ZenGRC Team

How Digital Transformation Really Drives GRC

ZenGRC Team · April 3, 2017 ·

Like most technology startups, we welcome digital transformation of the business world. It opens new markets, lets you forge closer bonds to customers and business partners, increases profits, accelerates sales cycles. Wonderful stuff, and we mean that.

For compliance and risk professionals, however, the digital revolution brings challenges unlike any you’ve faced before.

The easy analysis is to say that all the benefits mentioned above also bring new risks—ones that can strike unexpectedly. New markets bring new corruption or money-laundering risks; new business partners bring new data security risks. That’s all true.
But unless you want to keep reacting to new risks, frantically whacking them down every time they crop up, compliance officers need to ponder this new risk and compliance landscape more deeply. What really changes during digital transformation? How can you build a sustainable compliance strategy in that world?
Well, we know that digital transformation changes two things at a company: the assets it owns, and the processes it uses.

For example, according to financial research firm Calcbench, intangible assets (intellectual property, trademarks, goodwill, and so forth) accounted for 9.6 percent of all assets on the balance sheets of the S&P 500 in 2011. Five years later, the figure was 11.15 percent—and that’s only for the large, stable businesses of the S&P 500. For younger, smaller firms, the percentage can be much higher.

That tells us that as this transformation continues, more of a company’s value will be determined by what it knows (data collection and analytics capability), and what others know about it (reputation). That’s a world apart from the value determined by the cash and goods a company possesses.

So if creating and preserving value is what the board worries about (pro tip: it is), then for risk and compliance managers, the future will be about how to help the company protect its proprietary knowledge and its reputation.
Easy enough so far. When we add the future of digital processes, however, the situation gets more tricky.

Visibility for All

On one level, digital processes are fantastic: they enhance that collection and analysis of data we mentioned above. Everything the company does can be labeled, logged, saved, retrieved, and analyzed, all at a moment’s notice.

On another level, however, that same advantage that digital processes bring—enhanced visibility into operations—can be turned against the company’s other objective of protecting value and reputation. Why? Because all the power of that enhanced transparency is available to anyone, inside the company or out, who knows the proper way to ask for it.

This is more than saying, “Don’t let hackers steal your data.” In today’s highly interconnected business world, with many third parties acting as part of your extended enterprise, the goal is to govern how your data is used. The strength of your governance processes will become enormously important.
For example, the ability to perform due diligence on third parties, and to produce that homework on demand, will be invaluable. Maybe regulators will want to see that work as they investigate a money-laundering rumor; maybe social media activists will want to see it as they talk up a human-trafficking scandal in your supply chain.

Regardless, success will hinge on your ability to demonstrate that your business processes are grounded in strong ethical values and that they work. If they work, your digital assets are protected; if they’re ethical, your reputation is protected.
One practical example of this is the Corporate Human Rights Benchmark, a project supported by institutional investors that takes data disclosed by large businesses (that is, transparency) and uses it to pressure those businesses into improving their conduct. Another is United Airlines: the company stumbled into a social media snafu recently when it barred two girls from boarding a flight while wearing leggings. That decision was in compliance with company policy (no leggings for people flying on United employee guest passes), but the ensuing outcry underlines the importance of clear policy, good judgment, and when to grant exceptions or stand firm.

Will surprises still come? Absolutely. But strong, effective GRC builds a company’s resiliency to weather the storm—and that will be the most important key to the success of all.

Information Silos Can Be Broken Using GRC Automation

ZenGRC Team · March 30, 2017 ·

View from above of two business teams working and interacting separated by border in office

Corporate information silos create compliance inefficiencies cost an organization money and time, but GRC tools can help break these system and information silos. Information isolation comes from broken systems, both human and electronic. When these human systems act independently, businesses repeat policies and processes that can lead to inconsistencies. Those inconsistencies can lead to compliance issues.

When computer systems act independently, security gaps can form. All of these lead to audit inefficiencies that cost a company money in terms of productivity. Those costs multiply when applied to compliance and audit because the information silos lead to confusion over responsibilities and accountability. That adds hours and cost to the audit process. Finding the right GRC tool to automate these communications breaks the silos by connecting people and systems.

GRC Automation Breaks Information Silos

What are information silos?

Information silos refers to either a management system that does not play nicely with other systems or an organization where information does not flow between departments. Whether discussing an information silo in terms of people or computers, the growth of the disconnect can be related to programming. Just like machines, people must be taught how to act in given situations. Corporations that encourage interdepartmental fiefdoms will find themselves facing this kind of disconnect.

What creates system information silos?

An IT organization is at a greater risk of silos than other organizations because there are two separate types of myopia that can affect the business.
The first type of isolated information would be technological, or within your company’s systems. According to Frankie Basso at Systemware, three catalysts to information silos exist.

