Why governance, risk, and compliance must be integrated with cybersecurity

Persistent cyber threats, the growing array of regulations and rapidly changing technology have heightened the need for cybersecurity to be integrated into governance, risk and compliance (GRC) frameworks.

GRC programs include the processes and technologies that enable organizations to meet business goals, address risk, and comply with government and industry regulations. Incorporating cybersecurity into organization-wide GRC programs means aligning technology decisions with business objectives while meeting regulatory requirements and defining cyber risks.

Organizations need to move away from security and compliance being compartmentalized and towards coordination and alignment between the two. By aligning cyber risk with GRC, the aim is to limit legal and compliance liability, ensure a governance model fit for audit, and comply with regulating bodies like the SEC; that is the important thing, Jason Rader, CISO with Insight Enterprises, tells CSO.

What’s driving cyber risk’s integration into GRC?

Cloud adoption, hybrid workforces, the emergence of generative AI, building agile security functions and the need to secure organization-wide digital ecosystems are behind the predicted 14% growth of global spending on security and risk management in 2024. This is according to Gartner, which estimates a total $215-billion spend in this area.

Factoring cyber risk into GRC programs is seen as a way to achieve comprehensive risk management across these different technologies, while responding to increasing regulatory demands. “GRC frameworks are evolving to include specific provisions and controls aimed at addressing cybersecurity risks effectively,” RegScale CISO Larry Whiteside Jr. tells CSO. This includes following NIST standards to ensure compliance and alignment with recognized practices.

Regulations such as GDPR, California’s CCPA, and others are coming to bear on organizations and mandating specific cybersecurity requirements. Consequently, GRC frameworks are having to integrate these regulatory requirements into their broader compliance initiatives, according to Whiteside. The growing reliance on third parties is also seeing GRC frameworks integrate vendor and third-party risk management to evaluate and reduce cyber risks linked to external partners and suppliers across the supply chain.

The SEC’s new rules require organizations to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. According to Whiteside this is driving directors and executive leaders to acknowledge cybersecurity as a crucial strategic business concern. “There’s a growing demand from boards for enhanced visibility into cybersecurity risks and measures, so organizations are improving their GRC frameworks for enhanced reporting and assurance on cybersecurity issues,” Whiteside says.

There are good reasons to improve GRC efforts: new research across the US and the UK found that companies with a unified view of risks reported a lower frequency of breaches in the past 12 months, according to Hyperproof’s 2024 IT Risk and Compliance Benchmark report. While 83% of organizations now have a centralized GRC program, a sizeable jump of 15% from last year, there’s still more work to be done, with just 18% having aligned risk and compliance activities and 19% still managing IT risks in siloed departments, tools or processes, according to the report.

The challenges in aligning cybersecurity with GRC

For cybersecurity to become integrated into the GRC framework, organizations must navigate the evolving cyber threat landscape while quantifying cyber risks, ensuring cyber risk management aligns with broader GRC objectives and meeting compliance requirements.

Although it’s important to quantify risk, the nature of interconnected risks in today’s context makes this a significant challenge, according to Prasad Sabbineni, CEO of MetricStream. “To address cybersecurity threats, it’s essential to build and integrate cyber risk and compliance management programs with enterprise and operational risk management, third-party risk management, and compliance management programs,” Sabbineni tells CSO. In mapping the risks and identifying the potential impact on the organization, the end goal is to develop action plans with appropriate investments.

With heavier reliance on third parties, Sabbineni says CISOs and security teams are becoming laser-focused on managing these risks. “That’s why identifying vulnerabilities and blind spots throughout the entire process is critical. Thankfully, stricter regulations are also being put in place to hold these third parties accountable, adding another layer of protection.”

However, he believes GRC teams need to understand how to leverage already existing data to identify, assess, and mitigate risks, and to adapt their practices to address cybersecurity-related factors effectively. “It requires a specialized focus on risk management, regulatory compliance, governance integration, technology-centric assessments, and incident response,” Sabbineni says.

Addressing the regulatory burden

“The pace of [regulatory] change for multinational organizations is significant, even in the regulatory world which can be notoriously slow,” says Simon Onyons, MD of FTI Consulting’s cybersecurity practice.

To effectively navigate the changing regulatory landscape, organizations must monitor new and evolving requirements on a continuous basis. Leveraging automated tools and using cutting-edge AI can help maintain real-time visibility over emerging regulatory mandates. “The critical element is then performing gap analysis against the new requirements, to mitigate potential compliance risks introduced,” Onyons tells CSO.

But this requires visibility of threats, another element that poses significant challenges for many organizations. “We can’t protect against what we can’t see, whether the threat originates within our internal capabilities or externally.”

