Cybersecurity in Finance: Understanding Third-Party Risk Management

There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.

Isaac Heller: Hey everyone, this is Isaac. I'm CEO at Trullion. And today on AI, Accounting Intelligence, we'll be talking with real people about real things related to AI and the impact on the accounting industry. Stay tuned. Welcome, everyone. Today, video, audio.

Isaac Heller: This is the Accounting Intelligence podcast, AI. We're really bringing you interesting [00:00:30] and fun facts to make you a better CPA, finance professional, all these things.

Isaac Heller: So I'm Isaac Heller, CEO of Trullion. I'm really excited today. Demi, it's good to see you.

Demi Ben-Ari: Hello, Isaac. Pleasure to be here. Thank you for inviting me.

Isaac Heller: Likewise. So we're going to jump into a lot today. But before we do, Demi, just a little bit on a professional level: who are you? Your title, your experience, all that. Sure.

Demi Ben-Ari: Thank you. So, I would start really, really far away. I came to Israel actually when I [00:01:00] was seven. I grew up in Georgia, the country, not the state. And when I came here, I started learning through school, etc., and then, like most of the people in Israel, I went to the military, with a bit of a different flavor, going into the technology space. And I went to what's so called the Mamram course, the elite programming course of the Israeli IDF. And I served in the Israeli Air Force for around eight years there. I actually developed [00:01:30] near real-time platforms, a missile defense system, and I was a software engineer and then a team lead. And then afterwards I shifted to a role that is a bit more, I would say, broad, helping in the space of open source Java and supporting around 250, 300 developers all across the unit. Left the military, and with my wife, actually, we were engaged back then, and traveled in South America like most Israelis do, but at a later stage, for six months. [00:02:00] And when I came back, I started working at a company called Windward. Basically what I did with missiles in the Israeli Air Force, I did with ships. When I left the military, it was maritime analytics. I started working more in big data technologies, more of the expansion of the cloud, DevOps, automation, stuff like that. And around almost a decade ago, I hooked up again with both of my co-founders, and we served in the Israeli Air Force together for an [00:02:30] extensive, like, ten years. And then afterwards, we founded Panorays back in 2016. And the space in which we operate is basically what we call TPCRM, third party cybersecurity risk management.

Isaac Heller: Okay.

Demi Ben-Ari: And it goes, I know it sounds like, wow, okay. But basically speaking, it conducts real business processes that happen today between any company in the world, from the smallest to the biggest, with all of its third party relationships, meaning it can be [00:03:00] vendors, it can be subsidiary companies, it can be customers in the financial space, banks, really large financial institutions, etc. The whole know-your-customer space is really, really important for both ends of the engagement, anti-money laundering and stuff like that. So all of these business processes are conducted in a platform that we've created, and we took all of the practices that actually exist in the world and, I would say, put that in software, put that on the cloud, and [00:03:30] started automating as much as possible of the human-intensive processes to build cyber trust between all third party relationships, both buyers and sellers. If I try to oversimplify that and not really deep dive into the technology itself.

Isaac Heller: We're going to deep dive. And I'll say that we at Trullion have procured software, and that person has given us a Panorays portal, right, to make sure that everything is exactly secure. So we're very familiar with that.

Demi Ben-Ari: So that space is exactly [00:04:00] what we provide as value to the sellers, okay. Because again, we're engaging in business relationships, all of that back and forth. Me onboarding you, okay, Trullion, as a company that provides a service to my company, touches my internal data, internal systems, etc., is more of an operational business risk, not only a cybersecurity risk. The cybersecurity threat is the one that is imposed on the business operations side. Okay, okay. And I'll give you an example in a different space, [00:04:30] automotive. Okay. Think of it, that right now at this point, Toyota, okay. Let's take it, automotive.

Isaac Heller: By the way, I have a Corolla. I love my Corolla.

Demi Ben-Ari: I have a lower tier, even, Toyota. I love them also, hybrid, etc., and it helps the world. And eventually, think of it that it's a manufacturing company, if you look at it on the operational space. Think of one of their possible vendors, a screw company. Yeah. Okay. And what happens if that screw company [00:05:00] gets breached and they can't provide screws for the assembly line? Assembly line down. It's a cybersecurity threat that materialized and happened. And right now they can't make cars. So their business is immediately hurt. And it's tens of millions for every hour that actually passes while they can't operate and manufacture cars. Okay. Right. So it is really highly connected today in the larger supply chain world, so call it. Okay. [00:05:30] Especially in the financial space, the whole thing of financial audit is really well known, right? Yep. I checked Dun & Bradstreet, Moody's, all of these financial scoring companies, so that I can operate with you and start working together without you going bankrupt or stuff like that. Right. Right.

Isaac Heller: There's a score. There's a risk score.

Demi Ben-Ari: Exactly. So it's another portion that we do have in the product that does that in an objective view and provides ratings on companies, but on their cybersecurity posture rather [00:06:00] than only their financial posture. Okay. And this is how it actually combines into the whole space, I would say, of any audit possible, both in the financial space and the world of TPRM, third party risk management, that is dismantled into smaller domains, risk domains. Financial is really a substantial one of them today when you start engaging with a business. And cybersecurity became a predominant one in the last two decades. And right now, all procurement people, okay, if we say it in a broader [00:06:30] way, engage with cybersecurity questionnaires from both ends, right? They need to send them out because they have to follow regulations and many standards that incorporate that third party portion in cybersecurity. And also you as a seller, even us as a seller, with any large enterprise or even, you know, the smallest companies that need to follow their SOC 2 attestation, or maybe hold an ISO 27001 certificate, right? They need to follow that whole third party relationship space of engagement [00:07:00] for both buying and selling stuff.

Isaac Heller: Interesting. So I'm getting excited. I'm getting inspired. We've got a lot to unpack. Um, you know, if you're listening and not watching, Demi's got this great shirt on, right? That's Panorays. I'll say P-A-N-O-R-A-Y-S. And, as mentioned, being CTO, co-founder of Panorays, we're sitting in Tel Aviv, as you mentioned. And Panorays is one of the most exciting and coolest cybersecurity [00:07:30] startups in the country. And you can actually, when you drive up the highway, you can see on one of the big buildings the Panorays logo, which is very exciting. So you and your team have built an incredible...

