Episode Transcript
HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski, and this is GRC and Me, a podcast where I interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space.
This is the LogicGate story which as it turns out starts with conquering risk, and then taking on a personal risk, right?
MATT KUNKEL: It does.
KS: And I've got Matt Kunkel with me here. He's our CEO of LogicGate.
MK: Thanks for having me Kelley.
KS: Thank you for joining. I'm really excited to capture this story about how the committee got started. But, I want to take a back step and understand your background, and what led you to getting the company started. And, funnily enough, we actually attended an event together, the Secure Risk Management Forum in Georgia two weeks ago, and you even mentioned a little bit more of your background that I hadn't heard before, which was you actually had your hands in a couple of projects related to the Lehman Brothers fallout, as well as the Bernie Madoff Scandal, as well. So, I want to hear about that too, because that's incredible.
KS: You were born in 82 right?
MK: I was. [inaudible 00:01:49] me here.
KS: Well, I was too. But, I think that's really incredible considering your background and how young you are, and where you're at. So, tell me more about your involvement in those projects, and then take me to the JP Morgan Chase Project.
MK: Sure. Was a Midwest guy, grew up in Ann Arbor, Michigan, but ended up getting out and went to school in Indiana, and was a finance, economics major there, and through school found my way to Chicago, working for a management consulting firm called FTI. And, this is in the early to mid 2000s. And back in those days you needed to know how to code a little bit to really get on the big fun investigations, and one of the partners that FTI landed a job with the Bernie Madoff investigation, and really we needed part of FTI's responsibility and doing all fictitious profit analysis around that so to say. "Hey we need to sue [inaudible 00:02:46] for a couple of billion and give it back to these mom and pops." I really helped code out the solution that did a lot of that fictitious profit analysis. And then very soon after that, Lehman Brothers went bankrupt, and we, myself and my team coded a big part of the solution that unwound a vast majority of the Lehman's transactions on the debtor side.
That's really where I cut my teeth in application development, and using technology to solve problems. And from there moved over to another consulting firm, called Navigant Consulting. At Navigant started up their custom app dev group, and really what we did is we built very large-scale, Fortune-100 companies, GRC programs, governance risk and compliance programs, partnering in conjunction with the folks in our financial services practice, in our energy practice, and in our healthcare practice. One of the bigger jobs that we did was to help J.P. Morgan Chase specifically, their mortgage bank, get out of a consent order with the OCC, which is the Offices of Currency Controller, and a big consent order against them. Basically, what was happening is within mortgage there are tens of thousands of regulations that they have to follow from the federal level, but also the state and local jurisdictions that they are doing business in.
KS: And this was a result of that new, the Dodd-Frank ruling?
MK: Correct. This is part of what came out of Dodd-Frank. It was just really more transparency and more, "Hey here are rules and regulations that specifically mortgage companies, banks in general, specifically mortgage banks, need to follow to make sure that we don't get ourselves into situations like the financial crisis again." And, it was just a laundry list of these regulations. And, the government comes in and says, "Okay, Chase tell me how you're compliant with line 12,852 of this huge Code of Conduct, and what policies do you have in place? What procedures you have in place? What system controls you have in place to get compliance with this?"
Frankly, there's just so many in there. There's just such a big spiderweb because one regulation could relate to many different business units that Chase has in there. And, those business units could be using different policies, procedures, system controls to follow that. So, there is a huge spiderweb effect that happened, and really just ultimately Chase couldn't provide the visibility and transparency, let alone to their Executive Board, but more importantly to the regulators that they were doing this.
KS: And that web that you mentioned, what was that constructed of at J.P. Morgan at the time?
MK: Affectionately, what we call duct tape and bubblegum, which is spreadsheets, emails, file shares, a hodgepodge of really Microsoft Office products that they were trying to cobble this web together with. They had failed their consent order twice previously. Then we came in, and really partnered with our folks in our financial services group that gave the subject matter expertise around the specific policies, and controls that needed to be put in place.
In my team, we built the technology to really take all those regulations, break them out into sub-components, have a mechanism to assign those sub-components out to specific business units that they apply to, then had a mechanism to do what we call an assessment to say what policy, procedure, system control we have in place. There wasn't anything in place. We had a gap. Maybe if there was something in place, but it wasn't up to date, we have a partial gap. And then what is the process by which we get compliant, right? And those recall findings. We've findings off of that, and then we created action plans, and action items to get those gaps remediated. And, most of the time that was getting policies and procedures up-to-date. Sometimes implementing system controls in place, or sometimes just saying, "Hey, we know that we have a potential gap here, and we're okay with that from Chase's perspective because of XYZ," and that typically was Executive sign off [inaudible 00:06:54] that.
