Curated list of resources for security Governance, Risk Management, Compliance and Audit professionals and enthusiasts (if they exist).
This is a list of resources for security GRC folks.
Each of you probably has a different title. Cyber Risk Managers, Security Compliance Program Managers, Business Information Security Officers, Head of the Department of No, etc.
This variety makes it more challenging to come together as a community, compared to software engineers, to organize knowledge and share information.
Our field is pretty new and has grown exponentially in the past five years.
We can work for SaaS companies (me! :bowtie:), financial services, healthcare, government, retail or a dozen other industries. Scope, budget, stakeholders and degrees of resentment can vary but some work activities are common to all of us (the resentment as well).
So the thought was, why not build a knowledge bank for GRC. I know it's a GitHub repo but that gives the endeavour some illusion of grandeur. I just thought content curation lists were amazing and that we should have one!
This is GitHub which means Pull Requests are more than welcome! Nothing here is gospel, definitions are often subject to debates and heated discussions on LinkedIn and everyone has a different opinion on G, R and C (hatred for C is probably the consensus IMHO).
Feel free to share your resources or add cooler emojis.
This might include expert puns and boomer jokes.
The security GRC field covers a lot of ground and includes a wide variety of tasks and responsibilities. Some of them will sound exciting, some will reignite painful memories.
Governance, as the name implies, focuses on how security is managed and overseen. This could include building the security strategy, managing the security programme and ensuring continuous monitoring of workstreams.
This would also be the area responsible for orchestration and metrics for your security programme. In other words, the always useful dashboard with 15 graphs and thousands of data points would be included in the governance efforts. Your policies and procedures are also part of Governance as they help shape your vision of security and detail what is expected from everyone.
Managing stakeholders is also central to Governance efforts: relationships with the different teams, managing upwards and delivering the right level of information to senior executives.
How do I know what the priority is for my security programme? Lock down end-user access or focus on patching? (probably both lol) The only way to make rational decisions regarding what to do is to perform risk assessments.
Risk is traditionally explained as a function of a threat and a vulnerability. Pretty simplistic (probably false as well) but it gets the job done:
A robust risk management program would also include some quantitative features to make sure senior management and business executives understand the financial costs associated with some of the identified risks. Nothing has to be too precise or too detailed: having numbers in the right ballpark and being able to evidence why you chose them is more than enough.
A risk management framework describes the vocabulary, tools and techniques for a coherent approach and ensures that all stakeholders are on the same page.
Enterprise frameworks identify any type of risk that could prevent the company from achieving its business objectives, while others focus on information security, cybersecurity and privacy protection.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps organizations improve internal control with the ERM Framework (2020).
FAIR (Factor Analysis of Information Risk) is a quantitative model for information security and operational risk.
ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks provides guidelines for managing the information security risks faced by organizations. These guidelines can be applied within an Information Security Management System (ISMS) as specified in ISO/IEC 27001, alongside the controls guidance in ISO/IEC 27002.
A technical committee named ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT.
ISO 31000 provides a common approach to managing any type of risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
The ISO 31000 risk management family includes ISO 31000:2018 Risk management — Guidelines, plus related documents, some of which are still under development.
A technical committee named ISO/TC 262 focuses on the development of standards in the field of risk management. Visit the Technical Committee's own website for more information.
The NIST Risk Management Framework provides a process that integrates security, privacy and risk management activities into the system development life cycle to meet the requirements of the Federal Information Security Modernization Act (FISMA).
Note that NIST Special Publication 800-53 Revision 5 describes the Security and Privacy Controls for Information Systems and Organizations, and Special Publication 800-53B describes the control baselines.
Related initiatives
The OCTAVE method was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University on behalf of the Department of Defense.
The Rapid Risk Assessment (RRA) methodology developed by Mozilla helps formalize risk decisions in 60 minutes.
Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cyber vulnerabilities and select countermeasures effective at mitigating those vulnerabilities. TARA is part of a MITRE portfolio of systems security engineering (SSE) practices.
riskquant is a Python library used for risk quantification. It can be used to do cool things like calculate annualized loss and generate loss exceedance curve charts.
You can use it to assess individual risks or even build automation to run the calculations and build charts for all risks where data are available. For example, you can set up a GitHub Action to pull risks from your GRC tool, run the calculations on that data, and put the results back into your GRC tool.
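To make the quantitative side concrete (the "numbers in the right ballpark" point above, and the annualized loss and loss exceedance curve that riskquant produces), here is an added example written for this list. It is not riskquant's code or API, and it uses only the Python standard library. Everything in it is an assumption for illustration: event frequency is modelled as Poisson, per-event loss as lognormal derived from a 90% confidence interval (the calibrated-estimate style of input FAIR-type models use), and the "one incident every two years, 50k to 1M" figures are constructed, not real data.

```python
"""Monte Carlo risk quantification with the standard library only.

Added example for this list, not riskquant's own code. Assumptions:
- yearly event count ~ Poisson(frequency_per_year)
- per-event loss ~ lognormal, parameterised from a 90% confidence interval
- all numbers in __main__ are constructed illustration values
"""
import math
import random
from statistics import mean

Z_90 = 1.6449  # +/- 1.645 standard deviations bound a two-sided 90% interval


def lognormal_params_from_ci(low, high):
    """Convert a 90% CI on per-event loss into lognormal (mu, sigma).

    The geometric midpoint of the interval becomes exp(mu); its width sets sigma.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z_90)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the low event rates GRC deals with."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(frequency_per_year, loss_low, loss_high, trials=20_000, seed=42):
    """Return one simulated total loss per trial year (a compound Poisson sample)."""
    rng = random.Random(seed)  # fixed seed so a rerun reproduces the same numbers
    mu, sigma = lognormal_params_from_ci(loss_low, loss_high)
    yearly = []
    for _ in range(trials):
        events = poisson(rng, frequency_per_year)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return yearly


def loss_exceedance_curve(yearly_losses, thresholds):
    """P(annual loss >= t) for each threshold t: the data behind an LEC chart."""
    n = len(yearly_losses)
    return [(t, sum(1 for x in yearly_losses if x >= t) / n) for t in thresholds]


def value_at_percentile(yearly_losses, pct):
    """Loss not exceeded in pct% of simulated years (pct=99 is a '1-in-100' year)."""
    ordered = sorted(yearly_losses)
    return ordered[min(len(ordered) - 1, int(len(ordered) * pct / 100))]


def quantify(frequency_per_year, loss_low, loss_high, thresholds, **kw):
    """Bundle the numbers a risk register row or dashboard would consume."""
    yearly = simulate_annual_losses(frequency_per_year, loss_low, loss_high, **kw)
    return {
        "ale": mean(yearly),  # annualized loss expectancy
        "p99": value_at_percentile(yearly, 99),
        "lec": loss_exceedance_curve(yearly, thresholds),
    }


if __name__ == "__main__":
    # Constructed illustration: a risk register entry estimated as
    # "about one incident every two years, costing 50k to 1M (90% CI)".
    result = quantify(0.5, 50_000, 1_000_000, [1, 100_000, 500_000, 1_000_000, 5_000_000])
    print(f"ALE: {result['ale']:,.0f}   1-in-100-year loss: {result['p99']:,.0f}")
    for threshold, prob in result["lec"]:
        print(f"P(annual loss >= {threshold:>9,}) = {prob:.1%}")
```

The output is what you would paste into the risk register or feed to the GRC tool: the ALE is the number executives compare against the cost of a control, while the exceedance curve answers "how likely is a year worse than X", which is the question the dashboard usually fails to answer. Keep the seed fixed so two runs of the same automation job do not produce two different registers.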
Once you know what your direction is and what to focus on, how do you know you're on track? There are two ways:
Often hated (often for good reasons), audit and compliance folks have to be annoying by nature. They assess how things you said you'd do are actually done in the real world. More often than not, things are either not done as they should or not done at all. Probably because no one has read the policies you took six months to write!
Well... There are a lot. Your organization likely uses some of these, but certainly not all. Executive leadership drives policy at a high level based on business objectives. Certain regulations are mandatory: for instance, the Sarbanes-Oxley Act (SOX) applies to US publicly traded companies, and the General Data Protection Regulation (GDPR) applies to any organisation processing the personal data of people in the EU. This is a non-exhaustive alphabet soup of frameworks and regulations:
On top of that, each country has specific cybersecurity regulations and standards that companies have to comply with. They can be specific to certain industries (critical infrastructure or financial services) or apply to every company. As our planet is made of a lot of countries, we won't list the specifics here; as is often the case, US standards are picked up in most of the world anyway!
Security Risk Management, Evan Wheeler, 2011
Measuring and Managing Information Risk, Jack Freund & Jack Jones, 2014
How to Measure Anything in Cybersecurity Risk, Douglas Hubbard & Richard Seiersen, 2016
Transformational Security Awareness, Perry Carpenter, 2019
Foundations of Information Security, Jason Andress, 2019
ISO 27001 controls – A guide to implementing and auditing, Bridget Kenyon, 2019
A Leader's Guide to Cybersecurity, Thomas J. Parenty and Jack J. Domet, 2019
The Cybersecurity Manager's Guide, Todd Barnum, 2021
A great foundational talk to understand how all the frameworks fit together:
I have a full playlist of over 80 videos focused on Risk Management and Cyber Risk Quantification; I will update it soon but it already has a lot.
:dvd: Everything written by Ryan McGeehan.
:bank: Everything written by Phil Venables.
:rotating_light: Everything from Adobe's Tech GRC Team.
:ticket: Everything from Atlassian's Risk & Compliance Team.
Troy Fine, GRC general knowledge and SOC focus.
AJ Yawn, GRC general knowledge and SOC focus.
Aron Lange, ISO 27001 focus.
Jacob Horne, NIST and CMMC focus.
Ayoub Fandi, GRC general knowledge and cloud-native GRC focus.
Security & Compliance Weekly - Hosted by Jeff Man, Scott Lyons and Josh Marpet
Risk, Governance and Cyber Compliance - Hosted by Dr. Bill Souza
The GRC Podcast - Hosted by Mark Graziano
Getting Over Our "Security ≠ Compliance" Obsession, CISO-Security Vendor Relationship Podcast - Featuring David Spark, Mike Johnson and special guest Chris Hymes (Head of Infosec, Riot Games)
Is Governance the Most Important Part of GRC?, Defense in Depth Podcast - Featuring David Spark, Allan Alford and special guest Mustapha Kebbeh (CISO, Brinks)
Should Risk Lead GRC?, Defense in Depth Podcast - Featuring David Spark, Allan Alford and special guest Marnie Wilking (Head of Security and Technology Risk Management, Wayfair)
IT Governance, CISO Tradecraft Podcast - Featuring G Mark Hardy and Ross Young
Cyber Frameworks, CISO Tradecraft Podcast - Featuring G Mark Hardy and Ross Young
Probably the only resource you'll need for certifications. Paul Jerimy has done an incredible job with input from lots of practitioners and experts in InfoSec. If one certification had to be mentioned, it would be the CISSP for obvious reasons (:heavy_dollar_sign::heavy_dollar_sign::heavy_dollar_sign:).
We are offered jobs but we have a career. We're the only ones accountable for our career path, and the best way to make the most of it is to continuously learn.
This section might seem out of place for a content curation repository but I'm passionate about this, sorry.
Security is a very young field and ours is even younger. Career pathways are still developing and no one actually knows the sure way to a GRC leadership role or a CISO position.
The only thing that's certain is that this is the best thing that could happen to us. We can build our own paths. The only way we do this is through learning. Our field is about understanding, managing and translating. We understand the technical side, manage security projects and translate business requirements into security terms.
If you're a jack-of-all-trades, love learning new things, being inquisitive but always having the business goals in mind, then it's the field for you. If you're not, it's probably the field for you anyway or you wouldn't be here!
Understanding the technical landscape.
How do we know GRC is being done at all? It is measured! Put simply, businesses collect and measure data to make decisions. GRC broadly ensures that the organisation operates within the risk "appetite" set by its decision makers.
Measurement can occur in many ways, though primarily GRC is concerned with audit.
Understanding the security measures.
Understanding the business language.
Business can be empowered by a strong, comprehensive and adaptive GRC foundation. GRC largely exists to support business objectives and the corresponding requirements, legal or otherwise.
Some regulations are compulsory to conduct business within a geographic area, such as Sarbanes-Oxley (SOX) for publicly traded US companies, while some requirements are set within an industry without governmental oversight (see the Payment Card Industry Data Security Standard (PCI DSS)).