What is GRC in cybersecurity?

Rollback to version 1

0:00 - 0:02

governance risk compliance the grc
0:02 - 0:04

component of information security gets a
0:04 - 0:06

bad rap in the cyber security game
0:06 - 0:08

this week i'm going to throw some love
0:08 - 0:10

towards grc and tell you what you need
0:10 - 0:11

to know about it
0:11 - 0:17

to be successful coming up
0:17 - 0:19

[Music]
0:19 - 0:21

hey everybody welcome to simply cyber
0:21 - 0:23

the youtube channel designed to help you
0:23 - 0:23

make
0:23 - 0:26

or take a cyber security career further
0:26 - 0:28

faster i'm your host gerald dozier and
0:28 - 0:30

i'd like to give a special shout out to
0:30 - 0:32

our sponsor coastal information security
0:32 - 0:32

group
0:32 - 0:34

for uh being our sponsor really
0:34 - 0:36

appreciate that also in the background a
0:36 - 0:37

little shout out to
0:37 - 0:39

hacker spoiled another youtube content
0:39 - 0:41

creator and excellent excellent resource
0:41 - 0:42

on the internet
0:42 - 0:44

uh more on the bug bounty pen testing
0:44 - 0:47

side but check out his uh link below in
0:47 - 0:48

the show notes
0:48 - 0:51

just he's he does amazing work um
0:51 - 0:53

and be sure to stay tuned to the end
0:53 - 0:55

where i have my one cool thing segment
0:55 - 0:56

where i share something completely
0:56 - 0:58

um you know what i think is cool and
0:58 - 0:59

that i wanted you to know about
0:59 - 1:03

but let's get into grc so grc or
1:03 - 1:05

governance risk and compliance
1:05 - 1:08

is a critical piece of any mature
1:08 - 1:10

information security program so a lot of
1:10 - 1:12

times the red team the blue team
1:12 - 1:16

hands on hard skills technical scanners
1:16 - 1:19

you know hacking passing the hash like
1:19 - 1:20

popping shells all that stuff
1:20 - 1:23

that's all sexy and cool and it's
1:23 - 1:25

definitely an important part of
1:25 - 1:26

information security
1:26 - 1:29

however governance risk and compliance
1:29 - 1:32

has its place and it's equally important
1:32 - 1:34

in some regards now i will preface it by
1:34 - 1:35

saying
1:35 - 1:38

smaller businesses smaller programs
1:38 - 1:41

are not going to typically have a grc
1:41 - 1:43

component they will have some compliance
1:43 - 1:45

requirements in some situations
1:45 - 1:47

whether or not they're actually adhering
1:47 - 1:49

to them or doing anything
1:49 - 1:52

due diligence do care to meet them is a
1:52 - 1:55

separate issue grc
1:55 - 1:56

is going to be for more of your medium
1:56 - 1:59

size organizations and definitely
1:59 - 2:01

definitely large enterprise
2:01 - 2:04

organizations so think fortune 500
2:04 - 2:05

companies there's absolutely zero
2:05 - 2:06

question
2:06 - 2:09

that they have a grc component to their
2:09 - 2:11

information security program
2:11 - 2:12

and there's jobs there so that's why
2:12 - 2:14

it's so important
2:14 - 2:16

to a understand if you want to go into
2:16 - 2:17

that particular
2:17 - 2:20

field of information security but b
2:20 - 2:24

having the context of what that function
2:24 - 2:24

does
2:24 - 2:26

even if you are a blue team or a sock
2:26 - 2:27

analyst or something like that
2:27 - 2:30

it's important to understand that so
2:30 - 2:31

what exactly
2:31 - 2:34

is grc so grc is these three things
2:34 - 2:37

right governance risk and compliance
2:37 - 2:40

governance is basically how the
2:40 - 2:43

organization itself governs the way
2:43 - 2:44

things are done
2:44 - 2:46

and you know what does that kind of look
2:46 - 2:48

like right so that looks like
2:48 - 2:51

um can anyone in the organization
2:51 - 2:52

install
2:52 - 2:54

any software they want on any system
2:54 - 2:55

probably not
2:55 - 2:57

but there's rules around that right can
2:57 - 2:58

you go can you go to a
2:58 - 3:00

