Security Masterminds

Automating your cyber security program for compliance and reducing risk with special guest Stas Bojoukha

April 11, 2023 Security Masterminds Season 2 Episode 4

Check us out on our new LinkedIn Page!  - https://www.linkedin.com/company/security-masterminds-podcast/

Are you tired of the same old ineffective methods for GRC optimization and AI integration for cybersecurity? Do you feel like no matter what you do, you can't seem to get the results you need? Come join us in this episode to learn the latest and greatest techniques for enhancing your GRC processes and AI integration for cybersecurity success.

Stas Bojoukha is a cybersecurity expert with over 20 years of experience in the industry. He has a deep passion for automation and making security consumable for everyone. Stas began his career as a computer technician, later progressing through various roles such as systems engineer, infrastructure engineer, and chief security officer. His diverse background has allowed him to gain valuable insights into a wide range of IT disciplines. Today, Stas is the CEO and founder of Compyl, an information security and compliance automation platform designed to streamline processes and improve efficiency in managing compliance requirements.

The resources mentioned in this episode are:

  • Look into Stas Bojoukha's company, Compyl, an information security and compliance automation platform that helps organizations automate their cybersecurity programs and reduce risk.
  • Prioritize making security and compliance understandable for non-technical staff members, as this will help improve overall security awareness and adherence to policies.
  • Remember that compliance does not necessarily guarantee security; focus on implementing security measures that go beyond compliance requirements to ensure a more robust security posture.

Connect with us:

Website: securitymasterminds.buzzsprout.com

This show's sound is edited by ProPodcastSolutions -https://propodcastsolutions.com/
Show Notes created with Capsho - www.capsho.com

Stas Bojoukha:

We're gonna start seeing script kiddies getting a little bit more sophisticated than they have before, now that they completely don't need to code, and a lot more reverse engineering happening of code as well. My name is Stas Bojoukha. I'm the CEO and founder of a company called Compyl.

Announcer:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.

Erich Kron:

Artificial intelligence and cybersecurity are two of the most daunting aspects of modern technology from data analysis to automated decision making. Organizations that utilize AI-driven technologies must ensure their security protocols are up to date in order to protect against malicious actors and data breaches.

Jelle Wieringa:

Stas Bojoukha is a cybersecurity expert with over 20 years of experience who is passionate about automation and making security consumable for everyone. After working for large organizations, he founded Compyl, an information security and compliance automation platform.

Announcer:

This is episode 17, automating your cyber security program for compliance and reducing risk, with our special guest, Stas Bojoukha.

Stas Bojoukha:

Hi there and welcome back.

Jelle Wieringa:

Today we have an awesome episode and we're gonna talk to the CEO and founder of Compyl, Stas Bojoukha. Hey Erich, how are you?

Erich Kron:

I'm doing great, really looking forward to this.

Jelle Wieringa:

Actually, it was a really good interview that we did with him, so let's kick it off. The first question we put forth to him was whether he could describe his cybersecurity origin story.

Stas Bojoukha:

I was just naturally curious about computers. I think I got my first computer when I was six and I was actually curious to see how it worked. And I remember the first thing they had on it was like SimCity 2000, and just being able to play around with that and then just trying to understand how it all kind of pieced together from there. Word spread. I'm sure other people have had similar experiences, but I became like the computer person to go to whenever anyone had any computer problems. So I was just being called in left, right and center to look at this, to help with that. I ended up going to a technical high school. It was a while ago now, but the technical high school still had the printing process stuff and they had graphic design, but they also had computer technicians, and it was still early days of networking and system administration and all that. But what ended up happening for me was I got in there, I ended up fixing a whole bunch of stuff on the network because at that point I think I was thirteen, fourteen and I had quite a bit of experience already just tinkering around with stuff at home. And by the 10th grade I was actually working for the high school, setting up their networks and helping them administer their network. I learned a lot, learned how to secure the networks, how to get central reporting going. This was Windows 2000 at this point, but it was still a really good learning. From there, I went and pursued information security. I did a degree. It's questionable now whether you need a degree or not. I still think there's a lot to be said about learning the fundamentals of how everything pieces together, all the way from the bits up to high level coding languages. But there's a massive skills shortage in this space, so it's not for everybody.
But from there, I did the traditional path, but I started on the help desk and then moved up to a systems engineer and then infrastructure engineer and then security officer, manager, CISO.

