Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, welcome again to CISO Tradecraft.
I'm here with Matt Hillary, the CISO of Drata, and we're gonna talk about
GRC and trust management and how to take your program to the next level.
You're gonna love what he's got to say, so stick around.
(00:23):
Hello and welcome back to the episode of CISO Tradecraft, the podcast that
provides you with the information, knowledge, and wisdom to be a more
effective cybersecurity leader.
My name is G Mark Hardy.
I'm your host for today, and I have Matt Hillary from Drata, the CISO, with me today.
Now we're gonna be talking about GRC trust management, and one of the
(00:45):
things that everybody has to do, you comply with the regulations, you get
the cyber insurance request, you have customer agreements and what do you do?
You fill out all these forms because there's a lot of compliance around,
this isn't something new either.
It's been with us for a number of years.
Honestly, I think it's only gonnabecome more and more of a burden
because it's just not going away.
And if you don't believe me, look at how your role has gone from just IT compliance
(01:09):
with Sarbanes-Oxley, and now we gotta deal with HIPAA and NYDFS, now data privacy with CCPA
and GDPR and operational resilience with DORA, AI compliance, fraud list, et cetera.
It just keeps going on.
So rather than complain about it today, we're gonna do something about it and
we're gonna talk with Matt and we're going to look at how you can build
(01:31):
a world class GRC program and the core building blocks that you need to
achieve this rather ambitious goal.
Now, before we start getting into much of the weeds, Matt, first of
all, welcome to the show and, could you introduce yourself please?
Of course.
Thanks so much, G Mark.
I'm super grateful
to be here.
And I hope today I'm able to share some of my own experience with your listeners.
(01:54):
And I truly appreciate what you do to help, with the number of guests you
have on the podcast and the amount of things we're able to learn from them.
You also have just this fun, larger than life personality.
It was great to meet with you at RSA and just get to chat with you there.
Your voice is just as amazing in person as it is here on the podcast, if I
listen to you on my walks or otherwise.
Appreciate what you do.
(02:14):
A little about me and a little about Drata.
I'll introduce the company first.
You asked me.
I'm Matt Hillary, Chief Information Security Officer here at Drata.
At Drata we are a trust management platform and we help over 7,500 customers
on their respective GRC journeys.
These are companies, large and small, enterprise and startups.
We started a little over four years ago and we,
(02:38):
with the essence of using automation to help, as the backbone of helping
compliance programs continue to accelerate, that has then iterated
into a fully fledged trust management platform to help customers with
their compliance automation aspects.
In addition to risk management, governance, most recent stuff is
the advent inclusion of AI and a number of those elements and
(03:00):
helping support that journey.
We started with automating a number of compliance efforts, like replacing
spreadsheets and shared folders and screen prints, the things that used to
plague our lives as GRC professionals.
And honestly, under all of that are underlying data elements that
we can use to then effectively perform control tests on a day-to-day
basis to know where we stand.
(03:21):
I don't know about you, but audits were a source of significant anxiety for me.
Now with capable GRC platforms we have today, I don't worry as much
on that front anymore because we have this helping support keep our,
keeping our compliance programs where they should be and, continue
to iterate forward on that journey.
(03:42):
Really exciting news.
We just acquired SafeBase back in February and in only that four years'
time of Drata's existence, we've
surpassed the hundred million ARR mark.
And so really happy to be able to see the company grow and the market
respond and the amazing experiences our customers are having along the way.
So,
Awesome.
Tell me a little bit about yourself.
(04:02):
yeah, of course.
a little about me.
I live here in Salt Lake City, Utah.
Grew up here, lived up in Seattle for about six years.
Soon after graduating from university, I started my career at
Ernst and Young in the Seattle area.
Amazing springboard to my career.
And
an EY
met
myself.
Oh, fantastic.
in Manhattan.
Oh, fantastic.
What a great organization.
(04:22):
Such great exposure to so many different companies and the way they do things.
It's helped me just immensely throughout my whole career.
After Ernst and Young, I moved over to AWS back when AWS was a small startup
inside of Amazon that has obviously exploded into what it is today.
I, I started their compliance program with two amazing humans.
once.
Sarah and Chad, a couple individuals in this space that just continue
(04:44):
to be amazing folks leading compliance and other efforts there.
At AWS we helped get their first kind of certifications and attestations
of which tens of thousands of their customers request and rely on today.
Since then I've been at a number of other companies, Adobe, MX.
Instructure, if you ever used Canvas in school, I was Instructure's first head of
(05:05):
security there to help start that program and was an incredible journey there.
Since then, worked at Workfront, Weave HQ, and now at Drata.
I've been at Drata over two years now.
It has been the most action packed two years of my entire career.
For someone who loves to feel alive, it's been amazing to be a part of
an organization that just helps feed that, all the opportunities
(05:26):
that a CISO could ever wish and ask
for, and so super grateful for them trusting me to be their security leader.
It's a very humbling role, I think, more days than not.
And here I lead our IT security, compliance and privacy teams.
I'm a practitioner at heart, and ultimately we are customer zero of the
Drata platform and SafeBase platforms.
But one of the things I love most about this role is the opportunity
(05:48):
to speak with just incredible humans like you, professionals in this space,
and hopefully with the, again, the intent to help others on their journey.
So excited to have this conversation with you today.
Thank you very much for the very kind words.
I do appreciate that and very interesting background.
So I'm glad we've got you on the show because I wanna share
your thoughts on compliance.
