Risk Grustlers EP 8 | A scoop of risk, squishy not crunchy!

Get ready to explore the crunchy and soft side of GRC in the eighth episode of our podcast Risk Grustlers, with Jason Leuenberger, a Leadership and Team Coach, who specializes in GRC.

With over twenty years of experience in the industry, Jason is the perfect guide to help you master the often overlooked softer side of GRC. He emphasizes the importance of skills like communication and relationship-building in strengthening risk management.

Jason also offers insights into how GRC professionals with a crunchy mindset can transition to the softer tasks that require behavior change across teams.

The conversation, hosted by our CEO Aayush Ghosh Choudhury, closes with Jason discussing his practice, Kinkou, and its benefits for GRC leaders.

Here are some highlights from the engaging episode.

Aayush: Could you discuss some insights you gained during your long GRC journey? 

Jason: I’ve been chewing on this idea for about a decade now – that risk management isn’t all crunchy and rigid. It’s not just about frameworks, tools, and giving directives. What’s been largely overlooked is the softer, more human side of risk.

You know, how company culture, teams, and systems within an organization play into risk management. Especially if you’re approaching it from a very crunchy perspective. I’ve been quite immersed in that crunchy approach for the past 20 years, deep into technical domains. I’m really into the technical aspects, the nitty-gritty of GRC. I find the innovative ways to simplify things intriguing, trying to make it less crunchy, more people-friendly. But even though I’ve been in that crunchy mindset, I’ve been wondering, how can we make risk management more data-driven?

How can we quantify everything, back it up with numbers? How can we use data to clearly show when we’re in a crunchy situation and need to step back? But you know what? In the process of all this technical focus, I realized I was missing a crucial piece – understanding people’s perspectives. Those teams and individuals dealing with difficulties, fears, and uncertainties that impact their risk decisions.

Aayush: Can you let us in on what the soft and squishy side of GRC entails?

Jason: The human side of risk is what I like to call the softer side. You’ve probably heard of “soft skills,” but honestly, that term doesn’t do them justice. These skills are anything but soft – they’re pretty tough.

You know, when it comes to these so-called “soft skills,” many struggle because they involve our human aspects. We often assume that people are either naturally born with talents like communication and relationship-building or they’re not. But the truth is, these are skills that we can learn, understand, and actually develop over time.

And regarding your question about the key components of this softer side and the patterns I’ve observed, well, there are definitely some strong trends. I’ve even given presentations on this topic, and I’m in the process of crafting a manifesto that covers several of these key ideas.

I also touch on these concepts in my work with GRC assessments. While I don’t do a ton of that these days, I still occasionally get involved in more substantial GRC assessments, depending on the specific situation, project, and client. So, when we find ourselves favoring a sense of knowing over learning, it’s often a signal that we might be leaning too heavily toward the rigid side of things.

Aayush: What would be some examples of situations where there was a trade-off between knowing and learning and what were the interventions that you made?

Jason: I’ve run into CISOs and risk pros at the executive level who are just plain frustrated. They’re like, “Why is no one listening? Why do I have to keep saying the same thing over and over?”

So, diving into this, when we really unpack it, a big part of this frustration comes from our personal fears. As risk professionals, we often fear not being right. People look to us for solutions to those potential risks, those worst-case scenarios we’re trying to prevent.

Sometimes, we come in thinking we’ve got it all figured out. We have a framework, analysis methods, the whole shebang. We’re confident that we know the controls to tell people, where the failures are, the problems, everything. But what we miss is asking questions to truly understand the deeper issues. Like, why is this a challenge for that team? Or how does the company culture play into certain risk decisions?

You know, they might be facing common or ongoing risks that they just can’t seem to tackle, despite staring them in the face for years. It’s about getting under the surface and understanding what’s holding them back.

Aayush: Risk management often doesn’t get a dedicated team until companies reach a certain size and scale. The CISO or VP of Information Security ends up handling it as a side task and when an incident happens, they end up taking the fall. It’s also tough for them to drive change across the organization because they need buy-ins from different teams. What are your thoughts on this?

