Cyber Talks: Excel Is Not Your GRC Solution: Scaling Governance Beyond Spreadsheets
Hey everyone,
I'm Jason Edwards and welcome to another
CyberTalk developed by BareMetalCyber.com.
Today I'm excited to welcome Dean
Charlton,
Managing Director of DC CyberTech,
a company known for delivering
award-winning global GRC SaaS solutions,
pen testing services,
and high-skill cyber talent.
Dean has been at the front line of
helping organizations modernize their
governance, risk,
and compliance capabilities with tools
that scale far beyond spreadsheets.
In his presentation,
Excel Is Not Your GRC Solution,
Dean will dive into why relying on
spreadsheets can hold back even the most
well-intentioned security programs and how
automated AI-driven platforms can support
organizations of any size.
Dean,
thanks for joining us and let's dive right
in.
Thank you, Jason.
Thanks for the intro.
So quick introduction.
So as I mentioned,
my name is Dean Charlton.
So I run DC CyberTech and we work
and partner predominantly within the GRC
field.
So we're covering industries globally and
across multiple different aspects.
And I guess the reason for kind of,
you know,
the chat today and highlighting about
Excel versus a GRC platform.
It's really relevant.
I'm sure many people listening will
probably be sitting there now going, hey,
well, we use Excel.
It's pretty free to a degree and it
works.
And we've been using it for years and
we're a small scale startup.
We don't have the budget.
And to be fair,
we hear that all the time.
And in fact, actually,
a really good timing is I was at
a Risk Europe yesterday, in fact,
in London, a conference.
They were presenting and they said, hey,
look, who's using Excel here?
And at least fifty percent of the room
put their hand up,
and we're talking even enterprise-level
companies here, to a degree.
That, if nothing else, should raise a
huge amount of alarm bells across
the industry, because anyone involved in
any form of compliance or governance would
understand that Excel's great at
putting detail in, but it doesn't update.
You know,
you have to go back into it.
It's not linking.
It's not using AI.
And we love the AI definition term in
everything we do these days in technology
and cyber.
So we've kind of developed a platform in
partnership with a company called Risk
Cognizance.
And and the reason why we've done that
is because we understand that you could be
a one man band.
You could be just starting out into the
field.
You could be a global enterprise company.
And and all of a sudden there's a
new regulation came out.
So within the US, we know we've got.
The whole thing is for HIPAA.
We've got kind of this too.
We've got SOX.
We've got so many regulation frameworks
these days.
You can't just say, hey,
I'll just do it on my Excel and
just tap a few words in here and,
hey, hope for the best.
And, hey, Mr. Auditor, yeah,
not a problem at all.
We're compliant.
Because they're going to dive in and say,
how are you compliant?
Evidence, where's the proof?
Where are you tractioning this?
How are you governing it?
How are you allocating tasks, processes?
How are you monitoring that on a regular
basis?
And I guess the real thing to kind
of think about here is that GRC isn't
a one and done.
You don't just go...
Hey, I want to be HIPAA compliant.
I'm going to do my HIPAA compliance
framework.
Done.
Thank you.
Nothing changes.
You've got to dive in.
You've got to keep going in.
You've got to keep monitoring it.
You've got to look at the updates,
what the policies, the processes,
who's involved, what's changing.
Because the world, the industry,
businesses,
people are changing such frequently,
you know,
and frequency-wise that you can't do that.
It's humanly impossible to update a
spreadsheet, an Excel spreadsheet,
at that demand level with that level of
accuracy.
Some people will probably say, hey, well,
I can do it.
Yeah, but that's probably the one- or
two-people companies, right?
But when you start to scale, you'll
understand it's just not going to happen,
unless you're some whiz kid and your Excel
skills are up there,
and you probably should be working for
Microsoft in that case.
Then, you know, you need to look at
solutions. You need to look for examples.
And AI, as mentioned, is there not to
take over, it's there to complement.
It's there to say, do you know what,
if we can remove the manual task,
if we can remove the monotony of updating
the changing, then why wouldn't you?
No,
that's what AI is there for and not
what to do.
So, yeah.
So, you know, go out, use it.
Look at the platform that best works for
you as a business.
And that's what we do.
And that's where we focus globally,
as mentioned, because it's every remit,
every global country entity has its own
form of regulations.
So we were just recently working in the
German automotive industry.
So we've got our one five five one
four six.
As a framework,
very focused on German automotive.
Nowhere else in the world.
We work with businesses and entities out
in the UAE and with Saudi Arabia.
You know, we have SAMR.
So SAMR being kind of the governance
ordinance around financial controls within
that region.
Again, not applicable.
FedRAMP in the US.
Again, CMMC.
Exactly that, you know,
from government contracts.
There's so many that you can mention GDPR,
ISO.
It's endless.
And, you know,
if you are a business that's thinking, OK,
we want to scale, we want to grow,
we want to be compliant,
we want to mitigate our risk.
through investment that you might be
looking for scalability.
You might be looking to emerge an
acquisition.
You might be thinking about, uh,
new registry updates within your industry
sector.
You have to be compliant to, um, CMMC,
you know,
you need it to get government contracts in
the U S you don't have it.
You're not open to government contracts
anymore.
So, so you've really kind of got to,
yeah, uh, rethink about like,
how am I going to do that?
Um, what's going to aid me?
Who's going to do that without spending
two hundred, three hundred K on staffing?
Hey, look, we do talent solutions.
I'm never going to want to argue and say,
hey, get yourself a vulnerability manager
and a security engineer and you're happy.
But we know you can mitigate some of that
cost when you start to scale out
with an automated SaaS platform. So, yeah.
