GRC for Security Managers: From Checklists to Influence

This webcast was originally aired on January 16, 2025.

In this video, Kelli K. Tarala and CJ Cox discuss the challenges and strategies for improving governance, risk, and compliance (GRC) within organizations. They explore how to effectively build relationships, communicate value, and leverage technology to streamline compliance processes. Through shared experiences and insights, they emphasize the importance of prioritizing GRC efforts to reduce risks and enhance business operations, while also addressing common misconceptions and resistance faced by GRC professionals.

  • Governance, Risk, and Compliance (GRC) professionals often face the perception of being obstacles to business operations, but the focus should be on how GRC adds value to the organization.
  • Building relationships and effective communication are crucial for GRC success, as understanding and collaborating with other departments can help overcome the perception of bureaucracy.
  • Prioritizing tasks and leveraging technology, such as AI and data analytics, can help manage resource constraints and enhance the efficiency of GRC processes.

Transcript

Kelli K. Tarala

So today you’re here because you want to make friends and influence people. You want to be invited to cocktail parties. You want people to talk to you when you go to conferences.

Maybe you want to do your job a little easier or you want more influence in your organization. These are just some of the things we’re going to talk about today as we do that.

Let me introduce my compadre here, Mr. CJ Cox. He is our Chief Operations Officer at Black Hills Information Security. Now you might be asking, well, what does that mean?

The guy does everything. He does mops, he does floors, he does strategy. He helps build our GRC practice and a whole bunch of other things.

Anything you want to add, CJ?

CJ Cox

I think you covered it pretty well there. Yep.

Kelli K. Tarala

Okay. I’m Kelli Tarala, I’m a principal consultant. I do GRC stuff. We’re not going to be putting up any sort of certifications or letters or titles or anything. Well, I guess I do have titles on there, but CJ and I have, let’s just say, we’re well seasoned. We’re not old. We are well seasoned. And today we’re going to share with you some of our experiences, some of our hard-learned lessons and perhaps maybe share a couple tips.

All right, now here’s the time for you to get your thinking caps on. I want you to do a quick little quiz with us here on the left hand side. You’re going to see some of the problems, opportunities, if I’m being positive, that we see in governance, risk and compliance or in any sort of compliance position.

Have you ever been perceived by your co-workers or by the technology group as an obstacle to business operations? Do you feel like your organization says, yeah, yeah, yeah, we’re all about compliance, but then they don’t actually fund it or they don’t give you any sort of staffing to do it?

Do you feel like perhaps there’s a perception that compliance has to do with bureaucracy, communication challenges, resource constraints?

I know, CJ, you’ve got strong feelings about resource constraints. Is that only for a select few?

CJ Cox

Yeah, yeah, just people who are in security. They’re the only ones who have constraints. No, that’s every human being on the planet. You all know it. The only people who don’t think they’re constrained are underachievers.

But even they actually don’t have all the dollars and things they need. So yeah, constraints are basically part of the human condition. But people tend to think that they’re, I’m the only one, like I’m so busy I don’t have enough time is like the biggest thing.

And our classic answer to that is you have all there is when it comes to time. You have 24 hours in your day. So the challenge is always prioritizing things.

And so I think what we’re going to look at here is one, how to be effective with the time you do spend. And what are the tricks? What are the lever points, what are the multipliers?

How do you get the low hanging fruits? That’s part of what we try to bring. When you said we’re well seasoned, we’ve seen a lot. Yeah, we’ve seen a lot of failure and we’ve seen some successes. And so that’s what we’re going to try and highlight here.

Kelli K. Tarala

Excellent.

CJ Cox

Hey, before you go off that slide though, I wanted to give another quiz. So I want to get feedback from the audience. I’m going to do it on Discord. So I want people to do this.

Here’s my quiz. I want you to tell us your company size. You can say big, medium, small, but if you’ve got a number that’s good, the percentage of your job specifically that you spend on GRC and what you would give your program as far as how successful, effective, whatever that is, because that just gives us.

So I’m going to give you, here’s my stuff for BHIS. I think we’re a mid-sized company. We have 140 people. I spend about 15% of my job on GRC and I give my program an A minus.

So if you pop that into that zone, I’ll kind of watch that because that helps us kind of gauge the crowd and where we’re at and all that stuff.

Kelli K. Tarala

And we’re not grading you, we’re not judging you. We’re just trying to understand our audience a little better.

CJ Cox

These are good scores flowing in. So awesome. So go ahead, Kelli.

Kelli K. Tarala

All right. CJ so today’s agenda. Sometimes I ask, well, I’m the youngest child, if you didn’t know that. And I am the problem child in my family.

But sometimes I bring this up because we feel like we’re the problem child at our organization. Nobody wants to talk to us, nobody wants to do the things that need to get done.

If you get nothing out of this webinar today, please hear me that you are not a problem child. We are so grateful that you’re doing governance, risk and compliance with us.

It makes the world go round. It keeps people safe. It keeps people doing good things. I might even venture to say it keeps people happy. So what we’re going to do today is we’re going to talk about some suggestions and solutions and some tools and resources.

And we’re really looking forward to your comments in Discord. Okay, I’ve brought this up already. Are you a problem? No.

And one of the things that’s on my list at Black Hills is I really want to change the perception of governance, risk, compliance in our industry. Now, you all know I work for an amazing company.

We’ve got black hoodies. My coworkers are technical geniuses. And sometimes I get a bit of imposter syndrome. Or sometimes I feel like a problem or kind of like the little sister who’s kind of nagging people.

Hey, what about those controls? Hey, what about your documentation? Hey, did you update that AI policy yet? CJ, wink, wink, nudge, nudge.

But honestly, GRC isn’t a problem. GRC. Think of all the good things we have in this world. We’ve got safe highways, safe cars, safe food, safe water. That’s all GRC.

But we’re really going to focus on privacy and cybersecurity in this presentation we’re doing. And I just want to say welcome to the dark side because this is where the fun stuff happens.

CJ Cox

So the feedback is freaking amazing. If you didn’t see that flashing by, Kelli, because you’re kind of focused on talking, I see that the average grade was probably a C.

There are a lot of really bad grades. People were not majority. I saw very couple that they have a GRC program. So when you talk about the people whose full-time job is GRC, those people fall into a special category of human beings where imposter syndrome is a little bit accelerated.

So it goes with auditor and lawyer. These are, these are professions in areas that are kind of looked at sort of negatively.

Right. Dentist, maybe falls into that category sometimes. But the bottom line is comply or die scrambling.

That is fantastic. So we’re going to talk about, to me, so when I was in the Marine Corps, right, I went to the Marine Corps and I was in the Marine Corps wing, the air wing, the airplane guys, which is not really what the Marines are known for.

