Gratitude for 2024 and the 3-Year GRC Journey

Gratitude is one of the best methods to fight off depression and anxiety by recognizing and bringing more joy to our lives. And with the end of another year, it is a great opportunity to celebrate our successes and review opportunities for improvements in 2025.

2024 was also the end of another of my professional journeys, as it marked the end of my time with the Noname Security startup after our acquisition by Akamai Technologies. The time with Noname was another demonstration that with the right people, anything is possible!

Our Governance, Risk, and Compliance (GRC) team was tiny, just the three of us, Anjali Hansen, Adeel Bakht, and myself, but we were able to build a Fortune 500-level GRC program in just 2.5 years. Our GRC program included cybersecurity, privacy, regulatory, and sanctions compliance and was embedded in the Go-To-Market to facilitate faster sales operations. Here are some of the things we accomplished at Noname:

  1. Developed an effective Information Security Management System (ISMS) by developing short and practical policies, procedures, and standards to help Noname staff understand what was required in as clear and short a manner as possible, and supported it with customized training that focused on our top risks and most relevant pieces of our corporate policies.
  2. Implemented a scalable privacy program by identifying the most comprehensive approaches to meeting global privacy regulations and developing privacy controls into our products and operations with the least amount of interference for the business.
  3. Added and expanded our external cybersecurity audit program with annual compliance with SOC 2 Type 2, Cloud Security Alliance STAR 2, PCI DSS, and HIPAA standards. We have streamlined the audits to overlap as much as possible and used automated GRC tools and internal auditing to prepare evidence ahead of time, but still within the external audit window to maximize evidence overlap. We have been able to cover over 90% of the controls completely within our GRC team to reduce time spent by other colleagues. We have identified a great audit firm to work with to demonstrate our cybersecurity practices to major customers and have been able to pass all four of those audits without a single finding every year.
  4. We put together a program for automated sanctions and other compliance screenings with automated alerts for the most risky countries, companies, and actions to reduce time to review and approve possible sanction violations, but ensure we were fully compliant with the most important import/export and other US government and international controls.
  5. We set up a simple risk management program to meet with key stakeholders and track and remediate risks in accordance with our corporate risk tolerance threshold.
  6. We deployed a quick and effective third-party risk management program where we could embed it into the procurement process flow and identify and manage key security, privacy, legal, and IT risks and requirements, while protecting the company through contractual provisions and scalable levels of due diligence on prospective and existing vendors.
  7. We have been able to review hundreds of customer contracts and negotiate with customers out of the most aggressive and unnecessary language that carried the most risk to the company, while also continuing to review and respond to customer due diligence questionnaires, and pass customer audits without any findings. All that and our usual turnaround time for customer contract reviews was less than 24 hours, even if those contracts were over a hundred pages long.
  8. Passed Mergers and Acquisitions (M&A) due diligence by a public company and shared recommended best practices, on top of meeting all of the required key deals and deadlines for end of quarter deliverables.

This could not have happened if Adeel Bakht and Anjali Hansen were not only the best professionals I have ever worked with, but also the most amazing human beings that made everyone around them better with their dedication and kindness and constant willingness to help and learn. And of course, GRC is not an isolated function, and our ability to deliver any of the above accomplishments was only possible because we had the best colleagues with our first leader and CISO, Karl Mattson, hiring the best security and IT staff, and giving us the freedom and support to build the GRC program that we felt would serve the most value; our second CISO, Mike Morrato (and his amazing team such as William Wingert, Anthony Onorati, Jesse Rodriguez) deploying an incredible security program and sharing key insights and support; Michael Baker for embedding us into the GTM team and having such a great Sales team that helped shape our risk approach based on business needs; Wallace Sann and Kedar Chaware for running the best Solution Architects and Customer Success teams who gave us constant support and guidance about the latest product capabilities and how to support our customers while reducing risks for them and for us; Aner Morag and Arie Sholomon for helping us work closely with the Product team and the incredible support from the DevOps and R&D teams to build and demonstrate appropriate controls that protected the company and made all the audits such a breeze.

It truly takes a village to raise a great GRC child, and I wish I could thank all of the 200+ other Nonamers who have contributed to the success of our GRC program. Here is to a happy 2025, everyone, and to continuing to build effective GRC functions and protecting the Internet and our way of life.

P.S. And remember, just like Snoopy, with the right people, you can be and can do anything!

Michael Baker

Chief Revenue Officer @ AIM Security

1 month

What an extraordinary team you created Val and most importantly the results that Val, Anjali and Adeel produced @ Noname were off the hook. Words do not describe how much I respect, admire and love the 3 of you!! The ability of the 3 of you to take care of our customers, our partners and Noname with efficiency/speed and expertise is absolutely unprecedented... thank you so much... and I highly recommend this team.

An incredible team above!! Much love to you Val Dobrushkin and team

Troy L.

Security Technology Group | A/NZ

2 months

What a journey, with so much accomplished. Loved working with you Val Dobrushkin - super star. Wherever you end up next, they are super lucky!

Chen Sasi

Director of Customer Success at Sweet Security

2 months

Superb team - I’ve loved every single interaction we’ve had, and that says a lot when it’s about compliance, legal and risk matters! And Val and Anjali Hansen, one of my favorite duos at Noname - I hope we’ll get the chance to team up again in the future to push back on outrageous demands!
