
Hi everybody, can everybody hear me all the way to the back with this mic? Cool, I see some thumbs up, awesome. So my name is Rose and I am going to be speaking on GRC, a Swiss Army knife. This talk is one that I've been mulling over doing for years. GRC is super near and dear to my heart; it just makes me insanely happy to do anything GRC related and kind of send the information out into the world. So we're going to talk about this topic. I promise I didn't make it boring; GRC is super interesting, especially if you work in it. This talk is meant to be very generic, so if you have other departments in your organization that are struggling working with other business units, a lot of the information that I talk about today can be universally applied, so take these takeaways and go apply them within your organization.

So I picked a Swiss Army knife as the concept of this talk because a Swiss Army knife is so multi-faceted: you use it to screw, you have a knife, you have clippers, you can pretty much make it whatever you need it to be. So we'll use this concept in order to talk about GRC, and hopefully it resonates with you guys.

Well, before we get into the good parts of this presentation, a little bit about me. So I am the Director of IT and Compliance at Spring Health. Spring Health is a mental health company that specializes in data and analytics to bring really good care to patients, so taking away from doing kind of like a hitting-the-darts-on-the-wall approach to mental health, but rather using data and analytics to provide really good care to our patients. As you can imagine, we have a pretty robust platform and lots of security things that need to happen on that. Before I came to Spring I was a consultant for years at CISO. I see some of my CISO friends in the crowd, so hi CISO. If you guys have not worked with them, go see Joe, he will hook you up and get you any support that you need. So shameless plug for you, Joe. [Laughter] And before that I was in the military for quite a bit of time, eight years, and I did network engineering, I did IT, I worked on crypto gear, you name it, I was doing it. And so my background gives me a whole lot of different things to pull from when I'm trying to build really good business relationships and, I think, fix the things that I'm trying to fix within my organization. Additionally I have some education, you guys can see it up there. More importantly, I like to volunteer in the community. I do lots of mentoring with women in cyber security, lots of work with giving back to the infosec community such as speaking, and then additionally I run the Diversity in Tech group at my organization, trying to bring more diverse folks into our technology department, which includes engineering, security and whatnot.

So enough about me. You guys didn't come to this presentation to learn about Rose, you came to learn about GRC, so we will get into our topics today. We are going to level set on what exactly is GRC. I've mentioned that tons of times now and haven't quite gone over what that really means to everybody, so we'll level set on GRC, what we normally do in this department. We'll talk about the challenges of GRC. These challenges are ultra important when you're trying to figure out how to fix your department, how to make it more efficient, how to enable the business. Then we'll talk about relationships in the organization. Any time that we're working with anybody in the business we need to understand the dynamics of those relationships in order to maybe fix the things that are going on, ask for help, whatever we need. So we're going to talk about relationships, and then we're going to get into the pronged approach: what do I mean by the Swiss Army knife? We'll break it down by some different prongs and we'll have some takeaways. The goal of this presentation is that you can go back to your organization and implement some of these tidbits and try to improve the quality of life when working with GRC, working with the business.

Governance, risk and compliance: that is what GRC stands for. A lot of organizations have a GRC department. Maybe it's called security and compliance, maybe just compliance, but ultimately it is a governance, risk and compliance type functionality. So we have three pillars that are happening within this department. We have governance, which is where you're aligning processes and actions; you're developing documentation, policies, procedures, standards that are generally governing the things that need to happen within the organization. Then you have risk management. Risk management includes risks that you may find on your platforms, in the environment, in processes, but it also includes vendor risk management: how are you managing the lifecycle of those vendors? Additionally, you can also lump client questionnaires into the risk management area. I know I refer to this program as client assurance and security, so any time you have a client sending you a questionnaire, asking about documentation, asking for artifacts, whatever it may be. Then we have compliance. Compliance is how we are complying with the legal and regulatory landscape of our particular business. I'll give the example of Spring Health. Spring Health is a mental health company, so HIPAA is applicable to us: the HIPAA Privacy Rule, Security Rule, Breach Notification. So the compliance team is responsible for understanding, consuming and ensuring that we are complying with that. Additionally, we have EU citizens, so GDPR becomes in scope for our compliance team, and we have consumers out in California for CCPA.