We are a support army. We are not where the rubber meets the road. And that’s true of everyone in security. Security is not the pointy tip of the spear in most people’s companies. They are at BHIS, but we’re an exception.

Most of the companies. Your company is about doing business. It’s about selling things or it’s about doing things. And the security stuff, we are the support people that allow those important things to happen.

And when you kick the supports out from under these important underlying features, your company can really struggle and be off base. And so what Kelli’s going to go through here is all these little tricks and nuggets and saying, like, how do you convince people of the importance of this?

How do you convince yourself that you need to do some GRC, that it’s going to help you overall in the long run? Because it’s definitely not configuring the firewall to not let people in, but it’s the thing that systemically causes those things to happen.

So back to you, Kel.

Kelli K. Tarala

Awesome. Great explanation, CJ, that moves us perfectly into our first point. Are you perceived as an obstacle to business operations or your team or the projects you’re trying to get done?

One of the things that CJ and I tried to do as we were building the slide deck together was to talk about common phrases we hear and to say, if you hear these at your organization, it’s not just you, other people are hearing them as well.

Things like, it’s going to add too much time to my project, or I don’t have budget for compliance, that should come out of somebody else’s budget, or compliance or governance is too much of a significant barrier for my business unit’s performance.

And if you’re not a fan of xkcd, I’m sure most of you are already well familiar with his work. I always like his little comics because he’s able to nail really important concepts and feelings.

And sometimes I kind of feel like that when I’m trying to fix a problem, I create a problem. And then it’s this vicious cycle of problems and problems and problems. CJ, do you ever have that happen?

CJ Cox

Constantly. So someone was telling me that for every intended consequence, there’s probably four unintended consequences. Again, one of the great realities and truths in life.

And the whole thing, go back to that other slide, Kel. The whole thing that we always talked about doing is right-sizing things. So I came from the government.

I worked in the classified community where I did NIST853 accreditations, and I had a staff of like five people, and we would produce thousands of pages of accreditation documentation.

Documentation that’s real cool. But you come to BHIS and the rest of the business world and ain’t nobody got time for that. And it’s true. So you’ve got to right-size. Trying to do GRC the way that some Big Ten company that’s got a GRC staff of 150 people does?

You’re not going to do that. So the key is peeling this onion and again, us finding those leverage points. How do you get the bang out of your buck? How do you get to the essentials? Because you can’t do this.

Because small companies are expected to have security. Look at the questionnaires you get from your customers to fill out about your security program. You’re asked everything that a Fortune 50 company is asked to do.

They want to know everything. What’s your GDPR stuff? Like, I don’t have a GDPR department. Get real. But yet you’ve got to answer those questions.

You’ve got to answer that mail. So then how do you do it when you’re both the IT person and the security person? Oh, and as a security person, guess what comes with that: GRC, if you don’t hire somebody else to help you.

So man, appreciate it, brother. Seems dismal.

Kelli K. Tarala

Are you ready for the next slide?

CJ Cox

Maybe? Yeah, sure.

Kelli K. Tarala

How do you deal with that dismal feeling?

CJ Cox

Yes. Value.

Kelli K. Tarala

So you focus on value creation for the business now. Okay, now I know some of you like to play bingo on our webinars. I don’t think value creation is on your bingo card, but if you’ve got paradigm, we’ll do a substitution there.

Okay. So in all seriousness, how do we change this perception that GRC is a business obstacle? We focus on how we add value to the business.

As CJ has already said, a lot of the reasons why we do the things we do in security is for GRC. And those of you who’ve been in the industry for a long time, we used to go and try and scare senior managers or scare the board of directors with our breach stories and these bad things are going to happen to you.

And there’s nation state actors barging in on the doors. Well, they’ve kind of gotten sick and tired of hearing the scare tactics. Now what we’re trying to do is pivot to value creation.

Well, how does GRC show value to the organization? Well, first of all, it’s a win-win situation. Focus on mutual benefits. Perhaps they already have regulations or compliance needs that you can help with, or perhaps you have a tool that will make it easier for that particular business unit.

I don’t spend a lot of time in marketing, but there are marketing regulations depending on the state or the city or even perhaps the country that you’re in.

Another thing you can do is showcase, excuse me, showcase examples of how compliance has prevented costly errors or penalties. Look at some of the news stories. For those of you who are more active in the HIPAA space, OCR has been sending out quite a number of notifications this week of fines and penalties that they’ve levied against organizations that fail to meet the requirements of the privacy and security rule.

And also you can illustrate how good governance practices enhance the company’s reputation. Because the one thing that you can’t necessarily bargain in or trade up in is trust.

Once you’ve destroyed trust with a customer, it’s extremely hard to build it back. And I’m sure, CJ, you’ve got thoughts on this slide?

CJ Cox

Yeah. And those customers go for your internal customers. And fear is one of those things. So fear is bad when you’re using it as a prop or a shtick.

Right, but when you mention the word risk. And again, I’ve talked to security professionals repeatedly about risk and understanding who owns the risk. Because us, as GRC or security, we don’t own the risk.

The board of directors, the CEO, varying degrees, the different C-suites, they own the risk. Your job is to talk to them about risk, highlight stories, tell that story.

You’re the professional, you’re the expert. You can go in there and talk to them about GDPR fines and things like that and how, guess what, they do apply, so that you help the company manage risk that’s perceived by leadership as being positive.

The mutual benefits that you’re there, mitigating a risk that could cost millions of dollars. There’s also the cost of, like, your customers’ perceptions. Again, we have to do a SOC 2 Type 2 because so many people demand to know that the company I’m working with has a good security program.

Well, one way or another, you’ve got to have that program. So you’ve got to, as professionals, figure out how can I do this for the minimum cost? And our answer is always, of course, steal, borrow, reuse.

Use the community resources to learn how to do this so that you’re not creating the wheel yourself. Right, that’s our community sharing this. Hey, how do I attack this? How do I convince the boss that we need to address GDPR?

We’re a small manufacturing firm in the Midwest. We’re going to have our new GRC channel. And we’ll be happy to keep talking about these spontaneous issues, but Kelli’s going to keep going with more things that are going to get us there. Here.

Kelli K. Tarala

We talked about that win win situation, CJ and working with other business units and other groups. The other idea we’re trying to get across here is having conversations.

I see in the Discord channel. Good GRC people. Thanks, Luke. Good GRC people are like social engineers. But I want to say in a positive way.

We’re not manipulating people. We’re really trying to build relationships. To build relationships, sometimes we look for those win-win situations, and we can make suggestions that are beneficial to other departments because every department has goals, responsibilities.

KPIs. That’s a big word now at Black Hills Information Security. Perhaps something you’re working on can also achieve a goal of a different department; highlight the positive impact on the team.

