
Governance, Risk and Compliance: The Current Context


The convergence of escalating cyber threats, intensified regulatory scrutiny, and high-profile legal actions has propelled Governance, Risk, and Compliance (GRC) to the forefront of organizational priorities. No longer a mere compliance function, GRC has evolved into a strategic imperative that underpins business resilience and sustainability.

  • Cybersecurity Threats: High-profile data breaches, such as those suffered by SolarWinds and Uber, and the legal action that followed, have highlighted the devastating consequences of inadequate risk management.
  • Heightened Regulatory Scrutiny: The SEC's recent actions, including stricter disclosure requirements for cyber incidents, have underscored the importance of robust GRC practices.
  • Legal Liability: CISOs and other cybersecurity leaders are increasingly held accountable for cybersecurity incidents, emphasizing the need for strong GRC frameworks that incorporate clearly defined cyber risk management processes.

Before diving into the specific incidents that have served as cautionary tales for businesses and made a focus on GRC necessary, let’s define the term itself.

What is GRC?

Governance, Risk, and Compliance (GRC) is a strategic approach to managing an organization's operations while meeting compliance requirements and minimizing risk that can impact mission-critical activities. It involves a structured framework for defining policies and processes (Governance), identifying and mitigating risks (Risk Management), and ensuring adherence to laws, regulations, and internal standards (Compliance).

The acronym GRC was first used by Forrester Research analyst Michael Rasmussen in 2002. He defined it as a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.

Legal Action Against SolarWinds and Uber Following Data Breaches

The SolarWinds supply chain attack (2020), the Uber data breach (2016) and other high-profile data breaches in the recent past have had profound implications for the cybersecurity industry. The legal repercussions of these incidents led to significant shifts in regulatory, organizational, and technological landscapes, and brought GRC into the spotlight.

SolarWinds

  • SEC Charges: In the aftermath of the massive "Sunburst" supply chain attack in 2020 that compromised numerous government and private organizations, the Securities and Exchange Commission (SEC) filed charges in 2023 against SolarWinds and its former CISO, Tim Brown. The SEC alleged that the company deliberately downplayed or failed to disclose cyber risks while overstating its security practices.
  • Allegations of Misleading Investors: The SEC contended that SolarWinds made incomplete disclosures about the cyberattack, depriving investors of crucial information about the company's cybersecurity posture.

Uber

  • Criminal Conviction of Former CSO: Uber's former Chief Security Officer, Joseph Sullivan, was found guilty of obstruction of justice and misprision of a felony for covering up a massive data breach in 2016.
  • Cover-up of Data Theft: It was alleged that Sullivan attempted to conceal the incident by disguising a ransom payment as a bug bounty.
  • Importance of Timely Disclosure: The case highlighted the critical importance of promptly disclosing data breaches to affected individuals.

These cases underscore the severe legal consequences for companies that fall victim to cyber-attacks and are unable to manage risk in a transparent and structured manner, both before and after the breach. CISOs and other security leaders face increasing personal liability for security inadequacies and failures.

Implications of the SolarWinds and Uber Cases on the Cybersecurity Industry

The biggest lesson for cybersecurity professionals is to create strong connections between governance, risk management and compliance activities, so that each of the three components informs the other two. Some of the language in the legal action that followed these breaches referred to inconsistent communication and messaging, both internally and externally, with SEC filings going out without being vetted by cyber leaders. It is absolutely essential for business and cyber leaders to communicate with each other and to have visibility into each other’s domains.

The organization’s business objectives need to inform risk management; and cyber risks and compliance requirements in turn need to inform strategic business planning. Without creating strong links between the three, businesses run the risk of noncompliance and legal action following breaches.

Regulatory Changes

  • Increased Scrutiny: Regulatory bodies worldwide are intensifying their oversight of cybersecurity practices. This includes more stringent reporting requirements, stricter penalties for non-compliance, and increased focus on supply chain security.
  • Data Privacy Laws: The importance of robust data protection measures has been highlighted, leading to the strengthening of data privacy laws and regulations like GDPR and CCPA.
  • Cybersecurity Frameworks: The adoption of cybersecurity frameworks like the NIST Cybersecurity Framework and the CIS Controls has become more prevalent across verticals. This year, both frameworks were updated to add a cross-cutting Govern function to the five core functions included in earlier versions (Identify, Protect, Detect, Respond, Recover).

