
Grace Llojaj: Highlighting the Increasing Necessity for Cybersecurity Strategies in Modern Enterprises

Understanding the unique challenges and solutions in securing sensitive data across critical sectors!

As the digital environment changes rapidly, the largely unseen guardians of our cyberspaces work constantly to keep us safe from ever-increasing threats. These professionals apply their knowledge to create secure conditions, so that companies can prosper without having to worry constantly about cyberattacks.

Their impact is felt in every industry where security and trust are critical, including healthcare and banking. By creating strong frameworks and encouraging partnerships, they enable enterprises to grow securely while also protecting against breaches.

Grace Llojaj is a leading cybersecurity expert who is revolutionizing risk management and compliance within companies. She has nearly a decade of expertise and has been instrumental in building governance frameworks from scratch for businesses in a variety of industries.

She enthusiastically volunteered for difficult projects as a project manager, which led to her engagement in creating third-party risk management and compliance procedures. Grace works as a Consultant for Security, Risk, & Compliance at SEI, where she helps Fortune 500 firms and startups alike navigate the difficult world of cybersecurity.

Her approach emphasizes building strong relationships with organizational leaders to align cybersecurity initiatives with business objectives. Through her work, Grace not only mitigates risks but also cultivates a culture of security awareness that empowers teams to navigate the digital landscape confidently.

Below are the interview highlights:

Can you please introduce yourself and your motivation to embark on this sector?

I got my start in cybersecurity when I was a Project Manager by simply raising my hand for any project that came across my desk that sounded interesting or challenging. This is how the standing up of a third-party risk management program and a governance, risk, & compliance program was assigned to me nearly ten years ago.

At the time, my company didn’t have a GRC or TPRM program, so I was responsible for creating these from scratch. Since then, I have focused primarily on cybersecurity, risk management, and compliance consulting, working with startups to Fortune 500 organizations across financial services, healthcare, aerospace/defense, and other highly regulated industries.

Could you please give a brief introduction to your company and its inception story?

SEI was founded in Cincinnati, OH, in 1992 by Dan Pierce. After years in consulting, he decided that he wanted to build a firm that provided broad-based ownership to the consultants in a meaningful way. Today, over 65% of consultants at SEI own stock in the company. This is just one factor that has made SEI the #1 Best Firm to Work For by Consulting Magazine for the past 2 years.

How do you approach building relationships and trust with organizational leaders to drive cybersecurity initiatives?

When I am starting an engagement, I always try to meet one-on-one with the stakeholders and leadership so I can take some time to get to know them on a personal level and understand what motivates them, their personal goals, and what is keeping them up at night.

Spending time investing in these relationships early on pays dividends when it comes to getting buy-in, understanding their pain points, and collaborating to drive results.

Can you share an example of a successful cybersecurity project you led, and what key factors contributed to its success?

One very successful cybersecurity project that I led was a risk assessment and mitigation plan for a large corporation. The deliverables included developing a risk quantification framework, assessing organizational risks against that framework, and creating a prioritization and action plan to mitigate the identified risks.

The key success factors for this particular project were the ability to understand the organizational risk tolerance to develop the risk framework and to engage with cross-functional stakeholders to understand what risks were present in their functions that might be relevant from a cybersecurity, data security, and data privacy perspective.

How do you assess an organization’s cybersecurity maturity, and what frameworks or methodologies do you find most effective?

When assessing an organization’s cybersecurity maturity, I try to collect quantitative data through current state security policies and controls and qualitative data through stakeholder interviews.

This allows me to benchmark the current state and conduct a gap analysis against best practices to develop a roadmap for recommended enhancements. The frameworks that I most commonly use are NIST Cybersecurity Framework, NIST Risk Management Framework, NIST AI Risk Management Framework, ISO 30001, ISO 27001, and COBIT 5.

When developing a cybersecurity capacity-building plan, what are the critical elements you consider to ensure it aligns with the organization’s goals and culture?

The first thing I try to understand when developing a cybersecurity capacity-building plan is the organizational mission, vision, and strategic plan. From there, you can drill down into the objectives of a cybersecurity capacity-building plan to understand what success will look like in the eyes of your stakeholders.

This will help you determine if you should be more focused on data security, compliance, scaling for growth, adding tools to the tech stack to address gaps, etc. A focused approach is critical to building a plan that aligns to the client’s culture and goals.

How do you balance the need for proactive, offensive security measures with the organization’s risk appetite and compliance requirements?

An organization’s risk tolerance will tell you a lot about how they approach security. Offensive security is just one tool in your toolkit to protect the organization as a whole. Activities such as vulnerability scans, penetration testing, and red team exercises might be a matter of ensuring compliance as well, depending upon the organization’s standards and regulatory requirements. These items should be undertaken on a regular basis to help the organization assess their cybersecurity posture and prioritize improvements.

In the event of a security incident, what is your approach to leading the incident response effort and ensuring effective communication with stakeholders?

Ideally, you will have practiced for the eventuality of a cybersecurity incident prior to it actually happening through tabletop exercises and incident response plan walkthroughs. When an incident does occur, the first thing I turn to is the plan; if it is built out properly, incident response should feel more like running a well-practiced play from the playbook rather than a chaotic emergency situation.

Starting with empathy that we are all on the same team to get the issue resolved and reminding the players of their role in that is critical in aligning the team quickly. Constant communication with stakeholders is also critical to ensuring that everyone feels as though they are in the loop and understand what they need to do to help the team move through the situation.

How do you stay current with the latest cybersecurity trends, threats, and best practices, and how do you incorporate this knowledge into your work?

If you are not constantly learning in cybersecurity, you are going to be behind. Subscribe to industry newsletters and alerts, attend webinars to learn about the latest technologies and tools, and make time to go to networking events and conferences so you can speak with other people in the field.

A few resources that I recommend subscribing to are the CISA alerts, ISACA, IAPP, ISC2, and WiCyS, and many of these organizations may have a local chapter that hosts in-person events so you can network with fellow cybersecurity practitioners in your region.

What role do you believe data privacy and governance play in an organization’s overall cybersecurity strategy, and how do you ensure these elements are addressed?

In today’s cybersecurity realm, which is more about data security than it has historically been, data privacy and governance are critical elements to your overall cybersecurity strategy. The best way to ensure that these elements are included is to get all of the stakeholders in the room together to collaborate, share synergies, and understand one another’s priorities.

The cybersecurity function should be working with data privacy to understand how data needs to be stored, shared, and tracked to ensure compliance with the ever-evolving data privacy regulations. Likewise, they should also cooperate with governance, as it is critical to ensure that cybersecurity policies and procedures are compliant with organizational governance standards and regulatory requirements.

Can you describe a challenging situation where you had to navigate complex political or organizational dynamics to achieve a cybersecurity objective, and how you overcame those challenges?

One of the biggest challenges that frequently arises within organizations that impacts cybersecurity outcomes is not having clear risk tolerance definitions. It is often critical to determine risk standards internally to be able to assess cybersecurity metrics and prioritize their remediation. It is often the case that different stakeholders have different risk tolerances that converge around cybersecurity issues, and it is critical to discern how to align those into a single organizational framework.

A recent example of this is an AI governance project that I led. In this instance, the business functions were eager to adopt AI technologies and had a mindset that we could layer on security controls after the fact because they didn’t want to stifle innovation.

The privacy, compliance, and legal teams, on the other hand, were very concerned about putting guardrails in place before deployment, which the business functions saw as not being an enabler of business outcomes. We were able to implement a rapid review cycle for approved AI technologies and models as we added new use cases, to enable the business to move quickly while operating safely and responsibly.