Demi Ben-Ari: Thank you very.

Isaac Heller: ...much. Um, company. And, you know, for those of you who don't know, Israel and Tel Aviv is one of the preeminent cybersecurity hubs in the whole world. So when we unpack these things, you know, these areas, for our accounting and finance friends, we're talking with some of the experts in this industry in [00:08:00] the heart of everything. But before we unpack all those things, we know each other because we're in a portfolio together. We've seen each other at founder events, which is great. But I also see you a lot online. I see you with, uh, Cyber Selfie. Is that right?

Demi Ben-Ari: Yes, indeed.

Isaac Heller: So Demi's got tens of thousands of followers on LinkedIn. I don't know what your TikTok or Twitter...

Demi Ben-Ari: No, no.

Isaac Heller: Just LinkedIn.

Demi Ben-Ari: I'm worried because of where it originated. I'm a cybersecurity person and I'm a highly data-privacy-oriented [00:08:30] type of person, although I'm really open.

Isaac Heller: Yeah, definitely. Well, we, you know, at Trullion we work with accountants and auditors. So we love paranoia, you know. So we'll get to that. But okay. Cyber Selfie. Right. How many... This is where Demi takes a selfie with different types of CISOs and professionals around the world. Really? Right. Yeah. How many cyber selfies do you think you've done to date?

Demi Ben-Ari: Uh, you know what? I'll let Apple answer that. Okay. Just because, again, I'm an iPhone user. [00:09:00] Yeah. And I think it already surpassed over, like, 20,000.

Isaac Heller: 20,000 cyber selfies.

Demi Ben-Ari: Yes. And again, I would specify: I do probably too many selfies in general. The cyber selfies are specific to whatever we do and where we operate. So again, in large conferences, events and things that we're doing, right, when you engage with somebody in the cybersecurity domain space, et cetera, and sometimes even, again, CFOs and also other types of users [00:09:30] that might be engaging with our platform, it's considered a cyber selfie. I would even, like, double down on that. My wife, okay, she has worked at CyberArk for over a decade.

Isaac Heller: CyberArk.

Demi Ben-Ari: Yeah. Really?

Isaac Heller: Public.

Demi Ben-Ari: A publicly traded company, etc.

Isaac Heller: Yeah.

Demi Ben-Ari: So think of it that right now you have, like, two children that also come from the cybersecurity space.

Isaac Heller: So yeah.

Demi Ben-Ari: Practically speaking, every cyber selfie, you know, every selfie is a cyber selfie when I do that with May or Dan, my two children. Very nice. [00:10:00]

Isaac Heller: So cyber is in the blood. It's in the family. Over 20,000 cyber selfies. Can we officially call you, like, let's think of it, an influencer like MrBeast or Kim Kardashian? Can... what you are, the...

Demi Ben-Ari: You said the funniest thing, because I had a VC, yeah, that when we came to, you know, like, started engagement with them, etc., he actually said to me, okay, you're probably the Kim Kardashian of cybersecurity.

Isaac Heller: Can we call you the Kim K of...

Demi Ben-Ari: Yeah. Why not?

Isaac Heller: Is [00:10:30] that us? You know, we... you know, so, so Demi, you're the Kim K of the cyber world with all the cyber selfies, which is pretty cool. Um, you know, obviously cyber is having more and more moments. So, you know, we've got to unpack a lot within this. We've got finance professionals. I guess maybe we'll split into two areas. So there's the finance professional who's sitting in the office of the CFO, whether they're a controller or accountant, [00:11:00] you know. Um, and then there's the finance professional sitting externally, right. Let's call it the audit and advisory firm. So let's start in one of those places. Pick one.

Demi Ben-Ari: I think we'll start from the internal one.

Isaac Heller: The internal one.

Demi Ben-Ari: Yeah.

Isaac Heller: And maybe start as simplified as you can. What are a couple of areas that they should know about? Let's call it just cybersecurity in general. Unpack it for us for the office of the CFO, that corporate controller [00:11:30] who's trying to do the webinars and read the papers and everything. Well, now you've got an expert here.

Demi Ben-Ari: Sure. Awesome. I would love that. So if we unpack, let's say, firstly, I don't want to call that only internal audit, because you're evaluating third party entities also in this whole grand scheme of things. But who's conducting the process is also, I think, what kind of matters, if we're looking at the internal business owners inside the organization or an audit firm that might perform or augment the [00:12:00] operations in this space for any company. Okay. Got it, right. The Big Four, management consultancy companies like that. And even, I would say, a large... and I would scope us as a territory, okay, because again, they operate a bit differently in various spaces in the world. We have customers globally spread. Really, I would say that 50%-ish, or almost 50% of our business is in North America. Okay.

Isaac Heller: Are they... is North America the highest scrutiny [00:12:30] or the highest level for cybersecurity?

Demi Ben-Ari: No, Europe is, sort of. Yes, I would say that the most rigorous, not cybersecurity but rather data privacy regulation is probably the GDPR. GDPR.

Isaac Heller: Which is in Europe.

Demi Ben-Ari: Yes. And if you take the equivalent in the US, CCPA, which evolved to CPRA, right, from California. Yeah. Yeah, exactly. It became a really predominant one also in the US. So it's similar in practices, but the way that they perceive the entities [00:13:00] that are involved in the process, the third parties, the relationships and how you communicate with buying and selling, is more oriented... Protecting the consumers. Yep. Okay. In the EU, the individual. Yeah. Right. The people. And in the US, it's more focused on business.

Isaac Heller: Interesting. So in Europe, they take care of the people. In America we take care of the companies. I'm just kidding.

Demi Ben-Ari: Yeah. Yeah, I would, I would say I care more about money.

Isaac Heller: Yeah.

Demi Ben-Ari: Well. But yeah. Yeah. Just kidding.

Isaac Heller: Um, so I'm from Texas, so [00:13:30] I can say. And you mentioned you're from Georgia, but not Georgia. I know, not...

Demi Ben-Ari: That.

Isaac Heller: Georgia, Georgia. So. Okay, so now we're talking about... let's focus on the US. The US controllers, finance professionals. What are those little buckets of cyber that they should know about? Cool.

