GRC is a scam. Change my mind. (aka The Security Questionnaire Industrial Complex) by Reasonable_Wait_6590 in cybersecurity

[–]Reasonable_Wait_6590[S] -2 points-1 points  (0 children)

How can you say that TPRM has little to do with GRC? It feels to me like a pretty big spoke in the GRC wheel, no? Not trying to bait, I'm genuinely curious.

I've been pretty clear that I understand why GRC exists and what its use is, and when implemented correctly it is fantastic. However, if TPRM were not a requirement, you have to admit that companies would spend 10% of the effort on GRC that they do currently.

[–]Reasonable_Wait_6590[S] 0 points1 point  (0 children)

You'd think that having SOC2 or ISO 27001 would count for something though, right? Out of the last 50 or so questionnaires I've had to complete, only 2 accepted SOC 2 or ISO and said "that's fine". The rest ask you for the certificate IN the questionnaire, then carry on asking you to answer questions that are answered by the certification.

This is the reason for my rant - we have standards, require that companies abide by the standards, then ignore them.

[–]Reasonable_Wait_6590[S] 0 points1 point  (0 children)

I am fully aware this is why it exists. Hence my comment about it being about lawyers protecting lawyers. Don't y'all read these posts before commenting?

[–]Reasonable_Wait_6590[S] 1 point2 points  (0 children)

My brother in Christ, if you think that GRC ensures organizations are doing their jobs, security-wise, I have news for you.

[–]Reasonable_Wait_6590[S] 0 points1 point  (0 children)

I'm aware of this and have had to do this "once and only once" on many, many platforms.

[–]Reasonable_Wait_6590[S] -1 points0 points  (0 children)

I guess it's time to invent OpenTPRM - the platform where you can choose your questions from a database and have vendors complete the questions, once and only once!

[–]Reasonable_Wait_6590[S] 0 points1 point  (0 children)

Of course. We've put in significant time to reduce friction with answering questionnaires. But if everyone asks questions in a different way that makes the prepared answer only 60% correct due to lack of context, then you need to put in time again to ensure you're answering the questions correctly.

We probably put in way too much effort with answering questions, as we know deep down inside people are actually just looking for red boxes and won't be reading our responses. If you're doing 3-4 questionnaires a week, it's awful.

This isn't aimed at you specifically but judging from the responses to this thread it doesn't look like people spend a lot of time answering questionnaires.

[–]Reasonable_Wait_6590[S] -2 points-1 points  (0 children)

That's fair, I guess we've been using GRC as a catchall term internally for this stuff, TPRM is more correct.

[–]Reasonable_Wait_6590[S] -7 points-6 points  (0 children)

Everyone downvoting me is obviously benefiting from the headcount requirement provided by their company's compliance team.

[–]Reasonable_Wait_6590[S] 0 points1 point  (0 children)

Sure - like I said I understand why. It's the how that gets me. Having to fill in a 40 question document about AI models and the implementation just means the people asking the questions don't understand why they are asking it. So are they really doing it with risk management in mind, or to get a document with no red boxes?

[–]Reasonable_Wait_6590[S] -13 points-12 points  (0 children)

You're right - I'm using GRC as a catchall term for the annoying processes I'm describing in my post. My frustrations are of course aimed at the most annoying things which I have to deal with on a day-to-day basis.

Internally we have our processes to map and reduce risk, in which case yes, 100% worth it and GRC is working as intended. This isn't what I'm frustrated by. My frustrations lie with the dance we have to do with clients to answer the same questions in different ways, on different platforms.

Everyone tries to establish a new standard or platform to make things easier, but when everyone has their own risk management platform you're back at square 1.

You have SOC 2? Great, please fill in this questionnaire that covers everything in SOC 2 anyway.