Absolutely.
So did you have slides?
I'm sorry, I forgot to ask.
No,
I'm going to slides to show really kind
of just but just kind of talk through.
OK, yeah, sure.
And I'd recommend, you know,
I'm sure the links will be there to
come to the website.
Have a look at our blog posts.
So we're blogging every day with outline,
and we're really addressing some of those
kinds of areas, as well as talking to
industry experts and highlighting to the
general public as well, really, across all
the LinkedIn platforms and other media
platforms, about why risk is important for
everybody. Because you could be,
I know you could be an operations manager
and say, hey, well, you know,
I don't really touch on that.
It's not my area, but it does.
And then you'd be surprised to crossover.
You could be a financial analyst.
There's still crossover within your
business.
So let me ask you a question real
quick.
So when you talk to a lot of
companies, right, and I can see,
I've been in GRC for a long time
as well,
and I've dealt with large GRC systems,
right?
And there's a lot of buy-in to get
to the minimum of a large GRC system,
right?
It's not a small contract, right?
Whether it's ServiceNow, Archer,
whatever it happens to be, right?
Is that why you think most smaller medium
enterprise companies just stay with Excel
is because they see those numbers and they
don't want to move into like a GRC
solution?
Absolutely.
You know, and as mentioned,
so I was at Risk Europe yesterday,
all the big vendors there,
as you would expect, right?
So, and great, look,
they do a great job and obviously it's
healthy competition in the market,
but they are so large.
You know,
I think you just touched like ServiceNow,
for example,
ServiceNow as an entity is massive.
Now,
if I'm a ten man band and I'm
looking to get ISO 27001
accredited,
I'm going to be scared to approach them,
right?
Because
Cost is huge.
They've got investors to satisfy.
They've got other entities and the
platform does so much more.
Then you've kind of got, well,
I only need this little bit.
No,
I don't need these reports and this
structure and this integrations because I
don't have those.
I have a very simple platform.
That's why I'm going to use Excel.
And I think that's,
as you kind of mentioned,
it scares people away.
I think they say, well,
if I if I go on Google or,
you know, everyone these days ChatGPT,
right?
ChatGPT.
What can the offering is?
What's the rough cost?
You get these some nasty figures out
there.
And, and you, and you do,
you kind of go, well, I can't,
I can't go to my boss with that
figure.
He's going to tell me no.
So, so yeah, so we've created,
and Risk Cognizance have created,
that middle ground to say:
we're scalable with you, we grow with you,
we are modular, so we only apply to the
platform what you need,
and we can customize it.
You know, it's not about the business,
the platform, being the brand here.
It's about you as a business being
compliant, you understanding how it
operates. It gives you back time, and
I think that's a huge piece to play,
is that anyone updating Excel knows how
long that takes. But if you've got a
system that does it for you, does it in
the background, hey, yeah, why wouldn't
you? And obviously at a very low base cost.
Yeah.
Yeah.
Well, and the other thing too, is people,
even the numbers that you get, like, okay,
ChatGPT numbers,
like how much is Archer going to cost
me?
And again,
I don't want to denigrate Archer service.
Now they're great companies and stuff,
but you know, for very high end,
but like, you know,
that doesn't include any of the other
costs, right.
It doesn't, you know,
just because you buy the software,
it doesn't come out of the box most
of the time ready for your company.
You've got to spend many,
many developer hours and test hours in
doing it.
A great example is about when I first
left the military.
And, you know, back twelve,
thirteen years ago,
it was really only a couple of choices.
It was SolarWinds and whatever it was open
source at the time.
Right.
And so we got SolarWinds and then we
proceeded to spend five months, you know,
configuring it.
Right.
You know, where we should have just,
you know, again,
because pro services was just as much as
the software.
to get it set up right.
So it's not really just the cost of the
software, it's a lot of that human capital
cost that you're going to have,
whether it's a developer, whether it's a
human going, hey, that alert's not working
for me, this alert's working for me, hey,
we don't do it that way here, because
every company, you know...
And you'll see another thing too, and
I know I'm kind of rambling, but a lot of
companies too, they will...
So we had a product at another company
called MetricStream. Good.
Good product.
But the company decided we're going to
make minimal changes to it.
We're just going to do the way
MetricStream does it.
I'm like, wait a minute,
we're going to run GRC the way a
software company runs GRC.
And that idea lasted like six months.
And they were like, nope,
we got to customize the crap out of
it.
Yeah.
And I think people need to realize that
GRC,
as with any kind of security or any
kind of functional software function,
it's layers.
Right.
So you've got to build the layers.
You've got to grow through it.
You've got to work through those different
aspects.
And we say the same thing with the
GRC software with Risk Cognizance is that
you build the underlying foundation of,
first of all,
what are you looking to do?
Because, you know,
there's some companies out there that.
have got a spreadsheet, that are probably
really compliant, they've got some great
policies, they've got some great processes,
but they just need to consolidate it a
little bit more. You go, brilliant, okay,
well, let's start at the base level.
So let's reassess that, let's get it
confirmed, let's get the details, and
then we just build it.
You know, oh, okay, you want to do a
vulnerability scan, attack surface or
dark web monitoring within your domains?
Okay, let's add that as we go through now.
Oh, you want to check your cloud
infrastructure? Well, we'll do that at the
right time.
And there's none of that kind of like,
no,
you've got to do it all now and
you've got to throw it all in the
pot.
And as you said,
then spend five months going, oh,
I've got this information.
And I thought I was really compliant and
now I'm not.
And my boss is on the phone and
we've got an investment round coming up
and we're not compliant.
And it happens.
Right.
So we're human.
Businesses grow.
Things happen all the time.
People move on.
And we've seen that as well, you know.
You could get a company where you've got
a GRC manager who manages it perfectly,
does really well, been in the business a
long time and brilliant, and then they
retire or they move on, they go to
your competitor, and all of a sudden they
go, hey, wasn't that person in charge of
that? Like, where is that information?
I don't know. Yeah, we don't have access,
or we can't see it, or he's linked it
and I don't know how he's linked it,
you know.
And these things happen as well a lot.
Whereas you have a multi-access platform
and everyone's got those kind of
integrations where they can add to it and
you can allocate the right information to
the right person.
Then all of a sudden,
you don't get that.
One person leaves, okay, a minor setback,
but actually we know where we're at in
that process.
We're using the tool in order to automate
that process through.
And I think that's probably key is that
things are always changing.
And I would always say to people,
if you've got one thing that you kind
of walk away from this kind of podcast
about and information,
it's just that things always change.
people change, processes change,
policies change,
governance controls change, right?
So you could be great now,
but two months down the line,
you could fall behind and you could be
at the bottom of the pile again.
So you need to be adaptable.
You need to understand that.
And we're not all blessed with having
four, five, six different cyber credentials,
you know, that cost ten thousand dollars
a pop, and be in there and go, oh yeah,
we can do that, we can do that.
Because businesses don't, you know,
everything like that costs.
You invest in the thing at the right time,
within the right investment.
So, yeah, so you kind of keep that in
play, really. Um, yeah, and you know,
it's a frustration, I guess, is that
I've come into GRC after years within
more of the security engineering
background, and I was shocked that
Excel is the number one platform that
GRC is used for. And we're talking,
you know, global banks. We're not talking
your mom-and-pop shops here, you know.
And you're sitting there thinking, what,
really? Like, when was this allowed?
Who said, yeah, that's fine, don't worry
about that, yeah, stick it on an Excel,
like, save it in the deepest, darkest part
of the library there somewhere.
That's why we come back to it.
Yeah, yeah, you know, well, there's a
policy here, it says nineteen ninety-eight.
Yeah, don't worry about that. Yeah, yeah.
Um, and yeah, and you see it more and more
often, but I think the world is changing.
I think people are waking up and
realizing. So...
Well, you mentioned ninety eight,
which is a good year, by the way,
because that was the one that was the
second year I ever developed Excel
applications.
Like back in the day when you're like,
what's VBScript?
I'm going to learn this.
You know, and, you know, the other thing,
too,
is it's like I like to call like
software archaeology because like things
get layered upon layered upon layered and
you don't even know why it was done
that way.
But it was done that way, and so,
you know, like... well, you know...
There's a great Saturday Night Live skit,
a very, very long time ago, shows how old
I am, but it was talking about these
protesters who were protesting
double-hull oil tankers,
because there was going to be no more
leaks. And the guy's like, well, what do
you do for a living? He's like, I'm an
otter scrubber. I scrub otters to get the
oil off. He's like, my daddy was an otter
scrubber, my granddaddy was an otter
scrubber, we just can't let this happen.
But you get that attitude sometimes in
companies with software. You're like,
I've done it this way.
That guy did it this way.
We're going to do it that way.
Because if not,
I have to call this other company to
come in and there's going to be a
wizard charging me three hundred dollars
an hour to make a change on a
form.
Right.
You know what I mean?
And so they gravitate to things like Excel
because they can pick up a dummy's book
and do it right.
So.
Yeah.
And, you know, and the story,
a great example.
Yes.
So last week,
task manager in Windows was thirty years
old.
Right.
So it was Bill.
Yeah.
And a lot of people kind of go,
don't think about it, you know,
and it's in the background.
And the guy that builds built it.
There's a great video on YouTube and have
a look.
And he talks about all the little nuances
and bits that he put in the script
that are still there in the background,
where he's just like, well, no one ever
changed it, so what was I going to do?
You know, it's just like...
And he talks about how it developed, and
that's no different to any other software
platform. And then, but you know, but
that's linear, right? So that is, hey,
it's a service platform, it's Windows,
brilliant, fantastic.
Now put on governance controls,
now put on insurance details,
cyber hacking,
real world global disasters, you know,
risk of mitigation,
investor controls and put that all
together.
And all of a sudden you kind of
go, wow,
this is really overwhelming very quickly.
Does Excel do it?
In all honesty, I don't think it does.
I don't think it can.
It can give you a very nice summary.
It can give you a very straightforward
breakdown.
As you said,
someone can pick up a book,
Excel for Dummies,
and you can learn it within probably a
week, not even that, from scratch.
doesn't mean that you're going to be
compliant,
doesn't mean it's going to update,
doesn't mean that it's relevant within two
months down the line.
You've got to take all these mitigating
factors into play as well.
Businesses change.
It's not us that determines it sometimes,
it's the business that determines it.
Cyber,
we'd love to have things normal and
straight every day.
You know, in a lot of ways, we're like
network administrators. Like, okay, no
change, everything should be running fine.
You know what I mean? But the business
doesn't work on that. You know, every
small company wants one thing: they want
to be a big company, and they want to
change, and they want to grow, and they
want to add stuff to it, and you can't be
stuck with something that's ten years old,
right? Yeah.
And, you know, I talk with pen testers
almost daily, right? And it's the old
adage that you can think that you're up to
date and you do all these accreditations,
everything...
But the hackers are the people that don't
have to do certifications.
These are kids that are gaming, right?
