LeastTrust IT

Transcript – What is Governance (GRC). Part 1 of 3 episodes breaking down GRC. Matthew Webster and Rich Connor join to discuss

I haven’t jackpot hey welcome everybody to team Tim I’m here uh in uh hot sunny Las Vegas at scale con with uh Tech tribe it’s been such a hot minute since we’ve uh actually done a team Tim uh fortunately I have an opportunity to be here today um and we’re really excited to talk about one of my favorite topics which is governance governance yeah exactly so uh I’m gonna try to play with the layout here on the phone and we’ll kind of live give everybody give everybody an opp give everybody an opportunity to chime in uh Mr schner you can start first and we’ll just kind of go around the room yeah absolutely so I wasn’t sure if Tim was going to jump on today but you know he found a nice quiet place and we’re excited to hear about governance you know I I think the uh the Catalyst for this show was him in his previous company or it’s really the same company but the company changed his name tagline was we sell governance as a service and I was like I’m not really sure I know what governance means and what you me is everyone is everyone kind of see an eye to eye on what is governance so um that was really you know that spawned the show um it’s been a couple weeks here uh been on on the conference circuit certainly I saw Matt Webster uh last week we had a great time in New York City at the Joint Metro uh conference both speaking and and jumping into their track each other’s tracks so that’s what I’ve been up to um helping uh seniors and retirees with hardened laptops uh small companies I like to call them micro companies uh less than five individuals some of these companies are are using the product so things are going well but why don’t we go around the room um J you’ll go last uh Rich you want to go first and go to Matt sure uh my name is Rich Connor from Louisville Kentucky uh my company’s called Lock Stock cyber security and compliance and uh I work on a lot on the governance side helping people understand how their cyber security ties back to their business goals and 
I’ll I’ll give that high level definition for now until we dive a bit deeper mat you want to go sure so my name is Matt Webster I’m the founder CEO and ceso for C virence uh basically I’m a cyber security company out of New York City um I do everything when it comes to the whole GRC space governance risk and compliance space uh governance is a topic and a favorite of mine um but I’m happy to be here today and help out however I can thank you yeah great to have you Jesse well like you said Tim it’s great to be back this week and uh for those of you that don’t know I’m Jesse Miller founder of power PSA Consulting and creator of the power grid VC so system which you can see right there I help msps build vcso programs and do it profitably exciting Tim do you want to go and talk about a little bit about your uh what you’re up to Yeah Tim golden founder CEO compliance scorecard as you can see part of my team is walking down the hall to make a cameo and say hello hey Dez we are live on LinkedIn doing our little uh Team Tim here Desiree is one of our newest hires we’re really excited to have her but yes Tim golden founder CEO compliance scorecard where we help you as the MSP have the risk conversation with your customer really excited today little bit of uh governance so let’s dive in yes so so Tim we’ll start with you we’re going to go around the corn on what we each think governance is maybe kind of a 10sec uh you know one sentence definition of it your slogan has changed as you just mentioned compliance scorecard is you know what’s the old slogan governance as a service why don’t you why don’t you tell us what that is I was going to say we we put the gas in Risk right governance as a service and and it’s interesting because now several Frameworks have actually added a governance domain right nist and CIS and so you know we started as this whole governance as a service platform the rest of the industry is not quite there yet but they do understand compliance as a service 
so you know kind of play it on both there um you all can go I will give I will go last on what I think governance is so you can all go ahead and I’ll try in last Matt one of you go sure so I look at this kind of from a complex perspective um govern when you talk about governance very simple it’s how do you get things done that’s the very simple definition of governance but the question is there’s a lot of different methodologies for those who have worked with a lot of advanced GRC tools that are out there they’re very process oriented do you have to make business cases within your organization do you collect kpis do you follow uh the three lines of Defense where you have you know your governance model your management and the Auditors it kind of at the outside I’ve seen some several variations of that but in short it’s it’s how do you get things done within your organization like it rich what do you think tell me what you think governance is so focusing in on cyber security uh governance I come from the world I was a former police officer that’s how I started out my career and when I think about cyber security governance I think about vehicular traffic and I think about things like traffic laws those are your policies and procedures I think about roles and responsibilities what drivers and what authorities like police officers are supposed to be doing think about risk management acent prevention and insurance and then alignment with the organizational goals would be how the infrastructure and roads are set up for particular towns and States so that people can use uh travel throughout their state from one state to another Jesse you want to go yeah I you know it’s interesting because I think we’ll get into this but you know as a as like a formal or short definition the way I always think about it I like Matt said it’s how things get done right but and I’ll say and I like what rich said too about the different state of how we get things done so it’s the people 
