Controls Are Promises: Rethinking GRC for Modern Security

Raj Krishnamurthy (00:00.93)
Hey, hey, hey, welcome to another episode of Security and GRCD Coded. I’m your favorite host, Raj Krishnamurthy. And today we have the awesome Sergio Alonso with us. And Sergio currently leads trust and governance at Rapid7, but an amazing carrier, right, progressing from, 17 years, progressing from auditing into high tech compliance, I should say Sergio, and into cybersecurity. So.

I think if there is anything in the journey that we should talk about, I Sergio has got it all. So super excited to have this conversation with you, Sergio.

Sergio A (00:37.425)
Thank you so much, Raj, for the opportunity.

Raj Krishnamurthy (00:40.504)
For our listeners, let’s take a step back. Maybe talk about our experience from an auditor through a hyper-regulated industry all the way to your currently leading trust and governance at Rapid7. What was the journey like?

Sergio A (00:54.129)
Yeah, so even before working for a financial institution in a super highly regulated environment, working as an external auditor, an external consultant is way so different when you are just going somewhere asking for the questions, asking for the information and then you move to the other side of the world, I guess. When you are working with the different teams, implementing, operating, making sure that things are working as expected in

all these highly regulated environments is way more challenging. And for me, it was kind of an eye-opening experience when I joined Santander Bank here in the US because the bar was so high. As you can imagine, many progress in terms of compliance and regulation have been coming because of the financial industry. And in the US, comparing with Spain, it’s way, way, way higher.

than you can expect, right? And I guess that was my first kind of reality shock, learning, enabling myself in a different super high-regulated environment. After that, you know, progressing to the other side, right? How can you operate in the same level in a more tech space where you don’t have perhaps that pressure has been for me a great reference.

my experience with working for a bank and making this happen there.

Raj Krishnamurthy (02:26.338)
What was that reality? You said it was a reality shock. What was that and why was that?

Sergio A (02:31.131)
I guess it’s the level of throwness that you would expect when you work for a bank. You don’t have only three lines of defense. You have 17 lines of defense, right? You are working under the CTO organization. You are working in the supposed first line of defense, but you have internal control, internal audit, have the control testing team.

You have the different risk management functions. You have the second line of defense. You have then your external evaluators, right? So when you need to do something right 17 times, of course you need to write at the very first attempt, right? Because if not, for sure somebody’s gonna be spotting where are you falling short.

Raj Krishnamurthy (03:21.144)
Got it. So you worked at a highly regulated environment like Santander Bank, and then you went on to work in blockchain for Akamai, and then you went on to work for a company like Twitter, right? And now you’re at Rapid7. What was that transition when you moved from such a very regulated environment like Santander into a company like Twitter or Akamai?

Sergio A (03:44.475)
I guess for me, everything is context, I remember when I first joined Akamai, my first weeks working there, I was always using Santander Bank as a reference, like, this is the way that I have been doing things in the last few years. And I think it was an approach that was totally off. You at the end of the you need to contextualize yourself in the industry that you’re operating and understanding the new expectations that you need to meet.

I always say that when you join a new place, you are there because of your previous experience, which is a tool, but not the only tool that you need to apply. Working for Akamai and contextualizing my previous high-regulated experience for an environment that, you know, perhaps goes faster, has a different perspective for a different risk profile, adapting yourself to it, I think it was the right transition to make in order to keep enabling

Instead of protecting, I’m going to go old-fashioned, a mainframe system protecting a new financial solution based on blockchain where Akamai was partnering with MGUFG, the Japanese bank, and using all that knowledge context to apply the same level of thoroughness in a different setup, different context, and different new technology that was blockchain back a few years.

Raj Krishnamurthy (05:15.703)
Okay, and I learned so I, one of the sort of, I think we all have stereotypes, right? And one of the stereotypes is that when you work for these large banks, right? And when you use the word GRC, most people think of the word compliance and checks, right? And sort of very, the ritual nature of compliance.

And in a company like Akamai, there are no sacred cows, like you were saying. So when they were looking at you, did they have apprehensions on how somebody like you with a very strong auditing and advisory experience and a large bank experience would fit into a company like Akamai?

Sergio A (05:53.649)
Yeah, absolutely. And I think one of the very first challenges was let’s use SOC 2 as a reference, right? Translating the trust service criteria and the different requirements and common criteria controls from SOC 2 to a context of blockchain in a company like Akamai, right? When you talk with your engineer saying, need to show proof of full redundancy.

in a system that is not operating in a traditional primary data center, secondary data center, perhaps even you have a disaster recovery center. Of course, in the cloud context, this is way, way different, right? But when you are building a system that is resilient by design with different nodes across different regions, the concept of how can we execute a disaster recovery test, for example, right? That was something that…

When you are using perhaps this more legacy mindset in a new environment, it’s the challenge and that compromising conversations with all the engineers help to move this thing forward and translating the expectations of Fastlock 2 on something that was never done before.