They're playing Warhammer, right?
They're learning strategy.
They're going, hey, hang on a minute.
I can do this with Bitcoin and I
can get in here and no one's going
to stop me.
No one's stopping me now.
And they keep progressing.
And then all of a sudden,
before we know it,
something's come out in the industry.
Well, we weren't,
as security professionals,
we weren't even aware of it.
because they found a loophole.
Then we need to then fix it.
We need to then create governance around
that.
There's new governance controls.
It won't be long until
Goodness knows what other ones are coming
through.
But in the next five years,
I reckon there'll probably be another five
to ten governance controls as standard
globally that we'll see kind of companies
working towards.
Stuff that we probably aren't even aware
of now.
You know,
we've got huge emergence within AI.
We've got quantum computing come up in the
background.
So that changes the game one on one
back to zero.
So if we're at one point one,
we're back to zero point zero when quantum
comes into play.
So we've got to really take all those
considerations into play.
And if we're not doing it now,
we're not keeping up to date now,
we're going to be even further behind in
a couple of years' time to a point
where someone says, hey,
what governance controls have you got in
place?
Oh, we've got this brilliant spreadsheet.
Yeah, that's like five years out of date.
Is it?
Oh, great.
Yeah.
Alarm bells, certainly.
Well,
and it also depends on the speed of
the regulatory regime, right?
And this is what people forget all the
time.
It runs at different paces around the
world.
The EU has a much shorter time to
idea to law, right?
That timeframe it takes for someone in the
EU to come up with an idea to
become a law is very short compared to
something like the US federal government,
which as we can see,
if we're even working instead of shut
down,
it may take us years sometimes to get.
Like for example,
the United States still does not have a
privacy law.
We do not, not compared to the EU.
The GDPR has been around for, you know,
over a decade, and we don't have one.
So what happens? All fifty states do it,
and their time to idea to law is very
much shorter, right? And so you look
around the world, and when you're a
global company and you start to work
around the world, it's not just fifty U.S.
states. You've got, you know, territories
in Canada, you've got the different parts
of England, right? You know, you've got
the EU, and each member has its own laws
in some cases, right?
It's never a static environment every time
you go someplace.
And the business doesn't understand that.
And again, they're not really supposed to.
The business is supposed to do one thing.
Say, if I'm a shoemaker,
you want the business to know how to
make shoes.
You want them to be successful at making
shoes.
All this other stuff,
like cyber GRC and cyber laws,
they just expect you to do it, right?
Yeah, yeah, yeah, yeah, exactly.
And you know, now think of a business
that's growing, and they've got to a size
where they've not really thought about
cyber before. And we work with a couple
of those businesses, right, where they
kind of go, well, we're at a point now
where we need to start thinking about
cyber controls because we don't have any.
And you do a bit of a scope and a bit
of gap analysis: hey, what have you got
in place already? Well, we've got a CTO.
But he has no idea.
We've got this person that we kind of
bring in ad hoc.
They've kind of given us a few ideas
and you kind of go, OK, well,
you know, we're now scaling to a point.
We need that.
We need that in play.
And then all of a sudden,
these money figures come out and everyone
starts panicking like, oh,
we can't afford that now.
You know, can we scale?
Where does the business move on from
there?
How do we need to be compliant?
You touched a great point on
US,
European markets and regulatory controls
and how the government operates.
But look at cloud integration.
So US,
I would say probably ahead of the game,
right, with cloud.
You'd be surprised how many European
entities are still on-prem.
No cloud whatsoever.
Not that they're reluctant to it,
but it's still very much moving at a
very slow pace.
In the UK,
we've got a huge banking industry, right?
So it's what we're known for.
But look at what the banks are using.
Look at what the systems are using.
We're in the dark ages.
Crikey.
You know, sometimes.
Oh, yeah.
What's that machine over there in the
corner?
It's an AS/400 IBM machine.
Don't touch it because it's like it's the
backbone of the bank.
You know, you're like that a green screen.
It's like I bet there's people here that
have never seen this.
It's just like they don't even understand
what it is.
And I think that's what you've got to
kind of remember as well, is that it.
We think that people are on the cutting
edge. We think that industries are growing
with the latest technologies and the
latest integrations, but they're not. No,
we're still, as a world, we're still very
basic. Technology is still very much in
its infancy, even after these many years.
So, yeah, so I think everyone needs to
kind of go, right, okay, stop, assess,
understand: where am I going? Where am I
headed? What do I need to do? And how do
I need to be compliant to that?
And to bring something on board in order
to assist and support me in that journey
and work with me in plain English,
as opposed to the jargon and the acronyms
and everything that we love in the cyber
industry.
Yeah, otherwise you're just a cost center,
right?
And you're adding cost.
You're not adding value.
And that's the thing that the business
can't stand because, you know,
they can go out and buy another shoe
salesman, right?
Or they can pay for a GRC system.
One of those two is not making them
money.
Right, yeah, yeah. And so it's always
important to be a good shepherd, and
you'll see some departments, they're just
stuck with old tools because they can't
make that case. Yeah, it's the classic,
isn't it? A business gets hacked.
Beforehand, the CSO's, I need money for
this, I need budget, I need budget.
They go, no, no, no, no, no, no.
They get hacked: how much do you need?
All the money. Great example of how they
had no money before it happened, and
afterwards they were just backing up
Brinks trucks, you know what I mean,
to make it happen. Yeah.
Yeah.
Yeah.
You know, and we look at industries now.
So we've got a lot of food manufacturers.
UK has been particularly hit hard in the
retail sectors and FMCG side.
