August 18, 2021

Traditional compliance approaches have served us well for years…

But they just don’t cut it anymore. 

We need an approach to compliance that moves at the speed of DevOps. 

My guest today, Raj Krishnamurthy, is Founder, CEO and Engineer at ContiNube, where he is helping to bridge the gap between traditional compliance techniques and the agile, fast-paced world of DevOps.

In this episode, we discuss:

  • Why traditional compliance tools are outdated to manage today’s rapidly shifting risks
  • The 5 pillars of bridging compliance and DevOps
  • How Raj and ContiNube are helping to tackle the problem 

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro…:             You’re listening to The Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry:                         Raj, how are you today, Sir?

Raj Krishnamurt…:          Hey, John, I’m doing good. [00:00:30] Thank you, thank you for having me.

John Verry:                         Yeah, good to catch up again. For anyone who’s… I don’t know if this actually shows in the podcast, your last name, but I think they’ll forgive me for not trying to pronounce it.

Raj Krishnamurt…:          Yeah, I’ll [inaudible 00:00:40] with everybody. And this is, by the way, not the most difficult of the Indian last names.

John Verry:                         I know. I would agree with that. Yeah, I’m going to try this. Is it Krishnamurthy?

Raj Krishnamurt…:          It’s Krishnamurthy. You have to roll the tongue.

John Verry:                         Roll the tongue, yeah. All right, cool. And thanks again for joining today. I enjoyed our conversation that we had a couple of weeks back. I thought it would be a [00:01:00] fantastic topic for a podcast, so I appreciate you coming on today. So, I always like to start super simple. Tell us a little bit about who you are and what is it that you do every day.

Raj Krishnamurt…:          So, John, my background, I started as a real-time systems engineer, 25 years. And so, I think most of us may share a bit of similar profile, being on all sides of the technology sector, like run a product, engineering product, management, worked for big companies, startups, big companies, like Hewlett-Packard, Hitachi Data Systems, [00:01:30] Mercury Interactive, and startups, so on and so forth. Day in and day out, they essentially run their team at the ContiNube, run the product at ContiNube. We are a fantastic startup, based out of Fremont, California. We have some cool things, too. Our cool story, to say… things to talk about, and that’s what I do.

John Verry:                         Cool. And I would agree that you got some cool stuff to talk about, and hopefully we’ll talk about it today. So I always like to ask, what is your drink of choice?

Raj Krishnamurt…:          [00:02:00] I’m a non-alcoholic. So, maybe I don’t know how frequently you get folks like me on the call.

John Verry:                         That’s okay. I’ve heard everything from water to diet soda, whatever it is.

Raj Krishnamurt…:          Don’t judge me, pink lemonade. My house is full of girls, so I roll with them. So I drink pink lemonade.

John Verry:                         I’m going to judge you. I’m sorry, Raj. I will not be able to get that image, you sitting on the porch with it, with your finger, with your pinky out. Please, tell me that you go non-sugar at least. It sounds sweetened, right?

Raj Krishnamurt…:          No. It is –

John Verry:                         Oh, [00:02:30] it’s sweetened, I knew it. Raj, this is getting more embarrassing. Let’s cut it off there before… I want people to still respect you after the podcast is done with. All right, so why I was excited to have you on is I think there… In my humble opinion, I think there is a gap right between where we see traditional compliance programs right now and where they need to be in a more agile DevOps [00:03:00] CI/CD world. So let me ask you that question, do you see the same problem? Does a traditional, the long standing approach to compliance work in a DevOps world? And if not, why?

Raj Krishnamurt…:          That’s actually a great question. The way we see the world, I think number one, I think we all come from a long line of working in data centers [inaudible 00:03:23] … I’m sure your experience is pre-cloud, pre-some of these hype words that you constantly see. [00:03:30] The world has completely and fundamentally changed on us. So if you think about the application footprint, if you think about everything that is happening around you , on one hand, you have a significant sort of explosion of services in the cloud, and that makes sense for a lot more reasons. It is very easy to be able to develop applications, to be able to deploy applications at scale, at a very simplistic level, right?. We can deliver projects as a startup that big companies can’t deliver.

