When I Stopped Needing to Be Right

GRC isn’t just about frameworks and risk matrices: it’s fundamentally about people. And people are anything but simple.

When I first got into GRC, I thought my job was to be the expert. You know, the one with the right answers. The one who had the policy ready. The one who flagged the risk before it exploded.

I equated being right with being effective. I believed that if I could clearly outline the risk, supported by the right policy, compliance would naturally follow. I thought my role was to win arguments. But the truth is, winning doesn’t build trust. And trust is where real, sustainable change is born.

This is why success in security is a question of human skills. Not the vague “soft skills” mentioned at conferences, but the deeply personal work: managing your emotions, your ego, and your expectations; negotiating effectively; and leading the way with practical solutions, not buzzwords, spreadsheets, or heat maps.


You Will Not Always Be Heard

I once believed that passion was synonymous with raising my voice, standing my ground, and making the risk impossible to ignore.

Here's what's actually impossible to ignore: speed, urgency, and hype. If you’re emotionally attached to your recommendations being executed exactly as you’ve outlined, you’re setting yourself up for burnout.

I’ve witnessed the destructive power of anger within a team. One angry GRC professional can drain a room of any willingness to collaborate. People avoid you. They stop sharing ideas early in the process. They stop reaching out for help.

A long time ago, I saw a colleague throw fits of rage over their considerations being brushed off by engineers. But here's the kicker: a few years later, all of the compliance considerations were handled. Sometimes, all you need is patience. The irony? When you let go of anger, people start listening.

You need to learn to play the long game. Sometimes that means staying silent, even when you’re right. Waiting for the right moment to reintroduce a risk. Returning not with “I told you so,” but with well-considered solutions.

It’s humbling, even frustrating at times. You might not look like the hero in the moment, but it’s how you build credibility that lasts.

I’ve sent snarky emails. I’ve escalated. I’ve dropped the “compliance requires this” hammer more times than I care to admit. It never worked long term.

Here’s the thing no one tells you about GRC: If your ego is wrapped up in being right, this job will break you.

We’re not here to win. We’re here to build.


The True Battle Lies Within

The most difficult lesson I’ve learned in GRC is that emotional detachment isn’t a sign of coldness; it’s a necessary survival mechanism. It’s the ability to show up, day after day, even when you feel overlooked or dismissed. Not to preach or reprimand, but to genuinely help.

In security, there’s no endpoint. No final victory. So stop treating every discussion like it’s a battle to win. Let the waves of disagreement wash over you. Be the calm in a storm of shifting priorities and competing demands.


Relationships Outlast Processes

Some of my most significant wins in GRC didn’t come from meticulously crafted risk registers or perfectly executed policy updates. They came from informal hallway conversations, a quick DM, or those spontaneous “Hey, security person” exchanges where trust is forged in the smallest of moments.

These moments won’t show up on your OKRs, but they are often the reason you’re invited into the room before a contract is signed, not after.

You don’t earn these moments by being efficient. You earn them by being human.


This Is the Work

Being relevant in GRC goes far beyond frameworks or tools. It’s about emotional intelligence. It’s about knowing when to push and when to pause. When to explain and when to simply be present.

Security is about trust. And trust isn’t built through policies or risk matrices. It’s built through people.

If you’re in GRC and this resonates with you, know that you’re not alone. This is the true work, the invisible, human-centered part that separates checkbox fillers from trusted advisors.

Let’s work together to build security cultures that people genuinely want to be part of.

Let’s do the human work.


This post is adapted from a collection of my most personal reflections on emotional intelligence in GRC. If this resonates with you, I encourage you to share your own journey or challenges in the comments.

Because someone in GRC needs to hear it from you.