The 10 Most Trusted Risk Management Solution Providers 2019
Vol 10| Issue 05| 2019
EDGILE Modern Approach towards Protecting Enterprises
Don Elledge CEO
Editor’s Desk
Building a Culture of Risk Management Solution Providers
“Ensuring Enterprises know their Risks, and easily Detect and Locate them with Risk Management Providers”.
Risk is intrinsic to every business, and managing risk is an increasingly important business driver. Risk concerns have always been among the most important aspects of the world of business. Be it the Information Technology or the Healthcare industry, enterprises today are on the cusp of a risk crisis. Today, companies have to deal with multiple forms of digital change simultaneously: mostly increasing cloud adoption, but also increasingly mobile, IoT, robotic process automation, and advanced AI efforts. With each passing day, attacks on the unsecured digital world are on the rise, driving up risks in every industry sector around the globe. Partners, employees, and customers increasingly communicate through digital media, which creates more risk and jeopardizes compliance. Gartner predicts that, by 2020, there will be more than 20 billion internet-connected devices in use, with the Internet of Things (IoT) connecting everything from jet engines and commercial vehicles to manufacturing and office equipment, personal cars and consumer electronics.
Educating enterprises about risks and security is one of the biggest challenges. Most companies see the productivity gains that can come from technology and jump in, but they don't always understand the risks. Or, even if they do, they don't understand the urgency. Protecting private and corporate customers from such risks is a major challenge for all companies. What are the best ways to reduce risk? This is where Risk Management Solution experts come in, providing a full range of fraud prevention services to help you effectively manage ongoing threats. They are here to help. And that is why enterprises today critically need trusted risk and compliance partners to manage digital risk.
What’s unique about Risk Management Solution Providers? They advise customers on business and technology challenges in risk management and fraud prevention. They provide real-time visibility, identifying all devices on the network. Such organizations identify, analyze, and evaluate the risks that may impact your business. From global consumer retailers to regional manufacturing companies, the need to strengthen compliance management programs and develop a strong risk culture is paramount. That is the reason Insights Success introduces “The 10 Most Trusted Risk Management Solution Providers, 2019”, featuring companies that help enterprises navigate a constantly changing global risk management landscape.
Featured in the Cover Story is Edgile, a leader in building IRM/GRC programs for highly regulated companies, both large and small. A big advantage of the company's approach is that it allows environments to be tailored to the enterprise's needs while avoiding true customization that can create problems down the road. For almost two decades, Edgile has helped Fortune 500 companies deal with risk and compliance issues by tackling the intersection of the four areas where enterprise GRC efforts generally fail. Also, make sure to scroll through the articles written by our in-house editorial team and the CXO standpoints of some of the leading industry experts to gain a brief knowledge of the sector.
Kaustav Roy
ARTICLES
Cover Story (08): Edgile: Modern Approach towards Protecting Enterprises
CFM Partners (18): Strategic Technology for Modern Compliance Professionals
Industry Trends (20): Key POS Trends Reshaping the Retail Sector
Expert’s Thoughts (24): What GDPR Forgets: The Physical Security
Corlytics (28): Empowering Clients to Make Informed Choices
Great Bay Software: Closing the IoT Security Gap
Matrix-IFS: The Modern Day Crime Fighters. Protecting Financial Institutions from Hackers, Fraudsters & Money Launderers.
Editor’s Pick: Data Center Security: Controlling Possible Threats
Industry Intel: Interpreting Risks
Allowing Regulated Entities to Connect and Structure their Data
Minimizing the Adverse Effects of Risks
Editor-in-Chief: Pooja M. Bansal
Managing Editor: Anish Miller
Executive Editor: Rohit Chaturvedi
Assistant Editors: Jenny Fernandes, Hitesh Dhamani
Visualizer: David King
Art & Design Director: Amol Kamble
Associate Designer: Kushagra Gupta
Co-designer: Karan Gaikwad
Senior Sales Manager: Kshitij S
Business Development Manager: Philip Walker
Marketing Manager: John Matthew
Sales Executives: David, Kevin, Andy, Maneesh
Business Development Executives: Steve, Joe, Alan, Anup
Technical Head: Jacob Smile
Technical Specialist: Aditya
Digital Marketing Manager: Marry D'Souza
SME-SMO Executive: Prashant Chevale
Research Analyst: Frank Adams
Database Management: Stella Andrew
Circulation Manager: Robert Brown
Technology Consultant: David Stokes
sales@insightssuccess.com October, 2019
Copyright © 2019 Insights Success, All rights reserved. The content and images used in this magazine should not be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission from Insights Success. Reprint rights remain solely with Insights Success.
Don Elledge, CEO
COVER STORY
Edgile: Modern Approach towards Protecting Enterprises
“Building a culture of quality and devotion to service within a challenging, rewarding and exciting work environment.”
“We secure the modern enterprise.”
Fortune 500 enterprises today are engulfed in a tidal wave of digital changes, which in turn creates hurdles for IT, legal, privacy, compliance, information security, and the business. Even worse, these companies are having to deal with multiple forms of digital change simultaneously: mostly increasing cloud adoption, but also increasingly mobile, IoT, robotic process automation, and advanced AI efforts. Employees, partners, and customers are increasingly trying to communicate digitally, which would be a wonderful advancement were it not for those pesky GRC efforts. By its very definition, digital transformation creates more risk and jeopardizes compliance. That is why enterprises today critically need trusted risk and compliance partners to manage the digital risk.
But compliance is hardly a static situation. It is a mix of often contradictory, and constantly changing, rules from state, federal, global and industry-specific compliance and regulatory requirements, including PCI, SOX, NIST, NY DFS, FFIEC, HIPAA and a myriad of state privacy mandates. That’s where Edgile comes in.
Edgile is a leader in building IRM/GRC programs for highly regulated companies, both large and small. A big advantage of the company’s approach is that it allows environments to be tailored to the enterprise’s needs while avoiding true customization that can create problems down the road. For almost two decades, Edgile has helped Fortune 500 companies deal with risk and compliance issues by tackling the intersection of the four areas where enterprise GRC efforts generally fail. These areas consist of the constantly changing global compliance landscape; the evolving threat and technology landscape; mismatches in roles and responsibilities between the enterprise and its vendors (e.g., SaaS, IaaS) and the related nuances of cloud security compliance; and the almost limitless configuration and related product options being offered by the major GRC vendors.
An Organization of GRC Implications
Enterprises today face an avalanche of GRC choices. How to migrate to an earlier platform? What configuration choices make the best sense for that company, given its size, geography and vertical? What are the GRC implications as the enterprise moves more and more deeply into the cloud? For that matter, those answers change depending on which cloud provider is being leveraged. What GRC tool to implement? Which implementation partner? Then there are the complexities that come with every business unit sale and especially every acquisition, with new software licenses and homegrown legacy apps forced into the enterprise technology equation.
“Edgile offers proven services to help solve complex security challenges across many industries including healthcare, financial services, energy, retail, et al.”
The experienced Edgile team members have an average of more than ten years of experience in a wide range of GRC programs, from functional to technical engineering. This is rare and difficult to find because other companies tend to focus on just one of these areas, such as solely dealing with security or just compliance. But without factoring in all of these considerations (the enterprise’s current and future operations, current and future compliance changes, partners’ new or changed capabilities, and changes in the enterprise’s operating environment, such as new cyberthief tactics), it’s impossible to truly help an enterprise with its complex and ongoing GRC efforts. Edgile’s experience in delivering this comprehensive and holistic strategy has allowed it to create a precise methodology that lets enterprise executives understand their GRC environment and deal with it at their own chosen pace. Indeed, this methodology doesn’t simply make efforts easier for IT, Security, Compliance, Auditing, and other traditional GRC operating units; it also helps articulate to the CEO, CFO, and board members that their security dollars are being used shrewdly.
Life Made Easier by Managing Risk
Edgile’s expertise extends beyond its 16 industry verticals, delving deeply into managing the risk of an enterprise’s entire digital transformation. The cloud itself, for example, is typically far more nuanced and complicated than most executives assume because of hybrid cloud environments, where the company is neither fully in the cloud nor fully on-prem but is doing both, to varying degrees, as it slowly transitions to an eventual all-cloud environment. That painstakingly slow process must be managed delicately, as those changes can have non-obvious impacts on both risk and compliance. And as enterprises shift more of their resources, data, tools, and other applications to the cloud, the number of elements that are suddenly, and sometimes invisibly, beyond their control soars.
Mr. Brian Rizman
Another critical area for Edgile is regulatory change management. Although it starts with a team of compliance experts tracking global, federal, state, municipal, and industry laws, regulations and other requirements every day, the most powerful element is applying those changes, and the anticipated near-term compliance changes, to the specifics of each enterprise. How does it impact that company’s policies and operations? What are the best changes to both improve compliance and reduce risk? That’s what Edgile delivers.
Approach and Advantage
Edgile has seen a rapid rise in organizations making the IRM/GRC move to ServiceNow. This isn’t surprising, as:
• ServiceNow is a Gartner Magic Quadrant Leader in the GRC space.
• ServiceNow is the authoritative source for much of what needs to be managed via GRC, so having native access without API integration is a huge benefit.
• The ServiceNow platform enables synergies across the three lines of defense.
• ServiceNow offers the first real opportunity to achieve continuous monitoring and automate early warnings via KPI/KRI sustainably and cost-effectively.
Unique Client Risk Programs
What’s unique about Edgile is its focus on building client risk programs, using its proven 5-pass methodology and the automated access it provides to the rapidly changing regulatory environment. Edgile’s ArC (Automated Regulatory Compliance) Managed Content Service has a team that tracks more than 500 state, federal, global and industry-specific compliance and regulatory requirements every day. Edgile’s ArC, coupled with its Regulatory Change Management Solution, allows the company to help clients pinpoint the control and policy changes necessary to achieve compliance.
Better Services with ServiceNow
One enterprise that both Edgile and ServiceNow have helped is Banner Health, which owns 20 hospitals across six states. “Taking all of those materials and shifting it into a platform allowed us to maintain data, to see the audit trails of who did what when we just continued referencing it while putting that data continuously in the customers’ hands,” said Banner Health IS Governance Director Greg Liebergen. He also says, “I don’t believe that we did any customization at all. It’s taking the ServiceNow tool and using its out-of-box capabilities, the workflows, the different aspects of the module that exist, and configuring them so that they use the language that we use internally, the terminology. It was a big thing for us not to have to use customization, just to make it overall easier to use the tool on a day-to-day basis. But also, when the time came for platform upgrades, that we’re not struggling, trying to take our unique items and fit them into ServiceNow’s upgraded platform to provide more capabilities.” Another advantage of not having to customize the coding is that it makes it so much easier to share information. “When our auditors come and ask for specific information around our IT general controls, we can point them into ServiceNow rather than having to send them Zip files or give them access to SharePoint that would require them to then have VPN access, etc.,” Liebergen said.
Critically, Edgile works closely with Fortune 500 executives to understand not only where they operate today but also where they expect to be in 6-18 months and where they are heading strategically in the long term. The team then collaborates with both technology and business leaders to frame a roadmap.
Committed and Determined Leader
A professional leader with a wealth of experience understands how businesses operate and, applying his positive enthusiasm, motivates teams into producing results. Don Elledge, the CEO, is one such committed and determined leader; he founded Edgile in 2001. Don holds an undergraduate degree in finance from the University of Texas and an MBA from the University of Washington with a focus on economics. Prior to founding Edgile, Don was a partner at Deloitte, where he established a national security practice focused on e-business security. He also spent four years in New York working at First Boston in the financial industry. He advises clients on the security and risk issues raised by the rapidly changing technology environment, and his forward-thinking view has positioned the company as a trusted, strategic partner. Don is responsible for growing the company into a leading security and risk services organization serving Fortune 500 companies.
CFM Partners
Strategic Technology for Modern Compliance Professionals
Beth Murphy Founder, President & CEO
High-risk employee behaviors that make headlines, combined with ever-changing government regulations, heightened public awareness of corporate responsibility, and rising risk-related costs have prompted compliance executives to seek solutions that will help them manage Governance, Risk, and Compliance (GRC) efficiently and effectively.
Businesses spend a tremendous amount of time and effort carefully developing policies, procedures, and educational materials to guide employees and management in how to do their jobs well and minimize the risk of negative incidents. However, it can be a struggle to implement them in a way that encourages a culture of compliance, where each member of the organization understands their role and responsibilities. CFM’s flagship solution, Access Compliance™, promotes cultures of compliance by helping companies modernize their approach to policy and procedure management through easily-accessible, relevant, and understandable training, as well as systematic communication that lets nothing slip through the cracks.
Based in Washington, D.C., CFM Partners has been on the frontlines of GRC management for over 20 years, offering knowledge-based solutions to help companies proactively manage their risk, turn compliance into performance, and develop effective governance strategies.
Access Compliance™
Access Compliance delivers policies, procedures, and other important information that are directly relevant to the role, responsibilities, and environment of every user, when and where they need that information, thereby enhancing employee productivity while embedding compliance into day-to-day business practices.
The Company that “Gets It”
Employee misconduct often originates from gaps in communication and adoption of policies among groups, departments, and individuals, gaps that the team at CFM Partners works to bridge through its expertise and technology.
It aligns corporate, business group, and country-specific policies – at the end-user level – to ensure users don’t have to sift through volumes of irrelevant information. They see only the policies they need to do their jobs, stay compliant, and stay productive. The platform makes role-appropriate information and education easily searchable and accessible.
18 |October 2019
www.insightssuccess.com
Integrated throughout Access Compliance are features that allow administrators to designate who sees what and when, via CFM’s exclusive Push-by-Profile™ distribution and customized audience assignments. This feature has helped the company secure a well-differentiated position among regtech providers by ensuring the right information is at the fingertips of the right people at the right time. “Risk is substantially mitigated by consistently making people aware of how a particular policy, procedure, or regulation applies to them and their job,” said CEO Beth Murphy. “We determined early on that our solutions need to be configurable to deliver information that is relevant to each user to be truly effective.”
CFM Partners also led the field in delivering solutions in the cloud. Leveraging cloud-computing technology, Access Compliance hosts a suite of solutions and tools that are modular, integrated, configurable, and customizable. Applications and content are swiftly deployed across different regions to specific, appropriate audiences, providing clients with round-the-clock access to the information they need to do their jobs well. Modular design also makes it possible for organizations to acquire as much, or as little, functionality as they need. “When we see an opportunity to enhance our solutions in ways that matter to our clients, we readily pursue those enhancements and make them a reality. It’s kept us ahead of the market repeatedly over the years,” Murphy notes.
Streamlined for Managers
The easier it is to administer a solution, the more effective it will be. Access Compliance includes tools and templates that make it easy for clients to map policies to the groups that need them. “We’ve worked to centralize and streamline the management of policies and procedures, as well as distribute them through a single interface,” Murphy explains. “Features provide a way to standardize policy and procedure development by clearly indicating who owns the content, when it was last updated, where it impacts the organization, and more.” Access Compliance also provides a single access point where managers can see when, where, and by whom policies are reviewed. These tracking features are ideal for managers who understand the importance of monitoring for red flags that may indicate additional communication or employee training is needed. Beyond monitoring, Access Compliance generates reports that document when policies have been reviewed or training programs completed. Data is archived for future reference and regulatory compliance.
Education Is Key
“Simply put, companies that know better, do better,” Murphy observes. Effective compliance education starts with a corporation’s policies and procedures and is supplemented with training to fully educate employees on complex or critical issues. Access Compliance’s education and training module features a suite of online course libraries with topics including Cybersecurity Awareness, Conflicts of Interest, Anti-Bribery, Sexual Misconduct Prevention, and Use of Social Media, to name only a few. Its robust functionality provides easy course administration, customizable and tailored content, review and monitoring of employee progress, reporting, and updates.
Clients Come First
“Every client has its own distinctive needs,” Murphy reflects. “We meet our clients where they are, and our philosophy is to adapt our products and services to meet the needs of each organization.” Deep knowledge, innovative solutions, and an unwavering commitment to client success are the keystones upon which CFM Partners built its business.
Key POS Trends Reshaping the Retail Sector
In recent times, the retail industry hasn’t seen a more exciting invention since the cash register. With new and innovative technologies helping shape both online and offline experiences for consumers, the landscape is continuously changing in a way that was unimaginable even a few years back. The best part is that there seems to be no end to the innovation, which increasingly influences the purchase decisions of consumers.
Nowadays the main focus of retailers is to create a safe, engaging, and unique shopping experience for their consumers, so it’s very important for retailers to understand the importance of Big Data and in-store analytics and to adapt to the cloud. With the retail industry on the verge of a massive transformation, we are listing a few key trends that everyone needs to know to be successful in an ecosystem that is transforming quickly.
Multi-system Integration
Multi-system integration with various applications gets the utmost priority from top retailers. Most retailers list POS integration with other applications as a key priority, alongside the implementation of dynamic marketing content through mobile devices. This is mostly due to the retailer’s interest in storing all customer information and purchase history in a completely centralized database that can be easily integrated with multiple applications. However, in order to do that, a retailer needs to use an ERP database that can handle all of this.
Speed
People always look for quick solutions for everything. A clock starts ticking the moment a customer enters; no matter how good the product is, if the process is slow and attention to detail is missing, then customers will leave disappointed. As a retailer, one cannot please everyone, but with a modern and efficient POS, the service can be improved. A modern POS simplifies the communication between various departments and can save a lot of time for both the retailer and the customer.
Managing Stocks
Keeping and managing inventory is a nightmare for most retailers, and that’s quite natural. Managing inventory is a never-ending task and takes a lot of effort, time, and manpower. However, it is quite important to manage inventories when it comes to long-term survival. An efficient POS system always makes the process of managing inventory much easier. The best part of a POS is that one can monitor the status of stocked items, shipped products, and new orders at any time. This is a huge time saver for a cumbersome and tedious process, and eventually helps retailers focus on other important aspects of running the business.
Customized Experience
With POS systems, retailers can provide personalization that reaches every shopper. Every passing year, retailers are adapting to personalized technology solutions that allow an interactive user experience. Thanks to the emergence of all-new mobile POS technology, retailers can now offer their customers more choices to accommodate their shopping habits by letting them complete transactions anywhere in the store. With improved POS, marketers and customer service teams can contact the buyer at each point of their purchase decision. With so much data, retailers and consumers can have better customer service, quicker payment processes and access to better offers and real-time personalization.
Promotions and Marketing at its Best
Nowadays, with the advent of digital technology, marketing involves maintaining a digital presence as well. A POS can integrate all the advertised offers with transactions, making it easier to keep track of all the campaigns. Additionally, it can integrate with CRM and track customer behavior. When an offer gets popular among the masses, the retailer will see it in the transaction data.
Usage of Big Data Analytics
In order to compete with e-commerce, retailers are now taking the help of Big Data and in-store analytics to have a better idea of what’s happening inside the store. Big Data analytics helps retailers track how frequently a specific item moves from shelf to shopping cart, allowing them to know the trends that are dominant in the market. Analytics helps the retail industry in a big way to better understand consumer purchase patterns and behaviors.
Keeping Track of Employees
To run a business smoothly, a retailer needs a few people. A POS system enables them to be managed with great accuracy. With a Point of Sale system in place, employees can sign on or off easily and the system will automatically log their work hours and break hours.
Security
Above all, a POS system offers strong security protections that help keep customer data safe. Retail stores and businesses are always prime targets for cyber criminals, and a data breach is not good for a business. So, by using standard encryption and firewalls, businesses can be secured against cyber-attacks and customers can swipe their cards with peace of mind.
So, here we have listed a few of the POS trends that will shape the future of the retail industry. As we look ahead, these trends will be in focus for both retailers and customers. The main advantage of an advanced POS system is greater efficiency and optimization; it links all the departments together, which eventually allows better control over inventory, better profitability, and efficient management of processes.
Gisle M. Eckhoff CEO, DigiPlex
Expert’s Thoughts
What GDPR Forgets: The Physical Security
About the Author
Gisle M. Eckhoff joined DigiPlex in August 2014 as Chief Executive Officer. He brings nearly thirty years’ experience in senior positions in the IT industry in the US, Sweden, UK and Denmark as well as at home in Norway. Gisle is the former Senior Vice President and Managing Director of CGI’s operation in Norway, and has also held a number of senior management roles at both country and regional levels in CSC Computer Sciences Corporation. The experience and knowledge gained from heading up the Financial Services vertical in the Nordic region, before becoming Vice President and Managing Director of CSC in both Norway and Sweden, is of great value when implementing DigiPlex’ growth strategy in the Nordic markets.
The EU’s GDPR legislation will have consequences for every company doing business in Europe, including American companies. The new directive promises sizeable fines to anyone that does not take personal data seriously. Meanwhile, the data centre company DigiPlex urges companies to focus on another important aspect: physical security.
The General Data Protection Regulation’s (GDPR) purpose is to harmonize legislation related to personal information across the EU’s member states. It does, however, also create radical challenges for American businesses holding information on EU customers. Come May 2018, when the legislation enters into force, companies will have to publicly disclose how the data is used, in addition to offering transparency for individuals seeking access to their data. The GDPR includes a sanction mechanism, and the fines for non-compliance can reach 4 percent of a company’s annual revenue.
“Business will obviously change for everyone not taking personal information seriously. This will clearly raise awareness regarding how the data is secured, but it’s also vital not to forget where the information is located,” says DigiPlex CEO Gisle M. Eckhoff.
Moving data to safety
The American computer security company McAfee published a study of over 800 company leaders from different sectors. The report reveals that 50 percent of the respondents state that they would like to move their data to a more secure location. A motivating factor is the new EU legislation. The report also reveals that 74 percent of the business leaders thought that protecting data correctly would attract new customers.
“Data security is not just about protecting yourself against hacking and other digital threats. The overall security critically depends on where your data is stored. Companies who actively select a secure data centre to host their data will gain a competitive advantage in the market as the management of personal information is in the spotlight,” says Eckhoff.
Physical security is forgotten
While EU-based companies are in the process of adapting to the GDPR, Gartner predicted that only 50 percent of American firms will be ready for the strict regulation by the end of 2018. It’s primarily the largest companies and public enterprises that are furthest along in the process of adaptation. According to Eckhoff, they are usually the ones that are the most concerned with data security and where it is stored. Fire and operational safety are two obvious challenges, but physical security also includes securing yourself against theft.
“Several smaller businesses and organizations keep their data servers at their offices, and the physical security in many of the smaller data centers is almost absent. If your data is stored in such a data center, where someone could easily break in and physically remove the hardware containing your information, then you are very vulnerable, both operationally and in relation to GDPR,” says Eckhoff.
At DigiPlex’s data centers, several layers of security ensure the safety of the data and the personal information that is stored there. Physical security is one of the most complicated and expensive features when building or updating a data center. That is why newly established data centers have to reach critical mass, allowing them to store enough data to compensate for the large security investment.
Adapting to GDPR
One consideration to take, as we get closer to the implementation date of GDPR, is where your data center should be located. Several US-based companies are already relocating their centers to the EU in order to comply. Multiple database providers are helping non-EU companies organize and segregate EU data from other personal information. The data center industry is well established in Europe, and some of the most cost- and climate-efficient centers are located in the Nordic countries. In the Nordics, the cool climate helps chill vast amounts of hardware that would otherwise have been cooled solely by electricity. Additionally, the electricity that data centers require to run their operations is supplied through easy access to affordable renewable energy.
“In recent years, we have seen political turbulence in large parts of the world, Europe included. The stable political environment in the Nordic countries is also a climate to consider, as the establishment of data centers is a long-term investment,” says Eckhoff.
Corlytics

John Byrne, CEO & Founder, Corlytics

Empowering Clients to Make Informed Choices

Back in 2008, when Lehman Brothers filed for bankruptcy, it was done amid fear and confusion, following one of the worst economic meltdowns since the Great Depression. Up until then, Lehman Brothers had survived the Great Depression, two world wars, cash shortages, the Russian debt default of 1998 and the Long-Term Capital Management collapse. Despite surviving all of these, the collapse of the US housing market brought Lehman Brothers to its knees.

Back in 2008, compliance was a nuisance function that banks kept in the back office. Its importance wasn't fully appreciated, and there had been a complete lack of investment in it. Fifteen years ago, banks may have paid attention to the regulators, but they didn't worry about them the way they do today. So, with the goal of delivering world-class regulatory risk data and analytics, Corlytics empowers its partners to make transformational, informed and positive choices. It uses a combination of artificial and human intelligence to categorize and organize regulatory notices and, when required, internal firm data into highly structured, relevant information. This allows regulated firms to protect themselves from unexpected exposures and fines.

The Inception Story

Since the global economic meltdown of 2008, banks and other financial institutions have been confronted by an intimidating stack of new regulations. The founders of Corlytics found a business opportunity in the landslide of 54,000 regulatory documents published by 130 different agencies of the G20 countries. The most shocking part of the financial meltdown was Lehman Brothers' bankruptcy filing: since the Great Depression no major bank had failed, and suddenly one of the top 10 investment banks was gone. This created a problem not seen before. In fact, the biggest risk for the world's top 20 banks today is regulatory risk. Last year there were about $100 billion in fines levied on banks for not complying with regulations. In 2008, before the financial crisis, that figure was less than $1 billion.

When the Aim is to Solve Regulatory Risks

Corlytics analyses the enforcement outcomes of each regulator and regulatory category, allowing banks and financial institutions to understand the business impact. Data is presented in a digestible, easy-to-action dashboard, with heat maps and financial impact predictions. Corlytics' technology includes:

Taxonomy Mapping: Corlytics' regulatory taxonomy solution enables categorization, mapping and routing of regulatory content to a firm's view of compliance risk, business lines and controls. Corlytics makes sense of regulatory notices for departments, teams and individuals so that only relevant information is highlighted for action. The solution has also been used to create the world's first 'searchable' intelligent handbook, through taxonomy mapping.

Monitoring global regulators: Corlytics' bots scan all notices from regulators for all types of regulatory content. The information is collated into a single cloud-based repository, which can be used for analysis and risk weighting.

Risk insights: RiskFusion® highlights regulatory concerns for risk, audit and compliance teams to assist in the planning and allocation of regulatory compliance investments. Corlytics collects and categorizes regulatory data. Relevant data sets are then analyzed and summarized by Corlytics' regulatory and legal analysts. RiskFusion® risk models are applied to the curated data to illustrate the highest-risk jurisdictions, regulations, regulatory topics and provisions.

Corlytics RED app: This app scans regulators in near real time for all types of regulatory developments, including regulatory notices, speeches, press releases, consultations, enforcements and penalties. Users can choose five global regulators to appear in their feed, and RED (regulatory enforcement data) alerts on content relevant to them.

The Trendsetter

John Byrne is the CEO and founder of Corlytics. When it comes to setting the company's vision and strategy, John is the go-to guy. He is a serial entrepreneur in the financial technology sector and has built and sold multiple global technology-based enterprises. He also founded one of the first campus companies in Ireland, back in 1985, in the energy sector. That's not all: he also built Information Mosaic in 1997, a global player in the securities software industry, which was sold to Markit in 2015.

Since the introduction of global regulations for the financial markets in 2009, John realized that there was a complete lack of intelligence and predictive analytics to help banks, regulators and their advisers make informed decisions.

Picking up Invisible Trends

Corlytics has developed a global taxonomy that structures all regulatory notices, enabling businesses to look across jurisdictions for common trends and patterns. This global intelligence means the company can pick out emerging trends that are otherwise invisible. In 2017, Corlytics helped develop the world's first intelligent regulatory handbook for the UK's regulator, the Financial Conduct Authority (FCA). The FCA handbook is used daily by thousands of regulated financial institutions and their advisors. It contains binding regulatory obligations and guidance for firms. Corlytics has worked with the team at the FCA to apply a central, common taxonomy to all regulations. With this in place, the existing material in the handbook can be tagged and machine-read, which allows for a much more user-friendly search and navigation experience.

"We are now at the very fore of the regulatory intelligence revolution. Our forensic analysis and forecasting of regulatory risk and sentencing globally by four different professions sees Corlytics deliver 360-degree intelligence."

When Expansion is on the Cards

Corlytics continues to generate promising unsolicited inbound leads and referrals, which reflect the strength of its value proposition and suite of compliance risk applications. The company's sales and successes to date with early adopters, including global regulators, large global banks and financial institutions, are substantial validation of its product. According to the company, it will continue to pursue its sales channels in core markets such as Europe and the US. A strategic partnership with a global bank, advisory practice or consultancy firm may be considered to accelerate growth and market approval in new territories. This year, Corlytics is planning to expand its core product offering in terms of strategic geographical and regulatory coverage to include other jurisdictions. In terms of market segmentation, it sees significant potential for sustained growth across asset management, brokerage and insurance.
Industry Intel

Allowing Regulated Entities to Connect and Structure their Data

What are the latest trends in the business world? An impressive rise in regulatory, compliance and risk management requirements, together with an exponential growth of data that corporations struggle to manage. The idea behind Governance.com is a spot-on observation and vision of our founders, Bert (CEO) and Rob Boerman (CTO): to allow regulated entities to connect and structure their data. As a Regtech, our purpose is to allow our clients to structure and simplify their data and control their business by building their workflows, checklists and activities around it. Governance.com is a fully flexible and customizable central system which can be interfaced with our clients' legacy and external systems. All their data and operational flows are centrally linked and easily accessible via our platform. This explains our continuous growth and recognition in the industry (winning the Fintech of the Year Award in 2016 in Luxembourg, inclusion in the Fintech 50 2018 and in the Global 100 Regtech in 2017).

We all know that a revolutionary vision and a performant system do not guarantee commercial success. Regtech is a relatively young concept which still has to show its full potential and concrete value to traditional companies. I truly believe that the key to a successful collaboration lies in open and transparent communication. The biggest concern and pain point of Regtech companies is the lengthy decision and procurement process of the companies they sell to. There is no point getting frustrated about this, as we have no control over the process. I believe the optimal way to build long-lasting relationships is to focus on the challenges, needs and culture of our clients. An intensive risk assessment and a multi-layer decision-taking and procurement process are part of the DNA of the regulated companies we are talking to. So, for Regtech CCOs, either deal with it or stay aside. This is one of the first strategic decisions I took as Commercial Director: rather than beginning by talking about how marvelous and innovative our solution is (and I truly believe Governance.com is an awesome platform), we always begin discussions by asking our contacts:

• How do you manage your business? What would you like to achieve with it?
• What are your biggest pains?
• Who are the users? What is the first thing they will do on Governance.com?

Based on their feedback, the second step is to show the features and functionalities of our platform adapted to their needs. During the advanced negotiation phase, we aim to underline our concrete support and value:

• Define together the Return on Investment of the project: our aim is to achieve 600% ROI within 3 years
• Focus on the simplicity of our platform: our motto is that a system is useful and will be used massively only if it is simple to use
• Propose agile and timely implementation: tech means a quick, easy and efficient deployment
• Close follow-up of their activity: our Business Support experts are easily accessible during the entire process and afterwards to assist our clients in case of need

This approach is the key to strong and long-term relationships. It is also vital to integrate the decision-making and procurement variables very early in the process. Regtech is a new concept, and Senior Management and Decision-Makers are sometimes informed of the procurement process only once they have decided to use our platform. Pro-active and continuous support is key to working with them more quickly and helping them throughout the process. This, I believe, is the reason for our success and for our shorter relationship activation compared to industry standards. We are all proud to be part of this exciting adventure, which has allowed us to grow from 2 to 17 FTE with offices in Luxembourg and the Netherlands.

We have many exciting challenges for the upcoming year:

• Continue our international expansion by partnering with high-quality organizations and through a direct presence via local offices. We plan to be present in the UK during 2018 and to extend to the US and Asia during 2019 to get closer to our clients worldwide.
• Ensure continuous enhancement of our functionalities by listening to our clients
• Implement the Machine Learning and AI functionalities we are working on for our platform

Financial regulation and compliance costs around $780 billion per year: 1% of worldwide GDP! This is why it is so exciting for me to work in tech and to participate in a sustainable economy by providing a cost-efficient, safer and user-friendly solution.

About the Author

Olus Kayacan, CCO of Governance.com, has over 20 years of experience in financial markets, including prime brokerage and asset management, with a substantial network of institutional investors, retail and private banks, brokers, asset managers, family offices and corporates. His career has allowed him to meet extremely exciting, interesting and professional individuals every single day. He has successfully participated in the launch and development of several businesses and overachieved commercial targets on each of them.

Olus Kayacan
CCO, Governance.com
Great Bay Software

Closing the IoT Security Gap

Ty Powers, Vice President Technical Solutions

While "Internet of Things" security is the focus of Great Bay Software today, its beginnings predate IoT. The company got its start in 2005, working with clients to help shore up their networks with network authentication, and it identified a significant gap in the market: endpoint visibility. It created a product called Beacon, which became the flagship product of the new company, Great Bay Software. With that launch, Beacon was suddenly on the map; it was quickly OEMed by household names in Network Access Control. But by 2014, Beacon had outgrown its OEM status. By then the product included features like authentication and enforcement, and it also had the ability to discover and profile the new world of IoT devices. With the advent of the "Internet of Things" in the mid-to-late 2000s, Great Bay knew that network security would need to change. In those early days with Beacon, the organization envisioned the next generation of IoT network security, and that gave birth to its Network Intelligence Platform. The company took the core of Beacon and its agentless architecture and, after years of successfully ingesting data from enterprise sources, built out a robust open platform designed for bidirectional integration. The highly migratory and rapidly evolving nature of IoT necessitates an elastic and responsive security framework, in addition to the wisdom and context from the enterprise environment.

Importance of Security

Security concerns around the "Internet of Things" have been percolating for decades, but today's enterprises are on the cusp of the crisis. For years, an endless barrage of under-secured gadgets was acquired by consumers at a dizzying pace, and the tipping point for enterprises hit just a few years ago: business investment in IoT was $215B in 2015 and is expected to grow to as much as $832B by 2020. Attacks on unsecured IoT are on the rise, driving up risk in every industry sector around the globe. Gartner forecasts that, by 2020, there will be more than 20 billion internet-connected devices in use, with IoT connecting everything from jet engines and commercial vehicles to manufacturing equipment and office equipment to personal cars and consumer electronics. This staggering number, along with the range of device manufacturers, creates a vastly larger and more complex environment for enterprises, and a larger attack surface.

Great Bay Software was the first IoT security solution on the market to eliminate the cost and complexity of network visibility and control with an agentless architecture that automated device discovery, threat detection and defense. Today, the company is a leading provider of IoT visibility and control, and its Network Intelligence Platform provides organizations of all industries and sizes with unparalleled visibility, scale and control to address one of the most prolific and challenging cybersecurity risks of our time: IoT devices. The company's vision is to arm every company with the visibility and control needed to harness the power of IoT, along with the means to protect their organization, customers, partners and stakeholders at scale.

"We ensure that enterprises know their real-time IoT risk and can easily detect, locate and mitigate device threats as they emerge."

Risk Management Challenges

Educating enterprises about IoT risks and security is one of the biggest challenges. Most companies see the productivity gains that can come from IoT and jump, but they don't always understand the risks. Or, even if they do, they don't understand the urgency. There are numerous examples where IoT enterprise threats are here now, and Great Bay Software is in a position to show CISOs and their teams that they cannot de-prioritize this any longer. Often the challenge is budget or IT skills shortages, but the company can very quickly show how its platform saves organizations valuable time. The ROI is there.

In addition, even when risks are understood, many companies and industry leaders are focused on device manufacturers: there is a deep desire to drive security standards from the manufacturing side. While there have been some improvements, that approach has a critical flaw: the way IoT devices are manufactured is core to the problem of security. Looking at the broad manufacturing process for IoT devices, there are several players. It starts with the chip manufacturers, who compete on price and have slim profit margins, so there may be limited engineering focus placed on security. Next there are the system manufacturers: they choose off-the-shelf silicon and OEM software, manufacture the device, and maybe build in some tech elements, but often don't put their brand name on it. Finally, the brand-name company packages the device, makes sure everything works and ships the product. At that point, maintaining the platform and firmware and patching the OS may not be a priority (or possible), and the software is often already outdated even if the product is new to market. Who is responsible for keeping everything up to date? It's not clear, so it doesn't happen. The waters are even murkier if one of the entities goes out of business or is acquired.

In regulated industries like healthcare, medical device manufacturers face another conundrum: device review and approval can take as much as 5-7 years, so the software is often dated as soon as the device is approved for launch. And the device may have a lifespan of as much as 15-20 years, a far cry from the 3-5 years expected of most PCs, tablets and mobile phones. As such, while security at manufacturing time is important, it is only one control. So Great Bay Software believes outside governance is of utmost importance for security to be delivered; it's all about checks and balances.

Prompt and Thorough Leader

Ty Powers has been with Great Bay since the beginning, back in 2005, which predated the advent of IoT. That said, the company's DNA is in endpoint visibility, security and networks. Great Bay Software has worked with CISOs and CIOs from companies of all sizes and all industries, and Ty had a front-row seat to much of it, as a security analyst, solution architect, systems engineer, technical product manager and now Vice President Technical Solutions. His role working alongside customers as they engage with the company's platform has been among the most rewarding.

Ty brings more than 20 years of network infrastructure and security experience to Great Bay Software. He has specialized in all phases of network security, from the design, planning and scaling of architectures to the implementation, integration and deployment of critical network security solutions. Ty has held technical positions at Aruba Networks, Blue Spruce Technologies, Enterasys Networks and Cabletron Systems.

Solutions Offered by Great Bay

The company's Network Intelligence Platform is designed to discover, profile and monitor all network-attached endpoints in real time, without an agent. It is the first and only real-time visibility and enforcement solution proven to deliver device discovery, robust profiling, continuous behavior monitoring and flexible remediation at enterprise scale. The company has secured more than 1.5 million devices in a single instance for one enterprise, the largest known deployment in the industry. Great Bay's platform includes:

• Unmatched Visibility: Great Bay Software's agentless architecture ensures that it sees 100% of network-attached devices, arming IT, security, compliance, clinical and operations teams with a complete view of all IoT devices. Presented in an intuitive interface, the platform gives professionals a complete and up-to-the-minute asset inventory and enables them to quickly detect, understand and mitigate device risks within 2-3 clicks.

• Real-time Behavior Monitoring & Risk Intelligence Scoring: The Great Bay Network Intelligence Platform analyzes the identity and behavioral attributes of endpoints, identifying real-time events and, when needed, automating a change to mitigate risk. Leveraging and correlating multiple risk indicators, the platform also calculates an enterprise risk score based on each organization's unique environment and priorities.

• Dynamic Network Segmentation and VLAN Strategy: Network segmentation is a best practice for security and compliance that is increasingly impractical to implement and maintain in large corporate environments. The Great Bay Software Network Intelligence Platform is designed to help identify, devise and enforce an optimal segmentation strategy, streamlining operations and strengthening security by dynamically taking action and alerting administrators when network security policies are violated.

• Bidirectional Integration and Workflow Automation: The company's open platform is designed to increase the efficacy of the security architecture and asset management systems through the sharing of endpoint attribute data and context. Delivered through its API or the Great Bay Data Connector, the bidirectional data flows enable powerful features such as dynamic ticket generation, improved infrastructure security and a higher return on investment.
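The profiling and segmentation behaviours described above, reduced to their mechanics, as an added example that is not Great Bay Software's code: each endpoint is profiled from passively observed attributes (the MAC OUI, the DHCP option 60 vendor class identifier, and the hostname), the evidence is combined by weighted vote, and the VLAN the device actually landed on is checked against a segmentation policy. The OUI table, vendor-class strings, hostnames, VLAN numbers and weights are all constructed for this illustration, and the sample observations are made up.

```python
"""Agentless endpoint profiling and VLAN policy check (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed lookup tables. Real deployments would carry thousands of OUIs
# and vendor-class strings; these few are made up for the example.
OUI_TABLE = {            # first three MAC octets -> device class
    "00:1a:2b": "ip-camera",
    "00:3c:4d": "infusion-pump",
    "00:5e:6f": "printer",
}
VENDOR_CLASS_TABLE = {   # DHCP option 60 (vendor class identifier) -> device class
    "CamOS-1.4": "ip-camera",
    "PumpLink": "infusion-pump",
    "PrintNet/3": "printer",
    "MSFT 5.0": "workstation",
}
HOSTNAME_PATTERNS = [    # naming conventions; weakest evidence, anyone can set a hostname
    (re.compile(r"^cam-\d+$"), "ip-camera"),
    (re.compile(r"^pump-\d+$"), "infusion-pump"),
    (re.compile(r"^prn-"), "printer"),
    (re.compile(r"^ws-"), "workstation"),
]
# Evidence weights in percent: a DHCP vendor class is a stronger signal than an
# OUI, which is often shared across a vendor's product lines.
WEIGHTS = {"vendor_class": 50, "oui": 35, "hostname": 15}
MIN_CONFIDENCE = 50

# Hypothetical segmentation policy: the VLAN each class belongs on.
VLAN_POLICY = {"ip-camera": 110, "infusion-pump": 120, "printer": 130, "workstation": 10}


@dataclass
class Endpoint:
    mac: str
    vlan: int
    vendor_class: str = ""
    hostname: str = ""


def evidence(ep):
    """Map each evidence source that produced data to the class it points at."""
    ev = {}
    oui = ep.mac.lower()[:8]
    if oui in OUI_TABLE:
        ev["oui"] = OUI_TABLE[oui]
    if ep.vendor_class in VENDOR_CLASS_TABLE:
        ev["vendor_class"] = VENDOR_CLASS_TABLE[ep.vendor_class]
    for pattern, cls in HOSTNAME_PATTERNS:
        if pattern.match(ep.hostname.lower()):
            ev["hostname"] = cls
            break
    return ev


def classify(ep):
    """Weighted vote over the evidence; returns (class, confidence in percent)."""
    votes = defaultdict(int)
    for source, cls in evidence(ep).items():
        votes[cls] += WEIGHTS[source]
    if not votes:
        return "unknown", 0
    cls, score = max(votes.items(), key=lambda kv: kv[1])
    return (cls, score) if score >= MIN_CONFIDENCE else ("unknown", score)


def check_segmentation(endpoints):
    """Return (mac, reason) findings: wrong VLAN, unclassifiable, or conflicting evidence."""
    findings = []
    for ep in endpoints:
        ev = evidence(ep)
        cls, conf = classify(ep)
        # A camera OUI answering with a Windows vendor class is the signature of a
        # MAC cloned to slip a laptop onto the IoT VLAN.
        if "oui" in ev and "vendor_class" in ev and ev["oui"] != ev["vendor_class"]:
            findings.append((ep.mac, f"OUI says {ev['oui']} but DHCP vendor class says "
                                     f"{ev['vendor_class']} (possible MAC cloning)"))
        if cls == "unknown":
            findings.append((ep.mac, f"unclassified (confidence {conf}%); "
                                     "quarantine pending manual review"))
            continue
        expected = VLAN_POLICY[cls]
        if ep.vlan != expected:
            findings.append((ep.mac, f"{cls} (confidence {conf}%) seen on VLAN {ep.vlan}, "
                                     f"policy requires VLAN {expected}"))
    return findings


# Constructed observations; not captured from a real network.
OBSERVED = [
    Endpoint("00:1a:2b:10:00:01", vlan=110, vendor_class="CamOS-1.4", hostname="cam-01"),
    Endpoint("00:3c:4d:20:00:07", vlan=10, vendor_class="PumpLink"),
    Endpoint("00:1a:2b:10:00:42", vlan=10, vendor_class="MSFT 5.0", hostname="ws-07"),
    Endpoint("00:99:aa:bb:cc:dd", vlan=110),
    Endpoint("00:5e:6f:30:00:03", vlan=130, hostname="prn-3"),
]

if __name__ == "__main__":
    for ep in OBSERVED:
        print(ep.mac, classify(ep))
    for mac, reason in check_segmentation(OBSERVED):
        print(f"{mac}: {reason}")
```

Two design points carry over to any real profiler. First, the confidence threshold means a device seen only by its OUI is never trusted enough to be placed on a VLAN automatically, which is what keeps an attacker from earning IoT-segment access by cloning a MAC prefix. Second, disagreement between evidence sources is itself a finding, separate from the classification result, because a cloned MAC on a laptop classifies cleanly as a workstation and would otherwise pass silently.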
Innovative Future Great Bay’s platform is among the first to address and solve the enormous challenges around IoT device visibility and control. Understanding of the threats in this market is still emerging – and the company is poised to help organizations of all walks and sizes tackle these issues head-on. The company’s platform continues to evolve as IoT continues to mature, and Ty is looking forward to announcing several innovations in the not-too-distant future.
Editor's Pick

Data Center Security: Controlling Possible Threats

The rise in cyber-crime is one of the main causes of data center outages. According to a recent industry survey, cyber-crime caused 22 percent of data center outages in 2015, as opposed to 2 percent of outages in 2010. Adding to this, most data centers are now re-evaluating their security policies after the WannaCry ransomware attack. Data center outages cause companies to lose revenue in many ways, but the costliest losses are service interruption and lost IT productivity. Organizations are realizing that traditional perimeter security is no longer enough to secure a data center. A recent study found that 83 percent of traffic travels east/west within the data center, where it is never inspected by perimeter security. In this environment, once an attacker gets past the perimeter firewall they can move laterally across systems with ease, extract information and compromise valuable data. Additionally, data centers can fail due to trespassers, a terrorist attack or natural calamities. So, how can one best secure a data center against these threats? The points below cover the essentials.

Map the Data Center. As the first step, map the virtual and physical infrastructure so that attackers inside it can be flagged. CSOs and CIOs with a map of their systems can react to suspicious activity and take steps to stop data breaches. Being able to visualize traffic patterns within a network helps in understanding threats, which in turn raises the level of security. Understanding and measuring traffic flow within the data center boundary is very important: a deviation in traffic across east/west vs. north/south, or protected vs. unprotected paths, is an indicator of a threat. Vulnerable zones and unprotected traffic need to be monitored as well.

Define Firewall Rules as per requirements. Allow traffic only after thorough verification, and selectively permit communication so that only what is known to be legitimate gets through. The key is to identify what is legitimate and secured and what can be blocked.

Build a Team of people who understand how traffic flows within the premises, who can access and secure information, take the measures needed to secure important assets, and put roadblocks in the attackers' way. Security must move as fast as a data center's technology adoption and integration.

Security Strategy Should Change Alongside the Technology and should not be treated as an add-on option. Businesses should also ensure that their anti-virus protection, signatures and other protective features are kept up to date.

Identify and Place Controls over high-value assets, which will help reduce risk. Older security solutions are blind to new threats, so newer vendors have produced solutions that protect data in the virtual world.

Access Restriction also needs to be imposed. Every business should thoroughly check a person's background before giving them access to a prized possession. Access to the main site and the loading bay must be limited; additionally, two-factor authentication and fortified interiors with security guards and roving patrols help safeguard employees and the data center.

Install Surveillance Cameras around the data center, alongside removing signs that may provide clues to its function, to help locate an intruder. A buffer zone between the data center and all entry points will limit unlawful trespassing to a great extent. Additionally, the data center should be far from the main road and should have no windows other than those needed for administrative areas.

A data center should Check and Test Back-Up Systems regularly, as prescribed by the manufacturer. It should also maintain a list of dos and don'ts for the event of an attack. Recovery plans and security plans also need to be checked thoroughly.

Data centers are always a Soft Target for Terrorists, as an attack on them can disrupt and damage major business and communication infrastructure. So security needs to be taken seriously, and proactive steps should be taken to limit the impact of such an attack.

Trained Security Guards need to be posted inside a data center. Security officers must undergo strict site-specific training to monitor surveillance footage. Depending on the size of the data center and the number of security cameras, multiple security officers may be required on duty. Officers dedicated to inspecting surveillance footage help when it comes to securing a data center.

Disaster Recovery is very important and must be in place. If the data center stops functioning after an attack or natural calamity, it must have a way to restore operations as soon as possible. To be ready for a disaster, and to evaluate the disaster recovery plan, it is necessary to train staff well and to run simulated disasters.

To avoid these obstacles, one needs a fair bit of knowledge of new security systems, solid plans and comprehensive visibility. The more work a data center can do up front in the above-mentioned areas, the better the chances of success with fewer outages.
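The east/west monitoring and "allow only after verification" firewall advice above, turned into a runnable check, as an added example that is not part of the original article: flow records are classified by direction relative to the data center's address space, every east/west flow is matched against an explicit allowlist, and egress from segments that should never talk to the outside is reported. The address plan (10.0.0.0/8 overall, a web tier in 10.10.0.0/24, database and cache tiers in 10.20.5.0/24 and 10.20.6.0/24, jump hosts in 10.30.0.0/24), the allow rules, and the CSV export format `src,dst,proto,dport,bytes` are all assumptions made for the example, and the sample log is constructed.

```python
"""Direction-aware flow audit for a data center segment (added example)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: the whole data center sits in 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical east/west allowlist: (src net, dst net, proto, dst port).
# Any east/west flow that matches no rule is reported, which is the
# "allow only after verification" stance the article recommends.
ALLOW_RULES = [
    ("10.10.0.0/24", "10.20.5.0/24", "tcp", 5432),  # web tier -> database tier
    ("10.10.0.0/24", "10.20.6.0/24", "tcp", 6379),  # web tier -> cache tier
    ("10.30.0.0/24", "10.0.0.0/8", "tcp", 22),      # jump hosts -> anything, SSH only
]

# Hypothetical segments that must never initiate north/south traffic.
NO_EGRESS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flow_log(text):
    """Parse 'src,dst,proto,dport,bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def direction(flow):
    """east-west: both ends internal; north-south: one end; transit: neither."""
    s, d = flow.src in INTERNAL, flow.dst in INTERNAL
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "transit"


def matches_allowlist(flow):
    """True if some allow rule covers this flow's endpoints, protocol and port."""
    for snet, dnet, proto, port in ALLOW_RULES:
        if (flow.src in ipaddress.ip_network(snet)
                and flow.dst in ipaddress.ip_network(dnet)
                and flow.proto == proto and flow.dport == port):
            return True
    return False


def audit(flows):
    """Return (flow, reason) pairs for every flow that violates the segment policy."""
    findings = []
    for f in flows:
        d = direction(f)
        if d == "east-west" and not matches_allowlist(f):
            findings.append((f, "east-west flow matches no allow rule (possible lateral movement)"))
        elif d == "north-south" and any(f.src in net for net in NO_EGRESS):
            findings.append((f, "egress initiated from a no-egress segment (possible exfiltration)"))
        elif d == "transit":
            findings.append((f, "neither endpoint is internal (spoofing or a misrouted export)"))
    return findings


def summarize(flows):
    """Count flows per direction; the article's 83% east/west figure is this ratio."""
    counts = {"east-west": 0, "north-south": 0, "transit": 0}
    for f in flows:
        counts[direction(f)] += 1
    return counts


# Constructed sample export; not real traffic.
SAMPLE_LOG = """\
# src,dst,proto,dport,bytes
10.10.0.15,10.20.5.8,tcp,5432,48213
10.10.0.15,10.20.5.8,tcp,22,912
10.30.0.5,10.20.5.8,tcp,22,20480
203.0.113.7,10.10.0.15,tcp,443,1532
10.20.5.8,198.51.100.3,tcp,443,70000
192.0.2.9,198.51.100.3,udp,53,120
"""

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    print(summarize(flows))
    for flow, reason in audit(flows):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the sample, the audit reports the web server opening SSH to the database host (an east/west flow the perimeter firewall would never see), the database host talking out to the internet on 443, and a record with no internal endpoint at all, while the inbound 443 connection from the internet is left to the perimeter controls. The same allowlist doubles as the specification for the east/west firewall or micro-segmentation rules, so a flow that is flagged here is also a rule that is missing or misapplied.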
Matrix-IFS
Renan Levy CEO
The Modern Day Crime Fighters. Protecting Financial Institutions from Hackers, Fraudsters & Money Launderers. Matrix-IFS was founded in 2006, due to the growing need for tailor-made, cost-effective services in financial crime domains - risk management, Anti-money Laundering (AML) and fraud prevention.
W
ith millions of accounts containing people’s life savings, security has always been one of the largest concerns for financial institutions and their customers. As cybercriminals become more sophisticated in their hacking techniques, so should a company’s cybersecurity and fraud prevention systems. Although new technologies provide more advanced security options, knowing which ones to use and how to implement it is a challenge many institutions face today. Aa a global leader in financial crime and compliance consulting and services, Matrix International Financial Services (Matrix-IFS) places the safety, privacy, and security of financial institutions and their customers above all. Led by Chief Executive Officer, Renan Levy, the company provides bespoke solutions to the financial sector that address emerging threats. About Matrix-IFS
40 |October 2019
“For the past thirteen years, the IT financial crime space has been exploding as regulations become more demanding, and technologies such as artificial intelligence (AI) and Machine Learning continue to improve. The risk of being a target of illegal activities is only increasing, requiring the banks and other financial institutions to adopt various solutions to protect themselves from different types of attacks. Matrix-IFS was founded for this particular reason: to help our clients address these issues by providing domain and IT expertise of highly qualified and experienced financial crime specialists.”,Renan commented on the landscape of financial crime. Having the Customers’ Best Interests at Heart Renan adds, “As a leading advisory firm, we strive to deliver only the best-suited solutions for our clients. We develop customized solutions jointly after a careful examination of the companies’ requirements, existing technologies, and processes. One shoe does not fit all.” Since Matrix-IFS is vendor agnostic, it can offer its customers “best of breed” solutions, meaning that the
www.insightssuccess.com
The
company’s experts combine different technologies to offer the most efficient financial crime ecosystem. For example, whereas some vendors have strong AML systems, they may lack a good data quality or fraud prevention solution. When asked about implementing cutting-edge technologies, Levy responded, “A robust AML or fraud prevention program requires a deep understanding of the data, relevant analytics, and the effective application of innovative technologies and processes, to name a few: Machine Learning, AI, and Robotic Process Automation (RPA). Renan also states that one of the main challenges faced by the market today is addressing high volumes of falsepositive alerts generated by transaction monitoring systems. This inherently wastes a great deal of time and money due to inaccurate results that can lead to missing bonafide alerts and causing high rates of customer frustration. Matrix-IFS’ experts have developed methodologies to optimize AML/fraud prevention systems and models to reduce the false-positive ratio, freeing up investigators’ time to handle real threats. One method of making the process more efficient and cost-effective is through RPA, which automates manual and repetitive tasks, reducing overhead and increasing accuracy.
Addressing Client Vulnerabilities Many vendors in the market try to address the issues of fraud and cybersecurity. Most address 80% to 85% of the client’s security issues. Matrix-IFS uses penetration testing to assess the institution’s vulnerability. This methodology takes a bird’s-eye view, looking at the whole picture rather than only the mainstream. Stepping into the Shoes of the Leader Boasting a proven track record of building and running several successful companies in the fields of technology, banking, business, and consumer services, six years ago Renan took on the role of Matrix-IFS’ CEO. Since then, he has grown the company’s footprint from a single office in NJ to include a global network of offices. Under his leadership, the company’s offerings have expanded while not compromising on quality and innovation.
www.insightssuccess.com
A Step Ahead of the Competition

According to Renan, “What sets Matrix-IFS apart from other consulting firms is our domain and technology expertise, which derive from years of experience providing risk management and financial crime prevention solutions solely to the financial sector and, by doing so, honing our craft. No one is as focused or has as many successful advisory and implementation projects in the fraud prevention and AML space under their belts as we do.” He continued, “Our number-one value is the client’s success; it drives the company forward to deliver tangible, measurable results. This kind of customer-centric culture across the entire company is what drives us. There is nothing more rewarding than seeing our clients return to us time and time again over the space of two decades.”

A Glimpse at Matrix-IFS’s Future

Renan aspires to bring even more value to his clients by developing new services, including cybersecurity offerings, top-of-the-line cloud services, and trustworthy data quality solutions. He envisions the company expanding into new territories, growing Matrix-IFS’ offerings within the financial sector and beyond.
October 2019| 41
Interpreting Risks
Minimizing the Adverse Effects of Risks
Josh Sokol, Creator & CEO, SimpleRisk

Has the number of security issues you deal with on a routine basis ever made you feel a bit like Atlas carrying the world on your shoulders? I can’t tell you the number of conversations I’ve had with discontented security practitioners who lament to me the woes of trying to speak with management about the latest Heartbleed or Spectre/Meltdown vulnerabilities, and that ‘management just doesn’t understand’. Even worse, when management inevitably turns a blind eye to the issue, the security practitioner worries that they’ll be searching for a new job if the vulnerability is ever exploited. As the Information Security Program Owner at National Instruments for over eight years, I frequently find myself offering the following bit of advice to my compatriots who are struggling with what to do in this situation.

When I first started the security program at National Instruments, I had these same feelings of anxiety. The tools I was using to scan our networks, systems, and applications were turning up vulnerabilities left and right, but there were few things I had the ability to fix. I had to go to another team, explain what had been found, and then somehow convince them that they needed to fix it. In some cases they humored me, but in many cases my vulnerabilities were just another bug that they’d get to when they had time. The weight of all of these unmitigated issues was crushing me. I knew that if I didn’t find a better way to do things, I wouldn’t last long in that role.

I quickly came to realize that my role as a security practitioner was never to fix the vulnerabilities I found. That was the function of the application administrators. Nor could I control the resources and roadmaps that determine how the various mitigations are prioritized; that role belongs to members of the business. My primary function as a security practitioner was to assist in identifying the issues, advise on how to mitigate them, and ensure that the right stakeholders are aware and educated so that they could make the most informed decision possible for the business. In short, my role was that of a risk manager, and my job was to drive visibility and accountability for the risks the organization is accepting to the stakeholders who are accepting them.

To formalize the processes around my newly found risk management role, I did quite a bit of research into what others were doing. Eventually I stumbled across NIST SP 800-30, the Risk Management Guide for Information Technology Systems. I’ll admit that it wasn’t the most titillating document I’ve ever read, but the content really helped to solidify what our risk management process needed to look like. To start with, I needed a way to track all of the risks we were collecting through the various assessment processes in our environment. This system, typically referred to as a risk registry, would become the aggregation of risks found in our organization through vulnerability assessment, auditing, interviews, vendor notifications and many other sources.
To be successful, I needed a system that anyone who came across a risk in their environment could access quickly, and that let them enter a minimal amount of data about the risk so that they could get right back to what they were doing. I would then use that information to populate the details myself later, or schedule time on their calendar for them to fill me in. My system also needed a way for me to understand the prioritization, or risk level, of the risks I was capturing. Following SP 800-30, that level is derived from the likelihood that a threat exercises the weakness and the impact on the organization if it does.
Once a risk had been recorded, I needed a way to track how we were going to handle it. The options ranged from accepting the risk, because its likelihood and impact were within what we considered a tolerable range, to planning some sort of mitigation. I also needed a way to understand the level of effort involved so we could balance that cost against the risk level. If my ultimate goal was to drive visibility and accountability up the chain of management, my last step was to have a process for who would review the risks. I decided to use a combination of the team a risk is assigned to and the risk score. Since risk management is designed to be a cyclical process, with risks re-evaluated on a routine basis, I also used the score to determine how often each risk would be reviewed.

Most of the organizations I speak with these days about risk management start out using complicated formulas in Excel spreadsheets, but there is a class of tools called Governance, Risk and Compliance (GRC) that can help with this endeavor. Options range from open-source tools like SimpleRisk to more expensive options like Archer. Which one fits depends on how complicated your workflows need to be and how many resources you can afford to spend running the program.

I started this discussion with the person telling me that ‘management just doesn’t understand’. The fact of the matter is that management doesn’t understand because the two sides aren’t speaking the same language. Your business understands risk because it uses risk every day to make calculated decisions about the investments it is making. Risk is the language of business, and shifting the focus of your conversations to risk will ensure that everyone is on the same page, and that management views you not only as an excellent communicator but also as a stellar security professional helping to guide the organization in proper risk management. Not only that, but you will sleep better at night after shedding that weight from your shoulders and placing it back on the solid risk management foundation on which it belongs.
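As an added illustration (this is not SimpleRisk’s code, nor the system used at National Instruments), here is a minimal risk register in Python that implements the steps described above: quick capture with minimal data, a score derived from likelihood and impact, an accept-or-mitigate decision against a tolerance, a mitigation queue that weighs effort against score, and a review schedule driven by score and owning team. The weights and Low/Medium/High bands follow the risk-level matrix in NIST SP 800-30 (2002), Table 3-6. The review cadence, the tolerance level, the rule that high risks also go to management, and the two sample risks are assumptions made for the example.

```python
"""Minimal risk register in the style of NIST SP 800-30 (2002). Added example,
not SimpleRisk's code. Scoring follows the SP 800-30 Table 3-6 matrix:
likelihood Low=0.1/Medium=0.5/High=1.0 times impact Low=10/Medium=50/High=100,
read back as Low (1 to 10), Medium (>10 to 50) or High (>50 to 100). Review
cadence, tolerance and the management-escalation rule are ASSUMED policy."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
REVIEW_DAYS = {"low": 365, "medium": 90, "high": 30}   # assumed cadence
LEVELS = ["low", "medium", "high"]


def risk_score(likelihood: str, impact: str) -> float:
    """SP 800-30: risk = likelihood weight x impact weight."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Read a score back onto the Low/Medium/High scale."""
    return "high" if score > 50 else "medium" if score > 10 else "low"


@dataclass
class Risk:
    rid: int
    title: str
    team: str                            # who would do the mitigation work
    likelihood: str
    impact: str
    recorded: date
    source: str = "unspecified"          # vuln scan, audit, vendor notice, ...
    treatment: str = "open"              # open | accept | mitigate
    owner: Optional[str] = None          # stakeholder accountable for the decision
    effort_days: Optional[float] = None  # estimated mitigation cost

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)

    @property
    def next_review(self) -> date:
        """Higher-scoring risks come back around sooner."""
        return self.recorded + timedelta(days=REVIEW_DAYS[self.level])


class RiskRegister:
    """Quick capture, scoring, treatment decisions and review scheduling."""

    def __init__(self, tolerable_level: str = "low") -> None:
        self.tolerable = tolerable_level
        self.risks: List[Risk] = []

    def capture(self, title, team, likelihood, impact, recorded, source="unspecified") -> Risk:
        """Minimal entry (ISO date string); the risk manager fills in the rest later."""
        r = Risk(len(self.risks) + 1, title, team, likelihood, impact,
                 date.fromisoformat(recorded), source)
        self.risks.append(r)
        return r

    def recommend(self, r: Risk) -> str:
        """Accept when within tolerance, otherwise plan a mitigation."""
        return "accept" if LEVELS.index(r.level) <= LEVELS.index(self.tolerable) else "mitigate"

    def treat(self, r, decision, owner=None, effort_days=None) -> Risk:
        """Record the decision. Accepting above tolerance is allowed only with a
        named stakeholder, so accountability stays with whoever accepts."""
        if decision not in ("accept", "mitigate"):
            raise ValueError(f"unknown treatment {decision!r}")
        if decision == "accept" and self.recommend(r) == "mitigate" and not owner:
            raise ValueError(f"risk {r.rid} is {r.level}: acceptance needs an accountable owner")
        r.treatment, r.owner, r.effort_days = decision, owner, effort_days
        return r

    def mitigation_queue(self) -> List[Risk]:
        """Planned mitigations, highest score first, cheapest first on ties."""
        planned = [r for r in self.risks if r.treatment == "mitigate"]
        return sorted(planned, key=lambda r: (-r.score, r.effort_days or float("inf")))

    def reviews_due(self, today: str) -> Dict[str, List[Risk]]:
        """Overdue risks grouped by reviewer: the owning team, plus 'management'
        for high risks (assumed rule)."""
        cutoff, due = date.fromisoformat(today), {}
        for r in self.risks:
            if r.next_review <= cutoff:
                due.setdefault(r.team, []).append(r)
                if r.level == "high":
                    due.setdefault("management", []).append(r)
        return due
```

Usage: `reg = RiskRegister()`, then `a = reg.capture("Unpatched TLS library on web tier", "web-ops", "high", "high", "2019-10-01", "vulnerability scan")` scores 100 (High) and `reg.recommend(a)` returns "mitigate"; calling `reg.treat(a, "accept")` without an owner raises, which is the point: the register never lets a risk above tolerance be quietly accepted without a named stakeholder. A Low/Medium finding scores 5, is recommended for acceptance, and only comes back for review after a year, while the High one reappears in `reviews_due()` for both its team and management after 30 days.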