Jamming with Jason E48: Enterprise Security Risk Management with Toby Houchens

Many of you are familiar with ERM, but do you know ESRM?

ESRM affects the broadest spectrum of organizations, from government, corporations and NGOs, to schools and universities, to entertainment and leisure, casinos and hotels, from oil & gas giants to technology companies and multinationals. Pretty much everyone has to deal with this aspect of #riskmanagement.

In this #jammingwithjason #internalauditpodcast I’m joined by Toby Houchens, who has a diverse technical and scientific background in risk management, security, intelligence, and threat assessment. With over 11 years as a US Army Green Beret and education in neuroscience, big data technology, and international relations, Toby possesses a unique blend of experience and education.

As a critic of the siloed, traditional security approaches still favored by some law enforcement and security professionals today, Toby argues for a more comprehensive and holistic risk management view to drive security strategy and efforts. As a co-author of the enterprise security risk management (ESRM) standards and guidelines on behalf of ASIS, he is at the forefront of modern practice and thought leadership.

Toby is also an entrepreneur and is the CEO of the risk technology company Alpha Recon.

Alpha Recon is an easy-to-use risk intelligence and management technology platform for schools and workplaces. The central mission of Alpha Recon is to help clients see threats and risks proactively to better respond and manage them as they impact their important assets such as students, staff, clients, workplaces, and campuses. Alpha Recon makes an impossible job easier to accomplish with built-in risk management tools, communications, crisis management, and more, with intelligence forming the core of the value proposition.

Learn more at: https://www.alpharecon.com/

Transcript

1
00:00:01.050 –> 00:00:11.130
Jason Mefford: Welcome everybody to another episode of Jamming with Jason. Hey, today I have my friend Toby Houchens, who is the CEO of Alpha Recon.

2
00:00:11.790 –> 00:00:21.750
Jason Mefford: And today we’re going to talk about a term some of you may not have heard about, ESRM, and we’re going to get into that, but first I wanted to give Toby an opportunity to introduce himself.

3
00:00:22.200 –> 00:00:30.060
Jason Mefford: And then we’ll kind of jump into the topic and show you how this is relevant for people in internal audit risk and compliance. So, Toby. How you doing, man.

4
00:00:30.810 –> 00:00:32.460
Toby Houchens: Very good. Thanks for having me.

5
00:00:32.880 –> 00:00:46.710
Jason Mefford: Hey. You’re welcome. So, so maybe give just give people a little background on on you and your company Alpha Recon, kind of what you guys do because, you know, we’ve known each other. I don’t know what, two, three years at least.

6
00:00:46.950 –> 00:00:57.750
Jason Mefford: Right be longer Kimmy. Remember now and you guys fill a really interesting spot that I think a lot of organizations, still don’t fully grasp.

7
00:00:58.260 –> 00:01:09.510
Jason Mefford: And it’s one of the reasons why a lot of times, risk management is not as mature and evolved and collaborative in organizations as it really should be because there’s certain people that are left out. Right.

8
00:01:09.960 –> 00:01:23.730
Toby Houchens: That’s right, yeah. Yeah, a little bit about my background. So I came out of the, the military. I was in special operations. The army side and also have a background in

9
00:01:24.690 –> 00:01:40.320
Toby Houchens: Molecular biology, neuroscience, international relations, national security affairs, and so as part of my my role in over 11 years in the military, I dealt with a lot of intelligence topics, wide variety of different

10
00:01:41.400 –> 00:01:58.530
Toby Houchens: Types of missions and operations, but mainly to do with security and risk assessment and a lot of different types of environments. And so if you mix all that in a pot you start to you start to get an idea of of trying to use technology.

11
00:01:59.580 –> 00:02:11.340
Toby Houchens: To to help with some of these complicated tasks. I’m also working on a a doctorate in big data analytics. Currently, and I’ve always had a very

12
00:02:12.030 –> 00:02:27.360
Toby Houchens: You know, strong affinity towards technology solutions for security and risk management I speak about these things routinely around the world trying to find, you know, more appropriate more practical more

13
00:02:28.530 –> 00:02:45.750
Toby Houchens: Goal-oriented solutions for security and risk management, and Alpha Recon is just a risk technology company. We focus on the risk intelligence, if you will, part of things, but we also have a lot of management tools have built in. So you basically can use it to monitor, analyze

14
00:02:46.860 –> 00:02:53.610
Toby Houchens: You know, respond intelligently to some of these threats and impacts and then also be able to manage those things.

15
00:02:54.690 –> 00:03:04.290
Toby Houchens: And track your assets and and be able to run reports and communicate effectively and we do so in a wide variety of different environments.

16
00:03:04.620 –> 00:03:17.310
Toby Houchens: Currently focusing on, you know, kind of some of the school risk management areas, but we also are very useful for security companies and enterprises across a wide variety of different industries.

17
00:03:17.970 –> 00:03:25.440
Toby Houchens: And I’m also a subject matter expert in what you mentioned, ESRM, which is enterprise security risk management.

18
00:03:26.730 –> 00:03:37.920
Toby Houchens: Some people call it security risk management, Nick. They keep off the especially in Europe, but the idea is the same. And it really seems like common sense to me. But

19
00:03:38.580 –> 00:03:51.840
Toby Houchens: To a lot of people that are now starting to move forward with security risk management, but the idea of, you know, applying your, your, your security practices and operations.

