Automating Your GRC Program: Lessons Learned by CIOs and Security Professionals

Kevin Qiu
February 23, 2022

Macy Mody

Drew, I'm going to kick it over to you now. Thank you so much everyone for coming. We're excited for this webinar and Drew will be your host.

Drew Daniels

Good morning, good afternoon, good evening, everyone, wherever you might be, and happy Tuesday. For those of you who have been following the fun around it being, you know, the same backwards, forwards and flipped upside down.

So I'm Drew Daniels. I am a 25-year veteran in information security and technical operations. I am a prior CISO and CIO at over five companies, and I'm also an investor and advisor in a number of companies. I'm going to shortly introduce you to our panel this morning, but I would like to take a quick moment to lay out some of the ground rules.

First and foremost, a quick caveat about this talk. All the opinions that we're going to express today reflect the panelists' personal views and not those of their respective companies. I think that's important to note; we want to make sure that the panelists feel that they can talk freely about their experiences that span their entire careers. But I also don't want to put them in a situation where they feel like they have to present something that may be counterintuitive to their company. Secondarily, and Macy mentioned this earlier for those of you that joined a couple minutes early, we have a Q&A function built in. So if you have questions, please just enter your question in the Q&A, and Kevin will be making sure I get made aware of those questions so that we can answer them for you.

So let me introduce you to today's panelists. First up, a good friend of mine. Jack and I are part of ISLF and we're also part of SVCI as investors and advisors. Jack is the Vice President of Security and Compliance at BookNook. Jack previously held the role of Chief Information Security at Turnitin and its subsidiaries, where he managed and controlled regulatory compliance, data protection, security, technical infrastructure, and application security across the company-wide security process. He brings, much like me, 25 years of experience in designing systems within greenfield environments and providing a level of security for school districts, consortiums, and even some top secret processing government agencies.

Dwight Doscher is Director of Security and Compliance at Stride. He is an innovative information security leader with a reputation for developing solutions, bolstering business goals, and scaling processes. He's currently serving as the Director of Security and Compliance at Stride. His experience provides a unique business insight and results in efficient coordination across multiple business units. Dwight has significant experience with regulatory compliance, specifically PCI, and external and internal client coordination, operations, risk management, threat intelligence, and incident response.

And finally, Blake is a Senior Risk and Compliance Engineer at Instacart, who manages third-party risk, what we sometimes refer to as TPRM, and customer trust programs, which are part of the GRC team at Instacart. Blake was at Salesforce for five years in the GRC and third-party risk space, building and managing programs. Blake has over 10 years of experience in GRC, focusing on security and compliance, CPRM, and building and scaling programs.

Good morning, the three of you. Hope you're doing well. So what I'd like to do is start out with some prepared questions that we came up with. These are questions that we selected in prior conversations. Some of them relate to the prior webinar, if you participated in that last month, and some of it will lead into the webinar that we're going to do in March as well. Previously, we had spoken about strategies to reduce the likelihood of colleagues signing up for rogue application services by collaborating with IT, Legal, and Finance, as well as Security and Privacy. However, sometimes that doesn't work. So what I'd like to talk about with the panelists is, how do we address this issue? Anyone have any comments on that?

Jack Roehrig

Program? I mean, there's a ton of different ways to get ahead of these rogue issues. There's monitoring for shadow IT. There's a lot of companies that are coming into play right now that will monitor even, I think, Wing Security, for example, right now is monitoring for things that are going on in email, and it's kind of spying on employees to see what things they're signing up for. There's DLP solutions that we put into place that look for data loss, for people disclosing things that they shouldn't be. But it's a problem that I haven't ever seen anybody get on top of 100%, right? I honestly believe the best way to get ahead of this sort of thing is to build a friendly security program, have a shift in security culture that makes people feel good about security and want to disclose things, supply chain management processes that are easy, and just kind of get ahead of the problem by making it a one-team issue rather than a combative thing.

