There is no one-size-fits-all approach to GRC or data privacy. The right framework, the right certification, and the right time to invest all depend on factors specific to each organization. Alyssa Ahmann, a governance, risk, and compliance specialist with over 13 years of experience, has led SOC 1 and SOC 2 implementations, performed NIST Cybersecurity Framework gap analyses, and completed privacy compliance assessments across industries. In this episode, she shares the common pitfalls organizations face when building GRC programs and explains why understanding your foundation is always the first step.
You can read the complete transcript of the episode here >
What are the biggest challenges in setting up a security program?
Alyssa identifies two common failures at opposite ends of the implementation process:
At the beginning — skipping scope understanding:
- Organizations want to jump straight into framework implementation without understanding their goals, industry requirements, contractual obligations, or regulatory landscape.
- Without this foundation, programs get built that do not actually address the organization’s real needs.
- The fix: make scope understanding an explicit step in the process. Document goals and ensure the project team is aligned before selecting a framework.
At the end — failing to communicate:
- Policies and procedures get documented but never leave the compliance group. Employees, contractors, and clients do not know where to find them or what is expected.
- Training and educational initiatives are insufficient or nonexistent.
- New initiatives launch without security and compliance built in from the start.
- The fix: dedicate resources to implementation, training, and ongoing communication. Build GRC expectations into program development so new initiatives are compliant from day one.
The recurring theme: every time Alyssa joins a project already underway and asks basic foundational questions that cannot be answered, the team must step back to the beginning. That frustration is avoidable with proper scoping upfront.
How should organizations implement a GRC program from scratch?
The OCEG defines GRC as “the collection of capabilities that enable an organization to reliably achieve its objective, address uncertainty, and act with integrity.” Alyssa’s implementation approach:
- Identify the right framework: NIST Cybersecurity Framework and Risk Management Framework are widely used, but they are not always the best fit. Consider industry-specific frameworks and regulatory requirements.
- Perform a baseline assessment: Understand where the organization stands today against the chosen framework. Often, strong processes exist but nothing is documented.
- Identify gaps and prioritize: Separate quick wins (moderate risk, low effort) from critical investments (high risk, high effort). Address both tracks simultaneously.
- Recognize the investment: Mid-size businesses spend $4-8 million annually on GRC. Leadership must understand this is not overhead but the capability that allows the business to continue functioning.
For organizations with existing programs that may be outdated: validate that the current framework still fits, then perform the same baseline assessment. Alyssa has never seen an organization fully meet every expectation of any framework. The goal is prioritized alignment based on organizational goals and risk tolerance, not perfection.
How do modern privacy regulations change the game for organizations?
Privacy regulation has shifted fundamentally. Pre-GDPR regulations focused on protecting data from external threats. Post-GDPR regulations reassign data ownership to the individual:
Three ways privacy requirements come into scope:
- Location-based: Where you operate determines requirements (state-specific laws)
- Industry-based: What you do determines requirements (HIPAA for healthcare, PCI for payment processing)
- Data subject-based: Whose data you collect determines requirements (GDPR for EU citizens, CCPA for California residents, regardless of where you operate)
The data subject approach is the modern shift. A US company with no EU presence must still comply with GDPR if it collects EU citizen data. This means organizations must answer questions like: Why did you process my data that way? How did I get this marketing email when I only gave my email for a support question?
The biggest obstacle: most organizations do not know what data they collect, when they collect it, why they collect it, what they do with it, or where it is stored. Without this understanding, compliance with deletion requests alone can consume the entire 60-day compliance window just to locate all instances of an individual’s data.
How should organizations navigate conflicting privacy regulations?
Regulations frequently contradict each other. GDPR defers data retention to individual country laws, where some require indefinite employee data retention and others require rapid disposal. Alyssa’s approach:
- Default to the most restrictive: If one regulation says 120 days and another says 180 days, complying with 120 days satisfies both.
- Document what applies: Clearly identify which regulations the organization must adhere to and where conflicts exist.
- Invest in data understanding: Know what personal data is collected, processed, stored, and shared. This is the foundation everything else builds on.
- Recognize the shift in ownership: Under GDPR and CCPA, individuals own their data. Organizations are custodians with specific, limited rights to use it.
CCPA’s Article 24 additions further restrict profiting from personal data without consent. The trend is clear: data subject rights will continue expanding globally, and organizations that build strong data governance now will be ahead when new regulations arrive. This connects to broader data privacy and governance practices.
When is the right time to invest in security certifications?
Alyssa’s answer often surprises organizations: certifications are not always necessary. The decision framework:
Get certified now if:
- You are publicly traded (SOX 404 required)
- You process credit card data (PCI required)
- You are in healthcare (HIPAA required)
- Contracts with customers require SOC 2 or ISO reports
Consider a readiness assessment first if:
- No regulatory or contractual requirement exists
- You want to understand how close you are before investing
- You need to identify gaps that would result in a qualified or no-opinion report
Skip certification and focus on internal programs if:
- No regulatory, contractual, or customer-driven need exists
- Resources are better spent building a strong internal security framework
- You can address customer security questions through other means
The key insight: certifications give a point-in-time snapshot. They do not defend against evolving threats. Organizations with SOC 2, HIPAA, and PCI certifications still get breached because certifications alone, without supporting programs like incident response, continuous monitoring, and vendor assessment, are insufficient.
What makes GRC programs succeed long-term?
Beyond initial implementation, sustained success requires:
- Ongoing resource dedication: Once the initial project wraps, competing priorities pull people away. Dedicate permanent resources to program maintenance.
- Training and education: Policies that exist but are not understood provide no value. Invest in making compliance accessible to all audiences.
- Integration with development: New initiatives should be designed with GRC requirements built in, not retrofitted after launch.
- Regular reassessment: Frameworks evolve, regulations change, and organizational goals shift. Periodic reassessment ensures the program remains relevant.
The OCEG definition captures why this matters: GRC enables organizations to reliably achieve objectives, address uncertainty, and act with integrity. That is not a one-time project. It is an ongoing capability that requires sustained investment and attention, similar to how enterprise risk management must be continuously maintained.
