Are You a GRC Saboteur?

by Steve Schlarman – June 30, 2010

We all have our own little secret hobbies that we use to escape from the craziness of our everyday life. Spend any time with someone, and most likely you will learn about their pets, their thimble collection, their penchant for photographing railroads or their clandestine weekend job as a rodeo clown. Frankly, I haven’t met any rodeo clowns yet, but I am still holding on to some hope that somewhere, I will meet someone whose passion outside of work is to jump in a barrel a split second before a furious bull comes charging near.

Now, I have a few covert interests as well—I play bass guitar (check out iTunes, and I have one song as part of a compilation CD), I enjoy video games (who doesn’t enjoy blasting away at bad guys to burn stress off) and I enjoy working out (I will hit the big FOUR-O this year and have to do something to stay young). However, one of my favorite underground loves is military history, specifically World War II. A visit to my home office would reveal collages of D-Day maps and pictures on the wall, some metal soldiers in a display case and a bookcase full of tomes written on the conflict. I know: geek city…

So when I saw a “World War II Sabotage Field Manual” post on Bruce Schneier’s blog, I literally fell out of my seat—which in our row is not an out-of-the-ordinary event. In fact, Jason Rohlf (my product management compadre and “cubemate”) didn’t even blink. But he did ask me what I had found. I proudly displayed my monitor and showed him the declassified Operations of Strategic Services’ Simple Sabotage Field Manual. For those of you who aren’t familiar with the history, the OSS was the intelligence agency within the United States established during World War II that led many of the covert operations. The organization was the precursor to the Central Intelligence Agency and was based on Britain’s Special Operations Executive. The tattered document on my screen—now 56 years old—was published to help locals behind enemy lines disrupt operations and cause damage in many simple ways.

Part 5 “Specific Suggestions for Simple Sabotage,” section (11) outlines some rather amusing suggestions to cause general interference with organizations and production facilities:

• “Insist on doing everything through ‘channels.’ Never permit short-cuts to be taken in order to expedite decisions.”
• “Bring up irrelevant issues as frequently as possible.”
• “Haggle over precise wordings of communications, minutes, resolutions.”
• “Be worried about the propriety of any decision.”

The document goes on and on with numerous suggestions on how to essentially cause general mayhem in any organizational situation. While it is laughable now, I have no doubt that these are very effective strategies given that we see many of these things every day in our corporate world.

This brings me to my point—and how this relates to our beloved GRC world. Many times, as risk and compliance professionals, we pride ourselves on the intricacies and technical details of our world. I mean, who doesn’t love throwing the difference between a threat and a vulnerability into the discussion? However, we always must be grounded in the fact that most of the people we interface with—and those who are truly the ones we must impact the most—are business people who couldn’t care less about the difference between a buffer overflow and an overflowing buffoon. They want to conduct business and keep our companies moving forward. Our job is to help them do that while maintaining some level of control.

Therefore, think about how you explain risk and compliance needs within your organization. Use straightforward, relevant examples and make the needs real for your business counterparts. Establish some common understanding of risk language within your organization. Speak in terms that mean something to the business and don’t get wrapped up in the technical nuances of governance, risk and compliance. While the cloak-and-dagger world of spies may seem glamorous, the last thing you want to have happen at a meeting is to be introduced as the “saboteur” sent from the risk group.

Published Jun 30 2010, 10:34 AM by Sarah Nord (Historical)


About Sarah Nord (Historical)

As Archer Marketing Communications Manager for RSA, The Security Division of EMC, Sarah Nord oversees the planning, development, delivery and analysis of strategic marketing programs. She also serves as senior writer and editor for RSA Archer marketing content, including web copy, press releases, data sheets, case studies and blog posts. Sarah holds a BA in Professional Writing and an MA in Writing from Missouri State University. She is also RSA Archer Certified.