website on your lunch break can you
3:00 - 3:02

bring in an xbox and plug it into the
3:02 - 3:03

network and have a lan party
3:03 - 3:06

if people still do that um maybe maybe
3:06 - 3:07

not i don't know
3:07 - 3:09

those are acceptable use policies and
3:09 - 3:10

all of that is how
3:10 - 3:14

the organization governs both its end
3:14 - 3:14

users
3:14 - 3:18

and its it assets and it's it's um
3:18 - 3:20

itself really like what is acceptable
3:20 - 3:22

behavior what is the culture of the
3:22 - 3:22

organization
3:22 - 3:25

and that's what governance is it's not a
3:25 - 3:26

tool
3:26 - 3:28

although tools can help you implement it
3:28 - 3:30

effectively it's not it's not a skill
3:30 - 3:32

there's no github repo for governance
3:32 - 3:34

it's it's it's a
3:34 - 3:37

organizational cultural element of how
3:37 - 3:38

it's implemented okay so it's very
3:38 - 3:40

difficult to wrap your head around
3:40 - 3:42

um until you until you get it and then
3:42 - 3:45

it makes sense right
3:45 - 3:48

next is compliance compliance is
3:48 - 3:49

complying with whatever federal
3:49 - 3:50

regulations
3:50 - 3:52

industry regulations uh whatever
3:52 - 3:54

regulations and requirements you have to
3:54 - 3:55

so quick
3:55 - 3:58

quick big ones for example pci the
3:58 - 4:00

payment card industry
4:00 - 4:02

they have their own compliance standard
4:02 - 4:04

called pci
4:04 - 4:05

so if you work at a business or an
4:05 - 4:07

organization that takes credit cards
4:07 - 4:10

or you take credit cards you have to
4:10 - 4:11

comply
4:11 - 4:14

with pci you don't have to but if they
4:14 - 4:15

find out that you're not compliant
4:15 - 4:18

they the credit card companies will
4:18 - 4:19

restrict you
4:19 - 4:21

from being able to use credit cards so
4:21 - 4:23

think about your food truck
4:23 - 4:25

right and you're using credit cards but
4:25 - 4:28

you're not complying with a pci standard
4:28 - 4:29

they could take that away and now you're
4:29 - 4:31

a cash only food truck i don't know it's
4:31 - 4:32

20 20
4:32 - 4:35

where i am i don't carry cash so
4:35 - 4:37

you you're incentivized to comply with
4:37 - 4:38

that standard because you want to be
4:38 - 4:40

able to take credit cards another one
4:40 - 4:43

is hipaa right if you work in healthcare
4:43 - 4:44

or you've probably heard of it
4:44 - 4:46

hipaa compliance and basically
4:46 - 4:48

compliance standards are
4:48 - 4:51

a minimum set of security controls and
4:51 - 4:53

or privacy controls or whatever it's
4:53 - 4:55

some minimum set of standards
4:55 - 4:58

that an organization must implement
4:58 - 5:00

to be compliant with the standard and
5:00 - 5:01

then there's a whole host of like
5:01 - 5:04

um a testing that you've implemented and
5:04 - 5:06

auditing and passing an audit and having
5:06 - 5:08

an action plan for closing out
5:08 - 5:11

findings where there's gaps you know et
5:11 - 5:11

cetera
5:11 - 5:14

so that is what the compliance piece of
5:14 - 5:15

it is now
5:15 - 5:17

compliance and governance kind of work
5:17 - 5:19

hand in hand because if you have certain
5:19 - 5:21

things that you have to comply with like
5:21 - 5:24

um like i said with pci like all credit
5:24 - 5:26

card data needs to be encrypted
5:26 - 5:29

okay so then you can have some policy
5:29 - 5:30

that states
5:30 - 5:31

all cred all credit card data must be
5:31 - 5:33

encrypted or all data at rest must be
5:33 - 5:34

encrypted whatever
5:34 - 5:38

so now you like you put the policy in
5:38 - 5:39

place but if people are like oh
5:39 - 5:40

f off like i i'm not going to follow
5:40 - 5:42

that i'm like assist admin i don't have
5:42 - 5:43

time for encrypt and stuff or
5:43 - 5:47

i'm the i'm the uh the data uh analytics
5:47 - 5:48

person on our team and
5:48 - 5:50

it's like inconvenient for it to be
