Best way to learn GRC? Think systems

Recently, a lot of newcomers and practitioners are asking how do I learn Security GRC?

Do I need to go for a CISSP? Do I need to read through the ISO 27001 standard? Do I need to perform mock FAIR risk assessments in my living room? Do I need to get 0.1% on TryHackMe? Maybe I need to buy a course for +￡1,000 that might allow me to digest GRC knowledge better?

It could help, but probably not how you should structure your approach.

Security GRC is a subset of information security which is a subset of the information economy. We use people, processes and technology to deliver business value.

In the digital economy, the closest role to what our added value to the business is is an architect's role.

Working in GRC is like being an architect, you need to think in systems

We are often looking to "master" specific areas through courses and conferences. Understanding specific areas is definitely useful but not as useful as being able to understand Security GRC as a fully (hopefully) functioning system.

Diving deep in something when you don't understand how it contributes to the whole piece is the best way to dig rabbit holes for a living.

What are systems anyway?

Systems are interconnected parts that interact with one another to deliver an outcome.

The role of an architect is to create systems that deliver business value, function properly, that are scalable and future proof and where all pieces perform their roles together while having enough autonomy/redundancy that the system won't fold if something breaks.

Ok, ok I get it but... What does GRC have to do with any of this? You've just described the role of a cloud/software architect, why should I care?

Business value

You deliver customer assurance, you help the business expand its market share and develop new opportunities. Reducing the attack surface overall also mitigates potential costs related to negative outcomes of a cyber attacks.

Function properly

Strong governance program ensuring security measures are enforced and stakeholders understand the current state of security.

Strong risk management practices ensuring you have proper discovery, assessment, triage and management of risks and that your risk register is usable and fit for purpose.

Strong Compliance and Assurance program ensuring internal audit and continuous control monitoring so that compliance is embedded into the engineering workflows.

Scalable and future proof

As the company grows, a strong Common Control Framework allows you to seamlessly add additional compliance programs.

Embedding Risk Management into the engineering and project management activities and through software allows strong cross-ownership and leverages strong automation capabilities

Performing roles together

GRC is all about stakeholders.

Working with Engineering, Legal, Sales, Operations, Auditors, Customers, etc. to achieve business outcomes is at the core of GRC's role.

Autonomy/Redundancy

Risk Management allows the business to understand its current exposure and the negative outcomes of bad scenarios.

Security Resilience, often managed by GRC, focuses on how the business can still function if unexpected events could undermine our ability to function.

Automated control testing and monitoring ensures any anomalies are quickly picked up and back-and-forth with engineers is down to a minimum.

What if I want a certification in the end?

Then you should go Cloud. ESPECIALLY if you are more junior.

If for instance you work on getting a AWS Certified Solutions Architect Associate certification and actually focus on learning and understanding how to architect solutions, then it would be worthwhile.

Why is this relevant? I'm just learning GRC right? Wrong.

Security GRC is a part of information security. The realm of what you should know to some extent is massive. Cloud native environments do a great job of abstracting some layers but you still have to understand a lot about software, compute, networking, storage, databases, web, DevOps, operating systems, etc.

If you focus on these areas through reading, labs, watching quick videos for specific topics you find more obscure, you'll quickly improve your understanding and believe me, this shows.

Reading is my preferred approach (I'm biased) as I think, in addition to well researched benefits of reading, the structure of a book is often very conducive to improving one's ability to think in systems.

Why books are important? What if I prefer videos?

In GRC, you have to read frameworks, control language, reports, root cause analysis and probably dozens of other critical material. Reading is already a central part of the job of someone in GRC.

Compared to for example a keynote, what a book does is organising a wealth of knowledge into a system that can be digested and working progressively on more advanced topics as the understanding of the reader expands. Tough to replicate in a keynote or even a 6 hour Youtube webinar.

I can probably name hundreds of relevant books. One good tip is to get an ACM membership which will get you access to O'Reilly catalog of books for a lot cheaper (probably under $10/month). I will work on specific book recommendations that focus on system's approach for GRC practitioners.

Small shameless plugs

The awesome-security-GRC repo has a lot of that fundamental knowledge necessary to have the right building blocks in the field, this newsletter might help as well :)

You can also check the Security GRC Demystified talk where I tried to present GRC in a more systematised way

Kind regards,