Legacy systems – Sure corporations want new and better systems, but all too often they park them next to the systems they already have. They are unwilling to give up legacy systems either because it is too difficult to migrate or there is really no reason to go through the expense and effort to move to another system. The current system provides the functionality the organization needs to do the job.
Mergers and acquisitions – This can be the trickiest of all with the ramifications of organizations that suddenly find themselves with two ways – or more – to do seemingly everything. Oftentimes the best way for individuals to handle these sensitive situations is to ignore them. It works for individuals in the short term, but for organizations it’s an issue long term.
Merger or not, each department inside an organization looks for a system or systems that address their specific requirements. When content in these different systems can’t be leveraged, time is wasted on repetitious tasks.
Vendor diversity – In their understandable search for flexibility, corporations seek to diversify their vendor base. More solutions from more ECM providers creates more ways to capture, manage, store and access information. All those collaboration and information-sharing tools can end up adding layers of complexity.

With more vendors providing enterprise content management, businesses may be choosing different vendors to organize and store the documents and content about their strategies methods and tools. Organizations may be choosing vendors based on theirs products without thinking up front about the integration across multiple systems.

What creates interdepartmental information silos?

In addition, many organizations, information technology or not, suffer from interdepartmental silo mindsets. According to Brent Gleeson and Megan Rozo in a 2013 Forbes article,

The silo mindset does not appear accidentally nor is it a coincidence that most organizations struggle with interdepartmental turf wars. When we take a deeper look at the root cause of these issues, we find that often silos are the result of a conflicted leadership team.

Many executives may look at their organization and dismiss department inefficiencies and lack of cross-functional solutions with immature employees, lack of basic training, or simply the inability for some employees to play nicely with one another. Unfortunately, while these behaviors may be a result of the silo mentality; it is not the root cause. These assumptions will lead to long term harm to the organization by creating resentment and cynicism within the teams. Most employees become frustrated with their department and the organization when they have identified the problems, but can’t do anything about it. It is the responsibility of the leadership team to recognize this and rise above to create effective, long-term solutions that are scalable, executable, and realistic.

Although these two types of siloed information seem different, both stem from conflicting programming. In the case of the computer systems, that programming is in terms of code. In the case of the employees, that programming comes from management.

New technology seems exciting and shiny, just like new employees. However, anything new means replacing a pre-existing software or person. These kinds of legacies often lead to migration issues. When it comes to systems, it’s often easiest to just find a work around instead of taking on the expense of data migration. This means that when other systems in other areas are brought in, the legacies either don’t interact well or you are tied to your current vendor’s options.

The same can be said with management. People who have worked in a field for several years often find it difficult to change, thinking that “new” makes them “old” and outdated in the workforce. This inherent human fear leads to people not always being willing to share knowledge. In the same way, mergers and acquisitions only add to these rigid responses. Departments want to keep using the systems they know well, in the same way that managers want to keep using procedures they’ve always used. The sense of “if it ain’t broke don’t fix it” certainly helps to create information silos. While this may work in the short term, the lack of connection leads to long term problems.

How do information silos cost a company?

At the end of the day, the bottom line is what matters. Back in 2009, the University of Maryland’s researchers noted that poor communication in hospitals in the United States cost $12 billion a year which was approximately two percent of the nationwide hospital revenues and more than half of the average 3.6 percent hospital margin. IT and information security aren’t hospitals. Inefficient communication occurs in any industry, medical care just happens to have some numbers to support it.

Brittany Pay at eFileCabinet notes that, “silos can form when managers focus on individual departments, departments work in isolation, goals are kept on an individual department basis, or communication as a whole is not fostered and encouraged. Silos keep people from understanding what other departments and individuals are doing, effectively forcing everyone to work in a partial state of isolation.

The result of a silo in your business is a lack of productivity, poor morale on a company-wide scale, and, inevitably, poor financial performance.” When it comes to cost, the lack of communication can lead to gaps in work being completed which then requires additional time to figure out how to close those gaps. It also means that people’s expertise may be going to waste.

Similarly, systems that work in isolation and don’t connect with other systems create a disconnect in how work is done and how information is accessed. For example, if a payment system and a data storage system don’t play nicely together, it’s difficult for employees to share documentation to help support payment processing.

How do information silos specifically impact IT compliance?

IT compliance requirements often overlap across standards. Marne Gordon wrote in an article for CIO Update,

Although the goals of the multiple information security regulations may be different, there are six basic commonalities between the prevalent regulations, such as SOX, HIPAA, Payment Card Industry Data Security Standard (PCI), and ISO27001.

At first glance SOX and HIPAA do not seem to have much in common. HIPAA protects patient information, while SOX aims to reform corporate accounting practices and safeguard investors.

All of these mandates, however, require an incident response plan; a business continuity and disaster recovery plan; physical and logical controls over access to data; hiring, retention, and termination policies; and data backup and recovery procedures.

