Why do we need GRC?
The well-rounded governance, risk, and compliance (GRC) framework facilitates the formulation and sustained management of information security risks. We understand that all security requirements stem from a need to manage risk. Risk drives and shapes all business activity.
If we compare corporate IT security to securing your home, we should ask ourselves; why is it that we close our doors and windows when we leave? Why do we invest in high fences, intruder detection lighting, burglar alarms, safes, panic rooms?
All of these are defensive measures that can be deployed to help control risk. The risk of burglary, theft, kidnap etc. As these crime types increased, perhaps due to other causation factors, the need arose to invent solutions that would reduce the risk of the crime occurring and the impact it may have if it does occur.
Closed doors and windows are like putting in place a firewall or intrusion prevention solution at the perimeter of your network. Intruder alarms and lights could be linked to endpoint detection and response or intruder detection systems. Safes or panic rooms could be akin to encryption or Identity and Access Management (IAM) solutions. Again, all of these solutions exist to help reduce risk. In the IT world, risk could relate to critical digital assets (the recipe for Coke or a new prototype electric car) or perhaps personally identifiable information which is now highly regulated through privacy legislation.
For companies to function normally and ensure that they, their investors, their customers and their supply chain all feel safe, they must identify the risks that threaten their organisation and in turn, digital assets. In order to identify these risks, the organisation must first understand what they have, how valuable their assets are and then decide how to protect them. Much like when you are applying for home and contents insurance, you must assess all the building, its structure, its entry points and its contents.
Understanding assets is key, but it is equally important to understand the threat landscape. The threat landscape is all about knowing who the threat actors are, what motivates them and what techniques they may use to steal your property. In other words, there is little point in spending thousands of pounds to secure a £100 shed with one £5 shovel in it. If that shed were now a jewellery store in London’s Hatton Garden, there would be every point in applying a defence strategy, utilising security guards, panic alarms, secure vaults etc.
IT security, risk and compliance
That having been said, even a secure vault in Hatton Garden is vulnerable to a breach. The same applies to IT security, risk and compliance. There is no such thing as 100% secure, risk-free or compliant. The journey is all about identifying risks and applying appropriate controls according to the risk rating. It is all about prioritising risks and not getting overwhelmed by the amount of risk discovered.
If discovery/identification of assets/risks and applying controls are the first two stages of a GRC journey, then change management will almost certainly be the third most important activity. Change management is vitally important.
Using the home protection example, if you were to move home, all of the controls that you had applied are now redundant and your personal property is now at risk. It would be pointless to simply transfer all the controls across to the new home. You went through a bespoke process to evaluate your estate, identify risks and apply controls that were unique to that home. The new home may have more doors/windows, no driveway, a separate annex etc. All new things should be considered to see if the previous controls are still needed, appropriate, adequate and fit for purpose. It may be that more controls are required, or even less. The new home could have a new, state of the art, built-in safe, so there is no need to go and buy your own!
Our experienced team at Nomios UK can assist you at every stage of your compliance journey. We are able to assess your current state of readiness and advise on areas that require remediation. Taking a risk-based approach, we can help implement technologies, processes and policies that will meet the most stringent compliance and security requirements.
Solutions
Cyber Essentials
Helps you to guard against the most common cyber threats and demonstrate your commitment to cybersecurity.
PCI DSS
To enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation.
ISO/IEC 27000
A series of best practices to help organisations improve their information security.
COBIT 5
A framework for the governance and management of enterprise IT.
NIST
A cybersecurity framework that consists of standards, guidelines, and best practices to manage cybersecurity risks.
GDPR & DPA
Legislation that came to force in order to unify data protection laws across Europe.
MiFID II
A legislative framework instituted by the European Union (EU) to regulate financial markets in the bloc and improve protections for investors.
Get in touch with our security experts
Our team is available for a quick call or video meeting. Let's connect and discuss your security challenges, dive into vendor comparison reports, or talk about your upcoming IT-projects. We are here to help.
