Integrated Risk Management is the New GRC with Jeff Recor – Pt. 2 – #SCW18

Jeff Man, Matt Alderman, Scott Lyons, and Josh Marpet continue their discussion with Jeff Recor.

Recorded 2.18.20

STATS: Jeff 17% | Scott 5% | Josh 6% | Matt 12% | Jeff R 61%

PCI Counter: 1

SPONSOR 0:00
The question is simple: have any of the systems on my network been compromised? The answer is harder than it should be. Enter AI-Hunter. Active Countermeasures has automated and streamlined techniques used by the best pen testers and threat hunters in the industry to create AI-Hunter, a network threat hunting solution that does the first pass of a hunt for you to identify systems that are most likely to be compromised and scores the results on a scale from zero to 100. You can then research those systems in depth with AI-Hunter. Focus your valuable time on the systems that need your expertise with AI-Hunter. Sign up for a personal demo today at securityweekly.com/ACM

RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access, and control and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information visit securityweekly.com/RSAsecurity.

Jeff Man 0:00
And welcome back to the second segment, Episode 18 of Security and Compliance Weekly. We’ve been talking with Jeff Recor, from Accenture, about a lot of different things loosely focusing on integrated risk management, which I think we’re going to talk more about in this segment. I’m your host, Mr. Jeff Man, my co-hosts Scott Lyons, Josh Marpet, and Matt Alderman. One brief announcement and then we’ll jump back into the discussion. I looked this acronym up because the guys in the studio just threw this at me: the Ocean State Higher Education Economic Development and Administrative Network, which is OSHEAN, and The Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18, from 9am to 3pm, at Salve Regina University in beautiful Newport, Rhode Island. If you visit securityweekly.com/oshean2020, you can register for free and come join the fun. On the break, we were talking a little bit, and Matt, I think you had a question or two to kind of set up the discussion here for the second segment.

Matt Alderman 2:25
Yeah, awesome. Part of the topic discussion was integrated risk management is the new GRC. And it was interesting in the first segment, Jeff, you talked about how the risk management teams at the Big Four weren’t very big because there was no money in it. And if I think about the evolution of where we are in the space, because I spent a number of years in the space, I had a startup, I worked for the RSA team on Archer. And back in the day it was enterprise risk management and GRC, kind of two separate disciplines. There’s this enterprise risk component and there was this governance, risk management, compliance, then operational risk management came into the mix. And there were these different disciplines. And then the analysts said, Oh, no, no, no, no, it’s integrated risk management. I’d like to dig into this a little bit, because if compliance is the driver and risk isn’t the driver, is integrated risk management as a discipline really where we need to go as an industry?

Jeff Recor 3:21
Yeah, so isn’t that a fascinating question? So let me take a step back, right? Originally, if I go back to, I think I started at Deloitte in 2006, 2007, somewhere in there. And we had built the first integrated control library and we went to market with it and we had some trouble selling it. We actually had to modify, turn some of the different tools at the time to even be able to handle the data construct and the architecture of a harmonized control, right. And so the whole idea was assess once, test once, satisfy many. And so that was kind of the selling feature for, quote unquote, GRC back in the day. And when we had conversations with the various analysts at the time, and there were a number of them back then, and you know, there are far fewer of them today that focus on the space, but there were probably almost a dozen of them back then. They all were trying to get clients to understand that it should be a risk-rationalized control decision, and not necessarily a compliance checklist approach. But if you look at the way that GRC tools were actually developed, right, at the time, most of them coming out, in fact, all of them coming out in the mid 2000s, were control-based kind of tools. And so today, what you’re seeing with this kind of recategorization, if you will, of, you know, these platforms now, right, these CMDB platforms or these workflow platforms, you know, ServiceNow, Workday, those types of things, are helping, I think, to recategorize this to help them differentiate in the marketplace, that they’re asset-centric and control-centric. So to throw the risk moniker in there, I don’t think makes a darn bit of difference either way, because at the end of the day, clients still have the same core problem. This is a data connectivity problem of understanding how you go from assets and the associated risks to those assets, and then your associated controls, policies and regulatory requirements, and how that all maps. 
And then on the other side of the coin, since the asset is the center of the universe, you know, how threats and vulnerabilities and all of that tie together and how that’s scored and how that impacts everything else downstream from your control set, right, and your risk appetite. So that kind of whole, call it architecture soup, now, to me, is more IRM than anything. But from an acronym perspective, to me, you’re just building an integrated risk compliance management system. There is no IRM or GRC. It’s all the same thing. I know I just said a mouthful, so I’ll take a breath.

