GRC Destroyer #7: Troy Fine Meme Review for the CULTURE
I unpack my top 10 Troy Fine memes - Troy, GRC meme god and compliance expert, has cultivated a powerful community around the misunderstood GRC profession and I think that's beautiful. Let's review!
Who is Troy Fine?
For anyone who doesn’t know him - Troy is a top voice in the IT compliance world. He’s a certified meme legend with over 35k LinkedIn followers tuned in to get the most relatable content in the industry. Troy’s been in deep for 15+ years doing every compliance assessment under the sun. He’s involved with AICPA (being a much-needed leader in the SOC 2 world) and led the charge at Drata as they established themselves as a monster in the compliance software world. Troy is a Senior Advisor at Geels Norton and you should definitely use him for your compliance needs.
I’m going to talk about the differences between a bad auditor and a good one in this post and Troy’s firm is a REALLY good one. Check out Geels Norton for your compliance needs:
Why are Troy Fine memes important?
Say what you want about memes on LinkedIn - first off, there are A LOT of whack memes on LinkedIn. It’s a delicate genre to master, not for the uneducated, and it has immense potential not to land. I see tired marketing teams dropping the cringiest memes on a daily basis, so I wouldn’t call myself a fan of them in general.
Troy Fine memes on the other hand are absolute gold. His memes bring the GRC community together to speak up about all the bullshit in the profession, find a voice, and stay sane.
If you’re a GRC guy/gal in any capacity, you’ve had an existential crisis at some point… fighting the reality that THIS is your job. You can rationalize that it pays the bills, it can be chill, and whatever else helps you sleep at night, but at some point there’s been a voice saying “this means absolutely nothing to anyone, including me, and somehow also the people in charge of making these frameworks, regulations, and guidance”. If you haven’t had this battle with yourself, I envy you - and I feel sorry for you - for your lack of critique. Because you’re a GRC professional trying to figure out what you do, a relatable meme like Troy’s can really strike a chord. It’s that voice of reason telling you you’re not alone. I think community is important in GRC because basically everyone in the profession is a “SME”. You don’t always get to go to the conferences, and there’s not always a mentor in these areas telling you how to navigate. I’ve seen people get fired up in the comments section of these memes and it gives me a ray of hope.
Let’s dive deep into my top 10 favorite Troy Fine memes:
#1 - Requesting Evidence
Look at this engagement - basically 1500 people relating to this. Requesting evidence is the bane of our existence. You have “control owners”, 90% of whom don’t know they are a “control owner”. The compliance asks never match the real world. The more you care about doing your job, the worse off you are. So right here - great meme, VERY NICE. I think this problem alone created the compliance management software industry. Use Drata, Vanta, Anecdotes, Secureframe, whatever… to just skip this mundane activity, because they’re going to pull evidence right from the source system. The issue is that “controls” are processes, and if you don’t have some 24 year old screaming at the patch management veteran about what they’re doing, how will anyone get better?
#2 - SOC 2 Train Wreck
The gist here is that a SOC 2 audit never goes as planned. We’ve really hit a turning point as a society with this audit, having so many shitty audit firms saturate the market and devalue this report. Whether you’re paying the $10k for a firm that doesn’t know what they’re doing or $40k for a couple of SOC 2 legends, this train wreck scenario is probably going to happen inevitably. Typically, it comes by way of a crazy follow-up evidence request where they decide to drill deep into something like a board of directors meeting or a performance review sample. This can also happen when you start legit failing controls and creative changes need to happen to tweak language or add and remove stuff to keep the deliverable clean. I’ll always have a soft spot for SOC 2, but there are many reasons this audit doesn’t really cut it and is just your ticket to play SaaS.
I’d love to do a SOC 2 auditor review but no one will talk to me and I don’t wanna get my knee caps broken.
#3 - OBLIGATORY AI CONTENT
This meme is about #AI #LLM #ChatGPT #theytookourjobs and I wouldn’t dare write anything in 2024 without mentioning my beloved AI. Realistically, all the basic controls that already exist are how you should handle AI risk (think a vendor approval process or restricting shadow IT). That said, new questions arise about testing and validating the accuracy of models, sharing customer data to train models, and ethics of course.
Y’all should hit up Henry and check out Fabrik’s Gen AI Trust Network to get the basics down.
#4 - Are Policies Real?
This scenario happens with an auditor that actually knows what they’re doing. You have policies and procedures to pass a control, but the real ones are going to say “prove it”. They say no one reads policies, but I think there’s a lot of room for improvement in modern day policies - making them absurdly short and simple to meet compliance (a policy should take 20 seconds to read).
(GRC Destroyer Policy Sample Pack coming soon to a marketing funnel near you)
#5 - Explaining FedRAMP to Sales
There are 475 products on the FedRAMP marketplace today (about 350 of them actually authorized). I’m not even gonna guess how many SaaS companies exist right now (10k minimum). The decision to do FedRAMP is an insanely large business risk given the time and resources to start, not to mention the cost, which can easily get into the millions. The casual “our prospect wants to know if we are FedRAMP certified” being asked multiple times a year is truly comical. 12 to 18 months out my friends, 12 to 18 months out.
Y’all should watch this video by James Leach, founder of Fortreum, who explains this idea extremely well.
I’ll give a shout out to my friends at Paramify too - they’re trying to automate the sh*t out of FedRAMP compliance. I hope they succeed massively. There might be a world where it gets easier but only time will tell. I have full faith in the US government on this one.
#6 - Security Questionnaires Again
You can build a great meme account on the same 4 jokes and that’s essentially what Troy has done - I’m really glad the security questionnaires problem is in that core set of jokes. Honestly, the security questionnaire hatred is a large part of my brand here at GRC Destroyer. Imagine the FBI saying there’s a “broad and unrelenting” risk to national security, alongside a very real talent shortage of cybersecurity professionals, and then deciding to address those problems by making a TPRM program that demands this stretched resource fill out an Excel homework assignment like a college freshman instead of trying to make a company more secure. You don’t have to imagine it, it’s our reality, it’s deplorable.
I’m sure larger companies have this figured out but I’ll say it - you have to make a hybrid revops, CSM, and GRC team in charge of this, and this only.
(GRC Destroyer “Cash Money Compliance” Advisory coming soon to a marketing funnel near you)
#7 - Why don’t trust centers work?
I want them to work but they don’t work. Read post 6 of GRC Destroyer, where I talk all about this. You have to love Troy for calling this out, because people will say they work, but they don’t. Again, continuous improvement, maybe one day they’ll work - there are about 60 TPRM/Trust vendors trying to make their own ecosystem for this to work, but without standardization and collective buy-in from all these TPRM teams it will stay in the saturated hellscape of outdated security profiles.
This also hits on the devaluation of SOC 2 and ISO 27001 audits. Is there something fundamentally wrong with these deliverables? (yes/no/na) Many questions can be answered in those audit reports, and a majority of those 60 TPRM vendors mentioned above are already summarizing the reports so you don’t even need to read them. Yet still the questionnaire.
#8 - Compliance Isn’t Real
This is it. This is the #1 meme. The audit findings, the risk assessments, the months spent in Excel to land on “you guys need better policies”, the million frameworks and counting. This is the perfect meme to describe the GRC profession. We need simplicity and concrete actions - and if you can figure out how to be a trusted advisor that offers them both to a business through your role in compliance - you’ve unlocked god tier GRC status.