Now, when I step back and look at GRC, it's changed quite a bit.
(06:11):
I think 10 years ago, organizations, you'd go and you get Archer and you'd
manually fill out some compliance evidence for a standard and, that was it.
Then it started to change, instead of just one standard, more, and there's
different regulations being passed.
And we then had to ask our developer, Hey, could you fill out this survey?
Could you fill out that one?
maybe one is for SOC 2 Type 2 evidence.
(06:33):
The other one is gonna be for NIST maturity.
Oh, I'm sorry.
You're gonna be doing business internationally.
We need an ISO 27001.
Oh, okay.
Yeah, we got healthcare data.
We gotta do HIPAA.
And as a result, whether it was the developers or whether it was just IT, or
in my case, a CISO, really didn't like being asked to fill out multiple forms that are,
(06:53):
for the most part, about 80% overlap.
Now, the thing is though, if you think it's a Venn diagram, there's
some core ones, but you can't just lift one up and drop it on
the other because it doesn't fit.
And so these compliance tools started evolving until ultimately, if we had
a control framework that could map to multiple standards, you're in business.
Because we could say, yes, we are doing everything.
(07:15):
We don't have a blind spot because we only built our compliance
to, let's say, ISO 27001.
And then it turns out there's a control that's not there, that is over here.
So Matt, can you talk a little bit about what you've seen in GRC, recent
changes over the last couple years?
And perhaps your perspective on where you see our industry headed.
(07:35):
G Mark, you described that perfectly.
The journey that we've all experienced over probably the last
10 to 12 years, it's been wild to see that transition happen.
And I've walked that journey a number of times at a number of companies starting
their GRC programs from the ground up.
You're right, we would start off by saying, okay, we need a SOC 2
Type 2 attestation, or before that it was all SAS 70s, right?
And when we started that journey, it was like, great, now we
(07:56):
want to expand to other ones.
And quickly realized.
Oh man.
wait.
Some of these actually look super familiar, like how do we make this
work? Now, the idea of a common control framework has been around for
a while now, but I'm just taking a look back beyond even just the last
two years, but to the last 12 years.
But I feel like in the last four or so years is when we've really seen these
amazing
(08:16):
GRC platforms enable our GRC teams. For a number of years
now, our security engineering and operations teams have had amazing,
capable platforms supporting them with a number of incredible
detection and response capabilities.
It's been amazing working out of those tools as a security
engineer myself as well.
And it's been fun to be able to see how those have iterated.
Now our poor GRC team members have been stuck with the, some of the
(08:38):
traditional tools and capabilities that we all started with at
the beginning, spreadsheets and Word documents and having
to reach out to team members.
And we tried to automate some of it by using Jira or other ticketing
management tools to automate those tasks.
But it ultimately never got to a point where we could really
rely on an end-to-end platform.
And yeah, those last four to five years, these GRC platforms have surfaced
(09:02):
to being these enablers and capable support mechanisms for our GRC teams.
One thing I'd say as a CISO is, our GRC programs, our security
programs are both journeys.
No one is truly there, but it's that continual improvement experience
and I love being a part of that.
At a time,
I didn't like being a part of it.
'cause it always stressed me out.
(09:23):
I was like, man, when are we gonna be done?
When are we there?
How can we get to a point where we're good?
And obviously we all realize there's no such thing as an impenetrable
organization and no such thing as absolute perfection in this space.
My mechanical engineer brain does not like that, but it's been a fun learning
experience to realize actually a great opportunity here to be in this journey.
(09:44):
One of the things about just GRC in general is integrity, right?
When you mention these
different frameworks,
it really is an integrity thing for the organization to
sign up to comply with those.
And as part of that, it really is that, at the essence and core,
one of the most important things of these, the journeys that we're on,
is really building and maintaining the trust of our customers over time.
(10:06):
And we believe that we earn that
every day, and being accountable and transparent.
Those are the things that are, I think, at the core of
building trust with other people.
Like when I, you and I met at RSA, it was great to be able to take a moment,
two humans just chatting and walk you along and sharing life experiences.
It's a great connection experience.
I think the same happens at organization levels.
Now, the mechanism by which we do so today are a little bit different,
(10:28):
probably more formal, right?
With these attestations and reports that we have.
At the B2B kind of SaaS level, many of them depend on a SOC 2 Type 2
or like an ISO 27001 certification.
In the government space, you always have FedRAMP, and the healthcare space, HIPAA
and a number of other different languages that we might say are used in there.
But the main thing is continue to maintain those over time.
(10:49):
You're right.
When I started at one organization, we had probably 50 to 60 controls that
were behind our SOC 2 Type 2 security.
At that time, it was just the only trust service principle.
And, and then we're like, wait, we gotta go after ISO 27001.
We gotta go over to PCI-DSS, so we gotta go after FedRAMP, oh man.
But we're like, there's a number of shared aspects here.
(11:11):
And that's when the advent of these common control frameworks started
coming out and it really is one of the core elements of a program.
Honestly, if you were to double click into that, it may not so
much be the control wording.
That's the overlapping essence.
It's the underlying process and evidence and the data that are
truly shared across all of those.
And I think that's where
these platforms that are now available today basically allow us to
(11:34):
pull that data from those systems.
And we'll talk about that in a minute.
But, it's nice to be able to align across all of those frameworks in a common way.
It also allows us to have kind of one audit season.
I don't know about you G Mark, but I've experienced a revolving door
of auditors and customer auditors.
It's been a frustrating experience to be like, oh man,
when is audit season gonna end?
It's going year round.
(11:55):
But today with common control frameworks and with a number
of assessors that are just
amazing to work with, that understand, hey, we can pull once and map to many.
And that's really enabled us to scale as GRC teams and staying
lean, but also continue to grow to add additional frameworks.
At Drata we work with small startups, commercial as well
(12:15):
as enterprise customers.
All of them are at different parts of their journey and have different needs.
It's been fun to be able to meet them where they are at, to help them
understand what their current needs are.
And so with that, many small startups are looking at a SOC 2 Type 2, and then
that becomes the springboard to the rest of their kind of GRC journeys.
(12:36):
In that case, a common control framework is what they usually adopt.
Now, commercial enterprises, they usually will have their own
common control framework, either
one that they have built themselves or one that they have built on open source.
We see that with some of the common control frameworks we have
today, or unified control framework.
There's a number of them, but it's nice to be able to meet them where they're
at and embed those in the platform, map control tests and gather evidence to
(13:00):
help support them on their journey with capabilities they didn't have prior.
So it's been fun.
Yeah, and I appreciate on behalf of other SMB CISOs, the fact that
you've addressed that market.
There's an awful lot of companies that said, Hey, all we want are Fortune
500, or even Fortune 100, the better.
They don't realize
that, first of all, the client that you cultivate, that CISO may eventually
(13:24):
become one of those Fortune 500 CISOs.
And if you build a good relationship while they were small then and you,
they realize that your solution scales, you got a lot better chance.
So for those of you who are thinking out there from a business
perspective, it's not so much being nice to the little guy on your way up.
It's be nice to the little guy on the little guy's way up.
(13:46):
These men and women may have opportunity to do a whole lot more.
But from what you've said, I'm hearing some themes, and
one is trust but verify.
We wanna go ahead and make sure that yes, this is in there, but we have a
way the auditors, they check to make sure, and we're also shifting to
a continuous compliance model rather than a single snapshot in time.
(14:06):
You look good right now and you suck in our gut and we look really good.
And then when they take the photograph and we go, we wanna keep going.
Now the trust, but verify means we need evidence to show that something
that's working the way it should.
Now, developer, for example, would send in evidence, like a screenshot,
say some activity has happened, but instead
(14:26):
of doing that once a year, could we pull that once a month?
Why not?
If we could just pull it from the environment directly, why do we
have to put that human in the loop?
Why do we have to create this to-do list item, which is
gonna interrupt the workflow?
And now we're starting to see compliance tools that are gonna
integrate evidence pulls from the tools like access authentication tools
and vulnerability management systems.
(14:48):
And, these make sense to me, Matt, what are you seeing about some big
themes here as these tools evolve?
Yeah.
G Mark, you described that perfectly.
You're spot on.
This is where the magic happens with these GRC platforms that exist today.
You're right.
It used to be that, you and I in this space we'd reach out sometimes via email.
I don't think Slack was available at the time, but, JIRA and other capabilities
(15:10):
basically check in with control owners.
Sometimes that was once a month, sometimes that was once a quarter.
And let's be honest, sometimes it may have been like a Hail Mary request four
to six weeks before the auditors show up saying, Hey, are we good to go here?
And they're like, I'm actually not the control owner anymore.
And then spins up all sorts of dialogue, anxiety and pain.
In those instances, even when we did check in, they would take some time
(15:31):
and potentially identify one kind of
judgmentally selected sample to give to the GRC team member.
Say, yep, we're all good.
Here's an example.
And, it ends up being a perfect example of what you'd expect to see,
only to turn out that was one of probably hundreds or thousands of
events in their control ownership process that we'd want to review.
And then when the audit started, we'd all be surprised to find
(15:52):
out that the auditors selected a few samples that we didn't have
view into and understanding where they stood.
And so now today with API interfaces, with automation, with
the capable platforms that we have,
now even with AI included, this is no longer the case.
We have the ability to pull this information and actually
assess the entire population.
So when you say continuous compliance, it really is enabling that idea of where
(16:16):
you stand every day at the audit period.
Now, I mentioned integrity earlier.
The anxiety attacks that I experienced as a CISO prior to now have largely
been because if I ever felt like we were out of compliance on something,
it was a hit against personal integrity or the organization's integrity.
And what, it's been nice for me is with the ability to pull this information
near real time or on a daily basis to be able to check in and see where we're at,
(16:38):
it allowed me to know, Hey, we're doing what we're saying we're doing, which I
think is at the essence of integrity.
So with this
advent of GRC platforms helping us with this continuous compliance stuff,
it has totally changed the dialogue with internal control owners.
Instead of asking like, Hey, are you even the control owner anymore?
Or, Hey, is your control operating effectively?
We have an audit coming up in a, whatever, it is now.
(17:00):
No, Hey, we've got your back.
We're monitoring this stuff
all the time.
And in fact, when we reach out, it's gonna be because we found, it's gonna be
because we found something that wasn't operating as effectively as we thought
it was, or it didn't pass a control test.
And they're like, man, like the GRC team is behind me, has got
my back and we're ready to go.
And so when audits show up, when we, when the auditors show up, we're ready to go.
(17:21):
And the auditors know, and our internal control owners, they both know that,
Hey, we've got a tool in place that's letting us know when things,
like instances of non-compliance, show up and we've remediated those
and worked together to, like, in flight, remediate those on the way
instead of it being a surprise.
This has allowed us to be more predictable, more favorable in our audits.
(17:42):
Definitely a ton of time savings associated with this that would
replace the manual efforts that we've been plagued with.
Prior to this time, we show up to the audit having reviewed and
checked off all of those items.
So the exciting part here is it really helps us move from the reactive side of
GRC to proactive and it really allows us to ultimately sleep better at
night, but honestly continue to scale our GRC programs to that next level.
(18:05):
Last but not least, I like to treat our auditors and assessors as customers
and when they show up, they're effectively representing our customers.
And, they also have a tough job.
They're trying to find things that might be of note here.
And, in some ways they're also advisors in the sense of helping us
continue to improve our programs.
And so with these platforms, we have an audit hub that allows that interaction
(18:28):
to go super smoothly with them.
Self-service.
Sometimes we're able to pull that information, we're
able to show up to audits.
What I like to do is show up with, like, a nice present wrapped with a bow
of all the evidence they'd ever need to basically complete their audit
in a super smooth and effective way.
So they've been able to have a positive experience as a result of all these
things now existing and reachable to
(18:49):
all organizations.
Yeah, and it's interesting because people
don't appreciate the value that auditors offer, and I say, wait a minute, would
you, who would you rather find some problems, your internal auditors who could
then go ahead and help you get it fixed?
Particularly talk about proactive instead of, Hey, here they go.
Or some attacker who gets in there, exploits it because it wasn't fixed.
(19:12):
They give you free audits.
It's just that their terms and conditions are slightly different.
That's something to keep in mind as well.
But also I think what we're seeing is some shifting out there in
terms of compliance as code.
So if you're using something like a Terraform or CloudFormation script and
build an AWS cloud environment, then I'm thinking we should probably make those
(19:34):
scripts meet the regulations as well.
So are you seeing that and can you talk a little bit about how that might be
making a difference for companies as
yeah.
No, I'm super happy to talk about compliance as code because this is
something that is, again, when we talk about shifting from reactive to proactive
or preventative, in this case, that's the essence of compliance as code.
We launched this a little under a year ago to our customers and I dunno if
(19:56):
you've ever heard the saying, I think it's attributable to Benjamin Franklin,
which is an ounce of prevention is worth
a pound of cure.
And I think that's the essence of what compliance as code
is helping us here with.
And now we have AI that can generate more lines of code in a second than
we can even comprehend and we're like, oh man, we wanna be able to deploy
this stuff and move forward there.
And it's, man, we gotta have the guardrails in place from a security
(20:18):
standpoint and from, and now with compliance as code from a compliance
standpoint to really help us do
the things we wanna do as fast as we'd like to, and also run just as
fast alongside our infrastructure teams that, as, they'd like to run.
And we've all had infrastructure as code for a while now.
We've also had security scans on infrastructure as code for a while now.
(20:40):
But, a little under a year ago, we launched compliance as code to scan
your infrastructure as code during the CI/CD pipelines to identify
any known compliance failures
before they become a reality.
I've experienced this before, where our DevOps or infrastructure platform
teams would, they wanna go a hundred miles an hour at some of these small
startups or even large organizations where they're like, man, life's
too short to, we gotta move fast.
(21:02):
And they do.
And they're just some of the most brilliant humans that I've worked with.
And, with that though, it's, man, the most frustrating
experiences for them have been,
I, we just got this deployed.
We're launching it, we're releasing it, and then our, whether it be our compliance
automation tools detecting something that was non-compliant after the fact, or it
(21:22):
may have been that they, it wasn't even monitored, that part of the infrastructure.
And they're like just furious saying they have to go back and rebuild
the whole underlying infrastructure to make sure certain components are
compliant, is just frustrating for them.
It's frustrating for the compliance team and, in this case,
Drata helps on the detective side, but we really wanna help
on that preventative side.
And so we came out with compliance as code.
(21:43):
Ultimately in those experiences, they have to go destroy the resources,
re-instantiate the resources, include the variable that instantiates the
compliance setting and do that.
But sometimes there's some defaults in Terraform that, if not set, may
be a, in a non-compliant state.
And so the nice thing about compliance as code is, as we have it deployed
today, is, it'll identify those.
(22:03):
Surface those during the pull request, say, Hey, you're creating this
instance that's not gonna be compliant.
You need to make sure you know this is set so that they can do that.
Then, you end up with one resource created for the price
of creating two, two resources.
It's, you've got it right the first time, which again, I think is in
line with some of the most incredible technology standards and the
(22:24):
professionals that I work with are like,
And we wanna do it right the first time.
And so it really helps them to, like, again, another way that
GRC has their back and it's not seen as an inhibitor or blocker.
It's an enabler.
And when you think about security by design, or compliant by design,
or privacy by design, it's so great to be able to embed this
when code is being instantiated.
And I think that's the, in essence of this,
(22:47):
motive here.
And it's another way, again, we keep our people moving fast
and compliant at the same time.
And I think it's really important because it's an advantage to speed, both
in terms of time to market, et cetera.
Lack of rework and the cost effectiveness of that.
And so for those, a team member who could indicate that the effort
involved to be able to produce a fully functional, and that will
(23:08):
pass all our requirements is dropped because we don't have the rework done.
That's amazing.
And so it really only starts to pay for itself after a while.
