Respondents highlight the challenges, opportunities and considerations they are grappling with in the face of regulatory compliance, effective governance and risk management shaping cybersecurity policies and activities.
There was a time when professionals looked at threats as a predominant measure of cybersecurity’s impact on organizations and society. While threats continue to be a critical consideration, they sit within a wider scope of factors – those of governance, risk and compliance (GRC). Risk is for many the factor that shapes and informs most cybersecurity decisions. How much risk does a particular operation or activity pose to the organization? What is the risk profile of inaction vs action? Are the consequences worth the risk we are taking on? These are just a few of the risk-focused questions cybersecurity professionals grapple with daily, especially in relation to meeting regulatory and other layers of compliance, as well as determining the risk relating to governance decisions and processes.
ISC2 recently surveyed 681 cybersecurity professionals globally that have responsibility for their organization’s GRC programs to capture their opinions on the challenges, opportunities and priorities in relation to this area.
ISC2 Spotlight on GRC
Join us for our fourth annual ISC2 Spotlight on Governance, Risk and Compliance (GRC) on January 21-22, 2026. Leading experts will discuss ways to navigate the uncertainty of mounting regulatory demands and increasing scrutiny from stakeholders. This virtual event will examine cutting-edge trends impacting GRC, such as risk quantification and artificial intelligence, while still covering the basic fundamentals that companies need to ensure their GRC program is in order. From forward-looking strategies to actionable recommendations, you'll gain valuable insights that you can immediately apply to your organization. This virtual event is free for ISC2 Members, Associates and Candidates to attend.
GRC as a Basis for Opportunities
The biggest opportunities for cybersecurity GRC professionals stem from the growing need to manage cybersecurity risk as a core business issue rather than a purely technical or compliance function.
This was a recurring theme among responses, and one comment in particular summed up the view: “In 2026, the biggest opportunity for GRC professionals is that cybersecurity has become a business priority, not just a technical issue. Organizations face stricter regulations, higher cybersecurity risks and increased use of cloud and AI technologies. GRC professionals help ensure compliance, manage risks in business terms and guide safe technology adoption. They also play a key role in managing third-party risks and building a strong security culture. This makes GRC roles more strategic and valuable to organizations.”
This was one of several comments that recognized that organizations face accelerating regulatory pressure, expanding digital ecosystems and increased reliance on AI and cloud technologies—all of which demand more scalable, intelligence-driven governance models and all of which carry unique risk profiles that need to be understood and, where appropriate, mitigated.
“The greatest opportunity is the ability of cybersecurity professionals to leverage AI to support GRC activities especially within risk and compliance,” noted another respondent, while another recognized that the rise in GRC is an opportunity to combine technical and strategic disciplines, noting: “Organizations increasingly need GRC professionals who can bridge technical security controls with regulatory requirements, quantify cybersecurity risk to support executive decision-making, as well as govern cloud, API, identity and AI-related risks.”
GRC leaders have a significant opportunity to leverage automation and AI to enable continuous risk assessment, compliance monitoring, and predictive insights, reducing manual effort while improving accuracy and timeliness. But doing so requires a shift in emphasis, as several respondents mentioned. “GRC professionals need to integrate cybersecurity and AI risks into enterprise risk management, enabling clearer governance, regulatory readiness, and informed executive decision-making.”
At the same time, intensifying global regulations and supply-chain scrutiny elevate the importance of professionals who can translate complex legal requirements into practical, business-aligned controls across internal and third-party environments. “Streamlining overlapping regulatory requirements through unified controls, leveraging automation for continuous compliance and strengthening third-party and supply chain risk management. These capabilities position GRC teams as strategic partners who enable secure innovation while ensuring regulatory and risk assurance.”
Another major opportunity lies in elevating cybersecurity risk communication to the executive and board level. “Organizations face accelerating regulatory pressure, expanding digital ecosystems, and board-level scrutiny, creating demand for GRC leaders who can translate technical risk into business impact.”
Additionally, data governance, privacy engineering and ethical technology oversight—particularly around AI—are becoming central to trust, resilience and corporate reputation.
Several respondents noted this, with one in particular commenting: “Many executives see GRC in cybersecurity as a ‘check box’ activity. If cybersecurity professionals can overcome the challenge of this by advocating for proper risk activities, this will create the larger opportunity to integrate cybersecurity as a business enabler.”
Overall, the view of respondents is that in the year ahead, GRC professionals need to move beyond compliance enforcement into strategic leadership roles. Those who combine regulatory expertise, technical fluency, risk quantification and corporate communication will be critical in helping organizations operate securely, compliantly and competitively in an increasingly complex digital environment.
Overcoming GRC Challenges
GRC professionals face mounting challenges driven by regulatory expansion, accelerating technology change and rising expectations from both their own boards and from government/industry regulators. The GRC function is under pressure to deliver greater assurance, speed and relevance—often without proportional increases in resources or authority.
This was a recurring theme in many responses; one respondent in particular noted that “the biggest challenges for GRC professionals are keeping up with changing regulations, managing cyber risks in complex environments and with third-party vendors, and balancing security requirements with business speed. Limited visibility into vendor security and ongoing human-related risks also make governance and compliance more difficult.”
