This is a transcript of our recent interview with Frank Vukovits, Director of Strategic Partnerships at Fastpath about
You can watch the original video interview here
Boris: Welcome to our Risk Management Show interview with Frank Vukovits. Frank is a director of Strategic Partnerships at Fastpath, which is the leader in audit, compliance and security solutions for mid-market companies. Frank, thank you for taking your time and coming to our interview today.
Frank: Great to be here. Thank you.
Boris: This is our second interview with you guys from Fastpath. We had the first one, a few weeks back with Aidan Parisian and we saw very high engagement and decided to invite you guys for the second interview.
Frank: Yes, he's a good colleague of mine; I've known him for a while.
Boris: Today we will do a deep dive into security controls as a strategic enabler and talk about many important things that auditors have been asking about.
Frank, for those viewers who didn't watch the first interview, can you perhaps tell us about what you and your team at Fastpath are up to these days?
Frank: Absolutely. Fastpath is a software company in the GRC space. We spend a lot of time working with customers around governance, risk and compliance, specifically developing great solutions that work to provide the right controls you need from security, audit and compliance perspective and controls around business software. So the traditional accounting systems, ERP systems, as they continue to evolve mountainous business software systems.
So SAP, Oracle, Microsoft Dynamics, NetSuite, those are the types of systems you work with. However, the last couple of years as the ERP space has evolved similar to security in the cloud, we've also moved our solutions into other business software solutions, such as Workday on HR side, Salesforce, Coupa. At the end of the day, controls are important for companies big or small, and many business software solutions either are lacking the controls auditors like to see, or the controls that are in place natively with the software require you to do auto manual processes.
So Fastpath really fills that gap that exists there. And we've developed a set of solutions starting 17 years ago here in the States around Sarbanes-Oxley or SOX and some compliance needs there for Microsoft, then it was called Great Plains solution. And the company has really evolved from there.
We don't offer professional services, but we have a lot of really smart people who understand security inside these different systems, how it works and where the data is at specific way. We mapped that with the knowledge we also have with our accountants and auditors and staff that understand how controls need to be designed in software to ultimately provide confidence. Not only if you get audited, but confidence to the CFO and the CIO and CISO so that their internal control system is designed and operating correctly.
Part of that design are strong controls in the area of security and we fill that gap that's there. We have probably now, 1200 plus customers in 30 different countries. And again, we've been doing this for 17 years, and we worked quite closely as well with the accounting and audit community.
In my role at Fastpath, I do a lot of that actually working with the big four and Grant Thornton, and Protiviti. There's a long list of audit partners we have that are using our solutions out in the marketplace to audit their clients, to provide services when there's external audit, internal audit security re-architecture projects.
And also we have lots and lots of system integrators, implementers out there that are helping our clients with deployment and Fastpath to meet their security needs as well.
Boris: Interesting. So let's start with a question that you probably have to answer many times, what should audit look at the IT security and the cyber world?
Frank: That's a great question. It continues to evolve. I was doing a webinar, actually a virtual session for an Institute in Toronto recently and that exact question came up. With cybersecurity now in the evolution of all the tools out there, it is a different approach to what auditors are asking for and what they're looking for.
In the past they used to be very, very focused on the ITGC or IT General Controls. As an example, testing the process for granting someone new access and following that paper trail, if you will, the user access request form, ask them basic questions about you, test your code before you move it to production from a development perspective.
Now with cyber, the threat landscape is much broader and they have to worry about security and the controls on the outside or the external threats, but still worried about security on the inside, the internal threats, that fraud that could exist in areas where traditionally they asked the ITGC questions. But now they're having to ask even deeper questions because of the technologies evolve.
And when you move applications to the cloud, they're not only asking questions and the auditors are only looking at areas they have in the past but now they're asking questions about the key vendors you work with, that you integrate with.
Everyone now has software solutions. Fastpath is no different that they've added onto their core business software systems be an API or web services. Auditors are having to ask questions about how you do vendor management and what questions are you asking those key vendors you're now doing business with electronically, do you know the controls are in place to develop their product? If your solution is hosted in the cloud, like Microsoft hosted on Microsoft Azure, do you ask questions about the host during the controls? They have to keep your data safe.
Those are all questions that auditors never had asked in the past. And then you have the cybersecurity questions as well, that in the past, maybe touched upon a little bit from a network perspective, but it's more important than ever to ask questions. For example, how you're protecting the perimeter of your environment of your company, your data center which is now probably a data center room, still important to keep the software and the hardware in that room secure, but also as your employees now work remotely, especially in this COVID world, we've been talking a lot about the Cybersecurity and a work from home world.
