Could you tell us a little bit about ProcessUnity and what it does?
We’re a cloud provider of risk management program automation.
We help organisations make risk management activities more effective and efficient in their businesses. We have a core concentration around third-party risk and cybersecurity program management, but we also help customers across the entire GRC (governance, risk management, and compliance) landscape. We specialise in automating risk registers, control frameworks, regulatory and compliance requirements and a lot more.
We help companies, both large and small. We focus on financial services, highly regulated industries and companies that want to protect their businesses and their brands. We have very large organisations that we help in life sciences and the high-tech sector, for example. But, also, we help smaller companies – ones that are just looking to get going and get started, and try to get organised around the ever-changing risk landscape. Our software provides workflow automation, data collection analytics, evidence collection and reporting for the needs of those clients around their compliance and regulatory requirements.
We do that in a way that we try to embed the program into their business. We integrate with their ERP systems. We integrate with their authentication system so that it’s seamless interaction with their line of business users, through their line two defense, to their line three auditors. All can interact within the solution, of the workflow and capture this data which provides clarity and remediation reporting to the people that need it most.
It’s been a tough 18 months or so and a lot of companies’ plans for development have been put on hold. But a lot of companies are starting to kickstart their plans again. What has ProccessUnity been doing?
When Covid hit last year, everyone scrambled to go remote. Our team went remote. Our customers did too. So did our customers’ vendors and partners. It was a huge shift from a cybersecurity and information security perspective. There were a lot of challenges to be able to manage that risk.
We focused on helping our customers with work at home policy assessments that they wanted to send out to their third parties because all of a sudden, there was a huge ripple effect. Where’s my data? Where’s my employee accessing my data? What about customer data going to and from my third parties, if everyone’s at home? What’s the process there? What controls are in place? So last year was about helping our customers through that process.
Every year something’s changing from a risk standpoint, and you’ve got to react to it. And you’ve got to react in a way that’s going to help reduce your exposure, reduce your brand reputational risk and help keep your business moving forward. So that’s certainly what we saw on that front.
From a software perspective, we’ve just been innovating. I like to tell our customers and our partners we’re a best-in-class program, a platform. And we bring in best-in-class data to be able to help you assess risk. We have been investing in what’s called our vendor intelligence suite to be able to incorporate cyber ratings, financial health scores, ESG data into risk programs to help our customers make decisions quicker. We’re giving customers more outside data about who their third parties are, and where that risk sits, so that they can make quick decisions around remediation efforts or contract clauses in onboarding decisions.
So there are a lot of things happening on two fronts. One is on the investment of what we’re doing in the market to help our customers along with third-party risk and cyber risk requirements. And the other one, of course, reacting to COVID-19 impacts to businesses and helping them adjust to the changes that have happened in the workplace regarding cyber risk and risk management overall.
Are there any other risk management trends that you’ve spotted?
Work from home policy management and the policy controls there is a big ticket. Business resiliency is also huge. Companies need to have business resiliency plans, of course. Those are really important to have not only your internal assets figured out – your internal processes and people – but also your third parties. Your third parties are part of your resiliency plan.
A lot of companies are relying on these third parties to do critical functions. And they need to be considered as part of the resiliency planning exercises that organisations have been going through. In resiliency planning it was a good test last year; companies dusted off the binders and saw if plans were working or not. I think that a lot of companies we see now are looking to fine tune what they realised last year to try to get it better.
Businesses and employees had to work very quickly to adjust the way in which they work. They generally did pretty well, all things considered.
I agree with you. All things considered, I think they did. There were obviously fall outs. There were sectors that got hit really hard – that didn’t respond well. But that’s the nature of the unknown, right? It’s going to hit somebody that hopefully they were prepared, and they did their homework and some didn’t. But I agree with you. I think overall, I think it’s there. We saw continued investment in monitoring of third parties and monitoring of cybersecurity. Obviously, ransomware also hit big last year, and this year too. There’s now a stronger focus on that. We’re helping organisations tie together their internal and external cybersecurity risk. They’ve got third party cybersecurity risk and now they’ve got to focus on their internal cybersecurity risk.
