What Does a GRC Professional Actually Do All Day?
RESOURCES
Great Read: The Effective Manager
The Effective Manager Book - Second Edition | Manager Tools
1-on-1 Email Template
The format of the 30 minutes will always be the same.
The first 10 minutes are for YOUR agenda - anything you want to tell me, about anything. Your work, your family, your pets, your hobby, your challenges, your career, our working together. The primary focus of this meeting is going to be YOU.
The middle ten minutes are for me, to share whatever I need to with you. We'll probably talk about projects you and I are working on, stuff I need from you, and things I've heard from up above. It will NOT be a team meeting with only one attendee; that is, I'm not just going to give you a ton of stuff to take notes on.
The last 10 minutes are for us to talk about the future - your career, training, development, opportunities, etc. In my experience, a lot of the time you'll take 15 minutes, and I will too, so we won't get to the last segment. But that's okay, if we've covered what YOU want to cover, and I get a few minutes.
1-on-1 Email Template excerpt - Manager-Tools.com
Weekly Team Meeting Agenda
Frequency: Weekly, same time and place
Standard agenda:
- Any "hot potato" issues that need urgent triage?
- Manager briefing from recent leadership meetings or 1-1s with their boss
- Brief updates from each team member (30 seconds to 2 minutes each)
- Brief updates from each team member (30 seconds to 2 minutes each)
  - Status reports on metrics/advancing goals in key initiatives
  - Or where you could use help/ideas
  - NOT a laundry list of what you've worked on
- Project or topic discussions (limited to 1-2 substantial topics)
Principles:
- Brevity and consistency to respect everyone's time
- Start and end on time
- Focus on communication, not problem-solving (complex issues should be taken offline)
- Document action items and decisions
Great Read: Who Moved My Cheese?
https://www.amazon.com/Who-Moved-My-Cheese-Mazing/dp/0091816971/
Transcript
Welcome back. Let's talk about a day in the life of a GRC professional. We start off with typical responsibilities and activities. And first thing, we've got morning activities.
So I like this slide. I agree with it all. DCTB, the Daily Cyber Threat Briefing is awesome. I've got a ton of value out of it, not just for my learning and, you know, insights that I bring to the table of discussion maybe three months later when I knew it went on in the world, or what kind of the key themes were in the cybersecurity space, but also those actionable security awareness pieces that you can use to shoot out to end users in your business for, you know, their awareness and cyber risk reduction. They want to do the right thing, but cybersecurity is complicated. So it's helpful if we can break it down into those teachable moments with interesting stories and actionable intel like we get from DCTB and the newsletter, the cybersecurity newsletter that summarizes those. I literally use those in my job.
All right. Now, I wanted to add a little bit to this view from my vantage point that's a little bit different. So I'm from finance and we don't do, you know, we're not transitioning from waterfall software development to agile. We don't have scrum masters and daily standups. Those are cool, but they're more common probably in IT and engineering. I wanted to share with you how another way that you could run a GRC team, one that I've adopted, and here's how it goes.
So we don't have daily standups. What we do have is everybody has a weekly one-on-one with their manager. My reports have them with me. I have them with my manager. And as a leader, interestingly, in this awesome book, The Effective Manager, I highly recommend it. It was recommended to me and I've read a lot of them and this one stands out. You get 70% of the value of your manager tools, okay, out of one-on-ones, having them at the same time in the same format. And there's a very specific format you need to use to make them work well and not have them work poorly.
Also, we have a weekly team meeting, a management meeting, and an intake review. We'll talk more about what those are. But let's start off with The Effective Manager and their free one-on-one email template that you can get right now at managertools.com. I have taken that template and distilled down. I have three key points from it.
So it's a 30-minute one-on-one. The first 10 minutes of that 30 is for the direct report. The first 10 minutes is your agenda. Anything you want to tell me about your work, but it doesn't have to be. Your family, your pets, your hobbies, your challenges, your career. The focus of that part is you. Whatever you need, whatever you want. The middle 10 minutes are for me. I might have things to share with you. I'll probably ask about projects you're working on or projects I'm working on and need help with. Updates I need, things I've heard from up above. This is not a team meeting waste of time, you know, updates that you're going to get later in the team meeting. This is focused and pointed. Next, the last 10 minutes are for us to talk about your future, your career development plan, your career training, development opportunities, etc.
In my experience, a lot of the time, the first two parts take 15 minutes each and then we're out of time at the end. However, we're going to keep this on the agenda and we're going to aspire and we will hit portions of time where we talk about career development. And then of course, there's a separate to weekly meeting recommendations from best practices and management literature. There are career development plan areas as well and performance review areas as well that are kind of part of a broader package.
And actually, speaking of that, here's a team meeting agenda. It's not copy and pasted from a template, but it's certainly informed by the manager tools and effective manager podcast and book and templates into how I've found to be the best team meeting. I've certainly been in a lot of team meetings over my career that were not fun. And this is kind of the best way to do them, kind of in my opinion, and also for the nature of work that I'm doing that I've found. And I didn't invent it, I just adapted it and here's how it works.
