Special From CYRISMA
Heightened Focus on GRC – The Driving Factors
There has been an increased focus on Governance, Risk and Compliance (GRC) in the cybersecurity community this year. The convergence of three factors in particular seems to be driving this: escalating cyber threats, intensified regulatory scrutiny, and serious legal actions following high-profile breaches.
Cyber-attacks, such as those suffered by SolarWinds (2020) and Uber (2016), and the legal action that followed, have highlighted the devastating consequences of inadequate risk management.
The Securities and Exchange Commission’s (SEC’s) actions to tighten disclosure requirements and recent proceedings against cybersecurity leaders have propelled organizations across verticals into adopting a structured approach to GRC.
Legal Action Against SolarWinds and Uber Following Security Breaches
SolarWinds
In 2023, in the aftermath of the massive "Sunburst" supply chain attack of 2020 that compromised numerous government and private organizations, the SEC filed charges against SolarWinds and its former CISO, Tim Brown. The SEC alleged that the company deliberately downplayed or failed to disclose cyber risks while overstating its security practices.
Uber
In 2023, Uber's former Chief Security Officer, Joseph Sullivan, was found guilty of obstruction of justice and misprision for covering up a massive data breach in 2016. It was alleged that Sullivan attempted to conceal the incident by disguising a ransom payment as a bug bounty. This was the first time a CSO faced criminal charges for mishandling a breach.
The SolarWinds and Uber cases, other similar incidents, and an increase in supply chain attacks have necessitated organizational, regulatory and technological shifts for better risk and compliance management.
The Govern Function in NIST CSF 2.0 and CIS Critical Controls 8.1
In addition to cross-sector organizational, regulatory and technological shifts, the renewed focus on GRC is reflected in a significant change to the NIST Cybersecurity Framework (NIST CSF) and the CIS Critical Controls this year. Both cybersecurity frameworks have now added a “Govern” function to their core functions (which previously included Identify, Protect, Detect, Respond and Recover).
NIST CSF 2.0
In version 1.1 of the NIST CSF, governance-related activities were included under the “Identify” function. By placing these activities under a new Govern function in version 2.0, NIST has elevated the importance of aligning Cybersecurity Risk with Enterprise Risk. The Govern function includes action categories for establishing and monitoring cyber risk strategy, expectations, and policy. The strategy direction set under it will inform the implementation of the five other functions.
Within the Govern function, NIST lists the following main categories: Organizational Context; Risk Management Strategy; Cybersecurity Supply Chain Risk Management; Roles, Responsibilities, and Authorities; Policies, Processes, and Procedures; Oversight.
CIS Critical Controls 8.1
The latest version 8.1 of the CIS Controls, too, added a Govern function to the other five. The addition of Governance as a core component will enable users to identify the essential policies, procedures, and processes needed to safeguard their assets. To support the Govern function, CIS also added the asset type “Documentation” which includes Plans, Policies, Processes and Procedures. This will provide organizations with the evidence required to demonstrate compliance with industry standards.
Streamlining GRC Initiatives
Leveraging a Framework: One of the ways to streamline what can often become a tangled web of GRC activities is to use a pre-built framework like the NIST CSF or CIS Critical Controls. Organizations can then customize these frameworks to fit their specific requirements and risk appetites.
Leveraging Technology: In addition to using a framework, leveraging GRC tools like CYRISMA can help users simplify and tie together risk management and compliance initiatives. CYRISMA’s growing GRC module – with capabilities for comprehensive cyber risk management, compliance tracking, assessment, reporting, and cross-functional collaboration – is designed to help MSPs and MSSPs deliver a complete set of GRC management services to clients in a cost-effective manner.
CYRISMA’s GRC functions are just a part of its wider cyber risk management feature-set (all features are price-inclusive!)
Watch this three-minute platform demo to learn more about the complete feature-set.