GRC for Cybersecurity Professionals
The convergence of escalating cyber threats, intensified regulatory scrutiny, and serious legal action following high-profile cyber incidents has propelled cybersecurity-focused Governance, Risk, and Compliance (GRC) to the forefront of organizational priorities. No longer just a compliance tick-box activity, GRC has evolved into a strategic necessity that underpins business resilience and sustainability.
What this Whitepaper Covers
- What GRC is: how the term came into use, and what it means in relation to cyber risk management and data privacy compliance.
- The Current Context: The reasons for an increased focus on cybersecurity-focused GRC in recent years.
- GRC Frameworks: How security frameworks help with streamlining GRC initiatives.
- GRC Tools and Platforms: GRC Tools and what next-gen GRC platforms are offering to help manage cyber risk and compliance more effectively.
What is Governance, Risk and Compliance (GRC)?
Governance, Risk, and Compliance (GRC) is a strategic approach to managing an organization’s operations while meeting compliance requirements and minimizing risk that can impact mission-critical activities. It involves a structured framework for defining policies and processes (Governance), identifying and mitigating risks (Risk Management), and ensuring adherence to laws, regulations, and internal policies (Compliance).
The term GRC was coined by Forrester Research analyst Michael Rasmussen in 2002. It is commonly defined as a capability to reliably achieve objectives while addressing uncertainty and acting with integrity. The three components – Governance, Risk, and Compliance – are interconnected and should be approached with a big-picture view to achieve long-term strategic success.
Understanding the three components of GRC
Governance
Governance sets the direction for an organization. It involves defining policies, roles, responsibilities, and decision-making processes. Effective governance ensures alignment with strategic objectives and regulatory requirements.
Risk Management
Risk Management focuses on identifying, assessing, and mitigating risks. It involves understanding the likelihood and impact of risks, and developing strategies to address them.
Compliance
Compliance ensures adherence to laws, regulations, industry standards, and internal policies. It involves implementing processes and controls to prevent violations and mitigate potential consequences.
Cybersecurity-Focused GRC: The Current Context
Over the past several years, the business and risk landscape (particularly cyber risk) has changed significantly, making GRC and the need to incorporate cyber risk into enterprise risk more critical. Several factors have contributed to this:
Cybersecurity Threats: High-profile data breaches, such as those suffered by SolarWinds and Uber, and the legal action that followed, have highlighted the devastating consequences of inadequate risk management.
Heightened Regulatory Scrutiny: The Securities and Exchange Commission’s (SEC’s) recent actions, including stricter disclosure requirements for cyber incidents, have underscored the importance of robust GRC practices.
Legal Liability: CISOs and other cybersecurity leaders are increasingly held accountable for cybersecurity incidents, emphasizing the need for strong GRC frameworks that incorporate clearly defined cyber risk management processes.
Legal Action against SolarWinds and Uber following Data Breaches
SolarWinds
- SEC Charges: In the aftermath of the massive “Sunburst” supply chain attack in 2020 that compromised numerous government and private organizations, the SEC filed charges against SolarWinds and its former CISO, Tim Brown (in 2023). The SEC alleged that the company deliberately downplayed or failed to disclose cyber risks while overstating its security practices.
- Allegations of Misleading Investors: The SEC contended that SolarWinds made incomplete disclosures about the cyberattack, depriving investors of crucial information about the company’s cybersecurity posture.
- Charges Largely Dismissed: Most of the charges the SEC brought against SolarWinds and Brown were dismissed in July 2024, although claims concerning the company’s public “Security Statement” were allowed to proceed. The case signifies a critical change in the CISO’s role and scope of responsibility: security leaders must work closely with business-focused execs on reducing cybersecurity risk and meeting regulatory compliance, and must vet what the company says publicly about its security.
Uber
- Criminal Conviction of Former CSO: Uber’s former Chief Security Officer, Joseph Sullivan, was found guilty in 2022 of obstruction of justice and misprision of a felony for covering up a massive data breach that occurred in 2016.
- Cover-up of Data Theft: It was alleged that Sullivan attempted to conceal the incident by disguising a ransom payment as a bug bounty.
- Importance of Timely Disclosure: The case highlighted the critical importance of promptly disclosing data breaches to affected individuals.
These cases underscore the severe legal consequences for companies that fall victim to cyber-attacks and are unable to manage risk in a transparent and structured manner – before and after the breach. CISOs and other security leaders face increasing personal liability for security inadequacies and failures.
Implications of these Cases for the Cybersecurity Industry
The SolarWinds and Uber cases and other high-profile data breaches have had profound implications for the cybersecurity industry, leading to significant shifts in regulatory, organizational, and technological landscapes.
The biggest lesson for cybersecurity professionals is to create strong connections between governance, risk management and compliance activities, so that each of the three components informs the other two. Some of the language in the legal action that followed these breaches referred to inconsistent communication and messaging internally and externally, with SEC filings going out without being vetted by cyber leaders.
It is absolutely essential for business and cyber leaders to communicate and get visibility into the others’ domains.
The organization’s business objectives need to inform risk management, and cyber risks and compliance requirements in turn need to inform strategic business planning. Without creating strong links between the three, businesses run the risk of non-compliance and legal action following breaches.
Regulatory Changes
- Increased Scrutiny: Regulatory bodies worldwide are intensifying their oversight of cybersecurity practices. This includes more stringent reporting requirements, stricter penalties for non-compliance, and increased focus on supply chain security.
- Data Privacy Laws: The importance of robust data protection measures has been highlighted, leading to the strengthening of data privacy laws and regulations like GDPR and CCPA.
- Cybersecurity Frameworks: The adoption of cybersecurity frameworks like the NIST Cybersecurity Framework and the CIS Controls has become more prevalent across verticals. In 2024, both frameworks were updated to add a cross-cutting Govern function to the five core functions included in earlier versions (Identify, Protect, Detect, Respond, Recover).
Organizational Shifts
- CISO Role Elevation: The role of the Chief Information Security Officer (CISO) has become more strategic and influential. CISOs are now expected to be deeply involved in business decision-making and risk management.
- Increased Security Investments: Organizations are allocating more budget to cybersecurity initiatives, including advanced threat detection, incident response, and employee training.
- Supply Chain Risk Management: Companies are focusing on assessing and managing risks associated with their supply chain to prevent incidents like the SolarWinds attack.
Technological Advancements
- Threat Detection and Response: Investments in advanced threat detection technologies, powered by artificial intelligence and machine learning, have accelerated to improve incident response capabilities.
- Zero Trust Architecture: The adoption of zero-trust security models has gained momentum as organizations seek to strengthen their security posture.
- Identity and Access Management: Improved identity and access management practices are being implemented to protect sensitive data and systems.
The 2023 SEC Ruling on Cyber Incident Disclosure
On July 26, 2023, the SEC adopted rules that require registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. Compliance with the incident disclosure requirement began in December 2023 for most registrants.
The incident disclosure (on Form 8-K, Item 1.05) is due within four business days after the registrant determines that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident, and the rule requires that determination to be made without unreasonable delay; a delay in disclosure is permitted only if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
The new rules also require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. These disclosures will be required in a registrant’s annual report on Form 10-K.
The “Govern” Function in the NIST CSF and the CIS Controls
The importance of an integrated approach to GRC activities in the cybersecurity domain is reflected in changes to the NIST Cybersecurity Framework v2.0 and the CIS Critical Security Controls v8.1, both released in 2024. Both cybersecurity frameworks have now added a “Govern” function to their core functions (which previously included Identify, Protect, Detect, Respond and Recover).
NIST Cybersecurity Framework 2.0
In version 1.1 of the NIST CSF, governance-related activities were included under the “Identify” function. By placing these activities under a new, cross-cutting Govern function in version 2.0, NIST elevates the importance of aligning Cybersecurity Risk with Enterprise Risk.
The Govern function includes categories for establishing and monitoring cyber risk strategy, expectations, and policy. The strategic direction set under it informs the implementation of the five other functions. Within the Govern function, NIST lists the following categories: Organizational Context (GV.OC); Risk Management Strategy (GV.RM); Roles, Responsibilities, and Authorities (GV.RR); Policy (GV.PO); Oversight (GV.OV); and Cybersecurity Supply Chain Risk Management (GV.SC).
CIS Critical Controls 8.1
The latest version 8.1 of the CIS Controls, too, added a Govern function to the other five. The addition of Governance as a core component will enable users to identify the essential policies, procedures, and processes needed to safeguard their assets.
To support the Govern function, CIS added the asset type “Documentation” which includes Plans, Policies, Processes and Procedures. This will provide organizations with the evidence required to demonstrate compliance with industry standards.
Cybersecurity Frameworks and Data Privacy Regulations
Implementing GRC initiatives in a streamlined manner can be difficult because of the multiple interoperating domains and the specialized nature of some of the activities. Cybersecurity and legal operations are both specialized functions that need domain expertise. Furthermore, tying everything together in a way that ensures every activity is designed with the end goal of meeting business objectives is complex.
To make this process smoother, organizations can leverage readymade frameworks like the NIST Cybersecurity Framework or the CIS Critical Controls discussed above. These frameworks provide a structured approach to managing GRC activities, with a cyber-focused perspective, and can be customized based on specific business needs.
Key Benefits of Using GRC Frameworks
- Structured Approach: Frameworks offer a clear roadmap for identifying, assessing, and mitigating cybersecurity risks.
- Industry Best Practices: They incorporate proven industry standards and best practices, ensuring alignment with established guidelines.
- Compliance Support: Frameworks assist in meeting regulatory requirements, such as PCI DSS, HIPAA, and GDPR.
- Risk Management: They provide a systematic way to identify and prioritize risks, enabling organizations to allocate resources effectively.
Difference Between Security Frameworks and Privacy Standards & Regulations
The key difference between a cybersecurity framework and a regulation or compliance standard is that a framework is a voluntary set of best practices, while a regulation or standard must be complied with as a legal or contractual obligation.
Cybersecurity Framework
A Cybersecurity Framework is a set of best practices designed to help organizations manage and reduce cybersecurity risks. Frameworks are often voluntary and provide flexible approaches that can be tailored to an organization’s specific needs. They offer a systematic way to assess and improve security posture. Examples include the NIST Cybersecurity Framework (CSF), ISO 27001, COBIT.
Data Privacy Regulation or Standard
A data privacy regulation is a legal requirement imposed by government that organizations must comply with to protect personal or sensitive data; examples include GDPR, HIPAA, and CCPA. An industry standard such as PCI DSS is not a law but is mandatory by contract for organizations that handle payment card data. In both cases compliance is obligatory, and organizations face legal, financial, or contractual consequences for non-compliance.
Popular Cybersecurity-focused GRC Frameworks
NIST Cybersecurity Framework
Developed by the National Institute of Standards and Technology, the NIST Cybersecurity Framework provides a flexible and adaptable framework for managing cybersecurity risks. It is divided into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
CIS Critical Security Controls
Developed by the Center for Internet Security, the CIS Controls offer a prioritized list of 18 controls that address the most critical security risks. The controls are applicable to a wide range of organizations, and their safeguards are divided into three Implementation Groups (IG1 to IG3) for easier prioritization based on maturity level, size and specific requirements.
ISO 27001
The ISO 27001 is an international standard for information security management and provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO 27001 is based on a risk-based approach and requires organizations to identify and assess their risks, implement appropriate controls, and monitor their effectiveness.
COBIT 5
A framework for the governance and management of enterprise IT developed by ISACA, COBIT provides a comprehensive set of principles, practices, and tools for IT governance. COBIT 5 is based on five principles: meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management. Its successor, COBIT 2019, is the current version.
NIST Special Publication 800-171
NIST SP 800-171 outlines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. Revision 2 organizes them into 14 families (Revision 3, published in 2024, reorganizes them into 17), covering areas like access control, audit and accountability, incident response, risk assessment, and system and communications protection (which includes cryptography). The framework helps contractors and organizations working with the U.S. federal government secure CUI and meet contractual obligations such as the DFARS 252.204-7012 clause.
The ACSC’s Essential Eight and the UK NCSC’s Cyber Essentials
The ACSC Essential Eight is an Australian cybersecurity framework focusing on eight key mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. The NCSC Cyber Essentials scheme, from the UK, outlines five basic controls: firewalls, secure configuration, user access control, malware protection, and security update management. Both frameworks aim to help organizations defend against common cyber threats and reduce risk effectively.
Data Privacy Regulations
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards designed to protect cardholder data. It requires organizations that handle credit card transactions to implement specific security measures to prevent data breaches. These measures include protecting cardholder data, maintaining secure networks, and regularly monitoring and testing networks.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law that sets standards for the privacy and security of protected health information (PHI). It applies to healthcare providers, health plans, and their business associates. HIPAA requires covered entities to implement safeguards to protect PHI from unauthorized access, use, disclosure, or modification.
General Data Protection Regulation (GDPR)
The GDPR is a European Union regulation that governs how organizations collect, store, and use personal data. It emphasizes individual rights, requiring a lawful basis (such as consent) for data processing and ensuring data subjects can access, correct, or delete their information.
California Consumer Privacy Act (CCPA)
The CCPA is a California state law (amended by the CPRA) providing California residents with the right to know what personal data is collected, request its deletion, and opt out of its sale. It holds businesses accountable for data protection and transparency.
Implementing a Cybersecurity Framework
- Framework Selection: Choose a framework that aligns with your organization’s size, industry, and specific compliance requirements.
- Mapping to Organizational Processes: Identify existing processes and procedures that can be mapped to the framework’s components.
- Customization: Tailor the framework to fit your organization’s unique needs and risk profile. This may involve adding or removing controls, mapping controls to regulatory needs, or modifying methodology, etc.
- Implementation: Implement the framework’s components, including risk assessment, control implementation, and monitoring.
- Continuous Monitoring and Improvement: Regularly review and update the framework to ensure it remains effective and aligns with evolving threats and regulatory requirements.
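The mapping, customization and monitoring steps above are easiest to keep honest when the control inventory is data rather than a spreadsheet of prose. The following Python script is an added illustration, not code from the whitepaper or from NIST or CIS: it keeps a small control inventory, maps each control to NIST CSF 2.0 categories (the six function identifiers GV/ID/PR/DE/RS/RC and category IDs such as PR.AA are real; the control IDs, the evidence file names and the per-regulation crosswalk are constructed for the example), reports coverage per CSF function, lists the categories a regulation needs that no control covers, and flags controls that a continuous-monitoring pass should raise because they have no evidence on file or their review is overdue.

```python
"""Control-to-framework mapping and gap analysis (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# NIST CSF 2.0 function identifiers (real). Everything below them is constructed.
CSF_FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                 "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass
class Control:
    """One internal control and the framework categories / regulations it satisfies."""
    cid: str
    title: str
    csf_categories: list[str]                            # e.g. "PR.AA" (identity & access control)
    regulations: list[str] = field(default_factory=list)  # e.g. "PCI DSS", "HIPAA"
    evidence: list[str] = field(default_factory=list)     # artefacts proving the control operates
    last_reviewed: date | None = None
    review_interval_days: int = 365

    def function_ids(self) -> set[str]:
        """CSF functions touched by this control, derived from its category IDs."""
        return {cat.split(".")[0] for cat in self.csf_categories}


# Constructed sample inventory: hypothetical control IDs, titles and evidence paths.
INVENTORY = [
    Control("AC-01", "MFA enforced on all remote access", ["PR.AA"], ["PCI DSS", "HIPAA"],
            ["idp-policy-export-2024-05.json"], date(2024, 5, 1)),
    Control("LG-01", "Central log collection and alerting", ["DE.CM", "DE.AE"], ["PCI DSS"],
            ["siem-coverage-report-q1.pdf"], date(2024, 2, 10)),
    Control("IR-01", "Incident response plan incl. 8-K materiality step", ["RS.MA", "RS.CO", "GV.RR"], [],
            ["irp-v3.pdf"], date(2023, 1, 15)),            # reviewed > 365 days ago: overdue
    Control("BK-01", "Nightly encrypted backups, quarterly restore test", ["PR.DS", "RC.RP"], ["HIPAA"],
            [], date(2024, 3, 3)),                         # no evidence recorded yet
    Control("AM-01", "Hardware and software asset inventory", ["ID.AM"], ["PCI DSS"],
            ["cmdb-export-2024-06.csv"], date(2024, 6, 1)),
]

# Constructed crosswalk: the CSF categories this (hypothetical) organisation has decided
# each regulation obliges it to cover. A real crosswalk is an output of the mapping step.
REQUIRED_BY_REGULATION = {
    "PCI DSS": {"ID.AM", "PR.AA", "PR.DS", "DE.CM", "RS.MA"},
    "HIPAA":   {"PR.AA", "PR.DS", "RS.MA", "RC.RP", "GV.PO"},
}

SAMPLE_TODAY = date(2024, 7, 1)  # fixed "today" so the run is reproducible


def function_coverage(controls: list[Control]) -> dict[str, int]:
    """Number of controls implementing at least one category in each CSF function."""
    counts = {fid: 0 for fid in CSF_FUNCTIONS}
    for c in controls:
        for fid in c.function_ids():
            counts[fid] += 1
    return counts


def regulation_gaps(controls: list[Control],
                    required: dict[str, set[str]] = REQUIRED_BY_REGULATION) -> dict[str, set[str]]:
    """Per regulation, the required categories that no control in the inventory maps to."""
    covered = {cat for c in controls for cat in c.csf_categories}
    return {reg: cats - covered for reg, cats in required.items()}


def stale_controls(controls: list[Control], today: date) -> list[tuple[str, str]]:
    """Findings a continuous-monitoring pass should raise: missing evidence or overdue review."""
    findings: list[tuple[str, str]] = []
    for c in controls:
        if not c.evidence:
            findings.append((c.cid, "no evidence on file"))
        if c.last_reviewed is None or today - c.last_reviewed > timedelta(days=c.review_interval_days):
            findings.append((c.cid, "review overdue"))
    return findings


if __name__ == "__main__":
    for fid, n in function_coverage(INVENTORY).items():
        print(f"{CSF_FUNCTIONS[fid]:<9} {n} control(s)")
    for reg, gaps in regulation_gaps(INVENTORY).items():
        print(f"{reg}: missing {sorted(gaps) or 'nothing'}")
    for cid, why in stale_controls(INVENTORY, SAMPLE_TODAY):
        print(f"FLAG {cid}: {why}")
```

On the constructed data the HIPAA row reports a gap at GV.PO (no policy-level control exists), which is exactly the kind of Govern-function shortfall the CSF 2.0 and CIS 8.1 changes are meant to surface, and the monitoring pass flags the incident response plan as overdue for review and the backup control as lacking evidence. In practice the inventory and crosswalk would be loaded from version-controlled files and the script run on a schedule so that drift is caught between audits.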