
  • Predictions & Resolutions for 2026

    It’s that time of year for reflection on the past year and predictions on what’s to come. I thought I’d do a little predicting of my own for things that will happen in 2026 within the GRC/Cybersecurity space. Then next year, I can look back on them and think “wow, how wrong those were!”

    Don’t forget to drop your predictions for 2026, or tell me where you think I’ve gone wrong in mine!

    Here are my predictions for 2026, in no particular order:

    • “Buy a Compliant Audit” companies will officially be out of the marketplace
      • There has been much said this year regarding companies that advertise “compliance to X framework in 6 weeks or less.” I have yet to see a security person I trust give these companies the time of day, and I think the scam will come to light and fully make them extinct in 2026. My guess is that companies will also start, in 2026, to refuse to do business with anyone who carries one of these “stamps of approval” as part of their vendor standards, which will shrink the market for these companies further. Let me be the first to say – good riddance!!
    • External auditors will begin to require automated solutions for larger companies
      • Automated GRC solutions for control and audit management are hot in the market right now, and are being adopted by security and risk teams across industries. If you can afford it, it truly is some of the best that money can buy. I think 2026 will be the year that auditors get involved in tool selection, and some larger companies will start to be required to implement these tools by their external auditors. Whether through partnerships with the external auditors or minimum tool requirements, audit firms will start to see the efficiencies these tools create on their side, and I think they will start to mandate them to save time and be able to complete more audits within a calendar year. I could use some of my audit humor here (if you’ve worked with me, you know I have a stand-up special prepared during any audit for some comic relief!), but instead I’ll use this space to believe that 2026 is the year that auditors begin to embrace something that works for everyone!
    • New industry standards will be created & embraced by the security community
      • A hot topic in the last few weeks has been the fluctuating regulatory environment in both security and privacy that folks are facing. Some is de-regulation, some is delayed regulation, but it all results in a gap for some folks who aren’t sure what type of mitigations and controls to put into place. I think some companies are seeking the certainty that regulations give them (in some sense – many are still vague and/or written by non-industry experts, which makes them difficult to implement!), and I think this is going to lead some folks to create a “plug and play” security framework which, if implemented, would help meet both regulatory and industry expectations, creating a whole new type of framework. I think this may continue the concern around a lack of risk management behind control implementation, but it is certainly an interesting development in the world of frameworks.

    A few resolutions for me as well:

    • Regular posting! I’ve been nervous about posting my first “real” blog post, as I don’t know how interesting or novel anything I have to say is in comparison to the blogs & Substacks of true industry experts I read. Next year, I will get over that fear, and post at least once a month!
    • Broaden my consumption of security and risk content! Right now, I have a few go-tos that I read posts from, but would love to expand to podcasts, short or long form videos, etc. – any suggestions or recommendations?
    • Try new things! Collaborate with new people, companies, business models, frameworks & ways of working to see what works – want to join? Message me about the best way for us to work together & solve problems for you!

    What’d I miss? What are your predictions for 2026? Any resolutions you want to add? I’d love to hear from you!

    Have a safe and happy holiday season filled with relaxation and spending time doing things that make you feel great 🎉!

  • welcome & intro

    Hello & welcome to the Blog!

    So excited that you’re here! I’m new to blogging, and I’m excited to have a place to share my thoughts and discuss GRC, cyber & other industry issues with you directly.

    With 10 years of experience in the industry, I’ve seen a lot of things. I just tried to list all the adjectives I could think of for these things that I’ve seen and it was a lot…and yet, it didn’t even begin to cover the gamut of them. For those of you that have been through it, you get it!

    I’ve detailed more about me within my About Me Page, so I’ll save you the duplication. I’m starting the blog on this page so I can start discussing publicly some of the key issues that we’re seeing in the industry, whether legacy or emerging, and talk through the potential solutions. Maybe those solutions involve us working together, maybe they involve sharing best practices/ideas within the comments from other practitioners, or some of both! I’m excited to see what we can learn together from this adventure.

    In the future, we’re going to talk through issues in the industry, my thoughts, hot takes (maybe some cold takes too!), and many other things. What do you want to see? What do you want to talk about? Comment below so I can add those items you want to see!

    If you’re reading this and looking for some help understanding the issues you’re facing, don’t hesitate to reach out. I’m happy to build out a plan to help you deal with your issues, right-size your risk and control environment or governance build, get up to speed on the frameworks and requirements where you need it, and many other tasks (remember, I’ve been here for 10 years! I can help with it all!). Use the Contact Me page so we can talk ASAP and get you on a path to a solution!

    Until I come up with a cooler sign off, I’ll use the classics. BRB, BBL, see ya real soon, see ya later, alligator!

    -Michelle