Chief enablers or compliance gatekeepers?

Compliance vs. Security?

Security doers vs. security paper pushers?

What if instead of managing those risks we start fixing them?

You can't be secure without being compliant vs. you can be compliant without being secure?

What good would a steering committee do us? We have holes everywhere to fix! Less talking, more doing.

Being ISO compliant does not mean you're secured, look at XXX company who got breached, they were compliant.

Security has been in the forefront for a decade or so.

Security GRC might have emerged some time ago, but has gained traction for the past couple of years only.

Ask legal what your job is. Ask HR what your job is. Ask Engineering Management what your job is. Ask Finance what your job is. Ask executives what your job is (asking for more budget?).

Everyone has a partial picture of your job, no one knows everything you're responsible for and for what you are accountable. Your job is to tell them.

This is where Security GRC shines.

Engineers love solving problems, designing, architecting solutions, implementing fixes, corrections and enhancements to improve the overall security posture of the company. Let me ask a couple of questions though:

  • How can our external customers trust our security posture without an independent assurance level? (compliance?)
  • How can our internal customers understand if we're more prepared to face attacks and protect our crown jewels? (governance?)
  • How can we, in security, show that we are making the right decisions based on our collective understanding and prioritising the right programs/initiatives? (risk management, anyone?)

Thinking of GRC as gatekeepers and paper pushers is short-sighted. They are often the closest to the other areas of the business. A lot of them have come from varied and diverse backgrounds, which helps in building a wide net of relationships.

This should be treasured and built upon instead of seen as a profanation against the purity of information security/computer security/cybersecurity/etc.

Chief Enablers?

Security GRC plays a lot of roles for security overall but its main goal is to enable security to thrive in the company.

Of course GRC has to change for this. Not enough emphasis is put on understanding the specific layout of the infrastructure of the company and its architecture. So engineers can sometimes see GRC as just looking to fill spreadsheets and point out vague and sometimes irrelevant issues based on compliance standards.

This translation exercise from the standard to the specifics of the business has to be done by Security GRC. For it to be performed, you need to understand in-depth how the business works and how business value is delivered to customers from a functional and technical standpoint.

Then and only then will we be the chief enablers we have to be for our companies and our customers.

Regards,

Randall Frietzsche

CISO | ISSA Hall of Fame | CTA CISO of the Year | Sheepdog

2 years

I don't agree that fixing issues solves risk management. Risk management is the process of identifying issues. So how can you identify issues without doing risk management? Once you've identified them, then you can work to mitigate or create exceptions.

Sonali Mendiratta

Senior Cyber Security Specialist, MEng. | CISA | CRISC | Security+ | AWS Cloud Practitioner. New Grads Mentor | Women in Tech Promoter.

2 years

This is very well expressed. GRC teams must have a comprehensive understanding of business; that’s essential to drive a change in culture rather than just pointing out the risks.

Aboud. Fofana, M.Adm

CISSP, CISM, CISA, aC|CISO, ITIL | Cybersecurity Advisor

2 years

Well said. Nice!

Brian Septon

Septon Strategies | Pension Actuarial and Benefits Administration Consulting

2 years

Looks great - just subscribed!