So cloud gives you the level- playing field for [00:04:00] a lot of us, and that makes absolute sense. It works for small companies. It works for big companies. But as a result, there is a significant amount of explosion that is happening in terms of how applications are architected and developed and deployed. On the other hand, you also see, for example, when you look at… All of us are becoming software companies in some way, shape or form, right? In my opinion, Gecko is a software company. It’s an [inaudible 00:04:21] company, right? There are fintech companies that are going… PayPal, for example, would be treated as a financial company, as a software company, or sort [00:04:30] of a technology company. So all of us are becoming software company and I think that is something that is the need of the day.

And as a result, what we are also seeing is that the release cycles that traditionally we were used to seeing 10, 15 years ago are not the release cycles today. If you go to companies like Netflix or Facebook, they’re talking about crazy release cycles, and that is something that you will see even in smaller, the regular run-of-the-mill companies as well. So on one hand, you have this explosion of applications that is going into cloud and platforms like Kubernetes. On the other hand, you have [00:05:00] a very drastic increase in the way that the products and projects are being released into production.

And then, the third, I think this is something that we are reasonably all of us are familiar with, especially what happened in the last 12, 18 months with COVID. Significant acceleration change in the way that we work together, change in the way that the business models are being… especially with the advent of COVID, right? You are forced to embrace digital business models. Not that it was not done before, but it has added a much more accelerated pace that is happening now.

[00:05:30] So if you take a look at all this, what is really happening is that the traditional tools of how we used to manage security and compliance will not hold good. They no longer will hold good, and you need new tools and new ways of thinking to solve that problem, right?

John Verry:                         Right. Yeah. And it’s interesting because you said, and I agree with you, that software is being deployed in ways that it’s never been deployed prior. What’s also interesting about it is hardware is being deployed as software in-

Raj Krishnamurt…:          Yeah.

John Verry:                         … ways that we’ve never [00:06:00] had before. That’s the one that blows my mind a bit is that, realistically, hardware is now software.

Raj Krishnamurt…:          Interesting. Okay. Yeah, I would agree. I think this is a fundamental shift in the way that we used to think of data centers and data center services. I think everything is abstracted into an API. Everything is becoming a consumption model. You are absolutely right, so I would absolutely agree with you.

John Verry:                         Yeah. So if you think about it, like in the old days, as an auditor or compliance person, you’d say, “Well, can I get a screenshot of your firewall?”

Raj Krishnamurt…:          [00:06:30] Yeah.

John Verry:                         Right? The reality is that the screenshot of the firewall that I might give you, that firewall instance may only be in existence. Like you said, someone like Netflix. How many builds a day does somebody like Netflix or a really high-end co or put out? I

Raj Krishnamurt…:          Think what I heard the last was that, and I think this number, in fact, is a very conservative number. Something like Netflix releases something like 50 releases into production a week.

John Verry:                         Okay. And that makes sense to me, that’s consistent with numbers I’ve heard. So if you think about it logically, right. So let’s [00:07:00] say let’s make the number eight per day, right. To keep math easy. That means that that firewall configuration that you’re looking at was instantiated and disappeared in a three-hour window. Exactly. Right. So it just speaks to the impossibility of, from a compliance perspective, you can’t rely on traditional artifacts, which you know, that we used to rely on to actually have any idea if we’re really doing what we think we’re doing.

Raj Krishnamurt…:          No, no, I absolutely agree. And I think I would actually take the conversation one step further, John, what I would say is that the way that I [00:07:30] look at, by the way, I may have a very biased approach to this because I am an engineer coming into the risk and the compliance domain, right? The way that I think of compliance is that, the idea of compliance is to create trust and transparency inside and outside the organization. That’s the idea of compliance when you had Sox 404 with all the sort of the wall streets issues that were happening, right? The idea is to create the trust and transparency. If you take PC ideas, the idea is to create trust and transparency between [00:08:00] retail units and the financial services and the types of players sort of chain right. Of card processing, of payment processing.

So the question is that, what should have been about creating trust and transparency has devolved into something about checking the box, right? And I think, especially in this new context, in the new world of where things are moving at a very, very rapid clip, right? We can’t hold on to this traditional notions of trying to check the box and doing an audit once a year, those [00:08:30] days are gone, that doesn’t help you at all. Because at the end of the day, what we are collectively trying to solve, whether you’re sitting in the risk organization, you’re sitting at the security organization, whether you’re sitting in the compliance organization is that we are trying to fundamentally solve and manage the risk that our organization faces. And if you can’t try and do this through sort of a once a year approach, right. While the risks, especially in the new model are almost changing on a minute by minute basis.

