This is a transcript of our interview with Aidan Parisian, VP Customer Strategy at Fastpath
You can watch the original video interview here
Boris: Hello ladies and gentlemen and welcome to our Risk Management Show. In this episode we are talking with Aidan Parisian, Vice President customer strategy at FastPath. FastPath provides a comprehensive suite of software solutions that seamlessly empowers clients to take control of their security, compliance and risk management initiatives and integrates across major business platforms such as Microsoft Dynamics, SAP, PeopleSoft, SalesForce, ZenDesk and more.
Aidan, welcome to our show today.
Aidan: Thank you Boris
Boris: I really appreciate your time and looking forward to our conversation. Aidan, could you tell us a short story about FastPath and what are you guys up to these days?
Aidan: Sure, I often call us a two-stage rocket. If you look at the startup space, especially in the GRC space there's a lot of newcomers over the last five, maybe 10 years. We're a company that's 16 years old, we started in 2004 which for those in US compliance and risk will know that it's an auspicious year, the founding of Sarbanes-Oxley. The company was started in response to the need for people in the Microsoft GP space to focus on segregation of duties.
Prior to doing those exercises was laborious manual, often involved multi-ring binders with highlighters and hours and hours of painstaking work. So we built a platform on .NET that put into Microsoft GP and from there we kind of grew organically. So over the next 10 years we grew customer by customer and moved about six years ago to the cloud which enabled us to really focus on cross-application.
Cross-application was something that we had done in the On-Prem space, because we had to as Microsoft bought other systems NAV, SL and AX, we had to start to plug those systems in together.
Obviously once we went to the cloud we were platform agnostic, that enabled us to really plug into any application and that was the second stage of that rocket. That’s where we really kind of accelerated into this space, so our focus is in providing a platform that helps customers detectively and preventatively manage their logical security within their ERP and business systems.
We get out of the object level, which is the expectation for most auditing and compliance tools, but one of the things that differentiates us is the ability to go cross-application and that's really to aggregate that data into one space. So if you think about a normal business you're looking at business processes and how they flow well oftentimes from an IT perspective, those are isolated those are siloed by those systems. In our case we can incorporate those systems and then allow you to think about your risk from a business process flow perspective, because we can bring all that data in one place.
Boris: What is your best type or your ideal customer? And what are you doing exactly in relation to risk? Are you mostly on audit or compliance or risk side? Could you please elaborate on this?
Aidan: Yes, so it's a combination. Our platform, the primary three modules we have right now, we have an access review and access certification module which is very much a detective module looking at who has access as of right now.
We have an audit trail module, which looks at what's being done in the system, what activities, what transactions, what configurations are modified. And then we have an identity management access module that really focuses on those systems that we plug into. So if you think about large broad scale identity players like SailPoint, for example, those guys are looking at the enterprise level identity. We're really focused on identity, just within this space that we focus on from a systems’ perspective.
So to answer that first question, our focus is really around audit SOX compliance in the United States, you look at financial audits and other places and that's number one on the list. That said number two becomes anything that's related to logical access. Anytime that you're worried about who has access to what, so you start to think about privacy regulation, think about healthcare regulation.
That’s an area that we play in and then the audit trail has its own area of benefit, where if you think about regulations like the FDA approval in the United States, which has to do with chain of custody for materials used in manufacturing. That’s where the audit trail comes in, because now you can see who's modified what and how do we know that these custody chains are accurate and that the data in the system is accurate.
So all of that together kind of formulates the answer to the question, the optimal customer really is somebody who understands compliance, they understand how our tools fit in right.
I've spent a long time in PWC as an auditor and then an internal auditor and I did a lot of consulting here in the bay area in California, and you see a lot of startups here and one of the things you notice is that most startups when they start to go, their focus is “how do I check the box for the least amount of sophistication”, not because they don't know better but because they don't have time.
Their focus is on getting their product to market and accelerating their company and growing as fast as possible and a lot of times, they'll have very unsophisticated control environments.
How do you have control over your revenue? Well, we just review everything at the end of the month and that's obviously labor intensive. It takes a lot of energy, effort and a lot of time.
