💻 15.1 CSF Profile Assessment Database - Featuring Dr Gerald Auger

Transcript

STEVE: Hey, Gerry, thanks for meeting.

We're walking through, I sent you that screenshot of the Simply Cyber CSF profile assessment database. Can't wait to talk about it. How are you today?

GERRY: I'm wonderful, super excited to have this conversation, Steve, let's rip.

STEVE: All right, cool. So just wanna know what feedback you might have to optimize the thing to make it useful for GRC practitioners in the field as an open source community project.

GERRY: It'd be so cool if it caught on and if people used it and applied it. I think it'd be handy. You know, I heard from students that, you know, they wanna be consultants. Like, hey, I wanna pivot jobs to be maybe a GRC consultant. And this, I think, gives them a template and an approach to do good work that is gonna land.

And I think I wanna start, if you hear GRC tool, right, it can mean a lot of things. And you can really get into some heavily engineered Cadillac-like platforms. This is not that. However, in times of uncertainty like this, I think there's a lot of value in back to basics. And so I think, you know, I love from, a quote I've used from you, "Lather, rinse, repeat." Working through the cybersecurity framework outcomes, talking to people, is how you become a baller GRC analyst, right?

So that's what this is all about. It's just giving you a good workflow and a tool to have those conversations with control owners. And that's it. So I think I wanna show you a little bit of the big picture sketched out and then dive into the tool. Sound all right?

STEVE: Yeah, it sounds perfect.

GERRY: All right, well, I'm a new Excalidraw advocate. So let's fire that up. All right, so we start at the top with the output. The output is talking about cyber risk with the business. And at the top is executive. So rolling things up into six functions with an executive dashboard of our results. And they just wanna talk about the red. They couldn't care less about the green and it better be, you know, straightforward and to the point. And that's why we aggregate everything up into just six functions.

And then beyond that, you can drill down into the 22 CSF categories, and you can do a radar chart or a bar chart. It's the same thing. A little bit more detail for managers. And actually, if I just start here, like, you have any thoughts on the granularity piece and how did it be, have enough data to make a good decision, but not, you have it tailored to the right audience. And maybe, I don't know, like, have you ever tried to present something like this to the top executives and maybe it didn't go so well?

STEVE: Yeah, well, so it really does depend on your audience. I do like presenting kind of at the functional level. 'Cause a lot of times they'll say, like, how is our information security program, which is like such a, like, loaded question. You know, like, what dimension, but—

GERRY: Are we secure?

STEVE: Right, exactly. But they're just looking for, you know, like, they don't understand that their question isn't right in its base. So I do like using these different dimensions with the different functional areas and showing where there's room for improvement. So those are good.

I prefer personally not to use, like, the top left, how it's a spreadsheet and grams. Like, that's fine. I do prefer more along the line of, like, the bicolored histogram or bar chart on the right. 'Cause it visually conveys, like, here's where we are and here's where we need to be. Whereas the numbers, while, you know, you can look at the number and say, oh, we're at a three, we need to be at a six. That's a delta of three.

Honestly, like, I know it's gonna sound ridiculous 'cause they are management, which means they are intelligent, or they should be, right? That they can do the math, but they don't wanna do that stuff. They wanna just be, like, given the answer and sort of visually see it on the right. I prefer that.

I could even see this going one step further, Steve. Not that you're asking me for constructive feedback, but where it's the six functional areas, and then you kinda, like, can double-click down and drill into the expanded different categories within that functional area if they'd like to see exactly why the gaps are. 'Cause sometimes in one functional area, you could have several of the categories fully met or exceeded, and you just have some really, really big gaps, like around, for example, like in the identify phase.

Maybe, like, you just really have terrible control around software and asset, and inventory of software, or inventory over data, which is really challenging. And that's bringing everything down, but everything else is great. So having that kind of, like, visual is nice.

And part of the reason why is because what you wanna do, really, is you want any graph you use, including this one, to not just be, like, a status report. You want it to lead conversation. That's really the goal of these visual graphs. It's to lead the conversation because you're typically going in there. Yeah, sometimes it's like, what's our situation? But really, if you wanna maximize the value of those type of stat meetings, you wanna have an agenda where you're gonna try to push whatever it is, 'cause you're, like, the focus of the conversation is your program, and the status is what you're presenting, but how are you gonna drive it, and kind of shape and navigate the conversation so they ask you the questions you wanna ask, or you lead them, really, if you're really good, you lead them to give you the answer to the question that you wanted them to ask in the first place, around, hey, we should, why is this? We should invest in this, or why is this? We should do something about that. You're like, absolutely, we should do something about that. I happen to have three options for you that I brought with me just quickly.

