And hopefully we should be joined again by a OID online. Yes. On cue. There he is. So, security governance and risk management, GRM, has finally made it onto the boardroom agenda. But the question that we're going to be debating today is: what is the best way of presenting GRM progress to the board, and how do you balance keeping stakeholders happy with presenting the undiluted truth and risk profile?
So to give us some insights into these rather thorny issues, we welcome back Nimrod Vax, and he's joined by Oliver Carr and Tom Langford. Could you guys just give a brief introduction to yourselves and your sort of statement on the topic? We'll maybe start with you, Oliver, because you were the inspiration for this topic. Okay.
Thank you very much. Yeah. My name's Oliver Carr. I've been in the cybersecurity field for longer than I care to remember. I've spent the last four or five years working with large global organizations in security, risk and compliance during major upheavals, both in digital transformation and with all of the attacks that have been incoming, that we all know about, in the last five years. And the question has always been, how do I justify what I'm doing with my security, risk and compliance department?
And how do I make sure that, on the one side, we're addressing the right things, and on the other side, that I still have a budget next year? And I also know that Tom has many, many years' experience in IT. So what's your perspective?
Yeah, my name's Tom Langford. I'm a recovering CSO and run my own consultancy, and now work in security advocacy. My view on governance and risk and compliance, et cetera, is that it's about being able to evidence value for money effectively: that actually you are doing the right things for the right reasons. From a governance perspective, that you may be invested in technology, be that security or IT or whatever; from a risk perspective, that you are actually trying to reduce your risk attack surface,
so as to not spend money when you need to; and from a compliance perspective, that actually you are reducing your risk profile from litigation and from, you know, any kind of pushback on you doing the right thing in the first place. So for me, in the average organization, it comes down to ensuring you are showing value for money and that your investments are in the right place. Thanks.
And you, we've heard from you earlier on identity and so on, but in this area, what has your experience been, and what's your high-level take? Yeah.
So I'm a product guy, right? So I could give you the perspective of our product and our customers, right? And over the years, we've seen how our customers justify the investment in automation and data discovery. Essentially, I believe that data is one of the most important assets you are trying to protect in your governance and security program. Essentially, the data is the lifeblood of your business. It is also very sensitive and holds some of your most intimate secrets in your organization.
And therefore a lot of our security and governance and risk programs are really built around the data. And again, naturally, I'm speaking about data because data is at the heart of our product as well.
And so I would say a couple of things that are very, very important. First of all, when we looked at our initial customers, and today as well, and how they've justified and positioned their security and risk profile, it was really about how critical data protection is for the brand and protecting them from losing potential customers. And that has always been the fundamental driver that really gained the most traction with our customers: the bigger the brand, the more concerns there were about losing data and breaches.
And so that's the driver. The other aspect of it is really making that process data-driven: relying on actual data, and not on opinions and surveys and interviews, but actual data; making it actionable, so that you can actually take actions in order to reduce the risk, because just flagging the risk is not enough, so what actions do you need to take in order to be able to reduce the risk; and sustainable, so that you could do it again and again and again in a cost-effective manner, and this is achieved through automation.
So those are the three main principles that we see our successful customers taking in that context. Okay. So now, to try and spend as much time as possible on the topic, tell me: okay, now we've got GRM onto the agenda, but the question is, how do you keep it there? How do you remain relevant, and how do you remain believable?
Well, I think there's a bit of a problem that we have as an industry, in that we've been spending the last 25 years crying wolf. We've been saying the sky is about to fall, and there are more and more threats coming in every single day. And in many, many cases, the boards are skeptical every single time the CISO comes in; they know exactly what they're going to say, which is, look, here's the next big attack, please give me another 10 million so that I can approach it. And to be honest, I don't think they're buying it anymore.
So I think, as Thomas was pointing out just now, we need to make it relevant to what it is that the organization is actually doing. And to do that, we need to understand what it is that our board sees as relevant and how they measure that relevance for themselves, and then talk in their terms rather than the latest risk indicators or KPIs that we've dreamt up ourselves.
Yeah, I would take it in two different directions on that. Firstly, I think what CISOs and many sort of junior C-level execs fail to do is something basic, like read the company report, attend an earnings call, because without that, you don't actually know what the business is about, what the priorities of the business are.
And, you know, given that we as security professionals think that the world revolves around us, we end up getting caught up in this little bubble where what we've got to say is what's most important, and anybody who doesn't listen is an idiot, and that doesn't sit particularly well with boards. And that then leads me to the second point, which is, again, historically CISOs have come from technology backgrounds.
You sometimes, rarely, but sometimes, get them from other backgrounds, consulting, et cetera, but generally technology backgrounds, not known for our creativity and for our ability to look outside of the box we often find ourselves living in. And I think if we were actually able to, one, take the data that we had from the company report and that information we had, and then, two, start to create some compelling storylines, some compelling facts about our business, we might actually get a better chance of speaking to the board on their level.