So these three pillars make up the governance, risk and compliance department, and as you guys likely know, it's very large, the activities that need to happen in this department, and we touch every single business unit in order to be able to fulfill these things that we need to do. Each of these pillars has their own nuanced processes that need to happen, and they're run by a team that's normally relatively small. I'm fortunate enough to have four people plus myself at Spring Health for a compliance department, but in the past maybe it was just me running it, or maybe we had to get staff aug, and so it becomes very consuming to try to get all of these things in place.

Now, since we level set on what the pillars are, let's talk about the challenges. Before you even get to the point that you can start enabling the business to work better, work faster and to be less of a blocker, you have to understand the challenges. I give some examples up on the screen. Please make sure that you go back to your own organization and you observe what the challenges are within your organization, because that is ultimately how you'll identify what are the things that you need to solve.

So some of the challenges that are listed here. We have where a compliance department may only be focused on the regulatory landscape. If you are only focused on the regulatory landscape, your department will turn into a checkbox activity, and that checkbox activity ultimately influences how other departments see you: "Well, compliance is asking us to do security awareness again, let me just get it done, let me just check off the box." That's not what we want happening. We want to have really good partnerships with the business, so you want to get away from focusing on just the regulatory things and focus on how do I enable the business to work better.

Additionally, cross-functional collaboration tends to be difficult when you are working in GRC, so we'll talk about some tips and tricks to improve that. As you guys likely know, while GRC has some of the processes that we have to implement in order to satisfy legal and regulatory things, a lot of times we have to rely on our counterparts outside of these groups, like engineering, product, maybe even people operations or HR, and so achieving the point where you have really good cross collaboration can be challenging, and so you have to figure out how do I make this happen.

The biggest challenge that I've also seen is being reactive versus proactive. If your compliance department is in a perpetual state of "all right, we got to get this done, we got to get this done," well, now you are creating undue burden to other teams that then need to hit those items. So you need to get to the point where you're being proactive. Can you put a schedule out? Can you have notifications well in advance, and reminders, and sort of things like that, where you become more proactive?

Then there is a lack of alignment between the business and GRC. The business and GRC, we have to be speaking the same language; if not, we're always going to be butting heads, right? So the alignment needs to happen there, and it needs to happen in a way where we are enabling the business to work faster, harder, stronger and not blocking them. And it's challenging. If you work in GRC you already know it's a very challenging aspect, obviously why it's listed here on GRC challenges.

And then another challenge is too many manual processes. We are just now getting to the point where we can start automating within the governance, risk, compliance space. We're getting tools that allow us to automate vendor reviews, access reviews, maybe even SOC 2 controls, tools like Drata, and I think Vanta is another one. So we're finally getting to the point that we can move away from manual processes, but the manual processes, they cause a lot of overhead, they become really clunky, and they're hard for people to understand what they actually need to do at the organization. This all creates all these different challenges within this department.

Additionally, what I have not included on here are some things that I personally do to kind of track challenges within my own organization. So if you guys maybe don't know what those are yet, you're trying to figure it out, I do it a couple different ways. I observe. We use Slack, so if I'm in Slack and I'm starting to see people like, "oh, this process is so long," or they're fussing, okay, well, that's starting to give me indicators that people maybe need training, they need support, whatever. I talk to my team, both in a public forum and private, so one-on-ones: "Guys, what are the challenges that you guys are seeing? Are you having issues with working with different parts of the department?" Because that tells me, as a leader, I need to go partner with my peers and figure out a good approach to ironing out these issues. And then in the public forum, when we meet as a team, I like to ask, because it creates a collaborative nature where we can partner together as a group and figure out the best approach to solving these challenges that we face.

With challenges, that kind of gives you an ineffective GRC program. So when you have an effective GRC program, that becomes very noticeable to the business. It becomes noticeable when they're trying to push a product to go live and we can't let them because they found out about a risk the day before they were trying to go live. It's ineffective when people are trying to onboard a vendor and it's taking them a month and a half to even get them through the vendor review. And we want to reduce these things; we don't want the business to be slowed down. Again, the whole point of this conversation is that we're enabling the business, we're enabling them and being a good partner, and we can't do that if we have an effective program.

