What is GRC in cybersecurity?

Edit subtitles

0:00 - 0:02

Governance, risk, and compliance, the GRC
0:02 - 0:04

component of information security, gets a
0:04 - 0:06

bad rap in the cybersecurity game.
0:06 - 0:08

This week, I'm going to throw some love
0:08 - 0:10

toward GRC and tell you what you need
0:10 - 0:11

to know about it
0:11 - 0:12

to be successful. Coming up.
0:12 - 0:19

[Music]
0:19 - 0:21

Hey everybody. Welcome to Simply Cyber,
0:21 - 0:23

the YouTube channel designed to help you
0:23 - 0:23

make
0:23 - 0:26

or take a cybersecurity career further,
0:26 - 0:28

faster. I'm your host, Gerald Auger, and
0:28 - 0:30

I'd like to give a special shoutout to
0:30 - 0:32

our sponsor, Coastal Information Security
0:32 - 0:32

Group,
0:32 - 0:34

for being our sponsor. Really
0:34 - 0:36

appreciate that. Also in the background, a
0:36 - 0:37

little shoutout to
0:37 - 0:39

HackerSploit, another YouTube content
0:39 - 0:41

creator and excellent, excellent resource
0:41 - 0:42

on the internet.
0:42 - 0:44

More on the Bug Bounty and Pen Testing
0:44 - 0:47

side, but check out his link below in
0:47 - 0:48

the show notes.
0:48 - 0:51

Just he does amazing work.
0:51 - 0:53

And be sure to stay tuned to the end,
0:53 - 0:55

where I have my "One Cool Thing" segment,
0:55 - 0:56

where I share something completely,
0:56 - 0:58

you know, what I think is cool and,
0:58 - 0:59

that I wanted you to know about.
0:59 - 1:03

But let's get into GRC. So GRC, or
1:03 - 1:05

governance, risk, and compliance,
1:05 - 1:08

is a critical piece of any mature
1:08 - 1:10

information security program. So a lot of
1:10 - 1:12

times, the red team, the blue team,
1:12 - 1:16

hands-on hard skills, technical scanners,
1:16 - 1:19

you know, hacking, passing the hash, like,
1:19 - 1:20

popping shells, all that stuff--
1:20 - 1:23

that's all sexy and cool, and it's
1:23 - 1:25

definitely an important part of
1:25 - 1:26

information security.
1:26 - 1:29

However, governance, risk, and compliance
1:29 - 1:32

has its place, and it's equally important
1:32 - 1:34

in some regards. Now, I will preface it by
1:34 - 1:35

saying
1:35 - 1:38

smaller businesses and smaller programs
1:38 - 1:41

are not going to typically have a GRC
1:41 - 1:43

component. They will have some compliance
1:43 - 1:45

requirements in some situations,
1:45 - 1:47

whether or not they're actually adhering
1:47 - 1:49

to them or doing anything;
1:49 - 1:52

due diligence and due care to meet them, is a
1:52 - 1:55

separate issue. GRC
1:55 - 1:57

is going to be for more of your medium-sized
1:57 - 1:59

organizations and definitely,
1:59 - 2:01

definitely large enterprise
2:01 - 2:04

organizations. So think Fortune 500
2:04 - 2:05

companies. There's absolutely zero
2:05 - 2:06

question
2:06 - 2:09

that they have a GRC component to their
2:09 - 2:11

information security program,
2:11 - 2:12

and there are jobs there. So that's why
2:12 - 2:14

it's so important
2:14 - 2:16

to A) understand if you want to go into
2:16 - 2:17

that particular
2:17 - 2:20

field of information security, but B)
2:20 - 2:24

have the context of what that function
2:24 - 2:24

does,
2:24 - 2:26

even if you are a blue team or a SOC
2:26 - 2:27

analyst or something like that.
2:27 - 2:30

It's important to understand that. So,
2:30 - 2:31

what exactly
2:31 - 2:34

is GRC? So GRC is these three things,
2:34 - 2:37

right? Governance, risk, and compliance.
2:37 - 2:40

Governance is basically how the
2:40 - 2:43

organization itself governs the way
2:43 - 2:44

things are done.
2:44 - 2:46

And, you know, what does that kind of look
2:46 - 2:48

like, right? So that looks like:
2:48 - 2:51

Can anyone in the organization
2:51 - 2:52

install
2:52 - 2:54

any software they want on any system?
2:54 - 2:55

Probably not,
2:55 - 2:57

but there are rules around that, right? Can