John Verry:                         Well not only the threats, but the technology, the types of data that [00:09:00] you’re processing, the laws and regulations that govern the operation of the type of data, every one of those contextual changes impacts risk should impact the controls that we have implemented, which should impact our compliance measurement. So, yeah. And now you’re doing that at scale with, 50 different unique samples at least per week. Right?

Raj Krishnamurt…:          Yeah.

John Verry:                         And then if you take a go into like commits and things within like your software stack, I mean the numbers scale tremendously. So, all right. So I think we’re in agreement, right? There’s a gap. [00:09:30] So let me ask the question. What is that gap? Is it knowledge in the DevOps world? Is it knowledge in the compliance world? Is it technologies on both sides or is it some combination of all of those?

Raj Krishnamurt…:          No, I think that you’re brilliant. I would say a combination of all of those. I think at a bottom level, if you start at sort of a basic rate, I think we fundamentally we see our view of the world is that software is eating the world, the famous Mark Andreessen words. Right. So

John Verry:                         Yeah, it couldn’t [00:10:00] be more true.

Raj Krishnamurt…:          Yeah, right. And so if you think about it from that perspective, we need to be able to build new tools and techniques. So there is a basic platform level capability that you’ll have to sort of build out. On top of that, I would say that you have to have specific knowledge and skillset on the runtime capabilities. What I mean by that is that you can’t have a general posture, you need to be very specific if you’re dealing with, for example, Azure versus AKS versus Kubernetes versus on-premise could be… You need very specific [00:10:30] skills on how we are going to protect your infrastructure, protect your application services. Right. And some of this can be general, but a lot of them requires a specific knowledge. So that’s the sort of the second layer. The third layer is that security in many cases actually is very transactional.

And what sort of compliance brings you to sort of an observability in governance framework. So, in some ways you need to understand about these compliance frameworks as well, right. And the industry domain. So for example, if you’re dealing with PCI DSS, you need a certain knowledge of the industry [00:11:00] domain, and you need a certain knowledge and a commitment to that compliance framework, right? So I would say that you actually have to stock all of those in that order, in my opinion. And again, sort of stack them differently, right. But you need to have the base platform technology level capabilities, and you’ll need to layer on top of that very specific runtime capabilities, right?

Whether it is a particular cloud or data’s on premise data center on top of that, you need to have very specific security and privacy understanding capabilities. On top of that, you actually layer the compliance frameworks, [00:11:30] which gives you sort of the governance and the observability, and you need to be able to stack all of that. And you need to reasonably be able to understand that stack in order to solve this problem. And I think that is one of the biggest challenges that is facing the industry, because you’re now talking about a conference of different skillsets that need to come together in order to solve this problem.

John Verry:                         Yeah, I think you’re looking for unicorns, that are spotted and striped. Right. So it would seem to me that really, we need to meet in the middle because I don’t think one [00:12:00] side can make the full leap. Right. So I don’t come out of a DevOps background. I’m being dragged there. I’m increasingly working in that world, but I don’t think I’ll ever be a DevOps, fully nuanced, knowledgeable programmer in today’s world. And I think, on a compliance, right? So, I think that we got to get compliance to move in that direction. They got to become more knowledgeable. They have to be comfortable with these conversations because they have to be able to determine what the right things are to measure. On the flip side, I think we’ve got to get [00:12:30] the DevOps guys to understand what we’re trying to accomplish on the compliance side.

And I think we’ve got to move them a little bit more towards understanding those requirements, right? What those regulations are, what the expectations are around, whether it’s our [inaudible 00:12:41] SVS, whether it’s a payment card industry, whatever those standards might be PI right now, obviously the personal information laws and regulations are a hot topic for the sizes. So, is that the way you view it is that we got to get both sides. I think both sides need to move and I think they both need to move to the middle. Is that fair? Would you agree with that?

Raj Krishnamurt…:          I think that you [00:13:00] actually brilliantly put it, John, and I would absolutely agree with you. Because as you rightly said, the way that sort of, I think about this is that maybe everybody has a role to play. If you are in platform engineering, you have a role to play. If you’re in DevOps, you have a particular role to play. If you’re in compliance, you have a role to play. If you are in [inaudible 00:13:18] , you have a role to play. The question is how do we bring each of our best of the capabilities together on a common platform? And when I say platform, I’m not talking about as a technical platform, [00:13:30] a platform where are all able to connect seamlessly, right? And as archaic as it sounds, I think the API, sort of the microservices approach and the API centric approach to the services are tremendously helpful.

