Is GRC a Subset of Cybersecurity?
After nearly two decades in tech, including stints at the Big Four security firms, Scott Jordan is on his 148th governance, risk, and compliance (GRC) implementation.
Now the principal and partner at Agile GRC Solutions, Scott puts it simply on this episode of GRC & Me: “I’ve seen a few things in the market.”
Specifically, he’s watched as companies large and small have become more vulnerable to ransomware and other types of cyberattacks. While assessing the damage, he’s spotted a few common mistakes, which he calls “security landmines.”
GRC tools like LogicGate are powerful and necessary, but they work best when the humans wielding them are doing their due diligence. That’s where Scott and his experience come in.
That is if he can resist the tempting job offer from his eight-year-old daughter...
🔐 What he does: Scott is partner and principal at Agile GRC Solutions, where he helps companies of all sizes implement technical and strategic GRC approaches.
🏢 Company: Agile GRC Solutions
💬 Key quote: “You need cyber insurance. The industry is relatively new, so you can get it for pretty cheap. If you get breached, those insurance carriers will pay for up to seven figures, so you're moving the financial risk off your books.”
🔎 Where to find him: LinkedIn
💻 Scott’s 18-year career in the tech industry has taken him to the East and West Coasts, the Big Four security firms, and into GRC for healthcare IT as well as “every other vertical that you could probably think of.”
💻 Many people conflate GRC with security, but Scott is very clear that while the two are related, they are distinct. He compares GRC with an HR dress code or code of conduct: something that establishes order but not something that can protect you from attacks by itself.
💻 Before the mid-2000s, having GRC systems was seen as good business practice. But at that point, an increase in hacks led to a flurry around cybersecurity — which Scott thinks left GRC neglected. He’s also seen disconnects between security and ERM teams, which can make companies vulnerable.
💻 During his years as a consultant, Scott noticed that companies that had experienced cybersecurity breaches often had issues with at least one of four things, which he labeled “security landmines.” Namely, they had federated data stores and didn’t have a clear business hierarchy, a unified compliance framework and/or a comprehensive and objective understanding of their own assets.
💻 One underrated thing Scott wants everyone to have as part of their GRC program is cyber insurance. It removes financial risk and is relatively inexpensive — especially considering that the average data breach cost $3.86 million last year.