We’ve Been Fighting the Fire: Why Governance (Not Compliance) Should Light Security’s Way
In the information security world, GRC (Governance, Risk management, and Compliance) is often viewed as the unwelcome gatekeeper: the department that says “no” and creates obstacles rather than enabling progress. Even within the technical side of information security, GRC professionals are sometimes seen as checkbox-focused “jobsworths” who hinder rather than help.
But this perception misses a fundamental truth: these three elements are critical foundations for effective information security. The problem isn’t GRC itself, it’s that most organisations are implementing it backwards.
Key Takeaways
- Most organisations implement GRC backwards—prioritising Compliance over Governance—leading to ineffective security strategies.
- Governance should come first: setting clear, measurable security objectives aligned with business goals.
- Risk Management builds on Governance by prioritising threats based on organisational risk appetite and tolerance.
- Compliance should be the result—not the driver—of strong governance and risk processes, not a tick-box goal.
- A Governance-first approach enables proactive security, supports business innovation, and creates a more resilient security culture.
The Upside-Down World of Security Priorities
Currently, the majority of organisations approach GRC in reverse order, letting compliance drive their security decisions rather than starting with governance and risk management. It’s like building a house by starting with the roof instead of the foundation.
Organisations typically begin with Compliance, move to Risk management when they mature, and only consider Governance as an afterthought. This creates a backwards approach: CRG instead of GRC.
But why does this happen? And why does it matter?
The Compliance Trap
Compliance gets excessive attention for an obvious reason: it carries immediate consequences. Regulatory and legal fines create a compelling business case that’s easy to understand: “If we don’t implement these controls, we’ll face penalties.”
This approach strikes at the heart of what executives care about: revenue protection and shareholder value. The “if we don’t comply with XYZ, then fines and penalties will happen” mentality creates immediate action, but often for the wrong reasons.
Think of Tesco’s 2018 £16.4 million fine from the Financial Conduct Authority (FCA) following their 2016 cyberattack that compromised 40,000 customer accounts. While Tesco had many compliance controls in place, they failed to address the fundamental security vulnerabilities that allowed the attack to succeed. They were technically compliant but insufficiently secure.
Compliance is like the speed limit on a motorway. It tells you the legal requirement, but doesn’t necessarily represent the safest speed for all conditions. During heavy rain or fog, the posted limit might be dangerously fast despite being legally compliant.
Organisations fixated on compliance often implement just enough security to satisfy auditors without truly addressing their unique risk landscape. They’re legally driving the speed limit in a blizzard.
The Risk Management Evolution
As organisations mature, they typically begin to assess risks, though this depends heavily on organisational size and maturity. Smaller or less mature organisations understandably focus first on staying afloat. Their leadership concentrates on core business functions rather than security unless they happen to be security practitioners themselves.
But risk management is critical because it represents the intersection of vulnerability and threat. Without either of these elements, there is no risk.
British Airways’ 2018 data breach exposed 500,000 customers’ data and resulted in a £20 million fine from the Information Commissioner’s Office (ICO). The vulnerability existed in a third-party script on their payment page – a risk that wasn’t properly identified or managed, despite BA’s compliance with numerous regulations. Their risk management processes failed to detect this critical vulnerability in their customer payment journey.
Risk determines everything, not just in organisations, but in life. Think about walking down a street: you unconsciously assess your environment and take appropriate actions to minimise risks. During your commute, you’re performing constant risk assessments without even realising it.
When managing organisational risk, two factors are vital: risk tolerance and risk appetite. Tolerance represents how much risk an organisation can manage and accept, while appetite indicates how much risk they’re willing to accept.
Think of it like borrowing money from a friend. You ask to borrow £10, which they’re happy to lend (their appetite), but they would actually be comfortable lending you up to £20 if needed (their tolerance). Together, these two factors set the boundaries for acceptable risk.
Organisations that advance to this stage transform their approach from simple Compliance to Compliance and Risk Management (CR). This represents progress, but still misses a crucial element.
The Governance Afterthought
Most organisations incorporate aspects of governance during their compliance journey through policies, standards, and guidelines. However, many miss or misunderstand key aspects of governance, particularly around setting measurable security objectives.
The 2017 Equifax breach that exposed 147 million people’s personal data illustrates this perfectly. Despite having compliance controls and some risk management processes, Equifax lacked the governance framework to ensure that critical vulnerabilities were patched in a timely manner. Their security objectives weren’t clearly defined with specific metrics and deadlines, leading to confusion about priorities and accountability.
Security objectives should align with business goals, but without defining them with quantitative measures and deadlines, they become arbitrary and ineffective. What does “our goal is to be secure” actually mean, without metrics to measure success?
Without clear governance, security teams lose strategic direction, leading to misaligned priorities and wasted resources. This is where most security programmes falter. They’ve checked the compliance boxes and have some risk management processes, but lack the governance framework to tie everything together.