So for example, if you have a set of experts that are in compliance, right, that can dictate, or that can sort of define for an organization, what sort of compliance standards they need to meet and have a security guy, or he or she that can focus on what sort of security standards that the rest of the organization should meet. I think what we really need [00:14:00] to be able to do is to be able to marry these different places together through common contracts and what I mean by sort of set of APIs, that we can communicate together.

So in other words, such an elaborate answer is the short way of how you precisely put it with. You need the dev ops person to be able to see and understand without having to become an expert on compliance. So to be able to consume the benefits of compliance and need the compliance person, right. She needs to be able to sort of consume the, monitor the DevOps challenges and the security challenges without [00:14:30] having to become a DevOps expert, a security expert. And I think that’s an interesting challenge and a problem too, for us to solve.

John Verry:                         Gotcha. So, let’s talk about that. Let’s kind of try to boil that down to something that somebody who’s listening, who’s neither a dev ops nor a compliance guru, but knows they need to have a better understanding of.. Let’s kind of drill it down to something. So are we saying that when we think about DevOps in CI/CD right, we have these pipelines, right? We’ve got these connected sets of processes [00:15:00] that take the code, they pull it out of the repository. They might run some type of process on it. Maybe they run some type of code scanning tool, which is intended to ensure that it’s got proper security, they might run some other tool that ensures that it meets some other standard. So is the idea that through these API that compliance and dev ops together would work together to determine what are the end things that need to happen during each build cycle.

Right. And then what would happen is that [00:15:30] via APIs, right? These application programming interfaces, each time something happened, we would be taking that instance of it occurring, and we’d be writing it to this master platform, database, whatever it is that would be the authoritative record of these things happening.

Raj Krishnamurt…:          Yes, I think very well said. Absolutely.

John Verry:                         Okay, cool. So now as I understand it, so I know you’re ContiNube, but I know you have a product called ComplianceCow. So as I [00:16:00] understand it, that’s what you’re trying to accomplish, or you are accomplishing with your ComplianceCow effort, is that correct?

Raj Krishnamurt…:          That is correct. So where we started, John, we started as a rules engine, right. And our thesis was that, how do we, how do we allow continuous controls, right. To be developed at scale at complex team, right. For a sort of complex controls. And then what we did was we layered on top of it, minimalistic workflows and things that you would want to do once you consume [00:16:30] the data. Once you consume the continuous control evidences or the controlled test results, the basic set of things that you will need to perform. And we put this together and that’s what we call ComplianceCow.

John Verry:                         Cool. And I would assume that we’re measuring through these APIs a ton of different things, right? I mean, you’ve got to talk to, you’re talking to EC2, you’re talking to Kubernetes, maybe you’re sitting on the web application firewall, maybe you’re sitting inside of [inaudible 00:16:57] , maybe you’re sitting inside of whatever tool that you [00:17:00] confluence. Right. Making sure that for each, let’s say for each sprint there’s appropriate levels of security stories. All of that kind of stuff is what you’d expect to be working with someone with your tool to be able to generate this authoritative record of all these occurrences.

Raj Krishnamurt…:          That is exactly correct. There are maybe two layers if I can sort of break this down. So we see this problem along five pillars, right? One is that we look at this from the standpoint of how do we make it easy to be able to write [00:17:30] these controls and to be able to deploy them at scale. And we already have a catalog of these control implementations that we have done for AWS Azure, sort of the common suspects that we can think of, right. Both cloud, non-cloud and particularly Kubernetes, because that’s our genesis. So we call that the automated playbooks, so we create these automated playbooks that allows you to be able to run them at scale, you can customize and you can create your own control implementations or add to the playbooks, right?

That’s one, the second thing is that, as I told you, we actually then layer on top of it, what we call a smart [00:18:00] workflows. And the idea here is not just to look at evidence as pieces of evidences, right. But to be able to sort of correlate these evidences to be meaningful proposals and signals, right? So we call that sort of the smart work run. We are able to route this multi-party routing within the organization. You are able to look at these pieces of evidences and you are able to create proposals and signals. Right?

The third piece is what we call, the local. So for example, we don’t have this capability yet, but what we are trying to do is to allow the users, right. Sort [00:18:30] of less technical users, in fact, analysts who are not at all technical sort of a no code platform to be able to drag and drop from a GUI, right. And create these route steps.

