Apply Now to Attend Nexus Conference 2025
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
nexus_ratliff-grc.jpg
Healthcare
Risk Management
Cyber Resilience
Operational Resilience

Rebuilding Legacy GRC from the Ground Up

Mike Ratliff
/
Jul 15, 2025

Let’s be honest: traditional governance, risk, and compliance (GRC) isn’t aging well.

What started as a useful governance model has become a checkbox bureaucracy in too many organizations. It reports risk but doesn’t drive it down. It tracks compliance but doesn’t improve resilience. And in today’s high-stakes threat landscape, that’s not just ineffective — it’s dangerous.

At Providence, one of the country’s largest not-for-profit healthcare systems, we’ve reached a point where the legacy GRC structure is holding back the impact of some incredibly capable people. So we’re doing what needs to be done: we’re retiring the structure—not the people—and rebuilding it into something that works.

To pull this off, I needed a partner who shared the vision and had the capability to lead. Manan Kakkar stepped up to take the helm and is driving this idea into reality. (btw, check out his app, I've made it part of my morning routine).

What we are building is GRAC — Governance, Risk, Attack Surface Management, and Compliance — a risk-centric, threat-aligned function built for outcomes, not optics.

Why the Legacy Model Had to Change

So why did we decide on this rebuild of the legacy GRC model? 

  • It prioritized documentation over detection

  • It reported risk without reducing it

  • It isolated key functions instead of integrating them

  • It limited technical talent to governance process support rather than risk action

Most importantly, it trapped skilled team members in a framework that didn’t reflect modern threats — or modern security work.

From GRC Constraint to Capability

This shift to GRAC isn’t about criticism — it’s about unlocking potential. Our former GRC team had the skills and commitment, but they were boxed in by a structure focused on reporting, not results. Now that they’re unbound, expectations are higher. I challenge them to use this empowerment to engage in deeper, more technical, and more strategic work. Here are some outcomes from this effort:

  • They now lead internal risk assessments that test real security posture, not just policy adherence

  • With support from the Office of the CISO, they work alongside Cyber Threat Intelligence (CTI), SecOps, Data Security, and Identity and Access Management teams to map threats to exposure

  • They are building skills in artificial intelligence, automation, analytics, and threat modeling — not just audit prep.

  • We’re not displacing them. We’re giving them room to grow.

What GRAC Brings to the Table

We believe GRAC will improve our overall program in five areas:

  1. Governance That Enables Action: We’re integrating governance into real decision-making processes, not just policy writing. It now reinforces engineering standards, drives exception management with teeth, and ensures accountability for enterprise security at a higher level.

  2. Risk Is Now Quantified and Prioritized: Using a custom Risk Priority Numbering (RPN) system injected with AI, we’re shifting from theoretical risk registers to real-time prioritization informed by threat intelligence, ITDR, and business impact. Risks are no longer debated in the abstract — they’re ranked, visualized, tracked, and owned.

  3. Attack Surface Management— Operational Core, Not Add-On: We’re fully integrating ASM into the program. It drives asset discovery and threat modeling, informs triage for vulnerabilities in systems, applications, and code, and surfaces real exposure across internal, external, and third-party ecosystems.

  4. Compliance as a Result, not a Goal: We treat compliance as a natural outcome of doing the right security work — not the primary objective. Controls are designed around threats and business needs, not audit checklists.

  5. Cyber Architecture Now Tied to Execution: No more “design ivory towers.” Architecture is embedded in the program and directly supports secure-by-design, SSDLC, and modernization efforts. It’s hands-on, risk-informed, and aligned with real deployment timelines.

The Result: A Program That Works — and a Team That Can Grow

This restructure isn’t about gutting legacy teams — it’s about enabling them to do what they’ve always been capable of: real, high-impact security work. GRAC elevates their mission, deepens their influence, and opens up new career paths grounded in technical acumen and operational relevance.


We didn’t rebrand GRC. We replaced it. And in doing so, we’re creating a program — and a team — that’s ready for what’s next.

Healthcare
Risk Management
Cyber Resilience
Operational Resilience
Mike Ratliff
AVP Security Engineering and Operations

Mike Ratliff is the Chief Information Security Officer at Providence, one of the country's largest not-for-profit healthcare delivery organizations.