Perhaps nobody wants to do GDPR, as we’re going with CJ’s example here. But if you do do GDPR, well, maybe you’ve just opened up to a whole new market or a bigger market, or you’ve got an opportunity to introduce a different product to a market.

A lot of people don’t see GRC as the tip of the spear, but perhaps it can be, depending on these suggestions that you see and bring forward. And we’re going to talk a little later on in this presentation about understanding the business in which you’re doing GRC.

So hold that thought here. Oh, go ahead.

CJ Cox

In my war against acronyms, as was so aptly pointed out by char, that it’s governance, risk and compliance. Sorry about that. We do plunge into our own specialties like that.

I tend to hate acronyms, but someone else said something about leadership or something. But everything is working with others.

And I’ve said this always about security. And it’s doubly true of GRC. The security shop, if they’re trying to force standards and practices and things like that in a vacuum, you aren’t the IT department.

You’re going to fail. The thing about all of business and most of life is that it is a team sport, folks. And what we’re talking about here is how to influence, how to convince, how to sell, how to sell your ideas, how to do the value. You’ve got to work with other people.

I always told the security people, you’ve got to co-opt the IT team, get them to go to security training. How do you get your web app shop, your development shop, to start doing security?

You’ve got to get them to do security classes. I’ve always said that security is just quality control on IT, because security is a quality. So, yeah, working through other people and with other people is essential.

And that’s why the soft skills. And you’ll tend to find people who have decent tech skills but stronger soft skills. They’ll gravitate over to GRC management, leadership, those things. It’s pretty natural.

I’m a people person. I take the documents from the engineers and I give them to the customer. There’s a place for that. Everybody’s got their place on the team, so use your skills.

Kelli K. Tarala

Oh, I like that. And not only are you trying to build relationships, but there’s a situation where being willing to compromise and say, well, if we get 80% of what I’m looking for, that’s better than 0% or 50%.

And a lot of times we look at control frameworks or we look at GRC programs, and we’re like, well, it’s got to be done in its entirety, and it’s got to be perfect. And I want to put it on the shelf because it looks so nice and pretty.

There are no pretty GRC programs, okay? They’re messy. They’re people’s best attempts. And, CJ, we’ve had these conversations where if you’re always striving for perfection, you may not be striving for the best thing.

You’re striving for win-win solutions.

CJ Cox

And that’s where imposter syndrome comes from. We all know we’re not good enough. We’ll never be good enough. We’ll never get it all done. You can’t let that get in your way. That’ll freeze you.

Kelli K. Tarala

So, okay, boss, you want to talk about cultural misalignment?

CJ Cox

Oh, boy. So, yeah, compliance is a barrier to entering. Well, I’ve seen that a ton. Right. And we had to develop.

When I came here, we didn’t do SOC 2 Type 2. We were barred from certain customers. And so I ate the apple. And I started doing it by right-sizing it. Yes, GRC. So I’m a big person. I love the book Checklist Manifesto. I love checklists. So GRC is a checklist exercise.

So is securing a firewall. If you don’t have checklists, those are guidelines that get you to where you need to go. So it sounds like it’s a bad thing. It’s not.

And if you just want to do something as a checklist, you can get away with it. It’s your job to tell your boss what that might cost you. Because if you’re just going through the motions, you might not actually get the value.

You’ll get the appearance of value. And then it’s just an overwhelming ongoing process. Yes. So is security. So is IT. So is keeping up with the market.

Everything is an ongoing process. So all these things are bad excuses. Again, the key is, how do you do it smart? How do you hack this?

The hacker mentality in security is how do I break into the thing? But the hacker mentality in working with people in leadership is not how do I socially engineer them and manipulate them to do the wrong thing.

That’s evil use. It’s how do I be effective at convincing people of my value propositions? So.

Kelli K. Tarala

Oh, CJ, I’m so glad you said that. Because a lot of us have started out in technical positions and have moved up into management positions or consulting positions.

And if you’ve been configuring a firewall or you’ve been applying an image to a machine, it’s pretty black and white. Turn this on, turn this off, implement this, don’t implement that.

And that’s not a bad thing to have that engineer mindset. It is very black and white. It’s very binary. And I can tell you, in my career, I’ve had to acknowledge that I’m a very black and white thinker and tone it down a little bit and say there’s room for gray areas.

Now I’m not talking about, hey, we’re not going to do this regulation that’s absolutely required of us. But a lot of times, remember, CJ, we have these conversations about control exceptions.

When people say, well, I can’t do MFA everywhere all at once, so I’m just not going to do it. And I’m not going to put it in my policy. We have conversations with customers and say, listen, where can you start with MFA?

Okay, say it’s your intention to do it. Write a control exception that says we don’t have MFA on our end user end devices yet, but we do have it on our administrative interfaces, on our VPNs, that sort of thing.

So I am asking you to think about, not you, CJ, our audience as a whole, to examine your black and white thinking and see kind of where you are at on the scale, on the spectrum.

CJ Cox

Black and white thinking, all or nothing. And I just laugh, Kelli, because I can see you and both of us do it. We’re so opinionated. We just have this, like, why can’t everyone see the perfection in my plans?

It’s just so classic. But, yeah, John used to always talk about that. I can’t even remember the technical example, but where people are like, and with password complexity, you’re using MFA.

Like you said, can’t use it everywhere. Well, if you just use it in a few places, wouldn’t that cut the risk? Like, isn’t a reduction in risk good? Like, if you show those classical CISSP formulas of risk times something equals a dollar value.

Yeah, we can cut some cost. So do those easy steps, but 853 shades of gray. I need a T shirt that says that one.

Well, it’s got to be audience ever.

Kelli K. Tarala

It’s got to be a PG-13 T-shirt though. Okay. Or below.

CJ Cox

Yeah, yeah.

Kelli K. Tarala

Okay, so let me go back a slide for a second here because I’m afraid we lost the thread just a tiny bit. You may be in an organization where you feel that there’s cultural misalignment, and I’m not going to name any organizations by name here, but you may be in a situation where they just really don’t care about GRC, or they look at the bottom line and they say, listen, the cost of repairing after a breach is less than what it’s going to cost me to implement.

Let’s say the CIS 20, or, excuse me, 18 controls. You may not be in the place that you want to be in. There could be just a cultural misalignment with you and your career or with your department.

So let me go back to this slide and say, listen, if you’re in a situation where you don’t think that you are listened to or your insights aren’t being valued, maybe you’re at the wrong organization.

But to bring this back on track, let’s say you are at the right organization and you are trying to build trust and credibility with those relationships and who you’re interacting with, I have a couple bullet points down here on the bottom I really kind of want to touch on.

