Highlights from “Hacking the Speed of GRC” Video Chat. To watch the full video go here.

I moderated a discussion on Friday, 05-08-20 with Scott McCormick, CISO, Reciprocity and Mike Wilkes (@eclectiqus), CISO, ASCAP.

Huge thanks to everyone who participated, and see below for the best quotes from the chat room. But first…

Winner of the best bad idea

It appears everyone loves a bad idea. There were a whopping 23 bad ideas on this video chat. They seem to come to everyone so easily. Given that so many are coming in, I need to amend my criteria for the bad idea that generates the most conversation, the reason being that there’s no way I can let each bad idea have its fair chance to get a discussion going.

With that being said, I’m awarding this week’s best bad idea to consultant Matt Winkeler, with his suggestion, “Force the implementation of FAIR and require companies to list them on your balance sheet as a liability.”

What I love about Matt’s bad idea is it starts with a mandate to use a model that the company may or may not apply, and then it creates unnecessary risk by exposing the information publicly. BUT, think about all the radical transparency and all the trust they’ll build with their community. Will anyone ever doubt this company ever again?

More great bad ideas

“Make your technical risk register publicly visible on your website.” – Rick Woodward, senior information security analyst, Dominion Energy

“Implement a lot of tools to solve technical/risk issues and skip implementing anything process or organization related.” – Traci Van Geel, global director, security, risk and compliance, Compass Group

“Mandate that all risks must be managed to zero.” – Jeff Kohrman, founder, eCISO

“Tie your budget to your vulnerability score – More vulnerabilities = more budget to fix them.” – Rafael Borges, senior information security engineer, Avid

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our video chat sponsor, Reciprocity

ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com.

Best quotes from the chat room

“Speaking of name changes and regardless of name change, risk is all about losses, and as a business leader what concerns me is how much of that loss (availability, confidentiality or otherwise) impacts my business.” – Richard U., head, business information security, Emirates NBD

“The role of a CISO is storyteller and therapist.” – Jeff Kohrman, founder, eCISO

“Why does it feel like everyone’s bad ideas have already been tried somewhere?” – Traci Van Geel, global director, security, risk and compliance, Compass Group

“Bottom up tends to ‘inform’ the risks at the top.” – Chris Patteson, executive director – risk transformation office, RSA

“I view GRC as a workflow efficiency tool, a single source of truth tool, and an accountability tool.” – John Mumford, chief risk officer, Fellsway Group

“Has measuring risk itself become a risk? Since risk is primarily arbitrary depending on who defines the risk, wouldn’t the solutions be arbitrary and thus add complexity and uncertainty? Which are contributors to risk.” – Bob Henderson, CEO, Intelligence Services Group

Follow us on Crowdcast

For as long as we can handle it, our video chats will be happening every Friday at 10 AM Pacific/1 PM Eastern. Please follow us on Crowdcast to be alerted the moment a video chat goes live.