Jelle Wieringa:

So, like many of us in cybersecurity, we kind of ended up in this role.

Erich Kron:

Yep. There's a lot of similarities throughout our different guests that we've spoken to, but there's also a lot of differences where they came from. I'd say this is more of a traditional type of evolution into security from back in the days when IT was everything. But now everything's split off into such niches. It's an interesting time, but I think this is more of a traditional run up to these types of roles.

Jelle Wieringa:

Well, Stas is a typical entrepreneur. He learned this craft in the trenches, being a cyber security expert and practitioner. We asked Stas if he had some lessons that he's learned from starting out in the help desk role.

Stas Bojoukha:

There's a lot to learn. I think even just getting that initial position is quite difficult, especially if you don't have a degree or a bootcamp or an A+ or Security+ or something like that. But I think for me, it's how to do things properly, right? If the organization that you're going into is quite robust already, so if they already have policies, standards and procedures, and they follow those, then that's a really good learning experience of how to do things correctly. Also, just simple things like how do SLAs work? How do you adhere to those? What good looks like? How to report up and interact with other parts of the business. So if we're taking a SOC analyst position, right, depending on the size of the organization, that can actually have quite a large reach in terms of, if you're seeing certain things on the network, you might actually have to reach out to end users, like a stock analyst who will not know what you're talking about when you're telling them that you're seeing something weird on their device. And the same thing with the help desk side, right? The help desk interacts with a good portion of the business, most of which does not care what IT is doing as long as their machines are working properly and they can continue on with their day jobs. So the coordinating, the scheduling, being organized, learning the technical skills to be able to support that organization, I think is all really key. I also think even through high school and university, I was also working other jobs as well. So I worked at Starbucks for a while. I worked for a retail company for a while. These are all the soft skills.
If I didn't have them now, I think it would be much harder to get to where I've gotten without having those, because having the ability to actually interact with people and get to their level in the sense of understanding what their priorities are and what their requirements are, and talking to them without the gibberish, is super valuable.

Jelle Wieringa:

So showing empathy for their priorities. I like that one. He really understands that it's not all about understanding cybersecurity or knowing how to do things properly. It's also about the people aspect.

Erich Kron:

Yeah. And you know, I did frontline support for Windows 95 for Microsoft for a while in my younger years. And I gotta tell you, it was a very good experience. I did learn a lot of the things he's talking about here, especially the skills of dealing with somebody who's in a near panic. I always got those kinds of calls. Either they were upset or they needed something fixed immediately. It's always a matter of critical issues there. And so you learn a lot. And the fact that there are SLAs and how that stuff works, and kind of just how things work through an escalation process and building out those things. Help desk roles can actually be very, very good starters. I have to agree with that.

Jelle Wieringa:

So Stas, being the CEO and founder of Compyl, which they, on their website, call an all-in-one information security and compliance tool. We wanted to know where he actually got the idea for Compyl from, how did it come about?

Stas Bojoukha:

