Manifesto
GRC Engineering is a step-change evolution in security governance, risk, and compliance (GRC), and related disciplines such as trust and assurance. As a community-led movement, GRC Engineering seeks to propel GRC into the modern era so it can
- keep pace with the rapid acceleration in software engineering and security engineering spurred by Agile, DevOps, DevSecOps, continuous integration, continuous delivery, continuous deployment, security guardrails, and paved roads.
- adapt to an ever-changing landscape of security threats, defensive security practices, and business and technology innovation.
- overcome the limitations of “Legacy GRC” practices and programs that typically result in mere checkbox compliance, security theater, and frustrating experiences for organizational stakeholders.
This manifesto defines what we see as the foundational problems with Legacy GRC, what makes GRC Engineering fundamentally different, and how GRC Engineering can lead to far better outcomes that deliver on the promise that GRC was always meant to provide.
Fundamental problems with Legacy GRC
Complacency with manual toil and trivial outputs
Settling on manual and often disconnected activities leads to wasted time, error-riddled results, and limited effectiveness of GRC practices. And because manual activities don’t scale, GRC practitioners find themselves settling for trivial outputs and accepting them as “good enough” outcomes.
Transactional stakeholder relationships
Shallow and narrow problem solving mindset
Excessive focus on closed source frameworks and “industry standards”
Commoditization of compliance
GRC Engineering Values
- Automate early on and often over settling for manual processes and workflows
- Measurable and meaningful risk-focused outcomes over commoditized compliance outputs
- Evidence, logic, math, and reason over fear, uncertainty, and doubt
- In-depth continuous assurance over shallow continuous monitoring and point-in-time assessments
- Stakeholder-focused solutions over doing what works best for GRC teams
- “Shared fate” partnerships over transactional relationships