Security Market Watch

SMW #4 - Cybersecurity Compliance Strategy Ft. Igor Volovich

July 19, 2023 Josh Bruyning Season 1 Episode 4

Ever wondered why governance, risk, compliance, security, and operations often feel like estranged cousins rather than integral parts of the same family? Today, we're getting beneath the surface of this issue with our esteemed guest, Igor Volovich, VP of Compliance Strategy at Qmulos. Through a stimulating conversation, we dissect the difference between a VP of Compliance and a VP of Compliance Strategy, explore the concept of convergence, and highlight the importance of prioritizing people, not just tools, in creating a successful strategy. 

The road to compliance isn't always smooth, but with Igor's insights, we dive into a discussion about embedding security within an organization - and how DevSecOps can serve as a catalyst for this integration. Brace yourselves as we illuminate the significance of controls, visibility, and telemetry in this intricate process and find out how CEOs and CISOs can strategically invest in cybersecurity. But the journey doesn't stop there! 

In the final leg of our conversation, we tackle the multifaceted challenges of transforming security experts into leaders and non-IT, non-security personnel into security professionals. Get ready to learn how strategic and critical thinking can drive a comprehensive understanding of an organization's security landscape. As we tie up this insightful discussion, we delve into the implications of the SEC's new cyber security rules and the preparations companies are making to comply. So, if you're eager to navigate the complex world of compliance strategy, join us in this enlightening episode!


Speaker 1:

Welcome to this episode of Security Market Watch, the show that goes straight to the source for cybersecurity market insights. I mean, you can go through all the data and try to go through polls and get information about the market that way. But here at Security Market Watch, we prefer to go to those who are in the field and they know what's going on, and so my guest today is Igor Volovich, and Igor is a friend of mine and just a whiz when it comes to understanding startups. He is the compliance VP over at Qmulos. But just being a compliance VP, I think that's a limited scope. He is much more than a compliance VP. He is an expert on the market. I know he wouldn't call himself an expert. A lot of people don't like to call themselves an expert. I'll call him an expert, Igor. Welcome to the show.

Speaker 2:

Josh, thanks for having me out again. It's wonderful to be with you. So for folks who are watching, they're seeing me dressed as a doctor and they're probably wondering why, for those who are listening to this, I am dressed as a doctor, and the reason for that is I play one on TV. Right, as we say, I play a doctor on TV. But the real reason is I'm promoting a concept called compliance therapy, and the idea of compliance therapy is really the notion that governance, risk, compliance, security, operations, IT. We've all been divorced for a very long time.

Speaker 2:

We're trying to get the family back together. We're trying to surgically reattach the conjoined twins that got separated at birth, right? Security, compliance, risk, they're all part of the same family, right? And ultimately we're trying to manage risk. But somehow we've just gone down these silos, we've gone down these pigeonholes. We said, okay, security is here and IT is there and operations are somewhere else. And then, within those fields, we also sub-specialized. Right, you've got incident response doing very advanced stuff. You've got threat intelligence, looking into the future. You've got risk, trying to manage things from more of a business context perspective, and then compliance is kind of stuck across all of those, right, and yet we're always looking backward.

Speaker 2:

So we're trying to change minds, we're trying to get people to understand what the value of compliance is, and what my actual title is is compliance strategy. So I am a compliance strategist, which is kind of a thing that people go, what does that mean? Then I come in a lab coat and they go, now we're completely confused. Good, let's start with that. Let's start with the fact that there is a lot of confusion about compliance, and let's talk about this idea of therapy. Right, let's do some therapy. Let's figure out how we can all get on the same wavelength and figure out how to get back together across all those functions and do what we call convergence. Let's converge. So that's my big intro.

Speaker 1:

Well, I botched that title. You are the VP of compliance strategy.

Speaker 2:

Oh, you're totally fine.

Speaker 1:

What is the difference between a VP of compliance and a VP of compliance strategy? It should be obvious, but lay it out for those who might not be familiar.

Speaker 2:

Sure, well, strategy, right. Everybody kind of has their own definition of it. It's funny. I look back. I recently just reread The Book of Five Rings by Miyamoto Musashi, the sword saint of Japan, the biggest, the best swordsman that ever lived, and he wrote the book, and he switches from swordsmanship to strategy. To him it's synonymous, right. And what he says.

Speaker 2:

One of the things that I found the most interesting, that resonated with me a lot as an enterprise architect, as a strategist, is the idea that a strategist should not focus on the finite details and you should not have likes or dislikes. And he talks about battlefield commanders. You know, should not have a preference for a battlefield weapon or a tactic or a specific kind of a way to fight on the battlefield. It should all be about one thing and one thing only: how to win, right. So, whatever tool is needed, that's what you should have. Use that when it's needed and get the most out of it, right. But it's really about what we call now combined arms, right, it's about joining different tools together, bringing them together to effect that outcome that you desire, right? Which starts with the question of, well, what is the desired outcome? And so that, to me, is strategy.

Speaker 2:

It starts with vision. What's the end state? Then, of course, you have to ask what's the current state? What is the delta? What is the gap? How do we fill that gap? And so figuring out how to get there in the most efficient manner, in the most effective manner. And it's about time, right, we want to get there in an expeditious manner. Also, we don't want to get there three years, five years from now. Now, something stayed that long, right. But ultimately, it's about seeing that vision, figuring out what the end state looks like and mapping a path to it and then getting people to come along. A lot of folks kind of stop with here's my vision, here's how we get there, and they stop and they don't transition that to, well, how do we get people to actually come along for the ride? How do we get people to combine with us in this vision? How do we get them to be part of our overall strategy? Right, so it has to involve people. It has to involve not just tools and technologies and processes and workflows, but the hands, the brains, the people, the bodies. Right, somebody has to actually execute and that's what it's all about. So for me, that's kind of the long story of what strategy is, and so the difference between compliance and compliance strategy.

Speaker 2:

Compliance strategy is kind of a title we thought up, right? What is it that we're trying to deliver to the marketplace here at Qmulos, which is a compliance automation and a converged continuous compliance company? Again, it's a tagline that we invented, and what it captures is the idea of compliance being rethought of as a strategic tool of risk management, not just a retroactive reporting function, not just something that gives you historic reports from three months ago, three years ago, et cetera, but it's something you can use in real time and now, right. The only way to do it, of course, is through automation. We can talk about that separately. So strategic realignment, right, that's what it's really about for me and for us, and it's not just another tool in the quiver, it's not just another thing that you bring into your stack. It's more of having this kind of a meta capability, macro capability.

Speaker 2:

We're using compliance as a prism to look at your entire environment, to look at your enterprise, not just from a risk perspective, but from a perspective of what do you have in your stack, what do you need? What mission is it fulfilling? Which part of your risk is being addressed? Which part of the risk is not being addressed and how do you fix that? How do you prioritize different risks based on the business context and also how do you prioritize your technology investments based on those needs? So that to me, that's kind of the long-winded way of answering the question of what's the difference in compliance.

