Don't let the security questionnaire stall your deals with Kayne McGladrey, Field CISO at Hyperproof

Andrew Monaghan [00:00:00]:

If you've been selling at all for any length of time. You know how deals can get completely stuck if you don't have the relevant security controls and assessments in place to pass the vendor assessments that your prospects will put you through. Especially if you're selling into highly regulated industries such as finance and healthcare and defense, things like that. But when should a startup start doing this and how do they go about doing it? Kayne McGladrey joins us today to demystify this whole area. Kayne has been a practitioner and a CISO. He's led consulting organizations at vendors, and now he is the field CISO at Hyperprove. So if you don't like your deals getting stuck or slowed down in procurement, don't miss this episode. Welcome to the Cybersecurity Startup Revenue Podcast, where we help cybersecurity companies grow revenue faster.

Andrew Monaghan [00:00:59]:

I am your host, Andrew Monaghan. Our guest today is Kane McGladry, field CISO at Hyperproof. Cain, welcome to the podcast.

Kayne McGladrey [00:01:08]:

Thanks for having me on the show today, Andrew.

Andrew Monaghan [00:01:10]:

I'm looking forward to this. Kane, you're not our usual type of guest. You're very different. Your background is that you've been a practitioner in security, you've been a CISO in security, you've been on the vendor side where you've led and built professional services and implementation organizations. And right now, of course, you're the field CISO at Hyperproof. But we're going to get into an area, I think that some startups wrestle with, which is we're pretty small, but we want to win some big customers, we want to do the right thing in terms of our risk posture. At what point should we start investing in getting some security folks on board? When should we start going for things such as SoC Two to get the credibility we need to win big customers? So it's a whole area, I think, that companies, early-stage companies, kind of wrestle with. So I'm looking forward to having your perspective on all that area.

Andrew Monaghan [00:02:07]:

All right, well, let's continue with the business side of this. So, Kane, Field CISO is a title or something like that that's been around for a little bit, but not that long, right? Going back 1015 years, it wasn't something that was all that common, but now it seems more and more common. I thought that since you were on, get a bit more thoughts about being in the Field CISO role. What exactly are you doing day to day? What value do you bring to the organization? Give us a sense of what it's all about.

Kayne McGladrey [00:02:33]:

So I think the Field CISO role is a recognition on the part of companies, including Hyperproof, where I'm at, to separate the role that a CISO would typically or a CISO would typically do. So a lot of companies have this expectation that CISO is going to be the person who can talk to the board and they can write Python code and they can do Incident response and they can manage a multimillion-dollar budget, and they can do all of that somehow in a 26 hours day, only eight days a week. And I think that forward-looking companies. There was a fintech I worked with down in the Atlanta area maybe five years ago where they had separated the CISO role into three distinct parts. They had the policy person who was responsible for ongoing governance. They had the implementation person who was responsible for making sure controls were getting implemented, not implementing them themselves. Then they had the public-facing person who wasn't named a field CISO, but their goal was to separate people based on their unique strengths and their unique talents. And when I moved from being a traditional CISO to becoming a field CISO, I tell you, it's a bit of a joy because I've previously done things like ITAR and ISO and FedRAMP and so on.

Kayne McGladrey [00:03:52]:

And at Hyperproof, I'm buttressed actually by my co-host on Drafting Compliance, one of our podcasts, Tom, who is responsible for our FedRAMP uplift because I was offered, hey, do you want to, in addition to doing field CISO work, do you want to do FedRAMP policy development work and implementation? I was like, yeah, no, I've already got enough gray hair. I think I'm good on that front. So a lot of what I do is evangelism or outreach associated with the media. A lot of earned media, as well as podcast appearances, media appearances, talking at conventions, as well as talking to investors and prospects occasionally to look at where compliance operations fit into an organization's, day-to-day operations and how it could be an improvement for them. Or alternatively, if it is not even vaguely a good fit. I think there are a lot of companies out there that right now are trying to figure out how to talk about risk effectively, how to communicate it, how to measure it, and how to proactively act on it. I think those are the companies where they're a natural fit for Hyperproof. It's a great conversation with me about that.

Kayne McGladrey [00:05:05]:

And there are other companies where they still think that cybersecurity is an It problem. Those are the ones where if I can't change their mind, at least I can give them the idea that it's not just an IT problem that we're out to solve here.

Andrew Monaghan [00:05:20]:

I love the idea that the skill set to go and do what you do right now is talking, meeting with people, be influencing them. Evangelizing isn't always a skill set. As a person who's used to doing some Python coding right. Sometimes just not their belly weight to go out and be more public, right?

Kayne McGladrey [00:05:39]:

Definitely. I think the other thing is that and this is possibly a cautionary sales to be a field CISO, I think there's an entry criterion that you have to have previously done the job because you're going to be meeting and talking to other CISOs, and other senior executives. And that is a very different conversation than when you're leading an implementation team, or if you're doing work in the trenches, or if you just come from, I don't know, a straight communications major or marketing background. You might have the ability to speak, but you might not understand the context and the broader outlook of where things are going right now. Consequently, in addition to doing CISO work, I mean, I spend an inordinate amount of time reading law journals, probably more than I should. If you see me on LinkedIn, you'll see a lot of my stuff comes from law journals these days rather than technology journals, because I think, as you've said, a lot of cybersecurity vendors aren't doing anything bold. And a lot of the more interesting work I'm seeing right now is legislative or regulatory. And that's in response to a potential market failure associated with innovation and making meaningful investments in cybersecurity.