Demi Ben-Ari: So first of all, it all evolves through data. Information, right, and data that we need to keep. And I won't say only tick-the-box compliance things, okay, because it is on par, when you speak about [00:14:00] cybersecurity risks, that is compliance oriented, in the world of GRC and compliance, SOX 404.

Isaac Heller: We, you know, we know it all.

Demi Ben-Ari: Many, many, many standards. And as you go into industries, the transitive manner of this becomes really also important, because eventually, think of it, let's take the Department of Defense, okay, as an example. Any contractor to the DoD needs to hold a certain bar. Right. But what happens in the transitive manner? The vendor of that vendor also [00:14:30] needs to hold that.

Isaac Heller: It's like a supply chain.

Demi Ben-Ari: It's exactly a supply chain issue, right? And again, just like in the financial world, if a vendor of yours in the supply chain goes down and can't provide the service, it might propagate up to you. And that's why they protect that in the transitive manner of looking at the broader supply chain. Okay. So any regulation today, any data privacy regulation or standard to hold cybersecurity practices, evolves throughout all of the services that you're using as [00:15:00] a company. As an example, a company can hire an external CFO, right, that will conduct all of the business processes and all of these, like, day-to-day actions, right? Accounting, collection, stuff like that. All of that is confidential information of the company that they provide the service to. They're a third party that provides that service. At a certain point, you would hire a CFO that will build out the whole, like, finance [00:15:30] organization in your own company, and then take the outsourced and bring that in. And then if you evolve and grow your company even more, you have to hire an external resource also to conduct, like, regular audits on you. Yep.

Isaac Heller: So we just got a new auditor. So yeah.

Demi Ben-Ari: Fun facts. Yeah. Fun, fun switching. But again, it's the way that business is being conducted today. And we need to support these processes, business processes, with the proper [00:16:00] technology and data protection. And that's why any data privacy regulation... and even, you know what, for the financial institutions today there is a standard, a regulation that is mandated right now in Europe called DORA, that Data Resilience Act.

Isaac Heller: DORA.

Demi Ben-Ari: Yeah. Yeah. And which you, as a company that is a part of really large financial networks, have to be on par with, following your supply chain just because of that ripple effect, I would [00:16:30] say, to your supply chain when one of your vendors gets breached. Because think of it. I don't want to take us, right, like comparably smaller companies. Look at the larger banks, financial institutions, insurance companies. I'm specifically mentioning the highly regulated bodies. Right. Think of it that when they're using a vendor, even the biggest ones, AWS, right, Amazon Web Services.

Isaac Heller: Yeah.

Demi Ben-Ari: You're basically taking [00:17:00] all of the data that used to be hosted on-prem, in your own servers, in your own server farms, etc., and extracting that information and giving that to the safekeeping of AWS. And what happens to the other types of vendors that you might be using that are touching that data? That's it. It's no more a safe silo.

Isaac Heller: I understand, I understand. You know, it's like if AWS goes down for a second, the amount of companies that get impacted, it's like a ripple effect. [00:17:30] And also, we at Trullion work with financial systems. Obviously we're hosted on things like AWS and Azure. But what's funny, if you work with a company like Microsoft, even though you're hosted on Azure, you may not be able to work with them when it comes to financial statements, because they hold government financial data. Right. And so we've gotten into FedRAMP and all that stuff.

Demi Ben-Ari: Yeah.

Isaac Heller: So you were talking about DORA. So okay, so that's one area of cyber risk, let's call it. What do you call it? Supply chain. [00:18:00]

Demi Ben-Ari: Third party supply chain, third party risk. It really depends who is actually defining the problem. Right. Because again, think of it: for physical operating companies, yeah, it's an actual supply chain thing.

Isaac Heller: Which is the.

Demi Ben-Ari: Screw manufacturing, screws. Just like I mentioned. Again, even TSMC is one of our customers, okay.

Isaac Heller: The... what's TSMC? Taiwan Semiconductor. Uh, okay. Big semiconductor company.

Demi Ben-Ari: Yeah. They provide chips to 92% of the world or something like that. And [00:18:30] why am I mentioning that fact? Because again, think of it. What a massive supply chain effect they have on the world.

Isaac Heller: Yeah, absolutely.

Demi Ben-Ari: So it's securing themselves and securing their supply chain to basically be secure enough to operate with any company that exists in the world.

Isaac Heller: Okay. So I'm the CFO or I'm the controller. I'm now armed with third party risk management. Give us maybe two more buckets to jump into in the world of cybersecurity.

Demi Ben-Ari: So, flip side. When you're being conducted with an audit, [00:19:00] even us selling, right, or any company that sells today, they get an engagement. Just like you need to provide, if you're a public company, your financial records and transparency to your business, etc. For a private company, it's complicated, right? Basically, a lot of things are being said in the room without the ability to be, you know, like... yeah, stuff like that about privacy. And all of that engagement piece, when you're conducting sales processes, evolves the cybersecurity space just because, again, the customer would be [00:19:30] giving you their information, right? Or, you know what, it doesn't even have to be the information; they're relying on you to provide their service, right? That basic, like, operational burden. And right now they need to conduct a due diligence process on the onboarding thing. Right.

Isaac Heller: Got it. So now we're talking about, I'm the CFO, I'm the controller, and I need to make sure that we have, I don't want to say checked all the boxes, but ensured compliance as a seller. So for example, at Trullion we do SOC 1s and 2s, [00:20:00] we have pen testing, all that stuff. So now we've moved from the bucket of the vendors you need to think about, to us as the vendor.

Demi Ben-Ari: Exactly. So we did also create, even in Panorays, a piece.

Isaac Heller: Yeah.

Demi Ben-Ari: It's called the Security Passport, for you to show your passport wherever you go. It's actually a trust center. You upload all of these attestations and documents on how you conduct processes, for the potential buyer to have an easier way to conduct this process. We're trying to help both sides [00:20:30] to streamline a really human-intensive process, right, and surface only the things that are relevant. Think of it that any company, from the smallest companies, has, I don't know, at least, like, 300 or 400 third party interactions for which they need to conduct some kind of audit. I'm not saying everything is super critical. Usually around, like, 15, 20%-ish are the critical third parties for you to be able to provide the service, and also that touch confidential information and customer information, etc. [00:21:00] So even you as a seller, you need to conduct all of these processes with your customers. I'm telling you, most of the burden today in deals, running deals, us as sellers and us as buyers, evolves throughout that audit space, right? And when a salesperson really wants to close that deal, he drives the CISO crazy, with their CISO, for them to answer the customer on all of these audit processes as fast as possible.

