Navigating the Evolving Landscape of Cybersecurity: Insights from Andry Rakotomalala on Governance, Risk, and Compliance (GRC)
In the latest episode of our Lexicon podcast, we had the privilege of sitting down with Andry Rakotomalala, a seasoned expert in cybersecurity and compliance. Our conversation delved into the rapidly evolving cybersecurity landscape, focusing on the critical components of governance, risk management, and compliance (GRC). As organizations increasingly grapple with data protection and regulatory requirements, understanding GRC’s role has never been more vital.
What on Earth is GRC Anyway?
Andry kicked off our discussion by breaking down the acronym GRC, which stands for governance, risk, and compliance. He explained that GRC professionals are tasked with overseeing regulatory standards and managing risks to ensure that organizations protect sensitive data while adhering to industry regulations. “I see GRC as one of the areas that will have a big boom, especially in 2025,” Rakotomalala noted, highlighting the growing importance of this field.
The essence of GRC lies in its ability to help organizations minimize the risk of data breaches and other cyber incidents. “At the end of the day, GRC is about protecting data, and really, cybersecurity is about protecting people, places, and things,” he emphasized. This protection is not limited to the tech industry; any organization handling sensitive financial, health, or customer-related data stands to benefit from implementing GRC strategies.
GRC and Its Role in Cybersecurity
When discussing the connection between GRC and cybersecurity, Andry shared a well-known industry adage: “It’s not just about if you get hacked; it’s when you get hacked.” This inevitability underscores the necessity for a robust GRC framework that not only reduces the likelihood of a security breach but also mitigates its potential impact.
A core aspect of GRC’s role in cybersecurity is ensuring that security practices align with company goals and client expectations. “If you’re a client-centric company, you have to say, ‘We want to protect our customers, and doing this will help us do that,’” Andry explained. By tying GRC practices to customer-centric goals, organizations can align their risk management strategies with broader organizational values.
Andry also highlighted the significance of established frameworks such as COBIT, NIST, and ISO 27001, which provide structured guidance on assessing and mitigating risks. “COBIT, for example, gives you a guide to find out what risks are and how to address them,” he stated. These frameworks assist organizations in identifying vulnerabilities, deciding which risks to mitigate, and establishing ongoing practices to maintain security and compliance.
GRC to Help Build Trust and Manage Reputation
A critical aspect of GRC is managing reputational risk. Andry explained that a cyber incident can have far-reaching consequences, eroding public trust in a company. He cited high-profile breaches, such as those experienced by SolarWinds, Target, and LastPass, as examples of how negative media coverage can lead to significant reputational damage. “Back in 2013, when Target leaked a bunch of credit card data, people were wary of shopping there,” he recalled.
Establishing a GRC program is a proactive way for companies to protect their reputation and data. Complying with standards and obtaining certifications like ISO 27001 or SOC 2 signal to stakeholders and customers that an organization takes security seriously. “Accreditation does several things. It legitimizes the business and helps stakeholders and end-users feel safer knowing that, ‘Hey, we’re accredited,’” Andry explained.
GRC is Not Just for Tech
While GRC is often associated with technology companies, Andry clarified that it is relevant across various industries. “Every industry has regulations,” he noted, pointing out that even restaurants and automotive companies must adhere to specific standards. In the realm of cybersecurity, compliance regulations are crucial for protecting sensitive information.
Andry highlighted the differences in regulations across regions, such as GDPR in the EU and CCPA in California, which focus on end-user privacy. Despite these variations, many compliance standards overlap, making it easier for organizations accredited in one framework to comply with others. “Compliance with one or two standards sets you up well to be compliant with others,” he said.
AI and Automation in GRC
Looking ahead, Andry discussed the transformative potential of AI and automation in GRC. “AI will be a big player in automating compliance and improving precision in risk management,” he explained. While humans can perform many cybersecurity tasks, they often have a higher error rate than automated tooling does. AI can provide real-time insights and enhance accuracy.
Andry mentioned tools like ServiceNow and LogicGate, which leverage AI to automate compliance processes, simplifying the task for organizations. “You could manually check each device for security settings, but AI can scan the entire network in seconds and find any issues,” he said, emphasizing the time-saving benefits of automation.
Automated penetration testing tools also allow companies to regularly assess their vulnerabilities without needing a large security team. “There are tools that can do one-click tests to see how your vulnerabilities stand, which is a requirement in many compliance standards,” he added.
Company Culture and Training Are Essential
Implementing GRC goes beyond technology and policy; it requires fostering a culture of security awareness throughout the organization. Andry stressed the importance of employee education in cybersecurity: “Humans are the biggest weak link in cybersecurity breaches. About 80% of incidents happen because of a human mistake, like clicking on a phishing email.”
To make cybersecurity training engaging, Andry described tools like Hacker Rangers, a gamified platform that promotes cybersecurity awareness. “It’s competitive and makes learning fun,” he said. By integrating cybersecurity education into the company culture, organizations can empower employees to recognize threats and protect both company data and customer trust.
Continuous Monitoring and Improvement
One of the ongoing challenges of GRC is the need for continuous monitoring and improvement. “It’s not enough to say, ‘We’re compliant,’ and be done with it,” Andry warned. Continuous documentation and monitoring should be established as an expectation from the outset.
Choosing the right tools and partners is crucial in this process. “Some vendors will help you achieve compliance and then leave, but others provide monitoring support, making reaccreditation easier,” he explained. By setting these expectations, companies can ensure their GRC efforts remain effective.
The Future of GRC
In closing, Andry shared his optimistic outlook on the future of GRC, particularly as technology continues to advance. “The future of GRC is bright, especially with AI on the horizon,” he said. While AI promises to automate tasks and improve accuracy, he cautioned that ethical considerations, such as privacy concerns and potential biases, must be addressed.
Overall, Andry believes that the integration of AI will drive efficiency and precision in compliance and risk management. He concluded with valuable advice for those considering a career in cybersecurity: “Not all cybersecurity professionals need to know how to hack or code, but a technical understanding is crucial. GRC and privacy roles are booming, and they’re key to the future of cybersecurity.”
As the cybersecurity landscape continues to evolve, understanding the principles of GRC will be essential for organizations striving to protect their data, maintain compliance, and build trust with their stakeholders. For more insights and educational resources, be sure to check out our platform, IE Academy.