So, ineffective program: you may have unnecessary program complexity. Maybe you have a vendor risk management program that has 20 steps when maybe it only needs six. So it really takes looking at your program, evaluating what you're actually doing and figuring out what are these things that I can get rid of that make my program super clunky and hard to understand.

Unknown service level agreements for processes. This is a big one and a lot of frustrations when working with compliance. If someone comes to me and they say, "Hey, compliance team, we need you to fill out a client questionnaire and it is 60 questions," I should be able to tell them immediately, "All right, a 60-question questionnaire is going to take me three days," and I've done that because I've done that data and analytics on the back end to know how long does it normally take my team. I know when we do a vendor review it's going to take at a maximum three weeks, because we've done the data and analytics in the back end. And so when you're talking with the business, they need to understand the SLAs. If they're trying to roll out a project or a new product, they should know, "All right, I need three weeks of compliance time built into this project plan," and so now you start to reduce the frustrations when they're working with us. But if you don't have that information and haven't planned for it, it gives the illusion that the team isn't operating effectively; it can create headaches when working with us. So I highly recommend you understand your SLAs for these processes that interface with the business.

Lack of visibility into risk. All day long we deal with risk, right, regardless if you work in GRC or you work in security. And so when you have an ineffective program happening, you're getting lack of visibility into risk. I want the business to come to me every time they identify something that may be a risk. They self-identified; I want them to come to me. But if we have a clunky program, if they don't feel like they can trust us that we're going to take action, they're not going to come to us with their risk, and so we start to lose visibility of the risk. Additionally, if they don't feel comfortable talking to us, they don't want to have the dialogue, well, then maybe we don't even get risk treated, and we have risk lingering out in the environment, which isn't what we want either.

Additionally, when we are more in a reactive state, you have an increased budget, or increased money, due to overhead of employees or other things that you may need to do. So for each of my processes within governance, risk and compliance, going back to these SLAs, I know it's going to take my team three weeks to review a vendor, and I know throughout the year we're going to have around 25 vendors. You start to get a sense of how many hours you need for your team throughout the year; you can capacity plan. But if you don't have that and you turn into more of a reactive nature, then you ultimately end up spending more money on things that you didn't plan for, and so again it's an ineffective program happening.

And then the final one: an ineffective GRC program is your GRC team lacks the technology knowledge in order to be able to talk with the business. How can I tell you how to secure something or implement a control if I have no idea about the technologies? So when you have an ineffective team, they can't go to the business and say, "Hey, business, I need you to implement mobile device management and these are the things I need you to do." They don't understand the technologies. So if your team is working, I highly recommend that they understand their platform, they understand how the data flows in and out, they understand all these different technologies, because it truly does make an impact in how you're conversing with the business.

So, so far we've talked about the GRC pillars, we've talked about some challenges and inefficiencies. I want to touch on relationships. This is a quick snapshot and definitely not all-encompassing of the relationships that you have in the org. GRC and security touch every single department. Some may be more high touch than others, but you touch every single department, and so it's really critical that you are truly building rapport with these people in the department, because ultimately you're trying to get them to implement or do something that you need them to do, right? So you want to have relationships with these different groups, whether it's product, and making sure that you get integrated into their life cycle before they push something out; whether it's engineering, to make sure that repos aren't in a public area where other people can access it; to maybe your HR or people operations functions, to make sure background checks are happening and making sure they're getting their questions answered about background checks or other processes. So really focus on these different relationships that you need to have, and focus on how your processes go into these different areas. If I know that people operations are going to touch background checks, they should know that they're responsible over those different areas, the same way engineering should know that they're responsible for maintaining repos in a certain way. So it's super critical you understand your relationships and you build rapport with each of these groups, and you understand the pains and frustrations that they go through in their own areas, because they're all humans, right? We want to make sure that we're treating them with respect, we're not just demanding them to do things, and sometimes that gets away from us when we're working in compliance, when there's so many things that we have to ensure the business is doing in order to keep, you know, data safe and secure, right?

