Interview With Christophe Mazzola - Head of GRC at Cresco

Shauli Zacks, Content Editor
Published on: February 3, 2025

SafetyDetectives recently spoke with Christophe Mazzola, the newly appointed Head of GRC at Cresco Cybersecurity, to discuss his journey in cybersecurity and his vision for Cresco’s expansion into governance, risk, and compliance (GRC). With a background that blends hands-on risk management with strategic governance, Christophe sees GRC as more than just regulatory checkboxes—it’s a critical bridge between business objectives and effective security. His move to Cresco, a company renowned for its elite ethical hacking expertise, signals a bold step toward integrating offensive security insights with structured governance frameworks.

In this interview, Christophe explains how Cresco’s shift into GRC aligns with its mission, the challenges businesses face in maintaining compliance, and why cybersecurity isn’t just about finding problems—it’s about fixing them. He also shares insights on emerging trends like AI and IoT in security, the biggest compliance hurdles for organizations today, and the evolving skill sets that cybersecurity professionals must develop to stay ahead in the industry.

Can you tell us about your journey in the cybersecurity field and what excites you most about becoming Head of GRC at Cresco Cybersecurity?

If you had told me years ago that my cybersecurity path would take me from hands-on risk management to shaping governance strategies at a firm known for its elite ethical hacking, I might have laughed. But here we are—and it makes perfect sense.

I started in cybersecurity with a strong technical foundation but not necessarily from a cybersecurity standpoint. Over the years, I realized that the biggest cybersecurity gaps weren’t just technical—they were strategic. Companies weren’t just struggling with attacks; they were struggling to turn security into a business enabler.

That’s where GRC becomes a game-changer. Not just as a checkbox exercise, but as a way to bridge the gap between business reality and security best practices.

Why Cresco?

Cresco is known for its precision, its technical mastery, and its no-BS approach to security. Their expertise in ethical hacking is world-class, but they saw something crucial: hacking alone doesn’t fix systemic security issues—governance does.

When we first collaborated, it was to help their team gear up for NIS2 compliance. What started as a training turned into a shared vision—a mutual drive to redefine what security consulting should look like. We both saw the opportunity to build something beyond just audits and penetration tests—to create a strategic GRC practice that’s deeply integrated with offensive security insights.

So what excites me? The challenge.

  • Bringing a governance mindset to a company that’s built on deep technical expertise.
  • Helping clients move beyond compliance checklists to real, risk-based security.
  • Merging offensive security with governance, creating an approach where testing, risk assessment, and compliance aren’t separate silos—they work together.

At the end of the day, GRC isn’t about slowing things down—it’s about giving organizations the structure and confidence to move faster and safer. And at Cresco, I have the perfect environment to push that vision forward.

How does Cresco’s move into GRC activities align with the company’s broader mission in ethical hacking and cybersecurity?

Cresco has built its reputation on precision, integrity, and expertise in ethical hacking. They’re the people you call when you need to test your defenses against the best, and they’ve proven time and time again that they can break systems to make them stronger.

But here’s the thing: breaking things is only half the battle.

Ethical hacking identifies vulnerabilities, but without governance and risk management, those insights don’t always translate into long-term security improvements. That’s where GRC becomes the missing link.

Cresco’s expansion into GRC isn’t a shift—it’s an evolution. Here’s why it makes perfect sense:

Pentests and red teaming expose critical security gaps. But without a governance framework, many organizations struggle to prioritize and address these risks effectively. By integrating GRC, Cresco can now help clients operationalize their security improvements—turning findings into actionable, strategic security enhancements.

Regulations like NIS2, DORA, and ISO 27001 are making security a board-level issue. Organizations are expected to not just detect risks but manage them proactively. With GRC integrated into its core offerings, Cresco is now positioned to help companies align security with compliance—without falling into the trap of just “checking boxes.”

Security isn’t just about penetration testing or compliance audits—it’s about making security part of the company’s DNA.