This means that when each of your departments is creating their own workflows, they are doubling, tripling, or even quadrupling the amount of time spent on the same tasks. This inefficiency costs the organization in several ways.
First, this lack of communication costs the overlap of time spent on the same task. Second, the different approaches are often reviewed separately meaning that more than one manager is reviewing the same item. Third, there is a cost associated with ensuring consistency between workgroups. Fourth, with so many people engaged in the same type of work, the person to whom questions should be directed is unclear. All of these costs impact your compliance.

How do silos impact IT audit?

The information silos impact your IT audits in all the same ways that they impact your compliance and more.
MIS TI Training Institute interviewed Michael Gallagher, managing director of CBIZ Risk and Advisory services, and shares.

“Companies are required to manage risk throughout the organization, by process and by sub-organization. The silos occur when that process isn’t coordinated across the company,” said Gallagher. “So each individual, officer, leader, department, or location decides on their own way to manage risk and their own priorities, and they may or may not be linked to anything related to the company’s strategic objectives. And that is a problem.”

According to Gallagher, there are some red flags to look for that could be indicators of an environment where risk silos are likely to occur. “Some of the signals are policies and procedures in organizations that differ greatly by location, process, leader, or executive,” he said. “Anytime you see schedules of authorization, levels of authorities, anything that is trying to determine approvals and authorizations and ways to talk about and quantify risk that aren’t tied to the company’s strategic objectives are clear indicators of silos in the organization.”

When too many people are involved in too many places, the risks are multiplied rather than mitigated. This can lead to poor audit results, which then leads to additional spending on compliance.

How do you break down information silos?

Kotter International noted in a Forbes article, that two ways to eliminate silos were to:

Bring the outside in: Make divisions share data with one another so people understand how each division is performing, what customer or external stakeholder complaints are, and where this room for improvement.

Create a “guiding coalition” that breaks down barriers: Bring together a team of people committed to changing the way the organization operates, composed of people from all levels, divisions and locations.

By bringing your organization together and finding people committed to communication, you can break down the silos to create greater efficiency. This sounds like it only takes care of the interpersonal silo; however, people create systems and update them. Paul Duvall, at IBM’s developerWorks blog, explains,

A cultural obstacle they often encounter is that traditional development and operations teams tend to work in silos, limiting the amount of inter-team communication until software release times. (And such communication is often confined to a series of tickets in an issue-tracking system.) Growing software enterprises must become more collaborative, or else they will cease to exist. The software industry is changing in this direction-much more quickly than some anticipated-as the result of cloud computing, which makes computing resources less scarce, and business demand. Companies that evolve will put those that don’t out of business.

As emphasized in the introductory article of this series, collaboration across organizational boundaries is one of the anchors of agile DevOps. This article discusses how establishing cross-functional teams and broadening the skill sets of delivery-team members are ways to increase collaboration and break down the traditional barriers that prevent software from being delivered continuously.

When developers from across an organization work together, software delivery becomes smooth and continuous. By creating agile DevOps, the organization can create systems that play better with one another.

How can GRC automation help break down silos?

GRC automation doesn’t create cleaner systems or remove employee turf wars. It does, however, create an atmosphere of integration. Spreadsheets are not the best way to approach GRC.

An automation platform, like ZenGRC, provides easy access to everyone involved in each compliance area. In the same way that DevOps needs to be collaborative so does compliance. By using an automation platform, the C-Suite sets the tone of collaboration.

Automation allows for you to see easily where there are overlaps in workflows so that you can apply the same protocols across the organization. The correct GRC automation system will allow you centralize evidence collection and assessments while also assigning roles to different members of the company.

By doing this, automation creates instant team collaboration and allows you to set up workflows that combine project management with compliance. In other words, automation is an elegant answer to creating efficiency.

Silos in information technology come in different forms. Despite the impact of system silos, you must keep in mind that people create those systems. Using automation as an elegant solution to create efficiency can add financial and moral value to your business.

User Access Review Best Practices

ZenGRC Team · March 23, 2017 ·

User Access Review Best Practices

Taking regular inventories of your users and their needs helps keep the information, and your company, safe and secure. In discussing user access Deloitte Review Issue 19, Irfan Saif, Mike Wyatt, David Mapgaonkar note:

Humans can still be bugged or tricked into revealing their passwords. There is a malware or malicious software installed on computers; there is phishing, in which cyber crooks grab login, credit card, and other data in the guise of legitimate-seeming websites or apps; and there are even “zero-day” attacks, in which hackers exploit overlooked software vulnerabilities. And of course, old-fashioned human attacks persist, including shoulder-surfing to observe users typing in their passwords, dumpster-diving to find discarded password information, impersonating authority figures to extract passwords from subordinates, discerning information about the individual from social media sources to change their password, and employees selling corporate passwords.

When the media approaches information security, passwords get the most coverage. Password stealing is interesting and sexy. However, when it comes to information security threats, password safety is the lowest risk of all. User access reviews assess more vulnerable areas: how much information an employee needs to do their job.

Internally monitoring your company’s user access is one way to protect information from both human and electronic risks. A lot can change in six to twelve months, and data needs evolve throughout the user access lifecycle. Particularly in larger corporations, employees enter and exit their workforce on a rotating basis. Further, they change positions within your organization.

