May 20, 2024 Amy Ford

Fireside Chat: RiskInsiders to the Rescue GRC Compliance Programs


Transcript - RiskInsiders to the Rescue with Amy Ford, COO and co-founder at Steel Patriot Partners, talking about GRC programs.

Megan Manville - Risk Optics

Amy Ford - Steel Patriot Partners

Megan Manville: Hello, and welcome to this episode of Risk Insiders to the Rescue, a web series dedicated to highlighting common challenges and innovative solutions across security and GRC. I'm Megan Manville, and today I'm joined by Amy Ford, Co-founder and HITRUST practice lead at Steel Patriot Partners. Thanks for joining me. Amy, why don't we begin by you telling us a little bit about yourself and maybe a fun fact about you and your security career.

Amy Ford: I'm Amy Ford, the COO and HITRUST lead at Steel Patriot Partners. A fun fact: within the last 10 years, I got into the security space, and prior to that, my background was in human resources. I think it's a really easy transition when you go over to the security compliance space because HR is very rules- and governance-focused. Shifting into the security compliance space was a really easy transition for me because they're very specific. Here are your rules, here is what you need to do, here is how you need to do it. And so I was able to transition over. This has not been a life career for me. It's kind of new within the last 10 years.

Megan Manville: Wow, that's interesting. I hadn't heard it explained that way, but that makes a lot of sense. You know, you look at something that's very rules-focused. I was talking to a customer earlier and mentioned, you know, thank you for Arthur Andersen and Enron, right? Because that was the genesis of SOX. And I think like it's kind of come that way, right? Like we kind of, all of us kind of joined this new industry as these things are happening over the last like 10, 20 years or so. That's awesome. Very cool.

Megan Manville: Oh, well, I introduced you when we started here. Obviously, co-founder and COO at Steel Patriot Partners, but also HITRUST practice lead. Tell me a little bit about Steel Patriot Partners, maybe some of the challenges that your customers have approached, and I'm guessing maybe some of it with HITRUST, right? That's probably one of those challenges you have there.

Amy Ford: So about two years ago, probably about 18 months ago, we were having a lot of conversations with our customers about HITRUST. HITRUST, as you know, is a gold standard in the healthcare space from a compliance perspective. At that point, we were looking at what we need to be able to do to effectively help our customers go through that process on the HITRUST side. As an organization, we made the decision in 2023 to become a readiness licensee, and myself and my entire compliance team went through the training required, so that we are prepared and really get a deep dive and understand what is in the HITRUST CSF framework and what it takes to get through that process. We did that in fall of 2023, so that way we can really understand the controls, what they're looking for, and how we need to implement technology within our customers' environments so that they come out the other side with a successful validated assessment.

Megan Manville: Oh, I love that. And I think it's very much the sense of, you know, if you guys can become the experts in HITRUST, then your customers, when they come to you, you know, they have that reliance. They know that you guys are there to support them. And even if they have questions, you've probably, you know, had one of those challenges for sure.

Amy Ford: We've encountered it and we've dealt with it. Through our relationship within HITRUST, we have the ability to pick up the phone and say, okay, what does this mean? Or how does this work? And that's really been instrumental, and all of our partnerships that we have to have those relationships and help our clients through that journey.

Megan Manville: Yeah. More than just a tool, it's truly a collaborative approach of coming in and helping them, not just with the assessment, but understand and educate there.

Amy Ford: Absolutely. And that's one of our key things is for anyone going through, whether it's HITRUST or SOC or FedRAMP, whatever it may be, our goal is to educate first and foremost so that people really understand what is it they're getting into, why they have to do it, what does it mean? And then getting them through that process, alongside with them.

Megan Manville: No, that's great. And you mentioned a couple other frameworks in there, so not just HITRUST, right? Steel Patriot Partners, you guys cover a vast number of frameworks and concepts within the cybersecurity world?

Amy Ford: Yeah, so I tell everyone this, you know, a framework is a framework. There are many of them out there. For the most part, the controls are pretty much the same across the board. They're worded a little bit differently, but they mean the same thing. So from a framework perspective, we're really agnostic. If you want to go for FedRAMP or HITRUST or SOC, or there are many other ones, we can get you through that process by implementing. Our compliance analysts understand how the controls are written. Two of our analysts were auditors before they came on board with us, so they understand what the auditors are going to be looking for and asking for, and how they like things, so we're really agnostic. We're just helping you get through that process by implementing compliance as a customer.

Megan Manville: Awesome. You mentioned something in there. I want to shift gears a little bit then, because I know you mentioned talking about having like auditors as part of your team and some of these experts and things like that. We've talked a lot about the maturity of a GRC program, right? And how to not just implement one, but grow and mature with that over time. What I hear, based on this too, is you're helping folks with a lot of different frameworks, a lot of different challenges there. What are some of those key factors when you're starting out in GRC, so that you can establish a good foundation for that scalability, for the next framework?

Amy Ford: Yeah. The way I look at it, what we see, and the way I've been able to articulate it the best is there's kind of three big challenges just from the beginning that companies need to look at and address. A lot of times what we're seeing is at six to nine months in or 18 months in, but executive buy-in. If it doesn't come from the top, unfortunately, your program isn't probably going to be successful. And what we see is a board member will come in and say, thou shall, or a contract dictates, you need to have this certification in place. It becomes a checkbox exercise from a leadership perspective, because the customer said, if we don't do this, but they don't really understand and really are not bought into why they have to do it. That's a key one.

Amy Ford: Then the next level down is maybe the leadership team is bought in, but the employees are not. The people that are actually day to day going to be implementing these controls, going to be living, breathing, having to make changes. Let's be honest, change is difficult for all of us. When you've been with a company for a year or five years or 10 years, and you've always done it a certain way, then it becomes, well, why do I have to change now? And it's a cultural shift.

Amy Ford: Then the last one that we see a lot of, and it's interesting, I've had this conversation with two customers this week alone, is everyone understands it and they buy in and they're all in for it, and they get it. However, the people that are tasked with doing the work don't have the time, the bandwidth, the capacity to be able to do it. So it becomes a, do I do an item for a customer that is revenue-generating, that is part of my nine to five job, or do I focus on implementing this control, which isn't revenue-generating right now in the near term? Employees are looking at the here and now, where your executive team and your leadership team is thinking six, nine, hopefully 12 months down the road. Knowing that if you put these controls in place, the revenue that you can get from having these compliance frameworks in place would drive it, but employees look at the here and now and what does it mean for my nine to five job today?

Megan Manville: Yeah. You know, it's funny as you're telling this story, it reminded me of when I was back in my InfoSec role, and one of the things that we had to do was we were aligning with ISO 27001. We knew we needed HIPAA, we knew we needed PCI, we had a lot of work to do, and I was the worst at it. I was like, Hey, everybody, you know, like developers have access to production, shut it down. Everybody needs a mobile device on their phones, everybody, and just roll it now, right? I think when you come from the security side, you get a whole bunch of people who are like, whoa, whoa, whoa. Like, what are you doing here? And so being able to communicate that, it sounds like that's something too that you all have seen and can help guide your customers as well. If I had you next to me, you know, guiding me of a kind of, you know, what to say and how to approach it, because I think that's true. The management might buy in, but if you don't have the people boots on the ground, for lack of a better word, understanding it, they're just gonna be like, all right, whatever. You're crazy. Go away. I got my job to do. Right.

Amy Ford: And a lot of times they look at it as, you know, from a security perspective, you just put things in place for the sake of putting things in place. There's no real reason behind it, even though there's like loads of documentation and, you know, you hear case studies or you read in the news articles on things that are happening. They don't, it's, oh, security's just there. It's not real. It's for the sake of, you know, busy. It's keeping you in a job. And I'm like, it's not, we're here for a completely different reason, but, you know, that's the way a lot of people see it. Or we just, we're roadblocks. You know, you say that and you're like, well, put this in place and you can't do this. And then all of a sudden it was like, I can't do my job because Megan's put all this stuff in place, and now I can't do my job.

Megan Manville: Exactly. And it's always us, right? Megan put this stuff in place, Amy did this, right. It's not, absolutely. And I think it's true too, even if you think about, you know, going for, and that scalability too of like, oh, it's always something else, right? Or it's always this, it's always that. And I think a lot of it is perception. And I've had conversations previously about like, the purpose of compliance isn't to be compliant, right? Like, yeah, okay, we're going for that framework. We're going for that audit or that certification. But at the end of the day, the reason you put those controls in place is to protect your business, is to reduce risk. And what, you know, compliance folks are doing is just making sure we're reducing that risk. You know, making sure that we're still in a good spot. But I think people tend to still get hung up on, well, it's a checkbox activity, you know, do we have this report? Whatever, here, take this report, take this screenshot, talk to me in a year. And that's, it's really the true value of that compliance side of it that is lost a little bit.

Amy Ford: Yeah. And it is, and you know, unfortunately, when there's an incident or things that happen, it's not the employees that have a direct line and they don't see, you know, is there an attack and how does that impact your business insurance, your reputation with your customers in the news, with your board, with your partners. There's such a downstream impact when you have something that happens in your environment that most people don't think about. Like it's a web that spreads out to, and it makes your partners and everyone else start to question things. So you're putting these things in place from a reputational perspective and then, you know, from a financial perspective as well.

Megan Manville: Yeah. And that's a good point too, the reputation, the finance. You know, I always joke if your driver for getting your SOC 2 or your ISO or whatever, that your driver is often revenue, right? And we see that a lot of times with startups where, hey, if you wanna compete in this industry, you need a SOC 2. And so they jump to the SOC 2 because that's what they need. But if you think about that revenue impact, you know, if you're just doing it as a check the box activity, you might get revenue today, but if those controls aren't really doing anything, and then you get breached because all you did was check the box. Now, you're, you know, that revenue impact is there. And I think you're right. It's sort of that longer-term vision of what's gonna be the impact there.

Amy Ford: Yes! And that's part of the conversations that we have with our customers when they're coming on board is to make them, you know, make sure they understand, okay, why are we doing this? And our team needs to understand why are you doing this? Is it a contract? Is it your board? Is it, you know, you have a new CISO in place that came from an organization where they had this and they wanna put this, help us understand that because we can better tailor our messaging to you. We can better tailor our plan to you, and to your teams to be able to continue to evangelize that message for you so that way you can get through this successfully. Like we talked about in the beginning, it is educational. So I have had, I've sat in all-hands meetings and explained with our customers, this is why we do it. And ask me the in-depth questions, ask me why on certain things. I'm more than happy to be able to go down that road with employees because I want them on board. It makes it easier for my team. I'm gonna be a little selfish there. It makes it easier for my team because everyone's on board and it's getting it there, but it also makes it so the customers get through this in a much quicker fashion and get to a successful and a happy end result.

Megan Manville: Yeah. You know, it's interesting. One of the things that, we did a benchmark study last year, and one of the things that we found is that among organizations, among the everybody who responded is there was a huge disparity in how people just define terms. And so even just thinking about, you know, what is a control, what does that mean and how does that relate to the requirements or objectives or whatever you wanna call 'em of a framework? And then, you know, on that side, right, what is a threat versus a risk? And some people, right, they don't differentiate that within their business. And so that's a big piece of kind of what, what I do as well is focus on the education when we're talking about it. Because, you know, I hate the expression, but it is true. It's garbage in, garbage out. And so if you start with messy craziness that you don't really know what you're doing, you're not necessarily gonna be able to mature in the way you want to. So really understanding, educating, and setting that solid foundation, I think is really key when we're talking about scaling GRC, just in general. 'Cause now, now you add another framework, you add another department, you start adding risk management, it's just gonna explode out there.