Now another thing, and this is a personal thing for me, is
a customer compliance issue.
Because as a CISO, I faced this issue before.
Let's use an example of, okay, got a company that sells cybersecurity
software, now you have to meet
(23:28):
the company's third party risk management requirements.
It doesn't necessarily have to be selling software.
It could be providing services because I do services work in my CISO work,
and they send out things like that.
Can we see your policy?
Can we see your SOC 2 Type 2, can we fill out this 342 word questionnaire?
And sometimes we push back and say, look, we're too small for a SOC 2 Type 2.
(23:49):
It's cost.
The problem is that these third party risk management questions come out
here, and then I get things that say, we wanna know your fourth and fifth things.
Do you audit, prove that you audit your suppliers?
Like my biggest supplier is Microsoft for crying out loud.
I, they, I can't walk in the door and say, let me go ahead and look at your source code.
(24:12):
So what we find then is this third party risk management
becomes a real difficult problem.
So how do I deal with that in the realm of GRC?
Yeah, there's definitely two sides of that coin, right?
You've got the customer facing, customer due diligence side of a
GRC program, and they also have the internal side, which is the, oh, hey,
we have our own third parties that we need to make sure are compliant.
(24:33):
I think at the essence of everything we do as a security team and as a GRC
team, as a privacy team, is to build and maintain the trust of customers.
Like why do we defend our company against breaches is because we are protecting our
customers' data or whatever it may be.
We want them to continue to trust us doing so and no better way to be able to
surface that than through a trust center.
I'll talk about that.
And then no better way to do that than an effective vendor risk management
(24:55):
capability within the organization.
I'm seeing vendor risk management or TPRM, third party risk management,
all fitting under the R in GRC.
Using third parties has an inherent risk.
And I think in all of that effort, we are trying to quantify what level of
risk that might have on our organization.
We're only as secure as that weakest link in our third and fourth and fifth parties.
(25:17):
I, I'd like to believe that our purpose isn't necessarily to go and
find and weed them out, unless they're grossly negligent in their efforts,
but to go and find and help them
continue to improve.
One kind of paradigm shift for me in my mindset when I was at a small
FinTech organization was we had this revolving door of bank and financial
institutions showing up and auditing us, and questionnaires weren't enough.
(25:39):
A SOC 2 Type 2 wasn't enough.
PCI-DSS, like a ROC, wasn't enough.
It was, we need to come on site for two to three days and ask you questions.
And what I realized quickly was like, man, this is painful.
But then when I realized the other side of that coin, which is,
we're here to help them, instill, like, build trust in our
organization's capabilities.
But we're also here to learn, like we're also here to help improve our own security
(26:00):
programs, to meet their standards.
And when I've approached it in those, like with that kind of mindset, it
really has changed my ability to show up and say, no, I'm here to help.
I'm here to learn.
Let us know if there's a specific gap here in how we're doing something.
I'd love to learn that so we can improve and grow.
And so again, it's trying to find that weakest link and help buoy them up.
So we have this matrix of organizations that are all reliant on each other.
(26:22):
We can all benefit as a result.
And so that's been a really cool kind of paradigm shift there.
Now, Drata's mission is to build trust in the cloud.
We really do, through our most recent acquisition of SafeBase, allow
organizations to showcase their security and compliance efforts in a seamless,
automated, self-service, customer-centric and scalable way.
And recently backed with some AI models that really help
(26:43):
embolden both sides of that coin.
Whether it be filling out questionnaires, we'll play with that.
But then also, reviewing third parties.
We spend so much time vetting third parties.
Sometimes G Mark I worry that, when organizations are showing up and
vetting their third parties, they haven't taken a moment to really
purposefully and intentionally try to understand the why behind some
of the questions they're asking.
(27:04):
I think when we do that, it'll probably reduce the 400 question questionnaire to maybe
14 to 20 or even 30 questions that are very pointedly worded to really help that.
I'm seeing more and more organizations do that, which is really heartening
to reduce both the burden of questionnaires, but also reduce the
burden of, like, unnecessary questions that may not necessarily be asked, but
(27:25):
really focus on what really matters.
And so with that, it's been awesome to be able to see again, that improvement.
Again, we have the trust side,
which is where we can display this stuff to customers.
We'll talk about that in a minute when we discuss a little bit
around the revenue unlock as a result of having a good GRC program.
But on the other side it's, oh man, like what documents do I need?
(27:48):
How can I review these?
I don't know about you, but I've scrolled through thousands of
pages of SOC 2 reports looking for the words exception noted and
management response or, qualification.
Man, no better job than having a capable large language model
ingest that document and find those for us and surface those within seconds
versus, sometimes you and I, maybe five to 10 minutes each or otherwise,
(28:10):
just to find the things that stand out.
We're doing that today in our platform with Drata AI and the opportunity for
us to basically go through and grep and pull out those answers in questionnaires
or, like, responses in their SOC 2 reports to really help us know, like,
hey, what are the true risks here?
(28:31):
With a, an entire GRC platform, now you can then take vendor risks and
surface that as an external risk to your risk register, which has been
another great way to really holistically have all your risks in one place,
replacing some of the traditional spreadsheets that we may have used or
ticketing system dashboards around risk management, risk registers, to a
full platform that ties them all out.
(28:51):
So when your board says, man, what third parties do we have
with any criticals and high risks?
We're like,
here they are, and you can see where those are at and you can work with
those third parties and their associated risks to burn those down over time
and increase their compliance posture and security posture at the same time.