It's a play on words, so compiling data, compliance, but we're an information security automation platform that you get compliance through as part of maturing your information security program. We've been around for three years, 20 plus employees, in New York. And so my whole thing is automation. I don't like to do the same thing twice. I was always saying if I have to do something more than five times, I'll just automate it. And this is where Compyl came from. My background, again, information security, but specifically in financial services. So financial services was a good space to start off. Even though I didn't really know what financial services was when I did start off there, but the reason why I say that is it's very heavily compliance focused, right? And therefore security focused. You needed to have security in place in order to get compliance, which was basically, we just separate the front office, middle office, and back office. Traders can't close their own trades. And at that point, I didn't know what any of this stuff was, but essentially you can't mark your own homework. A lot of this stuff was super manual. This was a while ago as well, so probably like 18 years ago that I really got into the financial services space and really just thinking how to automate a lot of the processes. So one of the requirements was, hey, we need to make sure that anyone in this trading system is permissioned correctly, that they have access to the right books, the right trades, blah, blah, blah. But they don't have access to any of the back office support stuff, HR stuff.
And what I did is it basically pulled in data from different sources, either being CSV files at the very beginning and Excel files, and then eventually working through APIs, and pulling all this data into a single location and then getting it presented in a way, again, for people that are not technical to understand what it is they're looking at. Because one of the biggest things, even today with user entitlement reviews, is people don't know what they're looking at. So this is where the initial concept came from: pulling it all together, making it very easy for users to interact with the data and being able to understand what it is they're looking at. It grew from there. So I did this at multiple organizations, to the point where we needed to do annual policy reviews. We needed to make sure that pen tests were taking place. We needed to make sure that risks were going out and being updated, and we needed to make sure that vendor management was going out, monthly reporting was going out, quarterly reporting, annual reporting, all of the stuff that usually was done on an Excel sheet, and everyone would be running around like headless chickens at the end of the month being like, what is that? What is this metric? And where do I get this metric? And who got it? And why does it not add up this time? And why do the trending lines look all weird? We just took care of all of that because everything goes through a central platform. Everything's tied into one platform, integrated through APIs or webhooks or whatever it is, and then very, very advanced exporting and reporting on top of that. So we can literally trend any data to tell the story within the Compyl platform. And auditors come in, here's an audit for FCC, FCA, SEC, whatever regulations that organization needs to follow. Here it is, all clearly catalogued, documented. The CEO wants to see how much money they spent on Azure over the past five years. No problem. There you go.
HR wants to see how many people have been fired and hired in a certain department. No problem. Here you go. It's really becoming more of an analytics data engine and an automation engine than even a security and compliance platform. But that's the original story: basically, automate it so I don't have to do it. And generally, every 18 months I'd switch jobs because I'd automate my job.

Jelle Wieringa:

So there's two things that stand out here for me. First of all, I love the fact that he focuses his business on making security and compliance understandable. And the second thing is that he says that if a business is compliance focused, it is thus also security focused. And that doesn't necessarily have to be the case, I think.

Erich Kron:

No, I agree. And one of the things that really stands out to me here is the focus on automation. Because we have a shortage of qualified individuals in this industry, and if we do everything manually, it just doesn't work well. Automation is such a key part of dealing with that deficit until we can get people trained up and get experience and all that kind of good stuff. That to me is the part that really stands out here. And frankly, compliance is such a challenge. It can be so much work just trying to keep track of all the evidence, you know, and all of that stuff when you're audited. I love the idea. Any way that we can automate that kind of stuff, I think it's great. Now, I do think that compliance can drive some security, but I don't always believe that it's a one-to-one sort of ratio. But I do think that sometimes compliance takes the first chair, if you will, because of all of the potential for being fined. And so the focus just becomes on, yes, we did this thing, but not necessarily on the security side of things, just because of the compliance and regulatory fines that can happen with that.

Jelle Wieringa:

Basically, compliance makes the need for security tangible because of the fines. So one of the questions we asked Stas, being the expert in this field, because he's actually building a business right now, was if he had any tips on how to start your own cyber security business.

Stas Bojoukha:

So my whole thing is if you've got a good idea, you should test it out and see if it works. We bootstrapped the company for the first year and a half until we got some momentum, but that really just pushed us to experiment and try things out, and not everyone has that luxury. But first market advantage, I think, is a big one. I wish I knew this then. We didn't push out this product until it was really complete and really enterprise grade. So right now we're dealing with customers which have much larger check sizes than some of our competitors that came out because they're offering a substandard product, which I can't actually believe any auditor would ever take seriously. But that's a different matter. So my advice would be, this has worked for others: if you've got an idea, first market move or first market advantage, I think it is definitely important. And I think also if you don't have the skillset, so like with me, I think I'm a type A, I just wanna do everything myself. I wanna do everything from pushing out the invoice to writing the code, to making sure that the customers are happy with their demo environments, whatever it is. And that's just not sustainable and you'll run yourself ragged. So that would be another piece of advice: I'm an engineer, I'm not a developer, which I had to learn the hard way. Yeah, if you've got a good idea and it's proven to work, get it out there as fast as you can, and hire people that are experts in their space and they can help you build a product and get it into market as quickly as possible.

