Crossed Wires: The GRC Gap Threatening Critical Infrastructure

Written by Brian Harrell.

It’s Time to Embrace a Unified and Automated Approach to Physical GRC

Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to give us a leg up when the feds are slow to share, and security information and event management (SIEM) platforms to better aggregate security information.

Often in these efforts, cybersecurity dominates the conversation. But I believe we can “walk and chew gum at the same time” and make sure that physical security efforts are equally addressed in these efforts. 

For more than two decades, enterprises have leveraged advanced technology to automate IT governance, risk and compliance (GRC), ensuring regulatory adherence and safeguarding critical data. Yet when it comes to physical GRC—managing physical access reviews, recertifications and identity governance—many organizations still rely on manual processes that belong in the Stone Age.

This technological lag is particularly concerning as the threat landscape grows more complex and dynamic. Today’s adversaries adapt in real time, while many companies continue to operate with fragmented physical security frameworks, perpetuating silos between IT cybersecurity, physical security, and operational technology (OT) teams. These silos not only create inefficiencies but also increase the risk of security gaps that can be exploited.

The Importance of GRC
GRC is made up of deeply interconnected elements that together form the backbone of a robust security posture for organizations. Governance sets the strategic direction and policies for security; risk management identifies and mitigates potential threats to the enterprise; and compliance ensures that the organization meets external legal and regulatory requirements, as well as internal policies and standards. This synergy ensures that an organization’s security efforts are aligned with its business objectives, legal obligations and risk appetite.

The time to modernize is now. Organizations can no longer afford to treat physical security governance as an afterthought. Fortunately, the digital transformation wave—driven by the desire for security convergence, Artificial Intelligence (AI) excitement and increased regulatory pressures—presents an unprecedented opportunity to bridge these gaps. By integrating physical GRC into the broader IT and OT risk management ecosystem, enterprises can unlock holistic, real-time security capabilities. Automation in physical GRC means no more outdated, manual processes. Instead, we can leverage intelligent technologies to continuously validate access, manage risk dynamically and respond to threats faster.

Utilities operate at the heart of national security, economic stability and daily life. And yet, despite heavy investments in cybersecurity and compliance programs, many utilities are leaving themselves exposed to massive risk because they’re not addressing the gaps between physical access, identity governance, third-party risk management and regulatory compliance.

The truth is, failing to implement a modern physical governance, risk and compliance strategy is costing utilities millions in regulatory fines, operational disruption and potential reputational damage. Worse still, it’s opening the door to insider threats, sabotage and even coordinated attacks on critical infrastructure.

As we enter the AI era, integrating comprehensive cyber and physical security measures within the GRC framework is essential for modern organizations. By developing a holistic security strategy, implementing comprehensive risk assessments, enhancing incident response plans, ensuring regulatory compliance and promoting a culture of security awareness, organizations can effectively manage risks and uphold high standards of governance and compliance. As threats continue to evolve, these imperatives will help organizations stay resilient and secure in an increasingly complex security landscape.

Strategies That Lead to Better Resilience and Security
To overcome these challenges, organizations can adopt several strategies. Implementing a unified GRC platform can facilitate the integration of processes and data across governance, risk management and compliance functions, providing a holistic view of the organization’s cyber and physical security posture.

Additionally, establishing cross-functional teams can enhance communication and collaboration between departments, ensuring that GRC efforts are aligned and cohesive. Furthermore, ongoing training and awareness programs can help embed a culture of security throughout the organization, ensuring that all employees understand their role in supporting GRC objectives. With GRC software, companies can track resources, assess risks and implement policies based on real-time data, helping them make smarter decisions with confidence. 

Features to Consider
As with every technology implementation, it’s important that you find a solution that aligns with your organizational needs. You’ll want to consider functionality that allows for:

  • Automation for efficiency – The more manual processes you can remove, the better.
  • Integration with existing systems – An application that cannot communicate with the rest of your environment will fail. Make sure you identify a platform that can “talk” to your existing systems.
  • Ease of use – Complexity creates confusion and risk. Make sure your solution is something your users can actually master.
  • Adoption of predictive analytics – Blending historical data, machine learning and statistical methods gives your utility an edge in identifying potential threats before they materialize.

In Conclusion: It’s Time to Accelerate Digital Solutions in the Physical Space
Embracing a unified, automated approach to physical GRC isn’t just a strategic necessity—it’s an imperative for resilience. Let’s harness the same digital accelerators that revolutionized IT GRC and bring physical security into the modern era.

When these elements work in concert, they create a comprehensive framework that addresses security from all angles. After all, with threats evolving as fast as they are, why should our defenses remain stuck in the past? The risks of not modernizing physical GRC are no longer theoretical. They’re operational. They’re financial. They’re legal. The integration of GRC is crucial for enhancing an organization’s security posture. It’s about protecting your workforce, securing your assets and demonstrating control to regulators, shareholders and the communities you serve.


About the Author

Brian currently serves as a chief security officer for a large energy company. He is responsible for the company’s cybersecurity, physical security, privacy and business continuity units. In 2018, Brian was appointed by the president of the United States to serve as the sixth assistant secretary for Infrastructure Protection at the Department of Homeland Security. He also served as the first assistant director (now executive assistant director) for Infrastructure Security at the U.S. Cybersecurity and Infrastructure Security Agency. Brian has spent time during his career in the U.S. Marine Corps and various private sector agencies with the goal of protecting the United States from security threats.