![\"\"](\"https:\/\/tynesideinnovation.com\/grcfincrimetoday\/wp-content\/uploads\/2025\/10\/Screenshot-5-1-300x177.png\")
<\/p>\r\n
Charles Robert Darwin, 1809 \u2013 1882<\/p>\r\n<\/blockquote>\r\n\r\n\r\n\r\n
Change is constant, we may like it or not. But it is the truth. It can not be stopped. Change may come from both internal and external forces and requirements. They may be small or big and more or less impactful. What we know, is still, that change is constant. And this is one of those things that Security GRC when it comes to the security universe, can support to manage in a more controlled and systematic way. Managing change is only one part of the benefits that may come from Security GRC. But before we dive further into the benefits and the rest of this article, I will put some more context around the subject \u2013> Security GRC.<\/p>\r\n
GRC stands for Governance, Risk Management & Compliance. This article is about Security GRC.<\/p>\r\n
The purpose of this article is to put my own words on the subject. I have already kind of, in several articles talked about it and explained what it is from each letter in the acronym. But this article will serve as a short summary of what Security GRC is and also shine some light on the why, how, and when.<\/p>\r\n
Security GRC is not something unique to the security industry or discipline. It is a discipline and practice that the security industry has adopted. GRC has been a thing in several other industries before it reached security. Some of these are:<\/p>\r\n
- \r\n
- Finance<\/li>\r\n
- Medical<\/li>\r\n
- Healthcare<\/li>\r\n
- Insurance<\/li>\r\n
- Energy<\/li>\r\n<\/ul>\r\n
What these industries have in common, and have had for decades, is that they are highly regulated. SOX is one of the regulations for finance, HIIPA applies to healthcare, and FDA applies to food and drugs, PCI-DSS is applicable when payment cards are used for digital transactions.<\/p>\r\n
These are just a few examples. The list of regulations has through the years increased and still does. Almost each and every industry is today, to some extent more or less regulated. GDPR for example is one of those regulations that impacts a very high span of organizations. In Europe, almost each and every organization is impacted.<\/p>\r\n
Regulations related to AI are another example and when technology drives the the increased need for further compliance through regulations. As you might already know and have figured out, the last regulation that an organization will need to comply with has not been invented or developed at this point. There is more to come and the list will be made longer. The piles of regulations will increase. The requirements related to compliance will not go away.<\/p>\r\n
![\"\"](\"https:\/\/tynesideinnovation.com\/grcfincrimetoday\/wp-content\/uploads\/2025\/10\/grc-what-why-how-when-adaptable-300x201.png\")
<\/p>\r\n\r\n\r\n\r\nChange is constant. Adaptability is key. Security GRC<\/p>\r\n\r\n\r\n\r\n
A commonly confused practice within GRC is the G, Governance. Many confuse Governance with Management. There is a difference and it\u2019s pretty obvious when put into context.<\/p>\r\n
Governance is, short and simple, about the bigger picture and less about the details. It is about setting the direction, strategy, and vision. These \u201c bigger picture\u201d things are (in general and shall be) the board\u2019s responsibility. The execution of the day-to-day activities is operationalized by the organization and starts out with the CEO. The CEO is not the one who will do all the work but will delegate the responsibility and accountability to the team around him\/her, also known as the Executive Management Team, EMT (consisting of roles such as for example CFO, CMO, CIO, CISO, COO, CRO and so forth). The EMT delegates the operationalization, to some extent or fully, to their team members (Vice Presidents, Directors etcetera). The execution of the objectives to achieve the strategy, set by the governing body (the board), is managed throughout the organization.<\/p>\r\n
This is somewhat of a simplified description of how the chain of delegation and governance may take place. Depending on, for example, the operational model and structure of an organization may contribute to the picture looking a bit different. The structure I have described is not set in stone but gives a good overview of the overall idea.<\/p>\r\n
![\"\"](\"https:\/\/tynesideinnovation.com\/grcfincrimetoday\/wp-content\/uploads\/2025\/10\/grc-what-why-how-when-corporate-grc-300x167.png\")
<\/p>\r\nSorry, I know! The text is very small and might be hard to read. Use the zoom function if possible, I think the illustration is valuable to study.<\/pre>\r\n
The takeaway is that the model I described for how Governance can be applied to several parts of an organization to achieve the same outcomes. For example IT Governance, Financial Governance, Business Governance, Security Governance, and so forth. For each part of an organizational entity, a leadership committee (I.e., governance) establishes the strategy.<\/p>\r\n
The strategy for example Corporate Finance is developed by the leadership committee which delegates the accountability and responsibility for managing the execution of the objectives to the roles and responsibilities in the Finance organization to operationalize the strategy.<\/p>\r\n
The Corporate Finance Strategy is not something that takes place in isolation, it is aligned as a part of the overall corporate strategy in direction with the board\u2019s strategy for the organization.<\/p>\r\n
Properly established Governance will provide control, transparency, direction, ethics, and separation of responsibilities. Generally, Governance is responsible for the \u201cWhat\u201d and Management is responsible for the \u201cHow\u201d.<\/p>\r\n