20
00:03:53.220 –> 00:04:02.190
Toby Houchens: In a risk management setting and actually attaching those two organizational or corporate goals seems like common sense but

21
00:04:02.490 –> 00:04:08.040
Toby Houchens: But what you have is a as we’ll talk about here in a little bit, as you have still have the silo effect and so

22
00:04:09.210 –> 00:04:16.350
Toby Houchens: ASIS, which is the largest security education organization in the world, actually had me help them write the standards and guidelines.

23
00:04:16.800 –> 00:04:24.180
Toby Houchens: For security risk management because a lot of the security industry understands that security. It does impact risk on a day to day basis.

24
00:04:24.570 –> 00:04:31.860
Toby Houchens: And that it does have business outcomes and business impacts you know so or the impacts affect business outcomes.

25
00:04:32.370 –> 00:04:44.340
Toby Houchens: So on the security side, you’re really seeing this kind of convergence towards risk management and so we release the standards and guidelines in September at the global security exchange in Chicago.

26
00:04:44.880 –> 00:04:51.480
Toby Houchens: And it’s just an area that I find fascinating. And it’s also an area that you need technology to kind of help.

27
00:04:52.140 –> 00:05:08.880
Toby Houchens: Implement the solutions because it’s one thing to break down silos to make information and data useful and actionable and it’s an another thing to to implement it and to make that work in a culture cultural phenomenon that that works for the organization.

28
00:05:09.930 –> 00:05:18.090
Jason Mefford: Yeah, and I think is, you know, like you said, it’s it’s common sense that we should be doing this, unfortunately, it’s still not common practice just

29
00:05:18.390 –> 00:05:34.470
Jason Mefford: Talking about this. And you know, I don’t know, I’ve been on this bandwagon for 20 years on, you know, when it comes to it because maybe I’ll try to explain a little bit, you know, we’ve got the ESRM that that you guys are kind of focused on. A lot of people have heard of ERM.

30
00:05:35.520 –> 00:05:38.340
Jason Mefford: Right but but that enterprise risk management.

31
00:05:39.090 –> 00:05:49.530
Jason Mefford: But it’s really to manage risk and an organization. There’s a lot of different inputs, one of which is security, one of which is operations there can be financial there can be

32
00:05:49.950 –> 00:06:00.690
Jason Mefford: You know some of the external things as well, that all of these things are forces are things that are driving events that are about to happen or have happened right

33
00:06:01.230 –> 00:06:12.210
Jason Mefford: Right. So, especially from a military background. I mean, that’s where you came from. Right. I mean, you were monitoring from a security standpoint, what’s going on, to be able to assess risk and know

34
00:06:13.110 –> 00:06:25.740
Jason Mefford: What to expect right kind of from from that standpoint, and I see this again, you know, this is, it’s one of these areas that really has to be brought in. And this is where collaboration comes in.

35
00:06:26.340 –> 00:06:31.800
Jason Mefford: Because like you said a lot. I think a lot of times people take that very narrow view of risk management.

36
00:06:32.490 –> 00:06:50.820
Jason Mefford: To where maybe they’re only thinking about finances or they’re only thinking about operations and in, they don’t think anything else besides they’re very narrow scope would affect risk. But in fact, all of these things have an impact on everything within the organization. Right.

37
00:06:51.480 –> 00:06:52.050
Jason Mefford: That’s right.

38
00:06:52.230 –> 00:07:00.270
Toby Houchens: Yeah, and you know, on that note, I mean, if you look at the end because ESRM is most closely aligned to ERM, like ESRM is a

39
00:07:00.690 –> 00:07:17.220
Toby Houchens: Is a topic that risk professionals can understand and appreciate and have some you know affinity with, and ERM itself has evolved over the years, and what ERM was in 2001 is a lot different than you know what it is now. And you’ve had a couple of financial crises.

40
00:07:17.910 –> 00:07:21.150
Jason Mefford: And I was gonna say that’s what happens when you go through global financial crisis, right.

41
00:07:21.180 –> 00:07:33.360
Toby Houchens: Right, right. When you have a crisis, you know, typically, everybody’s wondering well what did we do wrong. What kind of due diligence that we have done what kind of standards and guidelines and so then you have the the COSO, and you know the the different types of

42
00:07:34.890 –> 00:07:42.390
Toby Houchens: frameworks that are that are out there that that help to provide a model. Sometimes there’s maturity models associated with that but

43
00:07:42.720 –> 00:07:51.690
Toby Houchens: But the idea of ERM is just simply all risks as it relates to the business and for the for the betterment of that business and, you know, being able to early

44
00:07:52.110 –> 00:08:03.060
Toby Houchens: You know, identify these these risks early being able to assimilate them report them. And then, you know, apply whatever controls, mitigations, management, removal, you know, whatever you want to do to those risks and

45
00:08:03.570 –> 00:08:16.020
Toby Houchens: And and so, ERM is fairly well established. If, if not a little bit you know debated as far as what it entails. I mean, how much of it is governance, how much of it is operational you know how much of it is day to day

46
00:08:16.440 –> 00:08:25.650
Toby Houchens: How much of is it just a C-level type of reporting function but but the, you know, some of the one of the major limitations of ERM on its own is that it kind of lives in a

47
00:08:26.310 –> 00:08:31.290
Toby Houchens: In some tower, you know, in an office somewhere and you get, you have these

48
00:08:31.740 –> 00:08:37.170
Toby Houchens: Risk professionals that are basically looking at data that they have access to, and usually it fits into a model.