All right, so we talked about all these different areas of GRC and we haven't actually talked about a Swiss Army knife yet, even though it is in the title of this presentation. So what I have here is a pronged approach to GRC. I'm going to tell you some of the things that have worked really well in my life with GRC, whether I learned it from the military, I learned it from consulting, being an individual contributor, or now in a leadership position. So we have these prongs up here. I picked five. You know your own GRC for your organization; maybe you have six prongs, maybe you have seven, maybe you have two. It really depends on what you are trying to accomplish for your organization, so again, this is meant just to kind of get you going. I love this concept of the GRC knife because it truly can be anything that you want it to be. Whenever I was getting ready for this presentation, I definitely don't know a lot about GRC, or not GRC, Swiss Army knives, so maybe I shouldn't have gone with that, but I was truly shocked at all of the different Swiss Army knives out there. They're pink, they're red, they have all these different functionalities on them, and they truly can be anything that you want them to be. So when you're thinking about how to make your program more effective, think of all these different ways that you can approach it. Don't think of it just like, "all right, this is my area, I'm only going to focus on these compliance controls." Think outside of the box. Think how can I partner with the business, what do they need to be successful, how can I enable them to do the things that I ultimately need them to do. So we'll have these different prongs in order to be able to support them.

The first prong that I have up here is communication. I cannot stress just how critical communication is within the organization. If you do not take anything else away from this talk, take the communication aspect and truly implement it at your organization. When we have things that need to get accomplished, and maybe where there's misalignment, communication is often the root cause of why we're having issues in the organization, why we're butting heads, why there's frustrations. So take a good look at the communication that's happening within your org. Advocating: you should advocate for your business partners for the work that they need to get done. We shouldn't be bullying them into the work, but rather advocating and lifting them up. We're going to talk about training. We're going to talk about enabling the business: what are some of the different things that we can do outside of these other prongs that enable our department to function better? Then we'll talk about automation: how do we remove those manual processes that create inefficiencies and automate the processes where possible?

So for communication, I thought it was important to cover a couple different aspects here. We're going to talk about channels of communication, we'll talk about leaning into the culture of your organization. These things will ultimately help you communicate more effectively with your business. It's also really important you understand the mechanisms in which your business communicates. In this day and age, I mean, we all have notification fatigue of all the different systems that we have at our org. I don't know about you guys, but I'm getting hundreds of messages a day on a whole bunch of different mechanisms, and it's really hard to keep track of it, and that's just me. Think about your counterparts in these other groups that need to be able to do the things that we need them to, and think about all the different notifications that they get. Out of a raise of hands, do you guys get a lot of notifications during the day, and are you probably thinking about like what you have waiting for you? Yeah, a lot of heads are shaking. I see you, Joe, I know Joe gets a bunch. So you guys, like, you have to think of your counterparts and think about, "oh man, you know what, if I'm getting bogged down in notifications, what's happening for them?" And so think about that as you're working with them. Do you have a project management tool? Is that how you should communicate? Should it be Slack? Should it be email? How should official requests happen? Those mechanisms truly are important to how you're communicating. Are you using verbal or written techniques? Are you going to a meeting? Are you calling people up? Are you huddling on Slack? What are all the different ways that you communicate within your organization?

And then consumability. You guys, I receive a lot of emails and I have no idea what that person is actually asking me to do. We send a lot of emails that ask another person to do something and they have no idea what to do. So when you are communicating, you need to communicate in a way that's consumable for the person that you need to take action. If they receive information and they don't know what to do with it, are they actually going to take action on the thing that you need them to do? Probably not. It's probably just going to sit in their email and then go down to the bottom of the list. So when you're sending out your communication, whatever it is, it needs to be in a way that is truly consumable: here's the information, here's the ask, here's the due date, how can I support you. They need to know that, and if they don't, like I said, they're not going to act on the things that we need them to.

