June 3, 2024

Redefining Security Reviews and GRC: A Multi-Dimensional Approach

Robust security reviews and Governance, Risk Management, and Compliance (GRC) practices are increasingly vital to business success. This is especially true in the current business ecosystem, where security, privacy and data related threats are ever increasing. In fact, 45% of experts say cyber incidents are the most feared cause of business interruption, surpassing natural disasters or energy concerns. However, only 35% of organizations embed security controls in all transformation initiatives from the beginning.

The responsibility of these practices doesn't solely rest on the shoulders of Compliance and Security teams. For Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), Chief Technology Officers (CTOs), and GRC professionals, it's essential to implement a  multi-team approach to enhance security and compliance.

The Current Landscape of Security Reviews

New technologies and digital platforms are continually being introduced, and with them come emerging security threats and regulatory compliance issues. With this rapid digital transformation, security and GRC must evolve at an unprecedented rate to keep up.

Traditionally, security reviews and GRC were seen as isolated functions – checkboxes that needed to be completed but were separate from wider business operations. This isolation can often result in organizations falling into a reactive posture, only addressing threats when it’s too late instead of proactively establishing preventative measures. This can be magnified in organizations that operate in silos, where communication and collaboration across departments might be limited. This creates gaps in the unified front needed to manage and mitigate risks effectively.

Redefining Security Reviews and GRC

Security and GRC aren't just tasks to be ticked off a list. It is crucial in today's complex business landscape – characterized by global connectivity, hybrid work models, and widespread use of cloud services – to align Security and GRC to business objectives. There's a growing need for unified strategies that mitigate risks, standardize best practices, and enhance inter-departmental collaboration.

But how can this integration be effectively achieved? It becomes essential to shift from a purely compliance-focused approach to a multi-dimensional, holistic approach that aligns with broader business goals in today's digital landscape. This shift is about more than just meeting standards. It's about proactively ensuring that customer data and information assets are secure.

With cyber risks, data breaches, and privacy concerns escalating, Customer Assurance is not just an added value, but a necessity. A robust security and GRC strategy, coupled with an enhanced Go-to-Market (GTM) function, is essential for addressing these evolving market dynamics. This holistic approach is vital for fostering a strong security and compliance culture, reducing risks, and gaining a competitive edge by boosting confidence among industry peers in a business environment that is increasingly focused on security.

For perspectives and approaches in risk management and security, listen to our podcast episodes featuring Clea Ostendorf (Code42), Matt Sharp (Xactly Corp) and Chris Cruz (Tanium).

Building a Strategic Approach to Security Reviews & GRC

In redefining security reviews and GRC, efforts need to extend beyond the domain of just IT, compliance, or security teams. Security and GRC are multi-dimensional, involving strategic leadership, HR and training, marketing, and product development.

A broader approach that considers every functional team’s role in maintaining security and compliance is needed. Let's look at some examples of organizations that have successfully integrated this multi-dimensional approach into their security and GRC practices.

1. Strategic Leadership: C-Suite's Role in Security and GRC

Example: Google's C-Suite Engagement in Security Practices

What is the best way to show people that you care about something? Show them that your entire leadership cares about it. In 2023, Google's CISO, Phil Venables, discussed the importance of C-suite involvement in security strategies at Google Cloud. He highlighted how this involvement is crucial for staying current with trends and prioritizing security, rather than treating it as an afterthought. Venables emphasized that regular discussions with security leaders help board members remain informed about the threats that impact their organization.

Google’s approach to security and GRC is a prime example of C-suite engagement in building B2B peer confidence. Involvement of company leadership fosters a culture of security within the organization, involving promoting awareness and responsibility for cybersecurity across all levels of the company.

2. HR and Training: Creating a Security-Conscious Workforce

Example: Deloitte's Security Awareness Programs

Human error accounts for more than half of security breaches. It’s crucial that your entire organization is trained on security best practices, but most people would rather avoid sitting through another security briefing.

In 2019, Deloitte launched an initiative to integrate security awareness into general training programs, designing them in a simplified way and aligning programs to organization culture rather than driving them in silos. These types of programs foster a culture where every employee contributes to the organization's overall security posture.

3. Marketing: Communicating a Strong Security Posture

Example: Cisco and Apple’s Security-Centered Marketing Communications

Marketing communications are probably not the first words that come to mind when you think of security and compliance. But, Cisco and Apple have notably been using marketing communications  to build confidence among industry peers, especially regarding their security posture.

Apple's marketing communications heavily emphasize their commitment to user privacy and security. This is evident in their advertising campaigns for features like user control over tracking preferences, privacy and physical device tracking. They use this messaging to reinforce their image as a privacy-centric brand.

Apple’s “iPhone 15 Face ID | Nice Try!” ad - emphasizing their commitment to data privacy.

Cisco on the other hand, approaches security-related branding with more subtlety. Cisco is known for its thought leadership and educational content in the cybersecurity space. The company leverages a variety of channels including blogs, white papers, webinars, and social media to communicate about security trends, best practices, and their own security solutions. This educational approach helps establish Cisco as a knowledgeable and trustworthy leader in the cybersecurity field.

4. Product Development: Prioritizing Security in Innovation

Example: Microsoft's Secure-by-Design Philosophy

Most businesses want to ensure that your solutions are delivered to them with a security-centric approach rather than as an afterthought. You’ll benefit from putting your money where your mouth is and incorporate security into a product early in its lifecycle. This includes the involvement of architects, developers, and designers who work on the initial feature design.

Microsoft’s Secure-by-Design philosophy brought  security enhancements, including built-in hardware-based isolation, encryption, and strong protection against malware. Essentially, they designed security into the products from software development (as with their Windows 11 operating system) to third parties (including Acer, Asus, Dell, HP, Lenovo, and Panasonic).

Foster a Culture of Security with Multi-team Approach

These examples underscore a critical realization: successful security reviews and GRC practices necessitate the participation of all teams within an organization. For CISOs, CIOs, CTOs, and GRC professionals, it is vital to adopt a comprehensive strategy that includes leadership, sales, HR, marketing, product development, customer support, and more. This holistic approach is crucial in fostering a robust culture of security and compliance. It not only helps in reducing risks but also provides a competitive edge by boosting confidence among industry peers in a business environment that is increasingly focused on security.

No items found.
No items found.
Raunak Chaudhari
Marketing Manager