Transcript
Patrick Spencer (00:02.382)
Hey everyone, welcome back to another Kitecast episode. I’m joined by my co-host, Tim Freestone. Tim, how are you doing today?

Tim Freestone (00:09.282)
great Patrick. Thanks.

Patrick Spencer (00:11.182)
This is a really exciting conversation. We’re talking about compliance with some cybersecurity mixed in. Joining us today is Kayne McGladrey. He is, well, to begin with, he has a substantial amount of experience in cybersecurity and compliance at Fortune 500 to Global 1000 companies. He’s a regular speaker at numerous events. And more importantly, we actually have a pro joining us now, a podcast pro that is.

He is the co-host of the podcast Drafting Compliance. We’ll let him talk a little bit about that when we get started here. He’s a fellow at Russia Toner, he’s up in Bellevue, or probably Bellevue, Bellingham, Washington. I always welcome more folks from Washington on our podcast. He’s the Field CISO over at Hyperproof, which delivers a security assurance and compliance operations platform. We’ll have him talk a bit about what they do in more detail as well.

He’s an advisory board member at a couple of different academic institutions, including Western Washington University, which is up in his neck of the woods, as well as Whatcom Community College. Kayne, thanks for joining us today. We’re looking forward to this conversation.

Kayne (01:25.448)
Thanks for having me on, Patrick. It’s always nice to be on with another person from Washington State and nice to meet you, Tim. I hear you’re from California. So thanks for taking the time today.

Patrick Spencer (01:35.63)
Or forgive him.

Tim Freestone (01:36.706)
Yeah, yeah, technically I’m from Montana, but I’m living in California. So we’ll say that.

Patrick Spencer (01:42.798)
It depends on who he’s talking to. So, Kayne, let’s start by talking a bit about Hyperproof. Not everyone in our audience may know about the company and what you guys do.

Kayne (01:55.56)
Sure. So it’s funny, when I talk about Hyperproof, I often talk about why I came to Hyperproof. And as you mentioned, I was doing executive advisory. So I was a former A&D CISO, that’s aerospace and defense, and criminal liability is a real thing. And when you go to work as a CISO every day and you go, hi, I could get thrown in jail in case there’s a problem, eventually you go, what else could I do with myself? So I decided, after I was done with the A&D company,

fantastic place, left it in good hands, but also decided I wanted to go back to doing advisory consulting. So I was doing advisory consulting, Fortune 500, Global 1000 companies. And when CISOs would bring us in, it’s because they thought the board, they needed to prove to the board that they were doing a reasonable job of security, or the board would bring us in if they thought the CISO was sandbagging it. And those were the only two times that when my team was brought in. And…

inevitably when you’re doing an analysis of a company’s cybersecurity maturity, you’d be asking for a lot of evidence. You’d be asking for an evidence request list or document request list, please send us your stuff. And on the back end, my team, which was a lot of former advisors, but also auditors and some associates as well, we built an engine to figure out, well, let’s look at not only the quality and the amount of evidence that they’ve sent us, but also some psychometrics like

When we asked them for proof that they had controls in place and were operating, how much did they panic? How bad was their response? How good was their response? And we’d actually include that. And in the course of doing that, something I saw was a lot of companies struggled to have a single space for all of their audit and compliance information. And they would struggle to have a consolidated view of how well their programs were operating. And so when my friend Matt,

who said, hey, we’re starting a company, we’re gonna go do that. We’re trying to do that at scale. I said, well, wait a second, that’s a pain point I see every day. And they decided it was gonna be a commercial venture, which is now what Hyperproof is, which is really that attempt to take all of our evidence of control operation, to collect it, to automatically test it, and then to be able to report that up to folks like me to show how well we are burning down our risk portfolio. And…

Kayne (04:22.568)
how can we take this information and leverage it to get additional cybersecurity attestations or certifications so that we can have a larger total addressable market rather than to, you know, the old narrative of cybersecurity is a cost center into which money goes in and tears come out. We’re really trying to change that. And a funny part of it is that there was a great forgetting, I think, that happened in the audit committee. We forgot that computers could copy files. We thought, well, to get evidence of control operation, you have to have…

A person, a good friend of mine, the CISO, just did her SOC 2. She had to screenshot all of the AWS consoles they had and then upload all of those to some auditor and some auditor had to go look at it and the whole thing sounds miserable, right? It’s just, it’s not fun. That’s the problem space that we’re solving is you can have a computer go collect all that information, right? You can have a computer evaluate the quality of that information. You can have that presented back to an auditor.

