LogicGate Resource Center | LogicGate Risk Cloud

15 Quarters at the Top: Risk Cloud Named a Leader on G2 for Spring 2023

Check Out the Spring 2023 Report

KRIs for ERM: Developing Metrics for Managing Enterprise Risk

Anticipate risk events, make better risk decisions faster, and provide context for your decisions to key stakeholders with effective key risk indicators.

Reports

15 Quarters at the Top: Risk Cloud Named a Leader on G2 for Spring 2023

Check Out the Spring 2023 Report

Webinars

Managing Risk in Turbulent Times: Fireside Chat with SAP

Hear from LogicGate’s President of Product and Technology, Jay Jamison, and two risk leaders from SAP as they…

Webinars

Shattering the Silicon Ceiling: Celebrating Women in Cyber Risk

Join us as we celebrate Women’s History Month with five women working at the pinnacle of the risk…

eBooks

KRIs for ERM: Developing Metrics for Managing Enterprise Risk

Anticipate risk events, make better risk decisions faster, and provide context for your decisions to key stakeholders with…

Webinars

Fireside Chat: Risk Surface Management Strategies for 2023

Join us to hear about important shifts in risk surface management and navigating vulnerabilities in the year ahead.

Brochures

Risk Cloud® Platform Overview

Risk Cloud is a no-code governance, risk, and compliance platform that scales and adapts to your changing business…

Webinars

The Root of the Compliance vs Security Paradox

Join us for a friendly debate on why compliance is so misunderstood and the critical role it plays…

Webinars

Straight From a CISO: 4 Cyber Risk Priorities in 2023

Learn how to manage cyber risk during times of economic uncertainty.

Case Studies

Horizon Media: Spinning Up a Cyber Risk Program from Square One

As a company grows, so does its responsibility for keeping its customers’ data and assets safe and secure.…

Reports

14 Quarters at the Top: Risk Cloud Named a Leader on G2 for Winter 2023

Check Out the Winter 2023 Report

Infographics

Connect, Optimize, and Scale Your Cyber Risk Management Program

Build a Centralized View of Assets, Risks & Cyber Controls

Webinars

Streamlining GRC Controls to Optimize Cybersecurity

Find out how to take a proactive, connected approach to your cybersecurity risk management processes.

Webinars

Enriching Third-Party Risk Processes with Targeted Risk Intelligence

Find out how to incorporate targeted risk intelligence and enrich your Third-Party Risk Management program.

Videos

Control Your Cyber Risk Posture - Tips From LogicGate's Risk Wrangler

Close out Cybersecurity Awareness Month with actionable tips from LogicGate's Risk Wrangler, Chris "Cpat" Patteson. From prioritization to…

Reports

Take Control of Your Cyber Risk Posture

Celebrate Cybersecurity Awareness Month by better protecting your company and yourself online! Check out LogicGate's cybersecurity resource hub.

Brochures

Risk Cloud® Platform Accessibility

Building a culture of risk starts with platform accessibility.

eBooks

How Risk Cloud®️ Unites Privacy and Security Teams Using One Collaborative Platform

Security and privacy management is a team sport. Download our ebook to learn how the right strategy and…

Reports

Risk Cloud Named Leader on the G2 Grid for 13 Consecutive Quarters

The Fall 2022 G2 Grid Has Been Released

Brochures

Cyber Risk & Controls Compliance Solution

Prioritize cyber risk mitigation and response with Risk Cloud’s® Cyber Risk & Controls Compliance Solution.

Videos

How Risk Cloud's Intuitive Interface Simplifies The Change Management Experience

During a fireside chat, Edwin Ng, Associate Vice President of Cyber Security at Hyatt, talks about his team's…

Webinars

Panel Discussion: GRC Trends in Banking

Learn how to navigate the regulated landscape of banking through first-hand advice and stories from senior governance, risk,…

Case Studies

How Texas Mutual Improved Their Third-Party Risk Management Experience

In this excerpt from the GRC & Me podcast, Stephen Crouch, Senior Financial Risk Analyst at Texas Mutual…

Webinars

Preparing For The Unknown: How Hyatt’s Cybersecurity Team (successfully) Navigated COVID-19

Enjoy a casual discussion between LogicGate’s CEO, Matt Kunkel, and Hyatt’s Associate Vice President of Cybersecurity, Edwin Ng,…

Reports

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

Your board has questions. Now, you have the answers.

Case Studies

Equiniti's Journey to a Connected Risk Program

Learn more about their story and how they use Risk Cloud to grow and scale as changes arise,…

Webinars

[Webinar] Optimizing Controls to Mitigate Cybersecurity Risks

In this webinar with LogicGate and ITGRC you will learn how to optimize your cybersecurity program using personnel…

eBooks

Teaming Up to Solve Third-Party Risk: How to Plan When You Don’t Know What You Don’t Know

Vendor risks aren’t slowing down. You shouldn’t either. Learn how to manage your third parties better.

Reports

Risk Cloud Named Leader on the G2 Grid for 3 Consecutive Years

The G2 Grid for Summer 2022 has been released, and Risk Cloud has been named a leader once…

Case Studies

SOC 2 Compliance: Attaining Audit Maturity at Amount

Amount was preparing to spin-off from an industry-leading digital lending company. This transition brought up some challenges, but…

Reports

LogicGate Named a “Strong Performer” in the Forrester Wave™

LogicGate was named a “Strong Performer” in the Forrester Wave™: Third-Party Risk Management Platforms, Q2 2022.

Brochures

Risk Cloud Documents™

Automate your documentation and reporting processes.

Webinars

Risk & Reward: Women in GRC Roundtable

Listen to an intimate roundtable discussion with four trailblazing women in the GRC space. Celebrate the impacts and…

Reports

Risk Cloud Named a Leader on the G2 Grid for Spring 2022

LogicGate’s Risk Cloud platform has been named a leader on the G2 Grid Spring 2022 report.

eBooks

How to Make Your Work Life Exponentially Easier With a Holistic GRC Program

If you want your GRC engine to run smoothly, you need to look at systems holistically. Create a…

Case Studies

Internal Audit: Finding Efficiencies through Analytics

Learn how the internal audit team strengthened their data analytics capabilities and automated their internal audit process to…

Infographics

Fine-Tune Your Audit Process. Cancel Audit Stress.

With the Right Platform, You’ll Love Conducting Audits. (Or at Least Dread Them a Little Less.)

Infographics

2021: A (WILD) Year In Review

You liked it. Watched it. Or tried it out. Take a look at our year-end roundup!

Webinars

[Webinar] GRC 101: Aligning Compliance, Security, and Business Goals

In this webinar with LogicGate and ITGRC you will learn how to incorporate governance, risk, and compliance processes…

Reports

Risk Cloud Named a Leader for GRC Platforms on the G2 Grid for Winter 2022

LogicGate’s Risk Cloud platform has been named a leader on the G2 Grid Winter 2022 report.

Reports

LogicGate Recognized in the Gartner® Market Guide for the Second Consecutive Year

LogicGate is one of 13 vendors to to be named a Representative Vendor in the November 2021 Gartner®…

Webinars

Risk Quantification 101: Communicate Risk in Dollars and Cents

In this webinar, LogicGate and Protiviti will explore the fundamentals of risk quantification and highlight how the practice…

Brochures

Risk Cloud Quantify™

Translate risk into financial values.

Brochures

Risk Cloud Exchange™

All the Applications, integrations, and guidance you need to scale and mature your governance, risk, and compliance program.

eBooks

The Definitive Guide to Risk Quantification

Validate decisions, see into the future, and start presenting risk in a language your organization understands—money.

Webinars

[Webinar] Strategies to Turn Risk Into an Opportunity for Business Growth

On this panel discussion webinar we will address some of the key steps your organization can take to…

Reports

LogicGate Named “Strong Performer” in the Forrester Wave™

LogicGate has been recognized as a “strong performer” by Forrester Research in the Forrester Wave™ for Governance, Risk,…

Reports

Risk Cloud Named a Leader for GRC Platforms on the G2 Grid for Fall 2021

LogicGate’s Risk Cloud platform has been named the top GRC platform on the G2 Grid Fall 2021 report.

LogicGate

LogicGate® Receives Honorable Mention in 2021 Gartner® Magic Quadrant™ for IT Vendor Risk Management Tools

Get an unbiased overview of the IT Vendor Risk Management market in 2021 Gartner® Magic Quadrant™ for IT…

Videos

Automate Your GRC Document Generation with Risk Cloud Documents

Are you spending hours manually creating your audit reports, policy documents, or incident management memos? With Risk Cloud…

Infographics

Roadblocks on the Path to Operational Resilience

Use this guide to help you navigate your path to operational resilience.

Reports

Risk Cloud Named a Leader for GRC Platforms on the G2 Grid for Summer 2021

LogicGate’s Risk Cloud platform has been named the top GRC platform on the G2 Grid Summer 2021 report.

Case Studies

LogicGate and BankProv: Migrating to Risk Cloud for the Growing organization

As BankProv's business has grown, the company needed a proactive compliance management solution with more flexibility, active monitoring,…

Infographics

6 Steps to Find the Right GRC Solution for Your Organization

Use these 6 steps to help you select the right GRC solution for your organization that fits in…

GRC Today

GRC Today: Risk Renaissance

Matt Kunkel, CEO & Co-founder of LogicGate, chats with Principal GRC Architect, Dustin Owens, about the recent Risk…

Demos

[Live Demo]: Meaningful Integrations to Enhance your GRC Program

Learn how LogicGate’s Risk Cloud solution and our Open API can be utilized to ingest data from outside…

Podcasts

GRC & Me Podcast: Exploring Risk Cloud Exchange | Season 3, Episode 1

Risk Cloud Exchange offers a central space with an expanding library of pre-built applications, regulations and integrations.

GRC Today

GRC & Me Podcast: Exploring Risk Cloud Exchange

After a short break, GRC Today is back with a special episode highlighting the Season 3 premiere of…

Case Studies

How Uphold Uses Risk Cloud's Slack Integration for Incident Management

Uphold identified LogicGate’s Risk Cloud platform as the all-encompassing platform they needed and has been able to leverage…

Demos

[Live Demo]: The Power of Reporting Insight & Data Visualization in LogicGate’s Risk Cloud

Whether it’s staying on top of a staff analyst’s upcoming deadline or displaying concise cost-saving metrics to an…

Infographics

Life With a Modern GRC Solution

Risk leaders know their risk management solution is vital to their organizations, but many (almost 50%) say their…

eBooks

Operational Resilience: The New Paradigm for Risk

We asked 190 risk professionals what they’re concerned about, what they’re focusing on in 2021, and how they’re…

GRC Today

GRC Today Episode 4: "Health Days" vs "Sick Days"

On this episode of GRC Today, Matt talks about "Health Days" and why the LogicGate team added them…

Reports

G2 Spring 2021 Grid Report for Top GRC Software

LogicGate’s Risk Cloud once again topped the G2 list of best GRC platforms on the Spring 2021 report.

GRC Today

GRC Today Episode 3: Using Information Security to Build Trust

In episode 3 of GRC Today, Matt speaks with LogicGate's own head of Information Security about how to…

GRC Today

GRC Today Episode 2: How Core Values Shape Company Culture

In this episode of GRC Today, Matt Kunkel discusses the importance of core values, how they influence the…

GRC Today

GRC Today Episode 1: GRC Trends in 2021

Welcome to GRC Today! In our series premiere, see Matt's predictions for key GRC trends he expects to see…

Demos

[Live Demo] Accelerate your IT Controls Management with LogicGate's Power Mappings

Speaker: Annmarie Rombalski, Senior Solutions Engineer at LogicGate Formally documented IT controls are more important than ever. Without them,…

Demos

[Live Demo] Create Synergies Between Internal Audit and Risk Management Teams with LogicGate’s Risk Cloud

This webinar will focus on two Risk Cloud applications: Risk Management and Internal Audit.

Speaker: Sam Pranckus, Solutions Engineer at LogicGate In this webinar, we will focus on two of our applications - Risk Management and Internal Audit - and demonstrate how teams can share information to streamline their annual planning and ongoing assessment processes. We will discuss the benefits of collaboration between Audit and Risk teams, and the rationale behind integrating various aspects of each program. The objective of this course is to highlight areas where Audit and Risk teams can share information, which will eliminate redundancies and harmonize the 3 Lines of Defense. We will start with the fundamental building blocks of an Enterprise Risk Management (ERM) and Internal Audit programs. We will then focus on potential “connection points” to provide Internal Audit insight into ERM assessment scores and vice versa. Audit and Risk teams can leverage the relationships between various data points to make informed decisions, and influence the strategic outlook for the organization. We will also demonstrate: Risk Cloud’s Application marketplace which consists of “best practice” templates for a wide range of use cases Risk Owners ability to leverage Internal Audit testing results to mitigate Inherent Risk levels to an acceptable Residual Risk. The rationale behind this feature is that, as the Audit team conducts potentially hundreds of tests over a period of time, the results from audit fieldwork can help the Risk owner understand how well the Control environment is actually operating and factor this into their evaluations Internal Audit teams can utilize Risk assessment scores to prioritize upcoming audit activity and build a Risk-based Annual Plan Connection points between various data objects such as processes, risks, controls, policies, and Strategic Objectives - so that Internal audit coverage is aligned to critical risks that potentially prevent your organization from meeting Strategic Objectives Flexible Risk Assessment methodology to accommodate your team’s preferred methodology whether it is a standard Impact X Likelihood or more complex methodologies that factor in Velocity, Speed to Mitigate, Controls Effectiveness, etc. Prioritization of upcoming Audit Activity from an Audit Manager standpoint, the Risk Cloud’s scoring methodology dictates the audit frequency and gives management a holistic view of all auditable entities, including date of last audit and date of next planned audit View Webinar

Demos

[Live Demo] Automate Your Regulatory Library, Get Granular with Obligations & Close Compliance Gaps with Risk Cloud

Keeping up with the ever-shifting regulatory tides feels increasingly impossible as regulations continue to change with more frequency,…

Demos

[Live Demo] Third Party Risk Management: Breaking down silos between your procurement and info security teams

In this webinar, we'll focus on Third Party Risk Management applications in Risk Cloud and dive into best…

Infographics

2020 Year in Review

Check out LogicGate's most popular resources from 2020!

Reports

G2 Winter 2021 Grid Report for Top GRC Software

LogicGate’s Risk Cloud once again topped the G2 list of best GRC platforms, placing first on the Winter…

Webinars

Regulatory Compliance: Effectively Managing Your Regulatory Obligations Register

Struggling to understand what your organization needs to comply with? Wasting too much time and resources scraping through…

Webinars

Automated Integrations for Third-Party Risk Management with ITGRC

In this webinar with LogicGate and ITGRC you will learn how to strengthen your third-party risk management process…

Podcasts

GRC & Me Podcast: Is GRC a Subset of Cybersecurity?

Is GRC a Subset of Cybersecurity, or is it the other way around? In this episode of GRC…

Case Studies

LogicGate and Ziff Davis: From Legacy System to Intuitive Internal Audit

Find out why the LogicGate Risk Cloud was the right choice for Ziff Davis' Internal Audit initiatives

Reports

Fall 2020: Top Rated GRC Platforms on G2

Risk Cloud is the #1 highest rated GRC Platform on the Fall 2020 G2 Grid Report. See how…

Podcasts

GRC & Me Podcast: Adapt to Change with Flexible Data Models

Legacy technology’s grasp on GRC processes is slowly loosening. As LogicGate’s Director of Customer Success Szuyin Leow explains,…

Webinars

Webinar: Executive Tips to Modernize Your Compliance Program with ITGRC

Join LogicGate, ITGRC, and a panel of experts in exploring the current compliance landscape and challenges facing today's…

Podcasts

GRC & Me Podcast: Return to Work with Confidence (and avoid GRC Pitfalls)

In this episode of GRC & Me, Priyam Shah discusses how the PwC x LogicGate Risk Cloud™️ relationship…

Reports

LogicGate Named in 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools

Get an unbiased overview of the IT Vendor Risk Management market in Gartner’s 2020 Magic Quadrant for IT…

Podcasts

GRC & Me Podcast: A Conversation on Risk Language

Asureti co-founder and Practice Director, Melissa Ryan, discusses the importance of language when talking about risk.

Infographics

Proactive Risk Management: Transform Your Risk Strategy

In this infographic we share the benefits of transforming your risk strategy from reactive to proactive, and what…

Podcasts

GRC & Me Podcast: Agility 2020 Highlights

In this weeks episode of GRC & Me, we revisit some highlights from LogicGate's first-ever user conference, Agility…

Infographics

Top 4 Takeaways from Agility 2020

Whether you attended every session or didn’t attend, we wanted to share the top 4 biggest takeaways that…

Podcasts

GRC & Me Podcast: Transformative Risk Management

In this weeks GRC & Me episode, we discuss the concept of transformative risk management.

Podcasts

GRC & Me Podcast: What is The Risk Cloud™?

In this weeks GRC & Me episode we answer the question: How can The LogicGate Risk Cloud enable…

Reports

G2 Summer 2020 Grid Report for Top GRC Software

LogicGate named a top GRC Software Solutions on the G2 Grid for Summer 2020.

Videos

GRC & Me Podcast: How LogicGate Uses The LogicGate Risk Cloud

A simple question — “why?” — jumpstarted Heath Anderson’s journey with governance, risk, and compliance (GRC). Today, he’s…

Podcasts

GRC & Me Podcast: How LogicGate Uses The LogicGate Risk Cloud

For his first-ever podcast appearance, Heath Anderson, LogicGate's Information Security Manager, joins an episode of GRC & Me…

Podcasts

GRC & Me Podcast: Cyber Risk as a Business Risk

In the Season 2 premiere of GRC & Me, Megan is talking to John Mumford, Chief Risk Officer…

Videos

Agility 2020 - LogicGate's Virtual User Summit

Join LogicGate customers and other industry analysts as they host exploratory sessions about the current state of the…

Videos

LogicGate's Origin Story

Hear from our three co-founders (Matt Kunkel, Jon Siegler and Dan Campbell) talk about LogicGate's humble beginnings, what…

Videos

A Rock 'N' Roll Company Culture

LogicGate's Chief Revenue Officer, Karry Kleeman, speaks candidly about why he starts a rock band at every company…

eBooks

The Risk Cloud: Your Guide to the Future of GRC

We see a future where risk professionals not only predict and manage risk with confidence, but proactively turn…

See the Future

Webinars

Risk as a Team Sport: Taking a Cross Functional Approach to Risk Management

Learn how taking a cross-functional approach to risk management will drive success for your business.

Webinars

Powering Through a Pandemic: How to Create an Effective Response Plan in the Midst of a Crisis

In this webinar, we’ll cover strategies and techniques executives can use to respond swiftly to a crisis, focus…

Podcasts

GRC & Me Podcast: How Does a Risk Management Company Handle the COVID-19 Pandemic?

In this special episode of GRC & Me, Megan sits down with LogicGate CEO Matt Kunkel and CMO…

Reports

G2 Spring 2020 Grid Report for Top GRC Software

LogicGate named a top GRC Software Solutions on the G2 Grid for Spring 2020.

Videos

[Video] Incident Management with Risk Cloud

LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have…

The Risk Cloud™️ offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary, automated process to manage reported incidents and related activities. Video Transcript: At many companies, incidents just cause confusion. When they occur, managers are left asking: Who owns it? Was it closed? What should we prioritize? What’s even going on? It’s easy to see why. Usually it’s because the incident was submitted through e-mail or some other unsystematic way, leaving managers with no easy way to view all reported incidents in one spot—let alone the assets and controls they’re linked to. All of the tracking, linking, and resolution activities simply can’t be properly captured without a solid system. Imagine these issues at scale! If managing one incident is hard, managing incidents across divisions and geographies is a nightmare. Here’s a typical scenario. A data breach gets logged The dev team just closes it out, not giving it much thought. Little did they know, the breach is tied to data privacy regulations and reporting needs. If these aren’t followed up upon, they can cause problems such as major fines down the road—all because they didn’t communicate the incident to the right people, at the right time. Don’t let this happen to your company. Before your incidents lead to more...incidents...look to LogicGate. LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary process to manage reported incidents and related activities, including the ability to prioritize them by severity rating. Incidents get automatically routed to different groups for action based on what is being reported. From the platform, incidents can be linked to other processes such as regulatory reviews, policies and procedures, vendors, and audits. In one report, you can see how all your incidents are tied to all of your compliance programs. You’ll also be able to put the right process in place so your incidents are resolved according to your company’s service level agreements. Use the conditional workflow builder to route incidents to the appropriate parties, set up notifications, and meet those SLAs. Incidents can be escalated to different roles and groups. Required fields in the LogicGate form builder ensures you capture the information you need. With your process configured, resolution activities and responsible parties can be easily reported on. Productivity reporting helps you identify bottlenecks within your process, so you can allocate time, training, and resources effectively. With standardized incident metrics at your fingertips, you’ll have the vision and understanding to make the right decisions at a large scale. Stop tracking incidents in different places, with different methods, and through different people. Put an incident plan in place. Make better decisions. Look to LogicGate.

Brochures

Risk Cloud® Integrations

Integrate and optimize your risk and compliance program with 100s of integration capabilities insides Risk Cloud

Webinars

Automating GRC To Increase Business Value with ITGRC

GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance…

Reports

G2 Winter 2020 Grid Report for Top GRC Platforms

LogicGate is the highest ranked GRC software and leader on the Winter 2020 G2 Grid Report.

