As the pre-dawn mist draped itself over the desolate battlefield, a lone figure lay nestled within the confines of a shallow trench, his silhouette a stark contrast against the ashen sky. Clad in worn fatigues, his weather-beaten face betrayed the weight of countless battles, each line etched with the memories of comrades lost and battles won. With every breath, the chill of anticipation hung heavy in the air, mingling with the earthy scent of damp soil and the distant rumble of artillery fire. In the eerie calm before the storm, he found solace in the familiar routine of preparing for the impending onslaught, methodically checking his gear and steeling his resolve for the chaos that awaited beyond the safety of his makeshift sanctuary. For in the heart of this crucible of conflict, amidst the cacophony of war, he would once again be called upon to confront the demons that lurked in the shadows of the trenches. And as the first rays of dawn pierced the darkness, he knew that the time had come to face his fate head-on, for better or for worse, in the crucible of combat.
Nope, that is not that type of a story… But as I was reflecting on my military service from the warmth and comfort of my comfy office in Carmel, Indiana, a light bulb went off… Having been in the military for the last 11 years (and counting) with deployments to the Middle East and Africa, suddenly, I realized that what I do in my civilian job is not that much different from my military trade.
Let’s take a step back. I am a cybersecurity professional with extensive expertise in standing up Governance, Risk and Compliance (GRC) programs by day, and a Navy Expeditionary Logistics Officer when I am wearing the cape, a.k.a. the uniform, with a dog tag around my neck and one attached to my boot. But what is the catch here? How do those 2 functions overlap?
GRC in the corporate world usually revolves around risk assessments, tracking compliance to several frameworks, and chasing people, of course. Not to mention a GRC tool that many organizations unfortunately get baited into viewing as a silver bullet to their GRC program scaling. Unfortunately, most of those organizations end up swallowing a hard pill when the tool alone not only fails to fix the grand collapse of their GRC program but also highlights the lack of foundational processes and procedures in place.
So how come the military was able to get it right? Armed with Excel Spreadsheets, PDFs, and PowerPoints, the US Military added a collateral duty of a “GRC Analyst” to every man and woman who wears the uniform and proudly displays a star-spangled banner on their shoulder.
The “one team one fight” culture and the sense of personal buy-in into the mission allow the US military to take a group of people from different walks of life and morph them into one holistic unit, a very lethal one most of the time.
As you attend initial/basic training, you go through a series of mental and physical evolutions that teach you to assess risks on the fly. Moreover, the scope of the assessment is extended beyond your own well-being to cover your brothers and sisters-in-arms and the overall mission that you have been tasked with. On a subconscious level, you start to genuinely care about the people who surround you and how your actions will impact them and the mission you have been tasked with. As you advance through the ranks, the scope and coverage of this trait begin to grow exponentially.
This type of behavior can never be a result of just an order from a commander. For it to exist, you must gain the trust and the member’s buy-in. Buy-in into the mission, the vision, and high-level strategy.
And that’s where we constantly fall short in the corporate world, in my opinion. We spend hours chasing our stakeholders and pulling feedback from them without spending the time to win them over.
In 2012, General Martin E. Dempsey, Chairman of the Joint Chiefs of Staff, wrote a white paper on Mission Command as part of Joint Force 2020 development. Below are the key excerpts:
“Mission command is the conduct of military operations through decentralized execution based upon mission-type orders. Successful mission command demands that subordinate leaders at all echelons exercise disciplined initiative and act aggressively and independently to accomplish the mission.
Smaller, lighter forces operating in an environment of increased uncertainty, complexity and competitiveness will require freedom of action to develop the situation and rapidly exploit opportunities. Decentralization will occur beyond current comfort levels and habits of practice.
There are 3 key attributes that enable the practical application of mission command: understanding, intent, and trust.
Understanding equips decision-makers at all levels with the insight and foresight required to make effective decisions, to manage the associated risks, and to consider second and subsequent order effects. This is the “inner eye” – the cognitive ability “at a glance” to see and understand a situation and thereby make independent decisions and correct actions.
Joint Doctrine defines “commander’s intent” in part as “a clear and concise expression of the purpose of the operation and the desired military end state”. In mission command, intent fuses understanding, assigned mission, and direction to subordinates. Commanders will be required to clearly translate their intent (and that of higher) to their subordinates and trust them to perform with responsible initiative in complex, fast-changing, chaotic circumstances.
Just as understanding informs the commander’s intent, trust informs the execution of that intent. Building trust with subordinates and partners may be the most important action a commander will perform.”
So what is the Holy Grail root-cause issue of failures that plague successful GRC program adoption and scaling within a corporate organization?
In my opinion, it is the lack of understanding of the intent, the failure to clearly communicate the intent, and therefore a complete absence of trust. We rush to tool implementation and metrics reporting before we even reach alignment at the C-level on the pain points the tool is supposed to address.
The solution requires you and your organization to go back to the basics of GRC. After all, GRC is fundamentally a function of managing people and their expectations.
Here are the key points and insights from “the trenches” of GRC implementation at the junction of corporate and military worlds:
Good read, but where do I start? What are the next steps? How do I get my GRC program off the ground and running?
* I am not stating that the US military is perfect and has nothing to learn from the corporate world. In fact, over the past several years, the United States Navy has been actively reshaping the force and ingesting ideas and concepts of workforce agility from the corporate world. As we move out of the Fourth Industrial Revolution (4IR), it is vital as never before for the 2 domains (corporate and military) to collaborate and share knowledge & best practices.
** The views expressed are those of the author and do not reflect the official policy or position of the US Navy, Department of Defense or the US Government.
Get in Touch!
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453