January 21, 2021

Getting your ducks in a row for a GRC audit can be a huge undertaking. 

Especially when you get compliant for the audit, then don’t look at it again until the next one rolls around. 

If this sounds familiar, you may have wondered whether investing in a GRC tool is worth it. 

In this episode, Craig Unger, Founder and CEO at HyperProof, shares all the information you need to decide whether investing GRC is right for you.

What we talked about:

  • The challenges a GRC tool should address
  • Whether continuous compliance means continuous security
  • When you should implement a GRC tool

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator: (00:06)
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry: (00:25)
Hey there, and welcome to yet another episode of the Virtual CISO Podcast. As always, I’m your host, John Verry, and with me as always, the Pippen to my Jordan, Jeremy Sporn. Hey, Jeremy? The Chicago folks are going to appreciate that reference.

Jeremy Sporn: (00:41)
Yeah. I thought that all of our listeners are from Chicago, so I decided to throw them a bone. I finished The Last Dance not too long ago. I know I’m a little late to the party, but they’re on my mind. I don’t know what to tell you.

John Verry: (00:53)
When I read that, I was just nervous that you were going to say that you had a headache and you needed to pull out of the rest of the intro, but…

Jeremy Sporn: (01:01)
Ah. No, no. Oh, that’s [inaudible 00:01:02].

John Verry: (01:04)
We just lost all the Chicago Bulls fans. All right. What did you think of my conversation with Craig?

Jeremy Sporn: (01:11)
I’ll be honest. I was really looking forward to this one internally at Pivot Point, the debate of GRC tool or no GRC tool looks more like a ancient mythical struggle than a modern debate. It’s incredible the opinions that are around that one issue. There are so many schools of thought. And I appreciate what Craig did in his approach, which was really to just talk about why he wanted to have a different tool in the first place.

Jeremy Sporn: (01:42)
And it was this idea of addressing business needs and this idea that efficient management of building, and maintaining, and improving security and compliance is a business challenge and he wanted to address that. So, I just thought it was a really cool approach of his.

John Verry: (01:56)
Agreed. And I learned a bit as well. As you probably know from those internal debates is I’m generally not an advocate really of using what I’ll call conventionally or a conventional GRC tool. What I think is a bit different here with Hyperproof’s approach is they’re really focusing on a GRC tool from the backside, from the compliance side, from the proving your secure side, so rather than from the build side, which is, as you’re using this tool to help you architect and document your information security management system.

John Verry: (02:26)
I think as we move towards continuous audit and as we move towards more complex frameworks to conform with things like the CMMC, I think that this particular approach changes the value proposition of a GRC tool a fair deal. And I think it makes it something that has a higher likelihood of returning up a pretty fair value relative to a conventional GRC tool.

Jeremy Sporn: (02:52)
Yeah. And it was actually cool. It felt like you were almost vetting Craig and his tool during the conversation a little bit, which is, if anyone needs to do that, there are a bunch of questions that I would have never thought to ask that you pushed on him. You’re like, “Hey, well, I don’t understand, why don’t you do this?” I thought that was so cool. I was a big fan.

Jeremy Sporn: (03:12)
So, if you’re out there listening and you have compliance standards you need to manage, this episode is for you. Craig does a great job of explaining the value of a GRC tool. And when he thinks it’s best for a company to invest in one, and also not. It was not a sales pitch, even though he is clearly a giant fan of Hyperproof, which I really appreciated. It felt like I was being coached on the key things I need to know to choose the right tool for myself. Craig did a great job. Really, really valuable stuff. Looking forward to everyone listening in.

John Verry: (03:44)
Yeah. And listen, I mean, obviously if you listen to him chat, he’s a bright guy. If you look at his background and all the work they did at Microsoft and some of the products that he was responsible for included Microsoft Dynamics CRM, which we’re actually a customer of. Right?

John Verry: (03:55)
I mean, the guy’s got a resume and he’s using that resume to build what looks like a pretty interesting product that I do think that for certain people will have a very compelling value proposition. So, I think if you’re one of those people, especially this is going to be a good show for you. So, with no further delay, let’s get to the show. Craig, good afternoon, sir. How are you?

Craig Unger: (04:18)
I’m doing well, John. Happy to be here. How about you?

John Verry: (04:21)
I am living the COVID life, baby. Living the COVID life. That’s why I’m [inaudible 00:04:26]. Well, I will say that it has been good for my financial status. As you guys might have noticed, I’ve upgraded quite a bit. James, more tea, and the crumpets were a spot overdone, please.

Craig Unger: (04:37)
I’ll be over during the weekend for your [inaudible 00:04:39].

John Verry: (04:41)
I actually did this because there was a young lady I was chatting with from England and we were joking. One of the guys on our team referred to Downton Abbey as Downtown Abbey.

Craig Unger: (04:52)
Yeah. Yeah. Yeah. I thought it was that too. It’s Downton, right?

John Verry: (04:54)
Exactly. And she got all bent out of shape. So, as we’re on the conference call, all of a sudden, I just popped this up as my background. And it took the edge right off the Downtown Abbey comment.

Craig Unger: (05:05)
Is that a shot from Downton Abbey? [crosstalk 00:05:08].

John Verry: (05:09)
Yeah. This is Downton Abbey. That’s where they used the [crosstalk 00:05:11]. That was the main parlor library or whatever. They had so many different rooms they sat in. My wife would be very unhappy with me right now that I know which room that is because she really liked that show. Actually, I will admit that’s one of those few chick flicky oriented things that I really enjoyed as well.

Craig Unger: (05:27)
Watched every episode myself. I loved it.

John Verry: (05:29)
You actually look a little bit like Matthew, the guy who died.

Craig Unger: (05:33)
The guy who died. You tell me I look like the guy who died?

John Verry: (05:37)
He was good looking. He was a heartthrob before he died. I mean, I-

Craig Unger: (05:40)
I’m going to look him up. Your check’s in the mail, if that’s okay.

John Verry: (05:44)
Tell your wife. Tell your wife tonight, somebody told me today I look like Mathew.

Craig Unger: (05:47)
Definitely. I’m going to go to, yeah, I’m going to brag right now. It’s better than looking like the head Butler, the guy who’s a [inaudible 00:05:52].

John Verry: (05:53)
Oh, yeah. I can’t remember his name.

Craig Unger: (05:55)
Yeah. Mr. Something. Mr something.

John Verry: (05:57)
Yeah. True. True. All right. So, we’re off the tracks early here, I apologize. So, let’s get back on track. So, let’s start simple. Tell us a little bit about who you are and what is it that you do?

Craig Unger: (06:09)
Yeah, I’m Craig Unger and I’m the founder and CEO of a company out here in Bellevue, Washington, right on the outskirts of Seattle called Hyperproof. And our company is really all about changing the landscape in the compliance space, making it a lot easier to do that kind of activity. So, we’re a small company of 30 people living, unfortunately, the COVID lifestyle now, but in our first year of being in business in terms of selling the product. It’s a two year old company, but we just shipped the product earlier in the year, at the very beginning of the year. So, we’re a new company.

John Verry: (06:39)
Excellent. Well, I’m glad to have you here. And it’s fun for me because there is always this interesting debate with our customers, and customers ask all the time, “Hey, we’re going to get ISO certified, 27,001 certified, or we’re going to get SOC 2 attest or CMMC. Do we need a tool? Right?

