0.3 Risk is the Heart and Center of GRC -⭐ ft. Dr. Gerald Auger

Transcript

STEVE: Hey Gerry, welcome to the Akylade Cyber Risk Management Foundations Course. I want to get your approval or feedback on the title please. I've been calling it "Risk is the Heart and Center of GRC." What do you think?

GERRY: I mean as a... yeah, I mean as a tagline I think "Risk is the Heart of the Center of GRC"... I mean I feel like you know yes. Like to me when you get paid, when you get... But when people seek you out at an organization for GRC-related things, risk is like... That's when they're beating down your door, right? No one's running in the middle of the night to you and saying, "Oh, can you do some security awareness?" But when there's decisions to be made, risk is where it's at. Because as a GRC person, you're supposed to be informed and stay current on all the things all the time. And that's the knowledge pool that you're pulling from when you make these risk choices. So yeah, I would agree 100%.

STEVE: Well, I think it's a hat tip to your GRC Analyst Masterclass, okay? Because you coined the phrase for me. It was the first time I'd heard it. And it was really inspiring, right? Like we're already in the underdog position. And it's like, wow, in a security catalog for a GRC team with security awareness training at the back, right? And maybe helping make good decisions aligned to business objectives at the top and a suite of things in between. It's like, wow, I didn't realize that us underdogs can elevate not just the impact that we have, but also our careers. And you've gone so far as to say that risk work is where you can command higher salaries. So can you maybe paint a little bit more of a picture of what you mean by that and talk about what are specific skills or mindset shifts to help people transition from compliance into risk work?

GERRY: Well, first of all, I'm super pumped that I said that quote. I forgot that I said it. So I was like, oh, that is a good quote.

STEVE: So I took your course, I don't know how many years ago, right? I wrote it down in my study notes. And then I started giving people my study notes. But it stayed with me years later. It was like a ripple in a pond, man. So kudos on that one.

GERRY: Oh, thank you. Yeah. No, I 100% believe that risk is super important. And part of the... You had mentioned higher salaries, which is something that a lot of people are concerned with. The reason that you can demand higher salaries and people who can understand and truly evaluate risk and be able to speak about risk and frankly have the wherewithal to understand what risk to accept... Because I feel like junior people are like, "Oh, we can't have any risk" or "Configure all the things down." And in reality, a GRC person is supposed to not just interface with the business, but understand the business, which is difficult a lot of times for cyber people to do or tech people. Because we see our perspective and we think that's the whole world. But in reality, we're there really to service the business and realizing that you're not in the driver's seat. Frankly, you're not even in the front seat. You're kind of in the back seat or in a sidecar. But you have a role to play, right? And you need to understand that. And once you get that understood, you can really start delivering value to the business. And one of the reasons that you can demand higher pay or salaries is because once you get good at it, you are an asset directly to the business. You're not some cost center that is a requirement for compliance purposes or because insurance companies require you to have it. It's like you are delivering value that is helping the business either save money by cost reduction in some capacities or basically being smart to say, "We only need to invest this amount of money in order to achieve this amount of risk reduction." Or "We've already paid for these things. Wouldn't you know, we don't need another appliance. We actually have the capabilities to configure these things down now." You actually begin to be seen instead of a technical leader or a technical advisor, you're seen as a strategic business advisor that happens to speak to the technical risks of the organization. 
And that alone is mad valuable to so many people. Now, your question around compliance and audit folks getting up into that, that is the feeder system, right? So when you're doing compliance, when you're doing audit, you are looking at controls. Are they in place? Yes or no. Okay. So once you understand that, that's step one, right? Really of kind of a two-step process. You see that it's not in there or a lot of times it's partially in there, right? So a lot of people like to think with compliance, it's Boolean, like it's there or it's not there. And the reality is...

STEVE: Even scope in terms of degree of maturity or pass-fail number of samples, what system are we talking about? Well, you have maybe hundreds of them. So there's a ton of, as you're bringing that compass, and even as you're checking the compliance, there's a ton of critical thinking needed to scope appropriately and evaluate appropriately.

