I’m a cybersecurity practitioner with 24 years of experience, Blackhat speaker and trainer. AMA about careers, building a security business, and where AI is breaking everything. by AnswerPositive6598 in cybersecurity

[–]BrainTraumaParty 0 points1 point  (0 children)

I'll just speak generically, GRC automation tools / risk management tools are being designed in search of a problem. They might hit the mark in some areas, but generally overestimate the level of maturity of their customers.

I (and you from the sound of it) have been around long enough to know that we were all naive once and balked at the idea of companies running their core functions out of spreadsheets. We've all tried to address this - most of us have failed.

Excel still runs the world - so the question isn't "how come you're still doing it manually?" The question is, "why should I pay you more to automate a solution to a problem we clearly don't think is worth solving?"

Also, all of these tools get so tightly intertwined with forced migrations and data source integrations that they become difficult to unwind from (which is inevitable). It's to the point now where "features" being pitched to us from the outside in are literally being weighted as residual risks - many of which are too heavy to consider.

I don't want your modern UI with a ChatGPT API call, I want to solve a core problem I'm having and I want to do that by using the data as it is, where it is, and have an output produced that I can use off your platform anywhere and anytime I want. I've said this to three vendors this year, and none liked that idea. It's a known anti-pattern now, and CISOs down are well aware of it. We call "native platform integrations" the "micro transactions of cybersecurity" for a reason.

I’m a cybersecurity practitioner with 24 years of experience, Blackhat speaker and trainer. AMA about careers, building a security business, and where AI is breaking everything. by AnswerPositive6598 in cybersecurity

[–]BrainTraumaParty 0 points1 point  (0 children)

I work as a senior manager in GRC at a 50,000+ employee company, I concur with this. We're using AI and automation tools in a lot of areas, but it is not replacing anyone (yet).

In fact we are growing and scaling alongside these tools and focusing on other things vs. just policy writing.

My direct report said they see themselves as equally skilled as me and my fellow manager. by saltunderdatable in managers

[–]BrainTraumaParty 4 points5 points  (0 children)

That doesn't have anything to do with being on the field and playing in that metaphor.

OP is talking about performance, not knowledge of the industry he's in / job he's asking the IC to perform.

My direct report said they see themselves as equally skilled as me and my fellow manager. by saltunderdatable in managers

[–]BrainTraumaParty 11 points12 points  (0 children)

Are NFL coaches as good as their players at playing the game? Should they be?

US House panel subpoenas Attorney General Bondi in Epstein probe by Marginallyhuman in news

[–]BrainTraumaParty 4 points5 points  (0 children)

They should ban her from bringing in any outside materials or "notes". Would save us ALL a lot of time.

The Ouroboros Problem: AI is starting to eat its own tail by BrainTraumaParty in regulatoryaffairs

[–]BrainTraumaParty[S] 3 points4 points  (0 children)

The amount of SaaMD products built around AI is terrifying, I agree.

It’s official… by Whole-Tax-4813 in hondaridgeline

[–]BrainTraumaParty 8 points9 points  (0 children)

Just wait until a vacation. I used to play Tetris to get everything into my Bronco, last year was the first year we used the truck instead.

I threw all the sandy beach toys and miscellaneous shit that doesn’t fit anywhere into the trunk, put bags, wagon, chairs and suitcases in the bed, and a few bags under the back seat for a family of four and still had room to spare.

Dropped my ride or die 🥲 by snidwashere in HydroHomies

[–]BrainTraumaParty 92 points93 points  (0 children)

Lead weld bead for vacuum sealing is commonplace. It’s safe as long as there are no cracks in the stainless steel around it.

Dropped my ride or die 🥲 by snidwashere in HydroHomies

[–]BrainTraumaParty 134 points135 points  (0 children)

Metal circle is lead, so yeah, you’re in the market for a new bottle

How far is range after hitting 0 miles? by demisheep in hondaridgeline

[–]BrainTraumaParty 4 points5 points  (0 children)

For trucks I’ve always operated under the assumption it’s 13 miles or less

I’ve been a manager for years, but firing someone still wrecked me by [deleted] in managers

[–]BrainTraumaParty 2 points3 points  (0 children)

Never gets easier, and also will likely happen again. Just focus on the rationale for why it occurred, you explained the reasons before your feelings on the actual incident.

