KBKAST
Episode 142: Alastair Dickson
First Aired: November 09, 2022

Alastair has spent the last 20 years working in Cyber Security and Risk Management. He is a passionate believer that security solutions should enable a business to take advantage of all the benefits of the digital world, while not putting the organisation’s data or productivity at risk.

From working within start-ups to established vendors Alastair has the knowledge to launch and grow markets for technology that cuts through the noise to recommend a methodology that really moves his clients forward, maturing the approach they take.

Having 4 children means he knows what it takes to keep teams focused on the right challenges to delight their customers every day. Building trust at all levels is crucial to this success.

Helping to de-mystify the cyber market is a key objective of Alastair's, as he believes it can only help the cause if we work together and share intelligence to keep the bad guys out and businesses operating smoothly.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:20) You're listening to KBKast, the cyber security podcast for all executives, cutting through the jargon and hype to understand the landscape where risks and technology meet. Now, here's your host, Karissa Breen.

Karissa (00:35) Joining me today is Alastair Dickson, director of Quod Orbis. And today we're discussing CCM. Al, thanks for joining.

Alastair Dickson (00:43) Hi, pleasure. Thank you for having me.

Karissa (00:45) So I'm really excited to talk to you today because I actually haven't discussed this topic on the show before. So you are the first person out of the 140, 150 plus people that I've spoken to to discuss this. So I want to start with continuous control monitoring, also known as CCM. What is it?

Alastair Dickson (01:06) As you said, CCM stands for continuous control monitoring. To be honest, it's probably not a surprise it's one of the first times you've had a guest discuss it. It's a technology that's been around for a number of years now, for three or four years, effectively. But only over the last twelve to 18 months has its awareness started to spread, and the value that it can offer to organisations. But at a very high level, CCM gives you the ability to understand your security and compliance and risk posture in real time. Automated monitoring of all of your controls gives you the ability to bring all your disparate, primarily security, but some of your wider IT technologies together into a single platform, to be able to query and ask questions of it, to understand how you're performing against your key KRIs, your key KPIs, how you're aligning to your compliance regulations, and really get a really good level of visibility and understanding of how your entire cyber and risk posture is performing in real time.

Karissa (02:05) Yeah, thanks for that clarification. Would you say that people have different definitions in their mind about CCM?

Alastair Dickson (02:13) Yeah, I really do, actually.
CCM has a very wide ranging set of use cases, and in some respects that's one of the best advantages for organisations, that it can be used across multiple teams. I mean, it has use cases across cyber, risk, compliance and audit. One of its challenges, of course, is that it also goes across multiple teams that tend to be, in larger organisations, relatively disparate teams. So people's understanding of where it best fits and how it can be best utilised can be very different, not only between different organisations, but equally between people and teams within organisations. So understanding where it best fits within an organisation, and using that as an entry point for an organisation to be able to utilise the value of CCM, is a key area, and then you can expand out. Organisations tend to expand out the usage of it into other areas because it can mean different things to different teams, effectively. If I give you an example of that: CCM within compliance. One of the key benefits of CCM is it offers you the ability to do continuous compliance against pretty much any regulation, be that a more standard regulation,

Alastair Dickson (03:24) NIST or SOC or ISO, or a bespoke internal set of controls or framework that an organisation wishes to adhere to for compliance. It means that from a security perspective, it enables things like cyber risk quantification. Because we're taking metrics from each of your different pieces of technology and correlating them together, it gives organisations a much better understanding of how they can do quantitative cyber risk management. So in those two examples, you've got the compliance team using it for one use case, but you've got the risk team using it for a different use case, and that's before we start getting on to how audit can use it, or how the security teams can use it as well. So it can have very different use cases for very different teams.
What it importantly does do, and what it offers organisations, is a single source of truth. And actually, once you have that single source of truth, then how you query that information, how you query that single source of truth, can be very different for your different roles. But you can be confident that all your teams are working from that same data set, and as a result, you get that level of consistency across all of the teams for how you're best managing each of those areas.