Jelle Wieringa:

So one thing I really recognize is hire great people. Don't do everything yourself. That is, I think, the most important piece of advice I've heard from all of the founders that I've spoken to throughout my career. And the second one is be first to market. Get your MVP, your minimum viable product, out as quickly as possible, and start testing it out, because the audience, your market, will let you know whether or not it's any good. And if it isn't, you can pivot. Something that if you keep it in house, you will never be able to do, simply because you don't know what people are thinking about it.

Erich Kron:

Yeah. I think it's important to keep an open mind too when you do get feedback from people, and maybe adjust as needed for that. Because sometimes people get a hold of something and it's very much, this is my baby and now you're calling my baby ugly. Right? As opposed to saying, hey, you know what? I thought that this was a way to go. I'm hearing that this may be a slightly different direction that we can make a difference with, and people need to listen to that. It also takes a special kind of person to be an entrepreneur. Your mindset has to be there. He mentioned bootstrapping things. There's a lot of time and your own energy and finances and things like that that are gonna take a hit if you're starting your own thing. So it's not for everybody. But I do agree. I mean, the sooner you can get out there with a cool product or a new way of doing things, the better you're gonna be.

Jelle Wieringa:

We wanted to see in what ways Stas thought that the role of CISO actually impacts security culture. He's been doing it for a while, so he has a lot of experience in this field. This is what he said.

Stas Bojoukha:

I think a lot of this does come down to the culture of the organization. If they're hiring a CISO, then that means they're starting to take things pretty seriously. But again, this is going back to explaining to organizations why you're doing things. Nobody likes policies, right? But you have to have them, and getting those pushed out and reviewed and then followed is easier said than done. But it needs to be done. Things like that need to be explained, right? We're not just pushing out policy for the sake of policy. We're not trying to restrict the IT teams. We're just trying to make everyone's lives easier. 'Cause here's the policy; if you follow it, then we have clear metrics to work against and it becomes a lot easier. It's the same thing with driving that forward, even when you're rolling out new awareness training or phishing training. You're gonna get all this pushback being like, "we don't need to do this, we've never been phished and our click rates are super low," and that's fine if you guys haven't, but other people in other departments have. Again, explaining to them: this is still the number one way into an organization. This is still a requirement from our insurance providers. This is a requirement from our customers. We have to do this and we have to adhere to it. And we're not trying to make your lives harder. We're trying to make your lives actually easier and streamline a lot of these processes. I think explaining to organizations and to people why you're doing certain things and why you're implementing certain processes and standards can go a really long way. I know there's this debate about the CISO can't report into the CTO, can't report into the CEO, should go into the Chief Revenue Officer, should go into whatever. Right. And I know this debate is ongoing, probably will be forever. But it's about a reasonable level of security.
If the business can't make money, then you're not gonna have a job. You just need to make sure that it does it in the most secure possible way. And my experience has been, even with developers, and again, same point, developers specifically, if you can explain to them why we need to implement static code analysis or we need to implement vulnerability management across the code base, most of the time they're actually pretty receptive to it, or they'll bring up questions, allowing you to build that bond with them. Basically: hey, this is to help you guys not do anything out of line. Or if you're worried about something, tell me about it. I will put it on a risk register. I'll give it to the right people and you'll get a decision back. So you'll get two things out of that, right? One, you would've notified the organization that you're not comfortable with something, and two, you might've saved yourself a bunch of work, because if it doesn't actually get approved or it gets rejected or sent back, then you know you're potentially off the hook. So building those relationships I think is really valuable, and it's all about a reasonable level of security because nothing is a hundred percent secure. And the amount of times where I've met CISOs and CTOs that are not technical, they might be very personable, but if they don't understand what it is they're implementing or they don't know the impacts of it, it could be disastrous for organizations. I think this is why CISOs tend to only last 18 months in an organization, specifically for this reason.

Jelle Wieringa:

I really do like the fact that he's talking about there's no 100% security, right? Basically he says there isn't a hundred percent security. It's all about risk acceptance. And to do that, to get that going, you need to make sure that people understand why you're doing it, what value you should bring to the organization. You have policies in place that actually help as directives to those people, guidelines basically, which I still feel is the way you should use policies. In the end, you're building those relationships, and that is what Stas is explaining here. I like his approach. It's a very human approach combined with just the facts about security, the facts that you can't change, you just need to accept.

