Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC
Welcome to Distilled Security Podcast. My name is Justin Liepline. I'm here with Joe and Rick, and welcome to our new studio here. Guys, what
Joe:do you
Justin:think about this?
Joe:Yeah. This is awesome.
Justin:Awesome. We got the headphones. We got the actual real mics instead of the things dangling off us. Yeah. So over the past couple of months, we've done a little bit of maturing.
Justin:Also, you should also see focus shots. We've upgraded from one to three cameras Yeah. Into this, as well as some controllers in the back, some monitoring, new desk. We're no longer sitting on a couch and falling asleep into this. The nice thing too with this desk and everything, we got this from pod shop or podpodcasttables.shop.
Justin:We'll put the link in the description and everything. But they're very modular. So once we have actual guests that come on
Rick:Oh, great.
Justin:On-site here, we'll be able to add one and kinda shift it around and all of sudden into this. Additionally, it gives us capabilities of doing remote people.
Rick:Oh, fantastic. So Yeah.
Justin:We'll be able to actually have remote people dial into this. We'll figure out what software to do that. Yeah. And then we'll have them up on the monitor, you know, as a conversation of us talking with them and have kinda overlays, you know, while we're talking, whether it's to them, to us, both on the same screen and everything. I'm excited for this.
Joe:No. This is good. Can I say that I I already missed the old space?
Justin:Oh, the old space? Yeah.
Joe:It's like You like your chair? Nostalgic.
Justin:Yeah. It it fits your butt cheeks, you know.
Rick:We'll we'll do these for a while, then maybe we'll have a throwback episode
Justin:Yeah.
Joe:Yeah. Upstairs. Right?
Justin:But yeah. And we're not quite done yet. We still have obviously, we got the traditional, you know, curtain still behind us. We're actually gonna be putting real wood panels that actually sound dampen right behind us. And then we're also gonna be putting a TV with our logo, you know, onto that.
Justin:Maybe we'll be able to share some stuff or something like that onto it. We'll we'll figure it out. You know?
Joe:Oh, that's awesome.
Rick:Super cool. Great.
Justin:Alright. Well, why don't we dive into the topics here? The first thing I want to talk about is what I call measuring to the score. So we've all been in consulting, you know, into this. How many companies have we seen that they are so obsessed about their annual, you know, assessment scoring that it's almost to a detriment to themselves?
Justin:You know?
Rick:Oh, yeah.
Justin:They track this, you know, every single year religiously. They were 2.5 today, so they need to be at 2.6 next year, you know, to be able to show that their CISO knows what they're doing. They can report up to the board and senior management, all this stuff. But is that really the best? You know, like, Rick, I think you had an example where, know, they weren't really reporting correctly Yeah.
Justin:Into that.
Rick:Yeah. I've seen a couple times where again, like, the score gives people sort of an easy way to deceive leadership in a way sometimes. And there's just so many problems that can naturally come up. I mean, I think the overall intent is good to simplify things down to still Metrics look to a single are good. And also like executive leadership often doesn't have time to consume all the detail behind the vast amount of work that's going on in a security program.
Rick:So saying, oh, it's a 2.8 or whatever that looks like and we should be a 4.7 or whatever those numbers are. That can be useful to demonstrate progress over time, where you are versus where you want to be, all that kind of stuff. So I think some of the objectives are good, but there's just like a ton of pitfalls along
Joe:the way. Yeah, I think it can definitely fail depending on how it's handled. What are some of the ways you guys have seen performance assessments result in a score? Like, what are the some of the scoring you're talking about a scale of, zero to five, like CMMI?
Justin:Yeah. That's probably most popular, you know, into that. I'm trying to think if there's
Rick:CSF has their, like, built in score now. Right? And it's, like, one to four.
Joe:With their their tiers? Yeah. Alignment tiers?
Justin:Yeah. And a lot of people at least, when we're at previous consulting, we'd add the zero into that.
Rick:Well, it was always debatable because, some clients were not very receptive to seeing a zero in any given area.
Justin:But one was like some assemblance of stuff. You know? And if they had zero stuff, it was like, but you're not even at a one yet.
Rick:Yeah. There's always some
Joe:debate. Yeah. And I'd say stay away from that from a scoring perspective that that those scoring in CSF for the one to four, that's really what you're aiming your program to be
Justin:at Right.
Joe:Not what you are. The other one I'm thinking about is with NIST 800-171, it's the SPRS score, which starts at, you know, 210, I believe, and then get down to a negative number. And what they do is they remove
Justin:Which makes so much sense to be in the US-based measurement. Right? You know, we got Fahrenheit. We got
Joe:Yeah. The point of it is is that it goes through and removes minus five points for a critical control for protecting CUI and minus three and then minus one for different levels. Mhmm. And that's a little bit more control based. Mhmm.
Joe:And then what you were talking about is a little bit more maturity based.
Rick:Right.
Joe:Okay.
Justin:Yeah. Yeah. So I think the question is, you know, like, we all agreed, like, measuring your program on maturity and continuing the growth and into that is not a bad thing. But the perception of it and how you kinda get entranced into, like, I have to get this score Right. No matter what.
Justin:Right. And not recognizing potential fails, you know, into that. Like, why don't you bring it like, you you're talking about a company you worked with that you went in to help them. They were at a score, but they weren't at that score.
Rick:Actually happened a couple times now where we just sort of had to reset perceived maturity levels.
Joe:Yeah.
Rick:One once we came in and and said, oh, yeah, due to a bunch of different reasons, either people that you paid before or either internally or externally maybe gave you a bit of extra optimism when they were reporting or sometimes a lot of extra optimism.
Justin:And
Rick:resetting that stuff's hard, right? Because it'll get baked into vendor or customer responses, for instance. If the organization you're working with has clients that want to assess them against things, right? All those either falsities, even if it's not tied to a score, just things where the scope was carved off in a very specific way. I've seen instances a couple of times now where there's actually one in a prior organization I worked with.
Rick:It's kind of legendary with some people that I work closely with now, where the question from a client assessment was, oh yeah, do you have MFA? Now that spirit of that control is, do all the people that work on this account have to use multi factor authentication to access the systems associated with blah blah blah. And the person in charge before we kind of made some changes always responded yes. And when we came and said, okay, well, how are we doing that? Because I wasn't aware that we had MFA in this way.
Rick:He was like, oh, no, like two people have MFA, so we have MFA. And I, well, that's not at all what the questions ask. Right?
Justin:That sounds like a very lawyerly answer into that.
Rick:But it matters, right? I mean, whenever we're like talking about compliance frameworks and all that stuff, right? Do you do you respond based on the spirit of what's being respond based on the letter of what's being asked? Sometimes the audience matters, is this a regulator or is this for internal maturity purposes? I mean, there's a whole bunch of stuff and all of a sudden if you say, yes, we have MFA to, you know, in one context but no in another, well now leadership's really confused.
Justin:Yeah.
Rick:Yeah, there's just a lot of problems and then you roll all that up into an individual score. And those scores, another challenge what it can be. Mean, how frequently do these frameworks actually update themselves?
Justin:They're regular.
Rick:And how often does the actual environment get more difficult to contend against? Every single day.
Joe:Right. And so I'm hearing some confusion in several areas. One is, is that the whim of the auditor, whim of the assessor, but also it's, you know, I can get behind a maturity scoring, but what does it mean to do a maturity scoring? It means to to me, it means to take a look at how mature your processes are and how well your processes function. So that they're meeting the objectives of your program.
Joe:But what I'm hearing, if you're talking about a control, now you're not talking about how mature the process is, you're talking about a binary item. Is it control on or off in MFA? Well, for the scope of those two people, well, yeah, sure, they But they met I like to look at it as what is the magnitude of what you're trying to look at, and are you tall enough to ride this ride? And so when you look
Justin:at it from the material part scoping as well.
Joe:Yeah. Scoping. Yeah. And then getting clear understanding of what that means. And so Yep.
Joe:When you're taking a look at the processes, and you look at these, like, the CMM style zero means I have no idea what's even supposed to do this. Didn't even know what was it You
Justin:can't sell MFA.
Joe:Right. And and then all the way up through, you know, one is you you kinda know about it. Two is you're doing it ad hoc. Three is you got some kind of measuring. Four is your Managed.
Joe:Know, managed, and then five optimized. And and what does that mean to me? Five means that you built self correcting processes. Yep. So if something breaks, somebody, something is gonna go and kind of fix that.
Joe:And that's good for the process. So what I would think would be important, let's use MFA, keep going with that. What is how mature is our process to ensure that MFA is active everywhere we require it inside of our scope. And so that adds a lot of nuance to it. And I would bet that most that if you go ask five different assessors, you're gonna get five different answers how you're gonna measure that and five different grades, right?
Rick:Yeah, totally agree. I mean, it's part of why too. I mean, I've seen organizations go. I'm sure you guys have too, where they'll go auditor shopping, right?
Justin:Yeah.
Rick:Again, because some people might grade hard, some people might grade a little easier. I think a lot of leadership by default often assumes that audits and reviews and assessments are very black and white. If you've done the work a little bit, you would know, like, how subjective and and and how much great rubric. There
Justin:Yeah. Yeah. Well, I mean, I think there's multiple good points into that. One, I think coming into auditor shopping, I think that's a cultural perception of how security should actually function or not, you know, type of thing. If you're auditor shopping, you're not looking for the best to help you to get to where you need to go.
Justin:You're looking for a specific output Oh, yeah. Yep. Yep. And so first off, you need to get the right leadership in security that have that idea that external auditors are just gonna help you point out the flaws in your program to continue to mature, you know, into that and then keep growing into that. You know?
Justin:I think that's first.
Joe:Yeah.
Justin:Second, I like what you point out is I think you need to talk the same measuring card, you know, like, what accounts are we talking about? What scope of systems are we talking about for this? And can we say yes to all that, you know, or not? You know? If we're just saying MFA, you know, and then you get to your example, it's like, oh, yeah.
Justin:There's two accounts that have MFA for this one application. Or I was just reading, I think I'm gonna be doing a LinkedIn post. New York DFS, you know, they have their, reg 500, you know, five for financial insurance companies. They just fined somebody $2,000,000, for, having a breach through a phishing attack and everything. But really, the crux of it, they cite them for multiple things.
Justin:Mhmm. One, not reporting on time, some other, like, stuff. But they've been filing for years and saying they have MFA. And And they didn't? They didn't have a A new on MFA.
Justin:And this is self reporting. You know? It's not an extra auditor, you know, into that. But, again, somebody was checking the box, you know, saying we have MFA. So what led them to say, based on this, based on what we're thinking, did they think like, oh, we only have one financial system in scope, and it has MFA, and that's it?
Joe:And, you probably the same person.
Justin:Those two people are. Right?
Rick:But it actually brings up a
Justin:Small world.
Joe:We all know.
Rick:Yeah. It brings up another point that though is super insidious, I think when you start distilling it all down to a single score that
Joe:Oh, is
Justin:what I did there?
Rick:When you do that though, you end up in a place that naturally can incentivize people to not reflect how the business has changed over the course of the past period. Make it maybe just say it's a year or something, right? So the organization, I'm not saying this is what happened. I don't even know what organization it was because I haven't read up on that article yet. But I I can definitely see a scenario where someone was fully compliant.
Rick:Right? And then that organization goes through a merger or an acquisition. Right? Fast forward, you know, nine months after the assessment. Okay.
Rick:Well, it's only been three months. So we're not gonna report that we don't have MFA. We still do for the things they care about. And then another year goes by. And then another year goes
Justin:by. Yeah. But this is over their email system. And I took it at I mean, it's probably over Microsoft.