John Verry: (06:58)
Generally speaking, these tools are often referred to as like a governance risk and compliance tool. So, I’m going to ask you an interesting question. So, there are a lot of GRC tools in the marketplace. So, what made you, a couple of years ago, look at a marketplace that was already reasonably crowded and say, “Hey, I think I should start a GRC. I think I should bring a new tool to the market.”

Craig Unger: (07:19)
That’s funny. Yeah. Well, when I was looking at it, I was picking on and looking back to my experience, doing it a couple of times. I did it one starting my job at Microsoft, I had to do some compliance for the Windows Live ID product. And then I had a previous startup where I was also doing it as well.

Craig Unger: (07:34)
What I realized is it just wasn’t a great application or tool for me. You’re right, John. There are some tools, but they’re a little bit antiquated, bigger, more expensive, certainly nothing that’s cloud, multi-tenant with a really modern experience. And because of that, we didn’t use a tool when I did it before. And I’m like, “Why wasn’t it?” So, I was using email, I was using spreadsheets, I was putting files in Dropbox. And I thought, “There’s really room here for a tool.”

John Verry: (07:59)
Yeah. I think that’s a good, fundamental thing for us to underpin the conversation on, right? Where is it where there’s a value proposition associated with the tool, right? So, again, you went back and you looked at this and you said, “Hey, I got ISO-certified without the tool,” and you decide to come out with a tool. So, what are the challenges that you’re addressing that you thought were important to address for people that are listening? Like that might be thinking the same thing, “Hey, about to get ISO-certified. Should I invest in a tool or not?”

Craig Unger: (08:33)
Well, from an environment perspective, what we saw happening was compliance was following the same path that security did, where it started out as a domain of a few people that would take a look at your security posture, generate a report, maybe they’d hire some white hat hackers, send it over to the board and you’re good for a year. That’s the way compliance is still being treated largely.

Craig Unger: (08:53)
But we see it moving more towards security where it’s continuous, people need to be trained on it, everybody is a steward of it. And the process is democratized, so you’ve got to get enough people involved because they’re the people that have the evidence. So, when you look at it in that lens, you’re looking at it as a business process more than anything else that requires collaboration, automation and a functional modern system of record. That didn’t exist. When we talk about those other products, they were really for specialists.

John Verry: (09:25)
So, in a weird way, and for those listening, I know of Hyperproof, we’ve looked at it a little bit. We’re interested in the product ourselves and seeing how we might be able to use it or be able to explain to our clients how we might be able to use it. And you guys recently got, I believe, it was SOC 2 attestation. That was one of the things that was a concern of ours. We wanted to make sure that you had that prior to we having those more deeper conversations.

John Verry: (09:46)
So, I’m actually exploring the conversation a little bit myself here today. So, what you said is that interesting. It sounds as if you’re taking most of the early governance risk and compliance products, and we work with quite a few of them at points. They tended to be more about building the program from a forward-facing perspective.

John Verry: (10:07)
Now, it sounds to me the way you’re addressing this is from a compliance perspective, which is the working backwards in the process. And in a weird way, it makes a lot of sense to me because like when we would always build up anything, like back in the old days, I used a database development and was a programmer at one point. And to me, you always begin with the end in mind. If somebody said, “What should the database look like?” I would say, “Well, tell me the report I’m going to have to generate.” Like start at the end and then work backwards to the beginning. In a weird way, is that what you guys are doing with this kind of taking that compliance-oriented approach?

Craig Unger: (10:39)
I think it’s an amazing observation. It’s a hundred percent true. So basically, and I’ll put some words around it for you, what’s been going on and really is the kind of standard right now in the industry is what we call inside the company, occasional compliance. And what I mean by that is you get compliant when you need to for an audit. You pass the audit and then you probably don’t look at it again for another six or eight months until you have to do the audit again.

Craig Unger: (11:00)
That’s that forward-looking process that you’re talking about. But now, if you go and you look at the people who are, let’s say, working in security or in operations, in IT or in the business, and you look at it from their perspective, well, there’s lots of different groups doing audits, I’m getting hit up for a lot of evidence. I’m getting hit up for all of the same stuff over and over and over again. How does a piece of software make my life simpler?

Craig Unger: (11:22)
And the way it does it, the way Hyperproof does it is it gives you agency to take it back and say, “Look, I’m going to create a program here that stands outside the audit that I can maintain all throughout the course of the year.” When people come and ask me questions, I’ll just answer them with the evidence I already have. So, it avoids all the audit fatigue and that concept of life, “Are you really asking me again? I just gave this six weeks ago.”

Craig Unger: (11:45)
And since there was some foundation in the mix it’s even better, because not only can I answer real time, I can even automate the answer to that question. And so, in a nutshell, we took it from the perspective of CISOs, people who worked in that organization rather than the auditor, or the internal audit department, or even the external auditor.

John Verry: (12:04)
Gotcha. So, in many organizations, the auditors are coming in, let’s say you’re doing SOC 2 and you’ve got a one year observation period. It’s not uncommon those two weeks beforehand, it’s an all hands on deck, do we have everything we need? So, it sounds as if, to me, what you’re trying to do is automate the process so that it wouldn’t matter when they walked in the door, the data’s just going to be there because that’s what happens.

Craig Unger: (12:32)
That’s exactly right. You maintain your stance throughout the course of the year. And you can represent that, whether it be, if you start from inner working or out, it could be people in the security team that just want to come in. Maybe it’s your manager wants to come in and check that some of these controls are working.

Craig Unger: (12:47)
So, you can represent that and audit that one level further than that as an internal auditor. And you can represent that and give your internal groups the confidence. And then of course, the next level would be the external auditor. Right? But the key is those activities could happen whenever.

John Verry: (13:01)

Craig Unger: (13:01)
Because you’re prepared.

John Verry: (13:02)
Right. Yeah. Yeah maybe. All of those are stakeholders, right? And at the end of the day, what we want to do is we want to provide assurance to stakeholders that we’re doing what we said we were doing.

Craig Unger: (13:11)
That’s right.

John Verry: (13:11)
So, a question for you. So, I know that you guys stress on your website the concept of continuous compliance, right? So, that’s what you mean by continuous compliance?

Craig Unger: (13:21)
It’s exactly what I mean. So, if you look in the product, you’ll see two different concepts, one’s called the program, which would be like an ISO, or a SOC, or GDPR, or custom, we’ll do custom ones. And then one’s an audit. The audit is much more temporal in nature. It comes, it goes, you prepare for it. The audit piece of the product that we have is much more about work management. It’s like you get a task, you got to provide the proof, is it provided in time?

Craig Unger: (13:44)
The program part is much more about collecting the data for compliance. That’s where you’ll find your controls and your requirements. They’re two different concepts. They come together and intersect at a point in time. But if you look at what’s been done in the industry before, those types of concepts haven’t been separated. It’s mostly been audit preparation types of software.

John Verry: (14:02)
Mm-hmm (affirmative). Yeah. Or program build types of software. So, a lot of times, like when we’re looking at it like… So, we’re a consulting firm that often is coming at the very onset of a program. And like from a GRC perspective, a lot of times we’re looking at something which is more geared towards helping us consistently build a program. Right? Taking through the logical scoping process, making sure we’re generating the right artifacts, then getting the data flow diagram, making sure the document management policy management components of it, right?

John Verry: (14:31)
I think, to me, that’s more conventional GRC. So, you’ve got this continuous audit backside of it. Do you have that more conventional GRC policy management incident response? A lot of times they’ll throw in a third party risk management, all that kind of stuff on the front side, or are you guys really staying true to that continuous compliance, continuous audit kind of mantra?

