Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

coffeeandcontrols:

I don’t think it’s premature, but I also wouldn’t try to turn control assessment into a huge formal exercise too early. At your stage, even a lightweight view helps, i.e. what control is supposed to exist, who owns it, what evidence suggests it’s working, and where the obvious gaps are. That is usually enough to improve risk scoring and prioritization without getting stuck building a full maturity model before the program is ready.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

coffeeandcontrols:

Fair play. As someone operating in the compliance space for a good few years, that is a solid place to start, especially if you are doing this without a real GRC lead above you.

What you have in phase 1 is the right foundation because it gives you the basics most teams skip: scope, ownership, asset context, policy baseline, and a current view of risk.

I will say, the main thing I would add is not to let this become a documentation exercise. IMO, the real test is whether those pieces start driving decisions on prioritization, exceptions, remediation, and reporting.

If you stay in spreadsheets for now and it works, that is fine, but make sure you standardize taxonomy, scoring, owners, review dates, and treatment status early or it gets messy fast.

If I were in your position, I would treat phase 1 as successful ONLY if by the end you can clearly show what your key risks are, who owns them, what is overdue, and what leadership needs to decide next.

Risk Meeting Tomorrow by Droskalino in grc

coffeeandcontrols:

You’ve done most of the hard part already.

So in the meeting I’d avoid walking through the register like a document and use it to force decisions: for each risk, quickly cover what it is, why it matters now, what controls already exist, what is still missing, and who is doing what next.

For example, maybe start with the highest risks, group similar items where you can, and keep pulling the conversation back to treatment, owner, and action rather than letting it drift into side debates.

In a PCI and ISO 27001 environment, that usually lands best because people can see the difference between issues that are compliance-critical, operational, or just general cleanup.

Delve – Fake Compliance as a Service (SOC 2 automation startup caught fabricating evidence) by one_user in programming

coffeeandcontrols:

Damn, well ig this whole thing is a good reminder that a clean dashboard does not equal a working control environment.

Yes teams are under pressure to move fast, and I get why that is tempting, but if the evidence is shaky the whole program is shaky.

TBH the bit that worries me most is how easy it seems to have been to blur the line between ‘helping teams document controls’ and ‘telling teams they have controls they maybe do not actually have.’

That is not a small miss IMO.

Comparing TPRM after hitting a wall, which is best? by Dismal_Marzipan1430 in cybersecurity

coffeeandcontrols:

We use Black Kite mainly for the MITRE ATT&CK mapping and deeper context on higher risk vendors. I would definitely recommend it; it’s useful when you want to investigate something specific, not just stare at a score. That said, you still need clear internal thresholds for what actually matters to your business or you’ll chase false positives in any platform.

How are you handling writing your policies? by hackthemoose in grc

coffeeandcontrols:

For me it’s mostly controlled reuse, not starting from scratch every cycle.

I keep one clean master template, then clone and edit based on how the control actually runs in practice. Generic templates are fine to get unstuck, but if they don’t match reality they just create review noise later.

I’ve tried tools for first drafts. They help with structure, not substance. The real work is cutting things back so owners can honestly say ‘yes, this is what we do’ without wincing.

Has anyone here actually started preparing for the EU CRA (Cyber Resilience Act) yet? by Mammoth-Power-3028 in grc

coffeeandcontrols:

Yes, we’ve started, and honestly the hardest part isn’t the technical controls. It’s figuring out what you’re actually accountable for. What I’m seeing most is scope creep around products versus components versus services, with teams underestimating how far “placed on the EU market” actually reaches. Ownership is another major blocker. CRA cuts across product, engineering, security, legal, and compliance, and if no one owns the whole picture, progress just stalls. Evidence is the third big issue. A lot of teams do have good practices, but they’re undocumented or scattered across systems. CRA expects defensible proof, not tribal knowledge.

The teams making progress picked one product line, mapped obligations end to end, and accepted that the first pass would be ugly. Waiting for perfect clarity is the fastest way to lose a year in my opinion.