Speaker 2:

Compliance is just checking the box and saying, hey, I have a thing or I don't have a thing. Control is effective or it's not, or it's failed. And compliance strategy is really, how do we apply compliance? All the immediate capabilities that we have within the compliance sphere, the consistency, the in-depth control definitions, all of this really good, really important stuff. Decades spent inventing it, making it as complex as it is today, as capable as it is today, but people get lost in the complexity and they lose the forest for the trees. They lose that understanding of, but I could use it not just to report past state, I could actually use it to manage risk. Again, that's part of this whole compliance therapy mindset. How do we make compliance come into real time? How do we make it become a tool of true risk management at the enterprise scale? So that's what I'm trying to answer every day.

Speaker 1:

So I'll try to summarize in a few sentences everything that you said so I can understand and so the others can understand exactly what is this difference between compliance and compliance strategy? Because I really want to get to this article that you wrote that got picked up by The New Stack and I think this will be a really good lead into it. Compliance is, or let's start with strategy. Strategy, in general, as I see it, and probably the way that you're laying it out, is the big picture, being able to see the entire whole and how all the little pieces fit together.

Speaker 1:

And compliance, and especially GRC governance, risk and compliance so far has always been about a very small slice of cybersecurity, which is also cybersecurity, being a very small slice of the business and very siloed. And so when we think about compliance, we usually think about audits. You do an audit, the audit's done, it's looking at past data. We're done, we wrapped it up, and then cybersecurity operations takes over to look to the present and to the future, and it seems like what you're saying is that when we look at compliance strategy, we're understanding how compliance fits into the entire whole, not just into the cybersecurity picture, but also into the business. Is that an accurate description?

Speaker 2:

Absolutely, and we want to make sure people talk about embedding security in, and there's a lot of ways to do it, things like SDLC, things like DevSecOps. Really, we're trying to do what I try to evangelize out there, which is the concept of basically doing for compliance what DevSecOps did for bringing security, development and operations together. We want to be the DevSecOps company of compliance and it's not just hey, we've got this automation platform that makes it faster and makes compliance easier and makes it kind of a no-brainer, puts it on autopilot in a way. There's a lot of companies out there who are doing sort of quote-unquote compliance automation. A lot of them, for fair disclosure, are kind of focusing on workflow automation, right, where we kind of want to do it end-to-end, which is how we built this company over the last 11 years, but separate story for another episode, potentially, right. But for this perspective, yes, how do you embed security in? Well, you have to have good controls, you have to have good visibility, you have to have good telemetry, and a lot of folks when they face this problem, especially new incoming CISOs or folks who find themselves in those roles, they start asking these kind of strategic questions because, well, the CIO is asking, the CTO is asking, the head of the risk committee is asking, the board of directors is asking, the external auditors are asking, right? They're all asking different things, but ultimately they're asking the same thing, just in different ways. Right? What they're asking is, where do we stand? Are we happy with where we are? Are we happy with our security posture? Does our security posture match our risk appetite? And then what are we going to do about the difference? Right, and a lot of those predicates are very difficult to come by in a lot of companies, and the bigger the companies are, the more difficult it is.

Speaker 2:

So folks forget that compliance gives you all the tools, all the consistency, right, all of the structure, all the scaffolding. You simply can ask those questions as a matter of control definition. Right, you can say, well, my firewall? Right, you can focus on the tools. You can go, hey, let me go to my firewall team and ask them if they're happy with where their firewalls are. There's a bias built into that, right? I mean, you presume there's going to be some bias, right? People are going to go, oh no, everything's happy, right. You go to the intrusion detection team and you go, hey, what's going on with intrusion detection? And they go, oh man, we need more investment, we need more intrusion detection. Everybody you ask is going to tell you we need more of what I've got.

Speaker 2:

People are trying to build their fiefdoms, they're trying to hire more people and this kind of this bloating organism. It's almost like the government. The government never shrinks. Security, always, the budgets always want to go up. And guess what, when we look at the kind of the macro global economic level, we keep spending more and more in security every year and we keep getting more and more breaches. Clearly something's not working there, right? So you take it down to a level of a single company or a single organization, you can throw all the money at it, right.

Speaker 2:

Ultimately, if the system is not fixed, the system of how we bring these solutions on board, how we select the kind of technologies we need to have in the portfolio, why we make those decisions, is it because you read that on Gartner? It's in the MQ, right, the Magic Quadrant, so you're going to buy that? Versus, what is the risk problem that we're trying to solve and how do we plan on solving it? And can you show me, prove to me, credibly, that that particular investment, that $1 of that security investment is going to give me $1, $3, $10 of security mitigation value, right? The ultimate measure for me, the ultimate metric, is what is the risk mitigation value of a proposed investment? And if you can bring it down to that, right, if you can boil everything down and give it to the executives in that kind of language, that creates a lot of that credibility, right. So it stops being, hey, I like this firewall versus that firewall, you know, and it stops being this conversation about vendor selection and you start having a conversation about capability selection that's driven by risk, and that risk being driven by the business context, right.

Speaker 2:

So that's what we're trying to elevate the conversation about compliance towards, that's what we're trying to elevate the entire idea of, you know, this convergence between these different functions: security, risk, operations. Really, we're trying to operationalize compliance, make it just another thing that you do on a daily basis, not when, like you said, not when the audit comes around, not when you have a breach and everybody wants to know, okay, are we okay or did we actually screw something up? Are we going to have a failing control somewhere that we didn't close? And you look, you're trying now to scramble and kind of do damage control. Let's be proactive about it. Right? Again, compliance as a tool of proactive risk management, it's a complete non-starter with most folks because they don't have the tools for that, right.

Speaker 2:

They don't have the capability to really do compliance in real time. Too many controls, too many systems, too many technologies, and they look at things from kind of this bottom-up, technology-based perspective, right. It always starts with a technology conversation: what kind of tech do we buy? We get that, right? Abstract from that. Kind of put that enterprise security architecture head on, put it on tightly and ask the question, what is the capability that we need and how do we know that we need it? Very structural kind of questions like that.

Speaker 1:

I'm a big fan of those structural questions and I think we focused on the tools a little bit too much. Yesterday I was having a conversation with someone who just talked about leadership and how to communicate between. How can CISOs and security teams communicate? So that's a structural issue. So I'm a big fan.

Speaker 1:

There's this trend going on in cybersecurity now that I'm really happy about, where people are really pushing to think outside the box, to think about structure, to think about integration, and you know how do we all? You know it's just short of holding hands and singing kumbaya, but it is sort of what you talked about in your article and I encourage anybody listening to this or watching this. The article is called The Disconnected State of Enterprise Risk Management, written by Igor Volovich and, like I said, it got picked up by The New Stack. So check it out, read it in its entirety. I'm really happy to see not just you, but to see this general trend of cybersecurity professionals moving towards orchestration, moving towards, let's get everybody together and really understand. You know the tools aren't working, because the thing is the hackers have tools to counter your tools and as fast as you can spin them up, for all we know, it's the same person selling to both sides. You know, if we focus on the tools, you're not gonna get too far. That's the lesson here. But we can outsmart them, we can out-organize them and we can out-orchestrate them.

Speaker 1:

And the thing that I really asked you down here to talk about, and you touched on it a little bit, is cyber investments. So, once you've done your compliance audit (compliance audits still have a place), once you've done your compliance audit, you've done your review, you've done your maturity assessment, there are certain things that you have to do. For the next two or three years, you're gonna invest your dollars into something. So, if you're a CEO or a CISO, listen carefully. What we're gonna be talking about here is where do we invest after we've completed our risk assessment, our maturity assessment, our audit? What are some of those key areas? It doesn't have to be a tool. It could be human resources. What are some of those key areas where you're seeing businesses making those investments after they've assessed their risk?

Speaker 2:

Great question, and I think that's the way that these questions are typically asked. Right, you know we've had an audit or had a breach, right? What failed, what's not working, how do we fix it, what's our three-year investment plan? And it tends to, of course, very quickly devolve into conversations about what kind of tools we're gonna buy, what kind of people we're gonna hire. You know, we're gonna bring on an MSSP, we're gonna have an external partner, etc., etc. There's a sort of this built-in mindset of cyclical, periodic cadence. We're gonna have an audit on date X, then there's gonna be some period of time we're gonna take to analyze the results. Maybe we'll hire somebody to read them for us, right, explain what they saw. And then we're gonna have an outcomes meeting where we'll talk about, okay, this is how we're gonna fix those problems that we found, and it'll take some period of time. Then we're gonna have another reassessment and then an audit, and ad infinitum we'll just keep repeating that process cyclically. And then, you know, they'll take us through the next two, three budget cycles and then we'll continue to reinvest, etc. Right, and that's more.

Speaker 2:

To me, this seems like more of a tactical conversation. Now, you'll see, labels on those meetings will always say it's our security strategy or it's a security roadmap meeting, etc., etc. Right, I don't find those to be particularly strategic and I'll explain why. To me, investing strategically means investing into a capability, I mean category if you want to go down one layer. But from my perspective, as a true CISO, if that C in the CISO title is not silent or a courtesy title only, right.

Speaker 2:

If that C, you know, sort of, well, you're the highest ranked person that knows security, so we're gonna call you a CISO. A CISO is not, it's not a rank. CISO is a role, and it's a role that should reflect strategic leadership, not management, actual leadership. And if you're not in the room with those strategic decisions that are being made by the true business leaders, if you're not really part of that conversation, then that C is absolutely silent.

Speaker 2:

And I actually have an op-ed piece that I'm working on right now, the C in CISO is silent, and for most folks who find themselves in those roles, it's a courtesy title, right, it doesn't really, the C doesn't really mean anything. You're not chief of anything. You're chief of technology, right, you're working on security technology. It really should be called like a chief security technology officer, if anything, right? So that's one small aside up front.

Speaker 2:

But if you're really thinking about things strategically, you should be investing into things like agility. How agile is my program? How quickly am I able to adapt to incoming threats? How far out is my horizon for incoming threats? And not just threat intelligence, but actually working with the business leaders to say things like, okay, we're going into a particular area of the world. These are the kinds of risks that we know we're going to have to deal with. Like, let's say, you're investing into China, we're going to open up a research and development center there. In the next three or five years, we're going to invest, let's say, $3 billion into that effort.

Speaker 2:

And this is a massive undertaking, right, and it's got a lot of strategic implications. But most of them are driven by the business and so you, as a security person, you have to enable that. You can't just say, look, we're not going to do that because China requires us to open up our source code. It's a big brain suck. You know our IP is going to leak, et cetera, et cetera. You present that, right, but you don't ultimately control that. The business is going to say we want to do that. There are strategic advantages for our company, for our shareholders. That's going to build shareholder value long term. We're supposed to support that, right. But yet you need to be able to communicate the risk that this is going to incur and how we're going to treat that risk. What's going to be the risk mitigation plan? How are we going to address the things that are going to happen two, three years from now? Not the hack that's happening three minutes from now or that happened three hours ago. Right, that's all important, right, but it's tactical stuff. These are tactical capabilities.

Speaker 2:

I want to be able to go back to the business and say, look, no matter what comes down the pike, no matter what you guys come up with for the next year or two years, three years, we are ready for it because we have invested into adaptable, agile capabilities. Flexibility is what we offer you. We offer you the ability to support whatever mission you've got and, if we can, also understand things from that mission supportability perspective, right. So I'm not going to talk to the board of directors about firewalls and intrusion detection and endpoint detection and response and SOAR and whatever, right. I'm going to talk to them about strategic capabilities like agility, adaptability, risk mitigation quotient, if you want to call it that, right.

Speaker 2:

How much risk can we actually mitigate? If you can quantify that for the board, then you're truly a CISO. If you are coming into these meetings and talking about, this is how many viruses we batted off in the last week? Nobody cares about that. It's not a metric. I mean, it's something you can throw on the dashboard, but how much risk did you actually mitigate?

Speaker 2:

And so, when you talk about investment, I want to invest into capabilities like that, macro category capabilities, and I think agility and adaptability is one of them. I think risk, just being able to measure risk, right. What is our ability to understand our risk posture on a continuous basis? I don't want to wait for an audit and I don't want to wait for the breach, right? Now, those are the two primary ways that we know about where we stand. A breach happens.

Speaker 2:

People go scrambling around. They go okay, this is how they got in, we'll make sure they never get in that way again. Right. And they just come around. They went through a door. Now they're going through a window. You close the window. They're going through a chimney.

Speaker 2:

Every environment is full of holes, going into the cloud. That didn't solve anything for people. The attack surface just became larger and different, right, but it didn't go away, right? You didn't just magically flip the button and go, okay, now we're in the cloud, now we're secure, because Microsoft is taking care of that, amazon is taking care of that. That's not how it works, right? You still own that risk, right, even though the environment is somewhere else, right? So how do you know what you know?

Speaker 2:

I think another metric that I want to like, another capability strategically I want to invest into, is integrity, confidence, right. How confident am I that when the question is asked, where do we stand, that my answer actually holds any water? Right? Because to me, most compliance programs which is basically the primary way that we know about where we stand with any level of integrity or confidence they're still built on opinion, not fact, because some analysts looked at it.

Speaker 2:

Some analysts looked at it, they made a decision based, hopefully, on data, but when you peel that onion, you look at what that data really is, it's opinions, it's opinions wrapped in opinions, stacked very high, and it's like that scene in The Big Short, right? You know, Ryan Gosling's character walks in and he's got that Jenga set. He opens it up and it's got all kinds of different bond ratings on it. He goes, these are all nonsense, right. Just because you stack them high, it didn't make it an asset. It's still a bunch of liabilities and a lot of them are bad, bad debts, right? Same thing. Most compliance and audit programs have built in opinions stacked very high and then we say, oh well, at some point it became a fact. No, it didn't, it's just a lot more opinions. It never became a fact. It never became a fact, right?

Speaker 2:

So to me, again, integrity, confidence, and how do we know what we know? Can I prove it credibly? The question that is framed now is not, can we prove it? The question that is framed now is, can we pass an audit? That's the question that's being asked of CISOs, of heads of risk, of IT. Right, that's not the question.

Speaker 2:

You can pass an audit. You can convince an auditor of, you know, pretty much anything, and guess what? You wind up with findings and they go, okay, we got a gap remediation plan and we're going to close it off. Or, if you know the government setting, you know you have a POA&M, right, a plan of action and milestones, and we're going to let that persist for some time. Every time between an audit and the next audit, that's that never-never land where bad things happen. That's that period of time where you don't know what's going on. Guess who does? The bad guys who are seeing the environment right now. Right, they know. So, collapsing that time difference, right, the delta is not between, you know, what we have now and what we need to fix to get to that next state, desirable state. The gap is between the reality and your perception. So I'm going to invest, as a CISO, strategically into closing the gap between what we believe we know and what's actually out there. There's your big takeaway right there.

Speaker 1:

Yeah, that is. That is big, so we're getting very meta here.

Speaker 2:

Yes, we are.

Speaker 1:

Yeah, and philosophical, and I think technical people shy away from the philosophical. You know philosophical.

Speaker 2:

At their own peril. At their own peril, yeah, then you become just another guy, who's, you know? You're just another keyboard warrior sitting there, you know, on your console's own tools. Look, I've walked into places in my advisory practice where folks haven't left in 25 years, right, and this isn't any knock on, you know, 10-year longevity, and sometimes, hey, you might love an environment and that's fine. But the problem is you get attached to tools and technologies and they become part of your identity. And here's something else that I want to air on. I just spoke to somebody about that recently, actually a Gartner analyst, at the Gartner Conference in DC, and she said something that I thought was really insightful. She focused on organizational leadership and those kinds of dynamics, right, and what you talked about is culture and the culture of complexity, and she talked about complexity as an attribute of someone's identity. So complexity as identity is kind of how I summarize it after we talked for about a half an hour. It's complexity.

Speaker 2:

I think a lot of folks in IT, and especially in security, but really in any tech field, they find their personal definition, their personal identity, in the complexity, right, in being competent to delve into that complexity, to solve those complex technical problems. And there's something that we call, you know, admiring the problem. There's that danger, right? You admire the complexity instead of trying to simplify, to really de-conflict all the different complexities and really focus on the mission, which is the end result. You know, you got to win, you got to get to that end goal. And when you're that deep in the technical weeds it's hard sometimes to see the forest for the trees. That's where leadership comes in. That's where having that great vision, the strategy, those organizing forces have to be in place. But unfortunately, how most folks get into the leadership echelon, right, within IT and especially in security, they get there by being really good on the technical front.

Speaker 1:

Yeah.

Speaker 2:

Right.

Speaker 1:

They have great technologists.

Speaker 2:

They're world-class technologists, but they're not great leaders, right? And I was recently asked just to comment on it. The SEC is actually coming out with a rule, a proposed rule, that says the boards of directors should have and demonstrate security expertise. And I kind of approached answering that question, it was for a reporter, the idea of, well, how do you think the market is going to respond to that, right? Is this valuable? And I think my answer is this, and I mean this is the answer I gave: there are two options. You turn board members into security experts, or you take security experts and you put them on the board.

Speaker 1:

Where do you land? Where do you land? What's the way you land? Where do you land, right?

Speaker 2:

So I have been a part of the efforts in the past where I've actually taught at like internal academies at large enterprises where the idea was let's take non-IT, non-security people and turn them into security people because, well, we already have them, they've got low tenure, they're not leaving, we can't fire them, we've got to do something with them.

Speaker 2:

So let's give them a path where they can get into a technical field and kind of stay with us for the next 10, 15 years. And, by the way, that's going to be a lot cheaper, to set up the class for the next six weeks, than to go hire somebody who's already a certified, trained, experienced professional. It sounds good on paper, but ultimately you've got somebody who's been, you know, working in a warehouse for the last 15 years and we're going to try to... Basically it's like that old, you know, "learn to code," right? You can try, but you can't replace, you know, 10 years of experience in six weeks. You just can't do that, right? So on paper it looks like you've got all this capability. In reality you don't, right? And then the flip side of that: okay, let's take a bunch of security professionals, reformed hackers, you know, developers, what have you, right?

Speaker 1:

And then turn them into leaders.

Speaker 2:

Yeah, let's send them to business school. Right, let's give them all MBAs. And I was asked about that. 10 years ago I was on some panel at a CISO event, in Dallas, I think, and somebody asked me exactly that question, like, do you think CISOs should demonstrate their, you know, their business acumen, you know, that they're actually a capable business performer, by going out and getting MBAs? And I've seen people do that. Right, we're not trying to check the box here. Right, the point is not to just go, oh, yep, yeah, they've got an MBA, okay, they're ready for their CISO spot.

Speaker 2:

We still have no real way of hiring for the job. Like, I know the questions to ask to hire a VP of marketing. I know the questions to ask to hire a CIO, CTO, really any C title. We have the metrics. You know, chief revenue officer, we know what that takes. Right, how many sales did you close? What was your close rate? Close rate, et cetera, et cetera. Right, you know, how did you build a pipeline? How long did it take you? How did you manage the team? Like, we have metrics for that. CISO, what's the metric? Did you or did you not get hacked in the last 24 months? That's not a metric.

Speaker 1:

A lot of times the question is how good are you at security? How much do you know about security? What does that?

Speaker 2:

even mean yeah, like you go through the security.

Speaker 1:

You go through something like the (ISC)² CISSP exam, and if you go on Reddit everybody's trading, you know, techniques for passing that exam, and you've got people now in droves who are passing that exam. This is what happens when you tell a bunch of technical people, and you say, look, if you want to get into management, you have to check a box. You have to do X, Y and Z. They're technical minds. They've gotten to where they are right now by consistently, in their lives, checking boxes.

Speaker 1:

I do this certification, I learned this thing, I learned about that code, I learned about this network, I learned about that tool. And you take that all the way to management, senior management. Then you say, okay, there's a CISO position open. Whoever can check the MBA box is going to be the next CISO. They can all do it. They're very good at it. They're very good at checking boxes. So I've seen maybe a couple of companies do this, I don't know how you feel about this, but not selecting CISOs from the security organization at all, but from the business, and it would be a CIO from another company, maybe a smaller company, or, yeah, maybe a smaller or larger company, I guess the size doesn't really matter, and they bring a CIO over. I've seen companies bring over somebody from marketing into security, because what you need at that point is probably leadership skills, communication skills. You need to understand what security does, but you don't really need to understand what it does.

Speaker 1:

You need to understand the end goal of security, which is a business discussion, and then you have to be able to manage the people who are much smarter than you, and then, at that point, those people shine, because now they have a leader who is strategic and understands what direction the company is going in with regards to security and as a whole.

Speaker 2:

I agree with you, I think I mean I've seen that happen before. I've worked in places and I have advised in places where, yeah, they've taken that route. We basically said, look, we need a VP level person to take over this and we have a spare VP who may have done some technology projects or not necessarily security professional and actually using that as a forcing function to get the abstraction to happen, to abstract from the technology and really use that person as kind of a translating layer between the security tech and all the gobbledygook that nobody can understand and then be able to communicate to the upper leadership because they simply don't know how to talk that lingo. Now, the problem with that from a leadership and organizational perspective is credibility, right, that person like that might have a lot of credibility with the upper leadership walking in the door, but they're going to have a tough time bridging the gap with their underlings, right.

Speaker 1:

Does it matter? It's not very specific about the next challenge, right, yeah.

Speaker 2:

And so, I mean, look, we've all been there. Security people want to talk to security people and they want to talk that lingo and they want to feel like they can just use the shorthand, use the acronyms, throw all that technology out there. And again, it's that complexity, right, complexity as identity. So you have to make that transition in your mind, and so a lot of that you have to invest in. So, again, talking about investments, right, if you can invest into strategic thinking, critical thinking, I mean it sounds, again, like you said, like a lot of people don't like to talk about that. They want to talk about the tech, the tools, the complexity, the technology, all those challenges. That's what they want to focus on, because that's where they shine, right.

Speaker 2:

It's a tough ask for somebody to basically say, look, I've spent the last 20 years being a chemical engineer and I'm a leader. Now I have to kind of leave that behind, not get my hands dirty, not jump in there and actually do the work after thinking about it from a macro perspective. And so I've seen some organizations spend the time to invest into that and not just kind of like, hey, we're going to pay for your executive MBA, go off for six months and go do that, or, you know, go take some time, 10 hours a week, and do that over the next two years. It can be the model, right, and I think that's helpful for somebody to remain embedded in an organization while they're still kind of understanding, gaining that perspective, that strategic perspective. I think that's a good model.

Speaker 2:

But ultimately, what you're asking of... you're not asking for somebody to just flip that switch, because it's impossible, right, and you also can't just hire for that, because we already have enough of a problem with that. We can't get enough people, especially at the leadership level. CISOs are saying they don't want the job anymore. Why? Because those metrics are not well defined. The performance metrics, like, well, you know, did we not get hacked? Did we or did we not pass an audit? Like we...

Speaker 1:

You're set up for failure.

Speaker 2:

Exactly. Right. So I mean, still, still, years later, we still have the tenure average, tenure average for CISOs, like 18 to 24 months. They just flip, flip, flip, right. So we need to get better as CISOs, as leaders, as security professionals, at doing that abstraction in our heads and going, yeah, I know where this fits and I know how it works, but I need to look at the entire picture, not the individual puzzle pieces. Right, you know, you need to... I mean, yes, you should understand and have awareness of how those pieces work, to a certain degree, and, depending on your background, you might have more depth or less depth in a particular category or layer, right? But ultimately, it's about building that puzzle together so you can see what the actual picture is. Right, I mean, it's a classic problem of strategy, right? Can you see that end state? Can you visualize it in your head? Can you? Right? At the same time, right, it's not a one-dimensional thing. Right, it's not even two-dimensional, it's multi-dimensional. You've got all these different things coming in. When you look at the kind of classic view of enterprise architecture, enterprise security architecture, it's actually a cube, it's got intersecting things, and you look within that. A tesseract, even. It's a tesseract, exactly, exactly. It's like Interstellar, right, it's actually unfolding onto itself and you try to navigate that. And the thing is that I think that's an apt analogy too, right, it's about time. People tend to navigate that tesseract in their mind, right, strictly from our perspective of the here and now, and most often looking at the past, especially if we put on the compliance lens or the audit lens. You're looking backwards, by definition, simply because you can't get that data into being real time. It's just too much. And again, most of it is manually collected: data calls, people getting on the phone begging for data from system owners, et cetera. 
Right, and so you've got the ISOs basically acting like human fax machines, pulling that data together. They can't pull it fast enough.

Speaker 2:

Look at a combat ship. They have something called the CIC, the Combat Information Center. That's the nerve center of the ship. That's not up on the bridge, it's in the belly of the beast, right, it's inside. It's three decks down. That's where all the wires go in, that's where all the fiber goes in. That's where all the telemetry comes in, from the satellites, from the ship itself, from all the sensors and so on. All that data comes in there so they can make those decisions. For us in security, that place is the SOC, the Security Operations Center. Now they have the NSOCs, or whatever, where they combine NOC and SOC, network operations center and security operations center, together. Right, we don't have that for risk. Where's the SOC for risk? Where's the ROC? Where's the risk operations center? Right, where's the compliance operations center?

Speaker 1:

Somebody might say the GRC team is, you know, but the ones that are running around trying to make sure that the auditor gets everything they need. That is sort of the risk SOC. I mean it's a-.

Speaker 2:

Yeah, except they're running around collecting data from, you know... by the time they get the data to them, it's been days, weeks, months, and, let's not forget, audit looks backwards across that audit period. Right, you're capturing that past date, and once you set that stake in the ground, you take that snapshot, using the audit. Right, you take that snapshot, you have an assessment based on that same framework or model or standard. You got to take another snapshot at some point in time later, like another year from now, two years from now. You know, in the federal government, in ATO, authority to operate, that's three years for a system. So once the system's been authorized into production, you've got three years. Yeah, you have to come back around and, like, you know, look at it every year, but not to that level of depth, right. You have to basically reauthorize. Now even the federal government has gotten hip to it. Right, they understood, like, but what happens in the middle? What happens between the snapshots? That's the no man's land, that's the place where the bad guys operate. You know, you've got that dark, that fog of war that obscures everything between those periods, because the only time you look at it is during the audit, right? So they're going to something called cATO, which is continuous authority to operate, where you actually are collecting telemetry. That's kind of the most evolved level within sort of that audit and authorization sphere. You're collecting real time, you're always checking on these controls, you're always understanding what's going on, right. So you have that visibility, but you also have the timeliness. It's in the current state, so you're capturing current state. You're making decisions in the here and now, right. 
The value of us sitting around looking at an audit report that captures data from last year or two or three, and trying to make decisions about the next year or two or three, I think the value is just not there, and I think the breach statistics reflect that.

Speaker 2:

Because we keep doing audits. We... I mean the frameworks, plenty to choose from. You know, it's like Oprah. You know, you get a framework and you get a framework and you get a standard, right. There's plenty of that. We don't have any shortage of consistency. We don't have any shortage of frameworks. We don't have any shortage of knowing how to secure environments. There's no mystery there. Everybody knows. The missing piece is it's not happening in real time. If we can close that gap... So again, investment, right. So when I talk about investing strategically, I want to invest into timeliness, I want current state. So how do I close the gap on my horizon, my time horizon, for knowing what I know? And then the inherent question in that is, how do I know what I know? So it's trust and it's time. These are the two pillars.

Speaker 2:

If you can boil down all of the conversations... So somebody, hey, you know, your executive flew in from some conference and they read some brochure on the plane, like the classic, like, oh my God, this is the latest thing, let's go buy that. Do we have that? You've gotten those phone calls before, right? You know, Tuesday afternoon, mad scramble. Do we have magic solution X? Oh, why don't we? We need to invest into SOAR, we need to invest into XDR, name it. I mean, it's the technology du jour, right? Whatever the latest trend, we've got to capture it. Do we have... I've actually had this call. Somebody called up and said, oh my God, do we have blockchain? Like, what does that even mean? I'm like, do we have blockchain? Everybody has blockchain. It's blockchain, it's everywhere. They're like, no, but do we have it?

Speaker 1:

Like do we have the internet?

Speaker 2:

I don't even understand the nature of the question, right. And the question was, can I, as a leader of this environment, demonstrate that I'm hip to the latest trends, that we're on trend or on topic, that we get what's going on? We're right in the latest wave. And we had to go basically sit somebody down and explain what blockchain is, and literally have a whiteboard session for 10 minutes to explain, and literally in the middle of it, somebody said, hang on a second, but where's the database? Where's the database layer? We're like, the whole thing is a database. It's a distributed database. So these are the kinds of wacky things that we've gotten into over the last, you know, 25, 30 years that I've been in this game, right? So it gets us away from that conversation, which stops.

Speaker 2:

The question to ask is, how will this increase or decrease or, let's say, impact... how will this improve our visibility, and what will it do to close the gap between what we believe we know and what we actually know, so trust and confidence, and, on the other hand, how will it make it timely? So how will we close the gap between the time that something fails, breaks or goes awry and the time that we find out? Right? So it's like in the incident response world, we call it MTTR, right, or MTTD, right. Like mean time to detect and then mean time to resolve, right. So mean time to detect: something happened, we didn't know about it. Or also dwell time, right, you know, how long has somebody been in my environment that I didn't know about? Used to be like 260 days, now it's down to like 44 days, depending on what kind of tech you use, right. So closing that gap even further. So we use all these great metrics, we understand time. The temporal dimension is very much alive and well on the incident response side. We get that. Security operations totally gets that. They live by those metrics.

Speaker 2:

But on the risk side it's like, well, that POA&M is sitting out there. You know, we've had some findings. The audit's in the room. So good, okay, it's a compliance problem, it's an audit problem, right, because ultimately it doesn't mean... nobody's understanding, nobody's connecting the line between. It's a failed control, which means it's a vulnerability. Like, you would never let a system sit unpatched for two years. If you knew what you were doing, right, you'd never let that go. Right. But with a control failure, oh yeah, you know, we didn't capture it. Oh yeah, we'll fix it, we'll get around to it. Right, it's risk. That failed control is a risk, and it's risk at a macro level.

Speaker 2:

And, by the way, you want to talk about abstraction, you want to talk about investment, you want to talk about strategy: instead of saying, hey, we have a bug that we need to patch on system X for operating system Y, right, and it's some CVE number blah, right, and it's going to be exploited by this, you know, Fancy Bear or Honey Bear or, I don't know, Slimy Lizard, whatever they're going to be, the latest threat actor, they get a name. Right, that's all cool. It sounds really cool, because, you know, you sound like you're a spy and an intel operative and you're throwing out all these acronyms and all these cool code names, and, you know, you feel like you're in a Tom Clancy novel. Yeah, all that is fine and well, but guess what? We're talking about a category of risk. Right, we could talk about a category of risk that's represented by a control category like, oh, I don't know, account management. Our account management is decayed by 37% because this particular technology is malfunctioning, poorly designed, poorly implemented, poorly managed, et cetera.

Speaker 1:

That's a conversation we can have. So that is the clip right there. I don't want to gloss over that. That is what a good security team does. Is they say that this thing in account management is broken because this thing in security or IT or whatever isn't in place? It's not. We need a blah blah, blah, blah, blah blah. We need this, this, this. No, we don't talk about the tools.

Speaker 1:

Look, you are not going to get your books right if we don't spend X amount of dollars on this risk. And so the trick, though, is how do you prove that? Coming back to reality versus perception, how do you prove that a risk that you've identified is really a risk? Let's say that you understand it is timely, the data is in real time, it's supported by historical data, everything is set up, but it hasn't happened yet. It's like convincing somebody that they're going to get hit by a bus tomorrow. An actuary can say look, statistically, you're going to die in the next 10 years. Good luck convincing that person to not go on vacation one day before they're supposed to die. So how do you suppose that we, even with good data and good risk practices, communicate that risk to the business?

Speaker 2:

It's the culture of risk and culture of risk management. What the company culture is is going to determine a lot of that. So when we talk about risk appetite, I've talked to a lot of executives out there, and I've advised them, and I've been them, where you ask, well, what is our risk appetite? And people kind of go, hmm, I just don't know. We don't even know how to approach that conversation. It's hard for folks to... I mean, look, I've seen people do surveys. They literally send out a survey every quarter and they go, I want every VP or senior VP or head of business division to tell me what are their top 10 prevalent risks that they perceive. It's a very opinion-based exercise. And then, okay, so let's say we've captured that, we put it in a risk register, or maybe you have a treatment plan across those, maybe we've kind of reconciled them and maybe there's some overlap there. Okay, so let's say we came up with 47 top risks that we need to worry about. Sounds good to me, but that's again, it's inconclusive, it's not...

Speaker 2:

How do you get buy-in to actually do something about it? And really, when we look at, you know, John Kotter's model of organizational change leadership, you know, sense of urgency is really important. And so you have to build a coalition, you have to get people on board, you have to have your champions, you have to get kind of a critical mass of people who get it, and you got to make sure they're in a position of trust and they're in a position of influence. And they may or may not be a person with a title. They actually may be a person who just happens to be kind of the center of gravity for a particular division or department or function, and there's somebody that's looked to, there's somebody that's trusted. You know, I saw this psychological exercise that was done, and it's actually a tool, right. You do conversational traffic analysis, kind of like you do on the network, but you do it for people speaking at a table, and so what they...

Speaker 2:

I've been through that personally myself. I actually went to a training class of some length and we were on camera. They were watching us talking, and then the and these were industrial psychologists and then, you know, we'd go off to dinner and drinks and they would sit there and debrief the day's events and they would actually look and see who was talking to whom. And that's that's what you want to see Like. You want to see who is the most deferred to person and who is the influential person in the room. In the room being virtual, right, you know, could be department, could be division, could be a company, and so they may or may not be the highest ranked person. It could be the person who's been there the longest, or it could be the person who's there, who's the most capable, who's the most trusted, because they've solved many problems before. So you capture those kinds of minds right. So you, you don't have to kind of hug the entire world all at once. You have to find your, find your tribe. You have to find the people who actually care about the problem, get them to care about the problem, and once you've built that coalition, you create that sense of urgency. And sense of urgency Well, guess what?