Craig Unger: (14:55)
Oh, no. In fact, if anything, we’re more focused on the front part on the program side. So, we ship with all the frameworks. We’ve got 40 plus frameworks. We ship with sample controls. We allow you to create collaborations of the people that are going to need to track it over time. We allow you to create automation. And then importantly, we give you visibility through health. So you can actually set a policy that says, “Here’s how frequently you need evidence updated,” things like that, so that you always have visibility.

Craig Unger: (15:20)
And we’re heavily invested in the analytics and the visibility for compliance. So we’re very, very focused on the program and bringing that together. A lot of times, John, the process you’re talking about occurs through spreadsheets, right?

John Verry: (15:31)
Mm-hmm (affirmative).

Craig Unger: (15:31)
And through documents that are sent to the email. So, in a way we want it to automate and make that process smoother.

John Verry: (15:36)
Right. Gotcha. And quick question for you. So, if I have a perfectly architected, so a perfectly and architecture controlled environment means that I’ve basically perfectly matched my risk treatments to my risks, my controls to my risks, and that if I’m executing those controls per their definition, then I’m at zero, I’m at the acceptable risk. So, if you were doing continuous compliance, does that imply I’m doing continuous security, maintaining continuous security posture? And if so, why aren’t you promoting that? Which sounds like a pretty cool thing to promote.

Craig Unger: (16:13)
That’s a really interesting point. We’ve talked about it.

John Verry: (16:16)

Craig Unger: (16:17)
It’s definitely the case. It’s a hundred percent the case because compliance is just the flip side of security. It’s proving that you’re secure. So anytime you can automate your compliance. By nature of doing that, you’re also automating some level of your security. Now, in the market, there are some other vendors that specialize on automating security, they don’t go as far as the compliance piece, but the short answer is over time we are going to talk about it more.

John Verry: (16:37)
Yeah. I mean, even if you’re not automating security, but if you’re perfectly executing the control environment, the control environment is perfectly matched to manage risk. Then what you’re doing is you’re continuously validating that their security posture is where they want it to be. Right? Because compliance equals security at that point in time. So, that’s a good question. So, from your perspective, what would you see as being, I’ll call it the intersection between security and compliance?

Craig Unger: (17:01)
Well, I mean, I think in our approach, if you look at our approach, a lot of it has to do with the evidence collection. If you look at what the corpus of where the capability is that people look at and go, “Wow, Hyperproof is pretty special,” it’s in the case of how we, or in our approach to how we collect evidence. And then what is a pretty complex set of mappings that get reused across different programs.

Craig Unger: (17:20)
So, there’s even been partners and customers as well who have wanted to just really focus down on the evidence collection piece, because maybe they’re not doing a standard program. Most of our customers use, they’re doing ISO, they’re doing GDPR, they’re doing something standard. But maybe a customer is doing something special for themselves based on the industry they’re in but they like the fact that they can collaborate both through human workflows and automated workflows in getting that evidence.

Craig Unger: (17:45)
So, I think that’s where we play in that. And certainly you would say to some degree, the analytics and reporting out of the fact that you are in compliance. That’s really where we’re at. This is like, we don’t do scans and we’re not trying to do intrusion detection. We’ll integrate with those kinds of vendors.

John Verry: (18:00)
Gotcha. So, let’s go there. And so, now I have three questions that I think are all interrelated. So, I don’t know how I want to ask them. So, I was going to ask you about when should I… So, I’m listening to this and should I be using a GRC tool? And I’m sure that the answer is it depends. And I think some of the things are going to be number of standards that you’re complying with, which types of standards, how many audits you’re subject to, things of that nature.

John Verry: (18:25)
So, let’s flesh that in. So, we’re ISO 27,001 certified as an organization. We’re not yet on a tool like yours, right? Does a company that’s just doing 27,001, is there enough value-add to make that worthwhile or do I have to get to the point where I want to layer another SOC 2 or center for instance on security controls? Where do we get to the point? How does a company know if they’re going to get the return on implementing Hyperproof?

Craig Unger: (18:50)
Yeah. I think that we see two different scenarios there that we’ve identified. One is actually for smaller organizations which are needing a little bit more in the way of prescriptive help. Because what we do is we have all the standards in there. We work with the compliance standard bodies and keep it up-to-date of our product management. And so, if there’s some insurance, we’ve always got the latest requirements for you and we ship with our own illustrative control.

Craig Unger: (19:16)
So, effectively we’re giving you some guidance to use there. And I would also add, we ship with a methodology. Because a lot of the times when you’re first getting compliant, you’re like, “How do I even get started?” Well, we have a methodology around how you bring your program from conception into reality. And so, that whole set of interlinked capability, super helpful for an organization getting started.

Craig Unger: (19:37)
And in fact, I’ll just say, that’s the stuff we ship with when we first ship. The stuff we’ve been doing since that time, and we’ve been really busy over the last nine months, has much more geared to the latter part of your question, John, around, “I’ve got multiple programs. I have to crosswalk those together so that I could leverage the proof, the people and the controls that I’ve already put in place. Because what I don’t want to do is start setting up new controls every time I have to do a new audit. That is backwards.”

Craig Unger: (20:04)
So, scaling out your compliance program, sometimes we call it the compliance journey, that’s another great usage of Hyperproof. So, we find both cases.

John Verry: (20:12)
Gotcha. And so, if we get to that backside, right? So, let’s make this more tangible for folks. Right? So, let’s say that I’m ISO 27,001 certified or SOC 2 and I’m using your tool. What’s going into your tool and how’s it getting in there? Right? So, you talk about integrations and you talk about automation. You’ve used both those terms. So, I’m assuming those integrations and automation are going to be part of the way that we’re going to get this evidence into the system.

John Verry: (20:42)
So, can we talk about that? And get down to like, hey, user account management reviews or incident response or firewall rule-based reviews or whatever it is. So, we’re really talking more in a more concrete terms.

Craig Unger: (20:56)
Yeah. So, there’s two kinds of integrations that we’re doing right now. The first is the one that we started with, which is a set of, you would call it almost a document-based integrations to documents stored. So, Google Drive, OneDrive, Dropbox, SharePoint. A lot of evidence is already plugged in SharePoint.

Craig Unger: (21:11)
What we want to do is make it so that if a large body of people in your organization already have a process that they’re following to drop in that evidence, it’s really easy to bring it into Hyperproof. So, those are out-of-box types of integrations. Another class of out-of-box integrations we have are with communication tools. So, you can actually take the conversation that you’re having inside Hyperproof, because we have collaboration in the product, but you can export that over to Slack and have that conversation in Slack.

Craig Unger: (21:37)
That’s in the product now, we’re adding Microsoft Teams. So, there’s those kinds of integrations. And then what’s more recent than that is there’s a general purpose integration framework that we have with product that will allow you to touch any source. So, you want to get, a user logs out of AWS or Azure, or you want to get some security scans out of policy or whatever you want. Those ones are ones that you can actually author.

Craig Unger: (22:00)
And here’s the key, you could offer those integrations into Hyperproof already. You’ve been able to do it for the last year by doing it in your own environment. Right? You can read some Java or JavaScript or whatever it is, because we have APIs. The thing that’s new that we’re bringing imminently, it’s coming in the next eight weeks or so, is the ability for us to run this integrations instead of you.