So on the next two slides we'll talk about channels of communication and leaning into the culture. Channels of communication: recently I did a fireside chat with this really lovely Chief Product Officer. We did it as part of our Diversity in Tech group at Spring, and we targeted our engineering, product, data science and security groups, because a lot of communication breakdowns were happening in these groups. And so this Chief Product Officer, she brought this really great concept that I loved on different channels of communication. Up here on the screen you have these three different channels: you have upward, you have sideways and you have down. So when you are communicating up, that's your C-suite, it's your leaders, it's maybe your clients. They need to know the high-level information; they don't need to know in the weeds, "this is what we're going to do, these are the modifications, here's the procedure." They don't need to know that. The second that you start giving them too much information, that is when we start asking more probing questions, you're trying to get down into the weeds, and that's not what you need from leadership. They need to know the status update, and if there's a huge risk or something they need to take action on. Generally you're providing them more of a status update, so you don't want to provide them those in-the-weeds details.

Now, when you're communicating more sideways, those are your peers. Those are the people that are leading departments, they're leading groups, they're leading teams, and so they need to know the information to lead away from risk: what are the things that they're doing that may be risky in their areas, and how can they go about fixing it? Additionally, they need to know the information on things that we need them to implement. Say we are trying to go after ISO 27001 certification. My peers need to know what I need from their groups in order to be able to capacity plan appropriately, and they need to know that information in a reasonable time frame.

Finally we have downward communication, and this is communication for our individual contributors, our implementers, contractors, whoever is actually in the weeds. These are the people that are taking the information, they're consuming it and actually applying it in the environment, and so they need to know all the details. They need to know all the information in order to be able to do their job effectively, and it's our job to make sure that they get this information in these channels, in these ways that are appropriate for them.

So I ask you guys, when you go back to your organization: are you being mindful of your audience when you're communicating? Are you giving them the right information at the right time? And are you communicating well in advance for them to take the appropriate actions? If you can't say yes to any of that, you're likely having communication breakdowns at your organization, and it's making it challenging for your department to function, which then in turn makes it challenging for you to enable the business. So think about that while you're going forward and thinking of these challenges and things that you're trying to improve, and making sure that you understand these channels. And then additionally, make sure your team understands. It's not on me as a leader to only bear the burden of communication; it is on me as a leader to ensure that I've enabled my team to communicate effectively to do their job, and if they can't, then I'm giving them the right training, I'm teaching them how to do it, and we are then enabling the business again through making sure the team has the right training.

Culture. So we talked about the communications and the methods and the channels and the mechanisms and all those different things. Culture plays a really large part of your organization. If you have communication issues, breakdowns, whatever, it leads to your team being really frustrated. As much as I want to have a super stellar GRC program operating 100% of the time, that just doesn't happen, and the amount of times that I get my team frustrated over little things, it's because generally we're not being mindful of the culture at the organization. How does the culture operate at your org? Is it Slack? Is it Teams? Do they only use email, or are they stuck in the Stone Age where we call people up? Because I definitely don't like to call people up. How do you lean into that culture? I know at our organization we love using Slack, and so if I need action to happen, I know I need to go to Slack, just like my counterparts know if they need action from me, they're hitting me up in Slack. Yes, it causes tons of notifications, but again, I'm leaning into the culture and working with the culture on the best approach to them. If you're trying to go against the culture and force them into something that doesn't work, what you're going to have is frustrations working with us. A lot of the times people don't want to come to security. We're constantly in a state of making sure people are aware of us, making sure they know to contact us, and so if we're forcing a tool or solution on them that goes against the culture, they're going to be even less inclined to talk to us. We're already a headache; nobody wants to talk to us. They think when they talk to security they're getting in trouble or they've done something wrong, and that's not what we want at all. We want to have really, really good relationships, and we do that by understanding how we communicate, leaning into the culture. Maybe the culture is "we like 15-minute sync-ups on the things that we need to talk about." Lean into it and embrace it and plan for it within your own department.

So before I wrap up communication, show of hands: how many of you guys feel like you're having communication issues at your organization now? Yeah, it's hard. Communication, double hands, I see you. The communication aspect really is hard, and I've spent a lot of my career working on how do I talk to the other people, and how do I talk to them in a way that influences them to do the things that I need. We have so many different personalities that we have to work with, and if we're always in a state of conflict, it just makes the communication so challenging. So for all of you guys that have the communication issues, really mull over what's the best path, and path of least resistance: how can I enable the business by having better communication? And I also ask you, once you identify what are your challenges with communication, jot it down and implement the things that you want to change, and six months from now reevaluate: did you get to where you were going with your communication? Were you able to make it better at the organization? Did you see increased productivity from these other teams? And if not, tweak it, right? We're in a constant state of improvement, so time over time, look over it, see how you can change it and adapt.

