About Laura Sawka
Laura Sawka is the Founder and GRC Executive of Sawka Advisory Group and former SVP of Security GRC at Salesforce. With deep expertise in governance, risk, and compliance, she helps organizations turn GRC into a strategic driver of growth. She previously spent 13 years at Salesforce and started her career at KPMG. Laura is also a mentor, nonprofit board member, and advocate for women’s leadership.
The address explores how to transform compliance from a reactive, burdensome obligation into a strategic enabler for business success. The primary topic centers on the idea that human risk is not just a training problem but a “governance leadership priority” that shapes the very culture of an organization. By moving away from completion rates and toward outcome-based measurement, leaders can ensure their security programs are truly effective.
This involves creating a “closed loop cycle” where training behavior is continuously monitored and used to refine future content. Ultimately, the goal is to build a “risk-aware culture” where employees think logically about security rather than reacting emotionally to threats.
Key Quotes:
- “Thinking about controls as being embedded into the business processes is something I’m very passionate about”.
- “It starts from the tone at the top in terms of how the training is being communicated”.
Content: Embedding Controls into the Workflow
Laura emphasizes that the “tone at the top” is essential for the credibility of any security program; how leadership phrases the importance of training directly impacts its meaningfulness for employees. She advocates for personalized content that reflects the specific job function and level of risk a person carries within the organization.
A successful program measures “memorable” outcomes, such as whether an employee took the correct action—like reporting a phishing email—rather than just whether they failed a simulation. Beyond training, she is a strong advocate for embedding controls and guardrails directly into business processes early on.
This approach utilizes technology to detect issues proactively, leaving less to chance and ensuring more consistent security outcomes. By integrating people, process, and technology holistically, organizations can create an environment where security is a seamless part of daily workflows rather than a separate, intrusive task.
