In the world of Cybersecurity, there is no shortage of buzzwords and techno jargon. Often many of these words are used together, causing even more confusion. One such grouping of these words is “Governance, Risk, and Compliance,” collectively known as “GRC.” While a business needs all three of these to work together in a seamless fashion, they each have their individual purposes as well.
Exactly what do these terms mean?
The definitions for these terms can be explained as follows:
Governance, as it relates to IT, is how an organization is run. Typically, this will follow a top-down structure. For example, at the top is the CISO; beneath him or her are the managers from the IT Department and the IT Security team, followed by the Project Managers who are responsible for managing the employees who are getting the deliverables done for the client. A typical example of this would be a software development team: the developers report to the Project Manager, who in turn reports to the Department Manager. An effective governance chain of command exhibits the following characteristics:
- A clear and transparent line of communication: The vision, the goals and the objectives must be transmitted all the way down to the lowest-ranking IT member, and likewise, the needs and ideas of the IT Security team must be heard, listened to, and transmitted back to the CISO for evaluation and consideration.
- Effective resource allocation: The CISO and the respective managers work together as a cohesive unit to distribute (sometimes scarce) resources to effectively manage the Cyber threat landscape as best as possible.
- A system of checks and balances: The CISO and his or her top-level managers must enforce the divisional lines of who is responsible for what, and also make sure that there is a strong sense of accountability.
- Rewards and acknowledgment: A good Governance system will reward those employees who have made an impact in protecting the digital assets of the company, as well as other employees who have maintained a good level of Cyber Hygiene. Likewise, rather than singling out and punishing employees who may have made a mistake, constructive criticism will instead be offered.
Compliance refers to your company’s policies and rules that abide by the security requirements of other entities that you deal with. Probably the best examples of this are the data privacy laws, most notably the GDPR and the CCPA. They have provisions and mandates that your company must meet, primarily to safeguard the Personally Identifiable Information (PII) datasets that you have been entrusted with. Characteristics of a good Compliance program include:
- Choosing the right framework(s) or methodologies: This will guide you in the process of selecting the best controls possible to protect confidential information and data.
- Having a change management system in place: Any adjustments or changes that you make to the controls are well-documented, and any upgrades or new tools/technologies that are to be deployed are first tested in a controlled environment before being released to production.
Risk typically refers to the amount of “pain” your company can withstand before a threat variant causes permanent damage to your IT and Network Infrastructure. There are other definitions and ways to calculate risk, but some of the common traits of a good Risk Management program are as follows:
- Your company has created a categorization scheme: With this, you take an inventory of all your digital assets and, in turn, decide (based upon both quantitative and qualitative factors) which would be most and least impacted if your organization becomes a victim of a security breach. For example, the database that houses the PII datasets would be a prime target and will therefore need the most controls to protect it. Because of this, it will receive a numerical ranking of 10 (with 10 being most vulnerable and 1 the least vulnerable). By contrast, the documented minutes from meetings held a long time ago are unlikely to be a sought-after target, thus needing a minimal number of controls, if any, giving them a ranking of about 3.
- The controls are monitored: Just like the other components of your IT and Network infrastructure, Risk Controls can go stale and lose their effectiveness if they are not kept up to date with the latest patches and upgrades. Therefore, a good Risk Management program will keep an eye on all of your controls on a real-time basis, and alert you and your IT Security team if any of them need further attention and/or optimization.
Now that you have a greater understanding of what IT Governance, Risk, and Compliance are about, you may be motivated to craft an effective GRC plan for your company. Developing such a plan is something that you should not attempt to do on your own. A future article will take a deeper dive into how to go about this and whom you should consult in the process. Keep in mind that a GRC plan is a document that will be scrutinized by regulators and auditors, and even by insurance companies when you apply for a Cybersecurity Insurance Policy.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.