How to Build a Risk Practice

Megan Phee: Hi, I'm Megan Phee and this is GRC and Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more. Learn about your methods, solutions, and outlook in this way.

Andy Ruse: Hi everyone and welcome to another episode of GRC and Me. My name is Andy Ruse. I'm the President of Field Operations at LogicGate. Today I sit down with my good friend James Bundy, Practice Director at Optiv. Our conversation centers around how to build a risk practice, how to get started, what are the key components, what goes into managing a risk program and how to improve upon it as business needs change over time. Now here is my chat with James. Jim, so tell me a little bit about your background in the GRC space and how your risk journey brought you into your current role as Practice Director at Optiv.

James Bundy: Hey, first and foremost, thanks for having me here. I really appreciate it, appreciate the conversation. Always enjoy talking to you Andy. It's always enlightening and generally pretty passionate. But from my perspective for who I am, I've been with Optiv about seven years. Prior to that, I was an information security leader for a large multimedia company where we had multiple locations in multiple areas. My background in risk really kind of started while I was here at Optiv. As a security leader, risk was something that we focused on, but it didn't really resonate with me well at that time. Now that I've been providing risk services and providing assessment work and helping customers mature their security program, I now understand how critical and how valuable risk management and risk management processes can be for the organization. Not so much from a security perspective, but from a holistic business perspective. It gives you the roadmap in what you need to do to help secure your organization above and beyond best practices.

Andy Ruse: And we just came out of a pretty in depth conversation where we were talking about how to build these programs and enhance them. You're in a incredible spot because you're out there working with customers and the market every single day. So as you think about how someone would get started in building a risk program, a GRC program, how would you approach this?

James Bundy: Well, that's a great question. What I try to do and what I do help with my customers, and I've learned from them and I've learned from my past experiences, is I go back to when I took over a security program and had to build it from the ground up and understanding what was important to the organization. One of the things I should have done and a lot of the things I'm going to recommend here I didn't do because I didn't know. But now I think I've learned a lot and I've learned from our clients and learned from some of our partners. But doing an inventory of what's going on in the environment, getting an understanding of what's there already, what can I reuse, what can I recycle and what can I leverage to help mature the program moving forward rather than building from net new. Oftentimes there's a lot of good ideas floating around within the organization. Some of them may not be fully formed, but if you can take those and leverage those to try to help drive your program, it'll make it easier for you in going down that path. And then do an inventory of what you have to do from a compliance perspective. Some people look at compliance requirements as this is what I need to do and this is what I can use to drive spend for security. I look at it a little bit differently. I look at compliance requirements and I see them as business enablers. Because let's just say if you are a service provider, SOC 2's pretty important and that could help you stand out with your competitors. So if you leverage it that way, and also it'll help drive your security program, you're starting to show that you're adding business value. And third, what I like to try to do is once you've done those two things, is take a look at what you've got from a technology standpoint. Understand your technical debt. You have too many tools, you have not enough tools. And then when you take a look at those business requirements and what's in place, and you also consider what compliance requirements you have from a technical perspective, what can you test and what can you manage? And that gives you an indication of what your next steps should be and gives you some targets on what you should look for from a budgeting and a build perspective. Did that answer your question?

Andy Ruse: Absolutely. And I'm thinking you're in these engagements and a lot of configuring GRC programs, enhancing them, but we're seeing more and more executives get involved in risk management programs. So maybe share a little bit about what role should we be asking the executives to come in and help us when we're building risk programs or enhancing them?

James Bundy: I think it's important for business leaders and the executives to get an understanding of where the risk program is going. But I think they need to look at it more from a programmatic standpoint and more from a business line standpoint. I think the questions that business line leaders especially should be asking is, these are my key and core needs within the organization. This is what helps me make the widget. Security and risk, how are you helping me protect that? Because a lot of our customers, they're not security companies and they don't have to worry about some of the security things they need to worry about. They need to worry about getting product out the door and keeping revenue generated and doing those things. So if from a leadership perspective, that's where I'm seeing them start to lean in. You think about ESG and some other areas that are kind of coming in into the forefront and some of the other enterprise risk based factors around geopolitical and things like that. They're concerned about those things and those sometimes don't directly map to IT risk, but you have to look at it globally and that's where they're looking. They just want you to protect their product and protect their processes. While AV is important and firewalls are important, they just want them to be effective. They're not worried about the product or which one you're using, but they just say, make sure my stuff runs.

