Watch this special, collaborative webinar session where industry experts from Netsurit and Centraleyes meet for a panel discussion focused on the biggest pain points of cyber risk and compliance management for the South African market, and share best practices on how to relieve them.
Learn how to:
- Utilize the power of automation and orchestration to reduce manual activities such as score correlation, building out risk registers and open-gap remediation
- Leverage smart mapping of common controls between frameworks to alleviate assessment fatigue and liberate InfoSec teams to focus on proactive risk mitigation
- Generate real-time dashboards with actionable insights and reports, and benchmark your progress over time with the click of a button
Webinar Transcript:
Eugene Perumal:
Yeah. So welcome, guys. A few clients on the call here, some familiar faces, some not-so-familiar names. You know, it’s a pleasure to have you guys. We are here to talk about security and compliance as general points, and there are, you know, some specific things that we wanna get into. But then, on behalf of Netsurit and Centraleyes, welcome, you guys. The difference with this webinar is it’s really sharp. It’s steady minutes. We don’t have too much time to talk about the reasons that we’ve called you guys here, and I think you all know, you know, in terms of the climate in the world right now and in cyber security, there are enough compelling reasons for us all to be here and to be talking about this topic.
But, yeah, nice to have you guys. This is gonna be a short and sharp one.
We’re excited to partner with Centraleyes. We’ve been doing so for about two years now, amazingly. I’m really proud of this partnership and what it’s grown into, and I think when you guys see the webinar, you’ll really understand why we’re so proud of this collaboration. So, you’re here for a bit of a panel discussion, if you wanna call it that. You know, you’ll get to know and understand some of the interesting opinions of our panelists, but you’ll also have the opportunity to ask questions and get them answered.
I’m Eugene. I’m the managing director of Netsurit in South Africa. Yair is on the call here, and he’s the CEO of Centraleyes. Shaun Davis is on the call. He’s our Chief Security Officer at Netsurit. We’re all glad to have you guys, and we’re gonna jump straight into it. So, yeah, I hand it over to you.
Yair Solow:
Sure. Thanks a lot, Eugene. Nice to meet everybody, and thanks for attending today. Yeah. I’m Yair Solow, the CEO and founder of Centraleyes. A little bit of background about myself: I was a vice president at Visa a few years ago, so I got to see a lot of risk and compliance in the cyber world from the financial services angle in particular. I saw big pain points in the market around cyber risk and compliance and felt like there were not enough tools out there to address this challenge, and that’s where I set out on the journey to make that world a more automated, more orchestrated world for our clients and the people out there that are struggling with a growing problem in the risk and compliance world.
Building a SaaS automated risk management platform that really helps organizations, you know, just get to the end result of the risk and compliance program, both faster and more efficiently, with a lot fewer resources. So, excited to be here today. Shaun, over to you; excited to hear more about you and the, you know, environment in South Africa. Awesome.
Shaun Davis:
Thanks, Yair. Thanks, Eugene. Good afternoon. Nice to meet you. I’m Shaun Davis, Chief Security Officer at Netsurit. Brief background on my responsibilities: I’m heading up our own internal security, so I face a lot of the challenges that you guys deal with on a daily basis, as well as heading up the security products that we take to market. Jumping into some of the challenges that we’re currently facing, you know, being an African company, and as far as I’m aware all the participants today are from South Africa: one of the biggest things on the top of our minds is POPIA. You know, and it goes around how do we actually take privacy data, or private data, or personal data and record that, and if you look at POPIA on its own, it’s just an act.
You know, it doesn’t really tell you exactly what to do. You know, it just tells you you have to take that set of data, and then, based on our experience and some of the challenges we faced, that is actually one of the reasons we partnered with Centraleyes. You know, take it two years back, we were trying to get around how do we approach this challenging landscape of identifying your data and driving a type of framework in the business that will allow us to meet some of the requirements, and that was one of the reasons we turned to Centraleyes, because they have a fantastic platform that enables you to do it in a more efficient way.
