Making GRC Your Career Superpower with Chris Honda
Jan 10, 2024
Chris Honda, a seasoned Senior Security Analyst at Whistic, discusses the multifaceted world of GRC: governance, risk, and compliance. He emphasizes the importance of humanizing InfoSec and presenting in a way that connects on a personal level. Chris reflects on his own career trajectory in GRC and highlights the power of curiosity. He also explores the value of technical skills for GRC professionals and stresses the need to make a positive impact in the world.
Understanding the essence of GRC and its role in business and security is crucial for effective decision-making and goal attainment.
The power of asking 'why' in GRC encourages curiosity, identifies inefficiencies, and promotes a culture of continuous improvement.
There are different pathways to enter the world of GRC, with opportunities for growth as a generalist or specialist.
Deep dives
The Importance of Understanding GRC and its Role in Business and Security
Understanding the essence of governance, risk, and compliance (GRC) and its role in business and security is crucial. GRC encompasses governance (the end goal and high-level strategy), risk (identifying potential threats), and compliance (demonstrating adherence to regulations). Being able to interpret and communicate across these areas is essential for effective decision-making and ensuring goals are met. GRC professionals with a background in audit, risk management, or compliance can excel in this field, but expertise in different areas, such as IT, sales, or marketing, can also provide a solid foundation.
The Power of Asking 'Why?' in GRC
The power of asking 'why' cannot be overstated in GRC. It encourages curiosity and drives better outcomes. By constantly questioning why certain processes, controls, or initiatives are in place, GRC professionals can identify inefficiencies, risks, and areas for improvement. This mindset promotes a culture of continuous improvement and ensures that GRC efforts align with the overall goals of the organization. The ability to ask 'why' is especially important in navigating the intersecting domains of privacy and security, where understanding motivations and the impact on individuals is key.
Balancing Generalist and Specialist Pathways in GRC
There are different pathways to enter the world of GRC, and both generalist and specialist approaches can be rewarding. Generalists can leverage transferable skills from fields such as accounting, risk management, or IT and apply them to GRC. Generalists often excel in roles that encompass multiple aspects of GRC, serving as bridges between different departments, interpreting technical concepts for business stakeholders, and identifying risks and compliance gaps. On the other hand, specialists can focus on a specific area within GRC, such as third-party risk management. Specialists bring deep domain knowledge and expertise, becoming go-to resources in their chosen field. Both pathways offer opportunities for growth and development in the diverse and ever-expanding world of GRC.
The Importance of Identifying Inefficiencies and Finding Ways to Minimize Them
One of the main ideas discussed in the podcast is the importance of identifying inefficiencies within a GRC unit and finding ways to minimize them. This includes looking for inefficiencies in various aspects, such as sales cycles, customer trust, onboarding and offboarding processes, and access management. The goal is to reduce friction and inefficiency to improve the overall effectiveness of the GRC unit and its impact on the business.
The Symbiotic Relationship Between GRC, Security, and Privacy
Another key point discussed in the podcast is the symbiotic relationship between GRC, security, and privacy. While there may be a perception that GRC is separate from 'real' security work, the podcast highlights that these functions are interconnected and essential for the overall success of an organization. GRC professionals play a crucial role in identifying problems, working with security engineers to find solutions, and ensuring compliance requirements are met. The discussion emphasizes the value of collaboration and recognizing the contributions of different roles within the broader security program.
In this episode of the GRC Podcast, we sit down with Chris Honda, a seasoned Senior Security Analyst at Whistic, who walks us through the multifaceted world of Governance, Risk, and Compliance (GRC). With his unique journey into the world of Security, Chris sheds light on the transformative nature of cultivating GRC expertise and the value those skills can bring to the business and security landscapes.
GRC Unpacked: More Than Acronyms
Chris starts by demystifying GRC, breaking it down into its core components: Governance, Risk, and Compliance. He shares an accessible approach to explaining these concepts to non-experts, using relatable analogies like the Rosetta Stone, underscoring the importance of GRC as the lingua franca that bridges the gap between business operations and security imperatives.
The Human Element in InfoSec
Delving into the art of presenting at conferences, Chris emphasizes the need to bring one's personality into play. By humanizing InfoSec, he advocates for presentations that resonate on a personal level, which in turn fosters a more resilient and relatable security culture within organizations.
Career Trajectories in GRC
Reflecting on his own path, Chris discusses how asking the critical question "why" catalyzed his move from finance to security, highlighting the role of curiosity in driving career progression within GRC. He reassures listeners that a background in IT is not a prerequisite for a successful career in GRC, as the field welcomes diverse professional experiences.
"Technical" Redefined
Chris challenges the misconception that one must be highly technical to succeed in security. He argues that problem-solving, communication, and understanding technology as a means to exceptional outcomes are just as crucial. This broader definition of 'technical' opens doors for GRC professionals to be recognized for their strategic and enabling contributions. (That said, they should also strive for developer empathy and recognize that stagnation in learning will significantly limit upward mobility, salary, and future employability.)
The Convergence of Security and Privacy
Exploring the nuanced relationship between security and privacy, the discussion pivots to how these disciplines intersect within GRC frameworks. Chris provides insights into how evolving privacy laws create new opportunities for those passionate about privacy and compliance, demonstrating the dynamic nature of the GRC field.
The Specialist vs. Generalist Debate
Chris shares his experiences as a GRC generalist in a smaller company, weighing in on the benefits of wearing multiple hats against the deep focus of specialists in larger firms. He advocates for the value of generalist roles, highlighting their ability to manage a broad spectrum of GRC challenges and drive comprehensive security strategies.
Giving Back and Building Community
The episode wraps up with Chris reflecting on the importance of giving back to the GRC community. By volunteering and engaging in acts of kindness, professionals can cultivate a supportive network that not only fosters personal fulfillment but also strengthens the collective knowledge and resilience of the GRC industry.
Join us in this enriching discussion that promises to inspire both personal and professional growth, whether you're new to GRC or a veteran looking to reinvigorate your career with a fresh perspective.