KS: Tell me about the Executives you worked with at J.P. Morgan. Who led this project, and just give me a little bit of background on-
MK: Yeah, it was from the top. Jamie Dimon was signing off on the ultimate invoices that we were sending Chase. There's a guy by the name of Kevin Water, who is the CEO of Chase's mortgage bank at the time. And then there is another fellow by the name of Roland Hargrove, he was the head of special projects for Chase, and he ultimately headed up this project. We worked very closely with them at Chase.
KS: It's incredible. And how long was this project?
MK: Frankly, I think it's still probably going on. We started it maybe in the 2014-15 timeframe, somewhere in there. Part of the reason I think Chase ultimately went with Navigant is, we said, "Hey, we can get you our technologies stood up and running in a very short time period." And they, I think, had realized after failing two consent orders that they needed some technology to actually operationalize the program, and keep the program of regulatory compliance evergreen. They put some resources in stock behind, "Okay, Navigant can actually give us a subject matter expertise, but they have this technology group that can actually execute and build us out. What we need from a technology perspective in a very short order."
KS: Got it. And, that was you and how many other people?
MK: A small army of people involved in that. Many, many, many developers, many business analysts from our requirements gathering perspective, and many subject matter experts that relates to financial regulatory compliance.
KS: Okay. And you guys were holed up in?
MK: We're in lovely Jacksonville, Florida for the most of the time. It's great. Great weather. Great to get out of Chicago during the cold winter months, and hang out there. But, definitely spent some time in New York at the corporate headquarters, and then in Columbus, Ohio which is where a lot of their writing team is, their policy writing team. So, we spent some time there as we were building outcome of the next evolution in phase of their platform which was the old policy and procedure management module application that bolted onto the upfront assessments.
KS: Awesome. So when was the, "Aha" like, light-bulb moment for you during this process?
MK: Yeah. I was just sitting down, and talking to the Chase Executives, and they were saying, "Love the platform that you've created, [God 00:09:33] helped get us out of this consent order. We feel really good about that. But, there's just these constant change orders coming in for the platform, and frankly it's always gonna happen. And, the business is moving so fast, the regulatory landscape is moving so fast that we're always reliant on you at Navigant. And frankly, that's costing us a lot of money. We would like the platform that our Chase employees in the regulatory and compliance group to be able to make the updates ourselves, and make our business analyst make the same updates our dev team is making."
And that was kind of the light bulb moment for me. That was the one where I was like, "Well, if we could do that, I really think that there is a big need in the marketplace for a technology that is that flexible in that dynamic yet that easy to use from an end business user perspective, and in an administrator of a platform like that that have no technical acumen whatsoever. Excel is where they live their lives. But, if they can make enterprise grade technology, I think you have something in the marketplace."
So, spent some time talking with my two co-founders, John and Dan. Dan was on the technical team at Navigant, and John was on the customer success implementation team. And, really looked at many different solutions that we'd created over this time period, and just came up with a thesis that, it doesn't matter if you're doing a third party risk assessment, or controls assessment, or policy management, or enterprise risk management, or incident tracking, or you need to be NIST compliant, SOC compliant, ISO compliant, HIPAA compliant. Ultimately, at the end of the day, really what the technology is doing is just a process.
We're just logically moving work inside and outside an organization. We're routing that work on a sophisticated rules engine, depending on how the business users are answering and providing data to us. We're automating things that happen on recurring time frequencies in there. And then we're providing some really nice visual appealing analytics, and reporting to get the insights out of that. And that's what we ultimately came up with LogicGate, and being able to use the consulting experience to create and pre-populate those templates so folks have a starting spot. But, then I'll empower them really. And, that's kind of our why is really digital empowerment, and being able to empower business users in the organization to use very easy enterprise grade technology to transform their organization, and transform their lives too. We really thought that we had something there.
KS: That's incredible. So, where were you at personally, when this light bulb moment happened? And, how did you pull the trigger, and decide to leave your comfortable position, and take a huge risk of starting a technology firm?
MK: Yep. Practically speaking I was in Jacksonville, Florida in a car with one of my co-founders, John, thinking about this, and bouncing these ideas off of each other, and then we looped in Dan to the conversation.
But non-practically, I was in a great spot. I was very quickly ascending at Navigant, and running a very large P&L, and had built out a practice. I spent a lot of time doing that, and a lot of energy doing that, and I got myself into a pretty cushy spot. But, really just saw that there was a huge, huge need in the marketplace for this. And frankly, took a bet, a very educated bet that the market wasn't very big, the market was ripe for a disruption perspective, because most of the technology is quite outdated, and quite antiquated, that a very new, modern, built on new and modern technology, and something called a graph database would really take off.
