In this episode, we talk about the governance, risk, and compliance in the organizational part of cybersecurity. Our guest Shanmugavel Sankaren is the founder of FixNix, a popular SaaS tool.
Every organization has own structure and methods. During this episode, you will learn to understand the overall cybersecurity posture of an organization and how focusing on your audience impacts your performance.
It is important to evaluate and recognize risks, handle them appropriately, and minimize their impact to your organization. We will discuss the different scales for measuring risk and how to work with third-party companies that you may encounter as you continue forward in your career journey. Remember, there are different sources of risk, different ways of measuring them, and there’s always a way to remedy risks.
There are numerous rules that affect our organizations, and cybersecurity is built on top of these rules. Each set of rules has different requirements and different responsibilities for an organization. While this includes technical rules and engineering requirements, there are also larger concerns in the governance, risk, and compliance (GRC) space that you need to be aware of, as well. We will close out this episode with examples of the enterprise partnerships that you might see within the GRC portion of your organization, too.
Kip Boyle:
Hey everybody, this is Your Cyber Path. We are the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle. Wes Shriner is here. He’s the co-host, and we are experienced hiring managers of cybersecurity professionals. And what we are here to do again, is to help you get your dream cybersecurity job.
Now, this episode is available as an audio only recording. If you would like it, just go to your favorite podcast app, search for Your Cyber Path Podcast, we’re in there. And if you’re on YouTube and you’re watching this right now on video, that’s great. And if you’re listening and you want to watch, because we do have some visuals that we’re sharing, just go to YouTube and search for Your Cyber Path Podcast.
So this is an episode in a series that we are producing and delivering to you, and it’s designed to tell you all about the way that cybersecurity organizations are put together. There are a lot of jobs, a lot of different services, and a lot of different areas, and we want you to know what they all are so you can figure out, “Hey, where do I fit into all this? Where am I going to be happy spending such a huge part of my day, such a huge part of my life? Where’s a good fit for me?” So we want you to find your dream cybersecurity job, and that’s what we’re up to.
And today we’re going to focus on the governance, risk, and compliance part of the organization. You’ll hear that most often referred to as GRC. And today we’re going to explore GRC with the help of a guest. And Wes, would you please introduce our guest?
Wes Shriner:
I am excited to introduce today. Today we have Shanmugavel Sankaran, who is joining us from Walnut, California. He is a serial entrepreneur and hard worker. Our paths crossed about 15 years ago at Microsoft. Oh, sorry, let me give you a slide here. About 15 years at Microsoft where he was a security engineering leader. He has been running his own company the last few years in the governance, risk, and compliance space. He’s built a SaaS GRC tool. And I’d love to hear a little bit about it from you, Shan. We’re going to call you Shan, is that right? Because if we call you Shanmugavel Sankaran, you’re the guy who gets things done. And if we use your whole name, we’ll be still saying your name while you’re already doing things. And so we’re going to call you Shan. It’s going to be a lot of fun.
Kip Boyle:
Oh, we’re a bunch of ugly Americans. Sorry.
Shanmugavel San:
That’s the name of this and our team gave in Microsoft, so I have been used to this for almost two decades now.
Wes Shriner:
It’s been good.
Shanmugavel San:
Good.
Wes Shriner:
So tell us a little bit about you, sir?
Shanmugavel San:
Sure. So I think it’s been a good couple of decades of journey in cybersecurity. So maybe the initial first part I was with Microsoft and IBM. Great entrepreneurial learning with folks like you and many others, Wes. So I think what I learned is pretty much the application security world. And then in IBM I had a couple of interesting things towards the security architecture and the compliance and [inaudible]. So after this three stints went to work as a chief information security officer for a brief stint with a eCommerce platform. So that’s when I was trying to procure a governance, risk, and compliance software for them to automate cybersecurity across things like ISO 27001 PC DSS. I couldn’t buy it sub $50,000.
I thought that must be an interesting opportunity to jump ship and build one. So that’s how this whole journey started for FixNix. It’s been eight years of journey, bootstrapping. I think it’s been a phenomenal great bootstrapping journey, along with my co-founder Kayalvizhi. She used to be my wife and she has been helpful really, kind enough to help me found this company to scale here.
Wes Shriner:
That’s excellent. And we can find you @www.fixnix.co.
Shanmugavel San:
Yes.
Wes Shriner:
You’ve got a great thing going on there with the GRC SaaS. I look forward to seeing how it grows and changes the marketplace.
Kip Boyle:
Definitely.
Wes Shriner:
So when I met you, you were already a very successful security engineer. How did you get your start in cybersecurity? What was your first big break?
Shanmugavel San:
Sure. I think in Microsoft, I was a database administrator and then I was a security liaison program manager. So I started interacting with the cybersecurity team internally in one of the teams in India. Microsoft, India. So I think when the security team model was set up the shop in India, so that’s when I think they touched base. And then I was mandated to set up a application security team of engineers to test it all, the internal web applications. And so I joined that application security world, and then there is no looking back. It was a great entrepreneurial learning where I need to sell security to the rest of the world internally to all the Microsoft folks. But we are charging almost $150 per hour to rest of the teams to get their applications tested or hacked before it goes to the external world, so that was a great learning. I think it was a very high performing team, and I think I learned a lot from those guys, all the security, and then that got fascinated towards cybersecurity and this.
Wes Shriner:
It’s a fascinating field. And that was early on in the growth of the field.
Kip Boyle:
So Shan, you started as a database administrator. Is that what you said?
Shanmugavel San:
Yeah, that’s right. And that’s how I started my career.
Kip Boyle:
And that’s a really common thing for people to come into cybersecurity from another IT job. That’s a very common path.
Shanmugavel San:
So in fact, I joined Microsoft as an intern. I have had exposure towards network administration, database administration, or whatever, system administration, nothing except programming. So I was all on the DevOps side or whatever. Now of late, DevSecOps it’s called. DevSecOps. So I was on the other side of the world trying to fiddle around with the systems, et cetera, so building it. So I think that that’s what got fascinated towards security field.
Wes Shriner:
Cool. Thank you, sir. All right. So I’m going to remind our audience, if you’re listening in audio only, you don’t get to see this, but if you’re on our YouTube channel, you can see the visual. And this is the placemat we’re using to map the roadmap we’re using to describe a security organization. To remind you, if you haven’t, if you don’t recall this, check out one of our earlier episodes where we introduce each piece of this diagram. Understand that the center is your cybersecurity organization. You’ve got four large portions or sub-organizational units inside your cybersecurity org. And then you’ve got 15 domains, and each of those domains then has individual teams. Each of those teams is responsible for specific service catalog line items. Your common security service catalog has 23 common security services, and that’s just too many to take on in one episode. So we’re going to jump into just a specific area this week. We’re going to focus on that top left, the governance, risk, and compliance space.
Now governance, risk, and compliance sounds like it’s GRC, and oh, it’s all one thing, but actually there’s seven different unique services in that service catalog. And I think as we talk today, you’re going to see there’s a lot more going on inside there than you might have expected. Right? I think there’s a lot of job opportunities in there, and I like to make this simple for you. So governance, risk, and compliance. This is the Christmas season here at our house, and it’s time to hang Christmas lights. And so governance is how much money did I spend on my Christmas lights? Risk-
Kip Boyle:
Show me the receipts. Show me your receipts.
Wes Shriner:
Yes, exactly. Risk… And was it against my budget or did I go over budget? Right? And I’ll tell you, I did go over budget this year. Risk, risk is how high is the ladder you’re going to climb to hang those Christmas lights, and compliance is, are they hung in time for your wife’s party?
Shanmugavel San:
[crosstalk].
Wes Shriner:
And so, that’s the difference between governance, risk, and compliance that we’ll be taking on today in the terms of Christmas lights.
Kip Boyle:
So simply put. So simply put. And that means that, ladies and gentlemen, you know what you need to know. If you’re pressed for time, you don’t need to watch anymore. But you have a few minutes, stick around.
Wes Shriner:
There’s going to be some interesting stuff along the way. Let’s see what we’ve got.
So I’m going to dive deeper into that governance, risk, and compliance space. We’re going to call at each of the security services in that service catalog. So number 20 is governance and PMO.
When I think about governance and PMO, I think about setting the budget for the organization, setting not just the GRC, but for the entire security organization. I think about governance, I think about the staffing levels and planning for staffing for year-over-year planning and staffing. I think about reporting, right? We can… Actually, that’ll be a later one. So I’m going to save that one for just a minute. I also think about this is your PMO. This is your project management office. Your PMs here do the work of executing the plan and the roadmap for next year. Now I may want to upgrade my SIM. My SIM is not part of my GRC, but the budget money and the PM are going to come from my governance organization to support the SIM upgrade.
Kip Boyle:
I like to think of these things as like, is what are we going to do to change? Right? This is like, how are we going to change our organization? How are we going to adapt? How are we going to keep up? Right? And how do we do that in an organized fashion?
Wes Shriner:
This is an area that is a big touchpoint for all other parts of your security organization and your business organization. Governance and PMO is how you get things done. Understand, you don’t control most all of your resources. Your project management office has to tentacle out into all parts of your organization, your infrastructure teams, in order to deliver on the commitments we’ve made.
Kip Boyle:
Yep, that’s right. And they’re going to make sure that… Hopefully, they’re going to make sure that people aren’t overloaded, right? That they’re not 150% allocated to all kinds of different projects, because that’s just a recipe for burnout and failure to delivery.
Wes Shriner:
So I’m going to jump to the next one. 21 is policies and standards. Now I wish this were number one because this is where all security begins, right? We have an expectation that everybody should do it according to a certain level of security. But if we don’t write that down and manage that expectation across the organization, then nobody really knows what that expectation is unless we’ve written it down. So all security flows from your policies and standards.
Shanmugavel San:
On the first one, Wes, in fact on the PMO side, I believe that usually the organizations have the project management standards. In fact, now, I see they’re also looking at how the integrated management system standards, be it quality, environment, I think they started off including the cybersecurity management system also, along with the PMO’s project management framework of the organizations. So I think very well, it goes into the organization central piece of the PMO itself. Not necessarily have a PMO in say governance. It’s like, it’s becoming part of the central, so the CXO dashboard itself. If you are CEOs looking at a dashboard, so how are the… There are four or five metrics which is going from the cybersecurity world, which is becoming part of its daily reviews or whatever, monthly or quarterly review. So I think that’s plays a huge role by the PMO contributing to those metric service.
Wes Shriner:
I think you’re exactly right. And I’m actually going to call that out as number 22, management reporting. That’s where your security analytics function is going to a live where we’re going to be gathering data from all over the organization. That’s where we’re going to define our KPIs for what, how do we want to measure our own security organization? And that’s where it rolls into your CXO dashboard. And also reporting to the board, right? Here is what’s going on in our risk world. Here’s what’s going on in our security world.
Shanmugavel San:
That’s right. So in fact, on the policies and standards, it’s a big version of it’s starting from ISO position almost one. If you look at the, not the [inaudible] like NASD to CAS, many different bodies for health care, that’s a HIPAA for payment card industry. That is a PC DSS. So every industry has their robust standard or regulation which is governing the sub-policies under controls. How we can assemble all of that and which can help come very handy when it comes to assembling the software processes service.
Wes Shriner:
Makes sense. You’re right. There’s a lot of organizations and bodies and standards that speak into what’s our appetite for risk and how are we going to write that down in our policies?
Shanmugavel San:
That’s right.
Wes Shriner:
So I’m thinking a little bit about this management reporting, and a question that we’ve come across over beers in the past is, how do you measure the success of a security organization? What are the KPIs, the key performance indicators, that you would use to measure success in a security org? Shan, you’ve been doing this at a lot of companies. Do you have some thoughts on that?