The best security strategies don’t just find problems—they fix them. With the GRC practice, Cresco can now help clients build security resilience at every level—from technical defenses to boardroom strategies.

In short? Cresco’s mission hasn’t changed—it’s just getting bigger.

What do you see as the biggest challenges facing organizations today in maintaining cybersecurity compliance across different industries?

Cybersecurity compliance today is a moving target—it’s not just about meeting requirements, but about keeping up as the rules evolve. The biggest challenges organizations face right now? Complexity, resource constraints, and the illusion of compliance.

NIS2, DORA, GDPR, ISO 27001, SOC 2… the list goes on. Each industry has its own compliance standards, and they don’t always align.

  • A financial institution under DORA has different risk management requirements than a healthcare provider under HIPAA.
  • A cloud provider aiming for ISO 27001 might also need to consider SOC 2.

The challenge? Companies end up stacking compliance frameworks rather than integrating them—leading to audit fatigue and inefficiency.

Many organizations, especially SMEs, struggle with the cost of compliance:

  • Cybersecurity tools are expensive (SIEM, MDR, vulnerability scanning, GRC platforms…).
  • Hiring experts isn’t easy—there’s a global shortage of cybersecurity talent.
  • Continuous compliance is resource-intensive—it’s not just a one-time audit; it requires ongoing monitoring, reporting, and adaptation.

The challenge? Many companies treat compliance as a once-a-year checkbox, rather than an ongoing security strategy.

One of the biggest misconceptions? Compliance = Security.

  • A company can be 100% compliant on paper… and still be vulnerable to attacks.
  • Many breaches happen inside “compliant” companies—because real security isn’t just about policies, it’s about people, processes, and real-world testing.

With emerging regulations like NIS2 and DORA, compliance is shifting towards accountability at the highest level. Companies that don’t adapt now will soon realize that compliance isn’t just a requirement—it’s a competitive advantage. The real winners? Those who see security as a continuous process, not just a box to tick.

In your opinion, how is the role of governance, risk, and compliance evolving with the rise of emerging technologies like AI and IoT?

GRC is no longer just about checking boxes and enforcing static policies. With the explosion of AI, IoT, and hyper-connected ecosystems, the traditional approach to compliance is being turned upside down. Regulatory frameworks struggle to keep up with the speed of innovation, and security teams must navigate an increasingly complex, ever-changing risk landscape.

AI, for example, is a double-edged sword. On one side, it enhances cybersecurity with automated threat detection, risk assessments, and real-time anomaly detection. On the other, it introduces new risks, from AI-generated phishing attacks to deepfake fraud. Similarly, IoT devices expand the attack surface dramatically, creating security blind spots in industries that were never traditionally digital-first.

This means the role of GRC must shift from static rule enforcement to continuous, risk-adaptive governance. Security leaders need to think proactively, not just reactively. Instead of simply following compliance frameworks, they must anticipate how threats will evolve and adapt policies accordingly.

Threat actors are creative, persistent, and constantly finding new ways to exploit vulnerabilities. Security and risk managers must match that determination, staying ahead through continuous learning, creative problem-solving, and a pursuit of identifying emerging threats. In this new era, compliance isn’t just about meeting requirements—it’s about building resilience against the unknown.

What lessons can smaller businesses learn from larger enterprises when it comes to building robust cybersecurity and GRC frameworks?

Smaller businesses often assume that cybersecurity and GRC are luxuries reserved for large enterprises with deep pockets. But the reality is, they face the same threats, often with fewer resources to mitigate them. The good news? They can learn a lot from how larger organizations approach security—without the enterprise-level complexity.

One of the biggest takeaways is prioritization. Large enterprises don’t try to secure everything at once—they identify their most critical assets and risks first. Small businesses can do the same by focusing on what truly matters: customer data, financial transactions, and key operational systems.

