The Wacky World of GRC

March 7, 2017 Douglas Barbin

Few areas of technology are as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance.

For some, maintaining a focus on the governance, risk management and compliance (GRC) landscape is data security nirvana, the epitome of an ideally balanced data strategy. For others, it’s a maddingly frustrating and impossible task where conflicting geographic rules and industry standards make strict compliance untenable and the attempt counter-productive. Just to make life interesting, it turns out that both these perspectives have a semblance of truth.

The most popular suggestion for GRC compliance is to focus on the intent of regulators and standards bodies – most of which base almost everything on security and privacy best practices – and not the letter of their edicts. Many regulators, auditors and assessors are much more forgiving when they see that someone truly is trying to deliver a safe and secure environment and avoiding the checkbox mentality approach. That said, “many” does not equal “all,” which is why data security in 2017 is not for the faint of heart.

To read the full whitepaper, along with my comments on the topic, you can download direct from SC Magazine.

About the Author

Douglas Barbin

Doug Barbin is a principal (co-owner) and firm-wide cybersecurity and compliance services leader where he spends most of his time developing, launching, managing, and adapting Schellman's attestation, compliance, and certification offerings. As such, he is privileged to work with many of the world's leading cloud computing, federal, FinTech, healthcare, AI, and security provider clients. Doug has more than 24 years’ experience and maintains multiple CPA licenses, along with CISSP, CIPP, ISO 27001 Lead Auditor, and QSA certifications. He is very active in industry organizations and regularly speaks and teaches on cloud security, AI, FedRAMP, and other compliance frameworks.

More Content by Douglas Barbin
Previous Article
Compliance as Code
Compliance as Code

Codifying Your Configuration Standards If you have already gone through a PCI DSS, SOC, HIPAA/H...

Next Article
“Keep It Simple” and Just Call Me SOC
“Keep It Simple” and Just Call Me SOC

SSAE 18. You have probably seen blog articles circulating about the "new change" to SSAE 18, in...


First Name
Error - something went wrong!