Rick:I'm not saying that specific example. I guess the larger point being the business is changing, the external environment is changing. Sometimes the partners that you're working with are changing or the tools that you're working with are changing. All this stuff is changing. Your controls do change, but if you're like aligned to a framework, they're changing less frequently.
Rick:And there can even if you backslide, there can be incentives. Mean, one of the me personally, I think one of the worst things you can do is incentivize security or compliance leaders to hit certain scores for exactly this reason. But it can make it can incentivize people because they don't want to have those hard conversations to say, yeah, well, we didn't get worse. It's just the stuff around me changed and now we're not as far ahead. And so do I really deserve a lower score for that?
Rick:And again, it's
Justin:Or gonna maybe you shouldn't have a cumulative number. Like, if you're talking about like Right. Merger acquisition Why is penalizing what we already had built up?
Joe:Right. Scope change.
Justin:Yeah. Exactly.
Rick:But even the word that you just said there, penalizing. Right? By default, a lower score, like all of us as security professionals just assume it's gonna be penalized. Right. Right?
Rick:Like
Justin:Yeah. Because we don't wanna see it go up and to the left, you know?
Rick:Yeah. Yeah. Yeah. And that's I think there's a lot Right.
Justin:To the left. Wow. Whatever. Growing.
Rick:Yeah. Getting better. Improving. But I think there's a lot of cultural stuff there and being able to accept bad news and sometimes just celebrate the fact that the bad news is visible
Justin:Yeah. Yeah.
Rick:Is a huge thing that you can do.
Justin:Well and I think this comes down to it. You I like the the word you use, incentivize. Mhmm. Because the people that got this fine from DFS, they're incentivized to report everything's okay.
Rick:Right.
Justin:You know, they're reporting up to a regulator saying everything's okay. Mhmm. You know, with people with scoring, you know, that are locked into something, they're incentivized for a continuous improvement, you know, into that. Even though, as we know, security doesn't have a lot of operational ability. We don't have the control to apply the patches.
Justin:You know? All we can do is scream about it, you know, in most cases. So, like, in this case, like, why are we looking at this from a penalization standpoint? If it truly falls, it's not really on us if we've reported it accurately. You know?
Joe:Oh, yeah. I totally agree. And I look at it from more of a risk based approach because I think when I talk to people, I'm hoping to train them, give them a way to think about things, so that you first wanna sit back and say, well, what's our architecture? And what are the controls we need to have? And are those things working or not?
Joe:And if they're not working, then what is the risk of, that control failure or that control degradation?
Justin:Mhmm.
Joe:And then at that point, it's, you know, how do I get leadership to be on board with? Is this an acceptable situation or is this one we wanna go and apply some mitigation to?
Justin:Right.
Joe:And as we take it through that, the process to do that, I think that's where it'd be great to get scored on because it's what is our ability to find non conformities in our system? What's our ability to properly measure the risk that that non conformity creates for us? And then what's our ability to go and get leadership to actually pay attention enough to the conversation, so they can weigh in on, is that an acceptable risk? Is it an appetite? You know, is it beyond tolerance?
Joe:What is it? And so it comes back to I've been keeping a little list here of the things that become issues. And it's now I'm adding another one is what are we scoring specifically that make up the area? Is it a control like MFA? Is it a whole category of the CSF or is it just a function?
Joe:What are we scoring? What do you guys see people scoring when when you're seeing these kind of measurement assessments?
Justin:What do you mean by that?
Joe:What makes up an assessment that gets scored? Like, what exactly are they scoring in their program?
Justin:Yeah. I mean, the scoring most popular is NIST CSF. You know? I mean, you brought up 171. I don't have a ton of experience with that.
Justin:You know? I'm familiar with that score that it's kinda whackadoodle. You know? Well, it's a it's
Joe:a control based. It's it's basically two of the things.
Justin:I'm talking about the range.
Joe:Oh, no. Sure.
Justin:Very weird, you know, to me.
Joe:Yeah. And it's a weird normalization of it as well. But the difference there is that's
Justin:It's like the
Joe:SAT scores. Yeah. Exactly. It's looking at your controls versus looking at how mature you are.
Justin:Right.
Joe:Right. You can have all your controls in place, and you can still have a CMM score of one to not very high. And there's a ton of room to move that needle on how efficient we are, how well does this process function. Mhmm. And one of the things I think I heard, one of the big research analyst firms say a long time ago is that maturity is a way to approximate or a proxy for how well your security program is functioning.
Joe:And so when you're looking at a program's function, you're looking at back to the processes. I keep going back to versus do you have all the controls in place? One of the processes I like to see is do you have a good process to do a risk assessment that helps you select the right controls? You know, and so you kind of keep going there.
Rick:Yeah. It's funny. I think I I frame this in pretty much the exact same way as you. I use slightly different language when I think about it internally because there's like the control itself, like the things that you're doing to achieve a specific objective, right? And then there are these, I think what you're calling processes, right?
Rick:Which is the overlays that keep those controls healthy over time that make that there's reporting stuff. So there's sort of these very specific things like do I have MFA? And then there's these more general things like do I have support to tell someone if MFA is not in place or any other controls not in place?
Justin:Where does it go?
Rick:Yeah, all that stuff. So like escalation stuff all of that. So I definitely agree. And to your question before, Joe, I typically see most often people scoring individual controls or kind of like mini objectives often. And they'll give each of those a score.
Rick:And then they'll do some sort of thing which is wildly inconsistent from assessor to assessor, which is either average those out or do a weighted average or something like that to then roll that up to typically like a domain, like all of identity as a for instance. And then that rolls up again, right, into an overall score. But then there's also like, if you're a math nerd, you know how much danger there is in averaging weighted averages and how that can get super wonky. And you can end up in areas where and again, it just generates so much noise and confusion with leadership. Can go, hey, we have a score of 3.2 and there are 30 controls that we need to fix and we can fix 25 of them by the end of the year.
Rick:And then leadership goes, oh, great. Then our score is gonna go to like 4.8, right? And you go, well, no, our score is gonna go up like 0.05%. Well, why? Well, because those are all the easy ones and so they're low weight and all that stuff.
Rick:You know, like, there's just all sorts of stuff that goes
Justin:Like the CIS tiers and everything? Yeah.
Joe:Yeah. Yeah. Well, I like that idea because those are control based. So if we say we're gonna get put in we're gonna go and get all the IG twos in place Mhmm. And we're gonna start on the IG threes, and you then would say, oh, was that gonna take our CMM score from like a 3.5 to a 3.6?
Joe:No, actually it's gonna drop down to a 2.8. Why? Well, because we just added all these new controls, which means we have new processes. And when's the last time you saw a new process implemented around here that actually functioned Yeah, efficiently and
Rick:that's exactly it.
Joe:So it's actually gonna degrade our score to do that. And also reminds me a lot of the conversations, I just was at this the local Pittsburgh CISA information sharing group, and one of the questions that came out for a presentation I was giving last Tuesday was all around well, we put in the new SIEM, and we put in our new monitoring controls
Rick:Yep. And everybody thought our security just got worse. Reporting bias
Joe:Right. Is yeah. And it's no. That was already bad. We just didn't realize how bad it was because we didn't have the tools in place to figure that out.
Joe:And so now what we have is more metrics, more visibility. And now that we have this telemetry of what's actually happening, we can now go fix it. So our situation can certainly improve, but we didn't get worse.
Rick:We were already We were already assuming the same amount of risk. We just know more about it now and we're being more honest about it. Exactly. Yeah. And that's a thing that should be celebrated typically.
Rick:But culturally, it's difficult to
Joe:So I was asking how you handle that. And I can tell what I said. But what what so how do you prep the org when you're gonna put a new tool in? When you
Rick:put a new tool in. So I I think there's a couple things. But I mean, first and foremost, I don't know. I can't even have this conversation without saying all the disclaimers like, okay, well, it just a tool or is it a tool with the right staffing and the right people and all these other things that can go wrong, right? I think assuming you have all the resources you need, I mean, as you're having the purchasing conversations, the RFP conversations, my expectation is that the people around me or me, I will be telling leadership, okay, well, is what it's gonna do for us.
Rick:And, oh, we might not love the things that we see out of it right away, but it's gonna give us the ability to react to things that are already occurring that we just don't know about.
Joe:Yeah. It's highly in line with what I answered as well. I wanna ask that question. And it's gotta if you just go and put that in place and then start updating your metrics, and you didn't do any communication, what that's gonna do that you're gonna you anticipate expecting to see more. And this is a difference between and so that conversation led to another one, which is why do some people get themselves into that situation?
Joe:It's because, well, I think I got myself in that situation once because I didn't have the experience I have the day of having been in that situation. And because I was in it, and I made the reporting, and then I had to spend the next ten days explaining why it made sense. I was thinking how much simpler would have been to spend two days months before making Setting expectations. The purchase, like you said. Doing all the expectation setting, getting it there.
Joe:And then when we hit to that point, and I can say, yes, I am now going to measure back to measurement. I'm gonna now measure our effectiveness of this new tool implementation. Mhmm. And as I predicted, I was I was right, or maybe I was somewhat right, that our intel have now shown us that we have this many more problems than we would have had. So it spiked 20% the first week and we tuned it and then actually spiked a little bit more.
Joe:That's expected. And that tracks to exactly what I told you all three months ago when we approved the purchase and we went to buy this thing.
Rick:Absolutely. And let's be honest, and I'll preface this too. If you're a CEO or a COO, earmuffs. Just fast forward thirty seconds, don't listen to this part. But if you're a security leader, there's a level of strategic sandbagging here as well. Because look, what you want to do is you want to set the stage for your team being able to knock it out of the park once they're provided with the information that they have, right?
Rick:So, oh yeah, we haven't been scanning this pocket of the environment for vulnerabilities. Okay, well what's that mean? Well, it means we're going to see a ridiculous amount of vulnerabilities on day one and we're gonna have so much work to do. Well, what's that mean? Well, okay, look, we're gonna knock them out in this order.
Rick:We're gonna start with criticals or the scary things or all the stuff. And if you set the stage appropriately, you can you're then setting yourself up to have all those success conversations down the road. You go in week one, hey, you know how I told you would be bad? Oh my goodness. It was even worse than we thought it would be, but we were able to fix this much just like we thought and da da da da da.
Rick:And if you don't do that, exactly to your point before, like, it's just like, well, we just put in this system. What do you mean we have like 3,000 high vulnerabilities? It's like, well, you've kind of seeded the conversation incorrectly. What you should have done is started with, hey, it's gonna be bad. We're gonna kill the crits first.
Rick:Oh, and then you can have the conversation. Hey. We got rid of, you know, 200 criticals in the first week or whatever that looks like.
Justin:Yeah. Or maybe not just focusing on, like, focusing on OS first patches, you know, something like that. Whatever. And then getting into third party, you know, apps or something like that.
Rick:Yeah. Yeah.
Justin:Might be on there.
Rick:Yeah. Whatever the right whatever the right prioritization stack is for the tool that you're implementing.
Justin:Yeah.
Rick:Yeah. Yeah. But anyway, scores can be dangerous, man. And and it's like you don't you need to represent reality. You don't wanna like teach to the test or like score to the test basically.
Joe:Well, before we jump into like what kind of takeaways people might want to be able to use based on, you know, the lessons we've learned the hard way, anything else we need to what else do you wanna talk about with us?
Justin:So you're talking about takeaways. Yeah. Yeah. So I think, you know, we talked about, like, getting a good mindset or perception. Like, set the table off Yeah.
