By: Lauren Shaffer – Seiso Project Manager and Side Up Podcast Host
Governance, Risk, and Compliance Still Struggle to Get Attention
When cybersecurity leaders talk about underfunded initiatives, the conversation usually turns to budget. But what if the bigger problem isn’t money? What if the real issue is visibility?
Seiso CEO Joe Wynn saw this firsthand during a recent gathering of IT leaders. “I was in a room of about 40 or 50 people,” he recalled. “And when I asked how many were familiar with GRC, only a few hands went up—maybe 15 percent.”
For many of those leaders, the challenge wasn’t just securing funding for penetration testing, audits, or new controls. It was explaining to their own leadership teams why those investments mattered in the first place. “They couldn’t clearly connect security risks to business risks,” Joe said. That gap, he realized, had less to do with technical shortcomings and more to do with missing structure.
It was a turning point. As Joe put it:
“Most of these leaders aren’t just missing budget. They’re missing the process that helps connect security work to business risk.”
That process is governance, risk, and compliance—GRC. Not in the form of a software tool or a compliance report, but as a business function that defines how security is prioritized, reviewed, communicated, and pursued across the organization.
In many growing companies, especially those in regulated or high-risk sectors, GRC is treated like a formality. It only becomes a focus during audit season.
Listen to the full Seiso Side Up Podcast episode related to this article
Without a GRC foundation in place, risk remains abstract. Leadership doesn’t see the trends. They don’t see the cost of inaction until it becomes a breach, a failed audit, or a lost customer.
At its core, GRC is about surfacing risk early, translating it into business language, and establishing the structure to address it. That structure doesn’t need to be large or expensive, but it does need to exist.
What GRC Is (And What It Isn’t)
GRC stands for governance, risk, and compliance. It’s a critical set of business processes that shape how your organization manages security risks and ensures defensibility. But in many companies, the term gets confused with tools or frameworks.
As Joe explained during the conversation, “GRC is not a product. It’s not a tool. It’s a series of business processes.”
At a basic level, governance means defining who the security program serves and how decisions get made. It includes policies, ownership, and clarity about what the organization stands for when it comes to security.
Risk is about identifying threats, prioritizing them, and deciding which controls to implement. It’s not just about creating risk registers or passing audits. It’s about making security operationally relevant to the business.
Compliance is where most organizations tend to focus—but it’s only part of the picture. Whether your team is working toward ISO 27001, SOC 2, CMMC, HIPAA, or internal policies, compliance is the outcome of strong governance and risk practices—not a substitute for them.
GRC brings all three together. It supports oversight, escalation, prioritization, and communication. It also creates a repeatable way to answer a foundational question:
How effective is your security program, and how do you know?
Without these processes in place, organizations struggle to stay aligned from a security perspective. Risk assessments are one-offs. Policy reviews get skipped. Reports to leadership are reactive or incomplete.
Joe put it clearly:
“If those processes are missing, you lose the ability to communicate properly to the organization.”
That communication gap is where security programs stall. It’s not just about technical controls. It’s about having the structure to guide decisions, report status, and keep the business accountable to its own priorities.
Why Traditional vCISO Services Don’t Go Far Enough
Many growing organizations have historically looked to a virtual Chief Information Security Officer (vCISO) when they can’t justify hiring a full-time executive. On paper, it sounds like the right move—an experienced leader who can shape your security strategy and communicate with the board. But in practice, most vCISO models don’t go deep enough.
The issue isn’t the intent. It’s the assumption that one person can do it all.
“There’s a common misconception I hear from customers,” said Eric Lansbery, Seiso’s COO. “That a vCISO can do everything themselves for one low hourly rate.”
In reality, effective security programs require a range of skills—technical, procedural, and strategic. A single vCISO might be excellent at executive communication but unable to handle risk assessments, policy writing, audit preparation, or technical remediation planning. Some bring strong governance experience but lack exposure to cloud environments or modern application architectures.
Joe expanded on this point. “A vCISO is one of the most expensive resources you can find. And when they’re asked to fill every role—from creating policy to prepping PowerPoints for the board—that’s not an efficient use of their time.”
The challenge gets even tougher in smaller organizations. There’s often not enough work to justify full-time roles for each function, but too much risk to ignore. The vCISO ends up pulled in too many directions, while gaps in day-to-day operations persist.
The key question isn’t “Do we need a vCISO?” It’s “Do we have the right mix of skills and capacity to run a program that actually moves forward?”
That’s where the traditional vCISO model starts to break down. It offers strategy without support. Oversight without execution. Leadership without lift.
What many organizations need isn’t just a strategist—they need a functioning GRC capability.
And that’s where a new model begins to take shape.
Introducing vGRC: A More Practical Model for Today’s Organizations
To solve the disconnect between strategy and execution, Seiso developed a business solution called vGRC—short for virtual Governance, Risk, and Compliance. It’s not an abstract framework or a set of checklists. It’s a managed service delivered by a fractional team that operates like an extension of your internal staff.
Joe described the origin of the approach this way:
“Customers would come to us needing help getting audit-ready—ISO 27001, SOC 2, CMMC, you name it. We’d show them how to build the missing processes, and after seeing our team in action, they’d say, ‘Can you just keep doing this?’”
That repeat request led to the development of Seiso’s vGRC service. Rather than assigning a single point of contact, Seiso brings together a team of specialists—typically three to five roles—to cover the full scope of governance, risk management, compliance, and security leadership.
These roles can include:
– GRC practitioners to structure and maintain the program
– Cloud and infrastructure security experts to connect compliance to real-world architecture
– Enterprise and application-security penetration testers
– Policy writers and training facilitators
– A vCISO who engages when strategic leadership or executive communication is needed
This model isn’t about passing off work to a generalist. It’s about matching the right skill to the right need, at the right time. Each team works alongside the client to fill in the operational gaps and build internal maturity.
“We’re not just consultants on the sidelines,” Joe emphasized.
“We’re in the trenches with the customer. Sometimes we’re in the driver’s seat, helping implement the program while their internal team focuses on other priorities.”
With Seiso’s vGRC approach, clients don’t just get strategy—they get execution, continuity, and outcomes. The service runs on a defined rhythm, supporting everything from audit prep to incident response planning, all year long.
It gives you the depth of an internal team, without the overhead of building one from scratch.
The Value of a Fractional Team
Building a complete internal security team is expensive and time-consuming. And even when budget isn’t a barrier, finding the right mix of skills can be nearly impossible. That’s why the vGRC model relies on a fractional team—not a single person trying to do it all.
Joe explained it clearly:
“You’re not just getting one unicorn. You’re getting the strengths of three to five people, without needing to hire them full-time.”
That team often includes a GRC lead, a vCISO, a cloud security engineer, an enterprise penetration tester, an operational support person, a secure code developer, an automation specialist, and a policy or training specialist. It can also include software security experts or seasoned system administrators. Each brings specific expertise, activated as needed.
For most organizations, especially those in the $50 million to $500 million range, there’s not enough work to keep a full team of five busy year-round. But there’s more than enough risk