Isaac Heller: Okay. Interesting. [00:21:30] All right. So I'm going to throw a curveball. Sure. Um, well, first of all, it's a really good summary of kind of the internal concerns. And we're going to get to the external concerns too, like how do you build a practice and how do you think...

Demi Ben-Ari: About.

Isaac Heller: As an advisory or audit firm or whatever? Sure. But I was just thinking, you know, you talked about the Security Passport, and I assume that's kind of like the broader picture of all the certifications you would need and all the security risks you've assessed, to [00:22:00] show that passport to the vendor. One of those, I'll just use an example, it's popular with accounting firms, is SOC 1 and 2. That's a popular one. So within the passport...

Demi Ben-Ari: And there is even a 3.

Isaac Heller: There's a 3.

Demi Ben-Ari: The 3 is a public SOC 2.

Isaac Heller: Oh, a public SOC.

Demi Ben-Ari: So basically it's an upgrade for you to be able to share something with a limited scope, without sharing too much confidential information, and still showing that certificate, right? That you're on par with SOC 2, with all of the audit processes that you've been through.

Isaac Heller: So here's the curveball, [00:22:30] right, with SOC 1, 2 and maybe 3. Um, so for example, we use KPMG, and they come in, and we have our friends and our partner, and they come in and they organize everything and they complete, or help us complete with them, the SOC 1, SOC 2. Yeah. I also know there are companies that have software that try to help automate the SOC 1 and SOC 2 process. I also know that there is AI today that is trying to ingest [00:23:00] that information, those files, those data points, those risks, to help speed up that process. From a true risk perspective, a true risk, not checking the box, a true risk perspective, do you see an incremental difference between using AI-based software to complete your SOC audits versus using just firms, right? And maybe those firms are using software too; you can include that. But, like, does the software help lower the risk? Using SOC as an [00:23:30] example nowadays. What do you think?

Demi Ben-Ari: So I would say, like I mentioned in the beginning, I'm paranoid about everybody, okay. Human risk is one. Yeah. And software, what's so-called AI, if I wrap it around in a different way, is also a risk. Okay. And just like you mentioned, it's complicated. Okay. It's great, because eventually all of these audit firms might actually leverage a lot of AI capabilities. And it really depends how the data flows. Okay. That's why I said... I'll throw [00:24:00] it again, sorry for being, like, a box nudge, but the compliance space, the regulations that actually came up both in the US and the EU, the AI Act...

Isaac Heller: Yeah.

Demi Ben-Ari: Was for a reason. Okay. I'll try.

Isaac Heller: It's recent. There's an AI...

Demi Ben-Ari: Yeah. In the last, like, two years, it started...

Isaac Heller: Like.

Demi Ben-Ari: Being more of knowledge. Okay. And especially it will be start. It will start also being enforced and regulated. Right. Yeah. So, so for that piece, [00:24:30] basically speaking all of these, um, guidelines I would call that because again nothing is concrete and in law yet.

Isaac Heller: Right. Pronounced right. Guidelines.

Demi Ben-Ari: Exactly, exactly. All of these things are to surface the problem and for people to know what happens when you perform an action. I'll explain. Okay. What happens, as an example. And I will try to oversimplify and not double down on technology and stuff like that. There are multiple ways of running [00:25:00] AI. One, if we go on the paranoid aspect and protect stuff: self-trained and self-hosted, meaning a company, an entity, right, would take the information that they hold, train that in an internally hosted silo, right, and not leverage general purpose LLMs, which people, when they hear AI... OpenAI, Claude 3, Anthropic and many other providers that today created [00:25:30] that AI boom, AI evolution.

Isaac Heller: Right. So from a... and I'm just saying it back, like, I would think that if you self-host and self-train an AI, that is less of a risk from a cyber perspective. Yes. It is in the box of your company. Obviously there's always risks, yes, but it is less of a risk than if you're leveraging a lot of third party LLMs. Yes. Because it's a two-way street. With third party LLMs, they consume your data to train, so your data could go out into the world, [00:26:00] into the ether. And at the same time, you're also consuming data from them that you don't know if it's credible, verified. And you don't know the people that fed that. Okay. I just want to frame that. So you're... yes. Keep going with your...

Demi Ben-Ari: And it even gets more complicated. I'll explain why. Okay. Because I gave you the example of LLMs, large language models. Yeah. Which were trained by companies. They're still private companies. I'm not even saying if it's private or their own. [00:26:30] Okay. It's not something of yours. Right. And basically, it's a black box most of the time. Right. Just like you mentioned, it was a model that was trained on top of a bunch of information. Again, it can be a massive order of magnitude of information.

Isaac Heller: Right?

Demi Ben-Ari: That yields answers. Nobody knows how to explain where this information came from. Right. Right. So for that assurance purpose, it's also something of a risk. But I'm not even speaking about that. It was proven in some, you know, like, [00:27:00] research pieces, etc., that you can claim data was anonymized and stuff like that when the model was trained, but the origin of the data can be inferred from the answers that the model is giving.

Isaac Heller: Oh, interesting.

Demi Ben-Ari: Which... this imposes a risk to privacy, because eventually you give... ask questions, collaborate, conversational stuff with these LLMs.

Isaac Heller: Right.

Demi Ben-Ari: Sounds, wow, it's amazing. It augments people. It does things that, you know, like, we haven't been [00:27:30] able to do until today. But it was a risk, because eventually the attack point... we didn't speak about that, right. They can also leverage that. I'm not even speaking about AI-generated attacks. That's a whole different space. I'm literally speaking right now about what happens when that vendor gets breached. Their model might be compromised. Right? Right. It doesn't really have to be a cybersecurity breach, because they collaborate with this model.

Isaac Heller: Okay.

Demi Ben-Ari: And data can be inferred.