Erich Kron:

I've always kind of felt that, you know, the CISO is that bridge between the technical sides and the leadership, and they need to be able to understand better than some of the highly technical people what the risk is, and even why leadership may want to accept risk that somebody down in the trenches may be going, that's the craziest thing I've ever heard. But they don't understand the whole picture.

Jelle Wieringa:

So CISOs, with their job being as it is and all the risk they run and all the hardship that they have, we need to encourage more people that actually want to become a CISO. And we wanted to know from Stas what advice he had for technical people that are trying to bridge the gap and actually want to become a CISO.

Stas Bojoukha:

I think my background's a bit unique in this, but I think there's lots of opportunity for technical folk to be able to get a little bit more assimilated with the business side of their organization. I think there's definitely been times where I've been asked to create a deck or talk about something of relevance in a town hall, or asked for input for the CTO because he's gonna be presenting something to the board. If the goal is to become a CISO and the goal is to become more social and understand the business side, I think there's definitely opportunity in most organizations to do that. I think the first thing would be to talk with your boss and just tell 'em that you're interested in doing something like this and see if there's any room for even going into a different department for a little while and seeing how things are done there. I've seen that happen in multiple organizations where IT has gone into compliance or IT has gone into HR to understand their processes. And the reason that they're doing that is they want people to, one, transfer skills, but also to understand how different parts of the business operate, and then, once they've established those relationships, to be able to help them from an IT perspective or an HR perspective, or streamline the organization. I think the soft skills take a bit of time to learn, especially how to interact with the C-suite and the executives. I think that there is an art to that. I think it's being prepared and growing your confidence and being able to talk to them, and it just takes a bit of time. But if that's the way that you want to go, I would start with talking to your supervisor and seeing if there's any opportunities there. But this all comes with time, right?
And the nervousness that you first get when you have to put together your first board deck and get grilled on subjects that you don't particularly know about yet, or that you're not an expert in, but it comes with time.

Jelle Wieringa:

Basically, he's telling us not to rush it. He's telling us to slowly learn the art of understanding and learning to work with the C-suite and the organization. Now I think that's really cool. But to be honest, a lot of technical folks out there aren't well known for their patience, are they?

Erich Kron:

Yeah, that may be true. But the other thing I think we're kind of hearing here too is that there's gonna be a gap: a lot of times people don't necessarily have those business skills. You know, putting together that first board presentation is a little unnerving. It's also very helpful for people to look at business books or listen to business-based podcasts, and not try to necessarily understand it all at once, but to start becoming familiar with the terminology, the thought process, how these things happen in a business setting, which will then help you be able to speak that language. Remember, I'm big on the fact that I think a CISO is a translator between the tech and the business. So if you're trying to get in that role and bridge that gap, you need to know how they talk in that C-suite.

Jelle Wieringa:

One of the things that Stas was talking about is how they use APIs and how they're automating things. When he talks about that stuff, I automatically go towards AI and what that means for his business, and what that means for cybersecurity in general, and how organizations should protect themselves from the threat it will pose in the future.

Stas Bojoukha:

