HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski and this is GRC & Me, a podcast where I interview industry thought leaders in governance, risk and compliance, on hot topics, industry-specific challenges, trends and more to learn about their methods, solutions, and outlooks in the space. Today I have with me Matt Kunkel, CEO of LogicGate, to discuss flexible data models.
MATT KUNKEL: Hi, Kelly. Thanks for having me.
KS: Thanks for joining. I want to understand your background. I know you have a lot of experience in risk and compliance projects, specifically in the financial market sector. Tell me a little bit more about your background and how you got started.
MK: Yeah. So I spent probably the last 13 years in the consulting space developing risk and compliance applications for very large organizations like JP Morgan Chase and developed their regulatory change management application, and then their policy management application, things for Sanofi Aventis, which is a very large pharmaceutical company, developing their enterprise risk management applications, things for Facebook. The list goes on and on.
MK: And really just, we were doing custom application development which means you needed a custom data model for each specific application that we were creating in the space.
KS: Very interesting. And I understand you were a part of some pretty high profile projects, things related to some regulatory requirements. Can you tell me more about those projects?
MK: Yeah. So, we, the big one I think that you're speaking to is at JPMorgan Chase and getting them out of an OCC consent order, and really what that revolved around was, they had all of these mortgage banking regulations, so about 30,000 plus federal, state and local mortgage banking regulations, and then what the office of currency control wanted to know is, how is Chase compliant with those? What policy procedure system control do they have in place? What is the evidence that they can provide that they do have this in place? And if they don't have any evidence, how do we actually get that evidence in place and remediate that. Right?
And you can think about that. That's a big data model. We've got structures of the regulations and then those regulations tie to the different business units that they're associated with, it could be one or many. Those tie to the different assets that they're using to provide evidence for. That could be a large amount that are more policies and controls, but it could be a system control. That then tied to an assessment of, yes, we are compliant, no, we're not compliant, maybe we have a partially compliant, we have a gap. That then tied to a whole system of, if there was a gap, how do we remediate that gap or sign off on that gap?
So, all of those things in tandem combined, that makes up a data model, in the background, and in the foreground you have a nice little application that provides the data up to you nicely and moves things along in the process and makes sure that the end business users get the data that they need in a timely manner.
KS: Right. And that is a perfect segue. So, with this, obviously, flexible data model is really key. And now that you're in the GRC solution provider space I think you really understand that and you're innovating here. So, why are data models so important to an effective GRC program?
MK: A data model really is the... and it's not just the GRC program, it's any program. A data model is the underlying architecture that pins the program that we are providing in here and that we're delivering up. I think specifically when you're talking about the flexibility of the data model, where that comes into play and why that's important, is because of many different reasons. The change that happens in the organization and rapidly, rapidly changing.
Two is because nothing in the organization is permanent, so if you start with something down the road you might not know where you want to go and you need the flexibility of putting something in place day one, but not having the final vision of where it's going, and you can have the flexibility to morph along the way.
And three, is it presents different approaches. And maybe, for example, one business unit wants to do something one way with their processes and their procedures and another business unit wants to do something in a totally different way. That's not saying one's better than the other, it's just how they organize their business and do their business. But then, having that roll up to a larger holistic view in there.
That's really kind of what having that flexible data model allows organizations to do. And if you have a traditional data model, it is an upfront, we define the processes and the programs and the protocols and how we want our systems to work. And then we've defined that. And then we build that and implement that and put that into place.
The problem with that is that it's just not realistic. We don't live in a world that is static. We live in a world that is constantly moving and constantly changing and constantly evolving. The business landscape evolves, the regulatory landscape evolves in here, we get into new lines of business. And specifically, as it relates to risk and compliance, they're put in place to monitor the business, and provide transparency to the executive team and the board on how the business is performing, as it relates to regulatory, risk and compliance matters. And if the business is moving, they have to move ...
KS: Mm-hmm (affirmative)
MK: ... and if they have to move, the technology that they're using to operationalize their business has to move. And if you have a nonflexible data model in there, a framework data model, that means that change is just dramatically stunted, and you can't make efficient change in the manners in which you want to. And that means, time and also cost.