Shanmugavel San:
On the management reporting, certainly, yes. So in fact, people usually think that it’s the management reporting is just about getting some of the cybersecurity things like risk register or a threat register or incident register. So it’s much beyond that. So it’s of late, it has evolved so now there are tools like threat intelligence, security incident, and even management. They’re a phenomenal set of tools, which is of late contributing to even the overall cybersecurity posture of the organization, which is becoming part of the management reporting. How often they are finding more incidents, whether it’s anything going beyond about this world.
So whether they have this covered as part of their business as usual, and then they are able to identify and mitigate, it’s not just about identifying and mitigating. So how can they be proactive in handling incidents which are prevalent in the industry so that they can be prepared without even getting to handle one?
So those kind of things are becoming part of this whole management reporting, that there are phenomenal set of systems tools from almost all parts of the cybersecurity world, products are contributing feeding to this overall management reporting. I think GRC as a system is playing some role plugging or taking inputs from multiple of these components based on the threshold value. It is getting those datas, and then able to showcase that, okay, to give a good cybersecurity portion of the mission to the CISO ready in particular this.
Wes Shriner:
Interesting. Kip, do you have some thoughts on that?
Kip Boyle:
Oh God, yes.
Wes Shriner:
I think we found the hot button.
Kip Boyle:
I just want to share one idea here, okay, and that is what you report is very much driven by who your audience is. And you’ve really… I’ve struggled with that, to be honest with you. For the longest time, I thought that my reports should be more universal, right? That everybody should really be looking at the same things as much as possible. And what I realized was, oh, that’s okay, but it really is going to be a lot better if you just focus on who your audience is. And I’m going to give you one specific example, one specific use case.
So I’ve had people tell me in the past, “Well, we should tell the CEO, we should give them metrics on how often we’re attacked.” And I’m like, “Okay, what does that mean?” Like, “Well, let’s go to the perimeter firewalls and let’s go ahead and just show them how many packets we’re dropping every day because we think that packet is associated with some kind of attack or prelude to attack or something like that.” And my initial reaction was like, “No, that’s ridiculous.” Like, “We can’t demonstrate anything about something that we don’t control.” Like, “We don’t control how often we’re attacked, right? So why would we report on something that we have no control over? Because people might ask us to fix it. It’s like we can’t fix who attacks us.”
So that was my thinking for a long time. And then somebody came along recently and challenged me, and it was really hard, and I just have to admit that I think, I’ve agreed that actually it can be useful to tell CEOs and other members of the C-suite just how often you’re getting attacked, because here’s the thing. If you do a really good job at dropping all those packets and all the other things you do to defend, right, all the malicious code that you block and all that stuff, if you do a really good job, then nobody thinks there’s a problem. Nobody thinks there’s a problem at all. They think that you’re just running around consuming budget. So you’ve got to show them the problem, right, that you’re here to address. And so, I’ve completely come 180 degrees off of my original attitude about that. And I actually think that is a really great way to help paint a really rich picture for the people that you’re trying to serve, the folks in the-suite.
So anyway, just there you go. There’s my little rant.
Wes Shriner:
I’m hearing confessions of a CISO right here and the apology that he just issued to all those who used to work for him, who-
Kip Boyle:
That’s right.
Shanmugavel San:
The whole cybersecurity thing is just a insurance, like a car insurance, right? Until you meet up with an accident, nobody realizes the value of it.
Wes Shriner:
No kidding.
Kip Boyle:
Yeah, it… The insurance angle is a good one. And in fact, I use that now as a small business owner, as an entrepreneur, when I meet somebody, a potential customer, and I start talking with them. And if I start to feel like I’m selling life insurance to Zeus, I just shake their hand and move on. Because if you’re immortal, you don’t need what I got.
Wes Shriner:
No. And that’s awesome that you’re immortal. That’s tremendous.
Well, I’m going to keep us moving here. We’re going to learn a little bit about cyber risk management and third party and vendor risk management, just because that’s our next piece is risk.
Kip Boyle:
Great.
Wes Shriner:
Understanding risk, I think a little bit about… A risk is a violation of our known security policies and standards. Now, there may be a violation of what might be an industry best practice, but if it’s not codified as a policy and standard, then I can’t really record it as a risk on my risk register. That doesn’t mean it’s not a risk. It means I need to update my policies and standards, and then capture the risk. Right? That’s what that means.
Now, your risk management organization focuses specifically on cyber risk and has a major five-by-five scale or a three-by-three scale of high, medium, low. It’s going to quantify those risks and qualify those risks in a cyber world. But then we’re going to roll that up into enterprise risk. That’s the larger risk organization owned by your enterprise risk VP, separate from cybersecurity. Now, that enterprise risk owner is going to have the same five-by-five or three-by-three scale, but they’re measuring it against life and death. They’re measuring it against did somebody drive a truck into the front of my store and kill several of my staff, right? And sometimes the database protection isn’t the same as protecting a human life. And sometimes actually it is, right? It depends on the value of the asset that we’re addressing right now. So-
Kip Boyle:
It can be, right? If it’s a database of dosing for medicines or how deep the Gamma Knife should cut.
Wes Shriner:
Yeah, then we very much have a life and death situation. And so understand enterprise risk is taking into account all of physical and cyber risk and every other risk as they evaluate. Even the supply chain risk that we’ve looked at lately, right? What is my supply chain, and is my supply chain using inappropriate labor? Is my supply chain pulling from war torn countries that maybe are not approved for trade at this time, right? So they’re looking into enterprise risk at all levels, and cyber risk is just one of maybe 15 different candidates for risk that they’re looking at.
Then that risk is then rolled up to the board as this is what the risk is to our organization. That appears in your public reporting if you’re a publicly traded company, and that’s how we handle risk as an organization. Understand that all risk comes from violations of policy. And all policy can be changed as needed in order to capture those risks.