Karissa (04:31) Okay, thanks for clarifying that. What do you believe is the value, though, for CCM from your perspective? Because you've spoken a lot about, you know, quantitative, qualitative, on the compliance front, on the risk front, which is excellent. But if you had to sort of summarise, what would be your main driver for the value of CCM?

Alastair Dickson (04:53) Yeah, great question. There's a number of them, actually. One of the key values that we see within organisations, and it's one of the main challenges that we see when we're speaking to our clients, is at a very first stage, it gives them the assurance that they have visibility over all of the assets within their organisation. It often brings a bit of a smirk and a smile when we talk to our clients and we talk about CMDBs and having an understanding of all of the assets. And they often smirk and smile back, as they don't have as much confidence as maybe they should have across all of their cyber infrastructure, all of their users and all their assets across the organisation. How we create what we call an intelligent asset repository is because we connect to every piece of technology an organisation has. We have the ability to connect to every piece of technology an organisation has. What we're doing is we're creating a live intelligent asset repository.
So all of these technologies, be it your vulnerability scanner, your EDR tools, your security awareness tools, these are all connected to all the assets across the organisation.

Alastair Dickson (05:54) Now, pulling that information together into one platform and being able to understand all of the assets that all of those different technologies are talking to means you can really significantly reduce the risk of having any assets that are missed if you're relying on one single format, be it the CMDB. Actually, you're relying on one piece of information there. What you get is validation from all of your technologies, pulling it together to give you confidence and assurance that you have a level of visibility and control over all of the assets and the users across your entire organisation. Once you've got that base level point, that adds a huge amount of value, gives you a level of assurance that you have an entire understanding of what you need to be setting your controls over, how your security technologies can help protect you. Once you have a clear understanding of all the various assets that you have across the organisation, once you have that, the next major benefit from our perspective is significant operational cost savings. Because we connect directly to, CCM connects directly to, the technology, we will extract out the very specific information required to assess the effectiveness of that control from that piece of technology.

Alastair Dickson (07:03) Now, currently that is a very manual process organisations have to go through. So they tend to have to request from team to team that piece of information. An individual will then have to extract out, most commonly, a sample piece of information and then send that information over. All of that is a very manual process. That information, when it's extracted out, becomes a static data point as well.
So with the best will in the world, it tends to be out of date pretty much as soon as that information is pulled, and it tends to be done from a sample set of data. Once you're able to access all of the data, you can send that information over in an automated way from 100% of that data. So it removes that entire manual process of having to do it, and with that obviously reduces the risk, because as and when there is any manual process, there is of course a risk of something going wrong within that process, or in the perception of that data by that individual or those individuals or those teams. So we remove all of that. So you get significant operational cost saving while being able to utilise the CCM.

Alastair Dickson (08:09) The other benefit that comes with it is being able to monitor your KRIs, your KPIs, those key questions that you need to have answered. How is my joiners, movers, leavers process, you know, is it effective? Are we enabling that process? By correlating multiple pieces of information together, you can understand exactly how effective you are for monitoring those specific controls. That leads on to the ability to do continuous compliance. A lot of our clients, whether looking for ISO certifications or PCI certifications, in the months building up to it, they have that kind of pre-audit compliance scramble. So it's all hands on deck to try and gather the right information, position it in the right way to be able to effectively demonstrate compliance against those regulations. So it becomes again a very static, point-in-time moment, and everything is building up to that one compliance regulation. With continuous compliance, you can see how compliant you are against those regulations at any moment in time. So it avoids any of that pre-audit scramble, which again uses up a significant amount of an organisation's resources in the build up to it.
Alastair Dickson (09:14) And if you're doing it continually, of course you can utilise the controls and the answers and information you get from that compliance to improve your cyber resilience. If it simply becomes about a process to pass that compliance regulation, then actually by the time you finish it, you tend to take a big deep breath and then move on to something else. So you don't utilise the output as effectively as you can do, unless you are doing it in a continuous way.

Karissa (09:39) Definitely hear what you're saying, and totally agree with the pre-audit scramble. Most definitely. So one of the things, as you were speaking, for someone who was a previous reporting analyst, do you think, though, that people may be overwhelmed? Because it's all well and good to have all these things feeding in, but then once we have too much information, we as human beings don't really retain it, or it feels like there's too much, or we feel overwhelmed. What are your thoughts on that?