Podcasts

GRC & Me Podcast: Emily Heath on Why The GRC World Needs An Overhaul

For our season finale, Megan welcomes Emily Heath, Chief Trust & Security Officer at DocuSign. Emily discusses exciting…

eBooks

LogicGate's 2020 Research -ERM and the Modern Organization

What do CEOs think about enterprise risk management (ERM)? And how do they view the ERM efforts of…

Podcasts

GRC & Me: Karry Kleeman on "The Value of SaaS in GRC"

Karry Kleeman, Chief Revenue Officer at LogicGate, has 30+ years of leadership experience in enterprise software. In this…

window.addEventListener("message", function(message){if(message.origin === "https://grcandme.com" ) { if( message.data.event) { if(message.data.event === "castedSizeUpdate") { var casted_episode_player = document.getElementById('casted-embed-' + message.data.payload.slug); if(casted_episode_player) { casted_episode_player.height = message.data.payload.height;}}}}}, false) EPISODE NOTES Top 3 Quotes "There's a number of players providing solutions, but only a small number of true winners that will emerge to set this new standard for usability and effectiveness combined with affordability." "Risk and compliance needs change so fast that the technology has to be flexible enough to keep up." "The market is wide open for a company to set the pace for the rest of the pack and for the industry." Resources: Connect with Karry on LinkedIn Connect with Karry on Twitter Transcript: Karry Kleeman: There's a number of players providing solutions, but only a small number of true winners that will emerge to set this new standard for usability and effectiveness, combined with affordability. It's really a great time to be in GRC. Host Megan Phee: Hi, I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends and more. Learn about your methods, solutions and outlook in this space. My guest today is Karry Kleeman, Chief Revenue Officer at LogicGate. Karry has over 30 years of experience in global enterprise software sales, and today Karry and I talk about the value of a software as a service delivery model for GRC, what's exciting about GRC today, and we end with a discussion on how he fosters a positive culture by starting a rock band at every company he joins, whereby he assures that he won't be quitting his day job anytime soon. And now my conversation with Karry. Thank you, Karry, for joining us today on another episode of GRC & Me. KK: Thanks, Megan. Great to be here. MP: So let's start off. Will you share with the listeners a little bit more about your sales background? KK: Yeah, for sure. I started my career in sales during my college years, and my primary motivation was to defray some of the costs. That's code language for I needed money. At first I sold advertising time for a media company, and then I hit pay dirt when I joined IBM while I was still in college. I was a lead generation specialist and I also sold IBM's lower end product line, things like personal computers and PC-related products. I really enjoyed that. I found out I was pretty good at it, and it helped me get through college, get my degree, and get ready for the journey. The experience working at IBM not only set the tone for a career in sales, but it cemented the kind of job I wanted, which was a sales job with a technology company. MP: So is that background, is that what led you eventually to SpringCM, which is now DocuSign? KK: Yeah, for sure. I had a great experience prior to that with a start-up company that moved from zero in revenue to about a hundred million dollars in revenue, and went through fast growth, to IPO, to global expansion, and I got to be a part of all of those phases. And then you fast forward the tape a few more years than I care to admit to, and just prior to joining the LogicGate team here, about a year ago, I was on the executive team at Chicago based start-up called SpringCM, which is now a DocuSign company. As the Chief Revenue Officer for SpringCM, I was part of the team that led the acquisition of SpringCM by DocuSign after growing the company's revenue pretty dramatically and building a global footprint of about 675 customers and 190 employees. MP: Fantastic. Now I know you worked at SpringCM, which is now DocuSign, on that contract management, the buy-side contract management, and also vendor management. Was that your first foray into this GRC type of experience? Is that what led you to kind of be interested in moving into a company that serves as more of that GRC market? KK: We were adjacent to governance risk and compliance through this contract management and vendor management use case. It opened my eyes a little bit to the challenges and the opportunities to operationalize not only contract management and vendor management, but things that were going on around risk in doing business with third parties and procurement kinds of applications. And in fact, during the interview process here at LogicGate, I was able to talk to a couple of customers that were really, really adept in understanding the difference between coming at the buy-side contract management and procurement side of the house from a GRC perspective versus a contract management perspective. Certainly opened my eyes. MP: So Karry, you've enjoyed particular success in the software as a service space. Tell us a little bit more about the emergence of software as a service, as a business model, in your lifetime, and how you originally got involved with it. KK: Yeah, cool. Software as a service has grown rapidly. Something like 80% of all applications for businesses will be SaaS in a year or so. It's really pretty amazing when you think about it. There are some great SaaS companies to be admired and great examples to be followed. In fact, there's no shortage of ambition here at LogicGate. We believe that we will disrupt the GRC space by providing the simplest and most effective SaaS platform that can help companies undertake certain measures, because the regulations say that they should, and if the rules aren't followed, there could be fines and penalties and reputational harm. And on the positive side, good compliance just manifestly means good business. And SaaS has been able to overtake so many industries so quickly, because like the overall subscription economy that we live in, it provides a reduced time to utility or benefit, far lower costs, a pay-as-you-go model, and rapid iteration on changes, updates and improvements in the process and in the technology. MP: So Karry, why is GRC a perfect fit for a software as a service delivery model? And most importantly, what is it about that software as a service delivery model that's allowing start-ups like LogicGate to really make headway? KK: Well first of all, Megan, I think the real winners here are customers, those who are making investments in managing risk and compliance. Risk and compliance needs change so fast that the technology has to be flexible enough to keep up. People and processes change. And before companies like LogicGate, routine change orders required trained personnel and complicated adjustments, and it affects the company's ability to be innovative and responsive, makes them too slow or even unresponsive. The giants in this market didn't really grow up in a SaaS business model. They were what is referred to as an on-premise or on-prem model with kind of a late nineties code base. And those legacy GR players have done really very little to do the things in their product and in their business model to provide adaptability and an excellent customer experience. We've got an opportunity to change that here at LogicGate and in the governance risk and compliance market. MP: Great. What else would you say, Karry, is exciting about risk and compliance, or GRC, today? KK: Yeah, the market is really wide open for a company to set the pace for the rest of the pack and for the industry. It's a very fragmented competitive landscape with a few, as I said earlier, large expensive solution providers that have been widely panned by customers as rigid and too costly. So that presents really the perfect conditions for disruption, sort of the perfect storm. Customers demand a simpler user experience. They demand almost a point solution implementation curve, and a lot closer to a point solution price than a really monolithic system at a really expensive price. MP: I think you're right on. I think the market is demanding more of these GRC providers. LogicGate is fitting into a sweet spot there that is really carving out a path that hasn't been there before. Where else do you see the market going in the future? KK: I think the need for GRC is only getting stronger. There's a number of players providing solutions, but only a small number of true winners in the current sort of group of companies in our space, including LogicGate, that will emerge to set this new standard for usability and effectiveness, combined with affordability. It's really a great time to be in GRC. MP: Awesome. And finally, if you are following us on LinkedIn, you might've seen a post that Karry had, a little bit about an element that he does to instill a positive culture at every company that he goes to. And really it was an article on LinkedIn talking about how he starts a rock band, and he has started one at LogicGate. So we'd love to talk a little bit more about that. Tell us why you do this at every company you go to and what does it mean to you? KK: Yeah, thanks for asking me that question. I love this question. The short story here is why not? I like to find something fun and unique to do in the context of the work environment, and I love music and pop culture, as do so many others. And I'm really just trying to create an opportunity for my coworkers to express themselves in a different way, and to kind of bring their full selves to work. It ends up being a lot of fun to do these kinds of things. And although our band, which is called Logic and the Goats, has the ability to be pretty good, we're not going to be quitting our day jobs, I promise you. MP: Absolutely awesome. Well, thank you so much, Karry, for joining us on another episode of GRC & Me. KK: Great to be here. Thanks.

Webinars

Controls Mapping is Hot. It's Also Difficult.

Watch this webinar to hear from Gary Elens, Tom Cornelius, and Megan Phee Brown on how controls mapping…

Videos

[Video] Compliance Management with Risk Cloud

With LogicGate's Compliance Management solution, you'll keep your team in sync, on top of tasks, and ahead of…

Podcasts

GRC & Me Podcast: Jack Tanselle on "Pursuing Sustainable and Continually Improving Programs"

On today's episode, Megan chats with Jack Tanselle. Jack is the Managing Director at Deloitte and even though…

EPISODE NOTES Top 3 Quotes "Risk assessment is not the same thing as conducting an assessment of your compliance program." "The risk assessment is not designed to be an audit of every activity your company is doing; it’s designed to scan across the breadth of what your company is doing." "The skill-set needs are changing." Resources: Connect with Jack on LinkedIn Connect with Jack on Twitter Connect with Deloitte on LinkedIn Deloitte US Deloitte UK Navigant Consulting Huron Consulting KPMG LogicGate Matt Kunkel LinkedIn Transcript: Jack Tanselle: The auditing and the monitoring, if you're doing those consistently, make it nearly impossible for your program to become stagnant, because they all provide output that show you new observations of where you can get better. Host Megan Phee: Hi, I'm Megan Phee and this is GRC and Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more to learn about their methods, solutions and outlook in this space. On today's episode, my guest is Jack Tanzel. Jack has spent over 15 years in consulting working previously at Eli Lilly and Company and most recently Deloitte. He helps organizations develop strategies to drive results. On today's episode with Jack, we'll discuss how he works with clients today, how you can adopt continuous improvement in your programs and this concept of RAMP. R-A-M-P, what it is and what it means for organizations. Lastly, we'll have an interesting story about Jack's hidden talent, songwriting and performing. Now, here's my conversation with Jack. MP: Thank you, Jack, for joining us today on another episode of GRC and Me. JT: Thanks for having me. MP: All right, so we want to get started and I'd love to learn a little bit about what led you to risk and compliance as a career path. JT: It was not a preplanned journey. I went to a work at Eli Lilly and Company after getting my MBA at Northwestern in the late '90s. I spent seven years in the marketing organization at Lilly, which is how I got into risk and compliances. I did a lot of marketing and strategy work for Lilly. I was hired by a large consulting firm away from Lilly in the mid-2000s with the idea of doing more marketing strategies at work, but on of the very first projects that came to me, came through our forensics practice where the question was a global manufacturer has an R&D organization that doesn't know how much it's paying its healthcare professionals annually for a variety of services that health care professionals provide manufacturers. There was no one in the group that had had any experience conducting advisory boards or any other types of services. I had just come from an experience where that was all I was doing. It was a little bit of serendipity perhaps. Nine months later, I got a call from a conference organizer asking if I would speak on what we now think of as transparency reporting and tracking and aggregate spend. I found that a little odd at the moment, but realize that I had gotten into a project that was part of an early wave of an issue for the industry and there weren't that many people that had been involved in projects prior to me getting involved in that one that had had a lot of experience helping a company through that situation. That very project is what flipped me from coming at it from the marketing and strategy angle to that of addressing risk and compliance issues for these clients. That project led to another one led to another one, and over the course of several years I ended up gaining a tremendous amount of experience helping chief compliance officers in their teams and other risk and assurance functions around a lot of things having to do with the risk that comes with interactions with healthcare professionals, sales and marketing activities, medical affairs activities and those sorts of things. MP: Thanks for sharing that. I know you're also a friend of LogicGate. You know the LogicGate founders pretty well. How did you come to cross paths with them? JT: So the LogicGate founders spent some of their time at Navigant consulting and so did I. Your CEO Matt Kunkel and I worked together pretty diligently on a couple of different projects including one that in fact I think was a precursor to him and the others getting the ideas that that formulated later that to become LogicGate. we worked together on what was to be a workflow automation around the operations of a compliance department while at Navigant together. MP: Awesome, fantastic. And so you mentioned, you know, you're helping customers in the healthcare industry, but I know you work with Life Science's clients today. You help them with the concept called RAMP. Can you describe what RAMP is and how does it benefit clients today? JT: I think RAMP is, as far as I know, exclusive to life sciences. It might even be exclusive as an acronym in the context I know it to pharmaceutical companies. Probably a decade ago, one of the large pharmaceutical companies had a corporate integrity agreement with the US government and their risk assessment program had the acronym of RAMP, risk assessment and mitigation planning, because corporate integrity agreements are one of the things that many in the compliance world, whether you're working in house or for a consultant or for a law firm, corporate integrity agreements are one of the benchmarks of the types of things you would go look for to say, "What are the leading requirements? What are the leading trends? What's the government expecting?" Along with say the the OIG work plan, other guidance documents that get published. Corporate integrity agreements are a key document, so always check the new ones that come out. Because of the prominence of this company and the prominence of corporate integrity agreements at the time and the fact that they were the first one to have the risk assessment be included in their corporate integrity agreement, the acronym of ramp generally caught on with life sciences and again, a specialty pharmaceutical companies. It's risk assessment and mitigation planning. It's designed to not only be about the risk assessment, but perhaps more importantly to be about the mitigation planning and the implementation and the idea of what more often than not becomes an annual cycle of let's assess the risk, let's identify some places to go, put some resources to mitigate those risks and let's see if we can't close the loop on that mitigation action and then have those actions perhaps serve as inputs to the next year's risk assessment, so you create sort of a virtuous cycle of activity MP: In addition to RAMP, do you recommend companies adopt continuous improvement within their compliance programs? JT: I do think RAMP is a backbone, I mean any risk assessment program, whether you call it RAMP or something else. When the OIG first came out with their guidance for manufacturers on the seven elements of an effective compliance program, risk assessment was not explicitly listed and yet it is implied and many people often refer to it as the eighth element. It is a backbone or a foundational piece of any effective and sustainable program. One of the reasons for that is if it's a scheduled activity, again, probably on an annual basis, maybe it's monthly, maybe it's quarterly, but whatever your cycle is, it creates a dynamic for your program that makes it almost impossible for your program to become stagnant, which is what you're looking for. What are the things that can keep our program from becoming stagnant? Risk assessment is one of them. Oftentimes some of the major activities that come out of the mitigation planning of RAMP are the auditing and monitoring exercises. The risk assessment is not designed to be an audit of every activity your company is doing. It's designed to scan across the breadth of what your company is doing and to repeatedly and continually assign maybe a score or some other way of weighing or ranking where do we carry the greatest risk and where do we want to put resources to dive deeper into some of those places where we either one, already know we have a control gap that needs to be fixed or two, we're not quite sure what's driving that risk. We're not quite sure how well controlled we are with that area. We need to conduct an audit, we need to do more monitoring. Those things, the auditing and the monitoring are also activities that make it nearly impossible if you're doing those consistently and you're moving around on the different activities or companies conducting make it nearly impossible for your program to become stagnant because they all provide output that show you new observations of where you can get better. And so if you're conducting good risk assessment and you're following up with audits and monitoring as well as the investigations that should naturally be happening through your hotline and other ways of people reporting potential noncompliant behavior, those are all dynamic activities. While you've got your other elements around policies and procedures, training and communication that shouldn't be stagnant either, they have a much greater chance of growing stagnant if you're not conducting these other activities that have a chance to point out specific places for improvement. I would really hang on the idea that the RAMP program or whatever your company might call it, as well as the auditing and monitoring. The typically comes with it are the real critical dynamic pieces that keep a program getting better and better all the time. MP: All right, thanks Jack. Are there any other examples of types of things companies could use or do to pursue continuous improvement? JT: One other that comes to mind is the idea of assessing the compliance program as a whole. The previous examples we were talking about with risk assessment and auditing and monitoring, those are day to day activities that the compliance program, the compliance department should be conducting every day. Those activities can organically help you understand where the program can get better. But every so many years, two, three, four years, it is worthwhile to have someone else take a look at your program and come in and maybe give an assessment as well as conducting your own surveys with people in your organization, whether it's from the outside or from other people outside your department, getting other people to provide input to you on where the program is or isn't working. It's not part of the natural day to day elements. Risk assessment is not the same thing as conducting an assessment of your compliance program. All of those things can contribute to keeping your program dynamic, identifying risks or areas for improvement. When you add it all up collectively and done routinely, they contribute to a sustainable and effective program as much as anything. MP: All right, Jack, how do you see things changing in risk and compliance in the near future and then also in the medium to longterm future? JT: I think the leveraging of technology and automation to drive more efficient work and better decision making is already happening, but I think it will continue to gain a momentum within the life sciences world. I know within ... While I don't work in financial services or some other industries, I know that in the banking world and other financial services companies, leveraging analytics has become a critical part of reducing risk and mitigating against risk. I think that pharmaceutical and life sciences companies are working through individual use cases where they've identified an opportunity to automate a workflow, whether that's an inline business workflow or a workflow to help monitor something or to create better use of data that's already available to them to improve their analytics. What I see on a routine basis is many companies have their own distinct use case or two where they've leveraged or found an opportunity to further modernize their program. I think that's going to continue in an individual use case by use case example for many of these companies. What I think is still to come is for companies to realize the holistic possibilities of strategic automation or modernization of not only the compliance department but all of the assurance functions that share both common workflow as well as use of the same data. For instance, an internal audit function conducts audits. A compliance function conducts audits. A litigation department may also conduct investigations, but that have the same steps in their workflow as the internal audit and the compliance department. There are workflows out there, and I know there are workflows in the LogicGate tool, that feed that concept. And so instead of functionally thinking about your budget as a compliance department or an internal audit department or litigation department, the company as a whole, realizing we have common workflow here, that one platform can help us. There's an of scale through that spend that these three functions as an example could benefit from that spend versus just one function. The same is true with analyzing how much money is being spent on certain healthcare professionals. Those types of questions are applicable to not only the three functions I just mentioned, but to many in the business who want to do that. And so I think life sciences companies are working through a natural maturation cycle, if you will. We're still in the early days of figuring out how one use case can lead to a second use case can eventually get us to a strategic vision of how we can apply many use cases on technology platforms that will allow for that type of flexibility. I think if you don't do that, you're going to be held accountable by government regulators and government officials who have oversight responsibility. Eventually it'll be an expectation that you've invested in technology to improve workflow for better controls in flight and to be able to find data and find certain points of risk faster and better as a natural part of running your business. MP: In working with customers, those that have been able to gain support and adapt technology to help them achieve those type of goals, what do you think they did well to get that support or what allowed them to be able to take that step forward? JT: I think, one of the things that comes to mind to that question is that we've seen a number of companies identified that the skillset needs are changing. People who have a law background or an operations background or a finance background who have all been and will continue to be positive contributors to a compliance effort, they may not have an analytics background, they may not understand the technical aspects of what it means to understand where different data sources lie and how to grab that data, how to aggregate that data and then turn that into analytical tools and understand what may come from that. I think there's a skillset and certain companies that we work with have hired people into their compliance departments who are data scientists. I know that several clients we work with have former IT professionals now working in the compliance department where instead of going to ask IT if and how we can do this, they start by having this person maybe do some things for them, again, in that individual use case perspective, create some sort of machine learning tool that allows us to go through a particular use case one of the people in the department may have identified. That's really helping move through that maturation cycle of seeing a particular use case pay off only accelerates everyone involved realizing where else can we do this. MP: We've talked a lot today about your background and the RAMP process and how you work with clients today, but we've also learned that you have another talent, which is that you are a talented singer. We'd love to learn a little bit more about the origin of that talent as well as your origin of risk and compliance. JT: Oh boy. I had no idea we were going to go here. Yes, so music was a big deal in my house as a kid. My grandmother on my mom's side loved to play the piano and sing. My mom, my aunt and uncles on that side of the family were all not shy about singing. My sister's a really good singer and older than me. She started singing in church. I thought, "Well I can get up there and do that too." I started singing at a pretty young age at our church, performed throughout middle school and high school and variety shows and musicals. Even at Northwestern, at the Kellogg school, we did a skit every year. During my second year, I helped write a few songs and perform. I wrote a song to a the Bee Gees' tragedy and turned it into strategy and was one of the Bee Gees, and we went out and made fools of ourselves, but had a really good time. Most recently in my professional life at a previous firm, we were at at an event and one Matt Kunkel and I were on the same team. We were all, each team was assigned to do something, singing to a song and create a parody. How Matt knew this, I don't know. He then turned to the rest of our team and said, "Jack will be our lead singer. We all can just stand behind them and back up." I couldn't believe it that he had outed me like that. It was Heard it Through the Grapevine. We had to come up with some way of pitching a new client on a service by changing Heard it Through the Grapevine. We had to rewrite the lyrics. MP: Right, fantastic. JT: Everybody told me when I was done that I was in the lead, because they were scoring this. The last team knew that one of the administrative assistants in the DC office had just finished performing on The Voice. They called her. They brought her over. They gave her their song as a total ringer. I had no chance at that point. When she got up there and started singing and I was like, "Oh, boy." In my little amateur world with some of these other people that tried to get up there, I might have had a chance, but when she started singing, I'm like, "Okay." MP: Oh shoot. JT: We all had a great time with it. Great lady. She was great at singing, and so we had a riot. MP: That's really funny. JT: Yeah, so thanks for that embarrassing moment. MP: Uh-huh (affirmative), no problem. JT: I appreciate you. MP: Well, you know we at LogicGate, we have an in house band called Logic and the Goats. JT: Oh wow. MP: If you ever want to make your professional comeback, you are welcome to join us. JT: I think I'd rather stay in the audience and watch them. MP: That sounds good. Well, thanks again Jack for your time today. Thanks for joining us. This is Megan Phee with another episode of GRC and Me.

eBooks

Assessing the Costs and Benefits of ERM: An Inquisition

Every project must be analyzed from both cost and benefit perspectives, and building a technology-enabled ERM program is…

Videos

[Video] Questions to Ask Your GRC Software Provider

Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits…

Are you asking the right questions of your GRC vendor? You should demand the features and benefits that will make your program and people as effective as they can be—today, and well into the future. Video Transcript: Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits that will make your program and people as effective as they can be. Let’s look at some examples. With LogicGate, you can start with our industry-standard best practice templates. You can then configure them with our visual workflow builder to align with your company’s unique process, complete with custom fields and assigned user roles. But the power of LogicGate doesn’t end there. Say you start with your control audit process against SOC2 and ISO 27002 requirements. With LogicGate, these automatically map together through the Secure Controls Framework. No manual mapping required. Now let’s fast forward a few months. Let’s say you’re getting close to signing a large contract with the government. Your organization needs to meet NIST 800-53 requirements to demonstrate FISMA compliance in order to move forward with the contract. Now what? You’ll want to link that framework to SOC2 and ISO 27002 to accelerate this process. With LogicGate, you can easily add these frameworks to your program and report on your compliance coverage. It’s also no sweat to change and adjust your existing data structure over time. This means you can start with the data structure you have, and look to the future with confidence knowing you’ll be able to add to and customize your program as it evolves. The same goes every time your team needs to add in a new application. What happens when you need to find the different activities associated with each framework, such as a control evaluation, risk, exception, or policy? With most GRC vendors, you might need to work backward through ISO, SOC2, and the Secure Controls Framework just to find an item. That’s a lot of extra clicking. Why not go straight to it? With LogicGate, you can. In the LogicGate platform, you can start anywhere within your data structure and find the information that it’s linked to. For example, you can go directly to a SOC2 or ISO requirement and see every activity or asset that’s associated with it, such as a policy, exception, risk, system, internal control, or evidence you have gathered. No more endless clicking through various record hierarchies just to get to the information you need. Are you asking whether your GRC vendor can do these things? If so, are you asking how much it will cost? What about how long it will take? How easy is it to actually perform them? With LogicGate, you get a flexible platform that’s ready to grow and adapt with your program—whatever the future holds.