An employee may have shifted departments, changing their user access needs and potentially posing a serious security threat Or, if a system administrator misses an employment termination email, former employees may have access for far longer than they should. Employees with outdated access can compromise internal assets.

Therefore, periodically assessing user access is a critical step to ensure compliance and security.

To ensure that user access reviews are implemented successfully, you may want to consider some of the following tips.

How To Make User Access Reviews Effective

Assess User Access Risks

Risks are inherent in user access simply because it is the human element in a system, and people make mistakes, can be fooled, and sometimes act maliciously. When reviewing the risks to your organization, consider who has the most open access to most systems. Often, developers and information technology professionals pose the greatest risk. Although they are less likely to accidentally intrude upon your systems, their work requires access to more of your sensitive information. This group requires more frequent reviews because their actions can cause the most business and system damage.

The second high-risk group to assess is third party vendors. This group temporarily has access to your systems and information. Often, their use ranges from a few weeks to a few months. With this group, the risk lies in forgetting that they have access when the contractual relationship ends.

The category to review with the broadest risk exposure is your employees. New employees pose an initial risk upon entry, as managers often tell their IT department to add the person at the same level of access as a current employee. Even though people may work in the same department, they do not necessarily need the same system access. Similarly, employees who transfer from one area to another without adequate review of their access needs may inadvertently take business intelligence or system access beyond the units that need them. Inappropriate access assignments can violate segregation of duties controls, jeopardize sensitive material, and needlessly expand risk exposure.

For those individuals whose employment has ended, timing of access termination becomes another level of risk. Neglecting to curtail access for former employees means continuing to share internal information with now-outside actors. Premature, involuntary termination can cause people to act maliciously. This means that termination of access should be as close as possible to termination of employment.

Many companies perform risk reviews, but treat them as perfunctory—ignored or merely glanced at before being approved.

To truly determine the risks posed to a business, annual or semi-annual risk reviews need to do more than simply restate the previous year’s risk. To keep pace with evolving risks, user security roles need to match organizational changes. Revising privileges or changing roles can meaningfully reduce risk exposure.

Create Risk Appropriate Policies and Procedures

Once the organization has identified its risks, it can begin to review the ways in which those risks will be mitigated. Two approaches underpin many policies and procedures.

Under the Deny All approach, no one gets access unless they specifically need it. With this mindset, IT reviews incoming requests, determining additional access on a need-to-have, case-by-case basis.

With the Allow All approach, everyone is granted access until they have proven their untrustworthiness.

Traditionally, the Deny All approach minimizes risk exposure; however, for smaller organizations where jobs overlap, Allow All might be best. Another option blends these approaches by establishing different access right strategies across departments and jobs.

Regardless of which method an organization chooses, consider business needs. Designing policies and procedures around workflows bolster the effectiveness of your compliance program.

Most security lies in action and row security. Action security means securing users from executing actions: what steps that user can perform. For example, some employees may only require read-only rights, while others need an update to information rights, and still, others may need to add and delete information.

Row security relates to the type of information or records users can access. For example, certain groups may need to access all customers but not all vendors. Limiting access to information enhances security for the organization. Organizations can determine for themselves what, within these spectrums of access, is most suitable, but they must do so thoughtfully.

Train Staff

Many managers assume that user access review is solely the IT department’s responsibility. When asked to do their own reviews, they look at stacks of sheets, add the required signatures, and submit the forms. Doing this meets the requirement but not the function of user access reviews.

If managers are not thinking about providing employees with appropriate access and simply adding access without a clear purpose, security administration becomes unwieldy. When too many users touch too many assets, this makes the managers’ stack of reviews larger, which makes them less likely to clearly understand what they are reviewing.

Breaking this cycle requires training and communication between departments. For an organization to be secure, everyone from managers to IT to HR needs to understand their role in the process. Staff must understand the consequences of missed notifications or data breaches.

It’s important to create a culture of security, which means that the CFO, CIO, and VPs should be attending the trainings as well. If those reviewing employee performance do not take security seriously, those tasked with protecting the security will not see its value.

Since employee populations change so quickly, CISOs and CIOs need to focus on keeping reports updated. Current information helps the reviewers, who need up-to-date materials and evidence. For reports run on a regular basis, audit documentation older than 30 days diminishes in relevance. Because reports can take a while to review, scheduling them to all run simultaneously and reviewing them by a given deadline may not be feasible.

Review a Variety of Reports for User Access

Alerts from Monitoring Software

Many user access alerts emphasize rule compliance, not security, although they can be useful for both. Reviewing daily alerts from a monitoring software can help find areas where a user’s access may have been compromised. Lags in rescinding access can lead to gaps in security that undermine security.

The daily monitoring of these reports can help to standardize methods of asset protection. Monitoring alert logs can point to weaknesses in controls or failure of controls. Inconsistent practices highlight where policy or processes are unclear or missing key steps.

User Access Changes

Run monthly, these reports can help you target workflow efficiency. For smaller organizations, reviewing the entire report monthly may be appropriate. For larger organizations, reviewing a random sampling of these reports can help determine whether the users hold appropriate access and whether revocations occur in a timely manner. Discrepancies in the sample should trigger a full verification.

Review Function Access Profiles

Reviewing function access profiles is one of the most important parts of user access reviews. Function access reviews ensure not only that all employees have the access they need, but also that your organization is responsive to what employees don’t need.

If an employee is not using the asset, they shouldn’t have access because it opens a vulnerability. For example, if an employee moves from the development side of the house to the sales side, their access needs to be limited. If the employee looks for information because they “still have access,” they may accidentally change settings due to updates that they did not know were installed. Plugging the holes regularly is important!

Some of the reports that can be used to track access rights are the role listing by functional area, user listing by role, action security by role, row security by role library of applications, and key application reports.

Even if the move is within the organization, updated access protects against employee accidents and malicious employee access. Moreover, continually updated access ensures the least damage is done if the employee’s information is used by someone outside the organization.

Manager Reviews of Employee Profiles

Annual, manager-level reviews of employee access profiles add not only another protective layer of review, but also can provide insight into employee access needs that may not be related to intra-organizational moves or employment terminations. Managers know when special projects that necessitated access have ended, and including them in the review process can close gaps.

Review Employee Termination Procedures

At least annually, it’s important to review the termination procedures set by human resources and ensure that information security steps are appropriately represented. Cross-reference a list of former employees against a list of those who have had their access revoked. No one wants a former employee to have access to their information.

When implemented smoothly, this review should show how well the two departments are communicating. Communication in these cases is just as important as action.

Automate Reviews and Compliance

Whenever possible, use tools available to your organization to perform user access reviews. Ideally, your organization may want to use some type of identity management tool, such as Core Security and SailPoint to automate the removal of terminated employees’ access. These tools provide an essential bridge between HR systems and directory services and can provide valuable transaction data on changes to a user’s employment status or role within the organization.

When trying to organize large scale communication between different departments, compliance management software is one of the most cost-effective tools to help IT professionals coordinate with other departments. The importance of ongoing user access reviews cannot be overstated.

Automation sets the cadence for review so the process can run itself.

Communicate Between Departments

To run a secure business and protect the organization’s assets, constant vigilance is necessary, and consistent communication between IT, managers, and HR must happen. Communication is one of the key assets of automation. An automation program like ZenGRC engages communication between all parties in two different ways: workflow and audit documentation.

For example, ZenGRC automates information sharing and people taking action. It sends reminders to those who need to complete tasks, creating automated “to do” lists. In ZenGRC, by clicking on the assigned task, the responsible party is brought directly to the instructions and resources that are linked through the corporate Google Drive. This automation process streamlines the activity, making it less burdensome and more likely to be completed in a timely manner.

By connecting the user list and other resources through the automated platform, automation also allows for consistent documentation of these reviews. With inter-departmental communication so vital to the user access review process, automation closes the gaps that lead to compliance issues. Automation shares information across the relationships. This means that, as items are updated across the GRC space, any department can view evidence of the related items and controls.

User access reviews constitute one of the main ways in which a company can protect its information assets. Whether guarding against anger or accidents, user access dictates how available the organization’s data is to employees. To effectively safeguard those assets, program access, and information access need to be restricted based on employee role within the company. From top management down the organizational chain, everyone needs to work to create a culture of security.

Jason Mefford Talks cRisk Academy and GRC

ZenGRC Team · March 9, 2017 ·

Based out of California, Jason Mefford is a well-known speaker on all things ethics, corporate governance, risk management, GRC, compliance and internal audit related. He has authored two books, Risk-Based Internal Auditing and Masters of Success. He was also a contributing author on the OCEG GRC Capability Model v3.0. Mr. Mefford sat down with ZenGRC to discuss his new training platform, cRisk Academy, as well as changing an organization’s approach to risk.

ZenGRC: What’s interesting about cRisk Academy is that you bring with you both auditor and trainer experience. What was the catalyst for cRisk? How does your background uniquely situate the academy?

Mefford: I spent many years as both an external and internal auditor, was a Chief Audit Executive at two large companies, was responsible for information security, risk management, ethics & compliance, and have now been a trainer for many years. I understand the information that I needed to do my job better as an auditor, what I needed for the employees who worked for me, and now the needs of students I have in my courses.

Most people have a desire to understand risk better. Since the business context now changes rapidly, as a result of new technologies, it’s more important now than ever for individuals to understand how forces, events, and changes in condition impact their organization’s ability to meet their objectives. Companies that have been at the top of their industries now no longer exist, and some companies are now worth billions of dollars didn’t exist a few years ago.