The most significant challenge is managing regulatory complexity across borders and industries. Organizations must comply with overlapping and sometimes conflicting cyber, privacy and resilience regulations, requiring GRC teams to continuously interpret, harmonize and operationalize requirements while maintaining consistency and audit readiness.
“One major challenge will be keeping pace with rapidly evolving regulations and standards, particularly in areas such as privacy, AI governance and sector-specific cybersecurity requirements, which increase compliance burden and the risk of misalignment,” one respondent noted, with another adding that “as rules continue to evolve across different regions and industries, it can be difficult to interpret them correctly and ensure the organization stays compliant without slowing down business operations.”
Skills were also seen as a challenge, with GRC roles and needs growing faster than cybersecurity professionals have been able to develop their own skills to keep pace. While tools and opportunities exist, such as certifications including ISC2’s CGRC, many are struggling to develop themselves and their teams due to resource challenges.
“Resource constraints and skills gaps—particularly in data analytics, automation and cross-disciplinary risk expertise—limit the ability of GRC teams to move from manual, reactive compliance toward continuous, strategic risk management,” said a respondent.
Third-party and supply chain risk remains a persistent and growing challenge. Organizations are being held accountable for the security posture of their vendors, software suppliers and partners, yet often lack visibility, leverage, or standardized assurance mechanisms to manage these risks effectively at scale. It creates a risk layer that many are struggling to deal with, according to several participants in the survey.
As one respondent put it: “Organizations face a ‘perfect storm’ of rapid AI adoption, tightening global regulations (like the EU AI Act and NIS2), and interconnected supply chain threats, the role of the GRC professional is becoming more visible—and more valuable—than ever.” Another added that “Supply chain attacks and vendor breaches are increasing. Regulators now require organizations to manage third-party risks proactively.”
Another critical challenge is translating cyber risk into business and financial terms that resonate with executives and boards. “As compliance moves toward continuous monitoring and automation and boards become more accountable for cyber oversight, GRC roles are shifting from administrative compliance to strategic, board-level advisory functions, making technically aware GRC professionals highly valuable and future-proof,” one respondent said, with comments going on to point out that GRC teams are now needed to support executive decision-making, but that some struggle with inconsistent metrics, immature models and limited alignment with enterprise risk management (ERM) and financial planning processes. However, it was also noted that “rising board expectations for resilience opens the door for GRC leaders to drive integrated cybersecurity risk programs that link technical risk to financial, operational, and reputational impact,” while also recognizing that “those who can contextualize cybersecurity in terms that executives and boards understand — financial exposure, operational continuity, legal obligations — will be the most impactful leaders in their organizations.”
Finally, talent constraints and role expansion strain GRC teams, with several noting that “talent shortages, technical debt and the need for continuous evidence generation strain already limited resources.” Professionals are expected to master regulatory interpretation, technology risk, data analytics, AI governance and leadership communication—often simultaneously. Balancing compliance execution with strategic advisory responsibilities, while maintaining independence and credibility, is increasingly difficult at the best of times. One respondent in particular summed up the challenge facing those responsible for GRC in their organizations: “I find it difficult to provide the board with the real time, financially quantified risk data they demand. This is compounded by a critical talent shortage of professionals who possess the rare blend of technical cloud expertise and international legal fluency required to navigate this landscape.”
Summarizing GRC Professionals’ Plans
Across the responses received to the survey questions, those charged with GRC programs for their organizations made clear that they are focused on increasing the strategic impact of GRC, improving risk quantification and modernizing how GRC operates within their organizations. In particular, they noted:
- There was recognition of the need to strengthen the ability to translate cybersecurity risk into business and financial terms, supporting executive and board decision-making with clearer, more actionable risk insights. Quantitative risk and how cybersecurity risk integrates with enterprise risk management (ERM) were repeated in responses.
- Deeper expertise in emerging regulatory and governance areas is seen as essential, particularly those related to cloud resilience, third-party risk, data privacy and AI governance. Rather than focusing solely on regulatory interpretation, GRC professionals see the need to operationalize risk requirements—designing controls that are scalable, auditable and aligned with how their organizations actually function.
- Several respondents stated a need for modern GRC roles and applications to move away from manual, point-in-time assessments toward continuous, data-driven oversight, in many cases leveraging the very same AI tools and technologies that are creating some of the evolving GRC headaches they need to contend with.
- Strong governance depends as much on trust and clarity as it does on frameworks and policies. Being able to communicate up to the board and out to the rest of the business in terms they can understand and relate to is key. GRC is also increasingly interdisciplinary, making building credibility across other non-cybersecurity and non-IT teams such as legal, sales, marketing and finance essential for effective governance.
Overall, the responses of these survey participants suggest that the core GRC challenge in 2026 is not a lack of frameworks or regulations, but rather the ability to operationalize governance at speed and scale while keeping it aligned with business strategy. GRC professionals also need to move from simply carrying out compliance execution towards providing risk leadership within their organizations, positioning themselves and their teams as a resource that can modernize processes, improve risk visibility and communicate clearly under pressure while maintaining resilience and trust.