2:57 - 2:58

you go can to a p***
2:58 - 3:00

website on your lunch break? Can you
3:00 - 3:02

bring in an Xbox and plug it into the
3:02 - 3:03

network and have a LAN party
3:03 - 3:06

if people still do that? Maybe, maybe
3:06 - 3:07

not. I don't know.
3:07 - 3:09

Those are acceptable use policies, and
3:09 - 3:10

all of that is how
3:10 - 3:14

the organization governs both its end
3:14 - 3:14

users
3:14 - 3:18

and its IT assets, and
3:18 - 3:20

itself really--like, what is acceptable
3:20 - 3:22

behavior? What is the culture of the
3:22 - 3:22

organization?
3:22 - 3:25

And that's what governance is. It's not a
3:25 - 3:26

tool,
3:26 - 3:28

although tools can help you implement it
3:28 - 3:30

effectively. It's not a skill.
3:30 - 3:32

There's no GitHub repo for governance.
3:32 - 3:34

It's an
3:34 - 3:37

organizational cultural element of how
3:37 - 3:38

it's implemented. Okay? So it's very
3:38 - 3:40

difficult to wrap your head around
3:40 - 3:42

until you get it, and then
3:42 - 3:45

it makes sense, right?
3:45 - 3:48

Next is compliance. Compliance is
3:48 - 3:49

complying with whatever federal
3:49 - 3:50

regulations,
3:50 - 3:52

industry regulations, or whatever
3:52 - 3:54

regulations and requirements you have to.
3:54 - 3:55

So, quick
3:55 - 3:58

big ones, for example, PCI--the
3:58 - 4:00

Payment Card Industry.
4:00 - 4:02

They have their own compliance standard
4:02 - 4:04

called PCI.
4:04 - 4:05

So if you work at a business or an
4:05 - 4:07

organization that takes credit cards,
4:07 - 4:10

or you take credit cards, you have to
4:10 - 4:11

comply
4:11 - 4:14

with PCI. You don't have to, but if they
4:14 - 4:15

find out that you're not compliant,
4:15 - 4:18

they, the credit card companies will
4:18 - 4:19

restrict you
4:19 - 4:21

from being able to use credit cards. So
4:21 - 4:23

think about your food truck,
4:23 - 4:25

right? And you're using credit cards, but
4:25 - 4:28

you're not complying with the PCI standard.
4:28 - 4:29

They could take that away, and now you're
4:29 - 4:31

a cash-only food truck. I don't know. It's
4:31 - 4:32

2020.
4:32 - 4:35

Where I am, I don't carry cash. So,
4:35 - 4:37

you're incentivized to comply with
4:37 - 4:38

that standard because you want to be
4:38 - 4:40

able to take credit cards. Another one
4:40 - 4:43

is HIPAA, right? If you work in healthcare,
4:43 - 4:44

you've probably heard of it:
4:44 - 4:46

HIPPA compliance, and basically
4:46 - 4:48

compliance standards, are
4:48 - 4:51

a minimum set of security controls and/or
4:51 - 4:53

privacy controls or whatever. It's
4:53 - 4:55

some minimum set of standards
4:55 - 4:58

that an organization must implement
4:58 - 5:00

to be compliant with the standard, and
5:00 - 5:01

then there's a whole host of, like,
5:01 - 5:04

testing that you've implemented and
5:04 - 5:06

auditing and passing an audit, and having
5:06 - 5:08

an action plan for closing out
5:08 - 5:11

findings where there's gaps, you know, etc.
5:11 - 5:14

So that is what the compliance piece of
5:14 - 5:15

it is. Now,
5:15 - 5:17

compliance and governance kind of work
5:17 - 5:19

hand in hand because if you have certain
5:19 - 5:21

things that you have to comply with, like
5:21 - 5:24

I said with PCI--like, all credit
5:24 - 5:26

card data needs to be encrypted--
5:26 - 5:29

okay. So then you can have some policy
5:29 - 5:30

that states,
5:30 - 5:31

"All credit card data must be
5:31 - 5:33

encrypted" or "All data at rest must be
5:33 - 5:34

encrypted" or whatever.
5:34 - 5:38

So now you, like, you put the policy in
5:38 - 5:39

place, but if people are like, "Oh
5:39 - 5:40

f-off, I'm not going to follow
5:40 - 5:42

that. I'm like sysadmin. I don't have
5:42 - 5:43

time for encryption and stuff," or
5:43 - 5:47

"I'm the data analytics
5:47 - 5:48

person on our team, and