49
00:08:37.530 –> 00:08:46.980
Toby Houchens: You know, whatever. Some simulation or financial asset model that they’ve created or risk model for certain types of threats and they run the numbers you know that they have

50
00:08:47.790 –> 00:08:53.310
Toby Houchens: Through these models and come up with an output. And then they deliver this to the stakeholders and they make decisions based on that.

51
00:08:53.940 –> 00:08:57.870
Toby Houchens: So that’s great. But unfortunately, there’s a lot of other impacts.

52
00:08:58.530 –> 00:09:08.070
Toby Houchens: That would impact those models that are maybe not in there. And by the time you work through one of these, you know, simulations, or do the one of these big data analytics operations.

53
00:09:08.430 –> 00:09:15.900
Toby Houchens: You know some of the underlying assumptions and some of that data is changed, you’re missing data you’re missing impacts and that’s where security.

54
00:09:16.650 –> 00:09:24.630
Toby Houchens: Really comes into play because you’re looking at external impacts environmental impacts you know that impacted day to day operations.

55
00:09:25.050 –> 00:09:35.640
Toby Houchens: And so those organizations that have security siloed off and you’ve got one person doing mobility risk and another doing cyber and another human risk, physical risk, you know,

56
00:09:36.780 –> 00:09:44.880
Toby Houchens: You know production risk. You know, you look at all these different you know types of risk in that are in the potential in the security purview.

57
00:09:45.420 –> 00:09:53.820
Toby Houchens: And if you’re not collecting, you know, information and turning that into intelligence that are going to kind of impact those those risk.

58
00:09:54.150 –> 00:10:02.940
Toby Houchens: Kind of that risk understanding and and what that risk reporting, you’re really doing a disservice. And with the technology that we have today.

59
00:10:03.570 –> 00:10:15.420
Toby Houchens: There’s no reason why we can’t be monitoring threats as they overlap across different silos and as they impact the business. I mean technology’s evolved to the point where you can start getting closer to those sources.

60
00:10:15.960 –> 00:10:30.270
Toby Houchens: Receiving more sources more sensors, bringing that in so that you can have a more intelligent decision making capability than just sitting some kind of analytical framework on top of existing data that’s been, you know, sitting there for a while.

61
00:10:30.720 –> 00:10:37.920
Jason Mefford: Yeah, no, I think, you know, from what from what you said there were a couple of really important points, I think, to kind of just summarize that we can maybe go down on

62
00:10:39.060 –> 00:10:46.020
Jason Mefford: Because I think you know like you were talking about kind of this, the traditional ERM model, right, is we

63
00:10:46.560 –> 00:10:53.550
Jason Mefford: We gather some data we create some kind of model we come up with a point in time risk assessment.

64
00:10:54.270 –> 00:11:02.520
Jason Mefford: That we then usually use for, you know, a year, let’s say, because that’s kind of been the historical thing right we do an annual risk assessment.

65
00:11:03.090 –> 00:11:18.540
Jason Mefford: based on historical data and then we’re making decisions. But, you know, the point is, like you said, with technology with some of the changes that are going on, we can actually receive and get some of this data quicker. Right.

66
00:11:19.020 –> 00:11:26.640
Jason Mefford: Right, and we should move from more of a point in time assessment to more of a continual assessment, but

67
00:11:27.270 –> 00:11:34.140
Jason Mefford: But here comes the problem, right, is we’re overblown with data, right, you’re doing a lot of stuff with big data too, right?

68
00:11:34.860 –> 00:11:44.520
Jason Mefford: But data is not intelligence. So maybe we should spend just a minute on on talking about the difference between data.

69
00:11:44.880 –> 00:12:02.490
Jason Mefford: Versus intelligence because one of the things that I think is really cool what you guys do is you take that data and you create intelligence real time intelligence for people so that they can make decisions, especially when a security issue happens. Right, right.

70
00:12:02.550 –> 00:12:14.280
Toby Houchens: And and that’s an important distinction and people that are in the intelligence community or the security assessment reader and even some people in the risk modeling, you know, community, understand the difference between data and intelligence.

71
00:12:15.600 –> 00:12:18.210
Toby Houchens: But, but just for the purposes of the audience.

72
00:12:19.590 –> 00:12:28.320
Toby Houchens: Data is just what it is. It’s either you get some information you have a source that you know that came in some kind of a tidbit.

73
00:12:28.800 –> 00:12:41.310
Toby Houchens: Of data that’s come in intelligence is basically the you know what you have now done with that data to make it meaningful to the end user or to some kind of

74
00:12:42.300 –> 00:12:53.820
Toby Houchens: For some kind of goal intelligence usually has a requirements to begin with. Sometimes you don’t know what that requirement is exactly but you at least know hey I need to know these types of things and

75
00:12:54.330 –> 00:13:03.180
Toby Houchens: And that understanding and using that data to help with that understanding, you know, kind of turns that into intelligence, whether it be in the form of risk ratings.

