This is a transcription of our interview with Joseph Schorr, VP at LogicGate. You can watch the original video interview here or tune in to the podcast episode here, on iTunes, Spotify and other podcast apps by searching "Risk Management Show".
Hello ladies and gentlemen and welcome to our interview with Joseph Schorr. Joseph is Vice President of Strategic Alliances at LogicGate, which is a leading provider of cloud software solutions for automating governance, risk, and compliance processes.
Joseph is also an advisor to Dreamit Ventures, a growth program and venture fund focused on pre-Series A healthtech, securetech, and urbantech startups. Joseph is helping founders in the SecureTech program, which is focused on cybersecurity, anti-fraud, risk & compliance and physical security startups.
Joseph, thank you for coming to our interview today.
Joseph: Absolutely, thanks for having me.
Boris: Joseph, can you tell us a short story about your unique path in the industry?
Joseph: Yes, I think it's kind of funny. I've debated writing a book someday about everything I learned about Risk. I discovered making cloth when I worked for a company that makes Gore-Tex way back in the mid nineties. And I was a computer guy, and ever since then I've found out that probably the best training, the best first job to get into security and risk and compliance, is to work for a manufacturer that makes something that a lot of people want to steal.
They've got the right information, a lot of patents, things like that. So I learned some really, really hard and fast lessons way back then. And quite frankly, I kind of wandered off into a lot of the networks, like networking and routing and switching and all of those types of things, and always found myself drawn back into security and Risk, to the point that everything I've done in the past 20 some years, with the exception of maybe five years as a CIO, has been in the consulting space.
This is only the second software company I've worked for. So I've worked at places like British Telecom, Hewlett Packard, Lucent. And then finally with LogicGate, and at Optiv right before this, and as I kind of progressed in my career, it became more and more Risk centered, but it also became more and more business focused.
As the talk tracks elevated and we went from the threat landscape to Risk transformation and digital transformation, you just find yourself gravitating more and more towards business people and what they're trying to get done in their business, which honestly led me to LogicGate. A lot of the work I was doing in the past two or three years was the board level and C-suite level and trying to provide these people answers.
And we will get them some subjective data, some subjective opinion, some objective data mixed in, but I really wasn't seeing a way to get them something like a really good coherent answer, which led me to LogicGate.
Boris: Can you explain what LogicGate offers to the industry? Why was there a need for your solution and how it differs from other software providers?
Joseph: Yes, it is pretty unique. We're the leading SaaS GRC solution working in the whole enterprise risk environment. What I really do think is unique is kind of the path that led me here, and it goes back to the work I was doing the past 15 years.
I started out like a lot of us did on big risk assessments and vulnerability assessments and things. We just had to add a lot of data we had to crunch and try and come up with the reporting.
And back when I was doing a lot of that, the only good, and it was a great, solution was to put stuff into Archer, hire a couple of really good Archer consultants to build what you want to build and then keep them on staff to tweak and move that, make this thing work.
As time went along we had that sort of spurt of innovation where people sprung out of the Archers in different companies and built a discrete "GRC tool". We had some pretty good ones and I've known some of the founders of different companies who are now still our competitors.
And then a logical progression that I think is when people like our founders, Matt, John and Dan who were risk and compliance professionals doing consulting at the tip of the spear, figured out exactly what we needed in client environments, which was something much more lightweight, something that lent itself to almost instant innovation and change, something that they could adapt to the absolutely ridiculously rapidly changing compliance regulations around the world and be pretty easy to use, which everybody says they are, and that's a big factor.
So we've gotten to the point now that it literally is something that advisory like my partners, advisory consulting firms can use in their engagements doing these big risk transformation projects, but when they leave and put that in place as a solution, the clients aren't lost, it's usable.
They don't have to be an Archer expert or hire people that know ServiceNow really well or something like that. It's something that's very, very powerful, relatively inexpensive, and quite frankly, easy to use. It checked a lot of boxes for me as my needs changed as a risk consultant.
Boris: What are some major examples of your customers’ use cases?
Joseph: We say a lot of the time, and it's quite true, a lot of our customer base looks a lot like we do. They may be in a technology and high-tech manufacturing space, they may not have a whole lot of people, but they might have relatively a lot of money under their control, they're heavily online and they are already undergoing the digital transformation.
So they probably make something or do something or provide a service for a living and they do it very efficiently with relatively few people. So our typical use case, quite frankly, they may not have a staff of risk and compliance people on hand.
They may not have a Chief Privacy Officer or Chief Risk Officer or a hundred person IT department or a 30 person security department, but they may have billions of dollars under their control at Risk, quite frankly. So that's kind of a typical client that we get.