Matt Alderman 5:54
But that’s great. Because when I created ControlPath back in late ’03, early ’04, I had two centers of the universe: I had the asset database and the asset relationship, which was a core component of what was in ControlPath, and then the control library. And what was interesting was, how do you connect those together and understand the interdependencies of the asset and the asset relationship along with the controls, because controls applied at different layers, depending on how the asset structure was all put in place, right? To your point, right, we were very control-centric, but I was also very asset-centric as well. And the way we calculated risk back then was looking at control deficiencies and trying to understand residual risk, which is more of a kind of a bottoms-up risk analysis. What I think IRM is trying to do, and this is where I want your take, Jeff, is, with an integrated risk management approach those components still apply. But now it’s also understanding more the top-down risk, and how that influences control implementation, I believe, at the asset layers. Is that a good way to think about IRM?

Jeff Recor 7:03
I think it’s close. Right? And where I would probably provide some nuance for you is that, you know, to your earlier point, right, we talked about in the first segment, you know, it’s about understanding your environment, understanding what level of protection is needed, and then monitoring that environment, right. And that’s kind of the key basics to cybersecurity. So from an asset perspective, right, we could mean business processes, you know, there’s all sorts of ways to categorize your assets. But for me, assets are what own the risk. In other words, risk as an outcome is a moving target on a minute-by-minute or day-by-day basis. And so there’s a number of impacts from a procedural perspective that impact risk against a specific asset at any given day and time, right, any point in time. So to your point, controls are simply the tolerance level of the organization to deal with the risk against that asset. And where technology hasn’t been able, in the past, to identify it down to a specific asset, it’s usually been asset groupings, because we just didn’t have the database, you know, power that could handle that kind of thing. Right. So now, I think you’re starting to see what this movement to a platform is, is that most organizations have scaled as far as they can take these control-based efforts. They got efficiency gains, you know, from being more efficient around doing things like PCI and some of the other control-based assessments that they needed to do. But now they want better visibility into their environment. And to me, that’s what IRM is driving, is that visibility. And so where, in the marketplace, people are differentiating is how they get clients to that end goal of getting more visibility into the risk.

Josh Marpet 8:44
Oh, hang on. I want to talk for one second. And I think we

Jeff Man 8:47
We all want to talk!

Josh Marpet 8:48
I know sorry, give me two seconds. I’ll be a quick one. This is just the thought…

Jeff Man 8:51
Go ahead Josh.

Josh Marpet 8:53
You talk about how, and I love this, you talk about how it used to be around the control. That was sort of the, if you think about it, this was the primary key of the database. Okay. And then you talk about how assets are now the primary key of the database and that we center everything on the assets and link everything back to an asset. Okay. I’d like to point out that there are more than just controls and assets; there are workflows, there are the actual risks themselves. And I think it’s going to be interesting, and this is just my point. I think it’s going to be interesting seeing how new IRM, GRC, whatever new tools in this field, are focused around, or have as their primary key, or have as their central point of connection going forward. And I just think it’s going to be fascinating.

Matt Alderman 9:36
And I think the challenge here, Jeff, just quickly, is the real-time nature of this. None of the GRC tools understand the real-time changes of risk in an environment. It is an assessment typically done through a questionnaire and collected; you can do some level of data integration. But I think the big challenge here, Jeff, has been the real-time nature of changing risk in the environment. And how do you get that visibility to react quicker than waiting for your annual assessment at the end of the day?