Andrew Monaghan [00:06:52]:

And are you joined to the hip with the sales team or you got a wall between you guys and you kind of do your own thing?

Kayne McGladrey [00:07:00]:

The sales team and I get on pretty well. I think that I'm aligned as executive operations, so I'm in the executive team, but I've spent. I think the marketing team pays my bar tab, bless them for that. They also send me to events, and the sales team can get me on calls, can work with me as necessary, but it's not a direct one-to-one relationship.

Andrew Monaghan [00:07:24]:

Right, right, okay. But if I was on the sales team at Hybridproof, I would love the fact that I've got someone in the company who has credibility and the ability to get to know, engage with people extremely well, and be influential with them right. Without having the sales in their title. Seemed to me that'd be a weapon that I would want to have.

Kayne McGladrey [00:07:44]:

I think that that's a fair assessment.

Andrew Monaghan [00:07:46]:

Remember the first time I heard about this, I think years, probably 2015 or so, when Malcolm Harkins left? He was the CISO at intel, and I think it was intel, and he left there to become I forget what his title was, field CISO. Like, something like that. At Silence in the early days, he must have known Stuart McClure from various things and he became that role there. And I remember that time thinking, that makes a ton of sense. I like that idea. If I was in the sales team, I would think, yeah, I want more people like that than necessarily, I don't know, another email campaign from my marketing team.

Kayne McGladrey [00:08:22]:

Yeah, I think the other challenge with being a field CSO and convening a Field CISO roundtable invite-only activity, I think a thing we all collectively struggle with as Field CISOs is not being sales. So I am not a picks and clicks guy. If you want to talk to me about the macroeconomic portrait here's how things are trending across the world and here are possible strategies that we could use. Sure. Cool. If you want to talk about business-level risks associated with that, awesome. Cool. Fun.

Kayne McGladrey [00:08:54]:

If you want to talk to me about why our product is the best thing no, sorry, wrong. Not me. I certainly have a strong opinion that's why I joined the company. But it's not like I don't carry a quota and I've only ever met one field CISO who did and they recognized at the time that it was a bit of a squidgy fit. I think that all of the field CISOs I know are fairly broad brush. We are all former CISOs, and we all have that breadth of experience to be able to figure out, like, does this solution that you're looking at make any logical sense for your business, or should you be looking at something else? Should you have table stakes things in? Something we're good at doing in cybersecurity is selling shiny widgets that don't necessarily solve business problems, they just solve people's sale quota reduction problems, which doesn't help the company that bought it necessarily. There are a lot of point solutions out there that despite having seen them, I keep looking at them and going, yeah, you're an acquisition target, you're an acquisition target. So if you do a relationship with them right, contractually just expect they won't exist in two years and you'll be negotiating with somebody else.

Andrew Monaghan [00:10:00]:

Yeah. A final thought on this area that back to your point about trying to draw that line between not trying to be the salesperson or the se, but trying to have a different view. One of the things we talked about before is the idea that when someone thinks that you or your company just absolutely understands the problems they're facing inside and out without even having to talk about your product, they just intuitively think you also have the solution. It seems to me that many vendors, especially salespeople, are not good at that. Let me be the expert on the problem. They believe their role is the expert in the product and therefore the solution. And it seems like what you would bring is that gravitas to the experience, the title to say, yeah, we're going to show that we understand the problem inside of that.

Kayne McGladrey [00:10:49]:

Part of that also comes with working with product management, which is another aspect of my role at Hyperproof, where I have the privilege of talking to people who are our designers for each aspect of the product and the solution. So I have a conversation, for example, with our risk designer who's responsible for both first-party and third-party risk, or for the person who's responsible for our audit function or our framework function. And in those I can bring the perspective of this is as a CISO, what I'd be looking for? If you're going to show me a dashboard that shows me my first-party and third-party risks. Here are the elements that I need and here's what I need to be able to draw from that. And here's what I need to go into my board meeting with because I've done that before and I've also done executive advisory before, where I've seen CISOs struggle with tooling to get a deck together to put in front of their board. It tends to be a common problem. But also in terms of future products about evolution, we recently closed our Series B and there are conversations now on like the whole world is talking about generative AI, right? And I fully anticipate the next RSA is going to be a lot of lipstick-wearing pigs. And my conversations with the product are, let's not do that, please.

Kayne McGladrey [00:12:04]:

Right, let's look at if we're going to invest in generative AI, let's have it be sensible. Like, nobody wants a chatbot to say, how do I build a compliance program? That's a nonsense feature. Now, some people might choose to build that into their product. To me, I think there are more thoughtful applications. The work that I might have put on an associate consultant for evaluating evidence for Adequacy and Sufficiency, for example, is something that I think AI could be helpful for. But you can't just throw AI, put it on your booth at RSA, and say, job done, because we all tried that with zero trust and we saw exactly how burned and cursed of a term that's become. And I'm trying to steer the conversation on. Let's be deliberate here.