So weekly, same time and place. Number one, around the table: any hot potato issues that need urgent triage, right? We're all busy all day, and when we get together, are there any hot potatoes? Okay, next, manager briefing from recent leadership meetings that they've had, or from one-on-ones with their boss, you know, what's going on down the hall that people need to know about in terms of updates and changes in direction or whatever it might be. Next, brief, emphasis on brief, 30 seconds to two minutes each according to Manager Tools, updates from each team member, not with a laundry list of what they've been working on, because that wouldn't add value. But what would help is telling us a status report of your metrics. How are you measuring output? How are you measuring objectives that you're advancing? And what did you do to move the needle on those? And what is the metric now compared to last week? Or alternatively, if you need help or brainstorming or ideas, let us know in that team meeting, and we're not going to solve it on the spot, but we're going to get the right people on it for an offline discussion.
So, principles for this: brevity and consistency and respecting everyone's time are important. Some projects are not of interest to some team members, so don't turn it into a project meeting about that. But do let them know what is going on in the broad strokes so that we have effective communication flowing up and down and left and right. Focus on communication, not problem solving, and document actions and decisions. Fine.
Up next. This is just from my own experience and it's from Stephen Covey. If you ever meet Will Reed, he's in the synthetic community. He's a Stephen Covey kind of advocate or he's found helpful in his career and he's a cool guy and the GRC mentor. And when Dr. Osher puts morning emails right off the top as part of the GRC routine, do keep in mind this picture. Like, yes, I'm going to scan those emails for hot potatoes that need urgent triage. However, I also want to use energy management and time management and put my big rocks, those tasks that need big thinking and are hairy problems to solve into the jar first. And for me, I like to do that in the morning. And the concept here with this picture is that if you put emails of sand into the jar first and then try to put the big rock on top of it, it's not going to fit at the end of the day in the 24 hours you have. But if you put the big rocks in first and then pour the sand on it, it'll all fit. And if anything falls out of the jar of the time you have, your most precious resource, sand is going to fall out. Pebbles that aren't as impactful and problematic as rocks. You don't want big rocks and even little rocks falling out of the jar. You want to get them all in. The only way to do them is to put them in first or maybe the best way, I guess, in my experience. So this works for me. Maybe it'll work for you.
All right. Moving along into core daily tasking. Third party risk assessment, check. Policy and procedure maintenance, absolutely. Awareness and training, love it. I would add to this something that wasn't mentioned: phishing. Doing an internal phishing campaign, or one on a cadence. And also doing deepfakes. So I've prepared a James McQuiggan style deepfake using his YouTube video here. It was awesome. It was fun to do and very helpful and impactful to raise awareness of this new threat now in our lives. Vault management security questionnaires make sense. I think I bring some customer perspective to this. I'm going to talk more about that; it is an additional two vendor side. Like if you sell software, not only are you sending security questionnaires to your vendors, your supply chain, but you're getting them from customers where you're in their supply chain.
And then moving into project-based work, audit and risk operations. It could be a new regulatory requirement like CMMC in the US. So that's common. Am I getting a new customer requirement and it could require a giant audit that's new and we need hunting, not farming, but establishing. Do we comply? If not, what are the gaps? What do we need to get there? Does it make sense that we're doing this compliance? What's the scope? Is it about data? Is it about something else? And kind of the business case around a compliance piece of work can be a huge deal and a huge project, a giant project. I think that's my key point here.
All right, monthly and quarterly risk and compliance reporting can be a lot of work, but you can schedule it out. And actually, that's another key point on audit and projects is that audits are like eating an elephant and that can be very intimidating. It's a high volume, a lot of the time of work, but you can project manage it well. It's like planning a wedding, right? You do it in advance. Not that I plan weddings, okay? But it kind of feels like it sometimes with the amount of project management work that goes into giant audits and eating that elephant one bite at a time. And with the right people on the right control and open lines of communication, that could be a giant part of a GRC team and a GRC role. Same with this reporting. It can be a lot of work getting the data sources, finding new data sources. Do the numbers make sense? Extracting insights from the numbers. What do they mean? So what's next? And the key is not to do it last minute. Have it scheduled out because here's the wildcard now, intake.
Intake can be volatile. Where the interface of the business, where the connective tissue, the business is changing and wants to do things. Change is the only constant. By the way, there's a great business book about that called Who Moved My Cheese? Change management. But The Phoenix Project is another one that I think Dr. Rozier has talked about. It might even be in the simplycyber.io/books recommended readings. But we have our audits scheduled out. They're big. We have our monthly and quarterly risk reporting. Maybe it's a CSF profile assessment, whatever it is. Our key risk indicators, our key performance indicators and a scorecard scheduled out. Intake is volatile. That's for like, "Hey, we're doing a new thing. We're getting it right and we need to have a quarterback there from the GRC team that can get the right people in a timely manner to help protect and enable the business." Otherwise, you're going to be a big source of friction and no one's going to like the security team. They're going to bypass them. So your intake process is critical.
All right. So adding a little bit there. I love metrics and dashboards because I come from finance. I love Power BI and Tableau. I love making briefings for our Cyber Expansion Action Plan. Here's our current state. Here's our desired state. Here's the steps we've taken to increase those maturity levels or get to where we want to go. And I have a workshop about this you can check out from Simply CyberCon that's public on YouTube. Up next, we'll get into my GRC service catalog. So let's check it out.