And it becomes a lot quicker. So now cybersecurity professionals, instead of getting the weekly email from the audit team saying, hey, could you please send us that thing? Or the audit team having to chase the cybersecurity folks. Like nobody gets out of bed in the morning and goes, I’m going to chase people for evidence. And it’s not like cybersecurity folks are comped on how nice they are to the audit team, right? That’s not a metric that’s in that comp plan. So we de-conflict that whole thing.

which is like I said, if I seem excited about it, we’re making people’s lives better and we’re also helping companies become more trustworthy.

Patrick Spencer (05:52.781)
Interest.

Tim Freestone (05:52.834)
And you focus on, it sounds like, maybe mostly, internal audit committees, internal audits versus,

Kayne (06:01)
Internal and external audit, actually. So yes, yeah. So we do have several audit firms that are using Hyperproof for conducting their audits. One of them you may have heard of, Accenture. They’re looking at using Hyperproof as their standard way for doing all of their audits for all of their customers, because it’s very easy. If you have all of your audit information consistently collected, automatically collected, it’s very easy to do a sample and say, well,

Patrick Spencer (06:03.054)
C3PAOs as well.

Kayne (06:27.624)
What’s the quality of this evidence and where do they actually need to spend their time? And when I was doing audits and assessments, the things that you can’t audit are harder. They are, does the board or does the executive leadership team have a commitment to cybersecurity? That takes a lot of human intelligence as well as a corpus of evidence to make that assessment rather than, hey, is there a checkbox or the word yes on some screenshot that says, yeah, the thing’s still doing the thing, right?

That’s the problems that we help companies go solve.

Patrick Spencer (07:02.03)
There’s a lot of overlap when it comes to all these different certifications out there. I assume the platform, you know, because it creates that repository, you don’t have to repeat that particular action because it’s archived and you can access it. Is that part of the value proposition? I would think so.

Kayne (07:21.864)
Yeah, yeah, that’s a… So a couple things come to mind with that. A good friend of mine over at DigiCert says that her team’s saving 1,100 hours a year just when they’re getting ready for audits. And it’s whether they’re getting ready for… I think it’s something like 30 or 40 audits a year. At DigiCert, first of all, you think about what they do. They make certificates for the internet. You’d like them to have a pretty good secure background. So they get audited regularly. They’re saving almost… What is that? A little over half an FTE over the course of a year. That’s a cost savings right there, just in getting ready for audits.

or a lot of our other customers, what will happen when a sales team says, hey, look, we need to get this new certification so we can enter this market, right? Or we can win this deal. It is a lot easier if you can look at all of your programs, all of your controls, and just do the delta yourself. Like I know folks, shoot, I’m guilty as charged actually. I have charged folks as a consultant before to do a gap analysis of here’s what it’s gonna take for you to enter Latin America.

Tim Freestone (08:02.882)
Right.

Kayne (08:20.616)
or here’s what it’s going to take for you to enter the EU. If you can do that yourself and you have a high degree of understanding of what controls are working and which ones you might have to tailor, not only are you not paying consultants, but you have a faster time to respond to the business’s needs so that they can make a better decision, rather than sometimes what we see, which classically is the sales team comes to you on June 29th and says, hey, by the way, we need a FedRAMP Moderate.

Could you just get us that by Thursday? Could we just have that by close of quarter? Because we just need this one thing. It’s got to be easy, right? And we really help to de-conflict that and have a bit more realistic view of what certifications are realistic and feasible. And then a business can make a decision, right? And that’s what this is about, it’s about business decisions. Like, do we want to pay for this in order to earn that revenue? Another one of my friends

ties controls and programs to top line revenue. And the conversation goes like, well, why do we have these four controls that cost us, you know, a few million dollars? And her answer can be, well, do you like a half billion dollars in revenue? What do you mean, you have to go ahead? Like some executives don’t get it. Well, we have these controls because we have these programs. These programs allow us to go into the federal market. Do you like a half billion dollars, or would you like to take that as a P&L, right? As a hit. Nobody’s going to sign up for that. And suddenly it makes it very easy to say,

Patrick Spencer (09:42.478)
Hmm.

Kayne (09:46.76)
cybersecurity is a business enabler rather than a cost center.

