-
The Fragile Seam: A New Way to Learn GRC

In cybersecurity GRC, practitioners go through messy, contradictory evidence to understand what’s breaking in an organization. But when I first started learning GRC, I realized there wasn’t a place to practice that. Inspired by the DIY spirit that drives creators to build the worlds they want to live in, I decided to create that place…
-
How GRC Professionals Can Govern AI Use in 2026

The defining risk challenge for the remainder of this decade is control of AI use. The experimental phase of AI is over. It is no longer just a sandbox tool for developers; it is now an autonomous agent making decisions, generating content, and interacting with customers on behalf of the enterprise. However, a dangerous visibility…
-
ISO 27001: A Practical, High‑Level Guide for GRC Professionals

This blog post will cover the fundamentals of ISO 27001. In short, ISO 27001 is a global standard used to create, maintain, and improve what the ISO (International Organization for Standardization) refers to as the ISMS (Information Security Management System).

Introduction

The latest version of ISO 27001 is the 2022 version, so it can also…
-
Authorization in GRC: IAM Series Part 3

So far, the IAM series has focused on authentication, which is the act of verifying someone is who they say they are. But once they are verified and have been granted access to a system, they shouldn’t be allowed to perform every action. For instance, an employee in an organization should not be allowed to…
-
Authentication in Microsoft Entra ID: IAM Series Part 2

In Part 1 of the IAM Series, we explored how authentication works, why it’s important from a security standpoint, and its various methods. Understanding these methods is important, but what is just as important is actually implementing them. Luckily, if the organization uses the cloud (which an increasing number of organizations are doing), they can…
-
Authentication in GRC: IAM Series Part 1

This is the first of several blog posts in the identity and access management (IAM) series, covering IAM from a governance, risk, and compliance (GRC) point of view. At its core, IAM ensures the right individuals access the right resources at the right times for the right reasons. Rather than configuring these technical tools, GRC…
-
Understanding Cyber Risk Quantification for Business

When it comes to risk management, cyber risk assessments are pretty well-known. Here, risks are given an impact level (low, medium, high) and likelihood (low, medium, high), based on what the business defines to be low, medium, or high. A more powerful, though less common, approach is Cyber Risk Quantification (CRQ). CRQ translates technical vulnerabilities…