What is Cybersecurity GRC?
Cybersecurity Governance, Risk, & Compliance (GRC) is an integrated approach organizations use to align cybersecurity and data privacy requirements with business objectives.
Which comes first: Governance, Risk or Compliance? This has been a hotly debated topic since the term GRC was first coined over two decades ago. However, there is a logical order to GRC processes that must be understood to avoid silos and an improperly scoped security program. First, it is necessary to level-set on the terminology of what each GRC function does:
- Governance. Structures the organization’s controls to align with business goals and applicable statutory, regulatory, contractual and other obligations. Develops the necessary policies and standards to ensure the proper implementation of controls.
- Risk Management. Identifies, quantifies and manages risk to information and technology assets, based on the organization’s operating model.
- Compliance. Oversees control implementation to ensure the organization’s applicable statutory, regulatory, contractual and other obligations are adequately met. Conducts control validation testing and audits/assessments.