Another key lesson is embedding security into business processes rather than treating it as an afterthought. Big companies have dedicated compliance teams, but smaller businesses can create simple, repeatable processes that make security part of daily operations—whether it’s enforcing strong passwords, implementing access controls, or regularly training employees on phishing threats.

Automation is another major advantage that large enterprises leverage, and small businesses should too. Security tools that were once only accessible to corporations are now available as affordable cloud-based solutions. Automated risk assessments, endpoint protection, and compliance tracking can help small businesses get enterprise-grade security without breaking the bank.

One often-overlooked lesson? Third-party risk management. Large companies rigorously vet their vendors because supply chain attacks are a huge risk. Smaller businesses, often reliant on third-party providers for IT, should do the same—just because you outsource a function doesn’t mean you outsource the responsibility.

Lastly, culture matters. Big corporations invest in cybersecurity awareness because they know that people—not just technology—are the first and last line of defense. Small businesses can implement the same mindset, ensuring that employees understand security isn’t just an IT issue but a business imperative.

At the end of the day, cybersecurity and GRC frameworks are not about size—they’re about strategy, adaptability, and the willingness to make security a priority before it becomes a problem.

Looking ahead, what do you think will be the most critical skills for cybersecurity professionals to develop in the next five years?

The cybersecurity landscape is evolving at an insane pace, and the skills that made a great cybersecurity professional five years ago won’t necessarily be enough for the next five. While technical expertise will always be essential, the real game-changers will be adaptability, critical thinking, and a deep understanding of business impact.

One of the biggest shifts will be AI and automation in security operations. The rise of AI-driven attacks and defenses means professionals need to understand how these tools work, their limitations, and how to implement them strategically. Knowing how to leverage AI for threat detection, risk management, and even compliance automation will be a massive differentiator.

Another must-have skill is risk-based decision-making. Cybersecurity is no longer just about setting up firewalls and patching systems; it’s about understanding which risks are worth mitigating, which ones to transfer, and which ones to accept. As businesses move toward a more risk-centric approach, cybersecurity professionals who can align security with business priorities will be indispensable.

Regulatory expertise is also going to be crucial. With frameworks like DORA, NIS2, and AI regulations coming into play, cybersecurity pros need to stay ahead of compliance requirements and know how to turn them into strategic advantages rather than roadblocks. Those who can translate complex regulations into actionable security measures will be in high demand.

Another overlooked but critical skill? Soft skills and leadership. Cyber professionals need to communicate complex security issues to non-technical stakeholders—whether it’s the board, legal teams, or even frontline employees. The ability to educate, influence, and lead cross-functional teams will be just as important as technical know-how.

Lastly, cybersecurity pros must develop a hacker mindset. That doesn’t mean breaking into systems, but rather thinking like an attacker, understanding the evolving threat landscape, and anticipating how cybercriminals will exploit new technologies. Ethical hacking, red teaming, and advanced threat modeling will continue to be highly valuable.

In short, the future of cybersecurity isn’t just about knowing how to configure a firewall or manage vulnerabilities—it’s about understanding the bigger picture, adapting to rapid changes, and ensuring security isn’t just a technical function but a business enabler.


About the Author

Shauli Zacks is a content editor at SafetyDetectives.

He has worked in the tech industry for over a decade as a writer and journalist. Shauli has interviewed executives from more than 350 companies to hear their stories, advice, and insights on industry trends. As a writer, he has conducted in-depth reviews and comparisons of VPNs, antivirus software, and parental control apps, offering advice both online and offline on which apps are best based on users' needs.

Shauli began his career as a journalist for his college newspaper, breaking stories about sports and campus news. After a brief stint in the online gaming industry, he joined a high-tech company and discovered his passion for online security. Leveraging his journalistic training, he researched not only his company’s software but also its competitors, gaining a unique perspective on what truly sets products apart.

He joined SafetyDetectives during the COVID years, finding that it allows him to combine his professional passions without being confined to focusing on a single product. This role provides him with the flexibility and freedom he craves, while helping others stay safe online.