Alastair Dickson (10:09) That's a great question, actually. Yeah, and it's one of the big benefits of CCM as we do it here at Quod Orbis. So we only extract out the very specific information from each piece of technology to help test or ascertain the effectiveness of that control. What we do by that is you therefore only see the information that you need to see to answer the specific questions you need to answer. We are not a SIEM, and one of the misconceptions around CCM is that it becomes a little bit like a SIEM technology, where they're ingesting vast amounts of data. We are the opposite of that, to an extent. We only extract out the very specific information, to remove that ability to have too much information to be able to look at.
Not only does that lower your risk in terms of information you're sharing with your CCM vendor, which is a managed third party risk area, of course that data, when sharing it with your CCM vendor, can be anonymised; any personal or PII data can be removed from it. And again, within the Quod Orbis solution, you are effectively presented with a dashboard view, and what you see in your dashboard is just what you are required, or what you need, or what you would like to see, and nothing else.

Alastair Dickson (11:21) So actually we try reducing all of that noise and all of that data down to a very specific set of questions or telemetry that you wish to be able to monitor, to avoid that very situation. I think over the last number of years, organisations have, rightly so, invested a large amount in their security environment; they've invested in a large amount of tools. And actually that of course poses its own issues and challenges, not only from a value perspective, trying to maximise your ROI and usage of those tools, but actually which tool does what best, what features, what functionality. Of course, that can be very challenging for an organisation that's stretched on resource to have that understanding. CCM does that for you, so your CCM vendor will understand what pieces of information can be extracted from which tool and how they can be correlated together, and then present that back to you. So hopefully we start to remove an awful lot of that noise and you can be much more targeted and focused around the questions you want answered, effectively. Really.

Karissa (12:25) Do you think people know what they want presented, though?

Alastair Dickson (12:27) Not when you first start talking to them, actually. I think there is a mix. When we're talking to our clients, some pick a specific regulation like NIST. They're trying to get a higher score in the NIST framework, or they're picking ISO and having to answer very specific questions.
So people tend to start with a more industry established regulation, and there's absolutely nothing wrong with starting in those areas. But of course they're very generic regulations, written for a wide range of types of organisations in different verticals, different sizes, different areas. What I think actually becomes quite beneficial after that is if you start to develop a specific set of controls and questions you want answered that are unique to your organisation. So again, each CCM vendor would be different. Within Quod Orbis, we align to what's called the SCF, the Secure Controls Framework. What that organisation has done is mapped all regulations against all of the controls. They have essentially a database into the thousands of different controls. Within that, they allow each of their clients, each of their customers, it's a free service, it's a really useful tool, actually, to be able to create what they call a meta framework, that is effectively, I suppose, a bespoke set of controls that are unique to your organisation.

Alastair Dickson (13:50) How they align to the more industry regulations is contained within it as well. But it does therefore allow you to create a set of questions that work well for you. One of the challenges organisations have with CCM is they feel that they're not mature enough. They don't think they're ready for CCM, actually. I disagree with that, only for the fact I think CCM is a really intelligent way of maturing your organisation's cyber approach and increasing your cyber resilience. Once you've got that intelligent asset repository, then you can start to understand where any gaps are, and that will help you understand what you should be doing next, that will help you achieve your objectives. So some of the more straightforward questions we tend to discuss and get asked about are: what percentage coverage do I have of my EDR tools?
Actually, if you're correlating pieces of information together around Active Directory, your asset repository, your EDR tools, you can therefore get a much better understanding, of saying, actually, I know, I can see these exact assets are being scanned by my vulnerability scanner, or these exact assets don't have the latest version of EDR installed on them.

