The Difficulties of People Taking Ownership

July 3, 2024

Facebook
X (Twitter)
Pinterest
fb-share-icon

So, you've got an amazing team of tech savvy folks who love the tech side of things.  

 

They excel in implementing the latest tools and systems, but when it comes to the less glamorous side - like making sure tasks are completed and nobody drops the ball - things start to get a bit messy.

 

How many times have you tried to engage the right people to find out where ownership lies and received no response? And when they finally do respond to you, the answer is "it's not mine" Ever felt like you're playing a game of hot potato? Yeah, we see that too.

 

In conversations with clients, we often come across a common issue: people are eager to use cool new tools, they are far less eager to assume ownership of the "boring stuff".

 

To truly be successful with your GRC (Governance Risk and Compliance) program, people need to clearly understand what they are responsible for, and then be held accountable.

 

To address this gap, we advocate for 3 fundamental steps:

 

#1 Make your best guess to find the right owner 

 

Think of it like this, if more than one person is responsible, that means no one is. You've got to pin down who's responsible for what, even if it means making your best educated guess just to get started. It's better to have assigned ownership to each task even if the assignment isn’t perfect. Trust that giving someone ownership sparks accountability to get things done as long as the next step is being done.

 

#2 Keep everyone routinely accountable

 

Consistency is key here. Set up systems to keep everyone on track and engaged, from regular check-ins to automated reminders and metrics. Let's face it, we're all busy and things can easily slip through the cracks if we aren't careful. By keeping everyone on their toes we ensure that competing priorities don't result in things being forgotten. If we don’t hold people accountable, they likely aren’t going to do it until they absolutely have to.

 

#3 Share the why

 

Ever been given a task without knowing why it matters? That's like trying to solve a puzzle without seeing the picture on the box. When everyone understands the bigger picture and why assigned tasks are important, they're more likely to step up to take ownership and follow through with your goal of a mature GRC program.

 

At the end of the day, when things hit the fan (and they will), you need to know who to engage.

 

This is why, in CPR training, best practices state to delegate specific actions to specific people. The training suggests pointing and making eye contact with one person to dial 911, one person to run to get a helpful supply, one person to get another supply, and so forth. Though bystanders would usually help in an instant, they assume someone else is going to do it so they end up doing nothing instead. By the leader taking charge and delegating effectively, emergency personnel can respond faster, and the injured parties can get the help they need.

 

When it comes to applying these principles to your program, clarity saves time, reduces stress, and ensures that things get done when they need to. This gets you closer to meeting the overall objective of a mature Cyber GRC program.

 

Invest the time upfront to save time later and get the right result/outcome.

 

At Hotman Group, we’re all about simplifying the complex. By engaging people to take ownership, you steer clear of chaos and instead create clear accountability to run your program like a well-oiled machine.

You May Like These Posts

Where Compliance Meets Security: Doing Both the Right Way

Compliance and cybersecurity are often seen as separate priorities—but the truth is, good compliance reduces risk when done right. So how do you effectively integrate both for a stronger security posture? In this session, we’ll break down the intersection of compliance and cybersecurity, share best practices, and walk through real-world examples of organizations that have […]
Read more

Vulnerability Scans: Only Part of the Equation

There are two primary ways we see companies manage vulnerabilities… one of them significantly riskier than the other.   Reactive strategies rely on a problem to arise before taking action. This makes reactive the riskier option of the two, hopefully for obvious reasons. Using a reactive strategy is like waiting for an electric bill to […]
Read more

Supply Chain Security: Managing Risk Beyond Your Vendors

When it comes to third-party supply chain security, there’s a big difference between doing it and doing it right. Every vendor you work with brings their own vendors into the mix—so who truly owns the risk? In this session, we’ll explore how to identify, assess, and mitigate supply chain risks at every level without overburdening […]
Read more

The ROI of GRC: Turning Compliance Into Competitive Advantage

Too often, compliance is seen as an expense instead of an investment. But when done right, Governance, Risk, and Compliance can become a competitive advantage that drives trust, growth, and resilience. In this session, we’ll share how forward-thinking organizations are proving the ROI of GRC—quantifying risk reduction, accelerating sales, and strengthening customer confidence. Join us […]
Read more

Security Awareness Training – Verizon 2025 Data Breach Investigations Report

In this 15-minute training, the HG team breaks down the most critical findings from Verizon’s 2025 Data Breach Investigations Report (DBIR)—and what they mean for real-world security programs. We cover the sharp rise in third-party breaches, the growing threat of GenAI misuse, and the continued dominance of ransomware and credential-based attacks. You’ll walk away with […]
Read more

The Audit Trap: Why Passing isn’t Protection

Think passing an audit means your cybersecurity program is solid? Think again. Many organizations unknowingly expose themselves to greater risk by relying on compliance checkmarks rather than a true security strategy. In this session, we’ll uncover the hidden dangers of audit-driven security, why "passing" may leave you more vulnerable, and the real steps leaders must […]
Read more

Bridging the Gap: Why Cybersecurity Tools Alone Aren’t Enough

Investing in the latest cybersecurity tools doesn’t automatically mean you’re secure. Many leaders feel the initial promise of a new solution—only to realize it’s not delivering the protection they expected. So, what’s missing? In this session, we’ll break down where the responsibility of the tool ends and where your team’s role begins. We’ll uncover why […]
Read more

What Operationalized GRC Actually Looks Like: From Silos to Systems

Many organizations believe their GRC program is operational because audits are passing and tools are in place. In reality, operationalized GRC behaves very differently. Risk has clear ownership. Information flows across teams. Gaps surface early instead of being hidden. In this session, Cheri Hotman and Peter Spier walk through what an operationalized GRC program actually […]
Read more

Securing AI: Balancing Innovation, Risk, and Reality

AI adoption is exploding—but so are the risks. From data exposure and prompt injection to unregulated model training, most organizations are using AI without fully grasping where their data lives or how it’s being secured. In this session, we’ll unpack the real meaning of “securing AI,” exploring how risk, governance, and innovation must coexist. You’ll […]
Read more

Post A Comment

Leave a Reply

Your email address will not be published.

Endless audits and customer demands were never supposed to replace real security.
We build, implement, and run Cyber GRC programs that reduce risk, protect the business, and still pass audits.

Hotman Group is a certified

woman-owned business (WOSB)

Hotman Group, LLC

Fort Worth, TX

Privacy Policy | Terms of Service | All Rights Reserved © Hotman Group, LLC