#NSBCS.093 - Applying a PR Lens to GRC in Cybersecurity
Source: NSB Cyber
I’ve spent more than 20 years in Public Relations, the last six of which have been at Tenable, an exposure management company. In my role, I focus on shaping and executing messaging and outreach strategies across the Asia-Pacific and Japan region to support our business objectives. A big part of this work involves raising awareness of the most pressing cybersecurity challenges and translating these complex issues into clear, relatable narratives for business leaders, media, and the public.
When Macquarie University posted internship opportunities for students to deepen their understanding of cybersecurity, particularly in Governance, Risk and Compliance (GRC), it was the perfect opportunity to learn and grow. Having written multiple thought leadership pieces about various aspects within GRC, I was curious to see how my communications background could fit into this discipline. After all, it’s not every day you get the chance to step into a fast-paced consulting firm, surrounded by experienced cyber professionals and fellow alumni, and be encouraged to learn (and make mistakes) in real time.
Over the last eight weeks, I’ve had the opportunity to work on a wide range of projects that gave me an in-depth perspective into the mechanics of GRC. I created detailed documentation for incident response plans, business continuity plans, disaster recovery plans, cyber risk policies, third-party risk assessments, and cyber awareness training materials. I also became familiar with cybersecurity frameworks, including ISO 27001, SOC 2, NIST 2.0, APRA CPS 230, APRA CPS 234, the SOCI Act, and the Essential Eight.
Did my communications skillset come into play? Absolutely. Writing was central to much of my contribution. I quickly saw how communication is woven into the fabric of every GRC activity. Take incident response as an example: communication is integral at every step, from internal team coordination to external stakeholder updates. It is vital for minimising impact, maintaining trust, and ensuring a timely and accurate response. A strong plan doesn’t just outline technical steps; it also specifies who communicates, what is communicated, and when, whether it’s with internal teams, leadership, customers, regulators, or the media.
But I also had the chance to see the other side of the coin, the resilience side. Cybersecurity is not just about preventing breaches; it’s about how organisations respond, recover, and continue to function when the unexpected happens. Sitting within the GRC team gave me a front-row seat to how resilience is built into every policy, plan, and framework. It’s about ensuring that business operations can withstand disruption and that risk is managed proactively, not reactively.
This internship gave me the opportunity to view things from a GRC perspective, an area I had only ever written about before. I saw how frameworks move from guidelines into practice, how risk registers become living documents, and how compliance obligations intersect with business realities. Most importantly, I gained an appreciation for the “why” behind GRC. It’s not just about ticking boxes or meeting regulatory requirements, but about building trust, protecting people, and safeguarding the systems that societies depend on.
For me, this internship experience was more than an academic exercise. It was a chance to connect my background in communications with the world of GRC. It also underscored that strong communication is a critical enabler of resilience.
What we read this week
Ongoing targeting of online code repositories: The ACSC has warned of a rise in attacks on online code repositories, with threat actors gaining initial access through phishing, social engineering, stolen credentials, compromised access tokens, and malicious packages. Once inside, they scan repositories for secrets, leak credentials, make private repositories public, and modify packages to seed supply chain attacks, often using legitimate developer tooling rather than custom malware. To mitigate these risks, the ACSC advises organisations to investigate affected systems, validate software packages, raise user awareness, run secret scanning over their repositories, and rotate any credentials that may have been exposed.
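The "secret scanning" the ACSC recommends is, at its core, pattern matching over repository contents with enough filtering that it does not drown in placeholders. The following is an added illustration, not code from the ACSC advisory or from NSB Cyber: it walks an in-memory set of files (the sample repository and every token in it are constructed for the example; the AWS key is Amazon's published documentation example, not a live credential), matches documented credential formats (GitHub `ghp_` personal access tokens, AWS access key IDs, PEM private-key headers) and a generic `key = value` heuristic gated by a Shannon entropy threshold, and reports redacted findings. The 3.5-bit entropy cut-off is an assumption, not a published standard.

```python
"""Minimal secret scanner over repository contents (added example, not ACSC code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Documented public token formats plus one entropy-gated heuristic.
# Ordered so a specific rule wins over the generic one for the same line.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|password|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Assumed threshold (bits per character): placeholders such as "xxxxxxxx" or
# "changeme" score far below real random tokens, which sit above ~4 bits.
MIN_ENTROPY = 3.5


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never log the full secret; the finding itself would leak it


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, used to drop obvious placeholders."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line; at most one finding per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Only the heuristic rule needs the entropy gate; the others match
            # fixed formats that are unlikely to be placeholders.
            if rule == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                break
            findings.append(Finding(path, line_no, rule, redact(value)))
            break
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (a checked-out tree, or one commit's blobs)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository. The GitHub token and API key are made up;
# the AWS key is the placeholder from Amazon's own documentation.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        "DEBUG = True\n"
        'password = "xxxxxxxxxxxxxxxxxxxx"\n'  # placeholder, filtered by entropy
    ),
    ".github/workflows/deploy.yml": (
        "env:\n  GITHUB_TOKEN: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "src/client.py": 'api_key = "q7Vd2mZp9LkT4xRwB8nH"\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

Every hit is a rotation task, not just a deletion: removing the line from the tree leaves the value in history, and if the repository was ever public the credential must be treated as exposed. Running the same scanner as a pre-receive hook or CI step keeps new secrets out; a one-off pass over existing history finds the ones already there.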
NIST invites comment on migration to post-quantum cryptography: NIST’s NCCoE has released a draft white paper (CSWP 48) mapping post-quantum cryptography (PQC) migration capabilities to established risk frameworks. Today’s public-key algorithms protect sensitive data but could be broken by a sufficiently large quantum computer. PQC algorithms are designed to resist attack by both classical and quantum computers. Organisations are urged to start planning PQC migration now, as cryptographic transitions have historically taken years. A key concern is “harvest now, decrypt later” attacks, in which adversaries collect encrypted traffic today and store it until a quantum computer can break it. The paper maps the NCCoE’s PQC migration project to NIST CSF 2.0 and SP 800-53, so migration efforts can be tracked against existing frameworks and controls.
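The reason "start now" is more than a slogan is that harvest-now-decrypt-later exposure can be estimated from three numbers: how long data must stay confidential, how long migration will take, and when a cryptographically relevant quantum computer might exist. The following added example (written for this page; it is not from the NCCoE paper or NSB Cyber) applies that test, commonly attributed to Michele Mosca, over a constructed cryptographic inventory. It also handles the edge case the summary glosses over: signatures are not subject to harvest-now-decrypt-later, because a recorded signature cannot be retroactively forged, so only confidentiality assets are flagged. The five-year migration time and ten-year quantum horizon are illustrative assumptions, not forecasts.

```python
"""Harvest-now-decrypt-later triage over a cryptographic inventory (added example)."""
from dataclasses import dataclass

# Public-key algorithms whose security rests on factoring or discrete logarithms,
# which Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
# Symmetric and hash primitives (Grover only halves effective key length) and the
# NIST-standardised PQC algorithms ML-KEM (FIPS 203) and ML-DSA (FIPS 204).
PQC_SAFE = {"AES-256", "SHA-256", "SHA-384", "ML-KEM", "ML-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str                  # "confidentiality" (encryption / key exchange) or "authentication"
    confidentiality_years: float  # X: how long the protected data must remain secret


def hndl_exposed(asset: Asset, migration_years: float, quantum_horizon_years: float) -> bool:
    """Mosca's test: data is at risk when X + Y > Z, i.e. the data must still be
    secret (X) after the migration (Y) has failed to finish before a quantum
    computer arrives (Z). Only applies to confidentiality assets on vulnerable
    algorithms; a recorded signature cannot be 'decrypted later'."""
    if asset.purpose != "confidentiality":
        return False
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return False
    return asset.confidentiality_years + migration_years > quantum_horizon_years


def needs_migration(asset: Asset) -> bool:
    """Everything on a vulnerable algorithm must move eventually, HNDL or not."""
    return asset.algorithm in QUANTUM_VULNERABLE


def prioritise(assets: list[Asset], migration_years: float, quantum_horizon_years: float) -> list[str]:
    """Names of HNDL-exposed assets, longest-lived data first: those have the
    least slack and should move to ML-KEM (or a hybrid) before anything else."""
    exposed = [a for a in assets if hndl_exposed(a, migration_years, quantum_horizon_years)]
    return [a.name for a in sorted(exposed, key=lambda a: a.confidentiality_years, reverse=True)]


# Constructed inventory for the example; names and lifetimes are made up.
INVENTORY = [
    Asset("customer-records-archive", "RSA", "confidentiality", 15),   # long-lived, at risk
    Asset("hr-records-transfer", "ECDH", "confidentiality", 8),        # at risk under the assumed horizon
    Asset("vpn-tunnel", "ECDH", "confidentiality", 1),                 # short-lived traffic
    Asset("release-code-signing", "ECDSA", "authentication", 2),       # migrate, but not HNDL
    Asset("backup-encryption", "AES-256", "confidentiality", 20),      # symmetric, fine
]

# Assumed planning parameters, not forecasts.
MIGRATION_YEARS = 5
QUANTUM_HORIZON_YEARS = 10

if __name__ == "__main__":
    print("HNDL priority order:", prioritise(INVENTORY, MIGRATION_YEARS, QUANTUM_HORIZON_YEARS))
    print("Must migrate eventually:", [a.name for a in INVENTORY if needs_migration(a)])
```

The two lists differ on purpose: the first answers "what is being harvested against us today", the second "what the migration programme must cover". CSF 2.0's Identify function (asset and risk inventory) is where the first list comes from; Protect is where the second is worked off.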
Social engineering campaigns highlight the ability to exploit human behaviour: A recent S&P report warns that social engineering attacks are exploiting human behaviour to bypass advanced security systems. Attackers have used voice phishing to steal Salesforce credentials and have also abused compromised OAuth tokens issued to third-party apps such as Salesloft Drift. While no vulnerability in Salesforce itself was identified, such campaigns pose reputational risks and highlight over-reliance on third-party applications. Analysts stress the need for stronger awareness, training, and governance, noting that human error can nullify even the best security controls. The FBI has also linked groups such as UNC6040 to ongoing campaigns involving credential theft, data breaches, and extortion.
Cyber security leaders battling burnout: Cybersecurity professionals face constant stress and burnout, often feeling as though they are on call 24/7. Fred Thiele, CISO at Interactive, likens the role to “going to war”, with hidden day-to-day pressures (the iceberg below the waterline) compounded by targeted attacks or audits. Organisational demands to “always be better” heighten stress, making executive buy-in, funding, and backup support critical. Thiele stresses the need for personal accountability, knowing one’s limits, and seeking help to avoid breaking under pressure. While AI can ease workloads, it cannot replace human oversight, adding further responsibility to already stretched security leaders.
References
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-targeting-of-online-code-repositories
https://australiancybersecuritymagazine.com.au/nist-invites-comment-on-migration-to-post-quantum-cryptography/
https://www.cybersecuritydive.com/news/social-engineering-campaigns-highlight-the-ability-to-exploit-human-behavio/760747/
https://www.arnnet.com.au/article/4060639/cyber-security-leaders-battling-burn-out.html