Kayne McGladrey [00:12:51]:

Let's not just jump on the bandwagon with everyone else.

Andrew Monaghan [00:12:55]:

Well, I can tell that you're very passionate about the different facets of your role as a field CISO. There are two or three really exciting areas that you're working on and you don't have to worry about audits and things like that you might have had to do in previous lives.

Kayne McGladrey [00:13:09]:

This is very true.

Andrew Monaghan [00:13:10]:

Yes. It's a joyful question on that, though. When you joined Hyperproof, what employee number were you? How early did you come on?

Kayne McGladrey [00:13:20]:

Oh, boy.

Andrew Monaghan [00:13:20]:

Roughly?

Kayne McGladrey [00:13:21]:

I don't know. I think somewhere in the 50s.

Andrew Monaghan [00:13:24]:

Okay. I would say that's quite early. Right. I would imagine the management team there was quite thoughtful then about what this role would be like and what it would do. You don't see many roughly 50-employee startups employing someone in this role. I wish more would do it because I think there's a lot, especially now, where a lot of the old ways of generating pipes seem to be not working nearly as well as they used to have someone knowledgeable and known and trustworthy in the community out there advocating for the problem and solving it. It must be a huge value to organizations. If they could move a couple of SDR headcounts, for example, two or three, to bring in someone like yourself, I would imagine they get a much bigger bang for their buck.

Andrew Monaghan [00:14:09]:

But Kane, let's move on to the original premise of the discussion, which was we're going to continue with the idea of this company we've been talking about, this fictitious company, Cyber Donut. Cyber Donut is a vendor. They've got roughly five to eight reps on board. They got their 1st 20 customers. They're growing nicely, right? But they want to go after big companies now. They're going after enterprises, maybe financial services, banking, defense contractors, things like that. And somewhere along the line they've realized, or are about to realize they're going to be asked questions in the vendor survey or as part of the procurement process. So where are you guys at with your own risk and compliance program? And they're going to ask a whole bunch of questions that you might have to answer no to, which is not good in terms of getting selection.

Andrew Monaghan [00:14:58]:

And so therefore, at what point should Cyber Donut be saying, we need to do this, we need to figure out what we do, how do we approach it? So how do you advise companies such as Cyber Donut to start thinking about this whole area?

Kayne McGladrey [00:15:12]:

I'm going to oversimplify this and put it into three distinct steps or three distinct phases. And I think the impetus for this is not necessarily Cybersecurity, which might come as a surprise to me, but it comes down to we've had a persistent narrative in the industry of cybersecurity as a cost center. It's a black hole, if you will, into which you pour money and effort and only breaches come out. And I think that's the wrong way of thinking about our industry and the discipline of cybersecurity as well. It is a competitive sales differentiator. And I think that as companies start to not even sell up market at this point when you're in the mid-market, there is a lot of there's this emphasis on third party risk and supply chain risk that has become pervasive in the past few years whereas companies are acquiring products or solutions, a lot of companies are using questionnaires which can decelerate and slow down and become an obstacle that causes companies to miss. They're financials because the deal didn't close. After all, they're still filling out the questionnaire. Or they're going back and forth on the questionnaire.

Kayne McGladrey [00:16:26]:

Or the company wants to send their assessor to do an evaluation. And so I think as companies start to initially bump into that, it only gets worse that one does not ever get better. And so I want to talk through kind of the three things that make that feasible and survivable for a small company. And the first is a kind of table sale. Pick a table stakes framework, something like the Center for Internet Security's, critical Security Controls Implementation Group, one that's super bare bones easy. Like if you are not doing these basic things, you probably are not going to be in business for a very long period. Because you're going to have either reputational issues, you're just going to get breached and get rolled up and all your infrastructure gets burned. But I also think that as companies look at that, or, I don't know, NIST CSF has some prescriptive controls.

Kayne McGladrey [00:17:21]:

Now for early-stage companies, there are others as well. Don't necessarily think that you have to buy all the shiny products and don't necessarily think that you need to do it yourself. The reason is, even though these are like the bare minimum for a company to have the trust of their customers and earn the trust of their prospects, you don't have to staff that because there's a talent war going on right now, and there's a product war going on right now where there is a lot of cybersecurity. Salaries tend to be higher than the market average, and products do tend to get more expensive over time. And so I think the first thing is to look for a service provider, a managed security service provider, an MSSP, instead of trying to fight that talent war, right, try and see which of these controls when I say control now, this is the former auditor in me coming out of control is people process or technology. We always in this industry, focus on that third element of, oh, look, shiny technology. No, it can be a person, it can be a process, or it could be a technology. And for those where the MSSP can provide that, heck yes, have them do that as much as possible so that your company can focus on your core business value and your core business strategy and implementation and engineering, rather than like, how are we operating all these security controls in as lightweight a fashion as possible?