Risk-based professionals need training to improve their professional competencies, but unfortunately many organizations have cut back on training budgets and often require professionals to “take vacation” in order to go to training. I also see a large demand for risk-based professionals outside the US wanting high-quality training. I spend most of my year traveling the world speaking and teaching, but I know I can’t reach everyone in person.

Also, as a trainer I personally wanted to provide a better option for authors. Many of the training companies and platforms do not pay authors enough to make a living, which I believe is very unfortunate. I realized there needed to be an option for students to get affordable training that they need, but also to fairly compensate expert authors. Since I couldn’t find one that existed, it seemed like the right thing to create one.

ZenGRC: What is your intended audience for cRisk? CISOs? CIOs? Auditors? Developers? Do you have any future plans to expand that audience?

Mefford: Our intended audience is anyone who considers themselves a risk-based professional and/or wants to “see” risk more clearly in their organization. That could be anyone in audit, risk management, governance, compliance, GRC, IT, etc… and even management. While many of our trainings are focused on helping practitioners do their jobs better, many of our courses are applicable to everyone in the organization, even the C-Suite.

We have an agreement with AuditNet® an online digital network where auditors share resources, tools, and experiences including audit work programs and other audit documentation. AuditNet® has been doing live webinars for many years and has a significant library of previously recorded webinars on internal audit topics. Our agreement allows us to publish the previously recorded AuditNet® webinars, and make the valuable learning available to auditors all over the world in an on-demand format. One of the problems with the webinar business has been once the webinar is over, the great content presented by experts is not longer available. We are happy to be able to provide a platform so auditors can now gain access to these previously recorded webinars from AuditNet®.
Many of the courses on our platform now are from AuditNet®, so they are specifically focused on improving internal audit practitioners skills.
We do have plans to add many more courses on corporate governance, risk management, ethics, and many more topics that are relevant to any risk-based professional.

ZenGRC: Talk to me about your platform. Since we’re all computer folks around here, what’s the difference between your platform and other training sites? Is this like a Netflix for webinars? Or an Amazon rental for webinars?

Mefford: This is a great question and a great analogy to other entertainment platforms. Since my partner and co-founder has a background in the entertainment industry, we built our platform to match what people are used to doing with entertainment. We offer webinars, webinar replays, and on-demand training through our platform. Let me explain how it works using the entertainment analogy.

I personally have subscriptions to Netflix, Hulu, Amazon Prime, HBO Now, cable, and use Apple’s iTunes TV service. Most of those are subscription based, except for Apple. I pay monthly for the ability to watch movies and TV shows through those platforms whether I use the services or not. I don’t really like that option, especially my monthly cable subscription. I pay for cable so I have the ability to watch live sporting events, that are not available on one of the other platforms, but I also pay for many channels and programs that I don’t ever watch.

With cRisk Academy we wanted to provide an option that put the student in control of their schedule, and only have them pay for the content they want, without being locked into a subscription. I tend to find that even though I have several subscriptions, I am often left going back to Apple to find an on-demand option, so I have the flexibility to see what I want on my schedule.

I personally really enjoy the show “Game of Thrones,” and we can use that show to help illustrate how our platform works. “Game of Thrones” is an HBO original content program. If I want to watch the show I have a few options. I can watch it each week when a new episode is released on HBO. I can watch it through the HBO Now application. I can purchase it through Apple.

Since I travel often, it is difficult for me to watch the show at the appointed time each week. Watching at the appointed time is like attending a live webinar. It’s a lower investment, but I have to be available to consume the content at the appointed time, and I only get to watch it once.

Another thing about watching live TV is the commercials. Someone has to pay for the content. When we choose to watch live TV as a viewer we “pay” by having to watch the commercials from companies who are sponsoring the cost of the program. Most “free” webinars fall into the same category and require you to essentially watch a commercial from the organization sponsoring the webinar so you can watch for “free.”

We wanted a different approach where the student pays a small fee for the webinar, but receives hundreds of dollars in value from the presenter. Not only do the students get great content, to improve their career and help them do their job, but they also receive practical tools and special offers the presenter would normally charge their clients hundreds of dollars to receive.

If HBO offers reruns of the show, I could see when “Game of Thrones” was playing and watch a rerun. I would still have to schedule my time to be available for the rerun, but since there are usually several reruns, I would have more options.
This is like our webinar replays, only our platform allows students to select from several different time slots in the future, both during and after business hours, based on their time zone. No longer does one have to attend a webinar in the middle of the night.

Lastly, is the on-demand option. Since my schedule didn’t allow me to watch “Game of Thrones” live or as a rerun, I had the ability to purchase the entire season through Apple and watch it when and where I chose. Even though I have an HBO Now subscription, I am often blocked from using it when I am traveling internationally and can’t watch it on the airplane. For these reasons, I chose an on-demand option by purchasing the entire season through Apple. I paid more for the convenience, but then I could watch it when it was convenient for me. Another benefit, I can now watch the series as many times as I desire.