And they’re trying to align that against a single foundation that they can manage all of this against, as the requests keep pouring into the CISO’s office saying we need evidence of this, you need to do that, customers are asking us do we do this. And it’s all compacting onto the CISO. We’re seeing a lot of, for us, good movement to help them automate their programs and get more organised around all the things that come along with being a CISO. But trying to get them organised around some better program management, accountability, workflow, those types of things to help bring in a base.
How are you seeing companies finding success in adjusting their internal and external business risk?
It’s a challenge, because a lot of times these things are happening separately. In this case, you’ve got people trying to establish whether they know all the things in their businesses or not. Do I know the internal assets, the high-value assets, the third parties, who the fourth parties are? Can I get a mega inventory? Then I want a list of controls that I’m going to adhere to that cover the nature of my business.
I’m going to try to leverage some control standards but I need them to be my controls. And I’m going to do a baseline evaluation of how my organisation is doing against both my third parties and my internal assets. Then I’m going to find the gaps. Then we’re going to set a maturity curve and a lifecycle that says we’re going to get from point A to point B over the next 18 to 24 months. These are the top three priorities we’re going to go ask the board for money to go fix. And the rest of them are going to follow in a roadmap type format to remediate things as they see them.
That’s really what that internal/external security process is all about – establishing that foundation so that you can leverage a single set of your business’ controls as they support downstream regulations and standards tied to your upstream business data, your third parties, your policies, your processes and your assets.
It’s a daunting task. A lot of it is sitting with the CISO right now and a combination of maybe the privacy officer, the risk officer and the compliance team. But that’s where ProcessUnity is helping companies the most – get organised around that side of it.
How do you see companies creating a control-centered environment to manage the risk?
There are ways to do this. You don’t want to have an ISO control framework, a SOC 2 Type 2 control framework and a PCI control framework that are all overlapping, redundant controls, assessing the same set of applications and third parties to be compliant with each one of those things.
It’s important to be able to test one and satisfy many. Now, more than ever, that’s a really important concept. We help companies with that work. We partner with the Secure Controls Framework, which is a meta framework of controls that provides a single mapping that you can do for your business that handles all of the downstream mapping to regs and standards. It reduces all of that redundancy so that when you test a specific control – maybe it’s an enterprise control or an application specific control – you don’t have to do it five times a year, because you’ve collected it once you’ve tied it to all those downstream things.
Then, when a PCI audit comes in or an ISO certification comes in, you don’t have to look at a separate set of redundant activities to try to go and actively pursue. You’re already doing it against a single set of controls. Controls standardisation is really important. We see the meta framework as a great answer for companies that have gotten themselves into multiple control framework problems. We help them really get more efficient at what they do because the resourcing can be slim.
Having good resources in these groups is hard to find. You need to make the most out of the team that you have. And being as efficient as possible is always top of mind, especially from a cost perspective, when you talk to the board.
You’ll be taking part in a panel discussion at Cyber Security & Cloud Congress North America titled ‘Strong to the core – Security for digital transformation’. What do you think are going to be the key takeaways from this session?
It’s critical to get organised. For me, it’s about sight. It’s about cyber accountability. That’s what I’m all about. I want to see ownership assigned and accountability assigned out to stakeholders.
It’s not just line two, line three folks managing this. This is not just about the office of the CISO having to take care of everything. This is about an organisational commitment. You have policies, you have asset owners, relationship owners and third-party owners that all need to be involved in the process. It is a true people, process, technology problem. For me, accountability and making sure that everybody who should be assigned ownership of cybersecurity risk in this element has it. You need to think about it more holistically in the long-term game plan of organising this as opposed to tactical tool sets or tactical exercises that are going in to do discrete security functions.
Tactical tools are important. Don’t get me wrong. Those are critical. But why not risk prioritise them to focus on the ones that have the biggest holes in your business first? The trillion-dollar cybersecurity tool market is a real thing and last time I checked not many companies have a trillion dollars to go spend on cybersecurity.
You can hear more from ProcessUnity at Cyber Security & Cloud Congress North America on September 29-30, 2021.
Day 1 at 10.10am MDT will see David Klein, senior director of product strategy at ProcessUnity, give a talk titled ‘Create A Control-Centered Approach To Managing Your Risk’.
At 9.30am MDT on Day 2, Todd Boehler will take part in a panel discussion titled ‘Strong to the core – Security for digital transformation’.