76
00:13:03.510 –> 00:13:11.430
Toby Houchens: Whether it be in the form of kind of an analysis or whether it be trends predictive analytics, you know, these types of things. So

77
00:13:11.850 –> 00:13:18.150
Toby Houchens: So big data, you know, typically you know historically has rested on existing data sets that are there, you can find some trends.

78
00:13:18.450 –> 00:13:28.620
Toby Houchens: You can do some backwards, you know, kind of analysis on this, and even project, you know, given no historical data. But if you’re not updating that routinely

79
00:13:29.130 –> 00:13:39.870
Toby Houchens: And you’re missing a lot of impacts or other data sets that you’re just either missing because you don’t know that they exist. You don’t know that they’re part of the equation or the impact you don’t have access to them.

80
00:13:40.830 –> 00:13:49.590
Toby Houchens: You know, you come sometimes can have this false sense of comfort, you know, with some of the findings in a big data exercise and so

81
00:13:50.190 –> 00:13:58.920
Toby Houchens: When you talk about business intelligence of the future, you’re really starting to look at near real time impacts because there’s one thing to look at long term trends.

82
00:13:59.310 –> 00:14:09.990
Toby Houchens: And to be able to find some value there and you can, and this is not dissuading anybody from from running big data operations but but being able to now take some of those acute.

83
00:14:10.260 –> 00:14:11.010
Jason Mefford: Impacts

84
00:14:11.430 –> 00:14:19.770
Toby Houchens: Being able to look at multiple threads looking at how they overlap, how they impact different aspects of your business. Now that’s the real difficult part

85
00:14:20.160 –> 00:14:32.730
Toby Houchens: And so we try to help with that that process, but by making it easy by taking all aspects of the intelligence process data in analyze analysis and characterization, you know,

86
00:14:33.570 –> 00:14:40.440
Toby Houchens: Output in the form of analytics answering specific questions decision making support know those types of things.

87
00:14:40.800 –> 00:14:49.350
Toby Houchens: And we do that we help to do that for the for the client, because unless you have an army of analysts, unless you’re a bank, you’re a government or law enforcement.

88
00:14:49.650 –> 00:14:56.610
Toby Houchens: You know, you don’t really have a bunch of analysts sitting around, you know, doing stuff for you so you, you really need to find

89
00:14:57.210 –> 00:15:04.950
Toby Houchens: Software and technology capabilities that can at least do do some of that for you. But you’re right, you know, understanding

90
00:15:05.400 –> 00:15:18.870
Toby Houchens: The difference between information and intelligence is important because from a cost effectiveness standpoint, I mean if you’re sitting there with an army of analysts crunching numbers and doing analytics and trying to create intelligence, whether it be reports analytics or otherwise.

91
00:15:20.160 –> 00:15:28.920
Toby Houchens: You know, at the end of the day, is it worth the squeeze the money that you’re spending on, you know, creating these these reports and these insights

92
00:15:29.460 –> 00:15:35.580
Toby Houchens: Is that worth what you’re getting are the insights that you’re getting is the value to the company worth it. So that’s why you have to move to more of a

93
00:15:36.270 –> 00:15:42.540
Toby Houchens: Hey, knowing upfront. What is important. What are those sources. What is that information I need, what kind of intelligence do I need

94
00:15:43.140 –> 00:16:00.270
Toby Houchens: And then being able to take that data in in a more dynamic way as opposed to doing these static quarterly annual types of, you know, kind of, you know, real quick glimpses in a in a time capsule of what that exposure is

95
00:16:01.320 –> 00:16:10.950
Toby Houchens: What we’re moving towards a period in technology where, you know, everything is a lot of thing decisions are going to be driven by machine learning and AI.

96
00:16:11.490 –> 00:16:19.230
Toby Houchens: And and being able to have that advantage and have the advantage of no data that’s coming in on a regular basis.

97
00:16:19.590 –> 00:16:24.030
Toby Houchens: That’s targeted that’s going to help answer some of those intelligence requirements. It’s going to make those

98
00:16:24.450 –> 00:16:34.500
Toby Houchens: Those companies that are, you know, leveraging that technology, a lot more successful. They’re going to be limiting their losses, they’re going to be finding opportunities that aren’t seeing, they’re going to be creating efficiencies.

99
00:16:35.250 –> 00:16:44.550
Toby Houchens: The list goes on finding little of, you know, opera, whether it be operational gains or whether it be for your market gains.

100
00:16:44.910 –> 00:16:51.540
Toby Houchens: Whether it be, you know, being able to see creating a culture that’s more efficient, being able to collect information that’s more acute.

101
00:16:51.870 –> 00:17:00.420
Toby Houchens: That would have impacts on the bottom line of that company. You know those types of companies are leveraging technology to do that are going to be much more successful.

102
00:17:00.750 –> 00:17:10.890
Toby Houchens: And are going to rise to the top. Whereas people that are kind of in companies that are stabbing in the dark, if you will, or using what I would call a breathe your own exhaust

103
00:17:12.330 –> 00:17:22.440
Toby Houchens: You know risk model like where you’re just taking data that’s there and, you know, not taking all of the other impacts into account the day to day impacts that impact your business.