All right, so advocating. When we partner with other teams, other business units, we almost get pushed into a state of bullying them to do the things that we need. So let's say we need to do system access reviews. I don't know about you guys, but system access reviews are super painful. We have issues with system owners even wanting to do them, right? It takes a lot of their day, no one wants to take care of them, and so you're almost bullying them into doing it. I hate that approach. It creates tensions, it creates frustrations. So when you're thinking about the things that you need to do as an organization, how can you get to the point where you're advocating for these teams to have more bandwidth, have more time, to be able to work on them? We shouldn't be in a state where we're bullying them to do these things; we should be advocating for them and helping. Maybe they can't do system access reviews because their team is at 150% capacity and they have not learned how to articulate that to leadership. I can sit down with my peer and say, "Hey Joe, why are you not doing your system reviews? Like, what is going on? How can I help you?" Well, maybe he tells me, "I am working 80-hour weeks, I literally do not have time to do this." I can take that information back and work with leadership and help him figure out how do I solicit for more headcount to get these other things off my plate so I can actually do these other items. So now you start advocating for your peers and they come to trust you, right? They don't see you as, "oh, I'm compliance, so I'm coming to tell you to do things," but they see you as someone they can trust, someone that's going to support and advocate for them.

Additionally, you need to align with their work. We know well ahead of time when things need to happen during the year. I know in November every year I'm going to do a tabletop exercise. I know in January I'm going to test from backups. I know in June I'm going to get security training done, even though that's a terrible idea because everybody always goes on vacation here in June. You know these things are happening, and we need to align to the business, right? The business has the ebb and flow of things that are going to happen. Should we be asking everybody to do security awareness during the summer when people are going on vacations, maybe they're traveling more because of work? No. We should be planning it for when the business is in and when the business generally has a lull. Should I be asking my organization to test from backups during January when that's when we have the most enrollments of patients? No. They need to focus on the things that are coming up from enrolling new patients. We need to align to their work, slowly rotate our compliance activities around to when it best suits the business, and you'll run into less resistance. They'll be more inclined to help with these things because we've looked at their schedule and we've said, "All right, we know the business is doing these things now, let's plan to do it later." And so now the business is more appreciative; they understand that we're actually looking out for their best interest, and again, not bullying them to do these things.

And then the product and business roadmaps. If you are working at a company that rolls out new product features all the time, you have to be mindful of that as well. That's going to influence the work alignment and the things that you need to get done, and more importantly, it's important that we understand that because we need to get into the security of that particular pipeline, of those things that are happening. Are they rolling out a brand new feature that could possibly affect PHI or any other data that we're concerned about? So we integrate into their pipeline sooner, and then we start advocating for them. If we get integrated sooner and we see this risk pop up, let's say they're rolling it out in November and we find this risk in February, we can advocate for them to get more money, more budget, because we know the things that actually need to get fixed. So again, we're advocating for them and ensuring this work can actually happen.

