⚖️ Mentor Meeting: Governance, Setting the Tone for Effective GRC

Transcript

STEVE: You enumerated governance here, leadership, how decisions are made, et cetera. How is my one sentence summary? So I distill it all down and say, the outcome of good governance is that everyone knows the organization's objectives, risk appetite, and they make decisions that are aligned to it.

GERRY: I think that that's a great one sentence. You know, the way I always think about it is, when you have a random employee make a decision is it a good choice for the organization from a cyber perspective, right? 'Cause that's ultimately when the rubber hits the road, right, like you can say all these things and you can, you know, whatever, have a dog and pony show. But if the governance has truly permeated the organization, when an end user installs something or clicks on something, right? Like I'm not even talking about phishing awareness. Like end user clicks on something and sees a command shell pop up and is like, oh, geez. Like it is, are they calling InfoSec and letting them know? Are they not even clicking on it because they know better? Like, or are they just--

STEVE: Are they pulling up their credit cards and spinning up cloud infrastructure and putting sensitive data in it?

GERRY: 100%, yeah.

STEVE: Firing up DeepSeek or, you know, a lot of things. Yeah, for sure.

GERRY: Yeah, and again, you're not gonna get 100% commit from everybody, but the general vibe of the organization, to me, that's what governance is. And the same can be said in the inverse of that, going back when you had asked me earlier about, is GRC a good fit and all this other stuff. And organizations that don't take cybersecurity seriously or they don't see value in it, that level of attitude will permeate down. No matter what, whatever the attitude is of the senior leadership, that will permeate down and essentially become the governance of the organization from a cyber perspective, which means when you have this, like, it doesn't matter, or it's just here for compliance purposes, that will permeate and your end users will make poor choices.

Most people, most people want to do the right thing. They just wanna do their job and go home.

STEVE: That's right.

GERRY: Right? They just wanna do the right thing. But if you don't give them the tools to be able to make the best choices, they're gonna choose what they think is the best. And remember, this is their job. For most people, this is 100% of their revenue stream to support their life. They're going to make decisions that they think are the best and also in line with what leadership would expect from them. So, you know, that's what governance is. It's making sure that that is enabling them to make good choices.

And I like that you're saying this where the rubber hits the road, because it's kind of a controllable area. If you have the good tone from the top, even if you have a lot of work to do, you can get there and get to those good decisions by end users. You can't really, anyone can get taken out by an apex predator, you know, like the Mandians of the world will tell you. But this is something you can really focus on and is a good barometer.

STEVE: All right, well, that's governance. Risk, I mean, it's the rock star, you know, heart and center of GRC. I'm gonna go now right to compliance.