And the fourth is that what we believe is that not also just talk about the gaps that exist when we do a controls assessment, but how do we make it easy for folks to be able to do remediation right. Guided remediation process, right? So that you are able to take those gaps, you are able to take those proposals. And we’re able to say, you need to be able to fix those. We are not going to directly fix anything in the production system. [00:19:00] We’re not going to ask for any right access, but we’ll go through a guided process. This could be GUID process, that you are very familiar with, our change management process to service now, or JIRA or any of those ITs and tools that you’re familiar with.

John Verry:                         Right. I’m assuming that what would happen is, is that, Hey, we see a breakdown in the process, right? A build got out and something didn’t occur. The idea would be again, through the API that you’d immediately open up some type of a JIRA ticket. That would be to actually, troubleshoot what occurred, maybe someone’s password expired [00:19:30] on a log in to a particular tool and that needs to be updated, or maybe the tool location or the URL to the tool moved or something of that nature. Right. That’s the idea of kind of closed loop. Would you call this, so a couple of things for you. So first off, would you call this in your mind, continuous compliance?

Raj Krishnamurt…:          The way I define continuous compliance is that because we, and the last part of the, the first pillar that I sort of did not get to is that fundamentally think of us as a security compliance ward, right? So in other words, we have just an API [00:20:00] call away. You can consume the entire data and the metadata out and again, report it. And the reason I’m tying that back to your question, John, is that because we had an API call away, you can execute this entire infrastructure on demand.

So, in other words, what we are saying is that your entire compliance controls portfolio just becomes an API call away, just like you would spend your AWS EC2 instance, right? You would invoke us. And that ties back into your, sort of the beautiful statement you made around DevOps and the integration of DevOps and compliance. What [00:20:30] we see is that now as a compliance engineer, as a compliance manager, as a compliance specialist, [inaudible 00:20:37] specialist, you will be able to define this portfolio of controls. They just become an API call away. And it makes it very easy for you to be able to integrate upstream, right. Whether it is upstream into any of the reporting platforms are downstream in their DevOps pipeline.

John Verry:                         Yeah. So a question for you. So I would imagine one of the complexities of trying to develop a product for this world, right, is if you, like, [00:21:00] I mean, there’s that famous image of like, the Jenkins workflow environment with the thousands of different tools that are in play, right. And every one of those tools has an API, and it would seem to me that everybody’s doing things a little bit different. So I would imagine you can’t build just like an off the shelf product. So do you consider what you’re selling a set of APIs? Do you consider it a platform, like almost a toolkit that you can use to build your own? Like how, how do you, like if someone wants to [00:21:30] buy this, right. What do you refer to it as? Because it’s not quite as simple as calling it a product because I can imagine, yeah. You can’t have one product that would work for everyone.

Raj Krishnamurt…:          No, no, that is very well true. And so we actually fund them. Our business model is a product plus services company. I think everybody is to be honest, everybody’s a product plus services company. I think we have all become product plus services company. But what we mean by that is that we are not just trying to throw a product and walk away. Neither are we trying to build a consulting services company. Right. We are somewhere in the middle because [00:22:00] we are very purpose built and we are purpose focused on controls automation. That’s all we do. We don’t do anything else. So as a result, the way we engage is to be able to sort of use the product, to be able to go deploy and to be able to help customers to get to their success milestones.

John Verry:                         Gotcha.

Raj Krishnamurt…:          That’s critical. That’s step one. Step two is what you beautifully also talked about, which is that what we’re also trying to do is to open source these rule sets so that you can actually go develop these rules by yourself, and you’ll be able to deploy them. You are not bound to the ContiNuid platform at all. You’ll be able to use our [00:22:30] reference sort of the way that we have created these rules as a reference architecture, you’ll be able to build these rules. You’ll be able to execute them standalone. In fact, we are trying to, in the next few weeks, what we are trying to do is to come up and put out on GitHub, where you can actually go and consume this, without having bound to ContiNuid. So it would be in open source, but if you like what we are doing, and if you’re writing more controls, or if you want a better managed service, then you can easily subscribe to the ContiNuid compliance code platform and we’ll manage it for you. That’s sort of the model we are trying to take to the market.

