GRC’s role put simply
Security teams build trust with customers, regulators, and investors through externally audited industry standards. Without this, it’s just a case of “trust me bro” and self-attestation.
Security teams can hire all the engineers in the world to develop and implement world-class security tools and controls, but no regulator, customer, or investor really sees or understands the work at that level. External parties expect you to prove you’ve met an industry standard as the minimum bar by going through an independent audit.
Security Governance, Risk, & Compliance (GRC) is the critical function that showcases all the work Security has done to prove the minimum bar has been met. Embedding GRC program goals into the broader Security goals means the work the Security team has done can actually be recognized externally and build trust as intended. You might even improve your security and maturity along the way. 🙃
View this post and associated discussion on LinkedIn as well.