Optimizing threat intelligence capabilities, ensuring the elimination of shadow IT and technology debt, and being contextual and relevant in risk management are all necessary, Onyons says. While it’s important to be threat-focused, that focus should be limited to the threats most relevant to the organization, particularly as cybercrime represents an asymmetric threat, where the cost of launching an attack is often lower than the cost of defending against it. “This requires an intelligence-led approach to understanding the specific threats targeting them and the potential impacts on the business.”

However, with many CISOs and their teams already feeling under pressure from the mounting responsibilities of protecting organizations, coming to grips with the growing raft of regulations and requirements can be overwhelming, said Insight Enterprises’ Rader. “There’s a lot to ingest from multiple agencies in the US, EU requirements and disclosure requirements, and even certain international standards like ISO 27001 that are widely accepted are non-prescriptive,” Rader says.

To address this, he suggests uniform requirements similar to the payment industry’s PCI security standards may be needed. “If the hyperscalers were to get together and come out with a standard, that would make things a lot easier instead of having to chase down the latest kinds of requirements and then harmonize from one country to the next,” Rader says.

Strategies for cybersecurity and GRC integration

Incorporating cybersecurity practices into a GRC framework means connected teams and integrated technical controls for the University of Phoenix, where GRC and cybersecurity sit within the same team, according to Larry Schwarberg, the VP of information security. At the university, the cybersecurity risk management framework is primarily created out of a consolidated view of NIST 800-171 and ISO 27001 standards, with this being used to guide other elements of its overall posture. “The results of the risk management framework feed other areas of compliance from external and internal auditors,” Schwarberg says.

The cybersecurity team works closely with legal and ethics, compliance and data privacy, internal audit and enterprise risk functions to assess overall compliance with in-scope regulatory requirements. “Since our cybersecurity and GRC roles are combined, they complement each other and the roles focus on evaluating and implementing security controls based on risk appetite for the organization,” Schwarberg says.

The role of leadership is to provide awareness, communication, and oversight to teams to ensure controls have been implemented and are effective. In addition, the cybersecurity team periodically brings in external consultants to evaluate compliance and assess maturity levels associated with these frameworks and regulatory compliance requirements. “GRC at the university is a team effort coordinated by the cybersecurity team.”

GRC: one more thing changing the CISO role

CISOs are already blending technical with business considerations to manage cybersecurity within their organizations; integrating GRC means adopting broader responsibilities and a risk-based approach.

It’s also harder to be a purely technical CISO, according to Rader. “You have to be a business CISO and a GRC CISO.” He likens it to being the ambassador of security, interacting more with the board in line with SEC requirements and working across the organization, while mitigating risk. “We’ve always had a risk mindset, but now we need to understand how to relate risk terms back to the executives in a way that they understand,” Rader says.

As cybersecurity involves organization-wide risks and protections, there’s a shift underway, impacting technical teams and risk and compliance teams, according to Nina Wyatt, security and GRC principal consultant lead at AHEAD. “Cyber roles require more soft skills and industry expertise to better support the control environment, while GRC roles require at least a baseline technology understanding to be effective in an oversight capacity,” Wyatt tells CSO.

In responding to cross-organization risks, GRC roles will need to collaborate with cybersecurity roles to structure a program that coordinates activities from both areas of the organization. “Misalignment between these two functions can result in duplicative efforts and spend, and increased complexity when it comes to working through control assessment and attestation activity,” Wyatt says.

The need to communicate technical information, along with cyber risk and governance issues, to board and leadership teams in a way senior leaders will understand is something that many CISOs report struggling with, and it’s impacting the effectiveness of security initiatives, an FTI Consulting survey found. “The communications disconnect between business leaders and CISOs means organizations are hindered from fully preparing for — and proactively governing — cybersecurity risks for the business,” said Onyons.

Leadership buy-in is essential to success

Leadership has a clear mandate to guide effective security and governance measures, says MetricStream’s Sabbineni. To ensure cyber risks are properly integrated into GRC considerations, there’s a need to create governance structures with clear roles and responsibilities, which must be driven from the top.

Leadership also needs to ensure teams quantify cyber risk exposure in monetary terms rather than in technical language. “This way, the investments and risks can be prioritized,” Sabbineni says.

FTI’s Onyons believes that leadership plays a pivotal role in determining how resources, both human and financial, are allocated. “It’s crucial for implementing effective and resilient cybersecurity defenses,” he says. “Without leadership support, GRC initiatives are bound to falter.”

It also means that boards and executives need to possess more cyber awareness and shift cybersecurity beyond the sole responsibility of the CISO. “It’s become a domain where general counsel, risk leaders, compliance heads, and the board must comprehend how the organization is being safeguarded,” he said.