John Verry:                         [00:23:00] Gotcha. So question for you. All right. So we talked about the fact that there’s a gap, right? And we’ve got folks in compliance that don’t yet understand DevOps. And we got folks in DevOps that don’t understand compliance. Does that create a problem for you trying to sell it? Because I mean you can’t go to compliance because they know they have a problem, but they don’t understand your answer. And you know, you go into DevOps, they might not want to hold their own feet to the fire, or they might not understand enough about compliance to actually tell you what they [00:23:30] need. So how do you sell a product into a market that the middle space that you need to exist, that we all need to exist doesn’t yet exist? I mean, it must be an educational sale process. That’s hard to do.

Raj Krishnamurt…:          That is very difficult for us to do. And you’re absolutely right. That is one of the biggest challenges we face. Where we fit in very well is that if you are an organization and you’re trying to create compliance engineering as a discipline, you are not satisfied where you are with compliance. You are not satisfied with these artificial silos [00:24:00] of compliance, risk and security. And you’re trying to sort of come together. We become a fantastic opportunity to work with you because this is not just a capability question. It’s also a capacity question. Maybe we would have hired engineers to do this, but the question is how much, you have to do your day job in many cases plus this. And you have to be a compliance to build a compliance engineering team is not that easy. I do like to bring a conference of all those different skillsets we talked about.

So that is our sweet spot. So technically today, the percentage of customers who are, will be [00:24:30] sort of the harbingers of trying to define this space is who would be our customers. A vast majority is still trying to sort of catch up and we are very, very confident that will happen very soon because I mean, this is nothing new, right? If you take PCI DSS for Dakor, for example, or if you take the Cloud Security Alliance, which as you know, [inaudible 00:24:49] and I are part of the working group is that there is a very clear acknowledgement that the future, and this is not just the future. As you know, we have already recognized this and we were trying to put [00:25:00] things in motion where we are trying to evaluate this on a continuous basis, right. That is already on, but it takes companies another 18 months in my opinion to catch up. Right. So we are still focused on those leading companies, talk leaders who are trying to redefine the space, right. Or rather, or redefine sort of compliance engineering and risk engineering, and that’s who we are working with today.

John Verry:                         Yeah. Unfortunately I, you know, I hope you’re right, but I think you’re being overly optimistic and thinking it’s 18 months. My experience, you know, I’ve been doing this longer than I care to admit. And, and what we always think takes 18 months [00:25:30] tends to take three to five years. So here’s a question for you. So I would think that if you want to get to scale, right, and if we’re going to get this idea to scale, and I think the idea needs to get to scale. I think that the way it gets to scale is external auditors start to get this.

So one question that I had is why is it that external auditors, aren’t flagging this as an issue more commonly. I mean, we have many SaaS clients I reviewed many, many SaaS soc twos and 27,001 certificates. And [00:26:00] I don’t see this being raised as an issue, right? So is one of the ways that we could advance this more quickly is to educate the external auditors who are responsible for flagging the fact that the compliance functions are not working the way they’re supposed to.

Raj Krishnamurt…:          No, I would agree with you. And I think the external auditors, in my opinion, and the internal auditors would have to take a very active role. In my opinion, they will have to take the lead role, right. The bull by the horn so as to say. I think the challenge, particularly in the external audit world I see, is that [00:26:30] the question I would rather ask and, I’m being very respectful, is that are the incentives aligned to do this? And I think that’s a big question, right?

John Verry:                         Yeah. Yeah. Look, I don’t feel working as you know, we do a lot of outsourced internal audit and working very closely with external auditors all the time. They do have a challenging life, right. It’s not easy being them. That being said, I frankly believe, knowing the external auditors that we do. I [00:27:00] think the challenge is that they are old school compliances. Like I don’t know that they know that this is that much of a problem. I’ll be blunt with you. Right. Not that I do audits anymore, but if I went out and did an audit of a SaaS company a year ago, or six months ago, before I started having conversations with you and [inaudible 00:24:49] and other people about this stuff, I would have missed it. So I think it’s really, like I think it’s a knowledge issue.

I don’t think it’s a conflict of interest issue as much as I think it’s just a knowledge issue. And I think one of the things that would be an interesting [00:27:30] thing to do would be to, because if you think about it logically in my experience, there’s only two reasons that people exert significant change on the information, security, privacy compliance world, right? It’s a client demanding something, right. Or it’s an external audit and, it’s a nonconformity or an opportunity for improvement cited on an audit report. Right. That could be internal, that could be external. But I mean, I think those are the two primary, because like you said, these organizations are moving so far so fast, the [00:28:00] focus is on getting product to market, but it’s not…

Raj Krishnamurt…:          Exactly.