This is like our on-demand option. Once a student registers for the course, they can watch it when and where they like, as long as they have an internet connection. They can also watch and rewatch the training as many times as they want. All of the training remains in the student’s account forever.

Just like Apple, where I have the ability to purchase individual episodes or the entire season, we also offer the ability to register for individual 1-2 hour sessions, or get the entire “season” what we call bundles. You save when you purchase a bundle, just like you save when you get the whole season.

By offering training as webinars, webinar replays, and on-demand we are trying to provide students with flexible options to meet their schedule.

ZenGRC: From the perspective of a client, I love that these are individually priced. My state recently instituted a CLE requirement that makes it cost ineffective for me to retain ongoing licensing. Explain to me what the options are for individuals in my situation.

Mefford: Your experience reminds me of an experience from my own life. I had just moved to California and had just gone through the reciprocity process to get my California CPA license. I was already a licensed CPA in Idaho, but now that I had a license in two states I was hopeful my employer would support me in paying for my CPE training and licensing in both states.
When I approached my boss he said, “I know you spent a lot of time and effort getting your CPA. Most people who get it would hate to let it go.”
He was thinking exactly what I was thinking. I would hate to let any of my certificates or licenses lapse because of the time and effort I put into getting them. It’s unfortunate some companies are not supporting their employees now in their professional development. The employees really want to maintain them and shouldn’t let all that hard work go down the drain because of lacking CPE.

Luckily for me he was very supporting, and my company at that time and helped pay for my licenses and CPE training. Now that I am on my own, I pay thousands of dollars a year to maintain all of the certification, licensing, and CPE on my own. I do that because I worked so hard to obtain those certifications and licenses in the first place, that I don’t want to let them lapse.

As I mentioned before, many people who work for large organizations are asked to pay for it themselves. One reason for creating cRisk Academy is to help people have access to CPE at a much lower cost, on their time schedule.

We have also taken an approach to make our trainings available in smaller sizes (1 or 2 hours) and bundled into larger courses of multiple hours or days. This was a way to help students customize their learning experience so they only get what they need, and what they can afford, when they want it.

I remember a story from business school one of my professors told us about toothpaste. Toothpaste is something we use each day and don’t really think about. We buy large tubes and use it for weeks or months at a time. The story he told us was about how some consumer products companies that make toothpaste actually create special “one-time-use” packaging for certain parts of the world. It seemed odd to me at first until he explained they needed to do that because some people in the world can only afford to pay for a single serving of toothpaste. To them, brushing their teeth was a luxury they couldn’t afford everyday.

That story has stuck with me, and I guess one reason we do this is to help people that only need a “single” serving of training, instead of a full three-day course. It also is helpful for individuals who get to the end of their CPE year and see they are a few hours short. Now with cRisk Academy, they can purchase just the hours they need to maintain their CPE.

ZenGRC: When looking at CLE requirements, many people think that having an “accredited” program is necessary. Is this true? How do you feel cRisk Academy can change that mindset?

Mefford: I’m going to let you in on a little secret that will probably make the accrediting companies mad.
One of the biggest accrediting companies in the US is the National Association of State Boards of Accountancy (NASBA). NASBA was created to help ensure Certified Public Accountants (CPAs) training is high quality and has reciprocity agreements with all of the state boards of accountancy. The idea is that if a training is NASBA accredited, it would be accepted by any state board of accountancy in the US for CPE purposes. For this reason, many people look specifically for NASBA accredited courses.

The reality is, only a handful of state boards of accountancy in the US require CPE to be NASBA accredited. I am personally a CPA in two different states and neither requires my CPE to be NASBA accredited. Each state does have their own CPE requirements, but those vary from state to state and are usually based on topic areas instead of accreditation.

Internationally NASBA accreditation is not relevant unless the student is a US CPA; and, as I already said, their state may not even require NASBA accreditation.
I have many different certifications and two CPA licenses. Only one of my certifications is particular about having accredited training, which means I am free to choose the training I need for the others, within the parameters of my certifications and licenses, to have most of my training qualify for my annual CPE requirements.

We decided not to go through the NASBA accreditation process, as it is very cumbersome and costly, especially in an online training format. We decided that since most people using our training platform wouldn’t require NASBA accreditation, there was no reason to add extra cost to our trainings when it wasn’t needed.

Our platform is perfect, for someone in your situation, who can’t afford the time away from work, or the large investment required to obtain in-person accredited training to maintain their certificates and licenses. It also allows you to customize your learning experience to get exactly what you need to do your job and meet your individual CPE needs.

One last comment on this area. It is important for people to focus on why we need to obtain CPE, not just obtaining CPE. Certifications and licenses mandate a certain number of CPE hours each year to help ensure professionals are staying relevant with changes and are competent to do their jobs. One’s focus should be obtaining the training they need to improve their career and do their job, not just getting CPE “hours.”

I think that is also one of the benefits of our training platform. Students can get the training they need to improve their career, and use the training for their CPE requirements. We offer CPE certificates for all of our courses once the course is completed, so students can track their training hours and use it in their CPE reporting each year.

