In this episode of Security & GRC Decoded, host Raj Krishnamurthy, CEO of ComplianceCow, sits down with Abhay Kshirsagar, Director of Security Services and Tools at Salesforce, to explore the evolving landscape of security, compliance, and customer assurance.

Abhay shares his journey from IT audit and risk advisory to leading compliance automation, continuous monitoring, and customer assurance at industry giants like Cisco and Salesforce. They discuss how compliance programs can move beyond checkboxes to become strategic enablers of business growth, unlocking new markets, influencing revenue, and strengthening customer trust.

Key takeaways include:
✅ Compliance Automation & Risk Reduction: How automation is transforming GRC processes and reducing engineering burdens.
✅ Customer Assurance as a Competitive Advantage: Why transparency and security trust centers are becoming business differentiators.
✅ Metrics That Matter: How compliance teams can track and demonstrate their impact beyond regulatory requirements.
✅ Future of GRC: The shift towards predictive security, self-service platforms, and risk-driven compliance models.

Tune in to hear practical insights, real-world strategies, and a fresh perspective on the intersection of security, compliance, and business success in today’s fast-changing regulatory landscape.

🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

🔔 Don’t forget to LIKE, SUBSCRIBE, and TURN ON NOTIFICATIONS for more expert insights on security & GRC!
💡 Want to elevate your GRC game? Learn more about how ComplianceCow helps teams navigate security compliance efficiently!

📢 Guest Contact Information:
👤 Abhay Kshirsagar, Director, Security Services and Tools @ Salesforce
🔗🌐 LinkedIn: https://www.linkedin.com/in/abhay-kshirsagar/

0:00 Introduction & Guest
1:15 Abhay’s Journey (IT Audit to Automation)
5:30 Transition to Compliance Engineering (West Coast)
9:00 Cisco’s Cloud Controls Framework (CCF)
13:20 Security, Compliance & Customer Assurance
18:00 Compliance as a Business Enabler
22:45 Customer Assurance Challenges (Why SOC 2 Isn’t Enough)
28:10 Industry Trends (AI, Automation, Transparency)
33:40 Building a Security & GRC Program (Step-by-Step)
40:05 Future of GRC (AI-Driven Risk & Predictive Security)
46:20 Making the Business Case for Compliance (ROI)
52:50 Advice for Security & GRC Teams
58:30 Connect with Abhay (LinkedIn)
59:00 Outro & Key Takeaways

Raj: Hey, welcome to another episode of Security and GRC Decoded. I’m Raj Krishnamurthy, your host. I’m glad to welcome Abhay Kshirsagar, Senior Manager, Information Security at Cisco, today. Abhay, how are you doing?

Abhay: I’m good. It’s Friday, so you know, can’t complain, almost there. And I can’t wait to have a conversation with you about this. I mean, this is a topic that we both care about a lot, so yeah, I’m excited.

Raj: Absolutely. So why don’t we start with you. Who is Abhay? Who are you? How did you get started with security GRC?

Abhay: Yeah, so a little background. I did my bachelor’s in Philadelphia; I went to Temple and I did a course called management information systems. I had no idea what audit was about. Obviously I had some idea about cybersecurity at that time, but the focus was more on developing a product, right, almost like the mix of technology and business. I met a few seniors during that time who were IT auditors at JP Morgan, and right after my bachelor’s I was a little interested in the field, and my university also had a master’s program that literally said IT audit and cybersecurity. So I was a little interested, I spoke with a few folks, and that’s where I did my master’s as well.

Right after my master’s I moved to Miami for my first full-time-after-college job. That was more risk advisory work. Being Miami, my customers were bankers, broker-dealers, things like that, so I was like that Miami heat, wearing a suit and tie. I spent a year doing that. So essentially my job, I guess my title was something around risk advisory, but my job was to help companies with their SOX 404, on the ITGC, IT general controls, side. So I did a lot of SOX ITGC work. I think I hit my ceiling there, in terms of, there was nothing, it was just the same thing, different client.

And then I had a bunch of friends in the Bay Area and they were like, hey, you haven’t been on the west side, so you should try it out and see how things are here. So I was like, yeah, why not. So I moved to San Jose in 2018. I joined a boutique consulting, I would say CPA firm that also does consulting, and then I started doing SOC 2 and ISO 27001. Again, no idea what a SOC 2 was. I mean, I probably knew SOC 1 because of the whole risk advisory work that I did in Miami, so we used to look at SOC 1 reports a lot. And I just started doing SOC 2, helped a lot of, I would say, startups, quote unquote, in the Bay Area get their SOC 2 and ISO 27001, and then slowly learned why it’s important to them and how their customers are asking for it and how they want to get it right. So I learned that trade, and then I think I did that for like three years, and then I joined Cisco, I believe like three years ago and some change.

