'Inside Security' with Justin Pagano (Director of Security Risk & Trust, Klaviyo)

Governance, Risk, and Compliance otherwise also known as GRC is a critical component of an organization's security framework, ensuring that security practices are robust, comprehensive, and aligned with business objectives. GRC encompasses the establishment of policies, procedures, and standards (i.e. Governance), the identification and mitigation of risks (i.e. Risk Management), and adherence to laws, regulations, and internal policies (i.e. Compliance).

The thing about GRC is that it's a process requiring constant attention, collaboration, and adaptation. This process is not static; it evolves as new threats emerge and as the organization's goals and regulatory landscapes change. Implementing GRC effectively demands an ongoing commitment to monitoring, evaluation, and continuous improvement. This involves not just setting up the initial policies and controls, but ensuring they remain effective and relevant over time.

Effective GRC work is closely intertwined with security operations and security engineering. It requires collaboration with all stakeholders, from IT teams, DevOps, SRE teams, software engineering teams to everyone else. These collaborations ensure that security controls are not only theoretically sound but practically implementable and maintainable.

In this edition, we feature Justin Pagano, Director of Security Risk and Trust at Klaviyo, who has built his career around the principles of effective GRC. We capture his valuable insights on GRC, its increasingly crucial role within the security landscape and how organizations can adapt GRC best practices to meet the challenges of today's dynamic security environment.

GRC as a Function Within Security

GRC is like the seatbelt of an organization’s security car — essential, often overlooked, but you'll be glad it’s there when things get bumpy.

Before we dive into all things GRC, let's take a step back and look at what each of these terms mean:

• Governance establishes policies, procedures, and standards that align with organizational objectives and regulatory requirements, defining the overall security strategy.
• Risk management identifies, assesses, and mitigates risks, including security threats and operational risks, to proactively address vulnerabilities and reduce incidents.
• Compliance ensures adherence to relevant laws, regulations, and internal policies through regular audits, assessments, and reporting, promptly correcting any deviations.

Together, these elements form a cohesive framework that not only protects the organization but also supports its strategic goals. GRC functions as the first line of defense in an organization's security framework, embodying frontline defensive security thinking and practices. It ensures that security controls are not only implemented but also continuously monitored and evaluated for effectiveness.

Just like an orchestra needs a conductor, musicians, and a well-coordinated effort to create harmonious music, GRC requires governance, risk management, and compliance working in unison to ensure the organization runs smoothly and securely. Governance sets the direction like a conductor, risk management identifies and mitigates issues like musicians tuning their instruments, and compliance ensures everyone follows the score, creating a cohesive and effective security strategy.

However, GRC is often perceived as less critical within the security domain for several reasons. One of the most common, frequently mentioned in conversations with practitioners, is its historical roots in the accounting profession, which has traditionally led to a focus on compliance and auditing rather than proactive threat management.

Problems with Traditional GRC

Roots in Accounting

Historically, GRC practices have been shaped by the accounting profession, particularly through frameworks like SOC 1, SOC 2, and SOC 3 reports developed by the American Institute of Certified Professional Accountants (AICPA). The influence of accounting on GRC has led to some practices that may now be considered outdated or overly rigid.

Much of GRC thinking, philosophy, and culture have been heavily influenced by the field of accounting, which, while valuable in ensuring the integrity of transactions, may not be fully aligned with the dynamic and technology-driven nature of today's business environment. In addition to that, there's a lot of bias in thinking and behavior that stems from the traditional accounting culture embedded in GRC. This bias is something we need to overcome because it often holds us back and fails to provide the value it once did. There are more effective ways to achieve better outcomes.

The emphasis was on documentation, audits, and static controls, for example the common requirement to provide screenshots as proof that a control has been operating effectively over the past six months, which, while important, does not fully address the dynamic and evolving nature of modern threats. Consequently, GRC was often perceived as bureaucratic and inflexible, lagging behind more agile and proactive security functions.

Justin also points out that this approach delays feedback and doesn't address the dynamic nature of modern risks.

To overcome a few of these limitations, GRC needs to embrace real-time monitoring through APIs, ensure data integrity with advanced security measures, focus on continuous improvement, adopt a holistic view of risk management, and foster a cultural shift towards modern, technology-driven methodologies. This will enhance the effectiveness and value of GRC practices in today's fast-paced business environment.

Siloed Nature of Security Roles

Traditionally, GRC has been seen as a compliance-driven function, primarily focused on ensuring that organizations adhere to regulatory requirements and internal policies. This perspective often resulted in a siloed approach, where GRC was treated as a checkbox exercise rather than an integral part of the overall security strategy.

It's clear that an inside-out thinking approach has artificially constrained GRC into a narrow, vertical focus on policy, standard compliance, and audits. This perspective often overlaps with the goals of various security teams internally. Our policies and standards shouldn't be generic documents downloaded from the SANS Institute, customized to state what we shall do and must do with best practices. Instead, there should be a direct, one-to-one relationship between the standards we document and the technical controls we implement.

This shift necessitates a cultural change towards greater collaboration and a thorough understanding of the significance of each policy and standard.