Podcasts

GRC & Me Podcast: Dominic Vogel on "The Journey of Cyber Security"

Dominic Vogel, Chief Security Strategist at Cyber SC, joins Megan to discuss how small businesses can use basic…

EPISODE NOTES Top 3 Quotes “I'm a firm believer that cyber security is very much a journey.” “Do the basics and do them well—that's a strong foundation.” “Doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, which would allow for cyber resilience against whatever the threat landscape might be.” Resources: Cyber SC Connect with Dominic on LinkedIn Connect with Dominic on Twitter Cyber SC Facebook Cyber SC Twitter Cyber SC YouTube Channel Episode Transcript DOMINIC VOGEL: It's very interesting to see cybersecurity tied to a very clear business driver, which up until recently was just not the case and it's definitely seen as being a core need for why security is so important. HOST MEGAN PHEE: Hi, I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends, and more to learn about your methods, solutions and outlook in this space. Today our guest is Dominic Vogel. Dominic is a chief security strategist at cyber se and today's episode, Dominic will share advice for small to mid sized businesses on their journey to cybersecurity. We'll discuss global trends and security issues that you is in Canada and lastly we'll talk about how he leveraged his comedy to bring light to an often dry topic. All right, Dominic, thank you so much for joining us today on another episode of GRC & Me. DV: Thank you for having me, Megan. MP: Great. Well let's get started. We'd love to learn a little bit more about your background. How did you come to be in the position that you are today? DV: Yeah, I always love sharing my career narrative. Uh, I'm definitely one for oversharing. All the [inaudible] I've always wanted to be in cybersecurity and I've been very fortunate. I've only done that my entire professional career. Uh, I remember entering first year of university, I knew I wanted to do cybersecurity and I was very fortunate enough to get an entry level job when I graduated, uh, with a liberal organization as a security and men just running their McAfee endpoint suite. It was just a fantastic way to start my career. And I like to say that I, I serve my corporate time. I served about 10 years in various corporate roles, mainly in the credit union system here in Canada. My last corporate role, I was in charge of a cyber security team. And then one day I realized that I no longer enjoyed the corporate world. And I believe it was about four years ago this past summer. And when I went out on my own and formed cyber SC, which is my consulting company and something which I've just been, uh, lovingly growing over the past four years, serving the small and midsize businesses. MP: Oh, fantastic. That's a really interesting journey. You could take your experience from the corporate world and bring it now to this and SMB market. So that's great. So since you help startups and the SMBs with their cyber security, you probably see organizations wrestle with these challenges at every step of growth and maturity. So in your experience, what is the right time to incorporate cyber security into their strategic planning and how can start ups or smaller organizations lay the foundation? DV: Yeah, that's $1 million question there, Megan. It's that point. When do you start? And we've worked with organizations and stripes as small as three people. I'm a firm believer that it's never too early to start doing cyber security, right? Even if it's just a matter of using multifactor authentication for whatever systems a three person startup is leveraging. That to me is still being able to put out some foundational building blocks. So it's never too early. But when we're talking about that broader strategy in terms of what type of cyber security controls, governance or start up you're looking at, I truly believe that the sooner you do that and the earlier you do that, it'll save a ton of money and pain down the road. A favorite story of mine is actually a one of my earliest clients. They were I when I joined them, I believe they were a 20 person company. Very early on they realized that they wanted to do security well and they see what, tell us what we're not doing and tell us what we need to do and we're going to be aggressive with that because we know that down the road we want to make sure that we're in a good space when it comes to cybersecurity. So we went through the CIS top 20 security controls at the time that was very malleable for a startup and you'll go in through the different security journey with them when they became a 50 person company than a 75 person company. And then one day they were a 200 person company and the security aspects that they tackle it was very different. That's why we always say security is a journey. It very much more with the organization and it was fulfilling at the end of my time with that organization because they got so large that I said, you need an in house CIS, so, and they were shocked by that. They said, we've never had a consultant say you no longer need us. I'm a firm believer in understanding that cyber security is very much a journey and that regardless of where you are in that journey, you do need to plan for cybersecurity. It's just what it looks like is very different depending on where you are. MP: Yeah, and so for small businesses, when they're on that journey and they're just starting out, how can they remain mindful of budget concerns as they're starting to develop a cybersecurity program in your opinion? DV: For sure. I'm a firm believer in being able to at least do the basics and do them well. And then even just choosing a framework, I'm a big fan of using the the CIS top 20 critical controls and even for a, when I start off with a lot of these startups or smaller organizations rather than even fully saying on all 20 let's break that down into the most critical, the top six and that's covering items like asset management, vulnerability management, controlled administrative privileges, having a sufficient logging and monitoring. Those are all foundational building blocks and where a business and organization is able to do those basics and do them really, really well. That's that strong foundation and without that other security technologies like SIM or next generation firewall or what have you, all those tools and platforms to be truly effective, they need a very firmly rooted foundation and that's where being able to sort of break down those controls into the most critical ones tend to really resonate with small and midsize businesses. MP: I'm glad you had talked about the CIS controls. I actually just learned about this personally within the last week. I've been familiar with NIST and ISO, but I wasn't really familiar with the CIS controls set. And after I dug into this 20 core controls and learned, yeah, how it is a really great entry point to understanding, you know, where do you need to address areas within your business and then eventually you can map those to NIST or ISO or other requirements that you have. So I'm glad you mentioned that. Yeah, I think that's a great tactical and practical way for folks to begin their journey, um, into cybersecurity. So other than scale, how do you think small businesses when it comes to cybersecurity, how do you think differs from the corporate or the enterprise needs? DV: Yeah, yeah, it's definitely a different beast. I think it's both on the needs where it's different, but also with the firm, the resources are the resource restraints where it's very different as well. With a lot of these smaller midsize businesses, it varies so much in terms of what type of it team they have. Some of them will have just one it guy or girl who handles everything or there may maybe two or three people, others there'll be no internal it team whatsoever. There's fully outsource relying on an it managed service provider. So there's a lot of different wants is there in terms of who's ultimately, at least on the it side, we'll be able to help from that implementation point of view for the, for a lot of the security controls when we're talking about the needs, I definitely see that the needs, especially with the small midsize businesses being acutely tied to the uh, broader vendor risk management movement, we're seeing with larger organizations and more in the enterprise realm as we're seeing larger organizations and enterprises really clamped down on their supply chain that's really affecting the small and midsize businesses. I'm really seeing that as being one of the main motivators for doing cybersecurity well. We've had diamonds, I would say more than 50% of our clients reach out to us based on the fact that they are struggling with a lot of these vendor questionnaires or vendor risk management that the companies that they're trying to supply their tools, platform or services to, they're clamping down on them and they're not sure how to answer those questions and they don't want to lose out on these contracts. So it's very interesting to see cybersecurity being tied to a very clear business driver, which up until recently was just not the case. And I'm definitely seen as being a core need for why security is so important. MP: Yeah, I think that's a really interesting point. You mentioned this trend here on the implications on vendors and even folks having to think about the way that they manage vendor management internally and there is a lot of trends and security and compliance that are global in nature simply because business as we know has very few borders. But that being said, would you be able to share a little bit about security issues that you see in Canada and how they differ from anywhere else in the world? DV: I would say a lot of the, uh, at least from the user perspective in terms of fishing business, email compromise, there's been a huge uptick in that type of activity in Canada. The Canadian businesses, they definitely were not in the cross hairs in prior years, but I would say within the past couple of years, stuff like ransomware, business, email compromise, and these are all things which were relatively low from the [inaudible] perspective. But there's been a huge uptake. And I think one stat I read recently that can, is a in the top three in terms of countries that get hit by those types of attacks. So it's interesting to see that threat profile change so quickly. I would say the other core difference in terms of the underlying cyber risk is that there's a different privacy landscape in Canada compared to the U S I'd say the Canadian privacy landscape is rapidly changing and it's certainly closer to the GDPR in the EU. And also we're seeing that in the States as well. With California, the privacy landscape has been rapidly changing and that's very much affecting how cyber security is approached with Canadian businesses. MP: Thank you for sharing that. And you know you're kind of a self appointed chief security strategist, which I love. So what would you say are things that are top of mind for you as a chief security strategist? What keeps you up at night? DV: A lot of what keeps me up is worrying about my clients and then our clients in terms of being able to really understand that the fact that more so than at any point in my career, the threat landscape is just changing just so rapidly and trying to keep up with the threats, with the risks and what are the right technologies. Are we using the right tools or platforms? It's a very, very confusing time at this point in history for even for the most seasoned cyber security professional. It's very much that unknown piece that keeps me up. Just trying to figure out are we doing enough? It's a question which is becoming increasingly more difficult for me to answer. For me, one of the saving graces I truly believe is the advancement in a lot of these frameworks. Michael, I mentioned CIS. Another big one which I'm very eager to learn more about is fair framework, which really focuses on being able to quantify cybersecurity risk and really attach key business metrics to why cybersecurity investment is warranted. Being able to have those types of more business level discussions rather than focusing around qualitative risks or qualitative metrics. That adds a lot of comfort to the levels of discussions that we're having with our clients. So that's part of what's helping me sleep a bit better at night as well. MP: Good. That's good. Great. Well thanks for sharing that. And I know Dominic, in our conversations before, you've talked about this term sustainable security. So can you talk a little bit about what that means and how can companies attain that? DV: That's the term and I can't take full credit for it. I did see it somewhere about three years ago, but I don't remember where I saw it. So I'll take partial credit. I suppose for it, but we're very much at this point in history and what the whole notion of any endeavor it needs to be sustainable. To me, doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, very much acting in a very strong symbiotic fashion, which would allow for a greater cyber resilience against whatever the threat landscape might be. To me, unsustainable security is trying to solve the security problem or paradox I suppose by just trying to put in random technologies without any rhyme or reason and just trying to find the problem with various technologies that's not sustainable that might help you in the long run, but without a very cohesive governance and risk based approach to how you tackle cybersecurity. And like I said, laying out that from a people process and technologies point of view, that is the way to do things from a sustained fashion, not just choosing technologies haphazardly. And unfortunately we see a lot of security professionals who do that. So that to me is the difference between sustainable versus unsustainable security. MP: All right, Dominic. Well, thank you for that guidance. And lastly, as you heard in my introduction of you today, we learned that you're also a comedian, so tell us more about that. How did you get into comedy and do you ever use your comedy in the business cybersecurity world? DV: Yeah, call me is something which is, which is core to my personality and ever since I was a little kid, that's all I ever wanted it to be. Jay Leno, Dave Letterman, those were my heroes and I like to brand myself as being a no cyber comedian just because it helps with it from a dialogue perspective with non technical people, cybersecurity is a very dry subject. Even on a good day, I'm someone who's been doing this my entire career and I still have a tough time reading my way through various white papers and listening to people giving the same old boring advice. I very much tried to inject the comedy and flair in my talks when I do you have any presentations? When I'm meeting potential clients, when I'm dealing with my existing clients, that's how you end up with really engaging dialogue. I'm a firm believer in comedy and it's power to lead a systemic change. And in the field like cybersecurity, where sometimes you need to make advances in leaps and bounds, you need a very core and important fueled to to make that happen. And to me, comedy is that fuel to make incredible change happen. MP: Awesome. I love that, Dominic. Well, thank you for sharing more about your advice, how you work with customers today, and then your personal experience of leveraging comedy in the cybersecurity space. Megan, thank you again so much. This was an absolute blast. Awesome. All right. Thank you listeners for joining us on another show. Until next time, this is Megan Phee with GRC & Me.

Case Studies

Team Select and LogicGate: Managing Change

Find out why LogicGate was just the tool Team Select Home Care needed to achieve its Compliance goals.

Podcasts

GRC & Me Podcast: Rafael Moscatel on the “Olympics of Privacy”

Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and…

EPISODE NOTES Top 3 Quotes “The more that you can show your customers that you're being a good steward with their data, the more they're likely to trust you. And from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.” “And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what's under the hood in your company.” “...you know there's not one silver bullet when it comes to preparing data for an information governance strategy, IG is essentially a multidisciplinary type of approach.” Resources: Connect with Rafael on LinkedIn Connect with Rafael on Twitter Rafael’s Website The Little Girl With the Big Voice Episode Transcript RAFAEL MOSCATEL: The more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other. HOST MEGAN PHEE: Hi. I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more. Learn about your methods, solutions and outlook in this space. Our guest today is an author, privacy expert, filmmaker, and he's the managing director of Compliance and Privacy Partners, Rafael Moscatel. During our episode today we will talk about his journey within privacy roles working at organizations such as Farmers Insurance and Paramount Pictures over the last 20 years. We'll discuss this article Seven Ways to Repair Data in the Age of Privacy and Information Governance. Raphael says it best. "Content may still be King, but now the rights to some of it belong to the people." Thank you, Rafael, for joining us today on another episode of GRC & Me. RM: Thanks, Megan. Thanks for having me. MP: Of course. Let's start off. I would love to hear a little bit more about your experience. I know your background at law firms, you worked at Farmer's Insurance, you spent some time at Paramount Pictures, and now you're doing your own thing. I'd love to hear a little bit more about your experience, and as you walk through your journey of your background, you also had shared with me the other day a really interesting story about this concept of the Olympics of privacy, and I know our listeners would love to hear about that story. So would you be so kind just to share your background and then a little bit more about that Olympics of privacy event, what it was, and what it meant to you? RM: Yeah, I'd love to. I began very early on working for law firms and consulting companies, specifically in employee benefits law firms, and that was around 1996 when HIPAA first came out, which was a kind of an omnibus bill around privacy and protection of data and which had some guidance on technology as well. It was really fascinating to me and it was something that I immediately gravitated towards because I've always seen myself as a type of a liaison between technology, which is one of my passions, and law and compliance. So I settled in there for a little while, and at some point the office of the general council at Paramount Pictures heard about me and they offered me a position working at the Melrose studio doing compliance and records management and information governance for them, so I stepped in to fill in on their data classification policy, their email retention policies, and their privacy policies. It's a multinational conglomerate, so they're always going through mergers and acquisitions, and so a lot of policy work that was being done and folding in some of the sister companies into the greater governance plan for Viacom's. I worked closely with that group, and then I got this great opportunity at Farmer's Insurance where I was for the last few years before I started my own company. I began working there originally under the, I believe it was the business improvement group or the project management group, and very quickly we realized that this was something that needed to, this program that I was tasked with, needed probably to be under a compliance arm, so we quickly realigned and restructured that group under that compliance discipline. We started moving forward on a roadmap which would essentially define our information governance policy, and I stayed there for quite awhile right up until the point the California Consumer Privacy Act came into effect. Then I, something very interesting happened in my life. I was invited by a colleague of mine in Brussels to what he called the Olympics of Privacy. I thought that that was kind of a branding gimmick for the organization, and so my wife and I decided to make a trip out of it. She'd wanted to see Paris for her whole life and I said, "Well, we'll just hop over there after Brussels." But little did I know that he had kind of made that up and there was really no Olympics of Privacy. There was of course a conference, a significant conference that ended up being a really watershed moment in privacy policy worldwide, but I got on the plane and I headed out there, and as I was heading out there, I tweeted, "I'm heading to the Olympics of Privacy," assuming that that's what everybody was calling it. I sat down in the hemisphere, which is what the European Union parliament building is called. There's two different hemispheres or parliamentary bodies, I believe. You sit down there and Giovanni Brunelli, who actually just passed a couple of weeks ago, gave this stirring speech about privacy and he kind of looked out across this kind of very disciplined group of compliance people, and also Tim Cook was there, Tim Berners-Lee who invented the Internet, so to speak, and when he concluded his speech, he looked out and I almost felt like he looked directly at me and he said, "And now let the Olympics of Privacy begin." It turned out that the IDCC or the privacy commissioner's group had actually picked up my tweet when I was flying over there and circulated amongst its members, so it was kind of serendipitous that it ended up being part of the opening keynote for this 40th conference. But it was quite an event and it's something that kind of put me on the path that I am right now with my company Compliance and Privacy Partners. MP: That's fantastic. What an amazing moment that must've been, just sitting there and hearing him say that. You just mentioned it was kind of a watershed moment for those in compliance and privacy. Why do you think it was? RM: Well, the reason I say that is because the conference came about a year and a half after the GDPR law, the General Data Protection Requirement went into effect. Tim cook actually spoke at the same conference. Tim Berners-Lee was there, the King of Spain and it was essentially the launching of this very powerful law, which we see constant headlines. I think the Wall Street Journal ran an article just yesterday on privacy. It seems like it's always in the news, and this was in some ways kind of the kickoff or the message that Giovanni and the rest of the data commissioners were sending to the world, to say that we need better policy around privacy and it begins now. That really was the big event, and I think having all the commissioners from the 28-member use states and so many international people there, it really solidified this message, which is now being discussed all over the world from Asia to right here in California where they've passed a pretty comprehensive consumer privacy law. MP: Speaking of that, as a resident of California, you're ... and a privacy expert, you're familiar with CCPA, and the other day you were sharing with me, Rafael, a story about your experience interacting with the State of California and their records retention process. I think when we as consumers or at the organization level, we see and read about CCPA and we're thinking about the implications to us as professionals, as business owners, as well as consumers. It's sometimes nebulous to think about the implications to us as individuals. Would you be able to share your experience? I think it really gives context to the legislation not only as CCPA, but the statewide legislation and broader privacy legislations and why they're vital to consumers and not business detractors. RM: I mean, privacy by nature is personal and it's really served to drive home the point about information governance and data security and all of these tangential type of issues because people have personal connections with privacy. It's something that brings out areas of our lives that really hit home. When we're talking kind of about these existential issues with records or data governance, they're important, but how does it really affect me? I do have a personal connection with the State of California. I believe it's now sixth or seventh largest economy in the world, but even when I was born back in 1977, it was a very large bureaucracy. I was a late discovery adoptee, which means that I didn't learn until very late in life, until I was about 30 that I had been adopted, and it was only a testament to the discipline and best practices of the State of California and their social services department that I was able to learn about my own adoption. I had actually written a letter kind of on the fly to the State of California and I had ... didn't know where I was adopted from it, but I was living in California, so I thought I'd give it a try. I sent this note to Sacramento, I believe, and then just like that scene from Back to the Future where Doc gets the letter 150 years later after? Well, anyway, I received a manila envelope, and in this manila envelope were 30 or 40 different records collected from various different medical groups and social services groups around the time of my adoption describing everything from the condition of my mother when she gave me up to medical issues pertaining to my birth. It was just eye opening, and I thought it was so remarkable, Megan, because if but not for the best practices and privacy standards of the State of California, I would not be able to learn so much about my own history, which of course helps me now that I have children because I can pass that information on to them. But if you think about it, it's really fascinating that this file or this set of files collected sat somewhere protected for 30-odd years, and the rules in place and the policies in place were effective enough to actually produce that document all of those years later. So I really have an appreciation for records management and the handling of governance and a lot of the policies behind what makes a process like that possible and stable, and so that's kind of, that was my own personal experience with records. MP: Is that what led you to do what you do now with the consulting practice that you lead? RM: Yeah. Well, I mean, it certainly did, and I've also like many people had other experiences related to my own privacy, the privacy now of my family, but that was certainly a big event for me about 10 years ago. Again, I had worked with the HIPAA law for some time and also doing related compliance work before that, so it crystallized around the time of the 40th annual conference that I went to in Brussels and definitely was a watershed moment in my own life. MP: Thank you for sharing that. I hear about this regulation and legislation, but when you put a personal story to it, we understand why this legislation exists and why organizations need to take it seriously and need to follow the best practices to ensure secure records retention processes. RM: The California Consumer Privacy Act in some ways is really an extension of those best practices, and here you see California leading the way in developing those protocols, really recognizing very early on that consumer data is very critical. I mean, 20 years ago it was health data and that's still important, but also today and with the cybersecurity issues we have, the data breaches, the ransomware, financial information is now becoming paramount, and that financial information and consumer information is really a key to allowing criminals to exploit other avenues, and not just that, for corporations to abuse personal privacy. But when I look at the CCPA, I like to look at the opportunity of it and I think if you look carefully, the CCPA is quite a blessing. I mean, it doesn't need to be a burdensome requirement on corporations. First, it helps reduce expenses and monetize the information life cycle because you have a better understanding of what's under the hood in your company. Second, it presents opportunities for better governance to avoid those fines and also litigation exposure, and you see, especially with information governance teams coming into address CCPA or kickoff and run the CCPA projects, there's a focus kind of not just on checking the boxes on compliance, but taking another lap around the litigation exposure that you have when you don't properly manage those records and retain them properly. And then finally, as you were mentioning earlier, it's really fosters that trust and enhances the customer experience because the more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other. MP: Thanks, Rafael. I think that's a great point. When you look at the CCPA, what is your opinion of it? RM: We're looking at a January 1st kickoff of this law and it's going to look back 12 months. It's pretty comprehensive. I think the challenges are going to be in terms of how companies adapt to them, and I think it's very vague in terms of guidance that we have right now. If you are the type of company that is making over 25 million in revenue or meeting some of these other requirements, you're looking at a significant investment in a project to overhaul your data landscape, and so although it does seem like the law is clear cut, what's not clear for many companies is how to execute on a plan to reach compliance. I think as we go into the next year we'll get additional guidance from the attorney general on exactly what companies need to do, but you're familiar with compliance and if we look at organizations like the Department of Insurance, sometimes it takes years for this type of stuff to be worked out. It may be in some cases there's a little overkill on some of the projects, and in other areas companies may not be doing enough, so we'll really have to see what the state attorney general does in terms of the enforcement actions, and I think that that will ultimately guide companies in tweaking their existing programs. I also don't think a lot of companies have jumped on board yet and they're waiting for some enforcement to take place, so there's probably a second and a third wave of enforcement, but overall I do think it's a good comprehensive first step. I think your listeners would really be interested in seeing how this legislation took shape. It originally began as a ballot measure, and quickly the social media companies and big data companies got in because they feared that it would be a little bit too restrictive. That article I mentioned in the Wall Street Journal actually just spoke about how they're actually running ads on social media trying to tamper down the law itself now because they're concerned about its impact on business and marketing. MP: Hmm. That's interesting. I have another question for you in regards to CCPA. We've been talking a little bit more about how it applies to policy management, but you mentioned to me the other day it does have implications to vendor risk management. Can you share with the listeners why that may be? RM: Yes. It's interesting you bring that up because we're living in a cloud-based world now, so the data isn't just on premise. In many cases it's in the cloud or in a variation in the hybrid cloud, and that has serious implications for the CCPA because under the CCPA you're not just obligated to take care of and provide data from your own systems, but those that are managed for you, including software as a service and repositories like Box that are kept offsite. So from that standpoint, third party vendor risk is critical and it has to start being baked into the overall compliance process. That means you need to identify vendors and service providers that are impacted by the CCPA. If that personal data does exist with those vendors, you need to be able to perform a contractual review to validate compliance based on those requirements, and you need to document your approach to all of these contracts versus attestation, which is another approach, another avenue that certain companies are taking in making their service providers attest to certain quality control measures that they've taken for their data. But beyond that, you have to establish plans to engage those vendors for contractual changes because these laws are going to continue to get modified and change. You need to establish a controlled and timeline for the completion of attestation questionnaires, which you may provide to them. All of those processes and controls related to your third party vendors are critical again because they collect that data, so companies need to be mindful of what's outside their walls as well as what's within them. MP: We're going to switch gears because I know you recently wrote an article in a publication regarding best practices for privacy and policy management. Would you be able to share a few of those tips with us today? RM: I've been looking through this actually because the more I think about it, there's not one silver bullet when it comes to preparing data for an information governance strategy. IG is essentially a multidisciplinary type of approach where you're essentially gathering the best minds around your organization to make decisions about data that are not in a vacuum so that they'll be longstanding and support longterm strategy. But even if you check all the boxes on CCPA, Megan, it's still not going to prepare you for the overall needs that you'll still be subject to for so many of the other laws, including HIPAA and Sarbanes-Oxley and so many, so I put together a list of initiatives where you can have some quick wins. I would say definitely learn how to automate your records retention schedules. There are thousands of records subject to thousands of different statutes and regulations. It's not enough to get a cookie cutter or a templated retention schedule. Really need to look into what types of records you have and then see how best you can automate that with research that feeds into you and tells you if the laws have changed rather than periodically making those reviews, which can be quite cumbersome and expensive, especially if you're hiring outside counsel. The second tip I would mention is I call it covering your assets, but really it's getting ahold of your enterprise architecture landscape, and in many cases, companies already have a lot of these resources at their fingertips so it's a matter of getting the right people in the room, in this case, taking your retention or records management people and introducing them to your enterprise architects and your IT groups so that you can really get on the same page around retention and assets and know how to protect the paper as well as the digital information. There's a lot of great tools out there now that can be leveraged for both of these cases, especially with CCPA or GDPR. It's not enough to know where this information is. You need to know how it flows upstream and downstream in particular when you're deleting data that may have unintended consequences on some of the systems that you're working with. That's that second piece. I also would say that companies need to be careful and methodical around their legal holds because as they're destroying or cleaning up data, they could run afoul of litigation or court orders and then end up with an adverse inference ruling or an accusation of spoliation, and that can of course lead to terrible reputational damage. Then there's some other tips, too. You can find them in the article. One being activating file analysis tools. Companies just don't realize they're just junking up their environments and their shared drives and their SharePoint and their Boxes and their Dropboxes with a whole lot of material that doesn't need to be there, but it's almost impossible to tackle it with a manual effort. There's amazing tools out there right now that do the file analysis for you, and while you're getting rid of the junk, you can also identify personally identifiable information or other vulnerabilities. Just kind of taken all together, it's more of a holistic way of looking at the data in your organization and making a commitment to really having a more holistic and healthy approach to the stewardship there. And then finally, the best practices piece in terms of policy. I mean, policy management is the backbone of good information keeping, record keeping, and records management. It's policy that ultimately governs and guides all the practices that our companies do in which they will ultimately be judged and regulated on. The regulators almost always go immediately to the policy to see if the company is putting its best foot forward in executing on what it says, and so I think good policy management systems are critical to that effort. MP: Thanks, Rafael. Where can the listeners read more about not only this article for data preparation and a new regulatory climate, but also, I know you have a book called Tomorrow's Jobs Today, which is advice and insights from thought leaders around a variety of things including privacy. Where could folks learn more about this? RM: Folks can come straight to my website, which is just my name, rafaelmoscatel.com. There's links to a lot of this content and my company Compliance and Privacy Partners, as well as the book, which comes out next year in probably January or February, which is a set of interviews actually with thought leaders in privacy and policy, Internet of Things, AI, and those types of subjects. If they visit that, they'll definitely be able to find all the links to the resources I mentioned. MP: Fantastic. Along with a passion for privacy and compliance, you have another interesting interest, which is filmmaking. I could be stepping out of turns here but Rafael, were you a theater kid growing up? Did you participate in front of the camera before you took an act into filmmaking? RM: I had a couple little dalliances with that prior to one film that I made a last a few years ago. My father was close with an actor many years ago. His name was Michael Landon, and so I ended up being a child actor for a very, very brief time on Little House on the Prairie. After that, some years later when I learned about all of this adoption, I discovered that my biological parents were entertainers. The only problem was with that was my grandmother never received an obituary, and so I felt very strongly that she should have some type of honor or memorial. So my wife and I set out to make a film about her. At the time I was working for Paramount Pictures, and the VP of intellectual property there told me I had to proceed very carefully because there was so much copyrighted material, it would be difficult to make a story about our life. RM: So he connected me with Stanford's Internet Society and I received a grant from them to do all of the legal and fair use work, which made this film possible, which I made, which was called The Little Girl with the Big Voice. It's the story of a radio star from the 1930s and '40s who kind of hit it really big and then drifted into obscurity as the years went on and kind of exactly how that happened. That was my foray into that, and I ... it was kind of fun because I got to use my knowledge of archives and records management to kind of support the film. MP: Where could the listeners check it out? RM: It'll be on iTunes likely this Christmas as well as YouTube, Vimeo, and probably in a hotel room somewhere. MP: Well, fantastic. Rafael Moscatel, thank you so much for joining us today on GRC & Me. RM: It was a pleasure, Megan. Thank you for having me. MP: And thank you all for listening today. If you're interested in learning more about how LogicGate can operationalize your GRC and privacy program, visit our site at logicgate.com. And until next time, this is Megan Phee with GRC & Me.