Organizational Shifts

  • CISO Role Elevation: The role of the Chief Information Security Officer (CISO) has become more strategic and influential. CISOs are now expected to be deeply involved in business decision-making and risk management.
  • Increased Security Investments: Organizations are allocating more budget to cybersecurity initiatives, including advanced threat detection, incident response, and employee training.
  • Supply Chain Risk Management: Companies are focusing on assessing and managing risks associated with their supply chain to prevent incidents like the SolarWinds attack.

Technological Advancements

  • Threat Detection and Response: Investments in advanced threat detection technologies, such as artificial intelligence and machine learning, have accelerated to improve incident response capabilities.
  • Zero Trust Architecture: The adoption of zero-trust security models has gained momentum as organizations seek to strengthen their security posture.
  • Identity and Access Management: Improved identity and access management practices are being implemented to protect sensitive data and systems.

The “Govern” Function in NIST CSF 2.0 and CIS Critical Controls 8.1

The importance of an integrated approach to GRC activities is further reflected in changes to the NIST Cybersecurity Framework and the CIS Critical Controls this year. Both cybersecurity frameworks have now added a “Govern” function to their core functions (which previously included Identify, Protect, Detect, Respond and Recover).

NIST CSF 2.0

In version 1.1 of the NIST CSF, governance-related activities were included under the “Identify” function. By placing these activities under a new, cross-cutting Govern function in version 2.0, NIST elevates the importance of aligning cybersecurity risk with enterprise risk. The Govern function includes action categories for establishing and monitoring cyber risk strategy, expectations, and policy. The strategic direction set under it informs the implementation of the five other functions. Within the Govern function, NIST lists the following main categories: Organizational Context; Risk Management Strategy; Cybersecurity Supply Chain Risk Management; Roles, Responsibilities, and Authorities; Policies, Processes, and Procedures; and Oversight.

CIS Critical Controls 8.1

The latest version 8.1 of the CIS Controls, too, added a Govern function to the other five. The addition of Governance as a core component will enable users to identify the essential policies, procedures, and processes needed to safeguard their assets. To support the Govern function, CIS also added the asset type “Documentation”, which includes Plans, Policies, Processes and Procedures. This will provide organizations with the evidence required to demonstrate compliance with industry standards.

Simplifying GRC with Frameworks and Tools

Implementing GRC initiatives in a streamlined manner can be difficult because of the multiple interoperating domains and the specialized nature of some of the activities. Cybersecurity initiatives and legal operations are specialized functions that each need domain expertise. Furthermore, tying everything together in a way that ensures every activity is designed with the end goal of meeting business objectives is complex.

  • Leveraging Frameworks: To make this process smoother, organizations can leverage ready-made frameworks like the NIST Cybersecurity Framework or the CIS Critical Controls discussed above. These frameworks provide a structured, cyber-focused approach to managing GRC activities, and can be customized based on specific business needs.
  • GRC Tools and Technology: Another way to simplify GRC is to use a tool that can automate and streamline various aspects of the process, such as risk assessment, compliance tracking, inter-departmental collaboration, and reporting. By offering a centralized platform for various GRC functions, these tools significantly enhance efficiency and effectiveness.

While GRC tools offer immense benefits, it's essential to remember that they are not a standalone solution. Human judgment, expertise, and ethical considerations remain indispensable in navigating complex GRC challenges.

How CYRISMA can Help

The CYRISMA Cyber Risk Management Platform brings together essential risk management and compliance assessment capabilities in a single SaaS ecosystem. Developed for MSPs and MSSPs looking to reduce risk for customers in a holistic, measurable and cost-effective manner, CYRISMA makes GRC simpler by providing all-round visibility into both cyber risk and evolving compliance needs.

Platform features include internal, external, agentless and agent-based vulnerability scans, patching for Windows-based third-party apps, sensitive data discovery in both on-prem and cloud environments, dark web monitoring, secure configuration scanning, compliance tracking and assessment, and much more. With CYRISMA, you can not only run scans to discover, assess and mitigate risk, but also track and assess compliance with multiple frameworks (CIS Critical Controls, NIST CSF, HIPAA, PCI DSS, Essential Eight, Cyber Essentials, Microsoft Copilot Readiness, and more). All features and future updates are included in the standard pricing.


Blog courtesy of CYRISMA. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more CYRISMA news and blogs here.