Then we're also really heavy in financial and healthcare for obvious reasons. And as far as use cases, it really is a lot of ways client driven. And like I said we can shift on the fly pretty fast. So obviously when GDPR is hot, we can mount something that meets a GDPR market really, really fast, we did it really well and it is a wonderful application built on our platform.
Right now a lot of people are talking about the CMMC, FedRAMP compliance, SOX 2, kind of the old traditional ones where people may, like I did, first dip their toe into the risk and compliance space with vulnerability management. Everybody is getting pen tests, everybody is getting their vulnerability assessments. It sort of gets tossed over the fence and then they really don't know what to do with it. So vulnerability management, and we have a relatively new partnership with Tenable.
We improved what we think was already a really good vulnerability management application and amped it up into kind of a one plus one equals five model with a new partnership.
Boris: I would like to hear your personal opinion, what is a commonly held belief or the biggest misconception in the Risk field, in the GRC field, that you strongly disagree with?
Joseph: GRC sometimes has a negative connotation, and I just had this conversation with someone yesterday. A lot of times when people hear GRC, they think PCI and HIPAA, all they hear is the compliance part of it. And in the majority of times in the past decade or so, GRC has always been something you had to do. It wasn't something you really wanted to do. And it's a little bit of an overused term when people talk about security being an enabler, risk being an enabler.
I think the biggest misconception is that GRC does, in a way, somehow inhibit a business. I explain it to people that if you've ever flown or seen a pilot, what they do before a flight is a pre-flight checklist, and they literally walk around the plane and bang on things, they look at everything. Fighter pilots have a board that they are checking off everything before they even start the engine off. So it's just a pre-flight checklist. That doesn't mean that these pilots are risk and compliance experts.
They use these tools and methodologies to ensure that the plane gets off the ground, they're in the business of flying. So before that plane ever gets off the ground, you had to go through all these checklists and all of that enables you to get off the ground.
And that's GRC in a nutshell to me. There are a lot of different things that people want to do. Simple stuff, if you're trying to measure your risk, if you're a jeweler that goes to the bank every day at four o'clock with a bag of money and you've never had a problem because you walked there with a bodyguard, but now you're thinking this is a pain in the neck.
Maybe I should do it on Sunday night when no one is actually around. It'll be dark. There's less traffic. No one sees me doing it. Maybe that's a good idea. Well, think about that a minute. There's nobody around, it's dark and you're not going to have your bodyguard. Have you actually thought about this and measured that Risk? Like you were going from one business process of how you deliver your money to a new business process. And you're just going to go out there on Saturday night or on Sunday night at dark and walk to the bank and drop off a bag of money. That's kind of where we're at now.
People need to start thinking in terms of GRC as a way that you could actually make really critical business decisions and have to make these decisions.
Boris: So for example, if we take the life of a risk manager, if there is one thing that they should start to prioritize right now that they are not doing currently, what would it be?
Joseph: Two things. And they are sort of locked in with each other. I would say the most important thing is to immediately start getting closer and closer to the business. If the risk manager is only talking to their peers in the company meetings, security people and compliance people and other Risk people, and worrying about just their piece of the puzzle, they are going to be an abject failure. A risk professional in any company should be talking to the CFO and the chief legal officer, making their presence known, and getting themselves invited into the business discussions.
They need to know that the company is thinking about expanding manufacturing operations to Southeast Asia or that there is trouble brewing at some factories, they've got in trouble in certain states in the country.
There's lots of things they need to be included in on the business side. Instead of just being checklist, compliance people, they need to get into the business and start being able to provide some answers.
The tough part of it is they need to quantify some of this stuff because they can't get along anymore with handing a heat map to someone who asks you for information saying, yes, we're a green or yellow or red. They need to be able to say, if you want to start carrying that bag of money to the bank on Sunday night, your risk goes from 35% to 76%.
We have to start assigning numbers because the people that we work with are worrying about these things and they work on numbers, they don't work on red and green and yellow.
Boris: Well, the same question, but, another way around, what should the Risk Managers stop doing right now that they are doing?
Joseph: I got this pushback from dealing with people on boards a lot, the director level people at different companies, even where I've worked in the past. The higher you go in companies, the simpler the questions are and potentially disastrous for your career because somebody, a board member or a CEO asks you something really simple like what does good look like?
And you show them a dashboard with just all green lights lit up and say, well, that's what good looks like. That's not what they're looking for. So what I would encourage risk managers to do is to nip what's called green dashboard disease in the bud. Stop looking downstream and making people that are working with you or under you provide you with data that you're pretty sure is suspect, and then repackaging it and moving that data upstream, when these people that are making strategic decisions for the company in a business sense, where they're steering the ship, are relying on you and relying on that Risk data to make a decision about which way to go.