So we're looking for people that are further up the maturity chain from there that are thinking about integrated risk throughout their organization and understanding where does risk actually sit, what is a person and a process, what makes it a system? How much of that risk can be captured by the system, how many of these automated controls or system configurations can do away with some of that risk or avoid some of those opportunities for fraud?
So moving up that maturity chain, somebody who understands how a tool like FastPath fits inside that overall ecosystem. I find that people that have been around the industry for a long time really appreciate our tools. We go live in a day, we don't require consulting for our system to turn the lights on which is a little antithetical in this space. For a long time in the GRC space tools were very big, very heavy, very needy for time and consulting professional services. And we by design have always wanted to avoid that, so I think the mature buyers and veteran buyers tend to look at our software, and they understand that the price point and the value pitch makes sense.
And then really that cross-application piece is one that I think people are still starting to wrap their heads around right. It's a little bit like selling the microwave before the microwave was popular and that everyone understands the value of cross application but applying that is something different.
Being able to have that cross system interaction, if you have a very large multinational that's heavily siloed the likelihood that you can get the SAP team to talk to the Salesforce team, when for their entire existence have always been siloed and always been owners of their own domain it’s very difficult. So even though the technology supports that, you need a certain level of sophistication and organization and a certain amount of ability to change course and gain inertia. And that to be able to really take advantage of that and start to think about these risk questions across these applications.
Boris: So in many industries now, COVID has accelerated the move to digital transformation and as Microsoft CEO put it, we saw two years of digital transformation in two months. What changes are you seeing in the market especially now in the COVID era? And can you tell us how your clients perhaps are impacted by the crisis and what organizations will need to do in order to adapt?
Aidan: I think there's two and I'll split them in between two areas of focus. One is from an IT systems perspective, what do we see people doing during COVID and then two is from an audit perspective and how does that impact.
What we see, at least, in our space when it comes to security and access it’s really a heavy focus on Identity. Again you can go back to SailPoint as an example, the ability to do this enterprise level identification of all users in your applications. I think that for a long time people convinced themselves they didn't need that, they felt that maybe they were too old, their ecosystem was too old, they had too much tech debt, there was too much legacy applications and they didn't have to concern themselves with it.
And I think people now are being forced to deal with what has always been a problem, which is that systems that are connected to the internet have inherent risk in them and that you need to understand who has access.
There’s also a big focus on PAM which is Privileged Access Management, it's like CyberArk, for example, is a company that deals with recording of the interactions and activities of somebody who's gotten access to something that's privileged. That's a big one and I think there seems to almost have been a rushed response, so if you go back to that comment of two years and two months I think that's absolutely the case. I think you'd probably see that most of the identity space in PAM’s space have really accelerated in the last couple of months because it's that knee-jerk reaction and some of that is being driven by individuals, some of that is boards asking the right questions.
And obviously there's been an increase in penetration type activity and hacking activity. People have more time, people are sitting around in their houses and they have more time to do whatever it is that they do and that happens to be trying to break into somebody's system or network. Then they have more time to do that, there’re more knocks on the door on a daily basis.
From an audit perspective it's really forcing a lot of shifts because audit has always been a lagging space in technology. I look at when I started my career at PWC, there were still firms that were using big giant boxes full of file folders of paper material. I think audit's always conservative, “if it ain't broke don't fix it”.
In audit it's all about trust, it's about how I'm getting the right results and I'm going to prioritize that over efficiency or economy scale. And I think this has now forced audit to accelerate.
This could be a pretty significant change agent for audit, if you look at the GRC space as a whole. So you look at what we do, which is the access GRC space but then you look at process GRC, which are companies like Archer and BlockPath and AuditBoard and WDesk and it's NGRC. These companies that are focused on automating the audit processes and the gathering of data and the reviewing of data and even the ancillary applications like Flowcast or BlackLine.
I think you're going to see a huge acceleration for all of those guys because this is a means of enabling a digitization and an automation of what happens in audit every day. But a lot of people look at and say “I don't think I want to spend the money”, audit’s rarely the first to the trough when it comes to budgeting season. Audit typically gets underfunded if anything, CISOs would say the same thing about IT security and I think you'll see that shift because now that everyone has to be remote, these tools for automation ServiceNow, there’s a lot of argument that ServiceNow may double in size of the next five years, because they provide an automation platform and the means of being able to automate and to log track and provide communication.
