Understanding GRC: How to Navigate Risks and Compliance Standards

written by Sean Reilly || Guest Author

This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

“GRC” isn’t all witchcraft and administrative nonsense — it’s the core that drives security initiatives, connects security spend to business outcomes, and powers a well-functioning security team.

GRC in a Nutshell

  • Stands for Governance, Risk Management, and Compliance.
  • Translates business risk appetite into a target risk profile, creates policies and mandates controls to reach that profile, measures compliance, and gets business agreement on residual risk.
  • Helps businesses understand security’s activities, justifies spend, and enables risk-informed decisions.
  • The goal is to manage risk, not eliminate it completely.

Measuring Risk – Numbers or Opinions?

There are two core approaches to assessing risk:

  • Quantitative Assessment: Measuring risk in actual $$ values or similar quantifiable measures. Challenging, requiring a mature business and security program.
  • Qualitative Assessment: Rating risk on a scale (e.g., 1-5) through expert opinions and measurable tests. Easier — therefore, more common.

Most frameworks consider impact and likelihood, often including assets (determining impact), vulnerabilities (determining likelihood), and threats. GRC considers a broad range of risks, including tech flaws, insider threats, natural disasters, and external market conditions.

Managing Risk

Risk management is what GRC is all about. GRC defines policies and controls based on business risk tolerance, assesses implementation, and identifies residual risk.

When risk is outside tolerance, we typically either:

  • Remediate the source of the risk – Address the cause or vulnerability, often with temporary risk acceptance during the fix.
  • Accept the risk as an exception – Document and accept isolated exposures.
  • Adjust the target risk profile – Reevaluate and adjust overall tolerance.

Decisions are based on both impact and current or potential mitigations. Risks over agreed thresholds will be directly communicated to or signed off by business stakeholders.
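The qualitative assessment and the three responses described above, worked through as an added example (not from the original article). It assumes a 1-5 impact and likelihood scale, a simple model in which each control removes a number of steps from the likelihood rating, and tolerance and sign-off thresholds chosen for illustration; the register entries are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int  # steps removed from the 1-5 likelihood (assumed model)
    implemented: bool          # current control (True) or potential one (False)

@dataclass
class Risk:
    name: str
    impact: int      # 1-5 qualitative rating
    likelihood: int  # 1-5 qualitative rating
    mitigations: list = field(default_factory=list)

def validate(rating):
    if rating not in range(1, 6):
        raise ValueError(f"rating {rating} is outside the 1-5 scale")
    return rating

def score(risk, include_potential=False):
    """Qualitative score = impact x likelihood after mitigations (1..25)."""
    reduction = sum(m.likelihood_reduction for m in risk.mitigations
                    if m.implemented or include_potential)
    likelihood = max(1, validate(risk.likelihood) - reduction)
    return validate(risk.impact) * likelihood

def disposition(risk, tolerance, signoff_threshold):
    """Map a risk onto remediate / accept as exception / escalate to the business."""
    current = score(risk)
    if current <= tolerance:
        return "within tolerance"
    if score(risk, include_potential=True) <= tolerance:
        return "remediate (temporary acceptance while planned controls are implemented)"
    if current >= signoff_threshold:  # assumed policy: above this line the business decides
        return "exceeds sign-off threshold: stakeholders accept exception or adjust target profile"
    return "accept as documented exception"

def review(register, tolerance=8, signoff_threshold=15):
    return {r.name: disposition(r, tolerance, signoff_threshold) for r in register}

# Constructed sample register
REGISTER = [
    Risk("Unpatched internet-facing web server", 5, 4,
         [Mitigation("apply vendor patch", 3, implemented=False)]),
    Risk("Lost laptop with customer data", 4, 3,
         [Mitigation("full-disk encryption", 2, implemented=True)]),
    Risk("Regional data-centre flood", 5, 2),
    Risk("Insider misuse of admin credentials", 5, 3),
]
```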

Interested in Getting Into GRC?

Become the driving force behind security and a key interface between business and security leaders.

Educational Background

A bachelor’s degree is generally required. Focus on analytical, technical, or risk-oriented fields like engineering, computer science, or business administration. Combine business acumen with technical skills.

Early Career & Company Selection

Good initial roles include:

  • Junior Auditor / Analyst
  • IT Helpdesk or Systems Support: Though not “GRC,” these roles build analytical thinking and communication abilities while sharpening tech skills.

Look for employers in regulated industries like finance and healthcare, who need regular compliance assessments. Also, consider consulting firms (e.g., the “Big 4” – Deloitte, KPMG, PwC, and EY), who employ small armies of auditors and have career tracks from junior analyst to team lead.

Certifications

Certifications can help, but experience trumps all. Here are some helpful ones that won’t break the bank:

  • CompTIA Security+
  • ISACA CISA

As you gain experience, consider:

  • ISACA CRISC
  • ISC2’s CISSP or ISACA’s CISM – both are management focused
  • Pursue other niche certs only if you want to focus in a specific area

Helpful GRC Resources

  • NIST
  • ISO27001
  • PCI-DSS
  • HIPAA
  • ITIL & COBIT

Explore the Infosec Survival Guide and more… for FREE!

Get instant access to all issues of the Infosec Survival Guide, as well as content like our self-published infosec zine, PROMPT#, and exclusive Darknet Diaries comics—all available at no cost.

You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/