GRC: From the Top Down

The IT industry is changing rapidly, and information security is now accepted as essential to doing business; recent high-profile cases of large-scale corporate hacks have shown how important it is to have a security program in place. In this two-part post, we will focus on Governance, Risk, and Compliance (GRC), an increasingly important aspect of a mature information security program, and how you can begin to apply the concepts of GRC to your organization. First, we will discuss GRC at a high level and explain why GRC should be applied from the top down in an organization, since governance, risk, and compliance ultimately fall within the executive team's areas of responsibility. Next week's post will cover three of the top GRC platforms and discuss the strengths and weaknesses of these products in supporting the automation and measurement of your information security capability.

Applying Information Security Governance

This can be a daunting task for many businesses. It is no longer adequate (not that it ever was) to have only a flimsy written security policy while focusing primarily on securing the network, typically in a reactive way. The policy is nonetheless an important aspect of governance, because it sets the requirements for which capabilities and controls will be applied. The security policy must be robust, and it must also be mapped to external factors such as the key business drivers, your local and national regulatory and legal requirements, and the internal and external threats and the risk tolerance of the business. Beyond that, a security policy should govern all aspects of the security program and align with documented procedures, implemented capabilities, and the measurability of the security program's effectiveness.

So how does it all work? Information security governance is similar to other governance procedures a business may have in place, such as IT governance and corporate governance, and there will always be overlapping goals among these three. The company's organizational structure and its formally defined interfaces and control gateways will determine how these functions interact with each other and how their goals align. Communication is key, and the most senior roles in the organization should take care to ensure that proper stakeholder involvement and oversight are in place across the functional areas. The main goal is that security should not operate in isolation from other areas of the business. Security as a function should be involved in other areas of the business to promote a culture of security, integrate itself procedurally, and operate as a program whose effectiveness is measured while it continuously and proactively aligns with the goals of the entire business.

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

The quote above clearly articulates the need for leadership involvement in the process of security governance. If you do not currently have this level of involvement in your organization, executive teams with security and compliance objectives should seek out the help of a professional with expertise in this area. Let the experts at CyberSheath help you establish a security governance model appropriate for your business and executive team.