The job of GRC doesn’t stop when you write policies, communicate and make users “aware”. That’s table stakes.

It must include seeing through the changing of operational / business practice to reflect the intent of policy.

What you think the job is matters more than you think.

“We have a choice. We choose between self control, ill discipline, virtue and vice.

Self control must be observed physically, embodied mentally and must be rendered magisterially when our moment comes.

It’s our decision how this will look like, not once but a thousand times in life. Not just in the past, and in the future but right now, today.

What will it be ? Dependence or independence ? Greatness or ruin ?

Discipline is Destiny. It decides.

Will you choose it?”

- Ryan Holiday in ‘Discipline is Destiny’

Great management systems consider stakeholder bias and implement ways to avert it

One of the many reasons I’m a proponent of both risk analysis and threat modelling, ensuring they connect but aren’t overly prescriptive

Top-down meets bottom-up, but each isn’t bound by the other

“Losing is not always up to us, but being a loser is.

Being a quitter is. Saying “what the hell, why does this even matter”. That’s on us.

Throwing in the towel on a fight we clearly lost is one, throwing in the towel on fighting ? On your standards ? From that point forward ?

Now you’ve been beaten.”

- Ryan Holiday