So that's kinda how I'm thinking about it.
I don't know how that resonates, but yeah.
What are your thoughts?
It does sound very good, got two ends of it.
(29:12):
One is of course interpreting your third party SOC 2 and all the other reports.
The other one is filling 'em all out, which as they said, is the
biggest headache that I have.
And I've, and I'm hearing more and more something about called
the AI questionnaire assistance or AI QA, and I gotta give it a name,
AIQA, we'll see if that catches on.
Anybody know it started right here, if that picks up.
But can you tell us, our listeners, what is that and what does it
(29:33):
really mean in terms of compliance?
Yeah.
Yeah.
And so to answer that, I don't know how much time you've spent working with, say,
ChatGPT or large language models out there, but it has been just incredible,
like to redirect our brains from going straight to Google for questions or
straight to any kind of search engine for your questions and answers to,
hey, you know what, a large language model could educate me on whatever it may be.
(29:54):
And when you think about all these questions coming from our customers,
it's no different than basically
posing all those questions to a large language model, fueled with a knowledge
base that can answer those for us.
And taking that first pass.
Now, we're not, we're not full send, sending that through and
then sending those to customers.
We obviously have the human in the loop to help verify that the
(30:16):
answers come back as accurate.
I know you and I have probably experienced times where we've gotten
a response back from a large language model and in infuriating ways of
raged against the machine, and raged against the machine learning in
this case, to the point where we're like, man, you're driving me crazy.
I just posed a question and you answered it something completely
different than I expected.
It's cool to see those progress, but what I will say is now with well-trained
(30:38):
models and with a capable knowledge base, sometimes our customers with SafeBase's
AIQA will have a knowledge base between two to 3,000 questions and answers
accrued over the years of questions asked by customers with acceptable answers.
These large language models take that, they take the next questionnaire that
(30:59):
got sent over, take the first pass at it, usually taking minutes to fill those out.
And your GRC team members are on their way, just double checking and making
sure all the answers are right.
And boom, like especially at the end of the month or end of the quarter,
it is so nice to have that capability versus the stack of like questionnaires
that have come through and you're trying to go through each one of those.
It's just not scalable.
(31:20):
And so it's great that we now have the AIQA to help answer those
and just accelerate this process.
And again, life is short.
We also want to spend life doing something that is beyond answering these questions,
especially when we have capable capabilities today to do that for us.
So AIQA is here to help and it's been amazing seeing that accelerate us as
well as our customers at the same time.
(31:42):
Got it.
Now I'm moving along 'cause we're covering all kinds of stuff and I
realize I only got about minutes to go.
One of the trickier topics, and I think important though, is how do
we evaluate the credibility of the evidence that's provided by third parties?
'Cause we all know that we're filling out these forms.
Yeah, what do they want to hear?
But at the same time, I'm always pretty honest about them because I say, look,
(32:04):
if there's something that I learned from these questionnaires going, wow, I never
thought about that, that's not a bad idea.
Let me put that on my to-do list.
But also, if somebody else is just, what the Navy used to call gun decking, which
means like, yeah, we're compliant.
We're compliant.
But you don't actually do it.
But what about something like this?
Let's say I'm considering purchasing a new piece of software.
I asked the vendor for a SOC 2 Type 2 report.
Here it is.
(32:24):
But it's from some small unknown accounting firm in India.
That kind of raises a fair question.
How do we determine whether this report is really genuinely trustworthy versus just
a checkbox exercise that they had some low cost auditor with maybe questionable
rigor in terms of how they're doing that, versus like we had talked about, an EY
(32:46):
who comes in there and will put their name on it and say, yep, this is trustworthy.
How do we deal with that?
Yeah.
Yeah.
I'll chalk this one up as a spicy question in the industry right now, right?
As many folks are starting to ask this question, it seems to be a
growing concern in the industry.
But the reality is you're right.
We have a known set of known and trusted assessing organizations out there.
(33:09):
Here at Drata, we have an audit alliance where we have the ability
to go through and say, hey, like,
when our customers show up to us, they say, hey, we'd like to use
your platform, but we'd also like to know, do you know of any auditors
that are credible in this space?
And as part of that journey of helping them discover where they need to go,
we have a number of, again, third party, just independent assessment
(33:31):
organizations that we can recommend; many of the providers in the space do that.
But you're right, with this concern, I'll call it auditor roulette almost,
where it's, hey, and sometimes in assessment organizations you may have
some assessors a little bit different and maybe one is more thorough or a little
more technically savvy than others.
And so I think you and I have probably experienced those over the
(33:54):
years, there are incredible again
assessors out there that are what I'll call Drata friendly or GRC
automation platform friendly in the sense that they understand
what's going on behind the scenes.
The reality is, companies like Drata, we have the ability to then
pull information from source systems and present that and monitor that.
Now, if the assessment organization wants to
(34:15):
follow that from cradle to grave, from the source system where we originally
got screen prints, when we first started on this pathway, to
like, to the very end where they're seeing the result in the system,
auditors can do that today with their customers, our customers
that are using Drata today.
But independence is a huge part of a credible third party
assessment organization, and the quality and reputation of assessors
(34:37):
really does carry weight.
I don't know the tiering structure or what reputation, who's what and
where, but it really is up to the organization to make sure that they're
using an assessment organization that is seen in the industry as, hey, like,
oh, great, I've seen that name before, it looks like they do a good job.
