Regulation drives care. Without significant penalties, some organisations would not prioritise security or risk management. However, regulation alone is not enough. Governance, Risk and Compliance (GRC) professionals need to communicate better how their work aligns with business goals and strive for more harmonised practices that reduce complexity and lead to better security outcomes.
The future of GRC lies not just in more sophisticated tools or stringent regulations but also in nurturing the human capital that connects these elements to create resilient, ethical, and successful organisations.
Context
At its core, GRC is about understanding and managing an organisation's external and internal environment. It involves assessing risks from technical, human, process, and regulatory perspectives based on geographical locations, stakeholders, and operational contexts.
Here's a breakdown of each component:
- Governance refers to the policies, roles, and structures that guide decisions and ensure alignment with the organisation's goals and ethical standards.
- Risk management involves identifying, assessing, and responding to potential threats that could disrupt operations, harm the business, or negatively impact stakeholders.
- Compliance ensures that the organisation adheres to legal regulations and industry standards.
In recent years, the field of Governance, Risk and Compliance has gained increasing prominence across industries. Organisations face mounting pressure to implement robust GRC practices to deal with complex regulatory landscapes, cyber security threats, and corporate social responsibility.
However, the complexity and growth rate of all the above often outpace the development of standardised frameworks, leaving practitioners to manage ambiguous territories.
According to a 2023 Thomson Reuters Risk & Compliance Survey Report, many compliance teams often lack the necessary personnel, resources, or specialised knowledge to effectively manage complex regulations and cyber security risks. Despite growing team sizes, they struggle with underfunding for technology and training. For example, another 2023 study from Coalfire found that 60% of surveyed GRC practitioners still managed compliance manually with spreadsheets.
To better understand the challenges organisations face, we turn to the knowledge and experience of Gaurav Vikash, Head of Security and Risk (APAC) at Axon, and Dan Haagman, CEO of Chaleit, both seasoned experts in the cyber security and risk management space. Together, they offer valuable insights into the current state of GRC and solutions for paving better practices.
Challenges
Overloaded regulatory environment
Organisations often face a "top-heavy" risk pyramid, where both internal stakeholders and regulators compete for attention. This can make it difficult for organisations to prioritise the most critical risks, as they feel pressure from multiple sides to address everything at once. The result can be a scattergun approach to compliance that consumes resources but doesn't necessarily reduce risk effectively.
Moreover, regulations themselves can pose challenges to businesses in some cases, especially in their early stages of implementation. When regulations are in their infancy, while well-intentioned, they can impede business operations through lack of clarity, limited industry support, and broad applicability.
For example, when The General Data Protection Regulation (GDPR) was first introduced, its requirements were often perceived as convoluted and difficult to understand. Gaurav emphasises that this complexity wasn't limited to large corporations but extended to even "mom-and-pop shops" trying to navigate the hundreds of pages of regulatory text.
What's more, as regulations multiply globally, businesses operating in multiple jurisdictions must comply with various, sometimes contradictory, regulations. This makes it hard for companies, especially multinational ones, to create consistent, secure systems without getting bogged down by differing requirements.
Organisational resistance
Observing how risk management is often suboptimal, Dan questions whether organisations and people inherently resist common-sense measures due to corporate pressures, greed, or urgency.
Gaurav explains that in many cases, decision-makers are driven by key performance indicators (KPIs), which may prioritise business outcomes over security outcomes.
He points out that many professionals feel insecure about driving meaningful agendas, fearing being perceived as misaligned with the organisational objectives. This insecurity can lead to an organisational culture where people continue on ineffective paths rather than pivoting strategies.
This cultural challenge is exacerbated by reward systems that often conflict with good governance practices. Many organisations reward employees for achieving business or financial outcomes, potentially at the cost of security or risk management capabilities. This misalignment can create tension between short-term business goals and long-term risk mitigation strategies.
The human element in GRC
One of the most significant challenges in GRC practice is the human factor.
Risk management decisions are often subjective, based on individual biases, education, and experiences. Additionally, leaders may not always be self-aware enough to recognise their own limitations, which can lead to poor decision-making.
Gaurav highlights the subjective and often inaccurate nature of qualitative risk management. This subjectivity stems from the diverse backgrounds, experiences, and perspectives of GRC practitioners. Two professionals with similar years of experience might approach the same risk scenario differently based on their unique "soak cycles" — the immersive experiences and opportunities they've had in various organisations.
The talent gap in GRC
The GRC talent market presents a paradoxical situation, Dan and Gaurav agree. On one hand, there's a high demand for experienced professionals. On the other, many talented individuals find themselves out of the job market for extended periods.
This situation arises from several factors:
- Financial constraints — Organisations may struggle to afford highly experienced professionals, especially in a suppressed global economy.
- Candidate caution — Experienced professionals are increasingly picky about potential employers, considering factors such as organisational culture, reputation, and commitment to ethical practices.
- Personal liability — According to the Thomson Reuters Risk & Compliance Survey Report cited above, 49% of respondents believe that compliance professionals will face greater personal liability in the coming years, with 13% predicting a significant increase. This increase makes candidates more cautious about the organisations they join.
- Unrealistic expectations — Many organisations seek candidates with extensive experience for entry-level positions, creating barriers for new entrants to the field.
This talent challenge requires an industry-wide reassessment of hiring practices, career development pathways, and the valuation of diverse experiences in GRC roles.
Complex vendor relationships
The complex relationship between GRC practitioners and vendors often involves a sense of caution due to the perceived repackaging of existing ideas or creative sales tactics, despite the potential value that vendors can bring.
