While Armor is known as a leader in cybersecurity, we’ve earned our reputation thanks to the people who put their skills, experience, and collaborative spirit to work here every day on behalf of our customers. In this blog, we continue our “A Day in the Life at Armor” series by introducing you to one of those valued team members, Marie Garcia, Director of Governance, Risk and Compliance, and her role in understanding the issues and concerns of companies large and small, as well as the problems Armor helps them solve.
What does your role as Director of Governance, Risk and Compliance entail?
The Open Compliance and Ethics Group (OCEG) formally defines “Governance, Risk, and Compliance” as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.”
GRC is the common abbreviation for Governance, Risk, and Compliance—but the full story of GRC is so much more than those three words. GRC refers to the critical capabilities that must work together to achieve Principled Performance—the capabilities that integrate the activities of governance, management, assurance of performance, risk, and compliance. This includes the work done by departments such as internal audit, compliance, risk, legal, finance, IT, and HR, as well as the lines of business, executive suite, and board of directors.
GRC is all of that, but for me, my role is really about building relationships.
What is your typical day-to-day like here at Armor?
A typical day for me involves many seemingly disparate activities. I regularly check in with control owners across the organization about their compliance and security controls to ensure the appropriate evidence is obtained and archived. In the same day, I can work with our rock star Customer Support team regarding internal vulnerability scans for customers and their compliance requirements. I’ll also work with our seemingly tireless Cloud Ops team to operationalize and fine-tune compliance and security activities. One of my favorite things is to work with our Engineering Directors and Product Managers to brainstorm product features and functionality. And then, I could end my day by working with our HR and Training teams.
What one word would you use to describe your job? And why?
This is a challenge, but I’ll have to say relationships.
Building and maintaining relationships is really what I do. First, I truly enjoy and respect the people I work with here at Armor. They are a highly intelligent and fun-loving crew. They are also very busy and have many other commitments/deliverables, so when a GRC person (me) walks up, it usually means I’m going to add to their to-do list—not always, but lots of times, yes.
So, I work on building relationships with them. When we meet, I schedule either 30-minute or 45-minute meetings with actionable agenda items. When I can ease a compliance burden, I do. If we can automate a process, we do. I try to be very respectful of their time. But, we do have fun! In fact, several teammates have gone above and beyond to support compliance efforts and, for those individuals, we reward them with a “Compliance Unicorn”—a stuffed-animal unicorn with a compliance necklace. That may sound a little odd, but I think they appreciate the gesture, and the unicorns seem to be quite coveted!
What’s a typical pain point for your customers?
I feel the main pain point that customers have is understanding their environment scope and compliance requirements, especially if they are subject to multiple compliance standards. When that’s the case, there can be, literally, thousands of controls to execute and monitor, so figuring out where to start can be overwhelming for them.
How does Armor help them with that?
The GRC function eases those burdens for customers by ensuring that our products meet applicable requirements from several compliance standards. We also maintain a shared-responsibilities matrix to help customers understand their compliance obligations.
Additionally, Armor has a Director of Customer Compliance, who is available to address any specific compliance questions or concerns. He’s a super-knowledgeable guy with a great sense of humor. There’s also our Customer Experience team. Those folks genuinely care about our customers and work with them to ensure that everything is running smoothly.
What are some pain points in your day-to-day?
Staying current with technology, new/changing regulatory and compliance requirements, and the ever-changing threat landscape. It can be overwhelming.
How do you deal with them?
I meditate, for one; it helps me focus on one thing at a time. In addition to that, I’m an audiobook and podcast junkie. I listen to a plethora of audiobooks and podcasts to keep up with technology, new-and-changing regulatory and compliance requirements and the threat landscape. I also listen to a few not-so-techie podcasts just to keep things fun and interesting. Then I share what I’ve learned with my workmates. I’ve been known to say, “I heard on this podcast that…” They call it podcast vomiting!
Where do you see the industry 5 years from now?
I see at least 3 major changes coming in the next 5 years for our industry. First, I see security being done in software—our infrastructure, our applications, and our security controls will be done inside of software.
Since compliance is a byproduct of security, I can also see Security-as-a-Service (SECaaS) companies starting to serve up compliance-related activities to their customers via the SECaaS portal. Activities beyond baseline drift; I see SECaaS companies commoditizing the automated solutions they’ve created to address their own security/compliance pain points and making them available to their customers. To further reduce the compliance burden to those customers, I see the SECaaS companies capturing evidence of those and putting solutions in use and serving up that evidence to the customer’s GRC tool of choice for the customer’s own compliance assessments.
And, finally, I see SECaaS companies and cyber-insurance companies partnering with one another. If a SECaaS company can provide evidence to a cyber-insurance company that they have a solid security platform, cyber-insurance companies can then, in turn, offer lower insurance premiums to customers who use that security platform.
Understanding current cyberthreats, anticipating future risks, and providing the protections that will keep data safe and compliant requires more than just bits and bytes. It takes people who are more than just experienced, talented, and vigilant—it requires people who care. Thanks to team members like Marie, Armor provides best-in-class solutions and takes the complexity out of cybersecurity, so our customers can focus on what they do best.