I joined as a senior cloud security engineer. I did a lot of compliance work, though, when I started off. So you know Cisco CCF, the Cloud Controls Framework. With my colleague, we both architected the first version of it, made it available in Cisco, made that available in our industry as well.

Raj: It is open source, right?

Abhay: It is open source, yeah. It’s open source now. I’m not a part of that team anymore, but I think they do a very good job of updating that as well, with the newer regulations and things like that. So I did that at Cisco, and then after like six months or so I started doing a lot of, quote unquote, security work. So I was going a little bit away from traditional compliance and started doing a lot of, I would say, product security work. And that’s when my manager at that time was like, hey, automation is the natural evolution of CCF, right? And Cisco, given Cisco’s complexity and scale, nobody’s doing it. Do you want to do it? I’m like, yeah, sure, it sounds super interesting. And that’s how I started doing compliance automation.

So that’s the first thing I do today at Cisco, which is I lead the compliance automation strategy, which is essentially looking at the CCF controls and how we automate CCF controls. And then slowly I also got customer assurance. So there is, you can think of it as like a tier one customer assurance team, and what we do is we essentially answer any security or compliance questions that our customers have. So that’s another thing that I do. And then the third thing that I do is I also lead a continuous monitoring office. So that has a FedRAMP angle and it also has a commercial angle. FedRAMP has this continuous monitoring, monthly POA&M packaging, to maintain the ATO. So that’s something that I do. On the commercial side, we have some high-risk controls that we want to monitor monthly, quarterly, weekly, depending on the risk. So I do that as well. And then I’m also involved in some strategic projects. I did a lot of Secure Software Development Framework, SSDF, work. So yeah, I mean, these are the four things. I mean, I can talk all day about what I do.

Raj: That is fascinating. So these controls, whether they are commercial or FedRAMP, do they all map to CCF?

Abhay: Yeah, so CCF, yeah. So a little bit of CCF. You can think of CCF as a catalog of controls that is mapped to a variety of compliance regimes, including FedRAMP, as you said. And within CCF what we also did was we came up with a term called CCF Baseline, which is essentially a mix of SOC 2 and ISO. And internally, the way we look at CCF Baseline is that even if you don’t have a customer asking you for, let’s say, a SOC 2, CCF Baseline is our minimum expectation from you, if you have a product that we are selling out in the market or it is hosting some critical data. So it may not necessarily be a product that you are selling to a customer, but it can be a service that supports a main product.

Raj: Right.

Abhay: So even those services, if they’re hosting any critical information, we basically knock on their door and we basically ask them to be CCF Baseline compliant. But yeah, to answer your question, yeah, it does map to FedRAMP as well.

Raj: Got it, that’s right. So from audit advisory to engineering, security engineering, into compliance automation, CCM, and customer assurance, that’s a very fascinating journey. So let me ask you this question: how do you see security and GRC? How would you define them?

Abhay: Yeah, so if I were to just define it very simply, security is all about protection, compliance is all about following the rules, and then customer assurance for me is how do you increase customer trust through transparency. So a loose example would be: if you’re throwing a party in your block, you’ll have someone standing at the door making sure that only the people who are supposed to get in are getting in, making sure all windows, doors, nobody else is getting in. So that’s more like security. Compliance for me would be like, hey, we are following the rules, no music after 12, things like that. So let’s make sure we are following the rules. And then I think assurance would be more like just being transparent: hey, you can park here, this is what we’re going to charge you if you enter, things like that. So for me, there’s a lot of overlap between these three, of course, but I think the focus is a little different. If you look at SOC 2, SOC 2 will have those basic controls, but security goes a little bit beyond that. And then assurance is how do we tell your customers how you’re eating your vegetables, things like that. So that’s how I define them.

Raj: Got it. I said GRC, I said security and GRC; you said security, compliance, and assurance. So do you put compliance and assurance into the GRC bucket, or do you sort of separate them?

Abhay: So I think assurance is one of the outputs of GRC. That’s how I see it. That’s like telling your security story to your customer.

Raj: Got it.