Being nice and being kind are not the same thing. Let me elaborate on that just a little bit. Being nice means somebody might say, hey, this project isn’t going to be done.

And you kind of smile and you just don’t say anything. Being nice, you’re being polite. But being kind is actually sitting down and having a conversation and being honest with that person and say, listen, I think you can get this project done.

Here’s what I see. What do you see? And so as you’re building relationships, remember, being nice and being kind aren’t necessarily the same thing.

So you have a choice every day how you’re going to be interacting with people. And speaking of interacting with people, if CJ were to poll the audience here, how many people have extra time in their work schedule?

Nobody’s going to have extra time. GRC people usually have way too many projects on their plate, have too many asks from different departments. Have boundaries.

CJ Cox

According to our data, they’ve got, that’s a small part of their job.

Kelli K. Tarala

A small part of what they’re being asked to do or the time.

CJ Cox

That’s actually my guess is they’re all security folks, that they’re by default, they get to do the GRC stuff. So. Which is me. Before you came along, I had nobody.

It was me. CEO’s keeping the plate spinning. Oh, and do this GRC thing too.

Kelli K. Tarala

So what I’m hearing you say, CJ, is in the time that you’ve been at Black Hills, you’ve sort of shifted and made a cultural adjustment and made sure that those important regulations like GDPR or SOC or PCI were being properly addressed and documented as Black Hills grew into the organization that it is today.

CJ Cox

Yeah. And all right, that’s why I say you got to right-size it. You can’t be a Fortune 50 company. But you attack it and you accumulate it and you’re rolling a snowball, hopefully down a hill.

Your GRC program can build over time. And Kelli, I think you and I talked about we need to do a course, I think for small and mid-sized businesses, on how to get started and get rolling and do it, because I think there’s a need.

I’m just looking at the. But a lot of people share our views and stuff. So I think you’re on the right track. Keep going.

Kelli K. Tarala

Amen. I like that.

CJ Cox

It’s not a snowball. What is it?

Kelli K. Tarala

Okay. Do you feel or do your colleagues feel that you have a lack of business understanding or perhaps the group that you’re in? I used to work for an insurance organization and they kind of joked that we were in our ivory tower, the compliance group.

And they said, well, you really just don’t understand how we make money and how you get your paycheck. People might say to you, well, we’re trying to leverage our core competencies, or if we apply this compliance framework, it’s just going to mess everything up.

Or this is. CJ and I were joking about this one a little earlier. It’s the second bullet from the bottom. We have a strategic goal of digital transformation. But our compliance team is insisting on maintaining legacy systems and manual processes for regulatory reporting.

Meaning, hey, we know we should upgrade that system, but we’re not going to because, well, it’s easier to do it that way. And then CJ, I know you want to weigh in.

We, we have a strategic goal to use AI.

CJ Cox

Yeah, yeah, yeah. And, and everyone freaks. And now all of our customers, all of a sudden, just in the last nine months, everyone’s asking if we use AI on our services.

We get questionnaires with this. And John Strand pointed out, do you Google anything? Do you Google as part of your service, like delivering our services?

A pen test. Do you Google? Because there’s a little AI summary there. So I guess we use AI summary, but that’s not what they mean. What they mean is, do you take our PII and you put it in a public language model?

No, we don’t do that. But policy-wise, BHIS, we’re early adopters. Ooh, shiny object toy. Let’s play.

Oh, well, speaking of shiny objects, the safe shirt 50. We’ve got people playing with AI and like what are the guy.

What are the rules? What’s the company’s policy? Are you allowed to do this? Are you not allowed to do this? What are you allowed to do? So we quickly assembled the Avengers. Kelli headed it up as the AI working group, which ended up doing all these technical ideas.

But we also got the GRC policy in place, which Kelli was way overzealous and just gave us a 150-page GRC policy. And it was like, really what we need to just say is these few simple things.

And so that’s where we worked through, got the consensus and we got a simple starting point on the AI policy. Guess what, folks, that AI policy, we published it in late December.

Did we get it done in January? And I guarantee you that by now it’s OBE. OBE: Overcome By Events. There’s another one of my acronyms.

Sorry. So the thing is, with all these policies and all your hesitations, perfection is the enemy of the good. You got to get your policies and your GRC program down and then tweak it.

If it’s God dang wrong, fix it, folks. But get it down. At least have a working place, because then people throw rocks and you’ll fix it. So.

Kelli K. Tarala

Okay, you’re on a roll there. Let me, bring up the second. The next slide.

CJ Cox

Am I, like, the greatest segue artist in the world or what?

Kelli K. Tarala

You are, boss.

CJ Cox

Thanks.

Kelli K. Tarala

Okay, so how do we fix this lack of business understanding? Again, we’re building relationships, and I highlighted here on the slide, building relationships outside of audits and assessments.

Because if people only see you four times a year, no wonder why they don’t like you. They want to see your pretty and handsome face more than four times a year or more than just during an audit or an assessment where you’re asking them for something.

One of the things we try really hard to do is foster relationships with key stakeholders. So at an organization like Black Hills, who would be our key stakeholders? Well, obviously our customers.

But as CJ has mentioned already, we also have internal customers. We have our SOC team here that will sometimes ask me, hey, what about this regulation?

What about that regulation? Sometimes our training platform, Antisyphon, may ask me a question about cookies in the European Union.

So stakeholders aren’t the ones that you necessarily quickly think of. We all know you got to have your senior leadership as your stakeholders, your heads of business units.

But perhaps some organizations have an embedded IT person in marketing or purchasing or in accounting that may also be a key stakeholder or a key partner for you.

Work closely with operations managers, department representatives, engaged contract managers. Perhaps if you don’t have friends in the purchasing department.

We always think of legal when it comes to contracts, but some of the sharpest contract negotiators and readers are in the purchasing department because they do that day in and day out.

And if you’re not sure how the business works or you don’t understand a particular process, invite people to cross-functional team meetings.

Say, hey, if you ever want to understand what GRC does, I’d be happy to come on in, bring pizza, bring donuts. You’d be amazed what that sort of thing does to help build relationships and friendships.

CJ Cox

Yeah. So got two compliments, Kelli. One is your corporate voice is very funny. The other, the evil cackle, is great. That’s your feedback for there.

We’re just talking about. So again, we talked about leadership and blah, blah, blah. But selling. And I just talked about educating equals selling. And this.

All this ties. GRC is just a part of security. So everything I say applies to your. If you’re the technical security guy, when you’re training the board of directors, those people are lawyers and doctors and.

And weird things or even your bosses. The CEO is not an expert on it. And every time you talk as an expert, you’re educating.

And when you’re educating people, you’re selling them on usually your ideas, your approach. Right? You’re trying to give people the facts and the context and the ideas to do the things that you think are best for them, because you’re coming from your expert opinion on what’s best for the org.