The Right Order: Governance First
GRC is written in this specific order for a reason. It represents the logical sequence for implementing an effective information security programme:
- Governance: Start by establishing the foundations that steer daily operations. Define clear objectives using the SMART methodology (Specific, Measurable, Achievable, Relevant, Time-bound). Create strategies to achieve these objectives, which then influence the policies, processes, and procedures implemented throughout the organisation.
- Risk Management: Once governance is established, assess potential risks and opportunities using a repeatable risk management process. This enables organisations to prioritise threats and allocate resources appropriately.
- Compliance: When governance and risk management are properly implemented, compliance with regulations and standards largely falls into place. At most, there may be some additional documentation required to satisfy auditors.
This approach transforms GRC from a reactive, checkbox-driven exercise into a strategic enabler that aligns with business objectives while effectively managing risk.
The Living Ecosystem of Modern Security
Consider the modern enterprise as a living ecosystem rather than a fortified castle. Each interaction, each user, and each connection represents both a potential vulnerability and an opportunity for resilience.
Look at Microsoft’s security transformation journey. After years of reactive security, they implemented a governance-first approach that established clear security objectives aligned with business goals. This shift resulted in Windows 10 having 40% fewer security vulnerabilities than Windows 7, despite operating in a more complex threat landscape. Their governance framework created alignment across the organisation that technical controls alone couldn’t achieve.
By starting with governance, organisations create a shared understanding of digital risk that resonates across all levels. Technology adoption consistently outpaces security awareness, which is why governance must establish the cultural foundation for security decisions.
Governance and risk management are the most important parts of the GRC triad. When an organisation applies appropriate governance and risk management, compliance naturally falls into place.
Beyond Compliance: Security as Enablement
Our industry’s challenge isn’t just implementing controls but creating security practices that enable rather than restrict business operations. Security must become a business enablement tool that makes it easier for people to complete their daily tasks.
Monzo Bank exemplifies this approach. Rather than focusing solely on compliance with financial regulations, they built security practices that enhance customer experience. Their governance prioritises both security and user experience, allowing customers to freeze cards instantly, report fraud through in-app chat, and set spending limits: all features that improve security while enhancing the customer experience.
Ideally, security should be largely invisible to non-technical users and reduce barriers employees encounter when accessing relevant information. This requires the strategic approach that proper GRC sequencing provides.
Rethinking Our Approach
Currently, most organisations let compliance requirements drive information security priorities and resource allocation. By shifting this perspective and focusing first on governance aligned with business objectives, then on managing relevant risks and opportunities, compliance requirements will “fall into place.”
Compliance frameworks and standards offer useful benchmarks and best practices, but they should never be seen as a finish line. They represent the minimum required, not the optimal security posture for your unique organisation.
The Path Forward
For security leaders looking to implement a more effective approach:
- Align security governance with business objectives using quantifiable metrics
- Develop a consistent, repeatable risk management methodology
- Use compliance requirements as guidelines rather than drivers
- Create security policies that enable rather than restrict business functions
- Recognise that cultural transformation is more critical than technical controls
By implementing GRC in its intended sequence, security becomes a strategic enabler rather than a necessary evil. The challenge isn’t just implementing controls but creating a shared understanding of digital risk that empowers everyone in the organisation to make security-conscious decisions.
A Call to Arms: Transform Security Through Proper GRC
The time has come for security professionals to challenge the backwards implementation of GRC that has become the industry norm. We must be courageous enough to shift the conversation from compliance checkboxes to strategic governance alignment.
As security leaders, we have a responsibility to:
- Educate executives about the limitations of compliance-driven security and showcase the business benefits of proper GRC sequencing
- Transform security culture from a department of “no” to a team that enables secure business innovation
- Measure what matters by creating governance metrics that align with business objectives rather than just compliance requirements
- Tell compelling stories that demonstrate how governance-first approaches have protected organisations and enhanced their competitive advantage
- Build communities of practice that share governance frameworks and success stories across organisations
The future of our industry depends on this transformation. We must move beyond the narrow constraints of compliance-driven security to embrace the full potential of strategic, business-aligned GRC.
Remember: frameworks and standards provide useful information that can serve as best practices and benchmarks, but they should never be seen as the ultimate goal. True security comes from a holistic approach that starts with governance, manages risk effectively, and views compliance as a natural outcome rather than the primary objective.
The future of information security depends on our ability to break free from the compliance-first mindset and embrace the true power of properly sequenced GRC. The time for this transformation is now. Will you lead it?
If you would like to speak to DigitalXRAID’s information security and compliance consultants about your own GRC goals or challenges, get in contact.
Drew Heron, Information Security Consultant at DigitalXRAID, is an experienced GRC Specialist, who excels in maintaining Information Security Management Systems (ISMS) and overseeing various cybersecurity governance and risk functions.