processes technology those all have to be managed and so I look at governance as the policies procedures and processes that we use to ensure that cyber C security initiatives and Technology aligns itself with the business goals and that is a short definition of how I see governance awesome so before you go Mr Golden I think you made a great point between this 1.0 and this 2.0 right so I guess what was the difference what what was happening in the market or what was happening in reality in terms of cyber security was no one was own it no one was delegated authority no one was uh in charge right so I think that was a big thing between n 2.0 is really selecting somebody to be responsible empowered to drive cyber security um obviously there’s more to that but I I think it’s really that Catalyst um that you know initiating action really uh was when I think about governance so Mr Gold you are back off mute yeah so I love I love this comment because he’s literally and I can’t see because it says LinkedIn user literally using my words which is to govern the root word is to steer and when I think of governance when I think of governance as a service I think of it as the MSP helping to steer or helping to govern the customer to Better Business outcomes to Better Business risk outcomes to steer that con conversation so when I think of governance as a service I think of it as steering the ship and we have some processes that we might get into about how that can actually be accomplished with msp’s facilitating Network steering the ship as a service I like aemp yeah I’m just going to keep branding words all you know sucess exactly spending a lot of time at the USPTO yeah so sounds like carrots and sticks Tim in terms of incentives and uh you know punishments I guess to some degree but uh as a service um why don’t we you know why don’t we dive in a little bit more um Matt you I’m fascinated with your business and how you approach companies you work with in terms of cyber security 
talk a little bit about where governance plays a role I guess you know at what point in the conversation do you get to know the business owner you engage at what point are you actually trying to shape governance right shape these um as you said these carrots and sticks these kind of like uh policies that are driving intended behavior um so go ahead so I I look at it as a bit more complex than that um you asked me who do I talk to you know it depends on the customer I mean I’ve got things like programs to educate uh cesos to make them a little bit better and focus on things that they’re doing um I’ve got a program to where I’m educating board of directors and things like that but it shouldn’t just be about carrots and sticks it should be about inspiring people to do better um inspiration and culture play such a massive role uh when it comes to doing governance because you take a look at governance you say it’s basically how do things get done but it depends on the organization because in some organizations you have kind of like well it’s my gut my gut tells me that this is the right thing to do that is to me the wrong approach I like the risk management approach so sometimes it takes a lot of Education um sometimes there are approaches where you have to demonstrate things in multiple ways so I did that report as you were talking about Tim on the uh how to get alignment across multiple organizations when I was a global ceso that was uh definitely definitely a challenge and I used a lot of different techniques and tools you know some of that is getting into Financial quantification of cyber security risk and operational risk because I think it’s also one of the things that cyber Security Professionals typically don’t do we tend to focus on the cyber security risk but the operational risk often is much higher and much more of a concern from a business standpoint and it’s about making sure that you’re you’re in line with them so I talked a little bit about the qualified 
and Quantified risk assessments and how they should be aligning with one another that’s done at the business level cyber security professional does not make that decision so there’s a whole slew of different activities that are involved in trying to create that alignment um I’m a big fan of business impact assessments and I think that’s really important to do uh because you’ve got to make yeah the B um you’ve got to make sure that you’re doing things in line and meet their expectations but of course sometimes the business is wrong you know I just put out an article on LinkedIn a little bit ago um where basically it’s four time fold increase from what businesses typically expect the cost is going to be to remediate that and I see this all the time there’s a lot of misjudgments here and there on what it’s going to take to get things done but it’s like it’s about how do you create alignment how do you create questions like sometimes I take off my risk my cyber security hat and then I’ll put on a risk management hat and start asking questions you know what happens if this takes place what if your whole Cloud environment goes down what if this happens um it’s it’s about a lot of different things and how do you create that how do you get away from that gut judgment to something that’s a little more fact oriented and so using things like key performance indicators key risk indicators and trying to create that holistic context where people are talking to one another and getting things done because the Security Professionals we know a lot we don’t know a lot about the business quite often and it’s about creating that TR right alignment across the organization it’s going to start getting the buy in for people to do things in the right way so that’s a short that’s a short story I could go on and on but I want to give people to jump in there so yeah no I think we talked about I love the what if conversation and Jesse talks about it as well and and you saw Tim and Jesse and 
Rich we all nodded on the business impact assessment right like really that’s where you resonate with the actual what the business does and what the problems are and what’s at risk um so Jesse you have thoughts on that as well yeah so you know I pretty much had I was in lock step with everything Matt had to say right so I’m not going to rehash that ground but I do want to talk about something for people that are watching and are still kind of like well that all sounds great but like really what is governance like we talked about like as a concept what it is but what does governance look like right so there’s all these pieces all these tactics we’re using to achieve governance and Matt touched on this right so for those that don’t know I want to talk about the three lines and help people understand that like that’s the three lines of Defense model is used in corporate governance a lot of times in corporate cyber security but it’s something that can be easily applied and easily understood as you think about these things right so you have three lines and it’s interesting we talk about governance in government are very similar to the three branches of of uh government in America so you have your line one which is your management they’re like the executive branch right they’re responsible for executing and and deciding on risk like Matt said then you have line two which is like your policy development your processes and your procedures it’s like the legislative branches who’s creating laws and then you have line three which is independent audit or or internal audit so audit ensures that the decisions we’re making and the policies we’re setting are actually being done and interpreted properly so if you think about those three lines of defense and now when you hear someone say oh that’s a line three function you don’t have to feel all scared by that they’re talking about audit right so when we talk about what is governance and what does governance look like you take that 