Speaker 2:

You've got regulatory oversight. You've got the SEC enforcing left and right, you've got the FTC basically governing by precedent. Also, they're kind of expanding their sphere of influence within cyber because they look at consumer protection; the SEC, looking into protecting investors, increase transparency, make sure that cyber is part of the conversation that investors actually are considering when they make investments or pass on investments. Hasn't happened.

Speaker 2:

The market has not really been able to price cyber risk into the price of securities. It's getting a little better. We've seen, actually, and I think that's positive. I mean, it's negative for the shareholders, right, the companies get breached and their shareholder value goes down. But from the perspective of trying to get to a better, smarter, more transparent market that is actually influenced by these choices, that might drive better behaviors for companies, better investment into cybersecurity, I think from that perspective it's a good thing that we're seeing actually depressed stock values for NASDAQ companies that have been studied, but they saw their securities underpriced by about, I think, 12 to 50% over the period of the next two to three years, so following a major breach that's been publicized. So now we actually have the data. We can actually go to the board and say, look, this is what happens, and these folks, that's all they live and die by. What's the stock price? Can I show how much we gained or lost over the last two, three years of my tenure as a CEO, as the president, chairman of the board, et cetera? We can show them the data, right. So you can go very high level. You can boil that down and you can get down to the level of a single control. You can say, look, we have some opportunities in this particular category of risk. We have a near-term, let's call it low-hanging fruit. If we hit that, well, let's say a treatment of a million and a half, it would give us an increase of 50% across this critical category. Right.

Speaker 2:

And whatever framework you use, you know, NIST, FISMA, you know, PCI DSS, ISO 27001, it doesn't matter, right, there's plenty of frameworks. You can show that across those frameworks by mapping those technologies to those controls. Right, we don't have to reinvent that wheel, it's been invented. We have spent the last three, four decades inventing these standards and frameworks. Like, we don't have to figure it out, it's all there. So when you say, hey, what happens if I buy more X? Well, you abstract one layer. You go, well, it's getting increased capability in this area. Well, to your point, right, but how do I make sure people know that that capability is important? Well, because it's on that framework, right. And if you go, okay, well, it's my SANS/CIS top 10 controls, whatever, right, fine.

Speaker 2:

So whatever you choose to follow as a guideline for getting better and understanding your environment better, getting to that risk posture state that you want to be in, whatever the money, as long as it's consistent. I mean a lot of it we don't determine, right, a lot of it is going to be passed down to us. You know you operate in a particular market. That's the regulatory framework you have to operate under. You're a public company, sec, you've got consumer facing stuff, ftc, et cetera, et cetera and so on. Right, so some things are mandated. But when you look at, like, what's my security strategy, governed by, people typically go oh well, we're not going to build to compliance because that's just the lowest possible threshold. No, it's not right. It doesn't mean you pick every control and maximize it. That's impossible. Right, but as long as you know to a level of confidence, and you know what the confidence level is, right, then you can use compliance as a prism to look through and look at your environment, understand what's going on right and then map that path to a better state. Right. So to me that's the language. So I think compliance, if you can synonymize compliance and risk, you can make that mental connection happen in your environment, in your organization. You can get people to understand that compliance is not just a historical reporting tool but could actually be a model, a vehicle for real-time risk management, proactive risk management, if you can make that happen. Again, investment area, trust time if you can invest into that and you can demonstrate that, let's say, a $5 million investment is going to increase availability credibility.

Speaker 2:

By the way, let's talk about things like audit-proofing. Right, you kind of start to audit-proof your environment. Audit readiness that's a thing. Somebody comes around, let's say, I'll give you an example. This is from my personal practice.

Speaker 2:

An environment suffered a breach, and a company that they were partnering with basically said, we can't do business with you because, well, we don't trust you anymore. They're like, hang on a second, but we're operating... our contract requires us to pass an audit. We passed an audit. We did it nine months ago. Yeah, but you got breached last week and you're about to ship me like $50 million worth of product and services and I can't, because I have people to answer to. Right? So now $50 million is on hold, even though they've done business for like a decade. So this isn't hypothetical anymore, right? So now you're scrambling around as the CISO of that environment, of the supplier, going, okay, but, like, so they don't accept the audit anymore, because they basically aren't validating the findings of the audit, because they think that's bogus, because clearly you got audited, you passed, but then you got breached.

Speaker 2:

We're good, yeah. What is the audit? Yeah, of what value is the audit, if it's not actually demonstrating... And here's a little news flash. Audits are not perfect, and by their very nature you have to sort of sample across the environment. Look, I've been an auditor. I'm still legally a certified auditor.

Speaker 2:

You walk into a place and they go, we have 2,000 line-of-business applications. I've got two weeks on site. I've got a team. Sure, yeah, but I mean, you expect me to look at every application? No, we're gonna sample systems. Same thing we're gonna have... we have to do a sampling run. We're gonna figure out which systems are representative in that sample. But, you know, I'm not a statistician. We're gonna do the best we can, right, but we got to rely heavily on the client to tell us what is their representative set. So let's say, okay, they gave me, out of 2,000 applications, they gave me 150. Again, I'm not a software guy, I'm not gonna dig in there. We're gonna ask about controls. Again, I'm relying on their opinion of their own systems, which of course is already biased. It's predicated on some level of, you know, fear, and, you know, they're not gonna tell me these systems suck. I think they try to kind of sugarcoat it to the degree that they can.

Speaker 2:

And so I'm relying... So again, opinion, opinion, opinion, right. So audits are based on opinion. They're based on a sub-sample, you know, sub-sampling of the environment. You're trying to infer, right. I'm not answering, credibly, about every single system, every single application, every piece of data, every data storage, every user account. We can't, right. So the value of an audit, from that perspective, like, we're just trying to manage risk, we're trying to infer where somebody stands, but ultimately you don't know, you can't guarantee it, right. Every audit, you know, it's predicated... I mean, that's a disclaimer out front: we only saw this sub-scope of the environment, to the best of our ability, and, you know, we've done due diligence, but ultimately, you know, we can't guarantee, right. So that's the situation you wind up in. Like, here's an audit, you passed it, you still got breached. Now we can't do business with you. What are you gonna do?

Speaker 2:

And that's where the question of audit readiness comes in. How quickly can I go and reassess what I need to reassess to increase the confidence, or regain the confidence, of my customers, partners, etc., or regulators, for that matter, right? Colonial Pipeline. And the guys sat there and said, "Oh well, at least we didn't have password one-two-three on our VPN," and they were waving their compliance report from a year ago. Okay, you still got breached. It means nothing, right? So unless you're actually managing risk in real time and doing, basically, compliance in real time, you've got to compress that gap, that time gap, right? The confidence gap and the time gap. Compress those two; invest in that. Every time somebody says, "Hey, let's invest in something," these are the litmus tests that I'd be testing against, right? To me, those are the questions I want to ask. Is it gonna increase my trust and confidence? Is it gonna compress my time gap? Everything else is, you know, small potatoes.

