
Why is GRC Underrated, and What Problems does NIST Cybersecurity Framework Solve?

Canadian Cybersecurity Network Live Event January 30 at Noon Eastern Time

Hey there, 👋

Did you vote in this grc-teamers Canadian Cybersecurity Network Discord poll, or are you curious to learn more about these topics?

If so, come join the live event stage on January 30 at noon Eastern Time, for great learning and networking. Here’s a link: https://discord.gg/USpFdMNa?event=1329036501237104662

I’ve added some material to guide our discussion below, but I’m also wide open to general questions about GRC before, during or after this event.

Can’t wait to see you there.

Steve


Why is GRC Awesome and Underrated?

When outsiders typically think of cybersecurity careers, they imagine hackers and technical wizards battling it out in cyberspace. It’s an intimidating image, especially for those coming from non-technical backgrounds. But what if I told you that your business skills could be the key to a successful career in cybersecurity?

When I pivoted from accounting to cybersecurity governance, risk and compliance (GRC), it felt like stepping into an entirely new world. But I soon realized two important things: first, that cybersecurity is fundamentally a business problem and, second, that it’s a team sport that benefits from diverse skills.

The cybersecurity industry is moving away from alchemy and toward chemistry, from wizardry to accounting. This is where the business skills of GRC team members can make a big impact. Those skills are essential to helping companies reliably achieve their business objectives while managing cyber risk.

Despite this, GRC often gets overlooked. It didn’t make the cut for a poster of the top 20 coolest cybersecurity jobs created by the SANS Institute, “the world’s largest cybersecurity research and training organization,” and it doesn’t have a spot in the Cyberseek.org career pathway tool.

But those are missed opportunities for SANS and CyberSeek. Here are six reasons why GRC is underrated and a great place to consider for a career:

First, GRC is revenue-enabling.

Security assurance work directly supports sales reps in the field and occasionally interfaces with customers. That’s where you want to be to understand customer needs, how your company can meet them, and how to make a business impact.

Second, GRC offers exposure working with top experts across all departments — the control owners.

That includes business operations, finance, legal, HR, privacy, security operations, architecture, engineering, product security and more. You get to learn about diverse topics ranging from revenue accounting to software development — both very technical, very complicated and very interesting to get a front-row seat to observe and understand.

Third, GRC gives you exposure to top management, which is a great opportunity.

Fourth, GRC immerses you in the business.

When you’re exposed to all the departments, you get to learn through immersion and practical application. Even if you want to specialize in something technical, it might be helpful to your career to rotate into GRC and then rotate out, because when you go into your specialty, you’ll bring with you that bigger picture perspective on how your function fits into the rest of the company.

Fifth, demand continues to ramp up for customer trust and assurance, due to digital transformation, the cost of cybercrime and the proliferation of flawed and complicated technology.

Sixth (my favourite): GRC is a great way to get your foot in the door in cybersecurity.

So how can you break into cybersecurity GRC from a non-technical background?

Consider these steps:

1. Adopt a continuous learning mindset

Cybersecurity evolves rapidly, so staying updated is crucial.

2. Get technical

While you don’t need to become a technical expert, having a basic understanding of technical concepts will help you communicate effectively with your technical colleagues.

3. Leverage business skills

Your understanding of business operations, risk management and how to apply decision making frameworks to business problems can help you bridge the communication gap between technical and business teams.

4. Pursue training and certifications

These can help you get past applicant tracking systems and demonstrate your commitment to the field.

Breaking into cybersecurity from a business background is not only possible, but valuable. So don’t be intimidated by the technical wizardry. Cybersecurity needs diverse skill sets to tackle its complex challenges. Whether you’re an accountant, a business analyst or come from another “non-technical” background, your transferable skills might be exactly what a cybersecurity team needs to succeed.

What Problems does NIST Cybersecurity Framework Solve?

Applicability of the Cybersecurity Framework 🌎️ 

Bottom line:

  1. Cybersecurity risk continues to increase, with no signs of slowing down

  2. Costs of cybersecurity risks continue to grow

Why? 🤔 

“The greatest threat that faces any of us today is the threat of complexity: Trillions of lines of code in billions of devices, with ubiquitous connectivity across the globe.”

(Dr. Ron Ross, Distinguished Fellow of NIST)

Characteristics of the Framework 📏

Voluntary Framework

“The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.” (NIST CSF 2.0)

Flexible, Adaptive

“The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.” (NIST CSF 2.0)

Focus on Risk Instead of Controls

“Organizations will continue to have unique risks — including different threats and vulnerabilities — and risk tolerances, as well as unique mission objectives and requirements. Thus, organizations’ approaches to managing risks and their implementations of the CSF will vary.” (NIST CSF 2.0)

Focus on Risk Instead of Compliance

  • While compliance with regulations and standards is important, an organization’s goal is first to reduce risk and to foster a risk-based mindset

  • From that point, compliance naturally follows

Facilitates Communication and Collaboration

“When implementing the CSF, managers will focus on how to achieve risk targets through common services, controls, and collaboration, as expressed in the Target Profile and improved through the actions being tracked in the action plan (e.g., risk register, risk detail report, POA&M).” (NIST CSF 2.0)

“Preparing to create and use Organizational Profiles involves gathering information about organizational priorities, resources, and risk direction from executives. Managers then collaborate with practitioners to communicate business needs and create risk-informed Organizational Profiles.” (NIST CSF 2.0)

  • The CSF provides a common language and structure for discussing cybersecurity risks, enabling different teams and departments to communicate effectively and align their efforts.

  • This fosters a culture of collaboration, ensuring that cybersecurity considerations are integrated into the organization’s operations rather than siloed in the security team.

Continually Improving and Evolving

Cyber Resilience 💪

Term: Cyber Resilience

Definition: An organization’s ability to withstand and adapt to cyber threats by implementing proactive measures, effectively responding to and recovering from cyber attacks or disruptions, and maintaining essential functions while minimizing damage. This encompasses a range of strategies, including robust security controls, regular vulnerability assessments, employee education on cybersecurity best practices, and the establishment of incident response plans.

So What?

  • Probably a better name than “Cybersecurity,” where “secure” seems narrowly PROTECT focused

  • Think both left and right of boom

  • “It’s not if, but when”

  • “There’s two types of organizations”

  • Be proactive to prevent or minimize the impact of cyber incidents

  • Also be able to quickly detect, isolate, restore and recover systems if and when a cyber incident occurs

Intended Audience & Purpose of CSF 👥

Critical Infrastructure ⚙️

Term: Critical Infrastructure

Definition: “Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these” (DHS)

So What: The Department of Homeland Security (DHS) lists 16 Critical Infrastructure sectors:

  1. Chemical - Organizations and companies that manufacture, store, use, and transport potentially dangerous chemicals used by other critical infrastructure sectors

  2. Commercial Facilities - Buildings, facilities, and spaces used for commercial purposes, including retail, entertainment, and hospitality

  3. Communications - Networks, systems, and assets involved in providing communication services, including broadcasting, telecommunications, and internet service providers

  4. Critical Manufacturing - Facilities and processes involved in the production of essential goods, such as metals, machinery, transportation equipment, and pharmaceuticals

  5. Dams - Structures, systems, and resources related to dam operations and water control, including hydroelectric power generation

  6. Defense Industrial Base - Companies and assets involved in the research, development, production, and maintenance of defense-related equipment, systems, and services

  7. Emergency Services - Agencies, organizations, and personnel responsible for emergency management, firefighting, medical services, and public safety

  8. Energy - Resources, systems, and infrastructure involved in the production, transmission, and distribution of energy, including electricity, oil, and natural gas

  9. Financial Services - Institutions and systems providing financial services, including banking, insurance, investment, and payment systems

  10. Food and Agriculture Sector - Facilities, systems, and resources related to the production, processing, and distribution of food, beverages, and agricultural products

  11. Government Facilities - Buildings, offices, and structures used by federal, state, local, tribal, and territorial governments for administrative and public services

  12. Healthcare and Public Health - Facilities, personnel, and networks involved in providing healthcare services, medical research, and public health support

  13. Information Technology - Systems, networks, and infrastructure used for information processing, storage, and communication, including software development and cybersecurity

  14. Nuclear Reactors, Materials, and Waste - Facilities, processes, and materials associated with nuclear power generation, research, and waste management

  15. Transportation Systems - Infrastructure, networks, and assets involved in the movement of people and goods, including aviation, maritime, rail, and road transportation

  16. Water and Wastewater Systems - Facilities, systems, and resources responsible for providing drinking water and managing wastewater treatment and disposal

Valuable beyond Critical Infrastructure

Non-Critical Verticals and CSF Benefits:

  • Retail - Protect their customers’ data, secure the company’s online transactions, and manage their supply chain vulnerabilities

  • Manufacturing - Address industrial control system security and intellectual property protection, and help secure product development

  • CSF is a series of best practices and guidelines and not a compliance standard that must be strictly adhered to

    • It can be scaled up or down

  • Only 32 pages long in version 2.0!

    • Concise and relatively quick to implement

  • BUT – official NIST documents tell you what to do, without telling you how to do it

    • That is why A/CCRF and A/CCRP are important to your career growth and progression

Purpose

CSF helps organizations:

  • Describe current cybersecurity posture

  • Describe target state for cybersecurity

  • Identify and prioritize opportunities for improvement

  • Assess progress toward the target state

  • Communicate among internal and external stakeholders
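To make the Current Profile, Target Profile, gap prioritization and progress assessment concrete, here is an added worked example (not code from NIST or from this blog). It models each profile as a score per CSF 2.0 outcome, computes a prioritized gap list weighted by executive risk direction, and measures how much of the original gap a later Current Profile has closed. The outcome identifiers are CSF 2.0 subcategory IDs; the 0-4 maturity scale, the priority weights and the sample scores are constructed for this illustration, since the CSF itself describes outcomes rather than scoring them.

```python
"""Current-vs-Target Organizational Profile gap analysis (added illustration).

Outcome IDs are CSF 2.0 subcategory identifiers. The 0-4 maturity scale,
the business-priority weights and all sample scores are constructed for
this example; the CSF does not prescribe a scoring scheme.
"""
from dataclasses import dataclass

# CSF 2.0 Functions, keyed by the prefix used in outcome identifiers
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed Current Profile: outcome ID -> maturity 0 (absent) .. 4 (optimized)
CURRENT = {"GV.OC-01": 2, "ID.AM-01": 1, "PR.AA-01": 2,
           "DE.CM-01": 1, "RS.MA-01": 2, "RC.RP-01": 0}

# Constructed Target Profile agreed with executives
TARGET = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 4,
          "DE.CM-01": 3, "RS.MA-01": 3, "RC.RP-01": 3}

# Constructed priority weights expressing executive risk direction
WEIGHTS = {"GV.OC-01": 1.0, "ID.AM-01": 1.5, "PR.AA-01": 2.0,
           "DE.CM-01": 1.5, "RS.MA-01": 1.0, "RC.RP-01": 2.0}


@dataclass(frozen=True)
class Gap:
    outcome: str
    function: str
    current: int
    target: int
    score: float  # weighted gap; larger means address first


def gap_analysis(current, target, weights):
    """Return outcomes where current < target, highest weighted gap first.

    An outcome missing from the Current Profile is treated as unimplemented
    (score 0) so that unmeasured outcomes surface instead of hiding.
    """
    gaps = []
    for outcome, tgt in target.items():
        cur = current.get(outcome, 0)
        if cur >= tgt:
            continue
        func = FUNCTIONS[outcome.split(".")[0]]
        score = weights.get(outcome, 1.0) * (tgt - cur)
        gaps.append(Gap(outcome, func, cur, tgt, score))
    # Sort by descending score; tie-break on the ID for a stable action plan
    return sorted(gaps, key=lambda g: (-g.score, g.outcome))


def progress(baseline, current, target):
    """Fraction (0.0..1.0) of the baseline's unweighted gap closed so far."""
    total = sum(max(target[o] - baseline.get(o, 0), 0) for o in target)
    if total == 0:
        return 1.0
    remaining = sum(max(target[o] - current.get(o, 0), 0) for o in target)
    return round(1 - remaining / total, 3)


if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, WEIGHTS):
        print(f"{g.outcome} ({g.function}): {g.current} -> {g.target}, priority {g.score}")
    # Constructed later Current Profile after two action-plan items were delivered
    later = dict(CURRENT, **{"RC.RP-01": 2, "PR.AA-01": 4})
    print("progress toward target:", progress(CURRENT, later, TARGET))
```

The ordering puts the Recover outcome first because it has both the widest gap and a high weight, which is the kind of prioritization discussion a GRC team brings to the action plan; the progress figure gives stakeholders one number to track between reassessments.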