Jeff Recor 10:08
Well, the word gets really interesting for me. I’m sorry, Josh, go ahead.

Josh Marpet 10:13
No, I was gonna say that goes right back to the metrics you were talking about earlier. So please take it away.

Jeff Recor 10:17
Yeah. So for me, there’s the underlying architecture of how everything connects, because in order to get that visibility that you were talking about, without that architecture, that’s right, nothing will be correct downstream. And that’s been part of the challenges with metrics and getting metrics effective. We always had this term called golden sources, right? And it was, you really couldn’t have an effective metrics program unless you had the right data sources linked, you know, to the right metrics in the right way. Right. And there’s a whole kind of program around that. I think that approach still applies today. What I’m talking about is a little fundamentally different, right. And so I guess, first of all, let me start by saying, you know, happy RSA Independence Day, right? So with the news that Dell is probably going to reposition RSA to be sold to STG, I think that news broke this morning. So Archer is kind of in a unique position, and MetricStream and some of these other tools that really have been kind of predominant in the marketplace, coming at the challenge for clients around controls and efficiency gains around how they deal with controls. I think today clients have said, Okay, I get the fact that there’s a control checklist, right? And if I had a nickel for every time I walked into a client and asked why a control was there, and somebody told me, well, it was there, 20 years of experience in the business, that that’s why the control is there. I think GRC has done a terrible job of enabling bad behavior around controls. It’s made it easy for people to take the easy way out, and not really think about why they’re doing something. They’re just doing something because a standard or a guideline tells them that’s what they should be doing, right, New York DFS, you can go down the list. 
And so IRM, in my humble opinion, even though I don’t like the vernacular, is trying to force clients to think about, okay, if I come at this from a risk perspective, and I have all this data, right, we’re doing pen tests, I’m doing internal audits. I’ve got the app to risk exchange REM anonymizing my loss events, and I’m uploading those into the cloud. You know, I’ve got all these data points that I’m trying to figure out what I do with, and they’re all in silos today. How do I bring that together? And I think originally when we started talking about, even to your point, Matt, back in the ControlPath days, right, when you go back into the early 2000s, I think there was a movement to try and get there. But the technology really wouldn’t support it. Because there were two reasons, right? One, clients didn’t want to pay for somebody to figure out their asset problem. And I still think that’s a core problem today. You know, we did one asset management CMDB repository project, it was $13 million, just to take 27 disparate CMDBs and get them down into one. So these aren’t little things, right, for the most part. And then the second part of that is how people actually use risk assessments and what they do with them. And so in my humble opinion, right, and this is just Jeff Recor’s opinion, I think most organizations have the right data points, where I don’t think they need to go out and do questionnaires anymore. I think the data is there for them to see in near real-time what their risk posture is based on all of these components that all of these tools and all of these people are bringing to the table every day, and it just needs to be processed in a way to help get them visibility. So I think you are going to start seeing some market changes around this kind of approach.

Jeff Man 13:30
All right, I’m gonna jump in. No, I have to jump in here. Because I’ve been, I’ve been banking, a few comments.

Scott Lyons 13:40
It makes you wonder, what’s my friend?