You know, if you look at, for example, ISO 27001, just in one control set, it’s like 18 control sets, and each of the control sets has a ton of requirements in Excel, just to complete them. But this morning, I actually went and looked at the ITWeb survey that was done not too long ago. It’s around companies in South Africa and the percentage of how well they’re tracking against POPIA, and some interesting stats: you know, of all the companies they surveyed, only 47 percent of them are comfortable to say they are ready. You know, 43% of them report they are getting there, and the rest of them were, we just don’t know. And that’s the reality, and this is what a lot of businesses are facing these days. Right? It’s also like trying to hit a moving target, and I think you get rating stuff changes, and there’s a high level of... some of the changes we have seen, and also the changes we face, you know, we all face as businesses in South Africa, is how to stay secure, how to stay compliant and what’s the most efficient way of doing it.
Yair Solow:
Thank you, Shaun. So, yeah, I think that was a great introduction to POPIA, and I think that we also see those changing environments globally, not just in South Africa but really around the world, as privacy laws come out, and, you know, you see new regulations coming out in almost every country and state, globally. So that’s something that’s affecting, you know, I think, a lot of companies today, especially ones that operate internationally, and at the same time there are the common standards and public standards that also continue to shift and change and get updated. So this is kind of an ever-changing landscape that’s only moving faster and faster, and I think locally by you now, you know, POPIA is really something that has been kind of a kick-start of that.
So maybe this is a good time just to mention that we have, you know, Q&A at the end of the session today. So please feel free to post questions in the Q&A panel there; we’d be happy to answer some of those questions towards the end of the session. So maybe the first area I wanted to focus on is really how to utilize the power of automation and orchestration to reduce manual activities. So one of the things that we’ve seen here is really, you know, the ability, and that’s really what we’ve been focused on as a company, to move from this tactical compliance effort to a more strategic approach, so that you can manage both your risk and compliance programs in a much more real-time, automated way and not repeat tasks that are redundant, that are working in silos, and allowing the organization to share information in a much more collaborative way, so you can both see the bigger picture but also, you know, go into the bits and bytes and connect the dots there. You know, Shaun, maybe from your side, you know, what are you seeing on your end around, you know, the risk and compliance space as clients are looking to automate, specifically around POPIA or, you know, just in general? So what are the trends that you’re seeing there and kind of the activity around that automation piece?
Shaun Davis:
Yeah, Yair. It’s a good question. We all know it takes a ton of effort, manual effort, to sort of sustain good compliance in the business. You know, and as complexity increases, it takes more human effort, and we all know time is money. You know, and a lot of these people, they multitask. You know? They drop in a lot of new sheets, you know. They do it whenever they can get to it. Now the problem with that type of approach is, firstly, it’s gonna take a very long time to get compliant, even if you do get compliant, and at the same time there’s no sustainability as well. You know? We have staff turnover, you know, staff coming and leaving, and because it’s such a manual type of engagement, you know, there’s no collaboration, there’s no type of tracking. It’s just purely disorganized, and what I’ve seen a lot happening now is people are trying to look at solutions, you know, automation and orchestration platforms that can drive this. You know, platforms that can actually help you achieve your compliance, but also maintain it. You know, because a lot of times what we see is there’s a lot of effort going into getting compliant, you know, getting that first certification, but then the effort reduces, or there’s lots of turnover across that, and then when they have to recertify, it’s almost starting from scratch again, and that’s why people are trying to use platforms to not only check progress, ensuring that you achieve that compliance, but also to maintain it, and at the same time have a central place that you store all of this. You know, if you think about it, a big portion of being compliant or getting certified is to provide evidence, you know, and evidence or artifacts, depending on what you wanna call it, and the problem I’ve seen in the process is it’s scattered. You know, some of it is on a PC or it’s in a SharePoint location or another source, but it’s not very structured.
So once again, you have staff turnover, you have someone in the app, there’s a need, and suddenly you don’t know where the data is. It’s just disorganized, and what I’ve seen companies focus on is, firstly, containing the information in one central location, being able to track collaboration, being able to assign tasks or functions to various teams, but out of a single platform.
You know, and that’s really where we start bringing efficiency to the business. You know, and I think that’s why there’s such a big push to get a solution in place that can drive this.