Alastair Dickson (14:52) And then you can raise a helpdesk ticket via the platform itself to go to the relevant team for them to take the necessary action to update that asset or install the latest version of EDR on it. So you can start with some very simple but very important questions around, say, things like EDR coverage or vulnerability management coverage or your security awareness rates. And once you've got those, then you can build up into, I suppose, more complex questions around joiners, movers, leavers, your contractual staff against full time staff. You can then start to build it up, so you don't have to start with the big bang of PCI, SOX. You start with some very important questions to answer that are actually quite straightforward, and from those, that will help you understand what the next step should be with your increased usage of your CCM platform.

Karissa (15:41) So Al, you mentioned before that people have said to you in the past that they don't think that they're ready. Why do you think that people say to you, oh, I'm not ready? Where do you think that comes from?

Alastair Dickson (15:52) I think that primarily comes back down to one of the challenges I've mentioned a bit earlier on, in terms of actually understanding all the assets that an organisation has, who owns those assets, what should be installed on those assets, what credentials, what access rights those individuals have. Having that base level understanding is obviously a very important step for any organisation at the moment.
We get told by other prospects or clients, when we're talking around continuous compliance, cyber risk quantification, operational cost savings, those types of more, I suppose, mature areas: I've just got to have a level of assurance over all of my assets, all of my users, all of my people, and once I've got that, then I can build up from it. But actually, at the moment, that's one of the major challenges we see with our prospects and our clients, knowing exactly what they need to be protecting. And I think that's the bit they're more concerned about. And then they want to get into the more challenging areas around continuous compliance and, say, cyber resilience. But they see that as the next step, that becomes something they want to have the ability to achieve over the next year or two years.

Alastair Dickson (17:02) But understanding what you need to protect is always the first step, and a lot of organisations are still struggling at that level.

Karissa (17:08) So if we zoom out with everything that you've spoken about so far, and we put our executive hat on, from your experience, what is sort of the most important thing that an executive would focus on? Like, is there anything, sort of insights that you have, that primarily executives are looking at X or Y? Is there anything that you can sort of just share with the audience, perhaps?

Alastair Dickson (17:30) So it really depends on the team that you're talking to. As I mentioned, CCM has use cases across audit, risk, compliance and security. So it does depend a little bit on the team you are talking to for what the KRIs they should be looking at are. If we look at security, one thing we have been asked for a lot over the last twelve months is effectively a bit of a CISO dashboard.
So building out, say, the top 10, 15, 20 or other metrics or controls that a CISO would like to have real time visibility of, and building out a dashboard where they've only got that information displayed to them. So we can be very specific in the approach. There's always a bunch of questions they'd like answered. At the moment, they're either asking their teams to manually both gather and correlate and attest that information. As I mentioned, that tends to be static and sample data. But actually they can have the ability to answer the key questions in real time. They can have a much higher level of confidence and assurance over the effectiveness of all the tools that they've invested in and how they can bring all those together.

Alastair Dickson (18:34) One thing we'll often say to our CCM clients is that CCM is not another security tool. I think the perception is, oh, here comes another security tool that hopefully would add value to the organisation, but I don't need more tools. CCM isn't another security tool. It doesn't create any information or results itself. It's extracting information from all your current security technologies, that tend to be a little bit disparate at the moment, and pulling them all together into one single platform. So from a CISO perspective, if you want to have a really good level of visibility over how all of your technology is performing, your CCM platform is by far and away the best place for you to be able to visualise that information. From a risk perspective, one of the big challenges that we've seen over the last couple of years, and it's a very good development in the area, is how the risk teams can manage cyber risk effectively when you do it via your CCM platform. Because we're extracting very specific information in real time from each of your tools.
That gives you that specific and measurable information for you to be able to much better manage and mitigate, or whatever that information is, around how you're managing cyber risk.

Alastair Dickson (19:43) You can utilise your CCM to be able to answer those questions. And as I said previously, second line risk might be asking first line to supply information once a week, or nightly, or monthly, and it's sample data. So the information they're utilising, I think everyone doesn't have as much assurance over it as they should do. CCM removes that whole process, so they can be confident the information they're looking at when they're assessing cyber risk is fact, evidence based, real time, it's 100% of the data. So whatever decision they're making is based on all of the accurate and real time information that they would want to have at their disposal.

Karissa (20:18) So I guess then, on that point, in anything that we do, things do get overlooked or missed or forgotten about. How can companies ensure that CCM is covering the majority of their bases? So, for example, maybe a data source isn't connected, for example, because if you're working in an enterprise, sometimes you don't even know what you've got. So talk to me a little bit more about this.

Alastair Dickson (20:43) Yeah, that is something that becomes a joint conversation that you should be having with your CCM vendor. So from a Quod Orbis perspective, there are a lot of conversations we'll have with our clients long before we think about onboarding them onto the platform, where we're discussing exactly what it is they're looking to achieve. Part of that, of course, is what technologies they've invested in. One thing we often discuss quite early is, let's not restrict yourself to your security technologies. A lot of information can be extracted out from wider pieces of technology.
So HR databases, as a good example, is a very rich data source for us to help an organisation understand what's going on with their assets or users, say joiners, movers, leavers, or have an understanding of contract staff or permanent staff. So first things first, we'll go through all the technologies that an organisation has and have a conversation to work out exactly what piece of information should be extracted from which area. That's something, from our perspective, we have an onboarding team that will work through all of that with a client, to help them long before they have to make any kind of financial investment in it, to give them a level of understanding over what it is we will help them achieve and, very importantly, how we will help them achieve that.

Alastair Dickson (21:56) So first things first, don't restrict yourself just to those security, cyber controls. Another recommendation I would say to most organisations is, there's a few of them out there, but as I say, from our perspective, we tend to align to the SCF, the Secure Controls Framework. I would investigate those types of offerings, so you have the ability to create a specific set of controls or a framework that's unique just to your organisation. So depending on what the specific threat is, insider threats, ransomware or security awareness or whatever it might be, you can create yourself essentially a personalised set of controls that you want to be adhering to. That means that actually, what you are creating, you can be confident is right for your organisation. Once you've got that, again, that gives you the questions that you need to have answered. The other thing I think we try and talk about, as a third and final point, is having the ability to connect to any piece of your technology. We try and encourage organisations to connect to the relevant technologies, be it their cloud technologies and their on-premise technologies, but really importantly, also the legacy technologies.
Alastair Dickson (23:02) Legacy technologies tend to be quite sensitive in an organisation. They're still there probably because they are conducting a very important business process, whatever that might be. And if it wasn't a critical process, it probably would have been upgraded or updated or moved to the cloud or whatever. So if a legacy system exists, it's because it's important to the organisation. If it's important to the organisation, it's important to have a level of control over that piece of technology so you can keep it secure. So make sure whoever you're speaking to has the ability to connect to every piece of technology wherever it exists. And therefore you can be confident that when you move down the line and you've understood all your technologies, all the key risks, what controls you want to align to, that when we're onboarding you into the platform, we've understood everything you want to achieve, we've understood your entire security ecosystem. So we're not missing any areas. So we don't tend to just jump straight into it. There's almost a consultative conversation to help an organisation understand all the parameters that they wish to have within this project.

Alastair Dickson (24:09) Map it out, plan it out, scope it out. When everyone's agreed and happy at that point, you then move forward. And that gives the organisation the assurance that we understand what they're looking to achieve, how we'll help them achieve it, and that actually we can connect to all the various disparate technologies to pull that information together, to offer them these visualisations that they know are unique to them.

Karissa (24:29) So you reference the word assurance a lot. When you say assurance, what do you mean by that specifically? So you said we provide assurance to an organisation.

Alastair Dickson (24:38) Confidence, really, I suppose, is probably almost a different way, or a good way, of putting it.
I think there are a lot of threats, the zero day exploits. There's a lot of threats, obviously, at the moment, an increasingly large amount of breaches that we see almost on a daily basis. What we're offering, I suppose, within that is a level of confidence for how an organisation can do all that they can do to try and ensure that they are not the next breach, they're not the next organisation that has to go public to say some of their data or their users or their information or passwords has been compromised. Now, of course, no one is claiming you can stop that in its entirety. What we help an organisation do is give them the confidence they can get the most out of all their different investments, all the different technology investments that they procure to plug those various gaps and those various holes. What we will do is take those disparate systems and pull them together, and hopefully that gives an organisation a high level of confidence that they are utilising all of the investments they've made to give them the best possible chance of being able to not be the next organisation that's breached, effectively.

