Navigating the Complex Web of GRC and Privacy in Cybersecurity: Insights from 6 Experts

The intricate world of cybersecurity with insights from 6 CISOs, mastering GRC, privacy, and threat management

Cybersecurity is an intricately woven web of several threads, including governance, risk management, and compliance (GRC), vendor relations, and data privacy. If any one of these areas falters, the whole structure can fall apart.

A seemingly minor oversight, like missing a software update or a vendor accidentally opening a harmful email, can jeopardize IT systems, setting off a chain reaction of cyber attacks that threaten to bring down your entire network and damage your company's reputation.

It falls upon the shoulders of the CISO to navigate this delicate situation. Luckily, others are walking this path, too.

This piece offers insights from industry experts, focusing on managing human vulnerabilities, compliance, and vendor risks. It breaks down key elements, showing their evolution and interconnection, and provides strategies to help you align security with organizational goals. 

Using this knowledge, you’ll feel empowered to navigate this complex web with confidence and foresight.

Governance: Robyn Marsi’s GRC Priorities

Robyn Marsi, Senior Director of Risk & Technology Services at Lynx, imparts crucial guidance for CISOs. Her approach, emphasizing the seamless integration of governance with business operations, aims to fortify cybersecurity, compliance, and organizational resilience.

Marsi's key priorities offer a strategic roadmap:

1. Think business-first: CISOs should embrace a more executive role, maintaining a close relationship with organizational leaders and aligning security strategies with business goals.

2. Categorize risks based on business criticality: Regular risk assessments and stakeholder analyses are key for prioritizing risks and tailoring cybersecurity defenses.

3. Craft an adaptable risk management blueprint: Following risk identification and prioritization, CISOs must develop strategic plans to minimize the impact of potential vulnerabilities, integrating short-term and long-term tactics.

4. Stay updated with worldwide compliance standards: CISOs must monitor global compliance standards to ensure their company’s cybersecurity practices align with international regulations, minimizing legal risks and maintaining trust with partners and customers.

5. Prioritize ESG: Integrating Environmental, Social, and Governance (ESG) factors into risk management – and transparently reporting on sustainability – is crucial. These aspects heavily influence public opinion, meaning CISOs need to consider them.

6. Lean on experts: Many companies are adopting Governance, Risk, and Compliance as a Service (GRCaaS) to meet compliance cost-effectively, leveraging expert resources and proven technologies for peace of mind.

Executing Marsi’s priorities reinforces CISOs’ governance practices and ensures leaders take a proactive approach to protection against current and future threats, steering companies towards secure and sustainable growth.

Where It’s Headed: The Future of Cybersecurity Governance 

Robyn Marsi's emphasis on adopting a "business-first" mindset means that CISOs should align security strategies with broader strategic objectives, integrating cybersecurity into the fabric of organizations.

Crafting adaptable risk management blueprints will likely become more data-driven, with AI and machine learning predicting emerging threats. Staying updated on global compliance standards will extend to new regulations, like AI ethics standards, reflecting the evolving digital landscape.

In essence, the future of cybersecurity governance is about enhancing strategic alignment, harnessing technology and external experts for proactive risk management, and staying ahead of emerging compliance requirements.

Risk Management: Chris Lehman on Human Vulnerability

In this section, we turn our attention to the insights of Chris Lehman, CEO of SafeGuard Cyber, who emphasizes the crucial aspect of human vulnerability in cybersecurity.

82% of cyberattacks target human factors, emphasizing the need for a shift from purely technical defenses to strategies that include employee awareness and behavior.

Lehman advocates for a balanced approach, focusing on both technology and people. 

But, despite the risks associated with human factors, organizations often prioritize securing their infrastructures, overlooking the complexities of human-related security.

The recent social engineering attack on Uber exemplifies this. An attacker, posing as an IT staff member via WhatsApp, tricked an employee into sharing their login credentials, gaining access to critical systems, including Uber's source code and internal comms. 

This incident underscores the need for comprehensive employee education on cybersecurity risks, extending beyond the cybersecurity team to all departments.


Lehman's holistic strategy stresses the importance of understanding and mitigating risks associated with human behavior in cybersecurity. This approach fortifies the organization's internal defenses, ensuring a more resilient cyber environment.

Where It’s Headed: Human-Centric Cybersecurity and the Evolving Role of CISOs

Chris Lehman points towards a future where CISOs will increasingly take a holistic approach to risk management. This evolution will see CISOs developing strategies that extend beyond technical defenses, integrating employee behavior and awareness into cybersecurity protocols.

For instance, in a remote working scenario, CISOs can implement AI-driven training programs to educate employees on cyber threats and use data analytics to tailor these programs based on individual susceptibility patterns.

Also, expect the future role of CISOs to involve closer collaboration with HR departments to embed cybersecurity awareness into organizational cultures. 

This integration could involve continuous learning modules for all employees, reinforcing the idea that cybersecurity is a shared responsibility. Specialized roles within cybersecurity teams focused on human behavior analysis may also emerge.

Compliance: Kevin Coppins on the Limitations of Check-Box Security 

Kevin Coppins, President and CEO of Spirion, brings a crucial point to the table in cybersecurity discussions: Compliance doesn't automatically guarantee security. 

Coppins uses a helpful analogy here to illustrate this:

High school students have to place their physical examination forms in an envelope outside the gym teacher’s office. The envelope is marked “Confidential” and has a wrap-around tie securing its contents. From a compliance perspective, this container checks all of the boxes: It’s clearly classified with a measure of security associated with it. 

But is it actually secure? 

No, says Coppins. Someone could rip it off the wall and steal hundreds of students’ private information. 

In other words, checking off compliance boxes is important, but it's not enough. It's like having a state-of-the-art alarm system but leaving your back door unlocked. 

Look at what happened with Duolingo. They experienced a data breach affecting 2.6 million users, where sensitive details ended up on a hacker forum due to an API vulnerability.


True cybersecurity is about understanding all the nuances of your security landscape and going the extra mile to ensure every potential entry point is secure.

Where It’s Headed: Advancing Cybersecurity Beyond Standard Compliance 

Kevin Coppins' approach steers the focus towards a nuanced approach that balances compliance with in-depth risk management and proactive governance. 

In practice, this means going beyond the basics – e.g., encrypting data to meet compliance standards and then also implementing advanced threat detection systems. 

For example, a financial institution, while compliant with industry regulations, chooses to employ AI-driven behavioral analysis to preemptively identify and thwart unusual transaction patterns, going beyond what’s legally required.

This proactive, future-oriented approach also encourages collaboration across various departments, integrating insights from legal, marketing, and sales into cybersecurity strategies. 

Vendor Risk: Erik Decker on Proactive Strategies in Cybersecurity

Erik Decker, CISO at the University of Chicago Medicine, emphasizes the need for healthcare organizations to manage the security risks posed by vendors, especially in light of major data breaches. 

He advocates for:

  • Rigorous third-party risk assessments to understand the security practices of vendors and the types of shared data
  • Vendor contracts that include detailed terms about data management and connectivity protocols

By evaluating vendors' security setups and improving contracts, organizations can set strict compliance standards, identify vulnerabilities early, and incentivize vendors to uphold higher cybersecurity measures.

Third-party risk assessments have far-reaching implications because they affect various departments, including sales, marketing, legal, and the C-suite. 

For example, if the sales department rushes a contract and then the vendor experiences a security breach, legal consequences arise for the organization. Reputational damage can impact brand trust and customer relationships – and necessitate a response from the C-suite to manage the crisis and return to compliance. 

Hence, comprehensive third-party risk assessments are pivotal in safeguarding not only cybersecurity but also an organization's legal standing, reputation, and governance standards.

Where It’s Headed: Evolving Cybersecurity with Advanced Third-Party Risk Management

Erik Decker's emphasis on rigorous third-party risk assessments sets a precedent for the future of risk management and broader GRC aspects. 

Tools like Vendict's vendor security assessment questionnaire, which lets vendors answer detailed questions about their security and management procedures, are pivotal in this evolution. Such technology will empower organizations to understand and continuously monitor vendor risks. 

This approach will become more prevalent as organizations recognize the need for dynamic, comprehensive evaluations of third-party interactions to safeguard against evolving cyber threats.

A specific area where this evolution is evident is the integration of AI in risk assessment processes. AI can play a significant role in third-party risk management by automating the analysis of vendor security postures, streamlining the evaluation of large amounts of data, and providing predictive insights about vulnerabilities. 

However, the incorporation of AI also introduces new complexities. As AI systems reshape cybersecurity, they can themselves become conduits for cyber threats.

In the future, we can also expect more detailed vendor contracts and clearer liability terms to become the norm, creating a legally robust framework for vendor management.

Privacy: Charles Brooks on Zero Trust in High Turnover Scenarios

In 2021, cybersecurity teams faced significant challenges with employee retention – average security staff turnover rate hit 20% in the US, with 64% of companies observing a rise in turnover. Contributing factors included skill shortages and burnout, exacerbated by the pandemic and rising cybercrime. 

So how can organizations maintain data privacy in this high-turnover environment? 

According to Charles Brooks, Adjunct Professor at Georgetown University’s graduate Cybersecurity Programs, it’s all about zero trust.

The zero trust strategy enhances data privacy protection by adopting a “never trust, always verify” approach, guaranteeing strict access controls and continuous verification for every device accessing organizational data.

This approach represents a shift in cybersecurity from traditional, static network defenses to a dynamic focus on users, assets, and resources. 

During high employee turnover, zero trust helps maintain data privacy by strictly controlling access to data on a need-to-know basis, thus reducing the risk of data breaches or unauthorized access.

Identity and Access Management (IAM) is also crucial in controlling system access within an organization. It encompasses technologies and policies that manage and monitor who has access to specific data and resources. 
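To make the "never trust, always verify" idea concrete, here is a small per-request access check written for this piece as an added example; it is not code from the article or from any of the experts quoted. Each request is evaluated on its own against four gates: the identity must still be active in the directory (so an offboarded employee loses access on the very next request, which is the high-turnover point above), the device must be registered to that user and report a compliant posture, the user's last verification must be recent, and a role must explicitly grant the requested action (need-to-know). The directory contents, the 15-minute re-verification window, the `compliant` posture flag and the role-to-permission table are all constructed assumptions for the illustration.

```python
"""Illustrative zero-trust access decision (added example, not from the original article).

Every request is checked from scratch: identity status, device posture, freshness of
verification and a least-privilege role mapping. Nothing is trusted because it was
allowed a moment ago. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: a user must have re-verified (e.g. MFA) within this window.
MFA_MAX_AGE = timedelta(minutes=15)

# Assumed need-to-know policy: role -> set of (resource, action) it grants.
POLICY = {
    "hr-analyst": {("hr/payroll", "read")},
    "hr-admin": {("hr/payroll", "read"), ("hr/payroll", "write")},
    "engineer": {("repo/main", "read"), ("repo/main", "write")},
}


@dataclass
class Identity:
    user: str
    active: bool          # flipped to False at offboarding
    roles: frozenset      # least-privilege role set


@dataclass
class Device:
    device_id: str
    owner: str
    compliant: bool       # assumed summary of posture checks (patched, encrypted, EDR present)


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    last_verified: datetime  # when the user last completed strong authentication


class Directory:
    """Minimal stand-in for an IAM directory plus device inventory."""

    def __init__(self):
        self.identities = {}
        self.devices = {}

    def add_user(self, user, roles):
        self.identities[user] = Identity(user, True, frozenset(roles))

    def register_device(self, device_id, owner, compliant):
        self.devices[device_id] = Device(device_id, owner, compliant)

    def offboard(self, user):
        """Deactivate the identity; no grace period, every later request is denied."""
        if user in self.identities:
            self.identities[user].active = False


def authorize(directory, req, now):
    """Return (allowed, reason). Each gate is independent and evaluated on every request."""
    ident = directory.identities.get(req.user)
    if ident is None or not ident.active:
        return (False, "identity not active")
    dev = directory.devices.get(req.device_id)
    if dev is None or dev.owner != req.user:
        return (False, "unknown or foreign device")
    if not dev.compliant:
        return (False, "device posture non-compliant")
    if now - req.last_verified > MFA_MAX_AGE:
        return (False, "verification stale; re-authenticate")
    if not any((req.resource, req.action) in POLICY.get(r, set()) for r in ident.roles):
        return (False, "no role grants this action")
    return (True, "allowed")


def build_sample_directory():
    """Constructed sample data: two staff members, two managed laptops."""
    d = Directory()
    d.add_user("alice", ["hr-analyst"])
    d.add_user("bob", ["engineer"])
    d.register_device("laptop-1", "alice", compliant=True)
    d.register_device("laptop-2", "bob", compliant=False)  # e.g. missing patches
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    now = datetime.now(timezone.utc)
    fresh = now - timedelta(minutes=5)
    print(authorize(d, Request("alice", "laptop-1", "hr/payroll", "read", fresh), now))
    d.offboard("alice")  # turnover: the next request from the same user and device is denied
    print(authorize(d, Request("alice", "laptop-1", "hr/payroll", "read", fresh), now))
```

The order of the gates matters for the turnover case: identity status is checked first, so revoking a departed employee in the directory is enough to stop every downstream path, whatever device or role they still hold. In a real deployment the `compliant` flag would come from a device-management or EDR feed and `last_verified` from the identity provider's session record; both are assumed inputs here.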

Where It’s Headed: Balancing Zero Trust with Business Collaboration in Cybersecurity 

The implementation of Charles Brooks' advocated zero-trust approach in cybersecurity signals a broader evolution in the field, extending well beyond privacy concerns. 

It demonstrates that CISOs need to take an integrated approach to cybersecurity, where privacy, vendor risk, and compliance are interdependent – and essential – across all business functions.

As organizations adopt this strategy, a key challenge will be to strike a delicate balance between stringent security measures and maintaining robust business partnerships. 

For instance, while zero trust significantly strengthens data protection and compliance within governance frameworks, CISOs must also ensure that these rigorous security protocols do not hinder collaboration or operational efficiency. 

In practice, this might involve deploying user-friendly identity verification processes that secure sensitive data without disrupting workflow, thus preserving business agility.

Unraveling the Web of Cybersecurity: Michael Scott's Strategic Approach to GRC and Vendor Risk Management

Michael Scott, a seasoned CISO, exemplifies the shift toward integrating cybersecurity with business objectives. 

During his time at Wendy’s, Scott streamlined the cybersecurity team and infused cybersecurity governance with a business-minded approach. 

This transition, from 16-20 contractors to just four, enhanced security and liberated resources for broader business initiatives, illustrating that effective cybersecurity is as much about human vulnerability and organizational culture as it is about technical defenses.

His partnership with the CIO and ability to advocate for security needs, especially in areas like data protection, demonstrated compliance goes beyond just checking boxes. It's about embedding security in every facet of the business, from legal compliance to customer trust. 

Scott’s focus on aligning vendor relationships with stringent privacy and compliance standards further highlighted the need for strong vendor risk assessments and detailed contracts, ensuring that all aspects of cybersecurity are in harmony with the company’s core values and objectives.

His holistic approach also went beyond mere budget optimization; he skillfully navigated the intricate web of GRC and privacy, weaving security strategies into the fabric of his organization. 

This reinforced the CISO’s essential role at Wendy’s – becoming a strategic partner for both cybersecurity and business growth.


Key Takeaways for CISOs Navigating the Complex Web of Cybersecurity

We've explored the complex world of cybersecurity, touching on crucial themes like human vulnerabilities, strategic partnerships, compliance, privacy, and vendor-related risks.

The web of cybersecurity is about more than guaranteeing your data is safe; by properly balancing each of these elements, you ensure the ongoing success of your business.

Prioritize a business-centric approach by staying abreast of global compliance standards and using the latest advancements in cybersecurity tools. This helps you and your team stay well-positioned to navigate a dynamic cybersecurity landscape and protect your organization.