Tim Freestone (09:51.618)
Who tends, yeah, yeah, I’m curious who tends to own and operate Hyperproof at an enterprise. Is it in the security team? Is it in the compliance team? You know, is it both?

Patrick Spencer (09:51.726)
We’ve been preaching that, right Tim? For the last three years.

Kayne (10:05.544)
You know, that’s an interesting thing. And it really has to be a partnership between compliance and security. And also often, legal gets involved. In terms of the op, like, first of all, the strategic decision to use a tool like Hyperproof has to be an executive decision. Because we’ve had compliance for years using tools like RSA Archer and other antiques like spreadsheets.

And then we’ve started to see some of this movement into this space where, you know, hey, if we buy this tool, it’ll automate our collection and it’ll automate our testing. And a good friend of mine is getting out of cybersecurity and is getting into professional woodworking. He makes beautiful stuff. And he’s given me the analogy of like, okay, I could go buy a table saw and I could buy some two by fours and some sheets of plywood and I could leave them in my garage and I’d say, I’d like a table. We won’t get a table. He’ll just get the tools to make the table. And if you don’t have

that commitment of changing the business, of learning a new way of doing things and making that executive buy-in. What I’ve seen classically will happen is, you know, somebody inside the business will buy Hyperproof and say, this is going to be great. It’s a great tool. They don’t get executive alignment. And then the security team goes, well, tinfoil hat conspiracy. I don’t know. We can’t automate that because API key because, and there’s not a legitimate business reason, but

They don’t have somebody saying, look, this is gonna make your job better. This is gonna make things easier for you. And this is going to ultimately reduce the amount of civil liability that their CISO will potentially face, whether it’s under the SEC’s new regs, or whether it’s in a private tort action, right, or a civil lawsuit, where CISOs now have an increased amount of personal liability, a lot of which is making friends decide to get out of the profession.

Like they have to have their teams being willing to push this through. Otherwise it just doesn’t go far enough.

Patrick Spencer (12:06.774)
Do you find those teams are closer to the business and they understand when it mitigates the risk, but then it enables the business to take advantage of new opportunities? Do you find, we just completed our annual survey report, we’re about to publish it, and it looks at some of these aspects as to whether IT, cybersecurity, or the risk and compliance folks understand these issues better? Obviously, cybersecurity probably is concerned about…

the liabilities that you just cited, but in terms of enabling the business, do you see one of those persona groups is closer to closer in terms of alignment to the business?

Kayne (12:46.216)
You know, that’s an interesting question. So I’ve been doing this for nearly 30 years and on multiple continents, I’ve had the privilege of working with teams. And one of the biggest determining factors I’ve seen of a successful GRC program is not alignment to the business. It’s not who owns it internally. And this is disappointing to say. It’s, did you hire somebody who is a former Big Four?

That is almost the only guaranteed way to get a good outcome of a GRC program is to have hired somebody who’s got former Big Four experience so that they have a great understanding of what does good look like and what does bad look like because they’ve had the opportunity to see that and then they can plan for what do we need to do. And, you know, when I thought about that last year, you know, I thought about the recent SEC changes, how many of my friends are going to be affected by that potentially.

You know, it’s not okay just to stand back and say, well, I can’t do anything about that. Right. I can’t just think, well, I’m just going to go shopping on the internet for some new shoes so I can feel better. So, got a big cup of coffee, possibly several, and, went out and said, is there a model for GRC that actually works? Is there something that’s published? Like, cause in security we’ve had maturity models for decades, right? It is not uncommon to have an understanding of here’s where you are, here’s where you want to be. Here’s the steps you can go through.

I found out there wasn’t one for GRC. And so not only is it a question of business alignment, but it’s a question of us having a common language that says, this is what good looks like, and here’s what the attributes are. So something I’ve worked on for about six months there was a GRC maturity model. It’s not published yet. I hope to have it out in July or August is when the designers are telling me, because I can write words, but my kids will tell you I’m not an artist. I can’t do pictures.

So they’re adding pictures and formatting so that it’s not just basically a plain text document of 180 pages long of what is GRC. And I think that if we can use that as a vendor neutral way of saying, here’s what good looks like, we can move from our current manual reactive, poorly aligned way of doing business to moving towards being proactive and seeing this as not only a way of limiting risk,

Kayne (15:10.504)
Stuff that would be like in an enterprise risk management system, like extended legal risk or regulatory oversight or other incursions that we just don’t want to have. In addition to civil liabilities to the CISOs, in addition to naturally the problems of like, you could also have a data breach. That’s the lowest hanging fruit out of all of that existential risk that businesses face. So like I said, I’m kind of pre -announcing it. I mentioned this at Gartner too. I’ll have a post up on LinkedIn when it goes live. And…

Yeah, I just felt I had to do something because we can’t, as professionals, stand back and say, well, we’re helpless. We’re just going to get right away without the existence.