Raj Krishnamurthy (07:09.229)
Got it. So I think Akamai is a lot more discussion and participation with the engineering teams, what you would have done at Santander. That’s what you’re saying. OK. And how, as a GRC professional, maybe I’ll take a step back. What is your perspective on G and R and C?

Sergio A (07:18.544)
Yeah, absolutely.

Sergio A (07:29.692)
I I think I have seen daily that question question asked a few times. you know.

Raj Krishnamurthy (07:32.941)
Ha ha ha ha.

Sergio A (07:38.28)
Probably it’s just now it’s a legacy term, right? I think compliance gives you the context from what expectations do you need to meet, right? Governance is what you use to orchestrate end-to-end meeting those expectations. And the R is the tool that you have in place place to manage your

your deviations from that expectation that is compliance telling you to meet. meet, I think right now it’s an archaic or legacy concept that should be kind of adapting to a new… For new times that I don’t know yet how it’s gonna be, but for sure it needs to transform into something different.

Raj Krishnamurthy (08:26.645)
Okay, now you today, today your role is you lead trust and governance. You don’t say, I mean, when I look at your LinkedIn profile, you don’t say you lead GRC, right? Which is what he used to say when you were in Santander. Now you say trust and governance. Compare and contrast that word trust and the word GRC. And I’m not just trying to play word games here. What I’m trying to understand is, is there a fundamental difference in the way you think about that?

Sergio A (08:47.559)
hehe

Sergio A (08:52.957)
For a company like Rapid7 that operates in the business-to-business ecosystem, we saw other customers, we have more than 11,000 customers. think trust is up front for us, right? trust is a tool that we have to meet our customer expectations and to improve our own security posture. I’m gonna say, I will miss the…

the world risk on that name and it’s something that we are debating internally and governance is kind of the orchestration that we have to make those trust expectations from all of our stakeholders, know, externally our customers, our auditors, but also internally our executive team, our CISO and all of our partners.

Raj Krishnamurthy (09:44.255)
Okay, and what do you think is the perspective that others outside of the trust of the GRC organization, other than your organization, have on GRC? How do engineers feel about GRC, and how do leaders feel about GRC?

Sergio A (10:02.961)
That’s another good one. It depends on each organization, right? And even within the same GRC team, you can have different initiatives that your stakeholders is going to be considering in a different way, Who is excited about running through an audit? I don’t know, like, it’s our breath and butter, but…

at the end of day, nobody gets excited about it, right? But who is excited about pushing the envelope a little bit, implementing the new controls that, you a new standard where you may have some gaps is pushing you to do better, right? That’s different, exciting. So I guess when we have the right proposal for the teams, the feedback and the excitement is way different when you need to keep running

things that you have been running before. And this is where GRC needs to keep evolving and be more efficient, right? Reducing that friction with the teams that you work with. you know, in the tech space or in a bank, in any company, engineers are a key partner for GRC. So you need to really handle and set up the right expectations with them.

Raj Krishnamurthy (11:23.306)
Got it. So you’re saying that don’t just tell them what to do. I think make sure that they understand what they are doing and take them along in this journey. Right? Makes it better. But you use the word that reduce the friction. Engineers, what is causing this friction?

Sergio A (11:33.019)
Yeah, absolutely.

Sergio A (11:41.726)
think there are different fronts, right? You can have compliance fatigue, you know, and this is where this approach of meeting once, meeting many, can help to rationalize the level of effort that you may require from your partners. That’s one. Especially, you know, when you work in a global complex environment, different regions,

serving all the industries, like how can you meet the expectations for all of them right? And they will listen to the details, as you know. The other one is on a daily basis, what can you do to improve your iterations with them in a way that you don’t do busy work or non-applicative work and you start thinking about where are we spending more time and getting less value, right?

I always repeat this with my team, with my partners, Pareto principle, how can we keep applying that 20 % to do 80 % of the work? I know it’s easy to say, easy to claim, but it’s kind of a philosophy or an author’s thought that is important always to keep in mind.

Raj Krishnamurthy (12:57.802)
Okay, and so I think that leads me to this natural question, right? Given your background working very closely with the engineering teams, what is your view of automation? And I’m gonna, maybe I’ll break it down, automating evidence collection, controls testing, and how do you think GRC engineering as a discipline fits into this?