Reports

G2 Fall 2019 Grid Report for Top GRC Platforms

LogicGate is the highest ranked GRC software and leader on the Fall G2 Grid Report.

Podcasts

GRC & Me Podcast: Bryan Graf on Cybersecurity as a Positive Business Driver

Bryan Graf, Senior VP at Abacode, joins GRC & Me to discuss cybersecurity. With more than 12 years…

EPISODE NOTES Top 3 Quotes “Ultimately, you wouldn't go through any of these assessments unless it's driving business.” “You don't want to be more secure just so you can be more secure, it's got to be a part of your overall business plan.” “You have to start looking at this as a positive business driver instead of something that is just a line item that costs money at the end of the year.” Resources: Connect with Bryan on LinkedIn Abacode Cybersecurity Website Abacode Cybersecurity LinkedIn Abacode Cybersecurity Twitter Abacode Cybersecurity Facebook Tampa Bay Dalmatian Rescue Show Transcript BRYAN GRAF: Everyone understands that there's security risks and there are bad actors out there trying to get the data, but they have no idea even where to start. "Do I start with endpoint protection? Do I start with SIEM and ESOC? Do I start with a risk assessment, a penetration test?" You need all of these, but what order do you do them in? HOST MEGAN PHEE: Hi. I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends and more. Learn about your methods, solutions, and outlook in the space. We have a very special guest with us today. His name is Bryan Graff, and he's a senior vice president of Abacode Cyber Security. Welcome, Bryan. Thanks for joining us. BG: Thank you for having me, Megan. MP: All right. So today, we're going to talk all about cybersecurity. But more importantly, I want to just know more about your journey. So if we could just start off by giving us a little background about yourself. So, how did you get to where you are now? BG: I started off my career at KPMG in IT audit, helping organizations get through Sarbanes-Oxley assessments. IT audit was still relatively new at that point. It was kind of tacked on as a component of financial statement audits. And after Enron and WorldCom, the federal government put more regulations on publicly traded companies that not only required them to shore up their financial statements and assure that those numbers were correct, but also that the systems that information was hosted on also had security mechanisms to make sure that overall the financial statements were correct. So from that organizations, then quickly realized that, "Well, a lot of my data is not on my systems, it's on a third-party system." So audits had to be completed on third-party systems so that publicly traded organizations could then sign off saying that my data is secure, whether it's on my system or not. So from that, SAS 70s were born out, which were control assessments over organizations that are third-parties with access to financial data. That expanded into nonfinancial data, which is where SOC 1 and SOC 2 came from. So for nine years, I spent my time doing assessments and then managing and building divisions to do assessments for SOC 1, HIPAA, ISO 27001, PCI. Our firm grew into pretty much every type of third-party assessment you could do. After those nine years, we started to realize... or I started to realize that these companies that were requesting these audits were not ready for these audits. They were being requested to go through these assessments by their customers, but they would get the list of requirements and they were nowhere near ready. So I kind of switched from doing the assessments, I say, "Going the prosecution to the defense," and I helped the organizations get through that audit and put in their GRC programs. Now, I was just doing policy and procedure, and I was documentation and compliance. I was approached by Abacode a little over a year ago because they had kind of the same roadmap where they wanted GRC as a component or really driving all of their services. So I took my knowledge of GRC and helped them build packages so that an organization going through a SOC 2 or an ISO 27001 for the first time, that has very little in terms of security and compliance maturity, instead of having to pick 10 or 11 different security services that they may need to pass an audit, now they're just purchasing SOC 2 readiness assistance, ISO 271 readiness assistance. So that's how I landed here at Abacode, basically infusing security into GRC because that's the driving force of organizations implementing security services. MP: Yeah. Great. As you've seen client security needs evolving over time and over the last few years, what trends are you witnessing today in regards to cybersecurity? BG: Well, the attacks are getting more and more sophisticated. It's no longer just a 15-year-old in the basement trying to hack into your system just to see if they can. These are state-sponsored organizations. These are large criminal organizations that use a variety of techniques to get into your systems, steal your data, and get credentials to your systems. So now, we see coordinated attacks where an office will be broken into, a laptop will be stolen, a phishing campaign will begin. All this is coordinated. It's not just one person doing this. So if the attack is on multiple fronts, you have to have a robust security and compliance program in place that already has some mechanisms in, already can predict, and prevent, and detect cybersecurity attacks. MP: Great. Bryan, in working together, I've heard you talk to your clients about different compliance standards from that GRC perspective. So, how can a company understand and identify which standards apply to its own situation? BG: The easiest way to determine is what are your customers asking for? So your customers will bring you requests for, "I need you to have a SOC 2 assessment." Or, "I need you to be ISO 27001 compliant." If you've never heard of those before, and there's a pretty easy way to determine what standards apply to you. If you have a publicly-facing web application and you are hosting customer data, if you bring in, if you transfer, or process, or store customer data, you more than likely need a SOC 2. If you are going to be doing business in Europe or anywhere outside of the U.S., basically, at some point, an enterprise customer's going to ask you for ISO 27001. If you are dealing with healthcare data in any way, more than likely you are under HIPAA regulation. If you store, process, or transmit credit card data, you are subject to PCI. So it really depends on the industry you're in, the data that you process, store, and transmit, and whether you are acting as a third party for another organization. If you're B2B, you're more than likely under a lot more regulation than B2C. If you are a government vendor, you're probably under even more regulatory compliance requirements, but it really depends on the industry you're in and the data that you're dealing with. MP: Mm-hmm (affirmative). Working here at LogicGate, I often hear customers want to comply with FedRAMP and we hear that often, whether they're seeking to be FedRAMP approved. Could you share with our listeners kind of the Reader's Digest version of what is FedRAMP? What does it mean for organizations? That would be great. BG: Sure. So FedRAMP is a program started by the federal government to streamline the process of approving a service for a federal agency to use, an internet service or a web application. So if you were a government agency and you want to use a payroll application, well you can't just sign up for any payroll application. That data needs to be protected in accordance with FISMA. So if you are using a third party or if you're a federal agency and you're using a private business application, you have to ensure that that application has the same safeguards as your internal government systems and networks. So FedRAMP was a way for an organization to go through an assessment at one time and then they could sell their services to any federal agency. So prior to that, if you had a payroll service and you got approved by the EPA, you would have to go through a separate process to get approved by the FBI or whatever other agency there was. So that made things almost impossible for anything other than the largest enterprise organizations because it's a very intense process to get approved by federal agency to sell your services, especially if you're housing their data. So FedRAMP was an attempt to streamline that. I would say by streamline, I'm doing air quotes right now. It still is by far the most intense, arduous assessment process there is out there. If you think you want to go through FedRAMP, you are probably not ready for FedRAMP. FedRAMP requires intimate knowledge of NIST 800-53 of the FedRAMP and process, the agency procurement process. It's not like any other assessment out there. Most audits are just a test. A proctor comes to your office, and they asked you questions. They ask for evidence. You pass, you get your report. FedRAMP is not like that. There are multiple stages. You need an agency sponsor. If you do not have a sponsor, you have to go through what's called the PMO route, meaning the FedRAMP PMO office itself and a trio of agencies will review your security package and make sure that it complies with all FedRAMP standards before you are given what's called an authority to operate, meaning that you are now allowed to sell to federal agencies. It's usually an 18-month process, and I've seen articles stating that the average cost by the time the organization has done is usually about $1.5 million. So I've joked several times that I talk companies out of FedRAMP as much as I talk companies into FedRAMP. Because it is a substantial investment and if you don't already have an agency sponsor on the other side waiting to buy your service, you're taking a very large gamble by going through this process. So I would definitely do your research, talk to 3PAOs. A 3POA is a third-party assessor organization that has been approved by the FedRAMP program to do the assessments. I started one of the first FedRAMP 3PAOs over at Schellman back in 2015, but you really want to make sure that, A, you have the business and you have the internal commitment from management and the budget to go through FedRAMP. Because it's going to fundamentally transform the way you do business. MP: Well, that was great. I was just going to ask you before they go down this journey, what should customers be doing internally before they seek outside counsel? So you mentioned make sure that the budget's allocated, stakeholder involvement, anything else that you think that folks should do to get their house in order before they go down this journey? BG: Well, if you've never been through any type of assessment before, you definitely don't want FedRAMP to be your first type of assessment. If you're required to undergo FedRAMP by an agency that you're already servicing, more than likely you're under some other sort of B2B compliance requirement, be it SOC 2 for some of your other customers. So I would at least look other avenues in terms of, "What can we do in terms of compliance to drive business before undergoing FedRAMP?" Because it's basically like skipping kindergarten, high school, college, and going straight to surgery medical boards. It is the absolute hardest test you could possibly take. So you probably want some practice first, and there's probably other things you can do first. Because ultimately, you wouldn't go through any of these assessments unless it's driving business. Security is a great driver for compliance, but really you don't want to be more secure just so you can be more secure. It's got to be a part of your overall business plan. This has to be a positive driver and FedRAMP can be that, but you have to be in the right position for that to be the case. You already have to have relationships with the program managers over in these federal agencies. Have you talked to them? Are they willing to sign a letter? Are they willing to officially sponsor you? Are they willing to sign an agreement or even a purchase order with the stipulation that you will undergo FedRAMP in the next few years? There are ways around... not around, but there are ways to navigate the assessment process to do it in an intelligent manner. You have to engage the agency. You have to understand why you are doing this and whether it's worth it. MP: Great. So how do you help in your role today at Abacode? How do you help customers navigate this? So once they've identified the standards that they need to implement or they understand FedRAMP is a journey that they need or want to take within their organization, how do you help them with that? Do you help them in the beginning to do that research, or where would you say you are value for customers in the market is today? BG: Well, we would want to do a pre-assessment first, and make sure that you have even the lowest baseline of security mechanisms in place, and that it's possible for you to put in the additional mechanisms to make sure that you comply with the NIST 800-53 control requirements to pass FedRAMP. So that initial pre-assessment is vital because you don't want to start down this path and realize, "Oh, I can't put in this patch, or I can't implement this encryption protocol because of the way my system is built." So either you build a completely different system or you just wasted that last three months before you got to that control that now you cannot implement. I do want to say that FedRAMP, it is a baseline of controls. That means you do not need every single control in the moderate baseline in place. You do have to document why a certain control isn't in place. Maybe it's not applicable to specific system or your service. Maybe you have a compensated control. So just because you can't do something NIST 800-53 is telling you to doesn't mean you can't go through FedRAMP, but if you hit three, or four, or five of those, then you have to start taking a step back and thinking, "Okay, do I want to completely overhaul my infrastructure or is this maybe something I maybe shouldn't be doing at this point?" So that pre-assessment is the first step. You definitely need someone who has gone through this process before. I'm going to keep harping on it, but it's not just implementing security mechanisms, and policies, and procedures. It's a complete process. It's a procurement process. It is a relationship process between the agency and between the FedRAMP PMO. There's a lot of back and forth. Government agencies can throw you curveballs. To have someone that's been through that process before is completely vital. You will hit speed bumps, and you will find yourself in very uncomfortable situations. And then you'll be so deep into the process, it'll be hard for you to turn around if you don't have somebody that's been through this process several times before. There aren't very many of them because there's only been a few, maybe 200 and something organizations that have even gone through FedRAMP. So the number of personnel that have successfully seen an organization through this process is still a very low. MP: Yeah. You hear it often, but I think those numbers kind of bring it home to think, "Is this important now in the journey of a customer's experience or in a company's organization's experience?" I love that you mentioned, Bryan, don't go at it alone. So make sure that you have a plan in place, you have resources to support you, resources who have done it before. So thank you for sharing that with us. We talked through what a company should be mindful of in regards to cybersecurity at trends and evolutions over time. We've talked through compliance standards, ways to identify what's applicable for your business, and then we talked a little bit about that journey of FedRAMP, and what to be aware of before you go down that path, and how to successfully navigate the waters. So, Bryan, anything else that you'd like to share with our listeners today in regards to GRC best practices or cybersecurity trends? BG: I would definitely look at GRC as a part of the way you do business instead of something you tack on at the end because somebody asked you to or because it's a part of the audit. Once you start to understand the GRC process, it definitely helps in terms of implementing IT security and IT operations. As you grow as a business, these decisions become harder and harder and they multiply exponentially in terms of, "Okay, now you have to expand. Are you going to the cloud, or are you staying on-prem? Are you virtualizing? Which SIEM service are you going to use? What endpoint protection are you going to use?" All of these questions, they're going to pop up whether you have a program to handle them or not. If you are just dealing with them as they come along, you're definitely going to make mistakes and implement security mechanisms that don't work with your other security mechanisms. And you're just trying to keep your system going at that point. To have management commitment to that, "Okay, we're going to sit down at the executive level every quarter or every six months and say, 'Okay, where are we at? Where are our biggest security and operational risks? Where do we need to focus our attention?'" That's always the start of a proactive and effective GRC program, which eventually will affect your business in a positive way because your customers will eventually be asking for this way if they haven't already. If it's already there, then that's a market differentiator. You have to start looking at this as a positive business driver instead of something that is just a line item that just cost money at the end of the year. If you do it that way, then yeah, that's all it's going to be. But if you use it to your advantage... Your competitors are still struggling with this. So if you're the first one to stop struggling with it, you look a lot better than them. MP: Great. Thank you, Bryan. So thank you so much for your time with us today. I have one last question. We know that you are a cybersecurity expert. You're a GRC guru. You've been a really great tactical resource on the call today with our listeners or on the podcast today. But we also know you're an avid dog lover, so we'd love to talk a little bit about your work with dogs. I know from working with you, you foster dogs from time to time, but tell us a little bit about that. Like, what led you to have that passion, and how do you work with dogs today? BG: Sure. So I work with an organization called the Dalmatian Rescue of Tampa Bay. I don't know why it's called that. It's not specific to Dalmatians at all. But we take in dogs from high kill shelters and place them with foster homes basically just to get them out of the shelters, to give them time to get adopted. So there is an epidemic in a few different states to where there just aren't enough, especially in rural areas, there are just more animals than there are shelters and kennels. So we have a lot of volunteers that will drive and fly dogs from Georgia and from other states all the way down to Florida. We have a network of basically foster homes that we place dogs in. So I'm just a foster parent, so I just take dog every month or so. I have the easiest job. My volunteering is basically I let a dog crash on my couch for a few weeks. MP: That's great. BG: So the organization is great. They put the dogs up on the adoption websites like Petfinder and Adopt a Pet. It's been great. I think I've had my 11th dog fostered and adopted about a month ago. I'll be getting another one, probably the next three weeks, trying to figure out my travel schedule so that that works out. If you are interested in it, I had a few reservations when I was first starting. I was like, "Well, what's going to happen if the dog never gets adopted or if I get attached?" It's easier than you think. I think I got to say it's probably the easiest community to serve as you could possibly do. MP: You're providing a whole nother level of security. Right? BG: Right. Yes. MP: Yeah. Fantastic. Well, Bryan, thank you so much for your time today. Keep up the great work on the cybersecurity and GRC front, and thanks for your work with dogs.

Videos

[Video] Controls Management with Risk Cloud

LogicGate’s software provides full visibility of your controls in one responsive toolkit.