And if your first meeting with them is more than five slides, for instance, you've probably got too much. If all your reporting is metrics, that's not going to be interesting enough; if all you're talking about is TLAs, three-letter acronyms, and KPIs, et cetera, that's not going to do it either. And I think we have to make that move from being sort of heads of departments into actually security leadership, where we're doing something different.
And if I may add to that, talking about the question of how do I stay relevant: each time that you go in there, you need to know what is on their mind right now, and talk to that, and not to what we were talking about when I was in here two months ago. Yes.
I think, you know, I was often asked what my job was as a CISO. And I used to joke at first, because it kind of was true, oh, it's just PowerPoint and politics now. And then towards the end of my stint, when people asked me what my job was, I would very clearly say it's PowerPoint and politics, because that's what actually keeps companies moving. And if you were to take it in a slightly more serious tone, my job was not to make the company the most secure company.
My job was to help the company sell its products, be that widgets, be that services, be that whatever it may be. If we're lucky, my job was not to make it secure, but by helping the company sell more stuff through the judicious use of security, then actually we get back into the value for money, relevancy, them actually being interested in what I've got to say and how it contributes to that bigger picture. So now, Thomas, it's like just presenting data and metrics by itself is
not the be-all and end-all, but in your experience, what kinds of interaction have you had with IT professionals in helping them to foster this engagement and to make it relevant? And so what do you find is the most useful type of engagement and useful data?
Yeah, so in our experience with our customers, first of all, I want to relate back to the boardroom discussions, and the comments on the boardroom discussions are very true. I would even say one slide. If you have time to present one slide, you're lucky, because even in a small company like BigID, it gets very, very tight in terms of the time for people to speak, and definitely focus on what are the topics of discussion in this specific board meeting and how security aligns with those goals.
Because everybody assumes that the day-to-day is already taken care of, and definitely at the board level. So focus on: your company is investing in cloud, what are you doing in that area? Your company is launching a new product, what are the elements or aspects of security? So I completely agree with that.
And you know, when we sit in our board, those are definitely the things we want to hear relating to our customers and how they reflect, because a lot of our customers invest in BigID because of board-level visibility required into privacy and data protection. Boards are concerned about the breaches, and they're concerned mostly about the impact to the brand, as I said, and the risk of losing customers. And so showing metrics, or impact on those metrics, is important in justifying the budget for it.
The other metric that we see, and maybe it's not necessarily at the board level but more at the operational executive level, is remediation progress over time, right? So you want to be able to show, over the course of time, how your security program is effective, right? It starts with the definition of your policies, assuming that very early on, as you join the organization or start your program, you have very clear policies; then the discovery of these risks, which in our case is typically data risk, so sensitive data, financial data, high-value data.
The next step is starting to remediate over time. And so you want to show how those risks are improving over time. And those risks typically are measured at the file level, at the data source level. So you want to show over time how this risk and the number of findings are reduced. And finally, you want to be able to drill down to the line of business, to the business owners, because they need to be made accountable for that. Okay.
For remediation. Okay. So there was a whole lot in there. I know that Tom wanted to jump in with a point, and I think Oliver also wants to come back. Yeah.
I think metrics are all well and good. And, you know, metrics and data are foundational to a lot of decision-making. I think when it comes to reporting on your GRC programs, or in this case GRM programs, I guess, if you rely wholly on metrics, you're going to get lost in the weeds, and the board, the executives, are not going to be interested. It's a bit like saying, you know, we had 30,000 vulnerabilities a year ago.
Here's a graph, and we've now got 2,000 vulnerabilities. Okay.
So what? You know, what does that mean? We've got less of that. Great.
You know, what are the implications of that? You shouldn't be presenting charts. It should be: we have reduced cost, our risk profile has reduced because of... Actually take it to the next level, because then you also have the data if they wish to drill down further. Obviously they have to take what you are saying at face value; you are the expert in the room, although they will do their very best to make you not feel like it.
But having that data behind what you are presenting is very important. If all you are showing is data, that means you've actually shown a complete lack of creativity, lack of connection to the business, and lack of understanding as to what the board is there trying to achieve. And there's actually a very interesting report that came out recently by McKinsey that actually does underline this:
if you're still in the space of building your cybersecurity maturity and reporting on that, then you are probably not at the front of the game. The front of the game today is doing exactly as Tom just said: putting it into risk, and risk not just from a threat perspective, but also from an opportunity perspective for the board, because that is the language that they're speaking.
And then we get away from "this was my three-year plan to solve all our security problems" over to "this is the three-month plan to get us to achieving those quarter results that the organization needs". The other interesting thing, though, as well, is how do we deal, Tom, perhaps giving this back to you?
How do we deal with this sort of sensationalism that we have today? Because the boards just see what is written in the Financial Times, or whatever the newspaper is that they read where you are at home, and it's the next big breach and the next big breach and the next big breach. And we all know, as we sit here in this virtual room, that actually what needs to be addressed are the topics we've been talking about for the last 15 years, which is: get your patch management right, get your identity and access management right, get your supply chain right.
