Like other disciplines, security has a love/hate relationship with new concepts that are quickly bundled into an acronym. Often initiated to express a new approach, methodology, or software class it can quickly gain traction (or not) and along the way can evolve from its intent. One such entrenched example is GRC – Governance, Risk, and Compliance. In this series, we’ll examine GRC and its critical role in USPM – Unified Security Posture Management (yup, another acronym) to discuss what we believe works, and where there’s opportunity to do things better.
A Brief GRC Primer
In 2002, the Open Compliance and Ethics Group (OCEG) coined the GRC concept and defined it as the integrated collection of capabilities that enable an organization to achieve Principled Performance - the ability to reliably achieve objectives, address uncertainty, and act with integrity. We’ll leave it to the good folks at OCEG to for a deeper dive into GRC as it was envisioned, but I do want to call out a few of the important and recurring themes. GRC tied to their concept of achieving Principled Performance is about preserving and protecting value. It’s about taking a holistic and integrated approach to avoid the trap of silos. It places risk at the center of the conversation and emphasizes a whole-of-organization approach. It is NOT just about meeting one’s compliance obligations. Security, and more specifically USPM is grounded in many of these same themes, and more on that later. For now, we’ll focus on the first letter – Governance.
Management and Systems
After a maddening search to find a definition of governance that did not include the word in the explanation, I’ve settled on the way organizations are managed at the highest level and the systems for doing this. Earlier this year, NIST CSF 2.0 was also released. Arguably long overdue, but hey it wouldn’t be a proper government update if it weren’t years in the making. One critical change was the addition of a sixth function to the CSF core – Governance. It brings into sharp focus the role of cybersecurity as a key enterprise risk demanding executive attention and oversight. It finally aligns this global standard with the realities of living and operating in a digital economy where cyber is no longer just a good idea, but in fact a business imperative.
Security governance is more than just another layer of oversight which naturally evokes concerns on added bureaucratic layers, impacts to productivity, and potentially stifling innovation. It’s about reducing the light between the security team, the c-suite, and the board where cyber risk is understood and managed as a whole-of-organization responsibility. Naturally, the CISO and their team own the operational reality of building and maintaining a strong security posture. There are the burdens of security program management and all that is associated – people, process, technology, but there are also increasingly other dimensions that demand attention. From the outside, it’s growing regulatory pressure to demonstrate with evidence the thoughtfulness of the organization’s cyber risk management strategy. Internally, it’s heightened executive awareness of cyber threats and their desire to better understand how much cyber risk their organization is carrying, how much could potentially be bought down and what the security team is doing to manage and/or reduce related exposure.
Codifying effective governance is more than implementing a set of processes or binary controls to satisfy oversight. It’s the foundational mechanism to drive absolute alignment with business objectives so that security strategies do not conflict with overall business objectives. This helps balance security needs with other organizational priorities because there is a common starting point between practitioner risk managers and organizational risk owners. Other benefits include:
- Enabling informed decisions about risk tolerance and mitigation strategies.
- Establishing clear accountability frameworks by sharing risk management responsibility for cybersecurity across the organization.
- Improved preparedness and resilience to security incidents, which can help increase investor, partner, and customer confidence.
- Fostering a cyber risk aware organization by building structures for continuously reviewing and updating security policies and controls to address evolving threats and technologies.
- Improving resource optimization by more effectively by aligning security investments with business priorities and risk levels.
- Elevating to a board-level concern, ensuring it receives appropriate attention and resources.
- Driving maturity through consistent and standardized reporting/metrics to proactively identify and address areas for improvement.
For governance to be effective, all parties must have near unrelenting certainty in understanding issues that face them and the decisions that need to be made. In security specifically, it means moving beyond simply identifying what’s wrong to understanding why it matters and having the data-driven confidence to take proactive action.
To learn more on how Pellonium’s approach to Unified Security Posture Management can enable better governance, please visit www.pellonium.com.