Understanding IT Governance, Risk, And Compliance



In the world of cybersecurity, there is no shortage of buzzwords and techno-jargon. Oftentimes, several of them are used together, causing even more confusion. One such grouping is Governance, Risk, and IT Compliance. While a business needs all three to work together seamlessly, each has its own distinct purpose.

What Exactly Do They Mean?

The definitions for these terms can be broken down as follows:

1. Governance:

As it relates to IT, this is how an organization is run. Typically, this follows a top-down structure. For example, at the top is the CISO; beneath him or her are the managers of the IT Department and the IT Security team, followed by the Project Managers who are responsible for managing the employees producing the deliverables for the client. A typical example is a software development team: the developers report to the Project Manager, who in turn reports to the Department Manager. An effective chain of command in this regard exhibits the following characteristics:

  • A clear and transparent line of communication: The vision, goals, and objectives must be transmitted all the way down to the lowest-ranking IT member. Likewise, the needs and ideas of the IT Security team must be heard and transmitted back up to the CISO, who evaluates whether funding can be appropriated for them.
  • Effective resource allocation: The CISO and the respective managers work together as a cohesive unit to distribute scarce resources so that the cyber threat landscape is managed as effectively as possible.
  • A system of checks and balances: The CISO and his or her top-level managers must enforce the divisional lines of who is responsible for what, and also ensure that there is a strong sense of accountability.
  • Rewards/acknowledgments: A good governance system rewards those employees who have made an impact in protecting the digital assets of the company, as well as those who have maintained a good level of cyber hygiene. Likewise, rather than singling out and punishing employees who have made a mistake, it offers constructive criticism instead.

2. IT Compliance:

This is when your company has policies and rules that abide by the security requirements of other entities that you interact with. The best examples of this are data privacy regulations, most notably the GDPR and the CCPA. They contain provisions and mandates that you must meet in order to safeguard, above all, the Personally Identifiable Information (PII) datasets you have been entrusted with. Characteristics of a good compliance program include:

  • Choosing the right framework(s) or methodologies: This guides you in selecting the best possible controls to protect confidential information and data.
  • Having a change management system in place: Any adjustments or changes that you make to the controls are well documented, and any upgrades or new tools/technologies to be deployed are first tested in a controlled environment before being released to production.

3. Risk:

This typically refers to the amount of “pain” your company can withstand before a threat variant causes permanent damage to your IT and network infrastructure. There are other definitions and ways to calculate risk, but some of the common traits of a good risk management program are as follows:

  • A categorization scheme has been created: With this, you take an inventory of all your digital assets and, in turn, decide (based upon both quantitative and qualitative factors) which are most and least susceptible to impact if your organization becomes the victim of a security breach. For example, the database that houses the PII datasets would be a prime target and thus needs the most controls to protect it. Because of this, it receives a numerical ranking of 10 (where 10 is most vulnerable and 1 is least vulnerable on the categorization scale). By contrast, the documented minutes from meetings held long ago will most likely not be a highly sought-after target. Therefore, they need only a minimal amount of controls, if any, and are given a ranking of about 3.
  • The controls are monitored: Just like the other components of your IT and network infrastructure, risk controls can go stale and lose their effectiveness if they are not kept up to date with the latest patches and upgrades. Therefore, a good risk management program keeps an eye on all of your controls in real time and alerts you and your IT Security team if any of them need further attention and/or optimization.


Collectively, these terms are also known as “GRC.” Now that you have a firmer understanding of what all three are about, a future article will take a deeper dive into how to craft an effective GRC plan. But keep in mind that this is not something you want to attempt alone. The reason is that this document will be scrutinized by regulators and auditors, and even by insurance companies when you apply for a cybersecurity insurance policy. Most cybersecurity insurance payouts never happen, and this is due to a failure to provide documentation of the cybersecurity best practices in place. Don’t take that risk; partner with an IT Compliance provider like Results Technology. Schedule your consultation today with one of our cybersecurity experts!