Yair Solow:
Yeah. Makes perfect sense. I think that, like, just looking at the, you know, the points that you made there about, you know, compliance being very often kind of a once-a-year audit task that’s very painful, and you kinda do it around some kind of, you know, certification or end-of-year regulation audit or things like that, and then most of the year you’re not really compliant because you’re not really tracking those things, and often also those compliance requirements change in midstream. That’s one challenge a lot of organizations have here. But then at the same time, you have a tremendous amount of overlap in the different work here. They mean different standards here, like SOC 2 or PCI or NIST or ISO or things like that, in parallel to a privacy act like POPIA, and then that overlap now gets redundant on the one hand, and then also at the same time, you know, you have a lot of, you know, things that you could do once and apply to many. But because it’s not automated, you’re just, you know, stretched thin, and we see organizations leveraging different tools like you mentioned: SharePoint, Jira, Google Docs. Right? Whatever it might be. Right? At the end of the day, you know, you’re basically building a platform on your own with siloed tools, and it’s, you know, very hard to sustain, especially as it becomes more than one single standard.
That’s one single standard, or something that’s manageable. But as soon as you’re running around, you know, a company that has multiple requirements here, or risk management requirements, like you’re trying to look internally and quantify how exposed you are as an organization, which is very different from compliance even though there’s a lot of overlap there, that’s where our tools, I think, you know, can certainly help. Definitely, shortly we’ll actually share some of the screens here of the platform itself to show how this partnership that we created here is leveraging technology together with the services that Netsurit provides, with our platform, and then leveraging, you know, that capability to allow organizations to create a lot of efficiencies.
You know, a number of the solutions in our platform can literally save hundreds of hours of manual work at a click of a button. You know, we’ll talk about those shortly, and maybe the next topic with Shaun here, he’ll really, you know, kind of bring that home here. So maybe, you know, the next piece I wanted to really touch on is really around the different frameworks that are out there and how they map up to each other today. So, you know, maybe Shaun, you know, you can share a little more on how they will be affecting organizations today. What is being enforced? Anything around that you’re seeing in the field today? Because that’s an area I think that obviously, you know, the viewers today, especially here, are gonna be very interested in, and it’s relatively new.
Right? So you always see it’s kind of an evolving reality when it comes to new regulations coming out. Some are enforced more, some less, and that often has a big impact on how that takes effect on an organization. Yeah. So I’d love to hear more about that.
Shaun Davis:
Yeah, Yair. Exactly. I think the biggest thing that we see, as I mentioned earlier, is POPIA is an Act, right. I think your biggest challenge, to be honest, is the cyber insurance companies you have to deal with these days, you know, how to protect against liability, and they’re actually the ones really driving the, you know, the road to say this, and that’s what we expect from you. That’s what we expect from you as a business, that you have to put in place to take the data that we’re supposed to be protecting. So we see a lot of security programs, to say, you know, that could be ISO 27001; we see a lot of companies sort of adopting that. I think one of the key ones that comes to mind is NIST. You know, NIST is actually one of the global type security frameworks that’s being enforced by most companies. If you think about it, if you get audited, normally it aligns to the NIST type of framework, to be honest, you know, and that is identify, detect, detect, detect, respond. You know, I may miss one there, off the top of my head. But, you know, that’s normally where our companies are actually driven to make sure it sort of gives them, you know... a lot of times, I see that the companies do it wrong. They have an unstructured approach, you know, and it counters point areas. Yeah. It’s more of a tactical aspect. Right? It’s a current need, and we’re gonna do something to cover the needs.
However, that creates gaps. You may not see it now, but not until there has to be a gap summary, and that is where it’s critical: you have to adopt a framework such as ISO that introduces a security program into the business that gives you the roadmap of what you need to achieve to make your business more secure. The same thing that is a little bit easier to adopt is NIST. You know, NIST is very clear on the controls you can implement, and they didn’t ask you to have a structured way of approaching security for your business.
Yair Solow:
Absolutely, and NIST is obviously something that we’ve been very focused on, you know; we’re very active in the US and Europe today as well as South Africa, and we’re seeing NIST become really that popular, kind of the most popular, you know, cyber security framework in the world, although ISO 27001 is definitely, you know, another one that’s very popular, and, you know, I think that looking at those structured approaches versus maybe one, you know, previous approach, which is kind of like everybody wants to figure it out on their own, is kind of a thing of the past more and more. Because at the end, yeah, you have to adapt it to your organization. If you don’t use one standard that helps you achieve, you know, a very structured kind of approach on all the pieces, you know, you miss pieces that you might overlook, and NIST, when you think about it, you know, has the 5 functions there of identify, protect, detect, respond and recover.