104
00:17:23.490 –> 00:17:30.390
Toby Houchens: You know you’re you really are in some ways, breathing your own exhaust. There’s some insights that can be gained from it but but the future is moving towards

105
00:17:30.870 –> 00:17:39.450
Toby Houchens: You know, dynamic risk management dynamic decision making capabilities and you’re either going to be ready for that, or you’re not.

106
00:17:40.350 –> 00:17:46.560
Jason Mefford: Well, I think that’s, that’s one of the really cool things that I think you guys do is you know that you that you brought up from before as

107
00:17:46.950 –> 00:17:59.160
Jason Mefford: I like that analogy of breathing your own exhaust because, you know, you can do that for a while, but then you’re going to end up passing out you know from carbon monoxide. But, but the

108
00:18:00.180 –> 00:18:12.720
Jason Mefford: You know, the, the point is that so much of risk management is done only using internal data and only the intelligence within the organization. I don’t see as many companies actually looking outside

109
00:18:13.680 –> 00:18:23.940
Jason Mefford: Because like you said you know they’re they’re trying to run and analyze the data they have the problem is they don’t have some of the data that will also impact them.

110
00:18:24.600 –> 00:18:32.100
Jason Mefford: You know, which is where you know companies like you kind of come in to help out because there’s there’s just certain information.

111
00:18:32.700 –> 00:18:37.260
Jason Mefford: That you’re that you’re not going to have, you know, if you’re like you said, if you’re the military, if you’re

112
00:18:37.620 –> 00:18:42.720
Jason Mefford: You know, law enforcement, you get a whole bunch of information when it, when it comes to security.

113
00:18:43.110 –> 00:18:51.480
Jason Mefford: But, but the regular companies don’t and even, you know, large multinational companies don’t have some of that information and so

114
00:18:52.170 –> 00:19:01.710
Jason Mefford: If they’re trying to assess risk in their silo just with internal data they’re never going to see some of these external things coming

115
00:19:02.130 –> 00:19:13.410
Jason Mefford: That everybody else can see who has access to the data, you know, like you said, if, if you’ve got access to more of that, you know, dynamic instead of static data.

116
00:19:13.950 –> 00:19:20.250
Jason Mefford: You’re going to be able to win, where the static folks are going to be left wondering, you know, kind of sitting on their hands going

117
00:19:20.730 –> 00:19:30.480
Jason Mefford: What do you mean, I never could have expected this, you know, whenever I say that it reminds me of the 2008 financial crisis and I don’t know how many people I heard say

118
00:19:30.900 –> 00:19:44.670
Jason Mefford: I never saw this coming. It was a perfect storm and it’s like, are you kidding me, all the people that were looking at the dynamic data and were modeling the future being different based on what they’re starting to see. There were a lot of people that saw it coming.

119
00:19:45.480 –> 00:19:52.500
Toby Houchens: That’s right, yeah and and there’s a, you know, and that’s that’s part of it. It’s more than just governance and compliance checking the block.

120
00:19:52.980 –> 00:20:00.720
Toby Houchens: Those are important functions and there’s risk involved with that. And then you have to be monitoring that and you have to make sure that you’re, you’re minding your P’s and Q’s there so

121
00:20:01.140 –> 00:20:07.800
Toby Houchens: So there are there are those, you know, internal metrics that have to be monitored and have to be modeled. And that’s part of it.

122
00:20:08.100 –> 00:20:15.960
Toby Houchens: But it’s not the whole thing. And so what you’re finding is the skill sets and the expertise required for risk officers are changing.

123
00:20:16.590 –> 00:20:27.360
Toby Houchens: And you have to be more than just a financial asset you know expert or you have to be more than just somebody that’s an expert in governance and compliance and

124
00:20:27.810 –> 00:20:36.990
Toby Houchens: Now you’re starting to have to have some intelligence capabilities as well. If you’re going to really thrive in the future. I mean, if you look at some x. For example, perfect.

125
00:20:37.650 –> 00:20:44.850
Toby Houchens: Example, they actually hired former intelligence experts to run their risk outfit.

126
00:20:45.780 –> 00:20:53.220
Toby Houchens: And there’s a reason for that. And if you look at their numbers. You look at how they how well they’ve done you know they’ve they’ve done very well in a very high threat.

127
00:20:53.970 –> 00:21:03.840
Toby Houchens: Environment and you don’t do that unless you have really solid intelligence about those threats, they’ve really got a great integration with their security teams.

128
00:21:04.200 –> 00:21:22.140
Toby Houchens: And and security can provide that. I mean, in some ways, your security gets you out of that silo. It gets you out of that that you know that basements, you know, crunching you know numbers and you know it helps you to really understand what the threats are externally.

129
00:21:23.460 –> 00:21:27.750
Toby Houchens: How they’re changing how they’re impacting organization that threats from within.

130
00:21:28.380 –> 00:21:36.780
Toby Houchens: But there’s a lot of security functions across the board that have daily impacts on that company’s risk. I mean, you just look at human risk by itself.

131
00:21:37.140 –> 00:21:41.310
Toby Houchens: I mean, this is something that security touches every single day, whether it be during

132
00:21:41.760 –> 00:21:51.390
Toby Houchens: Hiring, whether it be during just picking up indications that there’s, you know, a problem cultural issues you know training issues talent issues.