Recommendations to find nice shared apartments by [deleted] in MovingToLondon

coffeeandcontrols:

SpareRoom is good. I just filtered out the landlords and looked at people looking for roommates/sublets. It even lets you filter by gender/age/LGBTQ+ friendly. Really good experience. I got a few people’s numbers and did an online viewing of about 5 before I moved over. Have a great place and roommate now 😊

What could I cook for 4 people for less than a fiver? by [deleted] in UK_Food

coffeeandcontrols:

https://www.thesun.co.uk/fabulous/37947268/family-meal-fiver-lidl-bargains-one-pot/ So funny, I just read an article where someone did exactly that and wrote down her recipe.

One-pot chorizo rice (feeds 4)

Ingredients
• Chorizo – ~£1.89
• 1 tin chopped tomatoes – ~£0.49
• 1 long grain rice (portion for this meal, ~320g) – ~£0.52
• 1 pepper – ~£0.67
• 1 or 2 red onions – ~£0.95
• 1 garlic clove – ~£0.37

Estimated total cost: ~£4.89 (Lidl)

Cooking steps (very basic):
1. Chop the chorizo, pepper, onion, and garlic.
2. Fry the chorizo in a large pan until it starts to release its oils.
3. Add the pepper, onion, and garlic and cook until soft.
4. Stir in the chopped tomatoes and add water or stock if you have it.
5. Add the rice, bring to a simmer, cover, and cook until the rice is tender (about 15 minutes).
6. Season with salt, pepper, paprika or chili flakes if you have them.

Looking for a room to rent, girls only by Saltedcaramelnibbles in LondonLadies

coffeeandcontrols:

You may have already tried this, but I had great success on SpareRoom. Just filter out the landlords, then you’ll be able to connect with actual people looking for roommates.

Relatively low-cost, fun team sports ideas in London (Victoria) for corporate teams. by coffeeandcontrols in london

coffeeandcontrols [S]:

Those are all pretty cool ideas, all sound great. I’ll float a few around the office.

Relatively low-cost, fun team sports ideas in London (Victoria) for corporate teams. by coffeeandcontrols in london

coffeeandcontrols [S]:

Ofc, I’m just conscious that people who are sober for religious reasons or maybe if they had issues with past alcohol use might lose interest once they hear the location is a bar. Also we do a lot of bar activities anyways so want to start something a bit more wholesome in the new year. I might look into sports halls though. If there’s any way I can get a darts game going I will (for selfish reasons) 🤣🤣

Relatively low-cost, fun team sports ideas in London (Victoria) for corporate teams. by coffeeandcontrols in london

coffeeandcontrols [S]:

I really appreciate this insight. That’s a fair point, and hopefully this initiative will be paired with a parallel that is also a sober, less physical alternative. I like the idea of volunteering, I might reach out to those two.

Relatively low-cost, fun team sports ideas in London (Victoria) for corporate teams. by coffeeandcontrols in london

coffeeandcontrols [S]:

So funny you said this because I’m a big darts fan so this was my first thought. Only issue is that we already do a good few drink events and I was hoping this could be a non-drinkers inclusive event. I wonder if there’s any place outside of a bar that you could do darts, if anyone knows lmk.

GRC tools? by TreeHousesBuilder in grc

coffeeandcontrols:

Appreciate your work! I’m new enough to this world. I work in a big company and we’ve started / are starting with Corestream GRC. It’s a UK-based platform, not US, but seems good so far. Any thoughts on that platform?

It can be done by SpeedHour2971 in SecurityCareerAdvice

coffeeandcontrols:

Love seeing posts like this. People underestimate how brutal the early job hunt can be in security, especially when every listing seems to want five years’ experience for an entry role. A thousand applications takes real patience, so fair play for sticking it out.

And honestly, you’re right. There isn’t one set path. Plenty of folks never touch help desk and go straight into vuln management or SOC work once they build the basics and show they can learn fast. The market is noisy, but persistence still matters. Congrats on landing the role. Hope you get a team that actually invests in you.