Abhay: Right, and also, as you are telling the story, you also tell them, by the way, this is how we do our security work, and obviously address the risk that you care about, because I’m your vendor. But, by the way, this is how we also meet the regulations, because we also have regulatory expectations depending on where we are selling the product. So for me, assurance is more like an output that comes out of the GRC program.

Raj: Very interesting. Okay, so you’re saying the purpose of GRC, from your perspective, is security assurance. That’s what you’re saying?

Abhay: One of the outcomes, yeah. I mean, of course, you have to reduce the risk, because that’s where the real damage can happen. You can calculate the SLE and whatnot, but then, yeah, making sure you’re protecting the company, making sure you’re being transparent to your customers through solid evidence, I think all this is an output of GRC.

Raj: Got it. So can you unpack customer assurance for us a little bit? What sort of inputs do you take from your customers, and how do you use that in your decision-making process, and what sort of decisions do you make?

Abhay: Yeah. So one good thing, I mean, if you talk to anyone who runs an assurance program, they can tell you all the difficulties about filling those questionnaires, which is true, I agree with them. But I think one of the things that we also do, which I find is super useful, is that we track something called “what makes our customers sad”. Which essentially means that a customer made a request and we were not able to fulfill it. It could be as easy as, with now the whole focus on supply chain, hey, SOC 2 is not enough. So how do we demonstrate that we meet the supply chain risks through a SOC 2 report? But now the challenge is that SOC 2, the TSCs, don’t really go into that depth. So that’s one metric that I’ll capture, and I’ll let my colleague who runs the compliance program know that, hey, by the way, I’m seeing an uptick in these supply chain questions. And it could be because of the whole geopolitical situation. I think I just read about the Salt Typhoon hack the other day. So I mean, it’s a bunch of things that happen. So I think where it’s useful is: what is it that customers are asking, and what is it that we are not able to fulfill through our current compliance program? So that’s always good. I mean, that input is almost always appreciated by sales as well, because it’s better for them to be prepared, because when they go into these conversations, when they are about to sell the product, these topics, I mean, security is obviously going to come in, but then exactly which part of security? So it’s good. So that’s one data point that I care about a lot.

The other thing that I also track in assurance is something like security-influenced revenue, for lack of a better term, because through compliance and through our engagement with customers we are also helping them sell, we are also helping them maintain the ARR. But then what’s that dollar amount? So that’s another metric that I capture, and leadership really appreciates that. So these are the two that come to mind: just looking at the pattern first and seeing where the industry is moving when it comes to questions, what is it that we are not able to fulfill today, so the compliance program has to sort of think about the strategy; and the third is how security is helping sell, essentially.

Raj: Good. No, that is very fascinating, and I actually learned something today: customer happiness index.

Abhay: Yes.

Raj: The customer happiness index, that is fascinating. So you see this as an integrated approach: whatever inputs you’re getting from customers, you are essentially feeding that back into compliance, so that it’s a continuous process for you. Is that correct?

Abhay: Exactly, yeah.

Raj: Okay.

Abhay: And the thing is that there is also an angle of risk here, because we do risk assessments, of course, we have our cadence as well, and if there are areas that our customers are probing and we haven’t thought about, that’s another input that goes to the risk team: hey, maybe it’s worth looking at these gaps, if there are any. I haven’t seen a lot of examples, but that’s another thing that I personally care about a lot.

Raj: So Abhay, what do you think are the broad changes that are happening in the industry right now?

Abhay: So some of the things, I mean, of course compliance automation is a focus. How do we modernize the way we are doing compliance? I think reducing the engineering burden, that’s in everybody’s mind. So that’s one thing for sure. And I think within that realm there’s also a push to ask the government, government agencies, to look at the possibility of accepting some of these reports, I talked about those monthly POA&M files, in a programmatic fashion. So instead of us sharing these reports through emails or their repos, how can I connect my system to yours, and how can we integrate that so that I can share information seamlessly? So that’s one thing that I’m seeing. So it’s not automation just in the companies; it’s also automating the entire cycle, all the way to whoever cares about that report. So that’s number one.