5:50 - 5:52

encrypted because i have to go decrypt
5:52 - 5:52

it every time
5:52 - 5:54

i want to train an algorithm or
5:54 - 5:55

something like that well
5:55 - 5:58

now it becomes governance tone at the
5:58 - 5:59

top which is
5:59 - 6:00

absolutely critical to any
6:00 - 6:02

organization's success tone being
6:02 - 6:04

the leadership who's defining what is
6:04 - 6:07

acceptable behavior in the organization
6:07 - 6:10

um standing behind what the govern the
6:10 - 6:12

governance model of those policies and
6:12 - 6:13

procedures are
6:13 - 6:14

are you following them and then
6:14 - 6:15

ultimately if you aren't what they do
6:15 - 6:17

about it right sanctions
6:17 - 6:20

um you know terminations etc
6:20 - 6:23

that's the only way it really works okay
6:23 - 6:27

third is risk now um spoiler alert if
6:27 - 6:28

this is new to
6:28 - 6:32

you but you cannot be 100 secure
6:32 - 6:34

ever i don't care how good you are
6:34 - 6:37

national security systems
6:37 - 6:39

submarines with missiles on them like
6:39 - 6:40

there are
6:40 - 6:41

vulnerabilities whether it's human
6:41 - 6:43

vulnerabilities uh attacking the human
6:43 - 6:44

social engineering
6:44 - 6:46

whether it's technical vulnerabilities
6:46 - 6:48

through exploitation
6:48 - 6:50

not patching physical security you can
6:50 - 6:52

walk in and plug a usb drive in whatever
6:52 - 6:53

it is
6:53 - 6:56

there is going to be
6:56 - 6:58

rip some risk right but what is that
6:58 - 7:00

risk how do you how do you qualify that
7:00 - 7:01

how do you quantify that and that's what
7:01 - 7:03

this piece of the risk
7:03 - 7:06

in grc is and it's actually a fairly
7:06 - 7:07

large one
7:07 - 7:09

and one that gets a lot more attention
7:09 - 7:11

than the other two
7:11 - 7:14

so risk is either assessed either
7:14 - 7:16

qualitatively or quantitative that means
7:16 - 7:16

you
7:16 - 7:19

say like we have some risk our list our
7:19 - 7:20

risk is
7:20 - 7:21

moderate our risk is low it's some
7:21 - 7:23

qualified subjective
7:23 - 7:26

uh value that people kind of agree on
7:26 - 7:28

but it's not it's not it's difficult to
7:28 - 7:29

measure
7:29 - 7:32

quantifiable is measurable where you say
7:32 - 7:33

you know
7:33 - 7:37

our risk was uh of whatever is that 34
7:37 - 7:39

of risk and we're going to implement
7:39 - 7:40

these three controls
7:40 - 7:42

and that's going to reduce our risk to
7:42 - 7:44

17 and organizationally
7:44 - 7:46

at the governance level we're
7:46 - 7:48

comfortable with 20 um
7:48 - 7:50

risk so quantifiable is a little bit
7:50 - 7:52

harder you need to be like a much more
7:52 - 7:54

mature organization in order to have the
7:54 - 7:55

metrics to support what that
7:55 - 7:57

quantification is
7:57 - 8:00

qualitative you'll see a lot more often
8:00 - 8:03

a couple resources that i want to share
8:03 - 8:05

with you again there aren't really
8:05 - 8:10

tools necessarily within the grc space
8:11 - 8:13

but um
8:13 - 8:15

so nist has some special publications
8:15 - 8:19

that you should be aware of 800-39
8:19 - 8:21

that is kind of showing you how to
8:21 - 8:23

implement an organizational kind of
8:23 - 8:27

risk management framework it's not 837
8:27 - 8:28

which is the risk management framework
8:28 - 8:31

you can check that as well but 839 talks
8:31 - 8:33

about risk at the organizational level
8:33 - 8:35

risk at the system level which is what
8:35 - 8:36

most people think of when they think of
8:36 - 8:38

like an unpatched system and stuff like
8:38 - 8:41

that um
8:41 - 8:43

as you do audits and things like that
8:43 - 8:44

like you can you have to do an audit
8:44 - 8:45

right so
8:45 - 8:47

let's say you're going to put in some
8:47 - 8:49

controls then you have to test the
8:49 - 8:50

effectiveness of them because a they