What are you doing and what questions should they be asking to make sure your employees are still working securely from home? Are they sharing their home device with others in their family? Is everyone at their home uses that computer? Are there good basic principles around strong IT security and awareness and not open up phishing emails. Last, more questions auditors ask, especially from external side, but there's one key stat I'd like to quote is that the Association of Certified Fraud Examiners that came out with their annual report to the nation study recently.
It looks at fraud, specifically, occupational fraud, whether intentional or not in the space. It’s only sampled 2,500 companies and they identified $3.6 billion of fraud in those 2,500 companies extrapolated the data out and estimated that 5% of revenue for all companies around the globe will be lost to fraud. It'll happen. Majority of that fraud is internal. So while it's important to talk about cybersecurity and all the controls and keeping the bad guys and gals out, there's a huge component still inside your company that you need to worry about your own systems and what you're doing with control lives, including your accounting systems, your HR systems, your CRM systems, that occupational fraud happens, whether it's intentional or not.
And you need to have a good eye on that. And auditors are asking more and more about that as well.
Boris: So what have you learned in this couple of months on the importance of security changed in the new COVID and the work from home world?
Frank: Great question. I think what we've learned is that the larger companies or enterprise companies that have large IT staffs have large help desks, have large security groups, they were better positioned to transition the workforce immediately to a work from home world. Not just because they have the resources, but also they could spend the time and had programs already to educate those users and quickly get them directions for setting up computers at home. Here's the security guidelines for working from home.
And those guidelines are not just for you, the employee at anyone that uses that computer. I'm making sure they have the right antivirus and the right malware protection, the right patches for their operating systems on their home computers. Those larger companies had groups already that had developed that type of guidance. They just had to push that out to their distributed employees now working from home.
Unfortunately with the smaller companies fraud happens just as much. In fact, I could argue that let's say a quarter million dollar fraud in a smaller company is able to bring it to its knees and probably put out of business. And that only has to happen once.
Larger company, Fortune 10, Fortune 100, they can stomach that a small company can't, but that smaller company has just as much exposure in the work from home world, all these threats as the larger company. And those are the ones with maybe they have two people in their IT department, they don't have a help desk. They've really not done much with security awareness training historically inside their company to begin with. They did not have programs to fall back on to quickly push out to the distributed folks, to educate them about the need for security and home.
I speak a lot about security. And one of the quotes I like is the chain is only as strong as its weakest link. It takes one weak link to break down the chain from a security perspective. Ironically, that's very similar to COVID right now that you could have social distance, do all the right things and if one person is not doing the right thing that chain can break.
From a security perspective it’s extremely important in these smaller companies that initially weren't prepared to work from home, as far as resources go with hardware and making sure that employees had the right equipment, and they did not have the right solutions that immediate they can pull in distributively to work from home, they didn't have a lot of staff already in place to educate their users about the need for strong security and to give that to their users. So they share with their family.
There's, many, many, companies that are working from home, where there might be only one computer and one internet access to the home. And that computer shared by the students working from home, shared by their spouse. And do they all understand the right and wrong way to use your computer and things to look out for?
We don't make this assumption. Everyone knows that. And I think that's been the biggest challenge that the smaller sized companies working from home, it's easy to say, okay, just log in remotely, but really the security around that device, that link is indeed secure and how do you educate your users to keep it secure?
Boris: All right. So how do organizations get more than only one IT department to engage in the need for strong security?
Frank: So, and that goes back to that last part. I like to draw an analogy when it comes to security to do it correctly, it's a company wide project with executive support. Where does that sound familiar? Hopefully that's the same way you're cutting me, ran the project when it implemented SAP or Oracle or NetSuite or Microsoft Dynamics or Salesforce or any of these large business software solutions that your company probably uses when you first implemented it, or when you upgrade, it's a company wide project, you need to have an executive steering committee with buy-in, the CIO, CFO, the CEO of the other executives, understanding why implementing that software was important.
The exact same thing is true with security. It's not just an IT project and us as auditors, a lot of times we see companies that think security is just an IT thing and in some cases, IT headache. We have to do it, but it's something we prefer not to do. It's something that does allow us to sell more software, does allow us to build more cars, It does allow us to acquire more customers. Well, I can make a strong case that security is a strategic enabler. And we'll talk more about that later.
Ultimately to do security right it has to have the executive commitment and then it trickles down all the way down to the lowest levels of organization. And that's where the security awareness is so critical. You might have someone working from home today, then the past worked in an office in the back of a plant and maybe never talked to someone in IT. So their world was to support the plant, working there with Office. Now they're working from home and they need to understand why, what IT is asking them to do is so critically important, the entire security of the company is that weakest link.