So it’s good.

Kelli K. Tarala

Appreciate it, brother. Okay. Another common challenge we see in the GRC space is a perception that we’re. I can’t even say it.

Not brioche, because apparently I’m on the pastry line there. Bureaucracy. Say it with me. Bureaucracy.

Okay. So a lot of people look at GRC as a necessary evil or perhaps an unnecessary evil or just plain bureaucracy. Perhaps you’ve been in situations, even with your city government or your county government, where you have to send something in by postal mail, and you’re like, well, can I just send an email?

Or can I just upload it on a website? No, you’ve got to put it in the mail. You got to put a stamp on it. That might be an example of bureaucracy, but here is how GRC people might be perceived as being part of a bureaucracy.

People might. You might hear, I’ve got audit fatigue. GRC. Oh, man. They’re just a resource hog. That never ends. There’s always another audit. There’s always another assessment.

Oh, my goodness, this is just a waste of my time. I have more important things to configure. Or, do I have to? We hear that quite a bit, especially when we’re looking at a new framework or a new controls project.

Do I have to do this? And don’t forget the eye roll, too, because we always get the eye roll as part of that, too.

CJ Cox

What are you talking about?

Kelli K. Tarala

That was good. That was very good. Okay, CJ.

Deb Wigley

So.

Kelli K. Tarala

So how do we deal with this perception of bureaucracy?

CJ Cox

I think we have to be valuable. You have to convince people that you’re not a roadblock, that you’re not the negative, the naysayer, the impediment.

To getting business done. This is a constant job. Someone asked me the other day, they did something, they go, does this go down on my permanent record? Hey, folks, folks, our brain recorders are always on.

Everything you do is on the permanent record. So how you present yourself, how you do your ideas, how you handle yourself, your communications, how you get your projects, that’s all part of how you’re perceived in who you are.

And so again, education and awareness, it’s just part of selling, it’s part of doing your job. Because as experts in all these different fields that we have, the other people around us don’t have that.

You’re always educating everybody all the time. That’s what conversations are practically about.

Kelli K. Tarala

And we all, we’ve been through maybe slightly boring security awareness training. There’s a video, looks like it was done in the 1980s.

And that’s a part of what it is, what we do. But the training program doesn’t have to look boring. And in fact, I’m probably getting eye rolls from the Antisyphon group right now.

They’re like, our training isn’t boring. You’re right, folks, I’m not talking about our training.

CJ Cox

Why it’s called Antisyphon.

Kelli K. Tarala

Exactly. So not only do we want to teach our end users how to avoid phishing attacks, how not to click on a link in an email, business email compromise, but let’s start telling them about the importance of GRC, of why we do it, how it helps protect them.

I’ve done training, especially in November, where I’ve talked to people about, hey, here’s how you be safe on the Internet before you do your Christmas shopping at the last minute.

So when you show value like that, it gives people a warm fuzzy feeling in their heart and they start to like you. They don’t see you as the nerd who’s behind the assessment or the audit.

You can always ask a speaker to come in. It can be done virtually, it can be done in person. One of the things we’re talking about is having somebody come in who’s very technical, but having them do a presentation that’s less technical just because they’re a different face and they may be trying to understand how to get better at presenting.

So there’s a, we go back to that slide we talked about earlier. There’s always a win-win situation for this. And then here, of course, is my shameless plug: play Backdoors & Breaches.

And for those of you who aren’t familiar with this, this is our incident response card game. And yes, it is very technical, and yes, there are times where I have to Google some of the cards in there because I don’t understand what it is.

But as part of Backdoors & Breaches, we also have process, procedure, and policy cards in there. So if you are uncomfortable with some of the more technical attacks in there, focus on the procedures and the processes.

Go ahead.

CJ Cox

Got a great question, Kelli, from Cybergilly. What if the issue isn’t the bureaucracy? Assume we have full leadership buy-in due to the fact back for contractual. They’ve got contractual requirements, maybe DoD, government, something or finance.

The issue is with implementation at the lower levels.

Kelli K. Tarala

Problems and successes rise and fall with leadership. So if there’s a problem at the lower level, there’s a problem with leadership at that particular.

I’m guessing maybe it’s maybe.

CJ Cox

But my thing is that in your design of the program, you’ve got to account for your audience. And if you’re not successful selling your ideas, you got to go back and do some introspection and say why?

What? So you got to do the analysis of why implementation at the lower levels is a problem. You got to dissect that. Is it because they don’t understand, they don’t care? They’re too busy doing their other job.

The priority scheme is askew. There’s not a proper feedback loop. There’s a million answers to that that you’ve got to dig into. My thing is usually just “sell, Mortimer, sell.”

But I don’t know that that’s necessarily the answer. You got to analyze the problem.

Kelli K. Tarala

I agree, CJ. And I see Cyber Gilly’s comment about it feeling weird that the cyber team is teaching senior leadership how to manage or how to lead.

Well, just because they’re in senior leadership doesn’t mean they’ve had the same experience as you, the same expertise as you. And remember, we’re a very niche knowledge base and they can’t possibly understand that.

Remember, senior leadership, they’ve got to know a little bit about accounting and marketing and purchasing and a little bit about the law. Absolutely. You can teach them about things, and we talked a little bit earlier about trust and credibility and doing a good job.

They’re watching you even if you don’t think they are. You could be showing leadership just by being at work at 7:58 every day and not saying a word to anybody.

So everybody on this call is a leader, whether you have the title or not. Please hear me say that. It’s so important.

CJ Cox

There’s that hokey shirt or whatever about be the change, right? So you can only control the things that are in your influence. And by demonstrating leadership, you might inspire someone.

You might show someone a trick or a technique that’s like, you’re marvelously successful. Believe it or not, the people above you are people, too. And they learn from things that work.

So if you’re able to show things work, they might mimic you. So be a leader.

Kelli K. Tarala

Good point.

CJ Cox

Doggone it. You deserve it.

Kelli K. Tarala

Okay, for those younger people on the call, the picture there is a reference to the old telephone game. And you’re like, I know you’re probably rolling your eyes at me, but I have had people say, I get it.

What is that supposed to be? It used to be a game where person A would say, gorillas eat bananas. And as it goes from person to person, eventually it comes out, the AI thinks the Detroit Lions are going to win the Super Bowl.

So it completely gets messed up from point A to point B. Just a small plug for the Lions there. But everybody has communication challenges. It doesn’t mean you’re bad at it.

It doesn’t mean you’re young. Communication challenges happen all the time. And for those of you who are married, can I get an amen?

CJ Cox

Amen.

Kelli K. Tarala

Common phrases that you’ll see or common phrases that you’ll hear when there’s communication challenges. Oh, it’s an uphill battle. Oh, we’re back to the drawing board.