GERRY: A hundred percent. Yeah. And I mean, for example, I mean, just for your audience, a quick one, like, because you might be thinking like, "What the heck are these dudes talking about?" Like multi-factor authentication. Everyone can wrap their head around that. Everybody probably has MFA for their personal email, their personal banking at this point. Well, if I say, "Do you have MFA in place?" And you say yes, does that mean you have MFA on your Linux systems for someone to sudo into a root account? Your VPN, yeah, end users logging in, they probably MFA. But if someone remotes in directly to the VPN concentrator as a network engineer, does that require MFA? I don't know. But these are the nuances and these are the devils in the details. And frankly, this is why those risk people get paid. But if you're going to try to level up from compliance into risk and try to make that leap, what you have to start doing is doing the work to understand what is the current threat landscape? What are the issues? What are the concerns? What's your industry facing? What kind of vulnerabilities are out there? And are they being exploited? And then you can look at these gaps, if you will, these controls that are not in place. MFA is not on your networking devices, but it's everywhere else. Okay. This is where the critical thinking comes in, and this is why you get paid, frankly. Is that bad? That's the simple question. Is it bad? And if it is, how bad is it? A perfect example, and then I'll let you take over, Steve. A perfect example. There was a vulnerability a couple years ago, and you can Google it because it was pretty seminal. It got a vulnerability logo called Meltdown. It was paired with Meltdown and Spectre. And this was a low-level memory cache at the processor unit. And if you're not technical and this is going over your head, don't sweat it.
Basically, the way modern processors work, the reason they're so fast is because they can predict some common things that are going to get looked at, and they store it in memory right in front of the processor, so it makes your machine seem faster. Well, the problem is someone figured out that they could look in that memory, and ooh, all the secrets are there. Well, yeah, that's wicked bad. But the reality is that is very difficult to exploit. And even if you could, you're not guaranteed to get the right secrets that you actually want. So despite the fact that there was this marketing campaign across our industry...

STEVE: I hear meltdown and I'm hearing some gobbledygook, but I'm alarmed. I think I need to take action. We got to patch something, right?

GERRY: Yeah, or we need to advise the IT team or anything. Stop everything. Emergency meltdown meeting.

STEVE: Meeting.

GERRY: But the reality was it wasn't very risky. For the 100th of 1% of super squirrel, secret squirrel, national security, the football, yeah, maybe you want to be a little considerate of that. But for a printing business out of Charleston, South Carolina that has 30 employees, no, there's no risk there.

STEVE: So that's hard to figure out because if it was a Log4j, you need to call that emergency meeting now or you're negligent, right? But if you cry wolf and it didn't make sense, you know, you're not going to get invited back to the table. So it makes it a tough job. And it means we need to kind of level up our skills to understand, you know, what impacts the business and what doesn't.

GERRY: Yeah. I mean, it is a tough job. It is a tough job. It is. The reason that it, you know, I feel like it's finally getting its heyday, if you will, it's time in the sun. But or in the shadows lurking is because it is very difficult to describe the role and the value and where it fits into the greater scheme of things. With other roles in cybersecurity, it's very crystal clear to point your finger at it because it has tangible elements to it that you can say, "This person was not in the computer, now they're in the computer. This person was in the computer and then I booted them out." It's very transactional, whereas GRC has some transactional elements, but it's much more about this nebulous element of what your security risk posture is, which is incredibly dynamic and constantly needs to be evaluated.

STEVE: So hang on a second. You're telling me that the mission of GRC is not to pass external audits and to close tickets?

GERRY: No, that is a vibe. People go away? Yeah, no, that's something we do around the holiday times to impress our family and friends, but no, that's not the bulk of what we're doing here.

STEVE: Well, that's absolutely right. And I think maybe the business hired us first GRC person or established that function because they had an external audit or because they had an insurance questionnaire that had an MFA question on it that didn't make any sense. But then now that we're in and we're doing that minimum threshold, we can really get beyond it.