Day in the Life of a GRC Professional

This lecture demystifies what GRC (Governance, Risk, and Compliance) really means in practice and why it's a critical function in modern cybersecurity.

In this lecture, you'll learn:

  • A clear breakdown of each GRC component: Governance (organizational structure and security decision-making), Risk (identifying and managing information security threats), and Compliance (meeting regulatory requirements)
  • How the NIST Cybersecurity Framework connects to GRC with its five core functions: Identify, Protect, Detect, Respond, and Recover
  • Why GRC is vital to organizations through real-world examples and business impact
  • Common misconceptions about GRC work, including that it's "just paperwork" or "boring"
  • How GRC fits within the overall cybersecurity organization and interacts with other security functions

This lecture provides the foundational knowledge you need to understand GRC's value and purpose. By using practical examples and analogies (like home security), complex security concepts are made accessible. You'll gain insight into how GRC professionals balance security with business needs and why this role serves as the "brain" of information security operations.

EVEN MORE DAY IN THE LIFE INSIGHTS!

So you want to work in GRC in 2025? WATCH THIS NOW!: https://youtu.be/BwjqbcOf8JQ?si=c89_sdOQQMxDg2iL



TRANSCRIPTION

Introduction to GRC (Governance, Risk, and Compliance)

Introduction

All right, let's get cooking. Right.

Welcome to the first section where we're going to absolutely demystify what GRC really means in practice. Okay.

So first of all, let's do this and get you going.

This is GRC, right.

Well, welcome. Class complete right now. I'm joking.

GRC stands for governance, risk and compliance.

It's just an acronym. I wish it was cooler, but it's not. It's just an acronym. Okay.

What does it actually look like? So first of all, let's break it down.

Governance

Governance.

This is about leadership and organizational structure. It's how decisions are made about cybersecurity. Who has the authority to make those decisions and how organizations ensure that security most importantly aligns with business objectives. Right.

So in practice this includes like developing policies and standards and procedures that guide the organization's security posture. So the way you should think about this is governance is like the rules of the business.

Right.

So like when you were growing up, or maybe you're a parent now, right? You're like, this is my house, my rules. You'll be home before dark, or we eat dinner around six, or, you know, we don't kennel our dogs, or whatever the rules are of your house. That's what policy is for a business. Right? And GRC in the cybersecurity space, since we're concerned about confidentiality, integrity and availability of data, systems, applications and personnel. Right.

We want to make sure that the business continues to make money, but do it in a secure way. And that's why we have policies and standards. So to give you an example, to make this more concrete, right. A common one is you log in to your computer, right.

To do work.

Well, how long is the password? Right.

Do you even need a password? That's a policy decision. Somebody in cybersecurity, or IT maybe, said, listen, we can't just let everybody walk up and start using systems. We're going to have to have a username and password, like email. You got to log in.

Okay.

Now another decision or standard governance would say, hey, you need multi-factor authentication for your email. We've looked at it. It's really sensitive.

A lot of bad guys get into email and start doing shenanigans. So we're going to have to make it harder for people to log in to their email, because it's going to make it harder for bad guys to log in to their email. This is a standard. This is, you know, how things go.

And this is why GRC is involved with this governance.

Right.

And remember, you can't just apply all the controls. You can't make it like quintuple authentication, factors like you got to log in, take a blood sample, do a hair swab, like get a six digit pin biometric, like it's not all that. Right? That would be really secure.

But nobody in the business would like it. Everybody would flip out. Right.

So this is the balance in why GRC is important and why we have a seat at the table.

Governance is also about interfacing with the business, right? The business leaders, application owners, system owners, the executive team, they don't want to go talk to all of the different infosec people at the office. They want to talk to one person or one group of people, and that's the GRC office.

This is why the CISO or the person who's in charge of information security is considered a GRC person or in GRC. Okay.

So governance establishes the framework and direction of where the program's going.

Right. And I'll talk a minute. You can see this graphic right here.

That is the NIST Cybersecurity Framework.

Chef's kiss.

It's like undeniably my favorite information security framework. I swear to God, I know it sounds crazy to have a favorite. This baby is, it's. I'm looking at you right now.

Off the camera.

It's right over there, and it's so good. Okay, listen, that's what governance does.

Risk management provides the information needed to make good decisions, and compliance ensures that those decisions do, in fact, meet the required sets that you have. So let's talk really quick.

Before I go on to the next slide here about this cybersecurity framework.

So really quick, you see the outside edge, starting at the blue and working our way around: identify, protect, detect, respond, recover. Really, they go around, but really they should be kind of like a bar chart. And I'll start over here. Right.

It's identify and protect. Those you should think of as things you can do before bad happens in your environment, before an active compromise happens or an intrusion, or someone detonates malware or whatever. And then detect, respond, recover is what you do after bad happens. So we oftentimes use the terms left of boom for before bad happens and right of boom for after bad happens. These are the phases that we think of when we think of an information security program.

Right.

So, identify and protect. Identify is like, what systems do we have here? Who works here? What's important?

What applications like getting our arms around it. Because if we don't know about things we can't secure them. So first things first we got to know what's going on.

As a parallel, imagine, if you will, you are going to clean a house, right? You're going to show up and clean a house. You would want to know, how many rooms are there? What's the condition of the house? Am I going to be cleaning bathrooms? Because you would be bringing different types of cleaners if you were going to clean a bathroom versus, you know, a living room or something like that, right? Are there hard to reach places? Do I need to bring a ladder? Okay. So the identify is important.

So you make sure that you have all the right tools, or else you're going to miss something. And that's actually bad, because that's actually going to reduce some real risk.

The protect this is the one most people think of. This is where you're putting controls in place. It's things that you set up before bad happens. Okay.

Again, I like to use parallels, but think of, like your own home. Right.

So if you were going to identify all the entry points into your home, you've got windows, you've got the chimney, you've got the front door, the back door, maybe a bulkhead, right? And you're like, oh, well, who would go through my chimney? My chimney doesn't, you know, whatever. Well, guess what? It's probably a very low risk that someone enters your house through the chimney, but not impossible, right? Maybe they send down a little drone, something small they can get through there, and then they fly the drone over and they, like, smash it through a window or, like, do recon or.

Anyways, the protect in this little metaphor would be like putting door locks on your house, right? Single door lock, single factor. Imagine if you had to turn your door lock with a key and then put your thumb on a thumbprint scanner. That's multi-factor authentication, right? Maybe the windows on the first floor, you double-pane them, right? And you put sensors on that go off if they break.

But on the second floor, you don't put them because the chances of someone punching through the second floor window is pretty low, right? It's a lower risk than the first floor. Now you're beginning to see where we're talking about making those risk based decisions.

I just did an example right there on the fly. Let's say it costs $1,000 for a double-pane window that alerts you via text message if it breaks. And a regular window costs $100. Well, that's 10x as expensive.

So you don't want to put those really expensive windows on all of the house, because you want to have more money left over to put other controls and other, you know, security in other places, like a closed circuit TV system or maybe like a bear trap or something, I don't know. My point is, this is a risk based decision.

The likelihood of someone breaking into the first floor is high.

Someone breaking into the window on the second floor?

It can happen, but it's lower.

Okay, so you can spend your money more wisely. Now detect. Respond, recover.

This is like knowing that an active compromise has happened. Again, like I mentioned, you bust through the window on the first floor.

You get notified via text message. Hey, someone's broken in.

Or you get a motion sensor on a camera and it notifies you, hey, like, your camera just detected motion. This is detection. This happens a lot of times.

Say a threat actor logs into your environment or detonates malware or something like that. If you don't have detection, you don't know what's happening. So even if they get around some of your controls from the protect phase, you need to know that they got in there. Once you know, then you have to respond.

You got to do something about it, right? That's where these controls end. And then recover is like, you know, restoring from backups and stuff like that, all of that. You'll see the governance in the middle.

All of that requires governance.

Again, all of those things cost money to do. They take human resources and time to do. Some of them are more effective than others. How do you choose? Again, this is an introduction foundation for GRC, but I hope just from this brief lecture that I've just given you right here, you can appreciate like how impactful and how awesome GRC can be.

All right. So that's just slide one. Let's go to slide two. All right.

Why is GRC important right.

It's critical, guys. The stakes are really high, really high. You can see I've got a picture there of the 2024 Data Breach Investigations Report from Verizon. They put out a great report every year capturing all sorts of telemetry and insights into the current threat environment. Data breaches, guys, they cost millions of dollars.

There can be regulatory fines. There can be reputational damage. Businesses can go out of business.

It doesn't happen all the time, but it can happen, right? One report had that an average data breach could cost up to $4 million for a business between, you know, ransom and notifying victims and all these other things. So they do range in price, but we're talking about, if you could spend $10,000 on a control, right. Let's say you buy a $30,000 firewall, and it could potentially stop a multi-million dollar data breach.

That seems like a good investment, right? Also, it's not just about avoiding bad outcomes, right? That's normally what we think of. But there's more to GRC.

That's pretty good.

Risk

Now the second one, risk: risk management, dealing with cyber risk.

This focuses on identifying and assessing and then prioritizing risk to the information assets, like software, hardware, you know, critical data, employee records, secret formulas, whatever. Right.

So understanding what threats exist, what vulnerabilities and weaknesses you might have in your environment, and what the potential impact would be if something went wrong. Right.

So it's important to point out, it's like making informed decisions on how to address those risks. And I said it in the intro of the course that risk is where you get that sweet, sweet cash.

Let me explain why with risk, right.

You're not going to be able to spend infinite money, right? Like, let's say a business makes $1 million, to make the number even. They're not going to give you $1 million to secure the business. Right? That would be stupid. They'd be spending all their money.

They'd be a nonprofit. Right.

So let's say they go, all right, listen, Jerry, you get $20,000 to secure our business. How do you spend that money? This is another thing with GRC.

And this is why risk makes all that cash: because you need to say, listen, we can't do a lot with 20 grand, but the most important things that we can do, that give us the biggest risk reduction for the highest value, are these things: putting multi-factor authentication in place, buying licenses for anti-malware for all the endpoints, educating our end users. Right.

Again, it's all about, you're never going to get rid of all risk, okay.

So, like, accept that as a fact.

You will always have some risk. Choosing which risk you have,

that is a GRC decision.

You can help with better business decisions, making better choices with investments based on risk, right? Which is kind of where the whole risk thing comes in.

And again, why you make so much money with that particular phase. Right.
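The risk-based budgeting described here (a fixed $20,000 and the three controls the lecture names), as an added worked example that is not part of the lecture: a small risk register that computes annualized loss expectancy, ranks controls by risk reduction per dollar, and picks the best affordable set of controls. Every scenario likelihood, impact, control cost and reduction fraction below is a constructed assumption, as is the firewall control added for contrast.

```python
"""Risk-based control selection: buy the most risk reduction for a fixed budget.
All numbers are constructed for illustration, not figures from the lecture."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # expected occurrences per year (constructed)
    impact: float      # loss in dollars if it occurs (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # (scenario name, fraction of that scenario's likelihood removed);
    # reductions from different controls are assumed to be independent.
    reductions: tuple


# Constructed threat scenarios for a small business.
SCENARIOS = (
    Scenario("email account takeover", 0.40, 250_000),
    Scenario("ransomware via endpoint malware", 0.20, 1_000_000),
    Scenario("phishing-led wire fraud", 0.15, 400_000),
)

# The three controls the lecture names plus a firewall that does not fit the
# $20,000 budget; costs and reduction fractions are constructed.
CONTROLS = (
    Control("MFA for email", 6_000,
            (("email account takeover", 0.90), ("phishing-led wire fraud", 0.30))),
    Control("anti-malware on all endpoints", 8_000,
            (("ransomware via endpoint malware", 0.70),)),
    Control("user security awareness", 5_000,
            (("email account takeover", 0.30), ("ransomware via endpoint malware", 0.20),
             ("phishing-led wire fraud", 0.50))),
    Control("next-gen firewall", 30_000,
            (("ransomware via endpoint malware", 0.40), ("email account takeover", 0.10))),
)


def residual_ale(scenarios, controls) -> float:
    """Total expected annual loss left after applying `controls`."""
    total = 0.0
    for s in scenarios:
        likelihood = s.likelihood
        for c in controls:
            for name, fraction in c.reductions:
                if name == s.name:
                    likelihood *= 1.0 - fraction
        total += likelihood * s.impact
    return total


def risk_reduction(scenarios, controls) -> float:
    """Dollars of annual expected loss removed by `controls`."""
    return residual_ale(scenarios, ()) - residual_ale(scenarios, controls)


def rank_by_reduction_per_dollar(scenarios, controls):
    """Best-value controls first: ALE reduction bought per dollar of cost."""
    scored = [(c.name, risk_reduction(scenarios, (c,)) / c.cost) for c in controls]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def best_portfolio(scenarios, controls, budget):
    """Exhaustively pick the affordable subset with the largest reduction."""
    best = ((), 0.0, 0.0)
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.cost for c in subset)
            if cost > budget:
                continue
            reduction = risk_reduction(scenarios, subset)
            if reduction > best[1] or (reduction == best[1] and cost < best[2]):
                best = (tuple(sorted(c.name for c in subset)), reduction, cost)
    return best


if __name__ == "__main__":
    print(f"baseline ALE: ${residual_ale(SCENARIOS, ()):,.0f}")
    for name, per_dollar in rank_by_reduction_per_dollar(SCENARIOS, CONTROLS):
        print(f"  {name:32s} ${per_dollar:5.1f} of risk reduced per $1")
    names, reduction, cost = best_portfolio(SCENARIOS, CONTROLS, budget=20_000)
    print(f"best $20,000 portfolio: {names} reduces ${reduction:,.0f} for ${cost:,.0f}")
    print(f"residual risk: ${residual_ale(SCENARIOS, ()) - reduction:,.0f} remains")
```

The residual figure is the point the lecture makes: even the best affordable portfolio leaves risk on the table, and choosing which risk stays is the GRC decision.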

You can improve trust with partners. Say someone wants to do business with you or acquire you, right? And they're like, well, what's your security posture? Like, if you have a tight program in place, you can just send them a snapshot and be like, here's where we are. This is what it looks like.

If you're a complete yard sale, you might not be a desirable target, or the acquisition might be a lower cost. Right? Dude, I've been in a business before where we acquired a business, and when we merged our networks together, they were actively compromised. And as soon as we merged their networks, the malware started banging on the door, the proverbial firewall door that we had set up just in case.

Thank goodness. So you got to be careful with that.

You can consolidate compliance. If you're trying to comply with, like, a bunch of different frameworks and a bunch of different regulatory things, by having a program that's in place and governance around it, you can just say like, oh yeah, like, no problem. I can show you how we are with PCI.

I can show you how we are with HIPAA, etc. And, you know, there's so much more. You can get competitive advantages in security-conscious markets. You can, you know, just have faster audits if you have regulatory requirements for audits and stuff like that. So it's just, it's cool.

GRC is important.

Okay.

Now, GRC professionals can serve as connective tissue between the technical team and the business team and help basically translate technical execution into business objectives. Right.

So, I'll give you a perfect example. The engineers at a company I worked at wanted to work on the weekends. The business loved it. Right. Oh, hey.

Free labor. Let's go set them up.

Well, they needed to remote into the business to do work, and they picked some solution that they found, which was not secure at all. It was actually quite gross.

Now, you might think, oh, like, the answer is they have to come to work. Well, that's not going to fly. They're not going to drive in.

And the business wants them working for free, if they want to work for free. So it became incumbent on me to talk to the technical team to figure out what their needs were, then understand the business's tolerance for them working remotely. And then I found a security solution that allowed remote access that was quite effective. And, you know, we implemented that.

Okay. So that's what's up.

Now let's talk a little bit about misconceptions. Right? A lot of people have assumptions on what GRC is.

Let's dispel those right now. Number one: GRC is only paperwork.

Hey nerd. Like nice clipboard.

Well, there is a lot of paperwork in GRC, but it's not exclusively that. GRC is dynamic.

It is strategic.

It does involve a lot of critical thinking, problem solving, a lot of collaboration across departments. I'm talking to general counsel.

I'm talking to HR, I'm talking to the engineering team, the developers, the frontline workforce, the finance department. You know, you got to talk to them, dude. Threat actors want to get that sweet, sweet cash, right? They want to rob businesses. Easiest way to do that is go right to the CFO.

So we got to talk to all of them. It is way more than paperwork.

Today's GRC professionals are using tools for continuous monitoring and automation for vulnerability management. You do get your hands dirty, so don't just think that you're wearing a pocket protector, walking around, pushing your glasses up, talking about paperwork. We're not talking about paperwork. Okay, another misconception.

You need to be a technical expert.

Okay? Now, technical knowledge is really valuable, and you will need to get some. GRC professionals can excel without being a, you know, computer science graduate because of their communication skills, their business acumen, and their ability to translate between technical and non-technical stakeholders. Right.

Your background in IT security, compliance, or even business can be leveraged to be effective at GRC. So we see a lot of people who transition out of whatever field they're in into cybersecurity, and they do well because of the existing skills they picked up in their other career around communication and empathy and these types of, you know, business understandings. Right? So again, you will need to get technical chops, because you need to be able to, like, help understand risk and choose where to spend money and what gives the biggest risk reduction and stuff like that.

But you don't need to be an engineer.

You don't need to be able to sit down and program and stuff like that. So that is a bit of a misconception.

Another misconception, this one, this one hits a little deep. Okay. This one, this one hits a little deep.

I might need to take a moment with this one. Okay.

GRC is boring, right? I gotta tell you, for many professionals, GRC offers intellectual challenges, variety, the satisfaction of seeing how your work can actually directly impact the organization's success, and you get to engage with, like, pretty much every department. You're like the face of information security. You get to tackle problems because you're the face. When the workforce has issues, they typically call you. So you get to see all sorts of really interesting, unusual challenges as well.

So, it is not boring, I promise you.

The cool thing is, you can work 9 to 5, right? If that's boring, then sure, call me boring. But when there's an active incident on Christmas Day, they don't call the people. They call the incident response team or the SecOps people. Or, you know.

So, not to make light of that.

It sucks that they have to go in, but GRC people, we would just get in the way. Like, our work is to identify and protect and help set up the SecOps team to be successful during compromises, but not to be there when they are. All right, let's keep going.

So, how does GRC fit in the overall cybersecurity office? Okay.

Well I got a little graphic here.

I made it, you can see here the CISO is at the top and then on the left is GRC director.

And then we have a SOC manager and security technologies. Right.

And under that I have like firewall engineers, mobile device management. That's MDM, like managing the mobile phones. The SOC are the people who are security operations. They're like watching for bad to happen in real time. They respond to those incidents.

On your GRC.

We have things like vulnerability management. We have risk analysts.

Security awareness, interfacing with third parties, stuff like that, interfacing into the business.

That's what those do. All right.

So, and you can see here, like security operations, they are like the engineers. They're actively working on defending systems. There are security architecture people.

They're providing the structure and the design of, like, how things will interface with existing technologies and sunsetting things and stuff like that. You should think of GRC as, like, the brain, kind of the nervous system,

of an information security office, like directing activities, processing information, understanding what's coming in from, like, third parties and new business ventures, what's going out, like data going out to third parties and stuff like that. So you got to introduce data governance, right? A good example of that is, think of, like, a pharmaceutical company that does collaborative research with a university, like a research university or something like that. If you're sending your data out to the research university in order to do things, or the pharmaceutical company is going to use some cool AI SaaS product to do things, well, the data you send out, like, you're not in control of it anymore. It's in control of that company that's processing it or doing the AI thing on it or whatever.

So it's still your data, though, right? So this is another thing that GRC is going to be thinking about. GRC, as I said multiple times now, connects technical objectives or technical activities with business objectives, and really ensures that security and security efforts align with the overall business, organization structure and strategic objectives.

Right.

Again, this is kind of unfortunate, but really, information security is a cost center, which basically means we do not make money for the business. We cost money for the business, which is why we have to beg, borrow and steal in order to get funding for our initiatives. Which again is why
