Quick Wins for Your GRC & InfoSec Journey
Megan Phee: Hi, I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more, to learn about your methods, solutions and outlook in the space. Hi. This is Megan Phee with GRC & Me. On today's episode, I sit down with James Rees. Jim, as I call him, is the managing director and principal security consultant at Razorthorn and he has decades of experience in information security and he's worked with some of the largest and most influential organizations around the world. Many of you might have caught our conversation on the Razorthorn technology spotlight series on YouTube or maybe you caught us live in London not too long ago, talking at our thought leadership event. But if you missed both, today you'll hear us speak about GRC, PCI and what Jim is calling some quick wins information security officers and leaders can have within their organization. Now, enjoy our conversation. Well hi Jim, it's great to see you again. How are you?
James Rees: Not too bad, not too bad. It's sunny here in the UK for once. How's it over there? It's an absolute pleasure to be with you.
Megan Phee: Yes. Yeah. Well you're catching us on a good day here in Chicago. It's sunny and actually 80 degrees, so it's a beautiful day. Last weekend, I think it was 30 so it's about right. 30 degrees Fahrenheit. But thank you for joining us. What really led us today, I thought, Jim, I would love to sit down with you because when we were talking the other day on your Razorthorn technology spotlight series, we talked a lot about the history of GRC and what we've both seen in the market over time. And one thing that popped up in that conversation, which was really interesting to me, was you had mentioned something about some changes within PCI and in general, in the nature of our industries. There's going to be changes to these frameworks and these requirements that we see in this space and so I'd love to just get your perspective on what are you hearing? What are you seeing in the market in regards to some of these requirements?
James Rees: The whole history of compliance in general is a bit of a funny one. Way back when I started 25 plus years ago, we didn't have anything and then came along Sarbanes-Oxley because a company in America decided it was a good idea to cause some issues from a financial point of view. And then it was around about the time that eCommerce started to get really big and along with the next big fad comes people trying to either compromise it or find some way to game it for their own advantage, normally monetary advantage. And eCommerce suddenly started, was the next big thing where there was a lot of card theft going on. There was a lot of fraud and the card brands kind of got together and said, "Look, we've all got this problem. We've all got our own set of different kind of security requirements that we've been sort of putting together and trying to enforce on people but it's not really kind of working. We need kind of like a universal thing." And out of that came PCI DSS. ISO 27001, which back then was BS 7799, had been around for a bit but it wasn't anywhere near what it is today. And the first iterations of PCI were also, they were okay, but there was a lot that needed to be improved on it. And the reason we got compliance in the first place really was all because people just weren't taking security seriously. And it wasn't those companies that were taking on the cost of that fraud, it was people like third parties, the credit card companies, the acquirers, the banks and banking institutions, that kind of thing. Compliance was born really out of a need to kind of enforce a certain baseline level of security. And it was a big shock to the system of a lot of organizations who were used to kind of operating in a way where they weren't really regulated. They had to worry about the IRS or over here, HMRC. 
Let's face it, we've had to worry about those people for a long time now and sort of general legal and contractual obligations, but we've not been used to compliance. You American guys and gals over there are a lot more used to it than we are, look at it that way or historically anyway. And it's kind of evolved over time and we have reached a point where ISO 27001, PCI DSS, Lexcel if you're a legal entity over here, at least in Europe or the UK and HIPAA if you're over in the States, there's a whole plethora of different legislations and they all have very similar requirements, all with very different ways of kind of what they're trying to protect. PCI DSS, card information; ISO 27001, it's all about key assets and making sure the security and the governance is there; HIPAA obviously medical records and that kind of thing; and Lexcel obviously legal case information, that kind of thing. But when you actually read through a lot of them, they've all been tracking in the same kind of direction. In the early days, it was very technical security. That's what they cared about. Do you have AV? Do you have firewalls? That kind of thing. But it's now moving into the governance side of things. It has been for a while and it's getting tougher and tougher now with a lot of these standards to meet those governance requirements, without having good security people and professionals within the organization. In the early days of a lot of those compliance regimes, you could do it very much with IT people as a general rule, maybe with some input in from finance and legal people and the rest of it but now you just can't do it. And one of the reasons we had you on the Spotlight on Technology series that we do is because GRC is becoming such an important aspect of how to manage your security programs and a large chunk of that now is really sort of driven by the need for compliance. 
Seemingly, there's no organization or industry that I've come across where there isn't some form of security compliance and legislation, even down to manufacturing, car manufacturing and the fact that now we're moving over to autonomous cars, we're moving over to cars which are very much run by computer now, compared to what they were 25 years ago. Something went wrong with it, you took it to a mechanic, you smacked around with a hammer and various other tools and before you knew it, you had your car back. Now, they plug it in to things and they get it to analyze itself and you could be in traffic and all of a sudden your car turns off and it's not because something in the engine's gone wrong necessarily, it could be just because the computer's decided it's going to give up the ghost. And all of this stuff has really driven compliance into pretty much every aspect of every organization and what we do. There's not much left now. PCI DSS is reaching a point now where the last iteration they declared it as mature. What they decided to do then was rather than kind of release updates on a cycle of three years or whatever, they would release updates as and when they required, with the same kind of consultation from the QSA community and the participating companies community. But I think, we went through, and again we covered this on the other video, there's been a big culture shock for compliance in the last two, three years. We've had the pandemic, we've dramatically changed the way that we've worked. Compliance is very much being driven down towards making sure your governance is being effectively and efficiently managed so that you understand risks. That you understand your assets, that you're doing research into your own business on what key assets are. Key third parties is another big one that's come out of all of this. 
The massive change from on premise to virtualization and then from virtualization over to as a service, to not only drive costs down but to allow for us to work in a way that we don't have to be in the office anymore. We still have the same ability but security has become more and more important as that progression has gone and compliance takes a little while to catch up. The latest situation of PCI, when you read through it, you can definitely see where they're going with it. And they've always said they track where the current trends are. And the current trends are very much ransomware. They're very much locking out people from systems and services. Our whole defense in depth aspect of what we as information security people consider, has dramatically changed as well. And to track the changes and to understand the changes and the changing risk landscape and the effect with compliance and maintaining our compliance as well, because a lot of these models require you to do consistent, ongoing things to maintain compliance. It's not just, oh, we've got it all signed off by the auditor and now he or she'll go away for two, three years and we'll just have to worry about it in two, three years time. They want to see a consistency behind it. It's changed a lot and it's going to change as well. Compliance only gets more complex. It never kind of relaxes, I've noticed.
Megan Phee: That's right. And that's the thing is the constant in our lives personally and professionally has changed and we can assume that these compliance frameworks will evolve and as they should and mature and speak more to the times and the climate that we're all working in. What advice would you share with those listening that are on that kind of maturity journey, they're trying to get their arms around PCI compliance, they might be on a journey to better secure their organizations and maybe even venture as far as trying to obtain future security certifications. That's a big question, but what are some early foundational guiding principles you would share with folks?
James Rees: Absolutely. Yeah. First and foremost, couple of points really to remember when you're doing this. When you're going down the InfoSec journey, as I like to term it, when you're starting out, first and foremost, you have to understand the business. You have to understand what it does, you have to understand how it generates revenue, you have to understand what its key assets are. And its key assets aren't just digital. A lot of people associate information security or cybersecurity with purely digital based countermeasures and systems. That is nowhere near the case anymore. Maybe 25 years ago when I was getting into it, yes, it was all very focused in that area. And yet all our lives are driven by technology but technology doesn't drive our business. It doesn't drive our lives. We utilize it as tools, in the same ways we did with typewriters and various other things that we dealt with sort of 25 years ago but now it's all driven by technology. In order to really secure a business, you have to do your homework. You have to understand your assets, you have to understand what the business is there to do. You also have to look at the power base within a company and that's really important because there's always a section of individuals or a department or some kind of guiding light within an organization who drive where the company is going. And those are the people that you've really got to build a very good rapport with because any changes that you make, there's a lot of resistance to security quite often, because quite often the perception is that you're there to stop them from doing something that they've done for years beforehand or to prevent them from making a profit or to just generally cause trouble and that's not really the case. 
By gaining that rapport early on, any changes that you make and the fact that you understand the business and you understand the assets and you understand where a lot of these people are coming from when they come up with issues or complaints, then you can work much, much better with them to kind of allay those fears and actually start making some real change. The other early quick win is get a full technical and business rundown of the organization. Get some pen testing done, inside and outside. Very important for the cyber side of things. Understand how your defense in depth is built from a technical and a governance sense. Defense in depth is like an iceberg, you only really see the tip and the top of it. There's a whole plethora of policies, procedures and technology that sit underneath the waterline that make up your whole defense in depth. And once you've analyzed what you have currently, if you have anything, that's the frightening thing here, then you can start looking objectively. And that's when GRC tools come in and are really important because doing the analysis, you've got to put that analysis somewhere. You've got to be able to correlate what you're doing back to that initial kind of review and that understanding because one of the key things a lot of people get wrong in InfoSec very early on, is not being able to prove the return on investment that the business is making with the amounts that they're budgeting to you. You have to be able to prove it. And the difficulty here is if you're doing security right and you're doing it really well, you don't have events or you have very few. And when you do, you recover from them really quickly and it's a double edged sword because yes, you're being efficient and effective in protecting the organization but the organization doesn't see events, they don't understand or they start to question how much they need the security that they have because they don't have problems. They've never had issues. 
GRC is important because you can track the events. And again, I go back to our conversation. I remember a time when we tracked it in Excel spreadsheets and Access databases and in various different ways that really didn't correlate in any way, shape or form. We couldn't draw it all back in. Compliance, good example, was done manually and still it does continue today to be a manual thing. But GRC has always been very expensive tooling and nowadays it's very different with companies like yourself. And there's very few that price it at a reasonable rate, that medium size companies and smaller companies, who make up, by the way, the main bulk of our economies, be it here in the UK or be it over there in the US, can afford. Everybody goes with the big companies. Or, let's go and get those on board and get them to buy our products. They price it in a way that satisfies a large company or a large organization. It's outside the remit of most medium size organizations, which means they don't do their security properly because they can't track it properly. And if they're third parties servicing those larger organizations, then potentially they're a security risk to their own customers through third party chain issues, which is what a lot of focus in a lot of compliance is moving towards. I think quick wins: know the business, understand where it's coming from, understand its culture, another big one, because you're going to have to make a lot of changes, no doubt. Track all of that in a way that allows you to prove your return on investment to the powers that be because that will come up very quickly and very early, especially when you start asking for expensive products. We want to refresh our endpoint security, well prove to me why we need to do that. If you can pull out from your GRC tool, your risk ratings, what your workings were, incidents in the past and refer them back to assets and so on and so forth, it's a stronger message, so GRC is exceedingly important. 
But those are probably your quickest wins and have a thick skin.
Megan Phee: Oh, I like that. Yes, don't take it too personal.
James Rees: Never take it personally.
Megan Phee: You might be overcoming some legacy experiences too, especially if you're new to a company or new to a role. I love that. Well you alluded to a couple of them, but my last kind of official question before we get to a fun one to wrap up here is, obviously we came together through the spirit of partnership and the market and we see that there's a great value with the two of us helping organizations, from not just your breadth and depth of experience and advisory lens but then obviously couple that with technology such as Risk Cloud and you spoke on a couple things but I'd love to get your perspective about it. You've seen a lot of technology in the market and in this space but you have selected our partnership and you've selected it to lean in and learn more about the Risk Cloud. And you alluded to things like we're inclusive, we're fit for purpose, kind of priced for purpose and it's not just for those elite to enterprise customers anymore. It's really more accessible for all. But I would love to hear more if there's anything else really that was interesting to you about why did this strategic partnership for you make sense at Razorthorn?
James Rees: There's a number of different reasons. I'll pull back a little bit on that question to kind of the security landscape when it comes to providers and vendors. At the moment, it's a massive space. There's a lot of emerging technology in the security space. New companies pop up every five minutes and it's really hard sometimes, even when you're embedded in this to kind of really track who's bought what or who's where. It's tough. What I like about you guys is you're really approachable and you're really, we've had a number of conversations. I've spoken with your techies and all the rest of it. And you guys are among the first sort of GRC tools to come out that have learned the lessons from the history, which is horribly expensive, horribly over manufactured, providing all kinds of stuff that people don't necessarily want or need and your developers and the people who came up with your product in the early days have obviously put thought and time and effort into where it all went badly wrong and what your early day competitors were like. And you've differentiated yourself in a variety of different ways. Some of it is very cool technology like your risk based stuff, the way that you present and the dashboards and all the rest of it. But I think for me as a security person, it's also around the philosophy I get from talking to you guys. You're passionate about what you do. You genuinely care. You listen to feedback. People very rarely ever listen to me, unless they're asking me for a piece of work, you guys, you take on board some of the stuff that I've said and are looking at it, I know internally and we've discussed it a number of times. That's very rare for an organization. Normally they kind of, they have their vision and that's what they're going for. They don't honestly look at the market and what the market wants and needs. Compliance is big. I want to track compliance. I'm a CISO. At the moment we got CISO as a service. 
We do it for about five or six different companies. I have to track alongside my people five or six different people's set of risks, countermeasures, defense in depth, compliance levels, whether they're going through a project, whether they're not going through a project. We can't do that without a good GRC tool. Now some of those people are using the more legacy GRC tools, they're waiting for the end of their license period. But we are definitely going through a big refresh in technology and I think the pandemic, dare I say, really drove that because it changed the way people work so we had to start looking at different products. As we started looking at different products, we started saying, "Well, I can't manage 15 different dashboards and provide stats for my bosses from where we are or the auditor when he comes in." By doing all of this, what we need is we need something where we can record all of this stuff in a more efficient way, in a modular way, in a way that allows us to use what we need to use but not kind of by some ancient, archaic piece of relic programming that does everything but we have to go through 15 years worth of training to actually understand how it works. I want to go in, I want to sort out the risk, that kind of thing. And you guys have really nailed it. Plus you're fun to talk to which let's face it, it's quite a dry area, security. It really is. But you guys have really nailed it. And us at Razorthorn, when we pick partners and we've got a good partner set of lists, in a variety of different areas, we only pick the best. We only pick those that we think our customers are going to enjoy working with because it is a partnership in this day and age, everything's as a service. If my GRC sort of cloud as a service goes down, before it was all on premise, so if it went down, it was usually because somebody had taken the database offline or whatever but we have to work a lot tighter now with our key suppliers and our key vendors. 
And weirdly enough, if you look at a lot of compliance now, they start to ask, how do you look at the security of your key vendors? Expect that as a bit of a tip for you guys, you're going to get asked a lot more to prove that but you guys are an open book. You'll sit down, you'll talk about it. You won't kind of hide behind the marketing. It's if someone's genuinely got a question, boom, they get an answer. Okay, if it's complex, you might have to wait a day or two but you're going to get an answer. With a lot of the vendors out there, you don't get that. They won't communicate efficiently with you, whereas you guys are brilliant. You've got a great tool, you've thought long and hard about how you are going to put it together, the component pieces that go into that tool what we need to see as security people as well. And you're open to people feeding back to you and security is going down that route where it's a two way street across the board now and I just love your style really.
Megan Phee: Well Jim, plus one. We can't say enough about working with your team as well. But you said a couple things that really stuck with me and you're right. Because I was thinking about my own tech stack that I use and over the last three years, we aren't able to just pop into a coworker's office and talk about the risk posture and compliance posture and then, okay, fine. We use this difficult system but we've had a nice dialogue to get the insights that we needed. Now being remote and heavily remote, so many folks are beholden to the insights and the reports that they're getting every day, whatever it may be. To tell us the whole story, it's just less accessible as global entities now to pop over and get these snippets of information. It just needs to be that source where it's connected, it's holistic, it allows us to take strategic risks and get the whole story. And I think you're right, I think we're all kind of like with anything, doing some reflection. What happened in the last three years? What systems are really optimizing our strategy? What systems are derailing our success or impacting or impeding our success? And so I think you're right. I love what you said a little bit about this is kind of a point for people to reflect and think this technology that I've been staring at for 12 hours a day in my office, is this a tool and the platform that's going to help us reach our next goals as we strategically evolve and go?
James Rees: Yeah. Actually, one thing before we move on that you make a very good point there, comms is changing and we're not talking as we did three years ago and communicating, so we can't talk around a risk anymore or we can't talk around an investigation. We do, but not like we did. Everything is becoming more stats driven and that just lends more credence to GRC in general because if you don't have a good GRC tool to present what you're saying in a way, you're not going to be sat in front of the boss anymore, you're going to have a Teams conversation. I've seen a lot of people saying, "I just don't go in the office anymore." And it is interesting, I just thought I'd add to that.
Megan Phee: Yeah. You're absolutely right. There's just not that chance for air time to talk about it, ad nauseum. You really have to document it succinctly, have that connected data and let anyone who's reading it digest and understand it. And I know we've talked about that, we're seeing this trend where it's about even normalizing the way we look at risks into pounds and sterling and dollars and cents and all of that, into euros. It's about a financial look at this and I know that IT has been a leader in that space. But yes, well wonderful. Well Jim, we've talked about the serious nature of our work and what's going on in the market and so would love to just wrap up our conversations today with just a fun one. What do you do these days to get a laugh? What are you doing out there to have some fun?
James Rees: Okay. Something that a lot of people don't know about us and I'm probably not going to get thanked by some of my staff members, a number of people at Razorthorn get together, usually three or four times a year. We haven't been able to do it because of the pandemic, get decked out in armor, pick up swords, shields and axes and engage in medieval warfare, is probably the best way to describe it, with about two to 3,000 other people in a field.
Megan Phee: You are saying, you had some mates, some connections that have had a little bit of celebrity spotlight. Tell us about it.
James Rees: Yeah. We've been doing kind of this kind of medieval battling now for 20 odd years and I've known a lot of people in that community for a long, long time. And quite often when big films or big television programs where they require a lot of people who are used to wearing armor, wielding swords and actually hitting one another, have required things like Game of Thrones, that kind of thing. They normally call upon various different communities and ours included. I've known armorers. I knew the guy who developed the original armor style for the Night's Watch on the wall. I actually have a cloak very similar to one of theirs. And a lot of people work in a lot of films. There's been people who've worked for things like Robin Hood back in the day. There's been two versions of Robin Hood, I know people who've worked on both of those. Braveheart.
Megan Phee: Or archerists, you said archerists too.
James Rees: Archers, I know quite a few archers who've been used in filming and all the rest of it. It's quite fun. Apparently you get to spend a lot of time standing around in the cold because obviously a lot of that's filmed in the UK rather than nice places. And you'll stand around for eight hours and you'll battle for about 20 minutes if you're lucky. It's not all fun but that's what me and a few of the other people here, guys and gals here at Razorthorn do. And then we will go down the pub afterwards, go down the tavern for an ale.
Megan Phee: There you go.
James Rees: Or some mead. There you go.
Megan Phee: There you go. Oh well, that's great fun. I know the life of an extra is there's a lot of waiting and anticipation but as a movie buff, as a film buff, I always aspire to be in the corner of a scene or something but that's awesome. Jim, thank you so much for sharing your thoughts today on the market. As always, it's great to come together and just get your perspective on what's going on and the history and the evolution of where we are today. Thank you for joining us on an episode of GRC & Me.
James Rees: Thank you for having me and it's been an absolute pleasure, Megan.
Megan Phee: Sounds great. Have a great day.
James Rees: Cheers. You too.
Megan Phee: And if you want to continue the conversation on governance, risk and compliance, join us at our third annual user conference, Agility on September 22nd and 23rd. You can join us virtually or in person at the Swiss Hotel in downtown Chicago. Just visit agility.logicgate.com for more information. And until next time, this is Megan Phee with GRC & Me.
Great conversations leave you wanting more and that is exactly what happened when LogicGate's own Megan Phee appeared with James (Jim) Rees on Razorthorn's podcast. So when they both felt like there was more to discuss, we invited Jim to join us on GRC & Me. Jim is Razorthorn's Managing Director and Principal Security Consultant with decades of experience in information security. He has worked with some of the largest and most influential organizations worldwide. In this episode of GRC & Me, Megan and Jim continue their chat on the ever-changing complexities of compliance, how regulatory models ask for consistency, and quick wins for those starting on their InfoSec and GRC journeys.