Sergio A (13:22.203)
It’s the only way to go. That’s my first take. With no automation, it’s impossible to scale up your program in a way that doesn’t cause more friction than necessary. There is some level of transactionality and you need to have some key basic steps in place in order to make everything happen. framing properly…

Raj Krishnamurthy (13:25.087)
Okay.

Sergio A (13:49.906)
the scope where applies automation to me is the very first step. I do believe that sometimes we claim innovation, now with AI, with automation in a way that sometimes we transform the problem. And what I mean with that is I have seen many times enabling massive automation or

gap assessments, like just snapping your fingers and finding yourself with millions of findings and creating a different problem about, what is next, right? What makes sense? What is your pace or gap remission flow in order to keep a proper pace, helping the organization to get better and not just being buried in a massive amount of problems that is impossible to solve.

You mentioned about evidence gathering, right? Not everything applies when thinking about where automation can help you with your evidence gathering. Probably evidence gathering is the most boring task ever, looking back, screenshotting things, and I think we were crazy before, And now hopefully we have many folks.

Raj Krishnamurthy (15:06.252)
Mm.

Raj Krishnamurthy (15:14.123)
No.

Sergio A (15:16.189)
enabling and having the right thinking like you, helping companies to move to the next level. And this is where, know, scoping properly for your context, selecting, iterating files and proving the value of automation for evidence gathering and compliance checks is the only way to move forward.

Raj Krishnamurthy (15:40.845)
Makes sense. So one thing that is bothering me a lot, Sergio, is that you have worked through the compliance aspects of the company, right? And you worked on, strongly with the engineering teams, you have a significant emphasis on automation.

But when I think about automation, and for example, take evidence collection as an example. And even as you move away from screenshots into collecting them directly from APIs, when I use the word evidence, people normally associate that word to compliance and audits.

They don’t associate that with risk management, continuously managing risks or the ability for you to be able to collect signals and metrics towards risk management. They don’t think about sort of managing this from a governance perspective. Why is that? Why are these, even though we are trying to do the same things, because they are all essentially the same types of data in slightly different contexts, aren’t they towards the same outcome? Why are people thinking about these things differently, or am I wrong?

Sergio A (16:43.453)
I think you’re right and I’m pretty sure still the legacy mindset that is living with all of us. When I executed my first audit, it was in 2008 and the concept of everything has transformed massively since then. At the end of the day, evidence is is proof of rightness, right? And proof of rightness means that what you wanna do

Raj Krishnamurthy (17:06.956)
Hmm.

Sergio A (17:12.279)
is behaving in the way that you want, right? And there are multiple ways of evidencing that thesis. And I think framing the narrative where you have an important risk that you need to take care of, and you can show live proof of all your controls or key controls addressing that risk are operating in a way that you expect, is that the concept is way beyond evidence, you know?

I think we all think about evidence like a different piece of paper where you look at to prove that this is happening somewhere else And with this automation and life view on behavior of a system or a process, people or everything together is what is making a difference.

Raj Krishnamurthy (18:00.425)
Interesting. So what you’re basically saying is that you are seeing all of them as interconnected. The idea of to, I mean, yes, you can collect data and you can use that as a means for proof, or as you rightly said, proof of rightness. But it can also be used for a bunch, so it is much beyond just trying to satisfy an audit, is what you’re saying.

Sergio A (18:05.564)
Absolutely.

Sergio A (18:21.661)
Absolutely. At the end of the day, an audit is the last line of defense, right? I know there is a lot of hate against compliance, but again, this is kind of a legacy mindset. At the end of the day, you can base your security program in your own judgment and expertise, or you can…

base your security program or complement your security program with security best practices, baselines or any type of compliance regime, right? When you are doing an audit which has many limitations and that’s another point of the world right now and you are failing an audit because you’re not meeting the basic compliance expectations, I mean, not same on you, you know, but at the end of the day, you are failing the real estate resort.

to test that you’re doing the right thing.

Raj Krishnamurthy (19:21.907)
Okay, but I think one of the challenges that most leaders face, right, and most practitioners face is that even if you’re willing to move at a much faster clip, right, in terms of automating a lot of this process, bringing engineering principles into this, the last mile seems to be that you’ll have to convince your auditors, internal and external auditors. What has been your experience in that?

Sergio A (19:47.133)
To me, always convincing auditors is just a natural consequence of doing everything important right before.

