GRC teams face new challenges driven by broader industry trends. Over the past few years, those trends have pushed GRC teams to make more complex decisions, stay connected to the business and remain agile.
Strong GRC teams must now actively address better business collaboration, remote work standards, Environmental, Social and Governance (ESG) policies and third-party risk management across the organization.
This piece details evolving trends and provides guidance for teams to plot them against their organization’s maturity level to build a strong GRC maturity roadmap that aligns with business objectives.
There has been mounting pressure on GRC to improve coordination with the business and with other teams within the security function. The three lines of defense (front-line business activities, risk and compliance, and internal audit) continue to be a strong model for governance. However, siloing the GRC function has limited its impact within security; tighter integration with other security functions, under a common governance model, is recommended.
Forward-looking leadership should use GRC as a platform to support and align with business objectives. Teams should emphasize:
Risk reduction results from IT and the business taking appropriate action. In recent years, GRC has matured its analysis of risk through the application of methodologies such as Factor Analysis of Information Risk (FAIR), Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) and others.
Yet analysis is not action. GRC capabilities must shift from reporting to achieving outcomes. This is especially crucial as organizational risk has been re-scoped to include the broader supply chain, increasing the demand on the capability. GRC teams
should increase integration with other security teams and collaborate to reduce risk in measurable and cost-effective ways.
To improve overall risk management, teams should consider:
Compliance requirements continue to evolve. From privacy regulations such as the EU’s GDPR (2018) and the California Consumer Privacy Act (CCPA, 2020) to industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (2018) and the ongoing HIPAA revisions, the bar continues to rise. We see indications this pace will continue and accelerate in the coming years. The systemic risks identified in 2020 will likely result in increased oversight and obligations, and GRC teams should include the following:
Shift from Reporting to Demonstrable Risk Reduction
GRC often excels at auditing, identifying and reporting on risk. If this is not yet the case, focus on these areas. GRC functions that are excelling here, however, should shift from analysis to action by collaboratively reducing risk with other teams.
To reduce risk:
Staff Up for an Increased Workload
GRC capabilities remain under-staffed; many organizations have between one and three full-time employees (FTEs) dedicated to them. However, the workload is likely to increase in the coming years with the inclusion of third-party risk and the expansion of regulations. Where possible, add people to the team, and create capacity within the existing team through training and standardization. To do this:
Get the Most from Your Current Technology
The GRC market is relatively mature and is unlikely to see significant disruption that would require new investment. Teams are advised to focus on getting more from their existing GRC platform; reporting and remediation in particular are ripe for enhancement. Teams can look at:
A roadmap tells the story of where the capability has come from, where it is going and how progress will be demonstrated. Yet there are common mistakes we all make with roadmaps, from using them to list every feature or tool, to sidestepping broader problems in favor of those that are easier to solve. Some common pitfalls to avoid include:
Successful GRC teams will:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms
in connection with such information, opinions, or advice.
June 30, 2022
By IANS Faculty