Andy Ruse: Yeah, and I think this pace of change and the complexity that we kind of see throughout the world really comes out in what you just talked about. And so taking that into equation here, what do you think about in terms of what are the key fundamental components of building a risk practice?

James Bundy: So some of the key areas is, number one, you have to make sure you maintain your compliance. I mean, that's one of the things that your leadership is going to understand. If you are a merchant and you don't maintain your PCI compliance, that's something that's going to come up and you're going to have to deal with that with the risk committee and you need to make sure you control that. Another element is making sure that the control testing and the framework that you select, NS, ISO, whatever supports the business and the control testing that you do is directly in line with managing and maintaining those key business processes. So you've got those key performance indicators and those key risk indicators and you're aligning your risk program with those needs. Those are key areas. And control testing is always a challenge. I'm a big fan of integrated control frameworks or common control frameworks where you're taking multiple controls and then testing. Everybody wants to test once and comply many. It's a little bit harder than that, but if you can get that set up that's worthwhile. But from building from the ground up and make sure that you're supporting the business and their business needs, make sure your control testing is realistic and valid. And make sure you're a business advocate and a business enabler. And if you can do that from a risk program and those are your foundational things, it's all about supporting the business. It's a challenge to just throw out regulations and compliance requirements and forcing people to do things if there's no value in it.

Andy Ruse: Right. And I think one of the things I love in the approach that you take and Optiv takes is really going in and working with clients in the market. And not starting over, but taking a program and start thinking about how do we improve on this, the continuous improvement mindset. Maybe you could share with us what are the things they should be doing now to get ready for these unknown changes that'll come up over time.

James Bundy: Yeah, that's a great one. I mean, what do you do to solve the unknown? It's being flexible. It's understanding what's going on in the environment, understanding the threat landscape and trying to get ahead of it a little bit. If you think back when we just kind of started with ransomware, I mean everybody's answer was, well, you just have to have backups until they encrypt your backup system or until they encrypt your entire back plane and now all your VMs are encrypted and there's nothing you can do about it. It's hard to predict those, but you kind of have to take a look at those and be prepared for some of those issues and also be prepared for where the business is going. I've had issues, not really issues, where I didn't know where the business was going but I was building processes around that. And then when I find out where it's at, I have to adapt and adjust. In one of my roles, PCI compliance was very important, but a PCI mitigation was going to cost us about$ 2 million. Because before I was there, we really weren't good at it. Come to find out, our CFO said, we're not doing that. We're just going to go ahead and not be compliant. Me being me, it's like well I can't work under these conditions. I got a major case of the goo goo and I was thinking this isn't right and I was going to tender my resignation and take my toys and play elsewhere. And luckily I thought about it. Two months later we sold off that part of the business. I didn't know that because I shouldn't know that. But it was an interesting concept so I had to adapt. The risk organization had to adapt to that change and there was other risks because now we had to, it's a divestiture, so we had to adjust our risk program and align it with those divestiture opportunities or requirements. So we knew that the risk associated with spinning them off was going to be within the confines of our organization.

Andy Ruse: I love that. You always got to think about being agile, being flexible. You never predict the future, but being flexible along the way.

James Bundy: Yeah, I've been around a while. The old ways of, it's just everything is in a SaaS, everything is quick, everything moves, you've got to move with it or you're going to add risk to the organization.

Andy Ruse: How has the Risk Cloud changed your risk management experience?

James Bundy: What I'm a huge advocate of the LogicGate products and product line. From our perspective and our client's perspective, it's made significant changes, it's added significant value. If you think about some of the key things we see in the environment in our world, everybody wants to do risk quant, everybody wants to do a lot of these things, but they may still be on spreadsheets and you just can't do that. You're going to do it once and it's going to be in your spreadsheet for that week, but after that you're not going to be able to keep up with it. So we're seeing a lot of our clients going down the quantitative process, leveraging the LogicGate tool. We're also seeing our clients wanting to automate things around control testing and make sure all that stuff is being taken care of and handled. One of the things we're doing here at Optiv is we're looking to deliver and provide our customers with access. So now when we do an assessment, we provide them with a report and we kind of walk away, that's what they paid for. But we come back the next year and what we see, sometimes nothing has really been taken care of because it goes into a file share and it's looked at for the first six months because it's got the executive vision. Something else happens, it falls to the wayside and we have the very same findings the next year. Leveraging products such as LogicGate allows us to keep that in the forefront and get it focused because it's not someone looking at a spreadsheet and sending out an email reminding the network team to do something. It's LogicGate and the process doing the reminding and keeping it straight and providing the dashboard so leadership understands where they are in those remediation efforts. It's adding a little bit of ownership and making sure that the internal team is doing what they're supposed to be doing. Otherwise they all forget, they all full- time jobs. I mean I'm not knocking anybody. Remediating compliance or audit findings is important, but that's not their full- time job. You got to make it as easy for them as you possibly can and tools like LogicGate let you do that.

