Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and look at what’s next for 6clicks down the road. In Part 4, I am joined by 6clicks Chief Technology Officer, Dr. Heather Buker, and we take up producing an audit-ready report with 6clicks Pixel Perfect™.
Buker is the transitional resource who takes the engineering and tech part of the 6clicks solution and turns it into a workable solution for customers. She says of herself, “you can see me, affectionately, as a translator, if you will, of the product and functionality and how that translates to business use cases, value propositions and things that clients really care about.” She went on to note, “functionality is only as good as the value proposition that it serves. I am here to make sure that those two things meet. I’m kind of the bridge.”
It used to be that the byword for data and data processing was GIGO (garbage in, garbage out). However, now it has evolved to “data is only as good as what you can get out of it. So, it’s not enough to just collect the data and give organizations a sort of single source of truth for their GRC programs anymore. Right? That’s what every SaaS solution in the GRC space is really striving for. But, furthermore, users want easy, efficient ways to get that data out of the tool. So, it’s always a bit of an uphill battle when it comes to reporting. You know, there’s a constant flow of new requirements. Every organization has a different use case that needs supporting, et cetera, and users have to be able to get their GRC data out of the tool and make it digestible for a wide variety of audiences. And that’s really the key right there: the wide variety of audiences we’re trying to satisfy with reporting needs. What good is it to track their risk and compliance data if they can’t show or prove their current risk posture to an auditor or their Board members at the monthly meeting? Simply put, it isn’t. So, assets reporting is, and frankly always will be, a critical piece of the GRC SaaS solution puzzle”.
The problem that 6clicks Pixel Perfect™ helps solve is repeatability. As Buker explained, “The more we can make GRC processes repeatable, even when it comes to reporting, the easier our platform will be to use and the more widely adopted we can become. To solve for this in the reporting world, we decided to automate report generation.” I asked her for an example, and she said, “6clicks Pixel Perfect™ can take a completed PCI DSS assessment and return Section Six of the report on compliance, filled out and audit ready.” This means the platform uses the template mandated by the PCI Security Standards Council to drive this functionality and to ensure the report is properly formatted and ready to be submitted when generated. All an organization has to do is complete their PCI assessment and the platform will perform its “6clicks magic on the other side and deliver the PCI form from those assessment results minus all of the hassle. We are talking hours upon hours of time savings for QSAs, merchants and others on their engagements.”
We concluded with some of Buker’s thoughts on how multiple stakeholders can use the information that the 6clicks Pixel Perfect™ solution creates, up and down the chain in an organization, literally from the technical folks on the front lines up to the Board of Directors. She emphasized that this functionality “has to be up and down, high level, low level, right to Board members who have their monthly meeting or senior management who may be managing multiple projects across various lines of business. They don’t always know what they’re looking at when they look at some of these low-level, detailed risk reports or even data in general. We must make it digestible for them. We have to make it meaningful for them. We have to be able to produce reports and analytics at a really high level.”
Buker had a great phrase for it: it all has to be in an “accordion range. That is, from highest level to lowest level and then back. And that’s really like the secret sauce of reporting and analytics in the GRC space. Being able to take it full circle from driving change to implementing change and all of the various levels in any organization.”
Join us tomorrow, when we conclude our series by visiting with company co-founder Ant Stevens to explore what’s next for 6clicks.
For more information on 6clicks, check out their website here.
Tom Fox’s guest this week is Heather Buker. Heather is the Product Manager at Allgress and oversees the full life cycle of the development and QA processes. She spent her professional life in the world of computer engineering until making her way into the cybersecurity space. Tom welcomes her to this week’s show to talk about a new innovation from Allgress around authorizations to operate in the federal sector.
All About Allgress
Heather explains that Allgress serves highly regulated industries such as technology, government, and healthcare. “Allgress in general is a global provider of next generation audit, compliance, security and risk management solutions for organizations and their business partners to meet business risk objectives,” she says. Allgress enables organizations to streamline these processes and manage assessment monitoring in a more simplified way, without the need for a contingent of consultants.
FedRAMP & ATOs
Tom asks Heather to explain what FedRAMP and ATOs are and why they’re important. FedRAMP is the Federal Risk and Authorization Management Program, a government-wide program that provides a standardized approach to security assessments and continuous monitoring for cloud-based services. An ATO (authorization to operate) is the government giving you the authorization to operate a compliant cloud-based service. FedRAMP and an ATO are necessary if you sell your service to the federal government. After acquiring your FedRAMP authorization or ATO, you can then focus on maintaining the continuous monitoring that comes with the ATO.
How Allgress Maintains Your Federal ATO Effectively
“We’re going to give you the dynamic preparedness assessment; we’re going to automatically determine your impact level based on a survey; we’re going to guide you through [attaining an ATO] step by step,” Heather tells Tom. Allgress streamlines this process through automation and creates the audit trail that its clients need. “When the auditors come and they have questions, you’re gonna have all of the answers, and it’s going to be in the single pane of glass view that Allgress provides,” she adds. Allgress provides all the evidence and policies necessary when you’re testing against the federal controls.
The Impact of COVID-19 & What’s Next
The pandemic put a spotlight on the need for GRC solutions and exposed those companies that didn’t have such processes in place. It was a reminder to organizations that we never know when unexpected risk may strike, how we may be impacted, and how it may affect our organizational systems. Businesses have to start preparing for unexpected risks within their organizations. Heather explains to Tom that Allgress helps with this by automating organizational and partner risk assessments and leading them toward a recovery plan. Businesses also need to place more importance on the usability of their products.
“User adoption is something that’s so difficult to achieve when you introduce a new product to your workforce… It’s imperative that GRC solutions continue to become more user-friendly and reduce that learning curve so that users are going to adopt the technology more quickly and with ease,” Heather remarks.
Resources
Heather Buker | LinkedIn | Twitter