Oh, yeah. Laugh about it someday. Yeah. Okay. And then. Oh, oh, there’s that GRC person. Let’s go in the cafeteria. Let’s go down this other hall.

’Cause I just. I don’t even want to make contact with that person because they’re going to ask me how the audit’s going. So what do we do about these communication challenges?

CJ

CJ Cox

You’re never going to get there. Communication is. You just. You sent me this dumb book about digital body language. What does that even mean?

And I realized that I suck at communications, and I’m probably the oldest person in the room. Communications is just a constant challenge. Just like I use three.

Three acronyms. GRC, OBE, and PDFQ. No. Communications. You’re never gonna finish it. It’s always a challenge when you get.

When you get short on time. Or patience. You’ll screw it up. But communications is something you’ve got to be cognizant of, conscious of, focus on, and work on getting better.

That doesn’t necessarily mean taking speech class, although Kelli’s going to point you to some great resources on it. But it is a challenge. And the more influence you get, the more you become recognized as a leader.

And that doesn’t just mean positional leadership, the better you have to get at communications. So there’s just it. This is just. This is one of the key things.

Communication.

Kelli K. Tarala

I like what you said there, CJ

CJ Cox

We.

Kelli K. Tarala

We do lapse into jargon, acronyms. And one of the things you mentioned earlier on this webinar was risk management.

That sort of gets pushed aside even though it’s right in the middle of GRC. We sometimes forget why we do the things we do. People, you might say, oh, my goodness, more controls.

We’ve got to implement. Why are we doing this? We’re not doing it because we want to spend a lot of money with security vendors. We’re doing it to reduce the risk profile of the organization.

When we reduce the risk profile, then we’ve got a little breathing room. We don’t have to worry about meeting payroll next month. We don’t have to worry about, well, can I go on vacation? Is the company going to be okay?

All of those things are the things that are important to employees, to people in the workforce, and that’s what GRC helps protect, those things that really make a difference in people’s lives.

Okay, one of our last things we hear all the time as GRC professionals. Oh, we have resource constraints.

We can’t do the things we want to do. I don’t have time. I don’t have money. I don’t have people. And then my favorite. This isn’t a Tom Cruise movie.

It’s Risky Business. Everybody has resource constraints. And I know CJ, you’ve got something to say about this one.

CJ Cox

I kind of said it earlier. Well, then do it faster, do it cheaper, do it better, do it quicker. When you are resource constrained, that means you can’t do everything. So you’ve got to prioritize.

If you’re the expert, figure it out. What are the essential pieces? What’s the bare minimum to get the GDPR? What do we have to do? And then you’ve got to tell your bosses within those constraints, hey, I don’t have enough time to do our GDPR program because I need these six things.

And we need a rep over in the EU so that we have an address that people can mail their privacy requests to. There’s all sorts of crap. You’ve got to identify the pieces and communicate.

Communicate it in a way the boss can understand it. What they understand is dollars and resources and risks.

Kelli K. Tarala

So perhaps, CJ, the conversation is, well, if we do this project, we reduce our risk on this front. But if we don’t do this project, it’s a bigger risk because a regulatory agency may fine us. If we delay this project, we incur the risk of this.

So, sometimes when they just see a large budget item and they don’t understand why you’re asking for EDR or why you’re asking for more MFA licenses, explain to them, if we don’t do this, this is what could happen.

And the likelihood of that happening is X or Y.

CJ Cox

We got a quick question from Justicia. I work at a corporate law firm. These attorneys get paid to find loopholes, and they frequently do with the security rules. How do I make them see their ethical requirements or just the requirements?

I would talk to those lawyers. Have you ever seen a client get in trouble with the IRS because they thought they had a loophole? Do you want to take that risk? Is it worth it?

That’s the only way. Because lawyers are damn smart, man. I had jury duty last week. And I am stunned at just this, the county level, the caliber of judges and attorneys that were there.

It. I know there’s bad ones out there, but it blew my mind. So, yeah, attorneys are smart rats. And they’re a challenge.

Yeah, yeah. Write your rules better. Close the loopholes on them. Play the game well.

Kelli K. Tarala

And also the conversation you can have with the attorneys is, remember, regulations are written for multiple verticals and multiple sectors.

HIPAA is meant to cover the little rural clinic as well as these conglomerate hospital chains.

So where do you fit in the food chain? And so if you have the conversation and say, listen, no regulatory agency can write a rule that covers everyone from the little guy to the big guy.

So you kind of have to put blinders on and say, this is our. This is the court we’re playing on. And these are the rules for our court. Not the big conglomerate and not the rural clinic.

Okay, let’s go on to.

CJ Cox

I ban at you, but ten minutes.

Kelli K. Tarala

Okay, well, we’ve got lots to say, so. Okay. If you’re dealing with resource constraints, and we’ve made it abundantly clear that we all have resource constraints, how do we deal with it?

How do we fix it? What? Well, hey, let’s talk about technology. We’ve got tools that are available to make our jobs easier, specifically within GRC.

What sort of tools can help us? We’ve got new GRC user-friendly platforms, and yes, we do have not-so-user-friendly platforms that have been in existence for a long time.

But you don’t have to expose your customers or your stakeholders to those icky platforms. You can give them a different interface that’s a little easier to use.

There are mobile-friendly solutions. And also another thing you can do is think about how you can automate some of these routine compliance tasks. CJ will tell you he gets kind of crazy in the head when he’s got to fill out these vendor assessment forms over and over and over again on some portal that I can’t.

CJ Cox

Even log in on because it doesn’t support Firefox. Oh, wait, it does. But you have to do this step. For God’s sakes, people. Make it easy for people.

Kelli K. Tarala

Could somebody please put in the meme of the old man yelling at the.

CJ Cox

Clouds because get off my lawn.

Kelli K. Tarala

Okay, so not only do we talk about what sort of platform you are communicating your GRC goals with, but also are you leveraging data and analytics?

This is something that I’ve been working on, learning over the last year. Are you using good dashboards? Could somebody in your organization, if you’ve got some people, engineers, who are really good at PowerShell or, I’m sorry, Power BI, or somebody who’s really good at graphs.

Hayden at our organization can do beautiful things with graphs. We’ve got people who are much better at massaging data, making it look meaningful, telling stories with data.

GRC metrics, for those of you who don’t know, there are measures and metrics associated around the CIS controls. Very helpful guide if that’s something you’re interested in.

You can write or look at use case scenarios. And then here’s the biggie here, folks. If you’re not using an AI prompt to help with your GRC efforts, you’re missing the boat.

Now, I’ve been learning this over the last few months myself, how to write better prompts. But this is, this will streamline your work. You will find answers that are sometimes difficult to find.