I've been assessed by them before.
Maybe another statement that's common.
But the reality is, you know, again, there,
(34:58):
most of 'em are following in good faith, doing this the right way,
which is a heartening thing to see. I'd like to believe that
folks, people are inherently good.
I like to believe assessors and organizations are going about this,
are inherently good and are trying to do this in good faith efforts.
And again, we have a great audit alliance that organizations can
work with to help them on their journey, and help assess the way
(35:22):
that we'd expect them to be assessed.
Yeah, and it seems like a good way to differentiate if you're a small
or medium-sized auditing firm to say, hey look, we're using
an automated collection tool.
Something you can point to that we're not just randomly filling out
questionnaires as a porous drinks or bias donuts or something like that.
But we actually have some way to validate that and that'll differentiate
(35:44):
a smaller firm or even something from an even another company.
Say, look, this is what we use.
We use this tool.
It's an, you can look it up and it works pretty well. Now also, but
questionnaires are shifting around now.
It used to be everybody would try to standardize on something like the Standardized
Information Gathering questionnaire,
the SIG, and then Cloud Security Alliance had their own Consensus Assessment
(36:06):
Initiative Questionnaire, the CAIQ, which you pronounce like cake.
Are these the most common, or is everybody shifting to their own questionnaire,
or somehow gonna get to one
question that answers everything, which to me seems like a disaster because
it doesn't address what we talked about earlier, such as the overkill
(36:26):
for the type of questions asking for a particular third party or vendor.
Yeah.
Yeah.
It's, I'm seeing that it's all over the place still.
We see many organizations still show up to, with a CAIQ or a SIG, right?
And it's very industry centric.
We have those already pre-filled out.
It actually makes the conversation go a whole lot faster as a result.
And so those have been helpful.
Now the reality is, we wanna meet customers where they're at, right?
(36:50):
It really is a leadership principle of meeting other people where
they're at instead of expecting them to meet you where you're at.
And so I think that principle still applies here when it
comes to customer questions.
And so when they show up, they may have their own custom questionnaire
and in many cases when they are short and pointed and well thought
out, it's a really good use of time
to help you get the answers that they're looking for and
the construct that they have set up.
(37:11):
So we definitely wanna meet them where they're at. Now again, like I mentioned
earlier, I really want organizations, and encourage them, to take a moment
and look at the questions that you're asking third parties and decide, are these
really the ones that are gonna help us identify any risks for our organization?
And if not,
you have the power to change those questions to really make it, again, an
intentional and purposeful exercise.
(37:32):
So again, take that moment and then really just see what the questions
you are asking are, and that really will help you in this process.
It'll speed up time on your team.
It'll help you, again, continue to grow and progress as an organization
because you have freed up time there.
Yeah, definitely encourage on that space, but again, we're seeing it all over
the place and that's why AIQA exists.
I think while we all would like to see less and less on the questionnaire
(37:54):
front, keeping 'em intentional is a good step in the right direction of
hopefully relying on the existing mechanisms that we had prior to
questionnaires or even, no, just to hopefully replace questionnaires, I think
originally is the right way to say that.
But it's nice to see, again, the progression in that space.
Yeah, and I think that another thing I'm seeing is more of a focus
on cyber risk quantification.
(38:16):
We want compliance, but there are usually things we're, we're
not gonna be compliant with.
So we document those as risk.
We put some value on the likelihood and the impact and it could harm.
And then we do the high, medium, low and we have a qualitative view or
have a quantitative view in numbers.
And those numbers are really hard to prove.
I think that goes back to the old FIPS PUB 65 for those who wanna go
back in the archives in the 1980s.
(38:37):
I remember working with that one.
Some of the things like, it can't put a number on it, at least
not too many significant digits.
And other people wanna use the FAIR methodology, the Factor
Analysis of Information Risk.
And what do you recommend that people use and, and the like?
This one is a really hard question because I was thinking about it like,
(38:58):
I dunno if you've ever read the book The Failure of Risk Management or How to
Measure Anything in Cybersecurity by Douglas Hubbard. Hubbard really encourages
us to say, hey, traditional risk management methods, particularly those that rely on
like qualitative techniques like matrices or intuition or arbitrary scoring, like
he feels that they're like deeply flawed and obviously, and often misleading
and can sometimes create this kind of false sense of truly assessing risk.
(39:22):
Instead, Hubbard helps encourage all of us to say, hey, like there
are quantitative, evidence-based methods like probabilistic modeling
or Monte Carlo simulations to use,
kinda like you mentioned, the FAIR methodology, to assess and manage risks
more accurately and equating or yielding an annual loss equivalency to really
help organizations use a dollar amount of potential likelihood of impact that
(39:46):
year to switch around investments or identify where they should really focus.
I've seen both used in action.
It is fascinating to see the difference in conversations and approaches and
effort that goes into each of those.
I feel like I need a master's degree in actuarial science to do the, the
Monte Carlo did, but honestly, I,
it doesn't, in some cases it's super, super intuitive to go through and
(40:09):
sit down and using these simulations and using the right kind of like range
of impact from a dollar standpoint and frequency to then run the simulations
to say, hey, this year this may impact us this amount and this is
why we want to invest in this area.
And it really helps in making that a more
quantitative approach.
And so again, seeing both, I'm seeing customers use both of those.
(40:30):
I do see that the qualitative method ends up being one that's a
little bit more intuitive by internal team members that say, hey, if we
had a range here, how bad is this?