Isaac Heller: So let's tie it together with the SOC analogy. So first [00:28:00] of all, I'm just... it's dizzying, like, to think about all this stuff. Like, I'll jump onto the kind of the AI inference idea. You know, people who are using ChatGPT at home, they're asking all kinds of personal questions, just to use an analogy we all know. Well, they might be asking psychological questions. They might be asking medical questions. A lot of... I heard someone last week taking their X-ray and putting it in ChatGPT, saying, is this a break? You know, going to the doctor? So, right. People [00:28:30] are putting this amount of personal information into ChatGPT, and then you're saying, with inference, ChatGPT can infer who put it, what they... Exactly. So it's almost like there's a bit of this: nothing's safe. A bit of your...

Demi Ben-Ari: I would even say that.

Isaac Heller: Yeah.

Demi Ben-Ari: For internal use, I'll give you an example. I know it sounds stupid, how come this thing actually happens, etc. For saving purposes, yeah, okay, you might actually buy a subscription, [00:29:00] I don't want to say, like, only for OpenAI, it can happen with any of these types of services, that is shared across the whole company. One account. It's a really bad practice in cybersecurity, okay. But eventually, for cost saving purposes, the CFO can say, guys, no, I approve a budget only for one seat.

Isaac Heller: And this happens all the time. ChatGPT has an enterprise license. It's not just... all of these have an enterprise license. Of course they're coming in. Copilot. All of these. Okay. Got it.

Demi Ben-Ari: So I'll give you an example. What happened [00:29:30] in a workplace, okay. I won't name that. I don't want to embarrass anybody. They had a shared account.

Isaac Heller: Okay.

Demi Ben-Ari: In which all the employees had access to that. Bad practice in cybersecurity, but whatever, right. Cross purposes. And what happened is, through that, because it saves the previous prompts and it holds context to some of the things, right? Right. They knew which people were searching for a job, just because they put their CV into that to get feedback, etc., or something like that, or [00:30:00] searched for information, and the auditor, right, the internal one, the CISO, so-called, that infosec person, etc., actually saw whatever was happening, because all of the employees were leveraging that, like, enterprise account, but only one, shared, right. And everybody can see everything. That's why you isolate stuff.

Isaac Heller: Got it.

Demi Ben-Ari: And think of it. What happens if you take a financial report of a company, and, you know, one of the accountants of the company actually says, oh, I need to fill out these two columns, [00:30:30] just because I need to search for information. Let me throw that in there for a sec and just get it back. And it's all filled out. And I saved, like, I don't know, ten hours. Yeah. Right. It does not resonate with people what happens after that to that document. Right. Because eventually, I know maybe I sound like a paranoid person, but you being paranoid does not mean nobody's chasing you.

Isaac Heller: These are my people.

Demi Ben-Ari: I know, I know, I'm sorry.

Isaac Heller: We are all paranoid.

Demi Ben-Ari: And so. So for that purpose. Think of it that you need to think like [00:31:00] two steps ahead, not too far away, like a year from now. What happens with that piece of information? Even what you get information value out of that who might be able or you know, who might actually take that and repurpose this information for a bad.

Isaac Heller: Yeah. And and a and a probably an emerging use case would be, you know, I'm a CFO or I'm a finance professional and I'm using Copilot or Gemini or whatever it is on my models, on my spreadsheets. Or maybe [00:31:30] you're even using an FP&A tool. Yeah, in theory, if that LLM or that AI access point is shared with other people in the team, let's say you have a model about, I don't know, a cost reduction, a headcount reduction, a change, a variance. So they're operating on that same data. So they may find out about confidential information that you would never have intended. Or they'll ask a question. And they could even talk to the AI model who has this information and ask.

Demi Ben-Ari: Them.

Isaac Heller: Nicely. Ask them nicely and you ask [00:32:00] first and they say, I can't share, but you can. You can be nice. You know, we of course, everyone, everyone knows, uh, you know. So. Okay, so back to our SOC 1. SOC 2. Yeah. Okay. So we just we just unpacked the whole world of LLMs. SOC 1 done by a human auditor or SOC 1 done by software. What. Okay.

Demi Ben-Ari: So I can give an example again just because we have partners. You mentioned the compliance automation space. If I like overgeneralize that companies just like Anecdotes, AuditBoard [00:32:30] okay. Probably some actually are using all of these platforms throughout all of that more in the security, space oriented, etc. So I really am a firm believer of using these things because again, why these platforms actually helps you to automate the processes that human beings do. Right? Okay. And I'll say maybe something that people won't like me for that I trust software more than humans.

Isaac Heller: Okay. Interesting.

Demi Ben-Ari: Again on the paranoia end. Why? Because again, [00:33:00] I'm not saying there is malintent. I'm saying pieces of software are usually well defined. And sometimes the negligence. Recklessness, I would say of people. I'll give you an example. What happens if you have a let's take it to the Google's Workspace suite. Okay. You have a document, an Excel spreadsheet that has all of the financial information like paychecks, how much you're paying to whom.

Isaac Heller: Yeah.

Demi Ben-Ari: And usually it's consolidated to one. Okay. [00:33:30] Right. It's not a that it's a siloed or something like that. Because again I understand the CFO that needs to have the whole picture. What happens if by accident right. Somebody hits the share button and all at Company.com.

Isaac Heller: Yeah.

Demi Ben-Ari: That's it. Basically you have like at least 50% of the people filing their resignation.

Isaac Heller: Well, look, we.

Demi Ben-Ari: Right?

Isaac Heller: You're not being too paranoid because we've all accidentally replied to all. [00:34:00] Or I know at one time we have we have Slack channels. And one time I started to type something that was supposed to be in the leadership channel, or I typed it in the general channel, and I consider myself a pretty, uh, detail oriented person. Okay. So so software can be better. Now, what about what about the really popular phrase right now that's telling everyone, well, the software can help you do the grunt work so that you can focus on the strategy. Right? You as an accountant, you as a cyber professional. Are you saying that [00:34:30] if the, uh, internal company or the firm uses the software to complete their SOC 1 or SOC 2, that it's just better anyways, or it's better because the human can do more true risk assessment. How do you think about that?

Demi Ben-Ari: I think like for repetitive tasks. Yeah okay. Such as collecting.

Isaac Heller: Documents.

Demi Ben-Ari: Well defined.

Isaac Heller: Right. Well defined.

Demi Ben-Ari: Right? Why spend the human effort on that? If I can do that better than you and even won't make mistakes because [00:35:00] it's well defined? Yep. Right. And there are many like ways I would I would assume that to implement that in a better or safer way, having safety pins, having many security products that also facilitate that whole, um, AI security or security in AI. I don't know how we want to scope that was first. So there are ways to implement, just like any process in the world. Again, not even speaking about the software yet to make it better and with better filters to do that safe. [00:35:30] Okay. Okay. Just like you put on a helmet when you build a building, just in case if something falls on your head, you don't die, right? I would say that we can apply the same safety mechanisms for all of these things. A part of third party risk assessment is that piece. I assess the risk. Classify wherever is critical, and might impose risk on my engagement. Not even only on my company. Okay. And then create the corrective mechanisms and measurements to [00:36:00] do that better. Nobody said that it's bulletproof, right? Because eventually things might happen. You know, what's 99.9 protected? 100% breached because you have a way, right. Again, going maybe to over radical on the paranoid side. But this thing us as a process as a as an evolving process I would say that you implement something and iterate. Right. Improve. More risks are being introduced [00:36:30] to the world. You iterate again, reassess because of that, the continuous manner, just like you do. And again, if I look on the audit space SOC 1, SOC 2, SOC 1 if I if I'm again, I'm not a financial auditor. So I apologize if I say something that is incorrect. There is a continuous space in which, as an example, with a SOX audit, you conduct that continuously over the year with internal audit, and you bring an external auditor to audit that in an occasion once a year or something like that. Right? [00:37:00]

Isaac Heller: Yeah.

Demi Ben-Ari: That's exactly that. That's continuous. Right. Because eventually you're doing that process and the continuous basis continuous can mean a lot of things. And also some customers of ours send a questionnaire once a year. And this is good enough for their space to call that continuous right. And some do daily monitoring with their external attack surface tool that we do have a portion a module that we have a that whole like engine that looks on companies like hackers.

Isaac Heller: So they can they can actually [00:37:30] I understand so they can look in real time if that company's a risk.

Demi Ben-Ari: And if there is a notification about a breach, okay. All of the AI that we've created internally in the platform can surface that. Because what happens? Think of it that when you again, I told you that small medium size companies have around 300 plus engagements. Yeah. What happens to the larger enterprises that have hundreds of thousands of relationships?

Isaac Heller: Yeah.

Demi Ben-Ari: No human team can actually, like, cover everything.

Isaac Heller: It sounds like a nightmare. I mean.

Demi Ben-Ari: It's fun, [00:38:00] fun.

Isaac Heller: A challenge, a fun challenge. Okay, so we're going to we're going to pivot to the firms and really think about how firms can build these practices. But before we do, just like another curveball. Um, you said you were in the Air Force. Yes. And then you also said you worked at Windward, which is a, you know, kind of a B2G maritime analytics. You were you were manning the seas, you know, so to speak. I mean, what maybe, maybe whether it's Air Force or in the sea. What's like one big thing you learned [00:38:30] from being in these organizations that led you to be a cybersecurity professional?

Demi Ben-Ari: So I did manage cybersecurity practices in the previous, you know, from the beginning of my career, just because it's software. And once you operate. And also, I would say hold the production environment in the air. Yeah. You need to take that pillar of cybersecurity really seriously, especially if you're in the military. And afterwards, of course, if you're selling to governments and stuff like that, it's [00:39:00] an issue. Okay. Because of data privacy, because you want to keep these bodies operational and up and running. Because if not, something really, really bad will happen, I'm telling you. Like, what happens if my missile defense system that I've developed was down? Yeah. People die. Okay. So it's really, really serious.

Isaac Heller: By the way, I must I must mention Demi and I started this podcast a little bit late. We're sitting in Tel Aviv, and there was. There was a siren. Yeah, right. And so we saw in the sky that there was an interception, which is exactly what you started out. I mean, obviously it's not a it's not a fun [00:39:30] topic to talk about, but that's, that's security people that that grow up coming figuring out how to defend. I agree. You know land against certain things whatever that is. So you learned how to just think about defense. You then learn how to be a CISO. And on top of these things.

Demi Ben-Ari: So today in my role, you said that I'm the CTO of the company, and I would even argue that I'm basically in charge of fun and doing a lousy job. And but but [00:40:00] most of my time spent today I manage our CISO function. Okay, okay, he's much better than I am on this space, but still, he's on my team. Yeah, and I'm just like. Like the auditor of the company. I'll explain why I'm not managing the R&D and product today. I'm collaborating with them. They're peers of mine. Interesting. And 80% of my work is with customers.

Isaac Heller: Oh, I see.

Demi Ben-Ari: Uh, if it's like defining the market with the, uh, sort of like the analyst firms Gartner, Forrester, and working with [00:40:30] them on scoping our space TPCRM, or like third party audit and also working with customers, engagement, implementation, working with our sales team, actually conducting the OEM business. Also interesting and how we are a part alliances, stuff like that, mostly like externally and also post-sale when we're implementing things with customers. Or there is, as an example, a third major third party breach. Okay, SolarWinds got breached.

Isaac Heller: A lot of one, [00:41:00] right? Yeah. Yeah.

Demi Ben-Ari: So again, it happens so much more than actually is notified in the world, by the way. And conducting these incident response processes, our processes with customers is also something that I do like. It happens always on the weekend. It's like amazing to see why the.

Isaac Heller: And the hackers just they they come out and get the.

Demi Ben-Ari: Kicks of it.

Isaac Heller: On the weekends.

Demi Ben-Ari: Yeah. And and basically speaking that response portion. Also working with customers implementing a solution. We also have a portion [00:41:30] in our product that is the supply chain detection and response.

Isaac Heller: Okay.

Demi Ben-Ari: Got it. What happens when one of your vendors gets breached and how you respond to that to mitigate that risk that actually emerge right now?

Isaac Heller: Interesting. Okay, good. So that's a perfect segue. So, you know, we've got a lot of folks who work at firms. Um, they work at the big four. Um, they work at regional audit firms. Some of them are auditors. A lot of them. Financial audit. Um, some are in advisory. [00:42:00] A lot of times, you know, in advisory or consulting, you have financial advisory. So helping with financial reporting, sometimes they're implementing systems, you know, like an ERP system or whatever. Um, generally in the big four, which which obviously are massive and do incredible amounts of, of work for a lot of different companies. I've seen the three buckets as like audit, tax and advisory. Those are kind of the three buckets in our financial world. But I've noticed in a few of these, uh, annual reports that [00:42:30] risk advisory and specifically cyber advisory is growing. Now, it's well known at the big four. I think more regional firms, uh, in the.

Demi Ben-Ari: Especially.

Isaac Heller: In the U.S., they're starting to adopt. So how how should, um, these firms think about it and maybe even some areas to get ahead because you don't want to be late or you don't want to be last because then you're competing in a new space against all the other firms who are competing as well. So give us like, like how should a firm think about it and then maybe even differentiate yourself? [00:43:00] I've already got some ideas with AI advisory, but but you tell us.

Demi Ben-Ari: So first of all, you said that correctly. Building a practice is really, really important. Yeah. Software can support practices okay. Right. And our piece of software I would call that even a solution. We can assemble the the actual program with one of these. Just like you mentioned, the big four management consultancy and even smaller audit firms. Okay. Or even like, you know what? I would I would even add to that mix the MSSP [00:43:30] world managed security service providers.

Isaac Heller: So just just to be clear, Panorays. It's not only used by anything from SMB to big corporations. You're saying firms of ours? Yes. Partners. So they're using it to build out practices. So you know this intimately.

Demi Ben-Ari: So yes. So for it is twofold. One might be just like you mentioned okay. They create the program with the customer.

Isaac Heller: Okay.

Demi Ben-Ari: Okay. So one automotive company out of Germany I'm not saying who okay. Really. Okay. That [00:44:00] one of the big four engaged with when they assessed our solution.

Isaac Heller: Okay.

Demi Ben-Ari: Right. So the manufacturing firm hired one of the big four to conduct an audit on Panorays of how to implement an audit process with Panorays.

Isaac Heller: Interesting.

Demi Ben-Ari: It's kind of funny, right?

Isaac Heller: Yeah. It's like.

Demi Ben-Ari: Okay. But again, we work closely with one of the big four to implement the program according to our software pieces. Because again it's a project, right. So they hired them to create that program. [00:44:30] People will be manned to actually facilitate that program, eventually ending up of. Having a process. Got it. And the augmentation. The other flip side, what I what I said is what happens when you want the head count to actually conduct all of these processes. So the Big Four.

Isaac Heller: The internal people.

Demi Ben-Ari: Know the external.

Isaac Heller: Ah.

Demi Ben-Ari: So meaning right now you okay as a CEO say instead of hiring that head count I rather hire that service. [00:45:00] They hold the head count. They advised me of how to implement the program. And you also take the operational day to day burden.

Isaac Heller: Okay. Got it. So I'm I'm at.

Demi Ben-Ari: The MSSP portion that I've mentioned.

Isaac Heller: I got it. So in this case this is like kind of a piece so that that big four consultant, just like any regional audit firm or advisory firm, they need to understand the bigger picture, right? Because obviously this large company was probably implementing multiple processes to upgrade their cybersecurity that external [00:45:30] firm needed to understand the area of third party risk, which is. Is that fair vendor risk? Right?

Demi Ben-Ari: Third party risk is a great.

Isaac Heller: So these. These firms should be building out their menu. Is that right. Like they should have a menu of all the different cyber.

Demi Ben-Ari: You can say a catalog your catalog. Okay okay. Just because again mostly people use that term when they're offering pieces of services. Right.

Isaac Heller: How big can the catalog be for a firm. And let's call it cyber security hundred SKUs.

Demi Ben-Ari: So [00:46:00] I would say that.

Isaac Heller: That's one, two and three.

Demi Ben-Ari: Yeah I know. I would say basically it's a handful of processes. Okay. That they might sell solutions for. One can be the onboarding piece, right. When you're onboarding a third party relationship. Here is a process. Go and do your thing. Right.

Isaac Heller: Okay.

Demi Ben-Ari: It's I would say really well known in Germany that no matter if you have an internal team, you still hire one of the big four. I mean, like with the larger companies, etc. and they reassess [00:46:30] whatever you assessed.

Isaac Heller: Okay.

Demi Ben-Ari: And provide that with nice Excel spreadsheets as reports. Okay. So all these practices when you implement a program can be done and conducted and you can divide that just like a, I don't know, take and call it a business process. Onboarding is one business process. Another ongoing business process is monitoring.

Isaac Heller: Um.

Demi Ben-Ari: Because what happens when something happens or for you to be able to respond to reduce risk, not only cyber, [00:47:00] many other things. So how you continuously monitor in the financial space, maybe an annual audit might be good enough. And you can call that continuous. And also reflecting to what's so-called external risk incident response okay. What happens and what are the playbooks to actually facilitate. Mostly happens in the SOC teams SOC Security Operations Center, not the SOC that you. Yes. But eventually speaking all of these processes, I can say that they're probably a dozen [00:47:30] that you as a, as a service provider will come up to a dozen, I would even say, because, again, you can specialize only in onboarding.

Isaac Heller: Okay.

Demi Ben-Ari: Right. And you don't have the people to do the incident response piece because it's human intent etc.

Isaac Heller: So just and and before you get into the dozen. So I'm, I'm a firm I need to have a perspective on onboarding meaning my client making sure they onboard.

Demi Ben-Ari: Yes.

Isaac Heller: A level of security protocols. And that could be a that could be a company that's never really thought about [00:48:00] cyber or hasn't thought about it enough. And so that first one is a big overhaul, almost like the first audit. And then onboarding could be I'm educated on the latest in GDPR or DORA or CCPA or the AI Act, which I'm sure AI is probably going to spawn a lot of for sure. Okay. Got it. And so I can onboard these new standards, which is like, um, I don't know. You know, you've you've onboarded them as an audit client. But now there's a new standard like revenue recognition or lease accounting. And you have to help them implement [00:48:30] and onboard that program. Okay. So that's onboarding. So I got to know how to onboard. You talked about maintenance. Maintenance is like I need to go in like a quarterly or annual audit. And I need to make sure their cyber and security protocols are in place. Yes. Um, and then the incident response is I also need to be aware of the one off events and risks that can occur happens.

Demi Ben-Ari: In the.

