Understanding Cyber Security GRC
GRC stands for Governance, Risk and Compliance.
☁️ Demystifying GRC
GRC job titles are very confusing! You often have the same job title doing completely different things, or different job titles doing the same thing. There is no standardisation in roles, responsibilities, titles or skills needed. Industry-specific standards and regulations also vary: GRC in the financial sector is very different to GRC in the healthcare sector or a SaaS company. You can also have non-technical GRC folk or very technical GRC folk - some GRC folk operate more like auditors or lawyers, and some operate more like coders and system owners/administrators.
However, you will find commonalities in every GRC role. I also recommend diversifying your skills so you can add value in every area. I do recommend picking a speciality within GRC only after you have a well-balanced understanding and skillset.
It should be noted that if you want to climb to the top of the ladder and make a lot of money, GRC is the way to go. Eventually, managers, directors, CISOs and other senior positions are essentially glorified GRC folk within information security.
📖 Understanding GRC (Must read for newbies!)
When working with Governance, Risk, and Compliance (GRC), it can be overwhelming to navigate the various types of laws, regulations, standards, and frameworks.
However, it is not necessary to memorise every control or clause within a specific framework. Instead, a fundamental understanding of IT controls, risk management, documentation, evidence, reading, writing, interpretation, project management, and communication skills is essential for success.
It is important not to overcomplicate GRC, as essentially you are just following checklists. Some checklists are very strict, such as Cyber Essentials Plus or PCI-DSS. Others, such as ISO 27001, have room for ambiguity, and you can reason your way in or out of controls depending on the context of the organisation. Some checklists can take years to fully implement organisation-wide, and a single action or control can take anywhere from hours to months to develop.
What is great about GRC is that you are always learning, and you can look at any new law, framework, standard, regulation, or policy and understand how it impacts you and your organisation. The overlap between them is significant, and they have a lot in common.
Once you understand the commonalities and some of the particulars, you will be able to add value to any organisation.
👑 Governance
In GRC, governance is the set of rules, policies, and processes that guide a business, with no political connotations. It involves all departments within an organisation and defines the responsibilities of key stakeholders such as the board of directors and senior management. Governance steers the organisation towards its goals.
The dictionary definition of governance is the exercise of authority over a country, organisation, institution, etc. In GRC, it is the exercise of authority over an organisation.
Governance consists of rules, policies, frameworks, standards, laws, or corporate behaviour that help achieve the organisation's goals, mainly from an information security perspective.
📈 Risk (Management)
Risk management in GRC is a comprehensive process used to identify, assess, control and minimise the effects and consequences of potential events. It involves assessing, monitoring and mitigating risks across the organisation. The purpose of risk management is to identify potential risks that threaten the organisation's ability to achieve its goals or to operate at all.
Risk management aims to create treatments and implement controls, policies, and procedures that will help minimise or avoid risks completely.
👮 Compliance
Compliance in GRC refers to an organisation's level of adherence to standards, regulations, and best practices mandated by business, law, and/or regulatory bodies. It involves following both internal and external rules, laws, and regulations, and ensuring that the organisation operates ethically and follows proper practices. Compliance risk management is the process of identifying, assessing, and mitigating potential losses that may arise from an organisation's noncompliance with laws and regulations.