Gartner Sr Director Analyst Michael Kranawetter discusses why it's essential that risk management and governance work closely together in 2025.
Digital transformation and emerging regulations like NIS2 mean organisations are having to navigate a dual challenge: adapting to a new regulatory environment and managing expanding attack surfaces.
As the stakes rise, aligning Cyber Governance, Risk, and Compliance (GRC) practices with broader risk management strategies has become an urgent priority.
But how can organisations adapt and prepare effectively?
To explore this further, we spoke with Michael Kranawetter, Sr Director Analyst at Gartner, about strategies for aligning Cyber GRC with enterprise risk management, the role of AI in enhancing cybersecurity practices, and the milestones organisations should focus on in the coming years.
Establishing a proactive governance framework
Industry experts emphasise that adopting a proactive and structured approach is crucial. Establishing governance frameworks, such as the updated NIST CSF 2.0, can lay the foundation.
This enables organisations to define decision rights and processes while embedding cybersecurity into their overarching risk management strategies. Yet, this transformation isn’t without its hurdles, particularly when it comes to resource constraints and the integration of cutting-edge technologies such as AI.
Therefore, one of the first steps for organisations is transitioning from a reactive to a proactive stance in cybersecurity governance. Formalising a governance framework like NIST CSF 2.0 provides clarity on roles, processes, and control implementations.
“Governance frameworks ensure that cybersecurity efforts are strategic, structured, and scalable,” notes Michael. This structured approach ensures that cybersecurity measures are not only effective but also aligned with business goals.
Governance frameworks also facilitate continuous monitoring, a crucial aspect in today’s fast-paced threat environment.
By investing in real-time impact-based assessments, organisations can stay ahead of potential vulnerabilities.
“Continuous monitoring equips organisations to identify and mitigate risks dynamically, reducing potential disruptions,” adds Michael, emphasising the need for agility and foresight in risk management.
This shift enables organisations to identify risks early and respond effectively, minimising their impact on operations.
Leveraging AI and automation for risk mitigation
The role of AI in cybersecurity cannot be overstated, with its ability to enhance predictive analytics, automate assessments, and enable continuous monitoring.
“AI enables organisations to move from reactive risk management to a predictive approach, unlocking the ability to forecast threats and act preemptively,” Michael explains, highlighting how AI-driven insights are revolutionising risk prioritisation.
Organisations integrating AI into their Cyber GRC practices gain an edge through automated risk assessments, which reduce manual effort and improve accuracy.
Predictive analytics, in particular, allow for early detection of potential vulnerabilities, enabling preemptive action.
“AI tools are most effective when paired with robust governance, as they amplify the impact of a well-structured risk management strategy,” says Michael.
Despite the advantages, adopting AI requires investment in training and strategic resource allocation.
“Resource constraints are a challenge, but prioritising training and leveraging AI for high-impact areas can maximise efficiency,” says Michael.
Therefore, targeted training is needed to ensure teams are equipped to leverage these advanced technologies effectively.
Aligning cyber GRC with business objectives
For Cyber GRC efforts to truly succeed, they must transcend mere compliance and integrate seamlessly with an organisation’s broader objectives.
“Cybersecurity leaders need to articulate the business value of their initiatives, showing how they support growth and resilience,” explains Michael.
This matters when trying to foster cross-functional collaboration between cybersecurity teams and other departments, for instance between cyber and legal, which will become increasingly essential for adhering to regulations.
Developing a clear risk appetite statement, derived from business objectives, ensures that Cyber GRC initiatives support the organisation’s strategic direction.
Furthermore, regular engagement with stakeholders, like the boards of directors and executives, promotes alignment and builds trust.
“Stakeholder engagement is vital; it helps create shared ownership of cybersecurity strategies and their outcomes,” Michael explains.
Studies have shown that a lack of cyber representation in executive meetings has previously hindered cybersecurity, so open communication can foster a shared understanding of cybersecurity's value.
This alignment is further reinforced by using metrics that reflect both compliance and business priorities.
By demonstrating tangible outcomes, such as reduced risk exposure and optimised resource allocation, organisations can secure continued investment in their Cyber GRC programs.
Milestones for the future
Looking ahead, organisations must focus on both immediate and long-term milestones to build a robust Cyber GRC strategy.
Over the next 18 to 36 months, key priorities include adopting explicit governance frameworks, implementing continuous control monitoring, and integrating AI-driven risk quantification.
“The future of Cyber GRC lies in adopting tools and frameworks that bridge operational needs with strategic goals,” Michael advises.
Ultimately, the journey towards a more integrated and proactive Cyber GRC approach is a strategic imperative.
By aligning governance with business goals, leveraging AI capabilities, and prioritising impactful risk assessments, organisations can safeguard their operations while building a resilient foundation for future challenges.