Podcasts

GRC & Me Podcast: Donata Kalnenaite Talks CCPA

In today's episode, Donata Kalnenaite joins GRC & Me to share her expertise concerning the California Consumer Privacy…

Brochures

Controls Compliance Solution

Automate and Scale Your Controls Compliance Program

Podcasts

GRC & Me Podcast: Neil Watkins and the Concept of Defensibility

In today's episode, Neil Watkins, co-founder and Chief Operating Officer of Asureti, shares his views on the necessity…

EPISODE NOTES Top 3 Takeaways Defensibility is the ultimate concept that everybody drives to—whether they say it out loud or not. In the security landscape we see today, there are many opportunities for improvement. Even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data. Resources Asureti Website Connect with Neil on LinkedIn Show Transcript [Host Megan Phee]: All right, Neil. Thank you for joining us on today's podcast of GRC & Me. So let's first off tell me more about Asureti. [Neil Watkins]: Sure. Asureti is a company focused on SRCP. In fact, we built Asureti because in the marketplace, we couldn't find anybody who uniquely covered all those concepts. We found many companies who actually proclaimed they could do GRC, which is just typical governance, risk, and compliance. So we've developed a concept called manage assurance. So we do it in an advisory role, an operational role, but we basically provide our services who either can't, don't want to, can't afford to insource it, or simply just want the output from it. [MP]: And in your introduction, you mentioned the acronym SRCP. So can you share what is that, and how does it differ from traditional concepts within GRC? [NW]: Sure. For many years, the GRC has been simply governance, risk, and compliance. We found that through our practices, there were many missing components to that framework going forward. Security, risk, compliance, and privacy are the four acronyms used to make SRCP. So the inclusion of the security practices, which had been long since isolated, but overseen by compliance functions and directly feed to risk, were still allowed to live in a silo to operate a little bit freely from that process. So we believe its inclusion into the acronym and to the practices was key. And as we continue to move forward into the future it has to be included as a forefront thought leader, and a process of which must be adopted to these organizations. I want you to think about like in a military concept, where they have the concept of what's called sectors of fire. So in other words, each person had a unique landscape, but they also overlapped at the same time. And that's the same concept of that, where everybody would look out into their landscape, cover their area of visibility, but no one concept covered them all. Well the SRCP concept creates that horizontal layer that allows the practices to operate efficiently, in concert with one another, both taking in the feeds and the inputs, and providing the feedback from their own skillsets, and operate in a much more effective way for organizations if they employ them in that manner. [MP]: And do you find that organizations have a solid strategy around the principles of GRC today? [NW]: It's ironic that both in public and private companies, the answer to that wants to be yes. But in the landscape that we see out there today, there are many opportunities for improvement. So when it all kind of starts down with the mandate of operational governance, we find that many don't employ that in an effective manner, or sometimes often at all. So when it comes down to how does a policy read, or is it even a policy, we find companies sometimes don't even want to use the word policy, because it specifically gives some organizational, cultural affect to their people, that they have to behave in a certain manner. So they find it to be too restrictive in a business environment, that has to be adaptive, free-thinking, fast, and growing at a rapid rate. So policies in that framework seem to be restrictive. So there seems to be a hesitance out there, even though it kind of makes sense for them to exist. Because that governance framework is what companies use to rely on how they operate. Each individual looking at the horizon, operating independently, can come back to that common set of rules and say, “Am I doing my job effectively? Am I doing it within the guidelines provided?” Sometimes, “Am I doing it safely?” Some of those questions are answered by that governance structure. But ironically, sometimes it still doesn't exist. But without that cornerstone and that mandate, the programs around data protection, or the security, risk, compliance, and privacy that I spoke about earlier, are ineffective or non-existent as a result. Because even though individual departments will run around, trying in good faith to execute their skill craft on behalf of the organization, the lack of mandate prevents some of its growth and effectiveness as a result. Well when it comes to certain things like this, the organization has to employ legal regulatory oversight. Risk, compliance, privacy, operations, executive management, and the security team have to function to provide adequate protection. Without the governance establishing that requirement, it often doesn't get done. [MP]: And so you talked a lot about the landscape that an organization should have. So, what are the functions, or organizational pieces that need to be in place in order to achieve this? [NW]: Sure. When I talked about it just a moment ago, and I briefly overlaid them really quick is, you have the legal department. The legal department is key for understanding regulatory requirements, interpretation of commercial effect, in other words the contracts you sign that say you have to do certain things, and the understanding of any kind of mandate the organization must find. The risk organization, whether it's formal or informal, is the process of identifying what risks to the strategy of an organization exist. And the reason we talk about all of these in a concerted fashion is, they all feed into an element of risk to the operation. So it can be risk to revenue, risk to growth in a strategy, risk to strategic enablement, risk to the existence of an organization if absolutely done right. And the other one, the cornerstone of that is a compliance function. I know compliance has a kind of a mixed feel for it within an organization about what it is. But it really is the entity who's responsible for making sure that what we are supposed to do is being done, and being done within an acceptable level according to what we said we were going to do, or with what a regulatory framework says you must do. And of course, you have the privacy group on its rise to the organization now, because people, individuals and their data are becoming more aware of where it lives and what's being done with it, and they want to make sure that there's an element of control and adequate protection. Operations of an organization in its generic form, those are the ones out there trying to execute the strategy, tactically employing these things, moving information along. They are a cornerstone to this as well, because it's not unheard of for them to move at the speed of business, and sometimes forego their requirements for adequate protection or compliance and everything else, because the most cornerstone of their job is to enable the speed of the business, and the growth of whatever their strategy is. And of course, technology and security teams, where they're a last part of that. So technology drives how the mission is done in most companies. So they are strategic to that, and the security team is the one who's wake up every day in a vigilant fashion, to find ways to use technology to make sure that what we said we were going to do, what we need to do, and of course at its cornerstone, what they feel compelled must happen, gets done in a unique way. So those cornerstones are legal, risk, compliance, privacy, operations, executive management, technology and security teams. Listen to the complexity and number of participants in a simple design of adequate data protection. Sure. Good enough is the concept that I use to describe what we should aspire to do. There are many people out there that believe it's all a nuisance and a drag on operational expense to an organization. I will do this with the minimum amount of effort and spend necessary, because I must focus on driving my company's strategy, profitability, or non-profitability if that is the case. The other out there think in a lot of ways, that they must do it to the best of their ability at all times, every day. And that is what you want to employ culturally, but the reality of all that is, if you do everything with the most expensive, most time-consuming, most focus, it will be an effective program until somebody simply undermines a common principle. We see this happen all the time in the headlines, where somebody will spend millions of dollars on a security function. And yet they're breached and people are wondering, how did that happen? Well that just kind of shows you the adversary's willfulness, their discipline to approach, and everything else in some of those cases. So here you are, the operational leader of the organization says, “I spent millions of dollars and it still happened.” How does that occur? Well, it occurs because perfection was never the goal. But to understand where the threats may be, to prepare for adequacy on that, to look at it and understand the risks of it, and to continuously prepare to harden that response really is the goal from that perspective, that leads to that good enough principle. And in the end, it is the combination of an organization's risk appetite, risk understanding, landscape, financial wherewithal, and operational constraints that will create good enough. [MP]: All right. Thanks for sharing that. And you, you've also mentioned in discussions kind of this concept of defensibility. So can you share, what does that mean for organizations in practice? And what should they be thinking about, whether it's in terms of preparedness or potential consequences to their organization? [NW]: Sure. Defensibility's kind of the ultimate concept that everybody drives to, whether they say it out loud or not. You have to think about anything that you're going to defend the decisions that you made. So that is kind of the root of defensibility. Did we do it, did we do it right, and did we do it adequate will always be the question, either as an assessment factor, or as after-effect of something unfortunate happening, a business disruption, a loss of data or key information. Again, it doesn't take much to grab from a headline that you look out there and see massive amounts of data were lost in the most simplistic of ways. And then at the time, the organization tries to go back like we do so many times, and recreate why it happened. And then they find that it's a simple failure of things. In the world of this complexity, and when I talked about all these things working in a concerted fashion, something like that is always bound to happen. It doesn't make it excusable, but it makes it a realistic approach to all of that. So the defensibility is the idea around some key components that I'm going to spell out, that prepares an organization should it go through this, to say these key things. So even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data. The speed of business drives it, change and evolution drives it, all kind of things. But if I'm looking at it from as a core component, I have the governance in place, I have the right assignments and I have the right team engaged, that's kind of the first pillar of all of that. But when you asked about the landscape out there, I would argue that still companies struggle with that, because they don't understand the importance of it. And you hear the cliché of, well nothing bad has every happened before. Well nothing bad happens until it does, and that this kind of opportunity and this kind of approach prepares you for that moment should it ever occur. And quite frankly, even if it doesn't, there are some things out there that say you really must do this. And it was ironic that the Department of Justice had released some recent documentation over these things, and it's really ironic that they talk about the effects of a disciplined operating compliance program. And I'll read the three things that they talk about. It says, "Is the program well designed? Is it applied effectively? And does it work in practice?" The concept of defensibility covers all of those. With good governance and strategy that you have around these programs, overlaying it with a horizontal function that allows them to be seen uniquely, and then steps of defensibility I measured out a moment ago, would uniquely answer all of those questions, as is part of the normal operations. [MP]: That's wonderful. Well, thank you. So Neil. You shared with us some really great concepts there, around SRCP, the landscape organizations should be mindful of, the concepts of defensibility. Anything else that you'd like to share with our listeners? [NW]: Yep. The last part is, all of this seems to be very daunting, large, and effective. And as a result, most people don't even start. They use that as the barrier to their success, or the fear of their success in that regard. My encouragement is, find technology enablers, like LogiGate out there, that are quick and effective to market to help you create that horizontal overlay and visibility into what's happening, and to monitor and engage at a very cultural level the willingness of it, the importance of it, the training to do so. And of course, the continuous assessment of are we doing it well against it? Because again, these things constantly change, but I hear more times than not, the barrier to this is either culture, speed of business, or the right technology enablers. Because it is so broad, those things can cause people to not start. Don't let that be the problem in all of this. One person, one department can make significant impact to all of these requirements if they simply just take it in a very pragmatic, risk-based, stepped approach. [MP]: Fantastic. Well thank you Neil, for sharing your insights and your thoughts with us today. We appreciate it, and stay tuned for another episode of GRC & Me.

Webinars

From Ad Hoc to Agile: Chart a Course for Enterprise Risk Management Maturity

Watch this webinar to hear from Michael Rasmussen and Szuyin Leow on charting a course for Enterprise Risk…

Podcasts

GRC & Me Podcast: Introducing Megan

In this short episode we’ll introduce you to our new host, Megan Phee. We are excited to have…

Videos

[Video] Policy & Procedure Management with Risk Cloud

LogicGate's Policy Management Software gives you the power to automate routine compliance activities. It's like having a personal…

Podcasts

GRC & Me Podcast: Alexei Sidorenko - The Most Controversial Risk Thought Leader

Today, we are excited to have Alexei Sidorenko calling in from Spain to discuss industry-specific risk methodologies. Alexei…

EPISODE NOTES Top 3 Takeaways Risk Management is not really a profession. It's a competency that should be part of most (if not all) degree programs. Most organizations have been disillusioned with the astrology version of risk management. Sometimes, even a little quantification improves the quality of decision-making significantly Show Highlights [01:17] Alex shares what the Risk Academy provides [03:02] How Alex got into risk [05:13] Alex's "controversial" blog [08:04] Methodologies, strategies, importance [13:52] What forces Alex to be controversial [16:16] Brilliant idea of dumbing it down [17:42] Approaching risk quantification [20:37] The real question: how complex can we go? [23:29] How and when organizations should approach quantification [26:00] An unrealistic fairytale based on averages [29:03] Cultural difference in risk management approach [30:00] Alex's predictions in the coming years [34:17] Final nuggets of wisdom Resources RISK-ACADEMY Connect with Alex on LinkedIn Connect with Alex on Twitter Prospect Theory: An Analysis of Decision Under Risk by Daniel Kahneman and Amos Tversky Judgment under Uncertainty: Heuristics and Biases by Daniel Kahneman and Amos Tversky Foundations of Behavioral and Experimental Economics by Daniel Kahneman and Vernon Smith How to Measure Anything: Finding the Value of ‘Intangibles’ in Business Probability Management Conference Monte Carlo Simulation Moneyball The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty by Sam L. Savage Show Transcript ALEXEI SIDORENKO: Risk managers, if they are willing, have the most amazing tools at their disposal to really change how organizations land, forecast, budget, and make decisions. HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski and this is GRC and Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends, and more to learn about their methods and solutions and outlook in the space. Today, I have with me Alex Sidorenko calling in from Catalonia, Spain. Alex is an expert in risk with over 14 years of risk management experience in private equity, sovereign funds, investment authorities, and venture capital firms across Australia, Russia, Oman, Poland and Kazakhstan. In 2014, Alex was named the risk manager of the year by the Russian Risk Management Association. Alex is currently director of Risk-Academy. Alex, welcome. Would you like to explain to us a little bit more about what the Risk-Academy provides? AS: Hi, Kelley. Thank you so much for having me. It's a great pleasure to speak to your audience. KS: Thank you. AS: Risk-Academy is a fun story. It started many years ago when I was still head of risk of one of the biggest venture capital funds in Russia, and I had this internal weird desire to share everything I do. So I created an online portal in Russian at the time, which shared all the templates, the methodologies, video recordings from the conferences, master class, so basically everything I did outside of my job. And that kind of continued as I later moved as the head of risk of one of the biggest sovereign funds in Russian. So the Risk-Academy continued and it's now the biggest risk management brand in the Russian speaking world. But about three years ago, I moved most of my IP in English and now Risk-Academy is the place where I write a lot of articles, where I do a lot of videos and I provide a lot of training sessions for either risk managers or the decision makers that want to apply risk tools to better make investment, or strategic, or operational budget decisions. So Risk-Academy, essentially, is the place to learn about risk management, but also, a consulting house that does a lot of work when clients request for it. KS: Close Wonderful. And I understand you have podcast episodes as well. AS: I do. I do. I think, as of as of today, I have like 300 plus articles, 400 plus videos, three books and something like to a hundred different podcast episodes. KS: Wonderful. What a great resource. Okay. How did you get into risk? AS: That's, I guess, a pretty typical student story. As many people in their early twenties, I had no idea what I wanted to do. So my dad was doing a PhD in chemical engineering at one of the best universities in Australia at the time. And he said, "My university has just started this new and exciting degree in risk management. Why don't you try it?" And just like any young student, I said, "Dad, I don't care, so I'll do it." And I signed up for this degree and it was- KS: That's great. AS: ... very hilarious because later, once we finished, we were the first ever undergraduate intake for the risk management degree. So we were the first ever bachelor's of risk management in the country in Australia. And it was kind of like, finally, because the university canceled that degree a few years later. So we were the guinea pigs in a failed experiment and I think the experiment failed because risk management is not really a profession. It's a competency that should be part of most degrees if not all the degrees at university. So it was it wasn't exciting start of the career realizing that you [inaudible 00:04:15] and the market doesn't really appreciate you being there. KS: Yeah, that's fascinating. And this was in Australia you said at Monash? AS: Good. Monash University. Yeah. And it's by pure chance that I have a second degree in statistics because I was so good at statistics. The faculty for statistics and econometrics kept sending me letters. Do a second degree in statistics. Do second degree in statistics. So I kept ignoring them for a year and then on the second year I, again, got really good marks for stats and I decided to do a second degree in statistics. I mean, thank God. Who knew risk management is actually about math as much as it is about everything else. KS: Yeah, I was going to say those really go hand in hand so I'm sure that serves you quite well. AS: Absolutely. KS: So one of the things that I really like about the content that you put out there, especially your blog, is that you claim to be the most controversial risk blog. What makes it controversial and why is that your goal? AS: That's a really good question and I mean I can't really say I have thought about it a lot. I think somebody said that it was controversial and somebody on Linkedin kept calling me controversial Alex or something. So I just kind of [inaudible 00:05:25] said, "Fine, I'll go with it." It wasn't necessarily the intention, but I guess the general observation ... I mean now in the age of social media, we, all of us, we can track engagements, we can track a lot of statistics on how certain messages get better or worse received by the audience. And I've been saying pretty much exactly the same thing for the last maybe 10 or 12 years. And the first seven years out of that last 10 have been pretty uneventful. I've been saying exactly the same message, but it just really wasn't widespread. It wasn't received as well. And I think when I kind of got sick of it and I started challenging and questioning some of the norms or some of the accepted practices in risk management and exposing some of the silly things that we do as risk professionals, still do, then I immediately ... It was really a no brainer. The engagement skyrocketed compared to your average mile, the friends [inaudible 00:06:29] everyone [inaudible 00:06:29] nice position. In the age we live now, I don't know why that happening, but it just makes perfect economic sense to do it, to be more controversial than not. I received dozens of messages every day saying whether they like or don't like something. Most people are still pretty shy so they send personal messages instead of just commenting under the article. And for every one message that I get from people who hate the format or the form in which I communicate and they find it insulting or they find it too controversial or too difficult to absorb, for every one person who dislikes the approach I take, I get like 10 or more people saying, "Thank you. Finally, we heard the messaging. It will help us get the message across. So even in that regard, even though a small ... and it's, it's by far the minority, small percentage of people very much dislike the way I present information. Majority of the people find this helpful. So again, even in this regard it works and everybody who claims it would have been so much better if I chose a much milder form of communication, that's actually not true. I mean, I've tried different formats and statistically speaking, this is by far the most engaging one. I guess in 2019, it's nice to be controversial. That's all I can say. KS: I agree with you. I like it. I think that risk and compliance right now is really ripe for some disruption and challenging status quo. So I think it's great and I just was curious, so thank you. Something else that I really like about your approach and I agree with and I want to really highlight on GRC and Me is that you encourage using risk for strategy. So what methodology do you recommend? How is it applied to strategy and then why is that important? AS: Yep. It's kind of funny. I was just writing another article on that topic just before we got our call. If we ask how old is risk management, people usually will divide into two kinds of camps. One will say risk management is ancient because that's what people did when they were building pyramids. And then the kind of camp, people would say risk management is relatively new. In the 70s and 80s, that's when the whole concept of GRC and ERM became more prominent. Well, in reality, I mean both of those groups are wrong because the modern day practice or theory of risk management and the science behind mismanagement, really started in kind of in 16th and 17th century when some of the mathematicians starting to quantify uncertainty and using mathematics to help them make decisions about future. These are strategic decisions, better investment decisions, better operational decisions. It doesn't really matter that much. The whole idea of using mathematics to make sense of uncertainty, which is highly complex, unpredictable by definition, is about 16th, 17th century. And we've kind of, we've lived with that science of risk management and then it was first called probability theory. Then, in the early 20th century, it kind of developed and evolved into decision science, and by the 1970s, some of the psychologists kind of jumped on board and we had neuroeconomics developed on top of it. So in probability theory with decision science, with neuroeconomics of risks, psychology. All of that kinds of merge and by 1970s, we had what was a pretty solid foundation for risk management. But then in the 80s, a miracle happened because I guess that's what usually happens when something is very interesting but highly complex. Somebody hijacked it and really decided to dumb it down to make it, I guess appealing and relevant for the majority of the people. It's like astronomy existed for so long, but that was too complex and it was highly mathematical to comprehend. So somebody came up with astrology. Astrology is basically your fairytale ... I mean, fairytale. It's not real science. It's basically BS and that's what most of the modern day risk management theories are. They're basically astrology of proper decision science. And so what I've been supposedly controversial about in my articles and in my work, I'm trying to bring the risk community back to almost like 1970s saying, "Well, we've had all the good tools and we had all the science behind proper risk based decision making for ages and we don't really have to recreate the wheel and the existence of the new artificial intelligence or cyber risks doesn't really change much. I mean the math is still the same." All I've been trying to do is say, "Well, if you want to make a strategic decision or an investment decision, or a budget decision for that [inaudible 00:11:49] , well we actually have all the methodologies we need to do that and if we want to make a choice between different strategic alternatives, so decision trees are still as powerful as they ever were. In fact, decision trees still drive a large portion of artificial intelligence algorithms out there together with neural networks. Both tools are old. And so for strategy, integrating risk management that the strategy just, it makes perfect sense, but it's not unique or new in any way. I mean this is what risk management was always about in 15th century, in 16th century, in 17th century, 18th century, 19th and 20th. I think it's unreasonable for us in the 21st century to consider it somehow an innovation. But to integrate into strategic planning, we still use decision trees, which are old. We still use scenarios and simulations. And simulations, the multicolor engine for a algorithm for stimulating the possible future outcomes has been developed in '45, '46 so that's what, 75, almost, years old and as powerful as it was when it was developed to create the atom bomb or nuclear weapons. So I obviously think risk management is important, not just in strategy but in any kind of decision making because it just makes so much sense to do risk analysis, not once a quarter as we're used to doing it once a year, once every six months, but actually do the risk analysis before an important decision is being made by the management or the investment committee or whoever or as personally in life. And the good news is, we have all the tools necessary to conduct risk analysis before making decisions. KS: That's the old, if it ain't broke, don't fix it, methodology. AS: Well, kind of, which is weird because I mean I'd love to see risk management associations and risk consulting powerhouses come up with better ways to apply those existing tools. But that's not unfortunately what they do, which kind of forces me to be controversial. That's not what they do. They recreate the wheel instead and ironically, they don't give us better tools. They actually give us tools that are significantly worse. And, again, we know for a fact that the methodologies that are commonplace in risk management right now, for example, using heat maps for trying to multiply likelihood by consequence and getting like a risk level. We know for a fact that those methodologies provide much poorer results. They're much less accurate than any of the like 70 year old tools, which is bizarre. KS: Yeah. Do you think it's the human element that is breaking down the mathematics of it? AS: It's difficult to say. I think it's more the kind of the entrepreneurship spirit because whoever's made this popular and the Douglas Hubbard is, in his book ... He's publishing he another book on risk management very time soon, which I'm really looking forward to. But in his book, he actually went on a quest to find the patient zero, find that person who hijack risk management and turned it into astrology. KS: I want to read that too. AS: Yeah, I know. Isn't it exciting. It's amazing. Somebody seriously hijacked risk mismanagement in 1980s and turns it into literally astrology. Your average risk management report is no different from a horoscope. It's just as accurate and it's just as dangerous to use for any kind of proper decision making. So on one sense, it's horrible that this happened, but then on the other sense you can kind of understand how entrepreneurship and making money is that carrot that's dangling in front of the people because decision science, and math, and cognitive biases, and risk perception, it's hard. It's difficult. That's why they have whole departments in Pentagon. And that's why CIA spends millions on researching this. It's actually really difficult. And somebody had a brilliant idea, why didn't I dumb it down for everyone? Well, I'm going to lose all of the important information and it will become a horoscope, but I'll be able to sell millions of copies and that's literally ... I mean, astrology, if you think about it, it's hugely popular. I mean, people are making ridiculous amount of money on horoscopes and everything else. So from a commercial point of view, makes total sense. From an ethical point of view, very questionable practice. KS: Sure. Now I'm curious, what's your astrological sign? AS: Aries. KS: Aries. AS: I think because when I was born, I was Aries, but remember how they moved the whole thing- KS: Oh yeah. AS: ... years back. KS: That was not accurate. That was disproven. But to your point, it's all hokey, fakery anyway. AS: Exactly. KS: But now the controversial title makes sense because Aries is the bull, so. AS: Yeah, I guess. KS: Okay. So something that I keep hearing a lot lately and it's not a new methodology, but it's just really coming full circle now I think is risk quantification. It's been really hot. So why do you think that is and when should it be considered and then how do you recommend organizations approach risk quantification? AS: Yeah, which is fascinating because risk quantification can literally mean like a million different things. From very simplistic scoring methodology, saying, "Look outside. If the sky is blue, then it's going to be a good day," to like a complex Monte Carlo simulation model that runs like 10,000 scenarios, trying to figure out what the possible range of outcomes is, so highly broad, complex. The good news is that almost everything we do is some form of quantification, and over the last 50 years a number of scientists have done a lot of research trying to figure out, trying to answer the age old question who's better, a human or an algorithm. And unless something new comes up in the near future ... at the last conference, the portability management conference in U.S. ... I think it was again Douglas Hubbard who was sharing the stats, but there was approximately 150 studies in different fields of life conducted to determine who's better human intuition or some sort of algorithm, some sort of quantification, even the most basic quantification. And out of the 150 ... I mean, I may be wrong. It could be 130 and it doesn't matter. You get the volume of research. It's been extensive. And out of the 150, two studies have shown that human intuition is similar or slightly better than an algorithm and everything else. So 148 showed that actually using some sort of algorithm is much better than relying on our intuition. If we look at the situation from that perspective ... and all your listeners, you're more than welcome to disprove that. Run your own study, prove us otherwise, but until then we have to rely on ... And it's a large population of scientists that tried to answer that question and the study covers all different fields: agriculture, pharmacy, engineering, oil and gas, governments. It's like it's a very broad spectrum of study. So from that perspective, it's a no brainer. You have to quantify everything if it's a big enough decision. If it's significant enough and it's not trivial, if it's going to cost reputation or money, then quantification is definitely the way to go because the alternative to quantification is to not use anything and rely on your intuition, which is a pretty dangerous bet, it seems, based on the research I conducted as of as of now. So quantifying is kind of the only way it seems. The real question is how complex can we go? How complex do we need to go? And here again, there are different schools of thought. For example, the school of thought by Daniel Kahneman and Thomas [inaudible 00:20:47], Vernon Smith, all the oldest researchers in cognitive biases and human risk perception and risk psychology say that because we are inherently irrational in our decision making, because we fall into so many different cognitive biases, because the quality of our decision making depends on how much glucose or sugar we have in our blood, whether we are tired or not of whether we're happy or not, what colors we're wearing, because we're so highly influenced by all these many different random factors, we really have to apply proper [inaudible 00:21:25] that quantitative tools to help us make decisions. And then of course there's the school of thought by [inaudible 00:21:32] who says that no model can really be predictive of the future because the future is highly complex and the [inaudible 00:21:40] are hidden from our comprehension that we have to use the models, but we also have to have downside protection no matter what. So basically those schools of thought still say we have to apply some sort of tools. And the good news is sometimes even a little quantification improves the quality of decision making significantly. We don't actually have to run highly complex Monte Carlo simulation to make a better decision. Sometimes even adding a little bit of analysis to our decision making ... I mean sometimes even extrapolating the future. Sometimes creating a scoring model based on a number of the factual, observable items can significantly improve the decision making. And Douglas Hubbard has an amazing book called How to Quantify or How to Measure Anything. He argues that sometimes three observations is enough to improve decision making, not to make the decision making perfect, which is not our objective but to improve our decision making compared to just intuitive thinking. [inaudible 00:22:51] with quantification has actually been hot since 15th century but now kind of everybody's finally getting the hang of it because I think part of it is that most organizations have been disillusioned with that astrology version of risk management with DRM style discussions, realizing that having a heat map of your strategic risks doesn't actually change how you budget or make multi-billion dollar [inaudible 00:23:19]. We've had all the tools to help us make better decisions. So how do I recommend organizations approach with quantification and when should it be considered? I think it's the first point to realize is that quantitative risk analysis tools is actually like a whole spectrum of tools starting from very simple decision trees, which you could draw on a napkin to scoring methodologies, which again are relatively simple two scenario analysis, which is super basic to more complex simulation models, which are slightly more complicated. But if the price is high enough, if the reputational damage is significant enough, then running a simulation, even though it's complicated it's not a deal breaker. It's not that difficult. It takes maybe an extra day to run the simulation and maybe like an extra week to find all the necessary assumptions and verify assumptions and actually create the model. I think a week to like a multi-million dollar decision or a multi-billion dollar decision is literally the least of the troubles that you have. KS: Right, exactly. Thank you. I think that's really insightful. Even just considering three objective opinions is better than one or two. I think that's really helpful information for the audience. It kind of reminds me too of ... Did you ever see that movie Moneyball, was about Billy Bean and how he uses saber metric analysis on- AS: Yeah. exactly. KS: ...Baseball players scouting? Yeah. AS: Yeah, he- KS: It's a little bit like that. AS: Absolutely. I mean he was the first in the industry, in the sport industry. He used very simple math to significantly improved decision making. KS: Yeah, that's fascinating. AS: Which is essentially what risk management is all about. I mean whatever industry we are working on, we can use some of the basic risk management tools that we have and significantly improve the quality of decision making that executives have. I mean this is just mind blowing stuff and it's mind blowing because this theory has been proved by the Danish mathematician in 1906. It's called Jensen's inequality. This is groundbreaking because most executives still have no idea and this is how business operates, ignoring that finding. Can you just imagine this is not 110 ... 1906 so 110 years ago a mathematician proved that when you build your business plans, or budgets, or investment proposals, or literally anything else, or production forecasts or anything, well, sales forecast, when you build anything in business based on single point estimates, especially if those single point estimates are what people call most likely or averages, you're pretty much guaranteed to have an unrealistic result. This is how everyone does it in business right now. He took this idea and made it very popular in his book Law of Averages, which is amazing, but he's basically saying if your company is planning, and budgeting, and forecast using averages, which is what every single company on the planet does, things you signed off on that budget or that business plan or that strategy, you're pretty much guaranteed to have an unrealistic target because you've just taken out all of the uncertainty out of the equation and you've created this unrealistic fairytale. And so of course whenever we're working with our clients ... we're the training producers for some of the biggest corporations in Russian speaking countries. Whenever we talk to them we're saying, "Well we've had since the dawn of time, since the 16th century, we had the solution." What's the alternative to planning and budgeting and forecasting with single points estimates? Well, of course we can do that with ranges. We have the techniques to create business plans with ranges that will give you distributions with single point forecast. Basically what they're saying is that the way business planning is happening right now in 99.9% of companies in the world, pretty much guarantees rational results because it ignores risk and we actually have the solutions. We've had it for at least 70 years to overcome that, to improve our planning, which is fascinating. I think risk managers, if they are willing, have the most amazing tools at their disposal to really change how organizations plan, forecast, budget, and make decisions. KS: Yeah. Fascinating. And I totally agree. So this is actually a really good segue because I'm curious about, you have such worldly experience in risk management and I have to think that just based off of our conversation even so far, you mentioned how our humanity kind of plays a role in our gut decision making and we've got dopamine firing, influencing our decisions. So what differences do you see in risk management globally? Culturally, are we really different across the different countries in terms of how we approach risk management? AS: That's a very good question. The short answer is I'm sure we are different, but because most of the people on the planet are so fundamentally wrong in their approach to risk and uncertainty in general, that our cultural differences are insignificant compared to our methodological differences, so I can kind of put it that way. We're so inherently ignorant of uncertainty and risk when we make decisions in the workplace that some countries are slightly worse. Some countries are slightly better at it, but we are kind off by a mile and plus/minus hundred meters is not the real problem per se. KS: My next question, since we've been talking about predictive analysis, what are you predicting for the next couple of years in the risk management space? AS: I sincerely hope that the messages that myself and many other risk managers have been pushing for years will become more mainstream. I hope that we will switch from having conversation about risk and the risk levels to having conversations about uncertainty affecting objectives, or decisions, or forecast of budgets and we will actually finally find that magic pill, which by the way, I have a sense that I think I might have found it recently, finding that magic pill to sell the idea of thinking in ranges and scenarios and simulation the futures of the executives. I just think it's so ironic that before making any kinds of decision any kind of big decision, the CEO would call his tax advisor. He would call his legal team. He would call his finance team to first figure out what the potential problems are, and then run some sort of scenarios to figure out what's the best approach. I mean, most executives do that as a given. No one would make a decision without first consulting at least somebody in finance, tax or legal team. And yet, almost no one calls the risk manager for the same advice because I think we've not done well in selling our tools, our expertise as being able to add and make sense of uncertainty in the future decision making. Fingers crossed, I've only been saying exactly the same thing for the last seven years. Fingers crossed, business plans of the future will not have a single target. It will not just say we want revenues of 100 million. It will say we want revenues from 80 to 105 million and this is the kind of the probability of achieving our objectives. We will actually stop talking about relative things when we talk about the future and we will appreciate that uncertainty has a huge impact on the future and we will be honest with our shareholders and government regulators about the effect that uncertainty has on objectives. I mean, I was amazed when I was still the head of risk of one of the big sovereign funds in the country. I was amazed my CEO had the courage to take the Ministry of Finance the calculations that we've done and he's shown that ... We build this strategy until like 2020. This was quite a few years back and that strategy basically said that there was a 30% chance that the strategy will not work. And in fact, if it doesn't work, we may lose quite a lot of money and this is how much money we will lose with 90% confidence interval. I thought it was just amazing. I've never seen anything like that when the companies were honest with the government and the regulators and the public about the level of risk they're taking and how that risk, if it happens may affect the bottom line. I sincerely hope this is the future that we are moving towards. KS: I hope so too and I think we're right there. I think we're at that tipping point just because I feel like a lot of organizations are taking another look at risk and really wanting to change and improve their programs. They're starting to invest in the tools and technology that they need to set their programs up for success, which I think is a really good starting point. You have to have a foundation of gathering that data to be able to do anything smart with it. So I think we're on that precipice. So I'm hopeful with you as well. AS: Absolutely. KS: Well, this was really eyeopening and sort of a brief little history on risk, so thank you for that. I'm going to say you are refreshing and very reasonable, not controversial at all. AS: That's what I've been saying all this time. I mean, I personally don't think I'm controversial. All I'm saying is wake up. The things that we're trying to do for the last 30 years don't work as well as we want. Maybe the problem is not that executives aren't listening. Maybe executives are actually very clever that they're not listening to some of the nonsense that we're trying to sell them. And why don't we go back to the drawing board and use some of the tools that the engineers, scientists, doctors have been using to make decisions under uncertainty for the last century. KS: I agree. Get back to the basics. All right, well, Alex, that rounds out our conversation. I really appreciate you coming on GRC and Me. I think this was great information for our audience, so thank you for that and I wish you the best of luck with the academy. I'm going to be tuning into your content as well, so thank you. AS: It's a pleasure. Thanks Kelley.

