GRC teams’ capabilities within organizations today face new challenges from broader industry trends. Over the past few years, those trends have required GRC teams to pivot: to make complex decisions, stay connected and remain agile.
Strong GRC teams must now actively address better business collaboration, remote work standards, Environmental, Social and Governance (ESG) policies and third-party risk management across the organization.
This piece details evolving trends and provides guidance for teams to plot them against their organization’s maturity level to build a strong GRC maturity roadmap that aligns with business objectives.
There has been mounting pressure on GRC to improve coordination with the business and with other teams within the security function. The three lines of defense (front-line business activities, risk and compliance, and internal audit) continue to be a strong model for governance. However, siloing of the GRC function has limited its impact within security, and increasing integration with other security functions to create a common governance model is recommended.
Forward-looking leadership should use GRC as a platform to support and align with business objectives. Teams should emphasize:
Risk reduction is a result of IT and the business taking appropriate action. In recent years, GRC has matured its analysis of risk through the application of methodologies such as Factor Analysis of Information Risk (FAIR), Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) and others.
Yet analysis is not action. GRC capabilities must shift from reporting to achieving outcomes. This is especially crucial as organizational risk has been re-scoped to include the broader supply chain, increasing the demand on the capability. GRC teams should increase integration with other security teams and collaborate to reduce risk in measurable and cost-effective ways.
To improve overall risk management, teams should consider:
Compliance requirements continue to evolve. From privacy regulations such as the EU’s GDPR in 2018 and the California Consumer Privacy Act (CCPA) in 2020, to industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (2018) and the ongoing HIPAA revisions, the bar continues to rise. We see indications this pace will continue and accelerate in the coming years. The systemic risks identified in 2020 will likely result in increased oversight and obligations, and GRC teams should include the following:
Shift from Reporting to Demonstrable Risk Reduction
GRC often excels at auditing, identifying and reporting on risk. If this is not yet the case, focus on these areas. GRC functions that are excelling here, however, should shift from analysis to action by collaboratively reducing risk with other teams.
To reduce risk:
Staff Up for an Increased Workload
GRC capabilities remain under-staffed, with many organizations having between one and three full-time employees (FTEs). However, the workload is likely to increase in the coming years with the inclusion of third-party risk and the expansion of regulations. Where possible, consider adding people to the team, and create capacity within the existing team through training and standardization. To do this:
Get the Most from Your Current Technology
The GRC market is relatively mature and is unlikely to see significant disruption requiring investment. Teams are advised to focus on getting more from their existing GRC platform. Specifically, reporting and remediation are ripe for enhancement. Teams can look at:
A roadmap tells the story of where the capability has come from, where it is going and how progress will be demonstrated. Yet there are common mistakes we all make with roadmaps, from using them to list all our features or tools, to avoiding broader problems in favor of problems that are easier to solve. Some common pitfalls to avoid include:
Successful GRC teams will: