In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Kenneth Moras, Head of Security GRC at Plaid. Kenneth shares his journey from web developer and pen tester to building GRC and assurance teams at scale across leading companies like Adobe, Meta, and now Plaid.
The conversation explores how GRC must balance governance, risk, and compliance as distinct but interdependent functions — and why great programs require clarity, collaboration, and simplicity. Kenneth also dives into the origins of the Adobe Common Control Framework (CCF), co-authoring the Open Finance Data Security Standard (OFDSS), and how Plaid applies these principles to secure the future of fintech.
From reducing GRC toil through engineering and automation, to the role of AI and LLMs in risk management, Kenneth makes the case that GRC isn’t just about passing audits — it’s about building trust, reducing risk, and enabling innovation.
🔑 5 Key Takeaways
What You’ll Learn:
Watch more episodes: https://www.compliancecow.com/podcast
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: www.compliancecow.com
🔗 Connect With Our Guest:
Kenneth Moras | Head of Security GRC at Plaid
⭐ Stay Connected:
Rate, review, and subscribe to Security & GRC Decoded wherever you get your podcasts:
Raj Krishnamurthy (00:01.058)
Hey, hey, hey, welcome to another episode of Security in GRC, Decoded. I’m your favorite host, Raj Krishnamurthy. And today we have sort of a person with a very practical approach to security in GRC today, Kenneth Morris. Kenneth Morris is the head of security of GRC at Plaid. He has more than 15 years of experience with security in GRC. I would say Kenneth actually grew up the ranks the hard way, right? From a web developer to a pen tester.
to becoming a leader in building GRC and assurance teams. I think we would love to hear from you, Kenneth, and welcome to the show.
Kenneth Moras (00:36.445)
Thank you, Raj. First of all, thank you for hosting this beautiful show. I’ve seen a lot of different presenters talking on really intellectual things. Thanks for hosting this and thank you for calling me on this program. Yeah, quick introduction to everyone. My name is Kenneth. I’ve been, as Raj said, I’ve been in the security space 15 years. I started as a web developer. I think so I was doing fairly well, but I…
hated fixing bugs middle of the night and slowly realized this may not be my cup of tea for a long period of time. But I did enjoy talking to lot of people, hearing their interesting views. that’s that point of time when that’s when I joined KPMG in the consulting world in a cybersecurity consulting space. Throughout that time did a bunch of different roles, IT audits, pen testing, vendor management.
try to flex my muscle in different areas, but I was primarily hired to do software dev even over there. But I think so just because the nature of consulting the needs of your customers, I was able to flex my muscle, my, and these opportunities helped me think through CyberSecret from wide lens, technology risks, pen testing. But again, like that is a one small facet of technology risks. Got to learn lot about how customers deploy products.
systems, how misconfigurations can create havoc. So it was a really great opportunity, but over a period of time moved to Adobe to help them set up their cloud security practice. And also at that point of time, I was involved in building trust with their enterprise customers like Disney’s, et cetera. They had really high bar in protecting their IP. So at that point of time, I really learned that having great security is one small
piece of the puzzle. If your story, if your hard work, if your strategy does not resonate well with your intended stakeholders, you have lost half the battle. And at that point of time, I really enjoyed working with external stakeholders. And at that point of time, I realized that, yes, GRC is potentially the area I want to specialize in and create my expertise. I got the similar opportunity at Meta, helping them scale their enterprise products.
Kenneth Moras (02:59.919)
It was Oculus hardware, WhatsApp, their ads business. They had a Slack based competitor at that point of times. It is quite interesting because it is every stakeholder based on the type of products, hardware product have a different risk profile, a SaaS based product has a different risk profile. And it was really interesting to flex my security risk mindset and help the business work with different security SMEs in
helping reduce the risk and at the same time, articulating our story externally correctly. And I was quite fortunate to work in at Plaid. So Plaid is building very interesting products to empower financial freedom for everyone. At that point of time, Plaid was really exploding in terms of new products, in new Geos and our use cases in how Plaid was being used by more than 10,000 plus customers was quite very interesting. And that
that opportunity seemed right to me because I really wanted to be in an organization that is actually trying to build something that is benefiting consumers in different facets of their life and their mission. The problem statement really resonated with me and that’s how I started being one of the first hires building the GRC team bottom to tops like from scratch, as you say. All these different experiences from like technology,
risk management, compliance audits, talking to regulators. Finally, all of this meshed together, which ultimately helped me get the role that I enjoyed. And that’s how I am at Plaid in a nutshell.
Raj Krishnamurthy (04:44.782)
I actually, that’s a beautiful story, Kenneth, and I loved the way you put it. I think what you’re basically saying is, in order to create a better security, the end just doesn’t matter. The means to the end matters. If you do all the right things, and security and definitely GRC is a consequential outcome, but you have to do all the right things. I think that’s a beautiful perspective. You also actively participate in open source.
Kenneth Moras (05:05.863)
Yes.
Raj Krishnamurthy (05:14.734)
Were you part of the open CCF effort at Adobe?
Kenneth Moras (05:18.523)
Yes, yes. So I was part of the Adobe Common Control Framework design, the design and implementation of it. A quick story, very quick snapshot of that story was Adobe was acquiring a lot of companies. Adobe by itself is a giant beast, right? They have the creative products, they have their marketing products, analytic products, they have the document signing products and all of, not all of these products acquisitions came with a very similar text tag, similar.
people, processes kind of technical, they were, so in order for us to build a scalable compliance program, build a scalable security program, most importantly, standardization was required. How we talked about security controls, what are our capabilities, how do we measure maturity in our program? We needed to talk in a simple language one.
and B, that simple language should translate into multiple different frameworks, multiple different expectations by regulators. So what we decided was just go to the drawing board. At the end of the day, all of these different regulations, standards are expecting you to do core fundamental things. And we just made sure like we articulated those, documented those in a way that makes sense for Adobe. And we did some internal.
rationalization on how these practices actually map to different standards. And we just use this approach to talk to internal stakeholders, talk to different organizations that we acquired and help them build this fundamental capability. And soon we realized that standardization of controls, standardization of technology stack, and audit once and get multiple certification was…
high ROI work and that’s when we double, triple down our effort and we realized that, hey, this is not just useful for Plaid. It could be useful for organizations beyond Plaid and that’s when we decided to open source this. And it’s really awesome to see the different GRC tools, different organizations have built on top of this concept. Like it’s not a radical earth shattering concept, but it is super important. Sometimes we need to reduce complexity.
Kenneth Moras (07:41.749)
And when you reduce complexity and you articulate things in a straightforward simple manner and you can tell that story in a very
clear manner, things become easier. And that’s why WCC have got popularity. And I was fortunate enough to be in the initial design phase of this program.
Raj Krishnamurthy (08:02.392)
No, absolutely. And I think I actually call this, pardon and no pun intended, the Adobe mafia, because Adobe has created some of the most phenomenal security and GRC engineers out there in many, different companies. And some of them have been our guests as well. And you’re also part of, you’re also a co-author of OFDSS. Talk to our listeners about what OFDSS does. What is OFDSS? What do you do there?
Kenneth Moras (08:22.865)
Yes, so.
Kenneth Moras (08:29.053)
So we need to step back a bit to understand the origins of OFDSs. So OFDSs in simple terms, Open Finance Data Security Standard. Think of it as you had PCI. PCI was created very specifically to protect payment information. But open finance is a concept which is really exploding in United States. You have lot of fintechs like
the big brands like Venmo’s, Robinhoods, like you already heard about it, but there are so many innovative fintechs that are building innovative experiences like ability to build a great financial portfolio of yourself with just $1 subscription a month. Like there are a lot of very interesting use cases built by Plaid customers. And Plaid being in the center of the ecosystem where
we are responsible to share consumer permission data to different fintech developers. We felt it was pretty important that we don’t randomly onboard any fintech developers to build products and create challenges for consumers like you and me, right? So we really thought that with the boom of cloud technology and how security controls are built,
in a cloud native environment, just not telling do this. How can you do this? Like for a modern organization that is just bootstrapping on top of AWS, there are different ways in how we can meet the intended objective. So we thought like by writing it down, again, taking the experience from AWS CCM simplifying things, right? Okay, you are an organization, you have X data, you have Y data, these are the use cases of how you work with Plaid. If you implement these fundamental capabilities,
and this is how you could potentially build, you will organically build a more secure product and secure infrastructure. And we wanted to double down on it because sometimes just telling your customers, okay, go and follow this CSF, follow A, follow B, follow this blog, right? It just becomes a little difficult. Like you don’t want to make your developers scared in adopting security. So we just took a approach that, let’s just understand all of these best practices that are out there.
Kenneth Moras (10:54.383)
understand the different scale, right? Like a startup with five people may not require, like may not have the bandwidth, may not have the funding to match the security investments what Microsoft or Google would do. So we needed to calibrate it and present it to this unique set of people that if you’re building on top of our platform, we expect you to have a certain bar. that concept led us to build OFDSS and
And it really helps our customers understand how they could implement these practices when they’re just starting to scale their products along with Plaid.
Raj Krishnamurthy (11:33.134)
And does OFDSS, does it do the harmonization like OpenCCF does where you’re, or the Cisco CCF where you’re correlating that with other frameworks and authority documents?
Kenneth Moras (11:45.979)
Yeah, but we have to a small extent that was not our primary objective. Like our objective was not to help our customers harmonize per se, but help them implement some of the basic tenants of security controls and how they can improve. So we didn’t take a compliance lens. Like, if you do this, you’re going to get ISO 27001 SOC 2. That was not the intention in why we…
essentially built it. We just wanted them to have a easy framework to digest these concepts and implement it so that they can actually do security real world. And if they do that, security certifications will become a by-product. And if they really, as in when they grow, their company, as in when they have to demonstrate external assurance, they can definitely use something like Cisco CCF, Adobe CCF, or anything that exists in the market.
But because ultimately, if you have the fundamental capabilities, if you have built your product and infrastructure ground up in a right way, your likelihood of complying with this industry-based practices becomes better. So that was a little bit shift in how we thought about this. And again,
Raj Krishnamurthy (12:57.667)
I’m with you.
Raj Krishnamurthy (13:01.88)
Got it. Something like cyber essentials, the cyber essentials framework.
Kenneth Moras (13:05.169)
Yes, a similar concept but with more targeted guidance.
Raj Krishnamurthy (13:16.55)
I think spoken truly like an engineer. No, I agree. What is the level of adoption for a way of DSS, especially among fintech and financial and banking services companies?
Kenneth Moras (13:18.685)
You
Kenneth Moras (13:28.753)
Yeah, so I think it’s primarily our customers and we like to, we also want to make sure that if they’re not directly adopting as well, we can periodically do a diligence on them periodically based on risk signals and indirectly enforce those best practices. So it’s a dual strategy. It’s not just like, give this document and figure out like over a period of time if…
If these customers are ramping up meaningful traffic, they’re consuming meaningful data, then we’ll use the similar framework constructs to review our customers and help them adopt the standard and elevate their practices.
Raj Krishnamurthy (14:11.168)
I think when you said this earlier, and I think even in an earlier conversation when we spoke, you said cyber security is beyond technology risk management. What did you mean by that, Kenan?
Kenneth Moras (14:21.615)
Yes.
Kenneth Moras (14:25.277)
So I think mostly people think that cyber security is just a concept where you harden your systems, you harden your laptops, infrastructure, That is a very important aspect. There is a technology component. There’s a human aspect of it. Like how do you interact with that data? What is the responsible way in interacting with the data? There is a lot of people.
processes and technology, right? Like you will always see this triad. So I don’t know whether it’s called, it’s called a triad. Yeah. There is a CIA triad and there is a PPT triad, like people process technology. There needs to be a sweet spot of all three things converging in a way to meet the intended cybersecurity outcomes. What could be a good example? I’m just trying to think through this. Yeah.
Not a great example, let’s assume that you build a perfect process where employees automatically get off-boarded within X amount of time and you are great integration within Octa, you have integration between workday. But again, you need people to think through, are all the right systems scoped in? Has Octa been actually integrated with all the systems? So the people and processes need to exist.
to make sure first of all, all of these things do take place. Like the scope, the breadth is actually in place. And for example, like even if this controls work, right? And if managers are not even submitting your end date within workday, things are not going to work. So I’m intentionally choosing this simple example because as a GRC professional, like you can think that I want to be an expert at technology, technology address.
Raj Krishnamurthy (16:07.438)
Exactly.
Kenneth Moras (16:22.183)
But in reality, are involved. Humans do do mistakes. Humans do need context. So when you’re building a great GRC program, you have to think through the entire life cycle in how the technology control does work. How do you make sure these processes support these technology controls? And as a result, you need to really go to the drawing board and GRC is more like a
strategy advisory kind of role, rather than a traditional audit lens. You do have internal audit functions where the whole objective of internal audit, nothing against internal audit professionals. It’s a very important profession by itself. But they have a very specific goal. You have come up with very specific objectives and you said that you do ABC. Do you do ABC? They need to validate it with a very precise
defined lens, but GRC needs to operate a little bit differently. Like we are the ones who are going to work closely with our security counterparts, engineering counterparts and how the control will either prevent, detect, reduce, monitor, measure. There might be thousands of different variations of these terms, but ultimately we need to, whatever we do is to get a risk under control that is manageable to our appetite.
And if you do that really well, compliance can become a byproduct by itself, right? So GRC is quite an interesting field. I would say you need to be jack of all trades, but at the same time, you need to have pockets of depths and it becomes very hard. Not every team member within a GRC or can be expert at everything. So at that point of time, the GRC leadership’s strategy in building the right people with the breadth, depth,
skills, people skills, business skills become so important. And that is something I enjoy a lot because I’ve hired people directly from business schools with zero cybersecurity context. I have hired people with pure data analytics backgrounds. I have hired people with hardcore engineering skills, software engineering. So for me, it is the collective team that helps
Raj Krishnamurthy (18:20.494)
Absolutely.
Kenneth Moras (18:49.263)
meet the business objective. I can’t expect every person to be master at everything. that’s what GRC appeals to me. As a person, I get bored really fast. An example of it, I picked one musical instrument, I learned it. I can pretty much play any song just by hearing the tune. Let me pick up the next instrument. I keep on, for me change is very important.
that keeps me motivated, that keeps my mind sharp. Not everybody enjoys context switching. I enjoy context switching. So GRC is a very different field on its own. Like you need to have a great personality fit. You need to have curiosity because what can go wrong. So building a GRC team requires you to really pick and choose the right personality fit.
the right persona, the right skill. And that’s what makes, that’s what I enjoy because you’re building like, even like in a sport, right? Like there are people with different skills, cricket, are an expert baller, you’re a batsman, you’re a wicket keeper. Like you have, when you get all of your different key skillset people in the right place, only then your team wins. And similarly, similar concept is with GRC as well.
So I give a very long-winded answer to this whole question that you asked. So ultimately, where am I going at is you can’t look GRC only as a pure technology problem. I know GRC engineering is a term that is really catching buzzwords, et cetera, right? That is needed. It is a very critical component of GRC, but it is not.
like GRC engineering by itself is not GRC.
Raj Krishnamurthy (20:45.902)
So what I’m hearing you say is that if I have generalists on one side, the sales guys, the people who work in HR, who have generalist sort of skills, and then you have specialists on the other side, like people who work as engineers, rust engineers, go engineers, and they can go down the level of specialization, security engineers, architects. You are saying GRC is max right in the middle, what I would call maybe generalized specialists.
Kenneth Moras (21:05.287)
Yes.
Kenneth Moras (21:11.463)
Yes.
Raj Krishnamurthy (21:11.788)
Right? Where you have to be, you have to be general enough, you have to have, so the breadth becomes your depth in this case. You have to be broad, but you have to be deep enough to be able to work with both the specialist and the generalist.
Kenneth Moras (21:17.575)
Yes.
Kenneth Moras (21:22.941)
Yes, What fascinates GRC, why I enjoy GRC a lot is it is hard. Of course, every job, if you do it really well, the complexities keep on increasing. But with GRC, the biggest complexity is just the breadth. You need to understand infrastructure. You need to understand your product strategy. You need to understand your go-to-market strategy. You need to connect the dots really well.
Raj Krishnamurthy (21:49.166)
Exactly.
Kenneth Moras (21:52.325)
And finally, at the end of the day, when you are talking about technology risks or risks in general, those are what you internally perceive. There are risks which external stakeholders are worried about and you need to normalize all of this information. Your regulators are worried about something. Your customers are worried about something. Your partners are worried about something. Your internal engineering is worried about something. And so how do you normalize all of this information?
stack rank this information, use data driven, use good signals of what is happening in the world, like what are the attacks that you see in the world. So you need to normalize different information, work closely with your security leadership like your CISOs and other security leaders and help stack rank your yearly OKRs or like quarterly OKRs, right? It has to be risk driven. Like these are the key risks.
And these are the security initiatives that are going to bring down those risks. So that’s why the security GRC profession needs to work so much in hand in hand with other facets of cybersecurity, whether it’s corporate, platform, project, the different variations or different facets of cybersecurity. We need to be fine tuned with these different teams within cyber security so that we can really understand why we should be investing in or…
essentially focusing on reducing certain technology risks and build it into our yearly roadmap. That’s the reason all of these expectations like your advisory being up to speed on different things that are happening inside the organization, outside the organization makes this role quite challenging.
Raj Krishnamurthy (23:39.647)
I want to double click on this. What is your view of g, r, and c? Do you see them as distinct functions? How do you see them vis-a-vis security?
Kenneth Moras (23:52.605)
So I have two young kids, so I’m trying to see if I can make an analogy with that, right? So like just with my, like for example, my kids play with toys. So I need to give them certain rules of the game, method to the madness, right? They cannot just throw their toys anywhere and create havoc, right? There has to be certain direction or directive things that say that, okay, once you’re done, keep your toys.
somewhere in one place. So essentially governance is method to the madness. You just cannot run your security program or your security strategy randomly. So you need to be able to articulate, document them and govern them. So I would say, just give me a second, my laptop is not charging.
Kenneth Moras (24:46.877)
So what I’m trying to say is like governance is essentially understanding
What are the?
What are the rules of the game? And that guiding principles, and you can’t just do any more like, hey, I see this says that, let me add it into my policy. It has to be very thoughtful. so that’s why governance is important. I don’t see a lot of organizations really critically thinking about governance. Governance by itself is a very hard problem, distinct problem. Risk, like if while…
Raj Krishnamurthy (24:58.946)
guiding principles.
Kenneth Moras (25:25.787)
while my children play and if there are some small pieces within the toys and if they swallow it, right? It is a health hazard. So you need to look at every situation, what can go wrong. And similarly, you need to have a very different mindset for risk. Like you need to have a lot of curious mindset, what can go wrong. You need to have depth or if you don’t have depth, you need to prompt well, right?
in the AI world, right? You need to ask the right questions. Whether it was an AI world or non-AI world, you have to have those very specific, keen, curious mindset. How can I bypass this control? If I were an attacker, how would I try to game the system, right? So you need people. So R is a unique skill where you’re trying to really bring down what can go wrong.
make it in a way that is understood and ultimately you need to be able to influence, right? Just by saying something is wrong, doesn’t work. So you need to have an influential hat. So R is, I would say R is really hard. So you need to be able to identify, quantify and influence the outcomes. So very distinct skill sets. See, for example, the rule,
The rule is toys should pass through safety checks, shouldn’t have very small choking parts. I need the compliances like, hey, is this toy gone through a certain standardization, certain testing? Can these parts easily come out? So basically I’m just going to validate whatever I wanted to validate. Like you have a set of things, principles, and you just want to validate those things do take place or not. So all three are interrelated. I wouldn’t say they’re
totally disjointed, but all of them need a very different lens and how you think through it. But if all g, r and c are not connected, if they’re not cohesive enough, yeah, then that you do, you will have a problem. You’ll have a problem. Like you can’t say that I want to be compliant with X and your policies and directions are just in opposite directions. So there needs to be harmony. There needs to be good synergy.
Kenneth Moras (27:52.795)
because if your risk management program keeps on telling you that your change management controls are super weak and there are like 50 risks coming in in the risk register, but your compliance professional says that like, you’re great, like we’re going to pass our ISS, we’re going to pass our SOC 2s, right? So that means something is wrong. This entire GRC function needs to be lockstep. They need to work very closely with each other, but they are very independent as well. They have the independent tasks. They have the independent success criteria.
And that’s what makes GRC interesting, right?
Raj Krishnamurthy (28:26.772)
I love the way you’re saying it. So you’re essentially, it’s a check and balance function, right? Just like you have the judiciary, you have the executive branch, and you have the legislative branch, and I think each of them has to check the other. And so your point is that GRC is an independent function, but it also has sub-functions that have to be in alignment and in synchronization with each other. That’s a great point.
Kenneth Moras (28:38.843)
Yes, I agree.
Yes.
Kenneth Moras (28:47.773)
Yes. Just adding like, it didn’t mean to interrupt your chain of thoughts. Like at least when I was a meta, the org that I was part of, was itself called as measurement and validation. Like the name of the organization was called measurement and validation. Like you have your engineering function that are jumping from problem A to problem B to problem C, right? They are paid to disrupt. They’re paid to build features, capabilities that your customers need. And with that speed,
Raj Krishnamurthy (28:57.518)
Uh-huh.
Kenneth Moras (29:17.423)
sometimes the core expectation, the core capabilities may regress, right? They may not do it intentionally. There might be wide ranges of factors in why your control regresses. So you need an independent team that has been given the charter, they’re given with the head space to just validate like, hey, this is a core capability. This is what helps us be mature in these areas. And we need to be able to continuously measure those capabilities.
And that’s where the GRC engineering is helping disrupt this space, right? How can we use data-driven approaches to essentially identify deviations in your controls as soon as possible and take a data-driven approach rather than a sample-based approach? I’m pretty sure almost everybody in this audience understand the screenshot versus a data-driven complete population-based testing. So I’m going to dive deep into that.
But ultimately, everybody like pushing evidences using webhooks, ability to centralize all of this information in one place and perform analytics on that data and taking a detection engineering kind of mindset. if something looks… So what I’m really excited in the last few years, people, there are companies like ComplianceCov, there are a lot of other companies that were helping organizations.
solve that problem. The biggest challenge was GRC teams were asked to do a lot. It was not because GRC teams were lazy. They wanted to take the easy route. The problem was they were asked to work on too many things. Vendor risk management, be the PR person of security, go and talk to, you have to wear a lot of hats, would say. And with that, you had to cut corners in some place.
Raj Krishnamurthy (31:04.238)
Yeah.
Kenneth Moras (31:15.015)
traditionally engineering security engineers are like engineers were not generally part of the GRC team, but organizations like you who are helping build this capabilities is super impactful. And I’m really loving the trend, right? Now people are talking about it. Why is it important to measure things better? And we’re building tools, et cetera, to make it easier. I’m really excited in how this whole GRC
function is essentially evolving. Primarily C, I still feel the R has to evolve a lot. the disruption in the risk management space is still up for grabs. But I’m seeing among GRCCs where, of course there is a reason why C is picking up more than R, but I still feel there’s a huge opportunity for the risk management space.
Raj Krishnamurthy (31:47.5)
And I had.
Raj Krishnamurthy (32:08.142)
Why do you think she is picking up more than her?
Kenneth Moras (32:12.936)
I’m just thinking what is a good diplomatic answer over here. Like, of course, like nothing to shy over here, right? If you don’t have certain certifications, if you don’t have certain, if you don’t have certain seals, you cannot sell. That’s the world we live in, right? And of course, a lot of organizations have capitalized on this need, this pain. lot of startups are building innovative stuff, but they want to be able to get that seal as soon as possible, right? So organizations might have
Raj Krishnamurthy (32:23.47)
cancelled.
Kenneth Moras (32:42.169)
Optimized for that, but I really don’t care like every business has to make money but I think fundamentally the direction the investment that is going in is helping take that programmatic data driven approach and so the C is C is really an area where we see startups and organizations putting a lot of money to disrupt make it faster more efficient, but R I still feel is quite legacy and yeah
Raj Krishnamurthy (33:09.386)
I hear you, I hear you. And I want to come back and talk about that. But the one question I want, I won’t really come back and talk about the R, but the one question I want to ask you is that if you are the product engineer, right, sitting out there, based on what you’re saying, you may potentially see the GRC function, the security GRC function.
slowing down innovation, because you’re basically trying to say, slow down, don’t go too fast, or if you’re going too fast and I’m going to measure you, I’m going to validate you, creates possibly some unintended friction, right? Even if, how do you respond to, do you agree with that view, the GRC slows innovation, and how do you respond to that?
Kenneth Moras (33:50.877)
GRC can slow down innovation if you’re not doing it right. That is true. There are a lot of organizations, lot of compliance professionals who just put in requirements without asking like, what is the benefit? What is the value? What is the risk reduction? And when you just say that, this with a hammer. Yeah, people like nobody likes to be bossed around. Nobody likes to be told around to do without having an intellectual conversation, right? So.
Yeah, this is happening. It’s happened in the past. It will continue to happen in the future. But a great GRC team wouldn’t operate in that way, right? Like, I really feel that at least I’m fortunate that I have not seen this problem at least at Plaid because fundamentally what we do is when we make an ask, we methodically do our assessment as to like, what are the downsides of this? And we also look at the upsides of it, like.
there are upsides of not doing things, there are downsides of not doing things. So we present both the picture to the best of our ability, get our SMEs understand all of these capabilities and then have a good intellectual conversation on like why we might slow down a bit for whatever reason, if required. Nine out of 10, the conversations are not really about slowing down. How can we measure this? Like, hey, you are building this, but I want to measure whether, like for example, MFA rates.
like if we are building certain MFA features within our products and suddenly the rates are dropping. The engineering team cares, the GRC team also cares, right? MFA is a key control for us. So why don’t we just say that you care about this thing, I care about this thing, why don’t you build the fundamental data logging pipeline and I can build the dashboards measurement around it, which you can subscribe to. It’s a win-win for both, right? So it is all about framing, right? What is in for you? What is in for me?
If there’s nothing in for, if the benefits are only for the compliance team, that means there is something wrong. There has to be a benefit. There has to be a benefit for the engineering and product team in whatever we are proposing them to do.
Raj Krishnamurthy (35:50.414)
Beautiful you said.
Raj Krishnamurthy (35:59.086)
Got it. I think there has to be a balance after it. And I think that’s a brilliant point that you’re making. Kianatan, you’re absolutely right, because the contribution has to be felt on both sides. Now, I want to ask you, building this great GRC team, like you rightly said, Can you walk through, maybe I’m putting you on the spot here, so a new app comes into being, right? How do you sort of, at a high level, how do you break down this problem in terms of adding controls to it?
Kenneth Moras (36:02.076)
Yes.
Kenneth Moras (36:08.54)
Yes.
Raj Krishnamurthy (36:29.038)
right, evaluating the controls for either compliance or risk or establishing a governance around it. And how do you bring the engineering teams and the product teams into the fold? Do you have a high level framework by which you can walk our listeners through?
Kenneth Moras (36:44.465)
Yeah, it’s a long conversation, but ultimately it breaks down into a couple of phases. One is the core expectations on how the product should behave, the capabilities or the features that we expect the product to have, the security features. They need to be known. First of all, you need to be able to tell the product manager who’s overseeing the entire ideation to execution. They need to be aware of
the key expectations that we have in terms of logging. I’m not going in depth for this conversation. So first of all, you need to have your baselines and non-ambiguous baselines. Again, thou shall do X, right? You should have very clear expectations that you are not going to spin up this product in a random AWS account without us first, without the security team actually setting up their tooling, hardware. So there has to be paved path, correct? So paved path.
Raj Krishnamurthy (37:39.33)
So some paved path from a security perspective exists.
Kenneth Moras (37:43.527)
has to exist. One, B is the security culture. So the next thing is you need to build a great security culture. This is a very hard problem, but ultimately your employees, your product teams, product engineers should feel empowered that they can ask questions on like, I really don’t know whether this is the best way to deploy this product or implement certain things, right? They need to have a safety net that
by asking, they’re not going to get penalized. So the security review process, the threat modeling process, whole, again, this seems like this is outside GRC, but the GRC team should be involved in making sure a lot of these pieces do exist within an organization. So what am I essentially trying to say is like, there has to be a way in where they can get right advice. So advice can come in multiple places, right? If it is a very product and infrastructure related thing,
you can have a separate intake process. But if it’s a true technology risk where they really don’t know to make the trade off, should we do X or should it be Y? But I’m worried about Z. Is Z really a big deal or not? There should be a way they can just express it in very simple words and trust that the team that is getting this request is going to methodically evaluate it. They’re going to do their due diligence. They’re going to understand it and give them good targeted advice, right?
this only happens by one, like you building your own brand, security team has to build their own brand and they feel comfortable that you are engaging really well. essentially step one, pay off parts. Step two is essentially ability to make trade-offs very reasonably. And step three, have a very scalable auditing infrastructure, right? Like we are going to tell them, like we’re not going to ask you these
Artifacts, evidence, capabilities again and again, right? You tell us upfront, like how do we measure this? How are you going to measure this? How are you expecting us to measure it? So having all these conversations upfront, initially might take a little time, but over a long period of time, we know exactly how to measure, what to look at. They know where to get advice from. They know what are the expectations. So these are three high level pillars. It feels very conceptual.
Kenneth Moras (40:08.593)
Right now, it feels like a fairy tale, but ultimately, I really believe in simplicity. You need to make things simple and clear, upfront. The more less ambiguous you are and the ability for stakeholders to ask for advice, seek advice, it takes time. It takes time to build that culture. It takes time to build that rapport.
And ultimately, even your GRC team, by telling them, like, hey, the reason why we are asking these questions right now is so that we can measure this at scale over a period of time. Having these logs, having this metrics, having this additional logging parameters, all of this makes everybody’s life easier. And that’s how we approach, I would say, getting the product or getting the…
a new concept live from ground up in a more easier manner. It all sounds like complex, like you need to jump multiple hoops, but in reality it does not if you are giving these expectations in a very clearly legible way.
Raj Krishnamurthy (41:15.254)
You’ve worked in tech-forward companies, Kaith. How real is engineer style on GRC?
Kenneth Moras (41:21.711)
It’s real. Within GRC.
Raj Krishnamurthy (41:25.174)
No, outside of GRC. Working with GRC, whether it is evaluating your access controls, whether it is making sure that you are staying within SLA, the managers reviewing it, the product engineers working on it. How much time do these teams spend on GRC and what should be the role of the GRC function in reducing that friction?
Kenneth Moras (41:52.359)
So toil is real. I don’t want to say that toil doesn’t exist.
Kenneth Moras (42:01.201)
Different organizations have seen different levels of toil.
But ultimately…
It is the GRC team’s responsibility to reduce the toil. I would say, when I say responsibility, in making sure one, in making sure the business, the product teams understand why they’re facing the toil. Let’s just take examples because it’s easier to talk through, right? Like if you’re giving SLAs that every low vulnerability needs to be fixed within 15 or 30 days, Yeah, like they are going to get upset.
like you already have so many critical findings, you have certain things that needs to be fixed over a period of time and you’re expecting them to manually do all of this patching, manually fix this, provide updates, it distracts them from their innovation, from their deep thinking zone. So toil is real. That’s why like, I don’t think it’s just a GRC problem. Like I think this is actually an example where
the security and GRC team really need to work hand in hand. What is our governance expectations? What is our compliance expectations? How the security engineering can build automated patching pipelines, can hyper-prioritize what needs to be fixed versus not? What is a reachable exploit versus not? Providing all of this context upfront and helping them understand why we believe out of 10,000 things that can go wrong.
Kenneth Moras (43:38.897)
We’re asking your headspace on these five, six things. So that’s why engineering is needed within security. is engineering needed within GRC. I would say toil is a real problem for which security teams need to continuously think about them because for a security team, their internal employees are their customers. you need to, you can think of customers as your
customers who pay you money, but in reality, your customers are also your internal employees because you are building CI CD, SAS tooling, you’re building a lot of different capabilities within the places where they work. And if you keep on bombarding them with findings, keep on bombarding them with to-dos, they’re just going to not be engaged with you. And it can be in multiple places, it could be a training as well.
Like my philosophy is instead of making them sit through like two hours of training and then answer like 10 questions, I would rather focus them on asking meaningful questions, answer them, think about what makes sense and if they go wrong, train them. Like let the answer help them think through like why this was incorrect. So there are different ways you can meet the intent. Like somebody might go with an approach that training means you need to pass 100%. Right? That is the success of VIN.
But in reality, if the mindset is changed, if people are thinking in the right way, they understand why they are wrong. It’s still a win, right? So where am I going at as?
as a GRC practice, as a security engineering practice, we need to consistently think through what are the ways and how we can reduce the toll, how we can help them secure code by default instead of training them to write the code that doesn’t have accesses at all. Of course, that’s great, but if you can build the tools that can detect them, fix them and provide the context timely, then yeah, like…
Kenneth Moras (45:47.727)
they will enjoy, it’ll create an enjoyable developer experience, right? Instead of just telling them, hey, you suck, you made this mistake, tell them like, okay, this is actually a problem. Like I had this idea, but I’ve never implemented it any of the organizations. Like instead of having secure core training per se, like of course you can have gender onboarding training, as in when critical errors or misconfigurations take place, you can always have like a two minute.
Raj Krishnamurthy (45:54.954)
you
Kenneth Moras (46:16.817)
video or you can have a Google doc that just explains like what can go wrong like hey this this thing that you introduced what is the ramification of it what has happened in the wild because of these kind of things just train them as and when they are introducing misconfiguration etc right is also also something to think of like what is the right time to create awareness upfront during the time of
performing the action, et cetera. So I would say a very long winded answer to your question. Toil is a real problem. I don’t think any organizations have perfectly solved it, but it is definitely an important thing for GRC and security organization as a whole to contemplate and empathize on their stakeholders.
Raj Krishnamurthy (47:08.184)
I love it, I love it. And I think you’re absolutely right. So I think you’re making a fantastic case of why GRC engineering is a real discipline, should be a real discipline, just like security engineering is a real discipline, right? The question then becomes, as a leader, how do you go about building a business case to build this GRC engineering? Because it takes time, money, effort, right, to go build this practice.
Kenneth Moras (47:21.778)
Yes.
Raj Krishnamurthy (47:37.612)
And how do you convince your leadership teams that this is the investment that they should make?
Kenneth Moras (47:43.719)
Yeah, a loaded question.
Raj Krishnamurthy (47:51.298)
Have you ever done that or in your case you never had a, you fortunately were not in a position where you had to go justify?
Kenneth Moras (47:59.613)
everybody needs to justify like you just can’t of course like unless you are like a very lean agile team where with a short like couple of employees you are empowered to do that and anytime you cross a 500 600 size company right like you always end up you need to justify every penny or every dollar that you invest so I would say one to answer the question frankly like I have I’m fortunate that my leaders have
place the trust in me that I’m proposing, like I’m not just randomly choosing the most awesome thing that like a marketing material that exists and just deploying it randomly. So they trust me that like whatever I’m recommending to procure or recommend to deploy or hire an engineer, they trust my instinct. It takes time to build that rapport, but ultimately everything needs to be justified. Like in terms of GRC, right? Like the number of hours.
