TL;DR
Have you noticed how narrowly many companies define cybersecurity? For these organizations, cybersecurity often means little more than detecting external threats, putting up proper defenses, and keeping out bad actors. But this strategy ignores the fact that threats don’t have to come from the outside. In fact, according to Cybersecurity Insiders’ 2024 Insider Threat Report, as many as 83 percent of organizations experienced at least one insider attack in the last year.
What can organizations do about this? For one, they can adopt more proactive measures that reduce how much they have to rely on perimeter defenses. This is one of the ways a Governance, Risk, and Compliance (GRC) framework can help. With the GRC field projected to grow by as much as $44 billion in the next few years, many organizations seem to be finding this out already, which makes this an excellent time to dive into what you might want to know if you’re interested in GRC.
What is the GRC Framework?
You can think of a GRC framework as an overarching strategy organizations can use to ensure their business operations remain compliant with industry regulations and don’t take on unnecessary risk. A GRC framework does this by helping establish strong governance processes, building out systems people can follow for identifying and managing different types of risk (e.g., financial, legal, security), and creating programs that help the organization track and follow the laws, regulations, and standards that apply to it.
But what is it that makes GRC so important right now? If the pervasive threat of insider attacks isn’t enough, then there is the growing list of stringent regulations that companies must comply with. In nearly every industry, from healthcare to finance, new rules and laws are being enacted in order to keep up with new technology practices and the fraud that often follows. Because of this, it’s becoming more common for highly regulated sectors to require companies to put in place a GRC framework.
Of course, GRC is also becoming more popular because of its own benefits. For example, by giving organizations a structured framework for assessing and managing risk, it can improve how they make decisions. Likewise, a program that simplifies the regulatory process will not only streamline workflows, but also provide companies with significant cost savings. And by avoiding compliance failures and the incidents that often accompany them, a robust GRC framework can help bolster an organization’s reputation as well.
Questions to ask when beginning a GRC program
While the particularities of your organization or industry may dictate many of the specifics of your GRC program, there are a few standard questions every company should be asking themselves. So says Alan White, author of several foundational books on cybersecurity, including the recently published Forensic Team Field Manual, as well as the creator of our upcoming GRC career path.
“If you took 20 frameworks out there, most of them will overlap in some capacity,” he said. So instead of worrying over the details, White recommends getting started by going through the following questions first.
1. Who are the people involved?
The effectiveness of your GRC program will largely be measured by how well it addresses the needs and challenges of the people involved. For this reason, it’s smart to begin by considering the people who will be working within the framework daily.
“There's a very standard statement out there: people, process, and technology,” said White. “This means that, in order to build an ecosystem that works for everyone, we need to understand the roles that everyone plays and how they will interact with the GRC framework.”
For instance, start by identifying the key stakeholders who will be most affected by a GRC framework. What are their responsibilities? What are their short- and long-term goals? Mapping out a full picture of the organization like this will make it easier for you to properly assess what shape your GRC framework should take.
2. What processes are already in use?
The people in your organization are probably already employing numerous methods to manage their various duties. And, more than likely, these methods lack any sort of real coherence.
“Chances are, they have no real policy, no real delegation of responsibilities,” said White. “This can be everything from how they onboard employees to how they consistently manage information and control access.”
So just as you’ll want to know what people are trying to do, you’ll also want to know how they’re trying to do it. This will make it possible for you to identify processes that need to be improved, problems that have not been addressed, and other operational shortfalls, all essential information to have when taking a strategic approach to building your GRC program.
3. What technology is in place?
After considering the people and processes involved, you should next move on to the technology. This is where you can start looking at the specific ways in which the organization is handling its data and start identifying tangible improvements you can make.
“For example, what technology do they have in place for third-party management?” White said. “Like, do they connect to your environment? How are they managed? How are they monitored? All this should be examined.”
Once you fully understand the technology being used (or the lack thereof) to process data, manage compliance, and reduce risk, then you can finally start determining what you can leave alone, what you can adapt or build upon, and what you need to start anew.
The reward of building out an effective GRC framework
Although GRC frameworks may not be the first thing many people think of when it comes to cybersecurity, they are nevertheless essential to a well-rounded security program. “An effective GRC framework means an organization can be compliant,” said White. “It means they can effectively manage risk. It means they can make better decisions.”
And for those who help develop these GRC programs, the work can be rewarding. “You can see something that’s tangible,” White said. “Whether that means helping them deliver SOC reports or HIPAA requirement reports, there's a reward to achieving that. It means they can be in business.”
Interested in learning more about how you can get a GRC program started at your org? Stay tuned for the official announcement of our GRC career path soon!