Andrew Monaghan [00:18:45]:

And should they bring in someone then as an FTE to work on this? And even though they might work on MSSPs, things like that, or is this something an outside consultant could help them with?

Kayne McGladrey [00:18:55]:

I think if before your Series A, or maybe even in your Series A, this is something where the MSSP if it's a reputable managed security service provider, they're going to have the staff and the time. Of course, now you can work out the time allocation that you get from your MSSP, but they're going to have that ability. So I don't think this is a dedicated FTE. I think that the only dedicated FTE might have on this one is your It person who's going to be working alongside the MSSP for any implementation details.

Andrew Monaghan [00:19:27]:

That they have it. So they're the ones you can turn to to drive it at the start before you get to maybe A or B right level of funding. By picking a framework, you're answering one of the first questions that you'll get, which is, what do you base your program on? Right? And if it's a shrug of the shoulders, it's whatever Jimmy thought would be a good idea. That's not necessarily what they're looking for. Right. So even just by saying CIS or NIST or whatever, you start to build up some credibility that you're thinking about things correctly, right?

Kayne McGladrey [00:19:57]:

Yes. And that also has knock-on benefits. If you're a business in Connecticut or Iowa or Utah or Ohio, you get an affirmative tort defense because the legislatures there have realized, like, if you're trying to do reasonable cybersecurity and your policies say you're following something better than what Joe who lives in the basement told you to go do. ISO CIS NIST. Don't care. HIPAA. They will say, you know what, if you get a derivative lawsuit, you don't have to deal with that. It's just get out of jail now.

Kayne McGladrey [00:20:27]:

It won't help in criminal proceedings, and this is not legal advice. However, it does recognize the value of that. So there are knock-on benefits associated with that.

Andrew Monaghan [00:20:38]:

Got it. So the first step is to pick your framework.

Kayne McGladrey [00:20:41]:

The second step and a partner to help you with the implementation. So the next bit of it is on the creation of a corporate risk register. You might be thinking, wait a second, he's a former CISO, he's a field CISO, and he says, create a corporate risk register. And I'm saying that because I don't think that a business risk is different than a cyber risk. I think that if you think of let's take a tornado, for example. Let's say you have manufacturing capabilities in a location where tornadoes are a thing that happens. You can put a lot of controls in place. You can have reasonable, I don't know, building codes.

Kayne McGladrey [00:21:21]:

You can build in maybe an area that is less susceptible to being hit by a tornado, but there's still that risk that happens. Similarly, you could have a ransomware attack or you could have an extortion attack or you could have some kind of cyberattack. In both cases, your outcome was you don't have manufacturing capabilities at this point. Now, that's one was the cyber risk. One was the business risk. No, there's no such thing as a cyber risk. Cyber is an influence on business risks more than anything else. And the thing that I've found in years of talking to companies about risks, if people don't agree on the definition of words, you're not going to have a productive conversation.

Kayne McGladrey [00:22:04]:

And so get everybody who is a stakeholder in risks, and this is not a cyber exercise at all. What does the word low mean? What does the word high mean? What are the categorizations of risk? Is it a reputational risk? Is it a legal risk? Is it a financial risk? Like, what are these terms mean? Write it down. Get everybody to sign off on that. And the reason that that's so important before going any further, is that's what your board expects. That's what your investors expect. That's what your sea-level executives who you bring in, that's what they're going to expect. Because the thing that I've seen pervasively is if the CEO thinks that a high-level financial impact is going to be a million dollars and the CFO thinks it's going to be $250,000 right? You can't have a meaningful conversation over risk tolerances at all.

Kayne McGladrey [00:22:59]:

And I've seen this in ten-person companies. I have seen this in Fortune Ten companies. It runs the gamut. If you don't get the risks written down and agreed upon with standardized definitions, stop. Don't bother going any further. But also get this baked in as early as possible culturally, because companies don't like having conversations about risks. It's an uncomfortable conversation.

Andrew Monaghan [00:23:26]:

Kane, let's learn a bit more about you. I've got a list of 35 questions here. The good news is I'm not asking you 35 questions. I'm going to ask you to pick three numbers between one and 35.

Kayne McGladrey [00:23:38]:

Let's go with number eight.

Andrew Monaghan [00:23:40]:

Number eight is tricked out. Jeep or German car with all the.

Kayne McGladrey [00:23:45]:

Gadgets, probably a Jeep. If it can get up to Mount Baker, that would be my favorite.

Andrew Monaghan [00:23:50]:

Tell me about Mount Baker.

Kayne McGladrey [00:23:52]:

Mount Baker is our well, let's see now. This is a nationally syndicated podcast. Rains all the time. Worst ski hill ever. Never show up there. It's green, it rains, it's full of rocks. Terrible. And all the locals will tell you that.

Kayne McGladrey [00:24:05]:

And anything you see about world-record snowfall is an absolute lie.

Andrew Monaghan [00:24:10]:

Which part of the country is this?

Kayne McGladrey [00:24:11]:

Bellingham, Washington, the city of subdued excitement. Kind of closer to Vancouver, Canada, than to Seattle, Washington.