Justin:You know, into this. You know? Tell how you're gonna be utilizing these metrics and that, you have a good strategy on doing scoping and additional scopes into that and communicate that methodology well with the metrics, you know, into it. So it's well aligned. It's not just a if you do do, you know, some type of accumulative type score or something like that, you know all the details behind it so that if anybody asks you, here's how we arrived at that, you know, and here's how we're measuring it.
Justin:Here's how we separate out our business units. We report all those to each one of the ELAs or whatever it may be. I think being very upfront on and putting a lot of thought on how you come to it, you know, provides a lot of, good graces, you know Yeah. To that. Not just saying, here's a score.
Justin:Next year will be better. You know?
Joe:Just publish a score on the board report and then walk away. Yeah. You probably need the, the appendix that explains how you got there.
Justin:Here's that.
Joe:And I think the biggest disclaimer is saying, look. This is gonna be very subjective.
Rick:Mhmm.
Joe:Mhmm. And it's all based on the rubric.
Rick:Yeah. And I love the thing that you said a little bit earlier in terms of the score is an approximation, right? And I think reminding people that the score is an approximation of where the program is, it's not exactly where the program is, first and foremost. And second of all, remember the mission is to make sure risk is in alignment with risk tolerance and resources. And so if you move from like a 3.6 to a 3.5, that might still be super acceptable.
Rick:Because maybe you purchased a giant company and your controls backslid a little bit, but you're still well within risk tolerance and you didn't want to invest the $3,000,000,000 it would take to get them up to speed. Like that could be super fine. But you need to make sure that's sort of woven into the conversation. I think what you said about the score being an approximation is a really good start with leadership to have
Joe:a of
Justin:Or there could be like good projects already aligned to why, you know, it's not there yet. You know? Like, hey, we're, you know, merging our IAM solutions together. Mhmm. That's gonna take a little bit, you know, to do it right.
Justin:So, yeah, I think just coming out of the gate and be like, nope. It's, you know, degradation that's bad.
Rick:Yeah. This is where we wanna be.
Justin:You wanna explain the ebbs and flows of, you know, how are you getting that stuff. And honestly, I mean, we didn't talk about this too much. It should be as real time as possible. Oftentimes, there's a lot of controls that might prevent you from, like, measuring frequently. But if you can get more of a integrated system where you're pulling controls automatically and looking at the baselines of what you already decide as this is our, you know, measurement stick into that, like a lot of cloud providers, you can get a lot of that real time and, you know, it's constantly changing at that point, you know.
Joe:Yeah. That that brings up a how do you create a proxy for the control measurement, but make it in terms of the maturity of the process that allows that control to operate appropriately. So if you were just going and scoring your controls, are they working, are they not, are they on all the systems, are they not, and figuring out how you put that in place. But then the other part that we're not talking about, like think of the ISO 27001, the processes 4 through 10, and you're going through those clauses. And you look at it and you're like, well, one of the clauses is we do an internal audit every year.
Joe:So you might do an internal audit, but how mature is your internal audit? And how do you measure that as a control in some of these systems? Like, you have to feed it enough information. It comes back to the rubric, I think.
Justin:Yeah. It does. Yeah. And I've seen bad internal audits. I've seen, somebody actually going through ISO.
Justin:They it was literally, like, a two day, like, Zoom meeting that they had. Mhmm. You know? And check internal
Joe:Internal audit. Yeah. And one of the advices I this might be a takeaway for anybody listening is if you're going to do an ISO 27001 certification, you're gonna have your external audit. The best advice I got from somebody who's, an auditor said, I always recommend he said he always recommends that the internal audit time be about double the time of your internal audit of your external audit. So do your internal audit about twice as long as your external audit.
Joe:So if you're going to and the way they use the one another ISO standard to measure how long it should take an hours for their audit.
Rick:Yeah.
Joe:That's how they figure out what the price is and for everything like that. And when that happens, now they say, alright, well, this is gonna be a three and a half day audit because of all these items. Right. And so he he said, I would come in and do a seven I'd recommend investing in a seven day internal audit because you wanna have twice as much chance of me finding it during internal audit as the external auditor will have when they're here for their, limited time.
Rick:Yeah. That's cool. Like that. Well, and Justin, to your point about sort of reporting early and often and and keeping your eye on things as in as much of a continuous audit as possible. One thing I'd recommend everyone think about if you're running an internal program is look at SaaS providers trust portals and see if you could build an internal trust portal.
Rick:Even if it's just conceptual and you're not going to put a thing on the web somewhere or it's a SharePoint site or whatever, think about how they have the content organized, the types of things they cover, all that stuff. It's usually a really good the good providers.
Justin:So you're talking about more in context, like, giving the information. Yeah. Absolutely. Yeah. Yeah.
Justin:Because there's also trust portals out there that have the little checkbox. They're like
Rick:Oh, no. I checked this
Justin:fifteen minutes ago, and they still have a policy.
Rick:Yeah. Not I mean, look, if if you can
Justin:Like a.
Rick:If you can automate your controls to run every 15 minutes and automatically, you know, reflect that on an internal website like power to you.
Justin:Yeah.
Rick:But I think, you know, maybe start slow.
Joe:Yeah. Actually, this might be the save for our our third conversation, but just kind of getting into that a little bit is some of the compliance automation tools, they're actually pulling that stuff nearly near real time.
Rick:Right.
Joe:And they're taking a look to see what exactly you you have in place and giving you kind of that internal score. They even come with a trust portal that
Justin:Yep.
Joe:Yeah. Have an internal, that can be used for you don't have to publish it externally until you're ready, but you can certainly show everybody that internally. So Yeah. Well to jump ahead.
Justin:What I like about, like, a lot of those portals and everything, they give you a place to share your attestations that you're sharing out, whether it's self attestation like a star or something like that or full blown ISO or whatever it may be. Like, it's just a nice little added, like, you know, nice little portal like, hey. We're coming here for your security. You know? Prove to me that you're secure.
Justin:Right. Great. So do we do lessons learned?
Joe:I think the high levels I'm thinking about is just to, think about the things you gotta keep in mind when you're doing this. What are the scope changes? You're gonna have the whim of the auditor, you're gonna have the whim of the assessor, you're gonna have assessors and auditors changing who are giving you these scores. You might have, people have their you said this, they're incented to do certain things, so their bonuses might be based on keeping or maintaining a certain score. And really, it's just understanding what are you actually measuring and how are you measuring it.
Joe:So you put all those things together, you get to a point where these are all the moving parts. And how do you make sure that who the audience for these scores understand that there's a little bit more to it? They don't need to know all these things, because they're not gonna really care about all those details. But you probably need to communicate, look, there's some subjectivity here. Yeah.
Joe:And we have these items, and if we do this again, we may end up be doing it a little bit different. Yeah.
Rick:I love that.
Justin:Great. Alright. So segue into this. One of the things I wanna talk about here is board of directors. Mhmm.
Justin:There's been some discussion, especially last year when the SEC man mandated it that they have cybersecurity experience, but then kinda withdrew it. You know? It was like, well, that that's still good, but we're not gonna mandate it anymore. The question comes down to, is that good or not, you know, type of thing. And I think it's relevant for a lot of these metrics because we were talking about, like, hey.
Justin:If you're under the guise that you're a good score, good good score, you know, type of thing, and you're throwing it up to the board and they have no questions, you know, the cricket sign, it's like, oh, yeah. That's a 3.6. Yeah.
Rick:That's fine.
Justin:That's that seems good. That's what our peers are doing. Right? You know? Right.
Joe:Oh, yeah. That's horrible. I think one of the things you heard is, is it unrealistic or just another checkbox? And I was you made me think about that for a little while. And so as we're thinking about the role of, you know, having a cybersecurity knowledgeable person as a board member, you know, is it unrealistic and could it just be in their checkbox?
Joe:Well, I think it could be both unrealistic to do it and it could be just in their checkbox if it's done wrong. Damn. So if you're not managing it correctly, I'm sure that's what could happen. And I think that will actually be a bigger disservice to people than to organizations than actually having somebody on there who is knowledgeable and and can really guide the organization.
Rick:The illusion of that's interesting. The illusion of expertise yeah. Could be more damaging than Oh, that's a good thought.
Joe:Well, the illusion of the expertise will then result in a false sense of security by the rest of the board members. Yeah. Because I'll tell you what, I'm on a board of directors for a non for a nonprofit and the expertise I bring to that is just trying to ask the right questions, see if they're doing the things that I would expect to see. Right. And then when they go around the room and other people talk, you have an expert in real estate, expert in finance, I'm not.
Joe:And so I gotta trust that when they're saying we're doing all the right things, that's happening.
Rick:Mhmm.
Joe:And so when I speak up and I say, I think that their MSP and MSSP selection makes sense based on the scope of the organization.
Justin:Right.
Joe:I've actually took took some time and looked into it, and I've talked to them and I understand what they're doing, and that all makes sense. And so I'll bring that perspective. Now if you have somebody who maybe I've seen this. You've seen kind of unrelated to the board positions, but IT directors also be given the responsibility for security, but not have a lot of background or training on security.
Rick:Right.
Joe:And so they're gonna speak from what they know. But
Rick:But it's operational and not security And not comprehensive.
Justin:Well and that's a good question with this. There's not an IT requirement on the board directors. Right? IT experience?
Joe:There isn't. There's been discussions of should there be or should they have it so much
Justin:There's finance. There's audit.
Joe:But there's not an IT Right. Committee. There's a audit committee.
Justin:Right. There's audit, and then there's one over the numbers, financials Yeah. You know, and everything. But that, I think, is the only requirements, right, you know, from a board director's perspective.
Rick:Yeah. Yeah. I think that's right.
Justin:So it it's just interesting to me, like, like, I I I'm asking it, you know, facetiously. You know, it's like, why is security getting picked on, you know, into that? You know? Like, if you don't have somebody dedicated to IT, you know, then
Rick:Oh, like, why is that okay?
Justin:Yeah. Exactly. You know, type of thing. You know, why would security be a mandated thing if you don't even have some of the capabilities of understanding your tech stack and strategy going forward into there, you know, type of thing. Right.
Justin:I I don't know. That's just like I I get it. I get why there's a push, you know, for that. But at the same time, I'm like, well, you know, why aren't others mandated? Right.
Rick:That's that's my feeling as well.
Justin:And where does this stop?
Rick:Right. Adding just cybersecurity feels inconsistent with respect to all the skill sets that perhaps could support. Mhmm. I get why you'd I could see why it was brought up in the way that it was because there are so many cybersecurity failings and failure to disclose things that could be material and so on and so forth. And I think good faith arguments around, how material are cybersecurity issues sometimes anyway, right?
Rick:But but ultimately, agree with you. I think if they were gonna add cybersecurity as a requirement, you'd probably need to add a couple more as well. Yeah.
Joe:Yeah. So I'll argue against my own thoughts here a little bit is that and I'll argue for why maybe the IT thing should be there Mhmm. Even though I I truly support and I'll talk about why I do later that cybersecurity should be a function of the board. But why not IT? Well, let's take a look.
Joe:What were some of the big breaches, and why do they happen? Did they happen because some security person didn't put a GRC policy in place? Or did it happen because a technical control managed by an IT person in an IT environment wasn't patched in time, and a lot of security teams do not handle the patching. The IT department will handle the patching. So what was the big won't talk about specifics, but there was a big credit union, right, several years ago.
Justin:Yep. Yep.
Joe:And they knew about a vulnerability in their DMZ, and they had it prioritized on their list to come soon, but not soon enough apparently. And that ended up being the breach. Mhmm. Well, was the security person the one who was gonna go and actually do the change and put it through the change review and click all the buttons in order to apply the patch? No.
