No matter where you sit in a GRC team — whether you're running your first SOC 2 audit or managing a portfolio of global certifications — there is a failure mode that quietly undermines the whole function. We get so good at working the framework that we forget what we are actually there to do. The controls get mapped. The evidence gets collected. The audit passes. And somewhere in the gap between the checklist and reality, the real risk lives undisturbed.
The mental model I keep coming back to is the trial lawyer. A great one operates across three elements simultaneously — and so should every GRC professional, regardless of title.
The framework — ISO, FedRAMP, NIST, whatever your courtroom runs on — is the equivalent of the statutory law. Master it. Know it cold. But never confuse the rulebook with the strategy. The rules tell you how the game is played. They don't tell you how to win it.
There's a rule every good lawyer lives by: never let your client surprise you on the stand. You need to know everything — the strengths and the gaps — before opposing counsel does. Because in court, a blind spot isn't just embarrassing. It's losing.
The same rule applies in GRC. You cannot defend a product you don't fully understand. If an auditor, a regulator, or a sophisticated customer asks a sharp question about your platform's data flows, your access model, or your AI pipeline — and you don't know the answer — you have just handed opposing counsel the case. Know your product the way a lawyer knows their client. No blind spots. No surprises.
The adversary is the most underweighted element in GRC at every level. Even junior analysts benefit from asking: "What would an attacker do with this gap?" Sophisticated threat actors don't read your compliance documentation looking to help you improve — they read it looking for the seams between frameworks. Real continuous monitoring, even in its most basic form, should ask not just "is the control in place?" but "would this control hold against someone actively trying to defeat it?"
Frameworks document yesterday's threats. Your job is to defend against tomorrow's.
One final element completes the courtroom: the judge and jury — your auditors, regulators, board, and customers. A great lawyer knows their audience and argues accordingly. As a GRC professional, your ability to communicate risk clearly — in plain language, tied to real business impact — matters as much as the quality of your controls. Whether you're writing an audit response or briefing a CISO, you are always making a case to someone. Make it well.
The simplest test, for anyone in GRC at any level: if your program achieves a clean audit score while an adversary moves quietly inside your environment — and nothing flags it — you have built a compliance program, not a security program. Know your client. Know the law. Know your adversary. That's how you win the trial.