The second part of the cyber risk organization is the third-party risk management, right? We’ve made a promise to our customers that we’re going to treat your data, your assets, the things that you’ve trusted to us, with appropriate care and concern with the proper security controls. And we have that same expectation for our third-party and fourth-party companies that do business with our customers through us. Right? And so if we’re going to trust your data to someone else, we have an expectation that they’re going to treat your data with the same quality of protection that we, as our company do. Would you add anything to that?
Shanmugavel San:
Yeah, I completely agree with that risk. It’s like cyber risk is a very big ocean now. In fact, there are a good amount of products focusing on the different aspects of cyber risk itself. There are products to quantify. There are products who are looking at that, the enterprise risk aspect of it. There are products looking at the IT risk aspect of it. So let’s try to take a look at what is IT risk and enterprise risk.
Enterprise is mostly an organizational level risk where even whatever is impacting on an organization. So it’s like whether they have covered it for the future of the organization in case if there is a big pandemic or a disaster occurs. So those kind of risks. So whether they have planned for it, or in case they have not planned, all of the risk there, they’re kind of accounting for and then planning for it to handle that risk for the future.
So IT risk is pretty much be the web application security through patch management, to multiple other different things. So there are different models for both this enterprise risk as for the IT risk. In fact, in our product, so we certainly have products out of our platform for all of this. In fact, in particular risk in our risk product that we have a different risk scoring algorithms for both IT risk, enterprise risk.
For example, web application security risk, we have OWASP risk scoring. Patch management risk, we have a serious scoring model. And then for our general risk, we have a third scoring framework. And then there are quantitative way of scoring, qualitative way of scoring, asset-based risk scoring. So there are multiple ways the enterprise risk can be scored and then can be brought into the risk register. Once after the, every, all different categories of risk is brought into the risk register, then comes the… There’s the team which is supposed to be fixing it, providing a mitigation, and the risk management team reviewing.
It’s a big ocean, and I think people have been very successful doing this through Excel, the biggest missing pieces. They are not able to really collaborate with the rest of the business functions when they grow. So if they’re a mid-market or becoming towards, growing towards an enterprise, they are having a phenomenal growth. That’s where I think they are not able to catch up maintaining this risk register, bringing both the IT aspect, enterprise aspect. I think that’s where products are or even people, these are the people who can have an hunger for the risk systems can handle it thus.
Kip Boyle:
I want to say something about that last part about as companies grow, they begin as startups, and then if they do well, they become a mid-sized organization. And then if they do really, really well, they become an enterprise. And one of the things I’ve noticed about risk management is most of the available frameworks and approaches are very large enterprise suited. In other words, mid-market companies, small companies, it’s very, very difficult for them to adapt some of these larger risk management frameworks. And so a lot of them just end up doing a lot of shooting from the hip, a lot of qualitative risk assessment, or they just sort of say, “Well, I’m just going to pay attention to what I read in the headlines,” or “I’m just going to do what Cisco and Microsoft tell me to do,” or “Whatever they think is the priority, that’s what I’m going to make my priority.” And so if you’re working in a small or a mid-size organization, I think that’s a huge challenge for you is to figure out what your risks are, because you’re just not set up to be able to work successfully with a lot of these existing frameworks.
Shanmugavel San:
In fact, I am one big person differs with my GRC industry. I don’t sell like the rest of the industry that, okay, in case you don’t use our product, you guys are going to have a huge issue. So you are able to automate your existing business processes within Excel. I think you are good to go. So you should have a basic system which is covering all of these different pieces and parcels of governance, this compliance. So risk, you are able to maintain a risk registry with an Excel and then able to, sophisticated manner, you are able to mitigate it or review it with a management perspective. So I think you are good to go. So only thing is you need to do on a very religious manner, and then regular reviews to the management, and then publish it, and everybody should have an access, and they should know that there is a process for it. So tools are here to enable the processes. It’s not the other way. People buy the tools and then try to figure out the process, which should not be the case.
Kip Boyle:
Yeah. But I see that happen a lot.
Wes Shriner:
And we can’t let that happen. Thank you very much for risk. And Shan, thank you for calling out that there’s different sources of risk and different ways of measuring risk, depending on where the risk comes from. And then lastly, reminding us that there’s a remediation function, right? And just to tie that back into our governance piece, if we have a risk-driven security organization, then we’re going to identify risks, we’re going to put them on a risk register, we’re going to prioritize and curate that list until we get to a top five or a top 10. Then as we build our plan for the years following, the roadmap for next year and the year after, we’re going to prioritize projects that will remediate those risks, right? Those top risks. And so that’s really how we go from risk register, we wrote it down, to how we’re remediating, resolving, and getting risk turnover, and we’re getting the velocity of risk turnover that we want to see in our organization.
Kip Boyle:
Velocity. I love it.
Shanmugavel San:
That’s certainly, for people who have a different calculation models incorporating velocity also versus broad risk point.
So today I just went out. I think this is my COVID-19 risk register. People got me the COVID-19 boost, the traditional Indian way of fixing the COVID-19 production mechanism. This is my risk boost of COVID-19.
Wes Shriner:
Your hot tea?
Shanmugavel San:
It’s a risk… Yeah. Kind of.
Wes Shriner:
Outstanding. I’ll drink my tea as well. Thank you.
Kip Boyle:
I’m all out of tea. Dang it. I didn’t make enough.
Wes Shriner:
Unlucky. Unlucky. So we’ll keep moving and see if we can get Kip back to his cup of tea. The next one is compliance and-
Kip Boyle:
If you think about the-
Wes Shriner:
Go ahead.
Shanmugavel San:
You mentioned about the third party, right? So the third party, in fact, there is this third party there for example, Apple have outsources to Foxconn. When they have outsource to Foxconn, and they even when Foxconn screwed up on their employment issues. So the people have really issues around handling that mess. Right? And then Apple stock went down because of that, the workplace practices of Foxconn, which is a really not a so good thing.