Amy Ford: And it continues to grow and it'll, it grows on each other in different ways. Most people don't realize how those are so interconnected. One feeds off of the other, which you may not think about. So it's important that your foundation is solid, and as you continue to grow, it doesn't crumble underneath you.

Megan Manville: Yeah, absolutely. I'm interested, I know you help a lot of your customers, your clients there, get set up. How has automated evidence collection sort of changed that dynamic with the auditor, the compliance person, and some of those end users? We talked about them maybe not necessarily understanding the importance of compliance. Have you seen a little bit of a shift in that, in the engagement with some of your customers who have started down that automated collection process?

Amy Ford: Unfortunately, it's not in a positive light because it is automated. So no one really sees it. We have integrations built in. Some of this stuff just automatically happens. Or they're pulling a report and just sending it over. They're not understanding what is in that report and why it's important. It's kind of an automated process, so it's kind of there it is, gotta go. You're not manually or physically going in and pulling information. So I think people kind of get, you know, I just have to do this and get it across versus really going in and figuring, all right, how am I gonna get this information? And why is it important? It works from the customer perspective and from our perspective because it's easier, it's faster. We're making sure we get it. It's an, it runs every third Wednesday of the month and it automatically, some of it is automatically pulled and you don't have to think about it. So you kind of forget that it's there, which is a good thing because it's automatically there. The auditors go and they look and they're like, all right, you say it's done every Wednesday at 10 o'clock. Every Wednesday at 10 o'clock I can see that X, Y, Z, and W happened. Great. But sometimes, you start to, you don't get into the weeds of things and you forget why, or you don't know why.

Megan Manville: Interesting. I actually wouldn't have even thought about it that way. But yeah, it's almost, at least when you have to have the manual collection, it's an opportunity to have a conversation about it. With the automated, you're taking a little bit of that collaboration away. Have you seen any, kind of unique approaches to that where customers have kind of married that automated with a little bit of that communication, anything like that where you might have any tips on implementing it?

Amy Ford: One of the things that we do here is as we are onboarding and we're going through that process, we explain a majority of it to the customer. Sometimes, begrudgingly, they don't; they're like, just whatever, we just want it, whatever we need to do, we'll set it up, and it automatically goes. But we take the time to say, this is why you're doing it and this is why it's important and this is the information that's in there. Then we do have some customers that will stop and go, well, why? Why do you need that? Why do you need that integration? Help me understand that. What does it mean, what does it tie to? Those are the customers that really are invested in. Okay, I'm behind this and I'm a hundred percent on board. I just wanna understand why. IT folks, for better or for worse, especially when you start building in integrations or you're poking around or you're pulling stuff out of their environment, they wanna know why, because they feel like it's their kingdom, and this is my kingdom, and why are you messing with it and why are you pulling information out? I wanna understand better, which is good. So we make it a point to whether begrudgingly like it or not, this is why we're doing it and this is why we have to get this evidence so that people are educated. That's a huge thing for us here is education. It's understanding what you're doing and why you're doing it. Because if you understand it, you're more apt to be like, all right, Amy's not just sending this over to be a pain. This is why she's doing it. And you're more apt to build that relationship and be like, all right, fine, I don't really have the time to do this, but I'm gonna do it because she's taken the time to really let me know why. And that's important.

Megan Manville: Yeah, it's funny, when I started in my InfoSec role, we sat in IT, and so I was very engaged with our network admins, our system admins, everyone on that side. And so I had that very personable approach. Not every company has that. I used to joke, when donuts stop working, you bribe people with donuts and you bribe them with pizza. I was on a webinar one time where somebody said, yeah, it's donuts, pizza, tacos, beer, and once you get through beer, if you still need it, then automated evidence collection, like that was her wrap. So she is like, hey, I've tried everything I can to capture this evidence and to play nice and to, you know, not inconvenience our IT folks or whatever. But it's true. So I think the approach was integrations are the new beer, right? So how do you get IT people to give you your evidence? You bribe them with integrations, but being clear upfront of like, hey, we just wanna check. The biggest one is if you're talking to an IT person, speak their language, right? And so, hey, we just wanna check to make sure that the root user is disabled and they're gonna go, oh, you know what you're talking about. Okay, cool. And I think having some of those, we just wanna check this without inconveniencing you. That little bit of communication I think really does go a long way if you don't have that interconnected handshake there with the IT team.