Craig Unger: (22:21)
So, we’ll give you a little code window and we’ll say, “Hey, what data do you want to pull out of [inaudible 00:22:25]?” Let’s say. Okay, where do you want it to go? Do you want it to go into this set of controls? We have a concept in the product called Labels that you can use as a store for your evidence, and then you can attach labels and multiple controls. So, there’s a lot of ways to do it. And we will let you customize that integration and we will operate it for you. And that’s the benefit of the new capability that we’ll bring to you.

John Verry: (22:47)
What do you mean by a… So, I have this automation. So let’s say we’re using Nessus. And let’s say we’re using Nessus and this is what we do. We have a requirement in our ISMS that we scan our end consultant laptops once every 30 days. So, how would that integration work? So, I need to scan those laptops, I need to make sure that we say that if we have vulnerabilities of a certain type, above a certain CVSS level, that those are going to need to be addressed.

John Verry: (23:20)
The process is IT reaches out to their consultants. Sometimes those laptops are not visible to them. They’ve got to make them visible. They’ve got to make the change. And then we have to close that loop. So would your product provide value prop there? And if so, take me through what that would look like.

Craig Unger: (23:37)
Yeah. So, basically what you would do is, you would figure out that that body of evidence needs to get mapped to a certain set of controls, that Hyperproof doesn’t manage it. So, what you would do in our automation environment is you’re basically tackling the rest of the API that that would provide. So, basically we would call the API, effectively do a search and search and get those information on those logs and then we would bring it in.

Craig Unger: (24:01)
Now, that part happens automatically. Once it comes in, then you get to use the rest of the infrastructure inside Hyperproofs. And what I mean by that is we have health and health calculation. So, you can start to calculate health of this control on the basis of evidence that you brought in. You can get people to review it.

Craig Unger: (24:18)
So, right now you can mention people and say, “Hey.” I’d mention you John and I’d say, “Hey, John, let’s take a look at this.” We’re very close to the ability to pegging a date on that and actually make it a formal task. Right now I mention and you’ll get a notification. We’ve just shipped, in the last release, the ability to start putting these tasks, which would put some dates teeth into that and say, “Hey, John, you got to really get back to me.” And then after two or three weeks.

Craig Unger: (24:42)
And on that basis I’ll decide whether we’re good or not on this control. And on that basis, the dashboard will get updated so that I know and my management knows that the compliance program is actually moving forward.

John Verry: (24:53)
Gotcha. Does that include some kind of workflow capability? So, as an example, if I needed to report that I had closed that, and then somebody else needed to sign off on the way I closed, the way I hit that to work. If we had user account management views or something of that nature or same idea?

Craig Unger: (25:09)
Same idea. We’re doing that sort of concept of tasks. You would assign tasks to people and say, can you please approve it as part of this task and then the [inaudible 00:25:16] do that and then you might not update the health until they approve it. Until they finally approve it.

John Verry: (25:21)
Gotcha. So, just to be clear, we’re talking about integrations at that point, correct? How did the integrations interact with the automations?

Craig Unger: (25:29)
Well, the way we think about it is that the automations are the things that happen automatically while you sleep. So, we have a concept in a product called live sync. And basically what happens is, is after you set up one of these integrations, meaning, let’s say it’s integration to SharePoint, where you’re dropping a bunch of evidences in. There’s literally a button that you, it’s a slider that you just hit the slider and then you turn live sync on.

Craig Unger: (25:51)
And then from then on in Hyperproof keeps track of all that proofs for you. So, you’ve taken an integration that we have with another system and you’ve turned it into an automation with this live sync capability. Again, we also have the ability to do it for custom sources that we don’t yet have in as integrations, as I said, for as long as the rest of the APIs can do it that way.

John Verry: (26:11)
Gotcha. So, I can imagine another use case that would be integrated into a help desk system. I could see where that would be a common… Because a lot of people use help desk to trigger workflows around that and play onboarding and play offboarding.

Craig Unger: (26:25)
I was going to say, finding resource management for onboarding off-boarding is a big one. I mean, we’ve used spreadsheets for that in the past and we want to move off and just have things automatically happen. For instance, one of the integrations that we’re writing would be an integration for something checker, where if anybody’s going to have production access, they have to have a background check. Well, let’s grab that on checker and let’s put it in the control [crosstalk 00:26:46] production access.

John Verry: (26:47)
Right. So, you can trace into an HRIS, you could go into an applicant tracking system if I had certain validation that take place during it?

Craig Unger: (26:54)

John Verry: (26:54)
Gotcha. Same thing with a, like we use a learning management system, online learning management system.

Craig Unger: (27:01)
That’s right.

John Verry: (27:01)
So it’s sort of from a training perspective, that can be scripted. I’m assuming you have some kind of email parser because that can be scripted to send, like we get an email message once a week with an Excel file attached to it. So, I’m guessing I could, through your API, I could parse an Excel file and make it based on the actual [crosstalk 00:27:22].

Craig Unger: (27:23)
It’s not through the API, but what we would do is hopefully the learning system or like a trading system, in its own storage system would store whether you watched it. And then through our API, you can get out the [crosstalk 00:27:34] criteria that you watched it and bring that.

John Verry: (27:37)
I got you. Cool. So, we talked about integrations automations and that ties into, obviously the more onerous and more significant the number of these activities that need to occur, right? The more value that integration that automation brings. Where do you see the value prop? Like if you look at your client base right now, who’s coming to you and why? What is it that they need to conform with? Is it multiple standards, is it a particular onerous standard? And what’s a typical use case and why?

Craig Unger: (28:13)
Well, through the year it’s been changing a little bit. And now with some of the capabilities we’ve added recently, John, it is starting to get more towards medium to large size enterprises who have a pretty limited set of boats they can deploy towards these problems. But the work there is just getting bigger and bigger.

Craig Unger: (28:29)
And I mean, you can denominate it by these companies were doing three or four programs, perhaps three frameworks a few years ago. Some of our customers are now stretching up close to 20 compliance programs that they have to do.

John Verry: (28:41)
As a…

Craig Unger: (28:42)
Yeah. And so, they want to get reuse. They can’t have these runners 20 independent processes from a scheduling perspective, visibility perspective. And some companies that aren’t necessarily in touch with that kind of idea of reusing your evidence, they don’t even have access to it today to be able to reuse it. So they’re coming to us and they’re like, “Okay, how do I scale it? How do I actually do this crosswalking?”

Craig Unger: (29:06)
A really interesting capability in a product we call jumpstart. And what jumpstart does is it takes a look at all the compliance programs you’re already doing in your instance. And then it looks at our library and it says, “Here’s how much of these new ones you’ve already gotten done.” And the way we do it is we just match the requirements up. And we say, “Look, you already have a control for that.” So, boom you’ve got that done.

Craig Unger: (29:31)
And so, those kinds of capabilities are what these enterprises want, because they want to be able to scale. Basically on their side and on the auditor side both, it’s been such a manual and expensive process that anything they can do to control the headcount growth, but also get better visibility and mitigate risks. If they could do it all at the same time they released it. So, it’s about-

John Verry: (29:51)
Yeah, I would imagine that, in a weird way, the SOC 2 auditors would love working with your clients because it would make their job easier and less expensive, right? Because if you think about it, they don’t have to go in there and ask for all the evidence. And year over year, especially year two, year three, now they know exactly where it is, how to get to it. And they’re not chasing people around for evidence. The evidence is always in the same place every time.