So all the companies have now because of this environmental, social governance, many, many other bases and practices, they are trying to look at all their vendors or even third parties to make sure that whether they are following all those things. Right? So particularly in cybersecurity, I’m outsourcing to somebody. So whether they’re handling my data right.
So Microsoft has come up with a very nice thing called SSPA. It is kind of their own GDPR ISO 27001. That they’re looking at almost all the… I was told seven, Microsoft has got 70,000 plus vendors across globe. So they’re looking at almost all of them to complete towards this ISO, their own SSPA, but there is a huge amount of new systems for the cybersecurity or even privacy.
So I think that they’re trying to do something about the vendor risk of third-party risk, trying to make sure everyone of them who having some touchpoint with Microsoft or their data or their systems or intellectual property, they’re trying to cover. So I think it’s a huge, huge thing which has evolved over the period of time now. I think it started with the, I think almost the kind of lot of this Foxconn issues where Apple stock went down because of Foxconn, because of Apple don’t have real direct impact towards them, but they have been building it through Foxconn. Right? So I think SSP is a very nice thing where they have close to complete control in Microsoft world, and the pretty much it’s called Microsoft Supplier Security and Privacy Assurance is the expansion of this.
Wes Shriner:
Thank you. Yeah. Supplier Security Privacy Assurance.
Kip Boyle:
Now if you’re on the receiving end of SSPA, if you are a vendor to Microsoft, and this is true for all kinds of large enterprises, they have third-party risk management programs of all different types. But if you are working in a mid-size company or in a startup and you’re trying to do business with a large enterprise and there’s a cyber risk component or a privacy component, you’re going to get crushed. It’s going to be like a mouse dancing with an elephant. It’s really, really hard. So just-
Wes Shriner:
And the best answer to that is to look at your attestation of compliance, right? Your SOC, your SOC 2.
Kip Boyle:
If you have one, yeah.
Wes Shriner:
Once you’ve got SOC 2 in place, you’ve got an attestation that says, “We perform the way we say we perform. We have a third-party attestation of that and we can move on to the next question.” Sometimes that’s a fast pass.
Kip Boyle:
Yeah, sometimes it is. Well, I can do a whole episode just on that topic, but I won’t right now. I’ll let you keep going, Wes.
Wes Shriner:
We’re going to save that for another day. I do want to jump into compliance because compliance is a small little line here that’s actually a really big part of our organization. We have government accountabilities, we have industry accountabilities, we have client accountabilities, customer accountabilities, and each one of those accountabilities is a compliance requirement. Right? What are the common compliance requirements? Sarbanes-Oxley or SOX is one. PCI or PCI DSS is your payment card industry compliance. You might have in the US, a GLBA, right? The Gramm-Leach-Bliley Act is your banking compliance. You might have a HIPAA compliance for health care. You may have a child marketing compliance if you’re marketing to children under 13 years old. You may have CPNI if you are in the call data record space or telecommunications. And you may have a FedRAMP or FISMA if you’re working with the Federal Government. That’s just a short list.
Kip Boyle:
Or DFARS. Yeah, there’s all kinds. It depends on your industry and all kinds of other things. But one thing I tell people when you’re working in cybersecurity is get a clear definitive list of what it is that people are expecting from you in terms of laws and outside regulators or industry self-regulation. Be clear about that. Don’t wonder.
Wes Shriner:
Your legal team is your best friend in figuring that out. And once your legal team has helped you define what you’re accountable to, then delivering on that is your role.
Shanmugavel San:
In fact, I believe there are the standards like CSA Star, and there are even regulations like ISO 27001, which is towards privacy information management. And the privacy things like the GDPR, the California Privacy Act. Many other things are really evolving. I think it’s for good. I think people are really overwhelmed about frameworks regulations and international standards. They don’t have any clue. Lot of times when they are in the startup space or even a growth phase, I think they don’t have any clue. So most of the times they get called by one of their customer or a large enterprise partner or a vendor ask them, “Go get certified on ISO 27001 or the GDPR or NASD.” That’s how I think they start their journey, I think. But when it comes to mid-markets, they have pretty much, at least some sorts of legal team, at least who figures out that they need to [inaudible] to a system and they put some basics of it. I think suddenly things are evolving. I’m very glad. I think industry is taking it in widespread instead of just getting a namesake stamp for getting that certified of late.
Wes Shriner:
Excellent. We could go a long time on compliance. I’m going to leave that one there and leave Shan with the last word on that one. It was a good one. Because my favorite is coming up next. Security awareness and training is by far, in my opinion, the most important piece in the entire security organization. This is where we’re teaching our organization the culture of security. Every developer that ever went to school learned and took a security class in their development degree program. But it seems none remember any of them. And so our role as security awareness and training is very much reminding you of the bare knuckle table stakes of how do we protect our environment? How do we protect the data? How do we keep the promises that we’ve made?
So awareness and training are two different functions. Training is very much a classroom or an online learning. Awareness is much more about a poster on a wall saying, “Change your behavior,” or “Don’t let somebody follow you through the door.” Both are valuable. It’s also part of your October security awareness month, which is your big month in the cybersecurity space.
Kip Boyle:
And it’s probably the one thing you have no budget to spend on. Unfortunately. That’s what I normally see is that this area, which is so important, is often completely under-resourced and the people who are responsible for it don’t come to it with the heart of a teacher, and they don’t like dealing with people.
Wes Shriner:
What are we doing?
Kip Boyle:
Oh my goodness. Yeah. So anyway. Some of the things that I-
Shanmugavel San:
No, but I slightly different [inaudible], Kip. So I think people considering COVID-19 situations. So think about a bank. They used to have hundred thousand people working out of their huge walls. Now they don’t have walls anymore. It’s like everybody’s working out of home. So they’re still scared and they’re certainly highly investing on training and awareness. I think that’s a phenomenal change which I’m seeing with the respond industry. They’re doing phenomenal amount of things. So let’s take an example like a phishing training, right?
So you know about all the [inaudible] of last time, right? So where people send you some kind of official mail to the whole corporate world with a different kind of a messaging, and then try to get at this part of them and then infect the corporate network with the kind of a ransomware so that they can get the corporate data.