Like a simple example, right now I’m just working on something where I still feel my team spends significant amount of time in
producing collateral, producing assurance material to meet the needs of our supply side of our business, the banks, our customers. So I need to be able to explain them that, like you see with all the AI boom, et cetera, that amount of inquiries that are coming, like we cannot expect somebody who has done their master’s in cybersecurity to spend four months a year in responding to this question. So we need a method to this madness.
we need to solve knowledge management as a problem. Knowledge management itself is a discipline. How do we make great knowledge? You need to invest in knowledge management. The next is how do you extract the knowledge management at speed, at scale that can be consumed by different stakeholders? All of this sounds like a simple problem, but at scale, when you have 30,000 stakeholders auditing you every year, it becomes a pain. So you need to hyper-optimize.
Kenneth Moras (50:02.299)
knowledge management, hyper-optics. So essentially what I’m trying to say is like, you need to make the problem statement clear, the pain clear, the benefit clear, like, hey, faster deals, we are building trust at scale. So your storytelling needs to be very crisp. Like why are we investing in a better knowledge management solution or an LLMX? So everything that you do, like within compliance, sales enablement, vendor management, or.
risk management, if you’re procuring tools, etc. All boils down to at the end of the day, trust or dollars, right? So sometimes you can equate trust to beyond dollars as well. Of course, people will quantify trust with dollars, but I feel that they’re distinct. Like your brand equity, the trust, the relations that you build is very important with your customers. Like if a go-to-market team is building relationships with them,
Why not the security team? Like the security team needs to give them comfort that if you’re partnering with us, you are actually partnering with a great organization who’s thinking through this thing seriously. So the experience, et cetera. So you need to think through, like at least I look at in three-dimension, risk reduction, trust, enablement, security benefits, right? So you need to be able to quantify.
Raj Krishnamurthy (51:20.142)
risk reduction, trust, enablement, and security benefits, you said. Okay. And where is the engineer style?
Kenneth Moras (51:24.061)
Yes, you can also take the fourth. Yeah, the very fourth angle, is dollars, which is very important. But luckily, I have not been in a position right now where I need to justify everything based on dollars. Like I have optimized these on three principles, but the fourth principle is also dollars because you can’t, you need to have a leverage like why this particular investment is actually going to benefit us going to build more sales deals.
etc. There is a dollar component to everything but I have been fortunate that I don’t have to do that on a day-to-day basis for everything.
Raj Krishnamurthy (52:03.736)
What do you think is the current state of GRC tools today, Kenneth? You have been around this block quite some time. What do you think is, where do you think we are with the tools today?
Kenneth Moras (52:22.023)
So again, we need to break it down by R and C. As I stated earlier, I really don’t think so the R spaces with the boom of AI, with the boom of LLMs, with the boom of MCPs, et cetera, we are truly exploited. Exploited is not the right word, but we’re not fully leveraged the power to make risk quantification, risk assessments efficient. that I wouldn’t say that risk management is a place where tooling has…
reach to a decent level of maturity. There are startups that are trying to disrupt this for a while, but it’s ripe for disruption. My assessment of the state of affairs of GRC tools. See, we do see lot of organizations helping you collect and collect information in one place, but not necessarily analyze that information to clearly identify risky patterns or risks, right?
So I feel like everybody has, let me correct my statement. A lot of organizations or like startups have focused on collecting data and putting it in one place, right? The data collection piece, they have solved really well.
which is a big problem in its own, which is great. Like instead of us going in disparate systems, collecting data, normalizing the data in different formats and in a way that you can analyze it. So I believe that that has been solved. But the next phase, like once you have collected the data, what do you do with it? How do you surface trends? How do you surface issues, et cetera? don’t think so, GRC or C tools are really great at it personally. That is the reason why.
I use both the strategies. Like I have compliance tools like GRC engineering tools that help me collect information at scale, help auditors come to this platform, review this information and help themselves serve their audit success. So there are a lot of benefits, but I personally do think that for me, I need a lot more metadata. I need a lot more raw logs. I need to go to the source to understand what goes wrong.
Kenneth Moras (54:37.307)
So we need to build a of internal dashboards, et cetera, on top of what traditional GRC tools provide. And I think there’s nothing wrong in it. I don’t expect every C tool to understand every organization needs. So GRC tools need to not overly rely on compliance automation tools, I would say. Like this server problem, getting better and better. I’m seeing tools where you can write if and then rules.
If Workday is collecting this data, if Okta is having this data, you can write if and then rules and flag gaps. it’s definitely maturing, but in reality, the technology risks gaps, the fraud, the abuse, et cetera, that happens, you need to go to the source of your logs, understand the patterns, the trends, connect different data sources, right? So data skills are going to be more and more important in order to do true compliance.
validation and measurement. I would say it’s great. I’m not saying that the C, the compliance automation tools are not doing justice. They’re solving a piece of a problem and they’re doing it. They’re getting better and better and better at it, but there is still lot more to be done. Yeah.
Raj Krishnamurthy (56:00.066)
Do you see a world in which, just like you have all the financial companies, I’m sure, know, played as standing machine learning models, right, for financial transactions, for fraud and abuse, do you see GRC teams, and particularly cybersecurity, from a risk perspective, writing our own models, machine learning models, to evaluate risk, or to quantify risk?
Kenneth Moras (56:32.775)
I’m not sure that we have, at least I’m not seeing that in the industry as of now. Do I really want to? I think the answer is still no, right? Like, again, you can’t make a GRC team expert at everything. Like you can’t make them expert at machine learning models. Of course, there are abstractions like OpenAI allows you to pull data, fine tune their models, et cetera. So there are certain level of things that of course the GRC team should be able to do.
But there will always be advanced cases when it comes to your product fraud analytics, et cetera. I wouldn’t want my GRC team to do that. We would have a dedicated fraud team or like we will build capabilities within them so that they’re fully up to speed of the developments, the product needs, et cetera. So there are places where I feel GRC teams should be able to do some lightweight capabilities in.
making their life easier but for the higher higher stakes scenarios I would still lean on our ML infrastructure team to build the things that we need.
Raj Krishnamurthy (57:44.566)
And do you think the tooling infrastructure that you have, especially with third party GRC tools, allow you to contextualize
the data collection and the reporting and the visualization process.
Kenneth Moras (58:02.461)
I don’t think so. Somebody might disagree with me, but at least my assertion is if you really want to render an opinion, I don’t think they’re going to render an opinion based on
Raj Krishnamurthy (58:16.718)
Why do think that is so difficult? Why do think that has been the case?
Kenneth Moras (58:23.419)
The truth to be told is all the systems that you, I’m not talking about my organization per se, but this is my observation in general, right? When you go to audits, I don’t think so you’re exposing every core storage component, core infrastructure component, every AWS account, your auditors are not going to look at everything, right? They’re going to get reasonable assurance, but we have to go beyond, the GRC team has to go beyond reasonable assurance.
the depth, the breadth, the scope of systems, the scope of products that we need to get involved is far beyond what traditional audits consume. So like if, I don’t know what is a good example, like if it’s a circle, yeah.
Raj Krishnamurthy (58:59.565)
see.
Raj Krishnamurthy (59:06.126)
Got it.