Jason: Totally get what you’re saying – it’s the defender’s dilemma. CISOs and risk folks carry this concern with them every day. They’re haunted by the thought that attackers just need to be right once, while they feel they have to be right all the time.

I hear this often too – the term “buy-in.” It’s like, “I just need these people to buy in. Why won’t they?” But here’s the twist, what does buy-in really mean? Do you want them to just nod along or robotically follow your instructions?

Here’s the thing: buy-in usually sounds like an ultimatum. It’s like, “Agree or else.” But there’s a difference between buy-in and weigh-in. Weigh-in should always come before buy-in. See, if we don’t take the time to ask questions, understand their viewpoint, and give them the chance to weigh in, they feel like they’re being told what to do, without any say.

So, when we skip the weigh-in part and leap straight to “achieved buy-in,” they feel sidelined in deciding their risk journey. This contributes to the rigid side – we’re not letting them have a voice in their risk choices.

And this mismatch can lead to defensive behavior, signals that they’re disinterested or shut down. They don’t feel heard or involved. They might even resist by going completely against what we’re suggesting. It’s a dynamic that adds to that crunchy side.

Aayush: What happens when GRC professionals on the crunchy side have to carry out softer tasks that require things like behavior changes across teams? What steps have you taken to help such people bridge this gap?

Jason: It’s all about their choice – the clients decide which intervention works best for them. It boils down to what’s personally tough for them. I mean, what’s challenging specifically for them, not for someone else. Changing people and teams? Well, that’s quite the task, you know, we can’t reshape them as much as we wish we could.

It just doesn’t work that way. So, here’s the deal: how are you playing into this scenario? How’s the difficulty or challenge showing up for you? Often, leaders are looking for some common shifts in themselves. Like, they’re becoming more at ease with asking questions to grasp viewpoints from the other side. You know, from across the table or different teams or audiences.

Maybe it’s about talking to someone who’s just not vibing with the risk management program as it’s been pitched so far. Or perhaps they don’t quite get their role in risk management as a whole. It’s about being open to learning about people rather than already having all the answers on what they need to do. Because thinking you’ve got it all figured out can really narrow your path and isolate others.

So, one change leaders often strive for is transitioning from a rigid control mindset to a more open, adaptable one. And then they wonder, what small practices can help them shift from rigid to flexible, from fixed to expansive? You know, from being all about control to collaborating intelligently with diverse people and teams.

Aayush: Can you talk about the three most common interventions that you see yourself having to do over and over again to promote the softer side of risk management?

Jason: So, if I had to pick three key changes, the first one that immediately pops up is starting small. This applies not just to us getting a better grip on ourselves through increased self-awareness – which is a superpower for leaders – but also to any change we want to make, whether it’s personal or for our organization’s culture. I often advocate aiming for 1% gains – tiny improvements that can add up big.

Next up, there’s the balance between listening and talking. It’s kind of like the earlier point about learning versus knowing. How often are we really listening, grasping the reality of control owners or performers? What’s their day-to-day like? Their struggles, their exceptions – really diving into their world. It’s crucial to shift from control exercises to meaningful engagement.

And last but not least, there’s the dance between empathy and collusion. It’s essential to understand someone’s shoes without actually wearing them. Building rapport and understanding doesn’t mean we’re compromising integrity; after all, risk management is about assistance, not cheating. With empathy, we’re tapping into the human side, recognizing that everyone’s job is tough and they’re just trying to do their best. So, embracing empathy paves the way for meaningful change in the long run.

Aayush: Can you tell us about your practice?

Jason: I started a practice called Kinkou. I’m all about partnering with leaders who are up for the challenge of change. Change isn’t a walk in the park, but it’s where the real growth happens. It’s the game-changer that can make a leader or any professional step up and make a meaningful impact, unlike the traditional crunchy approach that’s been around for years in this industry.

We’ve been sticking to the crunchy side for far too long, overlooking the human and emotional aspect of our work. And let’s face it, risk and fear aren’t anyone’s favorite topics. So, how can we adjust ourselves to create a warmer, more productive collaboration where we can make real progress together? That’s what I explore in my sessions.

You can learn more about Jason’s practice at kinkou.org. Feel free to contact him at jason@kinkou.org.