And they're just getting everyone's
getting attacked.
Literally,
it's like one on one on one on
one.
Now, if I was a betting man,
I'd say, OK,
let's have a look at your cybersecurity
budget.
Hmm, okay, yeah, interesting. Didn't take
it seriously then, but you're taking it
seriously now. Um, and yeah, and you see
that, as you said, classic, classic
example. Look at the airline industry.
It's another industry that's getting hit
hard globally. Think of what that costs an
airline to be down for a day.
It's just insane. And you can say, hey,
well, look, spend one tenth of that on
controls and mitigate most of it. Can't a
hundred percent mitigate it, but you're
probably close to, because the hackers are
going to go, I'll go elsewhere, they're a
bit harder a target. Save yourself money.
But it's the mindset of people thinking
about that, isn't it, I guess.
No, absolutely. That's a whole different
story. No, no, it's correct, yeah, it's
right. So tell me more about your
solution then, Dean.
Yeah.
So as I say, so DC Cybertech,
we're as a services company,
so offering there.
But we partner in particular on the GRC
side with Risk Cognizance.
So the reason why we do that is
head up by a guy called Jeffrey Walker,
a good friend of mine for many,
many years out in New York.
So CISO, twenty, twenty three,
twenty four years as a CISO.
He's been in the industry.
He knows it.
He knows it very well.
Built on the frustrations of.
He's using other platforms.
Of course, he's using other platforms.
He's never really seeing what works for a
business.
It's always from their side,
how they pull more money out from you,
from different entities,
that kind of breakdown to customizable
solutions.
So he said, OK,
what we're going to do,
we're going to build a GRC solution,
simplified.
We're going to keep it really basic,
really to the point.
What does it need to do?
How can you do it?
How can you create that flow?
Use as much AI automation that's
reasonable.
And when we say reasonable to a point
that we're not using AI to do the
tasks that someone should be doing
because, you know,
everyone needs to double check.
You can't just go, hey,
I run this done.
Thank you very much.
Hey, I'm GIC compliant.
but use it for the manual monotonous
tasks.
So one of the processes is that we
use it as an AI function to pull
your policies into relevant controls.
Now,
That's an AI function, right?
We shouldn't need to do that as a
human person.
And that is a weekly, monthly,
if not a yearly task in a large
company, right?
I've got a policy one.
I've got a list of four hundred controls.
Which one does it align to?
Do, do, do, do, do.
Policy number two.
Do, do, do.
Right.
So we use AI automation in order to
do that.
Removes all that manual task.
You can check it.
And I would always say to people,
always double check it.
It's ninety nine point nine percent
accurate.
There's always the point one percent
because it's a machine and to go through.
And then you say, OK, well,
I'm missing four policies.
I need to create those.
I'm sure.
And to be fair, Jason,
out there and someone may be even saying
this right now.
Hey, I love creating policies.
But that's a very,
very small percentage of people in this
world that would ever, ever dare say that.
Because let's be honest,
it's one of those ones where you go,
I've got to create four policies.
I've got to get the template and I've
got to do it.
And I've got to check the control.
I've got to make sure.
And wow, that just, it's boring,
let alone anything else.
So the platform will create the AI policy
based on the control,
based on the details.
You can edit, you can add to it,
you can amend it.
And the best bit is,
what use is a policy if you then
don't share it with the business? So how
many companies go, we've got great policy
controls, brilliant, but if I went to
Sandra in the ops team and asked her, she
doesn't know where they are, she doesn't
know what they are, doesn't know what they
do. Say, okay, that's quite alarming.
So what the platform, we can do, is make
sure it's relevant, it's highlighted to
the relevant people, that the
information...
That the information is sent out to the
relevant area and it's stored in the
relevant area as well,
because anybody that says, well, OK,
I need to check on my policies.
They've got to be up to date.
They've got to be relevant.
They've got to have visibility and they've
got to be available to the right people
at the right time.
Um, so our platform enables, in order
to do that. Yep, so it's going to put it
in the right place, it's going to
highlight it to the right people,
it's going to allocate that, it's going to
update that, it's going to be relevant,
it's going to show you the most up-to-date
version of it, minus audit controls,
minus investment, minus whatever it might
be. That's what you want, right? That's
the purpose of policies and the controls.
So the platform is doing that as a basis.
It's then creating the assessment.
It's giving you enablement in order to go
through that assessment.
I run what we call a program to
check and sense check that information,
to look at where your risk sits.
Where in the business do I need to
focus?
What am I perhaps over excelling in,
but under excelling in at the same time?
And then that's been before we even start
looking at third party risk management.
So look at most of the controls out
there now.
And I think it's probably going to be
more and more relevant in new controls
that come into place.
Third party risk management is huge.
So you could be brilliant.
Yeah.
Hey, my company,
my company XYZ is brilliant.
I've got great policy controls.
I've got people in the team that do
it.
That's interesting that you use this
particular software vendor.
Yeah, yeah, yeah.
So are they compliant?
Yeah, I think so.
They said they are.
They said they are.
Exactly.
Yeah, yeah, yeah.
They've gone.
Yeah.
They did.
We did a third party risk risk assessment.
When was that?
Three years ago.
Right.
And they haven't changed in three years.
Oh, yeah.
No, I'm pretty sure I have.
Right.
And all of a sudden you start going,
yeah, OK,
there's a few alarm bells coming out here.
Hey,
and I'm not an auditor and there may
be some auditors listening that will go,
I'm going to zero in straight on that
because I know that's a risk area that
businesses forget about.
Hey,
you want to be compliant to standards?
You're not compliant.
