
Hi everybody, can everybody hear me all the way to the back with this mic? Cool, I see some thumbs up, awesome. So my name is Rose and I am going to be speaking on GRC: A Swiss Army Knife. This talk is one that I've been mulling over doing for years. GRC is super near and dear to my heart; it just makes me insanely happy to do anything GRC-related and kind of send the information out into the world. So we're going to talk about this topic. I promise I didn't make it boring; GRC is super interesting, especially if you work in it. This talk is meant to be very generic, so if you have other departments in your organization that are struggling working with other business units, a lot of the information that I talk about today can be universally applied. So take these takeaways and go apply them within your organization.

So I picked a Swiss Army knife as the concept of this talk because a Swiss Army knife is so multi-faceted: you use it to screw, you have a knife, you have clippers, you can pretty much make it whatever you need it to be. So I use this concept in order to talk about GRC, and hopefully it resonates with you guys.

Well, before we get into the good parts of this presentation, a little bit about me. So I am the Director of IT and Compliance at Spring Health. Spring Health is a mental health company that specializes in data and analytics to bring really good care to patients, so taking away from doing kind of like the hitting-the-darts-on-the-wall approach to mental health, but rather using data and analytics to provide really good care to our patients. As you can imagine, we have a pretty robust platform and lots of security things that need to happen on that. Before I came to Spring, I was a consultant for years at CSO. I see some of my CSO friends in the crowd, so hi, CISO. If you guys have not worked with them, go see Joe; he will hook you up and get you any support that you need. So, shameless plug for you, Joe. [Laughter] And before that I was in the military for quite a bit of time, eight years, and I did
network engineering, I did IT, I worked on crypto gear, you name it, I was doing it. And so my background gives me a whole lot of different things to pull from when I'm trying to build really good business relationships and, I think, fix the things that I'm trying to fix within my organization. Additionally I have some education; you guys can see it up there. More importantly, I like to volunteer in the community: I do lots of mentoring with Women in Cyber Security, lots of work giving back to the infosec community such as speaking, and then additionally I run the Diversity and Tech group at my organization, trying to bring more diverse folks into our technology department, which includes engineering, security and whatnot.

So enough about me; you guys didn't come to this presentation to learn about Rose, you came to learn about GRC. So we will get into our topics today. We are going to level set on what exactly GRC is. I've mentioned that tons of times now and haven't quite gone over what that really means to everybody, so we'll level set on GRC, what we normally do in this department. We'll talk about the challenges of GRC. These challenges are ultra important when you're trying to figure out how to fix your department, how to make it more efficient, how to enable the business. Then we'll talk about relationships in the organization. Any time that we're working with anybody in the business, we need to understand the dynamics of those relationships in order to maybe fix the things that are going on, ask for help, whatever we need. So we're going to talk about relationships, and then we're going to get into the pronged approach: what do I mean by the Swiss Army knife? We'll break it down by some different prongs and we'll have some takeaways. The goal of this presentation is that you can go back to your organization and implement some of these tidbits and try to improve the quality of life when working with GRC, working with the business.

Governance, risk and compliance, that is what
GRC stands for. A lot of organizations have a GRC department; maybe it's called security and compliance, maybe just compliance, but ultimately it is a governance, risk and compliance type of functionality. So we have three pillars that are happening within this department. We have governance, which is where you're aligning processes and actions; you're developing documentation, policies, procedures, standards that are generally governing the things that need to happen within the organization. Then you have risk management. So risk management includes risks that you may find on your platforms, in the environment, in processes, but it also includes vendor risk management: how are you managing the lifecycle of those vendors? Additionally you can also lump client questionnaires into the risk management area. I know I refer to this program as client assurance and security, so any time you have a client sending you a questionnaire, asking about documentation, asking for artifacts, whatever it may be. Then we have compliance. So compliance is how we are complying with the legal and regulatory landscape of our particular business. I'll give the example of Spring Health: Spring Health is a mental health company, so HIPAA is applicable to us, the HIPAA Privacy Rule, Security Rule, Breach Notification. So the compliance team is responsible for understanding, consuming and ensuring that we are complying with that. Additionally we have EU citizens, so GDPR becomes in scope for our compliance team, and we have consumers out in California for CCPA.

So these three pillars make up the governance, risk and compliance department, and as you guys likely know, the activities that need to happen in this department are very large, and we touch every single business unit in order to be able to fulfill these things that we need to do. Each of these pillars has its own nuanced processes that need to happen, and they're run by a team that's normally relatively small. I'm fortunate enough to have four people plus myself at Spring
Health for a compliance department, but in the past maybe it was just me running it, or maybe we had to get staff aug, and so it becomes very consuming to try to get all of these things in place.