The way I dream about audits is having a package ready for an auditor where you have the whole story of your context scope with your policies, with your narratives, with the 12 months of applicable from a 10 perspective. Every single data point showing these are my 75 promises and this is proof of rightness.

for these 75 key controls operating 24 per 7 during 12 months. That will be the consequence of a properly run information security and GRC program. That’s the dream that I’m sure I’m not alone. Everybody’s having right now.

Raj Krishnamurthy (20:40.683)
I love the word here. Did you use the word promise? Did I hear that right? And I think that’s a very, very interesting way to phrase this problem. So you’re basically thinking about this as promises being made and promises being kept. So do you think of controls as promises being made? Is that how you think about them?

Sergio A (20:44.187)
Yeah. Yeah.

Sergio A (21:05.597)
Absolutely. You know, I mentioned before your security program is fed with the best security expert criteria.

optional best practices and compliance is less regulatory non-negotiable. It’s up to you to decide what are your promises for the company, And honoring those promises when you have the responsibility of protecting the footprint of your company in the global complex world we live in.

is the minimum expectation from the information security and data setting, right? Streamlining and simplifying that narrative about what is your mission for this company, what are the ingredients that you need to apply to support your mission, and be transparent about how you are accomplishing that mission.

Raj Krishnamurthy (22:06.953)
OK, got it. I want to go back to your experience, and especially I want to go back to Akamai, because where you started talking about block saint, right? Have you worked on zero-knowledge proofs? And can you describe to our users what are zero-knowledge proofs, and what was your work around zero-knowledge proofs?

Sergio A (22:22.877)
Yeah, that was part of it.

Sergio A (22:32.155)
I guess in simple terms and…

And of course, I wasn’t the creator of this, but of course, Aki partner basically is without information being able to prove that something that needs to happen is happening right. And I think for the context of the project that I was supporting in the payment and credit card transaction world, I think that’s something here, right? You are going to a shop, you have a merchant,

You use your credit card, you make a transaction, you have a credence entity, you have your bank. So how can you move all that sensitive information that, from a PCI perspective, is clearly limited, defined? Probably one of beauties of PCI is that, from a scope perspective, it’s one of the most specific things that you can find. So leveraging one of the key engine antennas of blockchain.

Raj Krishnamurthy (23:29.887)
Yep.

Sergio A (23:36.891)
for zero proof to make sure that you have multiple entities talking to each other. You have a central layer, you know, keeping everybody honest. You leverage that engine in your internet to make sure that everybody feels comfortable even without having all the information.

Raj Krishnamurthy (23:56.533)
Got it. And I think maybe that’s a very interesting principle, Because you are basically saying you don’t have to expose all the sensitive data, but you are able to provide assurance that the right things are happening on those controls. Did you expand that beyond blockchain controls into other security and GRC controls as well? Sergio, this idea of zero-notch proofs?

Sergio A (24:10.279)
Absolutely.

Sergio A (24:21.921)
I’ve been thinking about that lately and right now companies and especially cybersecurity companies where you have a high bar for trust and transparency, I that concept has an important role in the next years. How you as a vendor can show proof of the strength of your security program

without over disclosing your weaknesses, right? Because let’s be honest, everybody has weaknesses. If not, know, an information security program or a risk management function will be useless and you are in continuous improvement, especially on this global threat landscape that we need to live with. So I think applying that concept from blockchain in the new emerging, powerful trust opportunity that many companies out there are trying to capitalize.

will be to me another dream. Like, how can I keep so improved to my 11,000 customers that what we’re doing is right and you can trust our position.

Raj Krishnamurthy (25:30.444)
I would love to double click and maybe do a separate session with you. And I want to call out another one of our guests earlier, Mosey Platt, who works at Netflix. He has been a big proponent of this idea for a long time. I know it is forward looking, but we would love to. I think we should double click and do a session just on this. And I would love to do that. I want to take the experience from Akamai. I think that’s a very interesting segue, because in at, I don’t know whether to call it X or Twitter.

Sergio A (25:48.518)
Absolutely.

Sergio A (25:58.622)
I wanna stick with Twitter so far.

Raj Krishnamurthy (26:01.067)
At Twitter you built the GRC team for privacy from the scratch. What was that experience like, Sajeev?

Sergio A (26:12.029)
So it was awesome, great company. And something that I always like to highlight at the very beginning is it was the only time that I have not been working under the CTO, CIO, CIS organization. I reported to the chief privacy officer who reported to the general counsel. So my team members were lawyers and project and program managers.

And just the concept of risk management with lawyers, I think, boom, is a massive conflict, One of the tenets of risk management is writing down the things that are important and broken. And from a lawyer perspective, it took some time to click in the way that… And I understand, okay? I think it’s a massive empathy exercise that I went through.