Jeff Man 13:43
So there’s several things wrapped up in here. So I apologize for dumping. One of your premises that you made about sort of the early days was based on, you know, sort of the original approach to security. I’m not sure I bought, you know, what you had originally said. But because I think the original premise of this thing that we used to call internet security was simply to create a hedge between the internet and the corporate network, and who cares what went on inside. The second comment I wanted to make is to push back a little bit. This has been a pet peeve of mine as a consultant, not for the Big Four, but for smaller companies and organizations over the years. I’ve always kind of found it curious that when people talk about assets, they tend to be talking about computers and servers and databases. Whereas, my gov background, I always thought of assets being information. It can be other things, but largely information. So it’s a little bit semantic, because oftentimes that information is housed in servers and databases on computers and whatnot, so I get that. But I think part of what you’re describing in terms of this sort of people not getting it or not approaching things directly has to do with sort of a fundamental not understanding what it is you’re trying to do. Forget the risk, or before you understand risk, understand what’s at risk. What is it that you’re trying to protect? What is it, the thing, the asset that’s at risk that we’re doing all of this about? So I wanna throw those out as statements. In terms of a question, though, I want to ask, because the conversation seems to have been steered more towards, up to this point, large enterprises, enterprises that are affording or potentially can’t afford groups that focus on risk and buy some of these sorts of tools that help them sort of think larger, you know, as we’re talking about what could or should be done. 
I would also just like to throw out the question, you know, how can the common company also benefit from this discussion, if they’re not one of the large Fortune 100, 500 companies that have huge budgets that can kind of, you know, throw some amount of budget at these things that, at least at some level, seem a little bit more esoteric. I mean, we can all agree that they’re important and vital, and really what the focus should be, but I think companies as a whole, you know, right or wrong, they focus on the, but what do I need to buy? What do I need to do? What do I, you know, I need to have these boxes checked. So, you know, as we’re having this discussion of this thing called integrated risk management and what that means in an organization, not just enterprise, but other companies go, Oh, shut up.

Jeff Recor 16:53
So all very good points. I would agree with all of it. I think to answer your question directly, what I would say is, I’m actually about to step into a meeting when we’re done here with Microsoft. And I think Microsoft is starting to show signs that they’re interested in getting into the, quote unquote, GRC game themselves. They made an attempt at it back in the mid 2000s; we actually helped them develop a tool called Compliance Manager, and it didn’t really go anywhere. And then things changed and other priorities came up. But I think they’re making another attempt at it, and the reason why I’m bringing this up is because there is, for the smaller firms, right, to just use that term, that may be limited in size, I think, or in capabilities or in resources. I think that tie back to the business and the ability to understand objectives, and taking the data and the structures and the information and the protection mechanisms that you have, and being able to tie that back to the business, is actually, if not as important, more important for smaller companies to do, because they are so limited with resources. So for me, this whole movement towards just being able to understand what your objectives are, what the uncertainties are to those objectives, and managing around those, I think streamlines, frankly, the spend and the focus that smaller companies could dedicate to being much more practical with the way that they go after security, rather than worrying about the bigger picture kind of items that they have to do now. This is the yin and yang where compliance maybe comes into play and helps a little bit, is some of those mechanisms can be interpreted that way. And in fact, some of these things about objectives and objective setting and strategies are actually built into some of the compliance activities. 
It’s just, you know, most organizations, big organizations, focus around the control activities, and not so much the outcomes and what’s being expected from those compliance rules. So that’s kind of how I would address the question, if that makes sense.

Scott Lyons 18:48
I fear you’re missing a key component there in understanding the risk. Right. So how can small companies push the risk offshore? How can they manage that risk? Right, what systems are involved in the risk? How do people tie into the risk? Right? There are a lot of GRC tools and programs out there that can definitely help. Right. Earlier you mentioned Archer. Right now Archer is one tool, but it’s also a monolithic tool with a monolithic price, unfortunately, for some of the packages that come with it. Other tools that are out there are like Xacta, that is put out by Telos. Xacta does a really good job as a competitor to Archer. But there are even smaller companies out there that have GRC tools that do absolutely everything under the sun that is needed to do for compliance, from vulnerability assessment to asset discovery to cataloguing and tagging of risk to being the nag on the network. Right. So how would, in your eyes, a small to medium business, how would they be able to identify a toolset that can aid them in this journey of understanding what risk is onshore, what risk is offshore, and any incoming risks from outside effectors?

