That thought of “how did I get so old?” happens so quickly. Some reference to something from the past celebrating an anniversary will immediately trigger it. So when I saw the CNN article “Happy 30th, Dr. Jones: 10 Things a Hero Taught Us”, I immediately cringed. Has it been 30 years already since Raiders of the Lost Ark was released? I was even more deflated when I found it was 30 years since Temple of Doom was released. UGH! Raiders of the Lost Ark was released in 1981. I am even older than I first thought. But I comforted myself with the “I am not older; I am better” internal speech all of us old timers are so readily able to spin. Then I sighed and clicked on the link to find out what the indomitable hero Dr. Henry Walton “Indiana” Jones Jr. has taught us.
Read the article above first and then see what can GRC and Security programs can learn from the legendary Dr. Jones.
- Sometimes you have to try even when the odds don’t look good: This should be the mantra for every grass roots initiative. When you know it is the right thing for the organization, sometimes it takes a persistent thrashing to finally get everyone in line and moving in the same direction.
- Keep it simple: Why get into a sword fight with an immense warrior when you have a pistol and a lack of time to mess around? Eloquence through simplicity. Don’t overcomplicate things or make efforts complex if they don’t have to be. Those simple, quick wins towards a larger strategic vision will pay off.
- When all else fails, run like h***: This is a bit hard to spin into the positive but I take this as following your gut. When issues seem insurmountable, then you have to go with your instincts and go towards the strategy you think is best and deal with the consequences. At least make your decisions based on solid information at hand and use your intuitions and experience to make the best choice. Sometimes that is all risk management has to go on.
- Don’t knock it before you try it: Many times organizations can get stuck in a rut. 'GRC is too complex and complicated' or 'Security is an IT thing' are quotes you don't want to hear in your organization. Organizations are going to have to embrace change and force issues. Understand the objectives and don’t worry about the label. Get the job done.
- Sometimes you have to take chances: This is hard thing for risk adverse people. However, GRC and Security SHOULD BE focused on building confidence to take controlled risks. Organizations that can control risk can take on more risk to reap the benefits. Many opportunities have inherent risks and building the confidence in how your organization can manage that risk is essential in realizing the rewards.
- Take criticism gracefully: This is extremely important for those GRC and Security programs getting off the ground. Continuous improvement should be a recurring theme and listening to those outside the program can provide insight into what needs to be changed.
- A smile can go a long way: I really like this one. GRC and Security shouldn’t be considered the grim “bad cop” of the organization. Risk management processes should be a partner in making the business successful. Risk and compliance functions cannot be ‘all stick and no carrot’. Smile at the business and they will smile back.
- Befriend interesting people: Breaking down silos – as all GRC programs tend to do – will require building relationships with people across the organization. Security is the same way - we need tighter relationships with our business counterparts. The experience those people bring to the table is invaluable for a GRC and Security to achieve its ultimate objectives. Those interesting people will help you get over those organizational challenges or give you views that will move your program forward.
- Sometimes you just have to have a sad day: Every GRC and Security professional has had that ‘sad day’. It is only normal to have setbacks and challenges that seem insurmountable. The good news is item #10.
- You can conquer anything you set your mind to: Just like Indiana Jones, GRC snd Security teams are extremely resourceful. Risk and compliance processes today require ingenuity but, evidenced by the great work I have seen at our customers, they are getting it done and conquering many different challenges.
Indiana Jones was a fairly successful risk manager. He took a lot of risks, he generally achieved his objectives and most importantly he kept his skin intact. In fact, on some days, a pit of snakes in the middle of desert would be a welcome change to the regulatory briefing paper sitting on our desk waiting to be read or that new vulnerability released that will require multiple days of research to determine the remediation plan. As long as you keep your hat on and your whip handy, you too can outrun large rolling boulders whether it is an upcoming regulatory change or a dangerous security threat.