Andy Ruse: I always think about it as getting it as close to the individual's work as possible and making it part of their workflow and not something different.

James Bundy: Exactly. So if you think about control testing. If you're doing it quarterly and if you're doing it in an automated fashion, when audit comes along, you already have the data. You're just creating a report because it's part of the day to day operations. But if you don't do that, auditor shows up, I'm not saying this happens. But auditor shows up, either someone is finding the testing that they'd done several months ago or they might be doing testing then and maybe being a little bit liberal with the dates. And it's disruptive to the organization because when they're doing that stuff, they're not supporting core business processes. So you make the control testing, you make those processes part of their day to day operation and it's easy peasy.

Andy Ruse: Jim, we've been out on the road together a couple times over the last few months. You get so many customer conversations packed in, people looking for advice. But as I think about what I might look forward to, what are the trends or what do you think we need to be thinking about in the future here as risk practitioners?

James Bundy: I think from a future state, I think we're still going to see customers push for quantitative risk assessments and risk valuation because it's going to help drive decisions from an IT and a security spend perspective. And it's a great thing because you really want to focus your value and your dollar on what's going to add the most value and reduce your most risk. I think we're going to continue to see that. I think there's a maturity curve that some customers may not be able, it's going to take some time, but that's what we're here for. We're here to help them do that. I think ESG is coming along. I think we're going to see more and more of that where customers are going to want to understand how that impacts their world and that's more from an enterprise risk perspective, but I think we're going to see that and supply chain is still there. I mean when we look at the what's going on in Russia, the Ukraine and other areas, and COVIS, while here in the states I think we have it pretty well under control, other smaller countries that are feeding our supply chain may still be challenged a little bit. I really think another area is we're going to start seeing leveraging artificial intelligence and robotic technology to help manage our control testing. I think what we want, what I'm hearing, they want to make sure that their staff is focused on core business processes and they want to automate as much as they can. So I see that coming down the pike where we're looking at some RPA stuff and some other things to where we can help automate some of those opportunities for them. Control testing still has to be done, it's still going to have to be reviewed by someone. But pulling those configurations and pulling that in for review, if we can automate that and provide a customer and that IT team or whoever does that testing some relief, it turns risk and security into a business enabler. And back in the eighties, we were all Dr. No. It makes sure that we're helping and march forward with the organization.

Andy Ruse: Excellent. Jim, thanks for sitting down with me today. What do you got that you're looking forward to in your personal life here?

James Bundy: Personal life? Well, I'm heading off to South Carolina here in a few weeks. Going to be there for a couple months, rented a nice condo, going to work from the beach. One of the benefits of COVID is remote work and so I'll do that. Really looking forward to that. I'm going to take up kayak fishing, I'm going to see if I can find a cheap kayak and float around and hopefully the Coast Guard won't have to come get me. But I'm going to try that for a while, see how that goes.

Andy Ruse: Jim, I bump into you all the time, but where can our listeners find you if they want to know more?

James Bundy: So easiest place to find me is optiv. com or LinkedIn. You can find me on LinkedIn. I think I'm one of the few James Bundys out there from Optiv. By all means, reach out for connection and more than happy to respond and we can communicate that way. Otherwise, if you're looking for risk services or support, please reach out to your local Optiv sales rep and they can get me on the phone anytime to have a discussion. The fun part of my job working in consulting is talking to customers. I learn as much from them as they learn from us and there's always that information sharing that that adds value to everybody.

Andy Ruse: Excellent. Again, thanks for sitting down with me, Jim. I'm looking forward to getting back on the road with you. Always great to have conversations. You have tons of experience with customers, bringing that to our listeners, I really appreciate it. If you want to learn more about how Risk Cloud can help build a risk practice, visit logicgate. com today.