Training. So I do not mean security awareness training with this. This is training in order to enable the business. So understanding technologies: GRC should understand everything about our organization. We should know every system, every application, we should know what these do, we should know how the data flows through the organization, especially if you need to comply with GDPR, right? You have to do a data mapping exercise. So it's important that you understand how this happens in your org, because ultimately you need to be able to communicate with your business partners. You need to understand, well, is this really a risk when they're communicating this to me, and what's the risk scoring
here you can't do that if you don't understand the technologies and so your grc team needs training on understanding the technologies and once you have that you'll see that the communication again going back to like prong one there the communication will get better because the business or maybe the smes and the product in engineering actually see them trying to understand the technologies and they're getting less frustrated with them and happen to spend time telling them how the technology works and they can have more of a collaborative conversation on the flip side the business should understand technologies that impact them if i require everybody to go through the vendor review process for vendors that they're trying to onboard they should
understand that technology it should be streamlined it should be user friendly and if it's not they're not going to want to do it and you're going to have vendors that slip through the cracks and you'll have vendors that you're sending data to because people didn't follow the process because it's not intuitive so understand your technologies both from the grc side and what the business interfaces with decoding controls man controls they're sometimes really hard to understand what you need to do right you need your special decoder glasses and if we need decoder glasses to figure out what these controls from these frameworks are telling us there's no way the business is going to understand so if your team cannot take a control
and go explain it to an implementer an individual contributor the work is actually it's not going to get done and so your team needs to know how do i explain this in a consumable way for the business to understand and how can i communicate this control upwards to the c-suite so they understand the impact of this control if you're not doing that it's not going to get done and so not only does the team need to be trained in how to communicate this they also need to be trained in how they sit people down and talk to them um for this particular item i actually spent a year contracting after i got out of the
military where i would take disa stigs and sit down with system administrators and network engineers and explain to them what that disa stick was trying to tell them to do and they likely would have never gotten through those because if anybody's worked with disa sticks before you know they're very long they're very comprehensive and you need your special decoder glasses to look at them so i take that away and i apply it to my teams what are the things they are really knowledgeable about and what are the things that they're not and how can i teach them to understand these controls better and communicate them to the people that actually need to implement them and then effectiveness testing so
effectiveness of testing it applies to both your grc team and it applies to the business so are you testing how effective your processes are if you have a manual process let's take vendor reviews again if you have a vendor review process that's like 20 steps are you evaluating the effectiveness of it often probably not because it's at 20 steps and it doesn't need to be so figure out how you're evaluating your program's time over time and teach your teams how to evaluate the program and then enable your teams to speak up when they think these are ineffective right we need to allow our teams to have the safety the psychological safety in order to feel like they can speak up and
say we have ineffective programs happening so you're teaching them how to evaluate the programs you are defining the criteria for the effectiveness and having them go forward and do the things and then on the opposite side you need to teach the business the same thing they own a lot of the controls and the things that we need them to implement and if they don't know how to evaluate it for its effectiveness how are they going to approve it they're just going to be stuck in a perpetual loop or just doing something for the sake of doing it without understanding how can i make this more effective so the effectiveness testing is super critical and actually ties into one of
the bullets that i'm going to talk about next so when we talk about enabling the business the second bullet there talks about measurement and metrics so tying in from effectiveness testing you got to understand your your measurement metrics that first bullet there is trust and transparency so trust it's really critical what we do in security right that's all we do confidentiality integrity availability trust and if we are not building rapport with our business partners if we are not enabling them they're not trusting us you're not going to have a good program operating i know at this point in time any of my peers can come to me and we can have a dialogue and they know they trust that
i am going to go do things to take care of their team i'm going to help them take action just like they can trust anybody from my team because they've built that rapport that we're going to go take action and help them and then transparency i don't believe in keeping secrets i think my team should know all the information and so once i start enabling my team to have the same information that i have they go forward they understand they understand the goals and objectives of what we're trying to do i'm not trying to operate in a silo i'm really trying to make sure that they know what they need to do for their job and that comes with transparency
additionally when we talk about transparency it's important that the business always understands what's going on security should not have the secret security should not be holding the keys to the kingdom of all the risk that we have we should be communicating these things again well in advance and so we create this trust and transparency loop that's happening where the business knows they can count on us they know they can come to us and we're creating transparency of how our program is operating so trust and transparency highly recommend you take that concept and you ensure it's implied at your organization measurement metrics this is one of my favorite things i get so giddy over doing some sort of analysis of how my