Raj Krishnamurthy (26:44.981)
They don’t fit well.

Sergio A (27:06.941)
One of the great things about Twitter was there was already an app and running security team with a GRC function that when you are arriving to a new page, don’t want to say nothing is usable and you just want to use existing prototypes and adapt for your scope, for your context. And you have a GRC team running the G, the R, the C. So you can try to figure out what is the vehicle or the structure that you can replicate.

and adapt and customize for the privacy context. Something that I really love about Twitter was the thing was called Privacy and Data Protection. And something that stuck with my mind is privacy gives you context and sense of the regulations. And data protection is the extension where you partner with information security to protect the data, right?

Raj Krishnamurthy (27:47.627)
Mmm.

Sergio A (28:04.975)
And sometimes I think that in a GRC security focus, you don’t have that context. We focus on critical assets. We focus on critical data types. But the use case of the information is something that I have not experienced a lot in a company. And when I was working at Twitter building GRC for privacy, the amount of context that can give you a lawyer,

Understanding and translating the regulations on a specific for your own GRC program helps you to be more targeted in your outcomes and priorities.

Raj Krishnamurthy (28:44.683)
Okay, but at a company like Twitter, I would assume that the focus is more on privacy and not on GRC, right? Because you are not necessarily subjected to lot of regulations. Is that a fair thing to say?

Sergio A (28:58.745)
Twitter being a consumer app, privacy was one of the top five enterprise risk for any type of company in that business. privacy was an extension of the privacy needs. This is public data, but one of the needs for

for Twitter to build a GRC function for privacy was the consent decree that they got from the Federal Trade Commission, right? All this is public, there were some problems managing user data and the FTC asked Twitter, you know, and also find them with 150 million. You need to uplift your security program and you need to create…

a GRC function for your privacy program, right? So it was the missing piece that in this case the regulator observed missing in order to make sure that everything that Twitter should be doing, all those promises that we mentioned before were properly documented, orchestrated, disseminated and honored.

Raj Krishnamurthy (30:07.731)
And how did you bring the Twitter engineers to work with you on this? Because they are going to be notoriously anti-compliance, anti-GRC, possibly even anti-priority, would assume, right?

Sergio A (30:22.109)
You know, always pivoting, right? And framing what is the final problem or not the start that we’re trying to achieve, right? And keep pivoting, iterating, reflecting, incorporating the feedback, adjusting, and fine tuning for the expectations that are always changing so quickly.

Raj Krishnamurthy (30:50.281)
OK. I want to come back to your rapid seven. And I think when we were speaking last time, you said something very, very interesting. So you said the infrastructure security team is customer zero.

Sergio A (31:02.309)
Yeah, so Rapid7 is a cybersecurity company heavy on detection and response, writing management, cloud security, and other few things. So I have the opportunity. And this is one of the coolest things about working for a company like Rapid7. You are the cybersecurity team of the cybersecurity company.

All those products that Rapid7 and professional services that is developing externally for the market, when there is an internal consumer within the company, automatically belongs part of the customer zero program, which somehow helps to give feedback as practitioner to product team and impact better the roadmap of the product.

And you know, we, Information Security, being in a security company, we are part of that program.

Raj Krishnamurthy (32:06.103)
And I love the way you phrase it, right? Because you are in some ways sort of acting and providing not only to solve the internal operations, but you’re also trying to help in terms of better customer relations, better product, releasing product, release on and so forth. You also said something very interesting early on, Sajiya. You said that I think the flip side of automation is that, I don’t know if you quite said that, but is that it produces a lot of signals, or in other words, a lot of noise potentially.

And then the question is, what are the signals from the noise, That sort of the needle in the haystack problem. How do you think about these things, especially in a company like Rapid7, where you’re essentially creating a whole bunch of signals, right? And from looking at postures of different infrastructure, how do you manage that as a GRC team to reduce the, to increase the signal from the noise?

Sergio A (32:58.397)
Yeah, I always think that at the end of the day, an information security function is, let’s say a data management function, right? So data is what you manipulate, you use to do your job and you keep ingesting every day in your brain in different ways, So even agnostic of Rapid7, when you have multiple tools,

with multiple data points, what means operating that tool successfully, right? Something that I have experienced in other companies as well is when you start having visibility in a complex, heterogeneous ecosystem, it’s difficult to decide, okay,

where we get started, you know? And this is where again, context, context and context is extremely important, right? How many tools are there giving you false positives? You know, because the rule and the rationale behind the logic that you are using when you talk back to the right system owner or SME saying, this is so because, or this doesn’t apply to us.

or I think the rating criteria is inflated, given, I consider that we don’t have, or perhaps fairly is missing the control environment, that tool doesn’t have visibility over, right? I will say that there are a few things that for us is super important. First of all, from a footprint perspective, focusing first on the most critical and more exposed footprint.

and try to narrow HMAS as possible. Of course, focus on the real true positives that you are seeing and then iterate fast. At the end of the day, this is not about you plugging in something and RF-LU having thousands of issues. It’s how looks like the end-to-end cycle from spotting, assessing, triaging, confirming, remediating, and testing validation that the problem has gone now, right?