GERRY: Exactly, that's right, and you really need to anticipate the objective of the meeting, what they need from you, and what kind of you're hoping to get out of the meeting that's good for the company. And I've certainly gone really into the weeds, detailed analysis, prepared like the Super Bowl, and didn't have the aggregated view for that top audience, and brought too much detail, and it was just like, well, outcome of this meeting is, you need to prepare better next time, Steve, okay?

Right, like, come back to me when you can talk at my level and in my gear about, generally, how are we doing in the program? And if you want to, who do you need to talk to to break through barriers, right? And then you would drill into something more detailed to talk to the manager level and so forth.

And I think not only is tailoring to the audience for the outcome key, but also you hit on being dynamic. When they say, I want to know more about that identify, 'cause it maybe has the biggest gap, what is the biggest gap here? Respond, four, two, what's that all about? Click on that and dynamically expand it out.

That's the kind of capability that we don't get from the wonderful NIST templates at nist.gov, and that's why I made this tool, is that we're doing more of a business intelligence platform that's more dynamic, roll up, drill down, slice, dice, and you can do it in this web interface that I've made in a React database. You can also, if you're more comfortable, do it in Excel, but not treating it like the bad Excel, the old brittle thing that breaks with pivot tables, or VLOOKUPs, right? This is with Power Query, more dynamic, and more of a business intelligence platform.

And one more thing about it is that I am benefiting from your enterprise risk assessment, Rosetta Stone, 'cause I love referencing that when I'm going through these assessments. So that's basically it. We start, the output is a meaningful conversation with executives, underlying is this stuff, and then there's this React database format. So I can demo this for you now, or I don't know, any questions about the objective of this tool or what I've shown you so far?

STEVE: No, no, I love it, and I mean, I can just tell you as a practitioner, so if someone's watching this and they haven't dabbled in these type of situations, you mentioned it earlier, a lot of the tools, Excel is great, and that's where many of us live. Some enterprise-grade tools like ServiceNow or Archer or any things like these, yeah, they're great, but they're wicked cumbersome, they're super big, and they're very difficult.

When you have these large, large programs, I mean, if you wanna do it right, you have to hire a team to help you implement and roll it out, and culturally, your business needs to be ready to take on all of the responsibility and new workflows associated with making sure that that governance tool works. So a lot of times, every time I've ever been involved with one of those, it's great for the first month, and then it fails immediately, right? So I love this.

Even Power BI, which is basically Excel++ for visually communicating spreadsheet data, is great, but it has a very steep learning curve. It appears to be like a WYSIWYG, what you see is what you get, drag-and-drop interface, and if you watch a demo with someone using Power BI, that's what it looks like, but in reality, it's very nuanced in the way that you have to configure data and the way you have to reference data. It takes a lot of time to learn. I've been trained on it and built things, and still, it didn't look great or cool.

So for this, I love that this is a step above Excel, but it seems like maybe on par with Power BI or a little bit lower, just in sheer volume of functionality options, but really, the 10% of Power BI that most people are gonna use is what this is capturing.

GERRY: Well, and it's a stepping stone to Power BI, and I love that you brought up Tableau and Power BI in your GRC Jumpstart, right? It's like, I'm the bean counter, so yes, data analysis, and that was a missing piece. So I think we start with the NIST guidance, we move into spreadsheets, and then we elevate in Power Query and then get to Power BI, that's awesome. And then this tool on that journey. So, okay, I'm just going to switch views here and I'll show you the tool.

All right, Gerry, so I'm in my browser and I'm just at localhost 3000 for my React database that I spun up out of my terminal, and here it is, man. So it looks like some of the GRC tools out there. And the first thing I wanna show you is how I organized this thing. So you'll see that there are 363 records in the database, and that's because there's 363 implementation examples for the 106 subcategories in the CSF.

So what I like to do for a vanilla assessment is pick one implementation example per 106 subcategories, and that's what I've done out of the box. So if I just filter for in scope, I've got this button, yes, no, do I want to include this in scope? It's right here. And now we'll see that there are 106 of those things and they're all in a different testing status. So in progress, complete, or submitted.

And if I go into an example one, so if we're picking on DEAE8 implementation example one, I click it, I get this panel on the right. What are we testing? You know, sometimes you're wanting to test something and it's like, oh, what's the category that's related to? What's the implementation example? And I don't want to see the CIS controls. I don't want to see 853. I just want that thing. It's nice to have a database where you can quickly get to that bit.

STEVE: Oh yeah.

GERRY: And then below it, I've got my audit work paper, right? So I can edit it. I'll do that live. So is it in scope? Yes. The owner is Gerry. I've got this business case called Alma Security that I've put into my course as just kind of a fictional example to apply it to. We're going to talk to some control owners, Jane and John for this one. I'll be the auditor.

Let's say we're in progress for testing. What are our test procedures? So you've talked about different types. You just did that CIS auditing talk. And I want to have inquiry, meaning talking to the person, plus something else. That way I get a little bit more verify in my trust with verify. And so there's some inspection of what are the incident criteria and looking at a sample of tickets.