I always said we do have plans to implement ML and then AI. I think hedge funds have utilized AI for a long period of time now and I think that's working out really well, 'cause if you look at their returns, they're doing quite well. But all of the other stuff that I've seen where people are just AI this, or AI that, it was never AI. It was logical rule sets for almost all of it. But I think with ChatGPT, that is quite game changing. I don't think we know the implications of this yet, but I think the industry is definitely gonna evolve pretty quickly from this. We're gonna start seeing a lot more script kiddies getting a little bit more sophisticated than they have before, now that they completely don't need to code. And a lot more reverse engineering happening of code as well, to be able to give them insights as to what's happening within organizations and the code that they run. And also just even from the logical perspective, just giving some of these bad actors ideas, because I've been using it for idea generation for sure. It's super useful to get the juices flowing. So in terms of what organizations can do to protect themselves, apart from looking out for more sophisticated phishing and sophisticated malware and spear phishing, I think we just gotta keep at what we're doing now and just keep educating the user base and investing in technology that's interconnected and centrally reported, and I think we should be okay for the near-term future. I was at a conference in October with government officials from the US and Canada and the UK and Italy and a few others, and they were literally trying to draft regulation for AI, AI bills across the world, and literally they're like, what should we put in them? I don't know yet. 'Cause nobody knows what this looks like yet.
And now it's a little bit clearer because of what ChatGPT has done. It's allowed people to actually see, in very layman's terms, a practical way to actually ask a question. So I think it's become a lot more tangible. Where it actually goes, I think we're gonna start seeing people interacting with it in ways that we didn't think about: taking existing malware, even if it's taking something out of Metasploit, and then putting it into sequences that we never intended and trying it out through different attack vectors. And I think that's what will probably be the first couple of things that we'll start seeing.

Jelle Wieringa:

So I really do like his idea of basically scenario planning, scenario building, and leveraging AI to run through scenarios that you can't figure out yourself.

Erich Kron:

Yeah. It's gonna be very interesting to see what happens here. If you look at some of the interesting things that are being done with AI, such as deepfakes, to me it's really fascinating to see how that's done and then to be paired with a GAN, or generative adversarial network, where essentially you create a deepfake using AI and then you put it in front of an AI to see if it can identify that it's a deepfake. And if it can, then you go back and you make some changes and then you put it in front of that again. You know, using tools like that is pretty brilliant. And he mentioned doing things that it wasn't really designed to do, and that's almost the definition of hacking. It's taking something and making it do something it wasn't originally designed for. That's what hacking is. So we are going to be hacking, but we're gonna be doing it in a different way, perhaps. Yeah, maybe the kids don't need to write all the code these days, but we're gonna see some pretty amazing stuff that it's gonna do that we just kind of go, wow, I had never even considered using it for that.

Jelle Wieringa:

AI opens up a possibility for people without a lot of technical expertise who are creative enough to think about the application: what do I want out of it? And AI takes care of the rest of it. And that's what you're seeing with deepfakes and generative AI in general. The images that are created through AI are really cool now. Creating a video, creating a photo that's lifelike is cool already. Think about new forms of art, think about new forms of music and sound. That's really where AI can shine. Another aspect is frameworks. Frameworks and security go hand in hand. So we wanted to see in what way these frameworks can actually help us to introduce things like transparency or some integrity and ethics to watch AI, 'cause that is something where AI is usually lacking a lot.

Stas Bojoukha:

This was literally the point I touched on about a conference in October where it was regulation for exactly this, like ethics and morals and integrity about AI and how to use it. 'Cause obviously if you unleash it onto personal data, it's gonna come back with a whole lot of insights, right? About: this person took off these dates and they happen to be on a Monday and a Friday, and Monday and Friday tend to be more for people skipping outta work, and therefore this person is not a great employee and this person is. And then you mix it up with phishing data and then all of a sudden this person also has been phished multiple times. They also have admin rights on this box and they don't come into work very often and they've logged in from these weird locations. So therefore it's a high risk and potentially termination. This is where this stuff leads. An example that I used was the Cambridge Analytica scandal, right? The fact that somebody took Facebook data in 90 data points. Within those 90 data points, they were able to determine exactly how and what needed to be presented to the end user in order for them to vote in a certain way or do something in a certain way. And it totally worked, right? And then it was duplicated again for various other elections and things like that. Using something like that in a way that was never intended is what we need to worry about with AI, because that's exactly what's gonna happen.

Jelle Wieringa:

I think that AI is currently in a state where it's like the Wild West, right? In the beginning of the Wild West, we were doing things. We didn't have many rules yet, but along the way came rules and regulations, came new laws, and that's where we are with AI today. So things like Cambridge Analytica are bound to happen and we learn from those. It is: what lessons do we take from this, and how do we apply those lessons to build new legislation, new laws, new ethics and get morals into the codes of AI?