So I think banks are really worried about it. A lot of this highly regulated industries allowing their employees to work out of their home, they’re worried about it. Despite having a virtual desktop infrastructure and the VPN, all these kind of controls, still they’re still scared because people go off network all the time, and then they use that same corporate interface for their personal things. Now they have their kids banging them. They trying to do, someone’s offline. Even kids’ class and the official infrastructure. Right?
So now the thin line between the office and home has gone down. So it’s like people are heavily investing, particularly things like phishing, phishing training, but they try to… They send out maybe already planned stuff. They send out mails to almost all of the corporate infrastructure. And then they try to see how many people get misled and then try to click that link, which is not a good thing.
And then there are a lot of startups in this space that are startups like KnowBe4, who have hundreds of millions of dollars doing phenomenal amount of things in this training and awareness space. I’m very glad things have moved. And I think you guys must be knowing the shift to left, right? The shift to left, which is happening in the cybersecurity world, where people are trying to see…
So you are in a lifecycle of developing software or doing things. So how you can start thinking about security in the left-most corner of your whole journey. It is like the envisioning part of journey, right? First, you must be able to remember our old days of Microsoft where I think in Microsoft there was a concept called the secure development lifecycle, right?
Kip Boyle:
Yeah.
Shanmugavel San:
That SDL. The SDL is the new, I think, old wine now put in new bottle, which is nothing but shift left. So I think everybody’s talking about shift cloud left, so how can be the not only software development, be anything? So how you can think about cybersecurity from the start of this so that training plays a huge role in this shift to left, or any new initiatives, Kip.
Kip Boyle:
No doubt about it. No, I agree. I absolutely agree. I just don’t see it often given the resources it needs to succeed.
Wes Shriner:
All right. So let’s see where we go from here. We’ve got the seven services and we went long on those, but I think it was worth doing. I think we learned a lot there.
As we jump into the next slide, we get to see the common functions and tools we might expect to see in the GRC space. Unfortunately, PowerPoint is the first tool in use in the DRC space. And I think that’s because this is very much a business-driven function, right? You don’t have to be an application security specialist in order to be able to quantify risk. In fact, it’s very much business language when we’re understanding risk, and that’s very much a business analyst role, not a functional or technical analyst role. And so PowerPoint is our tool that we use to communicate what’s going on in our security business with the rest of our business. And this is a big business touchpoint. We need to use business language. And so that’s why we see the PowerPoint.
The governance risk compliance tool is right there, number two. And Shan, you can tell us about FixNix.co and how it helps solve that problem for the mid-market companies. That risk register is critical because this is where we… If it’s not written on the risk register, we didn’t really find it. And once it is written on the risk register, it is accountabilities of our board to be aware of it and to accept or remediate that risk.
We’ve also got a training platform, an analytics platform, and project management platform going on inside our functions and tools. Insider processes and standards. We’ve got a policy review board. This is where we make changes to our policy. We don’t do it in a vacuum. We don’t it alone in an ivory tower. We make our policy changes with the consensus of our organization. We also have risk questionnaires where we understand and quantify risk, a risk matrix for scoring that risk, and KPI reporting come out of this area. Anything you guys would add or change on there?
Shanmugavel San:
I think you pretty much covered almost everything. So I think in the GRC tool spectrum, I think that there are aspects like some of the physical security aspects like business continuity, disaster recovery, multiple bunch of things come, but if GRC is not really [inaudible] some platform where you can get multiple processes automated under the platform. So I think it’s much beyond a tool offload. I think that covers very much every pretty aspect of it, of risk.
Wes Shriner:
Thank you.
Kip Boyle:
Wes, there’s one tool we should have put on the list that didn’t make it on there. Excel. So much of this work is still being done through spreadsheets.
Wes Shriner:
It is. It is very much so. And a lot of our internal security relationships for the GRC team, we need to be getting our information directly from our incident responders. We need to be getting it directly from our IT’s project assessors. We need to be getting it directly from our security test teams. So our GRC function needs to be directly embedded inside our incident response project support and testing teams so that we’re getting real live what’s going on on the ground data. And then that policy administrator, right, that policy administrator is your best friend, not just for security policy, but for organizational policy. And so, those are the internal security relationships.
Shanmugavel San:
I think I have a small observation to make here on analytics side of it. So analytics means usually as a cybersecurity person, we usually think about the SIM aspect of it, security incident, and even management, and bunch of well, how we can get the logs out of this multiple cybersecurity investments. And then correlate, and then present, takes [inaudible]. But of late, I think analytics, the mission learning, artificial intelligence systems are tools or components that are built on top of the whole GRC platform itself. We have done that. We have done that. When we did it, I think we were suddenly having no pre-role models in the industry to see how we can apply automation diligence machine learning in GRC platform. But we went ahead and did it for the audit management and risk management.
So how the analytics on top of audit can help the teams plan audits. So when we are able to predict future audits saying that, “Okay, there are going to be findings in this area. There are more issues going to be discovered from this particular location.” Then we make a good bunch of those predictions as a dashboard in a platter, and automation as part of the dashboard. Organizations are able to use it in a phenomenal way for their planning, audit planning activities. So the same place for risk. Then we are able to present a multiple [inaudible] of this risk predictions about which risk scoring model they will be using, which team will have more risk, and which team, which mitigation models we will be using to handle more of the risk in this first part of the next year.
Some of these predictions when we are able to make. So these predictions get more accurate as we grow the data, historical data, but when we start on this prediction, it comes very, very handy for the original risk team or audit team with respect to planning for their future which functions they should be auditing, which functions they should be doing more of risk process. So I think the analytics aspect, that’s phenomenally come in and then changing the overall governance system, company, and landscape risk. You have made a very, very nice point there.