Andrew Monaghan [00:24:19]:

Got it. So, Mike, Baker is wet, which is why you need a Jeep to get up there. Is that what you're telling me?

Kayne McGladrey [00:24:24]:

Oh, definitely, yes. That's what we do in the winter. I've been an avid snowboarder for the past 30 years now, I think. And yes, definitely, it's very wet up there. Don't go and certainly don't buy your season passes.

Andrew Monaghan [00:24:36]:

Yeah, I'm lucky enough to live in Colorado, so we usually get good snow here every year. We've had a couple of winters where last good never as bad as some of the unfortunate winters in Tahoe. I know they've suffered a little bit in the last 1015 years, but we do pretty well here. But it all seems like Utah is the one where they talk about truly getting the big powder and the huge dumps and many feet every year. So I'm kind of jealous of Utah.

Kayne McGladrey [00:25:02]:

Yeah, you get that light, fluffy snow. We get what we call cascade concrete, which is a distinct experience. It's kind of like mashed potatoes.

Andrew Monaghan [00:25:12]:

All right, the next number would be more than 35.

Kayne McGladrey [00:25:14]:

Let's go with 27.

Andrew Monaghan [00:25:16]:

27 cats or dogs?

Kayne McGladrey [00:25:19]:

Cats.

Andrew Monaghan [00:25:19]:

That was a quick answer.

Kayne McGladrey [00:25:21]:

Easy question. Yeah, I'm looking at one right over there. My Norwegian forest cat, who last year appeared in the company commercial. Oh, really? Yeah. Sometimes people will walk up to our booth still at events and see the cat video and just be entranced by that. And they'll go, oh, wait, is your cat here? And now we're debating if he wants to come to conferences with yep, there he is. Well, hold up. Do we want a guest appearance real quick?

Andrew Monaghan [00:25:46]:

Go on, then. Come on.

Kayne McGladrey [00:25:47]:

All right. Come here, Modi be on camera. He's like, wait, what?

Andrew Monaghan [00:25:52]:

Okay, so I haven't done my makeup.

Kayne McGladrey [00:25:53]:

Norwegian Forest cat.

Andrew Monaghan [00:25:55]:

Oh, big and fluffy.

Kayne McGladrey [00:25:56]:

Yeah, they're very small. He doesn't fit on screen. Yeah, he's two years old and they grow to be about 20 to 25 pounds. So he is about 17 pounds, would you say? Yeah, about 17 pounds. So he's still got some growing left to do.

Andrew Monaghan [00:26:11]:

Now, how did he end up in the company video?

Kayne McGladrey [00:26:15]:

I suggested that it would be a fun twist to put him in, and the editing team decided, hey, why not? Let's see if that works. And he's just got a natural talent for theater, it turns out. Admittedly, a lot of the time he spent in the dressing room until it was time for him to go on camera and he just knocked it out of the park when he got on stage.

Andrew Monaghan [00:26:36]:

Listeners of the podcast will know that I've been on various rants over the years about how cybersecurity companies need to be bolder and do things differently. Right. When they go out there in the market, you can't just be giving boring, value props to people all the time. And I'm always looking for people that just try just try something different. Just something right. So it might stand out. It sounds like your cat might be starring in the world of cybersecurity vendor videos.

Kayne McGladrey [00:27:02]:

He has been. Yes, indeed.

Andrew Monaghan [00:27:04]:

All right, last number, team. One in 35. One in 36. Sorry.

Kayne McGladrey [00:27:08]:

Let's go with 1919.

Andrew Monaghan [00:27:12]:

Is it GIF or JIF?

Kayne McGladrey [00:27:16]:

Oh, dear me. Are we allowed to be friends after we have this conversation?

Andrew Monaghan [00:27:21]:

I don't sense your answer. This could be cut short very quickly.

Kayne McGladrey [00:27:26]:

Oh, dear me. Loaded question. So I go with Jif, even though my kids relentlessly mocked me for that one. I go with Jiff because that's how I heard it pronounced when I first came out. And it's one of those historical anachronisms, I'd say, more than anything else.

Andrew Monaghan [00:27:42]:

It's one of these things where people have strong opinions about which way it should be but for no good reason.

Kayne McGladrey [00:27:50]:

Yes.

Andrew Monaghan [00:27:51]:

I've never heard anyone give a logical reason why one or the other is the right way to do it, but yeah. So you're a GIF guy, which is fair enough.

Kayne McGladrey [00:27:57]:

I am. You have animated GIFs?

Andrew Monaghan [00:28:02]:

Yeah. Let's try and make this real for cyber Donut, then. I mean, this is a company. Let's say they're based on some of the east coast of the US. Tornado is not their thing, but what may be examples of the type of things they should be thinking about that's relevant for a software development company, essentially? Right. With 50. Employees, five to eight sales reps.