Patrick Spencer (15:46.254)
That’s a great idea.

Tim Freestone (15:49.666)
There’s a lot of VC and PE funding going into the GRC space now and for the past, I don’t know, five or six years. There’s a lot more vendors. Are you finding it harder to get mind share in market? And you know, what do you think the market as a whole is doing wrong that Hyperproof is addressing?

Kayne (16:14.056)
I think what the challenge ultimately is twofold. One is realizing, as I said before, that it’s not a tooling problem. We have any number of tools. I was talking to a friend of mine from Accenture who did a multi -year transformational digital, I’m not sure, all the buzzwords program with the company. And a year later, they came back and said, well, we want a refund. Well, why do you want a refund? It was this multi -year project.

Tim Freestone (16:27.426)
Yeah.

Tim Freestone (16:42.626)
Use it.

Kayne (16:43.496)
refund out of Accenture, good luck on that one. And the reason why is that the company hadn’t paid for organizational change management. They put no OCM in there. So they just assumed we’re going to drop a whole bunch of technology on a bunch of people and expect that they’re going to understand why this is advantageous. And I think that’s the first challenge in the GRC space is that it’s not a tooling problem. It’s a people and process problem. I think the other thing that’s really challenging for companies in this space that nobody’s really addressing,

Patrick Spencer (16:43.534)
Yeah.

Tim Freestone (16:45.538)
Yeah, no kidding.

Kayne (17:13.32)
well is horizon scanning of what’s coming at us next. And the reason why is we’re all currently like trying to, most companies are trying to stay on top of what’s their current regulatory risk, what’s their current legal risk, what are those challenges that they have. We’re addressing that fairly well, but I think ultimately companies need to move from that reactive space to be more proactive. And if you’re a small business, that’s hard, right? But if you’re an enterprise,

And if you don’t have a way of influencing the regulation management, the regulatory process, whether it’s by public comments on a document that’s up in the federal register or whether it’s through lobbying, if you don’t have that capability as an enterprise, you’re going to have continued existential risks that you’re going to have more unwanted regulations that are just going to make it harder for you to do business.

Tim Freestone (18:06.146)
Yeah, no, I can see the challenge here with, you know, everything seems to be at least attempted to be solved with tooling. obviously sales cycles are faster when a, when a tool can solve something, but it tends to be a smaller problem that’s being solved effectively with just tooling. So then you’re into, I, what I would imagine is pretty deep, long conversations of months to maybe more than a year to get companies in the right mindset to be able to.

have a tool like Hyperproof be successful, or any of the tools in GRC? Is it pretty complex in terms of a process from start to aha moment to implementation?

Kayne (18:45.928)
I think some companies, the early adopters, came to us already having had that aha moment. I think the other companies that we’re working with, I think the GRC maturity model is going to give us a way forward. I hope to publish like a set of self-assessment questions to figure out like, where are we right now? Is this even a time to have a tool conversation, or do we need to actually maybe have some staff associated with our GRC program? Because if you don’t have that, if you don’t have funding, if you don’t even…

Tim Freestone (18:57.474)
Yeah.

Kayne (19:14.632)
In some cases, know what regulations apply to you. You’re solving the wrong business problem. And then moving forward, I think that it’s kind of challenging for companies to go, OK, so what do we do with this? So let’s say they buy a GRC tool. How do they continue to justify it? How do they not backslide? Something we saw on our 2024 IT benchmarks survey

is we saw, like in 2023, spreadsheets were darn near 10% of the companies that we surveyed. I mean, it was like 1500 companies. And last year they started to come back. And the reason why is that companies were having trouble justifying the ongoing expenditure of having a tool. And I think that if you don’t have that business case built, like we’re saving, like my friend from DigiCert says, we’re saving 1100 hours in audit prep time. Or if you can’t tie it to top line revenue, or if you can’t tie it to…

Tim Freestone (19:56.706)
Yeah.

Kayne (20:09.224)
Hey, we want to enter a new market. Here’s how much it used to cost the consultants to tell us. And here’s how much we can do it ourselves. And here’s the Delta cost savings. Like if you don’t have those narratively defined, no matter tooling helps in the problem. You have to have a business case for these things.

Tim Freestone (20:24.674)
Yeah. We’re finding, at least with Kiteworks, the regulatory environment and all of the increases in such regulations are driving our business quite well. But it’s almost like for every 10 new regulations, there’s one that’s an actual business driver and it usually comes down to is there teeth in the regulation? Like will you actually lose business or get fines? You know, we have assets galore and…

Kayne (20:47.464)
Mm -hmm.

Tim Freestone (20:54.114)
You know, if you go to our website, there’s 50 pages on 50 different regulations, but it’s two, you know, that are driving business. It’s CMMC in the U.S. for the most part. And then it’s GDPR in EMEA because they have actual fines. Do you find something similar? It’s sort of like regulations for regulatory purpose isn’t really moving any decisions, and you’re latching onto some of them,

Patrick Spencer (20:55.694)
in regulation.

Tim Freestone (21:23.298)
the bigger ones like I mentioned.

Kayne (21:25.352)
You know, yes and no. I think that we’re in an interesting inflection point where, as you say, GDPR has made a comeback, right? I think that the thing that people aren’t grokking and it’s important to understand is GDPR, here’s my nickel word of the day, it’s extraterritorial. Love that word. And what that means in English is that it’s going to affect people who are outside of the EU.

Tim Freestone (21:43.938)
Yeah.

Tim Freestone (21:48.29)
also extra stressful.

Kayne (21:52.776)
And where that starts to matter is everybody’s moving into artificial intelligence and generative AI. And if you can’t prove that you have a way in your generative AI, whether it’s an LLM or something else, whether it’s in your training data set or whether it’s in the outputs that you don’t have a way of sanitizing or removing folks who are from the EU’s personal data out of there, it’s going to be a bad time. And something we’ve seen is the GDPR enforcement.

is rotating back into fines. For a while there, it was kind of like, well, they went hard on fines and then they said, well, we’re going to back down and we’re just going to sanction some people and complain at them. And now they’re back on the fine train. And I think that with the risk associated with generative AI and what that’s causing, especially in light of the EU’s new AI act, it’s going to come down to enforcement through the GDPR, which I think most businesses thought was a solved problem. We all…

We all had to have an opt-out policy and we all had to have a cookie banner. And that was GDPR solved, and now generative AI is going to drive that. But I think for other regulations that are really changing, I think it is industry specific. I think like the FTC’s thing under GLBA where auto loan lenders or car dealers

Patrick Spencer (22:51.342)
Thank you.

Tim Freestone (23:02.402)
Mm -hmm.

Kayne (23:11.336)
have to suddenly have a security policy and they have to have somebody administer it and prove that their controls are operating. I think that that drove some market change for the folks who were tracking that as a risk. I think that the SEC’s recent changes they’ve made, although we haven’t seen an enforcement action under new regulation 108SK, like I don’t know if we’re gonna see that yet. I think we’re all kind of watching the Tim Brown SolarWinds situation to find out where does that land and where are they going to go with that? Because companies…

Tim Freestone (23:36.194)
Mm.

Kayne (23:40.392)
What I found when I was doing executive advisory work, nobody wants to be ahead of the pack. Nobody wants to be behind. They all want to be in that happy mushy middle of their cohort to figure out, provided I don’t look like something different, I’m probably not going to get a legislation or a regulation or some kind of action dropped on me. And then Tim, on your point of CMMC, it’s interesting that you’re seeing that. I try not to talk about CMMC because there are a few people, especially on LinkedIn, who…

They like to start internet shouting matches about CMMC. And as a former A&D guy who went through DFARS, sorry, DFARS 10 years ago, the DOD said, hey, you got to prove that you’re doing your things. And I remember doing consulting with like some of the biggest aerospace suppliers in the world. And they did a six week project, which eventually just turned out to be, well, you have to do self-attestation. It just got toothless in a hurry. And I think that’s what they’re all planning for in CMMC world right now, except for the vendors who are

trying desperately to prove that they have product to sell and that it’s going to be material. I hope that that happens because goodness knows I’d like to see our war fighters protected, but at the same time, I’d like to see our small businesses still be able to compete for that part of the business because some of the stuff that’s in there is going to be very onerous for companies to implement.