Joe:It was the IT person that were So gonna do to your point, why isn't IT on there? Because if you look at the security breaches, it was because somebody in IT maybe didn't do the thing they were supposed to do.
Justin:Oh, yeah.
Rick:Well, easy add to that line of thought is just availability as a concept. Very rarely are the security people running the backups or implementing the high availability architectures or things like that. That's all IT. Availability absolutely can cause material financial distress both from a reporting perspective or failure to report and from a just, oh, the system's not there when it should be during the highest sales volume time of the year. Like, that's a problem.
Rick:So I mean, yeah, I get it. But that but that's exactly my point. If you were gonna add security, I think you need to add a couple others. I mean, sales sales being another one. Right?
Rick:I mean
Justin:I guess they'd look at it from it's more from a protection of the company, not whether you're growing or not, you know, into that.
Rick:Well, I mean
Justin:So if you have a, you know, terrible IT strategy of, you know, doing that and it's very wasteful, oh, okay. You know? And you're just gonna waste money. Or a sales thing, like, if you're not pulling in revenue from all the available channels or doing a good customer outreach strategy or something like that, like
Rick:I could argue no no sales like, sales as a function
Justin:of protecting companies. You, you know, type of thing. But, like, again But where does it stop? And and that's Yeah.
Rick:I agree. The one
Joe:is negligence and the other is just not being good at selling your stuff.
Justin:Yeah. That's what I'm that's what I'm talking about.
Rick:Like And this isn't negligent. Well, right. But you could make the same argument from a security perspective, I think to an extent. I mean, is a difference between a good faith security program put together by someone who just isn't necessarily prioritizing things the way I would prioritize them versus, which I think is good, versus someone who just is being truly negligent because they don't care about anything and they just don't know anything. Like, there's
Justin:and
Rick:and motive is hard.
Justin:Well, and that's where all the layers are built into this, you know, structure and everything from the audit committee to GRC and all that stuff. Like, hopefully, one negligent person doesn't bring down
Rick:the system. Right.
Justin:Right. You know, type of thing. That there's enough checks and balances that Yeah. People are like, no. No.
Justin:No. That that's that's wrong Yeah. You know, type of thing. And, Joe, I wanna play a little devil's advocate against you here. Like, you mentioned security should be a function.
Justin:Would it not fit well under audit? Under the audit committee's purview?
Joe:So I don't think of those as two mutually different things because the audit committee usually has directors on the the directors on the board who are on the primary board, but also would be assigned to committees. Right. So I'm assigned to the governance committee, at the board I'm on, and then somebody else is on other committees. And the audit committee, so that same person who's representing it, or you might have multiple people. I think it truly makes sense that the cybersecurity expertise person would join these subcommittees on the board.
Joe:And that would make sense. And then who reports into that audit committee, In some companies I've talked to, the only exposure the director of security or CISO has to the board is through the audit committee. And so they get to talk there, and then maybe once in a while they can be invited in to talk to the whole board. And so I don't think that's mutually exclusive, and I I agree that it should they should be at least influencing Yeah.
Justin:So you're talking about the person with that role there reporting in the audit committee. I was talking about more from like, can they just have audit as a background, you know, type of thing. You know?
Joe:Oh, should they only have audit as background? I would say no. That wouldn't qualify for having the cybersecurity expertise
Justin:Broad on the and at least with Sarbanes-Oxley, it's first finance. You know? Like, it was very finance forward. You know? Even though there's IT general controls, they're pretty light, you know, to what they cover.
Justin:And until they expand out like, I've worked with companies that have then created their own IT audit department, and then Oh, yeah. They start looking at other aspects of the organization on effectiveness of security and monitoring and all that stuff, which is great, you know, out of that. But by default, it's usually very finance focused.
Rick:But so Joe, I I think I heard you say earlier before you said you were gonna argue against yourself that you thought the cybersecurity representation being a requirement was a good idea. Did I hear that right?
Joe:I do think so.
Rick:And like what were your thoughts on that?
Joe:Well, I think the intent is good. And if you think back, there's two different groups out in industry that are saying this should happen. One is Digital Directors Network, DDN. And the other one is the National Association of Corporate Directors, NACD. And if you look at the NACD studies, and you all probably read this, there's a
Justin:I read them all the time.
Joe:I'm sure you do. I'm sure you do. That's how I stay awake at night. And they did a in cooperation, I think with SCI at CMU. Okay.
Joe:A 70 or 80 page pamphlet for cybersecurity advice or guidance for boards of directors. So the NACD has that, and it's an actual free document. And what it does is it has these six principles that talk about what boards of directors should know when it comes to cybersecurity, and how to guide into that. One of their recommendations is for both those two organizations, that they do have somebody knowledgeable. And they both put out materials that help boards understand, what should they know and what should they be focused on?
Joe:And at least on the NACD side, it's a lot of free guidance. So I recommend that anybody out there who needs a report to the board, understands what that document is. Go create a free account on NACD and and get that document.
Justin:You have to create an account?
Joe:I think you had to at one point. And once you get that that document, go through it. Look at it, and then talk to what's the natural way you're gonna get to the board? Well, probably like we said, through the audit committee. So talk to them, talk to the head of internal audit who probably gets a big say in what's happening at the board level, what's gonna be communicated to the CFO, and say these are the things.
Joe:So find out who your champions are for this, so that when you're reporting to the board, you're actually knowing what the boards are being told are their responsibility levels. And if you are on a board of directors, and you look around the room, and you don't see somebody from a that has a cyber expertise, go and the document, take a look at it, and see if they can help you understand what others think the responsibilities are for. I'm not saying a single director on the board, but collectively that board has a responsibility to cybersecurity. And so they wanna make sure that stuff is those functions are happening appropriately, and they'll give some background into it.
Rick:So is your note that because this guidance suggests it's a good idea, it's a good idea? Or was there additional think I thought you were gonna talk a little bit about why you thought it was a good idea to enforce.
Joe:And so why do I think it makes sense is, well, as boards are, I'll just go from my experience of what I get insight to. So when I'm hearing the president of the organization and others talk about what their plans are, and what their risks are, and who's gonna do this stuff, then I can start to ask questions. Well, how are you handling? And then just take all the functions that we always talk about every How are you handling awareness? How are you handling good design?
Joe:Who internally is looking at this? And really it's just kind of break down through those areas, but keep it at a high level. Keep it as just trying to figure out what's actually happening. What investments are you making this year? When's the last time you had an assessment of any kind, a maturity assessment, or risk assessment?
Joe:How was that being scored? How is that being communicated? So we just got to go through all those things and ask those questions over time. And if you don't have somebody on the board who understands what's the background of asking those questions, and what a right or wrong answer is, And this is probably getting to the real point. The being able to hear somebody come and report to the board, and understand whether you're hearing the right answer, hearing an answer that has any sense, or if you start hearing answers and you're like, wow, I've been
Justin:doing This this sales an answer where he talks for five minutes and just circles.
Rick:No, I love that. I think I'm hearing two things. So one is being able to having someone on the board who can actually challenge the information flowing upwards as another layer. I think that makes a ton of sense because it is often highly technical as we had in our prior conversation, highly nuanced in terms of what's that score mean? How do we get to that score?
Rick:That totally makes sense. And I think the other thing that I heard was having someone at the board that could potentially challenge other strategic directions that other board members might wanna take. Right? In terms of saying, oh, we wanna accelerate this or that or we wanna do this or that. Have we thought about cybersecurity as the cybersecurity's perspective as we go down these strategic Expand
Justin:in China.
Rick:Right. All those kinds of things. Think that makes
Joe:sense. In your organization and a common question could be, well, in the organization is looking at the risk of that decision internally?
Rick:Right.
Joe:And what have they concluded, and what do I need to know before the board will approve the budget that supports that?
Rick:Exactly right. Yeah. Yeah. That makes a ton of sense.
Justin:Yeah. Because if you're not seeing line items in there, including considerations into that or how deep is our due diligence onto an acquisition that we're performing over in Vietnam, you know, or something like that. I've actually talked to somebody just recently that he did a lot of acquisition stuff, and it they did a pretty good job, but they knew well into it. And he actually recommended against going with this company for all the problems that they had. Oh, yeah.
Justin:Just clear text everywhere. Everything was a little hack. They had interns performing functions against the production server and all this stuff. And he's like, this is the scratch, the due diligence scratch surface. Like, who knows what we're gonna find?
Justin:You know? Yeah. And he got overridden and yeah. Right. Then had to fix whole bunch of stuff for a year and a half.
Justin:Sure. You know, type of thing. But yeah. Like, yeah. Do you have representation into this that will actually get you at least an accurate picture to make a good decision
Rick:Right.
Justin:You know, into that.
Rick:And Joe, I would also say, maybe another very compelling element that I heard you mentioned before in support of it is if there's 80 pages of guidance that all the board members should read because there's not a member of cybersecurity, like representation directly on the board. Many of the board members that I've interacted with in the past would not read 80 pages of cybersecurity guidance. And so probably the easiest route is just to put someone else on the board than to try to get them.
Joe:Get that one person like me who reads those documents.
Justin:You could either read this or hire this.
Rick:You everyone can on the board read this or add someone.
Joe:No. Yeah. Good point.
Justin:That's funny.
Joe:Yeah. I think I think the biggest takeaway then is or my advice is board should do it, but you know, if they don't do it right, it's gonna create more risk. And it'll give that false sense of security. So I'll go back to what we started with.
Rick:No. I think that's right. I I like the concept of if you're not gonna do it right, it's better not to do it.
Justin:Well and I think I think it's even simpler than that. Forget about the cybersecurity. You need to have somebody knowledgeable to push back on the executive management team. So if you don't have somebody on your board for all the functions that you're you know, it's coming up through the executive management team and is smart enough to ask the right questions and to push back into that, then you're missing something on that board. Yeah.
Justin:Like, cybersecurity, it could be that, or it could be IT, or it could be, you know, other functions as well. That's where I'm like yeah. If you don't if somebody's presenting you something and there's crickets and they're like, it's like, okay, then maybe there's a gap in, you know, scale onto the board.
Joe:Yeah. Yeah. Well, a lot of boards and a lot of organizations I've talked to and been in and worked with on this have a a top 20 set of common board reported risk areas that they report on. And so to align with that, like how do you to go from what you said to actually getting that done? It's take a look at what are your top risks that you're reporting to the board?
Joe:How are you prioritizing those? And for the ones that are making the top of the list, do you have somebody knowledgeable who is representing those areas?
Justin:Yep. Exactly. Yeah. Tom. Cool.
Rick:That conversation made me thirsty.
Justin:Yeah. I know. To the best part of the conversation here, we are drinking a delicious thing. I've had this for a few months now, and I really wanted to break it out here. So this is the Woodford Reserve, which I'm really big fan of as kind of a a generalized one.
Justin:Like, their double oak is phenomenal. Mhmm. This is their double double oaked. I can't wait for their double double double oak to come out.
Rick:The triple double?
Justin:Yeah. But this is delicious. I mean, is super sweet. It's almost like syrupy, like sipping on it. Like, it's very sweet and it just I
Rick:get that, like Yeah. Maybe not maple, but maple esque. Yeah.
Justin:So diving into, like, some of the descriptions of Woodford's, The taste, rich dried cherry and cranberry fruit swim in a blackberry jam brightened with hints of ripe apple, chai tea, and warming clove notes developed to spice up to the palate.
Joe:And sounds like it'd be great to have on Christmas Eve.
Rick:Yeah. It's pretty fantastic.
Justin:Actually, I got a a drum that we're gonna have closer to the holidays. Nice. Look at this. I've I already have plans.