So I get my date that I meet with them. I observe those things. I punch it in and I'm linked to an artifact. So I actually looked at a SOC ticket for this one and I can score it. So there's different scores and I'll show you the legend for this in my audit work paper and save the thing. So, you know, lather, rinse, repeat, do that 106 times, inspect the artifact.

So if I go there for a second, I've got this example SOC ticket and I kind of made this fictional one. So that's in this public GitHub repo. So reported by John, a phishing attack, and some details you'd see in maybe a JIRA ticket or a ServiceNow ticket for your SOC. And that artifact is linked to control DEA example one, or the implementation example that we're testing.

In terms of scoring, you can do it different ways. CSF has its four tiers. There's CMMI with its five levels of maturity. That's a very good and popular one. I tend to like this zero to 10 scale. It gives a little bit more granularity and also kind of connecting with a business audience talking about, do we have too much security, not enough security? And also if we go overboard, you don't want to be an eight or a 10, right? Like that's into the too much friction zone. People can't easily get their work done.

So that's basically the tool in a nutshell. Any knee jerk reaction to what I've shown you?

STEVE: Well, two things. One, I've never seen, usually with status, it's like not in place, partially in place, in place.

GERRY: Okay, right.

STEVE: But hold on now, that's more like an audit and you can use it for risk assessments. I really like the novelness of too much security. Like that's like paradigm busting for a cybersecurity professional 'cause we never get too much security. But it really is a thing to have too much security.

And since we are typically going to provide our guidance and our suggestions on how you can address gaps, like, oh, you don't have, you have, whatever, poor email security or like you've got, you're likely to get phished or whatever, your end users. So you can do awareness training, you can purchase an email security gateway. Like we offer suggestions and whether or not the client or your own business takes it is different.

Never have I seen suggestions where like, hey, you have three solutions doing this thing and you're not like getting any additional value from having three, you could have some cost savings. Like I think that that's brilliant, Steve. And it's really in tune to the business and the business needs. And this is actually really valuable to further getting GRC and the cyber team seen as partners, trusted partners, ones that get the mission, which is typically in private sector making money.

The other thing I want, it's more of a macro thing, but you would create one of these, I mean, this is the database, but it feels more like an artifact. I mean, not an artifact, it almost feels like a tool that can help auditors or risk assessors drive an assessment project.

GERRY: Exactly.

STEVE: So if that's the case.

GERRY: It's a workflow.

STEVE: Yeah, yeah. So I almost don't think it should be like a database. I almost feel like that's like a misleading title.

GERRY: Oh, I struggle with naming it. Yep.

STEVE: Yeah, but the one thing I would say is like, you'd almost want to like capture that this is the Alma security, 2025 enterprise risk assessment, like instance of this tool, because if you're gonna be choosing, you know, testing techniques, and you're gonna be marking how, like what level of implementation the controls are against those, you know, those risks or the implementation for those objectives in this CSF, you'd want it to be captured because if you're gonna do it for beta secure, beta whatever business tomorrow, you'd want a clean one.

And there's massive value in kind of forking it where it's like Alma Security's 2025, because when you go back in 2026, you can repurpose a lot of the, you know, just wipe the answers, but keep—

GERRY: I call that farming, right? The first one was hunting. There's a lot of discovery. And then in a repeat year, you don't want to do Sally auditing, same as last year and be complacent, but you know, you have tons of, you're in the run phase now, and it's more farming work than hunting and certainly a valuable reference.

STEVE: I gotta tell you, when I came to security from accounting and I kind of said like, where's, oh, maybe this is too, well, when I came to security from accounting and wanted to see their work papers from the prior year's audit, I was kind of surprised by how little there was. And the answer was like, oh, but Steve, that's very confidential. So we had to destroy it right away. I'm thinking like, there's a lot of value to be fine from having the benefit of past audits to roll forward the next one.

GERRY: Yeah, that sounds like someone who didn't keep it. (laughing)

STEVE: That's right. And now that maybe on the other side, I can maybe see through that.

GERRY: Can I just share one other massive value to this tool? So for me and the way I audit, and this is a personal choice, but I think it's the right choice. So I would try to convince anybody of it. Like when I'm auditing, I try to go axiomatic. So like this objective, DEAE04, for example, this is the evidence to support that. Now DEAE06 might have the same evidence to support the finding or, you know, like there's some overlap, right? One piece of evidence maps to others.

I will duplicate that evidence and I will have, so if someone comes to me and says, I disagree with DEAE04, I disagree with you, Gerry, I can go right into DEA04. I have all of my evidence, all these things. I don't have to look around or anything like that.