I think those are the three things that are really going to accelerate, we've seen that acceleration so as far as COVID goes when it comes to managing access.
If you can walk down the hall to your PSA and say “hey can you run a query to show me who has access to A, B or C”, having an automated tool that will pull that for you that's complete and accurate that checks the box from an audit perspective.
All of our automation around access certifications, all of our automation around identity provisioning, all of that obviously is a boon for folks that are remote and that are trying to manage risk. And obviously the audit trail stuff really helps because that enables them to avoid what is an inherent risk in anybody having access but I think that that risk goes up when people are no longer in the building.
Let's say you are a bad actor, you have a tendency towards that to commit fraud or to steal something from the organization, you’re less likely to do that on premise in the building with your co-workers around than you are when you're in your room and you're working off hours and it's two in the morning. So I think all of that stuff helps but I think in general you'll see the GRC space take a pretty big leap, automation space, robotic process automation, the fact that it showed up two years ago as kind of big ticket item and then all of a sudden we hit COVID and see a lot of RPA, a lot of automation around systems and applications.
And it's probably all for the better. I think a lot of these tools should have been adopted, back to the point I made a few minutes ago and hopefully you'll see corporate dollars company going towards some of these automation security tools now that we're in a place where we don't have a choice.
Boris: I'd like to ask you a personal opinion: What is a commonly held belief that relates to audit or risk management that you passionately disagree with?
Aidan: That it's an institution unto itself, I think oftentimes audit is treated as its own outpost. That's a team that we have to have while we're public, and we have to have those guys.
I think there's a massive opportunity to integrate the concepts of risk management and audit and security into daily existence. I think there's a benefit to the organization whether it comes to lowering margins or reducing risk in general and I think I'll kind of cheat and give you two answers.
And that there's an ancillary answer there, which is that we always talk about this obviously selling software in the audit space is: Why isn't there more money to be had, why isn't there more people spending money, why isn't it funded? And it's because it's hard for organizations to fund something they can't see.
COVID is a great example if you want to talk about the idiom of a little bit of prevention prevents a ton of the need for cure. That's apparent to us every day, especially in the United States where we've been hit harder than most is that thinking ahead oftentimes isn't popular, it isn't sexy as an idea but later on it's always 2020.
And I think the audit space suffers from that same concept. Am I going to spend money on this or that, that doesn't make any sense? It’s always talked about in the audit space, it was the ghost of the orange jumpsuit, we’re selling this concept of ‘what if fraud does occur’, ‘what if your CFO does go to jail?’ ‘Okay what if’, ‘I have other problems right now that I can see, that I can touch, that I can taste, that need funding, you're asking me to go find something that is imaginary, that would need five or six things to happen in a row.’
So I think audit at this point is mature, if you think about it as long as there's been banking, somebody’s been counting the coins in the box, but audit in its modern contemporary form, what came out of SOX in 2004 and then kind of spread globally based on some rules placed here around, focused on integrated audit controls looking backwards and forwards.
At this point it's matured enough that we really should be integrating it into our business. Into our governments a lot of these concepts and audit are concepts you can use in your daily life and I think they're just underserved. They're not popular because they're difficult, they're hard to do, they’re a nuisance, nobody wants to go and review the list of users in your system every month. Yes it's the same five people, why am I looking at it again and again? But it’s hygiene, it's brushing your teeth or making your bed or cleaning the kitchen. It's like anything else in life, it's good behavior that gets good results.
Boris: I wonder, what tips do you have for risk managers and auditors to help their organizations to stay on the course during this crisis? So for example what's something that they should start doing right now that they are not doing currently or perhaps another way around? What should they stop doing right now that they are doing?
Aidan: I think it's a good chance for risk management compliance folks to have an opinion and to be heard. Part of that is learning to communicate in the right way, one of the things I didn't realize when I was at PricewaterhouseCoopers that I learned afterwards being inside of organizations: is the way that auditors and risk management professionals talk about audit and risk management. It's very much an insider language. You speak to each other as if both of you already know the punchline to the joke, that's not the case for the rest of the organization. And I think that the more folks can learn to communicate in the terms and ideas and concepts that the organization holds dear, the more likely that they're going to get traction. And I think to that degree, this is a time when there's change, there's change occurring, change is being forced upon all of us. This is an opportunity for risk management professionals to insert themselves in the conversation to get a seat at the table and to start to have a conversation about strategic goals for the company as a whole.