And the other major thing that I’m seeing is transparency. So if you look at SBOM and you look at SSDF, what they’re essentially talking about, what the government is talking about, is: hey, you are all software producers, we are buying a bunch of software from you, but then we need provenance. We need to know where this software is being built, what are the internal dependencies, what are the external dependencies, and if you have any external dependencies, are you using any out-of-date external dependencies in the code which may impact me? Going back to what happened in SolarWinds, as an example, or what happened very recently with Salt Typhoon. So those are the two, and I think transparency is a complicated problem to solve, because transparency is not just from the government; it’s from the customers as well, it’s also on the commercial side. Because if you look at any vendor risk team on the customer side, if it’s a good team, they will always have an assumption that all my vendors are not doing good security. So they’ll always dig in deep, they’ll always have sophisticated questions. And on the other side, the team that I run, we’ll always try to make sure that we are, obviously, we want to be transparent, but we also have our internal policies that restrict us from sharing information. So I can maybe talk about how we do change management, how we package and build software and ship it out to you, but then if you ask me to pull up my GitHub repo and show the master branch protection settings all the way to, I don’t know, GitHub Actions and how everything gets packaged, I think that’s a little challenging, because for me, I don’t want to reveal much, because that’s also a risk. So I think the transparency portion, although it’s the right question to ask, is a challenging problem to solve, and I think as an industry we all should come together on maybe a framework, or maybe an approach that will work for all the stakeholders. So I would say automation and transparency, and within transparency I’ll say right now the trend that I’m seeing is more like supply chain security with SBOM and SSDF.

Raj: Got it, got it. And how do you think companies should adapt to these changes?

Abhay: So I mean, the one challenge, transparency, I frankly don’t have a good answer for. But then through your customer trust programs you can maybe have a demo of a test environment, showing them the process. I don’t know if that’s going to be an acceptable solution for our customers. So that’s one thing where I don’t know what the answer is. When it comes to GRC, when it comes to automation, I feel like if you’re able to convince the auditors, and if you are able to tell the auditors that, hey, I have done my automation, this is how we do compliance in my company, and you have all the rights to test the completeness and accuracy of the data, I think that’s one way of winning the trust from the third-party auditors. And a similar exercise on the government side, where we’re telling them that, hey, you can do the C&A, the completeness and accuracy test, that you want, and that’s how they’ll be able to have more confidence in the data that you’re sharing with them. And also, I think, telling the security story with risks, because if you talk about supply chain, the risk that, as an example, the government sees is very similar to the risk that even we see as a company. We also have dependencies on some other third-party libraries; even we want to make sure that those libraries are secured. So if we bring risk into the conversation, I think that’ll be a much more effective strategy of dealing with all these stakeholders.

Raj: Got it. So you have come through the ranks of audit and advisory into compliance engineering and assurance. What do you see are the differences between what we typically make out of GRC and what you do as you practice in a very dynamic environment at Cisco?

Abhay: Not much of a difference when it comes to the mindset; it’s the same playbook. It’s the same regulation, so we know the expectation is the same, so we all know what to do. One thing that we do here, I think, very well is we are very risk- and metrics-focused. I talked about metrics before as well. So when it comes to risk, again, we can’t boil the ocean, that’s the reality. You may be working in a similar-size company, lots of teams, lots of things to fix, but the reality is that there is always not enough budget, not enough time, things like that. So really knowing what are the risks that you have to treat, where you need effective controls, and then how to tell that story up the chain using metrics. And again, it’s a hard thing to do, it’s time consuming. I mean, if you don’t have time, then you can maybe look at CIS; CIS has a RAM, like a risk management framework, which is a little bit more practical, but again it doesn’t cover the entire landscape when it comes to risks. But it does touch upon some of the important technical aspects when it comes to the assets that you’re spinning up in your environment, things like that. So that’s one.

And then I think we also bring revenue into our conversations a lot, because I think we talked about security-influenced revenue. I think that’s super important. I think it’s important for the leadership, and especially on the product side, to understand what’s the value of not just the assurance team but also your compliance team when it comes to maintaining the ARR, or if you’re going and scoring a new deal, so you’re in a pre-sales process. So that’s another thing that we try our best to capture a lot, and that’s how you also tell sales that, hey, this is how we have been good partners with you, this is how much revenue we have influenced all time. So I think those are the two things that come to mind.

Raj: I want to double-click on that. That’s a very interesting, fascinating point. I want to double-click on that a little bit. So, yeah, how do you now take that? You’re talking about an integrated program from an assurance perspective into compliance, I would broadly say governance, risk, and compliance, GRC. How do you go build this business case with your executive leadership teams?