Joe:I I like What I like about this is it's very smooth, and I usually like to drop a little ice into one of these just to kinda cut it a
Rick:little bit. And I don't Not necessarily.
Joe:I'm not getting a lot of heat from it. It's
Justin:It is a 90 proof. So it's not yeah. Very It's not very hot at all on the lower scale. But I don't know if you guys know this. I'm like, this, no pun intended, is kinda my sweet spot.
Justin:Like, I like stuff right around the low nineties into that. I mean, I'll drink high octane, you know, one point proofs and all that stuff. But when I can sip on this and there's you know, it's just nice and easy, and I do like the sweetness coming out of a spirit. Natural sweetness, of course. Yeah.
Justin:That's just delicious.
Joe:Yeah. Yeah. This is awesome. This is really fantastic. Bringing this.
Joe:Hey. Did you get to us? Did you guys hear about the the two guys that were robbing a liquor store? The first guy looks at the second and says, is this whiskey? And the second guy looks back and says, yeah.
Joe:But robbing a bank is whiskier.
Justin:Did hear that joke, I love it. That it's usually one of those are done with Daffy Duck and and One
Joe:more fun.
Justin:And One fun. Yeah. That's awesome. Yeah.
Rick:I'll also say about Woodford, their their distillery is absolutely gorgeous. Yeah. You have a chance to get down there. It is worth doing. It's beautiful.
Justin:Yeah. Something that, yeah, that the audience should know. We did pre COVID. Unfortunately, we haven't made it down there since
Rick:We haven't. Well, maybe we'll to make a
Justin:trip. All three of us with a few more friends of ours, we went down for a mini distillery tour over a few days after DerbyCon, and it was phenomenal. We went through a number of the distilleries. Woodford was and maybe it was just the weather that day, but it was such a beautiful distillery.
Rick:It's
Justin:You know? Not all can say how beautiful, like, that that place is. Yeah. So, let's go into here. We're a little over an hour on our thing.
Justin:Let me pull up, of course. Show notes. Talk amongst yourself while I'm pulling up Oh, yes. The next thing here.
Joe:Well, I think what we're gonna talk about a little bit was vGRC. Yeah. And, high level, what is vGRC? So there's a lot of, and I actually had this conversation today, there's a lot of these fractional services that are covering everything. I've probably gotten four LinkedIn invites today to talk to somebody about their fractional CMO, their marketing, their fractional CFO, their fractional human resources.
Joe:And I use I actually use all of those. And so it doesn't make me feel bad at all that one of the things I like to do is help companies with fractional GRC teams. And so when you talk about vGRC, I think today we wanted to cover a little bit about what is it and when you should engage and how it might be different than say, like you hear vCISO.
Justin:Right, yeah.
Rick:That might be a great place to start because I think a lot of people might conflate fractional security services with fractional GRC services. So do you wanna talk a little bit about that? What are some of the main differences?
Joe:So if you think about it, there's a couple of aspects. One is you have MSSPs, which is a fractional security monitoring service. And they're gonna be watching your networks. They're gonna have agents or system things on all of your endpoints, all of your servers in your network, and kinda watching it. And vGRC is is not that.
Joe:So it's more of the technical controls looking at what's happening and the people who get the make and get the 3 AM call.
Rick:Activity and response. Yeah. Exactly.
Joe:And then so vGRC to me that looks like in way I'm used to helping companies with that is, when you think about what an organization needs, and once you become 1.5 billion dollar organizations, you're probably starting to hire these kinds of teams internally. Yeah. But when you're smaller all the way up to that size, and if you think about what a security team needs, you probably need like four or five different expertise. And when you're looking at those four or five different expertise, you probably need somebody who understands how your policies work, and manage that. So a typical GRC team, somebody who understands how to do risk assessments, put in vendor risk assessments, and look at those functions.
Joe:And then other things organizations might need are, well, do you have somebody in the security team who understands objectively how to look at your cloud security configuration? How to do a penetration test? And so those things. So when you're thinking about what that virtual GRC team could be, it could be GRC and also product security, kind of combined into something that you can get fractionally. Yeah.
Joe:Meaning if you were to hire all those five people, and just assume they're each gonna be a six-figure salary, which plus or minus isn't too far off. And probably a lot more than that. Now you're talking a half million dollars a year investment in a team, and you probably don't need those people full time.
Rick:So If you wanna get one person, good luck finding one person for that number that has all that experience.
Joe:Right. Yeah.
Justin:And We're not even talking about the hiring process for
Rick:No.
Joe:Which Right. Will take months anyway just to identify people and we've been we've been through it with a number of folks. So when you're thinking about the VGRC and you're able put that in place for a fraction of the time or a fraction of that cost, because you really probably don't need forty hours a week of every single one of those resources until your scale is much bigger. So that's another thing you can virtualize. People will say, hey, I want VC.
Joe:So I get a lot of calls. Hey, do you guys provide VC services or we are thinking about a VC. So what do you all do? And I'll argue right off the bat. Maybe you shouldn't be considering VC, so do you really wanna get one of the most expensive single resources that are out there on the market today that is gonna come in and try to do forty hours a week of the things you might need?
Joe:You're looking you want a vCISO to come in for even a fraction of the fraction, because you need somebody to come in and kinda have some oversight. Are you properly doing risk management? Think about what you're saying about the to push back and say, is this the right direction? But when it comes to updating all the policies, and when it comes to updating spreadsheets, and getting all the little things done, I think there's somebody who might be a little bit more appropriate to do that.
Joe:That is up and coming in their career, future.
Rick:Oh, sure. Yeah.
Joe:And so when you look at it, somebody asked me, do we want a vCISO? So I'm like, well, no. You probably need a fractional set of people where you have that experienced vCISO as just a piece of the team. And so that's how I look at it.
Justin:So I'm gonna push back with you a little bit on that. So I always define the difference between the two, that the virtual CISO had almost like all the components, you know, that you could do it. But oftentimes, even, you know, in the early 2000s, mid 2000s when I started doing virtual CISO stuff, like, if you wanted pen testing, we'll throw that in as a module. If you wanted policy work, we'll throw that in for a module. Right.
Justin:You know? And usually, the core of it was some type of checkpoint iteration and then double checking and making sure you're doing all the necessary stuff, with usually some type of annual assessment, you know, from a metric standpoint, that would also be built into the virtual CISO. Sure. With virtual GRC, that's usually how you focus on the GRC component, you know, into that. So it wouldn't necessarily have maybe an annual pen test, you know, that would pull into it.
Justin:Maybe it would feed in from a external company or something like that. Is that how you're aligned to that? Or
Joe:Well, in order to
Justin:make up person like sorry. A virtual CISO is like all the packages versus I don't know. I always treat it as very modular.
Joe:I gotcha. And so the way you're explaining it is you call it a vCISO, a virtual CISO, and you can cover all the things, but is it one person covering all those things?
Justin:No. Well, it depends on the modules you pick.
Joe:Mhmm. Well, if you pick all the modules.
Justin:No. It would be from different parts of the team within
Joe:Okay. That's probably just a difference in naming than Yeah. From what you and I were talking about.
Justin:But, like, virtual CISOs, I found, are usually more focused on, like, hey. We have to support ISO. Can you help us to make sure that we're checking off the boxes, we're doing all the things, maybe like focus and scope or focused in, you know, doing a security assurance oversight? Like, again, a GRC function in there.
Joe:No. Exactly. And I think of it very similarly, so when we're putting a program together and we're gonna offer, say, a vCISO service Yeah. Or a vGRC service, we're going to look for something that's probably gonna be a minimum of a couple year engagement to keep it going. Because to get ramped up and get it all mature, then it's gonna operate effectively, and it doesn't happen in six months, nine months.
Joe:Usually takes that first year, and now that you're going should keep going. And then in order to usually sweeten the deal, and make it a little bit easier to get things done. We like to offer a tabletop exercise. Like to offer a built in penetration test. And so you can get one of those every year.
Joe:We'll do a risk assessment every year. So we'll do these various pieces each year. And when we're doing it, it's built in in a way that if you would come along and say, well, I don't really need the pen test, it's not gonna change the scope such that you're gonna see any marginal monthly cost change. So you're getting it, you don't have to use it, but we have the resources in order to make that available, and do that with some of our v-fill-in-the-blank offerings.
Joe:And so that's how I look at it, which I don't think is too much different than what you're looking at. What we do is we position it that way, because when somebody is selling vCISO, and in some situations, and it may be different than yours, you get that one person who's coming in,
Justin:who Yeah. They're the point person, essentially.
Joe:Yeah. Well, they're the point person, but I've also seen that they're the only person. And when they're doing that, they're calling themselves the vCISO. I've seen vCISOs who were, yesterday, director of IT, who recently got promoted Yeah. Got caught up in a layoff and decided to hang a vCISO
Joe:shingle, and now they're the vCISO. And you look at what their background is, well, six months ago they were in charge of configuring M365 or all
Justin:of Right. The Conflict of interest.
Joe:Yeah. Yeah. And now, well, they decided to pivot. Right. But they didn't have, you know, like the three of us have been spending years and years and years figuring out maybe more years for me than you Yes.
Joe:I have more. I don't know, we shouldn't brag about this. And so as you're going through it, you're looking at, well, who's gonna do that? So when we put something together in order to get the best, most effective and affordable price, we definitely have a vCISO-level person on the team. But we aren't positioning them. They're not positioned forward.
Joe:They're not the front line person.
Justin:Gotcha.
Joe:They're the one who they're not usually the project lead either. They're the ones who are gonna be in there for a fraction of the time. Maybe it's one full day spread over the month, where what they're doing is oversight, is this going in the right direction? Those kinds of things. And so if you think about the scope of how much time are you gonna spend, well, maybe an organization needs twenty hours a week or fifteen hours a week over the course of a month on average.
Joe:Some months it's more, some months it's less. And then out of that, a fraction of that time might be the vCISO, the most expensive resource. And that's the one that wants to make sure that everything is functioning, meeting all the goals.
Justin:And then
Joe:you have somebody else who is managing day to day. Well, how are we doing against that risk assessment? Are we getting these controls in place? What controls aren't in place yet? What are the non conformities?
Joe:How are we addressing these? How's corrective action program
Justin:Pen test report came back with these. What are we doing about
Joe:What are we doing? And then the vCISO will jump in at that point and say, well, this is good. We see the pen test report. Let's go have a conversation with leadership about the root cause. Why is this pen test finding there? What is it that's missing from your underlying security program, from your development program, from your change advisory board, whatever it is, that allowed this problem to get in, so it could be a finding on a pen test?
Joe:Let's do root cause analysis, get into proper corrective action, get the person who can talk to top leadership and hold that conversation.
Rick:Yeah. Love the clarity that the language of vGRC brings. I think because it's not a term that I've heard bandied about a ton in the past, say, 10 years or whatever, but vCISO
Justin:Fairly new, I would say.
Rick:But I like the clarity because how often have we as practitioners said the words, well, security is not the same as compliance. And it's true, they overlap but they're not the same. And so I really actually like, even though they're overlapping still, vCISO and vGRC are related, but they are different. And I think historically vCISOs would have, kind of to your point earlier, Justin, they'd paint with this very broad brush and you kind of think, well, I'm gonna get all these functions from this. But technically
Justin:It's a la carte, what are you picking out of this? All the numbers on each of those.
Rick:But you absolutely could have a security expert, someone who's an expert in the technical security of the program, who's not a compliance expert, who's not even to some extent a risk expert if they're very implementation focused. They know some risk, but maybe not the academic risk management elements of things. So I like the concept of vGRC being a related but different practice when done fractionally.
