Shostack + Friends Blog Archive

For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.

15 comments on "For Blog/Twitter Conversation: Can You Defend "GRC"?"

  • Mark C. Wallace says:

    In an effort to continue the discussion, I’ll argue that the claim is false.

    “Number of security incidents in the past six months” is useful, is not risk based, but is based on governance.

    Or “% of anomalies detected by internal monitoring over external monitoring”. Not risk based, based on compliance, and useful.

    Conversely “Number of risk assessments written” is not useful, nor is “Number of risk items examined”. (Of course I admit those are simply bad metrics, not bad risk).

    Well practiced risk is good. Well practiced compliance is good. Badly practiced, either of these can result in hair pulling.

  • dunsany says:

    I wish that C was subservient to risk. But when some auditor orders me to spend down a large part of my budget to control a minor risk (like database encryption), I don’t see how C and R are connected in anything other than perception. And telling me that my auditor doesn’t understand risk is a tautology.

  • alex says:

    Sweet. See I would say that

    “Number of security incidents in the past six months” and “% of anomalies detected by internal monitoring over external monitoring”

    are simply useful inasmuch as they help you understand how to manage your security program (risk management) moving forward.

    Also, I’ve purposefully kept myself ignorant of compliance requirements, but to me it really doesn’t feel like “% of anomalies detected by location” is required to be certified in any of the major compliance regulations that I’m aware of. Can you help me out on that one?

    Finally, I don’t think that # of risk assessments is something I’d measure on an ongoing basis as it would tend to be incentive to do meaningless work.

  • alex says:

    @dunsany – hey, your auditor doesn’t understand risk

    Really, I agree that in real world practice these days C is *the* driver. That’s why I advocate trying to change the compliance culture to serve our desire for more newschoolish risk management:

  • dunsany says:

    The fun part – remember that your company is one of my auditors. 🙂

    The piece that I think Vzn is missing is they do let me do “risk exceptions” and leave a lot of leeway for their pretty knowledgeable field auditors (hat tip, Jas) BUT, I’ve yet to see you guys ever ask to review my risk register. If I were doing an audit focused on risk, the two things I’d ask for would be a complete inventory of whatever was in scope (hw, sw, info) and the results of the last risk analysis. Vzn never asks for either of those things.

  • alex says:

    @dunsany – LOL, touché

  • dunsany says:

    I only bring it up because I want a better product from your guys. Having been an outside consultant & auditor for many years, it’s nice having a dual perspective and helping make the industry better.

  • Chris Hayes says:

    Sweet. First, give a reasonable definition / explanation of GRC; other than an acronym definition 🙂 I would submit it is defendable as long as the company’s (and maybe external auditor’s) expectations and / objectives are being met. Am I addressing my most significant risks, do I have a repeatable risk assessment / management process and do I have adequate governance? Also, GRC can account for more than just IT / Regulatory / Compliance risks (legal, regulatory, investment, etc.). ERM.

  • Chris Hayes says:

    Clarification. To answer the question that was posed: True – Depending on how a company – or a standard / regulatory body – defines GRC and a company’s ability to demonstrate its compliance with an interpretation of a definition. The challenge is determining what governance from a goodness perspective looks like. It will change depending on the stakeholder (consumers, business owner, CEO, board, etc.). Risk “tolerances” are different between stakeholders at various levels of the organization – so it is perfectly plausible that risk can be adequately managed through the eyes of one type of stakeholder and not be considered adequately managed by a different type of stakeholder. In today’s regulatory landscape – just the fact you are able to prove you are managing risk seems to be the differentiator between goodness and not-so-good (this assertion may have a legal / privacy bias to it).

  • Gautam says:

    I am not sure if I agree with your statement “A metric for Governance is only useful inasmuch as it describes an ability to manage risk”.
    In addition to Risk Management, Governance focus areas may be Strategic alignment, Value delivery, Resource and Performance management.
    Agreed that all of these areas are linked to each other and to Risk Management – but the whole is greater than the sum of the parts, right?
    Best Regards

  • Mark C. Wallace says:

    Despite my best efforts to disagree (in an attempt to spark dialogue), we’re going to wind up agreeing here.

    You state “are simply useful inasmuch as they help you understand how to manage your security program (risk management) moving forward.”

    The key here is the word “useful”. I could cite the controls that those metrics support – but in doing so, I’d be subverting the intent of compliance. And that’s the key of my argument – that compliance is one of a set of tools that can be used to move a program forward.

    (Interrupted at this point by operational needs)

  • Marty says:

    I’ll turn the conversation in another direction for others to comment/think about.

    Your Risk Management program/method/framework is incomplete unless it integrates Governance/Compliance.

    Unless Risk Management can show how an identified or intended level of G/C translates into a level of risk/risk mitigation to identified threats, it is not complete.

    My assertion is the problem really isn’t G/C. It is RM’s inability to bridge the G/C-Risk gap. Since we have done a poor job at translating how checkbox G/C efforts actually affect risk overall – we can’t place the onus on G/C.

  • jared pfost says:

    Great question. IMO, the term GRC was promoted heavily by software vendors and grew into a juggernaut. For IT security, G/C are features of a healthy risk management program. When I was able to define and defend my risk landscape, G/C were results of the process. Fortunately I had a supportive exec team who tired of being led around by C.

    Disclosure: I’m building an application to manage and prioritize enterprise IT sec risks.

  • Jeremy Wilde says:

    Compliance is something you have to do.
    Governance is something you ought to do well.
    Risk is a storytelling technique that is useful to a lot of people.

    Security is testing and then trust.