Raj Krishnamurthy (59:11.832)
But what I’m hearing you say, Kenneth, and I think you’re making an interesting point. I think what I’m inferring from what you’re saying, part of the reason why we have not gotten there is because a lot of the GRC today has been very audit focused. So your entire perspective has been how do I pass an audit? And you’re just building enough to pass that audit. Your point is that the GRC team, especially tech forward leaders like you, need a lot more than just passing an audit. That’s a function, yes, you have to do, but there is a lot more you have to do.
Kenneth Moras (59:24.711)
Yes.
Kenneth Moras (59:30.77)
Yes.
Kenneth Moras (59:38.289)
Yes. Yes.
Raj Krishnamurthy (59:41.654)
before you get there. And your point is that the tools have not focused from an assurance perspective as much as you would like to yet. Got it. I think that’s a phenomenally great point. What do you think, Kenneth, is the role of generative AI, large language models, and how they should be used within the GRC teams? Is there any directive that you have for your teams on how to use Cloud or OpenAI or any of these tools?
Kenneth Moras (59:42.887)
Yes.
Kenneth Moras (59:48.049)
Yes, that’s correct. Yeah.
Kenneth Moras (01:00:11.611)
Again, like I’ve been very fortunate, Plaid has been a very AI embracing organization. What I mean to say it like, we’re not randomly deploying AI everywhere, but we have the appetite to empower employees to be more effective at their roles. And that’s true for my team as well, right? Like, so how I’m thinking about using generative AI, right? One is like we have…
engineers using cloud to write code. My team may not be writing code per se, but my team should know to answer like, hey, where are all the key storage systems? What has been configured? What has been logged? They need to be able to prompt and ask questions on top of our code base, right? So instead of going and asking our engineers like, hey, where do you send these logs for so-and-so components? My GSE team should be able to write prompt in cloud.
saying that this is my intention, this is what I want to validate, is this practice in place or not? Can you go and validate this for me? ability, and Claude actually does that really well. Like I am generally not in favor of talking about tools. There is another tool that I have personally POC, POC, it’s called unblock.ai. So like they’re really great. Like you can really ask very specific questions. It can connect the dots between what’s in a code.
What is in an engineering docs? What has been discussed in a Slack? And summarize that we believe like this product feature does X, this capability is configured in this particular line. So instead of my team going and asking these questions, they’re using this generative AI tools built on top of the code to answer questions about how things have been configured. So again, toy, right? I’m not bugging engineers saying like, hey,
me where is this configured. I have already discovered where it is. I believe this is configured or not configured and then we go with all of the data and when we speak to so example one next example of LLMs generally is report writing right like we okay let me go to a very specific use case
Kenneth Moras (01:02:34.863)
If we can prompt LLMs to write or perform assessments in a particular manner, if we prompt it really well. So I’m really, would like to, there are places where my team uses, but this is a place where a lot of other organizations can use in performing risk assessments and performing summarizing vendor risk reports, et cetera. So instead of spending a lot of time in doing report writing, et cetera.
LLMs are really good at summarizing information. So there is a lot of scope over there. But the place that I’m truly excited is risk management. Imagine a world where you have a risk management framework that says that this is exactly how you render an opinion high, medium, low. It could be fair. It could be a derivative of fair, whatever that works for you. You can train a custom model to perform assessments in particular way. And just imagine this AI agent right now.
can talk to different tools like hey, like if you’re talking about backups, it can automatically scan through engineering docs, what are the places backups are configured, can look at, like if there is a GitHub MCP, it can ask a question to the GitHub MCP, it can ask a question directly to this. So I’m imagining a world where…
different AI agents can talk to each other and ask very smart questions to prompt each other’s systems really well, get the information well and summarize me that saying that like, this is the scenario that you’re worried about. I did A, I looked at what is happening outside the world, like all the threads, what are the breaches, like if you see S3 buckets have been compromised because they’re misconfigured, et cetera. So it connects the dots like, hey, you have so many S3 buckets.
You have so many S3 buckets with data. Like it asks all of this information in different places and just summarizes you that, I do believe this is actually a risk for a company like you. just imagine the time save, right, for GRC teams. Generally to perform one resessment, they would have spent like three weeks. They would have spoken to 10 engineers, logged into five different tools, run in different reports, and the analyst would have done this. LLMs are great at parsing information.
Kenneth Moras (01:04:50.221)
and doing this. So that’s why I feel that the risk management space is ripe for disruption.
Raj Krishnamurthy (01:04:56.398)
Do you think the behavior, especially from a GRC team’s perspective, is the behavior changing from what I would call click ops, right, clicking buttons, to more like chat ops, where you are actually more conversational and asking your cloud desktop or opening a playground, any of those MCP host questions? Do you see that changing?
Kenneth Moras (01:05:15.569)
Yes, I do see changing. I do see that changing like,
I’m, am I?
I’m not saying that my team is 10 on 10 over here. We’re moving in that direction, but I do feel that is the right direction to go. And I’m actively encouraging my team to go in that direction.
Raj Krishnamurthy (01:05:39.852)
And why do you think that is the right direction to go?
Kenneth Moras (01:05:44.135)
Why do I think it’s right direction? Because not everybody is expert at this administration. Not everybody is expert at like you like but you might you if you have a right risk mindset, you might know exactly what is the type of question you want to ask without really knowing which filter to click, which report to go, which which button to click, except the mechanics, right? And and if that that is abstracted.
Raj Krishnamurthy (01:05:50.178)
Exactly.
Raj Krishnamurthy (01:06:06.21)
the mechanics.
Kenneth Moras (01:06:13.201)
the speed of course there needs to be an accuracy to this. You can’t blindly trust the results but I really would love to like I’m so impressed by how Claude can give the right insights about the code and how things have been configured purely from a GRC lens not from a SWI lens.
Raj Krishnamurthy (01:06:31.662)
Yep, and I think MCP is going a long way in making the ecosystem happen as well, Like you rightly pointed out, so absolutely. Now, the other question I want to ask you is that one of the challenges is that these are probabilistic responses, right? Audit, and I’m sorry to push you back into audit, that’s a real world sometimes you have to deal with. And audit is all about deterministic responses. You can’t say this could have happened. You have to say,
Kenneth Moras (01:06:36.945)
Yes.
Kenneth Moras (01:06:53.82)
Yes.
Raj Krishnamurthy (01:07:00.738)
Either this has happened or this has not happened. How do you reconcile between what you are trying to do as a tech forward leader with your GRC teams with what you have to do to work with your internal and external audit?
to demonstrate reasonable assurance.
Kenneth Moras (01:07:15.902)
If you don’t mind Raj, can you rephrase that question? I’m just trying to understand it better.
Raj Krishnamurthy (01:07:19.352)
So the auditors are looking for reasonable assurance, and they are looking for a small subset, like you were saying. And you are using these tools like Cloud Desktop and your MCP host and a whole bunch of other things to be able to get to information faster and to be able to consume information faster. But these are probabilistic responses as well. So you have to reconcile between these probabilistic responses that you’re getting with the deterministic responses that you have to provide to your auditors.
Kenneth Moras (01:07:23.057)
Yes.
Kenneth Moras (01:07:45.191)
Yes. So.
