Brad Friedman

Building a Sustainable Governance, Risk and Compliance (GRC) Model

No one questions the business mandate to comply with Sarbanes-Oxley (SOX) controls. Organizations had no choice but to adhere to the new regulations. Yet more than two decades after the term “cybersecurity” was coined, many organizations still struggle with cybersecurity risk management: 88% do not believe their information security fully meets their needs.[1] Data breaches have become almost commonplace; in 2015, breaches in business, government and healthcare organizations reached near-record rates.[2]

So are criminals just getting smarter, or is it more likely that organizations are not allocating the proper resources to address these risks? Like the implementation of SOX controls, cybersecurity is an iterative exercise. To stop struggling to build a sustainable cybersecurity compliance program, organizations must develop more comprehensive governance, risk and compliance (GRC) models.

What is at risk?

For Customers – Organizations always include meeting customer expectations as a component of business strategy. It follows that the risk of losing that customer is also critical to the business. The impact of breaches on customers is rapidly evolving, and the risk is about more than customers’ credit card numbers. In fact, for most retailers there is little reason to store that data at all. The customer has minimal liability in the event of a breach and relatively minimal inconvenience: it is now extremely easy to have credit cards replaced, and issuers will always reverse illegitimate charges. The entire process is fairly painless and absolutely manageable. Private information such as Social Security Numbers, however, is another story. Once that information is stolen, it is stolen forever. Companies must understand the relative value of different types of information, and their impact on customers, in order to develop more effective solutions.

For the Company – Not all breaches bear the same risk, but they all have the potential to impact important company assets such as brand image, organizational reputation and finances. The court of public opinion will look at two specific areas: the organization’s due diligence in managing the risk before an incident, and its ability to communicate, react and support its customer base after an incident. These key indicators can only be addressed with a comprehensive GRC business strategy. Moving your business forward with GRC as a cornerstone will support growth and innovation while keeping risk in check.

Developing stronger GRC models

At WGroup, we believe a business-driven mandate surrounding GRC is essential. It has to be part of an enterprise business model in which organizations expand, improve and innovate in order to actively address cybersecurity risk. Cybersecurity needs to be part of your organization’s DNA, and companies should take the opportunity to transform their GRC efforts as they implement new projects.

There are several components that a GRC strategy model should include:

    – Commitment from top business leaders

    – Organizational alignment

    – People, Process, and Technology

    – Operational Enablement

The GRC function is not just about protecting the confidentiality of information; it needs to be a more holistic methodology. In addition to safeguarding the company’s assets with tools such as encryption, a robust security framework should be implemented.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework addresses not only protection, but other critical functions including:

    – Asset inventory, management, and governance

    – Data awareness, training, protection of data, policies and procedures

    – Anomaly detection and event management

    – Response planning, communication, analysis, and mitigation

    – Recovery plans, strategy, and lessons learned

IT security risks are real and growing. Companies need to understand new threats and how to take steps to manage them. By implementing more sustainable, comprehensive GRC models, organizations can significantly reduce the likelihood of a breach and lower their overall cybersecurity risk profile.

    [1] EY, Global Information Security Survey 2015

    [2] Identity Theft Resource Center (ITRC), data breach reports

Brad Friedman
Lead Principal

Brad Friedman brings over 30 years of IT experience with an established record of successfully developing, executing, and implementing IT strategies and tactical initiatives across all disciplines within the IT organization. He has specialized expertise within the healthcare, retail, manufacturing, and apparel industries, with significant concentration in IT infrastructure, sourcing, procurement, and financial management. Brad is passionate about transforming the operating model between IT and external vendors and has authored numerous white papers and blogs on the topic.