Standards should be specific, measurable, and clearly communicated to everyone responsible for their implementation. The security teams must go beyond mandating practices as best practices; they need to articulate why these standards are important and how they enhance the organization's overall security and risk management objectives.

Shifting GRC to an Evidence-Based, Threat-Driven Approach

Another major issues with GRC is that it often lacks an evidence-based or threat-driven approach. Policies and standards are typically established without a clear understanding of the specific problems they aim to solve.

Justin reiterates that to be effective, GRC should focus on identifying and addressing real threats. With a thorough understanding of the problem, better solutions can be devised that gain easier buy-in from all stakeholders, thereby reducing friction between security teams and partner teams.

Smart engineers often push back against security processes, perceiving them as backward or regressive, even when they are beneficial. The absence of a clear, rational explanation for security measures leads to resistance, as people prefer building value-adding features over spending time on security tasks. By clearly communicating the rationale behind security actions, GRC teams can better facilitate cross-functional alignment and drive change.

As threats evolve and regulations become more stringent, the need for a more integrated, evidence-based approach to GRC has never been more apparent.

What Effective GRC Should Look Like

While each component of GRC is important on its own, the true effectiveness of GRC comes from the synergy between governance, risk management, and compliance.

Justin explains how these integrate at a high level:

1. Integrated Framework: An integrated GRC framework ensures that governance policies guide risk management and compliance efforts. For instance, a governance policy on data privacy will influence both the risk management strategies for protecting data and the compliance measures to adhere to data protection regulations.
2. Cross-Functional Collaboration: Effective GRC requires collaboration across various departments, not just traditional IT, finance, legal, and operations but also buy-ins from siloed security teams. Recognizing the incentives that drive people's behavior helps in fostering buy-ins and smoother adoption of new practices.
3. Culture of Integrity and Resilience: Ultimately, effective GRC fosters a culture of integrity and resilience. Employees at all levels understand the importance of governance, actively engage in risk management, and comply with regulations not out of obligation but out of a commitment to the organization’s values and objectives.

GRC is multifaceted, encompassing not only technical aspects but also organizational engineering, positive social engineering, and influence engineering. It's about understanding and influencing organizational behavior to drive change. When implementing new policies, standards, or control monitoring processes that require additional effort, it's crucial to recognize the underlying motivations and incentives that drive people's behavior. Without this understanding, efforts to introduce changes may be met with resistance, as people may not see the value in doing additional work. Effective GRC requires a strategic approach to align organizational goals with individual incentives, ensuring smoother adoption of new practices and controls.

Effective GRC is not about ticking boxes; it’s about creating a robust framework that integrates governance, risk management, and compliance into the very fabric of an organization.

The Future: GRC Engineering & Automation

Over the past couple of years, a new buzz has been in the air, centered around a transformative shift in GRC known as GRC engineering.

GRC engineering integrates GRC with advanced engineering principles to enhance the effectiveness and efficiency of security practices. This approach leverages automation, real-time monitoring, and data-driven methodologies to ensure that GRC activities are proactive, dynamic, and seamlessly integrated into the overall security framework of an organization.

Much like how DevSecOps revolutionized traditional application and product security, GRC engineering is now at the forefront of innovation, driving significant changes in how organizations manage risk and ensure compliance.

To understand the impact of this shift in GRC, it's essential to reflect on the DevSecOps movement.

DevSecOps seamlessly integrated security into the DevOps pipeline, making security a continuous and integral part of the software development lifecycle. This approach broke down silos, encouraged collaboration, and ensured that security was not an afterthought but a fundamental aspect of development from the very beginning. As a result, DevSecOps improved security outcomes, reduced vulnerabilities, and accelerated the delivery of secure products.

Similarly, Justin believes GRC is now set to transform traditional approaches, especially as engineering and automation become more prevalent.

A significant aspect of my current mindset revolves around the use of automation for GRC use cases and how the industry is organically redefining GRC in various ways. This evolving perspective challenges conventional thinking in the GRC world and resonates with my past experiences, particularly around root cause analysis and unfolding deeper issues. The traditional methods of security risk management often fall short. So, what does it really mean for GRC to be effective in all its components—the G, R, and C? It means leveraging the tools of today (and tomorrow), say AI, automation and engineering concepts to create a more proactive and responsive GRC framework, where real-time monitoring and data-driven insights guide our actions.

Justin has also written think pieces on GRC engineering which you can read here.

Conclusion

GRC is on the brink of a significant transformation, driven by the integration of AI, automation, and advanced engineering principles. This evolution is not only enhancing the efficiency and effectiveness of GRC practices but also redefining its role within the larger security framework.

At the forefront of this revolution are thought leaders like Justin Pagano, who are restructuring and reimagining what GRC can be. By leveraging new-age tech, they are turning GRC into a proactive, dynamic, and integral part of security operations. This new approach moves away from traditional, compliance-driven methods to a more engaging and impactful function.

We think this shift will make GRC an exciting field that attracts top talent and drives forward-thinking strategies, ultimately contributing to a stronger, more resilient organizational security posture.

To connect with Justin, you can reach out to him via his LinkedIn.