What these industries have in common, and have had for decades, is that they are highly regulated. SOX is one of the regulations for finance, HIIPA applies to healthcare, and FDA applies to food and drugs, PCI-DSS is applicable when payment cards are used for digital transactions.
These are just a few examples. The list of regulations has through the years increased and still does. Almost each and every industry is today, to some extent more or less regulated. GDPR for example is one of those regulations that impacts a very high span of organizations. In Europe, almost each and every organization is impacted.
Regulations related to AI are another example and when technology drives the the increased need for further compliance through regulations. As you might already know and have figured out, the last regulation that an organization will need to comply with has not been invented or developed at this point. There is more to come and the list will be made longer. The piles of regulations will increase. The requirements related to compliance will not go away.
Governance is, short and simple, about the bigger picture and less about the details. It is about setting the direction, strategy, and vision. These “ bigger picture” things are (in general and shall be) the board’s responsibility. The execution of the day-to-day activities is operationalized by the organization and starts out with the CEO. The CEO is not the one who will do all the work but will delegate the responsibility and accountability to the team around him/her, also known as the Executive Management Team, EMT (consisting of roles such as for example CFO, CMO, CIO, CISO, COO, CRO and so forth). The EMT delegates the operationalization, to some extent or fully, to their team members (Vice Presidents, Directors etcetera). The execution of the objectives to achieve the strategy, set by the governing body (the board), is managed throughout the organization.
This is somewhat of a simplified description of how the chain of delegation and governance may take place. Depending on, for example, the operational model and structure of an organization may contribute to the picture looking a bit different. The structure I have described is not set in stone but gives a good overview of the overall idea.
The takeaway is that the model I described for how Governance can be applied to several parts of an organization to achieve the same outcomes. For example IT Governance, Financial Governance, Business Governance, Security Governance, and so forth. For each part of an organizational entity, a leadership committee (I.e., governance) establishes the strategy.
The strategy for example Corporate Finance is developed by the leadership committee which delegates the accountability and responsibility for managing the execution of the objectives to the roles and responsibilities in the Finance organization to operationalize the strategy.
The Corporate Finance Strategy is not something that takes place in isolation, it is aligned as a part of the overall corporate strategy in direction with the board’s strategy for the organization.
Properly established Governance will provide control, transparency, direction, ethics, and separation of responsibilities. Generally, Governance is responsible for the “What” and Management is responsible for the “How”.
How things are carried out in reality may though take a different form between organizations. When theory meets reality those may not always align. More or less, every organization has some form of Governance in place that serves as a decision-making body for where those “bigger picture” things are discussed and decided on. And for Governance to function it need leadership.
There is certainly more that can and should be said about Governance but I will stop here for now. Let’s jump into the What, Why, When, & How explanation of Security GRC.
WHAT?
In this article, Security GRC is explained as:
A structured and holistic discipline covering the practices of Governance, Risk Management, and Compliance, ie. GRC.
As you may see there are fewer wordings in this explanation about “security” or something such as protection, resilience, detection etcetera. These things affect Security GRC or may be an outcome of the work. How the objectives are managed and actualized in alignment with the strategic direction, i.e. Governance.
Security GRC is a subset of Corporate GRC which is focused on the management and oversight of security efforts. This means that Security GRC in an organization is a part of a bigger puzzle as explained earlier in this article. It does not and shall not operate in isolation from the rest of the organization. Security GRC shall be integrated with Corporate GRC, other GRC disciplines, and the rest of the organization.
Security is a team sport and so is Security GRC. This is not something that is a one-man show or something that only is a thing taking place in a security team. This is a discipline that is established to support the organization it exists in. And yes, a tool or software for Security GRC, that helps out to automate things such as evidence collection, risk reporting, and data classification, is and can be a part of the puzzle but this is not a unicorn solution.
Before a tool or software implementation of a Security GRC tool, other things should be established. Let’s call these things foundational components of Security GRC. These things equate to for example structure, frameworks, and processes. And of course, you need to have support for the change from your stakeholders and sponsors. A tool or software should rather, as I see it, be a natural progression in an organization’s maturity journey of Security GRC rather than the absolute starting point.
This principle is not unique to Security GRC though, it applies to pretty much more or less all aspects of an organization’s maturity journey. If an organization does not have people and processes available and educated on a certain subject/discipline/skill/ technology will provide less value. I have seen this mistake several times in a bunch of different forms of projects throughout my career. IT Service Management, Risk Management, Identity & Access Management, and Cloud Security Governance just to mention a couple examples. The list could have been made longer but I will stop here for now.
WHY
The values gained for an organization that chooses to establish Security GRC can provide:
Ensured compliance, mitigation of risks, and contributed to an improved security posture, and cyber resilience in alignment with the organization’s strategic objectives.
An organization that chooses to establish Security GRC will gain positive effects and value addition from managing the three practices (Governance, Risk Management, & Compliance) in synchronization. Each of the three practices within GRC is and shall be seen as a unique perspective which all serve the same overall purpose. Go back to the picture above in the What section and study the descriptions.
The practices together form a system and a holistic structure that operates as a totality. The value generated for an organization by synchronizing and integrating the three practices may for example be:
- Reduced or elimination of duplicated efforts
- Increased efficiency through the usage of common processes and methods
- Increased insight and understanding of the organization’s security and compliance posture I
- Improved alignment of investments in relation to the organization’s strategic direction
HOW
The establishment of Security GRC in an organization:
Shall be adapted toward the organization’s culture and not the other way around.
The form of how Security GRC is established may differ between organizations. A very mature organization, for example operating in the Finance industry, will have a more “complex” setup compared to a start-up company developing software. Both these organizations need some form of Security GRC but the practical implementation will differ. The reasons for it, are for example but are not limited to:
- Culture
- Regulations
- Organizational size
- Geographical spread
- Operating model
- Organizational history
- Organizational structure
I think it is very accurate to say that there is no onesize-fits-all Security GRC setup that can be copypasted into each and every organization. There are of course general recommendations and principles that make up a good starting point, but these are just that. Even the best theoretical principle or model may not become best friends with security in reality.
In this article, I share some of my thoughts about Security in reality.