Kayne McGladrey [00:28:20]:

So I think one of the risks well, there are possibly many of those risks. One would be the loss of intellectual property more than anything else. I think that's one of those because if you lose your intellectual property, whether through corporate espionage or whether through denial of service, that you can't get it out at your platform anymore because somebody's taken over it, that becomes a risk and it's a business risk ultimately, and that you can't do business at that point. Another risk to consider would be the loss of all of your data. And that's especially important if you are processing data, especially for either California citizens or more pointedly, EU citizens, because of privacy risks associated with the loss of all the personally identifiable information that companies have. That becomes a regulatory risk and it also becomes a reputational risk. And you can, of know, stack, and rank those as you like. And then for a software development company, the other thing that comes to mind is financial impact risks.

Kayne McGladrey [00:29:25]:

Like if you have a cyber incident that was to cause your workforce to be working on that as opposed to building software because a breach is going to suck up time, a breach is going to suck up resources. And that means your engineering resources. Instead of dealing with building a new product, they are going to be dealing with cleaning up the mess and trying to perhaps rebuild their infrastructure. Again, that's a risk that we have to consider because that's going to decelerate any product development we have. So if you had a contractual obligation that says we are going to deliver this feature by this day, right? Companies do that all the time and if you have a breach, your risk becomes you're going to miss contractual obligations that you have to your existing customers. So it's those levels of risk and more that companies have to document and then decide, how comfortable are we with that? Some companies will be fine. Like, yeah, we might miss a date. That's okay, right? But if our reputation gets damaged, maybe that's not okay.

Kayne McGladrey [00:30:27]:

And that helps assess how those risks will be treated.

Andrew Monaghan [00:30:31]:

That feels like a much higher level discussion than your first step around a framework to work off who usually you would look to drive this inside the company.

Kayne McGladrey [00:30:41]:

It's going to be whoever owns risk ultimately inside of the company because they're also going to become the first person who operates this risk program. I've seen that more often than not be the CFO just because that tends to be their core skill set and their aptitude. Outside of that, if you've got internal counsel, they might be able to do it. If you've got external counsel, then you're paying through the nose to do it. And I wouldn't recommend that. It's most commonly the CFO or somebody with that background.

Andrew Monaghan [00:31:13]:

Yeah, that makes sense. And so they got to drive this at the executive level to have discussions about the company which is kind of fundamental to what the company is all about, it seems like, right?

Kayne McGladrey [00:31:23]:

Yeah. And also the investors will want to know what are the risks that are facing your business. And some of those are going to be your traditional market competition or expansion into new territories. And some of those are going to have cyber elements like increased risk of regulatory oversight resulting from a breach.

Andrew Monaghan [00:31:43]:

So what's step three?

Kayne McGladrey [00:31:44]:

So step one was we got ourselves some basic table sales controls. And two we've figured out what are our risks. Right? So this becomes now a decision point for companies do we have a reason to go get an external Attestation that's going to help us create some trust and smooth our sales cycles instead of spending our time filling out endless security? Questionnaires and this is something that the MSSP that you're working with, maybe they've got like a virtual CISO, a V CISO to do that initial uplift. Because if you can say here are the business risks that we have and select controls to mitigate those business risks. And if those just happen to nicely align to something like, I don't know, to a sock two or something heavier like an ISO 27,001, if you can get there, if you can make that business case, the, the outcome becomes you can build something like a trust center. So when a company comes, a prospect says, well, we have this miserable 1200-question SIG that we'd let no, you don't need to fill it out actually. The reason why is here's all of the answers on our trust center, or here is our sock two, type two, or here is our ISO 27,001 Attestation. And that is going to reduce the amount of friction associated with sales cycles from a lack of trust.

Andrew Monaghan [00:33:03]:

And anyone who's on the podcast has been in sales at a company early stages. You'll know, when you get that vendor questionnaire through and it's 40 pages and 750 questions, trying to get the resources to work on that, it better be a big deal, right? But sometimes, unfortunately, just working in your entry, your land deal at a big company requires that level of effort to go through. So I like the idea of the trust center where you can collect these artifacts, right, so you can at least try and take control of the conversation to say, look, here's what you can get from where we are right now. We want to work with your questionnaire and things like that. But first of all, let's look at what we have and see if this satisfies your requirements, right? Some companies will gladly work with that. You'll probably still get the big financials who will say it's my way or the highway kind of thing, right? And you'll have to sit there and do the translation. But I do like the idea of.

Kayne McGladrey [00:33:57]:

The Trust Center, but it also gets us ahead of the conversation. So the thing that I've learned and the thing that I've heard consistently from other field CISOs is the person who offers first probably is going to win that negotiation. And so if you wait for a prospect to say, here is our questionnaire, and it's this miserable online portal that has an unknown number of branching questions that you're going to have to fill out, it's going to suck to be you. If, on the other hand, you say, look, here is all of our proof that we are doing the cyber is okay, they might come back and have missed that and say, well, we still want to send a person to come. I was talking to a friend of mine. They have an ISO 27,001 certification. The prospect wanted to send a person to their office. They have a virtual office and nobody works there.