Megan Manville: Awesome. Well, cool. So thinking a little bit about your experience and all that we've kind of talked about here with your customers, any specific challenge that you wanna talk about and share with some of the folks that we're watching? Anything you've seen kind of consistently come up with your customers that you've been able to solve for them? Or any creative ways that you've approached any challenges that you wanna bring up?

Amy Ford: I'd say the biggest challenge we see, and it's with organizations that have probably never gone through a framework before, whatever it may be, when they first look at it, they look at the system and they go, oh my gosh, there's how many controls? There's what? How do I, I can't do this. I don't have the, I don't have the resources, I don't have the time. I don't understand what this control means. I hear that so much across the board. And you get a lot of people early in the sales process or after they're on board. That's a big one. And it is overwhelming. And anyone in any role, if you look at it and you see this big project and there's 400 tasks you have to complete, you don't know where to start. Or you start something and you get distracted and you leave that and you go to the next one, but nothing ever gets finished or nothing ever gets done. And that's a big thing that we see. So the approach that we take with our customers is, we kind of chunk it up, okay, what do we need to do? Okay, there's this framework. It has X amount of controls, let's just take it, break it down into smaller chunks that are more digestible, and break it out that way. So you can get through it and they understand it and they're not so overwhelmed by all the controls. And being kind of, like I said, I always tell people, and I'll use this example for myself, I Fisher-Price it for people. Make it as simple as possible. 'Cause if I'm a non-IT person trying to understand that control, it's like, what, you know, we put it down in the simplest terms possible. Do you do this? Yes or no? Well, what does that mean? Do you have MFA set up in your environment? Well, I don't know. We do on some things, but not on others. Okay. Well, let's talk about that and how does that work? Break it down in very simple form, small chunks to get them through that process.

Megan Manville: Yeah. It's interesting. I think some of the frameworks being very large as well can be very overwhelming. And I think, like you said, breaking it down. One of the things that I've found, and I'd be interested to see if you see this as well, is folks will come in and they're like, we know we need GRC, and maybe we're doing a little bit of this, a little bit of that. And then you go to sit down and conduct that assessment or deploy a tool or whatever you're doing. And it's very abstract to start from nothing. And so, to go to somebody and say, oh, what are you doing for security? And they're like, firewalls, right? But being able to guide them like that of like, hey, so what do you do in terms of HR onboarding, right? There's one, Hey, what do you do for security training? And kind of guiding them through the different domains of cybersecurity. I think it helps make it, it helps them understand what's there because it can be overwhelming and thinking about, oh gosh, I'm starting from scratch, but no, you probably have some stuff there.

Amy Ford: Absolutely. You see that a lot. In HR department, I'll pick on HR. Sometimes the person that's heading up the framework doesn't understand everything that's in place for HR. So they're like, no, we don't do this, this, and this. And you go to the HR person, they're like, of course we do. Yes, we background screen everyone. How did Johnny forget that he went through a background investigation when he started? Our approach is, let us talk to the key figurehead and get all their documentation. We wanna see it all. And then from there we say, okay, we've read everything that you've provided to us. We're not seeing this, this, and this. Did we miss it? Does it mean something different? It helps educate everyone across the board. 'Cause then they can be like, oh, I didn't realize that HR did X or it had this in place. We try to provide that guidance so that way they can see, okay, we've got 50% of the controls already in place and we have these other 20% of the controls that we have in place, but it's not documented someplace. So we know we need to do that. And then, okay, the rest, we need to work on and we need to get through the process, and we break that down for them so that way they can see, okay, this is a really good spot to be in, because we do have a lot more in place than we originally thought.