So if you break that down, it really touches on the different points of your cybersecurity kind of life cycle, from that, you know, preliminary stage of identifying your assets, your threat actors, your industry, what your inherent risk piece is there, and then you have the protect part, which is really putting up those different building blocks to help, you know, ward off those different types of threats there, and then the detect piece, you know, the bad guys are, you know, at your doorstep trying to get in. How do we see that they’re there? But what I always find fascinating about NIST is the last two pieces: like 40 percent of the framework is respond and recover.
That’s actually acknowledging you’re gonna be breached and saying, well, how do you respond and how do you recover from a breach like that, so it’s not detrimental to your business but actually a minor bump in the road, versus maybe, you know, bankrupting your company or setting you back very, very far there. So that’s something I think that, essentially, maybe, you know, just talking about, you know, we spoke a lot, Shaun, about the spreadsheets out there, you know, that are used today to manage these types of challenges, and that’s something that, you know, we looked at together, and maybe we could look at the platform now. Yeah. Let’s take a look at how that looks in real life and how we’ve transitioned from a spreadsheet manual approach to, you know, a more automated approach.
I’m gonna share my screen now. Hopefully everybody can see it. You should be able to see now, you know, our collection center here. We’re looking at the actual frameworks in place; we’ve got some different NIST assessments here, and if we look at one of these NIST assessments here, you know, we click on it, we open it up, and we can see those functions here: identify, protect, detect, respond and recover, and as you click in here, you’re gonna go deeper and deeper here into the framework in a way where you can see the actual control enhancements, you know, interpreted into questions here. So the platform really helps guide you to a very actionable place of how you can assess if these controls are being met, and then from there, you know, one of the things you’re talking about are those parallel paths there of multiple, you know, frameworks that are running side by side, and, you know, this is how the platform helps with a lot of it today.
So when you conduct a NIST assessment on the platform, you’re able to actually automatically crosswalk the controls over to 25 other frameworks in the platform, in a way that it will automatically apply the evidence, artifacts and answers there to the different pieces there. So this is an area that I think, you know, one of the areas of how you’re thinking about conducting NIST and POPIA and other frameworks: you leverage the texture of smart mappings here, which help you, you know, both assign, you know, control owners here and connect to tools here. Right? Like, I think we’ve got some integrations with vulnerability scanners. We’re now adding Azure and then AWS in the near future also, and I know there’s a lot of Azure, kind of Microsoft users in your client base.
I think that’s exciting, that’s coming here, and that’s something that I think that as, you know, you conduct assessments, first of all they become more and more automated, but they also allow you to do what you said before on the orchestration and collection of data in a much more efficient and organized way. You’re doing it once and applying it to many there. So that’s just kind of, you know, kind of a first screenshot here of the ability here to kind of, you know, guide through the different frameworks, and then you can see on the left here, you know, different frameworks like ISO 27001, other things like that, that if you’re trying to implement, you’ll have those match up here to automatically map, so that you can then save sometimes between 35 to 85 percent of that manual work that usually would be there to conduct that assessment again. So just leveraging kind of that, you know, automation to really create a lot more time savings over there.
So on that point, you know, I know that there’s another piece around, you know, POPIA that we talked about, Shaun, and maybe get your thoughts on that, around the POPIA compliance piece, around the requirements with vendors and partners there. We’d love to hear kind of how that’s meeting, you know, the world down, you know, in your region, and that’s something that’s been a big focus globally, where, you know, supply chain and vendor risk have become a top-of-mind topic because that’s something that has really been at the epicenter of a lot of big attacks that have happened over the last few years.
So, you know, before touching on how we help solve and, you know, address that, I’d love to hear more about that challenge and those requirements there, you know, in your region.
Shaun Davis:
Yeah. You got it. You actually touched on a very important topic there. It’s a large part of risk management. You know, as much as we have to worry about our own internal risk, we now have to worry about the partners doing business with us, but, you know, are they introducing new risk to us or to our clients? And to be honest, what I’ve seen happen is it’s quite still legacy, how we record that, you know: it’s either a Word document or an Excel spreadsheet that gets mailed out to say, please answer the following questions, and that sort of gives us a sort of idea of what’s the risk appetite, what you can introduce to our business.