STEVE: Oh, that audit trail, and it does, right? And it's not just with audits, it's with risk assessments or approvals for access or whatever it is. When that's a hot potato that's been escalated, you need a strong management trail to trace back, you know, what was approved when and how, and based on what verifiable evidence. And so yeah, traceability is huge at being organized and you organized by control ID and so do I.

And that's, this is the reason is I call it management trail but traceability to the risk work is essential. And I think a lot of GRC people that are new just want to make people happy and go away and transactionally answer emails. It's like, whoa, just like in a SOC, make a ticket and have it documented for, it's going to be very helpful and important in the future.

GERRY: Yeah, yeah. And just some people get kind of wrapped around the axle, like, oh, like, yeah, there's a policy for that. There's a policy, like, I know there's a policy, so I don't need to capture it 'cause I already did it for the first control. The next 30 controls, the policy is all relevant, so I'll just reference that. But then—

STEVE: What clause?

GERRY: Yeah, exactly. But like a month later, when you're delivering your final report or whatever, you're not gonna remember that that's what, I mean, you might, but you're probably not gonna remember. You're gonna be like, they're gonna be like, we disagree with you on this and you're gonna go look and your evidence locker is gonna be empty for that control and you're gonna be like, oh, geez, like, I know it's a bunch of these and you're gonna look like a joke and it's going to work against you in the perception of your finding from the business perspective.

STEVE: That's right. So I think a couple of things going on to do a good job and to have it land and be effective. One, we're acknowledging that you can have too much security and that's kind of helping protect and enable and resonate with the culture. And that's not my original thought. That's in the "Mastering Cyber Resilience" textbook.

Two, I guess we have the traceability of solid work papers that are defensible. And yeah, being organized, I think that's a big part of the GRC function, not as glamorous as the other ones, but we can have that solid, robust documentation that's traceable. Well, I talked to this person on this date and this said this, and I'm pretty impartial. If you disagree with my finding, it was based on these assumptions and these things I've collected and you're welcome to, you know, and I'm open to changing the score. Just show me the evidence to verify it, right? We're all aligned to the same objective.

And also, one other thing, you mentioned linking artifacts. So that is a feature. So you can see here that I took that SOC ticket one, I put on another control and we get some test ones to show any benefits here. So I guess you mentioned you've seen a policy overused. One, maybe it wasn't a good fit for the control. And two, maybe it didn't, it was overused as people were rushing. But when you do get the benefit for something that does make sense, linking controls and test ones to show many, not just in the same framework, but across them is a very helpful capability for your efficiency.

GERRY: Yeah, 100%. And even like, even if it's not you defending it, if you hand it to another auditor, 'cause you're going, like you have an emergency.

STEVE: That too. There's reviews.

GERRY: Yeah, like someone else can pick up where you left off and a reasonable person can come to the same conclusions that you came to, if they have all the evidence to support it, right? Like you said, traceability. It's not just about defending yourself and being right. It's about like smooth operations, both for yourself in the future, for others next year.

Trust me, you're not gonna remember all these details a year later, but if you pick it up for the annual assessment, wouldn't it be great to have, you know, if you could do yourself a favor today, Steve, so future Steve had a better, easier, slicker situation, wouldn't you do it? Like you're only benefiting yourself. Like who can't get on board with that?

STEVE: No, absolutely. And I think we have a saying in accounting, good audit papers stand on their own, meaning that someone should be able to come in and you are not in the room and understand and kind of what you assessed and how you came to the conclusion that you did. You can't always go that deep and robust given your time and budget constraints, but it certainly helps to aspire to have it stand alone.

All right, Gerry, so the next thing I wanna show you is how to export the data so we can get those charts in Excel, right? Also, so we can save that file for next year's assessment, like you said. So it's real straightforward. You just hit export CSV and I'll grab it out of my downloads. (mouse clicking) There it is.

So I get this CSV file and you just copy and paste it into your spreadsheet. It's got all of the same fields. So you drop it in right there, paste values. And one, I kind of have an offline Excel workbook of the thing, and then two, I get those reports and you can slice and dice in the way you described to exactly what details were underlying that assessment.

And then let's say you change something in Excel because maybe that's your preferred workflow, right? So, you know, I use these slicers here to go to the govern function for in scope. I change my observations here. I can then save this tab as a CSV and upload it back into the React database. So, and then it kind of overwrites everything and then you're working on that instance. So I think that would be helpful to keep a good record of your various assessments.

GERRY: Yeah, I think it's awesome. I think this is very slick. I could see a lot of potential for this.

STEVE: All right, well, that concludes my demo, Gerry. I think it'd be really cool as if people actually download this thing from GitHub, apply it to Alma Security, apply it to organizations or projects of their own and bring their improvement ideas, right? So it's my first big public project where people could submit issues and ideas to evolve it and we'll see where we can take it. All right, so thanks for checking it out and we'll see you in the next lesson.