Assurance is the logical outcome of Governance, Risk & Compliance (GRC) practices

What is the point of a company spending significant money and effort on Governance, Risk & Compliance (GRC) activities? It is to provide stakeholders with ASSURANCE that the organization has secure, compliant and resilient operations.

Without assurance, an organization is at best mediocre from a cybersecurity perspective since everything is based on assumptions.

Assurance is something you can prove and it is the output of security, compliance and resilience practices. There are several levels of assurance:

• No Assurance is where there are no reasonable grounds to conclude controls are applicable, properly scoped, implemented correctly and/or operating as intended. No assurance is at best an assumption.
• Low Assurance is where there is reasonable confidence that applicable controls are properly scoped, implemented and free of obvious errors.
• Moderate Assurance is where there are increased grounds for confidence that applicable controls are implemented correctly and operating as intended.
• High Assurance is where there is overwhelming evidence of due diligence and due care that applicable controls are implemented correctly and operating as intended.

The more robust the rigor of an assessment, the more reasonable it is to demonstrate higher assurance. Low rigor is low assurance at best, unless scoping or evidence has been gamed and then it is No Assurance. For example, the concept of obtaining a "SOC 2 audit in 2 weeks for $5,000 " that is presented as something to be trusted is simply marketing dishonesty and is intellectually reprehensible. In their race to the bottom, the audit/certification mills promoting this nonsense do not sell trust or security. In reality, they just tarnish the concept of third-party audits/assessments and should be ashamed of passing off a minimally-scoped and low rigor assessment as a genuine assurance process that is worthy of trust.

If that sounds harsh, let's look at an authoritative source for guidance on the meaning of these key terms. The NIST Glossary is a great place to start:

• TRUST is defined as "A belief that an entity meets certain expectations and therefore, can be relied upon."
• SECURITY is defined as "A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach."
• ASSURANCE is defined as "Grounds for justified confidence that a [security or privacy] claim has been or will be achieved."

The idea of trust being the key component of something that can be relied upon is crucial. Stakeholders being presented with a SOC 2 audit report that is the result of gaming the scope of applicable controls or the evidence relied upon to demonstrate conformity with those controls is not trust. That SOC 2 audit report provides essentially no value and is the antithesis of trust since it does not accurately belay the actual security practices that exist within the organization. At best, it is security theater and at worst it is fraud.

We want GRC processes to be awesome and that means organizations need to implement security, compliance and resilience practices that can provide assurance to both internal and external stakeholders. That is how you build trust. Weakly scoped certifications that mean nothing are just a parasite feeding on the cybersecurity industry.