Andy Vanderhoff, Quantivate.com: “an effective cybersecurity program starts with effective training”
People might assume that hackers infiltrate an organization using complex tools, but most breaches occur because someone forgot to patch a server or update software, or because of staff negligence.
Unfortunately, such mistakes are common in cybersecurity, and most of them stem from a lack of awareness. A business owner might underestimate the likelihood of a data breach and fail to invest in employee training and proper cybersecurity defenses.
We reached out to Andy Vanderhoff, the CEO of Quantivate, a GRC software company, to discuss why the cyber education of workers is inseparable from any company’s cybersecurity essentials.
How did the idea of Quantivate come to life? What has your journey been like since your launch in 2005?
I launched Quantivate after spending a few years working in governance, risk, and compliance (GRC) at Washington Mutual, which was the largest Savings and Loan in the country. After seeing the lack of easy-to-use GRC management solutions for financial institutions, I set out to develop a software-as-a-service platform designed for banks and credit unions by financial industry professionals.
We bootstrapped the company for over 15 years and brought on our first private equity partner in 2019. Bootstrapping any company is challenging, and I describe the Quantivate journey as one with high highs and low lows — sometimes in the same hour! I made mistakes, learned from them, and realized that having a team of smart, dedicated people is key to any successful business.
We’ve grown from one application (Business Continuity, released in 2006) to a full suite of nine software products that help banks and credit unions manage all their GRC programs and data in a single platform. Our latest addition, Issue Management, launched in August 2021, and we’re continually working to create more value for our customers in the financial services industry.
Can you tell us a little bit about what you do? Which industries do you mainly work with?
Our goal is to help leaders at banks and credit unions make better decisions by providing real-time risk and compliance oversight. The Quantivate platform integrates disciplines like IT risk and security, vendor management, and regulatory compliance through a shared technology architecture. This not only streamlines management and reporting efforts, but also gives our users full visibility into their GRC posture, data, and activities.
Any financial institution that struggles to manage governance, risk, and compliance and is looking for efficient solutions to maintain and mature its program will find that Quantivate makes a great technology partner.
When it comes to organizational cybersecurity, what myths and misconceptions do people tend to have most often?
One of the most common myths that people buy into is that cybersecurity is only solved with very technical solutions. The reality is that many problems start with employees not thinking critically. People might assume that hackers get in using complex tools, when most breaches occur because someone forgot to patch a server or update some software.
Another misconception is that cybersecurity is a problem for the chief information security officer, when it’s actually everyone’s responsibility. An effective cybersecurity program starts with effective training.
Good cybersecurity hygiene should be a company-wide effort, just like IT risk and security management should be integrated across the enterprise. A holistic approach to GRC — connecting data across cybersecurity, vendor management, business continuity, and enterprise risk functions — strengthens any organization’s security posture.
Do you think the pandemic has affected the cybersecurity industry in general?
One of the biggest challenges stemming from the pandemic is protecting devices outside your organization’s network. With employees working from home and accessing corporate systems and data from potentially insecure personal devices, companies have had to quickly address new vulnerabilities and risks.
As more organizations plan to maintain remote and hybrid working models spurred by the pandemic, this is another area where employee training and policies are critical for a strong cybersecurity program.
What are some of the worst cybersecurity habits that can put not only an enterprise’s workforce but also their customer data at risk?
Not getting the basics right can derail any cybersecurity program. Organizations that ignore the people part of the equation or bypass the fundamentals of cyber risk management can suffer damaging consequences.
Keeping systems up to date, maintaining a data inventory, ensuring patches are going out in a timely manner, and having good controls are the simple things that maintain the health of your cybersecurity program and protect customer data.
In your opinion, why do certain companies still struggle with conducting regular compliance audits?
The harsh reality is audits are no fun. Nobody wakes up in the morning saying, “Yahoo, I get to do a compliance audit today!” If you don’t prepare throughout the year, and you rush into an audit with two weeks to get ready, you’re setting yourself up for a difficult time.
To avoid this type of compliance fire drill, organizations should be audit-ready all the time. This requires processes and technology that support continuous compliance with ongoing monitoring of controls. When your organization has a standardized risk and control management framework and a single source of truth for GRC data, continuous compliance is achievable.
Which industries should be especially concerned with implementing a quality governance strategy?
Recognizable brands, companies that collect sensitive customer data, and organizations that support critical infrastructure are all huge targets for cyberattacks. But all organizations should be concerned, regardless of size or industry. At the end of the day, good governance is simply good business practice.
Talking about the cybersecurity of individual users, which safety measures are essential?
The basics of cybersecurity haven’t changed: train your staff, inventory your systems, update your devices, test your controls, and validate your evidence.
Would you like to share what’s next for Quantivate?
Quantivate is focused on the next generation of governance, risk, and compliance solutions. This year, we’ll be rolling out enhanced reporting and dashboard features for our GRC software platform to help users quickly make data-driven business decisions. Intuitive report creation, modification, and output capabilities support better program visibility and analytics, giving executives and other decision-makers an easy-to-digest view of their organization’s risk and compliance information.
Through these and other enhancements, Quantivate is providing a pathway to streamlined GRC management, lower costs, and greater efficiency and security. We're invested in the long-term success of banks, credit unions, and mortgage lenders as they grow and mature their management capabilities.