Craig Unger: (30:20)
We’ve gotten a few referrals from folks like that. They’re CPA firms and others, that is your opinion, because I haven’t heard of us necessarily. Then they get into their client and they’re like, “I can do the audit this way.” And then all of a sudden we hear from them. I’ll tell you a quick story. Of course, we use Hyperproofs to do our own audits. And I was doing, as the administrator of the company, the CEO, I have a bunch of controls that I have to deal with. Right?

Craig Unger: (30:42)
And so, I with Hyperproof, I was able to get, I had about 30 some odd controls on my SOC 2. And I was able to put in all my evidence in 1 hour and 10 minutes. I finished my part of the software. My engineering team had to do more than that. But my part, I finished in an hour and 10 minutes. And the auditor had, every Friday at 10:00 AM. The first one was really interesting. And after that, they just stopped being interesting because I didn’t have a whole lot left to do.

Craig Unger: (31:06)
So, I think that surprises people, but I will also say one other thing. We are a very partner-focused company. We want to make the CPA firms extremely successful. There’s a number of organizations out there that are talking about, “Hey, we’re going to use AI and ML. We’re going to automate away the human being out of this process.” And maybe what’s perhaps a CISO might be interested in lowering the cost there, so I get why they’re saying that.

Craig Unger: (31:30)
But the reality is that’s not where we’re at today. We need to have a strong ecosystem of folks who are out there and really making sure that we all keep our promises. And I think Hyperproof is very, very tuned. And we have about 30 partners now that are working with us in that vein. So, it’s about making it easier, but it’s about making it easier so that you, as a partner of ours, you have a CPA firm where you can be doing advisory work so that you can actually get to a higher level of business value with your mind. We’re not looking to put anybody out of work.

John Verry: (32:01)
Yeah. It’s really funny you say that because we’ve made great efforts over the last couple of years to automate a lot of things. We’ve accelerated risk management through some really cool things that we’ve done. We’ve automated some document generation for very common oriented artifacts that is not just, oh, fill in the blanks in the template, right? It’s contextualized into some really intelligent, cool things based on the organization, based on the results of the interviews and the artifacts and things that we’ve gathered.

John Verry: (32:29)
And people are always like, aren’t you worried that that’s… No, what that really does is it frees up the consultants to consult. Because I mean, if a consultant’s sitting there and wordsmithing documents and making those changes manually and we’re charging a client X thousand dollars per day for a guy, and they’re using that time to generate documents, they can only afford to pay 50 grand, and 50 grand was doing the menial stuff.

John Verry: (32:56)
We never got to the real value prop, which is the actual consultation guidance. Right? It’s the sitting there and really, right. So really, you’re trying to take through the same thing that we’re doing, right? Is when we’re automating that backend, the idea isn’t to replace people, the idea is to let people do what people do best, which is to think and objectively assess evidence and determine whether or not we’re doing things in an optimal way. So that way, A, we’re truly compliant, and B, we’re truly secure.

Craig Unger: (33:23)
Exactly. I talked to a number of CPA firms where they say, “You know what, I hired these people from college. And after a year, I’m facing attrition because they’re tired of copying and pasting a piece of evidence and doing all this over and over and over again.” And not only that, the way it works today, John, is that they’re on schedule. Right? You know how it is with the soft audit date.

Craig Unger: (33:41)
They send some people over, pre-COVID, for three, four days. And they jump into your facility, they interview you and things like that. And I think it’s a good segue this point to continuous audit, right? Because our whole thought on it is that if a CISO in his organization internally can get to a state of continuous compliance, it at least opens up the possibility for the audit firms to do continuous audit.

Craig Unger: (34:07)
And that’s a benefit because they’re scheduling is really tough right now. And the biggest problem I have is that they go spend the four days and then it turns out the client was prepared. So, they still have to ship those other people off to other work, but then they have to work overtime and come back to finish that audit. So, we also think over time that CPAs can move to this continuous audit model. But the thing is, is we also feel that continuous compliance is a prerequisite. Because how can I as an auditor talk to my client every couple of weeks and see what’s new if I don’t have a structured system to do it? So that’s how we keep things changing, you know?

John Verry: (34:46)
Yeah, no, I agree with that completely. So, organizations that we work with where we’ve gotten them certified to whatever framework it is, and most frameworks have some concept of internal audit each year. And we all know and want to aspire to quarterly or at least a monthly audits. And the reality is is that the organizations can’t support that, right? Because they just don’t have the time and bandwidth.

John Verry: (35:11)
So, what you end up with is you end up having some level of exposure where something changed, context changes, change equals risk, change breaks processes. And now what happens is you don’t become aware of that for nine to, you have technically an 11 months, 11 and a half month exposure window. If I can sample logically [inaudible 00:35:33], I’ve reduced your risk logically of a compliance gap by 75%.

John Verry: (35:40)
So really I guess that’s part of the value prop of what you’re trying to get to is that you’re shortening those windows by making that capability available too.

Craig Unger: (35:49)
Yeah. And you’ve defined what we call as the state of the world today, which we are not satisfied with, which is occasional compliance. You get compliance and then your risk goes up in the course of the year. In Hyperproof, our auditors, they have a role inside our system. They don’t get to see everything, right? There’s internal conversations, effectively the program that we’re running isn’t really in their purview.

Craig Unger: (36:09)
But when it comes to the audit, which is a separate entity in Hyperproof, they have access to that. So, if I want to make something available to them six months before my audit, my net SOC audit, instead of six days, I can do that. I can drop it into the control and my auditor sees it.

John Verry: (36:23)
Gotcha. And I would assume, so you’ve got these programs, I’m running these programs, these programs have a commonality across them. You’re making that easier for people to deal with that. Then I’m assuming that if I was going to run an internal audit, that would be, you would spin up the internal audit. And then I’m assuming that if you were then having your external audit done, you’d spin that up as a separate assessment as well. And then you give the internal auditors just the access to that piece, which is necessary to conduct the internal audit and the same thing with the external audits. Although that that access is probably going to look pretty similar because they’re both going to be looking at the evidence, and artifacts, and documentation.

Craig Unger: (37:00)
That’s exactly how it works. What usually happens is you start with the ERL document request list. That can be a little different between the internal and external auditor. You can come to him as a spreadsheet. If you bring that in, you do that once, and then the rest of the work happens in Hyperproof where you attach evidence, you link back to controls and all the communication. And there’s an audit trail that all happens inside Hyperproof.

Craig Unger: (37:20)
And our model for how we commercialize our software is that we charge by the program. So, if you’re doing SOC, you’re doing ISO, that’s two programs, you can generate as many assessments audits, internal/external. We don’t charge for them. We want you to do that. Right?

John Verry: (37:35)

Craig Unger: (37:35)
We want to use it.

John Verry: (37:37)
Interesting. Interesting. So, guys consider yourself disruptors to the industry? Where does Hyperproof and where does the industry go from here? I’m assuming you’re going to tell me you’re going to be one of the winners. Who are not going to be the winners as well?

Craig Unger: (37:55)
Well, I mean, we’re very focused on the disruption that comes around with continuous compliance and then we sometimes generalize that concept of compliance operation. So, we’re creating really a platform that allows you to really operate in an entire compliance activity inside a company. GRC, historically, has been broader, there’s elements of governance in there.

Craig Unger: (38:15)
There’s some overlap there and risk for sure, but it’s been a kind of boil the ocean exercise, I think, for too long. So you’re trying to do a very wide range of capability for very limited number of people. I think the thing that we’re trying to disrupt and where we think the industry is going is that, you can’t really reduce the risk profile of the organization unless you get the best of what everybody has to offer. And the only way you’re going to get the best of what they have to offer is if you give them systems that they’re actually interested in using, that are simple to use, that work the way that they work.

Craig Unger: (38:46)
And so, I think when I used to be at Microsoft and I used to work as the general manager for Dynamics CRM. And it was very similar. When I started back in CRM in 2006, it was really just sales team, core sales teams and marketing teams that were using, these CRM systems, like the CBO and an SAP.

Craig Unger: (39:03)
But by the time Salesforce and Dynamics CRM came out, if you just look at the percentage of people inside an organization that have access in some way to a CRM system, it’s much, much, much greater down. That’s exactly the way compliance is going. Five years, we’ll all have different levels of access. We’ll spend different amounts of time in there.

Craig Unger: (39:22)
We understand that compliance isn’t what people are trying to do every day, but it’s a very important thing. It’s not necessarily the focus of their job for a whole large set of people, for some others it is. But everybody needs access to that tool. And so, generally, it’s interesting. If you look at the tech industry software and the SaaS industry generally, there’s a move to take a lot of these general purpose concepts like collaboration, integration, and specialize them.

Craig Unger: (39:48)
So, it used to be, you had generalized integration vendors and now you see integration for dev ops and integration for financial or for auditors and all these different specializations happening. And that’s going to happen on collaboration too. You need a special set of tools to collaborate for this specific use case.

Craig Unger: (40:08)
So, that’s the disruption, is really bringing the usage model and the user model into the 21st century and allowing us to unlock what needs to get unlocked inside your organizations. I think we’re leading that charge right now. And people appreciate it. CISOs appreciate it, the people on the front lines appreciate it.

Craig Unger: (40:25)
And I think slowly, a wave is coming out where partners, organizations like your own but also the ones that issue opinions like the CPA firms realize that they have to be on top of this change or they have to help guide it.

John Verry: (40:38)
Gotcha. So, if somebody is listening to this and going, “This sounds cool, but I don’t know if we’re big enough for a tool like this.” I mean, so when you think of the attributes that someone would use to determine whether or not a product of this nature makes sense. Would that be size? We talked about it being the levels of integration. We talked about it being the number of programs. Does that directly correlate with size? I mean, you mentioned that you work with some large organizations. What’s a small organization that you look like that you work with?

Craig Unger: (41:08)
A good example, well, like if you go to our site, you’ll see like three months is up on our site. They do other tech companies, SaaS or in the education space. They’re not a giant company. I’m not quite sure how many employees they have, but it’s a pretty small number overall. Not as small as us, we’re only 30. But we have other organizations our size in there. And then we have-

John Verry: (41:29)
So really, you literally have an organization that’s 30 people using your platform?

Craig Unger: (41:33)
Absolutely. We have organizations that size, literally that size when they’re just getting going. And then we have POC’s that we’re doing with companies that have more than 200,000 employees. So, those we weren’t doing nine months ago, we’re just stepping into that size. We are spanning, and I’ll be candid, one of the biggest things we’re going to hone in on over the next year is where is the best place to focus our time, because there are opportunities in both of these areas and we’ve got to learn more about where we’re best suited.

Craig Unger: (42:07)
In all honesty, we’re off to great guns and it’s been a nice start, but we’ve really been selling the product for 10 months. So, we’ve got to really learn, learn, learn, learn, learn is the watch word.

John Verry: (42:16)
Gotcha, gotcha. Yeah. That makes sense. It’s funny, everyone likes to go up market and having been both, I really like working in the SMB SME space. The reason I do is that the people, they recognize your value and that’s when you truly partner with customers. And one of the problems with the big guys, the big guys, I mean, they tend to treat you like, I hate to say this, but they tend to treat you like crap. They treat you like a number. You’re something in a spreadsheet to them, at some point somewhere up the line.

John Verry: (42:46)
When you’re working with a company that’s 30 people, a hundred people, 300 people, there’s still some level of more, I don’t know, personalization. So, I love the SMB SME space. And I’ll never go back to… Service in corporate America is definitely not for me.

Craig Unger: (42:59)
I mean, I agree. So we have another smaller, they’re a fairly small company called Glance Networks, and they’re a great tech company that does a lot in the way of collaboration software. And after using our product, the CEO, Tom Martin, great guy, he got wind of it and he got in touch.

Craig Unger: (43:17)
And all of a sudden, he and I are talking about what we can do together, and you’re not going to have those kinds of conversations with people like that in these larger companies. And the fact that in the small company you can actually light up their productivity and people who actually care about productivity gets to see it is actually a huge, huge thing. And it adds a lot of satisfaction to the job. I think that’s-

John Verry: (43:38)

Craig Unger: (43:39)
[crosstalk 00:43:39].

John Verry: (43:39)
Absolutely. And you know what? You know that what you did that day for them mattered.

Craig Unger: (43:44)
Mattered. Exactly.

John Verry: (43:45)
Like when you’re doing, and talking about we have some really large companies. And sometimes you’re working with a smaller group within a bigger company, and you still have that same value proposition. But I mean, it’s hard to move the ball forward at Microsoft. I mean, in any given day, what you did, is it really going to influence versus you’re talking with a 50 person company. I mean, you can really do something in a single day that’s significant.

Craig Unger: (44:07)
See. [crosstalk 00:44:08]. Because if the senior leadership of Microsoft or those sized companies knows about you, it’s typically something, it may not be a good thing.

John Verry: (44:15)
That’s exactly right. You don’t want to be on their radar.

Craig Unger: (44:19)
Exactly. Stay out of their radar.

John Verry: (44:21)
Question for you. Well, one last question I forgot to ask you. So, we talked about security. When you talk about these programs, are you doing a lot with privacy? I mean, GDPR, CCPA, ISO 27,001, those kinds of things are they covered by your tool?

Craig Unger: (44:37)
Yeah, we’ve got them all. We’ve got all the ones you mentioned, ISO 27,001. We have GDPR and CCPA. We have HIPAA, which Florida privacy. And we’re adding more as we go. So it’s important.

John Verry: (44:48)
Yeah, I think that’s going to be, I think, waylaid a little bit this year. Like this, I think, with our friend COVID. I think people have said, “Yeah, I don’t have time to deal with privacy.” But I think with the DPAs coming out of the, the Data Privacy Addendums, and you’re going to see a lot more privacy and third-party risk management questionnaires. I think you’re going to see a big balance there this year. I think that gets interesting too.

John Verry: (45:11)
There’s really some great opportunities there as well for you to automate some of the compliance there because some of that stuff is a little bit hard to deal with. With accessing DSRs and the processes necessary to provide that evidence and delete personal information. So yeah, there’s probably some really cool opportunities there for continuous compliance. And that’s one of those ones that could get people in a lot of trouble.

Craig Unger: (45:40)
I think that’s a good point because a lot of the security ones end up being a case where you’re automating the system, where it’s like, in the case of privacy, you really are getting down to that user level. Right?

John Verry: (45:49)

Craig Unger: (45:49)
Did they opt in, did they not opt in? And that kind of thing.

John Verry: (45:52)
Yeah, exactly. And with your connectors, you can take it from the very front end of the process where you have to have the capability on the website for somebody to make an access request and tracking that comes right in right through the system. And somebody can say, “Hey, prove that this happened. Show me down to the record level.”

Craig Unger: (46:13)
That’s right.