5:48 - 5:50

it's like inconvenient for it to be
5:50 - 5:52

encrypted because I have to go decrypt
5:52 - 5:52

it every time
5:52 - 5:54

I want to train an algorithm or
5:54 - 5:55

something like that." Well,
5:55 - 5:58

now it becomes governance--tone at the
5:58 - 5:59

top, which is
5:59 - 6:00

absolutely critical to any
6:00 - 6:02

organization's success. Tone meaning
6:02 - 6:04

the leadership, who's defining what is
6:04 - 6:07

acceptable behavior in the organization.
6:07 - 6:10

Standing behind what the
6:10 - 6:12

governance model of those policies and
6:12 - 6:13

procedures--are
6:13 - 6:14

you following them? And then,
6:14 - 6:15

ultimately, if you aren't, what they do
6:15 - 6:17

about it? Right? Sanctions,
6:17 - 6:20

you know, terminations, etc.
6:20 - 6:23

That's the only way it really works. Okay?
6:23 - 6:27

Third is risk. Now, spoiler alert if
6:27 - 6:28

this is new to
6:28 - 6:32

you, but you cannot be 100% secure,
6:32 - 6:34

ever. I don't care how good you are--
6:34 - 6:37

national security systems,
6:37 - 6:39

submarines with missiles on them, like
6:39 - 6:40

there are
6:40 - 6:41

vulnerabilities. Whether it's human
6:41 - 6:43

vulnerabilities, attacking the human
6:43 - 6:44

social engineering,
6:44 - 6:46

technical vulnerabilities
6:46 - 6:48

through exploitation,
6:48 - 6:50

not patching, or physical security--you can
6:50 - 6:52

walk in and plug a USB drive in. Whatever
6:52 - 6:53

it is,
6:53 - 6:56

there is going to be
6:56 - 6:58

some risk, right? But what is that
6:58 - 7:00

risk? How do you qualify that?
7:00 - 7:01

How do you quantify that? And that's what
7:01 - 7:03

this piece of the risk
7:03 - 7:06

in GRC is. And it's actually a fairly
7:06 - 7:07

large one
7:07 - 7:09

and one that gets a lot more attention
7:09 - 7:11

than the other two.
7:11 - 7:14

So, risk is either assessed either
7:14 - 7:16

qualitatively or quantitatively. That means
7:16 - 7:16

you
7:16 - 7:19

say, like, "We have some risk. Our
7:19 - 7:20

risk is
7:20 - 7:21

moderate. Our risk is low." It's some
7:21 - 7:23

qualified, subjective
7:23 - 7:26

value that people kind of agree on,
7:26 - 7:28

but it's difficult to
7:28 - 7:29

measure.
7:29 - 7:32

Quantifiable is measurable, where you say,
7:32 - 7:33

you know,
7:33 - 7:37

"Our risk was, of whatever is at 34%
7:37 - 7:39

of risk, and we're going to implement
7:39 - 7:40

these three controls.
7:40 - 7:42

And that's going to reduce our risk to
7:42 - 7:44

17%. And organizationally,
7:44 - 7:46

at the governance level, we're
7:46 - 7:48

comfortable with 20%
7:48 - 7:50

risk." So quantifiable is a little bit
7:50 - 7:52

harder. You need to be, like, a much more
7:52 - 7:54

mature organization in order to have the
7:54 - 7:55

metrics to support what that
7:55 - 7:57

quantification is.
7:57 - 8:00

Qualitative, you'll see a lot more often.
8:00 - 8:03

A couple resources that I want to share
8:03 - 8:05

with you: Again, there aren't really
8:05 - 8:10

tools necessarily within the GRC space, but
8:13 - 8:15

NIST has some special publications
8:15 - 8:19

that you should be aware of. 800-39,
8:19 - 8:21

that is kind of showing you how to
8:21 - 8:23

implement an organizational kind of
8:23 - 8:27

risk management framework. It's not 837,
8:27 - 8:28

which is the risk management framework--
8:28 - 8:31

you can check that as well--but 839 talks
8:31 - 8:33

about risk at the organizational level,
8:33 - 8:35

risk at the system level, which is what
8:35 - 8:36

most people think of when they think of,
8:36 - 8:38

like, an unpatched system, and stuff like
8:38 - 8:39

that.
8:41 - 8:43

As you do audits and things like that,
8:43 - 8:44

like, you can, you have to do an audit,
8:44 - 8:45

right? So
8:45 - 8:47

let's say you're going to put in some
8:47 - 8:49

controls, then you have to test the
8:49 - 8:50