And, I think we've in a very short period of time kind of validated that thesis. And now are just working on building them, and scaling the team, and getting more brand awareness around what we're doing, and a lot of training and education to customers that GRC can be fairly easy to implement in organizations. Obviously change is always hard. But, if you make the technology very easy to understand for the business user in the first line of defense, that's a big part of it. I think we've got a lot of solid adoption from very large brand names down to very in a 50% mom and pops that need to be PCI compliant, or NIST compliant, or HIPAA compliant in there, and working on the [inaudible 00:14:06].
KS: Absolutely. Well obviously I'm on board. So, really glad that you decided to take the leap, and take the personal risk, and start the company. I think one of the things that is most interesting to me is the fact that this solution, this platform that you built is so applicable, no matter the size of the organization. It's an issue that is relevant to really small startup companies, and really big companies just like J.P. Morgan Chase.
MK: Yeah, totally. Our CRO has a saying that everyone is somewhere between ought to buy and means to buy a GRC platform in there, and obviously LogicGate is the one that he thinks is most applicable to that. But, it is. I think ultimately more and more risk and compliance issues are being brought to light. And, there's just obviously with data issues like GDPR, and the California Consumer Privacy Act, and all the things that are happening with Facebook. Frankly, I just think there's more transparency that the Board and Executives want, and the people to provide that transparency in organizations are the risk and compliance groups in there. So, there's a lot of tailwinds that we have at our back, and more and more cloud SaaS providers need to be SOC compliant. And, so how did they do that in a very easy, effective, efficient manner, right? And, technology is really an enabler to help them do that.
And that's really what we are. Ultimately at the end of the day we are subject matter experts on risk and compliance. We hire all of our customer success folks come from big consulting firms where they have already done many, many, many GRC implementations, and are subject matter experts on SOC requirements, and NIST compliance, and PCI compliance, and how to put together an enterprise risk management program. We're just using LogicGate as the vehicle from a technology perspective to make that much more effective, efficient, easier. But, ultimately I look at the company as risk and compliance subject matter experts with a technology wrapper around it.
KS: Absolutely. So, we have a mascot at this company. It's the goat. Some people think that stands for greatest of all time, but that's not actually how the goat came to be. Can you give me some insight into how the goat came to be?
MK: It's true. Although, I would like to say that we hopefully empower our customers to be the greatest of all time with LogicGate, and that is what the goat now stands for.
The origin of the goat though was Dan, our CTO, he actually coded out the entire MVP of the platform by himself. Extremely, extremely bright person. I mean honestly, I've never worked with a dev that's so intelligent. And, for whatever reason with what came into his mind every time the application boots up, he did some ASCII art, which is basically art in ones and zeros, and it is a giant picture of a goat in there. And, we're going through a program, and one of the teams next to us saw the boot up script, and they're like, "Oh my God! What is that?" And he goes like, "Oh, that's a goat." And he goes, "You guys are the goats." So, we happily took that name on, and it's kind of just evolved as the company mascot now. But, I have now evolved that into, we empower clients to be the greatest of all time.
KS: Love it. I love the goat, and we really do take the goat to heart on the team. I think we passed out goats at the RSA conference.
MK: We did. They were a huge hit. We passed out about 500 little stuffed goats that everyone very much enjoyed.
KS: That's great. So we're building a goat community, and hoping that you join us. So, just to round things out here, what's next? What do you envision for user community, for the platform, and for the company?
MK: Yeah. You know I think the ultimate vision is we want to be the number one player in the GRC market. And the way to do that is to make our customers and clients hyper successful by using our platform right is, how do we honestly advance our customers career, and the champions in those organizations that are using our platform? And, if by using our platform that evolves their career, and that gets them the higher points that they want to, ultimately I think we're going to win, right?
And, it's always just a customer centric view and focus that we have at the organization. And then everything else of where the company wants to get you in the heights that we can get to, I think that that is 100% achievable with the size of the market, and the fact that there is no real clear cut player in the GRC space, or IRM space right now. So, everything is focused on the customer. We take care of the customer, ultimately they're gonna take care of us, and ultimately LogicGate's going to be a huge success.
KS: Awesome. Thank you so much for joining me. On my next podcast episode I'm actually talking with Terry [inaudible 00:19:15] from Secure Risk Management. We're going to be focusing in on trends in small banking and what they're experiencing, and risk and compliance. So, this was great, great story and background in our experience in that space specifically.
MK: Awesome. Can't wait to tune in to listen to that.
KS: Great. Thank you.
MK: Thank you.