Host Dave Sobel engages in a thought-provoking conversation with Arik Solomon, CEO and co-founder of Cypago, a leading cyber governance, risk, and compliance (GRC) automation platform. The discussion delves into the challenges faced by organizations in the GRC space, particularly the reliance on manual processes despite the abundance of data available. Solomon shares his insights from his experience as CTO at Ernst & Young, where he recognized the need for technology to enhance the efficiency and sophistication of compliance services.
Solomon explains that Cypago operates at the intersection of cybersecurity and GRC. Business requirements (regulations, standards, customer requirements, internal policies) translate into hundreds or thousands of security controls that have to be implemented, tracked, monitored and maintained continuously. Cypago's technology collects the data those controls depend on from the systems that hold it, interprets what the controls, regulations and policies actually require, and presents the bottom line: what is in place, what is wrong and what needs to be done. Sobel raises the risk that leaning too far into automation produces a "checkbox culture", where controls are ticked rather than meaningfully met. Solomon's answer is that the system is not meant to run without human intervention: experts define the requirements, review the results and fine-tune the system, while the software removes the friction of collecting and crunching the data.
The conversation also turns to the regulatory landscape. Sobel notes Solomon's earlier criticism of GDPR and asks what an ideal global compliance framework would look like; Solomon calls the idea an oxymoron. The range of technologies is too wide for one universal set of rules, so guardrails and best-practice guidance (a "cheat sheet" for the security leader, such as enforce MFA across your systems) serve better than rigid requirements that do not fit every scenario. He points to NIST CSF, and NIST CSF 2.0 in particular, as the most recent attempt at a common framework, and agrees with Sobel that a minimum baseline does exist: whatever standard an organization follows will require controls such as multi-factor authentication and encryption of data at rest.
Looking at the next 18 months, Solomon's first trend is increased regulatory scrutiny, already under way for a year or more, with DORA and NIS2 taking effect in Europe and regulators expecting a detailed account of what organizations actually do rather than a ticked box. Sobel counters that the new U.S. administration may diverge from Europe; Solomon expects an effort to remove bureaucracy rather than security guardrails, and names a loosening of the information-security requirements for doing business with the federal government as the signal that would show otherwise. On what a sound GRC program needs, Solomon puts visibility first: know where your data, your customers' data and your partners' data are stored before you try to protect it. Second are governing processes: the tools, policies and procedures that let even a ten-person organization enforce a decision such as "nobody logs in without MFA". The discussion offers useful perspective for security professionals handling compliance in a shifting regulatory environment.
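The summary above describes the core loop of a GRC automation tool: collect evidence from the systems that hold it, evaluate it against controls, and report what passes, what fails and what needs doing. The following is an added example of that loop, written for this page and not Cypago's code. It uses constructed evidence (an identity-provider export and a storage inventory), hypothetical control identifiers, and the two baseline controls named in the interview (MFA enforced, data encrypted at rest). One practitioner caveat the code builds in: evidence older than a cutoff is not accepted as proof of a control, which is one concrete defence against the "checkbox" failure mode where a stale green tick stands in for a real check.

```python
"""Added example (not Cypago's code): a minimal continuous-control
evaluation loop.  All evidence below is constructed; control IDs are
illustrative and not taken from any real framework."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable

TODAY = date(2025, 1, 15)             # fixed clock so the example is deterministic
MAX_EVIDENCE_AGE = timedelta(days=7)  # evidence older than this is not accepted


@dataclass
class Evidence:
    source: str          # feed the records were collected from (e.g. IdP export)
    collected: date      # when the collection ran
    records: list[dict]


@dataclass
class Control:
    control_id: str      # hypothetical identifier
    description: str
    source: str          # which evidence feed this control is checked against
    violates: Callable[[dict], bool]   # True if a record breaks the control


@dataclass
class Finding:
    control_id: str
    status: str                        # "pass", "fail" or "no-evidence"
    failing_records: list[str] = field(default_factory=list)
    note: str = ""


# Constructed evidence, shaped like an IdP user export and a bucket inventory.
EVIDENCE = {
    "idp_users": Evidence("idp_users", date(2025, 1, 14), [
        {"user": "alice", "mfa_enforced": True, "active": True},
        {"user": "bob", "mfa_enforced": False, "active": True},
        {"user": "svc-backup", "mfa_enforced": False, "active": False,
         "service_account": True},
    ]),
    "storage": Evidence("storage", date(2025, 1, 13), [
        {"bucket": "customer-data", "encrypted_at_rest": True},
        {"bucket": "logs", "encrypted_at_rest": False},
    ]),
    # Last collected three and a half months ago: must not count as evidence.
    "access_reviews": Evidence("access_reviews", date(2024, 10, 1), [
        {"review": "q3-privileged-roles", "completed": True},
    ]),
}

CONTROLS = [
    Control("AC-MFA-1", "All active accounts require MFA", "idp_users",
            lambda r: r["active"] and not r["mfa_enforced"]),
    Control("AC-SVC-1", "Service accounts are not interactive", "idp_users",
            lambda r: r.get("service_account", False) and r["active"]),
    Control("DS-ENC-1", "All storage is encrypted at rest", "storage",
            lambda r: not r["encrypted_at_rest"]),
    Control("AC-REV-1", "Privileged roles reviewed quarterly", "access_reviews",
            lambda r: not r["completed"]),
]


def record_name(r: dict) -> str:
    """Human-readable label for a failing record, whatever feed it came from."""
    return r.get("user") or r.get("bucket") or r.get("review") or "?"


def evaluate(controls, evidence, today=TODAY):
    """Map each control to a finding; refuse missing or stale evidence."""
    findings = []
    for c in controls:
        ev = evidence.get(c.source)
        if ev is None:
            findings.append(Finding(c.control_id, "no-evidence",
                                    note=f"no feed '{c.source}' collected"))
            continue
        if today - ev.collected > MAX_EVIDENCE_AGE:
            findings.append(Finding(c.control_id, "no-evidence",
                                    note=f"evidence from {ev.collected} is stale"))
            continue
        bad = [record_name(r) for r in ev.records if c.violates(r)]
        findings.append(Finding(c.control_id, "fail" if bad else "pass", bad))
    return findings


def summarize(findings):
    """Counts per status: the 'bottom line' a compliance owner reads first."""
    counts = {"pass": 0, "fail": 0, "no-evidence": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(CONTROLS, EVIDENCE)
    for f in results:
        print(f"{f.control_id:10} {f.status:12} {f.failing_records} {f.note}")
    print(summarize(results))
```

The design point is that "no-evidence" is a distinct status from "pass": a control whose feed was never collected, or was collected too long ago, shows up as work to do rather than quietly disappearing from the failure list. That distinction is what keeps the human reviewers Solomon describes in the loop, because it tells them where the automation has nothing to say.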
All Our Sponsors
Support the vendors who support the show:
https://businessof.tech/sponsors/
Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
https://businessof.tech/plus
Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
https://www.businessof.tech/subscribe
Story Links & Sources
Looking for the links from today's stories?
Every episode script, with full source links, is posted at:
https://www.businessof.tech
Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
https://www.podmatch.com/hostdetailpreview/businessoftech
Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:02] So let's have another security conversation. Let's talk about the governance, the risk and compliance space. And let's talk to somebody who's focused on the enterprise to learn where it matches and what we can learn from that space. Arik Solomon joins me today as an expert and as CEO on a product focus in this space on this bonus episode of the Business of Tech.
[00:00:24] Today's episode is supported by Huntress. You want to focus on your clients and are always looking for ways to get more time. Use Huntress' fully managed cybersecurity platform to fight off cyber threats. Huntress is more than cybersecurity software for endpoints and identities. It's a 24 by 7 security operations center. It's security awareness training, community engagement and dedicated partner support with an average CSAT score of 95%.
[00:00:55] Technology can only get you so far. Human expertise is what's needed to truly elevate and protect small businesses. And you get that with Huntress. Secure your clients and help them thrive with the number one rated EDR for SMBs on G2. Visit Huntress.com slash MSP Radio to find out more. Well, Arik, thanks for joining me today. Cool. Happy to be here.
[00:01:22] So I really kind of want to start a little bit of the, you know, you identified some specific issues in the governance, risk and compliance space that drove you to build Cypago. Tell me a little bit about what that impetus was. Well, it's interesting. I was spending some time as CTO for Ernst & Young. I led their cybersecurity center. Back then I was based in Tel Aviv, but all of our customers were in the U.S.
[00:01:52] And, you know, I came in with a suit and tie, having a great time spending the customer's money and providing what I believe was valuable advice. But I quickly learned that these types of organizations that are consuming consultancy services, they rely on manual processes while they are sitting on piles of data.
[00:02:20] And there is, or there should be technology that can help them with that. It doesn't mean that it's going to annihilate or eliminate services. It does mean that it's going to, or it will enable, it can enable services to become much more sophisticated, much more pinpoint, much more precise and efficient for the customer. So this is where the idea for Cypago really started to go out and build that technology.
[00:02:47] Tell me a little bit more about what the technology is, because it feels like there's an automation, AI, like there's a lot of different components here. Tell me specifically what the solution is. So Cypago lives in the, on the intersection between cybersecurity and GRC. Now GRC has been around for what, 20 years now, more than that, governance, risk and compliance.
[00:03:06] We all know what that means, but when you take that and lay that over the cybersecurity program and the way that security leaders build these programs and manage those, usually what you see is that they need to align or ensure that these programs are aligned with business requirements. And business requirements translate into regulations, standards, customer requirements, internal company policies, and so on and so forth.
[00:03:36] That eventually translates into a list of hundreds, sometimes thousands of security controls. Stuff that you need to implement, track, monitor, and maintain 24-7. So essentially the technology that we have built at Cypago knows how to collect all these different pieces of data from one end.
[00:03:55] On the other hand, understands what controls mean, what regulation, standards, and policies mean, and knows how to analyze the data and present to the users, the kind of the bottom line. What's wrong? What's in place? What needs to be done? Gotcha. So it leans into more of that automation and intelligence. I'm trying to not necessarily immediately slap AI on it. I'm trying to say, so you're looking at it saying- But we check that box now. Well, sure.
[00:04:23] But we want to get meaningful to what the technology is, right? So you're using machine learning, algorithmic analysis, automation to help look at all of this data and help compliance officers and security officers have a better insight into what's going on. Is that a fair assessment? Exactly. So how do you do that? I mean, the sheer fact is that there are tons of data out there from so many different types of sources.
[00:04:51] And on the other hand, regulations and similar requirements come in usually in human text. I mean, this is human readable text. How do you do that? How do you bridge the gap? This is exactly what our technology is doing. Gotcha. Okay. So that makes a lot of sense. And so how much do you think this space is going to continue to change with, you know, and I'm using AI now, but the intention being is more automation, more machine learning.
[00:05:19] How much more do you think cybersecurity is going to change based on that technology influence? Yeah, well, there are so many different moving pieces here. So I think that it's safe to say that everything will change. The requirements, the demands, the regulation, everything that tries to dictate or at least put some order into the chaos will change. Will it continue to evolve? The risks continue to evolve.
[00:05:49] That's obvious. And also new technology, while it helps to manage and, again, put some order into the chaos, it also introduces additional risks, such as AI, for example. Gotcha. Now, one of those risks I actually want to get your sense on is this kind of an automation risk that I think would be particularly relevant in the GRC space.
[00:06:10] If you lean too far into automation, you know, perhaps an over automation, you risk creating that checkbox culture, right, where people are able to just leverage the automation and just check things rather than have any level of meaningful compliance. Talk to me about your thinking on the way that you balance that correctly to ensure that you're not resulting in a checkbox culture.
[00:06:33] Yeah, I think that the way I see automation is not necessarily a fully autonomous system that does everything on itself without any human intervention. No, I think that human experts are critical in the process to define the requirements, to review the results and to fine tune the system.
[00:06:58] However, humans do need the technology, do need the system in order to eliminate friction, in order to lower the effort, to reduce the time it takes to, you know, crunch data, all those type of tedious tasks that computers were built for them. Interesting. So the other thing I really wanted to get your opinion on is you've criticized GDPR as kind of an example of compliance totally wrong.
[00:07:24] Give me a sense of what you're thinking on an ideal global compliance framework would look like. Yeah, I think that that's type of an oxymoron. I'm not sure that there is an ideal regulatory framework.
[00:07:39] What I think that it's fair to say is that as long as you put in place, let's call it, let's call them guardrails or guidelines to what are the best practices or even think of it as your cheat sheet. You're the security leader. You build what you believe is an amazing security program. Now someone slips in like a list of tips. Hey, guy, look at that.
[00:08:08] Make sure that you have, I don't know, enforced MFA across your system, that you did this, you did that. I think this is the right way to look at it. Gotcha. So you said a little bit more of the leaning into the best practices way. Now I'll offer, don't you think there needs to be some level of minimum standard where we can at least agree that if you have not done this, you are woefully non-addressing the problem?
[00:08:35] If I talk about this from a physical perspective, right, and we say, if I build a house, but not only do I not put locks on the doors, I don't actually put like knobs on the doors. I just allow them to be pushed open. If I was burgled, in a court of law, they would go, a reasonable person would think you've got to at least do the basics. It feels like in cybersecurity, we kind of haven't established what a reasonable person would do and have consequences for customers that don't do it.
[00:09:04] Give me a little bit of sense of your thinking on that problem. Yeah, I think that your analogy is great, but it will only be complete once we will be able to build houses in the cloud. So long that we cannot do that, I mean, the span of opportunities or possibilities in tech is endless.
[00:09:28] Therefore, it's super difficult to come up with something that will be unique, global, and will capture everything in one place. I do believe that U.S. administrations for the last 10 or more than that years are using NIST and NIST-CSF frameworks have tried to do that.
[00:09:49] The recent NIST-CSF 2.0 released early last year, that's the last attempt or the most recent attempt to put things into one common framework, which I think does a fairly good job in that. Okay, but I want to push back a little bit here because, you know, and I have tons of respect for the security community because there's a lot of really smart people working on trying to protect customers.
[00:10:14] But I often feel that security people are looking for perfection and sacrificing good in that quest because, you know, by giving an out to, well, there's just so many, you know, potential possibilities here. You allow customers to be in a state where things are just completely non-managed, where there's no responsibility there. And there's sort of no responsibility through the system for owning that problem, right?
[00:10:44] A security consultant can go in there, make a bunch of recommendations, and then the customer just does whatever, and no one's held accountable for their portion. I don't want to dismiss the fact that criminals are the adversaries, but at the same time, I think that there's an element of the security industry having to own this. How do you balance that thinking to make it practical? Yeah, I mean, accountability, that's a completely different story.
[00:11:09] How do you, how the change, the chain of responsibility works in a way that it's going to reflect on accountability? That's more of a legal question than a technical question. But I think that going back to a framework, like a common framework that will serve as a baseline, I think that there is a baseline.
[00:11:32] Wherever you will look, whatever standard you're going to be using, they will ask you or require you to implement MFA, for example, multifactor authentication, or to encrypt your data storage, whatever you have it on the cloud or on-premises. So there is a set of basic minimum requirements that everybody will ask you to implement. Okay.
[00:11:55] So what I want to, as we sort of look to the future, what are you thinking about your particular trends that you're tracking right now? And I don't want to do like a five-year projection. I sort of want to say like over the next 18 months, what are the things that you're thinking about that are major trends that you're keeping an eye on? I think the number one, and that's imminent, not just imminent, I think that has already started like a year, a year and a half ago, increased regulatory scrutiny.
[00:12:24] Regulators all across globally, in the U.S. in specific, but not just in North America, governments and other governing bodies, they want to, and Europe just now, with DORA and NIS2 in effect starting January 2025. So these types of governing bodies, they would like to make sure to ensure that companies, financial institutions, and other types of organizations are formally following the requirements.
[00:12:54] So that's not just, you mentioned tick the box earlier in this conversation. This is no more tick the box type of exercise. You need to come up with a detailed account of everything that you do. So a year ago, I think I would have completely agreed with you, but we're talking in January 2025. There's a new administration in the U.S. I think we're actually potentially looking at a real divergence in regulation.
[00:13:19] I think you're 100% right on Europe and what they're investing, but I think we may end up in an environment where things are very different in the U.S. It's not getting political. I want to actually just get your sense of what does that mean for cyber professionals when we now have two spheres of very different regulatory worlds to live in? No, for sure. I mean, time will tell. Nobody knows how it will unfold.
[00:13:48] But I think that, again, politics aside, the fact that we see a lot of leading tech experts, part of this new administration, tells me that they know the risk. So my suspicion right now or my assumption right now is that we will see an effort to remove bureaucracy from the process, but not necessarily to remove the guardrails in terms of information security.
[00:14:19] Okay, interesting. So are there key indicators that you're watching for that tell us that it's playing out that way? So, for example, we're talking close to the fact that they just disbanded the cyber review board that was looking at the Salt Typhoon bit. I would look at that and I would potentially say that's a little troubling. Give me a sense of the signs you're looking for that say, yes, it's playing out where this is still going to hold together as a coherent whole.
[00:14:47] So the first step that we will see if and when this will happen is lowering or changing or modifying the requirements for doing business with the federal administration. Requirements, I mean, information security wise. If this will happen, this will tell a lot. This will mean that something will change. I'm not sure this will happen. Okay, cool. It's good to know your opinion because, I mean, you spent a lot of time thinking about this. And I'm curious that that's why I'm talking here.
[00:15:16] So kind of as I move toward thinking about this, like how do you think about positive of this? What are indicators in the technology that you think people should be looking for as they consider their compliance offerings? What are the elements of it that you think are foundational? And what do you think is going to be coming over, say, the next 12 to 18 months? In terms of what people should look for?
[00:15:41] Yeah, in terms of making sure that they're doing a good job with their GRC compliance. It starts with data, breaking your data. Where do you store your data, your customer's data, your partner's data? It's so easy today, these days to deploy everything everywhere. So visibility, this is the number one key factor. You need to know what's going on.
[00:16:10] Even before you take any measures to protect, to defend, whatever, you need to know. So visibility is number one. And as the best, the better visibility tools or capabilities that you have in place, you will be better positioned to be prepared and protected. Protected from adversaries and protected from auditors. I don't know which one is worse, but it works the same. So visibility is one.
[00:16:40] The second is governing processes. You need to have the measures, the tools, the policies, the processes that will, even if you are a 10-people organization, that will enable you to take active measures. If you decide to do something or if you want to ensure that nobody logs in, going back to that MFA example, without going through an MFA mechanism, you need to make sure that you have the ability to do so.
[00:17:07] Well, Arik, it's always interesting to me how thematically similar portions of the market are. Your going right to data is exactly the same kind of conversation we're having at the SMB and mid-market level, and it's super fascinating to learn. Arik Solomon is the co-founder and CEO of Cypago, a leading cyber governance, risk, and compliance automation platform.
[00:17:28] With over 30 years of executive experience spanning cybersecurity consulting and software development, he's held pivotal roles such as CTO of EY Israel, VP of security and deep learning at Deep Instinct, and VP services at Murado. Arik, thank you so much for joining me today. This has been learned. I've learned a lot. Thank you very much. It was a pleasure. Are you ready to get your brand in front of the tech leaders shaping the future of managed services?
[00:17:55] Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs, whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars. From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact. Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs.
[00:18:25] Be a part of the conversation that matters to IT service providers worldwide. Join us at MSP Radio and amplify your message where it counts. Visit MSPRadio.com slash engage today to explore all the ways we can help you grow. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:18:53] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP Radio, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered?
[00:19:16] We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio.com slash engage. Once again, thanks for listening, and I will talk to you again on our next episode.
[00:19:48] Part of the MSP Radio Network.