GRC teams - Why does the rest of Cybersecurity and the IT teams not take them seriously?

The Governance, Risk & Compliance (GRC) Team is usually the team that aligns the Cybersecurity strategy with the Business objectives, and then creates the policies to support them and ensure that Cybersecurity requirements are included. However, I’ve noticed that this team is not usually held in very high regard by the rest of the Cybersecurity and IT teams. Why is this and what can be done to improve the situation? Thank you for your thoughts on this subject.

Fantastic question @Swissmiss3110!! The GRC team is often seen as a bunch of living spreadsheets who check boxes, and sadly some in GRC do act like that. I think part of the problem is that members of GRC teams, even when knowledgeable, are not very technical. They know what should be done, but not how to do it.

Some of the failure though comes from management. They allow the GRC team to be seen as “outsiders” who are coming in and making waves for the sake of appearance. Good managers help both GRC and technical team members work in harmony and appreciate that security is a valuable process and not a useless/perfunctory exercise.