And I mean, depending on what industry you're in, some of this could be product wise, if you're at Microsoft you should be having conversations about “hey guys we're already ubiquitous, we're everywhere, what are we doing to help people with all these concerns that they have as people are working remote?” And then even if not, it’s about strategy so most boards require regular risk assessments on an annual basis, SWOT analysis, things like that. Risk management rarely is brought to that table, they typically are two seats away, they say something to the controller to somebody, a VP of compliance or CISO and then that gets matriculated up to the board. I don't think that is necessary and I think it's been something that risk management professionals have been taking those terms as was it dictating those terms and this is a good opportunity to insert themselves in the conversation.
Boris: So looking broadly in your industry: what are the major trends in your space and what should we expect from you guys in the future?
Aidan: I think automation obviously is one. As everyone looks to get more productivity out of the daily, head count automation is ubiquitous across all business. I think in our space it's abnormally so because of the nature of how people interpret costs related to audit.
Audit costs aren't typically seen as strategic spending, they’re seen as cost center or cost sink. So automation I think is going to be big. Automating access certifications, automating access provisioning and approvals, automating reviews of change management and then all of that is going to relate to things around completeness and accuracy. How do I know that the data when you pull it out of system A and system B combines it, reports on it and sends out some sort of export?
How do I know that this here matches these two sources? I think you're going to see a lot around data, one of the areas, the reason why integrated audits exist in their nature, why this insistence on controls and then specifically around IT controls, ITGC’s is because of the onerous nature of manually reviewing data. The way I used to interpret this to young newcomers at PricewaterhouseCoopers and they'd say: “well why do we have to have ITGC’s?” I said because how many samples would you have to take for Nike, for example, to validate that their revenue is correct? How much work would you have to do of painstaking page by page review to validate that that is correct?
If you can instead reduce that risk by understanding that none of this should change because nobody has access. It's a lot like saying “would you rather have to go count your money every day or would you rather have a password on your bank account or a lock box with a key?” So I think the ability of data processing and systems, Moore’s law of the acceleration of technology and how smart we've gotten around thinking about unstructured data and structured data.
I really think the biggest boon to this industry is going to be the ability to go and do data analytics, because if you look at what a lot of Access GRC is about, it's about preventing that risk upstream. In addition to that, if you can look directly at the data itself and you can run some sort of analytics over the top of that data on an ongoing basis.
Now you can start to pick up any errors or issues on a regular basis, you think about doing tests on zeroed out numbers or 99 cents or looking at things just under approval thresholds and then looking at the inner relationship of systems is what is person A is doing here and what is person B doing here.
I think that's going to be a big boon to the space, I think it's going to be a big shift, it’s going to force a lot of organizations to have to change their product model and their focus. I think the last one is going to have to be interoperability, so a lot of that, I mean, obviously we're ahead of the curve in the sense that we look at the world from a cross-application perspective.
Just because you have SAP, Oracle and Microsoft Dynamics, that doesn't mean that you shouldn't have a tool that works with all three. That's again like I said earlier antithetical to the space. You think about the legacy players in the space, it's SAP GRC, it's Oracle GRC, it's companies that are focused specifically on one application.
You’re already starting to see this, so “the bear” is a good example. NetSuite is one of the more prevalent ERP's in this space, now Workday has just made a pretty big push but NetSuite kind of were open about the fact. In the beginning this is what we do, we're a GL system, we do AR we do AP, we do some ancillary finance functions, but we're not going to do all the things.
But we have a bunch of partners that can do those things and what we'll do is that we'll open up the highways between us and that partner to make sure that data can be interchanged, so it doesn't feel like a different system.
They’ve created this ecosystem here where everyone is using best of breed applications. The average startup will start up and they will have NetSuite as their ERP. They'll have Salesforce, their sales system, Workdays, their AR system, they'll have Cooper, they'll have Zora. And then that's their footprint stamp. So when you think about that as a concept of this interoperability, you're now enabling any system to work with any other system and so I think especially in the GRC space when you're a utility tool that is in support for these applications, that's going to have to open up.