model and you lay it across all those different things that we talked about and start aligning those into categories and that is the really the core set of principles that you need to operate underneath to make sure you have a true governance program for your business and my work is done here I was Wonder What internal Auditors do Jesse so they I think they they fight with every is that right or pretty much yeah yeah spot on I I I I love how you all how you all sum that up right you know for those of you that have been following me like this is the what we’ve been preaching here for the last almost two years now and so to hear others like Jesse and Matt and Rich summarize it you know succinctly like that my work is done here it’s you know you know uh I’ll plug uh right of Boom the Cyber call you know they just did a big uh thing on uh business impact analysis uh you know there’s a couple more pieces coming out from our good friend Andrew and and Brian Blakeley and a couple of other folks uh WR aoom the Cyber call around B around business impact analysis around incident response planning um you know and i’ I’m loving to see that our community and our industry is actually starting to get it to make strides in it to understand that it’s not going away um but I’ll I’ll pivot just briefly and say how do we do that in practice right how do we do that as as MSP practitioners you know not to plug what I’m doing but you know as I thought about this over the last 20 years and had to like do this work you know as an MSP or as a ceso or as a you know CTO or whatever you know I came back to well it was it was these things it was these steps right and it’s kind of like our Mantra right we call it our 4as and I can get into all of that I don’t want to continue to plug you know me or our platform but it’s the process right and real simple alignment authorization adoption and assessment at least that’s how we Define actual day-to-day practitioner functions of great we know we need 
to govern we know we need the three lines like Jesse and Rich and whatnot were saying but how do we do that in practice on a day-to-day basis and we can dive into that if you all have questions around that or you can go watch one of my other zillian you know live streams rich rich yeah talk I think Tim you’ve talked about this a few times before a little bit little bit that get a Goble what were you going to say Tim I I want to ask your thoughts you know when you work with clients how does it come up like where you know where is it um do you even use the word governance right like as you said it’s such a nebulous term like you know where where where is it driving your actions and their you know and their responses I guess so sure I mean it’s not always a word that’s used explicitly it depends on the audience but the very first time that this shows up is typically a business impact analysis it’s a very good starting point is running through figuring out what those business processes are um someone in the chat uh Pete uh mentioned that without a business impact analysis there’s no way to ensure the organization is focusing on the right controls uh furthermore without the business impact analysis you don’t know what’s important what is the most critical and how to actually rank order uh where are where the most critical controls need to be so um that’s where that starts and I wanted to kind of talk a little bit go back to the the vehicular traffic police analogy suppose you’ve got a new effort the city needs to they’re building a new University and they want to send traffic in and out of there well somebody’s going to be designing that and supposedly you’re Consulting on this project and you want to talk to whoever’s leading this effort and you ask them what their needs are and uh they’ll say well you know we’ve got this thing we want to throw in a want to throwing a circle a roundabout in there and uh everything is looking good but you continue your Discovery and you 
end up talking to the the the cop that’s been on the force for 30 years and he goes H good luck with that the uh the circle we tried back in ‘ 89 I’ll tell you all about how that went so governance needs to run all the way through you need to talk to the people that know what’s going on at the organizational level when you’re talking through your business processes and how to secure them and then get them aligned up with those organizational goals you need to make sure that those goals are able to be achieved and for that it needs to go from top to bottom yeah I I think you see that it’s dictated from the top too often without that feedback from everyone from the users the end you know stakeholders um security friction is where it could be problem so uh good point um um yeah Jesse I can see you yeah I was I was sitting here ruminating on a couple things while you guys were talking it’s um I mean I think we see some really good outworkings of this um in the latest you know the latest SEC regulations in terms of now in your uh in your 10K you have to actually report what your governance process looks like and now it’s not perfect but it’s the start of you know the asking you to show how do you actually from that Frontline reporting piece when you have an alert and you have a potential risk and you have something that’s going on that’s discovered how does that get reported up through the lines and how is that verified and how is that independently audited so you talk about adoption right and I think that to me uh and of course it could be me you know because I’m involved in that world seeing that you know now organizations are being forced to actually put on paper how they’re doing this and so everyone says oh hey this thing we talking about uh we actually have to like have a process for we have to follow this process right so you know Matt I’d be interested to to see your take with who you’re working with and obviously in the market you’re in if if you see that as a 
driver or or where do you see the push generally coming from to have like true governance now for organizations over the last year and a half so it depends I work everything from you know small Enterprise through very large Enterprises and um sometimes that’s that driven because a customer saying You must be compliant and you see some organizations that have no clue about governance or do doing some very basic governance only and to me I love the point that everybody’s already on board on is the Bas because part of that governance process if you’re going to be a leader in that you have to understand the business if you’re in the cyber security team and or the leader in the cyber security team and the business is having meetings without you and you don’t understand what’s going on you’re not aligned with them how are you going to communicate to effectively make changes up at that level and it’s got to be on multiple fronts the Bia if you say hey I know this is our Prime system we’ve done the Bia great that’s a high risk or hundred million dollar however you want to Define it if you’re doing qualified or Quantified but then you say what’s the priority on it this is a priority One well that’s going to apply to your Disaster Recovery plan that’s going to apply to your incident response plan it’s going to apply to everything from a governance standpoint and is and should be the foundation for how do you move forward but on the other hand you really need to listen to the end users on things you can apply a lot of things but how do you bring people around and start to focus on that culture you get a cultural movement rather than a mandate up at the top so one of the ways like I’m very big on all types of processes like creating a a control profile um a list of controls that are out there so bring in your it people under that they’re G to see things that you don’t as a cyber security professional we know a lot that doesn’t mean that we know everything and know all the 
Technologies if you make make them part of it they feel like they’re part of that culture and you can start to affect changes that way because they feel like they’re part of the process and then they’re going to point out hey we can do this because of that but we’ve got an issue over here well that’s great feedback it creates a very good feedback loop within organizations and that can go up to the top or we can create you know compensating controls or have other methodologies for handling and working with these different challenges within organization so it’s it’s not a one- siiz fits all um some organizations want to have that from the beginning I’m seeing even like some of the microenterprises want to have Enterprise security right at the basis and they understand the governance they understand the challenges that are going on with the roles others are kind of fumbling around and they kind of run into and they run into issues so like if I’m running an instant response tabletop I run into situations like that and they’re like oh we didn’t realize how bad the situation was but then they do because like maybe some voices are are not heard where other ones are so you’ve got to factor in all these things you got to factor in the communication channels how are you collecting the information do you have Anonymous feedback forms I mean the list of things goes on but um I’ll let some others jump in here so yeah put it under Fire Tim go ahead yeah yeah so you know let’s and I love what you’re saying right bring it back to the MSP bring it back to those practitioners as an MSP that have thousands of things going on all the time you know kind of I don’t really use the word dumb it down but starting with the Bia perfect but where do we go from there right and I you know the keyword that I picked up on uh Matthew is alignment right that is the first part of our process right is the company aligning to a framework you know is is the policies and procedures aligning to a control 
you know does a thing align it to a thing right so you you you do your business impact analysis you start to understand the different divisions of the different components within that business those those business orgs and then you start to bring them all together on some kind of alignment right you know we we talk a lot about like storming forming and norming right so in that in that sort of norming stage right getting everybody aligned so people know what the words mean people have an understanding of a commonality across vacular what each what yeah of the common vernacular of what each business unit is responsible for what they’re trying to accomplish what they’re trying to do but you need to get all those stakeholders together and aligned to something right and so that breaking this down from an MSP perspective doing a business impact analysis talking to the different business units and then getting them all together at the table and aligning them together and building that normalization of what are these things mean and then moving on to another step going forward yeah so interesting there Tim you talked about alignment and you talked about a business impact analysis but I was I’m gonna pass this on to Jesse because he’s got a very you know also he’s got a lot of steps in terms of starting a program like a cyber security program right kicking one off m when you look at CIS right like the first thing you’re supposed to do is inventory you’re like whoa whoa we just mentioned a bunch of other stuff in the last 20 minutes here we’re supposed to do so it seems like the Frameworks maybe there’s a little bit of an oversight but they’re not from a stepbystep prescriptive basis are not talking about as you said kind of like let’s do a business impact analysis let’s let’s play Let’s Play What If for a little while let’s talk about how the business is and what their critical assets are and their crown r that they’re protecting and the Privacy data that the law makes them 
protect right but why don’t we talk about a little bit Jesse like so framework aside it I think you need to do all those things and some of them are much a little more Technical and maybe nist is a little more prescriptive on on the governance side but how do we actually do this in reality like how do you kick off a program as a VC so um go ahead run yeah so yeah and I’m I’m going to talk specifically about governance right there’s a bunch of things we could go down several rabbit holes with this but I think there’s there’s two different things so what Matt has really touched on already is getting all the the risk analysis the business impact analysis doing all the the the data Gathering and the risk review and what we’re really good at to make sure we understand what the risks are to the business now that’ll include a Litany of other things right reading previous reports understanding their compliance is are they doing a corporate risk register today I mean I’ve gone into clients and I say okay they’re SEC compliant and we say okay well we need to start integrating our cyber security risk register with your business risk register and they’re like oh we we don’t have one of those so we have to take a step back and talk about that but all that aside I think some of the impactful things you can do to build consensus with leadership teams and get organizations aligned with a a true governance journey is what uh Matt has already mentioned what everyone’s already mentioned is the business impact analysis or crown jewels as I like to call it you could say those are two different things but I’m just going to lump them into one for the the time being and then I think once you have that and you understand that you should have been Gathering that information on the side and you should understand where some of the risks are at that point I think an incident response formal exercise is really good to go through whether it’s a rewrite of the current policy because I’ll 
guarantee almost every single program I go into doesn’t have a fully formed and detailed and properly actionable incident response policy or creating one so you’re going to create that and then you’re going to walk that through with the leadership team here’s your responsibility here’s what you need to do here’s what you need to do you’re getting them to buy in the process and start thinking about it now you’ve got that you’ve got your crown jewels you can now design a tabletop exercise using both of those and don’t overwhelm them make it simple but make them think about as Matt said you go through a tabletop exercise and they say oh you know what we haven’t thought about this or we haven’t thought about that all of a sudden you’ve kind of taken them into their worst as an organization and governance becomes very important at that point because they begin to see the need for it and then you have consensus so at a high level that’s how I would want to get Buy in from the polit from the political or the the the Personnel side of things to actually start implementing you know government’s practices in an organization Jesse you mentioned a tabletop is that is it happening that early before you implement 18 controls I I think so I what I call it I like to call it well it’s not really tabletops are on a spectrum right so I’m not going to give them a bunch of I’m not going to give them a bunch of injects but what I I’ll call it a I call it a dry run right so I’m going to take an incident response plan and just walk through okay we have we have ran somewhere we’ve been infected now what do we do okay and I’m not going to be like oh your CTO just quit like I’m not I’m not going to throw injects at him but I’m to say like okay now the now the the the we have to like we got to notify like do we have to notify anybody and kind of lead them to water oh yeah we do have to do this we do have to do this where’s the list oh we don’t have that right okay that’s fine moving on to the 
next now the public is asking or there’s a reporter asking for commentary what do we do for that oh we don’t have like a designated comms method you know so you start to understand we need this governance for the worst day right and then that is just a dry run and then maybe next year we can do a true tabl toop exercise where everyone’s feeling pretty confident and then you knock them down a peg right right so I mean it’s really just a simulation on um walk me through step by step like here clearly missing massive holes right in terms of our thought process if something happens if this if you know then that yeah yep Rich yeah go ahead Jesse I was I was gonna say I think that’s a very impactful step you can do that is gonna not and that gets you visible with the leadership team too so you’re showing you’re showing a ton of value when you do that as well so as a provider right you need to make sure that you’re sticky and your clients see what you’re doing is what you’re doing is valuable this is a great way to do that yeah definitely some great comments here Bob we went through a tabletop exercise uh I think we’ call that an instument response exercise but uh yeah that was awesome um Tim what do you uh what are your thoughts so you know in Practical terms and rolling out you know a compliance program a governance program you know there’s some starting with the Bia great stuff you know getting the key stakeholders you know aligning on you know Common vernacular common things you know moving into whether it’s an you know an IRP review instant response review or you know some scenario based tabletops right that’s going to help uncover you know potential gaps right it’s going to help uncover um areas of improvement right it’s going to help uncover those things that eventually need to be governed it’s going to help uncover those things that need to have policies procedures and acceptance right so this is I’m going to pull up this comment here real quick and this is key so 
As an MSP, helping to facilitate that work goes into our next A, which is authorization, right? And what I mean by that is literally what this comment is talking about here. As an MSP, we’re the facilitators of the work. We’re helping them uncover that stuff, but it ain’t our stuff. It’s not our risk, it’s not our BIA, it’s not my thing; it’s your customer’s, right? And, as this comment says that I keep pulling back up, they need to decide what they want to do with that risk. They need to decide how they want to authorize things or not, right? And so: BIA, doing some tabletops, uncovering some stuff, finding the gaps, and then allowing the customer to make their risk-based decisions and allowing that customer to authorize or not authorize, to change process, to put the right people in the process, to remove the people that shouldn’t be part of that process, and take ownership, right? That whole authorization component.