program's operating this is how i know for certain at my organization for my client questionnaires it takes me three days to respond to 60 questions from a client and it takes me seven days if it's over 150 questions i know for certain it ha we have a five-day turnaround for when the business asks us to review any sort of document i know i have a three-day turnaround for contracts and it's because i've done the back-end data and analytics on it that was the first thing i did when i started taking over this because how are you going to improve if you don't understand the numbers right there's certain things that you can improve because you witness it or you
hear it but there's other things you can't just make assumptions you really do need the data and analytics behind it so i highly recommend you look at your program for every process that you have operating have you defined out measurement and metrics criteria so look at that and then improve over time this is where you can get yourself into a continuous improvement cycle that is a really great thing that you can do for your organization if you can get yourself into a continuous improvement cycle you will improve year over year over year because you recognize that is a critical thing for your org additionally when you do your metrics you start to get an understanding of
your maturity do you really just want to be doing the bare minimum and be a check box activity happening or do you want your program to be operating at the point that it's so effective that it's always enabling the business and maybe it's even low touch because you've automated processes and you've done all the things that you've needed to automation i love automation when it comes to grc there have been so many improvements in this space where you can take a vendor review almost through the entire cycle automated and it's seriously great if you guys have not evaluated that with your own organization please take a look at it because i promise you the return
on investment from reduced overhead of employees managing these manual processes is well worth the time and effort to evaluate how can you automate leverage grc tools if your budget allows so if you're at an organization that you have a budget that will let you get a grc tool please look into it because it really does help with how you're managing your program there's a lot of functionality built into there for the metrics so take a look at that technical expectations ahead of time my engineering and product team should always know my expectations when they are trying to roll out something new nothing should ever be a surprise to this to them and we do that by having
guardrails what are the things that you can do that don't go outside of my guard rails they should have this information and you should be training them because what then happens is a reduction in them having to have one-off conversations with you they feel more comfortable and confident in the things that they need to do but you have to give that to them in the first place and if you are not in a place where you can give that you're automatically blocking the business from being effective so you really do need to understand the guard rails and how they apply to your organization and then additionally building security into ci cd pipelines is there a way you can codify the things
that you need for them within the entire life cycle and have it implemented if if possible please please please take that avenue and make sure people understand it because now you are really enabling the business you're not a blocker all the time right the theme of this talk is how we enable the business how we get them to work better harder stronger and still do the security things that we need them to do okay so we got through the entire swiss army knife there's tons of prongs in there i talked about a lot of different concepts a lot of them geared around communication so take that away guys communication super critical building relationships i spend so much
of my time building relationships and you know what i love it i love getting to know my peers i love getting to know the people in the organization because it allows me to help them i want to make sure that they're doing things that i need them to do and sometimes they need a listening ear sometimes they need someone in their corner and i can do that by listening to them and building relationships and then eventually they come to trust me and when i need them for something they help me and it really is for the best intentions for the organization to make sure that you really have those relationships built automate where possible automation is your friend you are i'm
serious you're going to reduce so much overhead once you figure out how to automate processes and now your team can focus on building relationships doing training doing this other things instead of spending hours over hours answering a questionnaire or reviewing a vendor when it could otherwise be a automated process choose simplicity over complexity one of the things that makes it so challenging to work with grc is we have so many things that people have to talk to us about and we seem so clunky you have to do steps a b c d f all whatever and we seem so clunky and it's because our processes generally are complex and so figure out how you can simplify and meet
the things that you need to do because the business they will love it if it's easy for them to do they're going to be more inclined to do it use the right communication channel so understand these different communication channels how they apply to your org and then integrate into the sales pipeline i only touched on client questionnaires just a little bit but it's super critical if you our organization which you likely are that have tons of client questionnaires come in understand your own sales life cycle at your organization how do you partner with sales to get ahead of it if you work in compliance or if you're in my position you tend to read a lot of contracts dsas other
things like that for the security aspect but you also have questionnaires so get in that sales pipeline ahead of time because it does create undue burden to the team to have these random questionnaires pop up through the week and then you have to load balance appropriately so get into the the sales pipeline and understand how you can leverage that to your benefit if you know you're gonna have a bunch of questionnaires come in august well maybe you shouldn't be planning any major compliance activities then and your team needs to be load balanced to plan for these questionnaires so we've reached the end i i think i saved enough time cat for a couple questions if people have some um so you
guys can contact me through any of these ways email twitter linkedin um best chance of reaching me really is linkedin um don't check uh twitter too too often and um gmail i check it probably like once a day so um yeah that's grc as a swiss army knife i hope you guys had some takeaways that you can actually apply your organization and if you guys have questions i'm here for a couple more minutes thanks