Justin:Well and I'll throw this out, and now I wanna do a question too. Like, one of the things I think a lot of people, especially in executive management, it's not, you know, separated from the CISO. Mhmm. But the cultural smarts on how to get things done, how to position conversations, how to, you know, kinda lay it up because
Rick:Like the political and relational stuff?
Justin:Exactly. You know? EQ. Yeah. Yeah.
Justin:Like and, you know, that's something that some people are naturally better at than others, but it is often a learned trait, you know, going up through the ranks and dealing with executive management. And if you've never had that from a virtual CISO, all you're doing is throwing reports at it. Oh, yeah. You know what? I've seen it too, especially in my younger years, like, trying to do this stuff, then you come back in a quarter and none of the things are patched.
Justin:You know? Like, we had a quarterly touch point at this one CISO virtual CISO I did. And we're like, hey, guys. Here's all your findings. You know?
Justin:Like, I'm gonna touch base with you. You know, quarter and come back and like, we didn't do anything. Didn't have time. Yeah. Know?
Justin:It's like
Rick:Your ability to act to actually affect change is a huge capability.
Justin:Right. Yeah. So at that point, you're trying to then have more conversations and say, you know, like, is this an acceptable thing the way the business is lining up to? Probably not, since they're paying you to be there, you know, type of thing. But then, you know, how do you effectively manage without making enemies of IT, saying, like, now I'm coming down and saying to you, you stink at your job, you know, because you haven't done anything in the quarter, type of thing, which is, well, there probably might be some truth to that, but they have other priorities that they've been doing.
Justin:You know? So somebody has told them to do other stuff, you know, into this. So, yeah, into that. The other thing I wanna bring up as a question, does liability have anything to play between a virtual CISO and a virtual GRC? Because if you're a virtual CISO, whether perception or not, legally, I don't think so.
Justin:But, you know, you being a virtual CISO and you get like, the company gets breached, you know, into that, do you play any part into that?
Rick:Boy, I'm really thinking through insurance claims now. Yeah. Yeah. I'm like, oh, man. This order of
Justin:Virtual's
Rick:operations
Justin:gets GRC, I would think be less, you know, into that. Does that play anything into it?
Joe:I have a hot take, but No.
Rick:I wanna hear I wanna hear your hot take first.
Joe:Yeah. And and so well, first, if you're virtual, that means you're not actually on the accountability level at the company. You are an outsourced resource. Therefore, everything that's being done is, you know, at that point. Right.
Joe:So can you take a fall for an organization? No. But can you be sued by the organization for giving them bad information? And should you have E&O and maybe directors and officers insurance? Probably.
Joe:Because you'll wanna defend against that. So that's my hot take. Yeah. But there's no difference there than if you're doing a vCISO service or you're doing a vGRC service. You're still being thought of as the expert who's giving advice.
Joe:Do you think there's no
Justin:difference between them?
Joe:When it comes to that, I don't think companies will differentiate when they're deciding they're gonna need to sue you because Yeah. You gave them bad advice. They don't care.
Justin:I just think perception wise, you know, there might be something there. Like, if you're I'm wondering. Virtual CISO, you're kinda put in the spot of executive management. While virtual, I agree with you, like, from a legality standpoint, there's a separation there. But you have
Joe:this Let's talk a little about the difference between the CISO in a company and a vCISO, and what the differences are. A CISO in a company, if they're truly a C-level, and it's rare to find a C-level person who has signed papers and is put on the cap table, and is truly accountable as an officer
Justin:Right.
Joe:There are very few CISOs who have that title
Justin:Right.
Joe:Who actually have that accountability. Mhmm. And it might be they report to the CIO, they report to the CFO, they report to one of the people who have that accountability. So the difference there is, you know, that's still a difference. Was the guy from Uber, was he on that level? And he still got held accountable.
Joe:So but he was an internal person at that company managing that process. So in that case, yeah, I think that they're the ones who need to worry about that risk in that way. And whenever you're at a v-level of that, where you're really a supplier to an organization
Rick:Yeah.
Joe:One of the things that and so if you're not doing this and you're one of those people, my recommendation is that you go into every conversation with, I'm ultimately not even able to sign off on this risk. I am here to give you advice on how this risk might impact the organization, have a conversation with you about what that means, and help you understand your options on decisions. Ultimately, you're gonna make a decision because I don't work here.
Rick:Right.
Joe:That's the way I would look at it.
Justin:Yeah. I guess and I agree with all that. But the perception of the CISO being into the title.
Joe:So how do you let that perception get in place and how do you avoid letting that
Justin:perception get in place? I think the perception is natural because it's vCISO Mhmm. If you have that. Whereas, that's what I'm saying, like, if you have vGRC, you know, like you're performing a vGRC function, I think that's less of a perception risk.
Joe:I agree. It could be perceived at a lower level than maybe the vCISO.
Rick:Yeah. Could be, but I don't know that it necessarily would be. Because I could see worlds where a vGRC function feeds a chief risk officer or a chief compliance officer.
Justin:Right. But that person is a C-level.
Joe:Right.
Justin:Right. And I'm saying like you're the virtual C-level.
Rick:Fair. But also there's going to be cases then. So if that's true, there's also going to be cases where your vGRC function is your acting, right? Not officially, but your acting risk officer, your acting compliance officer, which in many organizations is sort of an equivalency to a security officer. So I think it's almost like a connotation versus denotation thing.
Rick:I think you're right, like by default a lot of people think a chief security officer or a vCISO has this sort of global responsibility. But I'm thinking, I'm visualizing all these scenarios in my head where I have a firm as a vCISO and a firm as a vGRC, something goes wrong. Then I'm like, okay, well, who do I go after? And it's gonna be super contextual about what that something is and all that. But I don't know that I by default think one is over the other.
Rick:They seem like Mhmm. Again, they seem like, and this is what I was saying before about how I like that it brings clarity because there's two sides to that coin. There's the security stuff and the compliance stuff and the risk stuff. And they're all actually different. It's a many-sided coin, I guess, which is a die at that point.
Rick:But it does. But it's multiple things. And from my perspective, it ends up being like co equal partnerships, right? The same way that you'd have a Chief Security Officer be a co equal partnership with a Chief Risk Officer and things like that. Like slightly different focuses, but obviously highly interdependent.
Rick:So to me, I don't necessarily see like a risk or a liability thing that would be like inherently different, but that's just how I'm visualizing and defining the term for me. Yeah. And it is still a new term.
Justin:I just threw it out there because, you know, I was just thinking, like, is there a difference from a perception level Yeah. You know, into that. And I have seen cases, not personally, but if you come at it and you don't set the right table when you're coming in there as a virtual CISO or GRC Mhmm. Of what your true role is into that, the perception is you're in charge. Yeah.
Justin:Sure. The perception is you're in charge of the security organization. And if you don't contextualize that and, like, I'm I'm your expert adviser, but all actions are on you. Like, as long as I'm not lying to you or negligent in my job and not finding, you know Yeah. Three fourths of the things that are actually on your network or whatever it is, you know Yeah.
Justin:Type of thing, like, then it's really probably gonna be on you for not putting the controls in. Like or you told me multifactor is everywhere, but they really wasn't, you know, type of thing. Right. You know? Yeah.
Justin:The way
Joe:I would handle that is certainly through my contract with the organization. I would have clear terms Mhmm. Conditions and expectations, and set all that out upfront, explain that upfront and say, yeah, I can lead the effort to do this. Here's the scope of work. Here's the responsibilities.
Joe:Here's what we're gonna handle, and we're gonna take these through this. When it comes time to make a purchase, I'm probably Yeah.
Justin:I can't I'm not signing authority.
Joe:There's no way I'm gonna be able to sign off on this. In fact, most CISOs that we talk to don't even have that because they still have to go and get that from the CIO, or there's the rare companies where the CISO is actually elevated
Justin:Yeah.
Joe:To the level of being an actual person
Rick:Named named off the start.
Joe:Yep. And they can can spend money without getting extra approval. But even even then, those companies, by the time you get to that point, you can't spend money without procurement and being involved either. So unless it's at a lower, you know, a lower signing level. And so you kind of put all that stuff in place.
Joe:And, yeah, I I think that hits a little bit on what what I would be worried about. And so if I was so let's look at it from the the buyers of these services. What should they be looking for?
Justin:Of I was also gonna ask if we can put it into the this context, who who is it right for, you know, into this? You know, you've mentioned the buyers, but, you know, there's probably ideal clients out there Mhmm. You know, that would be specifically, like
Joe:I know my best clients are those that are in highly regulated industries, growing companies, probably, you know, while we do have customers that seek us out, I'm not intentionally marketing to companies under $20 million, and I'm not marketing to companies over $1.5 billion because, below that, they have to make their own decision that they need the help, they'll come to us, we'll work on it. And if they have funding, at that point, they may not have the funding to wanna invest in doing this the way Right. The right way. And in fact, I was having conversations with Rick earlier about, well, sometimes we'll get something Mhmm. That comes through.
Joe:And I'm trying to, you know, figure out what do we do with that very small organization that needs help. Because one of the things that is hard to do when you can't compromise on quality Mhmm. And completeness is sometimes you just can't take a contract with a small company because they won't want to afford to pay for what it takes to do it the way that somebody who has 20 Yeah. Plus years of experience would have, and bringing that kind of
Justin:team we worked with. We're going back and forth on it like a $2 contract.
Joe:Yeah. Well, it's funny
Justin:And it like, come on, like, we've already spent this.
Joe:I just got an email from them the other
Justin:day. Oh, really?
Joe:And you got it too except that was at your your CISO email address, which was
Justin:too long ago. You found out.
Joe:You never got it. Anyway but that's funny. Yeah. And they were just making a reference to somebody else who needed help.
Rick:But to your point though, like a very small organization that needs point in time help to get over a very specific hurdle is a different thing than a company that needs help building or maintaining or operating a program.
Joe:Yeah. And I would say those are different for sure. And the one that needs that point in time help, that might be something we'd be able to do, because to me, I wouldn't look at that as vGRC at all. To me, that's a pro services engagement to fix a thing, not to build a program that can mature over time. And you
Justin:can afford the price, you can afford the price.
Joe:Exactly. And then and and so when we look at what customers make sense for this, and I'll say, look, this doesn't apply to everybody because there's nuances. You could be a small couple person company who isn't highly regulated, who has a killer idea and has funding, and just got, you know, a couple million dollar venture or PE money to do this. In that case, call me because Yeah. We'll help you and we'll go fast and we'll probably go faster than you wanna go.
Joe:And we have some customers that have that exact situation. They're smallish, but they're they're they're going to sell their company sometime in the future Mhmm. For a huge multiple, and they need to make sure that everything is buttoned up. And so they would typically if they didn't have funding
Rick:Yeah.
Joe:Externally in order to do this, they would not be ICP, ideal client profile. They would totally be somebody that we would be giving an offer bigger than what they could afford, and it won't make any sense. And then on the other side of that, when you start to hit that $20 million company, you really should you're growing to the point that it's risky for you not to have somebody with one of our skill sets as an overseer, and then having somebody who can take care of that daily stuff in between the time that we're checking in at the vCISO or the principal engineer style of it. And then on the upper side of it, what I look for is once you're hitting over a half a billion dollars, you're probably putting resources in place, but you probably haven't put the full program in place. And so you could probably leverage some vCISO.
Joe:You might even or even vGRC, not even vCISO. Because maybe the person who's running that could very well handle the leadership conversations. Right. And they just need somebody to take care of, make sure these policies are good and bring them to me when they're good, and I'm not gonna pay a fortune to get this done.