133
00:21:51.780 –> 00:21:55.290
Toby Houchens: You know, there’s a lot of data that just gets left on the bone.

134
00:21:55.710 –> 00:22:06.090
Toby Houchens: That could have serious consequences, you know, for an organization. If you’re not monitoring these things. And so not leveraging your security team and in your security operations as a collection

135
00:22:06.660 –> 00:22:15.150
Toby Houchens: Is just, you know, it just doesn’t make any sense. Honestly, and if you’re just leaving all that data there and you’re not even trying to get gather it you really are.

136
00:22:15.540 –> 00:22:20.400
Toby Houchens: You know, living in a bubble and and what the insights that you come up with

137
00:22:20.970 –> 00:22:30.120
Toby Houchens: You know, and in some cases, they’re not going to be earth shattering and and not overly helpful, you know, to the leadership of the of the organization, you know, and so and that’s another thing about

138
00:22:30.780 –> 00:22:37.590
Toby Houchens: You know, security and risk and the convergence of that in security, you see now, at least on the security side.

139
00:22:37.980 –> 00:22:48.270
Toby Houchens: They understand now more than ever that what they’re doing on a day to day basis impacts the company and is becoming a risk management problem and it’s becoming something that has to

140
00:22:48.780 –> 00:22:55.530
Toby Houchens: Dovetail with risk management on the risk side, we’re starting to see that slowly, you know, you have these ERM

141
00:22:56.130 –> 00:23:00.570
Toby Houchens: Conventions and ERM is starting to move forward in a, I think a positive way.

142
00:23:01.380 –> 00:23:13.320
Toby Houchens: But you still now need to connect the dots here completely across the organization and and stop living in a risk management silo. And I think that’s what ESRM seeks to do

143
00:23:13.800 –> 00:23:22.140
Toby Houchens: Is to start breaking down the silos that you, you start getting that intelligence, you start building that culture across the organization which is really nice.

144
00:23:23.070 –> 00:23:34.590
Jason Mefford: Well, and it is because I think, you know, again, that’s there has to be that collaboration and cooperation across all these groups, right, because again, if it’s not, then you’re

145
00:23:35.370 –> 00:23:42.120
Jason Mefford: Excuse me. You’re making decisions, you know, and I’m just making up numbers here. But let’s say there’s you know 10 or 12

146
00:23:42.510 –> 00:23:55.710
Jason Mefford: Different groups that you should be using and kind of collecting information from and getting their input and if you’re only, you know, if you’ve got 10 but you’re only listening to seven of those people

147
00:23:56.700 –> 00:24:08.040
Jason Mefford: Then when something goes wrong, what I’ve seen a lot of times, is you’re like again. Well, how could this have happened. We’ve we talked to these seven people and the other three people are like, well, if you would have asked us, we saw this

148
00:24:08.160 –> 00:24:15.840
Jason Mefford: coming six months ago, but nobody asked us, and so, you know, I think this is why it’s so important to get that discussion out there and

149
00:24:16.200 –> 00:24:29.100
Jason Mefford: It’s going to be different for every organization. But all of these different people that you need the input from you need to get their input and invite them to the table because those 10 heads are going to be better than the seven

150
00:24:29.670 –> 00:24:30.960
Toby Houchens: Right there’s context.

151
00:24:31.050 –> 00:24:42.660
Jason Mefford: That yeah there’s the context to it because in this is where without having all those different perspectives. It’s hard to see the true picture of what’s really going on.

152
00:24:43.350 –> 00:24:58.560
Jason Mefford: Right and and and that’s, again, you know, for a lot of smart people that are experts subject matter experts in their area. Sometimes they have a hard time realizing or admitting that other people’s perspective is also valid.

153
00:24:59.760 –> 00:25:14.130
Jason Mefford: And it is, man. I mean, if we don’t, especially as as connected and interconnected as the world is today, if you’re not thinking about that you’re going to miss some some really big things come along.

154
00:25:14.850 –> 00:25:22.680
Toby Houchens: Yeah. And you see that with school safety and security right now. And the problem there is different in the sense that

155
00:25:23.370 –> 00:25:28.050
Toby Houchens: Historically, they haven’t been looking at this as a risk management problem and it is a risk management problem.

156
00:25:28.560 –> 00:25:37.620
Toby Houchens: You know, adding guards metal detectors cameras. These are all you know preventative reactionary, you know, types of measures.

157
00:25:38.280 –> 00:25:49.140
Toby Houchens: But in almost all of these major events that have happened you know 70 over 70% of them. There have been indicators. They’ve there’s been a cry for help. There’s been some kind of

158
00:25:49.650 –> 00:26:00.360
Toby Houchens: On social media, there’s been a conversation with a co worker with a another schoolmate there’s been problems at home. There’s been plenty of flags and indicators as to why there was a problem and

159
00:26:00.930 –> 00:26:08.940
Toby Houchens: And that’s the idea. If you’re not looking at the intelligence. If you’re not looking at the indicators, the leading indicators, you’re not leveraging the whole organization to work together.