Sergio A (35:21.275)
So I think those three steps is not the secret source, but the only way to move forward.

Raj Krishnamurthy (35:28.021)
I think you’re bringing up a very interesting point, which is that I think context is key in all of what you’re saying. But one of the challenges, what I see as a fundamental paradox, is that if you look at the cybersecurity market and the investor’s perspective of cybersecurity market, let’s say the venture investors and all the startups, they want to go solve a problem as commonly as possible. I want to go solve this problem that I can just keep minting for hundreds and thousands of customers.

The challenge there is that there you are losing context. You’re not necessarily talking about every single company. You’re doing something that can be broadly applicable. So at some point, each of these tools are going to produce data that may be nice for a given company. Overall, may be for a given company it’s going to create now. And you multiply that by the number of tools that an organization is required to deploy from a security perspective.

So when you say context is king and you’re using all these different tools and you’re getting all these different data, where do you apply this context then? Because each of them have their own context that is producing this noise. So what should be the role of the GRC team and the security team in reducing this, bringing more context and reducing this noise? How should they think about it?

Sergio A (36:48.839)
Probably that’s the most and very first step running a ERC program, right? How you gather the context that you can serve with your peer teams, know, security operations, the security cloud team, to make sure that we prioritize on the right spaces, right?

I think one of the biggest challenges is asset management and visibility. When you are operating in a complex ecosystem where you have your public cloud deployments, you have multiple SaaS vendors, you may have also some on-prem infrastructure. You have your endpoints in different ways. You may have big six.

packets of different contexts, right? You may need or six different tools or less, and then you need to aggregate all the data, right? I think the concept of securing depth, layering, you what you should be prioritizing first, it’s something that… If I mentioned before that information security is about managing data, the team owning the responsibility to aggregate all the right data points,

is the gel sitting.

Raj Krishnamurthy (38:13.052)
I think that’s a great point. I want to go back to, think, which is exactly the point you were making, even with the inflated scores. Let’s take CVSS as an example, right? But in order to do this, you need to have a very strong engineering practice. You can’t do this manually. It is almost practically impossible. You have to automate this. So what is the role of the GRC team in building engineering around this? So is GRC engineering real? And do you go hire engineers in the GRC team? How do you go about doing this?

Sergio A (38:44.701)
Setting up the framework, I know framework perhaps is another word that may have folks raising their eyebrows, but having the right framework with the key decision points to empower teams to keep in an autonomous way reducing risk, GRC engineering is a reality, like, no doubt.

It is true that that GRC engineering can be living in your GRC team, in your information security team, out of the information security team, Everybody wants to be jack of all trades and I think that’s something important. But, you know, GRC engineering is the catalyst given all those data points that you need to gather from your ecosystem, context, scope.

to then give that back to your partners in order to help them to expedite decisions with a risk focus.

Raj Krishnamurthy (39:52.053)
Beautiful. So what I think if I can rephrase what you’re saying is that the GRC team acts as the catalyst to bring everything together. But at some point, you also want to democratize. So your partners can make the right decisions as well. Now as a leader, how do you build a business case to your management team?

Sergio A (40:01.893)
Absolutely.

Raj Krishnamurthy (40:09.938)
about building this year’s engineering practice. It may not have been a challenge for you in tech forward companies, but what general advice would you give to our listeners when they think about, how am I gonna go about justifying this to my management? How should they think about this?

Sergio A (40:27.205)
Again, context in this case business context is golden, right?

What is your driver? Is it the R or is the C? The G for sure is not going to be your driver, right? But when you are in a business to business landscape, you need to serve your big enterprise or federal customers, right? So there is a big C that you can leverage to push the envelope with your information security program.

Raj Krishnamurthy (40:37.77)
Mm-mm.

Sergio A (41:00.177)
but also to say, I need to meet these customer expectations. This is the investment that we need to make. This is the security improvement that we’re gonna have. And this is the ROI or the market opportunity that we have ahead, right? When perhaps you can not lean that much on the sea, this is where they are, is relevant, right? How you can, and of course both can be combined, right?

