GRC Destroyer #10: What does GRC Destroyer mean?
Long overdue explanation of the name and update on the ethos of this blog.
Do I actually want to destroy the governance, risk, & compliance industry?
Yes. Yes I do. The GRC industrial complex blows. It’s just been years and years of bullshit stacked on top of itself, there’s a massive problem with gatekeeping essential information, and there’s a laughable amount of completely useless jobs, trainings, best practices, exercises, content… the list goes on. I’m okay with being the villain here. Villain with high integrity. Visionary villain. Potensh a hero??? Definitely someone who’s gotten way too comfortable on Substack... and that’s on god.
Approaching (too quickly) a decade of doing various things in GRC, I’ve realized that it’s just a bunch of Andrews and Ashleys at the consultancy firm convincing themselves more than anyone that their readiness assessment is going to do something positive for a client. Meanwhile, people like myself who accidentally made their career an indefinite community college homework assignment are just laughing (on Zoloft) at the thought that most of the skillset is writing up random shit in a vague way and throwing big brain statements at people who know EVEN LESS than them, like “we use AES-256 to encrypt data-at-rest”.
To sum this up nicely: this summer I’m gonna buy this exact clown costume on Amazon, get the tripod out in my backyard, put on the clown costume, and proceed to record a serious video called “COMPLIANCE DOES NOT EQUAL SECURITY”. I’m gonna give that to my loyal blog subs, y’all deserve it. Dude, I can’t wait to debunk this hot topic for you, it’s going to be really insightful for you, trust me bro you NEED to know the difference.
BOOOOM ROASTED. Rate my rant in the comments.
Destroying GRC in the name of progress. The time is now.
Even though I am salty about some stuff, this blog has always been in the name of good. We know that AI is going to ultimately correct some massive inefficiencies (TPRM…lol) and also wipe out some GRC jobs to various degrees. I don’t want anyone to lose their job, in fact, I want to encourage people to stay in GRC, pivot to GRC, and/or forge a lucrative and innovative path in GRC.
I have one condition for whether I’m in or out on an idea nowadays: I ask myself whether this person, firm, product, etc. is doing the right thing for the right reasons. It’s not that I want people to build stuff for free or give out all their knowledge for free, I just think that the value proposition lies heavily in honesty, transparency, and community connection.
Here are a couple of examples of how “destroying” led to progress in the GRC industry(ies):
Example 1
Vanta, Secureframe, and Drata “destroyed” GRC by making super-easy-to-use platforms for startups to prepare for initial compliance certifications. The status quo they challenged was that getting a SOC 2 audit had to be expensive, hard, and… in turn this super valuable thing for an early stage company. We know that SOC 2 is basically only a sales enabler at an early stage company: they need it to get any good customers, and they don’t have the maturity or money to invest a lot in compliance. This was a healthy improvement to the larger GRC ecosystem for a few reasons.
Outcomes
Drives higher general awareness of compliance frameworks
Enabled boutique audit firms to partner with platforms and offer SOC 2 reports insanely cheaper than the Big 4 to end customers. Obviously some people were mad about that, but truthfully that saturation makes everyone better, because now the “best” firms that were charging 10x more have to either offer a wayyy better audit deliverable or, better yet, innovate with new services to compete. It’s a win for general adoption of compliance because it lowered the cost barriers for companies. I’d say a slightly shittier audit is better than a company foregoing it altogether because they can’t afford it.
They walked so companies like https://trycomp.ai/ could run. They’re building an open source version that’s 10x cheaper, even more intuitive, and seamless (finally a tool you can just make a free account and use). Of course they can and should monetize the offering as the customers progress in their compliance journey. This isn’t necessarily a Comp AI plug but I do want to make some content within their platform. I love how easy they made it to jump into a free account and start getting acquainted with compliance management basics.
Example 2
Security questionnaire LLMs like https://www.heyiris.ai/ become so good at answering customer due diligence security questionnaires that they “destroy” the entire exercise of sending a CAIQ questionnaire via Excel. (If it’s that easy to automate the answers, how can we take them seriously? Well, we can’t, and we never should have.)
Outcomes
Forces due diligence activities to get better by asking more thoughtful questions or requiring actual evidence of compliance
When you can query all security/compliance documentation against an LLM, many new roles could be created in marketing, CX, and rev ops… more on that in a second.
Let’s call some of this “Trust Ops”
First off, “Trust Operations” or “Trust Ops” is a sick name, not only for a next gen function within a company, but it could also easily be a noise rock band from New York.
I think that we need to shift some of what we traditionally think of as “Governance, Risk, and Compliance” into a thing called Trust Ops which focuses on using security and compliance information for offensive marketing, customer acquisition, CX, internal enablement, and SALES of course.
I would love to see a SaaS vendor send out a marketing campaign showing their OWN internal security practices and what they do. Either that, or a Gen Z social manager throwing up absolute total nonsense; I am legitimately a big fan.
Where this blog is going
A couple of goals for the blog after I finish up these 4 audits I’m in the middle of:
Showcasing and critiquing cool tools (with a focus on next gen tools that actually let me use them without having to do 6 sales calls and still not even get access to a demo. I get it, I’m in SaaS too, but I simply don’t have time)
YouTube channel - content strategy WIP (Friday beer style video memes non-negotiable).
Has made, is making, and will continue to make fun of TPRM.
Potensh start making fun of cyber marketing campaigns; still doing the risk assessment on how badly that will end my career.
Massive unlocking of free compliance documentation resources for the modern Global, AI-Enabled, SaaS company (ISO27001, ISO42001, ISO27701).
1 minute or less videos explaining exactly how to do various aspects of internal audit
Thank you for reading. Feel free to destroy the content of this issue of GRC Destroyer in the comments. For the community!