Podcasts

GRC & Me Podcast: Terri Sands - Risk and Compliance in Finance

In this episode, Kelley talks with Terri Sands, founder of Secura Risk Management. Terri shares her thoughts on…

Brochures

Risk Cloud® Onboarding

Launch your program quickly with step-by-step guidance from our expert Implementation team.

Brochures

Risk Cloud® Differentiators

Learn why leaders like you choose Risk Cloud.

Reports

G2 Summer 2019 Grid Report for Top GRC Platforms

Download the G2 Summer 2019 Grid Report to learn more about LogicGate and the other top GRC platforms.

Podcasts

GRC & Me Podcast: Matt Kunkel - Starting LogicGate

CEO Matt Kunkel shares his journey launching and leading LogicGate—a company helping organizations of all sizes bring unprecedented…

EPISODE NOTES Top 3 Takeaways: There's a big need in the marketplace for a technology that’s flexible and dynamic, yet easy to use from an end-business-user perspective. “I took an educated bet that the market was right for a disruptive perspective.” “Everyone is somewhere between ought-to-buy and needs-to-buy a GRC platform.” Resources: LogicGate Website Connect with Matt on LinkedIn Connect with Matt on Twitter Navigant Group Dodd-Frank Ruling GDPR California Consumer Privacy Act Episode Transcript HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski, and this is GRC and Me, a podcast where I interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space. This is the LogicGate story which as it turns out starts with conquering risk, and then taking on a personal risk, right? MATT KUNKEL: It does. KS: And I've got Matt Kunkel with me here. He's our CEO of LogicGate. MK: Thanks for having me Kelley. KS: Thank you for joining. I'm really excited to capture this story about how the committee got started. But, I want to take a back step and understand your background, and what led you to getting the company started. And, funnily enough, we actually attended an event together, the Secure Risk Management Forum in Georgia two weeks ago, and you even mentioned a little bot more of your background that I hadn't heard before, which was you actually had your hands in a couple of projects related to the Lehman Brothers fallout, as well as the Bernie Madoff Scandal, as well. So, I want to hear about that too, because that's incredible. KS: You were born in 82 right? MK: I was. [inaudible 00:01:49] me here. KS: Well, I was too. But, I think that's really incredible considering your background and how young you are, and where you're at. So, tell me more about your involvement in those projects, and then take me to the JP Morgan Chase Project. MK: Sure. Was a Midwest guy, grew up in Ann Arbor, Michigan, but ended up getting out and went to school in Indiana, and was a finance, economics major there, and through school found my way to Chicago, working for a management consulting firm called FTI. And, this is in the early to mid 2000s. And back in those days you needed to know how to code a little bit to really get on the big fun investigations, and one of the partners that FTI landed a job with the Bernie Madoff investigation, and really we needed part of FTIs responsibility and doing all fictitious profit analysis around that so to say. "Hey we need to sue [inaudible 00:02:46] for a couple of billion and give it back to these mom and pops." I really helped coded out the solution that did a lot of that fictitious profit analysis. And then very soon after that, Lehman brothers went bankrupt, and we, myself and my team coded a big part of the solution that unwound a vast majority of the Lehman's transactions on the debtor side. That's really where I cut my teeth in application development, and using technology to solve problems. And from there moved over to another consulting firm, called Navigant Consulting. At Navigant started up their custom app dev group, and really what we did is we built very large-scale, Fortune-100 companies, GRC program's, governance risk and compliance programs, partnering in conjunction with the folks in our financial services practice, in our energy practice, and in our healthcare practice. One of the bigger jobs that we did was to help J.P. Morgan Chase specifically, their mortgage bank, get out of a consent order with the OCC, which is the Offices of Currency Controller, and a big consent order against them. Basically, what was happening is within mortgage there is tens of thousands of regulations that they have to follow from the federal level, but also the state and local jurisdictions that they are doing business in. KS: And this was a result of the that new, the Dodd Frank ruling? MK: Correct. This is part of what came out of Dodd Frank. It was just really more transparency and more, "Hey here are rules and regulations that specifically mortgage companies, banks in general, specifically mortgage banks, need to follow to make sure that we don't get ourselves into situations like the financial crisis again." And, it was just a laundry list of these regulations. And, the government comes in and says, "Okay, Chase tell me how you're compliant with line 12,852 of this huge Code of Conduct, and what policies do you have in place? What procedures you have in place? What system controls you have in place to get compliance with this?" Frankly, there's just so many in there. There's just such a big spiderweb because one regulation could relate to many different business units that Chase has in there. And, those business units could be using different policies, procedures, system controls to follow that. So, there is a huge spiderweb effect that happened, and really just ultimately Chase couldn't provide the visibility and transparency, let alone to their Executive Board, but more importantly to the regulators that they were doing this. KS: And that web that you mentioned, what was that constructed of at J.P. Morgan at the time? MK: Affectionately, what we call duct tape and bubblegum, which is spreadsheets, emails, file shares, a hodgepodge of really Microsoft Office products that they were trying to cobble this web together with. They had failed their consent order twice previously. Then we came in, and really partnered with our folks in our financial services group that gave the subject matter expertise around the specific policies, and controls that needed to be put in place. In my team, we built the technology to really take all those regulations, break them out into sub-components, have a mechanism to assign those sub-components out to specific business units that they apply to, then had a mechanism to do what we call an assessment to say what policy, procedure, system control we have in place. There wasn't anything in place. We had a gap. Maybe if there was something in place, but it wasn't up to date, we have a partial gap. And then what is the process by which we get compliant, right? And those recall findings. We've findings off of that, and then we created action plans, and action items to get those gaps remediated. And, most of the time that was getting policies and procedures up-to-date. Sometimes implementing system controls in place, or sometimes just saying, "Hey, we know that we have a potential gap here, and we're okay with that from Chase's perspective because of XYZ," and that typically was Executive sign off [inaudible 00:06:54] that. KS: Tell me about the Executives you worked with at J.P. Morgan. Who let this project, and just give me a little bit of background on- MK: Yeah, it was from the top. Jamie Diamond was signing off on the ultimate invoices that we were sending Chase. There's a guy by the name of Kevin Water, who is the CEO Chase's mortgage bank at the time. And then there is another fellow by the name of Roland Hargrove, he was the head od special projects for Chase, and he ultimately headed up this project. We work very closely with them at Chase. KS: It's incredible. And how long was this project? MK: Frankly, I think its still probably going on. We started it may be in 2014-15 timeframe, somewhere in there. Part of the reason I think Chase ultimately went with Navigant is, we said, "Hey, we can get you our technologies stood up and running in a very short time period." And they, I think, had realized after failing two consent orders that they needed some technology to actually operationalize the program, and keep the program of regulatory compliance evergreen. They put some resources in stock behind, "Okay, Navigant can actually give us a subject matter expertise, but they have this technology group that can actually execute and build us out. What we need from a technology perspective in a very short order." KS: Got it. And, that was you and how many other people? MK: A small army of people involved in that. Many, many, many developers, many business analysts from our requirements gathering perspective, and many subject matter experts that relates to financial regulatory compliance. KS: Okay. And you guys were holed up in? MK: We're in lovely Jacksonville, Florida for the most of the time. It's great. Great weather. Great to get out of Chicago during the cold winter months, and and hang out there. But, definitely spent some time in New York at the corporate headquarters, and then in Columbus, Ohio which is where a lot of their writing team is, their policy writing team. So, we spent some time there as we were building outcome of the next evolution in phase of their platform which was the old policy and procedure management module application that bolted onto the upfront assessments. KS: Awesome. So when was the, "Aha" like, light-bulb moment for you during this process? MK: Yeah. I was just sitting down, and talking to the Chase Executives, and they were saying, "Love the platform that you've created, [God 00:09:33] helped get us out of this consent order. We feel really good about that. But, there's just these constant change orders coming in for the platform, and frankly it's always gonna happen. And, the business is moving so fast, the regulatory landscape is moving so fast that we're always reliant on you at Navigant. And frankly, that's costing us a lot of money. We would like the platform that our Chase employees in the regulatory and compliance group to be able to make the updates ourself, and make our business analyst make the same updates our dev team is making." And that was kind of the light bulb moment for me. That was the one where I was like, "Well, if we could do that, I really think that there is a big need in the marketplace for a technology that is that flexible in that dynamic yet that easy to use from a end business user perspective, and in an administrator of a platform like that that have no technical acumen whatsoever. Excel is where they live their lives. But, if they can make enterprise grade technology, I think you have something in the marketplace. So, spent some time talking with my two co-founders, John and Dan. Dan was on the technical team at Navigant, and John was on the customer success implementation team. And, really looked at many different solutions that we'd created over this time period, and just came up with a thesis that, it doesn't matter if you're doing a third party risk assessment, or controls assessment, or policy management, or enterprise risk management, or incident tracking, or you need to be NIST compliant, SOCK compliant, ISO compliant, HIPAA compliant. Ultimately, at the end of the day, really what the technology is doing is just a process. We're just logically moving work inside and outside an organization. We're routing that work on a sophisticated rules engine, depending on how the business users are answering and providing data to us. We're automating things that happen on recurring time frequencies in their. And then we're providing some really nice visual appealing analytics, and reporting to get the insights out of that. And that's what we ultimately came up with LogicGate, and being able to use the consulting experience to create and pre-populate that templates so folks have a starting spot. But, then I'll empower them really. And, that's kind of our why is is really digital empowerment, and being able to empower business users in the organization to use very easy enterprise grade technology to transform their organization, and transform their lives too. We really thought that we had something there. KS: That's incredible. So, where were you at personally, when this light bulb moment happened? And, how did you pull the trigger, and decide to leave your comfortable position, and take a huge risk of starting a technology firm? MK: Yep. Practically speaking I was in Jacksonville, Florida in a car with one my co-founders John thinking about this, and bouncing these ideas off of each other, and then we looped in Dan to the conversation. But non-practically, I was in a great spot. I was very quickly ascending at Navigant, and running a very large P&L, and had built out a practice. I spent a lot of time doing that, and a lot of energy doing that, and I got myself into a pretty cushy spot. But, really just saw that there was a huge, huge need in the marketplace for this. And frankly, took a bet, a very educated bet that the market wasn't very big, the market was ripe for a disruption perspective, because most of the technology is quite outdated, and quite antiquated, that a very new, modern, built on new and modern technology, and something called a graph database would would really take off. And, I think we've in a very short period of time kind of validated that thesis. And. now are just working on building them, and scaling the team, and getting more brand awareness around what were doing, and a lot of training and education to customers that GRC can be fairly easy to implement in organizations. Obviously change is always hard. But, if you make the technology very easy to understand for the business user in the first line of defense, that's a big part of it. I think we've got a lot of solid adoption from very large brand names down to very in a 50% mom and pops that need to be PCI compliant, or NIST compliant, or HIPAA compliant in there, and working on the [inaudible 00:14:06]. KS: Absolutely. Well obviously I'm on board. So, really glad that you decided to take the leap, and take the personal risk, and start the company. I think one of the things that is most interesting to me is the fact that this solution, this platform that you built is so applicable, no matter the size of the organization. It's an issue that is relevant to really small startup companies, and really big companies just like J.P. Morgan Chase. MK: Yeah, totally. Our CRO has a saying that everyone is somewhere between ought to buy and means to buy a GRC platform in there, and obviously LogicGate is the one that he thinks is most applicable to that. But, it is. I think ultimately more and more risk and compliance issues are being brought to light. And, there's just obviously with data issues like GDPR, and the California Consumer Privacy Act, and in all the things that are happening with Facebook. Frankly, I just think there's more transparency that the Board and Executives want, and the people to provide that transparency in organizations are the risk and compliance groups in there. So, there's a lot of tailwinds that we have at our back, and more and more cloud saas providers need to be SOCK compliant. And, so how did they do that in a very easy, effective, efficient manner, right? And, technology is really an enabler to help them do that. And that's really what we are. Ultimately at the end of the day we are subject matter experts on risk and compliance. We hire all of our customer success folks come from big consulting firms where they have already done many, many, many GRC implementations, and are subject matter experts on SOCK requirements, and NIST compliance, and PCI compliance, and how to put together an enterprise risk management program. We're just using LogicGate as the vehicle from a technology perspective to make that much more effective, efficient, easier. But, ultimately I look at the company as risk and compliance subject matter experts with a technology wrapper around it. KS: Absolutely. So, we have a mascot at this company. It's the goat. Some people think that stands for greatest of all time, but that's not actually how the goat came to be. Can you give me some insight into how the goat came to be? MK: It's true. Although, I would like to say that we hopefully empower our customers to be the greatest of all time with LogicGate, and that is what the goat now stands for. The origin origin of the goat though was Dan, our CTO, he actually coded out the entire MVP of the platform by himself. Extremely, extremely bright person. I mean honestly, I've never worked with a dev that's so intelligent. And, for whatever reason with what came into his mind every time the application boots up, he did some ASCII art, which is basically art in ones and zeros, and it is a giant picture of a goat in there. And, we're going through a program, and one of the teams next to us saw the boot up script, and they're like, "Oh my God! What is that?" And he goes like, "Oh, that's a goat." And he goes, "You guys are the goats." So, we happily took that name on, and it's kind of just evolved as the company mascot now. But, I have now evolved that into, we empower clients to be the greatest of all time. KS: Love it. I love the goat, and we really do take the goat to heart on the team. I think we passed out goats at the RSA conference. MK: We did. They were huge hit. We passed that about 500 little stuffed goats that everyone very much enjoyed. KS: That's great. So we're building a goat community, and hoping that you join us. So, just to round things out here, what's next? What do you envision for user community, for the platform, and for the company? MK: Yeah. You know I think the ultimate vision is we want to be the number one player in the GRC market. And the way to do that is to make our customers and clients hyper successful by using our platform right is, how do we honestly advance our customers career, and the champions in those organizations that are using our platform? And, if by using our platform that evolves their career, and that gets them the higher points that they want to, ultimately I think we're going to win, right? And, it's always just a customer centric view and focus that we have at the organization. And then everything else of where the company wants to get you in the heights that we can get to, I think that that is 100% achievable with the size of the market, and the fact that there is no real clear cut player in the GRC space, or IRM space right now. So, everything is focused on the customer. We take care of the customer, ultimately they're gonna take care of us, and ultimately LogicGate's going to be a huge success. KS: Awesome. Thank you so much for joining me. On my next podcast episode I'm actually talking with Terry [inaudible 00:19:15] from Secure Risk Management. We're going to be focusing in on trends in small banking and what they're experiencing, and risk and compliance. So, this was great, great story and background in our experience in that space specifically. MK: Awesome. Can't wait to tune in to listen to that. KS: Great. Thank you. MK: Thank you.

