Back after three weeks away from work! Didn't touch email or Slack ONCE!
4 hours into this first day back, I'm finally caught up in Slack 😂
Now for Outlook...
Thoughts on compliance, InfoSec, my own professional development, and the world (with the occasional dog pic)
CISSP | WVU grad | Band Kid | Collector
No, 'global admin' does not mean they're in another country. Yes, I actually had to explain that.
| Field | Value |
|---|---|
| | @NCC800_53A |
| | https://linkedin.com/in/cacarpenter89 |
| Work | Senior Information Security Specialist @ VMware |
| Pronouns | He/Him/His |
I haven't checked my email in a week.
I have two more weeks of not checking my email.
These are good weeks.
Availability is always a fun compliance topic, especially when you come into a team that doesn't have compliance in mind when working on it.
I still remember the system owner who set a 5 9s requirement for a system that didn't pick a single service over 3 9s and argued with me over the failed controls.
Like, dude... It's YOUR requirement they didn't meet.
Even better is when a business impact analysis is a completely new concept to an established system, but that's a toot for another time.
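The arithmetic behind that failed-control argument, as an added example that is not from the original posts: a system that needs all of its services at once is a serial chain, so its availability is the product of the component figures and can never exceed the weakest one. The service names and availability figures below are constructed for illustration.

```python
"""Composite availability against a stated requirement.

Added example; the component names and figures are constructed.
Services the system needs simultaneously are composed in series
(multiply); redundant replicas are composed in parallel (the system is
down only if every replica is down, assuming independent failures).
"""
import math


def nines_to_availability(nines):
    """'Five nines' -> 0.99999."""
    return 1 - 10 ** (-nines)


def availability_to_nines(availability):
    """0.999 -> 3.0; expresses a composite figure in the owner's vocabulary."""
    if availability >= 1:
        return math.inf
    return -math.log10(1 - availability)


def serial_availability(components):
    """All components required at once: product of their availabilities."""
    result = 1.0
    for a in components.values():
        result *= a
    return result


def parallel_availability(replicas):
    """Redundant replicas: unavailable only if every replica is unavailable."""
    unavailable = 1.0
    for a in replicas:
        unavailable *= 1 - a
    return 1 - unavailable


def downtime_minutes_per_year(availability):
    return (1 - availability) * 365.25 * 24 * 60


def assess(requirement_nines, components):
    """Compare the serial composite of `components` with a nines requirement."""
    required = nines_to_availability(requirement_nines)
    achieved = serial_availability(components)
    return {
        "required": required,
        "achieved": achieved,
        "achieved_nines": availability_to_nines(achieved),
        "meets_requirement": achieved >= required,
        "weakest_component": min(components, key=components.get),
        "annual_downtime_minutes": downtime_minutes_per_year(achieved),
    }


# Constructed: a "five nines" requirement over services that each sit at or
# below three nines, mirroring the situation described in the post.
REQUIREMENT_NINES = 5
SERVICES = {"auth": 0.999, "database": 0.9995, "frontend": 0.9999}

if __name__ == "__main__":
    result = assess(REQUIREMENT_NINES, SERVICES)
    for key, value in result.items():
        print(f"{key:>24}: {value}")
    # Two independent replicas of the weakest service, for comparison.
    print(f"{'auth, 2 replicas':>24}: {parallel_availability([0.999, 0.999]):.6f}")
```

Even the strongest single service here (four nines) caps the whole system below the requirement, which is why the failed control belongs to the requirement's owner, not to the assessor.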
My most frequent advice for compliance folks wanting to advance:
Learn risk management concepts and don't get stuck in a tool. Understand the processes and standards the tools implement.
A compliance professional with 3-5 years under their belt should be able to explain risk analysis and how to assess several key controls for proper implementation WITHOUT resorting to describing a tool workflow.
One of my favorite interview questions to ask is, "How would you determine whether a system is properly implementing separation of duties and least privilege?"
This advice may seem somewhat obvious, but I once went through ELEVEN candidates for such a position before I found someone who could explain that conceptually.
Entry-level positions are often limited to that kind of work, so take it upon yourself to learn. You'll stand out and it'll make an enormous difference in what you can contribute.
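One concrete way to assess the two controls named in that interview question, given an access export rather than a tool workflow. This is an added example, not from the original posts; the roles, users, conflict pairs and "permissions exercised" set are all constructed. Separation of duties fails when a single identity holds both halves of a conflicting duty pair; least privilege is tested by comparing the permissions an identity holds against what it actually used in the review window.

```python
"""Separation-of-duties and least-privilege checks over an access export.

Added example with constructed data. In a real review the role/permission
mapping comes from the system's RBAC configuration, the user/role mapping
from its directory, and the "used" set from audit logs for the review window.
"""
from itertools import combinations

# Constructed: role -> permissions granted by that role.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "readonly_auditor": {"ledger.read"},
    "global_admin": {"vendor.create", "invoice.enter", "payment.approve",
                     "ledger.read", "user.manage"},
}

# Constructed: permission pairs that must never sit with one identity.
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
]

# Constructed: user -> roles assigned.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver"},
    "bob": {"ap_clerk"},
    "carol": {"global_admin"},
    "dave": {"readonly_auditor"},
}

# Constructed: permissions each user actually exercised in the review window.
USED_PERMISSIONS = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob": {"vendor.create", "invoice.enter"},
    "carol": {"ledger.read"},
    "dave": {"ledger.read"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of permissions across every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """(user, perm_a, perm_b) for every conflicting pair one identity holds."""
    findings = []
    for user in sorted(user_roles):
        held = effective_permissions(user, user_roles)
        for a, b in conflicts:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings


def least_privilege_findings(user_roles=USER_ROLES, used=USED_PERMISSIONS):
    """user -> sorted permissions held but never exercised in the window."""
    findings = {}
    for user in sorted(user_roles):
        unused = effective_permissions(user, user_roles) - used.get(user, set())
        if unused:
            findings[user] = sorted(unused)
    return findings


def toxic_roles(role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Roles that contain a conflicting pair on their own (design defect)."""
    return sorted(r for r, p in role_perms.items()
                  if any(a in p and b in p for a, b in conflicts))


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD violation:", *finding)
    for user, perms in least_privilege_findings().items():
        print(f"Least privilege: {user} holds unused {perms}")
    print("Roles that violate SoD by design:", toxic_roles())
```

The three functions map to the three questions an assessor actually asks: is the role design itself toxic, did role stacking create a conflict for a specific person, and is anyone carrying standing access they never use.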
Remembering that time I once replied to a program manager's "let's double-click on that" with "can we right-click first and see what our options are?"
The only way I can describe the silence that followed: it was like everyone silently bit into a lemon at the same time.