About this site
Honest GRC is an independent blog launched in February 2026 by Andrew Hesketh. I have over 20 years of experience in cybersecurity, spanning security engineering, security vendors and resellers, GRC consultancy, and leading GRC functions within major global organisations.
I started Honest GRC after repeatedly reading cybersecurity articles and finding myself thinking things like:
“That doesn’t line up with how things work in practice.”
“Is this actually a problem, or just part of the job?”
“Is this insight, or just noise?”
“Is this real progress, or just hype?”
The goal of the blog is simple: to share practical perspectives on governance, risk & compliance and information security from the viewpoint of someone who has spent many years working inside security programmes and dealing with the realities of implementing them.
This isn’t an academic blog and it isn’t vendor marketing. It’s a place for thoughtful discussion about how cybersecurity GRC actually works in practice.
A few important points about the content
- All views expressed on this blog are my own and represent personal opinions.
- The confidentiality of previous clients and employers is extremely important to me. When describing situations I’ve learned from, I do not name organisations or provide identifying details.
- I use AI tools to generate illustrations and occasionally assist with editorial review. However, I do not use AI to generate the substance of the articles themselves. Writing and developing ideas is the part I enjoy most.

If the articles help cut through a little of the noise in the industry and contribute something useful to the conversation, then the blog will have served its purpose.

Thanks,
Andrew