Cyber Consulting Room

The Best Practices for Navigating Governance, Risk, and Compliance in Cybersecurity with Chris Hows

Gordon Draper Season 1 Episode 16

Is your cybersecurity strategy truly protecting your business, or just checking boxes? In today’s fast-paced digital landscape, threats evolve faster than updates, and staying compliant can feel like a maze.

In this episode of the Cyber Consulting Room podcast, host Gordon Draper speaks with Chris Hows, Principal Governance, Risk, and Compliance (GRC) Consultant  at Mercury Information Security Systems. Chris shares his unconventional journey into cybersecurity, emphasizing the importance of GRC in enhancing organizational cybersecurity. He discusses the significance of understanding various standards, risk management, and aligning security controls with business objectives. Chris also highlights the challenges of compliance, the necessity of tailoring GRC frameworks to specific needs, and offers practical advice for aspiring cybersecurity professionals. The episode provides valuable insights into the critical role of GRC in cybersecurity.


In This Episode:

  • (00:28) Chris's journey into cybersecurity
  • (01:14) Educational path to GRC
  • (02:07) Advice for aspiring cybersecurity professionals
  • (02:54) Defining governance, risk, and compliance
  • (04:19) Understanding compliance challenges
  • (14:39) Benefits of the ASD essential framework
  • (16:30) Challenges of implementing ISO frameworks
  • (17:40) Understanding control intent
  • (22:44) Zero trust principle
  • (24:14) Identifying cybersecurity risks
  • (29:47) Shared responsibility model
  • (39:33) Software compliance and updates
  • (41:11) Regulatory evolution in cybersecurity
  • (42:18) Accountability for cybersecurity
  • (43:37) Best practices for compliance
  • (45:17) Intent behind compliance frameworks


Notable Quotes

  • [05:10] “If you just try to tick a box, potentially you might actually miss one of the core foundational things of what you're trying to do.” - Chris 
  • [11:42] “Each business does need to sit down and decide how much risk is appropriate for them based on their context and based on how much they're potentially able to lose.” - Chris 
  • [21:19] “You really need to understand what your threat is and tailor your risk assessment and controls to your needs.” - Chris 
  • [24:14] “Phishing is so insidious because it’s very simple to double-click on that document someone sent you, and then the game’s already over.” - Chris 
  • [37:02] “Privacy is an ever-increasing area of regulation. In Australia, it's being looked at again, and we might see something like GDPR coming in the future.” - Chris 
  • [45:17] “A lot of the things that I've seen is, what would a reasonable person do? If it was your information, would you be happy with these controls in place?” - Chris 


Resources and Links

Cyber Consulting Room

Gordon Draper

  • https://cybermarket.com/
  • https://www.linkedin.com/in/gordondraper/

Chris Hows

People on this episode