Drew Daniels

I agree with you, Jack. I mean, I think that it's often lost on security professionals that even though we're there to protect the business, ultimately we have to do so in a business-friendly environment. We have to be able to entice employees to want to do this. And that's not by bribing them or something like that; we're looking for ways to encourage them to do the right thing. And I know that you and I don't believe in FUD: fear, uncertainty and doubt. We do believe in a certain amount of precaution, and letting people understand kind of the risks that come with information security, and why it's important that everyone does it.

I'm sure everyone on our webinar today has heard that you're only as strong as your weakest link. And that's often in the employee space. If somebody clicks on a phishing email and enters their credentials, no amount of security is going to really protect you from things like that. And there's nothing you can do about that. So you've got to educate your users, and you've got to make sure that they understand the challenges of information security and the speed at which those challenges can be taken advantage of. You mentioned something about some of the applications out there, and I talked about that in a prior webinar, the first one that we did on this, and there's a whole bunch of tools out there: Lumos Identity, Blissfully, Zylo, Torii. When you mentioned that, I think you and I are both investors in that. Maybe, I don't know.

Jack Roehrig

You've got no bias here, right? No bias at all.

Drew Daniels

But yeah, there are applications out there that are certainly addressing some of this problem, and you know, it's interesting, they're all taking different approaches. And you also mentioned something else that I wanted to kind of highlight, which is DLP. And some of these solutions are hybrid solutions. So they're working on improving how people access applications, but they're also looking to understand the threat matrix. They're looking to understand some of the challenges with data leaks, and also some of the risks associated with some applications. And I think that's an important piece to consider.

One of the things that we also talked about in the past that I'd like to get Dwight's buy-in on, but let me talk about it first, is, as many of you know, SaaS apps are a boon to our business. I mean, Jack and I've been in this business for 25 years and everybody on the panel has been in here for 10-plus years. Even 10-15 years ago, applications were things that you installed and they required binaries and things like that.

Today, the SaaS landscape makes it so that most things are browser-based. And because these companies are working off of a consumption model, they make it extremely easy to add them to someone's list of applications because they offer free plans. They offer freemium plans, they offer basically where you don't have to have any contracts or payments involved. But that's kind of just a quick way to get in, and then build a beachhead in a company.

So one of the strategies we talked about in an earlier planning session was application whitelisting in Google Workspace, and I'm sure that Microsoft Office 365 has this as well. What are some of the problems that you are aware of with allowing any user to add random applications, from a GRC perspective?

Dwight Doscher

Thanks. And you kind of summarized the problem really well, in that the availability and the ease of integrating tools into Google Workspace and other tools, like with GitHub and across the board, this is just becoming a really easy thing to do. So employees don't really think about, so what is the implication of data sharing with this unknown entity, who may be either monetizing the data on the back end, or distributing it in some other sort of way, or maybe even be a malicious actor themselves? So Google whitelisting and blacklisting allows us to at least block Google Drive and some of these applications from being able to share out information without explicit approval from admins. And just as an additional note, that's another reason to continue to reduce the number of admins to as few as possible, or at least ensure that there's a security review before an admin makes a decision on a whitelisted application.

Drew Daniels

That's a very good point, too. I'm a serial startup guy myself. So I often walk into companies as the first security hire, and it'll be a 50- or 100-person company, and I'll walk in and find out just about everybody has administrative access. And I think that it's not because they need that access, it's not because they're asking for that access. It's just that a lot of the teams these small companies start out with don't have a lot of time to go in and set up profiles. They don't have a lot of time to do that administrative function. They're doing 2, 3, 4 jobs as they're trying to build the brand, build the business, which I think all of us are aware of, because we've all worked at smaller companies and dealt with that.

But even in big companies you'll find that there's a lot of opportunity for misses when it comes to that administrative burden. So as I mentioned earlier, I'd spoken at a prior webinar about some of the other tools out there. What's recent to the market for these tools is that they do a number of things, but primarily data discovery, so they help teams like GRC discover applications. And for me, personally, and I'd like to get the panel to weigh in as well.