Tim Freestone (24:55.522)
Yeah. I mean, the self-attestation thing, it’s, you know, I go back and forth on whether that drives business decisions in terms of maintaining compliance. But you’re right. It still seems a little bit toothless and has been kind of strung out for years now. You know, there’s a bunch of C3PAOs that are popping up, but it’s still, there isn’t a definitive yet, at least that I’ve seen, in terms of

when is it going to start? What happens when you don’t comply? I mean, you lose, there’s loss of business, which is obviously incredibly important to avoid. But if you can provide self-attestation, then why wouldn’t anybody just do that? Right. So. And there’s scale problems, and that’s the thing with regulations. It’s sort of, it’s all good in terms of

Kayne (25:45.384)
Yeah.

Tim Freestone (25:54.434)
you know, protecting what needs to be protected and having a governing body to ensure companies are doing the right thing. But if you can’t scale enforcement to any degree, I’m just unclear as to the actual value of it overall.

Patrick Spencer (26:09.134)
Well, there was a report that I saw where…

Kayne (26:10.152)
Yeah, that’s 100 % on that one. Like the FHA thing, have you seen that?

Tim Freestone (26:16.066)
I don’t think so, what’s the…

Kayne (26:17.672)
Okay, briefly, the FHA, I’m not sure if they’ve ever met somebody who’s been in incident response, but I, so the FHA recently put out a letter to all FHA-backed mortgage lenders, as well as real estate brokers, as well as a whole other subset of folks like realtors who just sell houses, that if you have a data breach or a suspected data breach, you have to send them an email to answers at, I think it’s hud.gov or fha.gov, one of the two. Is this a general purpose email alias? Send them an email within 12 hours.

Tim Freestone (26:33.09)
Really?

Kayne (26:48.296)
Right? And you think about like GDPR, SEC, everybody else is like, 72 hours seems fine. They’re like, yeah, half a day. You have no way of making a determination if it’s a real or a potential incident within 12 hours with a high degree of confidence. I know companies that don’t run IR within 12 hours because they’re not a 24 by seven shop. And it’s those unrealistic regulations that get dropped where I think,

Tim Freestone (27:06.178)
Mm -mm.

Kayne (27:16.2)
I think what happened there is we had a couple mortgage lenders get shelled recently and a whole bunch of Americans’ personal data got unveiled on the internet and nobody was very happy about that. And you get the sense like somebody in an office put their foot down and said, darn it, let’s just create more regulation because that’ll solve the problem. And I don’t think that’s going to solve the problem. It makes it more challenging for incident response teams. It’s certainly created a cottage industry for attorneys, but it’s not necessarily

Tim Freestone (27:20.034)
Yeah.

Kayne (27:43.112)
increasing security and it’s certainly not going to drive down the number of data breaches.

Tim Freestone (27:48.354)
Yeah. And also at the end of the day, everything with companies is money in and money out. So someone’s balancing the cost of what’s the right amount of risk, and the cost of that versus not having that risk management and the benefit to the business from a spend standpoint. And you know, there’s just so many levers on that risk management to spend

calculus that I just, there’s so many regulations coming out. I don’t know how companies are doing it. So, you know, to your point with the document you’re creating, that would be actually probably the first approach I’ve heard where it’s like, okay, well, here’s your guide through this, just follow this. And it doesn’t matter what tooling or what regulation, this is just your maturity model. It makes a lot of sense.

Kayne (28:43.24)
Yeah, and the intent there is like, because first of all, it’s governance, risk and compliance. And like, if you think about that, you can’t tell somebody to get better at governance or get better at GRC. That’s like saying get better at health. Like, what do I do? Does that mean like go for a run? Does that mean that I should sleep better? Like, so you have to give people something actionable, but you can’t just say get better at governance. Because again, what’s inside of that box and inside of risk.

Tim Freestone (28:54.594)
Mm -hmm.

Tim Freestone (29:05.566)
Yeah.

Kayne (29:09.384)
There are multiple risk assessment or risk management frameworks, like the NIST RMF or the NIST AI RMF. They all have certain common attributes that I’ve pulled together and said, look, you should not have to go read 700 pages of documents. I mean, goodness knows, those folks who love to do that, great, I’m glad you have the time. How do you do a risk assessment? Then how do you get into risk prioritization? Because if you’re terrible at risk assessment, your risk prioritization is also going to suck.