Speaker 1:

I want to close the show with some questions about the SEC ruling that I think goes into effect in October, although they keep pushing it back. How is Qmulos preparing for the SEC rulings once companies are forced to comply?

Speaker 2:

Well, to your point, right, you know, we don't know about the timeline. Hopefully... I mean, they've been pushing it back. So the rule that I'm particularly focusing on: there's something called Regulation S-K, and Item 407(j), I believe, is what they wanted to add, and this is exactly the thing that we talked about before. So the board of directors needs to demonstrate capability from a cybersecurity perspective. Interestingly, small aside, and more of a legal thing, but they are carving out what they call a safe harbor under Section 11 of the Securities Act. So what does that mean? Under Section 11 there's something called an expert definition. So if somebody is, like, an engineer or a doctor, etc., right, their opinion is valued more by the marketplace, and so investors might give it more weight. And therefore, if you have somebody like that on the board of directors and they make a statement on behalf of the company, investors might rely on it more and give it more weight, and then make investment decisions that are predicated on that perception, right? So the SEC is purposefully carving out and saying: even though you might be qualified as a cybersecurity expert for the purposes of Item 407(j), that does not translate over to you becoming an expert under Section 11.

Speaker 2:

So what does that mean, right? So, let's say... and the companies were kind of... I think that was part of the public comment: so many companies feared that, well, okay, we'll hire a CISO, and now he or she sits on the board and we make statements. We say, like, you know, we're investing in security and we're a secure company, blah, blah, blah. Investors invest. They say, okay, well, yeah, I believe this company is in a good spot. And then they get breached. And now you've got shareholder lawsuits, right? Because, basically, what are we talking about? You are an expert. That was supposed to be truthful.

Speaker 2:

So what I think, like I said, you know, there's two options, right? You hire experts, security experts, and get them onto the board, or you have sitting board members and you turn them into security experts, right? But there is a provision. So, literally, the second line in that proposed Item 407, subsection (j), is cyber... is a Sh... So, yes, it's the exam, right? You have to have, you know, six domains of knowledge and significant experience. But I think you will probably see some kind of an executive cyber MBA type program. I'm sure it's gonna get offered out there. You know, colleges tend to be pretty innovative that way, trying to capture those training dollars from the corporate sphere. That's probably the way it's gonna go.

Speaker 1:

That's... that was what my... I graduated, maybe, I don't want to say when I graduated with my master's, sometime, in MIS, but that's what my master's in MIS was supposed to be. It's a master's in MIS, and the school that I went to had a cybersecurity, they call it information assurance, yeah, concentration, and so that was what they were carving out. They hadn't quite reached that goal, but, to your point, yes, schools are definitely going in that direction. I'd love for them to have a full-blown MBA with cybersecurity tacked on, which, ultimately, is kind of like what I did, but in a more formal fashion would be nice.

Speaker 2:

I mean, there are programs out there already. I mean, if you look, Harvard, MIT, Stanford, a lot of, like, you know, top-tier colleges and universities out there are already offering programs for, kind of like, existing leaders to become more cyber-aware. Will that qualify? Because the SEC is not defining what they consider to be expertise. They're giving some guidance, but they're specifically saying, we're not gonna tell you exactly; it's all gonna be sort of subjective. So I think what the SEC has shown so far is that their enforcement arm is getting stiffer and stiffer. They're getting a lot more onerous and a lot more...

Speaker 2:

You know, there's a lot more scrutiny being applied. They are looking at controls, they're looking at transparency, of course. I mean, the whole point of this is trying to ensure transparency: that the companies are disclosing not just incidents but also where they stand proactively on their security posture. And I think, again, we're gonna have to get into the conversation about confidence. You know, when the board members or the CEO or the chairman of the board, when their hand hovers over that dotted line, when they're signing off on those controls at the end of the quarter and the year, you know, the 10-Q, the 10-K, they have to wonder, right? You know, they have to wonder, because they can't put a disclaimer like the auditor did, right? "Well, to the best of our knowledge and ability, and based on a sub-scope of this environment..." No, you're answering for everything.

Speaker 2:

Exactly, and you're personally responsible, right? You know, people focus on, like, Sarbanes-Oxley Section 404. That's kind of when we started, after the Enrons and the WorldComs, etc., the telecom disaster, right? But the other section is Section 302, which is personal accountability. So when you sign off on those controls, you're personally accountable, and now criminally so, right? And the SEC is now mincing no words with that either. You lie about your control posture, and people make decisions based on that, and then you lose shareholder money: you're gonna be responsible. You go to jail. You're not getting, you know, the cushy golden parachute; you go to jail, right?

Speaker 2:

So I was... Enron, exactly. So you have to... I mean, I'm gonna reiterate that again, and that's gonna be my parting thought here, I guess: trust, confidence, right? What is your confidence in what you believe you know about the state of your compliance program? Because compliance is your lens. This is how you tell where your controls are and where they aren't, right? So I think: increasing confidence, asking those questions. If I had that seat right now, I would be really worried about where I stand.

Speaker 2:

So, from... You mentioned Qmulos, right? Qmulos has been thinking about that for over a decade. That's what we built our platform on, that's what we built our strategy on, and that's why there's compliance strategy here at Qmulos. So that's exactly the kind of thing I love to talk about, because, you know, that's the question we're trying to answer every time. And for us, again, it's reducing the reliance on opinion and maximizing your reliance on facts, and turning your compliance, risk, and security management from an opinion-based exercise into an evidence-based exercise. And, again, evidence-based is something that, you know, they use in medicine a lot.

Speaker 2:

When we made that transition in medicine from kind of opinion-based, "Well, you know, this sounds like best practice, let's do that and kind of hope for the best," to really evidence-based, that's a recent thing. For thousands of years, for millennia, medicine was kind of all, "Let's poke the guy and see what happens," right? We made it. Now it's really more science than art. That's what we're trying to do for risk and compliance and security management: make it evidence-based, reduce the reliance on opinions. Those are the questions you have to ask.

Speaker 1:

Igor Volovich, everybody. Drop the mic. That was great, Igor. I really appreciate you being here and doing this, taking time out of your busy schedule. How can people find you if they would like to get a hold of you?

Speaker 2:

So I'm on Twitter at CyberIgor, I-G-R. I am on LinkedIn, very active there, so find me there: Igor Volovich, V-O-L-O-V-I-C-H. And it's Qmulos, qmulos.com, and we are a compliance automation company, and we're the converged continuous compliance innovator. That's what we brought to market years ago and that's what we continue to evangelize.

Speaker 1:

And this is Security Market Watch. Thanks, everybody, for tuning in. See you next time. Bye. Thanks for having me on.

Compliance Strategy
Redefining Compliance
Investing Strategically in Cybersecurity Capabilities
Security Experts in Leadership Roles
Leadership and Communication in Security
Understanding and Communicating Risk and Compliance
Preparing for SEC Cyber Security Rules