GRC analysts have the responsibility of speaking about security from a business point. Their work is designed to help the organization, bolster its defenses, be in a place to quickly react and handle bad situations, and limit the number of negative consequences and impacts.
The GRC analyst fully operates within identify and protect section of the NIST cybersecurity framework. The work largely falls around these areas, compliance, and audit.
Oftentimes, before business partners, third parties, external entities, and government bodies engage in business with an organization, they will want to ask the organization what its current state of security is. What are they doing right? How are they protected from this or that? Are we compliant with HIPAA? Are we compliant with PCI DSS? The question is, are they compliant? Can they demonstrate compliance? Whatever it is, the GRC analyst is oftentimes the one that is tapped to help answer those questions.
Another really important piece of work that GRC analysts do is Security awareness. This has evolved quite significantly in the last couple of years. This basically involves communicating to the end-user population of a business, whether it’s frontline staff workers, whether it’s external staff before they’re allowed to get access to your network or your business, that they go through some type of training.
Another really important piece of work that GRC analysts do is Assessing risk. They are essentially responsible for managing risk for the organization regarding information security or cybersecurity. The questions people asked when they are doing risk work include: Are we at risk of this? Should we invest in security? How much should we invest in security?
Another really important piece of work that GRC analysts do is Governance. This is fairly straightforward. It encompasses writing policy, documenting procedures, and helping define standards. For example, if you think that the password length standard for your business should be eight characters long, and 12 characters long for administrators, and 25 characters long for service accounts, well, then those are your standards, and you have to define them. And the policies and procedures would support that. It’s developing the behaviors of the organization, and working with senior leaders and executives, to make sure that those policies, procedures, and standards are aligned with business objectives, and risk appetite.