In response to the headline breaches plaguing organizations across the globe, numerous solutions and recommendations have gained popularity in the fight to combat cyber-crime. New security appliances, 24x7 network monitoring services and red team assessments are a few of the solutions being discussed among IT leadership and the cybersecurity services community. While each of these solutions plays a crucial role in strengthening the cyber resilience of organizations, their efforts are often futile if the appliances are not used correctly or if vulnerabilities are not remediated properly and expeditiously.

So, the question becomes: how do you manage your security program and ensure that your organization is following the proper processes, policies and procedures? The best way to do this is with an effective, cyber-centric IT Governance, Risk and Compliance (GRC) program.

Unless I'm talking with internal audit leaders, I'm often asked "What is IT GRC?" A closer look quickly reveals that the concepts covered by this acronym encompass topics that keep CIOs and CISOs awake at night -- at organizations of all sizes, in all sectors.

An effective IT GRC program delivers sustainability, consistency, efficiency and transparency through execution in strategic alignment, value delivery, risk management, resource management and performance management. Each of these domains is vital to the success of an enterprise's IT effectiveness; however, in today's cyber threat landscape, it is imperative that an organization's Risk Management Program sufficiently addresses modern cyber risks.

An effective Cyber Risk Management Program is an organization's first defense against becoming the next headline breach. An IT audit or security assessment only delivers value if proper remediation steps are taken and supported by the board and senior management. An effective cyber-centric IT GRC program can facilitate that remediation and prevent future weaknesses.

Here are ten questions to consider, which an IT GRC program will help you answer:

1. What are our objectives related to the confidentiality, integrity and availability of our systems and data?
2. How do we establish, maintain and approve cybersecurity objectives that support achievement of the organization's business objectives?
3. How do we establish, maintain and communicate integrity and ethical values to support the Cybersecurity Risk Management Program?
4. How is the board of directors engaged in the oversight of the organization's Cyber Risk Management Program?
5. Have we established effective cybersecurity accountability and reporting lines?
6. What are our cyber risks based on the nature of our business operations, our principal products and services, and our distribution channels?
7. What types of sensitive information do we create, collect, transmit, use or store? Where is our sensitive information stored?
8. What factors have a significant effect on our inherent cybersecurity risks, including the characteristics of technologies implemented, use of third-party service providers, and delivery channels used by the organization; organizational and user characteristics; and environmental, technological, organizational and other significant changes?
9. How do we conduct ongoing and periodic evaluations of the operating effectiveness of cybersecurity control activities?
10. How do we evaluate and communicate cybersecurity threats, vulnerabilities and corrective measures to management and the board of directors?

While an effective, cyber-centric IT GRC program will not prevent all cyber incidents, incorporating these 10 areas will better position your organization – away from being the "gazelle at the back of the herd," under constant attack from cyber criminals.