Stay in the know Get the Nexus Connect Newsletter
Share
LinkedIn Twitter Facebook Email
Featured Articles
Considerations for Medical Device Vulnerability Remediation Technical Debt in OT Environments: How It's Different and Why it Matters The Purdue Model's Risky Blindspot
Featured Videos
Browse by Topics
Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust
You might also like… Read more
nexus_ricci-economics-of-ot.jpg
Industrial
Operational Technology
Risk Management
Technical Debt

The Economics of OT Cybersecurity: Are We Investing in the Wrong Priorities?

Dan Ricci
nexus_hope-2-cmdb.jpg
Healthcare
Operational Resilience
Cyber Resilience
Vulnerability Management

ASL Roma 1’s HOPE: Innovation and Resilience to Vulnerability Waves

Stefano Scaramuzzino
Fabio Battelli
A new Information Risk Insights Study by Cyentia Institute puts real data behind the likelihood of attacks against critical infrastructure sectors enabled by digital transformation. CISOs need to understand the expanded attack surfaces and other risks within smart factories, healthcare, and other sectors connected devices online.
Operational Resilience
Cyber Resilience
Operational Technology
Risk Management

Study Warns: Digital Transformation Amps up Cyber Risks in Manufacturing

George V. Hulme
U.S. critical infrastructure operators are urged to be vigilant in hardening operational technology and ICS cybersecurity in expectation of a retaliatory response from Iran for last week’s missile strikes.
Cyber Resilience
Operational Technology
Industrial
Internet of Things
Healthcare
Risk Management

Experts: Expect Iran’s Cyber Tactics to be Disruptive

George V. Hulme
nexus_underfunded-healthcare.jpg
Healthcare
Risk Management
Vulnerability Management
Cyber Resilience

Bridging the Cybersecurity Gap Among America's Underfunded Healthcare Providers

George V. Hulme
nexus_fabela-ur-e26.jpg
Cyber Resilience
Risk Management

E26: More Than Just a Maritime Cybersecurity Regulation—It's a Fundamental Shift

Ron Fabela
shutterstock_1489100678-(3)-(1).jpg
Industrial
Operational Technology
Vulnerability Management

Managing Serial-to-Ethernet Exposures in Modern OT Networks

Alessio Rosas
nexus_cloud-and-ot.jpg
Cyber Resilience
Industrial
Operational Technology
Risk Management
Vulnerability Management

Cloud's Double-Edged Sword: Transforming OT Exposure Management

George V. Hulme
nexus_terlizzi-weaponize-hc.jpg
Healthcare
Vulnerability Management
Risk Management
Cyber Resilience

How Hackers Exploit Healthcare Technology to Turn Life-Saving Systems into Weapons

Francesco Terlizzi
The NSA's Cybersecurity Technical Report on securing smart OT controllers champions secure-by-design and cyber-informed engineering, stating they prioritize “engineering controls to mitigate the worst consequences of cyberattacks”-like physical damage or loss of life. CIE moves cybersecurity from a design afterthought to a core engineering discipline. Traditional OT security often relied on air-gapping or retrofitting defenses, but CIE mandates designing systems that inherently resist attacks.
Cyber Resilience
Industrial
Operational Resilience
Operational Technology
Risk Management

How Cyber-Informed Engineering Shapes NSA’s Blueprint for OT Cyber Resilience

George V. Hulme
nexus_labonty-manuf-checklist.jpg
Industrial
Cyber Resilience
Operational Technology
Operational Resilience
Risk Management

An Operational Checklist for Securing the IT/OT Ecosystem

Jim LaBonty
nexus_convergence_rogers.jpg
Industrial
Operational Technology
Operational Resilience

Has IT/OT Convergence Improved Critical Infrastructure Cybersecurity?

ADM. Michael S. Rogers, USN (Ret.)
Latest on Nexus Podcast
See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
gentry_lane_hi-res_portrait.jpg
Cyber Resilience
Risk Management
Industrial
Healthcare

Nexus Podcast: Gentry Lane on the Use of 'Salami Cuts' in Cyber Conflict
steven-sim-ot-isac.jpeg
Operational Technology
Operational Resilience
Cyber Resilience
Vulnerability Management

Nexus Podcast: Steven Sim on OT-ISAC and Cybersecurity Information Sharing
Sarah Fluchs revisits the progress and adoption of the Top 20 Secure PLC Coding Practices list.
Cyber Resilience
Risk Management
Vulnerability Management

Nexus Podcast Episode 100: Sarah Fluchs on the Cyber Resilience Act