KS: Yep. On one of the issues you touched on is that lack of vision. I hear it so commonly from risk and compliance professionals. Well, we don't know what we don't know yet. So, I think that this is a really interesting way to allow for that. It's okay, you don't have to know because the data is going to move with you.
MK: A great point on that is, I was talking to a CISO and he gave me just an amazing, amazing kind of analogy about this. And he said, "Listen, I look for someone on my team for a job that I need to fill today. But really, what I'm ultimately hiring 'em for, is down the road, what I believe they can do and be within the organization. Right. I don't know what that is, I don't know what that's going to be yet. But I'm hiring them for where they can grow into." He said, when we evaluate software, that's what we're looking for as well. Right. We're looking for a piece of technology that can meet the need that we need today, whether it's third party risk management, or IT risk, or policy management, or controls management, or employee attestation. But ultimately what we want is a technology that is flexible enough and nimble enough, that can morph with us as the organization changes and evolves down the road.
KS: Right. And not only that, but support different types of maturity levels and complexity, too.
MK: A hundred percent.
KS: Awesome. The flexible data model, you kinda already touched on this, but I want to dig in a little bit to understand how it's really different from other data models. Can you elaborate on the key differences...
MK: Yeah so traditional, kind of relational, data model, that's like a SQL or an Oracle, kinda those are the big, two traditional databases behind these models. They're just frameworked, right? And what we do is when we, and actually the development methodology is called waterfall. So you define all of your business requirements up front. You get a bunch of stakeholders in the room. You identify, kind of, you know what are the requirements in here. What are the business processes that need to be supported? How do we scope all that out? What are the data we need to display and collect? And we create tables, and those tables link together and you create a framework data model. And then, probably within the last, I'll call it, I don't know, decade or so, six and ... probably really in earnest, the last four, to five, to six years, different database technologies come out. NoSQL.
Neo4j is the one that we use, and is the one that I think is a big player in the market. It's a lot of what the social networking sites are built on top of. And what that allows you to do is create relationships with different entities and these really tables that can very easily be linked together on the fly, real time, without having to define the architecture upfront and knowing exactly what you want to build, upfront, in here.
KS: Very interesting. So, why would somebody choose this model over another? And what are the key benefits?
MK: Yeah, I think, there's a couple reasons, right? And I think some of them we've hit on. One is if they are a hyper growth company, that doesn't know where they're going to be 12-18 months down the road. And they want to start now, right so they can get something up and running. But it allows them the flexibility to as their organization morphs and evolves, and as their programs, the risk and compliance programs morphs and evolves, very easily able to update the technology on that. That's one.
I think, two is, we talked about this a little bit, it allows for different approaches, right? We don't have to have one framework data model, we can have multiple data models running on the same, kind of platform that focus on our IT risk management group, and then maybe how marketing is doing their risk management can be wildly different, yet still roll up to kind of the holistic enterprise view in there.
And then lastly, I think it's, just change is happening so rapidly these days, right? Businesses are moving and evolving so fast, and so is the regulatory landscape, that it allows organizations to not be pigeonholed to one frameworked environment. And then if they want to change it in six months, you know, that's another six months to get up and running, right? You can very easily be able to change the underlying architecture. And then, ultimately, I think different organizations are doing things in different ways.
KS: Mm-hmm (affirmative). Do you think that's why some of the old ways of doing things ad hoc in Excel and email, and whatnot, different drives and different documents, do you think that's maybe why that's persisted. Because change is happening so rapidly that some technology can't keep up with it?
MK: Oh, for sure. I mean, I think that's a big part of it, right? And I think another big part of it is they see themselves and say, "Hey, this is where we are today." Right? "And we're using spreadsheets and emails and we'd love to use the technology, but it's going to take a big lift to get how we do things today into the model that this piece of technology is built around." Right? This frameworked model, in there. A lot of time and a lot of cost in that.
