The complexities and evolving nature of governance, risk and compliance (GRC) can make it seem like an insurmountable challenge. That’s why more and more small and medium-sized businesses (SMBs) are turning to MSSPs for help.
Often, this is based on a lack of understanding of key GRC components and some of the many ways an MSSP can streamline compliance.
The G in GRC
In terms of GRC, governance is thinking about what drives an organization and how your MSSP can use those drivers to develop or define a client’s GRC program.
These drivers can come from customers asking your client (or asking you) what is in place to manage and mitigate risk (think security or compliance questionnaires), or from specific government or regulatory mandates.
Governance is the first step in GRC. It’s a way to help your client get a handle on a GRC program and understand the people, processes and technologies they will need to get there.
As your client thinks about governance, help them look through a policy-making lens. Ask them:
- What are you doing that sets your compliance bar?
- What outcomes do you expect from people, processes and technology?
Your client’s governance plans should develop key policies that hold teams accountable for specific outcomes, such as a governance policy on employee awareness and training. This policy should specify clear processes to ensure employees understand the risk and how to mitigate it.
To ensure effective governance, consider using a framework that underpins and guides the program, along with controls that align and support key program areas.
If your client is pursuing DoD contracts, for example, it might be worth starting with NIST 800-171 then aligning with CMMC.
Or, if the customer doesn’t have those requirements, it might work well to align with the NIST Cybersecurity Framework (CSF) or CIS, depending on the specific needs of the organization. NIST CSF tends to be more focused on policy and program while CIS focuses more on controls.
After helping your client choose a framework, conduct an assessment of current levels of control, identify gaps and focus on areas for improvement.
With a GRC tool, you can help your client gain more visibility into what is needed to drive maturity. Depending on the stage of development, the program may be as immature as using pencil and paper or spreadsheets to track framework controls and compliance. However, the more mature the program becomes, coupled with the more frameworks used, the more difficult it will be to reach maturity without a GRC technology.
A SaaS-based GRC platform really shines here. It offers your customers often-unrealized benefits. For example, a GRC solution can help centralize and standardize processes and tasks instead of chasing people or paperwork to manually calculate performance.
A GRC platform can also make it easier to map controls and sub-controls across multiple frameworks simultaneously. For example, if the organization uses NIST 800-171 controls, a GRC platform can align the same controls with other select frameworks without duplicating work.
An advantage here? An updated control or sub-control in one framework is automatically updated in the others.
This saves time and eliminates duplicate work, which can ultimately lead to cost savings. It also offers a more holistic view of your entire security and compliance program, ultimately helping you manage multiple frameworks more effectively.
The ability to streamline mapping across multiple frameworks, especially in light of multiple regulatory requirements or customer requests, means you can quickly see where you stand and what you need to accomplish, and can then drill down to a granular level, down to sub-controls.
Understanding and simplifying risk mitigation
In terms of GRC, risk is not isolated from governance or compliance. All three work in tandem.
In terms of risk management, you need to understand your client’s risk universe. You can use spreadsheets to do this, but you need to view risk more holistically, such as how it relates to the people, procedures, and technologies used to mitigate risk. It all goes hand in hand, and a GRC platform can give you that visibility instantly and with greater precision.
For effective risk mitigation, your customers need a comprehensive view of their risks, risk types, technical controls for mitigation, as well as inherent and residual risks.
All organizations live with some acceptable level of risk. Once you know your customer’s inherent risks and develop a risk register, you and your customer will need to determine whether or not the residual risk is acceptable. From there, your customers can make better business decisions, such as:
- Do we want to invest in a specific mitigation technology?
- Do we need to conduct penetration testing?
- Should we invest in a specific type of vulnerability scan?
Risk management is a driving force in ensuring that adequate measures are in place to maintain operations and meet customer needs.
Here, a risk assessment is essential and a GRC platform makes it more manageable. A GRC solution can help capture risk down to a specific sub-control level. This goes beyond a compliance perspective to a programmatic level that could be more security-focused.
Allocating risk mitigation resources is likely to be a challenge for your clients, especially in terms of ensuring they have the right people, finances and technical resources. When you have all of your client’s risk identification in a single source of truth like a GRC platform, you get that holistic view. From there, you can see the most critical areas and then plan for appropriate resources.
Key Compliance Factors
For most organizations, there are four key factors to compliance:
- Government Regulations
Today, acquiring cyber insurance is a challenge. Therefore, we are seeing an increase in expectations of what that insurance is and who and what it will cover. Many vendors now require clearly defined security controls and may also require validation of those controls.
With these changes, your customers should expect to be subject to continuous audit monitoring, which brings with it a set of additional requirements and expectations, especially as the attack surface evolves.
While insurance mandates can be challenging, the reality is that vendors don’t ask for very different things from security executives: it’s the same information, just requested in different terms.
The more an organization embraces a holistic view, the more security controls will drive maturity and make it easier to meet the expectations of all key GRC drivers. This can help your client build endorsement and trust from key stakeholders. As a result, as an MSSP you may see increased opportunities to win more contracts, win new business and drive validation with customers by demonstrating that you are committed to protecting their data as well.
A GRC solution can help address all of these areas simultaneously. Harmonization will move this effort forward more efficiently.
Across the board, whether it’s governance, risk, or compliance, you’re likely to see a lot of synergies between challenges and driving forces. It depends on the company specifics. It’s all about a clear-cut approach, understanding the drivers, and being prepared to effectively address your customers’ security, risk, and compliance issues.
Those forces are ultimately your end game:
- Be able to answer.
- Be proactive.
- Mature beyond a responsive security and compliance state.
Guest blog courtesy of Apptega. See other Apptega guest blogs here. Regularly contributing guest blogs are part of the MSSP Alert sponsorship program.