And if you don't set up a security project with the executive commitment from the top down, educating people all the way down and putting the right resources, the right dollars and the right executive commitment into it, it's going to be very difficult for your employees to buy into it and certainly from an investment perspective to do the right things.
Once your company puts the right security controls in place and starts to require a periodic review of users access, require running segregation of duty reviews, require looking at sets of access more closely and starts to require tracking changes to critical data, all those controls that Fastpath sell solutions for.
But more importantly, also as auditors we're asking questions about, and there are strong controls that people actually using the tools to implement those controls need to understand why it’s important. If you don't educate people, you don't explain to them that as part of a broader security policy, you're ultimately going to have people that maybe don't do the tasks how they supposed to.
Maybe this quarter, they don't look at all these items because they don't understand why it's important.
So ultimately strong security starts with executive commitment. It starts with putting the right resources there and the right education explaining why it's a company wide project, and it's not just an IT project. And then the other thing I'll throw in there, sometimes companies make the mistake similar knowing implement business off for thinking that the software's the silver bullet that just implement the security software and it'll make all your problems go away. It'll make the auditors happy. It'll provide the controls we need.
The only way to really do things correctly, whether there's any project around compliance, whether it's security, audit, government regulations, what have you, is that your executive commitment, has to understand that security is achieved by people plus process plus technology.
So technology is a piece that people process are equal piece. And if you don't educate people that correctly without one of those three things together, then you won't have the strong controls around security that you need.
Boris: So you just explained that a security is not really only about a strong technical solution, but how to choose the best framework for security control?
Frank: There's lots and lots of guidelines out there, lots of frameworks out there to follow and depending on what industry you're in, no matter what, and they would tell you first, you need to figure out if there's any specific regulations need to be following. Here in the States, we have the FDA and there's lots of guidelines they have that you have to follow around security for manufacturing, medical devices, prescription drugs, and what have you. If you work in government here in the States, FedRAMP has another regulation you have to look at. So the first thing you have to do framework-wise is to figure out if there's regulation or some standards you have to fall in.
Today's privacy world, I'm sure you're very familiar with that. I'm somewhat familiar with it actually had done some work with Fastpath internally with it and spoken to some conferences about GDPR and the privacy of personal data. Now, the regulation that you have to worry about out here in the States, we're starting to see some of that here with California has their own version of it, CCPA.
At the end of the day, there's going to be either international or state and local regulations standards that you have to follow from a security perspective. So that the first thing you need to identify.
Then second need to realize in addition to meeting the standards, there's also different frameworks. Different groups have put out there to make it easier to build security the right way with the right controls that will meet those standards.
So the ISO 27001 and the like frameworks. They're out there as a guideline, as a roadmap to help you with setting up a very broad security program from how you manage the security program to the technical approach you should have, to the education and users. So I would encourage everyone to look at a lot of free resources that are out there around these different frameworks, by designs that have been developed.
They want to push that out to the different businesses to have access to. And again, a small, medium size company, your two person IT shop can pull down some information that's free and use that as a good starting point. And again, I'd like to draw analogies to strong security and building up correctly to implement a business software. We used to always say, when we implement ERP software and to just like eating an elephant, you eat an elephant one bite at a time, even though elephant might be huge, you can't eat it at once.
Same with implemented business software, you can't do everything at once. You can't make everyone happy in the first time, same with security. You have to take a risk based approach. You're not going to set up security the same way across your entire organization, big or small because different parts of data, different business processes, different parts of your business operations are at a higher risk compared to other parts of the organization.
In the past path, we spent a lot of time working with our customers about talking, taking a risk based approach to security that applies as well in this scenario.
You need to figure out where you need to invest your time and money based on the risk profile of your company, what are the threats are? And then basically make some business decisions.
If we have X amount of dollars to spend this year on security, what's mapped that up against our risk assessment of our business and where we think the most of the holes are and the highest risk areas. And let's put a fair amount of dollars there first, because ultimately again, here in the States, there used to be a famous bank robber called Jesse James. And the little joke is why did Jesse James Rob all the banks?
Because that's where the money was from a security, audit and a risk and control perspective. You need to protect your most important assets. And if you don't do a risk assessment, you don't really know where those are, where the risks and where the threats are. So that's how I would approach it initially, people plus process plus technology. It is not just a silver bullet technical solution.
Boris: So once the framework in place who actually owns security inside an organization, IT, audit, the business units, or what is your take?