And also it might help you draft a response to an audit or an assessment or a response to a regulating, body. It can be used in all sorts of ways.

And CJ, I’ve sort of said a lot there. Is there anything you’d like to add?

CJ Cox

Now, we’re focusing this year, and we talked about key performance indicators, and things are not about counting everything or counting the easy things. But if you can use metrics and things like that, management speaks that language.

It will be helpful. But again, you can do bad metrics and bad KPIs. Don’t do that. Again, do it the right way.

Don’t just do it the easy way.

Kelli K. Tarala

Well, I’m glad you said that, CJ, because even at Black Hills, we’ve started out with some metrics and we said no. What’s your analogy you always use for pilots?

CJ Cox

If you lie to me on my data or you give me bad data, I’m flying the BHIS plane. If you give me bad data about my altimeter, I’m going to fly right into the side of a mountain.

If you’re in the business, you’re on the plane. You don’t want to fly into the side of the mountain. So don’t lie in metrics. Don’t use bad metrics. All that good stuff. But someone just said here, have I heard of the SIG?

Yes, the SIG is what’s wrong with the world. 800, 950 questions in a SIG. Really? Really? Never mind. I’m yelling at the cloud again, aren’t I?

Okay, don’t put those back up. I saw those. They’re great.

Kelli K. Tarala

Okay, so these are just a few suggestions on, when you’re resource constrained within GRC or within your job as a security engineer and you have to do some GRC work on the side, how can you leverage technology?

How can you leverage data and analytics to make things easier? One of the points I was driving at, but didn’t quite actually hit the home run is when you’re developing your metrics, they’re allowed to change.

If you’re tracking a particular metric and it’s not allowing you to fly the plane, drop it, modify it, fix it.

Metrics aren’t meant to be set in stone. They are, as CJ said, part of the dashboard. And if they’re not giving you what you need, get rid of them.

Okay, our last one in our list here. Negative associations with audits, assessments, and penalties. We all feel this.

We’ve been asked to do something, and our coworkers will tell you, oh, goodness, not another audit. Not another assessment. I don’t have time for this. I don’t have the budget for it.

Oh, my goodness. I lose 50% of my staff hours because they’re answering your stupid questionnaires. Oh, my goodness. You didn’t understand something.

So now you’re going back to my subject matter expert and he’s got a project to implement. Or she’s supposed to implement this over the weekend and now she can’t.

Sometimes there are negative associations where people miss out on their home life balance because they’re responding to an assessment or an audit. This happened all the time at the organization I was at previously.

The assessors were coming in, we had to do some last-minute pushes of patches and installs. And you miss important life events, like your kids’ soccer games, or you miss going to your Bible study, or you miss having dinner with that friend that you haven’t seen in a while.

These are all sort of negative associations with audits and assessments. So what do we do about it, CJ?

CJ Cox

Look for the pony and the pile of poop.

Kelli K. Tarala

You heard it here first, folks. Look for the pony and the pile of poop.

CJ Cox

It’s raining. There’s going to be a rainbow. There are other signs that results of audits and things like those are feedback. Right? And those are consequences for actions.

And if you get bad results, then you go to management, you tell how you can improve.

Kelli K. Tarala

So, okay, I know maybe this slide is a bit cheesy: lead by example. Okay? Insert eye roll.

We all know that, but let’s take a step back. It is January and all, and a lot of us are having our resolutions: lose weight, exercise more. Well, maybe let’s examine how we are at work.

Can I lead with a better attitude? Can I maybe do fewer eye rolls in that meeting? Or perhaps turn off my camera so people don’t see my eye rolls?

Or like John Strand does, go and swear off camera and then come back on? But what we do by leading by example, you guys know this.

If you don’t know what you’re doing, admit it and say, I’m doing the best to try and understand this particular framework.

I can tell you from experience there are some technical controls I don’t quite understand. I have to go to our more technical guys and gals and say, I just don’t get this.

And they’ll say, well, I’ll try and explain it to you, but we might need a whiteboard. And then again, we’re sort of hammering this point about talking about risk management.

We do everything in our lives based on risk decisions. We choose not to run red lights. We choose not to eat all 12 donuts.

People understand risk management. They just don’t understand that language we use. So if you can use real-world examples, well, if you do this, this potential bad thing may happen.

I’m six months overdue for an oil change, and I’m like, it doesn’t matter. But now I’m thinking, well, if I don’t get that oil change soon, what are the risks of not getting it?

That could be pretty substantial. So as we’re trying to overcome this bad perception around audits and assessments, we ourselves can try and be more positive about it.

And we all want to belong and we want to have friends. We want to have somebody to talk to. But sometimes in this role, you’re not going to have friends. You’re just going to have to do the right thing and hope eventually people are going to say, yep, he did the right thing.

She did the right thing. Even though it wasn’t very much fun. Okay, so what did we talk about so far? We talked about these seven areas where GRC or compliance people hit roadblocks or bumps.

Well, what can we do to address those roadblocks and bumps? We talked about focusing on value creation, collaboration, building trust and credibility each and every day.

Developing effective communication, leveraging technology, data and analytics, leading by example. What we wanted to share with you. We know we’re getting to the top of the hour.

And remember, we’ll have the slides available for y’all. We’ve got lots and lots of resources, and CJ, do you want to talk about some of these?

CJ Cox

No, we don’t have time. One minute. These are great books. I haven’t read them all. But this is where our philosophy comes from. Kelli lists lots of podcasts. Lots of good stuff in there.

Inspiration comes from everywhere, including you, our community. Your Discord today was killer. Like, you were making me laugh. You were adding good points. I tried to answer your questions as we go.

Thank you so much for being here. Kelli, take us out.

Kelli K. Tarala

Okay, again, thanks, everyone. We are super glad that you’re here today. We’re going to get that GRC channel stood up soon, and we’re going to continue the conversation there.

Deb Wigley

Well done, everybody. Right at the top of the hour.

CJ Cox

Bang.

Deb Wigley

Like you planned that. And the GRC Channel is live. It is called GRC Mafia requested. So well done, everybody. That’s great.

Great.

CJ Cox

Who the star of this show was? The freaking audience was just crushing it.

Deb Wigley

They’re the best for sure.

CJ Cox

It’s just amazing.

Deb Wigley

Speaking of the wonderful audience, do you have any questions for the illustrious.

CJ Cox

Yeah, we can hang around. Post show now. Do the question.

Deb Wigley

We can. How about we just.

CJ Cox

Yes, I’ll be in Denver.

Deb Wigley

How about you guys wrap it up? Final thoughts. Final thoughts. If you had just one sentence, if you could sum everything up, Kelli, what would it be?

Kelli K. Tarala

GRC rules. And we’re here to support you.