So it sounds a little bit chicken-and-egg, right? So you start to at least initiate: who’s in charge, what are the things I’m trying to accomplish, what are the important assets, crown jewels, what are some of the critical business assets and processes? And then you’re kind of quickly running an exercise or a simulation to poke holes in potential problems, right? And then creating policies around the intended behavior, what you want to happen. Rich, do you have things to add here? Talk about how you would initiate this with a client, and at what point are you following along with the script here in terms of the steps so far?

Yeah, thanks, Tim. Well, first of all, Tim just featured another comment by Pete. That is two featured comments, so you gotta invite him to the show now. Make sure you follow up with him; he’s the one who owns the IR game and came on the show and did a live incident response exercise with us.

Good, good. Well, I gotta meet him
now. It was their longest-running episode. So, tying this back to the tabletop exercise: excellent iterative process. And I think the right approach here is to follow what NIST said to do. They have a publication called IR 8286D, and it’s using business impact analysis to inform risk. So a business impact analysis is the first risk assessment that is done. You use that, and those are your first set of risk scenarios, and then you continue down that line of building more risk scenarios, and those risk scenarios show up in your tabletop exercises. So I think Jesse’s right on point there with moving that tabletop exercise left: let’s run through one of these scenarios from front to back.

Awesome, awesome. Matt, so you’ve run through a tabletop exercise. What’s next?