You know, I've been surprised when I've used these applications. I've looked at Lumos, I've looked at Blissfully, I've looked at Torii, I've looked at Wing, you know, and what I found is that they may inevitably discover applications that I as a security professional am not aware of, and there's just a numerous set of problems with that. I mean, these applications are collecting or processing data that may lead to privacy problems. They have access to systems and networks and proprietary and confidential data that needs a security review.

So what I'd like to ask the panel is, how have you all dealt with this beyond application whitelisting? Is there anything old school? Maybe, Jack, you can talk about that, what you've learned over time on how to deal with this beyond what we talked about very early on about applications, or about kind of helping educate employees. Are there any technical solutions or data scraping techniques that you use to be able to trust, but verify, the employees and help them understand things that they may be doing that are not quite reasonable from a security perspective?

Jack Roehrig

I love that you use the phrase trust, but verify. And I highly recommend folks Google that, because it's been a tagline of mine that I've used, kind of tongue in cheek. People that I work with tend to think that I'm like a secret Russian spy or something like that. They're so fascinated with security. And you got to put a little ski than Volga, right, like I speak Russian for no reason. And so, like, I got this air of, like, don't mess with Jack, right? But at the same time, I'm also a very friendly person.

So in terms of discovery of the applications, the best way I found to do that is just to be in the know, and also, when somebody tells me about an app that they're using, not to be like, what did you do, you get disciplinary action? Right. Um, I was one of the first customers of Zoom back at ISE. And I remember when we were doing our first all-hands with Zoom, they upped the number of concurrent people that could be broadcasting video for us, to like 100 or something like that. Like, that's how long ago it was, and look where Zoom is now.

So in terms of finding the stuff right now, I mean, if people are using their Google accounts to authenticate to it, Google has reporting on that. I get a report from that every so often. But there are a lot of other techniques to discover programmatically. And the new stuff that I'm seeing coming out is really cool, and definitely it gets a lot more of it. But it's still stochastic, right? I don't know of a deterministic way to get ahead of everything. But when it comes down to, what do we do once it's there? Do we have great data classification policies, custodianship tracking, segregation of duties, and network partitioning that's going to protect against that?

Nobody does. Nobody does. Every place I've ever worked for, of course, didn't mean it, but you know, nobody does. So you know, staying on top of that, really, I think, is what I call Judo IT, right? So you have shadow IT, which is where people are going to procure all of these things. Judo IT is to take that momentum and move it in our favor. I've had some bad experiences in the past with Trello. When Trello first came out, they refused to give me any VSA or answer any security questions or provide me with any security attestation. And we still use them, right?

So there are instances where we have had active disciplinary policies in the past because of people who were using shadow IT, but I think the best example that I can think of, the most hilarious one, was Grammarly. I don't know if any of you all use Grammarly. It's a great service. I like LanguageTool because I'm a huge privacy geek, and LanguageTool was developed by other people that are just as cool as me and super privacy-geekish. But Grammarly, it's storing everything that you're pumping through its system. It's doing that to develop a similarity detection database to compete with a company like Turnitin, where I used to work. And many Turnitin employees, they had no idea what it was doing. Grammarly was breached in 2018. There was a data leak; it was a small anomaly. And so the way I got ahead of that one was, I said, guys, they're a competitor, you know, and the minute that word got out, everybody stopped using it. I was going to block it on the edge, but I noticed that all the traffic kind of dropped out. I'm in a different company now, and people use Grammarly. That's cool, you know; Grammarly, they're not a competitor of ours. But these are like some nuanced things, right? Like, I mean, as engineers, we all want to think about some programmatic way to just block it, but they never work completely.

Drew Daniels

Yeah, I mean, you're right. I mean, at the end of the day, we certainly have to leverage the business environment that we're in, and make sure that employees understand that something they may be doing may be causing a problem. For that, Blake, I'm wondering your thoughts on this?

Blake Hoge

Yeah. You know, as my manager always says, GRC is the hub of the wheel. So, you know, it's essentially our responsibility to work very cross-functionally with those stakeholders. So, you know, our more technical security and application security folks, our privacy folks that are staying up to date on CPRA or whatever new privacy laws or regulations are coming out, our IT folks, our users that are requesting new apps and services. It's being able to connect the dots between all stakeholders involved and decipher what are the goals, the objectives, the risk, and again, if you're able to articulate what the risks are to your stakeholders, or to the end users, you can usually find a path forward of how to reduce that risk.

Instances we've implemented, from a governance perspective: it's not super fancy, it's not going to mitigate everything at the start. But you know, having policies, procedures, a wiki outlining to people, hey, what is the risk of using some shadow IT or implementing a SaaS, it might come off as harmless, but here's the risk with that. And here's a defined process that you need to go through, implementing the technical controls we talked about. So whether it's doing allow or block lists through Google Workspace, stuff like that, we can reduce some of the risk. And then again, we want to be business-enabling, and also enabling compliance as well.

So being able to integrate requirements. For us, as we maintain a SOC 2 and PCI and anything like that, we want to make sure that we're incorporating requirements that are also going to help us fulfill those certification requirements and uphold trust to our customers. And then also integrating those back into our processes, so we can reduce risks there and make sure we're making compliant decisions as well. So we use a combination of all those, but, like you said, I don't know if there's a one-size tool that fits all for mitigating this. And I think it's important for professionals like us to meet with those that are rolling out new tools and socialize with them, telling them about our requirements, our use cases, and making these tools usable. Because at the end of the day, we've got to be able to work in these environments and make our business users compliant as well using these processes.

Drew Daniels

Absolutely. And I'd mentioned in a prior webinar, making sure that, especially when it comes to SaaS applications, you need to kind of elicit and get the support of Finance, Legal and Privacy. If Privacy isn't part of Security, sometimes it's separate under Legal. Because there may be cases, especially with Finance and Legal, where they learn about an application that may not have gotten through Security. And if you've got that built-in relationship with them, they're going to not only ask the person that's asking to have something paid for, or something that's being asked to be added to SAML SSO, hey, have you run this by Security to make sure Security is aware of this? But they can also let Security know, hey, I heard about this application that some users are using, you might want to look into it.

And that's certainly old school stuff. I mean, that's just relationship building. And one of the other things that I often do at companies is, at least once a quarter, I'll go around to each team, which generally has all-hands meetings with everybody in that department. I'll go around and spend some time in their all-hands talking about kind of the things that are top of mind for me right now, so that I'm humanizing information security. Because they sometimes think, as Jack mentioned earlier, that we're not human, and we very much are experiencing some of the challenges they have.

One of the other things that came up in our conversation, and anybody can chime in on this, I've not had a lot of success with this. I've tried this a few times, but have not had a lot of success, is having a software catalog, which keeps track of what applications a company has and what licenses and how they're being used. Has anyone on the panel done a software inventory or software inventory portal to keep track of that, or worked with it to build that?

Jack Roehrig

Well, did yours work?

Drew Daniels

No, sorry. Mine, we got most of it. But no.

Jack Roehrig

Well, yours is probably better than mine was. A year ago you talked about yours; probably better.

Dwight Doscher

So what I've done in the past is to kind of make sure that as many software requests as possible are routed through Finance. They're one of your best friends when dealing with vendor management and software applications. So making sure that you're hooked into everything there. We implemented a software called Certa. It allowed us to build out a portal on the back end to allow people to kind of see all the software that we had already approved. Recently, I have started to use Snyk for our third-party software inventory, or third-party library inventory for our open source software. And it's been honestly kind of a godsend. There's a number of other competitors in the space there also, if you're not a Snyk user, but that has helped me kind of streamline all that work as well. So those are the two ways that I've done it. And I review that through our MDM software. Cisco Meraki does this, Rippling does this, JumpCloud does this; they allow you to see what's installed on people's machines.

Drew Daniels

Yeah, I mean, that's a good one. And it spurred a conversation I thought about in my head, which actually was reinforced by a question that we just received from the audience, which is, and I'll read the question specifically: on the topic of software catalog, have any panelists or attendees done anything concerning SBOMs? And before I kick it to the panel, this is something that some of you may be aware of, and I did a fireside chat talk about this last week with one of the companies that are in the space.