Justin:So maybe they're like a director of security and have zero team.
Rick:Yes. Exactly. Yeah. Technical administrator. Like, I I do another vendor assessment.
Rick:Oh, I have to get these policies done. Oh, I have to
Justin:yeah, absolutely.
Joe:Outsource that to somebody like us who can handle that and put it through a system like that that can handle managing controls on a platform online
Rick:Right.
Joe:And make it more efficient. And and then I did complete my scale. So once you start hitting that billion dollar company, I'm starting to ask questions. Why are you a billion dollar company that needs exactly these kind of services? What is it you really need?
Joe:And as part of it, do you really need us to stand something up? Do a program to start hiring people so the time you hit a billion and a half and bigger, you're starting to internalize this. It's almost the how do we put ourselves out of business and switch the dynamic. For those kind of customers, once they hit that level, what's happening? Things are changing, dynamics are changing, they'll need to have somebody internally who can go to more internal meetings.
Joe:They'll need to have a security architect
Justin:Right.
Joe:Who's handling a lot of that stuff. So that'll have to be internalized.
Justin:It's staff aug or internalized.
Joe:Yeah. And so at that point, they could be, you know, either way. And what also happens at that point is when you're looking at what the $20 million to the $300 million companies are spending for vGRC, the kind of work we might do might be a certain price point on a monthly basis.
Rick:Right.
Joe:But once you hit that $1.5 billion, am I out of work? No. It just changes. What do they need? Well, what they need is somebody to come and do an independent risk assessment to guide them through that process, to do a maturity assessment of their program, to help look at how they're handling their various functions.
Justin:Right.
Joe:And because of the complexity at that size organization, the price they're willing to spend, you know, it is weird how it works out. It turns out to be about the same amount of money as those smaller organizations are spending in order to have that fractional team. Yeah. So I never look at myself as putting myself out of work by growing into those organizations. It's just the work dynamic shifts.
Joe:They start internalizing the things that they can do themselves, and they, and and they should. And then we help them make their internal resources more mature as they grow. Right.
Justin:Yeah. Yeah. I agree with all that.
Rick:So, like any evolving term that's becoming marketing fodder, right? Like what's the difference between a good GRC shop and a bad GRC shop, or vGRC, I should say? Like, what are the things to look out for?
Joe:I don't even know you have to put the V on it. We'll just talk about It could be just GRC shop.
Justin:That's really what it is. Right? Depth of experience. You know? I mean, experience in general.
Justin:I'd say
Rick:breadth of experience.
Justin:Breadth of experience. Yeah. Well, explain the two.
Rick:So you have to be good at any individual topic, but GRC naturally encompasses a bunch of topics. Like we can rattle them off very quickly, and we did some already. Policy stuff, vendor stuff, risk stuff, right? Knowing the frameworks, knowing how to do appropriate control sampling or challenge an auditor or support auditors, all of
Justin:Going back to the first topic.
Rick:It's all
Justin:of it.
Rick:So I think it's important to make sure that someone who used to be an infrastructure director that wants to hang a shingle and could just put vGRC on it, actually still has the breadth of experience in all those domains. And maybe any individual client doesn't need all of those all at once. But I would think that a good vGRC shop or just GRC practice is gonna have experience in all of those things because this is all an ecosystem and it all plays off each other.
Joe:Yeah. Yeah. It's interesting. I don't think I mentioned I did a presentation last Tuesday and it was for the information sharing group. And I'm not sure if I mentioned how that all came about, but back in February, I was at that same meeting and I was talking a little bit about what my organization's doing, what we're researching, and what we're putting out.
Joe:And we talked about GRC. And so we did a somebody else asked for a show of hands. Hey, by the way, does Joe need to explain what GRC is? Who knows what it is? And out of this room of people
Justin:GERC. What's GERC?
Joe:Yeah. A ton of people didn't know what it was. And so that resulted in them asking me to come back, and it ended up being an hour and a half presentation on how to put a mature program in place, and so what's the difference between a good and bad GRC program
Rick:Yeah.
Joe:And put this program in place. And so I built out these, you know, about 15 different concepts to cover, and it went through various topics. And the topics were, and we hit on some of these earlier, you know, what is risk appetite and what is risk tolerance, and can you explain that in your organization? And ultimately, it gets to the function of the security program, which is to drive change in the right way for the right things.
Justin:Mhmm.
Joe:And so defining GRC, somebody said, define that for me. What is G and what's R and C? And together, you know, we came up with, you know, GRC is a bridge from intention to execution. And I love that.
Justin:That's a good one.
Joe:G is, you know, ensuring the right actions happen, the right risks are known, and commitments are kept. So governance is who decides, and it's how decisions are made. The R, risk, is what could impact our objectives, and how uncertain are we about it? And C, the compliance, is, well, the proof that we did what we said we'd do, showing that we're meeting the commitments we made to our regulators, customers, funders, employees, and anybody who expects that we're running a mature security program. So if you put all that together and you drive to how you can get that done, it really comes down to and one of the problems that these organizations were having is they would take a technical finding to their leader with a solution that they wanted to get paid for, and they couldn't really explain it well enough, and they didn't align it to a business risk, so they didn't get any funding.
Joe:And we concluded as a group that day that leaders fund what they understand. And so if you don't understand what it is so one of the functions of a good CISO or a good vCISO or vGRC is to make sure that you're creating transparency and that people understand what these risks are. And you need to put the risk into, don't just do a risk, but what is a business-aligned risk scenario? You know, if this happens, what's the consequence, and how's that consequence gonna negatively hurt the organization? Yeah.
Joe:And so when you take it through that, that formula, now you have something that's a little bit more meaningful. And what can you do with that? You can actually get the leaders to understand what it is, and then you can go in with your leadership ready ask. And so we spent the that hour and a half talking through how to get from point A to point B, where point B is developing your leadership ready ask, and then how to get from B to C. C is, well, how do you put a proper risk management program in place?
Joe:What does a proper risk management program look like? And another area that I kind of skipped over that we spent a lot of time on is the difference between a nonconformity and a risk. And where a nonconformity is you're not doing something you've already decided is a control. Meaning you have a policy to do it, and when you don't do it, you're breaking your own rule, you're breaking a standard, whatever it is you're breaking. And whenever you have a nonconformity, it ties to risk.
Joe:It's different. You should track those different, and you should treat them differently.
Justin:Yeah. Right.
Joe:When you treat a nonconformity, you do a root cause analysis, you figure out if you stop the bleeding and where else is happening, and then you put in a corrective action plan. And you don't really wanna report every day in your risk committees, here's our nonconformities. You wanna report on how effective is our corrective action plan. Yeah. What is the corrective action plan that's gonna make that happen that get that put in place?
Joe:And so now you're talking about the corrective action plan, which is nothing more than just another project you're gonna run. And when you're running it, let's go back to something you guys said earlier. You'll have that IT guy who you came in and said, last month I was here and we talked about these things. Did you do anything? Didn't make any progress.
Joe:So what I like to do is say, hey, go find that person. You're responsible for this corrective action plan. The bus is coming down the road. We're both squarely standing in front of I'm telling you what's gonna happen next Tuesday when we have the risk manager committee meeting. I'm gonna be stepped over there outside in front of the bus.
Joe:It's your choice whether you're stepping over there with me or you're standing right here in front of it. Because my job, my expectation, what I promise to the the leaders is that I'm gonna let them know what's, failing. And one of the things that's failing right now is your corrective action process. It is late. It doesn't show any signs of getting better, and I don't know what we're doing about it.
Joe:Now we could go in there and I could say that, or you could come in there with me and together we'll say that we know this is off track and we have a plan to get it back on track and we need your support, and let's figure out who the blockers are.
Justin:Right.
Joe:Yeah. And do that ahead of time.
Justin:It could be like a valid one, like, don't we have any resources and you threw three new projects at me.
Joe:Exactly.
Justin:You know?
Joe:Whatever it is, you need prioritization. And so whenever you have a nonconformity, you also have an associated risk because if your control Sure. Stops, some risk went up. And if you do a measurement of what risk went up and you're looking for that, and you're like, well, what got riskier because this control failed? If you can't fight anything, that's
Rick:actually think a about great that control.
Joe:Yeah, you don't need it. And so that's something else. So when we take this from a to b to c to d, you're leaving that risk management committee meeting with talking about the things that matter because it's gonna be a very expensive meeting. You're gonna have lots of people in there who don't wanna spend their hour unwisely. And as you're talking through that, now you're hitting a point where, you know, what's off track?
Joe:Let's just not put in the appendix all the things that are on track and just put a dashboard up there that say, we have 50 things going on right now and, 45 of them are on track. Today, I'm here to talk about these five things, and you can see there are ones in red or the ones that are declining.
Justin:Yep.
Joe:And it's two nonconformities that have corrective action plans off track, and it's these three risks that we all decided were highs or criticals and need to be mediums, and their risk remediation plans are not tracking to the agreed-upon plan. And I need this organization, this committee's help in getting these back on track. Yeah. And if you focus on that, you're going to be much more effective at running that. And I don't care if you're internal or outsourced.
Joe:That's what I think a good that's the difference between a good GRC team and one that's not effective. They're not doing those things.
Rick:I love that. Yeah. We hit, I think, ton of really good stuff. But one, I heard the ability to explain complex situations in a way that's going to resonate with leadership that might not be technical experts or compliance experts and things like that. And the ability to communicate why that stuff matters to them, right?
Rick:So communication skills, the ability to build a coalition, right? So you can affect change with other internal parties is a huge piece of it. And the ability to implement and build and adhere to structure essentially, right? I think all of those things are huge benchmarks in terms of separating people that can actually do this work and and people that might not be so good at it.
Justin:I think another thing too that only comes with experience is providing real world solutions, like multiple solutions Oh. That could be into it.
Rick:Like pragmatic solutions. Exactly.
Justin:Yeah. And you can kinda go down, you know, it's like, okay. We can do this. Oh, that won't work. Okay.
Justin:Well, what about this? You know? And how about we do it this way? You know? Like, that solution does not exist outside of experience and actually seeing that.
Justin:I agree with that. You know? And so that's a value that you bring a lot of times, you know, into that. I can't tell you how many times doing just general consulting, but basically, that's what this is, you know, when it comes down to it, is, like, we're stuck against a rock and a hard place. And it was like, well, why are you doing it that way?
Justin:You could do it this way. You know? And they never knew you could do it that way. You know? It's like, oh, yeah.
Justin:So, like, a lot of companies do it that way, you know, type of thing. Like, I was just talking with, I think I talked about it before, dealing with the company, trying to help them with some of their PCI 4.0 vulnerability management. I was like, guys, you know, you don't have to take the vulnerability rating coming straight out of Rapid7. You know? It says critical, but it's three layers deep in your network.
Justin:You don't have to classify it as critical. If you do Right. You have to fix it within 30 days, you know, and it's in a more difficult spot. Whatever you know, there's a lot of things in there.
Joe:How to actually read the intent of the standard, not, hey, if it's critical, oh, the scanners rate it as critical. Right. But that's only one component of our grading system. If it's critical from them, and then it comes to our grading system, if it's not exploitable and it's behind protection, we actually classify that as moderate, and we don't have to do those in the same way as criticals.
Justin:Exactly. And that's the thing. It's like, hey. The only access to even exploit this is the admins that can log on to the box. Like, are we still saying this is critical here, you know, type of thing?
Justin:And you get a novice GRC person, they're reading like, well, if it says it's critical, it is critical, you know, type of thing. But, yeah, from an experience of and that's just, like, one example. There's also just, like, the solutioning of it or the segmentation or just knowing of all the tool sets out there and other applications that could work, you know. Like, a lot a lot of times, again, with a, like, a PCI thing, they came out with monitoring your website. Mhmm.
