05. Why is GRC Important?


If you examine most security breaches, you'll find a failure in the security controls and/or in the security GRC functions that could have identified concerns before the controls ultimately failed. That doesn't mean that every breach is the result of a failure. In some cases, breaches occur even though organizations made perfectly reasoned risk management decisions, installed controls correctly, and governed their controls effectively. In some cases, the smallest risk ends up being the cause of a breach, but these cases seem to be few and far between. In most cases, a control failure combined with multiple missed opportunities to remediate it causes the breach and makes it more extensive than necessary.

Take, for example, three of the most publicized breaches of all time: Target, Equifax, and the Office of Personnel Management. In each of these breaches, control failures occurred, but opportunities along the way for GRC professionals to remediate those failures were missed.

These are great examples of why Security GRC is so important. GRC can help identify issues before they become breaches or work to minimize the overall impact of a breach.