Introducing the updated SANS LDR519: Cybersecurity Governance, Risk, and Compliance (GRC)

In 2024, I wrote about the importance of cybersecurity risk management and its role in helping organizations move from uncertainty to strategy. At the time, my focus was on the challenge of helping students understand how to conduct risk assessments and how to use them to make better decisions. That problem still exists. Organizations continue to struggle with understanding which safeguards matter, how to prioritize them, and how to communicate those decisions to leadership.
What has become clearer over the last two years is that the challenge extends beyond performing risk assessments. Many organizations can produce assessments, reports, and gap analyses. The difficulty is turning that information into a system that consistently drives decisions, actions, and measurable outcomes. Assessments are often treated as a deliverable rather than as one step in an ongoing process. As a result, they provide insight at a point in time, but they do not reliably lead to sustained improvement.
This realization is what drove the update to LDR519. The course is no longer positioned solely as a deep dive into cybersecurity risk management. LDR519 has been expanded into a full lifecycle course on cybersecurity Governance, Risk, and Compliance (GRC). The goal is to provide a structured approach to build and operate a cybersecurity program, not just to analyze it.
At a practical level, a cybersecurity program requires a defined approach to making decisions, setting priorities, implementing safeguards, and validating and communicating outcomes. The three GRC functions each cover part of that approach:
Governance defines how decisions are made and who is accountable.
Risk management provides the mechanism for selecting and prioritizing safeguards.
Compliance ensures that those safeguards align with external requirements and that evidence exists to demonstrate that alignment.
When these functions are treated separately, programs tend to become fragmented: risk findings are not tied to governance decisions, and compliance evidence is collected without reference to either. When they are integrated, they form a system that can be operated and improved over time.
The updated LDR519 course is built around that system. It focuses on the lifecycle required to run a cybersecurity GRC program. This includes:
Each of these activities exists in most organizations today. The difference is whether they are performed in isolation or as part of a coordinated process.
One of the most significant changes in the course is the incorporation of SANS LDR419: Performing A Cybersecurity Risk Assessment. Risk assessment is still a critical component of the lifecycle, but it is no longer treated as a standalone objective. Students still learn how to perform different types of assessments and how to scope and execute them effectively. The emphasis, however, is on how those assessments feed into decision making. This includes understanding when to perform assessments, what level of rigor is required, and how to translate assessment results into actionable priorities. The intent is to move beyond producing assessments and toward using them as a consistent input into the broader program.
Another important change is the role of artificial intelligence. AI is already influencing how cybersecurity work is performed, and GRC activities are no exception. In practice, AI is most effective when it is used to accelerate tasks that are already well understood. This includes analyzing regulatory requirements, mapping those requirements to safeguards, reviewing and improving policies, assisting with risk analysis, and supporting validation activities such as documentation review and evidence analysis. These are areas where large amounts of structured and semi-structured information need to be processed, and where AI can reduce the time required to perform the work.
At the same time, the use of AI introduces new considerations that must themselves be governed. Data can be exposed through prompts and integrations, outputs may not always be accurate or verifiable, and there is often limited transparency into how conclusions are generated. For that reason, the course does not treat AI as a replacement for existing processes. It is treated as an additional capability that must be incorporated into the governance model, with clear expectations for where it may be used and how its outputs are validated before they drive a decision.
The underlying problem has not changed. Organizations are still trying to determine which safeguards are most effective, how to allocate limited resources, and how to communicate cybersecurity decisions in ways that support the business. What has changed is the expectation that these activities be performed in a structured and repeatable way. It is no longer sufficient to understand risk. Organizations are expected to demonstrate that they are managing it.
That expectation is what defines a cybersecurity GRC program. It is the difference between performing isolated activities and operating a system that produces consistent outcomes over time.
When I wrote the original version of LDR519: Cybersecurity Governance, Risk, and Compliance (GRC), my goal was to bring clarity to a topic that is often misunderstood. That goal has not changed. The update reflects what I have seen in practice. Organizations do not need more assessments. They need a way to connect the work they are already doing into a program that can be operated, measured, and improved. I hope everyone enjoys the update, finds it useful, and uses it to mature their GRC programs.


James Tarala is a managing partner at Cyverity, specializing in cybersecurity risk and governance. A SANS instructor for 20+ years, he holds 14 GIAC certifications including the GSE, and has helped author the CIS Controls, CRF resources, and courses such as LDR519.