CISO Diaries


How CISO roles have evolved with GRC

As cyberattacks become a top-of-mind concern, CISOs are having to step up their C-suite presence, prepare for strict reporting requirements, and deal with rising stakes.

Howard Poston, Jul 24, 2024

CISOs wear many hats, including managing the company’s cybersecurity-related Governance, Risk, and Compliance (GRC) program.

However, as cybersecurity and data protection laws and regulations grow more numerous and prescriptive, CISOs are increasingly called on to act as GRC experts in addition to offering their critical security knowledge and business acumen.


How has the role of a CISO evolved?

The role of the CISO has always been to act as the head of an organization’s cybersecurity program. This involves protecting it against potential cyberattacks while maintaining compliance with the requirements of cybersecurity-related regulations, such as PCI DSS, GDPR, HIPAA, and others.

The high-level job description of a CISO has remained relatively constant, but it has changed significantly in the details, even over the last few years. Some of the more significant trends include:

  • C-suite presence: Historically, CISOs often reported to the CIO or head of IT, reflecting their role as one part of the “technology” side of the business. More recently, CISOs are reporting directly to the CEO as cyberattacks become a top-of-mind concern. In fact, nearly half of CISOs now report directly to the CEO.

  • Compliance creep: CISOs have always been required to maintain compliance with regulatory requirements, and these responsibilities are expanding over time. When the EU enacted GDPR, it kicked off a wave of data protection laws. Meanwhile, new technologies such as artificial intelligence (AI) have driven the creation of many new laws and standards governing security.

  • Prescriptive requirements: As data privacy laws evolve, they increasingly include requirements that mandate that a CISO implement certain security solutions or capabilities. For example, the SEC ruling on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies and the EU’s NIS2 law created new breach reporting deadlines (four days and 24 hours, respectively) that require CISOs to have certain incident response plans and capabilities in place.

  • Rising stakes: The growth of regulations also comes with higher stakes for non-compliance and security incidents. While many penalties for data breaches amount to a slap on the wrist, new regulations are expanding enforcement powers and maximum allowable penalties. For example, NIS2, which goes into full effect in Europe later this year, allows executives to be held personally responsible for gross negligence and takes a “name and shame” approach to incentivizing compliance.

How can GRC and cybersecurity work together?

GRC makes up only a fraction of a CISO’s duties. And cybersecurity regulations are only one aspect of a corporate compliance program. Collaboration between the two functions offers significant benefits for both.

The GRC function is all about protecting data and systems, which falls squarely within the CISO’s wheelhouse. If a CISO does their job well—implementing strong cyber defenses, preventing breaches, and maintaining full visibility into what’s going on in their systems—then cybersecurity GRC becomes easier.

A GRC program also supports CISOs who are asking themselves questions like:

  • What do I need to do to secure my systems?

  • How do I demonstrate value and ROI to the business?

  • Is purchasing X worth the money?

  • How do we improve?

As cybersecurity regulations become more numerous and prescriptive, they also lay out a roadmap for how an organization can architect its cybersecurity program.

If a regulation requires a firewall, then the business needs a firewall. If the company needs to be able to prove that its data hasn’t been breached, then the CISO needs to know:

  • What data they have.

  • Its classification level.

  • How it’s protected.

  • And who has accessed it.

That said, taking a check-the-box approach to cybersecurity compliance is a bad idea: cybersecurity regulations define the minimum acceptable level of security, so they often lag behind the technology. There is also an increasing number of regulations, so the checklist keeps growing.

However, the CISO can get ahead of the regulations by following some of the great cybersecurity standards out there, such as the NIST CSF 2.0. These frameworks lay out the structure of a cybersecurity program, metrics for evaluation, and a path to strong security.

Building around a framework like NIST and mapping its controls to various regulations creates a secure, sustainable cybersecurity program. Doing this also requires the help of GRC.

How GRC supports CISOs

Benefits for CISOs aligned with GRC

CISOs and GRC programs have complementary skill sets and overlapping priorities. A CISO who prioritizes compliance and works to maintain a close relationship with their GRC teams can reap various benefits, including:

Enterprise-wide alignment

CISOs are responsible for the cybersecurity aspect of GRC, but this is only a portion of an organization’s regulatory responsibilities. Working to align the CISO's responsibilities with GRC provides CISOs with access to more resources and support and makes the GRC portion of their job easier.

Streamlined compliance management

Whether they like it or not, CISOs will need to generate compliance reports and undergo regular audits for various regulations. Maintaining a tight partnership with their GRC teams helps ensure that they’re ready for these and can help eliminate last-minute scrambling or potentially failing an audit.

Improved security posture

The goal of data protection regulations and other cybersecurity laws is to prevent data breaches and other security incidents. While regulations outline minimum security requirements, they offer a solid foundation and guidelines for improving a corporate cybersecurity program.

Improving cybersecurity and GRC with HTB

Achieving and maintaining compliance with a patchwork of regulatory requirements poses a significant challenge for CISOs. One vital aspect of this is verifying that existing security controls and processes both meet regulatory requirements and effectively protect the business against data breaches and other cyber threats.

HTB offers enterprises the tools they need to build core skills and effectively test their cybersecurity and compliance programs. For example, the DFIR labs for incident response provide valuable skills training for blue teams looking to meet strict new incident reporting deadlines.

Choose HTB to boost your cyber performance

  • Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.

  • Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out.

  • Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture.

  • Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas.

  • Boost organizational awareness: HTB can assess cyber readiness and performance company-wide with effective practices like tabletop exercises (TTXs) or nearly practical assessments designed for security staff and non-technical teams.