How can you frame real exposures, past incidents, big gaps? You can leverage independent pen testing, anything that can help you to expose the weaknesses across your footprint and keep building, hey, we need to protect those specific assets this way, we need to build these capabilities, this is what peers are doing. I think from purely GRC perspective,

they see and they are for your business context is what you can leverage in multiple ways basically.

Raj Krishnamurthy (42:06.41)
Okay, and I think when we spoke briefly last time, you were talking about this also helps you to go from lagging indicators to leading indicators, if I remember right. How important is that for you?

Sergio A (42:14.855)
Yep. Yep.

Sergio A (42:21.809)
Well, as a security practitioner, you don’t want to be cleaning up the mess, right? You want to prevent the mess. So clearly, lagging is when you go after the fact. And leading is when you are preventing that bridge.

Honestly, I’m going to be super transparent here, but probably it’s always a combination of both, right? Because how can you take the credit of things that never happen, right? You can be lucky, you can be optimizing your resources in some way. But sometimes when something bad happens, and not necessarily to you, but to your peers when you have a high profile security situation across the world, right?

I think last year with Crowdster Strike and the situation we had in July, I think probably made everybody thinking about what is your release process and, you know, are you ready for that? Right. So I think combining both is what can you start helping you shifting from lagging to living. Right. And every time that something happens, you know, in your company,

And even if it’s small, you need to think about, we detected this within three hours. Imagine the consequences if this happens for seven days, right? Or if instead of being one S3 bucket, are 5,000 S3 buckets. And you can link this with records and et cetera. So I think that part of simulation, that part of what if.

think there are awesome folks out there pushing the frontier with cyber risk quantification. It’s another catalyst that can help us to make better decisions based on data that we don’t have because it’s not past data, right? And it’s the key tool for that shift into leading instead of lagging.

Raj Krishnamurthy (44:33.82)
Okay, no, that’s a great point. I usually ask about people’s heart take very early on. Maybe I’ll ask you much later. What is one heart take you have in the world of GRC, the world of security?

Sergio A (44:47.279)
I it’s not the illusion of hot take, but future is on-prem. And what I mean with that is on-prem, yeah, on-prem, on-premises. And what I mean with that is internet broke, then cloud, now AI, right? With any next breakthrough, we have the ability to build faster and better.

Raj Krishnamurthy (44:57.3)
Future is on-prem. That’s what he said.

Sergio A (45:16.145)
but we also increase our level of exposition, right? And the ability for attackers or even human error to expose ourselves, right? I think, of course, this is not going to happen to everything, but there are going to be some ex-mandate regulation in the future asking you to protect your crown jewels, right? We are seeing already a trend with that, with cloud sovereignty.

data localization in a specific country, region, I think is the very first step. But when you have some specific systems that should be the most isolated ever, I think we’re going to see some things coming back to prem and leaving the cloud environment. Just as an idea, OK? I’m not saying everything, of course, because it doesn’t make sense. You are going to lose.

your ability to compete with others. But if you pick wisely, you can prevent the bigger problems.

Raj Krishnamurthy (46:21.95)
So what I’m hearing you say is that I think it is not going to be a blind, all-on-cloud proposition. It has to be an intelligent, tiered, risk-based hybrid where you at least take some of your most crowned based on privacy data protection as you bring them on. And you’re saying that shift can potentially happen. That’s what it

Sergio A (46:42.981)
Absolutely. All the narrative that we are seeing in the cybersecurity race is around exposure, right? So how can you manage that exposure if you are not exposed, basically?

Raj Krishnamurthy (46:57.61)
God, makes sense. What do you think as a GRC practitioner for 15, 17 years Sergio, what do you think is the state of the current tooling?

Sergio A (47:12.313)
it’s progressing the right way. Right now, I think there are two worlds, right? The archers, the folks that led the way and have an important footprint right now, and then the new emerging competitors that are using a more sophisticated tech stack

a more pragmatic mindset and I would say listening to a different segment of customers. And now we have these two worlds and you can see that so easily out there.

How is it to be changing in the next years? don’t know. Zooming out of TLC, think from a cybersecurity perspective, it’s one of the industries with the biggest growth ahead. there are going to be many Palo Alto buying CyberArk situations. CyberArk is a huge company by itself. So imagine a startup.

Raj Krishnamurthy (48:20.465)
Yeah.

Sergio A (48:29.809)
ABCD level, so it’s gonna be kind of crazy, But honestly, what I love about this is these new competitors are changing the rules of the game, you know, and I hope that eventually somebody is gonna come up with a blueprint that is gonna transform GRC. You know, we talked before about how can you prove your trust without giving away your sensitive information, right?