Erich Kron:

Yeah, I think frameworks are very important, but I think they also, especially in emerging fields or technologies such as this, need to be a little bit flexible or able to be changed on a regular basis. Things are changing. We are gonna see things morphing. We're gonna see people using it in new and exciting, sometimes not great ways. And I think that while frameworks, again, are a great way to start, they do have to be somewhat flexible, especially in the beginning.

Jelle Wieringa:

So given that Stas and his organization are all about GRC, we wanted to know: what are the newest trends in governance, risk and compliance?

Stas Bojoukha:

You'd think that there would be quite a lot of new innovation in the space? There really isn't. The traditional GRC platforms are all still there. Everyone's still using them. Everyone hates using them. They're clunky, they're old. They're hard to get people to input data into because they're slow. If I could automate everything, I certainly would. Risks to an organization are risks. You can't really automate those; those need to be plotted down. They need to be evaluated. And then an action plan needs to be put in place. So you can certainly automate, once the risk is actually in place, the chasing and the following up, and then the reporting. You can obviously do that, but actually getting the risks inputted into the GRC platform is still a manual process, unfortunately, but making that as simple as possible. I think things like integrations are becoming a really key focus for us. Again, this is going to the automation piece of this as well. We don't need to ask a systems engineer to give us a screenshot of the Active Directory group policies; there's no need for that. This is 2023. We can pull all that stuff out. One of the main gripes when being a CISO and working for larger organizations is never understanding what anyone had access to, or HR, if they wanted to know if somebody was terminated on a certain date, they'd have to put in a ticket, then somebody would have to go and check it, and all of that stuff just took forever and it was just a great waste of time. So with us, HR can go, they have access and query the data out of Active Directory, query the data out of AWS, query the data out of wherever and actually get the data that they need. It's all read only, but they can put reports over top of that as well. Just the efficiency gains on doing stuff like that I think is really important for GRC platforms as well. I think another thing is having everything in a single location.
GRCs are messy. Depending on the functionalities that they have, if they're running vendor assessments and risk assessments, contract management and IT assets, all of that stuff is there and it's all super manual and it's hard to maintain. And then on top of that, you have interactions going on in Teams, Slack, and having all of that in one place, being able to tag people and ask 'em the questions, kinda like you do with Google Drive, I think just makes it a little bit more coherent in the GRC, and then all the evidence is there as well. And then finally, slightly off the GRC spec, but if you get audited or you have to show adherence to a regulation or whatever, being able to export that data out into a format that's easily accessible by anyone including an auditor, I think is really valuable. Instead of: we know we did all this stuff, but now we have to go and unpick all of it. We have to download it, we have to put it in folders. We then have to share it. We then have to explain it. Being able to do that all seamlessly I think is a good step forward in GRC platforms. It's all about perception and confidence. If you run a tight ship and you can show this to them as soon as they come in, they completely get off your back because there's a sense of calm and a sense of confidence in the organization and in the person helping them.

Jelle Wieringa:

So I like the run-a-tight-ship thing. It's all about showing that you're in control and I think that's one of the benefits actually of GRC. Include integrations into that, and integrations help a lot from the technical front and ease the amount of work and input you have to do. But integrations also facilitate that people, well, they can't make mistakes anymore, or in the worst case scenario, lie about the state of things, right? You're just pulling in data. It's easy to lie about things, but data doesn't lie. So it's also a bit of a quality assurance there.

Erich Kron:

Yeah. I've lived on both sides of the aisle when it comes to GRC stuff. And I can say this, he mentioned that if I come in and I'm auditing somebody and they have their ducks in a row, they have their stuff together, and they give me a packet that says, here you go. Boom, boom, boom, boom, boom. Here's all the things you're gonna need. It automatically, just as a person, instills confidence in their processes. If they're running around trying to piece all this stuff together, I'm automatically gonna be less confident that they're doing what they're doing and maybe a little bit more critical in my questions.

Jelle Wieringa:

So now we go to a segment that I really adore, because I am a great believer in learning from the mistakes of others, because then I don't have to make that mistake on my own.

