The convergence of escalating cyber threats, intensified regulatory scrutiny, and high-profile legal actions has propelled Governance, Risk, and Compliance (GRC) to the forefront of organizational priorities. No longer a mere compliance function, GRC has evolved into a strategic imperative that underpins business resilience and sustainability.
Before diving into the specific incidents that have served as a cautionary tale to businesses, necessitating a focus on GRC, let’s define the term itself.
What is GRC?
Governance, Risk, and Compliance (GRC) is a strategic approach to managing an organization's operations while meeting compliance requirements and minimizing risk that can impact mission-critical activities. It involves a structured framework for defining policies and processes (Governance), identifying and mitigating risks (Risk Management), and ensuring adherence to laws, regulations, and internal standards (Compliance).
The acronym GRC was first used by Forrester Research analyst Michael Rasmussen in 2002. He defined it as a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.
Legal Action Against SolarWinds and Uber Following Data Breaches
The SolarWinds supply chain attack (2020), the Uber data breach (2016) and other high-profile data breaches in the recent past have had profound implications for the cybersecurity industry. The legal repercussions of these incidents led to significant shifts in regulatory, organizational, and technological landscapes, and brought GRC into the spotlight.
These cases underscore the severe legal consequences for companies that fall victim to cyber-attacks and are unable to manage risk in a transparent and structured manner – before and after the breach. CISOs and other security leaders face increasing personal liability for security inadequacies and failures.
Implications of the SolarWinds and Uber Cases on the Cybersecurity Industry
The biggest lesson for cybersecurity professionals is to create strong connections between governance, risk management and compliance activities, so that each of the three components informs the other two. Some of the language in the legal action that followed these breaches referred to inconsistent communication and messaging internally and externally, with SEC filings going out without being vetted by cyber leaders. It is absolutely essential for business and cyber leaders to communicate and get visibility into the others’ domains.
The organization’s business objectives need to inform risk management, and cyber risks and compliance requirements in turn need to inform strategic business planning. Without strong links between the three, businesses run the risk of noncompliance and of legal action following a breach.
The “Govern” Function in NIST CSF 2.0 and CIS Critical Controls 8.1
The importance of an integrated approach to GRC activities is further reflected in changes to the NIST Cybersecurity Framework and the CIS Critical Controls this year. Both cybersecurity frameworks have now added a “Govern” function to their core functions (which previously included Identify, Protect, Detect, Respond and Recover).
NIST CSF 2.0
In version 1.1 of the NIST CSF, governance-related activities were included under the “Identify” function. By placing these activities under a new, cross-cutting Govern function in version 2.0, NIST elevates the importance of aligning Cybersecurity Risk with Enterprise Risk. The Govern function includes action categories for establishing and monitoring cyber risk strategy, expectations, and policy. The strategy direction set under it will inform the implementation of the five other functions. Within the Govern function, NIST lists the following main categories: Organizational Context; Risk Management Strategy; Cybersecurity Supply Chain Risk Management; Roles, Responsibilities, and Authorities; Policies, Processes, and Procedures; Oversight.
CIS Critical Controls 8.1
Version 8.1 of the CIS Controls, the latest release, also added a Govern function to the other five. The addition of Governance as a core component will enable users to identify the essential policies, procedures, and processes needed to safeguard their assets. To support the Govern function, CIS also added the asset type “Documentation”, which includes Plans, Policies, Processes and Procedures. This will provide organizations with the evidence required to demonstrate compliance with industry standards.
Simplifying GRC with Frameworks and Tools
Implementing GRC initiatives in a streamlined manner can be difficult because of the multiple interoperating domains and the specialized nature of some of the activities. Cybersecurity initiatives and legal operations are both specialized functions that need domain expertise. Furthermore, tying everything together so that every activity is designed with the end goal of meeting business objectives is complex.
While GRC tools offer immense benefits, it's essential to remember that they are not a standalone solution. Human judgment, expertise, and ethical considerations remain indispensable in navigating complex GRC challenges.
How CYRISMA can Help
The CYRISMA Cyber Risk Management Platform brings together essential risk management and compliance assessment capabilities in a single SaaS ecosystem. Developed for MSPs and MSSPs looking to reduce risk for customers in a holistic, measurable and cost-effective manner, CYRISMA makes GRC simpler by providing all-round visibility into both cyber risk and evolving compliance needs.
Platform features include internal, external, agentless and agent-based vulnerability scans, patching for Windows-based third-party apps, sensitive data discovery in both on-prem and cloud environments, dark web monitoring, secure configuration scanning, compliance tracking and assessment, and much more. With CYRISMA, you can not only run scans to discover, assess and mitigate risk, but also track and assess compliance with multiple frameworks (CIS Critical Controls, NIST CSF, HIPAA, PCI DSS, Essential Eight, Cyber Essentials, Microsoft Copilot Readiness, and more). All features and future updates are included in the standard pricing.