Imagine giving your car to someone who drives merely for pleasure, without consulting a map or having a specific destination in mind. In this scenario, fuel is burned, tires wear down, and the driver becomes increasingly fatigued.
Moreover, there's a risk that the driver might reach a point where returning becomes challenging. Why does this happen? It's because the driver lacks a map and a clear purpose for the journey. Their sole focus is on the enjoyment of driving itself.
Now, consider this scenario:
• The car represents an organization’s information security program.
• The driver symbolizes an InfoSec (Information Security) professional or an SME (Subject Matter Expert).
• The tires and fuel represent resources that are being wasted.
Coming from a technical background, I understand that technical professionals often enjoy just “playing” with technology. Their primary role, depending on their specific position, is to ensure the delivery of a functional service. And nobody likes “RTFM” (for my technical friends).
SMEs may be adept at navigating their domain's 'traffic laws', skillfully 'driving' their projects. But, are they consuming resources excessively and wearing out their “tires”? These are questions that a responsible car owner (organization) would typically ask.
GRC (Governance, Risk Management, and Compliance) is a function that assists other departments in achieving organizational goals.
GRC significantly elevates the capabilities of your “hobbyist” driver. It aids an SME in gaining a clear sense of direction and utilizing resources more efficiently.
You may ask how, and the answer is simple. GRC knows the answers to the following six questions:
Governance
• Why are we doing this?
• Who needs to do that?
Risk Management
• What is required?
• To what level should this be done?
Compliance
• How and when is this done?
• Is it done as expected?
In conclusion, the journey of an InfoSec professional within an organization can be likened to a driver navigating unknown roads. Without proper guidance and a clear sense of purpose, even the most skilled drivers can be lost, wasting valuable resources.
This is where GRC steps in as the indispensable GPS, providing the direction and ensuring that the journey is efficient, compliant, and aligned with the organization's overarching goals.
What are your thoughts on the GRC function? Would you agree that any organization building a cybersecurity program without a proper strategy for GRC is wasting resources?
Photo: Amsterdam, summer 2024