The transformation of GRC responsibilities
The GRC landscape is shifting considerably due to the increasing complexity of both regulations and business risks, and this obviously has an impact on responsibilities. Karolien Vanhuffel explained the evolution from the perspective of risk management: “We are moving much more towards a risk-based approach, contextualized views and enforcing of shared responsibility. The risk-based approach is about shifting from reactive to proactive risk management, recognising the landscape and business priorities. The contextualized view involves a focus on understanding what the risks mean and how they interact with other risks in a region or business, as it is not one size fits all. And lastly, shared responsibility revolves around business leaders realising the criticality and their own accountability.”
Vincent Defrenne highlighted the shifting responsibilities from another angle: the rapidly changing nature of the GRC role. He sees this as a major challenge, as GRC professionals and CISOs are increasingly facing executive committees or boards: “We’re seeing GRC professionals, often unprepared, facing executive committees on topics such as NIS2. This new role demands strong managerial and stakeholder management skills, which aren’t easy to acquire. I believe we must prioritise training, especially in soft skills, and encourage GRC professionals to actively develop themselves. Coaching is also critical, particularly for CISOs interacting with C-level and boards. Furthermore, educating executive committees on cybersecurity is essential for mutual understanding and support.”
GRC as a business enabler
A significant evolution in the perception of GRC is the shift from a purely restrictive function to one that actively enables business objectives. Johan Claessens commented on this opportunity for GRC: “Previously security and GRC were mostly about saying ‘no’ to the business. Now we are enabling business. Security is one of the top three priorities for companies. But there is a considerable shortage of skills, especially in cybersecurity. We need more budget to do our job properly. Yet, unlike HR and marketing, security is very process-driven, so we need to integrate security and GRC from the top down and bottom up.”
New skills and competencies for GRC professionals
The evolving GRC landscape necessitates a broader skillset beyond traditional GRC expertise. Karolien Vanhuffel observed: “Cybersecurity expertise, business acumen and data-driven decision making are all key for GRC professionals. But more importantly, today they need soft skills or better ‘power skills’ such as the ability to translate technical risks into business risks. They need to be inventive and resourceful. Other important skills are strategic and risk-based thinking as well as understanding the regulatory landscape so that they can influence some of the investments that need to be made. And finally, it’s all about collaboration, forming a coalition and being holistic.”
“We need to be a bit more geeks and look at how technology can change and sometimes make our life more efficient. There are some very good specific GRC tools out there, and we should start looking at those,” concluded Vincent Defrenne.
The evolution of GRC skills
The panel further discussed how GRC professionals need to adapt and evolve their skill sets. Vincent Defrenne advised professionals to “be curious, make sure they have the right reporting line and get support or coaching.” Karolien Vanhuffel stressed the importance of collaborating with different teams and not working in silos to get a better understanding of what the business needs from GRC. Johan Claessens concluded by stressing the impact of the current geopolitical situation: “You need to be ready and secure all the time. Previously, you just needed to report on compliance every quarter. Now it is day-to-day business.”
The panellists collectively agreed that one of the new skills GRC professionals need to have is an understanding of human psychology and how human behaviour changes and can be changed. Indeed, people know that controls are important, but they do not always seem to apply them.
“A lot of companies have awareness and engagement departments around risk training and risk or cybersecurity awareness. But that is only the start. A more extensive approach is required, involving thorough testing of your audience, employees, and partners,” said Karolien Vanhuffel.
Shifts from the recent past
Reflecting on what has changed in recent years, the panel concluded their discussion by identifying significant differences in the approach and focus of GRC. Karolien Vanhuffel observed: “Years ago, we were very internally focused. We were trying to get our act together around user access management. Does everyone have access? Do we have a firewall? Now, we are looking at the outside to see what we need to make sure we are safe on the inside.” Johan Claessens noted: “I see that business and people are more aware than before. Some prominent security cases have hit the headlines in the media and that creates more general awareness.” Vincent Defrenne concluded that “every business has become massively digital, much more than before. It’s only going to increase. And now with the booming of AI, it is going even faster.”
Pictured: Vincent Defrenne (NVISO) and Johan Claessens (NIPRO)