You know, and the problem with that is, once again, it’s manual. You know, email to you, email back to me, there’s no real structure to it. Once again, there’s no real central way of tracking that, and you find that depending on who does it in the business, even the output of that question may differ. You know, it could be different business units in the business asking during those questions, you know, and then how do you track it? You know, how do you better digest it? You know, someone on the other end is answering your question and it’s all a trust thing, and we all know, unfortunately, trust is important, but it doesn’t stop attackers. You know? And I think that’s a key thing, and I know one of the key aspects that we need to think about when it comes to compliance management is how can we better manage the risk that’s being introduced to our business? You know? For me, a questionnaire is just not sufficient. You know, can we rather send them a type of, I wanna call it almost like a smaller business type questionnaire, almost like a second day, where we can get an audit aspect, you know. Do we have... how do you do your vulnerability management, or do you do annual pen tests? You know, can you supply evidence or artifacts? You know, and I think in doing it that way, it will allow us to better assess the risk that’s being introduced to our business. A Word document in an email is just not gonna be sufficient, to be honest. However, we do see it still happening on a day-to-day basis.
Yair Solow:
Yeah. I would say the majority of companies are still in that exact spot today. So I think those of you out there that are still in that spot shouldn’t feel alone, but should feel that it’s time to move up to a more modern, automated solution, because, as you just described now, there’s a bunch of different approaches here, and really, as this becomes a more kind of, you know, center point for, you know, attacks on organizations, you really need to do this in a more efficient way, because you’re not gonna be able to just send questionnaires out. You’re not gonna just do live scans. You have to combine both, and you have to do this at scale for your organization. Then maybe I’ll just show kind of a few screens here from the platform on the vendor risk side here, so you can see kind of how the vendors are onboarded through the wizard here, which takes probably around 60 to 90 seconds to onboard a new vendor here through a series of questions, then onboarding facts that you put in here, and this can be customized for each organization to fit their workflows.
The vendor then gets onboarded into here, then, like, as opposed to sending a spreadsheet, right, you don’t know where that stands at any point. Right? And here, you have a real-time view of the progress of this vendor. You have alerts here telling you they’re behind schedule, telling them they’re behind schedule. You have automated functions helping them solve gaps that they have before it gets to you, and then you have the ability here to look through and say, okay, I wanna see a specific vendor here, and then you can go into that vendor’s, you know, management area here: profile, manage users, timeline, but then also see the questionnaires here that are being managed here in the platform.
You can see all the artifacts that are being shared back that are automatically cataloged, and then it’s put up here into different folders here. So it’s all very easy to manage, with sharing of evidence and documentation. Keep track of it, version control, approval, denial of those pieces, because you go through them and you say you don’t want this one and whatnot, and we’re combining two worlds of risk management for vendors here: both that piece of self-attestation by the vendor, where you’re sending them out some kind of qualitative questionnaire, whether it’s based on NIST, ISO or your own, but then combining that with the automatic scanning here on the darknet and the public perimeter.
We’ve created scanners here that can see open ports, CVEs, other findings, credential theft indicators, things like that, and you can actually see all that information here, and then all this also gets quantified into the vendor’s gap score here. So at the end of the day, you have both external information here and internal information coming together in a seamless and automated way. It creates this footprint for the vendor, which we’ll see in a second, that’s presented from a management perspective. But the idea here really is that we’re combining those in the best of both worlds, because neither of them alone is actually sufficient here, and you need to do this at scale, and the new piece we’ve just added now, which you should pay attention to, is the fourth-party piece, which is a big piece, top of mind now, where supply chains are being leveraged. So ask your vendors now to give you their top vendors and then have us automatically scan them as well and quantify that; that is another piece our platform automates today. At the end, once you quantify a vendor profile here, it’s gonna both tie it into a risk level here, critical down to low, but it’s also gonna break that profile down into both impact and probability scores. How much damage can this vendor cause us? That’s very relevant to your organization, and then how likely is the vendor to be breached, based on their controls and the assessment that we’ve done as well as the automatic external scanning. And then the idea is that we’re gonna try to lower the probability to move everybody to the left here.
So again, using this ability to kind of leverage automation here, it’s another big piece, and then we’re almost out of time and I want to just get to one more topic here. So maybe if there are any questions here, we’re happy to answer those shortly. But, you know, maybe, you know, Shaun, from your perspective, you know, around the dashboard side, right, and the actual insights here. We’d love to hear your thoughts there, how much that’s needed in the market today. You know, do you feel like that’s something that helps clients both manage and track progress over time there?