Jeff Recor 20:04
Yeah. So thank you for calling me on my consulting language. So yeah, you’re right. When I’m talking about risk, I’m actually, that’s why I was talking about measuring uncertainty, right. So I gotta take my consulting hat off and stop using the terms. But yeah, that’s what we’re referencing, right? So from a tool perspective, if you think about GRC, or IRM, or whatever phrase we want to use today, risk and control management system, they’re really three things and only three things, right: there’s a database, there’s a workflow engine and there’s a reporting engine. That’s what these tools are. They’re, you know, an integration of those three capabilities. And so, you know, do you need a dedicated, quote unquote, GRC tool? I think the last analysis I saw had 64 different, you know, well-defined GRC tools in the marketplace. I’m sure there’s more if you really kind of cut it up that way. So to your point, you know, how do people actually take a look at it? What I would say is start at the end, right? Start with what kind of reporting you want to get, what kind of visibility you want to get to support, enable your business, and then work backwards from there. And that’s kind of how we manage to everybody, whether you’re really, really large or really, really small. And because the architecture needs to support the outcome, so whatever tool or tools you’re going to use, and nobody says you need to buy a GRC tool in order to get this kind of outcome about, you know, understanding or visibility into risk, you could probably do it with some of the existing tools you have. But at the end of the day, if you can define what your accountabilities are, right? In other words, who owns what, who’s responsible for what and what kind of information do they need, I think the rest of it is kind of cake, right, you can kind of go from there and work backwards and figure out the capabilities that the tools can bring to enable that to happen.

Matt Alderman 21:44
What I think is interesting is, you know, I haven’t tracked the number of GRC tools, but the biggest one in the industry is Microsoft Excel.

Jeff Recor 21:53
So you know, Microsoft getting into the business is probably good for them. Because the majority of people still track this stuff in Excel spreadsheets. And

Scott Lyons 22:02
It’s a phenomenal

Josh Marpet 22:05
You’re right,

Scott Lyons 22:06
Hey, reps, look at our Excel sheet?

Jeff Recor 22:12
Well, and the thing that’s interesting to me is some of this data. So, you know, to Jeff’s point about, you know, gov, right, is a great example, because I started my career out that way, back in the day, and did a little bit of work for that three-letter acronym. And, you know, you just look at the STIGs, right? I mean, just that alone, and what kind of data management problem you have in trying to manage STIGs. I mean, that’s a major problem for people. It isn’t readily available in a lot of automated tools today. I mean, some of it’s there. But connecting that back into the mothership, and getting visibility around just STIGs, is a solution in and of itself. And I think if you could really make that easy for people, you’d have something. And so I have a lot of hope that Microsoft can bring a lot of quality in the marketplace, maybe in a different way and at a different level, for people around procedures and policies and controls, that gives them visibility into risk, because they come back into it.

Josh Marpet 23:05
You know what, I’m gonna ask you a question. Where do you see this all going? We’ve talked about measurements, we’ve talked about standards, we’ve talked about tools. We’ve talked about a lot of different topics in this roughly hour that we’ve been together. And it’s really, by the way, been absolutely fascinating. And I cannot thank you enough, this is lovely. But I’m curious where you think we’re gonna go in, say, three, five, ten years in terms of compliance, security, working together, how we measure it, how we get better at it, or worse at it, depending? You know, what are your thoughts?