The prevalence of third-party breaches exacerbates this caution. A Cyentia Institute and SecurityScorecard Research Report found that nearly all firms (98%) had partnered with a vendor that had experienced a data breach in the past two years.
It's no wonder that nearly 60% of senior decision-makers believe that third-party relationships pose the greatest corruption risk to their organisation, according to White & Case and KPMG. However, only 22% of organisations regularly audited their third parties, mostly when triggered by specific events.
For a better vendor-practitioner relationship, Dan and Gaurav advocate for a more collaborative approach. They suggest that honest, open conversations can lead to mutual learning and industry advancement, requiring transparency from both vendors and practitioners.
With that approach in mind, let's move on to solutions and more constructive approaches that can help mend some of the broken defences.
Solutions
Prioritising key risks through strategic GRC
Both Gaurav and Dan maintain that businesses need to focus on the most meaningful risks.
A crucial GRC aspect often overlooked is that not every risk needs to be fully addressed. Organisations must understand the point of diminishing returns, where the community or business expectations met and the security benefits gained start tapering off. Instead, they should prioritise the compliance and risk mitigation efforts that directly impact security maturity, business growth, or community trust.
With discernment and prioritisation, companies can start with the highest-priority risks and work their way down. It's not about eliminating all risks but about identifying and addressing the most impactful and meaningful ones within the constraints of limited resources.
This perspective shifts the focus from a checkbox compliance mentality to a more strategic, value-driven approach to risk management.
The "care factor" of regulation
While regulations can initially appear as threats or challenges, they evolve and improve through iterations, industry feedback, and the development of supporting ecosystems.
Though sometimes difficult to implement, regulations often drive positive change in the long run.
Gaurav highlights that regulations can instil a "care factor" in organisations, compelling them to prioritise security initiatives they otherwise may not find relevant. Regulations often serve as catalysts for improved practices, increased awareness, and more robust risk management strategies.
Moreover, regulatory convergence is beneficial because it reduces complexity for organisations operating in multiple jurisdictions. Simplifying regulations can reduce the burden on businesses while promoting better risk outcomes.
The experts advocate for a proactive approach to regulations, where organisations seek to understand their underlying intentions and leverage them as opportunities for improvement rather than viewing them solely as burdens.
Authenticity, vulnerability, and self-awareness in GRC
To address the inconsistencies in risk assessment, Dan and Gaurav advocate for more education and awareness among GRC professionals, including leaders.
They suggest fostering a culture of authenticity and vulnerability, where professionals feel safe introspecting, proposing changes to existing strategies, and prioritising long-term security over short-term gains.
By acknowledging that no one person has all the answers, organisations can create more collaborative environments that factor in multiple perspectives.
Bridging the experience gap
The experts argue for a more inclusive approach to talent acquisition and development in GRC.
They observe that the industry often creates unrealistic barriers, such as requiring extensive experience in other IT fields before allowing entry into cyber security roles. This approach deprives companies of fresh perspectives and the energy of young, ambitious professionals who are nonetheless skilled.
Dan and Gaurav suggest that individuals from nontraditional backgrounds, such as state emergency services or the airline industry, can bring valuable insights to risk conversations.
Drawing an analogy from cricket, Gaurav highlights how lowering age barriers for entry into professional sports has led to the discovery of exceptional talent. The GRC field could benefit from a similar openness to young, talented individuals who may lack traditional experience but have the drive and aptitude for the role.
Towards a more consistent GRC practice
Gaurav emphasises the need for more consistency in GRC practices across the industry. The current state of GRC is described as "democratised to the point of shambles", which can lead to disjointed, incoherent practices across organisations and industries.
Dan and Gaurav draw attention to the need to develop a more standardised body of knowledge and education in GRC. This doesn't mean eliminating diversity of thought but rather creating a common foundation upon which practitioners can build.
The industry can become more effective at addressing critical risks by becoming more consistent and predictable in how risks are identified, qualified, and managed.
Key takeaways
GRC should not be seen as a barrier to growth but rather as a framework that can help businesses manage risks while continuing to thrive.
Moving forward, organisations and industry leaders can take actions to manage and prioritise risks better, such as:
- Foster organisational cultures that encourage authenticity, learning from failures, and long-term thinking in risk management.
- Rethink talent acquisition and development strategies to welcome diverse perspectives and nurture young talent.
- Promote collaboration between practitioners, vendors, and other stakeholders in the GRC ecosystem.
- Work towards more consistent, standardised practices while maintaining room for diverse perspectives and innovative thinking.
As regulations shift and new risks emerge, adaptability and strategic thinking will ultimately determine the success of GRC initiatives.
At Chaleit, we believe that simple is not easy. Through genuine conversations and a focus on outcomes, we build long-term partnerships that put the "care factor" front and centre. Let's connect.
About the authors
Gaurav Vikash
Gaurav Vikash is a senior member of the Australian Computer Society, and an information technology leader with over 16 years of experience across diverse global organisations. Gaurav has held leadership positions at many large organisations, where he led major digital and cyber transformations.
Gaurav regularly speaks at and chairs key ICT events across the APAC region. He serves as a board advisor to some large organisations, driving advancements in cybersecurity and digital resilience. He actively mentors with NSW Cyber Business Exchange and Australian Women in Security Network (AWSN) to help develop the next generation of ICT professionals.
Gaurav holds an Engineering degree in Electronics and an MBA from Melbourne Business School. Combining deep technical expertise with strategic business acumen, he helps organisations effectively navigate technology and business challenges.
Beyond his professional life, Gaurav is committed to giving back to the community through his volunteer work with the SES.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Gaurav Vikash. Dan Haagman's views also reflect the official stance of Chaleit, while Gaurav Vikash's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.