Videos

Enterprise Risk Management Solution

Learn More About Enterprise Risk Management With Risk Cloud®

Webinars

Automating Your Third-Party Risk Management Program

Podcasts

GRC & Me Podcast: All Things Implementation with LogicGate's Szuyin Leow

Looking for a GRC tool but not sure where to start? Szuyin Leow is here to help! She’s a…

EPISODE NOTES Top 3 Takeaways: Focus on critical items first and make sure you have people and processes in place beforehand. If technology is flexible, you can continue to scale and grow and change your processes over time. Start simple, drive value in one place, and then build that over time. Resources: LogicGate Connect with Szuyin on LinkedIn Read up on Szuyin’s Work on Medium Episode Transcript HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski and this is GRC & Me, a podcast where I interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more, to learn about their methods, solutions and outlet in the space. I have Szuyin Leow with me, or Meow as we like to say, because she is a cat lover. A cat lover by night, but by day, she loves helping clients in onboarding and implementation of risk and compliance projects. Welcome Szuyin. SZUYIN LEOW: Thank you. Happy to be here. KS: Thanks for joining me. So I wanted to have you on an episode to tackle the topic of implementation, because it's a big part of a project like this and certainly an area of challenge and pitfalls and I want to help inform my audience about what they need to consider and also help them avoid some of those common pitfalls. So, I'm really excited to have you on and I want to understand first and foremost your background in consulting and why you got started. SL: Sure. Yeah. So, before joining LogicGate, I worked at PWC and was a cybersecurity and privacy consultant, and in that role I worked with a lot of customers in various industries and worked with them on helping them to develop and operationalize their cybersecurity programs. So, that ranged from actually performing some cybersecurity assessments myself to writing policies and procedures to helping more of the C level develop their cyber security programs and strategies. And throughout all of that work, really a common theme I found was that there were challenges in terms of collaboration across teams. There were challenges in terms of really getting to operationalize and automate processes and have centralized views into data. And then when I found out about LogicGate and some of the other technology solutions that were available, really opened my eyes to the opportunities in technology beyond just spreadsheets. That's what got me excited about working for a company where we could really help to build and implement solutions in a more powerful way. KS: Awesome. So when clients first come to you for an implementation, what are the common challenges about getting started? Because one of the things that I find during the evaluation phase is clients commonly, they don't know where or when to get started. Timing and maturity are both things that they're considering. A lot of times prospects will tell me, "Well we haven't quite figured out how we want our framework or method to look, or we don't even have a risk register started," for example. What do you recommend to clients in that situation and where and when should they get started? SL: Yeah, it can be really overwhelming. There is so much to consider in the world of governance, risk and compliance, so definitely can relate to what those customers are facing. In terms of getting started though, there are some key things to keep in mind. First of all, if you are going to invest in a technology solution, you want to make sure that technology is actually going to be implemented successfully, right? So, one of the big things we've found is you can buy as much technology as you want, but that technology is only going to work if you have the people and the processes in place to actually support that technology. And as someone who works at a technology company, maybe there are some people who wouldn't want me to say that, but it's so, so true. So definitely when implementing a GRC solution, you'll want to make sure that, first of all, you have the right stakeholders at the table to provide input on what that technology should include and how it should work. Then you're also going to want to make sure that you have the right processes developed and defined to support that technology. So, definitely getting alignment on those process requirements before you start to even get your hands into a tool I think is the number one thing that I would recommend. Another thing is when customers come to the table often for a GRC solution, they are looking for the full package, right? They want a fully working GRC platform, and if they could have that yesterday, they would want that. While that would be amazing, it's just not realistic. So, a lot of technology solutions out there do have templates available that you can use, but oftentimes you're going to need to have some sort of customization built into the tool, because not every single organization is unique and so your business is going to have its own unique requirements that you need to build into that technology. And that can be a challenging process when you have multiple people involved. And so another thing we found is by focusing on one module or use case first rather than trying to build a full GRC platform all at once and trying to boil that ocean, you can instead focus on one that you think is going to be super valuable and critical to your organization, roll that out first. Give value to your end users so that first process initially, help them buy into that technology solution through that first process, and then get them involved to help roll out the rest of your GRC platform going forward. Both of those things I think are super important in terms of focusing on a critical item first and also making sure you have the people and process in place beforehand. Another thing I would mention is oftentimes customers will get super excited when they see what they can do in a technology solution and that's super empowering and that's great, but sometimes that can lead to customers wanting to try and make whatever they're building initially perfect and they are going to try and almost make it too complex or robust on the first go. And so another thing that I would definitely encourage any person who's implementing a new technology solution to embrace is the concept of keep it simple and less is more, because that will often help that technology to be easier for end users to actually adopt and also just keep it easier for admin users to manage going forward. And certainly if that technology is flexible, you can continue to scale and grow and change your processes over time. KS: Yeah, I think that's a good point. I think it's also something to consider when you're looking and evaluating software. When you are looking at something that is really complex with lots of bells and whistles and that's trying to boil the ocean for you, is that really going to be a good fit? And is that something that you can adopt and get value out of? It might not be. SL: Definitely. KS: Yeah, I like that simple start and driving value in one place and then building that over time. So, in your opinion, is it difficult for small and mid-sized companies to ditch the, we like to call it duct tape and bubblegum, but spreadsheets and email and implement a software solution, and what's holding them back or keeping them in that status quo space? SL: Sure. One of the biggest challenges for small and mid-sized companies is often that risk and compliance teams in those companies could be a one person show or maybe a two or three person show. And because it's a small team that's managing all of these responsibilities, those people are juggling a lot. And for them to throw into the mix, the thought of implementing a brand new technology, that can sometimes be too much to handle and ... KS: Daunting. SL: The scope. Totally. In the scope of all of their other day to day activities. And so I think that's often the biggest challenge, is getting over that fear that by implementing a technology, you're going to lose out on time in other places. Now, that may be true, but what you have to look at is the light at the end of the tunnel, which is by investing that time and implementing the technology that should ultimately, if that technology is good, that should save you so much more time after that technology has been stood up. So, that's one of the things I think that technology providers can look at is showing users how that technology is going to change the way they work and change their effectiveness and their jobs. So, that's definitely one piece. Once you get over that hump, I think there's obviously still some more change management pieces that come into play. It's hard to get people to change their habits and learn something new. So, another thing is if that technology that you found is user friendly and really intuitive to use, obviously that's going to make it easier for these owners of GRC programs to be more willing to invest in that technology and buy into it. KS: Yeah, I totally agree. No pain, no gain, right? SL: Exactly. Yes. KS: But you take into consideration when you're building out an implementation schedule that people have day to day jobs, so ... SL: Absolutely. KS: That's all a part of it as well. Don't bite off more than you can chew and take the time to be thoughtful in how you schedule the implementation activities. So with risk and compliance programs trying to support constant change, how can they be more strategic and proactive, and how can they avoid essentially chasing their tail on these regulatory changes, business changes, as that can be driven by external factors? SL: Yeah, absolutely. I think you hit the nail on the head there that oftentimes we don't have control over those changes. They are so often driven by external factors with changing regulations, changing standards. So I think it's first of all being aware of that and understanding that and then making sure that as an organization you're prepared for that. So again, it comes down to your people and processes, making sure that you have a process defined to handle those changes, and once you've defined that process, making sure that that is clearly communicated across the organization to the appropriate individuals so that they can respond in the right manner. This is something that ideally your GRC technology will be able to support you with as well. We've worked with many customers to help them put together workflows to keep track of these changes and notify the right individuals. So, that's part of developing that process and that program. If you can automate that in your technology too, even better. I think another piece of it is just being aware of trends in the industry to help you be proactive. A great example would be GDPR was all the talk last year when that finally went live, and for smart individuals here in the U.S. Who maybe didn't have to comply with GDPR, because they don't have any EU citizen data. They probably realized that that trend happening over in Europe was eventually going to come here to the states and we're already seeing that with California and CCPA. So, just being aware of where the industry is going and what some of those changes are that might affect your programs and your requirements can help you get a head start on moving your program in the right direction. KS: Right. So, my next question is implementations are risk-taking endeavor in and of themselves. How can companies prepare for and ensure a successful go live and how do they avoid losing that momentum post implementation? SL: Great question. Yeah, so one of the things that I would definitely recommend, really anytime you're making an investment, but especially in terms of implementing technology, is making sure that from day one you have thought about how you're going to measure and communicate your success with that solution. So, that's thinking about what are your objectives and goals in terms of implementing this technology and what metrics are we going to use as an organization to prove that we've actually met those goals and objectives. This is something that we try to work with all of our customers to do in terms of being a implementation provider, because not only is that going to help our customers realize the value of the technology that they're pouring so much time and effort into, but also helps us as implementers to see, okay we've checked the box on these requirements that our customer has asked us to fulfill and we are able to see that we are actually driving value at the company through what we've built and configured. So definitely communicating about those metrics and putting processes into place to collect that data and then report on it later, I think is super critical. One thing to think about in terms of defining metrics and objectives is making sure that you are covering all of the different audiences involved in your implementation. So that includes the end users who every day are going to be working within that technology. If you are working with external partners, like vendors for any sort of third party risk management, getting feedback and input from them, and of course thinking more high level in terms of managers and approvers, directors and sea level, and your board in terms of what high level insights they're looking for from all of your data. So, one of the things we've definitely found with customers is they might not think about these metrics when they're first looking for a technology solution. They start to think about them, obviously once they've gone live and they've built a process, but by that point, it can be hard to make sure ... If you haven't been thinking about metrics beforehand, it can be hard to make sure that your process has actually been built to capture that data appropriately. So, by thinking about it from the very beginning, that can, one help you just stay focused on your target, but also two, make sure that you're building your program and your process and your technology in the way to actually support those metrics. Once you've actually gotten those metrics, I think the other big thing is in terms of communicating the results to those different audiences that we talked about, making sure that you are using those numbers and that data in a way that's going to engage and empower those users and those different stakeholders, especially at the end user level. By having them engaged in that conversation around success and objectives early on, you're going to get so much more buy in from them and really empower them to feel like they are impacting that process and driving change in a meaningful way. And I think that's true both within your risk organization or compliance organization, but also across the business. So, any other stakeholders that you are asking for in terms of action or data that they're providing you, making them feel like they are a meaningful part of the process for sure. KS: Great. When you talk about metrics at a high level, it's things like time spent, cost, right? SL: Definitely. KS: And also resources, like how many resources are involved in executing on this one thing? And what's the cost of those resources? I mean, these processes are involving high level resources, and when they're bogged down by this administrative work, it's really not a good use of that resources time. SL: Definitely. KS: So, those are some high level areas. Anything else that you would recommend they look at for a high level metric? SL: Yeah, I think one thing I'd expand on with the example you just gave, which is a great example, is people will think about time savings as one of the metrics they want to capture, but oftentimes they might not think about it one step further, which is now that you've saved that time, what are those employees that are having that time saved, what are they able to do now with their extra time? And oftentimes you'll find that the efficiencies gained in maybe some of that administrative work they were doing previously, they are now able to spend on some much more valuable, meaningful work that's contributing to your business objectives overall. There are plenty of other things you can look at in terms of metrics. In the GRC space, obviously one of the things we look at is risk levels, and not only necessarily looking at how are we able to overall drive down this risk score for XYZ risk, but also being able to bubble that up to a more holistic perspective across your organization. And you could that down by departments, by geography, by products, by services. So, thinking about the different lenses from which you want to view all these data points is important as well. KS: Yeah, that's interesting. I'm going to go off on a brief tangent, but just today I had a call with somebody who wants to implement the fair risk methodology, which actually quantifies risk and also quantifies the cost of mitigating that risk. And they ... SL: Absolutely. KS: Want to use that to actually go and lobby for budget for things, because they're able to say, "Hey, yeah, it's going to cost us this much to make a change to mitigate, but the risk potentially could cost this much," and kind of use that as a way for getting buy in on budget, which I thought was really interesting. SL: Yes. I think that that is definitely a trend we're seeing as well, being able to use these metrics. Anytime you can put a dollar value on the table, that's going to be more impactful, right? KS: Exactly. SL: But yeah, being able to use the metrics to drive business making decisions and in cases like that, especially when you can put a dollar value on, here's the potential impact that this risk could have, but also when you've then tied to that risk to maybe high level business drivers that your company is working on, or high level objectives and they can see from that objective level, well this objective could be impacted by this risk and this risk has number of dollars associated with it in terms of impact. But then this objective could also be impacted by two other risks that also have dollar values associated with them. And then they can bring all of that together and see the total dollar value of impact that could potentially occur on that objective. And then compare that with the potential dollar value of mitigations you can put in place. I totally agree that, I mean that's so much more data in terms of being able to make smart business decisions on what risk are we going to accept versus what are we going to address proactively? KS: Awesome. So, what trends are you seeing and what solutions are making the biggest impact? SL: Sure. Right now in terms of what our customers are asking us most for, in terms of implementing their GRC solutions, I think there are, we kind of have our big three right now, which is enterprise risk management, of course. Third party risk is huge. A lot of people are looking at ways to get a better handle around the vendors and suppliers that they're working with and what type of risks they might be introducing to their ecosystem. And then the third one is controls management or controls assessments. Those are the top three use cases or modules that we're seeing are being asked for the most. And I would say also have the biggest impact. One thing to point out about those three use cases is all of them have tie ins across the board, across your GRC platform, right? So, from the enterprise risk management perspective, a lot of times those enterprise risks are tied to controls or policies. And so having a platform where you can manage both your enterprise risk management solution and your policy and procedure management solution, and then tie those together and see the relationships between them, so critical. Same thing for third party risk. You'll often want to be able to see your third party risk assessments in the same solution where you're managing procurement and contracting of those vendors, and link those to IT risks or enterprise risks that you're tracking in your GRC program. So, definitely that points, I think too, another big trend to just overall, which is getting a place where you can centralize your data and get a holistic view into risk across your entire organization. In those three that we just mentioned, there are so many different teams across an organization that impact all of those different use cases, compliance teams, risk teams, IT security teams. There are so many people that work together to get that overall GRC program to run. And one of the biggest challenges that companies often face is they don't have a solution that allows those teams to really seamlessly work together and collaborate. So, one of the biggest things that technology solutions can bring is that centralized repository where teams can make decisions together and really see those relationships across their different business units. KS: Yeah, I would agree with that. And I think that vendor risk management being one of the key areas that's a hot priority right now is it relates back to that, making the case for the dollar impact, because vendor management is enabling you to do business with other vendors, which is helping grow your business. So, I think that's indication as to why that's one of the hot areas. SL: Definitely. Yeah. And in general, I think that whole concept of using risk to inform your business making decisions just ties into the overall trend of trying to be more proactive and strategic with the information we're getting from our risk programs and making sure that from the very beginning we are tying our risks to business strategies and objectives. And when we do that, we are, as we alluded to earlier, able to make GRC something that is cared about at the board level and make it just a much more meaningful conversation topic. KS: Yeah. Changing it from a dark rain cloud above your head to actually something that is meaningful and easier and exciting to discuss, because you're able to see ahead and take action and make a change that's positive for the business is key. SL: Definitely. KS: Yeah. Well thank you so much for joining me on this episode of GRC & Me. I hope to have you back, because there's so much more to discuss. I think we just scratched the surface. But implementation is definitely a major area of concern when clients are looking at these projects, and I'm really glad that you came on and kind of shared some of your techniques and advice for that process and I think it was really, really helpful. SL: Well, very happy to be here. Thank you Kelley. KS: Thank you.

Videos

[Video] Third-Party Risk Management Solution

Learn More About Third-Party Risk Management With Risk Cloud®

Podcasts

GRC & Me Podcast: Matt Kunkel on the Key Benefits of a Flexible Data Model

On the show today we have Matt Kunkel, CEO of LogicGate, a leading GRC process automation platform. Matt…

Podcasts

GRC & Me Podcast: The Why Episode

What if you could hang out with GRC experts, ask them about their favorite methodologies, tools, and tips,…

Just like the billion-dollar GRC industry it covers, GRC & Me helps companies achieve their revenue goals while managing risk and compliance issues with integrity. This podcast is perfect for you if: You’re in a role concerned with corporate governance, risk management, or compliance (GRC) You want to protect your company and your brand, or… You simply love GRC like Kelley does! Tune in every month to learn from GRC experts and thought leaders, catch up on industry-shaping news, and better understand the decisions that drive results in your company. Connect with Kelley on LinkedIn. Episode Transcript KELLY SPAKOWSKI Hi, I'm Kelly Spakowski and this is GRC and Me. This is our very first episode. So if you're tuning in, thank you and welcome. I'm glad you found me. Why am I starting a podcast? Well, I work in risk and compliance and I want to bring a voice to professionals in GRC. GRC stands for governance, risk, and compliance and encapsulates many different processes that help assure organizations reliably achieved objectives, addresses, uncertainty, and acts with integrity. This podcast is a safe space for knowledge share on pertinent topics, shaping this increasingly important responsibility and complicated endeavor. So if you're in a role that requires risk awareness, if you're concerned with mitigation, if you're a chief of something, if you have a GRC title. Maybe you love compliance, and I know there's folk that do, or maybe you simply just love your company and you want to protect its brand at all costs, tune in and please join me. Avoiding risks tends to be a thankless job and only the big catastrophes get the headlines. But really it's the day to day mitigating work, the small corrections that avoid the iceberg. And that's what I want to discuss. I will be interviewing thought leaders in GRC discussing everything from hot topics, methodologies, frameworks, cultural nuances, you name it. I want to hear from you. My goal is to enable those in risk and compliance to be business enablers and an ally to revenue growth. With that mission in mind, we will look to share stories and lessons that rarely get discussed or celebrated in the goal of making an impact on your ability to drive change and also support a positive trajectory for not just your company, but your career. In my next episode, I'll be meeting with Matt Kunkel, CEO of Logic Gate. Definitely tune in and I can't wait to share. Thanks so much.

