On a snowless, sunny Christmas Eve in Indianapolis, a go-getter cyber analyst named Dean Perry worked meticulously in his cubicle. His inbox was swarmed with spam, offering gift cards and gadgets if he agreed to spend an hour of his time demoing one of the GRC solutions.
Suddenly, an always-cheerful man appeared in front of Dean’s desk, offering holiday greetings and an exclamatory “Merry Christmas!”. The man in a vest was Dean’s fearless leader, Norris Wells. “End of quarter and end of year, you know…” proceeded Norris. “How are we doing with our GRC proposal? Need to select a tool and secure the budget so we can roll right into implementation first thing next year”. Dean looked up and gave a thumbs-up.
Dean has been working on this project for the last few months and has reviewed a myriad of GRC offerings. In his mind, they all started to blend in, and he was at the point of accepting spreadsheets as the way to go forward.
His Outlook notification jumped out with 101 new unread emails. “Glitch?” thought Dean to himself as he opened his inbox. To his surprise, there was only one unread email with a blank subject line. Reluctantly, Dean clicked on the email. The email read: “Mr. Perry, we would like to help you make the right choice in the spirit of Christmas. You will be given three insights by the end of the day today”. “Hmm, what a lousy phish,” thought Perry as he deleted the email and rushed to his next meeting.
5 minutes into the meeting, and none of his attendees have showed up. “This is strange. All of them accepted…“ But Dean did not finish his thought as the screen in the conference room flickered and he could hear echoing coming through the speakers. Dean checked the participant list. While he was the only one on the call, somebody definitely has joined his meeting.
“Mr. Perry, how are you doing today?” suddenly came the voice across the speakers.
Dean, a bit frightened by the fact that he might just become the source of the incident breach but also mesmerized by the technological acumen of the unknown, was frantically trying to recall what his next steps should be to report this.
“No need to report to this,” – the voice continued – “unless you want your colleagues to think you have gone insane. Let’s cut to the chase. I don’t have much time. I am here to share three insights with you. But first, how is your GRC search progressing?”
“Very funny, Norris,” – laughed Dean – “this is the best prank from you so far…” Before Dean could finish his sentence, he saw Norris walking by the conference room. “Definitely, Norris, that vest is hard to be mistaken for anything,” zipped through Dean’s mind.
“You can call me Norris if you wish. But I prefer to be addressed as Alexa.” Dean checked his forehead to make sure he was not running a temperature.
“Just kidding. I have no name since I am a ghost, a ghost of GRC. And no, you are not hallucinating. I am here to help you. When is that GRC proposal due? By the end of the day today?”
“Yes,” – mumbled Dean. He was retracing his morning, trying to remember what he had eaten for breakfast and if he had taken his medication.
The Ghost of GRC went on, “How many sales pitches and demos have you seen this year? One too many?”
“They all have one thing in common. They tend to promise to solve all your GRC program pain points with little to no customization required out of the box. Here is your first insight:
There are no unicorns in the GRC software market. Each solution has its place in the ecosystem, but do not expect any single one of them to address all GRC functions and magical alignment to your business. You must prioritize and choose which pillars you want to cover.”
“If this were a prank, they would come out by this point,” thought Dean.
“What exactly are you in the market for?” the Ghost paused for a second to give Dean time to think the question through. “How often have you attended a demo where you have been shown a state-of-the-art solution with vibrant infographics? But did it really address your requirements?
Here is your second insight:
Before you start looking for a GRC tool, document your internal requirements. Workshop the potential use cases with your stakeholders and prioritize them. Don’t go with a pre-staged demo. Have the GRC Sales team show you how their solution can address your specific requirements.”
“What comes first? Process or Tool?” asked the Ghost of GRC.
“Is this a trick question?” replied Dean. “I guess it depends on who you ask. From my perspective, the process should come first.
“Bingo” beamed the Ghost “and now, here is your third insight:
Have your process outlined and functional before you start automating it. Your process should dictate tool configuration, not the other way around. If you start implementation without an internal process in place, the GRC Sales team will implement it based on the tool’s capabilities. They may also make unrealistic promises like writing bad personal checks that even a magical ghost can’t cash.”
“All of this sounds great when it comes to theory, but what should I do? My GRC proposal is due later today, and I have no process or requirements matrix. Only my notes,” Dean asked with a voice full of despair.
“Start small. You always have to start somewhere. You have your notes. Organize them, find common themes, and prioritize the features you got excited the most about. This will be your foundational requirements, the baseline. At a minimum, do it in parallel – document your requirements while searching for the tool. But do not, you hear me; do NOT pull the trigger until you are on solid footing with what you need. Build the carriage as you ride it, so to say.” finished the Ghost.
“What?” Dean reacted, “What carriage? Did you mean the plane? Fly the plane while building…” Dean did not get a chance to finish the sentence. His head turned as he heard the door screech.
Norris was standing in the doorway:
“Dean, are you ok, man? Do you always talk to yourself in empty conference rooms?”
Dean did not know what to reply. He needed a second to regain his composure.
“So, what will be the recommendation? Which GRC solution are we going with?” Norris continued.
At this point, Dean knew what to do:
“None… yet…. We need to formalize and document the process internally first. Once we have a functional process in place, we will work with stakeholders to document and prioritize our requirements for a GRC tool. Let’s not rush and put a tool before the process. A tool alone will not solve our problems unless we have a strong process foundation in place. And I will need internal support and dedicated staff for tool onboarding and implementation if we want to do it the right way.”
As Dean was hanging up on the call, he saw a “thumbs-up” emoji flash for a second on the screen. Was this the ghost, or just an A.I. automated MS Teams emote? That question was the least important in Dean’s mind.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Eugene is a senior consultant with 9 years of experience in both implementing and assessing controls. Before joining Reveal Risk, Eugene spent 3 years working for a hospitality technology startup, helping the organization turn the corner from having an Information Security program with a startup mentality to maturing into an enterprise-level program with multiple audits and compliance certifications including PCI DSS and GDPR.
When not assisting his clients, Eugene fulfills his duty with pride as a Staff Officer within the United States Navy Reserves.