And then when you start looking at
government contracts, you start, hey,
I want to work with the DOD and
DOJ in the US.
I need to be timidly compliant.
I need to be at level two.
There's a lot of work here.
Oh, hang on a minute, I'm not.
Oh, I've never investigated.
Oh, I've never looked at that.
I didn't even know that control existed.
Well, okay, you know, there's a lot of
alarm bells. And this is, we're speaking
way before the auditors are coming in
checking. So we're talking the preparation,
we're talking the work, the putting the
effort in order to kind of get to
that piece. And this is where Risk
Cognizance utilizes all of its background
and its being and its understanding and
its AI topics and its automation
processes to make your life, or anyone's
life within that business, as easy as
possible,
because we want to ensure that every
business is compliant,
whether you're a one person or a ten
thousand or a hundred thousand person
company.
We want to ensure that if you want
investment,
that if you are getting involved in a
merger and acquisition,
if you're going for a compliance
framework,
that you've got the confidence to know
that.
And there's Risk Cognizance.
It's going to tell you.
It's going to let you know.
It's going to update you in real time
to say, hey, you're nearly there.
Hey, you're now green.
You're in the green.
Fantastic.
Brilliant.
You've got a few things to work on.
These are the things to work on.
You can allocate that to your users.
Brilliant.
Have they done it?
Oh,
it tells me they haven't done it yet.
So you've now got a project plan built
into the platform as well.
So when everyone's kind of sitting there
going, oh, I don't know.
And I've got a spreadsheet and I've got
an email for that.
And I'm pretty sure I asked Jeff to
kind of sort that out.
And Jason didn't look at that.
And I'm pretty sure he's on holiday this
week.
Brilliant.
But an audit is not going to be
particularly impressed or, you know,
or anyone investing within the business as
well.
So if you turn around and say, hey,
yeah, compliance, not a problem.
Here you go.
And they go, oh,
what do I have to look at?
Just there, one login.
Okay, where's the information?
Right there.
Where's the documents?
Attached to each one.
Brilliant.
Well, what have you done about it?
Here's the audit log.
Have you updated your risk register?
Yep, here's the latest one.
Well, how do I know what you're doing?
Here's my project plan.
But when are you getting that done?
These are my timeframes.
And all of a sudden,
it doesn't take a genius to say,
when you're a business and you've got that
level of
I guess kind of confidence, and
that you're putting it out there, people,
you know, auditors, investors, whatever it
might be, are going to go, okay, these
people know what they're doing, you know,
they've got it ticked, they've got
everything signed and sealed. They're not
the panickers. The worry is that it's
here, it's over there, back and forth,
dive and delve. And I'm sure that's
happened, you know, in other businesses,
where they'll go, hey, I'm fully
compliant. An auditor comes in and goes,
brilliant.
So let's have a look.
Oh, what's this?
And they go, oh, no, no, no,
ignore that.
Don't look at that.
Why is it here?
And they start, you know, diving in.
Picking it apart.
Yeah, yeah, exactly.
So at Risk Cognizance,
we have an audit platform built into the
system.
So you give the auditor the direct line,
the blinkered view as such,
to the point of,
this is what you need.
This is what you can see.
And then when the auditor's finished,
you say, thank you very much.
We're going to take away your access.
Because then is there none other, oh,
hang on,
I just need to go in and double
check this.
It's like, oh, hang on,
what have I found here?
Hey, but you said we were compliant,
but now we're not. What's going on?
So you don't get any of that. So
we kind of remove that from that basis
as well. And, you know, the thing is,
a lot of people, and they don't get
this, especially if you look at a junior
leader, they think the audit issue is the
issue, right? Look, auditors are always
going to find something. You want them to
find things, right? Don't ever be upset
because an auditor found something.
That's like a pen test, you know, don't
be upset about pen test findings, because
they're great, right? You know, you want,
you know, I would always be more worried
about an audit or a pen test when
they didn't find anything.
I would think they did.
Oh, yeah.
Yeah.
I would never trust that ever again.
Right.
And regulators are the same way.
But that's not the problem.
People always, oh, my God,
we got an issue.
The OCC came down and gave us an
MRA or or something else happened over
here.
We got an observation from, you know,
someone, you know,
the people doing DORA now or whatever.
Right.
That's not the issue.
The issue is the fact that what did
you do after that?
Right.
Because that's usually what gets you in
trouble.
They're never going to come in and go,
I'm going to shut your business down
because you don't have good IAM controls
around MFA.
That doesn't happen.
Right.
Unless you just literally have none and
people are walking out for money.
They don't shut your business down because
of the issue.
What they do,
what you get in trouble for is when
they come back three months later and they
ask you for the update and they go,
where are you
on fixing this problem? Or, you said it
was only going to take six months, I'm
here at month seven and I don't even
see what you've accomplished. Right? How
does that, so how does the
solution you work with, you know, fix those
things?
Yeah.
And great question.
And a real life, you know, scenario.
Right.
Because that happens all the time that
it's as you said,
you should never fear the auditor.
You should never fear even, you know,
internal as well.
Right.
So because they're there to find the
information so you can address it.
And that happens across all regulatory
boards.
Right.
So.
So once you've got that and you've kind
of gone, OK, the auditor,
the internal auditor, the assessor,
whoever it might be inside within the
business comes up with these things.
The platform enables you with all those
issues that are being addressed,
be it self-found,
found through the system scanning through
AI or through post-audit perspective.
Those points become a plan of action.
And a plan of action then is great
if you can only track it.
And you can say, well, you know,
I'll email this person.