160
00:26:09.390 –> 00:26:16.860
Toby Houchens: You can have all the walls. The metal detectors, the high speed cameras that detects motion it track people

161
00:26:17.460 –> 00:26:27.360
Toby Houchens: It’s just not going to, you know, lower the incidence, you know, demonstrably and it’s and so that’s why we, you know, at Alpha Recon we’re, we’re trying to help an education process to

162
00:26:27.870 –> 00:26:32.670
Toby Houchens: We had schools to start thinking about, you know, school safety and security through a risk management lens.

163
00:26:33.060 –> 00:26:46.530
Toby Houchens: So that you can start seeing exposure where those exposures are happening, what are those early indicators of risk and and how do you, how can you start to proactively you know address those risks as opposed to waiting for something to happen.

164
00:26:47.790 –> 00:26:57.150
Toby Houchens: So, and this obviously carries forth to almost any organization that there is. And so typically you’ll see a problem of either too much security focus

165
00:26:57.390 –> 00:26:58.470
Toby Houchens: And no risk management.

166
00:26:58.980 –> 00:27:10.770
Toby Houchens: Or you’ll have too much risk management and nobody cares about the day to day security impacts the culture and those those dynamic threats that are going to eat your lunch if you’re not

167
00:27:12.060 –> 00:27:13.140
Toby Houchens: If you’re not careful.

168
00:27:13.260 –> 00:27:21.120
Jason Mefford: Well, and I think it’s, you know, we we’re about out of time for today because we, I could go off on this whole other tangent right now too, but I think

169
00:27:21.690 –> 00:27:27.600
Jason Mefford: You know your your example of the schools, and I think this is something you know that most everybody

170
00:27:28.080 –> 00:27:36.630
Jason Mefford: Can relate to right because either you have kids or, you know, had kids or whatever. And so in you, you went to school yourself right but I think

171
00:27:36.930 –> 00:27:45.390
Jason Mefford: I think what we’re seeing kind of in in that space is also a mistake that we’re seeing in the corporate space. And this is what I mean is,

172
00:27:46.140 –> 00:27:59.400
Jason Mefford: There’s a school shooting that happens. And so the first knee jerk reaction is we got to put up a fence. We got to have an armed guard. We got to put in metal detectors. We got to do all this kind of stuff.

173
00:27:59.970 –> 00:28:07.590
Jason Mefford: There’s a whole bunch of spending up front, without really thinking about. First off, the return on investment for

174
00:28:07.650 –> 00:28:08.910
Toby Houchens: Exactly right.

175
00:28:09.090 –> 00:28:24.300
Jason Mefford: And and the negative side of it as well and here’s here’s where I’m going with this, too, is when when I was in high school. We had a brand new high school built, you know, and so we were so excited because we got to be the first class that went into this new high school

176
00:28:25.500 –> 00:28:32.400
Jason Mefford: But to look at the building. It was just a big building with these really tiny narrow windows and it looked like a prison.

177
00:28:32.790 –> 00:28:33.180
Toby Houchens: Right.

178
00:28:33.300 –> 00:28:39.960
Jason Mefford: And so we used to joke like we were going to prison. Well, we didn’t even have a big old fence around us. But, you know,

179
00:28:40.620 –> 00:28:47.370
Jason Mefford: Assume now to, you know, these kids are going to school all in a place that looks like a prison. Sometimes

180
00:28:47.880 –> 00:28:56.460
Jason Mefford: That has to have an effect on your child’s learning as well. And just like you brought up you know 70% of the time. Plus, there’s

181
00:28:56.820 –> 00:29:15.600
Jason Mefford: There’s some other indicators, there’s some other things that if we would have spent the time and effort and money there probably could have avoided it instead of just trying to protect once the event has happened. And so you just like that we see so many companies that spend

182
00:29:16.710 –> 00:29:21.090
Jason Mefford: Shit ton comes to mind of money on the

183
00:29:23.010 –> 00:29:30.900
Jason Mefford: Reactive or side of it after the event has happened with very little spend or effort on the proactive side.

184
00:29:31.500 –> 00:29:36.030
Jason Mefford: And that’s where we’ve got to get to. That’s, that’s what you guys are trying to help people get to, that’s what

185
00:29:36.480 –> 00:29:43.770
Jason Mefford: The RC SRM movement is trying to help. We’ll get to, as well as hey you know what if, if we’re proactive if we

186
00:29:44.280 –> 00:29:54.270
Jason Mefford: You know, in this instance, you know, give counseling to this kid or whoever this employee that so so that instead they never get to that point where some sort of a security.

187
00:29:54.690 –> 00:30:01.110
Jason Mefford: incident happens we catch it, we fix it before it ever gets there. We don’t have to rely on that other stuff in the back.

188
00:30:01.770 –> 00:30:08.040
Toby Houchens: Yeah. And then the last thing I’ll say about this is, that’s the other part of this is the optimization, you know. So now when you’re

189
00:30:08.070 –> 00:30:10.500
Toby Houchens: When you’re intelligence driven you’re data driven

190
00:30:11.190 –> 00:30:20.850
Toby Houchens: You’re now able to make those decisions that are going to have the maximum ROI and maximum impact and in some cases, save money. You know, it’s just like ERM

191
00:30:21.240 –> 00:30:29.670
Toby Houchens: You know, you’re looking at where you need to have that risk management spend. Same thing with ESRM. How do you optimize that security which which is going to have the best impact.