And if we had a range here, like, how frequent might this happen?
And sure.
Then we yield like a heat map that it's like, hey, this last quarter we saw this
pixel, or sorry, we saw this risk move like 14 pixels to the left
(40:52):
and you're like, what yielded that?
And so then we get back to the, we should probably make
it a little more quantitative.
So I've seen both, both have been generally successful in communicating risk
and burning down in, in a large quantity.
The more mature organizations that I've seen really do use kind of that,
the quantitative model to get there.
Got it.
Now, what are the biggest mistakes you think that a lot of GRC programs
(41:14):
make and things that people get wrong?
One of the things that came to mind on, as I thought through this, is
not really tailoring their GRC programs to meet the needs of the actual business.
Many leaders will come in and be like, hey, this is the checklist approach.
We need this, and this.
And it's very, I like to say it's an art to be a security and GRC professional
(41:36):
to show up in an organization with the experience that you have to truly tailor
your, the needs of the organization,
and so your compliance program, to the needs of the organization. Like
B2C SaaS is very different than B2B SaaS versus professional services
versus brick and mortar stores.
And very much need to prescribe those needs to that organization.
And so with that, that's probably one of the biggest mistakes.
(41:59):
The second one I think of is just not being able to adequately
explain the why behind controls and frameworks and GRC efforts.
And so being able to sit down with anyone in the organization and explain
it in a way that they understand the why behind them doing something
has been helpful; it also allows a very collaborative effort to decide, oh
my gosh, that makes total sense.
(42:20):
And we could probably do this in a better way by going about it this way.
And then the last but not least, and this is a space that's a call out to many
of my GRC peers in the space, is having that technical expertise showing up to
the table, being able to dive as deep in the technical details as their security,
DevOps, and infrastructure counterparts are to really understand and help there.
(42:42):
That's been awesome.
I will have one last one here that I thought about, which is just not
being able to measure the impact of their GRC program on the business.
With the advent of trust centers, like I just mentioned a moment ago, like you're
able to tie the requests from customers to your CRM to understand the revenue impact
of all the documents that are being requested, to understand which
(43:02):
documents are being requested so you can continue those and then which
things have been requested but you don't have yet that you should add.
And it's allowing GRC programs to show up to their board meetings and fuel their
CISOs and their executive team members with data such as, hey, because of our
capable GRC program, we unlocked X million in revenue last quarter, last month,
(43:23):
last year. It really has turned GRC programs into a business enabler
instead of the cost center or a blocker that may have been seen previously.
And so that may be another mistake is not being able to surface those
numbers like we can today with these trust centers that can enable that.
Got it.
Okay.
We've got about a minute or two left.
So it's been an incredible amount of information here and I appreciate you
(43:44):
being on the show to talk about this.
Before we wrap up, any last thoughts that you might have that maybe we
didn't get a chance to talk about yet that we could put out here?
We talked about a ton.
We talked about trust centers, we talked about vendor risk management.
We talked about compliance automation.
Honestly, I think it's just a call out to the industry to continue to
(44:06):
improve and grow as professionals.
This is a very humbling role to be in, whether you're on the GRC side or
the security side or the CISO side.
When you look at all the things that a CISO needs to worry about
day in and day out, I, it's probably not a very mentally healthy role.
And so as I look at this, I just, I wanna get probably more human here
(44:27):
and just share out to the industry that like, this is a painful, this
is a painful role at times, mentally.
And so taking that time that, that we need to really recoup, whether
that be meditating, whether that be helping us take the time to really
put boundaries into the time at work.
Like when I say life is short, that applies to life outside of work as well.
And in, in this role, there's a lot of pressure here.
(44:49):
And so with that, I like to have a lot of grace towards other peers in this space.
Whether they may be direct competitors or whether they may be others in the
space, other CISOs, to really have that grace and humanity towards others is to
realize they really are trying their best.
And so I wanted to say that, that, as you evaluate where you're
at, take the time to mentally
(45:09):
relax and also realize that this is, again, a journey, not the, an
end state, and have some grace for yourself and others along that way.
And so again, that's probably the thing that I would probably end here on
this space.
Of good wisdom.
I could probably pay attention to that.
Hey, how does someone get in touch with you or learn more about
Drata if they wanna follow up?
Sure. So for just, head to drata.com and sign up for a demo.
(45:32):
We have an incredible, incredible team to help support you and meet you where you're
at, wherever you may be in that journey.
I also like to assist and help with our sales and customer
success team members as well.
It's fun to be able to meet with our customers, prospects, as well as a
CISO to help them on their journey.
So that's there for me.
I'm on LinkedIn.
Pretty easy to find there.
This is Matt Hillary at Drata and happy to help you wherever you are at.
(45:55):
Thank you.
This has been absolutely.
For our listeners and our viewers out there, thank you for sticking
around for CISO Tradecraft.
I hope you found this incredibly valuable and if you had, pay it
forward, go ahead and share this with your other professionals.
Let 'em know where you get your information.
Don't forget, if you subscribe to us, we also have a Substack newsletter.
We have shorts that we put out on YouTube as well as the full episode.
And follow us on LinkedIn 'cause we're a whole lot more than the podcast.
(46:17):
We put out regular information that'll help you out.
So thank you very much again for being part of our team today.
This is your host, G Mark Hardy.
Matt, thank you very much for being on our show, and until next time,
everybody stay safe out there.