Wes Shriner:
Very cool. I’m going to jump ahead here to the enterprise partnerships that we might see out of the GRC organization. And I think this is probably the item I want to highlight. I think we highlighted it with our PowerPoint as well. Your finance team, your legal team, your vendor management, and your physical security are all going to be key enterprise dependencies we’re going to have from our governance, risk, and compliance space. We’re going to have strong partnerships with our board and with our C-level executives because this is where the risk reporting happens. This is the what keeps you up at night question from your security. This is security’s answer for what keeps you up at night. And we really need to curate that to our top five or top 10, and then really drive those to remediation.
We also have strong partnerships with our enterprise risk we talked about, with our IT teams for policy, compliance, and project interdependencies. And then we talked about training and communications. Anything you guys want to add here? I’m going to jump ahead because I know we’re tight on time and we’ve got a lot more content we want to get through. So I do want to call out-
Shanmugavel San:
I have one observation in this piece.
Wes Shriner:
Yes, sir.
Shanmugavel San:
The observation is, I think we used to have this very famous debate in the cybersecurity world. How can we make the chief information security officer report to a CEO? So our CTO, which used to be a very, very, very famous debate of the ideal world, CISO should be reporting to your CEO so that he had the complete independence with respect to cybersecurity, right? So we go ask them to report to technology or IT. So you may not be able to question them, so that’s a usual thing. I think it’s going on for decades. And I think industry has changed it now.
So the same thing with respect to governance system compliance. So lot of times, ideally speaking in ideal world, it should be a separate operation system according to think tanks like go open compliance in a fixed group, which is one of the famous think tank in the governance system compliance, OCEG.org. But what we find is in reality is people align the whole GRC under legal or finance, financing, and under security or even under a kind of ID. So they have one manager. If you don’t have a CXO compliance officer, to compliance officer type person, or this officer type person, they end up falling under IT or security, or even finance or legal. Certainly, I think they are supposed to be the collaborators. They are not necessarily, ideally speaking, we should be reporting the whole GRC mission. So that’s an observation I have as let’s go get ahead.
Wes Shriner:
Good stuff. I want to call out that if we were looking at this organization as a GRC staffing organization, this is probably 16% of our head count of our overall security organization. And you can, if you’ve got the slides or if you download the slides, you can see in detail where that staffing is going to align. Additionally, you’re going to see about 20% of your overall security budget is going to go into this organization. Wait, 16% of your staff and 20% of your budget? Why is that? Great question. I’m glad you asked. Because 10%, so half of your GRC budget is actually seed money for remediation of problems in your organization, right? So I see a problem over in my container space. My container team doesn’t have budget or schedule for that to be remediated this year. I need it remediated this year and I can drop some seed money in there to help incubate that project and get it started. So that’s a little bit about how we use that seed money in our risk space, and that’s how we got to 20% of our overall budget. Thoughts on that?
Shanmugavel San:
I think I completely agree, but only thing is in reality, people always think that whatever investment they are making toward cybersecurity or risk or compliance as a cost center, I think which should be changing. I think because it’s, as I said before, it should be an insurance for the organization about their reputation. So in case if they don’t invest, they’re going to get screwed. Some of their tasks may be out and their brand value’s going to go down or their stock market or market cap. A lot of these issues are going to happen. So certainly, this is an issue which they can make to protect themselves from the future attacks now.
Wes Shriner:
As we look at what are the available career opportunities in the governance, risk, and compliance space, there are several senior positions that you can transfer into. You can get a senior project or program manager. You can get very senior business risk analyst, and you can get very senior compliance to analytics leads. This is not a common place for IT professionals to transfer into unless you’re a business analyst, an IT business analyst transferring into the risk, governance risk or compliance organization.
Now this is a great place for entry level positions, that person looking for their first job, their internship, their zero-to-two-years and their two-to-five-year roles. The person can be a policy administrator. We’ve got a lot of opportunity for project management, for risk analyst, and for third-party risk analysts, because that’s done in the business language, right? You don’t have to know everything about IT. You need to be able to write down the salient parts of the technical risk into a way that your business can understand and quantify that risk alongside you. You’ve also got your compliance and analytics analysts, and you’ve got your security awareness trainer, project manager, and analyst. So those are all areas that you can step into from an early career perspective and be very successful in this organization. How would you guys add to that?
Shanmugavel San:
So in fact, I would add internal audit as a function. There are internal audit associate roles, which is also a great role where you know some set of basics about some of the standards and frameworks. So almost all of the Big Four, all this EY, PwC type. So you certainly have lot of roles there. They do a lot of work, phenomenal amount of work in the space, helping you and Fortune 1000. So there are a lot of amount of roles in that audit space. Eventually you can get yourself into the CISA system, kind of a different certifications, graduating yourself, tools. You have process person, process framework person, and then which can help you become an internal auditor or external auditor. Lot of those kind of audit roles for the senior auditors. I think eventually you can get to your even CPA, and then you can become a kind of an audit function. So that’s a phenomenal category out there in the audit world, along with the risk and compliance space.
Wes Shriner:
Very much so.
Kip Boyle:
Wes, just real quick, one of our most successful students has, is say he crossed over into GRC. He was actually in the accounting department and he had a lot of really great, transferable skills he didn’t even realize. And he went over into the cybersecurity team, and now he works in the governance, risk, and compliance space, and he loves it. He’s having a ball. If anybody wants to learn more about Steve who did this, you can just go to yourcyberpath/steve and we’ve got a little writeup of what he did, so check that out.
Wes Shriner:
Excellent.
Shanmugavel San:
Right. There are bodies like Open Compliance and Ethics Group, which is the think tank in this GRC space. They have a certification called GRC certificate, Professional GRCP, which also can help us get into any of this area in the whole GRC gamut.
Wes Shriner:
Good advice. Thank you. I don’t have that one on my radar, so I’m glad you brought that up.
All right. So Shan, this is our chance to get to know you a little bit further, right? What have been the keys to your career success along the way? What has helped you be successful? You mentioned your wife. You mentioned a lot of hard work. What else would you add to that?