Karissa (25:46) Right, okay. I totally hear what you're saying. Okay. There's a couple of things coming up in my mind as well, when we talk about, you said, map out key risks. One thing that I know, in speaking to people on the show and being a practitioner historically, is sometimes organisations either don't agree with the CISOs, or they don't actually know what their key risks are. So what would be your advice for companies to, like you mentioned before, like, start with these are our key risks, and then, of course, we can reverse engineer from a CCM perspective to ensure we've got, you know, we're looking at the right sort of intel on all of our organisation. So how would you sort of have that conversation with people in order to get the right feeds, from a dashboard perspective?
Alastair Dickson (26:33) Yeah, I suppose it slightly depends on who the organisation is, the markets the organisation works within, any, I suppose, clients or regulatory information that's put upon them, depending on what vertical they're in. So we'll start at a very high level. Once you get down to the controls and metrics, you're right down in the weeds at the bottom layer. I have those conversations at the very top layer. What are the things you are most concerned about? What are the things that keep you awake at night? What are the questions you need answered that you are unable to answer at the moment? And depending on where they sit in any kind of manufacturing supply chain or a service organisation, depending on what their focus is, will depend, of course, enormously on what their key risks are. So that's the key bit for us, to understand exactly what their overall risk posture is, what the things are that keep them awake at night, what are the questions they need answered. Once we can understand that, then you can start flowing that back down again.

Alastair Dickson (27:33) But it really depends on the maturity of the organisation. Also, of course, what they're currently doing in terms of managing risk. One of the useful areas around CCM is, if an organisation is already utilising an IRM tool, an integrated risk management tool, then the chances are they already have a process for managing other types of risk, and operational risk. But of course there's a number of different areas of risk, there's many different areas of risk. An organisation probably already has a process for managing risk. What we need to do is be able to complement how they are already managing risk, to present that information from all their security tools in a model and a process that complements what they're already doing across other areas.
That means they can manage risk as effectively as they can do in all those other areas. And managing cyber risk is one of those challenges that organisations have had historically, so it's slightly tended to sit outside how they're managing risk in other areas. Actually, it's just another type of risk, cyber risk. So understand what an organisation is already doing in terms of managing risk, what platforms they're utilising, what model they're utilising, using different three by three or five by five frameworks or Monte Carlo risk modelling, whatever that might be, and understand how we can use the information from the different technologies to complement exactly what it is they're already doing.

Alastair Dickson (28:58) One of the key uses of CCM is, as well as automating data into the platform, you can automate data out of the platform, and that tends to be in two or three key areas. Firstly, if you're seeing issues that come up within the platform, you can create a helpdesk ticket in your ITSM tool to be able to get that issue resolved. The output can go into any form of business intelligence tool for overall business reporting, or, as we've seen more and more frequently, it can be automatically exported into, integrated into, any kind of IRM tool that they're currently using. And of course that information can be fed in near real time, and as I mentioned, obviously it's 100% of that information. So we'll look at exactly how they're managing risk at the moment and try and complement that, so they can assess cyber risk the way they're assessing other areas of risk within the business.

Karissa (29:45) Do you think they're the same in terms of how they're assessing cyber risk versus other risks in the business, in terms of metrics, or do you think it varies?