I've always said, you're honing this knife blade to be sharper and sharper and sharper, and any good, accurate data is better than false data, obviously. So start getting in a culture of asking for really good verified data.
We should be eminently capable, with all the tools and technologies we have available now, to start putting together the exact data we need and make sure it's accurate. Then we move that upstream, then we can start to give answers and we can say, look, we made this decision based on knowing maybe 10 or 15% of the puzzle. And we're working really hard to gather more and more accurate data. So our answers could get more and more reliable as time goes on, but don't just provide that green dashboard and pass it up the line, because that's disastrous.
Boris: I see people are talking about this kind of dashboard disease. Maybe without dropping the names, it will be interesting to know what you or your team have recently achieved that you are already proud of.
Joseph: That's easy. I'll drop the name. With my team in particular, I've got the team that handles partnerships. So we've got Technology Alliances, which is what it sounds like, finding great technology partners that we can either get the content that they have, integrate them with our product to make it better or more efficient or partner with what they do for a living. And make that one plus one equals three or one plus one equals five model.
And then on the professional services side, we call solution provider side, we're making partnerships with companies that are just absolutely tip of the spear, bleeding edge, innovative strategic thinkers that are doing really big Risk transformation things.
And they, quite frankly, need somebody like us to get this stuff done. So a couple of recent things we've done on the technology side: we have a partnership with Ascent. So, they're the kings of regulatory compliance, and we have a regulatory and compliance application, but now that we have Ascent content added into that, it makes it a really powerful message.
On the professional services side, we have partners that are basically, I hate saying boutique, but they're smaller, really, really expert consulting firms that specifically go after certain industries. So for the folks that are working in the finance industry, this enables them to do some really, really good stuff. They now have a model where they can go in and their clients don't have to worry about going back in and manually updating banking regulations every three months or whatever it is, as these things are constantly changing and evolving.
They have a living, continuous risk monitoring model in place between the advisory services and an amazing technology solution.
We've done the same thing right now about vulnerability management. So we've got a partnership with Tenable and we have partners of ours on the solution provider side that are just begging for help.
This is what drove me into the GRC space 10, 15 years ago. I was running 10,000 hour ethical hacking engagements, 10 people working for three months producing an insane amount of data. And it really hasn't gotten that much better over the past 10 or 15 years.
So now we've got something that we can enable our partners with, that they can get into a client where they've got some of these really unique needs with vulnerability management, use us as the workflow and automation platform, have all of that amazing content from Tenable, everything is being pulled in and getting really close to this Risk automation process, where they got vulnerabilities coming in, remediation being taken care of, things were being pushed to the different business units in the company.
It's really an elegant solution to, what I mean, a need I had 15 years ago. So those are two of the things we're really proud of.
Boris: So what are the major trends in the GRC space that you see, and what can we expect from you guys in the future?
Joseph: Sure. There's an interesting trend that I know in large part has been spurred by 2020 and Corona and this move to work in different ways than we did in the past, and that's the whole outsourcing philosophy. There was a recent poll in February, I saw it and I couldn't believe the number was this high, quite frankly. Computer Security Magazine, I think, had it that 83% of IT leaders want to outsource security and Risk functions.
That's amazing. I've worked for four managed security providers over the years. If we had numbers like that 10, 15 years ago, it would have been astonishing. We were trying to get people to outsource stuff. So now I think that there are going to be two big things.
One is going to be automation. Again, our clients aren't in the risk and compliance business. Some of them may have departments or people that deal with that as a hundred percent of their duties, but unless they're another LogicGate or something like that, or an Ascent, they're not doing it for a living, they're making widgets or they're healing people or running restaurant chains.
So to get that done, they're doing it leaner with a workforce that may be remote. They need solutions to come pretty darn close to being fully automated. And I don't think Risk is any different. We had 20 some years ago configuring routers and switches and all that stuff, that was like a black art that's when I was doing a lot of it and it was a real big deal. People don't talk about that stuff that much anymore. Things became very mundane and they became less sexy.
It's really cool in the past few years to say you were a hacker and you do pen testing and all of these things, but everything's getting much more commoditized, and it kind of needs to. A lot of these things need to become operational so that the few people working at these companies can actually do their job.
If you're the only compliance person at a billion dollar company, or you are doing compliance, a couple of people in security, it's just three or four of you having to steer the ship. So everything you can do to take the operational things away and make your life easier, lets you do your job.
You can worry about the big picture. You can talk to the business leaders so you can do what you're supposed to do, which is to enable your company. So I think that automation, outsourcing of these things, moving into a managed model, is going to become a really big deal. And I think it should be, we've got clients asking for it and I think they're asking the right question.