Now, since we level set on challenges, or rather what the pillars are, let's talk about the challenges. So before you even get to the point that you can start enabling the business to work better, work faster and to be less of a blocker, you have to understand the challenges. And so I give some examples up on the screen; please make sure that you go back to your own organization and you observe what the challenges are within your organization, because that is ultimately how you'll identify what the things are that you need to solve. And so some of the challenges that are listed here: we have where a compliance department may only be focused on the regulatory landscape. If you are only focused on the regulatory landscape, your department will turn into a checkbox activity, and that checkbox activity ultimately influences how other departments see you. "Well, compliance is asking us to do security awareness again, let me just get it done, let me just check off the box." That's not what we want happening. We want to have really good partnerships with the business, so you want to get away from focusing on just the regulatory things and focus on how do I enable the business to work better. Additionally, cross-functional collaboration tends to be difficult when you are working in GRC, so we'll talk about some tips and tricks to improve that. As you guys likely know, while GRC has some of the processes that we have to implement in order to satisfy legal and regulatory things, a lot of times we have to rely on our counterparts outside of these groups, like engineering, product, maybe even people operations or HR, and so achieving the point where you have really good cross-collaboration can be challenging, and so you have to figure out how do I make this happen. The biggest challenge that I've also seen is being
reactive versus proactive. So if your compliance department is in a perpetual state of like, "All right, we got to get this done, we got to get this done," well, now you are creating undue burden on other teams that then need to hit those items. And so you need to get to the point where you're being proactive: can you put a schedule out, can you have notifications well in advance and reminders and sort of things like that, where you become more proactive? Then there is a lack of alignment between the business and GRC. So the business and GRC, we have to be speaking the same language; if not, we're always going to be butting heads, right? So the alignment needs to happen there, and it needs to happen in a way where we are enabling the business to work faster, harder, stronger and not blocking them. And it's challenging; if you work in GRC, you already know it's a very challenging aspect, which is obviously why it's listed here on GRC challenges. And then another challenge is too many manual processes. So we are just now getting to the point where we can start automating within the governance, risk and compliance space. We're getting tools that allow us to automate vendor reviews, access reviews, maybe even SOC 2 controls, tools like Drata, and I think Vanta is another one. So we're finally getting to the point that we can move away from manual processes, but the manual processes, they cause a lot of overhead, they become really clunky, and they're hard for people to understand what they actually need to do at the organization. This all creates all these different challenges within this department.

Additionally, what I have not included on here are some things that I personally do to kind of track challenges within my own organization. So if you guys maybe don't know what those are yet and you're trying to figure it out, I do it a couple of different ways. I observe. So we use Slack, so if I'm in Slack and I'm starting to see people like, "Oh, this process is so long," or they're fussing, okay, well, that's starting to
give me indicators that people maybe need training, they need support, whatever. I talk to my team, both in a public forum and in private, so one-on-ones: "Guys, what are the challenges that you guys are seeing? Are you having issues with working with different parts of the department?" Because that tells me, as a leader, I need to go partner with my peers and figure out a good approach to ironing out these issues. And then in the public forum, when we meet as a team, I like to ask because it creates a collaborative nature where we can partner together as a group and figure out the best approach to solving these challenges that we face.

With challenges, that kind of gives you an ineffective GRC program. So when you have an ineffective GRC program, that becomes very noticeable to the business. It becomes noticeable when they're trying to push a product to go live and we can't let them because they found out about a risk the day before they were trying to go live. It's ineffective when people are trying to onboard a vendor and it's taking them a month and a half to even get them through the vendor review. And we want to reduce these things; we don't want the business to be slowed down. Again, the whole point of this conversation is that we're enabling the business, we're enabling them and being a good partner, and we can't do that if we have an ineffective program. So, ineffective program: you may have unnecessary program complexity. Maybe you have a vendor risk management program that has 20 steps when maybe it only needs six. So it really takes looking at your program, evaluating what you're actually doing and figuring out what are the things that I can get rid of that make my program super clunky and hard to understand. Unknown service level agreements for processes: this is a big one, and a lot of frustrations when working with compliance. If someone comes to me and they say, "Hey, compliance team, we need you to fill out a client questionnaire," and it is 60 questions, I should be able to tell them immediately,
"All right, a 60-question questionnaire is going to take me three days," and I've done that because I've done the data and analytics on the back end to know how long it normally takes my team. I know when we do a vendor review it's going to take, at a maximum, three weeks, because we've done the data and analytics on the back end. And so when you're talking with the business, they need to understand the SLAs. If they're trying to roll out a project or a new product, they should know, "All right, I need three weeks of compliance time built into this project plan," and so now you start to reduce the frustrations when they're working with us. But if you don't have that information and haven't planned for it, it gives the illusion that the team isn't operating effectively; it can create headaches when working with us. So I highly recommend you understand your SLAs for these processes that interface with the business. Lack of visibility into risk: all day long we deal with risk, right, regardless of whether you work in GRC or you work in security. And so when you have an ineffective program happening, you're getting a lack of visibility into risk. I want the business to come to me every time they identify something that may be a risk; they self-identified it, I want them to come to me. But if we have a clunky program, if they don't feel like they can trust us that we're going to take action, they're not going to come to us with their risk, and so we start to lose visibility of the risk. Additionally, if they don't feel comfortable talking to us, they don't want to have the dialogue, well, then maybe we don't even get risk treated and we have risk lingering out in the environment, which isn't what we want either. Additionally, when we are more in a reactive state, you have an increased budget, or increased money, due to overhead of employees or other things that you may need to do. So for each of my processes within governance, risk and compliance, going back to these SLAs, I know it's going to take my team three weeks
to review a vendor, and I know throughout the year we're going to have around 25 vendors. You start to get a sense of how many hours you need for your team throughout the year; you can capacity plan. But if you don't have that and you turn into more of a reactive nature, then you ultimately end up spending more money on things that you didn't plan for, and so again it's an ineffective program happening. And then the final one: an ineffective GRC program is one where your GRC team lacks the technology knowledge in order to be able to talk with the business. How can I tell you how to secure something or implement a control if I have no idea about the technologies? So when you have an ineffective team, they can't go to the business and say, "Hey, business, I need you to implement mobile device management, and these are the things I need you to do"; they don't understand the technologies. So if your team is working, I highly recommend that they understand their platform, they understand how the data flows in and out, they understand all these different technologies, because it truly does make an impact in how you're conversing with the business.