So obviously, do lessons learned. That’s one of those things that a lot of companies miss. They go through an exercise, get it done, whoop, and off to the next place. Well, what needs to be improved? And so let’s say they don’t have, like one of the scenarios that I run, there’s no SOC, there are really poor security controls. You learn a lot by going through that. You discover the value of that. Hey, did you know that you have logs here and they can sometimes tell you what’s going on? Or maybe you need to get EDR or MDR. So a lot of these things, you can start to bring out those gaps very early on in the scenario and help them to look at things from a different standpoint.

I also am a big fan of, before talking to a customer, research them. Are there similar customers? Do customers like them have a risk profile that’s out there? Have there been breaches that have occurred that are similar to theirs? Because a lot of companies, what they like to do, and a lot of leaders: what’s everybody else doing? And, right or wrong, that’s just one of those things. I personally am against those, but I respect that all business leaders like to go through that and
see that. To me, it should be about the risk. What really is the risk to your organization? What happens in these worst-case scenarios? And I think it depends. Whenever you step into a new role, though, everybody knows, sometimes, especially as a new CISO, you’re jumping in, sometimes you’re dealing with a fire hose day one. You don’t have time to do a lot of these types of exercises. But also, I’ve seen a lot of organizations, and again I completely disagree with this, but they keep it at the IT level; it’s not up at the business level. There’s a lot of fear between the business side of the house and the IT and/or security side of the house. That bridge is one that really needs to be gapped. You have to have everybody communicating with one another, because if you have an incident response exercise and it’s a bunch of IT people and maybe a security person, you haven’t done an incident response exercise. Not everybody’s on the same page. And one of the things too: you’ve got to create that alignment. If you’re a business person, you come in here: oh, you all suck, get out of here. I’ve heard stories like that. They fired people over that, CISOs, over this. I have not been through that, but I know people who have. If you’re getting fired because of that, because things aren’t 100% perfect, that’s a big problem there, because you’re creating fear in the organization. So making sure you get that alignment and making sure you’re doing things in the right way. Because I can tell you, all the times that I’ve been through and somebody from the business is there, sometimes there are problems, and yes, I understand that people get frustrated with that, but they have to be part of the whole equation. Otherwise you’re talking Greek. You’re giving them an experience that they don’t have any say about, don’t have any understanding of. You’ve got to get that report, you’ve got to dive into it, you’ve got to listen to what the assessor is saying. All these things are really critical.
Gap assessments are a critical part of it. Some organizations are not big on that; they want to see the pen test. So you gotta really kind of feel out what the culture is and what the problems are prior to doing a lot of these things. And then once you get that alignment, then you can start having better conversations. You can go through that incident response plan, that disaster recovery plan. So there’s a whole bunch I could start to tie into it, but you really have to listen first, and then you start to take action, from my perspective.

Yeah, I think that’s spot on. Well, it goes back to: you’ve got to sell the client what they want so you can give them what they need. That’s the first piece. And then the second thing you mentioned, and I think it’s Rich’s idea, right, it’s a conception you gotta get in their brain.

Well, that’s what tabletops do a lot of the time, right? And Matt, Rich, you know this. I cannot list the number of times I’ve had initiatives queued up, like, in the future we need to talk about these, and then something happens and, like, you know, we should really do third-party risk management. I’m like, great idea, we should do that.