Abhay: Yeah, so I will focus on four main areas. One would be, again, as I said, ultimately influencing the revenue growth. So using the tasks that we do every day, how does that unlock market access? We have products to sell; I mean, my company sells products across the world, which means that we also have to meet a lot of commercial and regulatory compliance, depending on which region we’re talking about. Some regions are more regulatory-heavy than others. So really tying the compliance program to how it unlocks newer markets for Cisco. And the other is, how do we stay out of trouble? So how do we meet regulatory compliance? That’s a given; there is no revenue attached to it, I mean there is, but then I think the more is like, how do we stay out of paying fines, and how do you...

Raj: Correct.

Abhay: Exactly. So there’s a brand reputation angle there as well. And then the third is, I think, a lot of my friends on security will probably appreciate: risk. How are we going to be less vulnerable to hacks? I talked about the supply chain attack a few minutes ago. So do we know our assets? Do we know the status of those assets? Do we know our policies? Do we know how we are doing against our policies? Do we know our policy health metrics across the board for every asset? So that’s more like risk treatment, risk mitigation, policy health. And then the fourth would be customer satisfaction. How transparent are we with our customers? How much time does it take us to close the deal? Is security increasing the velocity of sales, or are we not able to do it today? Because I mean, the questionnaires are always going to get long, so we have to find a solution. We can’t just sit here and say, oh my God, questionnaires are getting long. Yeah, I mean, that’s the reality. The geopolitical situation, there are various reasons, and they have to do the due diligence. So I understand why they are asking. I also sometimes understand why they cannot trust the SOC 2 or the other reports that we are producing, because even they have regulatory pressure to actually go fetch the evidence, or they may have regulatory impact on them. So I understand that part. So that customer satisfaction metric is something that I definitely track in Cisco. But then how do we increase the transparency? That’s a challenge. I think we as an industry have to find a solution there.

Raj: That’s actually very, very interesting. So you said four things: unlock market access, or increase market access, or make it easier to do business in new markets; you talked about risk, managing the risk; you talked about customer satisfaction; and what was the fourth thing that you talked about?

Abhay: And then, how do we stay out of trouble when it comes to regulation.

Raj: Correct, regulatory. And what is very fascinating is that you did not talk about audit cost. You did not talk about slashing the GRC cost. So you’re not even going into the cost basis; you’re staying on the top line. That is actually super fascinating, that is very interesting. Got it. So your advice is: try to focus on the larger, broader outcomes rather than just talking about cost containment. I think that’s what I’m hearing.

Abhay: Yeah, just know where the business is going.

Raj: No, that’s beautiful, that’s beautifully said. So I’m sure people are going to have some follow-up questions and try to understand what sort of framework you use, but maybe we should come back to another call, maybe dive a little bit deeper on it. But let’s say that the leadership has given you the money to do it. What would your advice be to those security GRC teams that are either inheriting the program or starting new, especially as they sort of grow? What would your advice be? How should they go about thinking about starting these programs?

Abhay: Yeah. So I mean, the first thing would be to have a good asset management program. You need to know your assets; you need to know what to protect. That’s number one. You can’t boil the ocean. It has to be strategic; it has to depend on: if this asset goes down, that will have the maximum impact on the business. At the end of the day it’s all about people and business survival, those two things. So you need to know your assets, you need to know your crown jewels, you need to know what are the important assets that you need to protect. So that’s number one: you need to know your landscape. As an example, the second thing would be: do a good risk assessment. Be friends with engineering, because they’re your friend; you’re going to go together in this, it’s a journey for both of you. It can’t be like we succeed and they... it can’t be like that. So you have to be friends with engineering, you have to sit with them, and you have to ask them: hey, tell me what are your important assets and why they are important to you, and if this asset goes down, do you know in dollar amount what the impact is going to be? So that’s, loosely speaking...

Raj: Clarifying question: when you say engineering, are you saying product teams broadly, or are you...

Abhay: Product teams.

Raj: Product teams, okay, good.

Abhay: Product teams, right. So that’s the other thing: do a risk assessment, depending on your time, or depending on how much time you have. Start with knowing, again, your company’s crown jewels, do your risk assessment, and of course, then again, you can’t treat everything; you have to then again take a strategic approach where, wherever you have the most impact, you’ll have to treat them first. So that’s another thing. And then have a consolidated certification strategy, something like CCF that we did, which sort of eases the way, especially on engineering, and also reduces the cost for the entire company. Because the truth is the regulations are going to get more sophisticated, we’re going to have more regulations with all the things that are going on, and we have to also protect our friends on the engineering side to make sure that every time there is a new certification requirement, that doesn’t mean now they have to spend X number of hours from their day-to-day job. So that’s another thing.

