At Lynx, our most valuable assets are our people. We intentionally promote diverse talent from within our ranks and make it our mission to improve the position of any person or company who works with or for Lynx.
In this interview, Lynx GRC analyst, Paul Kletchka shares how he got started in cybersecurity and offers tips CISOs can use to build more effective GRC programs. Paul is a strategically-minded cybersecurity professional who has helped institutions successfully navigate the intersection of security, privacy, information technology, users, and customers for over fifteen years.
How did you get started in cybersecurity and ultimately become an SME in governance, risk and compliance?
My cybersecurity career path started in IT. The person who hired me for an IT position later moved to the organization’s security office. When a job opened there, he strongly hinted that I should apply, I did, and I got the job. He recognized that I had strong technical abilities, but I was also able to work well with people. Throughout my career, I have helped people understand security by making it personal to them.
This job was long before GRC was widely practiced. At the time, cybersecurity folks were constantly putting out fires. Which made security such a grind. I remember thinking there has to be a better way to be more proactive. So, I started a GRC-type program before I even knew what GRC is.
It wasn’t until I moved employers that I realized the importance of having a well-defined GRC program. Just paying lip service to GRC doesn’t get an organization very far. Neither does the security revolving door because turnover makes it difficult to establish a GRC program.
After a few years, I moved to a big bank, where I was entrenched in their risk program. I primarily worked on third-party vendor risk management. Here I learned that managing third-party risk can quickly become like a Mastodon stuck in a tarpit. Third-party risk was a huge program for the bank. They were doing site visits for every assessment. Their vendors couldn’t refuse the visits, but the assessments took forever. If an assessment was done within three months, it was a miracle.
I knew something had to change, but that wasn’t up to me. I moved on to escape getting sucked down into the depths of the tarpit. This led me to Lynx, where the attitude toward GRC issues is much more attractive, and I get to help companies achieve better value from their GRC program.
What is something you wish you knew when you first went into a career in cybersecurity?
It’s a horrible truth, but the biggest pat on the back you get for doing good security work is hearing absolutely nothing. If you aren’t hearing complaints that means things are running pretty smoothly. Silence is the sweet spot and you should lean into it because it means you’re doing your job well. Unfortunately, hearing zero complaints is rare in cybersecurity—no matter how well anyone does their job.
How has GRC changed (for better or worse) over your career?
The fact that GRC has become a widely recognized part of cybersecurity is a really big deal. There are always so many fires to put out. Battling constant threats makes it hard to find the time you need to create a program that proactively addresses every risk. Governance was an absolute pipe dream when I started. Compliance was just something that you stayed up late to complete because everybody had forgotten about the report until it was past due and it was only done to avoid a penalty. Today even smaller companies are thinking about GRC issues. That’s a big win. GRC still isn’t perfect, but it’s definitely gotten better.
What advice do you offer to companies that want to build more effective GRC programs?
Help people understand why security is important, build consensus and think twice before promoting highly technical people to executive-level roles. Technical thinking is great, but it doesn’t account for humanity. CISOs need to understand how security issues affect the business and personalize GRC in contexts that people can understand.
Can you give a specific example of this advice in action?
Consensus building was part of my first security office job. It was a big job because the security office had burned a lot of bridges. I knew to get any level of cooperation with the ton of distributed IT units we had, I was going to have to rebuild relationships and build new ones. I really had to sit down and figure out how to make what we were doing in the cybersecurity office relevant to what these distributed units were doing in their own bubbles.
From working in several different units before the security office, I knew a lot of people. I developed relationships while I was out in the trenches doing support work and system admin stuff. I went to the people I knew and nurtured those relationships. I talked to them about what we were doing. I commiserated with people about how security initiatives might make their lives hard. I took their feedback to the cybersecurity office. We could then make it personal by knowing where their pain points were, what was working for them, what wasn’t working, and understanding what we could do to help them.
I also went out and gave presentations across the enterprise to regular staff, not just IT staff. I talked about why we were doing a specific initiative. At that time, we were scanning for PII on computers. The pushback we got on that initiative was insane. But when I explained, “Hey, what if you did your taxes on your laptop? That gets hacked, and now your social security number is stolen.” That got people’s attention. The conversation moved from, “You’re invading my privacy” to “Oh, you’re actually trying to protect my privacy.”
When we identified units that were particularly vulnerable, I became their point of contact. I talked with them about what was going on, how we could help them, and what they could do to shore up their defenses. It wasn’t risk assessments like we think of them now, but we would find who was vulnerable. Then I would go out and talk with them. It really gave a face to what we were trying to do, and we worked very hard to make sure it was friendly. It takes people and business skills to make a proactive security program work.