Say, for example,
you've got fifteen points, fifteen emails,
fifteen different contacts.
And then you're on to something new in
a new project and you're still catching up
with that.
That's a lot of workload.
Right.
And we are human.
We do forget.
But now with Risk Cognizance,
since you can allocate the task to an
individual,
give them the allotted time frame,
allocate hours.
You can even allocate a budget that shows
within that report as well.
Then within the plan of action milestone
report, you've got who's doing what,
when are they doing it and at what
action point?
Because it's great when we say to people,
hey, Jason,
I really need you to build out two
new policies for the latest FedRAMP two
controls.
I noticed we're missing them.
Can you get that done this week?
You go, yeah, not a problem, sir.
Let me get it underway.
And then people forget about it and it
doesn't happen or you don't write it down
or whatever it might be,
or we delete the email.
Whereas in the Risk Cognizance platform,
it sits there.
It shows us a task.
It shows I've allocated to Jason.
This is when I allocated it.
This is when it needs to be completed.
Now, me as an admin,
I can go in and go,
Oh, I mean, I've got an outstanding here.
Jason hasn't done this.
It's now flagged.
Hey, Jason.
Yeah,
I noticed that we've got this outstanding
task that you haven't done with the new
policies.
Oh, yeah.
Oh, yeah.
I forgot about that.
Right.
Well, we're now urgent.
We need to get it sorted.
Right.
I'm going to resend it to you.
Here's the link.
So you can't get lost.
It's going to take you directly to that.
OK, brilliant.
It's also going to say when the person
says, oh, yeah, yeah, I'm working on that.
Well,
that's interesting because it tells me
here you've never looked at it.
You haven't even opened the link because
it's a URL link, right?
So it's going to take you straight into
the platform.
Oh, no, no, I've looked at it.
Well, you can't have.
So you can tell me all you want
that you've looked at it,
but it didn't happen.
So how about you look at it and
you get it done?
And this isn't about catching people out.
It's about saying,
if I'm a project manager or if I'm
a program manager or business analyst or
even a CISO,
a VCISO utilizes our platform a lot.
I want to know where I'm at.
I want to know where my tasks allocated
are, where they're at,
how long it's going to be.
And do I need to chase people up?
I don't want to chase people up who
are doing the work.
And I can see that in the platform.
I don't want to chase people up that
are off now or I've over allocated because
you can allocate a thousand tasks to an
individual.
I can see that now in my kind
of plan action milestone report.
Brilliant.
OK, fantastic.
So I can now share the workload.
I can allocate it to the right people.
I can understand when they're doing it,
who's doing it, what they're doing,
et cetera, et cetera.
So the platform itself is built around
assessment,
program completion within that process,
and then the next stage: the audit, the
boat, the post, the checkup, the actions,
the plans, the new whatever it might be.
You know, let's build a new business
continuity plan, let's build a new
resilience plan, let's create new
policies and functions. Do we need to hire
people? Do we need to bring on new
vendors?
Do we need to check our current vendors
and get rid of them because they're
causing the risk?
And that's where the platform all comes
into one hub rather than one here,
one there, one there.
And I've worked with some fantastic
vendors out there and some software that
is brilliant in what it does.
And it does one thing,
and it does one thing very well.
But when I'm putting that data in,
it's another outside application.
You know, it's another one.
So Risk Cognizance will connect.
So it has full API integration.
It's going to pull those data together
into one area.
And how easy is it as anyone within
any industry,
within any business in a form of admin
kind of control to have it in one
place?
One review, one place, one visual report.
Thank you very much.
Let's make our lives easier.
Why are we making it harder for ourselves?
Let me ask you a question here too,
because sometimes, and this is the old,
like my daughters always ask me, they're
like, Dad, how did you do that? I'm
like, well, it's on my phone, it's a
tool, you go here, you do this, you
do this, you do this. I was like,
it's more than just, you know, TikTok, right?
You know, the phone, you can do
a bunch of stuff on there, but you
have to know, right? And what I've seen
a lot of times, and I'd like to
ask you, like, how did you guys overcome
this, right? I have the greatest tool on
the planet but I don't know how to use
it.
I only know how to use five things
and therefore I'm never going to get the
value out of this product, right?
So how do you guys overcome that?
So we do several things.
So we always say demo before anything.
Let's take you through the platform.
I think that's pretty standard, right?
From the demo, we then go,
we're going to give you a seven day,
three proof of concept trial.
We're going to give you the whole
platform.
You're going to play with it.
You're going to get in there,
click on everything.
You go, brilliant,
but I don't know how to use it.
Like brilliant that you've given me a
platform, but what do I do?
So we've several forms.
So the A for one thing,
we coach and guide you through it.
So we offer full twenty four seven support
in order to do that.
We can do that because we've got agents
across the world so we can cover any
time frame any day.
The second part is we've got an academy,
a training academy in the platform.
So it tells you,
takes you through the process.
OK, where to start?
And it's literally you're in the platform
doing it.
So it's a training platform in the
platform.
So you can say, OK,
I'll go through the training academy
internally, work through the process.
OK, now I understand how it works,
how it operates.
But people are different learners.
So now we kind of go, OK, well,
I just want to get used to it
and just do it.
But I don't know how to get to
there.
We then have a training folder.
And in there, we've got how-to guides.
We've got YouTube videos.
So kinesthetic learning.
People learn different ways.
People love to read.
People love to see a video.
People love to be told.
People love to just play with it and
pick it apart.
So we've got all of those options
available.
So anyone that we get to and during
that POC,
we say this is your chance to just
completely play with it.
You can't go wrong.
You can't make mistakes.