John Verry: (46:14)
Yeah. That’s pretty cool use case. All right. Anything we didn’t touch on yet that you think we should probably touch on with regards to Hyperproof and how an organization can determine whether or not product… Can I ask you a question you don’t want to answer now. I know this is one of those huge, it depends, but I mean, does a product like yours tend to cost a dollar per month, a hundred thousand dollars per month, a million dollars per month? Like if somebody is interested in saying like, “Hey, is this in my budget?” Roughly. I mean, what does the product generally cost?

Craig Unger: (46:48)
So, outside of any specific enterprise deals that are going to be negotiated separately, whether it has a level of SLA or whatever it might be, if you look there is a very standard based way of doing business with us, which we’re priding ourselves on being an easy company to transact with.

Craig Unger: (47:02)
So, if you go to our pricing page up on hyperproof.io, there’s a business, there’s a professionals view, which is the lowest view. And then there’s business view, they’re both nominated on a per program cost, $800 a month per program on the professionals view. So, that’s 9,600 a year for a program [inaudible 00:47:21].

Craig Unger: (47:23)
And then $1600 a month for the business. The business has a whole raft of customization. You can customize your schema. You can customize health calculations. We provide single sign-ons to Okta, match them to custom integrations that we talked about.

Craig Unger: (47:37)
So, we go through and where we’re very, very open to realize, “Hey, here’s the capabilities, do you need them?” If we’re doing a POC, oftentimes it comes out in the POC as to whether they need it. And then for the largest organizations, we’ll negotiate an enterprise deal.

John Verry: (47:49)
Yeah, gotcha.

Craig Unger: (47:50)
Quite straightforward.

John Verry: (47:51)
Yeah. So, I mean, yeah. I mean, 20K a year, when you look at what the security resource costs now. Especially if you’re talking about someone in San Francisco or something like that or Boston. But I mean, you’re looking at $150, $200,000. But I mean, generally speaking, if you look broadly and you set a security resource cost of 120,000 bucks, now that’s really one sixth of an FTE, which basically just means it’s just going to provide a little bit of automation capacity, right? Save someone a little bit of time and it largely can pay for itself pretty quick, it sounds like.

Craig Unger: (48:27)
That’s how we think about it. We actually say, if you look at the per program price, it probably equates to, depending upon the math, 80, 90, 100 hours of time savings through the year for the whole program.

Craig Unger: (48:36)
And what we see in customers, they’ll tell us, “Hey, we’re saving 10, 15, 20 hours on a program a week of what we used to do.” So we think the value is there. And we’ll start disrupting a bit on price. Some of the ones that are the more established or older guard players are phenomenally expensive.

John Verry: (48:53)
Listen, I mean, some of the GRC solution out there, it’s easy to spend $120,000 a year, $150,000 a year on. So yeah, we’ve seen it. The other thing too is that, what is the value, especially with SOC 2, right? What is the value of a clean SOC 2 report versus a non clean SOC 2 report?

Craig Unger: (49:15)
That’s a really good question. Because the thing is, of course, even as a vendor, we got to ask ourselves all the time. When you could send a report that has no findings, and it’s amazing you just really-

John Verry: (49:27)
Completely different. Yeah. We do a lot of third party risk management, right? We do vendor due diligence. We’ll send the questionnaires, we review the reports. And you get to, all right, well, one exception noted. Uh, that’s not a big exception. He gets a second exception noted. And you’re like, hmm.

John Verry: (49:45)
And when somebody says to you at that point, “What did you think?” “Well, there were a couple of issues on there.” One, you might not mention, but it gets to two and you’re like, “My eggs are going off.” So, that’s the other side of the equation is that you’re in this business, and even just the level of effort that is necessary to prep for an audit, if you’re undergoing two, three, four, five reviews a year, there’s going to be a lot of monetary value proposition there just in the time savings there as well.

Craig Unger: (50:16)
The efficiency and the risk reduction is really where it’s at, and they’re both significant.

John Verry: (50:19)
Yeah, yeah, yeah, yeah. Interesting stuff. Anything else you wanted to chat about before we say fair thee well?

Craig Unger: (50:25)
I think you hit all the major issues. The one issue that maybe I would throw out there that’s an interesting one, just to mention and it could be a good topic for follow-up discussion is around the transparency of what you’re doing to your stakeholders. I think that’s something that’s a little bit under-explored right now in this industry. And I think we want to explore a little bit more. And I’ll give you an example in a different part of the industry.

Craig Unger: (50:49)
Forget security fr a minute, look at outages. It used to be the case five years ago, seven years ago, if a company had an outage, you might read about it in a news article, but they’re not publishing, they’re not telling anybody [inaudible 00:50:59].

John Verry: (51:00)
Now they’re tweeting it or you go to, what is it? Outage.com.

Craig Unger: (51:06)

John Verry: (51:08)
YouTube was a week ago, the YouTube outage. I mean, I literally had to sit down and click on a YouTube and I’m like, “What the heck?” And I’m like, “I wonder if YouTube is having a problem.” I typed in YouTube outage and these nine tweets from different industry people, from Google themselves. At this point, as of this moment, this is what’s going on. And then there’s the outage.com. And you can see if it’s cascading. Yeah. It’s incredible.

Craig Unger: (51:40)
People have realized that perfection isn’t expected, but you have to be transparent in order to keep on gaining that trust. So, the question I’m raising here for us is, how do you guard around compliance and security? How do you do it? And also what we feel is that if you’re using a structured tool with a methodology, something you can be proud of, then you don’t mind sharing a little bit more and say, “Here’s how we’re managing it. Yeah, we hit a hiccup here, but here’s how we manage it.” So, I think that’s an important thing that we’re going to explore. And I think the industry should explore and maybe a good fodder for future discussion.

John Verry: (52:11)
Yeah. Yeah. I do think that’s a really interesting topic and there’s two thoughts that come to mind. One, we have to be careful that we don’t end up getting spanked by, like we’ve got to educate SOC 2 auditors, right? So, one of the advantages of not using your tool, sorry, is that I can pick and choose the evidence that I present. If I’ve got continuous compliance, the evidence is the evidence.

John Verry: (52:32)
So, you end up in a situation where if I’m being transparent and something was supposed to happen a hundred times and it didn’t happen once, is that guy going to thank me for that? Right? Or is that guy going to look at that and go like, “Wow, you’ve given me such insane visibility. You didn’t give me one, two samples, you gave me a hundred samples and it was just one that’s had a little bit of issue and you corrected it at some point.”

John Verry: (52:55)
I mean, you knew about it instantly. Yeah. So, that’s one part of it. The second part of it is really, I think, we’re someone listening that’s at a board level or in a management position, I mean, they’re going to be the ones that should be demanding that level of transparency. Right? You’re increasingly paying your security team, your compliance team lots of money. Their failure is a business failure now.

John Verry: (53:19)
It’s no longer information security risk and business risk, information security risk is one of your biggest business risks. And if you fail to recognize that, shame on you. So, the nice thing is that if you think about it, that should be who should be driving this continuous transparency, because then they call, right? You’re going to be the one that’s standing up there on Kramer or one of these shows saying, “Well, here’s what happened.” And we’re really sorry, and Mayor Cooper.

Craig Unger: (53:45)
Well, exactly. And I think the thing is, there’s really symmetry right now in what a security professional, even up to the CISO or the head of compliance represents to the board and other stakeholders and what they feel. They’re still pretty nervous about it. And so, to the degree you have the transparency and you put the tooling and the automation in, you actually end up in a case where those compliance folks and the CISOs can actually say, “I genuinely do feel more confident. I’m not just representing it.”