Deb Wigley

Nice. Well done. CJ?

CJ Cox

Force multiplier. You get clarity, cohesion going from your GRC. The rest of your program will go better. And we pointed to 100 resources, including us.

We’re here to help you on the channel. You want to come direct, you got serious problems. We’re out here to help you. Name the problem, we’ll come help.

Deb Wigley

Nice. Name the problem, we’ll come help. I like it. That’s good. And with that, we will transition to question time. What does Jason always do? He does the, Any questions that you guys have, we will stick around for a couple minutes and ask.

CJ Cox

I can’t wait to quit sniffing glue. Fulcanelli, you were a great time. That’s a great, great points in there.

Deb Wigley

Lots of love.

Kelli K. Tarala

I don’t see anything.

CJ Cox

Do we have. Do we have, like, a who’s who on Discord with, like, people’s like,

Deb Wigley

like, they’re real.

CJ Cox

Like they’re LinkedIn. Like, who. Who is this?

Kelli K. Tarala

We.

Deb Wigley

Do we have a LinkedIn?

CJ Cox

Who’s this Kintsugi panda?

Kelli K. Tarala

Like, oh, he’s.

Deb Wigley

That’s Chad. He’s. He’s our buddy.

Kelli K. Tarala

Oh, we do have a question that came in.

CJ Cox

Where?

Kelli K. Tarala

Why do security and GRC seem to be always at odds?

CJ Cox

What?

Kelli K. Tarala

Well, I’ll take a stab at that. Security, very black and white thinking; GRC, more gray thinking and more relationship focused.

And sometimes security people don’t want to have good relationships. They just want to get shit done.

CJ Cox

I would point it to why are security and IT always at odds? And it’s kind of a layer thing. Because security is kind of trying to levy security requirements.

Well, compliance is levying security requirements on security. Security is on IT. So the crap rolls downhill.

But we’re trying to capture the fundamental basis of the foundation of your security. So. And we can get it wrong. You can go overboard on it. You can be too vague.

You can be a lot of things. Again, you’ve gotta. That’s why you’ve got to. If we’re at odds, where, Dennis Prager, great guy, you may agree or disagree with him politically.

But he said clarity is king and he would rather know where I disagree with somebody than that we disagree. That’s not as important once you understand where we disagree.

That’s where Kelly says, okay, now negotiation, compromise has to come into effect. The art of the reality. So I think that’s the wrong answer to that.

Deb Wigley

Going back to your kind statement, Kelli, clear is kind, like clarity is kindness. Definitely. To be clear is to be kind. Jake wants to know any advice on working with ineffective folks in other departments.

Kelli K. Tarala

Try and find any sort of common ground you can. And probably best not to tell them that they’re ineffective. That doesn’t usually start a good conversation.

Yeah, but sometimes asking simply, how can I help you? Are there things that you’re struggling with? Is there, do you need somebody to talk things over with?

Those seem to be good icebreakers. But what do you guys think? Mhm.

Deb Wigley

I think that like, how can I help my CISO? Good. Like I think that’s a good. Well, while they’re answering that, we have another question. For an org that has grown without ever devoting resources to a formal GRC program and barely SecOps, what would you suggest to start with?

So how do people even just get started? It’s a great question.

Kelli K. Tarala

Oh, that’s a great softball. A charter. Yes, a charter document. CJ, explain what a charter is.

CJ Cox

You explained it to me, Kelli. I didn’t have one. I had a security policy that said you have to have a security program. The charter is that policy that lays out what the responsibilities are.

What do you report, who do you report to, what is your realm of responsibilities? And from there you can roll out what are the pieces we need. You can start having a prioritized list. Do we need a GDPR policy?

What’s the next thing we need? We probably have an acceptable use agreement already in the company. We have some things like that, but there are policies you need to build up.

So how do you eat an elephant? One bite at a time. So your charter lays out that we’re going to eat an elephant. Here’s what we’ve already eaten on the elephant and here’s the next pieces we’re going to eat.

I think that that’s kind of a plato.

Deb Wigley

Do you have any kind of link to a template?

CJ Cox

Yeah, we can give you ours. Cool. Kelli’s got templates. We got all sorts of stuff. Email Kelli or K Torala app.

Which are you?

Kelli K. Tarala

I’m Kala, and a couple folks in the Discord channel mentioned using ChatGPT. There’s another great resource to build a charter.

CJ Cox

Mhm.

Deb Wigley

Any other questions, guys? Before we wrap up, I think you guys got them all.

Kelli K. Tarala

There was one question I’d like to hear CJ weigh in on. Do you think it’s a better approach that InfoSec and GRC become one?

CJ Cox

No.

Kelli K. Tarala

Well, why not?

CJ Cox

Separation of duties.

Kelli K. Tarala

What does that mean?

CJ Cox

So it can be like the audit group. It shouldn’t be part of the IT group because they audit it. But here we got people who wear the IT and the security and the GRC hats.

So it’s going to happen, but you have to compartmentalize a little bit and say, what does this function call for? What’s different? When you’re the sole person, you do communication at lightspeed.

Maybe you may get unclear on stuff, but I mean like in our group, I am security and I am GRC, but I’ve got Drock who handles the technical security.

So I still get the pushback and the internal stuff going. So I mean they can be. There’s no. That’s like, where does the security program belong within the C suite?

Is it under IT? Is it under audit? Where does the compliance group grow? You look at people’s org charts and they’re all over the place. There’s no right answer. It’s what works for you.

Kelli K. Tarala

Well, there is one last question I would like to address. When are we going to have another GRC webcast? Well, my friends, it’s going to be in February and Corey Hamm and I are going to be talking about cyber resilience.

Deb Wigley

Nice. So soon, very soon.

Kelli K. Tarala

Soon, very soon.

CJ Cox

Real quick. Zoe Brack wants to know any tips for working with less technical auditors and regulators? Clarity, communication, speak in their language.

Why is. Why battle over zero trust.

Kelli K. Tarala

Can I add one thing to that? I’ve been there. The auditor might very well know that they are less technical and they might feel some imposter syndrome. If you casually say, hey, if there’s ever a technology you’re looking for clarification on, I’ve got great training resources or I know this article.

You can very simply suggest to them where they can find information to learn about it.

CJ Cox

Man, the community comes in with answers as good as ours. So they do.

Kelli K. Tarala

Or better in some cases.

Deb Wigley

In some cases for sure.

Kelli K. Tarala

And on that note, let’s wrap it up.

Deb Wigley

Thanks, guys, for showing up, and we appreciate again you spending your time with us on this Thursday or whatever day it is that you happen to catch the recording. And, yeah, I think that’s it. We’ll wrap it up.

Ryan, we have one job.