And then once you have created that, once you have reached a certain maturity point, you then also have to think about automation, because that’s another way of, well, two things. One, you tell a very effective story to your customers: you’re modernizing the way you do compliance, you have near-real-time checks, so that it’s not like if a control fails in February you’ll get to know that in August because that’s when you do the audit. No, that’s wrong. The moment a control fails, it’s flagged, you’re going and remediating that right away, you’re looking at the historic data, and with historic data you’re looking at patterns, and you’re also doing RCAs on some of the systemic issues and making sure that this doesn’t happen again. And of course there are going to be problems; you’ll never have a foolproof process. I mean, that’s the assumption at least I go with.

Raj: Got it.

Abhay: So you’ll be able to address systemic problems more effectively, in my opinion. And again, once you do the process automation, the next will be the control automation, and once you do control automation, then next will be the predictive analysis. So that’s another journey that you’ll have to take.

Raj: And do you see this as a waterfall model, or do you see this as a very agile, iterative model? How do you sort of think about how to get quick wins and how do we continue to build on that progression?

Abhay: So a quick win would be: just listen to what your company’s, let’s say, leadership is complaining about. It could be sales leadership complaining that, hey, X number of times we are not able to address it because we don’t have this, there’s a compliance roadblock. That’s one strategy: listen to what your sales leadership is saying; again, listen to where the business is going, observe that. And the second would be where the real risks are. Go talk to your security leadership. I’m assuming you are someone who either inherited the program, or this is a new program. Go talk to security folks and see what they care about, and see if there’s an overlap: maybe you can achieve something with go-to-market, maybe you can also address some real risks. And the other is, go talk to engineering. What complaints do they have from the way we have done compliance so far? Maybe we don’t have a consolidated cert strategy, maybe every time there is an audit that happens

you have to go to engineering and Engineering is probably hit 10 times in a year for an audit right which is wrong

right you need to have a a a solution where you gather evidence either automatically or you gather evidence

once and then you figure out how you can reuse it multiple times right and how you can like consolidate all your audits

right so yeah have a Consolidated audit strategy as well with your search strategy got it thank you you have a

very interesting sort of combination of sort of experience here right you’ve been an engineer you’ve been sort of

come through the ranks being an engineer also being a manager managing the complaints in the automation

team and what would you say to those people that say that you know we have already automated anything that needs to

be automated how would you approach this from an engineer’s point of view and from a manager point of view what advice

would you give them to go look for to better the GRC possible so so from an

engineering uh as an uh from an engineering mindset right I think one things that I I I I often tell my team

is that always challenges status quo there is always going to be something uh that you will find right that like a

better way of doing things or or there’s something that we didn’t think of when it comes to like some sort of a solution

right and and and create those relationship with with your counterparts it may be like an engineering team right

on the other side right and and understand their their

systems as much as they do right because one thing that uh product engineering will always appreciate if you actually

know the landscape right right you have done some homework right you understand their landscape you understand their technology right because a conversation

then becomes very easy right from a for a compliance engineer to to talk to a

someone on the prod engineering side um telling you from my first hand experience right uh the time when I

didn’t know uh let’s say what a tenable was to the time where uh I knew what how to read a tenable reports and how to

have that conversations with with engineering night in a difference in in the conversations right they they saw me

as like one of their own like to lack of better term right so I think uh if if there was there is some compliance

engineer who’s who’s uh who’s trying to um uh I think who has like done all the

Automation and everything again one thing that I I I’m I also want to unpack is the word automation right because the

thing is that we let’s say termination control as an example right you can have that

entire Control process automated but then you can also have automated control

checks on top of it just in case something fails right so so I don’t know like where you are in that Journey but

you have achieved everything that you you you have you had to right I think then the next step would be to actually

look at the data right is there any predictive analysis that we can do given

the historic data right because each control will have some sort of attributes right so if a control has

let’s say three attributes and let’s say attribute a is fails so let’s flag them

let’s flag that control maybe not red but maybe Orange right maybe a control at attribute a failing could mean that

this control will eventually fail right all these the you know like eventually it will be it will not be a pass right

so you’ll have to learn all that uh depending on like your landscape depending on the quality of your control

the way it’s designed right um and the quality of checks you have around it right so that that’s I will do as an

engineer frankly right uh as a manager I would say relationship building more and

more right and more understanding the business right understanding the return on control right so if I have a control