Alastair Dickson (29:53) I think it probably depends on the type of organisation. I think it does vary a bit.
I mean, cyber risk is reasonably unique and actually in terms of risk management relative in its infancy for how we are managing cyber risk relative to conduct risk or overall what a business risk. So we're on a kind of, I suppose, a journey to help organisations mirror what they're doing in other areas. So I think in some respects it can be very similar. It's beneficial if it is similar. It's much easier for senior executives that aren't particularly experienced cyber security to understand the risks and particularly what organisations are doing to mitigate their various risks, if we can do it in a way that is similar to how they're already assessing risk in other areas. But of course there are uniquenesses around that. So actually in some areas it tends to what could be beneficial for them to have a slightly different model of how they are kind of assessing cyber risk, but actually we can complement what they're already doing. That actually makes it much easier for the wider organisation to understand the value and what the security teams are doing to protect the organization's users and data. Karissa (31:01) So moving forward then from your perspective now, when I used to be reporting analysts, like I used to build a lot of these dashboards in tableau so we would have a live dashboard. And that wasn't that long ago, like eight years ago maybe. And it was a lot of work just to build for one part of the bank that I was working in, for example, like one security field that I was focused on. So I definitely see the value of it. But what do you see them moving forward for CCM in the coming years? Where do you believe it will evolve to? I mean, look, it's a bit of a hard question to answer, but if you had to hypothesise, where would that sort of land? Alastair Dickson (31:42) So at the moment when we start a CCM conversation with a new prospect, it tends to have a reasonably civic use case. 
As I mentioned, across kind of security tends to be the more money one of compliance or risk, but we tend to start a conversation around area and actually it's very valuable once the area is utilising it. Where the real value of CCM can come into it is once multiple teams are using that dataset, as I said, they can have a huge level of confidence and assurance that data set is accurate, it's evidencebased and it's real time from each of their various, various pieces of technology. But actually, once you are utilising CM, if you can start getting the compliance teams who start utilising it as well, they can get continuous compliance from that similar data set. If the risk team then starts to use it, as well as that, they're able to then ability to manage cyber risk. And finally, where I think you'll end up going over the next few years is also utilising it across audit. Audit, I suppose that internal police that organisations have a lot of what audit do at the moment of course is have to go and question query all the various teams across the organisation for how they're adhering to the governance of the organisation has set out. Alastair Dickson (32:52) If all that information is available within one single platform, you're confident can be your kind of one single source of truth then actually that you can start to pull all those different teams together. So audit don't need to start requesting information from the various teams, they can create their CCM platform. So again, that gives all it a much I suppose better ability to answer the questions that they need to answer for their roles without having to go and request information from all those various teams all the time. Which of course takes time, effort and actually from large organisations like this can be an incredibly expensive process as well. So actually once you get a consistent backed an evidence based set of data, how that data can be utilised by the different teams is in pilot organisation. 
So once you get security, audit, cyber and risk all utilising it, you start to put all of those teams together. In summary, we tend to start within one specific area or one specific team. Once an organisation is utilising CCM, it then starts to kind of slowly spread out into areas in those other areas and where I think we'll get to in a few years time is that you'll have all of those different teams all utilising that one set of data. Alastair Dickson (34:06) So I think that's probably where it would end up because it has the ability to meet all the requirements or meet the majority of requirements for safety, for different in terms of voices, the It teams, our whole business, but from those perspectives it gives them the ability to answer questions as well. So we'll start small and then expand its user in an organisation once we've connected the data sources, which you do from first use case actually those queries can be asked from any team so it's not a lot of additional work from an organization's perspective to expand it out into other areas. A lot of that work is done during the initial onboarding phase. Karissa (34:40) So in terms of wrapping this interview up, Al, I'd like to get your advice on from an executive perspective who are perhaps maybe on the fence about CCM because again, maybe they don't really understand it or they have some assumptions made about it. So I wanted to sort of bring you on to demystify perhaps some of the assumptions people do have about CCM. So what would be your advice to executives who are perhaps contemplating this or perhaps a little bit unsure? What would you say to them? Alastair Dickson (35:11) Yeah, it's a conversation we have quite ready actually and going back to the very first question you mentioned perceive in terms of 150 podcasts you've done the first couple of times CCM has come up we have that a lot. So we'll have a conversation with a new prospect. 