And with a flexible data model, it is a much dramatically smaller lift to take, "Hey! This is what we're doing today and these spreadsheets and emails and file shares and Microsoft Office kind of product," and get that into a very robust, enterprise technology that gives you the auditability, that gives you the automation, that gives you the efficiencies in there as these larger tools, but it allows them to wrap exactly how they are doing something around their process with the technology. The technology just wraps right around that.
KS: So valuable. Why do you think the data model flexibility is important to the future of organizations? And how do you see this innovating how we do business?
MK: Yeah, well, I just think the big thing is the rate of change within the world, right, and in organizations specifically. You know, it's exponential. That is something that I don't think anyone would disagree that is going to slow down in any way. So as we are changing from a society and organizations faster, and faster, and faster, the technology that we are using to operationalize, frankly, our lives and how we do our work, needs to adjust and move and change faster, and faster, and faster. And if you're built on very nimble, flexible technology and data models, you're able to do that.
KS: How do you think this is going to influence industries? Not just companies, I think that value is pretty clear, but how do you think this will change industries and how we're doing business?
MK: Yeah, it's a good question. I think, kinda, the jury is still out on that one. And we'll see over time from an industry perspective. But, ultimately what it will allow us to do is get to places from a peer industry perspective faster...
KS: Mm-hmm (affirmative).
MK: ...than we have gotten there ever before, right? Just, it's a trickle down effect. If the companies are moving faster because they can morph and change and evolve, and adjust faster to market trends and other factors out there, then just industries as a whole are going to bolster up and be able to move faster.
KS: What innovation is developing from the flexible data model?
MK: Yeah, so the data models that, I mean, the big ones that are out there are kind of the NoSQLs of the world, the, you know, Neo4js of the world, but I think there's a lot of innovations that are trending from these flexible data models. And what folks in organizations are able to do with them, and frankly it's the applications internally that they're able to create in a very short time period. It's almost creating, what I'll call citizen developers...
KS: Mm-hmm (affirmative).
MK: ...meaning that analysts, folks with no real technical and coding experience, can actually build out applications to enhance and make their business lives more effective and efficient. And then really change, that will allow organizations to kinda change the trajectory and how they're going and their growth patterns and what they can provide to their consumers and their customers.
KS: I think that's such an interesting point. You know, and I think that actually speaks to how it's changing the way we do business. If you think about the past, there was a really hard line between IT and the business units. And IT really controlled all of the technology and ownership of that technology. And really, things are changing. And users are way more technically savvy. They're leaning in. They want more ownership over their business solutions. And so I think that this is making that kind of tech more accessible to them. And spreading that technological resource across the company a little more evenly, too. Which I think is giving the business side more agility and strategy over technology and data.
MK: One hundred percent. I couldn't agree with you more.
KS: What advice do you have for organizations who want to move towards this model?
MK: I would say, move and move fast. And the reason why is you can always change it later, right? That's the beauty of the flexible data model is that you get up and running with something and then inevitably, as your business morphs and changes, or evolves or if it just wasn't initially thought out in the way that it practically works, it's very easy to change going forward. So, move and move fast.
KS: That's a great point. And you've helped companies move from an old model to this flexible data model.
MK: Mm-hmm (affirmative).
KS: What obstacles did they have? And were they just perceived obstacles and how did you help them overcome that?
MK: Yeah, I think the biggest obstacle, again, moving from whether it's the Microsoft Office Suite and spreadsheets and emails or a legacy platform on to something new, is just change management and adoption. And getting that rolled out within the organization and making sure that the appropriate buy-in from stakeholders is there. But from a technical perspective, there's not really a lot of large obstacles when moving from, you know, spreadsheets, emails, file shares, to a flexible data model, or from a legacy technology system into a flexible data model as well.
KS: Fantastic. Well, this was a really interesting conversation. I think that the flexible data model is super exciting. I think if you're in risk and compliance, really any function, you should be thinking about this and demanding it of your business solutions. Because it's going to allow you to be much more agile. So thank you so much, Matt, for joining me on this episode to talk about flexible data models. I'm sure I'll have you back on to talk about other things. We can even do a deeper dive on this. But this is a really great start and thanks again.
MK: Great, thanks for having me, Kelley.