Frank: So unfortunately I think what we find a lot is that, especially again in a smaller organizations, even after we implemented, security is considered to be owned by IT. And that's just a flawed approach. IT may be the one that is doing the most risk security, provisioning users, running reports. If you have an information security department that probably rolls up through IT, but that's the operation side of security. It doesn't mean it's the same as the ownership side. Ultimately strong security is owned across the organization at the executive level.
I've been around a long time and I worked at corporate audit for Verizon for many, many years starting in the late eighties. I can tell you security back then was viewed just as an IT thing. I was an IT auditor, we go out and do IT audits. When we audit the data center, we would just present the results of our data center audit to the CIO and his or her organization, not the business users, not the COO, not the CFO. And that was unique. And it was flawed back then because ultimately who is using all those applications that run in the data center? The different business units that are spread out across your business operations.
So their data, their applications exist in a data center. They had just as much at stake to know that it's control, correct correctly as do the IT people that are working daily in that data center. So take that now, 30 plus years from an owner security perspective, ultimately it needs to be owned and be committed to from all your executives.
CFO is worried about your accounting system on his suite in generating strong financial statements. But also the CFO now has to worry about a business relationships you have and dollars going in and out.
And other things involve technology. The CIO was always worried about controls from an IT perspective. And now they have to worry about the different operations and applications they have to support the business that might be more distributed, might be in the cloud. And that worked closely with the sales function and the manufacturing function or the HR function. Your CISOs now, Chief Information Security Officers, you're oftentimes viewed as the owner security. We split that off from the CIO. Ultimately I would argue still a strong security has to have executive commitment and ownership across the company.
And when they talk about security, those the CFO and the CIO and the CEO, the CISO need to be involved. I know here in the States, there was a guideline that came out from the PCAOB years ago, couple years ago that said publicly traded companies when their board meets, and that's usually every quarter, they have to talk about cybersecurity. Well, your Board members aren't all IT people. That's your Board. Now talk about security. If that's good enough for the Boards to talk about it, people with different backgrounds, it's good enough for your executives to talk about and be committed to and understand they all are a part of that ownership or security.
That doesn't mean, however, what IT does is not as important as was in the past. Operationally, it is still the biggest component, execution wise to what's going on with security and all the things they do.
Boris: All right. So summarizing, if someone who is listening to this interview would like to walk away with one or two major takeaways, what would it be?
Frank: So, number one, that the companies big or small, controls are important. Yes, we talked about a lot of that aspect because we're in the business, but that taken off my Fastpath hat, I'll take it off for a second. I put my auditor hat on. Controls are important for any company because ultimately they protect you big or small, public or private.
So it doesn't matter if you're getting audited or not. When you hear people talk about the need for strong controls and strong system that applies to your Fortune 10 companies and multibillion dollar companies. And that applies to the mom and pop, the husband and wife company, that maybe is only doing a hundred thousand dollars a year.
Going back to the report by the certified association of fraud examiners, that threats out there with fraud, you need to have the right controls in place, big or small to protect your financially and operationally and from IT perspective.
That's the first thing, don't think that worrying about strong controls are just a thing for IT audit, it's not.
And then the second thing I would say is the key take back is if you are getting audited, the relationship you have with audit should be a positive one. You talked to about who owns security. Is it IT, is the business owners, is IT audit? Ultimately, if you are working with auditors and work with organization, that is, they are there to be an enabler to make your company more successful.
We talk about security as a strategic enabler to companies, auditors serve a purpose. Sometimes it seems adversarial. And again, the person they're auditing may not understand why the audits important, this broader scheme of things, internal control system. I'll go back to chain of only strongest or weakest link from a security perspective. The same holds true with their internal control system. If there’s a part of their organizations that don't have the strongest controls, that one weak link can be compromised that can lead to that part at 3.6 billion of fraud last year alone, and 2,500 cases and across 125 different companies according to Certified Auditors Association.
So don't be afraid of auditors, they're there to help you and work with you.
And ultimately, again, this is more of an internal oversight, but even external oversight, what they're doing is, one to protect your company, two is put in a better position from a strategic perspective. And I think sometimes us as auditors get pigeonholed into and an adversarial relationship, we've worked really hard over the years, trying to build how we communicate better with the folks in the business, how we explain to them better what we're doing, but ultimately it's about education for strong security, education for strong audit, education for strong internal control systems period.
And remember a chain's only as strong as its weakest link.
Boris: All right, fantastic. Thank you Frank, for your time and I wish you and your company high growth and that we can see you more on our community at www.globalriskcommunity.com
Frank: Absolutely, I appreciate the opportunity Boris, and look forward to meeting you in person. Hopefully I'll be over at a conference. And then another one is sometime here in 2021, perhaps. Thanks. Have a great day.