My Journey from Information Security to IT GRC
I am often asked why I elected to transition from working in Information Security to IT Governance, Risk, and Compliance (IT GRC). The prevailing thought of those who ask is that most go the opposite direction in their respective careers. I tend to run counterculture, so I thought some of the factors that influenced my decisions might be interesting.
I am currently fifteen years into the portion of my professional career where I have specialized in Information Security and IT GRC, split just about evenly between the two. My use of the term 'Information Security' should hint at the timeframe in which I was most active in the organizational security domain.
The adage "if you don't use it, you lose it" applies to the specialized functions of security. Enough time has passed since I actively performed penetration tests that I did not fare so well in a recent capture the flag event. I climbed aboard the rust struggle bus. Struggles aside, I am still an active Information Security practitioner through threat research, cybersecurity control assessments, and risk management practices. I have a deeply embedded passion for it.
So why the move?
Burnout
Information Security is a tough gig with conflicting priorities, limited resources, and, depending on the organization, a confluence of leadership egos that often interferes with the work. Information Security is also an incredibly broad domain with various niche areas of practice. Staying proficient across multiple disciplines requires a significant investment of personal time.
I spent five of my eight years in Information Security working in a traditional penetration tester role when organizational security was still finding its footing. The lack of maturity in the industry often created a lot of procedural chaos. I exploited that chaos to introduce creative strategies, which kept the work entertaining. Still, several years of engagements that typically involved 17-hour days led to some severe burnout.
I also experienced career burnout related to an array of ineffective leadership situations. I will expound more on this topic in another article. Suffice it to say that security practitioners need the support of leadership to do what they do well. When it is lacking, the hit to personal morale compounds the burnout.
Cultural Influence
I had an epiphany while sitting in a meeting with various leadership members going over findings from one of my assessment reports. The dialogue was less about how to remediate the identified issues than an argument over ownership. Further complicating the conversation was the realization among those in attendance that remediation would be incredibly challenging. The difficulty of remediation eventually broke down the entire discussion.
As I left the meeting, it occurred to me that I failed leadership by not adequately addressing the value proposition of risk mitigation. Regardless of how brilliant my, or the team's, hacking exploits were or how polished the report was, the tactical presentation of security vulnerabilities was not in a language that leadership could understand. Information Technology is a business and operates with budgets and portfolio prioritization like any other business area. My throwing a proven exploit scenario on the table left business partners with a "fix it now or else" scenario that backed potential owners into a corner. As a result, their initial response was self-preservation.
I was guilty of a trope that occurs for a lot of security practitioners. I thought of finding owners, the people responsible for remediating my findings, as adversaries, and I considered my test results beyond reproach. Not fixing an issue quickly implied a dereliction of duty or some level of incompetence on the owner's part. I acknowledge that leadership incompetence does exist in the industry. Large-scale data breaches prove that organizations are often quick to accept risks that they should not. However, I needed to remove that from the equation by ensuring that I met the leaders where they operate. I needed a different approach to address risk management culture beyond what I could accomplish at an analyst level.
Boredom
I could include boredom as a component of burnout. I am separating it because working on an internal security team within an organization is entirely different from working for a research firm or consulting company. Internal security teams are not wholly autonomous and can be restricted to widget production over conceptual security strategies. I found the rinse-and-repeat nature of assessments, far too often with reduced scope and time, to be tedious. As I progressed through my security work, I naturally pivoted to researching emerging threats and tactics. There was not a lot of room for that focus when assessment requests were stacking up in the queue, and it was frustrating to have to step away from defining new services.
Evolution
Suffering from burnout, boredom, and realizing a gap in the ability to influence risk management culture, I started to look for a different opportunity. I knew that I wanted to apply what I loved most about security. I targeted a domain where there was the potential to overlap technical assessments and effectively navigate the organizational hierarchy.
My first pivot was to the area of compliance control assessments. This area introduced me to the legal, regulatory, and privacy risk aspects of an organization. I applied a penetration tester's approach to compliance control assessment strategies, and the pieces started coming together. I implemented test cases to validate the technical efficacy of control design and operation against the stated risk objectives. I then utilized established enterprise risk matrices and shifted the narrative to derive a value proposition for managing technical control deficiencies. I also realized the benefit of performing independent control assessments from the Second Line of Defense. It afforded an objective lens on the actual state of controls.
The impact was evident to me. Leadership consumed the compliance assessment report results differently from those I had presented in my Information Security position. We mapped controls to regulatory requirements, and the value proposition dialogue appropriately considered multiple facets of operational risk. By introducing a focus on technical controls, I was able to influence a pragmatic risk management approach instead of the division that I had felt before. I benefited greatly from the incredible support of the leadership in that area and their empowerment to think creatively and to endeavor to teach others how to assess their controls accurately.
This change gave me what I was desperately seeking. I embodied my favorite motto of using my work to ensure that leadership can make informed risk decisions. I could see an immediate impact from the results of the work. The position I held took on more of a guidance role than an adversarial one.
I wanted to move back into a more IT-centric position. Still, I did not want to lose the integral elements that I gained by working in a compliance-oriented role. The emerging space of IT GRC felt like a natural evolution. My move into the IT GRC domain brings the journey up to my more recent work focus. I will cover more IT GRC-related topics in upcoming articles.
Conclusion
I often state in my industry presentations that there is no silver bullet to managing risk. There is no silver bullet for individual careers, either. I have taken a crowdsourced approach to my career and benefited from mentoring and partnering with leaders and peers that I respect. I took advantage of various opportunities. Most notable was developing my value proposition and not letting ineffective leaders question my loyalty when I had the audacity to embark on something new. I refused to decouple what I love the most about Information Security, and it has allowed me to create a niche approach to leading an IT GRC department.
Most importantly, I believe in the principle of doing what is right for an organization and allowing senior leadership to make informed risk decisions. This directive has never steered me wrong. I love the work that I do and the opportunity to share my experiences to help others find creative ways to address their challenges.
I hope that you can take something away from my journey as you continue on your own.