192
00:30:30.000 –> 00:30:38.340
Toby Houchens: And when you start using actual data to support that incidents events exposure you know metrics, you know, now you can really

193
00:30:38.850 –> 00:30:47.250
Toby Houchens: Measure the impact of what your security and risk team is doing and how that’s instead of just looking at profit and loss which is this one.

194
00:30:47.730 –> 00:31:01.410
Toby Houchens: Master. Now you can actually see changes and exposure changes and spend optimization of spend so that’s the other you know benefit of looking at things and having it with having intelligence as the core that is

195
00:31:02.460 –> 00:31:08.370
Jason Mefford: It is so I’m glad you came on, so we could talk about this because I think you know again for everybody listening.

196
00:31:09.990 –> 00:31:18.000
Jason Mefford: You know, whatever you’re doing, whether you’re an auditor, whether you’re in risk management, whether you’re in compliance, whether you’re in security or operations, whatever.

197
00:31:18.720 –> 00:31:34.950
Jason Mefford: We got to start working better together and start bringing in these different perspectives, because that’s how we’re going to be able to get that intelligence and make these better risk decisions for the entire company. Right. You know, again, that are linked back to

198
00:31:36.240 –> 00:31:44.310
Jason Mefford: What really matters for the organization and what it needs to be able to succeed, right, what it has to do right

199
00:31:44.820 –> 00:32:04.470
Jason Mefford: And what if it goes wrong becomes a very big deal for us and focus on those those areas. And we’ve been talking about and kind of the niche where you guys play really helps with that in organizations now now we just need to get it from being common sense to common practice right

200
00:32:04.560 –> 00:32:04.920
Toby Houchens: Right.

201
00:32:05.220 –> 00:32:06.750
Toby Houchens: And then technology can help that.

202
00:32:07.860 –> 00:32:14.730
Toby Houchens: Yeah, and we’re working on it. And I think there’s a lot of things that are happening on the technology side. And there’s been some improvements made

203
00:32:15.180 –> 00:32:25.170
Toby Houchens: Both in you know theory and practice. So we’re getting there. It’s just, you know, going to take a lot more education a lot more data points a lot more success metrics.

204
00:32:25.530 –> 00:32:30.900
Toby Houchens: For people to start looking at this and saying, oh, this does have an impact on my business. This can positively impact us

205
00:32:31.590 –> 00:32:44.070
Toby Houchens: So once you start to get more historical data points that that that show the positive impact. I think you’ll see a larger movement towards those more comprehensive holistic

206
00:32:45.090 –> 00:32:47.070
Toby Houchens: Risk management programs so

207
00:32:47.550 –> 00:32:50.250
Jason Mefford: Yeah, I think we’re very, very, very close. From a technology side.

208
00:32:52.110 –> 00:32:57.240
Jason Mefford: Well, Toby. Thanks for thanks for coming on today. As always enjoy talking to you and

209
00:32:58.020 –> 00:33:03.120
Jason Mefford: Kind of hearing about and trying to spread the message that I know both of us have been trying to spread for a long time, we just

210
00:33:03.690 –> 00:33:17.220
Jason Mefford: Again, everybody that’s listening. Let’s not make this just common sense. But let’s start making this common practice in your organizations because thinking about it with no doing doesn’t help anybody in fact that probably hurt you more.

211
00:33:18.300 –> 00:33:28.590
Jason Mefford: So reach out to other people in your organization, go find your security people because they have a big, big impact on risk management as well in the organization. So

212
00:33:30.480 –> 00:33:33.810
Jason Mefford: With that, thanks. Toby, and I think it’s probably

213
00:33:34.920 –> 00:33:43.800
Toby Houchens: Probably time for us to to sign off. Alright. Thanks for having me. Jason and people can find out more on our website, if they’re interested in our technology.

214
00:33:44.010 –> 00:33:46.980
Jason Mefford: Yeah, and it’s alpha, alpharecon.com, I believe, right?

215
00:33:47.310 –> 00:33:58.200
Toby Houchens: That’s right. Yep. And we have educational events and there’s there’s various engagements that we, that we have and we do have content and blog content that we

216
00:33:58.770 –> 00:34:07.200
Toby Houchens: That we share to kind of help with some of that practical implementation. So a lot of that’s going to be, you know, coming forward this year in 2020

217
00:34:07.830 –> 00:34:22.800
Toby Houchens: Moving beyond the theory of this sounds great, or you should do this or you should think about these things to okay how do I implement this, how do I actually, you know what information do I need, how can security help, you know, how does this inter, interweave

218
00:34:24.030 –> 00:34:37.260
Toby Houchens: Know what are some best practices, we can use. What are some maturity. What does a maturity model look like that. So I know I’m on the right track. So there’s going to be a lot of that content coming out to help people implement these things.

219
00:34:37.500 –> 00:34:52.860
Jason Mefford: Well, good. Yeah, lots of good content. So I’ll make sure and link that up in the show notes for everybody so you can click on that and head over and get some of those resources. So with that we’ll catch everybody on the next episode of Jamming with Jason. So yeah, okay.

220
00:34:53.130 –> 00:34:53.820
Toby Houchens: See you later, everybody.