So, so far we've talked about the GRC pillars, we've talked about some challenges and inefficiencies. I want to touch on relationships. So this is a quick snapshot, and definitely not all-encompassing, of the relationships that you have in the org. GRC and security touch every single department; some may be more high-touch than others, but you touch every single department. And so it's really critical that you are truly building rapport with these people in the department, because ultimately you're trying to get them to implement or do something that you need them to do, right? So you want to have relationships with these different groups, whether it's product, and making sure that you get integrated into their lifecycle before they push something out, whether it's engineering, to make sure that repos aren't in a public area where other people
can access them, to maybe your HR or people operations functions, to make sure background checks are happening and making sure they're getting their questions answered about background checks or other processes. So really focus on these different relationships that you need to have and focus on how your processes go into these different areas. So if I know that people operations are going to touch background checks, they should know that they're responsible over those different areas, the same way engineering should know that they're responsible for maintaining repos in a certain way. So it's super critical you understand your relationships and you build rapport with each of these groups and you understand the pains and frustrations that they go through in their own areas, because they're all humans, right? We want to make sure that we're treating them with respect; we're not just demanding them to do things, and sometimes that gets away from us when we're working in compliance, when there are so many things that we have to ensure the business is doing in order to keep, you know, data safe and secure, right?

All right, so we talked about all these different areas of GRC and we haven't actually talked about a Swiss Army knife yet, even though it is in the title of this presentation. So what I have here is a pronged approach to GRC. I'm going to tell you some of the things that have worked really well in my life with GRC, whether I learned it from the military, I learned it from consulting, being an individual contributor, or now in a leadership position. So we have these prongs up here. I picked five; you know your own GRC for your organization, maybe you have six prongs, maybe you have seven, maybe you have two. It really depends on what you are trying to accomplish for your organization. So again, this is meant just to kind of get you going. I love this concept of the GRC knife because it truly can be anything that you want it to be. Whenever I was getting ready for this presentation, I
definitely don't know a lot about GRC, or not GRC, Swiss Army knives, so maybe I shouldn't have gone with that, but I was truly shocked at all of the different Swiss Army knives out there. They're pink, they're red, they have all these different functionalities on them, and they truly can be anything that you want them to be. So when you're thinking about how to make your program more effective, think of all these different ways that you can approach it. Don't think of it just like, "All right, this is my area, I'm only going to focus on these compliance controls." Think outside of the box: think how can I partner with the business, what do they need to be successful, how can I enable them to do the things that I ultimately need them to do. So we'll have these different prongs in order to be able to support them.

The first prong that I have up here is communication. I cannot stress just how critical communication is within the organization. If you do not take anything else away from this talk, take the communication aspect and truly implement it at your organization. When we have things that need to get accomplished and maybe there's misalignment, communication is often the root cause of why we're having issues in the organization, why we're butting heads, why there are frustrations. And so take a good look at the communication that's happening within your org. Advocating: so you should advocate for your business partners, for the work that they need to get done. We shouldn't be bullying them into the work, but rather advocating and lifting them up. We're going to talk about training. We're going to talk about enabling the business: what are some of the different things that we can do outside of these other prongs that enable our department to function better? Then we'll talk about automation: how do we remove those manual processes that create inefficiencies and automate the processes where possible?

So for communication, I thought it was important to cover a couple of different
aspects here. So we're going to ta