
As the pre-dawn mist draped itself over the desolate battlefield, a lone figure lay nestled within the confines of a shallow trench, his silhouette a stark contrast against the ashen sky. Clad in worn fatigues, his weather-beaten face betrayed the weight of countless battles, each line etched with the memories of comrades lost and battles won. With every breath, the chill of anticipation hung heavy in the air, mingling with the earthy scent of damp soil and the distant rumble of artillery fire. In the eerie calm before the storm, he found solace in the familiar routine of preparing for the impending onslaught, methodically checking his gear and steeling his resolve for the chaos that awaited beyond the safety of his makeshift sanctuary. For in the heart of this crucible of conflict, amidst the cacophony of war, he would once again be called upon to confront the demons that lurked in the shadows of the trenches. And as the first rays of dawn pierced the darkness, he knew that the time had come to face his fate head-on, for better or for worse, in the crucible of combat.

Nope, that is not that type of a story… But as I was reflecting on my military service from the warmth and comfort of my comfy office in Carmel, Indiana, a light bulb went off… Having been in the military for the last 11 years (and counting) with deployments to the Middle East and Africa, suddenly, I realized that what I do in my civilian job is not that much different from my military trade.

Let’s take a step back. I am a cybersecurity professional with extensive expertise in standing up Governance, Risk and Compliance (GRC) programs by day, and a Navy Expeditionary Logistics Officer when I am wearing the cape, a.k.a. the uniform, with a dog-tag around my neck and one attached to my boot. But what is the catch here? How do those two functions overlap?

GRC in the corporate world usually revolves around risk assessments, tracking compliance to several frameworks, and chasing people, of course. Not to mention a GRC tool that many organizations unfortunately get baited into viewing as a silver bullet to their GRC program scaling. Unfortunately, most of those organizations end up swallowing a hard pill when the tool alone not only fails to fix the grand collapse of their GRC program but also highlights the lack of foundational processes and procedures in place.

So how come the military was able to get it right? Armed with Excel Spreadsheets, PDFs, and PowerPoints, the US Military added a collateral duty of a “GRC Analyst” to every man and woman who wears the uniform and proudly displays a star-spangled banner on their shoulder.

The “one team one fight” culture and the sense of personal buy-in into the mission allow the US military to take a group of people from different walks of life and morph them into one holistic unit, a very lethal one most of the time.

As you attend initial/basic training, you go through a series of mental and physical evolutions that teach you to assess risks on the fly. Moreover, the scope of the assessment is extended beyond your own well-being to cover your brothers and sisters-in-arms and the overall mission you have been tasked with. On a subconscious level, you start to genuinely care about the people who surround you and how your actions will impact them and the mission. As you advance through the ranks, the scope and coverage of this trait grow exponentially.

This type of behavior can never be a result of just an order from a commander. For it to exist, you must gain the trust and the member’s buy-in. Buy-in into the mission, the vision, and high-level strategy.

And that’s where we constantly fall short in the corporate world, in my opinion. We spend hours chasing our stakeholders and pulling feedback from them without spending the time to win them over.

In 2012, General Martin E. Dempsey, Chairman of the Joint Chiefs of Staff, wrote a white paper on Mission Command as part of Joint Force 2020 development. Below are the key abstracts:

“Mission command is the conduct of military operations through decentralized execution based upon mission-type orders. Successful mission command demands that subordinate leaders at all echelons exercise disciplined initiative and act aggressively and independently to accomplish the mission.

Smaller, lighter forces operating in an environment of increased uncertainty, complexity and competitiveness will require freedom of action to develop the situation and rapidly exploit opportunities. Decentralization will occur beyond current comfort levels and habits of practice.

There are 3 key attributes that enable the practical application of mission command: understanding, intent, and trust.

Understanding equips decision-makers at all levels with the insight and foresight required to make effective decisions, to manage the associated risks, and to consider second and subsequent order effects. This is the “inner eye” – the cognitive ability “at a glance” to see and understand a situation and thereby make independent decisions and correct actions.

Joint Doctrine defines “commander’s intent” in part as “a clear and concise expression of the purpose of the operation and the desired military end state”. In mission command, intent fuses understanding, assigned mission, and direction to subordinates. Commanders will be required to clearly translate their intent (and that of higher) to their subordinates and trust them to perform with responsible initiative in complex, fast-changing, chaotic circumstances.

Just as understanding informs the commander’s intent, trust informs the execution of that intent. Building trust with subordinates and partners may be the most important action a commander will perform.”

So what is the Holy Grail root-cause issue of failures that plague successful GRC program adoption and scaling within a corporate organization?

In my opinion, it is the lack of understanding of the intent, failure to clearly communicate the intent, and therefore complete absence of trust. We rush to tool implementation and metrics reporting before we even reach an alignment at the C-level when it comes to the pain points the tool is supposed to address.

