G before RC

The order of the letters in “GRC” is not arbitrary. If you don’t Govern your environment well, you cannot manage Risk and Compliance well.

It doesn’t mean that governance is more important, but it does mean that it is an enabler for managing risk and compliance effectively.

There’s a reason NIST has added a Governance pillar to v2 of its Cybersecurity Framework. Hands down, when I work with an organisation that is struggling to manage risk and/or compliance, the most common cause is inadequate technical governance.

This is particularly true in the cloud environment. Most large companies have multiple business units, often with their own development and engineering teams, and these roll up to different leaders and budgets. There is often no effective governance mechanism (strategic, architectural, or operational) which extends across them all.

Consequently, the cloud environment is a fractured wild west show, where disparate corporate cultures, operational approaches, security priorities, and risk management methodologies converge and collide. The engineers and architects get caught in the middle—between the leadership above, unwilling to extend the required governance mechanisms (with teeth) across these business verticals—and the relentless upward drive from the business beneath, where the adoption of cloud outpaces the security organisation’s ability to keep up.

In my experience working with companies in the midst of digital transformation programmes, change often fails (i.e. risk is not adequately managed, and/or the right kind of value is not created) not because they have the wrong tech, but because they cannot, or will not, prioritise effective governance. Maybe you’ve heard this one before: “We set up the platform. It’s up to the application owners to ensure that it is run in a secure and compliant way.”

It sounds sensible, except that the fallout from a compromise isn’t contained within the sphere of a single application or business unit. It affects the entire organisation. Without a parallel commitment to ensuring effective technical governance, devolution is dangerous.

Unless the application owner or business unit owns the risk and impact of a compromise—which means they are the ones standing in front of the cameras when the s*** hits the fan—then the organisation must retain the ability to govern the most critical technical and security controls centrally.