So something like that eventually is going to happen and it’s going to change the way we business.

Raj Krishnamurthy (49:03.945)
And what are there any significant gaps that you see with the current tooling that you hope existed?

Sergio A (49:15.367)
There is a little bit of AI hype, that’s for sure, you know, which I think we need… There are many things happening right now, right? But the immediate gap is the promise that is not fully delivered in some instances. And I know this is a huge hot topic right now, but that’s something that we are seeing, especially, and just not only for cybersecurity, but…

but when you oversee the third-party risk management function and you see all the vendors out there, you can see that it’s agnostic of just the cybersecurity industry. I think it’s visibility and empowering the user to gain context quickly. We talked about this, what is the point of having millions of data points if you are lacking the context? And the next thing that you’re going to be doing is

Raj Krishnamurthy (49:58.612)
Beautiful. Got it.

Sergio A (50:11.323)
looking for an owner to gain that context, right? How can you integrate that context in the end-to-end process in the GRC tool?

Raj Krishnamurthy (50:19.419)
That’s a brilliant point. So I think you said two things. Number one, build better context. Build inclusive users. And when you say users, are you talking about those folks in the GRC team, or does it go beyond into engineering operations and other teams?

Sergio A (50:35.421)
both at the end. And this is a term that we use at Twitter. A GRC person, maybe a Sherpa, has a responsibility in guiding others. But others need to walk that way. So it’s both. At the end of the day, if you are giving the context, parameterizing the context, fine-tuning the context, then others are going to be doing their job in a better way and seeing the value that GRC is giving to them.

Raj Krishnamurthy (51:04.477)
I love the analogy. you are GRC as a shepherd, which means that they have to act as a consultant, coach, and basically they are orchestrating across the entire enterprise, right? It is not the small GRC team beyond that. Got it.

Sergio A (51:17.733)
Absolutely. And just to give you one example, when you go to an engineer with the right problem, which of course is heavy insecurity, you have an ally forever because they are so in to fix and address that, you know. It’s a beautiful experience and happens hopefully to everybody, but you know, having the right plans with the right people is the great catalyst.

Raj Krishnamurthy (51:40.17)
Beautiful, beautifully said. I love it. We are approaching almost the end of the segment, and I wanted to, so are there any books, podcasts, anything that you listen to, or people that have helped you to get here where you are, Seju, that you want to do a shout out?

Sergio A (52:00.315)
I need to do a better job with that. Now I’m trying to focus myself on a few e-learning platforms that now we have at Rapid7. I have a few books around risk management. I’m halfway of how to quantify anything on cyber risk, great book, and I always check in on that when we have some internal situations.

Raj Krishnamurthy (52:02.877)
Look.

Sergio A (52:30.351)
And probably if I can recommend one podcast is this one, which is the main one I’m following nowadays, you your podcast.

Raj Krishnamurthy (52:40.027)
Sorry, what is the book?

Sergio A (52:41.149)
No, I mean your podcast, sorry. Yeah.

Raj Krishnamurthy (52:43.017)
My part of it. Thank you very much. No, big thanks. Thank you very much. I love it. Thank you very much. One, I mean, my final question to you is that you actually had one of those fairy tale experiences, in my opinion, in GRC.

a large regulatory bank moving into a company like Akamai, Twitter, Rapid7. So to somebody who is listening to this, right, and wants to say, I want to be this next Sergio, right? How do I get myself into these much more forward looking, innovative GRC sort of companies and programs? What would your advice be to them? How can they approach this?

Sergio A (53:23.101)
That’s a great question. I was going to be grateful about the experience I got in Earth, Sun, Yon and Deloitte because every single month was like one year. I was lucky enough to work for multiple big customers at the same time doing different types of projects and I learned a lot. I think having the opportunity to…

land first in a place where you’re going to have 360 visibility, it’s going to give you a perspective of what things are out there. I don’t know how that has changed right now, but to me, made a difference. At the end of the day,

If you don’t have that opportunity because it’s difficult to rotate across different industries, projects and areas of expertise, know, trying to be patient, bringing ideas. It doesn’t matter if you are just starting your career. At the end of the day, if you keep pushing yourself to solve problems that are relevant for the company, you know, I’m going to put you in the right place. Pretty soon.

Raj Krishnamurthy (54:39.815)
No, think that’s a without call for action and I want to end the session today. So thank you very much for coming and sharing your experience with us. This has been super fantastic.

Sergio A (54:49.721)
Absolutely. Thank you so much, Raj. Thankful for the opportunity and this has been great.