Actually the first call tends to just be a pretty open chat around what CCM is, what value it can offer their organisation and in some respects there is that kind of it's almost a little bit too good to be true. I get this one single source of truth that increases on my visibility to make a whole bunch of previous kind of manual processes. So increasing the productivity of teams offer continuous compliance. You're skewing risk posture in real time. In some respects it sounds an awful lot like a lot for one single platform to help an organisation achieve so you get a lot of scepticism but more suspicion that it can't do all that it proclaims to be able to do. Now by no means that we progress claiming that CCM is all things but for all people, not in any way at all. But it does have the ability to offer an organisation a huge amount and not able to achieve without a CCM. Alastair Dickson (36:19) It's quite unique in its approach. So what I would encourage them to do in that situation is to what we often do is kind of go, look, just pick out, say, 1015 and even five or key questions that you want answers you are unable to answer at the moment. Pose those questions to the CCN vendor and have a conversation around how those questions can be answered, no matter what it might be. If it's something you need to know you're unable to find at the moment without having to go through a lot of time and effort for yourself, your teams to answer that question, once you've answered it, you're pretty confident that information is out of date. Fire those questions over, have a conversation around how they can be achieved within your CCM platform to give you a level of confidence understanding for what you'll receive if you decide to progress forward within it. I'd also encourage organisations to speak to their peers that are utilising a CCM at the moment. 
That peer validation of course is a really important step within that kind of buying process to understand how your peers are utilising that technology. Alastair Dickson (37:21) And obviously vendors can offer kind of case studies, references are a really important step that we suggest to have an understanding of how a similar type of organisation is utilising it and the value it's offered to and the value is offered to them will help you understand what you can achieve with it internally within house. And the other thing we often say to them is give it a go, try it out. You can go through a kind of POC or POV process, pick out those kind of 510 questions I've just mentioned. You can work with your CCM vendor from a cordova perspective. We'll work out which technologies we need to connect to and actually, if we're only answering five or ten questions, it tends to be a relatively smallest number of pieces of technology we need to connect to. And then answering those questions, then you can see exactly what it would be like if it was expanded out into a wider set of use CISOs without having to make that initial that big investment into an area of technology that you might be relatively unfamiliar with. So understand, I guess, some kind of key questions, the real tricky questions that you want answered. Alastair Dickson (38:20) Don't be shy of what they might be trying to make them as complex or as challenging as they need to be discussed with your CCM vendor to understand how they will answer those questions for you and give you the assurance the information they're looking at is absolutely accurate. Speaking of peers, of course it's a key area for organisations to understand how they're doing it. You don't know anyone that's doing it. We can always offer references or case studies of similar organisations to give you that independent and unusual opinion of what can be done about it and then finally give it a go. 
Try it, try it out, ask us, do a kind of 30 day trial to get a real understanding of actually how it would work within your infrastructure, what it entails to onboard within the organisation, how you want that information visualised back to you. You can get a really, really good feel of understanding by going through a small subset of controls or risks you want to have monitored. That gives you the confidence to know that it is the right area for you to have as your investment. And what we'd always say, as a reminder, I mentioned earlier, is not another security tool, it's the ability to pull all of your security infrastructure into one consolidated platform so that utilise it as that one place where you can have all of your security information pulled into one single platform. Alastair Dickson (39:38) And I think if you go through those kind of three or four steps, hopefully you'll get a good understanding of how those questions can be best answered, how you can adhere to those controls or how you can demonstrate compliance against those regulations. Your peers will tell you. Hopefully. It's a very valuable piece of technology, and when you try it out, you get the chance to see it for yourself. So you can go through that journey to give you the confidence it's the right investment for you before you have to go and make a wider investment in the technology or in the service. Karissa (40:06) Well, thank you, Al. Thank you so much for sharing some of your thoughts, your insights on things that you're sort of seeing in the market as well. And again, demystifying a lot of assumptions people have about TM. So I just wanted to thank you for coming on. I know it is not too early where you are, but I do appreciate your time and for sharing some of your thoughts and your insights. So thanks very much for coming on the show. Alastair Dickson (40:30) Very well. Precious great it's been on. 
I hope it's been an interesting conversation for people to understand and learn more about CCM and if it might be right for their organisation. So hopefully it's been a good interest and it's certainly been enjoyable speaking to you. Thank you very much. Karissa (40:43) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit mercsec.com to connect today. Karissa (41:04) If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital.This podcast was brought to you by KBI Media, the voice of Cyber.