Kayne McGladrey [00:34:44]:

It's just like they have some least office space and they said, we're going to send a person and they're going to do an assessment. The conversation comes. Okay, so you think in a four-hour conversation you're going to do better than an ISO auditor who spent three weeks with us. Are you feeling okay? Do you understand how this thing works? And sometimes that's necessary. Now, as you say, occasionally financial companies or other companies that are highly risk averse are going to still demand to do that, but it reduces that to a manageable level. So instead of having to deal with like one questionnaire per deal on every deal, it becomes the exception, not the norm. And I think that's where we need to move towards because these security questionnaires, don't necessarily mitigate risks, right? That depends on who's the person who filled it out and who's the person who read it. And I would posit that a lot of the activity that's happening right now on security questionnaires is not necessarily factual.

Kayne McGladrey [00:35:39]:

And that is unintentional mistakes being made by either the people who are reading it and not understanding what they're reading or the people who were filling it out, not understanding what they're filling out because of a lack of alignment. There's one example where I saw a security questionnaire that asked for a tape backup strategy. I'm sorry. Like the 1990s want that question back because it belongs there. Nobody's doing that anymore.

Andrew Monaghan [00:36:03]:

Yeah, I heard someone in the third-party risk management space say that the only people who want the spreadsheets are the people who created them in the first place because it gives them the job. Right. Everyone else kind of defaults to it because they haven't got a better solution. So when a better solution comes along, they're like, we're good with that. You got your stock two and you got your ISO. Sure. Let's at least start there, right?

Kayne McGladrey [00:36:23]:

Exactly. It then allows them to focus on the other thing I'd say as well. And this is something that even startups because we all also purchase software and services from other companies. Please risk ranking the companies that you're doing business with. Like, do not send the giant security questionnaire beast to somebody else. If they are a low risk, if they're going to be doing your landscaping, for example, or if they're going to be doing a marketing campaign where they have no access to your data and only are using your brand. They should have a considerably lower rank in risk and have a lower treatment on setting up a deal with them than somebody who's going to be processing and have access to all of your corporate data and maybe be at risk of exfiltration.

Andrew Monaghan [00:37:06]:

Right? So you have to do it appropriately. I remember back in the day, ten years ago, I was working in a company and we had to educate that we weren't a data processor, right? So they would give us first of all, the agreement that they wanted us to sign was all based around being a data processor. So there were whole swathes of it which you had to redline X to apply. So there's always that discussion and argument about what should apply and not. And the same on the questionnaire side, right? Just seems complete overkill for depending on what your solution does, but just to.

Kayne McGladrey [00:37:33]:

Could you bring it back to Cyberdone? So if they were to follow the very high level three steps, they're going to get faster sales cycles and they're going to have a better understanding of corporate risks and what business risks they're facing, whether they communicate that to their board or their investors or internally. And finally, they've got the base foundation for cybersecurity in place, but it has taken it away from that conversation that this is a cost center. This is a very close alignment with the go-to-market team. This is a competitive differentiator rather than something that nobody wants and that we all have to do.

Andrew Monaghan [00:38:08]:

Let me inject another phrase I've heard that may be misunderstood on the sales side: sock two. It seems to be, oh, we got our sock two or we don't have our sock two, or they're asking about our sock two. Let's peel that back a bit. What the heck is a sock two and where would it fit into your framework? Here are your three steps.

Kayne McGladrey [00:38:23]:

It would fit into the second step. And so SoC two is a report that you're operating your controls as they are written consistently. I think that's neat, except for what you control, right? And that's where there's some definite interpretation associated with it because they only measure the controls that you're operating. So if your controls are based on what Joe in the basement came up with, right, you're first of all going to have a harder time, but also you're going to have a more inconsistent way of communicating that outwards. Now, if you've got controls based on something reputable, like, I don't know, AICPA's SoC Two, like Illustrative controls that they have, or if you've got them based on that and Ciscsc Implementation Group One, then if you are asked for a copy of the auditor's report, which tends to be what the more demanding clients and prospects will ask for, they can see which controls you are operating and they can go, oh, these do look like reasonable controls, like reasonably operated. I'm going to set aside control design for a whole other conversation because there are 6 hours of our life we'll never get back, but at least they can go, oh yeah, these are common controls, we understand these, these seem normal and.

Andrew Monaghan [00:39:37]:

Are they aligned to the cloud in some way? We've talked to or is it they?

Kayne McGladrey [00:39:41]:

Don't necessarily have to be cloud-aligned. No.

Andrew Monaghan [00:39:43]:

Okay. And then when we're thinking about tools to help people go through the process and get to the point and then I guess monitor and keep growing from there on. Where does hyperproof fit into this whole process?

Kayne McGladrey [00:39:54]:

So it's the recognition that as a cybersecurity or as any startup grows ultimately, or as any business grows, the number of audits that we're going to face, whether they're contractual audits or whether they're regulatory or managed external attestations on an annualized basis, that that's only going to accelerate. And the amount of people that you want to have spend doing that, you don't want to necessarily staff your way out of this problem. Right. I think that the other thing that comes to mind is if we've had that good conversation early on about risk and we selected our controls based on our risk if you can then measure the effectiveness of the control operation continuously, you have a higher degree of confidence that you're effectively burning down your risks. So for example, if you have a risk that is maybe, I don't know, data exfiltration and you check that you've got a control of data loss prevention so people can't just upload stuff to the cloud and yolo it, right? And you measure that once a year, that to me says the other 364 days you had no visibility operationally into how effectively you were mitigating the risk of data exfiltration, which if that's one of your company's risks, it's the loss of your intellectual property. That would be concerning to me as a CISO or as anybody who manages risk. And so by being able to continuously evaluate how effectively a control is operating and test it on an ongoing basis, we get that confidence that we are effectively managing our risk. And if a new risk comes up, we can then, because we have a control inventory say, oh well, we don't need new controls for this one, we've already got it.