ServiceNow needs to be able to work with Zen GRC and Wdesk. Even though they are arguably competitors, because there's going to be people who want that as their ecosystem.
I mentioned SailPoint a few times, SailPoint, FastPath have a very good relationship. SailPoint does enterprise-wide kind of top-down identity and we do this bottom-up GRC and together we create this behemoth that does everything best of breed.
Arguably we're competitors because they do identity and we have some identity functionality and there's an overlap, but that doesn't preclude us from serving our customers and finding the best option for them. I think that's going to be a big thing in this space over the next five to ten years: is everyone's going to have to open everything up?
I had a conversation with a gentleman once at a conference a couple of years ago and he made the argument that the next big shift in this space was the standardization of APIs which to a degree has already been done but his point was: it needs to be that every application out of the box can work with any other application out of the box.
And I completely agree with that, I think that the more that people laser focus on one answer to one question, the more that you get to Ford's assembly line where you have a bunch of applications that do one thing better than anybody else and you can cobble those together to create an ERP out of all these independent systems. And then that again speaks to this ancillary, utility space of GRC tools and identity tools etc.
Boris: Fantastic and from our own perspective as Global Risk Community, social network for risk managers: How can we contribute to the process of better understanding of this complex world of risk?
Aidan: I think conversations like this are good, I think there needs to be an olive branch out to the product managers of the world. If you think about risk, you know, what are we talking about?
We're talking about assets, we're talking about data, we're talking about money, we're talking about people. Whatever the case is, there's all these products in that space, whether their ERP systems focus on finance applications of their data management systems.
And there are product managers in these worlds that are the ones that are bleeding edge, they’re the ones that are imagining what this is going to be in the future. I think the more that the risk management world can be interchanging ideas with those product managers, the better.
Because it's not a natural relationship, they don't really want to talk to auditors, they think about it, there's somebody who is going to hold them accountable, who want to ask some questions they don't want to answer. And oftentimes for risk management folks, what they're doing is so baffling that it's almost intimidating to have a conversation with them.
But really, they are defining the future, if we think about risk management. Risk management is always behind the curve, it's always reactive not proactive. Just by its nature, the more proactive the risk management community can be the more risk management professionals who are articulate and are intelligent about the future, the better they can do their jobs.
RPA is a good example, RPA has been around but it only became popular a couple of years ago with automating everything. There's only a few subsets of people that know how to work with that. Data analytics, Blockchain, AI, machine learning etc. For risk management professionals to get their arms around AI and machine learning takes somebody who's a developer who understands what's there. Because most management professionals are not capable in that space to go to look at code and to understand what it means. And so I think that bridging of the gap even further benefits both sides, because it enables risk management to get their hands around something that's a burgeoning technology and it allows those technologists to be considering the things that risk management thinks about, because whether or not both sides want to interrelate, eventually they're going to have to. And it's better that they do it earlier than later because later means the problem's already occurred.
Boris: So summarizing it, if someone who is listening to this interview would like to walk away with one or two major takeaways: what would it be?
Aidan: That this is a changing industry, I always jokingly say that I think that Inuits in Alaska have 26 words for snow, I always say that risk management professionals have 27 definitions of GRC. GRC is a constantly changing industry and that I think there's a lot of us here on the edge that are starting to do new things, that are not recognized. But I think risk management professionals should be open to those messages. I think sometimes they feel they're marketing pitches or sales pitches but they should be looking at including those. But I think the more important side of that is that in the middle of COVID, in the middle of all the things going on, this is a change agent for risk management professionals to insert themselves into the business as a whole or into their organizations or as a whole or into the world as a whole, in a way that's meaningful and that can avoid future risk for future damage or future need for the cure.
This is a prevention point, it's a golden opportunity, it doesn't come around a lot especially for risk management professionals because this is one of those events that they would have forecasted five, six, ten years ago and said that we need to have controls in place. We need to be prepared and it'd be a shame to have this pass without us having a better world for it.
Boris: All right, interesting. So Aidan, thank you very much. It was a great interview and I wish you and your company successful growth and implementing all your plans and expanding in the future in Europe as well as in Asia and I know your main market is in the United States but hopefully you will also expand this thinking in Europe and in the further afield.
Aidan: Absolutely, well, thank you for the time.