Stas Bojoukha:

This for me always comes down to not trusting your gut. Most of the failures that I've had have just been not trusting my gut or not reaching out, asking for help when I need it. I'll give you a perfect example of this. We were setting up the sales and marketing side for Compyl, and I was like, oh, how hard could this be? Marketing, sales, right? And we gave it a shot on our own without hiring or bringing in experts in the space, right? And all that ended up happening is we ended up just spending nine months spinning our wheels and we ended up having to hire an entire sales and marketing side as well, because things are difficult. Things cost what they cost, so you get what you paid for. I think there's something very true to that as well. But in terms of failures, I would say it's knowing when the right time is to reach out to people and ask for that help.

Jelle Wieringa:

That is great advice actually. And it's not just for the entrepreneurs out there. It's also for people in their personal lives: people should reach out more to other people. If those other people are the experts, don't try to figure it out yourself, because in the end you might be able to, but it will cost you too much time. So we've been talking a lot about AI, Stas. We've been talking a lot about GRC, and I think that he has a very good view of where our industry is heading. So we asked him if he could share where cybersecurity is heading over the next 10 years, and especially focus on the AI approach, since that's what we've been talking about.

Stas Bojoukha:

I literally have written a bunch of articles on this just recently. The threat actors are not going anywhere, right? It's a very lucrative business, but I think we're gonna see a lot more automation as time progresses over the next 10 years. I think a lot of the day-to-day stuff that we're doing now, like a lot of the SOC analyst work, is gonna die down a bit. There'll obviously be people that look at the results, but I think AI is a perfect place for that to be handled. I think any type of anomaly detection is probably gonna be going that way. I don't know if we're gonna see that much of a rise in new people coming into the field. The shortage isn't getting any smaller and it doesn't seem like there's any more of a drive in the security space than there is in the engineering or computer science space. So, I think we're gonna have to deal with a lot of this stuff by utilizing new technology and streamlining a lot of the day-to-day processes that organizations have.

Jelle Wieringa:

So, especially his comment on the skill gap, I find that interesting because I'm of the same mindset. I don't think the skill gap, the shortage of staff, will go away. It's simply like math: there's not enough people coming into the field to fill that gap. So we need to make sure that we automate, that we optimize everything. AI can really help in that. And an example he gave is anomaly detection through AI. It can do it quicker, better. So those are all good things. But we also need to make sure that even as we turn to AI, we don't lose touch with us being human. We don't lose touch with emotions. We don't lose touch with the communication side of business.

Erich Kron:

Yeah, I think it's an interesting point about the way that things are working, where they're going with this, and honestly, how often is it that we see that people focus so much on the technology piece and forget about the human side of things as well? I think AI is gonna be good, again, for automating, and I love that he kind of, you know, vindicated what I said earlier about anomaly detection and seeing those changes, those outliers in large amounts of data. I agree. I think that's very, very important. But we absolutely can't rely too much on technology. We see that fail organizations over and over again. So this isn't just the silver bullet that's gonna fix everything. I think that's what we have to keep our minds on, is that this is not going to solve everything.

Jelle Wieringa:

Well, on that note, we would like to thank everybody for listening to yet another episode of Security Masterminds. It was a pleasure to talk to Stas about everything concerning GRC, AI and his thoughts on cybersecurity today. I think he's a really knowledgeable guy.

Erich Kron:

I would agree with that completely. I think that GRC's not going away. It's going to be there, it's gonna be something we are gonna continue to have to tackle, and it's only going to get more and more prescriptive and cover more and more things as we move forward.

Jelle Wieringa:

So with that, we want to say goodbye to everybody, and tune in for the next episode. Say goodbye, Erich.

Erich Kron:

Goodbye, Erich.

Announcer:

Coming up on our next episode of Security Masterminds.

Stas Bojoukha:

Well, I am a big proponent of the power of the voice, and there is some science on it. It is a burgeoning area of neuroscience, but there is a fair amount of research, and I think there will be more, about the way that audio mainlines straight into the brain and is remembered in a way that is different from data that is consumed in other formats.

Announcer:

You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit Knowbe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Introduction
Cybersecurity Origin Story
Help Desk Role Lessons
Compyl Origins
Cybersecurity Startup Tips
CISO Impacts on Culture
CISO Bridge Gap for Technical People
Cybersecurity and AI
Frameworks and AI
GRC Trends
Greatest Mistake
Cybersecurity Threats in 10 Years
Wrap-up