ZenGRC: Your book really tries to get auditors to think differently, more holistically, about the way the audit process fits into the greater scope of business. Can you explain to me some of the ways in which you approach audit differently from others? Why do you feel this approach is better for an organization?

Mefford: The name of my book you are referring to is Risk-Based Internal Auditing. I used that title because lots of auditors realize they need to use a “risk-based” approach to auditing, but there are some misconceptions about what it really means to be risk-based in your audit approach.

What I advocate is “focusing on objectives, not internal controls.” I like to joke that an auditor never sees an internal control he/she didn’t want to audit. This causes many auditors to believe they need to test all of the controls in their organizations.

The real trick is to only audit key controls that relate to response activities their organizations are using to help meet key objectives. Auditors tend to focus first on controls instead of taking a couple of steps back and considering the organization’s objectives. As a result, they audit the details instead of looking at the bigger picture where they can provide more value to their organizations.
There are really three things that affect whether an organization achieves its objectives, which go back to the concept of Principled Performance®. Organizations are trying to reliably achieve objectives (performance) while addressing uncertainty (risk/reward) and acting with integrity (mandatory and voluntary compliance). Auditors should be focusing on the forces, events and changes in condition, that impact their organization’s ability to achieve objectives in those three areas. My book helps to explain how auditors can focus on the “significant” items.

The concept of Principled Performance®, created by OCEG, the organization that invented GRC, is really what my book is about. How auditors can help provide assurance to their board and management that the organization is on track to meet its objectives. This approach is better, since it focuses the auditor’s efforts on what matters most to the organization, not just what the auditor wants to, or thinks is important to audit.
This is a common theme I teach people in all of my trainings, including those on the cRisk Academy training platform.

ZenGRC: One of the things we talk about constantly in infosec is building a culture of compliance and awareness. From what you’re telling me about your approach to audit and cRisk, it feels as though this is very much on your mind. How would you envision cRisk adding to culture shift within organizations?

Mefford: For organizations to succeed in the future they must be more risk aware. They must practice the concept of Principled Performance®. The risk-based professionals we are trying to reach through cRisk Academy need to clearly understand forces, events, and changes in conditions. They need to learn a language they can use to help others in their organization understand these concepts.

Culture in an organization is based on values and beliefs that lead to individual behaviors. The way to change culture is changing belief. Belief changes through education and experience.

If an organization wants to build a culture of compliance and awareness, their employees need to be educated (that’s where cRisk Academy comes in) and have experiences that support that culture.

Cultural change is a long-term process that requires repetition, another way cRisk Academy helps. Our on-demand trainings are available to the student as long as they maintain their account. They can go back and watch the video lectures again and again, until they really understand the concepts and can apply them in their job.

6 InfoSec Cartoons & Webcomics to Brighten a Gloomy Week

ZenGRC Team · March 3, 2017 ·

Here's Why Regulatory Compliance Is Important

When your week is getting you down and you need a quick pick-me-up, cartoons and memes are the way to go. The wonder of the internet may bring with its security concerns, but it also brings with it the ability chuckle at a moment’s notice. Below are five places to find IT, infosec, and technology-related humor on the internet.

Dilbert

Dilbert is never not funny. Anyone who has ever spent their day in a cube farm filled with people who would never understand them or their value understands Dilbert. We get Dilbert. We are one with Dilbert, and Dilbert is one with us. The best part, is that Scott Adams’s official website has 212 pages of comics totally dedicated to the search “Information Security.”

XKCD

Ok, every geek worth their kryptonite knows about XKCD. They might even hand out XKCD comics with the Bachelor’s of Science degrees diplomas. Unlike Dilbert, there is no search function on the XKCD website. However, using a web search led to individual cartoons about things like security, encryption, InfoSec expert Bob Schneier, password strength, authorization, and the impossible dream of a back door to tech-savvy tech support.

Little Bobby

Written by Robert Lee and Jeff Haas, Little Bobby is from an insider’s perspective. Robert Lee is one of the top infosec experts around, but he works on this comic in his free time. With a subtitle like, “a Sunday morning webcomic on technology and security,” Little Bobby is intended for the InfoSec community.

Geek & Poke

Geek & Poke publishes webcomics every few weeks. More sporadic than some of the others, its focus is very clearly programmers. Minimalistic in style, it maximizes humor.

User Friendly

Started in 1997, User Friendly publishes IT-focused webcomics daily. J.D., the author, comes from the IT world noting proudly in his FAQ that “The first (user-programmable) computer I ever used a Hewlett-Packard 2000 mini, with thermal-paper printouts.” Although not currently in IT, he still visits IT departments for continued up-to-date inspiration.

Radical Compliance’s Meme Page

Everyone loves a good meme. Run by Matt Kelly, the former editor and publisher at Compliance Weekly, Radical Compliance generally serves as an information source but has a pretty phenomenal page of infosec memes.