Boris: Fantastic. Joseph, you are also a startup advisor, can you tell us what it takes to set up a successful business for a SaaS company, maybe in the GRC space in general?
Joseph: In general, have money. I've spent time with my friends over these years sitting around drawing stuff on a napkin saying, man, if we had 5 million bucks, this would be killer. There's a great leap between writing that down on the napkin and having the wherewithal and the gumption to go out and actually attack that problem and do it. I think there's a lot of great ideas out there going by the wayside, and in SaaS in particular, where a lot of these new kinds of cyber startups and things are.
I think it honestly boils down to your MVP, that first kind of a beta that you'd go out and show people. And even then I think it's really, really critical. Sometimes people will even build that first thing and build the app because they're a good coder, they have a good idea and they have a buddy that can help them make a framework for this thing at least, but they don't go out and get those two or three or four first innovative clients, good ones. It can't be my wife's flower shop or my dental practice or something, it's got to be a decent client that you can go embed this thing with.
Quite frankly, they are willing to take the risk with you. So it's a bit of a sales job. I mean, very rarely can you just have a pure technical startup with three technical people, you've got to have somebody who can get out there and at least make that first, second, third deal and get the MVP in the hands of somebody to really use it. Because once you get that referral, that's gold. If it's like anything else, it's word of mouth. If you get somebody that's willing to speak up on your behalf and they're a good brand, you have a heck of a lot better chance.
There's more than enough money out there right now. VCs are flooded with cash. They need to finance stuff, but they're not dumb. They're not just going to throw money at a pure idea.
Boris: The amount of unicorns now is growing in the security space, the privacy space. So from my own perspective, because I run Global Risk Community, a social network for Risk Managers, how can we potentially contribute to the process of a better understanding of this complex world of risks?
Joseph: I would focus more on the business, quite frankly. It's like I started off with everything that I learned. I learned back in the mid nineties being the computer guy fixing Windows 95 machines and keeping the servers running and making sure the router didn't go down, that was what I did every day for a living, my real job. But my real job, I was in charge of making sure nobody stole our patents.
That's what it really boiled down to. So I had a really intimate knowledge of what the plant I worked at made, specific products. I had a very intimate knowledge of what we did, and it's like Animal Farm. All things are equal, some are a little more equal than others. The biggest trick, and the biggest thing that Risk professionals can do to help other ones, is that triage of not just staring like a deer in the headlights at this flood of threats and risks in your environment, but figuring out which ones are more equal than others, you know.
It's like when I was still at pen testing and the vulnerability assessments, you come across those things. Once in a while there's like 50 critical vulnerabilities. You think, oh my God, while I see some of them in that bunch of 50, there's always one where you look at the client and you think you need to take a machete to the back of your wires right now.
Like you got to get off the internet. You're like, you're done. This is bad. And that doesn't happen all the time. But there's a lot of places where I think Risk professionals get caught in a decision loop and bogged down a little bit with the inertia and they can't really figure out what's most important for their company.
It could be you need to be PCI compliant. That's great. Again, you need to operationalize a lot of stuff to get it done, get it out of the way. Don't spend three months with auditors every year, be efficient with it, get that done and get it off your plate, then go worry about what the expansion plans are for the business.
And if there's this marketing campaign where you've got people walking on the beach with iPads, taking information from spring breakers, like how much Risk does that introduce to your environment?
Those are the types of things we need to help each other elevate that conversation on.
Boris: Finalizing, if someone who's listening to this interview would like to walk away with one or two takeaways. What would that be?
Joseph: Calm down. It'll be better. You can do, you could do yourself a lot of good and make yourself a hero by involving yourself in the business, even if they don't want you to be. And then start knocking down some small victories and legitimize what you are and what you do for a living, and become an asset to your company or your environment, your organization, whatever it may be, and always be studying.
I mean, this stuff changes so much, and we work in a field where the other security and risk people probably think of GRC as kind of dry, and it's a checked box and it's this and that.
I think the complete opposite. I'm the ultimate generalist. If this stuff was dry, I wouldn't do it for a living. I need variety in my life. So to me, I'm always just having to learn about the entire threat and risk landscape and collate all the stuff in my head, trying to figure out which ones are more equal than others in this space.
So always be learning. It's a big one for me.
Boris: Thank you. These were all my questions. Is there anything that I forgot and you would like to add for the audience?
Joseph: No, this has been fun. I'd love to come back. I love talking shop, and again, I feel like I have to go out and evangelize that what we do is pretty cool too.
Boris: We have two different types of interviews. The first one is a general one, as this one, and the next time you can do a deep dive on a specific topic. So you are welcome.
Joseph: Absolutely. I'd love to. It's great to meet you.