So that’s why the risk management and compliance function is like the focus areas is different, right? So for me, like using all of this cloud and all of these things is really useful for the R function, right? They have to connect the dots with the business goal, business objective, with the operational reality and what is happening outside my organization. So that concept works really well on the risk management.
But again, I don’t see a time where I’m going to expose Cloud interface to my audit firms. I still feel we will provide, this is my understanding, we will still provide a much broader data set rather than just like 10 samples, 20 samples. I think so as in when we get
more and more mature. think so organizations will feel comfortable exposing their larger data set so that auditors can look at the entire population and render an opinion. I still don’t think so anybody’s doing this. audit firms are still taking what I call a sample of all those things. But I believe if the GRC teams are taking actions, things can go wrong.
Like I don’t think so the goal of an audit is to say that like things will never go wrong. Like you never had a problem. You never had a compliance gap. The goal is like when the compliance gap happened, you knew it, you fixed it before something really a real risk materialized, right? So as long as I feel the audit firm understands that like things can go wrong, but you fixed it immediately. You had means to correct it, detect it and still render the right opinion. Then that’s the time where I’ll be more comfortable.
Kenneth Moras (01:09:45.763)
exposing the entire data set so that they can look at it and tell us like, hey, like these are the three times in the entire year out of 30,000 events, three things did not go exactly how you had planned. But I can tell them for these three things, there wasn’t corresponding action that we took and we really didn’t have a meaningful risk that materialized because of whatever just happened.
I really don’t know whether audit firms even want to have this conversation because it is more work for them. So they have limited amount of time. They want to build within the limited amount of time. So they looking at entire population is only going to make their work more. but again, see, I have different opinions, right? Like it’s fine. Like I am not saying they’re wrong, right? They have a time window.
Raj Krishnamurthy (01:10:20.849)
Ha
Kenneth Moras (01:10:42.087)
They have to do an assessment of the limited amount of the best of ability. But the ball is in the GRC team’s court, right? It is their job to look at things holistically in more depth. Like if you are expecting auditors to do a more in-depth job than you, then yeah, like you are failing as a GRC professional, right? So that’s the reason it’s great. Like these tools can consume holistic data.
and it allows GRC team to do potentially allows GRC team to uncover insights. But I still don’t think audit firms are moving in a direction where they’re going to look at the 100 % data set to render an opinion.
Raj Krishnamurthy (01:11:26.106)
But I like the way you’re saying. I think the way that if I can rephrase it and correct me if I’m wrong, I think you’re saying this is they all are in a straight line, which is audit firms have to take a slice of the data and they do it at a very less periodicity purely from the perspective of looking at compliance. And if compliance can collect all of the data that you can choose which ones to present to auditors makes it faster. But because you’re collecting all of the data and if you can
use these generative AI tools to provide better insights, then your risk falls in line. So ultimately, what you’re basically saying is that your risk compliance and audit, they’re actually just different facets of it, maybe different prisms through which you look at it. But the underlying data flow or the data stream is exactly the same. The more you do that, the better value you get in each of these.
Kenneth Moras (01:12:16.573)
Correct, but with a caveat that the management program generally looks at so many different things, situations, scenarios, which you wouldn’t typically look from a compliance angle. if you have just 10 things that you’re looking for, the risk management program will suddenly be looking at scenario 40, scenario 80, scenario 90, new product being launched with X feature. So the changes to which
Raj Krishnamurthy (01:12:29.166)
Come on.
Kenneth Moras (01:12:46.077)
risk management team needs to adopt generally is significantly a little bit more. But again, if there are if the risk management program can feed the compliance team that like there are thematic issues, the compliance team as part of their assessments can say that like, hey, you are relying on these controls to determine the risk is low, but in reality, it is not so they have to be in. They need to be in talking terms, but each of them have their own.
focus areas and perspectives.
Raj Krishnamurthy (01:13:16.628)
I think we are approaching the end of the show, Kenneth, then. And this is going to be my last question, right, which is for the new grad who’s coming out of college, or the new person who’s entering into this cybersecurity and GRC industry, what would you look for, what should they prepare with if they wanted to go get hired in a GRC function and with a leader like you?
Kenneth Moras (01:13:52.549)
One is definitely they need to demonstrate that they have fundamental cybersecurity for most of the roles. Again, I’m just taking the most important roles. I want somebody who has gone through that drill of understanding the different domains. They wouldn’t know all the domains in depth, but they understand why cryptography exists, why…
like they have been exposed to SAML, like some of these fundamental terminologies, et cetera. I don’t want them to hear first time when they’re joining my organization, right? So whatever they can learn in terms of key technology, terminologies, concepts, et cetera, the familiarity. So having the familiarity either through their coursework or genuinely through their interest is generally…
a great signal for me, somebody who has taken the time to understand different things like webhooks, et cetera. Again, I’m telling from a purely fresh grad perspective. Not all fresh grads will come from a software engineering background. So for me, it is going to be important either through the self-motivation, determination, they have taken additional coursework. How have they shown that they have gone beyond their
comfort zone to learn something new is these are the things that I’m looking for.
reason right like when when I’m taking a little bit on I’m flipping the game on the interview side right now they need to be able to explain me the chain of thought like what can go wrong like when we put in a simple scenario right how would you react they may not know the perfect answer but how they think through how they are essentially trying to break down the problem for a new grad breaking into GRC is actually
Kenneth Moras (01:16:04.197)
I don’t have a great answer, but I would say that whatever opportunity you get to get into the cybersecurity realm, right? It can be anything. It could be detection. It could be anything. Just grab it because eventually you need multiple different contexts, little bit of pen testing, little bit of software engineering, little bit of product security, et cetera. Whatever different wide experiences and expertise you can get, just grab it.
That is after you get a job. So instead, if you can’t directly get into the GRC, it is totally okay. Play around with different facets of cybersecurity, learn the breadth in whatever way possible. And the way I did it when I joined, I always had a curious mindset. Like, hey, what are you working on? Like, why does this project even exist? Like, what is the role of a product security? So you need to have a great, curious mindset even before you join.
and after a journal before if your question is purely on coming right out of university, there are different ways, right? You can take course works on ethical hacking. You can take course work on basic generative AI. You can take like, if you can show that like, hey, I have a little bit of decent breadth of concepts, then it makes me comfortable that this person is okay to
learn diverse things quickly in a self-driven manner. So I know this is not a perfect answer, but what am I concluding is one, if they can demonstrate that they have taken self-interest in learning different concepts within technology, don’t need to be cybersecurity purely related. That gives me a relatively confidence that they can learn, grasp their motivation to learn things on their own.
and at the end of the day I look for
Kenneth Moras (01:18:07.717)
I look for things such as do they really are they comfortable doing multiple things. A of people don’t enjoy doing a lot of different things. So I ask them like, do you enjoy doing just one thing really well or do you like this is a very different approach that I take. But ultimately I really don’t think there is a one perfect way to break into GRC. It is essentially if you believe that you have good breath.
And if you are keen in expanding your breath, then that’s how you enter the GRC world.
Raj Krishnamurthy (01:18:44.088)
No, I think this has been a very fascinating session. Kenneth, thanks for taking the time to spend with us and other listeners. Sincerely appreciate it. Take care.
Want to see how we can help your team or project?
Book a Demo