Jeff Recor 23:38
Yeah, I’d love that question. And, you know, we’re obviously, you know, I put my consulting hat on, right, there’s a lot of investment being made in trying to push the envelope to address that window. And so, you know, there’s a lot of buzzwords around AI and ML, and it’s funny to me that, I just saw an article in one of the major media, you know, security media releases around natural process language, and that impact on compliance with that. And, you know, we were trying to do that, you know, 15 years ago, yeah, and realized the weaknesses there. And now you have Watson and some of these things. What I really believe, and what I’m starting to see, and let’s even take the three to five-year window, imagine if you’re a CISO. So you come in in the morning to your office, you take your coat off, and you say to your assistant, your virtual or digital assistant, you know, give me a window on what’s going on in the ecosystem. What happened while I was away last night? And so you get a rundown on, you know, top threats, top weaknesses, top problems, challenges, whatever’s going on in your ecosystem that, you know, based on sort of the business objectives and criteria that you’re managing to, your digital assistant can give you that window, and then through the night can also tell you these were the problems that were automatically addressed, here’s the things that you need to, you know, continue to work on today. And just think, provide a layer of intelligence to security that doesn’t exist today, that most teams struggle with, especially in the mid tier, right, where technology isn’t really being applied as well as it could be. Because, you know, there’s a lack of skill set and a lack of spending. And so that’s where I think in three to five years we’re gonna see some major, major improvements with just some of the things I’m seeing here that we’re doing. 
And other, you know, my peers, there’s really some neat stuff coming down the path as far as being able to enable people to function better as security practitioners, just because of the dearth of data that’s out there, and the overwhelming ability to make sense out of it.

Matt Alderman 25:41
So you think we will finally allow the CISOs, or give the CISOs, a system of record? Because everybody else has their system of record; the poor CISO’s got 50 to 75-plus tools he’s trying to manage to get to that level of intelligence. Jeff, I mean, do you think we can really get there in the next three to five years?

Jeff Recor 26:00
Yeah, I would even make a prediction that the CISO role may be going away. How about that for a prediction?

Matt Alderman 26:05
Yeah, prediction five years ago, so you’re five years behind me?

Jeff Recor 26:09
It’s just like the paperless office, right? I mean, eventually we’ll get there too, I suppose. But yeah, if you think about that, right, even forget the system of record, just being able to understand, you know, what they’re dealing with on a minute-by-minute or day-by-day basis, I think would be a giant step forward for a lot of the systems that are out there. And so if you think about the systems that are really good, right, they’re the ones that can interpret technical capability into business ability. And for me, I think technology can help a lot there. And that’s what I’m hoping to see in the next three to five years.

Jeff Man 26:45
Oh, my gosh, so we’ve covered a lot of ground. And unfortunately, our time is sort of running out. Just in terms of you’ve sort of summed up a little bit already, but if you could just encapsulate maybe three takeaways, three things that our listening audience can do, really, regardless of size of organization, maturity of an organization, but what are three topics or three areas that you think our listening audience should focus on, you know, as a parting shot as an admonition to do better? What? Give us some?

Jeff Recor 27:27
Well, based on everything that we’ve just talked about, I think the three takeaways for me are: first, understand the business. Make a concerted effort to actually understand the reason why you exist, and the context within which you exist to function. Right. So as a security practitioner, why are you doing what you’re doing? So take a step back and don’t just focus on the bits and bytes, but actually how it impacts the business in a positive way. The second thing is try and figure out how you can communicate that way. And so they’re solving technical problems, and we all know that, you know, there’s some mundane tasks that just are what they are, and you have to do them. But I think the communication of the value of that could be really improved upon. And so I would implore everyone to kind of focus around that as kind of the second takeaway, is really work on communicating to the business in business terms and make them really understand the value that you bring to the table. And then the third thing would be, get ready for change, right? And take a hard look at how you bring data together to try and get better visibility to the business. Right? To me, that’s what it’s all about at the end of the day. It’s not just solving the immediate technical problem that’s in front of you. It’s actually being able to make the business better through your efforts in what you’re doing, so that one, you get credit for what you’re doing, and two, help the business grow. So those would be my three takeaways.

Jeff Man 28:42
Great. Appreciate that. Jeff, thank you so much for your time today. It’s been a great discussion. If there’s a fourth takeaway, it’s that Microsoft is going to solve all our problems.

Jeff Recor 28:52
Hallelujah.

Jeff Man 28:54
All right. Thanks a lot. Josh, you can hit me next time you see me.

Josh Marpet 29:00
Okay. All right.

Jeff Man 29:02
All right. That’s gonna do it for us today for Security and Compliance Weekly Episode 18. And we’ll see you, or you can listen to us, in two weeks after RSA. Take care.