And as you may or may not know, recently, late last year, a new ISO standard came out around software bill of materials. And, specifically, this is something that's garnered attention from the White House. There was an executive order released last year. And it's something that I think, certainly in the very near future, if you're working with the government, you're going to have to be able to produce that and deal with that. But I think that that's going to lead to, and I hope it leads to, greater transparency, especially when you are working with a service provider vendor, because, and I hope the panel can chime in on this.

At all the companies that I've worked at as a service provider, we are definitely leveraging the modular approach to applications and using many, many open source components. And what I mentioned last week, when I was speaking at the fireside chat, was that, on average, it's about 200 open source components. But I think that's kind of the bare minimum, I think, when you factor in that a lot of things are running on Linux, and Linux has just so many open source components built in. It's probably thousands, once we get down to the nuts and bolts of it. So I'd like to open it up to the panel: have you dealt with SBOMs? And what are your thoughts on that? Let me start with Blake, because Blake has not had a lot of opportunity to talk.

Blake Hoge

Yeah, I would say in this space, I haven't had as much experience, since we're still kind of building out some of the foundational stuff that I'm working on. So I'd be interested to hear a little bit more, maybe from Jack. You probably have a little more experience in this space than I do.

Jack Roehrig

Yeah, so every time you acquire a company, right, or you sell the company, SBOMs are huge, right? I mean, it's a huge thing that's in scope. And I've never once acquired a company, I think we've done like three dozen, where they had one ready. It's always audited post-op. I think that it's strange, because when I think of supply chain, supply chain risk management, I don't think about all the open source models that I'm using, and Dwight, I love Snyk, by the way, right, like just a huge fan because of what they're doing.

But what I like to think more of is getting involved in every little thing that's going to be processing my data, every third party that will be processing my data. I'm thinking, you know, very much so about data, and who has access to it now. Don't get it twisted, if I'm using a model that's going to make my system vulnerable to something, or if it's going to, you know, have some sort of malware in it that's going to jeopardize the data, that's a problem. But risk-wise, if I have a data science team that is going to partner with a company that has no security program whatsoever, and send all of our most confidential data to it, that's a huge risk.

So in terms of software bill of materials, my software bill of materials, really, I know that this isn't what it is, but what I like to think of as a software bill of materials, what it should be, is a list of data processors and their associated risks. And I mean, I think that can translate down into components of software that we're using, but what you mentioned, Drew, when you were talking about Linux and all that, I mean, it's thousands is not an understatement, but it is thousands. Yeah, there's no way to get ahead of that, and Log4j certainly taught us something. So I guess the way I try to look at this is as a risk-based approach: if we try and tackle every single risk and make everything perfect, we're not going to have a product.

Drew Daniels

Right. And I think Dwight said it best. You know, what I've done in the past is, you know, especially with Snyk, I've done exactly that, where I've used that to build kind of a listing of the open source components. I wasn't looking at that for building an SBOM. I was looking at that for being able to derive the risk, as you mentioned, Jack. I think that's one of the things that I was looking at, and I partnered with Legal. Legal was very interested in that when I was talking about software composition analysis, which is one of Snyk's core capabilities, and Legal, prior to me joining the company that I mentioned, had the engineering unit basically create a spreadsheet of all these components.

And I looked at that spreadsheet when I implemented Snyk. And I said, you realize this is not even a sixth of what I know is in our application and the applications that we provide, because we had many applications out there. And I've heard this over and over again from Legal: oh, that's what engineering told us was out there. And I said, well, you know, engineering was trying to placate you, they weren't trying to piss you off. They weren't trying to do something to drive you nuts. But they were trying to satisfy multiple masters, which is what all of us are trying to deal with now.

