วีดีโอ

great 👍

Promo>SM

Bro the intro music is too much... Best avoid it. Appreciate your podcast and content benefiting the community. ❤️👍

Thanks for another great conversation to elevate GRC. My favourite sound bites from this one were “Make GRC and technical people friends. Everything else is downstream” “Sales if hard Dude, [GRC can help]!” “I’ve been in highly scrutinized environments all my life.” Insight roundup: 1. Collaboration Between GRC and Engineering: Winning hearts and minds between these two silos is an important and challenging endeavour. Focus on encouraging understanding an optimizing use of Engineer’s time: for example: don’t send them a pile of tickets and end up in diverting their energy to taking screenshots. For starters, can the GRC get read access to collect artifacts for them and then raise a list of punchy questions? 2. Continuous Compliance: Just as DevOps embraces continuous integration and deployment, GRC should adopt continuous monitoring and adjustment to maintain compliance status in real-time. 3. What is Compliance Automation? There's a distinction between true compliance automation and automation of compliance-related workflows. True automation should not only streamline bureaucratic processes but also address the root causes of compliance issues. 4. Automated Remediation: There's a push towards not only detecting compliance issues in real-time but also automatically correcting them where possible. This approach helps prevent the accumulation of compliance debt. 5. Preventive Measures: Implementing guardrails to prevent non-compliance from occurring is more efficient than addressing issues after they happen. This proactive approach can significantly reduce the workload on engineering teams. 6. Business Enablement: GRC activities should be closely aligned with business objectives, particularly in enabling revenue generation. Demonstrating how GRC practices facilitate business growth and protect against potential losses can help secure executive support. I made a “Cyber Risks in Business Speak” video about this idea to elevate conversations about security investments with a list of customers that have asked about compliance and their Annual Contract Value.

Great point for GRC to upskill and take the lead in advancing security outcomes, using the foothold of compliance (“the stick”) to drive risk reducing and business enabling innovations. I see a parallel between this idea of GRC rolling up their sleeves to make a bigger strategic impact and S1E3 talking about the second line compliance team being more active in supporting the first line of defense control owners. Thanks for another great discussion!

Thanks for this very inspiring and thought provoking discussion of ideas to advance what’s possible in GRC. Very cool to learn about “changing the rules of the game” coming from a Detection Engineering and Incident Response background. I’m on an Avenger like GRC team where we each bring diverse backgrounds to make the whole greater than the sum of its parts. I bring accounting and my teammate is a software developer. As it relates to applying software developer engineering principles you mention to unlocking GRC capabilities, is there any advice you can offer on how to: (1) optimize my partnership with my colleague to protect and enable Engineering, (2) elevate my technical engineering principle acumen as a non-engineer?

So many great principles and sound bites for world class GRC! The ones I wrote down: In the Three Lines of Defence governance model, “the Second Line of Defence has a responsibility to discover ungoverned risk.” And this won’t happen without appreciating complexity and adaptiveness of modern systems. A reminder to be cautious of complacent SALY (Same As Last Year) checkbox auditing. The point that “there’s adversaries on the other side” has me thinking a box could be added to the IIA’s model beside External Assurance Providers GRC can provide real value in describing where a system isn’t working as designed. And the breadth of GRC gives us a unique capability to do so. In recruiting to GRC for the long haul or even a temporary rotation, the breadth of experience and big picture perspective gained are a big Pro to consider in a candidate’s Pros/Cons list. Key GRC skill: “Translating into an easily understandable system of control which also recognizes the business objectives”. And ideally draw a picture. Adding my perspective: Accountants have good training for this that they can bring to GRC. Building on the above point, “Abstract information to the level and time horizon of the decision maker”. In my experience Accountants and Finance professionals do this with pivot tables and Business Intelligence dashboards. Risk reporting to Senior Leaders: 1. On fostering risk culture via FUD/throwing shade vs a positive “How to we make success more likely” approach: “Minimize the downside risk and the upside will take care of itself”. 2. Instead of presenting a theoretical view of operating within risk appetite and tolerance, focus on the controllables. Here’s the health of the system, here’s the capabilities we’ve built and their measurable improvements. Here’s how much it might cost to change these metrics 3. It’s like sports where you can only control the quality of the training and preparation. You can’t control the weather or the opponent. 4. It’s an infinite game, not a finite game of win/lose Thanks for this contribution to the GRC community!

Great to discover this channel. Yes a niche and nascent topic, but important and rapidly growing in demand. I strongly agree that technical skills are crucial to elevate GRC, both to understand control owners and to execute GRC tasks. It’s inspiring to hear of how you developed your technical acumen independently from your undergrad and I’m interested to learn more. Subscribed!

Good👍👍👍👍😇😛

14:16 I have literally written headless chrome scripts that automate taking screenshots of PRs. It doesn’t scale but works great.

This was a great discussion. Great guest. Very thought-provoking and inspiring.

great 😎

👍🏼

Thank you for starting this podcast. One topic I would love to see you cover is time investment of learning Python or Go while the capabilities of OpenAI are already impressive and will only get better over time. So one concern of mine is spending 2-3 years becoming proficient in Python only to have ChatGPT blow my coding capabilities out of the water.