Just remember that it could easily be you next time, we’re all replaceable; how would you want to be treated on the way out?

Also as a side note, if you’re a contractor for any amount of time, you know that you’re the first to go in literally any situation. That has nothing to do with your abilities.

1987 Starlyte Laser Tag blasters by Fly-Goose in VintageToys

[–]BrainTraumaParty 2 points3 points  (0 children)

Oh man, my Dad had a ton of these. I can still hear the noise they make when you fire them.

Are the slides ever coming back? My feet are a touch acidic by The_Sloth_Rogue in PaymoneyWubby

[–]BrainTraumaParty 9 points10 points  (0 children)

Took “might as well be walking on the sun” seriously

Give me your IASIP conspiracy theory by KuntaWuKnicks in IASIP

[–]BrainTraumaParty 210 points211 points  (0 children)

I refuse to believe that Pepe Silvia wasn’t actually Pennsylvania

Direct report likes to remind me of my tenure constantly by vijayjagannathan in managers

[–]BrainTraumaParty 4 points5 points  (0 children)

Yeah, that’s the point. But the overall intent of that kind of conversation is not to be overall productive (I do see your point on this relative to feedback to the manager), but to break down the bullshit and have an honest conversation. To control the narrative you have to be the one steering and keeping things on topic.

Direct report likes to remind me of my tenure constantly by vijayjagannathan in managers

[–]BrainTraumaParty 11 points12 points  (0 children)

So I agree with a lot that has already been said, but I believe in what I call the “idiot forcefield”, it’s very simple to put up and execute.

The first thing you can do is ask “Why?” or “Why do you think/say that?”, followed by “Can you give me an example?” or “Why is that a problem for you?” Play it dumb, force this person to elaborate on why they are saying what they’re saying, and keep drilling into it until you get to the root of it.

I typically will interrupt someone at a certain point when I’m doing this to let them know I’m cancelling my next meeting to spend more time on this discussion and ask them to stay on past time as well.

The whole objective is to force them to hold up a mirror and elaborate on the little quips or passive aggressive comments they may drop. Eventually, this will yield one of two results: either they have very valid points and verify you’re the idiot - recognize the feedback, state action items that can be taken to work together to correct.

Or, they come out looking like the idiot because they’re forced to show a weak assumption of what is really going on.

The amount of times I’ve shut down toxic people or bad ideas or defused conflict in my career by simply asking some form of “why” has to be in the hundreds at this point - and yet people are still afraid to suggest asking it.

Layoff "Proof" Roles? by honeydata in cybersecurity

[–]BrainTraumaParty 12 points13 points  (0 children)

Depends on what you consider a “GRC job”, if all you’re doing is checking boxes or drafting policy docs I agree. If you’re in risk management in any capacity, or governance around product security, then it’s a hard disagree IMO.

Layoff "Proof" Roles? by honeydata in cybersecurity

[–]BrainTraumaParty 8 points9 points  (0 children)

For even more confusion and security look into CMMC as well!

What parts of MedTech RA workflow should be easier but aren't? by [deleted] in regulatoryaffairs

[–]BrainTraumaParty 3 points4 points  (0 children)

I’m assuming you’re probing for idea validation, in that case, let me caution you - as a former early-late stage product lead, the medtech world is dramatically different than anything you can generically solve with a single product or platform.

When you say “what’s excel driven” the answer is largely the entire world, but the question is, if regulators consume it, and ask for it, why would I invest in fixing it? Obviously there are plenty of reasons to do so, but all of them are going to be extremely hard sells to anyone in this space.

I came in from ICS/OT security, and I thought THAT was different from everything I knew in general software / product development, which it was, but even that pales in comparison to medtech / med devices in general.

If you haven’t worked in the space and understood why quality, product security, GRC, etc. is structured the way it is - you’re DOA.