John Verry:                         And I think we’ve got to get them to look at this more. So I think that would be an interesting tact would be to see, how do we get the people that are responsible for watching the watchers to identify this as an issue?

Raj Krishnamurt…:          No, I would agree with you. And I think this is an area that, as a company that we would have to explore a lot more and this maybe is also sort of, maybe a lacking on our end, because we are primarily an engineering centric organization. Right. [00:28:30] We feel much more comfort talking to engineers and security engineers and application developers. But I think that you’re absolutely right, John, and this is a leap that as a company, that as an industry we’ll have to take, and as a company we love to take as well.

John Verry:                         Yeah. I mean, if you think about it this way, right. And, I’m not trying to re architect your products, but imagine there was a tool that you could provide to external auditors that would demonstrate this challenge that they could use, like any auditor, that’s just, let’s say an old school audit, or maybe isn’t quite fully up [00:29:00] to date. They could run some type of a tool and it could identify, and it could tell them what they don’t know in a way that… That would be interesting to me

Raj Krishnamurt…:          Today we do some of that. So I think in my [inaudible 00:29:11] , somebody might’ve seen a demo from compliance call, you will be able to produce a PCI DSS report. but I think we, in my opinion, to get to an external audit, I think we’d have to do a lot more work to get there. That is something that we we are definitely looking forward to maybe, something to do over the next few months. [00:29:30] So-

John Verry:                         Yeah. And college children go shoeless. I mean, I certainly think that our team needs to make sure they’re doing a good job on this stuff as well, because it’s uncomfortable. I mean, this stuff moves so fast, and if you’re not a DevOps engineer, and if you get a bully DevOps engineer, they’re throwing a bunch of buzzwords at you and it’s a little bit challenging. So yeah. I mean, it’s a cool challenge. Well, listen, I really think you’ve identified a critical issue and you were kind enough to show me some of the stuff you’re doing. And I thought it looked really impressive. And I think [00:30:00] you did a good job of communicating the value prop today. Thanks. Is there anything, anything else that we didn’t cover that you think we should discuss?

Raj Krishnamurt…:          No, I think just sort of a shameless PR, if you don’t remember anything about ContiNube or ComplianceCow, there is one thing that you wanted in one, but think of us as an API first middleware for continuous controls monitoring. That’s who where we are.

John Verry:                         Yep. Yep. And, and like I said, guys, I’ve taken a look at the product. I thought it was really intriguing. I think they’re raising a really good issue. So that was why I wanted to chat with you. So, I know I screwed up and, [00:30:30] and I tried to attach the today’s agenda to the… So if you don’t have a good answer, we’ll let you off the hook, but do you want to give it a try?

Raj Krishnamurt…:          Sure.

John Verry:                         Alright. So what fictional character or person do you think would make? I’ll let you even go in amazing a horrible CSO, or maybe you could go amazing or horrible compliance person or DevOps engineer. You can pick, you can pick a choice.

Raj Krishnamurt…:          I am actually never good extemporaneously and I think most of what they said is extemporaneous. So I would say actually Spiderman because I [00:31:00] partly love the character and it comes to my mind. And just to justify my selection, I would say is because, you don’t want a CSO or a compliance person to jump from one pillar to post. So I don’t know if that’s a good answer.

John Verry:                         I don’t know if it was a good answer or bad. But it’s pretty impressive on short order. And if I could remember the word contemporaneously. Is that the word? I know what it means, but I don’t know if I can pronounce it, but that was pretty damn good.

Raj Krishnamurt…:          Extemporaneous.

John Verry:                         There you go. Something like that. I’m not even going to try it again. [00:31:30] So well, listen, thank you so much for coming on. Very much appreciate it. We should be in touch because I’d like to figure out if there’s a way for us to, if there is a way to use some of what you’re doing in our internal audit process and/or our virtual CSO process whether our software’s a service companies, because I do think you guys are thought leaders in what you’re trying to accomplish.

Raj Krishnamurt…:          We’d love to, John. And I want to also thank, I think you do a great service through this podcast. I love your podcast. So I’m very glad to be on your show. Thank [00:32:00] you.

Narrator (Intro…:             You’ve been listening to the virtual CSO podcast, as you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.