I’ve implemented what’s the return of control right what is what does that mean to business right does it mean um

unlocking like new markets does it mean Maybe not maybe it’s not helping you on the goto Market maybe it’s helping you

uh addressing risks right which is also you need also need to reduce your exposure right maybe so how do you

create that narrative and go to your exx and and and and make sure that even they

are looking at it the way you are looking at it right so again it may not be go to market but it may be like real like some other like

lessening the the risk exposure reducing the the risks right in in a certain area

uh and and obviously relationship building right I mean without that I I I mean I don’t I mean and it goes for both

engineering and manager both right learn what engineering cares about

more right if let’s say if an engineering team if prod engineering team has what like more than thousand

vulnerabilities right don’t just like increase their security Tech debt right

work with them to see that hey okay you have thousand things right let’s just come up with a strategy where let’s just

let’s just focus on the assets that are important right let’s just look at the uh look at the assets that are more problematic let’s let’s just look at the

vulnerabilities that are common right so let’s let’s look at this and let me help you right help yourself eventually and

reduce these these vulnerabilities as an example right so I think that that’s something that I’ll I’ll just give this advice to any any manager because that’s

something that I learned I would say a hard way but I learned a little bit late in my in my career and then I started

doing it and then in my team I have manager and then and that’s something that I make sure that they’re doing it as well got it got it how do you how do

you think the current GRC tools are addressing what you’re just talking about I think I’ll maybe I’ll rephrase

the question what would your G dream GC product look like so so I do like as I

said right I do like these uh these three different things right so I’ll I’ll probably like go bucket by bucket

right so um so when it comes to uh customer Assurance right um so we have

we have all these like trust centers right so I want these uh trust centers to be like truly self-service platform

like truly self-service platform on steroids I’ll say right where they’re running these um uh chat Bots at Peak

efficacy where I’m able to focus on which then allows me to you you know have focus on customers that require

some wide glove service right um very minimum back and forth with product engineering as well um and and and which

brings me to the next point right which is also having like a very solid uh knowledge database right that provides

that needed accuracy for the chat Bots to give that information out to the customers so that’s just the and that’s

just like the trust and Assurance side right because that that’s something where I spend a lot of time these days but but we need to um also pump this

knowledge uh database with with latest information right because because I also need to drisk uh us from providing

outdated information through chat BS uh which means seamless integration of my

trust platform with the knowledge graph to the GRC platform right and then

within the the GRC tool I feel like I’m and I’m seeing a lot of companies uh

that are doing this now so maybe like not not a distant dream but but at least in this domain where I can work with a

purpose-built GRC tool not a tool that that is trying to be a GRC tool but a

purpose-built GRC tool right where I can customize it uh from the ground up so that I’m able to fold my processes into

the tool and it should not be the other way around right and then again uh again

the ability to reach a stakeholder I care about that a lot right uh where we can maybe use chat Bots where again we

can have like a biral interaction action in a natural language right so that

stakeholders uh don’t have to learn another tool right um in in in in the GRC world and depending on who you’re

transacting with you can either um assign them tasks or provide them the

ability to read metrics right on the chat think of exx right who want to know like hey like I just read this news I

want to know what my company how my company’s position when it comes to this risk because my competitor just got

hacked as an example right and and most of the exx will love this because um they’re responding I don’t know about

most execs but then I know like some execs love responding using their phones and and and they’re mostly they check

their emails on the phone so and they all have like WebEx or a slack right so some way for them to interact with this

like our uh system right through their uh through their phone like in a national language right and then lastly

I think obviously I think uh the automation platform right uh which can we can use that as a utility and end of

the day I I I want to tell engineering that hey if you spin up an asset in region a with let’s say these three

non-compliant actions this is your SLE in terms of dollars right this is a risk you’re taking right so so because I I I

know preventative controls are great in a situation where you have a lot of issues where engineering is absolutely

refusing to uh uh uh go with like whatever controls you have right but I

do believe that if you really give them the dollar amount and if would tell them this is a risk and this is the risk in

terms of dollars they will do the right thing right so so although preventive controls are great I I don’t know how

how how strong of a story they’ll create when it comes to interaction with engineering right because we want to be friends with them we don’t want them to

hate us right and then eventually I also want our U sales and account team to use

this Self Service platform Empower themselves and talk to customers about Security First right when we are in the