Podcasts

GRC & Me Podcast: Michael Rasmussen, the Father of GRC

In today's episode, GRC2020.com founder Michael Rasmussen joins us to discuss agile solutions and all things GRC. He…

EPISODE NOTES Top 3 Takeaways It’s important to first establish what your company is trying to accomplish with its GRC program. Frameworks are like the human body; you've got multiple systems involved. All those come together to help form a GRC program. In light of data breaches, consumers are picking up on privacy. They're demanding better practices with their personal data. Resources: Connect with Michael on LinkedIn Connect with Michael on Twitter GRC 20/20 GDPR California Consumer Privacy Act Ten Thousand Commandments The Competitive Enterprise Institute Episode Transcript Michael Rasmussen: At the end of the day, GRC is something organizations do, it's not something they buy. I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And from there, can we establish what technology's going to help us accomplish that? Kelley Spakowski: Hi. I'm Kelley Spakowski, and this is GRC And Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more to learn about their methods, solutions, and outlook in this phase. Today we have Michael Rasmussen with us to talk about all things GRC in general. Really excited to have him here. He is known as the father of GRC. Michael, welcome. MR: It's a pleasure to be here. KS: I'm super excited to have you on because you are the father of GRC. Can you give me a little bit more about how that came to be, and how you got involved in this industry? MR: Well, I... there's a dichotomy because there's a what GRC is, but then, there's also how I came to formulate GRC, because GRC is much broader than technology. But, as far as the GRC acronym, back in February 2002, I was working at Forester Research, and it's been seven years at Forester now, 12 years on my own. But, in 2002 on a cold snowy day in the Chicago office of Forester, I just got done with a briefing on a solution that can map risk and controls, and policies, and I; Wow! This is great. MR: When I was an IT Security Consultant in the Chicago [inaudible 00:01:43] markets, I was looking for something just like this. And so then, there's a whole market for this. And so, what do we call it? And at that point, you know, I thought; Well, it has a governance aspect, of, you know, understanding what our objectives are, and the risks to those objectives, and compliance obligations, and so, labeled it GRC, thus creating the GRC market. MR: Now, what's important to understand is, GRC's more than technology. In fact, every organization does GRC today, whether they call it GRC, ERM, IRM, XYZ, ABC. Everybody's got some approach to GRC, whether they use the acronym or not. You're not going to find an organization that says; We don't govern the organization, we can care less about risk or compliance. Every organization has, you know, some approach to Governance, Risk Management, and Compliance. MR: And so, to me, what's important to understand is that, while there's a market for GRC technology, at the end of the day, GRC is something the organization's do, it's not something they buy. I get frustrated all the time when, you know, like an insurance company called me in and said; We just bought GRC, now come and tell us how to do GRC. That's like putting the cart before the horse. KS: Right. MR: It's like, you're doing GRC already today, in some aspect. What are you trying to achieve? What are you trying to improve? How do you want to make things more efficient, effective, and agile? And then, let's talk about how to improve that, because there's some foundation of Governance, Risk Management, and Compliance, whether it's reactive firefighting through more structured and integrated, every organization's doing it in some way right now. KS: Yeah. That's interesting. So, when they say, help me do GRC, do think they're actually referring to; How do I operationalize this? Because, traditionally, we've just had, you know, Becky or one, you know, one person that actually own GRC for the organization. MR: Well, the challenge is, we've had multiple owners of GRC. And, it reminds me of the Winchester Mystery House in San Jose, California, the sprawling mansion that was built in the 1800s. It cost 5.5 million dollars to build in the 1800s. That's one expensive house today when you're calculate inflation. It had, it was built over 38 years, and had about 140 different builders. At the end of the day, it doesn't make a lot of sense. MR: It's got 10 thousand windows. It's got doors that open to walls, 20 foot drops of staircases that go up and down to nowhere. Skylights are in floors instead of ceilings. That's most organizations' GRC programs today. Over the last 38 years, they had to have 140 different builders of GRC in different departments doing their own little thing and manual processes or point solutions, without thinking big picture of how this should be designed. MR: The Winchester Mystery House had no design, no blueprint, no architect, but had 147 different builders. You know, that's exactly where organizations are at with GRC in a lot of cases, is they've had all these different builders without stepping back and saying; How can we design this? KS: I love that analogy. I like that return on investment too. I think I'll run with that. That's a good Segway to, you know, talking about how GRC is really moving from a nice to have, into a priority for a lot of organizations. What do you see going on there? Why do you think that's happening? MR: A lot of it is coming from multi-faceted environments. There's a lot of regulatory change, changing laws, rules, regulations, enforcement actions. It's not just the regulation itself, but, it can be the enforcement of that regulation. You know, global financial services firms are doing a 216 regulatory change events every business day, coming from 905 regulators around the world. That's just one aspect. We're not even talking healthcare and all these other industries. So, lots of regulatory change. There's lots of risk change, changing geopolitical risks all around us. Changing economic risks. Changing technology risks, and society, industry demands. But, at the same time, the business itself is changing. You have changing strategy and processes, changing employees, people moving from one department to another. And people that enter and exit the organization. Third-party risks of changing vendors and suppliers, and outsourcers, and service providers, and contractors, and consultants, and temporary workers where half of our insiders are no longer employees, but they're third parties. MR: And then, the whole area of mergers and acquisitions, and how that impacts and organization. The challenge there, in answering your question, is, you have to keep all that change in sync. Now, I can devote a ton of experts to be knowledgeable about regulatory change, but that doesn't make me compliant. As the business changes, I'm out of compliance. I've got to keep the business change in sync with the risk change, in sync with the regulatory change. And, that's the challenge. KS: Mm-hmm (affirmative). Yeah, great point. So, what we've found is, a lot of organizations, who are looking, or maybe are kicking the tires with solutions to support GRC, and a change, really, in GRC. They, up until this point, have been essentially keeping the lights on. Why is that not a fit anymore? And, I think you've kind of just said it, because all of these moving pieces are not in sync. But, can you elaborate more on why an organization should really ditch the spreadsheets, and email, and have a strategy around GRC? MR: Partly, to answer that, first off, it's because organizations are distributed, dynamic, and disrupted. You know, we've distributed operations across third-party relationships, around the world, and all these different interactions and transactions. And, it's very dynamic and distributed. And, it's dynamic in constantly changing, and it's just referencing on regulatory change, risk change, and business change, which leads constant disruption as well. In that context where you're trying to manage things, the lot of manual processes things slip through the cracks. Things get missed and overlooked. And then, we get into hot waters. I was talking to one bank, in which, you know, they went to more of a technology approach for defensible GRC. Because, the Federal Reserve had come in and said; You're not going to pass your next regulatory exam if you continue to manage GRC in documents, and spreadsheets, and emails. We want to see a complete record, auto trail, a system of record. What was assessed? What day and time? Who assessed it? Then somebody came back a week later, or two weeks later to try to paint the rosy picture to get the organization out of trouble, or, you know, bypass the regulator. They want to see that day and timestamp of that complete auto trail and history of all those different interactions on the assessments, and controls, and policies. Documents, spreadsheets, and emails don't get you that system of record and auto trail that the regulators and auditors are starting to look for. On top of that, you know, it's around efficiency, effectiveness, and agility. How can I make my processes for related to GRC more efficient? Time saved. Dollar saved. More effective being accurate, complete, thorough, as well as agile and responsive to a dynamic business environment. You know, one organization I was talking to is spending 200 FTE hours building an interview report for the Board of Directors and Compliance. Now it takes them less than a minute. But, if it takes you 200 FTE hours to build a report, you're certainly not agile. KS: Yeah. MR: And, if you're trying to find transient patterns and see that where things are going wrong, and if you're doing that once a year, and it takes you 200 hours to build that report, things are slipping through the cracks, and big issues are going unnoticed, if you don't have that at your fingertips. That's an issue. That's a challenge in organizations. We need that visibility. And, documents, spreadsheets, and emails don't get us there. They don't allow us for that ongoing monitoring, and instant understanding of what's going on in the environment, and being able to identify key risk indicators and trends that can be monitored on a minute by minute, second by second basis. KS: Great point. So, for the organizations who are now realizing; Okay, we're ready to take on GRC, they're past this point. And, they're looking at how they can be more strategic in a GRC strategy. There's a lot of different frameworks out there. How do they decide what framework is the best fit? And then, how do they actually take a technology, operationalize it, and then build a strategy around that? MR: Great question. There are a lot of frameworks. And, frameworks are like the human body. You look at the human body, you got multiple systems involved. You've got the skeletal system, the muscular system, the nervous system, the respiratory system, the digestive system. You know, that's like frameworks. There's frameworks that can model the different parts of, like, the body of different components of it. You know, you got risk frameworks. You got compliance frameworks, and audit frameworks. And so, all those come together to help our former GRC program. There's no one framework or standard out there that is a perfect fit for every organization. And so, it's about taking these frameworks, and applying them to your organization, modifying them, so that it makes sense for your organization. And, like the human body has different systems, we might bring together different frameworks to build and compose that. Now, the sort of uber framework to sort of manage all this, that I like is, the OCEG GRC Capability Model. Now, I helped contribute to that, so, I've got an interest in that. But, you know, when we built version one around version three of the GRC Capability Model, now, we've looked over a hundred different, you know, frameworks and things out there from Australia, New Zealand, 4360 was the management standard, which became ISO 31000. MR: Did the ISO 27000 standard, ISO 9000. COSO ERM, COSO Internal Control, COBIT. You name it, we looked at a lot of different frameworks and standards. So, what if some of the common Governance, Risk, and Compliance processes and activities across all these frameworks? And from there, we came up with all these components and elements, and each component to be able to manage that. The existing version three includes the learn, where we understand the environment. The internal and external context, stakeholders and culture of the organization from the align, where we identify risk, we... and compliance, and obligations. And, we assess that. And, we define activities. And, from there, we move into perform, and where we document controls. We have new policies, communication and training programs, and hotlines, and incentives for reporting issues. And to be able to manage that process. And then, we monitor where we provide audited insurance and validation of the program. But, it... to me, the GRC capability models are the good uber framework to encompass all of them. But, really, it provides integration. But, I describe the juice and capability models being really a Rosetta Stone of frameworks that sort of provides some of the common 80% commonality between different frameworks. But, the other frameworks are still needed. It's just sort of more of a translation stone. KS: That makes total sense. So, do the decisions need to be made on the framework and the methodology before the technology? What do you recommend there? Because, I think a lot of organizations really struggle. They say; Well, we haven't quite decided how we want to run our program. We don't know what methodology is a best fit. We haven't decided on a framework. So, we're just not ready for technology. Do you agree with that? And, what's your advice there? MR: It depends. KS: Okay. MR: There's always, you know, little factors and things that can influence that. KS: Yeah. MR: To me, I mean, we can talk about an enterprise GRC type strategy, or multiple departments are coming together to cohesively look in how we approach this. Or, we could talk about, you know, very specific department needs, which are easier to get our hands around. If we don't have that enterprise GRC strategy in place, how can I solve department problems? And, what type of solution can I pick out there from a technology perspective that can, not only solve my department problems, but could eventually be leveraged for other needs across other departments as well? Because, if all I'm looking at is my department, I might pick something that couldn't be leveraged with other departments, and might limit me in the future. And so, looking at what could possibly happens is important. Now, obviously, the best point of reference is, being able to understand, and will be able to build that collaboration across departments so that you can select the right framework and technology to fit that. Ultimately, it's good to understand what framework you're going to have, so the technology can be adapted to it. As I mentioned earlier, I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And, from there, can we establish what technology's going to help us accomplish that? And, what frameworks? KS: Great advice. What trends are you seeing, and what do you think those trends indicate? That's a pretty broad question, but, I'm ready for the broad answer! MR: Well, there's growing regulatory concerns across industries. And, changes in enforcement actions, and increased enforcement on that. A lot of geopolitical unrest, and understanding, you know; What's happening in the world right now with different, you know, political regimes, and changes, and shifts, and different trajectories of different countries and things like that? And, what does that mean to a dynamic and distributed business environment that goes around the world? You talk about Brexit and United Kingdom and things. Or, import and exports, and sanctions, or whatever it might be that, there's a lot of things influencing that. There's a lot of shifts and things internally on greater responsibilities and oversight. Compliance is a function that's maturing rapidly in organizations where it used to buried in the legal department. Now, corporate compliance, more and more is reporting outside of legal, in its own entity in the organization. We're seeing trends there. Internal audits being challenged to be able to do more than just traditional internal controls, or financial reporting-type audits, where we see more and more IT audits over years, but now, operational audits, out in business operations, and even third-party audits. There's a lot of different parts of the organization that are very dynamic in shifting and changing right now. KS: Awesome. What success metric should be priorities for GRC teams? When they're implementing GRC technology, what recommendations do you have for achieving those outcomes? MR: I break it down to those three areas of value; efficiency, effectiveness, and agility. The efficiency metric is; time saved, money saved. You know, before, you know, it was taking me this much time and effort, and cost me this much money to do things related to GRC. Now, I've reduced it to this figure. Effectiveness, you know, how more accurate, complete, thorough, reliable is our GRC related information? How timely is it? That also ties into the third element, the agility. How can we keep up with the changing and dynamic regulatory and risk environment, and business environment, and stay current with the changing business? On top of that, agility is also the ability to be responsive. How can we quickly identify issues and resolve them before they become bigger issues? KS: I love that. The effectiveness piece, do you think that's hardest one for people to get their finger on, because maybe they don't have those data points, even, you know, if they're starting a GRC program from scratch? MR: Effectiveness can be challenging. But, I find that a lot of organizations is the efficiency piece. That, they just haven't measured the actual human capital cost of GRC in their organization. As I mentioned the one organization that was spending 200 FTE hours, after they really dug into it to build one report for the Board of Directors. There's multiple reports. That was just one report on an annual basis for the Board of Directors and Compliance. 200 FTE hours, and it now takes them less than a minute. You can build out a value proposition from there. You know, a firm I was just talking to is spending, you know, their competitor spends six FTEs managing their third-party relationships and suppliers. What they spend, this organization, was one FTE, you know, because they have an automated process. You know, six employees, and you calculate full-time equivalent benefits and salaries, and things out there against one employee with the technology that can enable that. Same amount of suppliers, two different companies. Different contrasts. KS: That's huge. So, those are huge numbers. It comes full circle back to that Winchester House analogy and all the time and resources spent on that. You have people that own little bits of it. And so, the work is really spread around and kind of lost in the scenes. That's interesting. So, in a recent GRC 20/20 piece, you contrasted agile GRC solutions with legacy players. How do you define agile, and what do you think is behind the emergence? MR: Great question. The emergence is, technology that's evolved. I've been monitoring this GRC market since 2002. So, we're in 2019, that's, you know, 17 years now. Technology is not the same today as it was in 2002. KS: No way! MR: We have a lot of different technology. And so, some of these legacy [inaudible 00:17:35], they cost a lot of money to implement. I was doing an analysis of the different ROPs I've interacted on, and found that, those that Gardner enforced are put up in the upper right, in the leader's quadrant of the wave and magic quadrant. They typically have a ratio of every dollar you spend on software license, like subscription license, you're spending three to five dollars in implementation and build out. That's expensive. And, those that are outside that, is more of a ratio of .5 to 1.5. And so, I'm not talking management consulting. I'm just talking about configuration and build out of the platform. You know, technology's changed significantly, and the more established, you know, legacy of being with players are very costly to implement and own in the organization. And, organizations are starting to catch up on that, and understand that there's more agile technology available in the market. The way I define agile GRC technologies, one is the user-interface. How intuitive is it to use? How willing and engaging is it, not only for the second lane of defense, the risk and compliance and security officers and managers? As well as the third line and the auto professionals. But, also the frontline employees, the first line of defense. How easy is it for them to use and read policies, go through training, take assessments, report issues and things? You know, so, when an element of agile as a usability intuitiveness. Another piece of agility is the ability of the solution to be easily configured and adapt to the organization without custom coding that breaks on upgrades, or takes six months to make a change with, you know, a certified expert that costs 130 thousand dollars a year to make that change. You know, how agile is the solution itself to be adapted to the organization rapidly? And then, scalability of it too, is important. You know, can the solution scale with me and help me through mergers and acquisitions as the business evolves and changes? That becomes important. KS: Yeah. The adoption to the business, I think, is huge, which I think gets lost in conversation a little bit. The ability to bring the business users who are actually close to the needs and the requirements, regulatory business and otherwise, bringing them closer to the technology, and actually giving them control over how that's configured, I think is huge, rather than passing it off to an IT resource who might not necessarily know the nuisances of the needs of the business. It reduces a lot of friction there. What are the differentiating factors among GRC solutions that will establish industry leadership positions versus ones that won't? MR: First and foremost, to me, today in this agile market that we need, is the total cost of ownership. What is the cost, not only to acquire the solution, but to actually implement, and own, and maintain the solution? There is a LinkedIn post out there from last August that compared, you know, the implementation. I'm not going to name names here. But, of one of the major GRC BMS platforms that Gardner loves a lot, to the lyrics to the song, Hotel California. That, basically, you're trapped and can't get out. You know, they said, after spending 500 thousand dollars in software licensing, and two million dollars in implementation, three years later, they're just getting some basic functionality working. That's not agile. I mean, today's technology for GRC needs to be rapidly implemented and molded to the organization to be able to bring value and return to the organization. To me, that's critical. KS: Yeah, the evolving piece, I think is, you hit it on the nose. I hear that very commonly. People are very committing to a piece of a technology because they feel as though they're locked in to that, you know, initial configuration at that point, which agile solutions are now really unlocking that for people, so, really great point. Do you foresee massive data breaches to continue? And, if so, how will they shape the future of GRC? MR: Data breaches are definitely going to continue. It's just the complexity of the world that we live in. I mean, you go back a couple years ago to the Target breach, one of the largest credit card breaches in history. The doorway into that was an HVAC vendor. The heating and air conditioning had a connection with the Target Network and Environmental Monitoring. And, a hacker broke in. The heating and air conditioning vendor was able to compromise point-of-sales systems across Targets. That's the interconnectedness. Now, the heating and air conditioning vendor is not a traditionally team vendor. But, they're being connected to the network, and were given access. It could be anybody, a supplier, vendor, outsourcer, service provider. Our risks are multiplying with a lot of these third-party relationships. And, over half of data breaches are not with traditional employees, but they're with third-party relationships now. And now, we have a concern with the Internet of things that the next major breach can come from the microwave in the break room that's connected to the Internet. KS: Right. Exactly! Medical devices, multi-function devices often get overlooked. These are all new things that are being folded into the risk profiles. MR: Yep. KS: So, yes. That's fascinating. And, I agree with you. I don't think it's going to slow down. I think it will just increase. How do you expect the regulatory landscape in the U.S. to evolve in the coming years, and especially in light of GDPR and key California Privacy Consumer Act? MR: That's a loaded question! That can get into political ideology and things too, and... KS: We don't need to go into politics, but, yeah! MR: Yeah! But, one thing that happens year over year with whatever administration it is, is regulations and things grow. I mean, one of my favorite annual reads is the 10000 Commandments that comes out of the Competitive Enterprise Institute from Kolkata Institute on that, you know, just that the actual impacting cost of regulation at the U.S. Federal Government, not even talking about State and Local governments. There's a lot that happens in changes. Now, California tends to be a trendsetter. So, what happens in California, other states pick up upon, and then eventually, it might get implemented in Federal regulation, because organizations say; Oh, but I they didn't want regulation before. So, you... now you got to do something, because now we have, you know, 48 of the 50 states doing something here in different ways. We need consistency. And so, you know, when you look at mandatory disclosure laws that came out, you know, a decade ago. California started that. And then, within two years, it was like 48 states had similar laws. You know, now, with California's Consumer Protection Act, which, you know, is very GDPR-like, from the EUGDPR-type regulation, you're going to see other states pick up on that too. And, at some point, organizations are going to say; This is a mess. Because, the government's got to step up and have over sweeping regulation on this so it's consistent. KS: Yeah. Absolutely. And, I think consumers are really picking up on privacy, and they're starting to dial into that, and you know, start to question some of the companies that they do business with. They want to know about their data. They want to know, is it being protected? They want to know how it's being used, because of all the, you know, the exposure that have happened through breaches like Target, and you know, what's going on with Facebook and other social media platforms. Privacy is top of mind. So, whether it's coming via regulation, it's certainly coming from consumers that are demanding better practices with their personal data. MR: Yeah. KS: Thank you so much for joining me on GRC And Me. It's been a great podcast. Your expertise in this phase because of the complexity is just really, really great to have on, and I know my audience will really appreciate it. So, thank you so much for joining me, and I hope you'll join me again. MR: Certainly will. Thank you.

eBooks

Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle

Catch up on modern frameworks and methodologies for managing your network of third-party vendors and suppliers.

Webinars

Webinar: Third Party Risk & Driving Cross-Functional Alignment Across the Vendor Lifecycle

Join our panel of experts for an informative discussion on the subject of Third Party Risk Management, from…

Case Studies

LogicGate and Intradiem: Promoting Trust

Intradiem needed help with a number of its GRC processes, from ISO and SOC2 controls to Business Continuity…

Reports

G2 Fall 2019 Grid Report for Top GRC Platforms

Download the G2 Fall 2019 Grid Report to learn more about LogicGate and the other top GRC platforms.

eBooks

A Guide to Enabling and Protecting Your Business with Smarter Infosec Strategies in 2020 and Beyond

Learn the four pillars of a sound IT Security program—and why they're so important to your company's mission.

Webinars

Critical Actions to Survive a Data Breach in 2019 & Beyond

Today’s organizations face a cybersecurity landscape more difficult to navigate than ever before.

Brochures

Regulatory Compliance Solution

Comply With Constantly Changing Regulatory Requirements and Pass Your Next Exam or Audit

Brochures

Internal Audit Solution

Shorten Time to Audit With a Connected View of Controls, Risks, and Evidence

Brochures

Environmental, Social, and Governance (ESG) Solution

Use Risk Cloud to measure, track, and report on your company’s ESG goals and initiatives — all in…

Brochures

Operational Resiliency Solution

Build Operational Resilience and Recover From Business Disruption

Brochures

Policy Management Solution

Learn how the LogicGate platform can improve your policy management program.

eBooks

How to Build Organizational Support for ERM

Gain support from your entire organization for an enterprise-wide ERM program that can change your risk culture.

LogicGate

5 Practical Steps to Scale Your Vendor Risk Management Program

Listen as GRC experts discuss the practical steps you need to scale your vendor risk management program.

LogicGate

Managing Third Party Risk in the Age of GDPR

Third-party relationships can add an extra layer of complexity to your GDPR compliance strategies.

Videos

[Video] LogicGate: Building the Future of GRC Automation

LogicGate can help your organization reduce risk and ultimately improve operational efficiencies.

Watch More

eBooks

GDPR Compliance

Learn how GDPR could affect your company—as well as how to manage its many compliance requirements—by reading LogicGate's…

Brochures

Third-Party Risk Management Solution

Identify, Assess, and Quantify Third-Party Risks With Risk Cloud

Brochures

Enterprise Risk Management Solution

Risk Cloud puts you at the center of all Enterprise Risk Management processes so you can identify, assess,…

Brochures

Data Privacy Solution

Streamline and automate data privacy tasks without hassles — all in one place.

Sorry, no results found.