effectiveness of them because, a) they
8:50 - 8:51

might be configured wrong, b)
8:51 - 8:55

you might have end users that are
8:55 - 8:56

intentionally circumventing them for
8:56 - 8:57

whatever reason.
8:57 - 8:59

Once you assess them, you get some score,
8:59 - 9:00

and then you find out where the
9:00 - 9:02

weaknesses are, and then you put an
9:02 - 9:04

action plan in place to
9:04 - 9:05

remediate those. And then you have to
9:05 - 9:07

report that up to leadership or the
9:07 - 9:09

board or whoever,
9:09 - 9:11

on where you are today, where you are
9:11 - 9:12

tomorrow, and what your plan is and how
9:12 - 9:13

you implement.
9:13 - 9:16

And then all of these things come with
9:16 - 9:17

financial
9:17 - 9:19

obligations, oftentimes, where you need to
9:21 - 9:24

purchase a tool or purchase some access
9:24 - 9:24

to some
9:24 - 9:26

configuration baselines, for example, or
9:26 - 9:28

something like that, or some knowledge,
9:28 - 9:30

or hire people in order to
9:30 - 9:32

implement or maintain appliances or get
9:32 - 9:33

contractors to do it.
9:33 - 9:36

So GRC is a big thing.
9:36 - 9:40

It takes time. Again, it's more angled for
9:40 - 9:41

medium to larger organizations, although
9:41 - 9:43

small ones do need to really worry about
9:43 - 9:44

the compliance one.
9:44 - 9:46

But from a governance and risk
9:46 - 9:48

perspective, small organizations are
9:48 - 9:49

typically,
9:49 - 9:50

and really even compliance, they're just
9:50 - 9:52

flying by the seat of their pants.
9:52 - 9:53

They're assuming that they're compliant
9:53 - 9:55

with whatever standard, or they're
9:55 - 9:57

unaware of the standard,
9:57 - 10:00

and they have a
10:00 - 10:04

basically naive idea of what their
10:04 - 10:05

current risk posture is and what they're
10:05 - 10:07

willing to accept. And it's really naive
10:07 - 10:08

because they're
10:08 - 10:11

unaware. And I'll just point out, like,
10:11 - 10:12

you know, whatever, shameless plug: My
10:12 - 10:14

entire dissertation for my PhD
10:14 - 10:16

was focused on this naivety of what
10:16 - 10:19

their risk tolerance was and what
10:19 - 10:22

actually led to why that risk existed.
10:22 - 10:23

So, if you're interested in digging into
10:23 - 10:26

a 200-page book I wrote on it,
10:26 - 10:29

you can dig in there. So, again,
10:29 - 10:31

I just wanted to spend a minute. This is
10:31 - 10:33

important, right? So the blue team is
10:33 - 10:33

defending. The
10:33 - 10:36

red team is attacking. But like, what are,
10:36 - 10:37

like,
10:37 - 10:38

where should they focus their efforts?
10:38 - 10:40

They can't defend everything, right? So,
10:40 - 10:41

governance,
10:41 - 10:43

compliance, and really what your
10:43 - 10:44

risk profile is
10:44 - 10:45

defines where they should spend their
10:45 - 10:47

efforts or how you should spend your
10:47 - 10:47

money
10:47 - 10:49

on what controls and tools. Just buying
10:49 - 10:52

the coolest new tool that's at Black Hat
10:52 - 10:53

or like the vendor that has the biggest
10:53 - 10:55

booth--yeah, you can do that. But like,
10:55 - 10:58

is it quantifiably a
10:58 - 11:00

material improvement to your risk
11:00 - 11:02

posture, or is it literally doing you
11:02 - 11:04

bought a PA firewall,
11:04 - 11:06

now you're going to buy a Fortinet firewall,
11:06 - 11:07

and you already got them? So, it didn't
11:07 - 11:09

actually improve your security posture,
11:09 - 11:10

it just hit your budget,
11:10 - 11:13

right? So GRC, it gets complicated,
11:13 - 11:15

but that's basically it. There are
11:15 - 11:16

some tools that help you manage and
11:16 - 11:18

communicate out to organizations what
11:18 - 11:19

your policies are,
11:19 - 11:23

but, you know, oh, another, like, quick
11:23 - 11:23

pro tip:
11:23 - 11:26

Policies, like, don't write 400 policies