And then you actually have to get into applying compensating controls and measuring the outcomes of that. And then you have to report it back out. And it happens in a cycle. And part of the GRC maturity model is just documenting, this is what good looks like for each of four potential levels, so that you can say, let’s make an intentional decision to get better at part of this. Instead of, maybe you’re really good at doing risk assessments, but you’re bad at doing risk prioritization because nobody had the

Tim Freestone (29:58.722)
Yeah.

Kayne (30:05.672)
the horrible conversation of what does high impact versus low impact mean? You wouldn’t know how many boardrooms I’ve sat in and I’ve watched like the CFO, the CEO and the chief compliance officer have an argument over the definition of the word high. And you wonder like, how much is this money? Is this costing this conversation, this meeting? This is just stupid. And if you don’t write that stuff down and get agreement again, no, you have to get these things in place to be an effective enterprise these days.

Tim Freestone (30:34.434)
Yep. And when is that coming out? Did you say in a few months?

Kayne (30:37.576)
You know, they tell me the pictures are coming along and maybe July, maybe August. I’m hoping it’s going to be a summer release. I am. I’m blessed by them and that they get to send me around to send it to talk at conversations and in exchange I send them 180 page missives where they go, huh, could you put it like maybe a picture? I’m like, have we matched? Pictures are not my strong suit.

Patrick Spencer (30:42.574)
You don’t see your iron on your marketing team.

Patrick Spencer (31:00.43)
So, Tim, as we just spoke about, there’s a plethora of, and there’s even more coming, regulations that are out there that are all focused on cybersecurity issues, data privacy issues. As we look at all of those, which ones, in your opinion, are the ones that are really making a difference? We ask in our annual survey, which certifications, security certification validation do you follow?

which one is most important to you? Is it NIST? Is it ISO? Is it SOC, et cetera? If we’re going to use two or three of them, which ones do you think are most effective in terms of driving and safeguarding the data that’s out there and ensuring that organizations remain compliant?

Kayne (31:51.176)
You know, that’s an interesting question. And I think we’ve hit a point, or we’re soon to approach a point where, well, I think of when my kids were young, right? And you go to the roller coaster and have a sign that would say, you have to be this tall to ride. And that’s like the kiddie coaster. If you want to ride the real roller coaster, you have to be this tall or higher to ride. And I think that SOC 1 versus SOC 2, we’re starting to move from that in B2B sales where there’s an expectation.

that if you have a SOC 2, especially a SOC 2 type 2, it’s now becoming normal. And at some point, it’s going to become table stakes where we’re all required to have a SOC 2 type 2. I think that’s going to be one of those ones that just tips into the normal space and will move past SOC 1. I think that if you’re a publicly traded company, I think Sarbanes-Oxley, well, first of all, it’s a rule. It’s not optional, right? I think we’re going to have that one.

And then it really becomes sector specific. So I think that in the European Union and Latin America, I see a lot of ISO 27001. And I really like that. It’s, it’s, its ilk as well. And the reason I like it is because it’s an attestation that has an external validation component. I think domestically in the United States and Canada and Mexico to a lesser extent, as well as some other Western nations.

We see the people say they follow the NIST cybersecurity framework. And the challenge is when I see people say, well, we’re certified with the NIST cybersecurity framework because there is no certification for the NIST cybersecurity framework. And at that point you go, okay, cool. So you don’t know what’s going on. Move to the next vendor, please. And I think that that becomes a challenge domestically of what is our analogous cybersecurity framework beyond SOC 2.

Tim Freestone (33:27.778)
Yeah.

Patrick Spencer (33:28.686)
Yeah, there’s nothing.

Tim Freestone (33:34.69)
Yeah.

Kayne (33:45.64)
Something I have seen in purchasing circles, which makes me rub my temples and cry a tiny bit, is the inclusion of FedRAMP moderate in deals where you’re not a cloud service provider, you’re not selling to the federal government, you’re not selling to an agency. And I get the sense that somebody in purchasing got the idea like, well, everybody’s got SOC 2, or at least most people have got SOC 2. Let’s add FedRAMP, because that looks hard. It’s bloody insanely hard, and it’s unnecessary for a lot of companies. And yet you’re seeing this show up in more.

vendor agreements and that becomes a cost for folks.