Kayne McGladrey [00:41:31]:

Or if you get a new regulatory requirement, maybe you choose to, maybe you've got a sock to and you choose, well, you know what, we want to get ISO, right? Then you can see which of your controls you currently have based on the risks that you currently have and align in any additional ones, reuse as many of those controls and that evidence that you've been automatically collecting as feasible rather than going, oh shoot, it's a new one, we have to do this big gap analysis. When I did consulting, we made a bank on gap analysis, right? If you've got your control inventory, if you've got your risk register, you don't need a company to go do a gap analysis for you. And that's kind of the premise behind Hyperproof in that it allows companies to get those consolidated inventories of all of your proof or evidence, all of your controls, all of your risks, so businesses can talk about it and then automatically collect and inspect it so that we get that real-time dashboard view of how effectively we're managing our risks. It is a GRC software solution. I tend to think primarily in risk, so I've probably over-rotated into R. But nobody selects controls because they're fun and nobody does governance because they're fun and nobody does compliance because it's the best thing ever. We do it to manage our business risks well.

Andrew Monaghan [00:42:45]:

I think that's an important point. I think that it takes Cyber Donut, right? They're probably really scrappy in a whole bunch of different areas, right? They're getting by, they're happy, they got 20 customers. They're trying to think how do we get to 50? They have some processes in place, but at the end of the day, they're still in that scrappy mode. I remember the CEO at Okta said that he believed their revenue was pretty fragile up until about 3 million arr. Right. So I imagine cyber donuts in that realm, but to me, this is part of growing up a little bit, right? If you want to turn this from a cost center into a profit center and help you differentiate and drive sales, you want to do more than just go out there and just get a sock too. Right.

Andrew Monaghan [00:43:26]:

And this is going to give you the foundations if you do it right to maybe not overhire right in an area, not throw a bunch of bodies at it. Not having to go to externals to come in and do a whole bunch of work that gets very expensive but gives you the foundation that you can actually win some deals and then grow from there.

Kayne McGladrey [00:43:40]:

Absolutely, yeah. And it's that continuous alignment with go-to-market. Because when a startup as you move from, I don't know, angel investing through series D, for example, it's not like the go-to-market alignment should go away, it should only become more tightly enmeshed there so that the security team, even if you're in housed it at some point like you have your FTEs dedicated for cybersecurity. They should maintain that relationship to understand, like, here are the contractual terms that we're willing to accept that is going to be an easy thing. Here are the things that we should avoid. Like if you see this in here, this is a straight-up deal killer. If they're asking us for, I don't know, $10 million in cyber insurance, just go ahead and don't bother pursuing that deal because they are not a reasonable prospect that we want to do business with. And it's like that continuous conversation and I think that's also endemically been missed in cybersecurity for decades now where there hasn't been that close alignment with go to market and that's why we are where we are today.

Andrew Monaghan [00:44:38]:

Yeah, I think that connection is so, you know, ask any know, do we need to do this sort of stuff? And they'll go, I don't know, I'd rather get more leads until they get an opportunity that doesn't go any further because you don't have this in place. And then they'll go, I wish we'd done the program right.

Kayne McGladrey [00:44:53]:

Definitely.

Andrew Monaghan [00:44:53]:

Well, Kane, listen, I've enjoyed the conversation. If someone wants to get in touch with you and talk about what you're doing or if they've got events that they think you might be a good fit for, what's the best way to get hold of you?

Kayne McGladrey [00:45:04]:

Sure. So the best way to get a hold of me is on LinkedIn. I am Kane Mcladry on Twitter or X or whatever. I'm Kane McGladry on that as well. Although I keep evaluating, like, where does this fit in anymore? And if you're interested in learning about hyperproof, we are at Hyperproof IO. And also if they want to see anything else, check out drafting compliance on YouTube on our YouTube channel. Or if you want to learn that's, if you want to learn about why I don't drink beer and why we're doing FedRAMP, that's where we talk about that. Or if you want a news summary, check Kane's top five and five on YouTube as well.

Andrew Monaghan [00:45:38]:

So beer and FedRAMP, that's quite the spectrum right there.

Kayne McGladrey [00:45:41]:

It certainly is. And I am not a beer drinker, but it's part of the show. We evaluate FedRAMP controls too.

Andrew Monaghan [00:45:48]:

Very good. Well, listen, I wish you every success for the rest of this year into 24. It's a great time to be in this whole area right now. So wish you and the company, everything and all success.

Kayne McGladrey [00:45:59]:

Thanks so much, Andrew, thank you for having me on the show.