The solution requires you and your organization to go back to the basics of GRC. After all, GRC, fundamentally, is the people and their expectations management function.

  • Start with winning over your people by getting them onboard with your organization’s mission and current strategy.
  • Establish boundaries for them to operate in and have trust in their ability to execute.
  • Explain the why behind the ask and be open to their feedback.
  • Communicate, and over communicate if needed.
  • Lead by example at all levels.

Here are the key points and insights from “the trenches” of GRC implementation at the junction of corporate and military worlds:

  • Understanding Business Context: Effective GRC practices require a deep understanding of the organization’s business objectives, operations, and industry-specific risks. This understanding helps tailor GRC frameworks to the specific needs and challenges of the organization. (There is a reason why a brief is mandatory before any major mission is authorized within the military.)
  • Integration of GRC Processes: Successful GRC implementation involves integrating governance, risk management, and compliance processes seamlessly into existing business operations. This integration ensures that GRC activities support rather than hinder business activities. (Every member of the military practices GRC daily without even realizing it. There is also a process for every task and a documented manual for every established process.)
  • Communication and Collaboration: GRC efforts often require collaboration across various departments, including legal, finance, IT, and operations. Effective communication and collaboration are essential for aligning GRC activities with business goals and ensuring buy-in from key stakeholders. (Effective communication is the linchpin of Command and Control in any military organization.)
  • Risk Assessment and Prioritization: Identifying and prioritizing risks is a critical aspect of GRC. We learn to conduct thorough risk assessments, considering both the likelihood and potential impact of various risks on the organization’s objectives. (Each member of the military is taught operational risk management and is expected to act upon his/her assessment results within the pre-established boundaries.)
  • Technology Enablement: GRC tools and technologies can streamline processes, automate routine tasks, and provide real-time insights into risk and compliance issues. However, successful implementation requires careful selection, customization, and ongoing maintenance of these tools. (Tools help optimize and scale the implementation once you have the basics zeroed in. Microsoft 365 is the most widely used GRC tool in the military.)
  • Adaptation to Change: The business environment is constantly evolving, with new risks emerging and regulations changing. You must remain agile and adaptable, continuously monitoring the landscape for new threats and adjusting GRC strategies accordingly. (Adaptability and ability to overcome obstacles have always been an essential attribute of successful militaries.)
  • Continuous Improvement: GRC is not a one-time project but an ongoing process. Continuous monitoring, evaluation, and improvement are essential for ensuring the effectiveness and relevance of GRC practices over time. (After Action Report is a must for every evolution, no matter how small or rudimentary that evolution was.)
  • Cultural Considerations: Building a strong culture of compliance and risk awareness is crucial for the success of GRC initiatives. Strive to foster a culture where employees understand their roles and responsibilities in managing risks and complying with regulations. (Specifics of geo-location and local culture nuances are always taken into consideration when planning a mission, as are the strengths and potential shortcomings of the team you are going forward with.)

Good read, but where do I start? What are the next steps? How do I get my GRC program off the ground and running?

  1. Stakeholder Engagement: Engage or re-engage your C-suite, secure a program sponsor, and align on goals and expectations.
  2. Centralized Documentation: Consolidate all relevant policies, procedures and compliance documentation into a centralized repository accessible to all stakeholders. Ensure that those policies are realistic and can be implemented and not just aspirational check-the-box type of documentation.
  3. Training and Awareness Programs: Your people are your biggest asset. Develop tailored training and awareness initiatives to educate your employees about compliance requirements, risk mitigation strategies, and their roles in maintaining a culture of compliance.
  4. Process First: Review your existing processes for completeness and fit for your current operational environment. Seek honest feedback. At the end of the day, you cannot automate (successfully) something that is broken.
  5. Phone a Friend: Reach out to the community and tap into the collective knowledge. Happy to chat as well. Don’t hesitate to ping me directly if/when needed.

* I am not stating that the US military is perfect and has nothing to learn from the corporate world. In fact, over the past several years, the United States Navy has been actively reshaping the force and ingesting ideas and concepts of workforce agility from the corporate world. As we move out of the Fourth Industrial Revolution (4IR), it is vital as never before for the two domains (corporate and military) to collaborate and share knowledge and best practices.

** The views expressed are those of the author and do not reflect the official policy or position of the US Navy, Department of Defense or the US Government.

Get in Touch!

At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.

317.759.4453

About the Author

Eugene is a senior consultant with 9 years of experience in both implementing and assessing controls. Before joining Reveal Risk, Eugene spent 3 years working for a hospitality technology startup, helping the organization turn the corner from having an Information Security program with a startup mentality to maturing into an enterprise-level program with multiple audits and compliance certifications including PCI DSS and GDPR.

When not assisting his clients, Eugene fulfills his duty with pride as a Staff Officer within the United States Navy Reserves.
