Cyber governance, risk, and compliance (Cyber GRC) is the core enabler of strategic cybersecurity. Cybersecurity exists to support the organization in achieving its business objectives by securing assets and minimizing cyber risk. The strategy outlines the goals and priorities, and determines actions and timelines, also stated as the roadmap. The cybersecurity strategy should be continuously updated as the organization’s goals and operating environment change. A fundamental responsibility of Cyber GRC is to reflect the cybersecurity strategy in the cybersecurity policies, standards, and operating model.

Policies are often the focus of governance and provide a foundation for GRC. The policies explain why programs are implemented and how they support the strategic goals defined for cybersecurity. Standards are also created for each policy to provide more specific requirements of what must be done. With clear strategic direction provided through documentation of policies and standards, the cybersecurity team and stakeholders are empowered to drive a security-conscious culture and proactive approach to security as new projects are implemented to achieve the business mission and objectives.

Risk management is central to keeping the cybersecurity strategy and documentation fit for purpose. Through implementing a process for identification of risks, threats, and vulnerabilitiesC yber GRC provides organization specific information regarding the operating environment which can be helpful in prioritization and updating the cybersecurity strategy as required. The process to understand high-risk areas should include input from all aspects of the business to determine reasonable risk profiles, risk ownership and risk action plans.

“Cyber GRC must be directly integrated in all cybersecurity programs to effectively enable execution of the cybersecurity strategy”

Compliance together with risk management provides key feedback that enables cybersecurity leadership to monitor strategic execution. Unfortunately, compliance is often considered and deployed as a “check the box” activity. Compliance should also provide indicators of program success and useful information much like metrics to measure results and signal areas where wider issues may exist. Controls or control objectives are implemented for each standard. In the compliance process,regular confirmation of the control’s design and effectiveness can provide benchmarks of the security posture and indicators of progress against cybersecurity objectives. Controls should be strongly aligned with the cybersecurity metrics. Both controls and metrics provide greatest value when they deliver leading and lagging indicators.

The elements of governance, risk, and compliance deliver a cyber framework for the organization. In terms of cybersecurity, a framework provides an approach to deliver on the cybersecurity program and organize requirements. This should be customized to your organization’s cybersecurity strategy and operating model. There are many frameworks available including NIST Cybersecurity Framework (NIST CSF) which provide useful approaches to organizing cyber resiliency requirements. Existing frameworks should be used as a point of reference or guide. Beware of simply copying any framework that exists regardless of how well adopted. It is highly unlikely that any industry framework, best practice, or standard will completely align with the cybersecurity strategy defined for your organization.

Cyber GRC must be directly integrated in all cybersecurity programs to effectively enable execution of the cybersecurity strategy. Ultimately, cybersecurity leadership will need to answer the question: What actions are necessary to achieve cybersecurity goals with measurable outcomes? Implementing governance (policies, standards, controls), risk(assessment, prioritization), and compliance (status, metrics) builds the foundation for delivering on the strategy and provides critical information so that the strategy can be updated to meet the organization’s mission and objectives amid the shifting operating environment.