We had a question that is sort of on topic, so I wanted to address it. The question was, do sales professionals typically understand their security programs? And I'm sure all of the panelists can talk about that, so I'll ask them, but from my experience, no. And I addressed that in the last webinar that we talked about; if you haven't seen it, I think you should reach out to SafeBase and get a copy of that. But that was one of the things that I raised: when I send out security questionnaires to companies, I put negative questions on there, because what will typically happen, what I've seen more often than not, is sales professionals will be tasked with responding to that questionnaire, and their answer is yes on everything. So you put negative questions where the correct answer is no, so you can detect someone that just went in and checked yes. So you've got to have psychological tricks to, you know, be able to catch that. So let me open it up to the panel. What have you all seen with regards to that?

Blake Hoge

[Laughs] Yeah. I was gonna say, yeah, I've definitely run into that. Again, being kind of in the third-party risk space and customer trust space, we run into that where, even inversely, when we're receiving the questionnaires from our retailers or customers we're going to be partnering with, and we get the quick pressure of, we just need to get these turned around quickly. And, you know, little do they know that it takes a lot of time behind the scenes; we need to make sure that we're providing the right responses.

So instead of just yes, no, providing context of why it's yes, what we're doing in these aspects, and providing the details. So if it was up to the salespeople, I think they would promise the moon and the stars and everything to seal the deal. But I think that's why it's critical; we just started using SafeBase recently, as part of our customer trust, to streamline that, to empower us to kind of be the arbiters of truth of what we are doing, right? Versus just putting yes and no responses. So, yeah, I definitely have my skepticism when it comes to that. But anything we can do to empower ourselves and be transparent and honest, and document things correctly.

Drew Daniels

What I want to lay into specifically: at my last company, I was also a SafeBase customer, and I've been using trust pages for a while, more than six years now. And prior to SafeBase, I'd say they failed. And while this isn't, I don't want to get into too much of this. But what I want to see, my hope for service providers, is that they provide more transparency.

I think that there's an opportunity to shift the paradigm. Instead of me waiting for a questionnaire and having to deal with that questionnaire, companies have this templated process where they go and look for that documentation, look for those trust pages. Because, you know, at least for me, when I built the trust pages, I would include security policies, I'd include SOC audits and things like that. And I think that's something that is very helpful to not only show that you have transparency and that you are a trustful entity, but it can be a competitive advantage.

Because I think one of the panelists mentioned before, I think Jack mentioned that he'd reached out to some vendors, and we've all had that experience, and the vendors just basically said pound sand. I actually had a vendor once tell me, when we were buying something, that we were literally $50 below the threshold for them to answer a security questionnaire. They said the package you purchased is $50 under the minimum requirement for us to respond to your questionnaire, and I ended up telling IT, who wanted to use this, I said, okay, we've got to walk away. There are multiple solutions out there, and multiple competitive advantages that can be sought in other solutions, and one of them is they'll respond to questionnaires. Funny thing is that the IT director, and I never followed through to see if he did this, even though he walked away from that vendor, was going to send them $50 and basically screw up their books, because now they'd have to recognize $50 for a customer that never happened. And I don't know if he ever did it, so I'll have to go back and ask him.

So, um, I see that there's another question. It says, there are producers and consumers of SBOMs, but curious if GRC and CPRM teams within organizations are asking for SBOMs to understand the risk with vendors that they're onboarding to utilize. So I'm going to open that to the panel. I personally haven't really asked for SBOMs, because it's a relatively new concept, and I don't think a lot of vendors are there yet. But, and Kevin mentioned this, another way to look at this, and I think Jack mentioned this as well, from a privacy standpoint, GDPR has really kind of pushed on this with subprocessors and some of the rights around that. So I'll ask the panel if any of them have experience asking any of their service providers for any kind of software bill of materials, and how it has gone dealing with the subprocessor requirements in some of the privacy legislation that has come out.

Jack Roehrig

In terms of SBOMs, for me, though, I've never been asked. When I was a data processor for 45,000 government funded institutions internationally, I was never once asked for an SBOM. I don't know, maybe it didn't hit my desk because it was too orthogonal of a request. What I typically do with regulatory compliance requirements for data processing agreements and data sharing agreements, it's more about the cognizant understanding and contractual obligation of liabilities, notifications, that sort of thing. And when I'm doing diligence for the security program of a subprocessor, I'm looking for a security program that has a certification that is on par with a certification that I have, right? So the way I look at it is, if I'm SOC 2 Type 2 certified in availability, privacy, confidentiality, whatever, I want to make sure that all of my data processors have something equivalent.

