However, with many CISOs and their teams already feeling under pressure from the mounting responsibilities of protecting organizations, coming to grips with the growing raft of regulations and requirements can be overwhelming, said Insight Enterprises’ Rader. “There’s a lot to ingest from multiple agencies in the US, EU requirements and disclosure requirements, and even certain international standards like ISO 27001 that are widely accepted are non-prescriptive,” Rader says.
To address this, he suggests that uniform requirements, similar to the payment industry’s PCI security standards, may be needed. “If the hyperscalers were to get together and come out with a standard, that would make things a lot easier instead of having to chase down the latest kinds of requirements and then harmonize from one country to the next,” Rader says.
Strategies for cybersecurity and GRC integration
Incorporating cybersecurity practices into a GRC framework means connected teams and integrated technical controls at the University of Phoenix, where GRC and cybersecurity sit within the same team, according to Larry Schwarberg, the VP of information security. At the university, the cybersecurity risk management framework is built primarily from a consolidated view of the NIST 800-171 and ISO 27001 standards, and that framework is used to guide other elements of its overall posture. “The results of the risk management framework feed other areas of compliance from external and internal auditors,” Schwarberg says.
The cybersecurity team works closely with legal and ethics, compliance and data privacy, internal audit and enterprise risk functions to assess overall compliance with in-scope regulatory requirements. “Since our cybersecurity and GRC roles are combined, they complement each other and the roles focus on evaluating and implementing security controls based on risk appetite for the organization,” Schwarberg says.
The role of leadership is to provide awareness, communication, and oversight to teams to ensure controls have been implemented and are effective. In addition, the cybersecurity team periodically brings in external consultants to evaluate compliance and assess maturity levels associated with these frameworks and regulatory compliance requirements. “GRC at the university is a team effort coordinated by the cybersecurity team.”
GRC: one more thing changing the CISO role
CISOs are already blending technical with business considerations to manage cybersecurity within their organizations; integrating GRC means adopting broader responsibilities and a risk-based approach.
It’s also harder to be a purely technical CISO, according to Rader. “You have to be a business CISO and a GRC CISO.” He likens the role to being the ambassador of security, interacting more with the board in line with SEC requirements and working across the organization, while mitigating risk. “We’ve always had a risk mindset, but now we need to understand how to relate risk terms back to the executives in a way that they understand,” Rader says.
As cybersecurity involves organization-wide risks and protections, there’s a shift underway, impacting technical teams and risk and compliance teams, according to Nina Wyatt, security and GRC principal consultant lead at AHEAD. “Cyber roles require more soft skills and industry expertise to better support the control environment, while GRC roles require at least a baseline technology understanding to be effective in an oversight capacity,” Wyatt tells CSO.
In responding to cross-organization risks, GRC roles will need to collaborate with cybersecurity roles to structure a program that coordinates activities from both areas of the organization. “Misalignment between these two functions can result in duplicative efforts and spend, and increased complexity when it comes to working through control assessment and attestation activity,” Wyatt says.
This need to communicate technical information, along with cyber risk and governance issues, to board and leadership teams in a way senior leaders will understand is something that many CISOs report struggling with, and it’s impacting the effectiveness of security initiatives, an FTI Consulting survey found. “The communications disconnect between business leaders and CISOs means organizations are hindered from fully preparing for — and proactively governing — cybersecurity risks for the business,” said Onyons.
Leadership buy-in is essential to success
Leadership has a clear mandate to guide effective security and governance measures, says MetricStream’s Sabbineni. To ensure cyber risks are properly integrated into GRC considerations, there’s a need to create governance structures with clear roles and responsibilities, which must be driven from the top.
Leadership also needs to ensure teams quantify cyber risk exposure in monetary terms rather than in technical language. “This way, the investments and risks can be prioritized,” Sabbineni says.
FTI’s Onyons believes that leadership plays a pivotal role in determining how resources, both human and financial, are allocated. “It’s crucial for implementing effective and resilient cybersecurity defenses,” he says. “Without leadership support, GRC initiatives are bound to falter.”
It also means that boards and executives need to possess more cyber awareness and shift cybersecurity beyond the sole responsibility of the CISO. “It’s become a domain where general counsel, risk leaders, compliance heads, and the board must comprehend how the organization is being safeguarded,” he said.