You can't break the law.
You know, it's just it's it's in-house.
Oh, actually, that's quite interesting.
Oh, how does that work?
How does that work?
And we always say to people,
we've got an internal ticket system.
Raise a ticket.
It's part of the standard program within
the platform itself.
We also say just email us,
just phone us.
You know,
I've got clients now that will ring me,
a client in Cambodia, and I'd wake
up at four a.m.,
with a list of like,
how do I do it?
Brilliant.
I'd rather that than not ask.
And we just cover it off.
We go, okay, bam.
Here's a how-to guide.
Here's a there.
Let's jump on a call.
Let's talk through it.
Because as you said,
the platform can be brilliant,
but if you don't know how to use
it, it's not really a platform, is it?
And I'm sure we've all been on calls
with the customer success teams that go,
oh, yeah, brilliant.
And they've got their own little agenda
and their own little script.
And they go running through it at a
hundred miles per hour and you kind of
go,
what? Like, what you said twenty minutes
ago has completely just, like, just
literally popped out of my brain. I have
no idea. So we take it through on that
kind of process, and we support, we
guide, you know. Onboarding for us is two
weeks, and we don't need two weeks, but
we onboard, we support, you know,
hold hands. We kind of say, well,
let's go through it, let's have a
check-in, how are we doing? And because
we've got that helicopter view, we can
see what people are utilizing and using.
So, yeah, I see you haven't gone into
multiple assessments, or I see you haven't
looked at perhaps the vulnerability
scanning part. Are you comfortable with
that? Do you need support? We'll jump on
a call, we'll do a demo on that part as
well. So we're always offering support.
We don't charge for that. You know, you
could say, I want a hundred demos over
twelve months.
Yeah.
I don't know.
I've got a problem with that.
I'm an MSP and I'm bringing on new
clients,
but I need a bit of technical support.
No problem.
Bring us in.
We're happy to do that.
We're there to offer that in all parts.
So we are by no means sell it,
move on.
We coach and guide you through it, as if
we're working with you as opposed to
being an external provider. So, and that's
part, you know, DC CyberTech as well as
Risk Cognizance, where we're offering that
kind of service overview, because people
then say, oh, okay.
Brilliant.
I'm using the platform.
Risk Cognizance is great.
I'm on the compliant.
I probably need to build out a team.
We can support with that.
I probably need to do some pen testing.
We can support with that as well.
And then we can just kind of get
on there or we can advise, you know,
hey, I'm looking to bring people on.
Can you give me a bit of an
idea of what that's going to cost?
Yeah, no problem.
Yeah.
So we kind of build that into the
platform and support structure as well.
Awesome.
Okay.
So what else,
anything else you'd like to add before we
wrap it up today?
Cause this has been fantastic.
And obviously I wrote a book on GRC,
so it's kind of like,
I'm a GRC nerd.
Yeah.
Yeah.
I, you know,
I would say anybody listening,
anybody that is growing and you're using
Excel, I want you to really,
really look inside and say,
am I actually compliant?
Is it doing it what I need it
to do?
And if you're not, give us a shout.
We're not about pushy sales.
We are by no means pushy salespeople at
all.
Really not.
We are about, okay,
what are you looking for?
And we can give you an idea of
cost.
And I can hand on heart probably say
we'll be at least a quarter of the
price with pretty much anyone on the
market.
And we do it because we're not to
come to investors.
We're not lining the investors' pockets.
We build it ourselves.
We're not reliant on third parties.
Therefore we can keep those costs low and
we're going to pass it over to you,
right, as a business. So anybody wants to
have a chat, even if you just want
a bit of a scope and a bit
of an idea, feel free, give us a
shout. Not a problem.
Well,
and hopefully we've been answering some
questions during the talk as well in the
chat.
And all of Dean's contact information is
linked in.
The company information will all be
attached to the article as well when it
comes out.
And Dean,
I appreciate you coming in today.
And thank you.
And again, thanks for coming on the show.
I appreciate it.
Jason, yeah, always a pleasure.
Appreciate your time.
And yeah, thanks for the invite.
Awesome.
All right.
Well, thanks, Dean.
Appreciate it.
No problem.
So, hey,
thanks for joining us and the talk with
Dean today has been fantastic.
Again,
I am a GRC nerd and I love
talking to people about GRC,
but it is an incredibly important
fundamental aspect of your business.
And if you don't know what a GRC
is or you haven't thought about a GRC,
then that's the next step you need to
take if you want to become bigger,
if you want to become better,
if you want to become faster,
if you want to eliminate a lot of
those barriers,
audit headaches or regulatory headaches
that you run through.
Because if you don't know about
regulations or compliance or controls in
advance,
you're just setting yourself up to fail,
right?
So again,
reach out to Dean and the company to
talk about more about that.
Also, if you like this conversation,
if you enjoyed it, please,
and you're a company or you're a person
who would like to present on any topic,
we're taking proposals now.
So just come over to baremetalcyber.com,
click on the Society of Cyber
Professionals and at the bottom,
fill out the form or just contact me
on LinkedIn if you want to
set up a time to do this.
Also,
we have a group if you'd like to
connect with it,
the Society of Cyber Pros,
and you can request to join.
We only accept cyber people.
So again, it's a knit community,
a close knit community, where it's
not just one of those big open groups
on LinkedIn where you have one hundred
thousand people and ninety nine thousand
of them are not, you know, cybersecurity.
So again, Jason Edwards,
thanks for coming in today.
And if you want to find out more,
go to bare metal cyber dot com.
And I hope you have a great day.
Thanks, everyone.