As regulations proliferate regarding the risks posed by our increasingly digital economy, companies face a choice: make cyber compliance the responsibility of existing teams, or build a brand-new function, cybersecurity GRC, seated at the intersection of business, IT, privacy and cybersecurity. Security risk and compliance director Yasmine Abdillahi of Comcast clearly favors the latter, as she explores here.
The digital revolution has given rise to cybersecurity governance, risk and compliance, which sits at the intersection of business, IT, privacy and cybersecurity. This function creates and oversees the processes and policies that organizations put into place to manage and mitigate the risks associated with the technologies and data they use.
As more emerging technologies are integrated into organizations — and as new and updated compliance regulations are continually being introduced — cybersecurity GRC is becoming increasingly complex to navigate. It’s crucial to understand the difficulties these teams face, as well as some of the best practices for cybersecurity these teams can employ today.
Evolving challenges for cybersecurity GRC teams
Governance is a core function of all GRC — creating policies, standards and oversight — so the introduction of updated or new security regulations affects how an organization enforces policies. Some of the most prominent new regulations impacting this function are PCI-DSS 4.0 and the new SEC disclosure requirements, which mandate that any publicly traded company disclose material cybersecurity incidents to the agency within four days.
Existing regulations are often updated annually, and with new regulations being introduced, cybersecurity GRC leaders must track these changes constantly. With security and privacy in particular, new regulations are being added all the time. Policies and standards need to meet at least the minimum requirements of the organization, but they also need to meet at least the minimum requirements of the industry (e.g., PCI for credit cards, HIPAA for healthcare).
While staying current with regulations is challenging, so is the convergence of cloud, IoT, AI and generative AI. With the emergence of these new technologies — and their convergence — cybersecurity GRC teams are grappling with greenfield territory, as these have introduced new security risks they must take into account.
Limited regulation exists specific to many of these technologies, especially in the U.S. There’s a 2023 executive order regarding AI, but there aren’t any frameworks yet that talk about compliance. The National Institute of Standards and Technology (NIST) has published a risk management framework, but it’s high-level. On the other hand, the European Union’s new AI law marks the biggest early effort to regulate AI, and it’s expected to become fully applicable in a couple of years. Now the clock is ticking for companies to conduct gap assessments and develop compliance roadmaps.
While specific and universal regulations continue to evolve, cybersecurity GRC teams must support their businesses in securely deploying and adopting new technology to realize expected benefits. It’s a sort of GRC no-man’s-land that these teams have to navigate.
Challenges exist with collaborating across the organization to ensure that policies are enforced, compliance mandates are being met and security gaps are being addressed. Cybersecurity GRC teams don’t create the data they use, but they need to be able to trust its accuracy, completeness and timeliness. That’s critical.
There is also sometimes a need for realignment in terms of incentives and goals between GRC and other teams/departments across the business. A GRC team in any area of the business can be seen as a gatekeeper; its role is to help limit liabilities, while business teams want to do business and make more sales. These two goals can seem at odds when new controls may hinder the business from operating efficiently.
Ultimately, GRC teams interact with people and teams from across the business, including what’s traditionally referred to as the three lines of defense:
- The first line, which operates the controls; they own the risk, they face the external environment
- The second line, which provides the capabilities and tools that enable the first line
- The third line, which is often internal audit; this group is more independent and is mandated by the board
These three groups need to have feedback loops and collaboration with cybersecurity GRC; they have different objectives and goals, but ultimately, they all want the company to protect the crown jewels and operate securely. It can sometimes be a challenge to determine who is accountable for what and have that clearly delineated.
Getting cybersecurity GRC right
Cybersecurity GRC presents a new set of challenges compared to other types of GRC: an ever-growing threat landscape, massive amounts of data and nascent regulations. What's more, compliance won't necessarily prevent an attack; instead, relevant and proactive compliance may help reduce the frequency and/or the impact of an attack.
To get cybersecurity GRC right, three elements must be in place. First, there must be trust in the data. Being able to trust the data used to measure compliance and to make risk management decisions is essential for the cyber GRC team’s success. But as noted above, this can be a challenge. How do you make trust happen? Having ongoing conversations with the owners/creators of the data is key to establishing rapport and strong relationships.
Second, there must be alignment on accountability and risk appetite. Accountability is difficult when you have multiple people and roles in the mix. It’s important to have a well-defined structure for who is responsible for the different areas as well as a clear path established for remediation if you aren’t compliant.
Providing actionable data is the third element. It’s more effective to report on control gaps with sufficient business context and when there are immediate insights into how to close them. Cybersecurity GRC teams need to be able to speak in business terms to assist control owners and leadership with relevant and actionable insights.
Where growth and security meet
Cybersecurity GRC has emerged as its own discipline. While security and privacy compliance requirements are growing, cybersecurity GRC teams need to be strategic while crushing complexity to help their organizations achieve business goals. There’s an ongoing perception that compliance is a time-consuming, heavy lift, which means it too often continues to be viewed and treated as a burden. This ignores the fact that compliance and the process of meeting requirements brings many benefits to the organization and can ultimately be a strategic advantage.
There is an opportunity to enable and support secure policy development and enforcement while responsibly supporting the growth goals of the business. Growing compliance requirements may hinder certain efficiencies, but the cybersecurity GRC team is a business partner that can help solve this problem.