Governance, Risk, & Compliance (GRC)





Many companies are seeking methods to meet regulatory and compliance requirements as cost-effectively as possible.

For example, in the healthcare industry it means complying with HIPAA. Any business that processes credit cards must protect its customers’ credit card data by being PCI compliant. Other companies must comply with GDPR.

This can add entire layers of time and cost to implement or, worse, cost-prohibitive fines if requirements are not met. Almost all industries are affected, including non-profit and education. Each has its own compliance requirements to meet the magic check box.

Compliance can become this burden that can literally put entire companies out of business.

– Brian Self

For example, the DoD requires compliance with NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. I’ve had customers tell me they can’t afford to meet these requirements and have stopped bidding on DoD contracts.

Compliance requirements can directly impact the bottom line and will not necessarily lower risk or help a company be more secure. The end result is that you can be compliant and still have huge security holes and risks. For example, Target years ago was supposedly PCI compliant. On paper they were doing everything right. In the real world they experienced a very costly breach.

Risk Management vs Compliance

I see a significant difference between compliance and risk management. A good analogy for compliance is a picture taken at a point in time. I can look great in a picture, but it only captured that moment in time; it doesn’t guarantee I still look the same. That is one of the dangers of “being compliant”. A company can meet compliance requirements without really lowering risk at all. So it’s possible to be compliant without being secure.

It can be costly not to be compliant, though. GDPR and HIPAA are both examples of GRC (compliance) requirements that could result in very costly fines. I know one hospital that was given a million dollar fine for being out of compliance with HIPAA. The stakes are real.

A Governance, Risk, and Compliance (GRC) Program

Security is seen as a cost with no return on investment by most companies, and Governance, Risk and Compliance (GRC) requirements do not help this perspective. Since becoming compliant does not guarantee security, security breaches continue to occur. Large companies such as Equifax pay whatever fine might result, do a PR campaign and move on. Smaller companies can go out of business.

Therefore developing and maturing a Risk Management program becomes even more significant.

For those looking for a solid cyber security risk management roadmap and program, I recommend the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The NIST CSF has 5 main sections that I have found resonate with executive management: identify, protect, detect, respond and recover. Under the hood of the NIST CSF are all the security controls from NIST SP 800-53, so it has all the detail as well.
