Cybersecurity typically resides in a separate world from governance, risk and compliance (GRC). Cyber teams monitor threats across networks and the digital universe, while GRC departments keep up with organizational compliance in the policy world.
But is this the best way to work? What if the information exposed in a data breach includes old policies about customer names, addresses and emails? You’ll need teams from both cyber and compliance to remediate the situation and mitigate risk moving forward. And what if the board is unable to answer lawmaker or investor questions about new cyber disclosures?
At Modern Governance Summit 2022, a panel of experts explored the growing intersection of cybersecurity and GRC, with tips for successfully bringing these two worlds together. Diligent’s Director of Global Product Marketing Erin Lemky welcomed Myrna Soto, CEO and founder of Apogee Executive Advisors, and John Zangardi, CEO of Redhorse Corporation, to share their thoughts.
An Expanding Landscape of Risks and Regulations
Last year, the big driver of first- and third-party cyber risks was remote work. This year, threats associated with the geopolitical landscape joined this roster.
“Whether you’re looking at Iran, Ukraine, or even a potential China-Taiwan Strait scenario, cyber will be a part of that,” said Zangardi, who previously worked in executive cybersecurity roles in the defense world, including as CIO of the Department of Homeland Security. “Because the United States has a vested interest in it and our allies are potentially targets, you are at risk.”
As these threats build, so does the pressure from regulators and governing bodies on organizations to be transparent and disclose more about their risk landscape. They’re expecting boards to understand a threat scenario and evaluate whether the organization is taking appropriate actions. To meet these expectations, organizations need strong GRC-related frameworks that integrate well with security.
Soto cited “a slew of SEC proposed rules around disclosures and incident reporting,” which will include the GRC function. “You need to be compliant, especially if you’re in a regulated industry,” she said.
The Case for Cyber and GRC Working Together
“Compliance drives change,” Soto emphasized. “But it doesn’t make you more secure.” Cyber is such a significant business risk that cybersecurity and tech teams help set the tone for the entire business’ risk posture. She suggested “taking the GRC function just a step further” and using it to articulate how secure the organization is and how it’s mitigating risks.
Guided by the compliance frameworks for their organization’s industry, GRC teams can work with security teams and management to understand and prioritize risk. The GRC team can work with their colleagues in cyber and IT to understand the scope of an organization’s cybersecurity framework and analyze its strengths and limitations.
Then both teams can work together to show business leaders the risks of not having appropriate cybersecurity measures in place.
Soto defines such risk management as “understanding our compliance positioning, understanding our regulatory positioning, understanding our cyber security program maturity and where the gaps exist.” Then team members report to the board “so that they have a clear understanding of where the company is, where their risks are, where they may be falling behind and why.”
How to Make Cyber-GRC Teamwork Happen
Collaboration starts with culture: Zangardi stressed the importance of corporate culture in forging a partnership between cybersecurity and GRC, one that encourages working together to reach a goal. “What doesn’t work is finger-pointing, being overly technical, or just checking a box,” he said.
Soto noted that a culture of fear or shaming “alienates your partners, the same people you should be making relationships with in order to facilitate those objectives.”
“Shared accountability will lead to the most conducive partnership, and this can come with shared goals and shared objectives,” she said.
“It’s not easy, because trust just doesn't happen overnight,” Zangardi said. “It’s about understanding what you’re trying to achieve and working toward common goals.”
Understand where audit fits in: At many companies, compliance and GRC naturally fall under the purview of the audit committee. More and more, cybersecurity is joining this list.
“We absolutely cover cyber in audit,” Soto said of the companies she works with. They look at everything from the cyber security framework to artifacts and beyond, very similar to how they look at controls for SOX and financial reporting. “What this does is help the audit team share and better understand the risks, because IT systems pretty much underpin every business.”
While the audit team must ultimately remain independent, the partnership model is critical to evaluating things like mitigation controls or remediation plans and moving beyond a “check-the-box” approach.
Make risk resonate: When distilling all these frameworks, metrics, evaluations and reviews for the board, it all comes down to what Zangardi calls the “so what” effect. What’s the probability of a risk occurring? What are the consequences? And what does it all mean to operations and the bottom line?
“Putting it into business terms works magic in the organization,” he said. “When I would brief the Homeland Security Secretary I’d say, ‘Look, if this particular system goes down, that stops all transit on the St. Lawrence Seaway.’ They get that, that makes the news.”
“When you can contextualize it,” Soto said, “you have to go to a line leader or technology leader and say ‘hey, I really need you to work with me on this project and I need you to give me visibility into what you’re doing.’”
Use data to resolve differing views. Gain executive support for the most strategic priorities. And move forward with a firm understanding of what a particular initiative or need truly means from a business context.
Enlist the Help of Technology
As the risk landscape continues to evolve and cybersecurity remains a top concern, solutions like Diligent’s IT Risk Management can help.