Governance & Risk Management, GRC, Standards, Regulations & Compliance
CISO Sean Atkinson on Moving From ‘GRC Theater’ to Continuous GRC Engineering
As compliance obligations multiply, many organizations are becoming better at passing audits but not necessarily better at reducing risk. Sean Atkinson, CISO at the Center for Internet Security, calls it “GRC theater,” a performative model of governance that “looks impressive on paper, but at the end of the day, nothing meaningful has changed.”
“We’re shifting goals from trying to really reduce risk to looking like we’ve tried to,” he said. In some cases, the objective becomes “an incentivized approach to pass audits and not be secure.”
Atkinson argues that GRC must evolve into an engineering discipline grounded in continuous assessment and continuous improvement. That shift includes infrastructure as code, policy as code and telemetry that shows what actually happened, not simply documentation produced for audit season.
“The byproduct of good security is compliance,” he said.
In this video interview with Information Security Media Group, Atkinson discussed:
- Why audit cadence conflicts with continuous threat activity;
- How continuous control monitoring proves control effectiveness;
- What GRC engineering looks like in a cloud-first, artificial intelligence-enabled environment.
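The contrast between audit-day evidence and telemetry that shows what actually happened, and the claim that continuous control monitoring proves control effectiveness, can be made concrete with a small policy-as-code evaluator. The block below is an added illustration, not code from the interview, CIS or CIS Benchmark content: the three controls (SSH-ROOT, DISK-ENC, MFA), the two assets and every telemetry record are constructed, and the agent that would emit such snapshots is hypothetical. The same evaluator drives two views: `audit_view` reproduces the point-in-time picture an auditor sees on a given date, and `exposure_windows` replays every snapshot to find each interval during which a control was actually failing.

```python
"""Policy as code over configuration telemetry: an audit-day view versus
continuous control monitoring.

Added illustration; not CIS's tooling or CIS Benchmark content. The
controls, the assets and every telemetry record below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    """A control expressed as code: a predicate over one asset's snapshot."""
    control_id: str
    description: str
    check: Callable[[dict], bool]


# Hypothetical controls, loosely in the spirit of a hardening benchmark.
CONTROLS: List[Control] = [
    Control("SSH-ROOT", "SSH root login disabled",
            lambda s: s.get("sshd_permit_root_login") == "no"),
    Control("DISK-ENC", "Full-disk encryption enabled",
            lambda s: s.get("disk_encrypted") is True),
    Control("MFA", "MFA enforced for interactive accounts",
            lambda s: s.get("mfa_enforced") is True),
]


def _snap(ts: str, asset: str, root: str, enc: bool, mfa: bool) -> dict:
    return {"ts": ts, "asset": asset, "sshd_permit_root_login": root,
            "disk_encrypted": enc, "mfa_enforced": mfa}


# Constructed telemetry from a hypothetical agent that reports a host's
# configuration whenever it changes. web-01 drifts on 3/15 and is fixed on
# 3/22; db-01 loses MFA enforcement on 3/28 and is never fixed.
TELEMETRY: List[dict] = [
    _snap("2024-03-01T09:00:00Z", "web-01", "no", True, True),
    _snap("2024-03-01T09:00:00Z", "db-01", "no", True, True),
    _snap("2024-03-15T09:00:00Z", "web-01", "yes", True, True),
    _snap("2024-03-22T09:00:00Z", "web-01", "no", True, True),
    _snap("2024-03-28T09:00:00Z", "db-01", "no", True, False),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(snapshot: dict, controls: List[Control] = CONTROLS) -> Dict[str, bool]:
    """Run every control against one snapshot."""
    return {c.control_id: bool(c.check(snapshot)) for c in controls}


def audit_view(telemetry: List[dict], as_of: str,
               controls: List[Control] = CONTROLS) -> Dict[str, Dict[str, bool]]:
    """The audit-day picture: each asset's latest snapshot at or before as_of.

    Anything that failed and was fixed between two audit dates is invisible here.
    """
    cutoff = _parse(as_of)
    latest: Dict[str, dict] = {}
    for s in sorted(telemetry, key=lambda s: _parse(s["ts"])):
        if _parse(s["ts"]) <= cutoff:
            latest[s["asset"]] = s
    return {asset: evaluate(s, controls) for asset, s in latest.items()}


def exposure_windows(telemetry: List[dict], controls: List[Control] = CONTROLS
                     ) -> Dict[Tuple[str, str], List[Tuple[str, Optional[str]]]]:
    """Continuous view: every interval during which a control was failing.

    Keys are (asset, control_id); each value lists (fail_start, recovered)
    pairs, with recovered=None for a failure still open at the last snapshot.
    """
    by_asset: Dict[str, List[dict]] = {}
    for s in telemetry:
        by_asset.setdefault(s["asset"], []).append(s)
    windows: Dict[Tuple[str, str], List[Tuple[str, Optional[str]]]] = {}
    for asset, snaps in by_asset.items():
        snaps.sort(key=lambda s: _parse(s["ts"]))
        open_since: Dict[str, str] = {}  # control_id -> ts when it started failing
        for s in snaps:
            for cid, ok in evaluate(s, controls).items():
                if not ok and cid not in open_since:
                    open_since[cid] = s["ts"]
                elif ok and cid in open_since:
                    windows.setdefault((asset, cid), []).append((open_since.pop(cid), s["ts"]))
        for cid, start in open_since.items():
            windows.setdefault((asset, cid), []).append((start, None))
    return windows


if __name__ == "__main__":
    for as_of in ("2024-03-01T23:59:59Z", "2024-04-01T00:00:00Z"):
        print("audit as of", as_of, audit_view(TELEMETRY, as_of))
    for key, spans in sorted(exposure_windows(TELEMETRY).items()):
        print("exposure", key, spans)
```

Run as-is, both audit dates report web-01 fully compliant with SSH-ROOT, because the root-login drift was opened and closed between them; only the replay shows the week during which the control was not effective. The design point is that the same predicates serve both views: once a control is code, the "audit" is just one query over telemetry you already collect, and the exposure windows are the evidence of effectiveness that a document written for audit season cannot provide.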
Atkinson uses his broad cybersecurity expertise to direct strategy, operations and policy to protect the Center for Internet Security's enterprise of information assets. His responsibilities include risk management, communications, applications and infrastructure. Prior to CIS, he served as global information security compliance officer for GLOBALFOUNDRIES. Before that, he led the security implementation for the New York state statewide financial system.