8:50 - 8:51

might be configured wrong b
8:51 - 8:55

you might have uh end users that are
8:55 - 8:56

intentionally circumventing them for
8:56 - 8:57

whatever reason
8:57 - 8:59

once you assess them you get some score
8:59 - 9:00

uh and then you find out where the
9:00 - 9:02

weaknesses are and then you put an
9:02 - 9:04

action plan in place to
9:04 - 9:05

remediate those and then you have to
9:05 - 9:07

report that up to leadership or the
9:07 - 9:09

board or whoever
9:09 - 9:11

on where you are today and where you are
9:11 - 9:12

tomorrow and what your plan is and how
9:12 - 9:13

you implement
9:13 - 9:16

and then all of these things come with
9:16 - 9:17

financial uh
9:17 - 9:19

obligations oftentimes where you need to
9:19 - 9:21

um
9:21 - 9:24

purchase a tool or purchase some access
9:24 - 9:24

to some
9:24 - 9:26

configuration baselines for example or
9:26 - 9:28

something like that or some knowledge
9:28 - 9:30

um or or hire people in order to
9:30 - 9:32

implement or maintain appliances or get
9:32 - 9:33

contractors to do it
9:33 - 9:36

so grc is a big thing
9:36 - 9:40

it takes time again it's more angled for
9:40 - 9:41

medium to larger organizations although
9:41 - 9:43

small ones do need to really worry about
9:43 - 9:44

the compliance one
9:44 - 9:46

but from a governance and risk
9:46 - 9:48

perspective small organizations are
9:48 - 9:49

typically
9:49 - 9:50

in really even compliance they're just
9:50 - 9:52

flying by the seat of their pants
9:52 - 9:53

they're assuming that they're compliant
9:53 - 9:55

with whatever standard or they're
9:55 - 9:57

unaware of the standard
9:57 - 10:00

and they have a
10:00 - 10:04

basically a naive idea of what their
10:04 - 10:05

current risk posture is and what they're
10:05 - 10:07

willing to accept and it's really naive
10:07 - 10:08

because they're
10:08 - 10:11

unaware um and i'll just point out like
10:11 - 10:12

you know whatever shameless plug my
10:12 - 10:14

entire dissertation for my phd
10:14 - 10:16

was focused on this naivety of what
10:16 - 10:19

their risk tolerance was and what
10:19 - 10:22

actually led to why that risk existed
10:22 - 10:23

so if you're interested in digging into
10:23 - 10:26

a 200 page book i wrote on it
10:26 - 10:29

you can you can dig in there so again
10:29 - 10:31

i just wanted to spend a minute this is
10:31 - 10:33

important right so the blue team is
10:33 - 10:33

defending the
10:33 - 10:36

red team is attacking but like what are
10:36 - 10:37

like
10:37 - 10:38

where should they focus their efforts
10:38 - 10:40

they can't defend everything right so
10:40 - 10:41

governance
10:41 - 10:43

and compliance and and really what your
10:43 - 10:44

risk profile is
10:44 - 10:45

defines where they should spend their
10:45 - 10:47

efforts or how you should spend your
10:47 - 10:47

money
10:47 - 10:49

on what controls and tools just buying
10:49 - 10:52

the coolest new tool that's at black hat
10:52 - 10:53

or like the vendor that has the biggest
10:53 - 10:55

booth yeah you can do that but like
10:55 - 10:58

is it is it quantifiably is it a
10:58 - 11:00

material improvement to your wrist
11:00 - 11:02

posture or is it literally doing you
11:02 - 11:04

bought a pa firewall
11:04 - 11:06

now you're gonna buy a four net firewall
11:06 - 11:07

and you already got them so it didn't
11:07 - 11:09

actually improve your security posture
11:09 - 11:10

it just hit your budget
11:10 - 11:13

right so grc it gets complicated
11:13 - 11:15

uh but that's basically it there are
11:15 - 11:16

some tools that help you manage and
11:16 - 11:18

communicate out to organizations what
11:18 - 11:19

your policies are
11:19 - 11:23

uh but you know oh another like quick
11:23 - 11:23

pro tip
11:23 - 11:26

policies like don't write 400 policies
11:26 - 11:28

for the sake of uh
