the St. Lawrence Seaway.’ They get that, that makes the news.” John Zangardi, CEO of Redhorse Corporation
“When you can contextualize it,” Soto said, “you have to go to a line leader or technology leader and say ‘hey, I really need you to work with me on this project and I need you to give me visibility into what you’re doing.”
Use data to resolve differing views. This can help gain executive and board director support for strategic priorities and enhance understanding of what needs to be done from a business context.
3. Understand where audit fits in
Since compliance and GRC typically fall under the purview of the audit committee, bring cyber into the fold to provide a better understanding of IT risks.
“We absolutely cover cyber in audit,” said Soto regarding the companies she works with. They look at everything from the cyber security framework to artifacts and beyond, very similar to how they look at controls for SOX and financial reporting. “What this does is help the audit team share and better understand the risks, because IT systems pretty much underpin every business.”
While the audit team must ultimately remain independent, the partnership model is critical to evaluating things like mitigation controls or remediation plans and moving beyond a “check-the-box” approach.
4. Enlist GRC cybersecurity technology
Having the right technology is key for collaboration between cyber and GRC teams to gather information, share it across teams and present it in a single view to the board. This can drive focused action by the board and senior leaders.
Aside from the benefits of faster data sharing and congruent metrics, an integrated technological approach to GRC and cyber brings other distinct advantages.
Having a single platform to capture GRC information minimizes manual input and therefore reduces the potential for human error. It can save organizations hours in data entry and reduce costly errors that can allow cyberthreats to slip through the net.
A strong GRC platform also helps the board visualize the state of play, with clear and comprehensive MI. By telling the cross-functional risk story — including cyber risk — in this way, you can improve board understanding, enable data-driven decisions and equip directors to act on priority risks.
Key takeaways
In summary, collaboration between cybersecurity and GRC teams is the key to identifying, mitigating, and effectively reporting cyber risks to the board. Boards are hungry for better information to make decisions. You can satisfy this through collaboration.
However, to succeed, organizations must foster the right culture, adopt effective communication methods, and leverage the appropriate technology.
As we move into 2024, integrating GRC and cybersecurity isn’t merely an option but a strategic imperative. This fusion enables organizations to enhance security, meet regulatory demands, and thrive in an interconnected digital landscape.
Learn more about selecting the most critical cybersecurity metrics to give your C-suite and board.Or dig into the 7 crucial building blocks for building a culture of compliance.