This Is GRC helps the next generation of GRC professionals who want to lead with technical relevance.
For too long, GRC has been reduced to memorizing frameworks and chasing certifications. That era is over. Today’s GRC demands more: a mindset rooted in systems thinking, technical fluency, exceptional human skills and the confidence to challenge outdated norms.
Founded by Pierre-Paul Ferland, a cybersecurity GRC manager and educator, This Is GRC delivers unfiltered insight at the intersection of security, compliance, and leadership. It exists to serve two groups:
- GRC professionals already in the field who want to build lasting influence.
- Those breaking into GRC who want to understand what it actually takes to get hired and thrive beyond certifications and fluff.
Whether it’s bridging the gap between compliance and engineering, dealing with real-world risk decisions, or preparing for the impact of AI and automation, This Is GRC explores the messy, high-stakes work that actually defines success in this space.
What We Believe
GRC should drive business forward, not create unnecessary bureaucracy. Solutions must provide actual security value instead of checking compliance boxes for the sake of it.
Technical fluency isn't optional anymore. The best GRC pros can translate complex technology for business leaders and, just as importantly, explain business needs clearly to technical teams.
Communication and human skills are foundational. Technical expertise means nothing if you can't build trust, navigate organizational politics, or speak your collaborators' language.
Compliance is never the end goal; it's a byproduct. The real prize is meaningful security and business value, not just playing audit theater.
This Is GRC exists to elevate those eager to learn and grow in this fascinating field. We've seen brilliant people get funneled into GRC for the wrong reasons, sold the false narrative that if you're not a coder or malware analyst, governance is your consolation prize. That mindset insults everyone involved.
We've witnessed teams stuck in outdated practices because "that's how it's always been done," approaching every challenge like it's still 2005. We've watched security professionals develop a superiority complex, expecting others to bend to their processes and timelines simply because "security matters." We've seen talented pros get burned out because they couldn't get their message across to engineers. This ends now.
When someone approaches GRC with genuine curiosity about how businesses really work, when they understand both the technical landscape and human dynamics, everything changes.
Those are the professionals who don't just survive in this field; they transform it. That's the kind of GRC leader This Is GRC helps you become.
Meet the content creator
Pierre-Paul Ferland: GRC Lead. Dad x4

I'm Pierre-Paul Ferland (call me "PP," pronounced pay-pay), and I created This Is GRC because our field has a terrible brand problem.
I work in Quebec City, Canada, specializing in cybersecurity GRC for cloud and AI environments. I help organizations turn GRC from compliance theater into something that actually drives security and business value. I'm also dad x4, teach cybersecurity at the college level, and have strong opinions about how we're currently failing the next generation of GRC professionals.
Before I fell into security, I earned a Ph.D. in literature with dreams of becoming a writer. Plot twist: I'm still writing, just about risk scenarios instead of short stories.
The Problem I'm Solving
Every day, I watch brilliant people get terrible career advice. "Stack certifications." "Memorize frameworks." "GRC is perfect if you don't like coding." It's all wrong, and it's creating a generation of professionals who can recite NIST but can't explain to a product manager why their feature request is a security nightmare.
I've seen too many smart people trapped in checkbox culture, wondering why executives ignore their perfectly formatted risk registers. I've watched technical teams dismiss GRC pros as "those people who slow everything down" because nobody taught them how to actually communicate value.
This field deserves better. The people entering it deserve better.
What I Actually Believe
Real GRC work happens in the messy middle ground between business needs and technical reality where we act as connective tissue. The future belongs to GRC professionals who can walk into any room and communicate the right information to the right audience with the right medium. I call this relevance.
I write mostly in English, but as a native French speaker, n'hésitez pas à m'écrire en français aussi.
Ethics & Contact
I keep things educational, honest, and respectful of confidentiality. I don't write about my employers, past or present. My views are my own... except for dad jokes, those are public domain.
📬 info@ppfosec.com