Tim Freestone (34:16.258)
Well, that’s good for us. We’re, we’re FedRAMP moderate. I’m about to get high, but it’s a lot of money. It takes a lot of time and it’s a lot of work. But to your point, it’s really for the scenarios you mentioned. It’s not just a general, I mean, someone could look at it and say, well, if they crossed off all of these, you know, checked all these boxes, 300 and some, whatever they are, then it’s a good, it’s a secure company or their, their software is that level of secure in the cloud at least.

But outside of doing business with the federal government or something similar, I can’t imagine that being in a requirement.

Kayne (34:53.96)
Yeah, and yet you see it in purchasing agreements and you go, huh, that’s neat. The one thing, because we’re working on FedRAMP moderate ourselves, the one thing I get excited about is the reciprocity agreement, the CMMC. But my understanding of that agreement, and if you’re watching this stream and you have a mention on the internet, an opinion about this, please drop it in the comments below. I’m sure I’m wrong. The way I understand it is that if you have…

Tim Freestone (34:57.122)
Hmm.

Kayne (35:21.96)
all of your FedRAMP moderate controls operating 100% with no variance in that, you don’t have plan of action and milestones, a POA&M, and you’re willing to share all that evidence with your 3PAO, you can get CMMC reciprocity if the contracting officer agrees that that’s okay, which it’s not great. First of all, show me somebody who’s got FedRAMP who hasn’t had a POA&M at some point, right?

It seems that’s a little too high of a bar.

Tim Freestone (35:54.978)
Yeah, I mean, there is some language. I haven’t looked at it recently. I’m sure this is a reminder to check in again around equivalency of FedRAMP moderate, you know, being some level of, it’s an acceptable gate to get through with equivalency, but there’s all sorts of nuances around that. Best case is to be moderate, but yeah, to your point, it’s a long process.

Patrick Spencer (36:23.758)
When you look at, maybe this is going to be in your document you publish in a couple of months, you look at different data types, PII, PHI, IP, financial documents, &A documents, legal documents and communications, you got a list. If you’re doing a risk assessment, do those all get a different algorithm in terms of their level of risk? How do you work that from an organizational standpoint?

Kayne (36:50.632)
Mm.

So I don’t get to that level of granular detail in the maturity model and the reason why is at some point you have to say like, here are the attributes and that is a thing that has to happen, but I don’t want to be prescriptive because it’s a decision that’s different for each business. I think that if you’re in a, if you’re working with a healthcare institution, you have a very different set of operational risks and a different set of tolerances.

Patrick Spencer (37:01.006)
is up.

Kayne (37:20.552)
than if you’re working with liquefied natural oil and gas, right? Like they have different risk prioritization. They also have different risk tolerances associated with them. And in both cases, I hope that they have data disposition schedules or data retention schedules, depending, saying how long are we keeping that stuff around? I touched on that briefly in the GRC maturity model, but often I don’t need to tell counsel, like, hey, you should have a data disposition schedule because often, like, if counsel has ever been to a breach rodeo before, they know somebody who has.

They know it’s better to have less and it’s better to have a consistent schedule you followed because threat actors can’t steal what doesn’t exist. And that really reduces organizational risk as opposed to a poorly set up classification scheme where, you know, you will learn that you’ve got litigation inbound and you go delete a whole bunch of stuff. That is like, that is a straight up bad time.

Patrick Spencer (38:09.614)
Yeah. Well, we’re unfortunately out of time. This has been a really interesting conversation. Kayne, we appreciate your time today. For our listeners who want to know more about Hyperproof, I assume they simply go to the website Hyperproof.io, correct?

Kayne (38:26.216)
Yes, it’s Hyperproof.io.

Patrick Spencer (38:27.598)
And if they are wanting to check out some of them, maybe listen to this podcast after it’s published even your upcoming document, will they simply be able to find that on the website or how should they discover and use it?

Kayne (38:42.664)
It’ll be on the website Hyperproof.io and I’ll also be posting announcements and probably memes on LinkedIn. You can follow me as Kayne McGladrey on LinkedIn. And also we have a YouTube channel where I’ll probably be talking it as well that’s Hyperproof and just search for us on YouTube.

Patrick Spencer (38:59.15)
Probably a podcast on it as well.

Kayne (39:02.504)
I suspect as much, yes. We’re working through our launch schedule.

Patrick Spencer (39:06.222)
Well, thanks for your time. For those in our audience who want to check out other Kitecast episodes, you can do so at Kiteworks.com slash Kitecast. Thanks. We appreciate your time. Look forward to working with you.

Kayne (39:17.384)
Thanks for having me on.