11:28 - 11:29

compliance right you should write
11:29 - 11:31

minimum a couple policies that are
11:31 - 11:33

important to your organization
11:33 - 11:36

and uh communicate them uh throughout
11:36 - 11:37

the organization and have governance
11:37 - 11:39

and senior leadership buy-in or else
11:39 - 11:41

you're never gonna succeed
11:41 - 11:43

with that okay if you've got any
11:43 - 11:44

questions about grc
11:44 - 11:46

put them in the uh comments below i'll
11:46 - 11:48

i'll answer them i love engaging with
11:48 - 11:49

you all
11:49 - 11:51

um and i'm happy to have spent some time
11:51 - 11:52

throwing some
11:52 - 11:54

throwing some love and showering it uh
11:54 - 11:56

the the grc to the side of the house
11:56 - 11:58

instead of just new tools and cool
11:58 - 12:01

uh hacks and stuff like that so now it's
12:01 - 12:03

time for our one cool thing
12:03 - 12:05

my one cool thing is i can't remember
12:05 - 12:07

the name of it right now but it's going
12:07 - 12:09

it's a netflix show i watched last night
12:09 - 12:10

and it's actually really
12:10 - 12:13

interesting i'll put it right here i
12:13 - 12:14

forget the title
12:14 - 12:17

but it's basically about how social
12:17 - 12:19

media companies have developed
12:19 - 12:22

um how like basically how engineers have
12:22 - 12:24

engineered user interfaces to
12:24 - 12:27

promote uh interaction and the time
12:27 - 12:28

spent on the platform
12:28 - 12:30

uh there is like a whole kind of
12:30 - 12:32

dramatic use case that they they splice
12:32 - 12:35

in periodically about like the abuse of
12:35 - 12:36

um
12:36 - 12:37

of how it could affect a family it's a
12:37 - 12:39

dramatization and i didn't care for that
12:39 - 12:40

part
12:40 - 12:41

but they're interviewing like the
12:41 - 12:43

president of uh
12:43 - 12:45

uber and the the ceo of pinterest or
12:45 - 12:47

former president of pinterest and
12:47 - 12:49

lead engineers at google and interface
12:49 - 12:50

engineers at twitter like
12:50 - 12:53

high-end really smart you know stanford
12:53 - 12:54

graduate type people
12:54 - 12:58

who are talking about the humane uh
12:58 - 13:00

humane elements of technology and how
13:00 - 13:01

you know
13:01 - 13:04

like it it's it's it's it's interesting
13:04 - 13:06

i'll put it this way it's worth checking
13:06 - 13:08

out i personally
13:08 - 13:11

um spent a lot of time on my phone you
13:11 - 13:12

know it's the first thing i look at when
13:12 - 13:14

i wake up i typically check it when i go
13:14 - 13:16

to bed like
13:16 - 13:17

i went in right after i was watching
13:17 - 13:18

this or while i was watching it and
13:18 - 13:20

disabled notifications on just about
13:20 - 13:22

everything that i don't really care
13:22 - 13:23

about i left my
13:23 - 13:24

you know messages and my email because
13:24 - 13:26

that's how people normally communicate
13:26 - 13:26

with me but
13:26 - 13:29

just all the superfluous app that wants
13:29 - 13:31

to send you notifications and
13:31 - 13:33

steal your attention and disrupt um your
13:33 - 13:36

your focus on whatever it is i
13:36 - 13:37

i disabled all those and i felt better
13:37 - 13:40

about it so uh great little documentary
13:40 - 13:42

i recommend checking it out
13:42 - 13:45

okay thanks everybody uh love love
13:45 - 13:46

engaging with you love
13:46 - 13:49

uh doing the show and until next week
13:49 - 14:02

stay secure

Title:: What is GRC in cybersecurity?
Description:: more » « less
Video Language:: English
Duration:: 14:00

	OEVIDEOS edited English subtitles for What is GRC in cybersecurity?
	OEVIDEOS edited English subtitles for What is GRC in cybersecurity?

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

What is GRC in cybersecurity?

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)