Shaun Davis:
Yeah, to be honest, that’s actually one of the biggest selling points. I think most of us have to understand the investment security requires. Right? And a lot of times it’s difficult to visualize and report back to the board, you know: where’s the investment going? How are we tracking from a security posture aspect? And being able to have a dashboard that we can present to a board or to directors or a CFO, if required, to say this is where we are based on this current... You know, that’s your quantitative risk, it’s your qualitative risk, and being able to visualize risk, I think that’s such a key thing, and it’s one of the biggest challenges people have: how to visualize risk and how to track it correctly, and I think that platform does that so well.
Yair Solow:
Yeah. So I’m just gonna share the screen that you’re talking about there. I think you’re right. I think that that’s one of the things at least we’re seeing, definitely, you know, in the US today, and I think that’s very relevant to South Africa as well: being able to get a dashboard, a live dashboard here showing you your risk and compliance levels, real-time statuses here, but then the ability here to not just get this, you know, live view, but actually be able to click in and get more and more granular. Right? You click in and you can see here a breakdown through your organization. You can get breakdowns. So everything is clickable, so you can peel off layer by layer here, show the exact compliance level or risk domains here. Right? And you can see the domains, where you see a real-time score in blue versus a shadow, which is a target, or you have the ability to go back in time with the platform, because the platform is archiving the data in real time and gives you that ability to show a side-by-side of your progress over time. So that benchmarking piece is easier, because now you actually have a way to put a measuring stick in the sand here, right, and then measure that progress forward, and you’ve seen that, you know, with ISO 27001 and 27002 now, right, being able to track the progress of, you know, an information security program is huge here, and, you know, just being able also to go back to management and say, look what we did 6 months ago, look at this investment we’ve made here, look at the quantifiable and tangible progress we’ve made; that’s something that I think also at the end speaks very loudly here.
So, you know, on that point, maybe I’m gonna stop sharing here. Just look at, you know, if there are any questions here that came in, and then from there, you know, we’ll send it back to Eugene to wrap up. So let me just take a look here. Can you share examples of how working through POPIA compliance can save time on other frameworks? Shaun, I’ll pass that one over to you, about the overlap of POPIA with some of the other standards out there today.
Shaun Davis:
Yeah. As I mentioned earlier, POPIA, once again, it is still a guideline of what you have to achieve as a business. We leverage other frameworks to achieve that. You know, depending on your business, you may choose ISO, you may choose NIST. They all drive the same sort of protection controls you have to put in place to protect your private data.
You know, preparing us to protect private data, that’s all it is asking here. You know, you have to leverage the defined frameworks to try to achieve that level of control and the result of protecting that.
Yair Solow:
Yep. Yep, and then we’ve seen just, you know, how that matches up to a lot of those other, you know, different topics there, like you said. Then maybe one last question here about integration to things like, you know, Jira, ServiceNow, or other platforms like that. So, yeah, there are integrations in the platform today on the ticketing side there, where we can push and pull tickets through the automated remediation planning system, and again, anybody who’s interested in seeing more should reach out to Netsurit and can learn more about, you know, the features more in depth, but we certainly have a live integration we can show there. You know, I’m gonna pass it back to Eugene now. Thanks, Shaun.
Eugene Perumal:
Thanks, Yair. Yeah. Thank you, Shaun. Yeah. So like I said to everybody, it’s gonna be short and sharp. We’re gonna try to just give out some information. Michelle has been kind enough to post a link into the chat that leads to our website, and so, you know, if you guys have more questions and wanna get more information, just go there; you’ll be able to sort of read up a little bit about this partnership that we have and, you know, you can reach out to us, and I think there’s a lot of people in this sort of Netsurit community and Centraleyes community that you guys know, from many account executives, etcetera.
You know, get in touch and we can direct you if you need, but go to the website first and, you know, there’s a lot of information on there that’s available. Thanks again, guys. I hope this has been valuable. Yeah. You know, thanks, Yair, really appreciate your time and the energy that’s gone into this. Shaun, you too, really appreciate your time and your knowledge on this. And I guess we’ll see you guys again real soon. So take care, everyone.