Governance, risk and compliance (GRC) frameworks are now crucial in helping businesses prioritise cybersecurity investments, said Canary IT at the recent CyberSecure Summit in Sydney, hosted by Microsoft and Australian technology distributor Dicker Data.
Growing legal and regulatory complexity in Australia means that, without a structured framework, security budgets can quickly spiral out of control, Canary IT’s GM of Managed Services, Tom Freer, warned.
Canary IT, a cloud, cyber security and managed IT services provider with more than 70 professionals across Australia and New Zealand, sees GRC as the key to creating effective, practical and future-ready security programs.
GRC can ensure that ICT activities are aligned with business goals, helping companies identify risks, create IT roadmaps and meet compliance requirements in a streamlined, cost-effective manner.
Freer explained that without a clear GRC framework, businesses often struggle to align their security spend with actual needs.
“You can be spending money on different areas, but it may not be meeting those requirements for your business,” Freer said.
“GRC can deliver outcomes far above just cyber security; it can implement controls, improve decision making throughout the business and enhance operational efficiency, looking at process and policy and procedure to ensure that your business is operating effectively as well as being secured along the way.”
Freer also highlighted the importance of understanding the ‘why’ behind security investments, a step that many businesses overlook.
“If you go straight to the ‘how’, you're going to miss a lot of that foundational requirement,” he said.
“It's really important to know, why are you securing your business? Is it purely a compliance requirement, a regulatory requirement? Is it because you've got IP in your business that you need to protect? Is it because you've got vendors or partners or clients that are requiring you to have a higher level of security or compliance?”
Before rolling out any security solutions, Freer advised businesses to understand the specific frameworks relevant to their industry or operational needs, such as APRA’s Prudential Standard CPS 234 for regulated financial institutions or ISO/IEC 27001 for broader information security management.
Adopting a recognised cyber security framework provides a structured approach to strengthening defences while meeting regulatory and legislative requirements. The options range from the Australian Signals Directorate’s Essential Eight to international standards and frameworks such as the NIST Cybersecurity Framework and the CIS Controls, and to Zero Trust architecture, which enforces strict, continuously verified access controls and assumes threats exist both inside and outside the network.
Using Microsoft Purview to simplify compliance
Gary Boniface, Microsoft’s Senior Technical Specialist – Security, Compliance and Identity, discussed how Microsoft Purview Compliance Manager can simplify this process for organisations.
“At the heart of Purview is its understanding of the data and information types in the organisation, which helps us carry out discovery of that data, and then it helps us put controls in place – for example data exfiltration across Exchange, Teams, OneDrive, etc., plus endpoint control and audit controls and visibility around what users are doing within your organisation,” said Boniface.
“All those signals would come through and feed into Purview and provide a view of your organisational risk and internal risk as well.”
Purview Compliance Manager helps businesses choose the right compliance framework and assess their organisation’s posture against its controls. The tool simplifies compliance by providing pre-built assessments for common industry standards and regulations, or custom assessments for more specific needs.
For Canary IT, its GRC-driven security program focuses on six key areas: alignment with business objectives; regulatory requirements; risk appetite and tolerance; compliance management; incident response and management; and continuous monitoring and improvement.
“Governance and security is not a set and forget approach – it's something you need to constantly come back and look at and review and assess,” Freer said.
“Cyber risks are business risks. We don't need to talk about them in isolation being cyber only. Business continuity, disaster recovery, change management – that's a whole business approach.”
Talk to Canary IT about using GRC to prioritise your business’s cyber security budget.