Shanmugavel San:
So I think one part of the journey was we never had much precedence in the industry when we started out. So I think particularly, I think I started the company out of India, and in fact, it was one of the toughest place to secure venture capital. So I put all my eggs in one basket and [inaudible] the house to raise the seed from Government of India. Did lot of this crazy-
Wes Shriner:
You sold your house to start your company. That’s phenomenal.
Shanmugavel San:
Yeah, I became officially the entrepreneur who sold this house when we raised a [inaudible]. That was really, really crazy. I will not recommend… In hindsight, I will not recommend that route. It’s suddenly a huge rollercoaster, emotional rollercoaster, but in case if you guys want to get in, so just try to keep persevere. I’m passionate about the problem. It’s not that you are going to find out something, some light in the tunnel in year or two. So when you are signing up for something, at least sign up for something for three years or four years. If you are in your early 20s or mid-20s or mid-30s, I think that’s the best time you try start something. So at least, even if you try something for three years or four years, something doesn’t work out, you can go back to the industry. Nothing hits your career path.
So people respect, at least in North America, people respect that you have been to work with a startup or pursued something. You have that huge learning curve. You have pride building and it didn’t work out. So now you can bring the entrepreneurial passion back to the corporate world. That’s how I think people see that.
So always try to see how you can personally solve some of the problems. Don’t give up the plan for a marathon. Don’t plan for a sprint is what my recommendation is. And also with respect to capital, capital is always a, is a very big challenge. So try to see how you can bootstrap. Bootstrap through service. So you are already equipped with some of the skills in governance, in this compliance space like auditing or compliance risk, et cetera, so try to see how you can serve the clients inside some of the standards implementation space or whatever. There are multiple theater of opportunities.
Try to see how those services can feed you, where you are going to build some of the products using that seed money which is coming through the services. And so the way you can build up your entrepreneurial pursuit in case if you want to take up the route, [inaudible] to pursue a career route. So try to see how you can differentiate yourself or try to keep learning about new standards, new regulations, other new verticals in the whole GRC gamut.
So I think I’ll just give an example of financial services. Financial services will have… People usually think that the payment card industry standard is the only cybersecurity standard, but you think about the blockchain industry or crypto industry, there are plethora of cybersecurity standards have come in because of blockchain and crypto. They’re just in the financial services gamut. So you will want focus on it. You can do phenomenal amount of things by being a cybersecurity person in the blockchain industry or in the crypto industry. It’s called, the whole gamut is called FinTech, right?
So you just, say, keep learning, keep up your learning curve, even if you are on the carpet path. This is my recommendation. I think my humble I think observation about our own journey are we are still moderately successful. We got recognized by Gartners of the world, but still we have a long way to go. I believe, I think we have been keeping our chins down and keep focusing on how we can keep recreating whatever little less amount of capital resource we have. We continue keep shipping. We shipped totally seven iterations of the whole platform. We have now 12 products in the platform and we are trying to make the data thing. Now the industry is trying to follow the whole software system, this business model. I think we are really very pleasant about that, that everybody’s trying to follow something which we have pioneered. So that is the one thing from our journey which I want to share with this.
Wes Shriner:
Thank you. And what do you know now that you wish you knew then? If you could go back 20 years and tell young Shan something else, what would it be? What wisdom would you give yourself?
Shanmugavel San:
Maybe I think don’t go by the usual fancy company brands. So maybe I think you and me wouldn’t have met working along in the Microsoft world if I know the secret. So I think go see in case if there’s an opportunity to go for a startup is what I would’ve taken in case if I knew this before. But working for a startup, I think it gives you a huge… It’s kind of a mini MBA. You work for a startup for a year. It’s kind of a two-year, hundred-thousand-dollar MBA. That’s how I will put it. It can be a random startup out of India. It can be a phenomenally funded startup out of Silicon Valley. It can be anything. Go work for a startup, at least a startup. You going to have a phenomenal amount of learning. I think that I would redo that differently just if I can come out of school now.
Wes Shriner:
That’s good advice. Thank you, Shan, for joining us today. Your wisdom has been fun to listen to, and you’ve added a lot to the conversation. I appreciate it very much.
Shanmugavel San:
Thank you.
Wes Shriner:
I want to close out today with these three key takeaways, right? Security GRC has some great early career opportunities. Security policy is the start of all things security. And this is a really important touchpoint for our business and our organizational leadership. Next time we’re going to dive into product security, and I really hope you can join us for that because it’s going to be a lot of fun.
Kip Boyle:
Oh yeah, for sure. Shan, thank you so much for being here. I really appreciate the contribution that you made to the material that we’ve looked at today, and I’m sure that our audience is going to understand it much better because of what you’ve shared.
Well, folks, if you like our podcast, then we’ve got a free guide that I want to point out to you that we put together and that you might want to get your hands on. It’s called Play to Win, Getting Your Dream Cybersecurity Job, and you can actually see an excerpt of it here on the slide, on the screen, along with the URL that you can go to to retrieve your own copy.
What it does is it says, “Look, a lot of people like playing capture the flag. Do you know you can actually borrow the whole capture the flag mindset and skills to actually go and get your dream cybersecurity job?” And that’s what this guide does, is it takes you into a different head space on how you should actually go out and hunt for your job. Not just passively wait for job listings to show up in your inbox. That’s not the way to do it. The way to do it is to get out there and actually track down the job that is going to be a great fit for you, and tell people that you are a great fit for that job. And this visual guide, 20 pages, is going to help you do that. So go to yourcyberpath.com/pdf and grab yourself a copy. Take a look at it. Tell us what you think. If you think it’s missing anything, I want to hear from you. If you like it and you think it’s just right, let me know that too. Just would love to hear back from you either way.
But that does it forward today’s episode. Thank you so much for being here. And I just want you to remember you’re only one path away from your dream cybersecurity job. See you later.
Wes Shriner:
Bye now.
Shanmugavel San:
Thanks a lot, Kip. Thanks, Wes.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!