Exactly. Talking themselves into it.

It’s much easier to sell a cure than a vitamin.

Yeah. Well, I think the last piece of that is then tabletops again, right? We have to have different, and again this depends on the size of the organization, but especially when there is an internal IT group and leadership, those need to be two different tabletops. Because if you go to leadership and say, it goes back to the different lines: how do we process an alert? Do we have the acumen as an internal IT team to run this down? Are we reporting back to the playbooks, back to our outsourced SOC if we have it? How are we declaring an incident? This is all technical tabletop stuff that
needs to be discussed, and this is top of mind because I recently ran one of these, right? But the next thing is, then there’s that demarcation point: we’ve declared an incident. Now the incident commander and the leadership team have to run through their pieces of the tabletop, and we can make some assumptions and say that the other side of the business, the technical team, is reporting this in. What do you do about this? But those are two uniquely different audiences that need to be addressed in different scenarios, I think.

So let’s, part of my job here, bring it back to the MSP level, right, kind of dumbing it down for all of us. We’re 40 some odd minutes, 45 minutes into this. So for our viewing audience: conducting a business impact analysis, identifying those crown jewels, bringing this through either a tabletop or an IRP or some kind of business conversation to bring up gaps in what you’re finding, right? As a few people just said, things that you knew you already needed to deal with may come out of those gaps, may come out of those tabletops. And then moving into: we’ve discovered these things, we now have this process built out, we need to then move on to what is the next step. Impact analysis, do some tabletops and uncover some stuff, make sure people are all aligned. What next? Can I go?

I think at that point it’s creating a roadmap and a suggested order of execution for the improvements, right? And again, to Matt’s point and Rich’s point, we’re not making that decision. Now, I will say that what I also don’t like is when I see consultants who are like, well, here’s a bunch of things we could do. Like, no, you’re the expert. You need to recommend: here, based on all the things I know. It’s the same thing as running a good sales meeting and discovery, right? Based on all the things I know about this company so far
and the risks that we have and what we’ve done, here’s my suggested order of importance and priority based on all these risks and this data. Here’s what I think. And that’s what the leadership team wants, because you’ve given them something to poke holes in. So you can’t get offended when they’re like, whoa, this shouldn’t be number one, this should be number three. You’re like, great, let’s do both. So I think then working with the leadership team to build consensus and get a final roadmap, and then start to execute against that. So to answer your question, Tim, I think that would be the next step.

Awesome, love that. That’s kind of where my brain was going, so thanks for reading my mind again. His poem in the comments here, it’s like we’ve been friends for a while. Yep, yep.

So we didn’t talk about this, but I just wanted to circle back on one thing I think we missed as well. You talked about critical assets, we talked about critical business processes. Matt actually did something very similar to what Jesse did in his talk last week. He was talking about, from a risk management perspective, the likelihood of an event, right, and really handicapping those risks and really putting almost a dollar value on the risks. So we probably do that maybe before we even get into, we’ll call it an exercise, on what could go wrong. And then now we’re at this point where you guys mentioned a POA&M or a roadmap. Jesse, or I could ask, we can go to Rich on this: do you customize that? Is it based off the framework exactly? I think we’re at that framework point where we’re starting to choose controls, and how do you choose controls?

Is that for me? Yeah, go ahead, Rich.

Sure. After you’ve deployed your governance and you’re done doing the monitoring and enforcement of it, and doing your evaluation and improvement along the way, you should start looking at maturity. What’s your maturity level? How do you
capture that? Are you doing things in a reactive way, where the policies just exist and sometimes they’re followed, sometimes they’re not? A little bit better than that is where you have the policies and procedures in place with defined roles and responsibilities and you have regular monitoring and enforcement. Or do you have it optimized, where things are fully integrated in all lines of business and it’s really understood what’s going on because you have continuous monitoring? So going back to that maturity model, seeing where you are today and setting plans for the future to get to where you need to go, in the same vein as a POA&M.

Awesome. Matt, thoughts?

Yeah, no, I think that’s a really good avenue, because one of the things too I’ve seen in different