Immediate Spoiler - GRC is Governance, Risk, and Compliance.
In talking with students, friends, and people in general, I’ve noticed that when I say that I work in cybersecurity in a GRC team, many of them have no idea what GRC means. This may be the case for a number of cybersecurity roles. People who are not in this field or a related IT field have no reason to be familiar with, or interested in, cyber job roles. Some of them may picture all these roles as mostly wearing a hoodie and hacking people’s passwords :)
For those of you who are interested in knowing what a GRC role is all about, or maybe even interested in pursuing a job in this area, I’ll provide a quick overview here. As mentioned above, GRC stands for Governance, Risk, and Compliance. Just before I flesh out each of those a little, I want to say a little about …
Why Is GRC a Great Area To Work In
If you enjoy variety in your work and new challenges across a number of different areas, GRC provides a broad range of rewarding activities. I especially enjoy working in GRC because it offers opportunities to “move the needle”, to have a lasting impact, in terms of the overall strength and maturity level of a cybersecurity program. I’ll cover some of these needle-moving efforts in the breakdown below.
Governance
The governance piece of GRC covers a lot of ground. Like many cyber roles, it includes monitoring and working through a ticket queue on a daily, ongoing basis. The types of tickets in a GRC queue include requests from users and teams to have higher levels of administrative rights (control) on their own computers and/or other systems; access to or higher level of access to files and folders on the organization’s network; access to websites blocked by security controls; and methods to securely share data with external parties.
Governance also involves creating information security policies, standards, and procedures for the organization. Areas covered within InfoSec policies, standards, and procedures include:
Acceptable Use - of technology (e.g. not using a work email address to sign up for that new sports betting site)
Access Management - often based on the principles of Least Privilege and role-based access - as in, only the permissions needed to carry out a specific job role
Asset Management - ensuring that we have continually updated, current inventories of all of our hardware and software - “we can’t defend what we can’t see”
Incident Response - to increase the ability to contain and respond effectively to cybersecurity events and incidents, there needs to be an incident response plan in place that is regularly updated and tested
Security Awareness and Training is often part of GRC governance responsibilities as well. This is crucial in our efforts to defend against attacks that target humans, not technology.
Building a strong culture of security through awareness and training activities, and having policies, standards, and procedures that are adhered to and updated regularly to address business needs and evolving threats, are solid foundational elements in a cybersecurity program.
Risk
The R in GRC is my favorite part of GRC to work on, and I’ve been fortunate enough to have had plenty of opportunities to work on cyber risk assessments of applications, vendors, and even a few power plants.
Cyber risk assessments take a holistic (apologies for the jargon term) approach. They review and assess people, process, and technology, as well as vulnerabilities and the threats and threat actors that can exploit any of our gaps and weaknesses. To put it more clearly, I’ll steal a chunk of words from my friend Ernie Hayden’s great book ‘Critical Infrastructure Risk Assessment’:
Risk assessments attempt to answer three primary questions:
What can go wrong?
What is the likelihood of it going wrong?
What is the impact of it going wrong?
One of the most valuable results of a cyber risk assessment is that it identifies and ranks the most critical cyber risk items, and delivers data that allows senior leadership to make risk-informed decisions on allocating human and financial resources to address them.
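As an added illustration (not from the original post, and not the method from Ernie Hayden’s book), here is a small qualitative risk register that records an answer to each of the three questions for every risk item, scores it, and produces the ranked list that leadership would use to prioritise. The 1-5 likelihood and impact scales, the rating cut points, and the sample risk items are all constructed assumptions; real assessments define their own scales.

```python
# Added example: a minimal qualitative risk register built around the
# three risk assessment questions (what can go wrong, how likely, what impact).
# Scales, rating bands, and the sample items below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    what_can_go_wrong: str  # question 1: the scenario
    likelihood: int         # question 2: 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # question 3: 1 (negligible) .. 5 (severe), assumed scale

    def __post_init__(self):
        # Reject values outside the scale so a typo cannot silently distort the ranking
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # Classic likelihood x impact product on a 1..25 scale
        return self.likelihood * self.impact


def rating(score: int) -> str:
    # Rating bands on the 1..25 product scale; the cut points are an assumption
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_risks(items):
    # Highest score first; ties broken by impact so the worst-case outcome surfaces first
    return sorted(items, key=lambda r: (r.score, r.impact), reverse=True)


def summarize(items):
    # Leadership-facing view: (scenario, score, rating) in priority order
    return [(r.what_can_go_wrong, r.score, rating(r.score)) for r in rank_risks(items)]


# Constructed sample register (not real findings)
SAMPLE_REGISTER = [
    RiskItem("Phishing leads to credential theft on a shared mailbox", 4, 3),
    RiskItem("Unpatched internet-facing VPN appliance", 3, 5),
    RiskItem("Vendor with network access has no contractual security requirements", 2, 4),
    RiskItem("Former employee accounts not disabled promptly", 3, 2),
]

if __name__ == "__main__":
    for scenario, score, band in summarize(SAMPLE_REGISTER):
        print(f"{band:8} {score:>2}  {scenario}")
```

Running the script lists the VPN appliance item first (score 15, Critical), then phishing (12, High), then the two Medium items; the point is not the arithmetic but that every item carries an explicit, reviewable answer to each of the three questions, so the ranking can be challenged and re-run when likelihood or impact changes.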
Compliance
Compliance generally means staying in line with applicable laws, regulations, and standards. These can be at the local, national, and international level. Depending on the nature of an organization’s business, they may need to be able to prove their compliance with standards set by private industry or federal / government entities. It is often critical for businesses to stay in compliance because if they fail to, they may lose customers and/or be subject to (sometimes significant) financial penalties.
Compliance assessments - and particularly security controls assessments - can often be done in tandem with cyber risk assessments, or the results of a controls assessment may be a feeder item into a cyber risk assessment.
There’s a common criticism of compliance from a cybersecurity perspective which says that “compliance is just checking a box” - not striving to embrace best security practices, doing the minimum so to speak. I believe there’s some truth in that, but there’s nothing stopping us from doing better, always going beyond the minimum and making our compliance efforts another core element in cybersecurity programs.
Each of these GRC areas could be the subject of a longer post, and I may write a little more on some of that in future posts, especially on cyber risk assessment/cyber risk management and security awareness and culture building.
I hope this overview is useful, and would love to hear thoughts from any of you who are thinking about GRC roles.