11:26 - 11:28

for the sake of
11:28 - 11:29

compliance, right? You should write a
11:29 - 11:31

minimum of a couple policies that are
11:31 - 11:33

important to your organization
11:33 - 11:36

and communicate them throughout
11:36 - 11:37

the organization and have governance
11:37 - 11:39

and senior leadership buy-in, or else
11:39 - 11:41

you're never going to succeed
11:41 - 11:43

with that. Okay. If you've got any
11:43 - 11:44

questions about GRC,
11:44 - 11:46

put them in the comments below. I'll
11:46 - 11:48

answer them. I love engaging with
11:48 - 11:49

you all,
11:49 - 11:51

and I'm happy to have spent some time
11:51 - 11:52

throwing some,
11:52 - 11:54

throwing some love and showering
11:54 - 11:56

the GRC to the side of the house
11:56 - 11:58

instead of just new tools and cool
11:58 - 12:01

hacks and stuff like that. So now it's
12:01 - 12:03

time for our "One Cool Thing."
12:03 - 12:05

My one cool thing is I can't remember
12:05 - 12:07

the name of it right now, but it's
12:07 - 12:09

a Netflix show I watched last night,
12:09 - 12:10

and it's actually really
12:10 - 12:13

interesting. I'll put it right here. I
12:13 - 12:14

forgot the title.
12:14 - 12:17

But it's basically about how social
12:17 - 12:19

media companies have developed,
12:19 - 12:22

how, like, basically, how engineers have
12:22 - 12:24

engineered user interfaces to
12:24 - 12:27

promote interaction and time
12:27 - 12:28

spent on the platform.
12:28 - 12:30

There is, like, a whole kind of
12:30 - 12:32

dramatic use case that they splice
12:32 - 12:35

in periodically about, like, the abuse of
12:36 - 12:37

how it could affect a family. It's a
12:37 - 12:39

dramatization, and I didn't care for that
12:39 - 12:40

part.
12:40 - 12:41

But they're interviewing, like, the
12:41 - 12:43

president of
12:43 - 12:45

Uber, the CEO of Pinterest, or
12:45 - 12:47

former president of Pinterest,
12:47 - 12:49

lead engineers at Google, and interface
12:49 - 12:50

engineers at Twitter. Like,
12:50 - 12:53

high-end, really smart, you know, Stanford
12:53 - 12:54

graduate-type people
12:54 - 12:58

who are talking about the humane
12:58 - 13:00

elements of technology and how,
13:00 - 13:01

you know,
13:01 - 13:04

like, it's interesting.
13:04 - 13:06

I'll put it this way: It's worth checking
13:06 - 13:08

out. I personally
13:08 - 13:11

have spent a lot of time on my phone. You
13:11 - 13:12

know, it's the first thing I look at when
13:12 - 13:14

I wake up. I typically check it when I go
13:14 - 13:16

to bed. Like,
13:16 - 13:17

I went in right after I was watching
13:17 - 13:18

this or while I was watching it, and
13:18 - 13:20

disabled notifications on just about
13:20 - 13:22

everything that I don't really care
13:22 - 13:23

about. I left my,
13:23 - 13:24

you know, messages and my email because
13:24 - 13:26

that's how people normally communicate
13:26 - 13:26

with me. But
13:26 - 13:29

just all the superfluous f****** app that want
13:29 - 13:31

to send you notifications,
13:31 - 13:33

steal your attention, and disrupt your
13:33 - 13:36

focus on whatever it is. I
13:36 - 13:37

disabled all those, and I felt better
13:37 - 13:40

about it. So, great little documentary.
13:40 - 13:42

Recommend checking it out.
13:42 - 13:45

Okay. Thanks, everybody. Love
13:45 - 13:46

engaging with you, love
13:46 - 13:49

doing the show, and until next week,
13:49 - 13:50

stay secure.
13:50 - 14:00

[Music].

Title:: What is GRC in cybersecurity?
Description:: more » « less
Video Language:: English
Duration:: 14:00

	OEVIDEOS edited English subtitles for What is GRC in cybersecurity?
	OEVIDEOS edited English subtitles for What is GRC in cybersecurity?

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

What is GRC in cybersecurity?

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)