Otherwise, what's the point of me having that if I'm just going to send all that data to somebody that doesn't? And the way I enforce that internally, because I know a lot of the CISOs out there are gonna be like, easier said than done, right? It's real simple. If we are beholden to an external audit that requires it, set up and own, have your department own, the vendor approval process, and make it easy and automated, right? So have the request come in, have the security approval start very early on in the game, have it automatically hit legal, automatically hit the accounts payable department, right, get it all. Piece of cake, everybody. There's not a lot of people contacts, and if there needs to be an exception, well.

That's why people have that O in their title, company officers, and company officers sign an attestation letter, a personal liability, that they are overriding. And I'll tell you, no one really wants to do that, because they tend to own homes, and they tend to like their freedom, right. And the data that I deal with in the education technology sector is incredibly sensitive and incredibly vast. So when I'm asking an officer to sign it over, and I'm saying, do you want the 1.3 billion essays that have been submitted to our database by children over the last 25 years to go to this boutique data science company that has a picture of a dog listed as their security officer on the About Us page? Or would you like to spend the extra cash and go somewhere good? I've seen a couple of officer overrides that I've agreed with, but generally speaking, I've never seen it.

Drew Daniels

Yeah, I've implemented that in my programs as well, where I think it's important to have this, that there is an opportunity for the executive of a department to say no, that's an important tool. And the funny thing is, I've seen it go both ways. You know, I had an HR officer once, they had a friend who had started their own company, and they wanted to use them for something in HR. And I went and spoke to the CEO, the entrepreneur who had built that business, and said, well, you know, you want us to send employee data to you. And I mean, you want us to hand over salaries, you want us to hand over reporting relationships and things like that, how are you handling it all? And they said, oh, you're just gonna zip it up for us and it'll end up on a developer workstation, because we're building the product for you. And I went back and I explained this in kind of simpler terms to that HR officer, and she said, yeah, that's probably not a good idea. And I said, yeah, I've denied it, you can certainly override it, but then ultimately you're being accountable and responsible for the risk associated with this. And she was just not willing to make that determination. So I think that's important.

I want to jump ahead now, though, because we've spent a little bit of time on this. One of the things that I'd spoken about in the past, and we've spoken about a little bit here, is automation tools that can help you achieve some of the compliance that you need. And I know some of you have worked with this. But there's kind of a number of tools out there today that can help kind of automate some of the simpler checks that you do, because, and I think everyone on here agrees, even though we're in the business of GRC, it can be a little tedious, a little pedestrian, a little repetitive, and working with spreadsheets and things like that can be challenging.

I'd like to ask Dwight, what are some of the strategies that you've used to help employees digest, for example, policies? Because that's something that I've struggled with myself. I walk in and speak to my GRC leader, and they've got a 30-35 page policy on information security that they want to send to all employees and get them to acknowledge it. And I'm just sitting back going, I barely understand everything on here, and it's not something that I'm going to remember all the time. So how do you deal with that?

Dwight Doscher

So we're all friends here, right? We're all GRC friends, we can admit to each other and ourselves that people are never going to read and retain the policies. Good, because that's exactly what happens. So what I've done at Stride and in places that I've worked in the past is to say, break down those policies into procedures, guidelines, and standards. And the intent then is for policies to be the high level legal jargon to help protect the company, and to serve an additional purpose, which is to help guide the company through strategic discussions. So it's all high level stuff. And then those other three documents, the guidelines, the standards, and the procedures, are there to help the implementers do what they need to do. That way, I can point them towards a specific document and say, this is where you need to go to get the information that you need to do your job. And then refer them to, say, the policy and say, this is where it's all driven from, so you can see where all this comes from. And that kind of helps simplify their lives, it helps simplify my life.