Justin:And I gave them the manual way that you could do it for cheap. You know? I even wrote a Python script for some customers to actually do it their own way, you know, put it in crontab and run it. Yeah. Or you can get Cloudflare to do it or Akamai.
Justin:And I'm like, yeah, you should probably if you have Right.
Rick:$10 in your budget, you should probably just do
Justin:it that way. It'll be way easier. You don't have to monitor it, like, and set it up and all that stuff. I was like, it's probably better that way. You know?
Justin:So, like, you know, you know the complexity of these challenges, when to spend a dollar and when to save a dollar, you know, into that. And that that doesn't come with, you know, people just out of college that have studied their GRC, you know, or just passed their SIP
Joe:Yeah.
Justin:For the first time, you know, type of thing.
Rick:It made me sort of think of a a thing. I I think experienced people very rarely will give ultimatums. They often give options.
Justin:Mhmm.
Joe:Yeah. I love that.
Justin:I I often kid around with my PCI clients. So it's like, you know, well, first option, you can stop taking credit cards.
Rick:Well, even if they're ridiculous. No. But I actually think that's
Justin:part of it. I was like, I know. That's not realistic. Let's go to the next one.
Rick:But I do think that's part of it because even considering fully ridiculous options is evidence that you understand the problem and the impacts and the things that while technically you could do this, but you'd never want to.
Joe:Right. You can normalize the real answers.
Rick:Exactly right. Exactly Well
Justin:and but that's sometimes not ridiculous. You remember the first client that you and me worked on Go ahead. Into that? There was one channel where they were doing, like, 40 or 50 transactions a year.
Rick:Like, do you really need this? Like, just turn
Justin:this off. Come on, guys. Like, really?
Rick:That takes all
Justin:of Yeah. And they ended up turning it off. Yep. Like, I was like, yeah, this is important.
Joe:Yeah. What are the four things you can do with the risk?
Rick:Well, avoid it. Yeah. Yeah. Exactly right.
Joe:I like that. So we covered who might need it or what size customers or what are ideal customers for this kind of thing. We covered what makes it good and the bad type of GRC. We covered, you know, kind of the differences. And then maybe it's not so different, it's a matter of understanding what you're getting when it comes to vGRC versus VC.
Joe:So, I do agree with you that if somebody has that v, that that c in the front of it, they're probably gonna have this expectation that they're doing more, and it's probably on them to make sure that's communicated. The thing we didn't really cover is when does somebody need it? So what do you all think about when is it right for a company? So maybe we have a listener here who's like, I don't know. Do I need it?
Joe:What's the answer?
Justin:I mean, honestly, as soon as you can afford it, you know Yeah.
Joe:I think
Justin:think it's probably the right answer. I was just, unfortunately, working with a friend of the family. She runs a really small business. Mhmm. Eight people.
Justin:Got hit with a compromise. Their email did not have MFA in front. They were sitting on their email server for at least a few months and started sending out change of ACH forms to their customers Yeah. And got hit with, like, again, like, small company, quarter of a million
Joe:Oh, wow.
Justin:Customers paid out to these fake ACH accounts.
Rick:Oh.
Justin:So you say, like, what's the right time? It's basically as soon as you can really get somebody. And I think the problem is there's not somebody really dedicated to that small of organizations. Like, that's more time than they can really afford. There hopefully is some packaging out there.
Justin:I haven't seen anything great. You know? It would have to be highly packaged.
Joe:I've seen some MSSPs that do an okay job with proxying for the experience that we have from a GRC and CSO perspective. But I've seen so many who don't really know how to do it right either. So you're right. That is a problem that I don't think there's a solution. And I I think some of the symptoms as to why that is is because the resources that we have to hire to do this kind of work don't come cheap.
Rick:It's a scaling machine.
Joe:Yeah. And That's why
Justin:I said it has to be highly packaged Yeah. If there was a attractive thing. Like, one of the things I was surprised so I don't know if you know the, is it GoDaddy? They have that front to Microsoft Office where it's like their splash page for back end Office, but they integrate with Office three sixty five. Oh, they got And you can go through the advancing to log in to their Entre instance and everything like that.
Justin:I tried to so I went through, and they kinda hide a lot of features. They front end it with their, like, SaaS solution. The problem is, like, there's not a lot of security stuff. Like, you can enable MFA, and that's about it. I went into their on like, their Microsoft solution.
Justin:They stored seven days of logs into their solution. Yeah. I'm like, I can't tell what what the entry point was. Right. Know?
Justin:Like, they That's gone. Yeah. So and I was just shocked with that. It was like seven days of logs. Like, why do you even have logs?
Joe:So I liked your idea better than I liked my idea of when somebody needs it. As soon as you can afford it, because almost everybody has something to lose. And the GRC, they're like the second line of defense in the three lines of defense model. Mhmm. Who's overseeing to make sure things are happening the way that management's expecting, the way you're expecting.
Joe:Yeah. My answer was gonna be, that the moment that you are, needing to become audit ready for anything. Oh. It's Interesting. Yeah.
Joe:You probably need it because the way the way I look at and explain to like my customers, the way that we think about a program like this is everything we do is done first as lean as we can do it. So as efficient as possible. But when we start doing something, we're thinking about the end in mind. The end in mind is where does the evidence that the thing we did happen is the c that I mentioned earlier in the GRC. And it's how do you know that it was done?
Joe:Mhmm. And how can you automate knowing it was done so you don't have to worry about somebody manually grabbing a screenshot Yep. And putting it in a Absolutely. Folder to know it's done. So it's that kind of stuff.
Joe:And the minute that you know that you need to be ready for somebody's audit, And and and to your point, it's probably the minute you know you're gonna fill out that cyber insurance application. The minute that you're gonna fill out anything or have to tell a customer you're secure.
Justin:My That was funny. The same, friend of the family that I was working with, It was very unfortunate. She didn't also have any cyber insurance, you know, into this.
Rick:That's rough.
Justin:And she now is starting to look at it.
Joe:Of
Justin:course. And she's got the form. She's like, I have no idea what half of these questions asking. Mean? So, like, I have no idea.
Joe:They were just helping a startup. And I said, so here we had a startup customer, still do. And we, and and one of things I had coach them on, so if you're listening, you'll know it was you, is they submitted their first cyber insurance application without any help from us. And when they did, they got this they got denied that by by one, and then they got a huge price from another, I think. Oh, wow.
Joe:And and it didn't make any sense. And I said, please do not submit those. We will look through those. We will properly figure out when you're ready to answer these. And since you're not gonna go with it anyway at that price point, you're already accepting the risk that you can't get it.
Joe:So we're not telling you not to buy it. Buy the most expensive one if that's what it called. Buy the only one you have if that's what you gotta do. But, let us go through and look at these answers. Let us make sure they make sense.
Justin:Mhmm. So And?
Joe:Do you have oh, then with the probably four months later, we were able to get a program in place with all the things that checked all the boxes legitimately with
Justin:Okay. The ability to So they were answering no to questions and that's why it was
Joe:coming Great. Like, do you have two factor
Justin:Yeah.
Joe:On everything? No. Yeah. Well, that's just gonna get you Yeah.
Rick:And then do you have sensitive client data? Yes. Okay. Well, like yeah.
Joe:And so we we work through that. And so Got it. And and it was at their scale, it was actually very trivial to get two factor functioning everywhere it needed to be.
Rick:Right.
Justin:And so turn it on on Microsoft. Is that what you're saying?
Joe:Well, they're a little bit more complex than that. But yeah.
Justin:Yeah. Some of them. They're they're like medical device related organizations. Gotcha.
Joe:So they had some things extra things to do. But it was not it was not really, you know, it was a little trivial. Yeah. So it was it was easy to to get it in place. But to get that in place and get all the other things in place, to be able to do, you know, a high level security assessment of where they're at and what they need to do, like all these started checking Yeah.
Joe:Boxes. Yeah. Literally checking the boxes on their cyber insurance form. So the minute you need the you know you need to do that, and you want somebody to give you guidance through what those things mean and how to answer them. Those are the things I love.
Joe:And then the thing I love after, I think we had a whole episode, didn't we? Where we talked about cyber insurance, but once you
Justin:Little bit. We?
Joe:Once you get the cyber insurance, then what do you do? And now you need to preselect your panel, preselect your
Rick:Right.
Joe:Your IR, your top two IR vendors, your lawyers, and your PR company. Yeah. Because those are usually the three things you gotta pick.
Rick:Well, I think my answer to when do you need it is just when the fear of something going wrong becomes unbearable or the confusion of what you're being asked becomes unbearable like the insurance thing or the client thing, which kind of ties the audit ready or just the pain. I think operationally, if you're going through a bunch of administrative stuff related to security because you're trying to do the vendor assessments or you're trying to do the policies and get them up to date. Like if your time could be better spent doing something else, yeah. I mean, do that cost benefit and see if you need to pay for that.
Justin:I mean, how many times do we see post breach, you know, things become more important, you know, from a security perspective?
Rick:Well, how many times do you see a breach happens because someone's trying to wear too many hats?
Justin:Yeah. Yeah. I I think it yeah. You say unbearable. I the only reason I hesitate on to that wording is a lot of people have their
Rick:A different tolerant different tolerances.
Justin:Yeah. Or don't even know, like, again, it's security is one of those things if it's never happened, it probably will never happen, you know, mindset, you know.
Rick:That's fair. That's fair. We haven't
Justin:had a phishing incident. So yeah, we're probably good.
Rick:But think about what what would your world turn into if you own a small business and someone was camping on your servers for a month and they were able to send ACH form changes.
Justin:Run through it, it is way more important. That's the thing. Like, once you go through a breach or an incident or something along that line to all of a sudden, you have a brand new perspective on life. You're like, I never wanna go through something like this again, you know, in this manner. Yeah.
Justin:And, yeah, that's one of the things is, like, once you have that like, it it's all risk and reward. You know? So it it it's much like a fire extinguisher. How many of us have had fires in our house? You know?
Justin:For the most part, probably zero. Right. Right. You know? Like you know?
Justin:But do we still have fire extinguishers? I do.
Rick:Well, because you hear about it. Yeah. Well, you hear about it. You know the risk. But then Yeah.
Rick:It's also different too if your neighbor's house burns down. You go,
Justin:oh, actually.
Rick:Maybe I should check the dates on my fire extinguisher.
Justin:Living in a two bedroom apartment that, you know, insurance is paying for, but Right. You know, they also lost all this stuff. And it's like yeah. It yeah. Once you realize kind of the personal pain of it, it becomes more of in forefront of it.
Joe:Too bad to have somebody who was at a place that could make sure they're doing this stuff, you know, like like a like a cybersecurity expert on a board of directors. Yeah. Who would then insist that measuring their security program was done in a way that could be relied on and made sense. Yeah. And then in order to get those good measurements, maybe they did need GRC.
Justin:Look at that.
Joe:You just made a whole episode that tied together.
Justin:Perfect. I know. Isn't that awesome? That's what goes into ten minutes of planning. Nice.
Justin:Cheers.
Rick:Cheers to that.
Justin:Cheers, guys. Yeah. To the brand new studio and podcast, and this was a good episode here. So thank you everybody for joining us. Don't forget to like, comment, subscribe.
Justin:It really helps our algorithms kind of beef up and everything and get more viewers. Stay tuned for next one. We're going to, I don't know, figure out some good topics here and we'll have probably more of the studio finish. Alright. Thanks, everyone.
Justin:Have a great one.
