Operationalizing Security and Compliance: Why You’re Already Doing It

By Heath Gieson

What if I told you your organization is already practicing cybersecurity—even if you’ve never written a single security policy?

That’s right. Many businesses unknowingly embed security and compliance into their daily operations. The challenge isn’t starting from scratch—it’s recognizing what you’re already doing and building on it.

Take a simple example: invoicing and payment processing. In many businesses, the person who sends out invoices is not the same person who processes payments. That’s not just good accounting practice—it’s a security measure called separation of duties. Even if your organization doesn’t have a formal written policy for this, you’ve operationalized security by embedding this safeguard into your daily workflow. And by consistently following this practice, you’ve operationalized compliance.


Why We Get GRC Wrong

In the security world, we often throw around the acronym GRC (Governance, Risk, and Compliance) as a way to describe this concept. But honestly, the order is wrong. It should be RGC: Risk, Governance, and Compliance.

Here’s why:

  • Risk comes first. Let’s replace the word Risk with the word problem. When we notice a problem in the business, we come up with a plan to avoid that problem. No one should be solving a problem that does not exist, just as no one creates a policy without a reason. That reason is usually risk: leaving a process to chance is too risky. Therefore, policies are created to solve the problem, that is, to address the risk.
  • Governance follows. Once we understand the risk, we put rules and policies in place to manage it. Governance is just the policies, or guidelines, put in place to avoid the risk.
  • Compliance measures success. Compliance is just measuring how well the organization follows the policies.

At its core, security isn’t about acronyms or frameworks—it’s about helping organizations avoid problems by putting operational rules in place and then measuring how well those rules work.
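The invoicing example above and the idea of compliance as measurement, as an added Python example that is not part of the original post: it runs a constructed audit trail (an assumed record shape of invoice id, action, user) through the separation-of-duties rule, reports which invoices broke it, and computes a compliance rate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    invoice_id: str
    action: str   # "issued" or "paid"
    user: str

# Constructed audit-trail sample (not real data from the post)
SAMPLE_EVENTS = [
    Event("INV-1001", "issued", "alice"),
    Event("INV-1001", "paid", "bob"),
    Event("INV-1002", "issued", "carol"),
    Event("INV-1002", "paid", "carol"),    # same person on both sides
    Event("INV-1003", "issued", "alice"),
    Event("INV-1003", "paid", "dave"),
    Event("INV-1004", "issued", "bob"),
    Event("INV-1004", "paid", "bob"),      # same person on both sides
    Event("INV-1005", "issued", "alice"),  # not yet paid: nothing to judge
]

def pair_events(events):
    """Collect who issued and who paid each invoice."""
    by_invoice = {}
    for e in events:
        by_invoice.setdefault(e.invoice_id, {})[e.action] = e.user
    return by_invoice

def sod_violations(events):
    """Governance rule: whoever issued an invoice must not process its payment.
    Returns the invoice ids that broke the rule; unpaid invoices are skipped."""
    pairs = pair_events(events)
    return sorted(inv for inv, acts in pairs.items()
                  if "issued" in acts and "paid" in acts
                  and acts["issued"] == acts["paid"])

def compliance_rate(events):
    """Compliance: share of fully processed invoices that followed the rule."""
    pairs = pair_events(events)
    complete = [inv for inv, acts in pairs.items()
                if "issued" in acts and "paid" in acts]
    if not complete:
        return 1.0
    return (len(complete) - len(sod_violations(events))) / len(complete)

if __name__ == "__main__":
    print("violations:", sod_violations(SAMPLE_EVENTS))
    print("compliance rate:", compliance_rate(SAMPLE_EVENTS))
```

The same check runs unchanged over an export from a real accounting system once its rows are mapped onto the Event shape.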


What’s Next

Starting in January, we’re launching a new weekly blog series focused on what we call essential cyber hygiene. Think of it as the bare minimum every organization should be doing to protect itself from cyber risks. We’ll use the Center for Internet Security’s Critical Security Controls, Implementation Group 1 (CIS IG1) as our guide. This framework includes 56 practical controls designed for small and medium-sized businesses.

To make this series impactful, I’ve teamed up with two incredible experts:

  • Andrew Scott, Field CISO at Todyl
  • Tim Marley, President at Prism One Services

Together, we’ll break down each control, explain why it matters, and share actionable steps to operationalize these safeguards in your organization.

Our goal is simple: help every organization understand and implement the foundational steps to protect against cyber threats.

Look for next week’s post, where we’ll discuss the three steps to implementing any operational process.