Megan Manville: I think what's really key with that too, is the fact that that's an internal assessment before you even talk to any type of auditing firm, external firms, certification body, anything like that. That really is that first step of, we just gotta figure out what we have so that you can make a plan. You never want that to be with your external auditor, right? God forbid, that person comes in and you're like, oh yeah, we totally do background checks. Like, I don't know. But having that understanding and doing that proactively then allows you to fill those gaps. So when the auditor comes, it's not like, oh yeah, we have these controls, they're just not documented. It's, we have them. Here you go. Here's that evidence. Ready.

Amy Ford: Absolutely. If you have that all in place and you're ready to go, and if you have a tool in place that the auditor logs into, it's all right there. So the auditor gets a good sense right from the get-go of starting this audit process of, you know what, they kind of have their stuff together. Because when I logged in, look at everything that's already here. It sets the whole audit process on the right foot from the get-go, which is great.

Megan Manville: Yeah, exactly. Relationship with that auditor, you definitely wanna keep them happy for sure.

Megan Manville: Absolutely. Awesome. As we wrap up, I just wanted to ask for any practical advice for professionals who are starting out and might be dealing with some of these challenges in the GRC world, maybe tips for how to establish and mature a GRC program for some of the folks who are watching.

Amy Ford: Yeah, so there's a couple of things. I would say, get involved in LinkedIn groups, other, any type of forum that you can get involved with, where you can ask questions like, hey, I'm seeing this in the world, or what does this mean? Or how did you get there? The community is important to be able to get involved in and ask questions of those of us that have been in it for a while or have seen things and those that are even new coming in. That would be one. The second one is don't try to boil the ocean when you're going in. I've had customers come in and be like, I'm going for HITRUST. And I'm like, what are you having in place? They were like, well, we're just kind of all starting and it's all new. I'm like, we're not doing that. No, no, no, no, no, no. We're not doing, we can't do this this way. Break it down into smaller chunks. Start with a SOC 2 report. And then slowly build from there. Like and so I say that, and I said this to customers, don't try to boil the ocean. Start small, get a good understanding, get a good solid foundation under you, and then let's move from there. We have customers that have come in and said, well, we have contracts that say we have to have X, Y, and Z in place. Okay, well that's great. I need you to understand if you were gonna go this route, this is what it's gonna mean to your organization. This is what it's gonna mean to you. Not only from a cost perspective, but from a cultural shift, from a resourcing perspective. I'm one, I'm brutally honest. I lay it out there like, this is what it's gonna take. Are you ready? I've had customers go away and come back and go, we're not ready. Okay? So this is, let's start a journey with you. Where do you wanna be in six months, 12 months, 18 months, 24 months, whatever it may be. I've had customers come back and say, we have to do this. I've got revenue on the line. I don't have any other course of action. I'm like, all right, let's do this. We'll get you through it. It's gonna be painful. You're gonna have some pain points. It's a process. If you're on board and you're committed, I'm on board and my team's committed, we'll get you through it. And we've gotten them through it. Others, we've gotten halfway through the process and they've gone, we can't do this anymore. We can't, was saying until you take a step back, like, and that's okay. Don't see it as a failure if you decide to take a step back. No. You're being successful because you're putting things in place and you're taking steps, whether it's baby steps or giant leaps. I tell everyone, just start. That's a success. And you'll continue to grow and mature your organization.

Megan Manville: I love that. I love that, for sure. Thank you so much, Amy. This has been absolutely fantastic. I hope you all found this session informative and inspirational. Our goal here is to inspire, educate, and cultivate a world where forward-thinking conversations, strive, insight, and innovation, just like you did here today, Amy. So for those of you watching at home, if you have a challenge you wanna share or nominate someone for a future episode, please comment below.
