Risk Grustlers EP 7 | The Process of Setting Up A Process To Set Up A Process

Welcome back to another exciting episode of Risk Grustlers! We're here once again to uncover the captivating journeys of individuals who've carved their niche in risk management and are excelling beyond expectations.

Today, we delve into the remarkable story of Renae, who embarked on a unique and unconventional route into the realm of information security.

From her beginnings in journalism to navigating the world of risk forensics and ultimately landing in the dynamic field of information security, Renae's journey is an inspiring tale of evolution and adaptation.

Join us as we explore the twists and turns that led Renae to where she is today.

Catch the full podcast here.

https://www.youtube.com/watch?v=ocLWtGcNUS4

Aayush: Could you share your journey through journalism, risk forensics, and information security? What motivated and guided you along this path?

Renae: I transitioned from journalism to technology, drawn by the excitement of the early 2000s tech landscape. Joining Expedia provided my first exposure to security through fraud prevention. The motivation behind malicious activities intrigued me, and I found satisfaction in proactive prevention.

While at Expedia, I explored roles in business continuity and crisis communications before finding my way to information security. Protecting people's information and well-being resonated with me, making the move feel right.

My background in communication proved useful, and upon entering the field, I realized I had found a community with shared interests and goals. The skills I had developed over time aligned seamlessly with information security, solidifying my path.

Aayush: Did the transition to information security, which was quite distinct from your previous experience, ever feel intimidating? If so, how did you navigate and start building your foundation in this new field? Did you start with GRC?

Renae: Initially, I wasn't intimidated, as I lacked full awareness of the tools and vendors used in the field. My previous experience helped me transition, especially in training and vetting. I began with GRC and communication tasks, gradually moving into project management and ability management.

My business background and Expedia experience enabled me to collaborate with various teams and work on policies, KPIs, and metrics for the security team, focusing on broader aspects rather than deep technical dives.

Aayush: GRC serves as the foundational step in developing a robust information security program, yet it's often seen as less glamorous within the field. Have you encountered this perception, and if so, what strategies do you think could shift the perspective and make GRC more appreciated?

Renae: GRC often faces perceptions of being unexciting and undervalued compared to development teams. It's crucial for teams to recognize that GRC professionals possess the technical expertise needed for effective work.

While checklist-based approaches can be dull, the real value lies in understanding optimal

solutions and collaborating closely with teams to innovate. This dynamic approach not only brings excitement to the role but also enables the nuanced application of compliance to enhance security and meet goals.

Aayush: As a GRC leader, how do you balance collaboration and assertiveness with teams executing activities like risk management and compliance, especially when lacking direct authority? How do you effectively manage this situation while maintaining the needed balance between being accommodating and firm?

Renae: Striking the right balance between collaboration and assertiveness is essential for long-term success in GRC. While being a hard ass may yield short-term results, it's not a sustainable approach. Long-term success lies in building relationships, educating stakeholders, and making compliance processes easy for them.

Holding people accountable in a respectful manner is key, ensuring deadlines are met and responsibilities are fulfilled. While some situations may require assertiveness, maintaining positive relationships ultimately contributes to effective GRC outcomes.

Aayush: One might expect professionals to stay longer within a company, especially after building a security program and overseeing GRC. However, the industry often experiences significant employee turnover. What factors contribute to this swift churn in the information security field?

Renae: Some individuals are placed in these roles without the required background or interest, assuming success will follow. The perception of the role's value can also affect retention. If positions focusing on compliance and oversight aren't as valued as other roles like development, it becomes challenging to sustain engagement and stay in such roles.

Aayush: For startups transitioning to a robust information security program, what's the worst advice you could provide? In other words, what would be the absolute worst course of action for a company seeking to establish a minimum viable risk management program by hiring a head of information security or a fractional CISO?

Ignoring everything is not a viable approach. In startups or situations where one person manages the role, focusing on documenting risks, listing them out, and understanding the environment's dynamics is essential. This preparation allows for proactive responses to changes and the prioritization of necessary actions, especially when assessments arise.

Aayush: Many of our viewers are growing startups that have reached the point of having a security budget for establishing a minimum viable risk program. What's the absolute worst advice you could offer them? In other words, what would be the most disastrous suggestion for companies at this stage seeking to set up their risk program?

Renae: I've learned from past experiences that when flashy tools were brought in without the necessary structure and support, it often led to issues. There's no magic solution in a tool alone; it requires knowledge and effort to work effectively. Establishing a strong foundational risk program comes first.

Once you have that foundation, you might have a basic system in place. Then, you can consider integrating tools, but you must be prepared for the onboarding, management, and ongoing work they require. Tools can help, but they're not a cure-all. Even the best tools need to be managed and integrated into your existing program. So, when considering new tools, it's essential to focus on the amount of work needed to implement and maintain them effectively.

Aayush: With tighter budgets and smaller GRC teams, how do you handle the increasing compliance demands, especially with new regulations like the SEC's incident reporting guidelines? How can companies manage a more challenging compliance landscape with limited resources?

Renae: Relying on foundational elements is crucial to navigating challenges. For instance, when we lost a tool, we went back to basics and found alternative solutions. Compliance demands are growing, affecting both small and large companies. Even with growth, effort remains consistent due to compliance requirements. Some companies might take calculated risks to sustain operations. However, cutting teams and tools could lead to increased workloads and knowledge loss.

Aayush: Can forced frugality drive a focus on essentials, yet excessive measures might hinder GRC and infosec progress? Is striking a balanced approach crucial for companies?

Renae: Yes, and it's evident in large organizations where processes become convoluted and time-consuming due to excessive layers of process building. For effective progress, especially in large companies, streamlining processes is crucial. Emphasizing compliance with a focus on actual requirements and interpretations rather than creating additional rules is key. Striking the right balance between adherence and pragmatism is essential to avoiding unnecessary complexity in compliance efforts.