GRC and the Importance of Cybersecurity Framework

By Dave Trader, Field CISO | USMC Veteran | FBI CISO Academy, Presidio

Technology is complex. Cybersecurity compounds that complexity. An important way we find common ground is through frameworks. Frameworks provide a language that IT professionals understand and help align teams around a common baseline. Instead of throwing everything at a dartboard and hoping something sticks, frameworks provide a concrete starting point for organizations looking to bolster their cybersecurity strategy.

Governance, Risk, and Compliance (GRC) is typically the area we focus on to establish the set of cybersecurity controls an organization chooses to adopt. Being familiar with frameworks such as CIS18, NIST-CSF, NIST 800-53, NIST 800-171, CMMC, or ISO27001 in the context of security allows us to quickly gain an understanding of progress or maturity in any given environment.

Alignment to any given framework is a journey. We should approach GRC with the mindset that once a particular framework is selected, the work of staying within that framework is continuous. Frameworks are not certifications: there is no magic wand that automatically makes you certified. Rather, frameworks are ever-changing, requiring continuous integration, verification, and validation from the organizations managing cyber risk.

The controls associated with any given framework provide a template for best practice. They offer a common language that represents approaches proven to make networks more secure. In doing so, organizations make strides to better protect their networks from attack.

NIST-CSF is a common framework that covers five categories: Identify, Detect, Protect, Respond, Recover. Each of these categories contains a subset of controls. It is a lifecycle approach and is meant to be continuous. For many organizations, NIST-CSF represents a baseline framework to strive towards. It is important to note that not every organization will be at the same starting point for reaching this baseline. For instance, one company might carry a greater level of risk than another, or might have existing policies in place whose oversight suffered amid staff turnover during the Great Resignation.

Regardless of starting point, at Presidio our team believes that it’s important to develop a flexible approach to align with this framework. In our view, this means working with organizations to understand their environment and the gaps that might exist in their current cybersecurity strategy. Once we have this understanding, we can help prioritize controls based on both budget and time. While the strategies used to reach these controls might vary based on numerous organizational factors, the solutions will all circle back to the requirements needed to meet the standard framework of NIST-CSF.

Another useful benefit of frameworks for GRC is cyber insurance. Cybersecurity attacks are on the rise, with one report finding that cyber incidents increased 47 percent in the first half of 2021 alone. As more organizations fall victim to attacks, the insurance industry has begun to get more stringent on cyber policies. In fact, the ACA has found that the supply of cyber insurance policies has dwindled as insurance providers become more selective with their policies. In reviewing standards that should be implemented to prevent attacks, many insurance companies have also looked to GRC for assistance. In most cases, the minimum framework requirement will be the controls associated with CIS18 or NIST-CSF. This will allow those insurance companies to assign premiums based on progress or verifiable controls. Absent these controls, premiums could be incredibly high to maintain the policy, or an organization could even be uninsurable. By having the right controls in place and meeting the requirements set out by insurance providers, organizations can potentially limit the devastating financial impact of a cybersecurity attack.

GRC also plays a role within Incident Response, as there are regulatory agencies that must be notified in a timely manner. There are penalties for failing to inform those agencies, and knowing which rules your organization must follow is the organization's own responsibility. In times of crisis, GRC serves as a guide for organizations, ensuring that the necessary reporting steps are taken in a timely manner.

As we continue to see losses associated with attacks, we will continue to see increased cybersecurity regulation. Stricter guidelines will be set out for organizations in every vertical, and every organization will be required to have a robust cybersecurity strategy. This will require fast action on the part of companies and organizations that have been reluctant to invest in protecting their networks.

GRC and frameworks like NIST-CSF allow us all to rally under a common goal in a standardized manner, and I hope that organizations will adopt these best practices so that all of us can stop cyber adversaries.