RFP process rather than the customers bringing the topic let’s say two days before the deal is about to close right

and then uh I want the security leadership to actually see the level of risk across all our assets um with

whatever like SLE or whatever values right and and and the work we as a company have done to reduce uh the older

risks right got it I I I think I think the gist of what you’re basically saying is let me let me make sure I got this

right I think number one you want to absolutely reduce the friction of what it takes to get information from

different stakeholders control owners right on the GRC side you want a very seamless way to build a Knowledge Graph

you want people to ask questions and get answers as real time as possible out of the knowledge graph you want to be able

to contextually get the data not just any random data but contextually get the data based on risk and finally you want

to be able to take all of this sort of push this into a risk model that can give you some dollars some um uh uh uh

uh sort of uh you know impact and uh um

probabbly probab particularly you know sort of phrased in terms of dollars right uh yeah exactly I mean the other

example is I get that right I talked about vulnerabilities right let’s say you have th vulnerabilities you take uh

uh you look at like if there is any um so you look at cisv you look at epss and

you see if there is an inter like intersection and then you look you compare your data and then you look at

at what against what asset we have that vulnerability right and then you I mean that’s like a

no-brainer at that point got it totally totally and and and the knowledge graph allows you to do so because it’s not

it’s a sort of a multi- relationship structure to be able to look across all these different data sets so in other

words in yeah in other words I think what I’m hearing from you sort of if I have to phrase this you want this GRC

and customer Assurance to be almost like an observability plane for security

right so most of what we are doing in security operations I think you want to help them right and rather than uh sort

of be a roadblock right you want to be an enabler for better security road block and and also like I don’t want us

to just like compliance just to work in a silo right I think like that that data

has a lot of uh totally totally uh useful I think it can serve as a useful input into the security program the

Assurance program so on and so forth and also the other way around I believe yeah got it got it got it no I I I think this

is this is super fascinating um and I don’t think I I I think what you said is

absolutely fantastic right and um and I know a lot of companies are working towards it and it doesn’t remain a dream

for a long time right it’ll come into action and fruition soon now we are approaching the end of the segment I

want to ask you um maybe uh what channels podcast books do

you read anything I have some books there but the one that I read well I’m reading today

or these days is I mean I don’t know if you can see this it’s called how to measure anything in cyber security risk

yes and yes and this is Doug and I I truly believe that when it comes to

metrics there’s a lot we can capture um uh there’s a lot that we can report on I

so so anyway so that’s one thing that that I read and the other thing that I mean I usually uh look at like some of

the cissp issap books that are recommended on security engineering because I feel like I I haven’t my

personally speaking I haven’t done like in-depth security engineering work just yet so so for me I’m I’m usually curious

like hey like I want to like you know like really like sharpen my my security engineering skills and of course like

you know there there like a bunch of like cyber security podcasts um and that’s how I learned about like this this salt typhoon hack as well very

recently right so there’s like a bunch of uh uh cyber security podcast that I mean I don’t have like a favorite one

but then I keep like uh hopping or depending on the topic because like on the app I’ll see like a topic and I’m

okay hang that that actually sounds interesting so I’ll go and I’ll watch it like the other day I saw like how uh

like laptops can be compromised using like the the USB charging cable right it looks like a normal USB charging cable

right so so there like there’s like a lot of like fun stuff that that I usually um that you usually read but

then I I think one important thing is also like talking to your peers right I think because when it comes to uh I mean

let’s just talk about automation for an example right it’s a hard problem to solve right and I I think it’ll

be I I I I don’t think so it’ll be right for me to think that I’m the only one who knows the solution for it although

I’m in a very like I mean given like you know like my company’s landscape it’s very challenging right so if I solve here that means this is the answer right

uh so I I feel like all can together solve that problem right uh just like

how we have done it uh in in other domains as well right so so what that means is I’ll I’ll usually like talk to

my industry peers experts I I’ll obviously we we do some brainstorming sessions as well right um and and yeah I

want to jointly solve the problem so so I talk to Industry peers I see not just in the automation area but also in the

Assurance area right hey what are your customers how how do you handle this situation right how do you handle that situation uh hey this new regulation has

come up so so like what does that mean to your company right and and when it comes to automation like hey there is

this ingestion problem that we have because change management control is so complicated right so so this is how I’m

thinking what do you mean like what do you think right and also metrics right hey this is what I’m thinking about

reporting next time like do you think it’ll be like so those things right so also like being in touch with industry I

think our I think our industry is pretty CL closing it and and very helpful so so that’s another thing that I that I that

I do totally I think that’s that’s all this was a fantastic session thanks for

taking the time and really really enjoy the thanks thanks for having me thank you so much have a great weekend
