From Backcountry Ranger to GRC Pundit

It is the Thanksgiving holiday here in the United States, so I thought I would make this post a little more personal. I am grateful for all of my clients, followers/subscribers, and the many I get to interact with in the range of my travels at conferences, workshops, and other events. Each and every one of you makes GRC worthwhile.

As I have often stated, GRC is something organizations do; it is not something organizations buy. There is a range of technology solutions that help improve GRC processes and can make GRC more effective, efficient, and agile. But purchasing a GRC solution does not get you GRC. GRC is something every organization does. Some well, others not so well. You will not find an organization that states they lack governance, do not manage risk, and can care less about compliance. Whether the organization uses the GRC acronym, something else, or no label at all . . . all do GRC in some form or fashion. At the end of the day it is actually individuals that do GRC. We all play our part and participate in the machine of strategy and operations of the organization(s) we serve. Each of you plays a part in GRC in one or many organizations.

Oddly enough, becoming a GRC professional is not something I ever strategically planned to pursue. We often talk about organizations being on a GRC journey and it is not a particular destination. As a professional it has been a journey, one that I have enjoyed but not one that was intended.

I grew up in the Northwest corner of Montana near Glacier National Park. Montana is in my blood. I echo the words of John Steinbeck, in Travels with Charley: In Search of America, “I’m in love with Montana. For other states I have admiration, respect, recognition, even some affection. But with Montana it is love. And it’s difficult to analyze love when you’re in it.” From the age of four until I was seventeen my desire was to be a backcountry ranger. I loved, and still love, the outdoors. I spent my teenage years backpacking, rock-climbing, skiing, and doing anything outdoors. I was fascinated with all aspects of nature, ecology, botany, and the variety of animals that surrounded me. The mountains themselves beckoned to me and my heart leaps when I get to see mountains, particularly those in Northwest Montana. My middle son, one of three who is twenty-one years old, lives where I grew up. His friends often chide him as he will wake up and look at the mountains and be amazed. They will remind him he has been living there for over two years; it does not matter to him as every day mountain vistas strike his heart with a fresh flood of admiration and amazement. I understand my son.

The only thing that could move me from my pursuit of the outdoors and becoming a backcountry ranger was my greater love for the Creator of all that I loved so dearly. At age seventeen I decided to pursue theology in college to become a pastor/minister. It was my first year of college that I met a wonderful young lady and fell in love. We got married two years later while still in college, and a year later got pregnant with our first child. I was serving in ministry while still trying to finish my degree; it was not enough to support a young family. We moved to Milwaukee, Wisconsin (where my darling wife is from) and I pursued work in technology, with a focus in information risk and compliance. I worked in a manufacturing organization, then in a healthcare and life science research organization, and then led a risk and compliance consulting practice in the Chicago and Milwaukee area for several years throughout the 1990s.

During this time, I finished my undergrad degree in business, not theology, and went on to complete a Juris Doctorate. Though my passion for theology has not changed as I have finished my coursework and am writing my thesis for a Masters in Church History. My thesis is on the influence of medieval theology on J.R.R. Tolkien (another passion of mine). My favorite theologian and philosopher from church history is Anselm (11th/12th century Archbishop of Canterbury), who stated my life’s purpose so well in his Proslogium, “One who strives to lift his mind to the contemplation of God, and seeks to understand what he believes.”

As for my professional life, I started the Milwaukee chapter of the ISSA and was appointed to serve on the International Board of Directors for the ISSA serving in several capacities, first the VP of Chapter Relations, then VP of Marketing, and finally the VP of Standards & Public Policy representing the many ISSA members on public policy matters and standards impacting information security, risk, and compliance. I was able to have some of my works published in Congressional reports as well as serve on special Congressional committees.

It just so happened that the Chicago chapter president of the ISSA, and friend, was Steve Hunt, an analyst at GiGa Information Group (note the two capital G’s in GiGa; it actually stands for Gideon Gartner and not Gigabyte. Gideon left Gartner, which he established, to form a new breed of analyst firm in GiGa). Steve kept throwing his client inquiries/questions on compliance and policy over the fence to me for my insight and answers. One day he said, why don’t you just come work here. So my next part of my journey started – I became an industry/market research analyst at GiGa which shortly thereafter got acquired by Forrester Research.

I guess my claim to fame, should Wikipedia or something else remember me for a few months after I am gone, is on a snowy day in February 2002 at the GiGa offices in Chicago. During my consulting years in the late 1990s I had pondered that there had to be a better way to manage risks, policies, controls, compliance requirements, and do this in context of each other. A solution provider named Telos (with their solution Xacta), focused on government, demoed a solution to me that did just that on that snowy day in Chicago. It struck me that this is exactly what I had envisioned and was looking for in the 1990s. I saw a great demand for this type of solution and decided that it needed its own market segment and name (little did I know that the events unfolding with Enron at that time would lead to SOX which would see this market take off very rapidly).

The question before me: what do I call this market? My next briefing after Telos was with PwC. They were reviewing the range of their services with me. They had lots of slides in their presentation categorizing their services from broad to industry specific. But three separate slides stood out to me, their Governance services, their Risk Management services, and their Compliance services. GRC. That was it. So on a snowy day in Chicago in February 2002 I first defined and labeled a market GRC. I went on to further define and model this market, but also have worked closely with OCEG over the years in contributing to and collaborating on the GRC Capability Model as at the end of the day GRC is something organizations do, not something they buy.

Thus the GRC market was born. During my tenure at Forrester I was a VP and led their GRC research, often getting their Top Analyst award. I wrote the first two Forrester GRC Waves comparing solutions in the market, as well as the two ERM Consulting Waves comparing risk management consultants. I spent seven years at Forrester and then went on my own as an independent market research analyst under my company name, GRC 20/20 Research, LLC.

The GRC market has grown over the years and I love researching and following it. I have mapped over 700 technology solution providers into different segments of the GRC market, and have now mapped over 115 providers of GRC intelligence and content solutions with over 500 content offerings into the market as well. It is a passion of mine to understand the different solutions, what differentiates each, and to model and forecast the market.

I trust this Thanksgiving holiday is a good one for each and every one of you. I am thankful for all of you as you make my research meaningful, and I love interacting with all of you! I would love to hear about your GRC professional journey, feel free to comment on the road you took to where you are at now . . .

 

 

 