Isaac Heller: World. My company, you know, you know, if my company, um, gets, uh, I don't know if there's a fraud, uh, potential [00:49:00] financial fraud that might happen. I, as the auditor. If my company turns to me and say, hey, I think there's some money missing. I need to be ready for that incident response. So I've got all right, I just want to say back. So onboarding, maintenance, incident response. Yeah.

Demi Ben-Ari: Onboarding I would call that monitoring.

Isaac Heller: Event monitoring.

Demi Ben-Ari: Good. Right okay. Just because of the piece.

Isaac Heller: That also sounds bad.

Demi Ben-Ari: You. Yeah I don't know maybe maybe it's also maintenance, but eventually ending up of being that piece of conducting an end to end process of you and I always divide that also in [00:49:30] what we do in TPCRM, third party cybersecurity risk management. There are four main pillars. One, I know it sounds naive. Inventory.

Isaac Heller: Yeah.

Demi Ben-Ari: What? Who are your third party relationships? Who are your relationships in general and covering the context of how you're engaging with that entity? Right. Okay. If I'm passing confidential information, if they are connected to my internal systems, if they get breached, will my operational like aspect will be hurt? That's one. [00:50:00] Then once we've classified all of these relationships, I can streamline the process accordingly to the proper onboarding piece. The next phase. Right. Right. I've onboarded. That's it. I started working with Trullion. They're a great company. On par, even higher than the market. I'm happy. But what happens in day zero plus one? This is like what I. I'm sorry. I'm a software engineer. Zero and one. The fundamental binary. Right? The fundamental building block of a third [00:50:30] party risk program. Okay, then if you have the capacity, the resources, the risk is high, etc., you create a monitoring piece just like I mentioned. Right.

Isaac Heller: Monitoring.

Demi Ben-Ari: Yeah. And then eventually when you have continuous monitoring, you know how to respond. You put in the mix that external threat factor. What happens on the in the world that applies to my supply chain. This is a supply chain detection response. And once you have all of these like four pillars, you can implement any program with any of the big four or [00:51:00] you know like internally and create a safety mechanism, a program that is live. Okay.

Isaac Heller: Okay. Got it. So last question. Um, this is great. So I feel like if I'm a firm I'm a little inspired enabled. Last question. It's the differentiation part, Right. So and let's, let's end it with AI. Yeah. Okay. So I'm thinking I'm a firm I want to jump into the cyber game. But I don't want to do a, you know, a me-too like they've already heard the other cyber pitches. [00:51:30] Give it. Go into the crystal ball. Tell us about the area of let's call it AI risk assessment AI risk consulting. Are there regulations coming in? Uh, are there ways to get ahead? That's definitely top of the CFOs. Mind if I'm guessing?

Demi Ben-Ari: Okay. So to tell about the future, I'll show you the past. Oh, okay.

Isaac Heller: I'm a history major, so I appreciate.

Demi Ben-Ari: Wow. Nice. I didn't know that. Yeah. Okay. So let's look back in 2016. Okay. What happened in the world? GDPR was born. Okay. Okay. [00:52:00] At least the the guidelines of GDPR. Yeah. When they said that they will start enforcing that 2018.

Isaac Heller: Okay.

Demi Ben-Ari: Okay. When they actually started enforcing that 2020.

Isaac Heller: Okay.

Demi Ben-Ari: So let me take that model. Okay. And put that on AI.

Isaac Heller: Okay.

Demi Ben-Ari: When did AI start booming?

Isaac Heller: 2022. Let's say.

Demi Ben-Ari: You're.

Isaac Heller: Right.

Demi Ben-Ari: You're right. Okay. When they started creating all of these regulations, AI Act.

Isaac Heller: I didn't know about that one.

Demi Ben-Ari: 2024.

Isaac Heller: Okay.

Demi Ben-Ari: Okay.

Isaac Heller: 26.

Demi Ben-Ari: I [00:52:30] think that by 26 and again, DORA, they're already a date. I think it's like May 25th. Okay. That they claim they will start enforcing that that whole resilience act on your supply chain. Okay. In the cybersecurity space plus AI plus stuff like that. Okay. So all of these things I think it will be a similar evolution and revolution. Okay. Okay. So right now we're at that point when they will start regulating.

Isaac Heller: Amazing. So a big takeaway for me is instead of, [00:53:00] you know, thinking about how AI is going to automate us or scare us or even, um, just embracing it internally, which you probably should do to some extent anyway. Um, start thinking about how AI is going to expand our jobs in finance and accounting as risk professionals, it's almost like redraw the line around what you do, not as finance or accounting, but as risk. You're in the risk game and AI is in the bucket. Just like finance, just like fraud, just like operational risk. AI is the next pillar of risk. That's [00:53:30] awesome.

Demi Ben-Ari: I think that finance today just because of again connecting it with the operational world.

Isaac Heller: Yeah.

Demi Ben-Ari: Has to be a team player of everybody. Yeah. Cybersecurity. And again I'm saying that with any of the I can call that on the practical aspect of when we come to a customer, the first thing that they might integrate is their procurement platform. Wow. Why? Because how do you engage with third parties? You purchase a solution. Yeah. And they're our best friends of identifying that [00:54:00] inventory. I would even say something that might be really bad. We have many large, large customers that that list is held in an Excel spreadsheet. I will surprise you. Yeah. So again we have to collaborate with all of these entities. And also, I must say, another important risk in the world of the third party space is that risk quantification put a dollar value on that relationship. Yeah. And how I will be impacted if a cybersecurity compromise will happen with that relationship. [00:54:30] Cyber risk quantification. It's a thing.

Isaac Heller: Yeah, absolutely.

Demi Ben-Ari: This is how we translate the cool, geeky stuff of what happens to how it will impact the business owner.

Isaac Heller: Amazing. And we all like, uh, we all like to know things in dollars in our world. So. Look, Demi, um, it was great chatting, um, from, uh, growing up in Georgia to serving in the Air Force to now being, you know, CTO and co-founder at Panorays and being a really a cyber expert, selfie influencer and a [00:55:00] great fun to talk to. So thanks.

Demi Ben-Ari: Thank you Isaac. Pleasure. And thank you very much for everybody for listening.

Creators and Guests

Isaac Heller (Host): CEO @ Trullion | Modern Accounting Technology
Demi Ben-Ari (Guest): Co-founder and CTO of Panorays