And then at least half of those problems go away. Yeah, absolutely.
And I will absolutely follow up on that. And I want to pick up on your three-month plan, as it were, versus your three-year plan. There's both good and bad to that sort of thing.
I liken it to being the manager of a football club in the Premiership, or whatever they call it. I don't know.
I don't watch football, but every time they lose a big match, they get kicked out and someone else has to start again. That's the CISO: every time something goes wrong, they get kicked out and there's a new one brought in. And so if you focus purely on the quarterly aspect of it, which, if it's a public company, is maybe the reporting cycle, you can fall prey to that sensationalism: you've got three months, you've got to fix this before we have to report this, and everything goes to hell.
So there is advantage to long-term thinking. I think I understand that there is this cycle internally of quarterly thinking, et cetera; you need to try and find that balance between the two, because you will not fix the new challenges that we're facing today in three months, and you certainly won't fix the 15-year-old problems that we're facing in the next three months.
You have to actually smooth it out, show that you're a steady pair of hands, et cetera. To follow on from your point about how do we avoid the sensationalism of "this is happening here, now and everywhere, how's it affecting us?", there are a couple of things that we should be doing. The first one is taking the opportunity to talk to the boards as an educational opportunity. They don't understand our world, and it's our job to translate for them.
They may think they know as much as we do. You may, if you're very lucky, even have a CSO or an ex-CSO there on the board, but chances are they're financial people, entrepreneurs, et cetera; we need to educate them about what we're doing. We also need to educate them about risk. Human beings are terrible at understanding risk. We jump at shadows because the little lizard part of our brain thinks we're going to be eaten by a leopard; that's a biological thing, you know?
And so we often look at risk and give it entirely the wrong relevance. Babies in the US, for instance: babies kill more people in the US than bears do. And yet we are very happy to cuddle babies. The fact that the babies have access to firearms has got nothing to do with this, but, you know, sharks kill fewer people every year than coconuts. And yet we're quite happy sitting under a coconut tree, laughing at people swimming in shark-infested waters.
Risk is a complicated thing that humans are very bad at understanding. We need to actually ensure that we're talking the same language, measuring in the same way, and that when we talk about something, we actually understand how we are talking about it and how we are actually referring to it. I know we are standing between you and lunch. We're all that's standing between you and lunch, but you've got three very experienced individuals here. Are there any questions in the room? We've thrilled them to death. Yeah. All lunch. Yeah. Yeah.
I suspect that the online audience have already broken for lunch, because it is fairly quiet. Yeah.
I think, with that in mind, then, just quick takeaways from the three of you. We'll start with you. Yeah. I think that what we are seeing our customers being asked by their board is to get visibility into their risk, which includes visibility into the data. So finding out what data is actually stored in the organization is top of mind, in order to understand what is the potential risk of a breach, because breaches are what show up in the newspapers. And in order to get that visibility, a lot of our customers engage in a very intensive data discovery exercise.
The other thing that we've seen that is very interesting is that a lot of our customers have been able to leverage that investment to provide a carrot to the board in the form of value, because that visibility into the data also increases the value, the potential value, of the data. And so risk and value are terms that come hand in hand, right? The higher the value, the higher the risk associated with losing that valuable asset. And so there is definitely an opportunity to show both sides and tie them together.
Your riskiest assets are also the more valuable assets; that ability to discover the risk allows you also to unlock the value of those assets as well. Okay, Tom, and then we'll give the last word to Oliver. Yeah. I would say, in any kind of, you know, ensuring that your governance and risk programs maintain relevance, it's to elevate your conversation around them. Don't just report on the stats or the metrics that come out of it. Don't just report on, you know, hey, we did this, we did that.
We did the other. Make that connection between what you are doing and how that's impacting the business as much as possible. And it's quite difficult, you know, until you actually start to really understand how the business is operating, what it's doing, what the other influences are in there.
You know, we're not special flowers; we're not the only department that's reporting to the board. Understanding how what we deliver interacts with all of the other areas and builds towards the larger organizational goals, then you can start to have really effective conversations. Yeah. The bottom line for me is that it's both a privilege and a responsibility being in that room and talking to them; you need to show that you understand what is important to them and put it in their words.
But at the same time, as Tom said earlier, remember that they hired you and they set up your department for a reason, and show what it is that you are doing to help bring the company forward and to make sure that it stays ahead of the competition and that it actually survives into the next year, two years, ten years, a hundred years, whatever. And that only goes by understanding what it is that the company's purposes are, what is important for the board, and putting it in those terms.
And if you could add a little bit of "this is added value that security can bring that you perhaps didn't think about", then you may be onto a winner. Great advice. Thanks so much, gentlemen, for putting a very sharp focus on this thorny issue and for bringing this morning session to a close. Thank you very much. Thank you.