John Verry: (54:10)
So, have you looked at any of this stuff that comes out of, and I’m going to screw up the acronym because it’s not a place I normally am. But is it NACD, the National Association of Corporate Directors or something like that? So they put out guidance, it was like S630, I can’t remember the name of the guidance. But they put out guidance a couple of years ago that basically said that boards can no longer not have sufficient security expertise on the board to deliver and meet their fiduciary responsibilities.

Craig Unger: (54:38)
I had a similar question with AICPA. Is that from AICPA or from-

John Verry: (54:43)
No, no, no. There’s an entity called the National… I don’t know if this is a good protocol during a podcast to be actually doing, to be Googling. Actually I’m Binging, by the way. I’ve been using edge, which I actually tend to like. National Association of Corporate Directors.

Craig Unger: (55:02)
Oh, wow. Okay.

John Verry: (55:02)
I’m reasonably sure. They put out some guidance, and you’ll find a blog I wrote on it a long time ago on our website if you can’t find it. It was 636 or something like that. And I would think that that is a really interesting, they should be the ones that are demanding this level of transparency. And they take risk to have that job. To some extent, that’s their logical way of managing that risk, because no one runs a perfect security program, right? It doesn’t exist. So, that gives them that ability to gauge how perfect or imperfect that security program is. And if you don’t know how perfect or imperfect your security program is, how could you ever improve it?

Craig Unger: (55:42)
That’s one of the key things we’re looking at too, is we have a lot of dashboards of the product. We want to formalize it to more of a reporting type of structure. So you can get that information over the board because you really want the transparency up and down the chain. So, it’s really important to check that out. Thanks for the pointer there, John.

John Verry: (55:58)
Yeah. You sold me. Can I get three, and do they come in red?

Craig Unger: (56:06)
We’ll put a goal around it too.

John Verry: (56:09)
I want it to match the couch and James’ jacket when he brings me my tea.

Craig Unger: (56:15)
John, we would love to partner with you guys. I mean, I can just tell from the conversation, I mean, that the level of sophistication is just great there, and I’d love to talk to you about it.

John Verry: (56:22)
Yeah. Well, we should have… Look, we’ll have a distinct conversation because I mean, I think the idea that you have is a good one. And I think if you can find ways of doing that at a reasonable price point with a reasonable level of investment of time, energy, and effort, that the payoff could potentially be really significant. So, of course, I very much enjoyed the conversation.

Craig Unger: (56:47)
Me too.

John Verry: (56:47)
So, I’m not letting you off the hook that easy. So, did you do your homework?

Craig Unger: (56:51)
I did. I did my homework.

John Verry: (56:54)
Because Jeremy warned you that I actually have more fun when people don’t do their homework than they do.

Craig Unger: (56:57)
[crosstalk 00:56:57].

John Verry: (56:57)
All right. You better step up then. They better be good because otherwise I’m going to be disappointed. So, as we always ask it, give me a fictional character or a real world person that you think would make either an amazing or horrible chief information security officer, or chief compliance director, and why?

Craig Unger: (57:14)
All right. I’m going to give you a real person. He was a general then he became the army chief of staff, George Marshall, World War II. And he was presiding over when we were tapped at Pearl Harbor. Okay. And of course, there’s been a lot of military incursions and big defeats over the course of the, that you can read all about, hundreds of them. But why am I choosing this one?

Craig Unger: (57:33)
Well, there were two things. When they actually did an inquiry and looked into how did this happen? The failure of intelligence, two things, he didn’t send… And by the way, he did amazing things before and after. So, he got some amazing, I think, got some amazing prizes and recognition later in the late ’40s.

Craig Unger: (57:53)
But when it came to Pearl Harbor, failure to send the intelligence they had, so big problem for CISO is, and it goes to this whole confidence of what you represent versus what you really think. When you find the issue, and it goes to the transparency we’re talking about. When you find an issue, bad news doesn’t age, doesn’t get better with age, right? You have to send that out and you’ve got to get people working on it.

Craig Unger: (58:17)
You can’t just try to contain it to a crazy degree because if thwarts your ability to react. That’s one thing that came out of the inquiry. The second thing that came out is some people say, “Did we not know that,” let’s say that in that case, “Japan might attack us at Pearl Harbor or in Hawaii, more generally?”

Craig Unger: (58:34)
It’s clear. It’s clear that everybody had considered that as a possibility. So, that part of it wasn’t a surprise. The biggest surprise was that we weren’t well-prepared for it. We actually thought we were better prepared. So, the CISO has to know the true preparedness state of the organization. So, sharing that information and knowing the preparedness state is what made George Marshall a bad candidate for a CISO. But it’s something everybody should focus on now going forward.

John Verry: (59:01)
So, just to be clear, he did a bad job.

Craig Unger: (59:05)
He did a bad job because he didn’t send the intelligence, he didn’t share it fast enough. And he didn’t understand that Hawaii wasn’t ready for the attack. They thought the attack could happen. They were surprised how we weren’t ready at Pearl Harbor afterwards. Right? And so, you can’t be surprised if you know, of course as a CISO, attackers are coming in all the time. And you can’t be surprised with your stance. Your stance has to be there.

John Verry: (59:28)
Yeah. So, that’s that danger. And God bless, we see it everywhere, is that false sense of security that way too many organizations have. I can’t even count the number of times I’m chatting with somebody and they’re a pretty successful organization. And they’re like, “No, you don’t understand. We’re not big enough that…”

Craig Unger: (59:47)
They drink their own Kool-Aid. They’re telling the board everything’s great. But you actually really have to be prepared fr when-

John Verry: (59:53)
And the problem is that they think they’re great, but they just don’t know. So yeah, that was actually a really good answer. Dang it, you got me.

Craig Unger: (01:00:00)
You can set me on something else next time

John Verry: (01:00:02)
You got me. All right. So, I’m not going to ask you about another podcast. I think the transparency one is an interesting topic for another episode. Maybe we’ll get together and just talk about transparency and what that would look like and really who should be driving it? How would you structure it? Because I think that’s a really interesting topic.

Craig Unger: (01:00:21)
You can see a small panel of some people from some different perspectives in there. I’d love to talk to you about, John.

John Verry: (01:00:25)
Yeah, that sounds cool. All right. So, last thing as we say our fair thee wells. How can folks get in contact with yourself, Hyperproof if they’re intrigued by what you guys are doing?

Craig Unger: (01:00:37)
You can catch us, of course, at our site, hyperproof.io. There’s a million ways from Sunday to connect with us there and get demos and things like that. You could find me as Craig Unger on LinkedIn, CEO of Hyperproof. You can also email me at [email protected]. And then of course we have a Twitter and a Facebook, you can find us at #hyperproof on Twitter and Facebook as well.

John Verry: (01:00:59)
Cool beans. Well, listen it was genuinely a lot of fun to have a chat. You got me excited. I’m going out to dinner tonight. I’m going to have my Martini and I’m going to be thinking about this continuous compliance and transparency.

Craig Unger: (01:01:15)
It’s my pleasure. I really enjoyed it.

John Verry: (01:01:17)
Yeah. Same here, man. So listen, have a great weekend. All right?

Craig Unger: (01:01:21)
[crosstalk 01:01:21].

John Verry: (01:01:21)
And we’ll talk to you soon.

Craig Unger: (01:01:22)
Yeah, will catch you soon, John. Thanks for the opportunity. Bye-bye now.

Narrator: (01:01:25)
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]