Drew Daniels

I mean, that's really good. And I've definitely seen that with other GRC leaders that have worked for me in the past. One of the things that I've done, and I want to share it with our participants and also with the panel: at the last three companies that I've worked at over the last 12 years, I built what I called the security credo, which was kind of a set of high level goals and aspirations for the security program. And inside that document it would reference the sections of the information security policy, it would reference the standards and the guidelines, for them to get more information, but it would basically boil each one of those topics up into a sentence or a small paragraph, so that someone has essentially just two or three pages that they have to keep top of mind when they're going through their business day, and then reinforce it, as many of you have talked about, and I know Jack, you mentioned this a couple of times, with security awareness training. But that's how I've done it. Jack, or Blake, what are some of the ways you've dealt with that?

Jack Roehrig

What Dwight said, honestly, was so validating. It made my day. There are so many people that stop at policy and they don't really get the whole GRC framework. But Blake, you probably have something.

Blake Hoge

I would say from my experience, previously at Salesforce or Instacart, that there are similar mechanisms. I think that's the way you make the very granular detail. You break it down into bite size, meaningful information, starting on a policy, procedure, getting it down to the level of information that people are going to digest for their use cases, and being able to understand and be compliant with. I guess, if we want them to complete these, it needs to be a manageable format that anyone can pick up and run with and not end up on a naughty list. So I think Dwight nailed it there.

Drew Daniels

That's helpful. So I'm going to jump back a little bit and talk a little bit about one of our first questions. We talked about sensitive data and rogue applications, and how applications aren't necessarily integrated into some of the automation tools that we use, and this can pose a huge risk.

I'd like to ask the panel, what are some of the other GRC tools that have made your life easier? We've certainly talked about a few. One thing we didn't mention was some of the automation tools out there. And there's a bunch, you know, there's one that I've used recently that was brought up, but there's others like that, you know, there's Secureframe, there's a bunch of them out there now that are building a platform to help with some of the automation and some of the workflows. But what are some of the other tools that some of you have used to help make your life in GRC easier?

Blake Hoge

You know, there's typically the more established ones we've all heard about, like the OneTrusts or AuditBoards, and some other established ones. So I've either had some experience using those or heard about them through other peers in the space, and talked through some of the pros and cons of using some of these tools.

I guess, without putting any one tool on the leaderboard in this space, I would say I always go back to, what are the requirements that I need to get from this tool? Who are the stakeholders involved? Again, if it's Security, IT, Privacy, what are some of the requirements that they care about, looking at the future state down the road? Are there going to be any tools or anything else we need to start integrating into that we need to start planning for now? Or does it need to be out of the box, and just ease of use?

And I would say, from one of the tools we started using, again, I'll just name SafeBase right now, I've really been appreciative of the more startup based companies right now in this space, because I think they are a lot more in tune with their customers. They're really receptive to feedback, and they're super quick about rolling out new features. So if you ask for something, they're really quick to deliver it, whereas I think a lot of the more traditional, bigger companies might lose a little bit more of that customer relationship there, and just roll things out en masse that might not be as applicable. Is it a nice to have? Yeah, but is this what you need to get you to the next level? It might not be. So I would say I've really been fancying more of the startup companies and just the way that they're able to roll things out and deploy things quickly.

Drew Daniels

Yeah, I think that's great. And, you know, I'm with you. And I'm guessing Jack is as well, I mean, you know, we're both part of SVCI, and we're constantly looking for new tools that are in the security space, to help companies envision the best way to handle and tackle these problems. And that's one of the reasons I do it. I think you're completely correct that these newer companies, they're hungry, and they're willing to listen to their customers, because they know it's a competitive market and they need to kind of build that strong customer base. Any final thoughts from anyone else on the panel? Because we're over time at this point, so we're pretty much done with today's talk.

Drew Daniels

Okay, since I didn't hear anything else from anyone else, I appreciate the panel, Dwight, Blake, and Jack, for spending time with us, and I hope everybody that attended the webinar enjoyed our chat. We've collectively got about 75 years of experience here, and I think it's important that we pass on that knowledge. I want to thank SafeBase for sponsoring and promoting this, and I think that will be it, so I bid you all adieu. Thank you very much, thanks everybody.
