The Mirage of Cyber GRC: Solving the Wrong Problem | Vyfority
Board Governance Briefing

The Mirage of “Cyber GRC”.

Why compliance-first CISOs are solving the wrong problem, and how boards can fix it.

Dean Kastelic

Principal Consultant

A familiar pattern is emerging across organisations: a newly appointed CISO arrives, and within months, a GRC empire begins to take shape.

Analysts, risk managers, even “heads of strategy” are hired. A parallel governance structure emerges that is impressive on paper but, in reality, a symptom of a deeper problem.

That problem isn’t cyber. It’s governance.

“Cyber GRC has become a boardroom buzzword, but it’s not the cure. It’s a distraction.”

Unless boards and executives recognise this, they’ll continue to misallocate resources, dilute cyber defences, and perpetuate compliance theatre.

How We Got Here

The rise of Cyber GRC didn’t happen by accident. It was driven by three converging forces:

  1. Regulatory pressure: GDPR, HIPAA, CPS 234, NIS2—compliance regimes forced organisations to stand up cyber-specific reporting.
  2. Weak enterprise governance: IT governance was immature. Cyber became the visible risk domain, so GRC practices incubated there.
  3. Board misdiagnosis: Executives mistook a governance vacuum for a cyber problem. Instead of strengthening the CRO, they pushed it onto the CISO.

The result? A generation of compliance-first CISOs, tasked with building GRC empires instead of defending the enterprise.

The Broken “3 Lines” Model

Figure 1 (diagram): 1st Line (Defence): Neglected. 2nd Line (Cyber GRC): Bloated empire. 3rd Line (Audit): Resisted.

Figure 1: When the CISO builds a GRC empire, defence resources are drained and assurance is resisted.

The Compliance-First CISO Archetype

The compliance-first CISO is hired to “bring order.” They build a GRC team because that’s what boards expect. But here’s the problem:

  • GRC analysts are not cyber specialists: Skilled at frameworks, but lacking the depth to assess exploitability or layered mitigations.
  • The CISO becomes a compliance officer: Buried in registers and reporting cycles instead of leading defence.
  • Cyber defence suffers: Threat intelligence and resilience take a back seat to compliance theatre.

Where GRC Belongs

GRC is enterprise-wide. The most effective model is one in which Cyber GRC is integrated into the broader enterprise GRC under the Chief Risk Officer (CRO).

The Right Model:

  • Cyber Specialists: Assess technical risk.
  • CRO Team: Records, tracks, and governs risk.
  • CISO: Focuses on defence and resilience.
  • Auditors: Provide independent assurance.

And let’s be clear: GRC analysts are not cyber experts. Asking them to evaluate technical risk is a major error that weakens both governance and defence.

A Better Way Forward

The fix requires courage from boards:

  1. Re-anchor GRC: The CRO owns GRC. Cyber is a subset, not a silo.
  2. Redefine the CISO: Defence, resilience, and secure enablement—not compliance empire-building.
  3. Clarify Labour: Specialists assess. Analysts govern. Auditors assure.

The Provocation

“Compliance-first CISOs are solving the wrong problem. Not because they want to, but because boards set them up that way.”

Until boards accept this, they’ll keep treating symptoms, not causes. Anything else is compliance theatre, which may actually weaken the very defences it claims to strengthen.

Fix Your Operating Model

Is your CISO trapped in compliance? Let’s reset the mandate.