Q&A with Anthony Sielczak, GRC Team Lead
Insights from a leader in Governance, Risk, and Compliance on navigating a career in GRC and collaborating with other teams.
Anthony Sielczak is the Team Lead of Governance, Risk, and Compliance (GRC) Security at WebMD Health Services (Limeade), where he spearheaded the formation of the GRC team and established Limeade’s Information Security (InfoSec) program. With a background in IT/InfoSec Business Analytics, business development, and real estate, Anthony’s path to GRC leadership was unique. His approach to GRC emphasizes often-overlooked soft skills, like strong communication, analytical thinking, problem solving, and the ability to articulate technical concepts to non-technical audiences.
Our Q&A with Anthony Sielczak dives into his journey into the field of GRC, lessons learned throughout his career, and his advice to security professionals seeking a similar path.
Q&A with Anthony Sielczak
Q: Can you share a bit about your journey into the field of GRC?
A: All journeys begin by taking the first step towards your destination. My journey into cybersecurity and more specifically GRC was no different, and was kicked off by my offering to help with information security-related work while the team was short-staffed. While our CTO at the time was receptive to my offer, seven months passed before my name came up in conversation with the new Director of the team. I later met with them and was asked to apply for an Information Security Analyst position. Eight months later, my leadership team requested that I accept the role as the leader of the newly formed GRC team, which I excitedly accepted.
Q: What inspired you to specialize in this area of cybersecurity?
A: I was inspired to specialize in GRC because it was an entirely new frontier for me and I felt I could make a meaningful impact to improve our processes and procedures in a growing business, with the added benefit of being able to rapidly see the improvements my team and I made.
Q: What are the biggest challenges you've faced in your career as a GRC security lead, and how have you overcome them?
A: In my experience, Governance, Risk, and Compliance work has the tendency to have a very broad scope, so one of the biggest challenges is limiting the scope of work and refining your goals as a GRC member (or team) to enable greater bandwidth, which in turn will ensure that your initiatives can be completed at the appropriate level of depth.
The second challenge I've faced during my time in GRC is developing new processes to replace old, obsolete processes, and implementing them in a manner that causes minimal friction to other business stakeholders, yet supports your GRC strategy. I believe that it's critical to learn the art of when to recommend a change vs. when to require a change. Once you can effectively deliver that messaging to people, they will help support your GRC vision – but it ultimately starts with tactical communication.
Q: In your experience, what skills are most critical for success in GRC, and how can professionals in the field develop them?
A: In my opinion, developing soft skills like strong communication, analytical thinking, being able to articulate and explain technical concepts to a broad audience, and possessing a high degree of proactiveness and problem-solving are at the forefront. Also, gaining a foundational knowledge of the regulations your organization adheres to allows you to more readily identify gaps, risks, and pitfalls that might otherwise be easy to overlook.
My recommendation for any professionals seeking to improve their soft skills is to practice them. Unfortunately, I don't believe there are any shortcuts to improve in these areas – you'll have to put in the work. For example, if you're not sure if the instructions in the email you drafted make sense, share a draft with a trusted colleague at work to get their input. If you know your company is going to be pursuing a certification or embarking on a large project, get ahead of it and learn as much as you can.
Q: What are some common misconceptions about GRC that you've encountered, and how do you address them in your work?
A: In my experience, the most common misconception is that GRC is a blocker and an unnecessary compliance bureaucracy, and that each department can effectively manage its own activities. Unfortunately, various teams and departments (even those within the same organization) operate in completely different ways. This is where the GRC function serves one of its greatest values, as our purpose is to assist the organization to agree on a standard, so that all teams and departments operate within a ruleset that is as uniform as possible. I address this misconception in my approach: I'm your partner and ally in improving our business – let's make it better together, whether that's through a new procedural rollout, a non-standard software review, or surfacing risks identified during a vendor risk assessment.
Q: What advice would you give to someone who is just starting their career in GRC?
A: My best recommendation (especially as you kickstart your GRC career) is to volunteer some of your time to respond to prospective-client and client security questionnaires, as doing so exposes you to the most common questions that they have about your company and/or product and will give you a sort of crash course into your security practices. As you work through the questions, you may find areas of your security program that you can improve, whether that be through improvements to policies, customer-facing documentation (like security and compliance program white papers), or even technical controls.
After spending your first year immersing yourself in as much GRC work as you can, I would start to identify what specialization(s) you have a passion for – whether that's auditing and certifications, data governance, third-party risk management, etc. Once you've identified what you're passionate about, you can make a better determination on the certification(s) you wish to pursue to better distinguish yourself in an increasingly competitive job market.
Q: How do you approach collaboration between different departments, such as IT, legal, and compliance, to ensure a comprehensive GRC strategy?
A: To ensure the greatest output of our GRC strategy as possible, I view our collaborative efforts between departments like an alliance. Much like the Avengers (for Marvel fans out there) or Justice League (DC fans, you matter too), each department is critical to the GRC strategy reaching its full potential. To discuss and roll out GRC-related initiatives, we meet regularly and come together on various tasks and projects throughout the year. As a company, we've fostered an open-door environment where questions are celebrated, iterations and improvements are championed, and collaborative work between departments is the expectation.
Q: What trends do you see shaping the future of GRC, and how can organizations prepare to adapt to these changes?
A: While not a unique take, I can't help but call attention to the clear trend emerging across the tech space. I foresee AI taking a front seat to a lot of the "entry-level" GRC tasks, such as security questionnaire responses, vendor risk assessments, compliance automation, etc. Of course, some tech industries will be more adaptable to this change than others, so I'm personally interested to see how rapid the adoption of AI is within the next 3-5 years. In the short term, it's probably best for organizations to consider a standalone AI security policy (or minimally a set of AI guidelines) to establish best practices for the responsible use of AI systems and which systems are permitted/not permitted.
Q: Looking back on your career, is there anything you would have done differently? What would you consider your biggest professional lesson?
A: Yes. Hindsight being 20/20, I think I would have benefited by joining the team as a true Information Security Analyst, having the opportunity to receive more hands-on experience with some of the technical tasks my security engineering colleagues perform. Thus far in my career in information security, I have been laser-focused on GRC-specific work. While it's been a great experience, I feel I'm missing a hands-on perspective on their day-to-day work that would have benefited me numerous times.
Anthony is a member of the SecurityPal Council, our community of security and GRC experts who are collaborating to pioneer a new approach to conducting business in an increasingly Security- and GRC-conscious world.