How things are carried out in reality may though take a different form between organizations. When theory meets reality those may not always align. More or less, every organization has some form of Governance in place that serves as a decision-making body for where those \u201cbigger picture\u201d things are discussed and decided on. And for Governance to function it need leadership. Governance can\u2019t exist without leadership. Establishing Governance does not equate to that leadership being accomplished. These are two different things but they go hand in hand.<\/p>\r\n
There is certainly more that can and should be said about Governance but I will stop here for now. Let\u2019s jump into the What, Why, When, & How explanation of Security GRC.<\/p>\r\n
WHAT?<\/strong><\/h1>\r\n
In this article,\u00a0Security GRC<\/em>\u00a0is explained as:<\/p>\r\n
A structured and holistic discipline covering the practices of Governance, Risk Management, and Compliance, ie. GRC.<\/em><\/p>\r\n
\u00a0<\/div>\r\nAs you may see there are fewer wordings in this explanation about \u201csecurity\u201d or something such as protection, resilience, detection etcetera. These things affect\u00a0Security GRC<\/em>\u00a0or may be an outcome of the work. How the objectives are managed and actualized in alignment with the strategic direction, i.e.\u00a0Governance<\/em>.<\/p>\r\n
Security GRC<\/em>\u00a0is a subset of\u00a0Corporate GRC<\/em>\u00a0which is focused on the management and oversight of security efforts. This means that\u00a0Security GRC<\/em>\u00a0in an organization is a part of a bigger puzzle as explained earlier in this article. It does not and shall not operate in isolation from the rest of the organization.\u00a0Security GRC<\/em>\u00a0shall be integrated with\u00a0Corporate GRC<\/em>, other\u00a0GRC\u00a0<\/em>disciplines, and the rest of the organization.<\/p>\r\n
![\"\"](\"https:\/\/tynesideinnovation.com\/grcfincrimetoday\/wp-content\/uploads\/2025\/10\/grc-what-why-how-when-grc-expalined-300x134.png\")
<\/p>\r\nSorry, I know! The text is very small and might be hard to read. Use the zoom function if possible, I think the illustration is valuable to study.<\/pre>\r\n
Security is a team sport and so is\u00a0Security GRC<\/em>. This is not something that is a one-man show or something that only is a thing taking place in a security team. This is a discipline that is established to support the organization it exists in. And yes, a tool or software for\u00a0Security GRC<\/em>, that helps out to automate things such as evidence collection, risk reporting, and data classification, is and can be a part of the puzzle but this is not a unicorn solution.<\/p>\r\n
Before a tool or software implementation of a\u00a0Security GRC<\/em>\u00a0tool, other things should be established. Let\u2019s call these things foundational components of\u00a0Security GRC.<\/em>\u00a0These things equate to for example structure, frameworks, and processes. And of course, you need to have support for the change from your stakeholders and sponsors. A tool or software should rather, as I see it, be a natural progression in an organization\u2019s maturity journey of\u00a0Security GRC\u00a0<\/em>rather than the absolute starting point.<\/p>\r\n
This principle is not unique to\u00a0Security\u00a0<\/em>GRC though, it applies to pretty much more or less all aspects of an organization\u2019s maturity journey. If an organization does not have\u00a0people\u00a0<\/em>and\u00a0processes\u00a0<\/em>available and educated on a certain subject\/discipline\/skill\/<etcetera>\u00a0technology\u00a0<\/em>will provide less value. I have seen this mistake several times in a bunch of different forms of projects throughout my career. IT Service Management, Risk Management, Identity & Access Management, and Cloud Security Governance just to mention a couple examples. The list could have been made longer but I will stop here for now.<\/p>\r\n
WHY<\/strong><\/h1>\r\n
The values gained for an organization that chooses to establish\u00a0Security GRC<\/em>\u00a0can provide:<\/p>\r\n
Ensured compliance, mitigation of risks, and contributed to an improved security posture, and cyber resilience in alignment with the organization\u2019s strategic objectives.<\/em><\/p>\r\n
\u00a0<\/div>\r\nAn organization that chooses to establish\u00a0Security GRC<\/em>\u00a0will gain positive effects and value addition from managing the three practices (Governance, Risk Management, & Compliance<\/em>) in synchronization. Each of the three practices within\u00a0GRC\u00a0<\/em>is and shall be seen as a unique perspective which all serve the same overall purpose. Go back to the picture above in the\u00a0What<\/em>\u00a0section and study the descriptions.<\/p>\r\n
The practices together form a\u00a0system<\/em>\u00a0and a holistic structure that operates as a totality. The value generated for an organization by synchronizing and integrating the three practices may for example be:<\/p>\r\n
- \r\n
- reduced or elimination of duplicated efforts<\/li>\r\n
- increased efficiency through the usage of common processes and methods<\/li>\r\n
- increased insight and understanding of the organization\u2019s security and compliance posture<\/li>\r\n
- improved alignment of investments in relation to the organization\u2019s strategic direction<\/li>\r\n<\/ul>\r\n
<\/p>\r\n
HOW<\/strong><\/h1>\r\n
The establishment of\u00a0Security GRC<\/em>\u00a0in an organization:<\/p>\r\n
Shall be adapted toward the organization\u2019s culture and not the other way around.<\/em><\/p>\r\n
\u00a0<\/div>\r\nThe form of how\u00a0Security GRC<\/em>\u00a0is established may differ between organizations. A very mature organization, for example operating in the Finance industry, will have a more \u201ccomplex\u201d setup compared to a start-up company developing software. Both these organizations need some form of\u00a0Security GRC<\/em>\u00a0but the practical implementation will differ. The reasons for it, are for example but are not limited to:<\/p>\r\n
- \r\n
- Culture<\/li>\r\n
- Regulations<\/li>\r\n
- Organizational size<\/li>\r\n
- Geographical spread<\/li>\r\n
- Operating model<\/li>\r\n
- Organizational history<\/li>\r\n
- Organizational structure<\/li>\r\n<\/ul>\r\n
![\"\"](\"https:\/\/tynesideinnovation.com\/grcfincrimetoday\/wp-content\/uploads\/2025\/10\/grc-what-why-how-when-grc-change-231x300.png\")
<\/p>\r\n