Anthony Stevens, 6clicks: “old school methodologies and legacy GRC systems are not just archaic, but dangerous”
In the age of frequent cyberattacks, having a detailed response plan in case of an emergency is essential for any organization.
The recent incidents just go on to show that there is no room for the “ignorance is bliss” mindset when it comes to cybersecurity. With ransomware, fraud, and data breaches hitting the news almost every day, keeping up with compliance regulations and conducting regular risk assessments are a must for every organization. After all, it is their own customers’ data that is on the line.
To talk about the ins and outs of information security, we invited Anthony Stevens, the CEO of 6clicks – a company seeking to redefine how companies approach compliance, risk management, and risk assessment.
How did the idea of 6clicks come to life? What was your journey like throughout the years?
It's not that we are ungrateful for the nearly 2 decades of the current GRC process, business globally has just outgrown it, so old school methodologies and legacy systems are not just archaic, but dangerous. With many of them being either not smart enough, or too difficult to use.
Sadly, many organizations have failed in their approach to GRC due to indifference or have simply been unaware of how to tackle these activities appropriately. Many of you don’t need a minute to remember a company you know or worked for, who knew that many risks were headed their way, yet spent most of its time fleeing this truth. Or think of a business that had good intentions toward risk and cybersecurity concerns, yet mistakenly worried about the wrong ones.
You’ve already thought of one.
The cracks have formed, even for the biggest of companies, so instead of watching its impending capitulation, we decided to do something about it.
Starting in the home office (garage) with three people soon became 10 in a “proper office” (if there is such a thing anymore). Then, we blinked and before we knew it, we had no other choice but to expand globally to meet demand. It was incredible. Since its foundation, our little engine quickly grew into an unstoppable steam train.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Broadly, our platform provides advisors and enterprises with a 360° contextual awareness of integrated GRC using our unique Hub & Spoke™ architecture. Meaning, you can view and manage all your autonomous GRC programs in one single integrated platform.
We give advisors innovation to scale their service delivery and organizations a solution to immediately save enormous amounts of time and money.
It is the perfect interplay of content and functionality. All underpinned by Hailey, our AI engine.
Sounds like a lot but we should highlight the challenge. Failed implementations are all around us. From regulatory compliance, cyber, and information security to third-party, incident response, and project risk management – headlines hit us every day with stories that no company wants their name associated with.
Sticking to cyber and information security though (for obvious reasons), 2021 was a barnstorm for regulators. I don’t know if we can say “post-pandemic” yet, but it’s something like that. They are mercilessly catching up.
Criminals are not concerned with borders or jurisdictions. Yet businesses are faced with an increasingly complex system of regulations and rules.
Many of the regulations are totally necessary of course, yet can be fragmented.
So these conflicting priorities and costs for companies, you guessed it, can weaken defense mechanisms.
Then fold in budgetary boundaries, you not only have to defend and protect against attacks but also comply with complex regulations at the same time. It’s enough to make a cat laugh.
So, it’s no surprise that it has been rocketed to the top of the board agenda in many companies.
How is AI incorporated into the 6clicks platform?
Hailey is our superstar. We launched our AI research and development division in January 2020. We had already begun work on building AI specifically for risk and compliance practitioners prior, but it was then that we realized exactly how powerful it could be, so we went full steam ahead.
To be clear, Hailey isn’t just an AI and ML ‘tool’ to complete mundane tasks, she literally underpins our entire operating system, she lives inside all of us here.
GRC processes are traditionally extremely costly, in terms of finances and time. Hailey helps eliminate all of that.
There are two main components to Hailey. The first is the provision to provide a mapping between compliance obligations or, in other words, crosswalk compliance. We know many regulations overlap, whether they be sector, industry, or jurisdiction-specific.
Hailey identifies (within seconds) similarities between them, therefore making it easier for companies to be compliant with, say, ‘regulation A’, but then very quickly identifying the extent to which they are compliant with ‘regulation B’.
Conservatively, we publicize a 14x time saving here.
The second is policy/control set to authority gap analysis. This is where Hailey took a huge step toward truly automating GRC across the board. Identifying the coverage a control set or policy has in relation to a standard.
It is the world’s first control set/policy compliance mapper.
With 6clicks, you can automatically and quickly identify areas of compliance and non-compliance against standards, laws, and regulations using Hailey’s mapping capability.
Do you think the pandemic affected the way people perceive cybersecurity?
Without a doubt. There’s nothing like a good disruption to expose the shifting sands. The global workforce was distressed and discombobulated and the cyber and infosec dangers of the remote workforce were pounced upon by criminals mercilessly.
Breach headlines went into overdrive and cyber was pushed to the top of the board agenda, and rightly so. The pandemic just accelerated that this is now a board imperative. The CEO is responsible, the board is accountable.
I will say that cyber and infosec were gaining though, a pre-covid milestone. Businesses were becoming aware that relying on an IT team they bolted onto the side of their operations and treated like an island was not a way forward, and that the reality is that there will be breaches. Cyber resilience was a relatively new mindset with messages like ‘prepare, detect, respond, recover’ being made into models by thought leaders everywhere.
But the Covid-19 milestone had an impact on the threat landscape itself. It quickly became much easier for criminals to carry out malicious activity. Residential networks that didn’t have the support of systems and controls became a massive issue that made its way into the minds and behaviors of frontline staff like never before. Likewise into the minds of network security architects.
Then feed in the legislative landscape around the world now with regulations, laws, and business drivers, etc. growing exponentially like we touched on before. It’s all feeding into a changed perception now.
What issues can an organization run into if it doesn’t have appropriate risk management platforms in place?
For the purposes of your audience, I’ll stick to cyber. Thankfully, cyber risk is an area that businesses are becoming increasingly aware of.
Cyber risk and its impact is underpinned by a number of other business risks, such as operational, financial, or compliance standards. Understanding cyber risk and how it impacts your business can allow you to protect yourself against cyberattacks, reduce the impact of cyberattacks when they do occur, and manage the cybersecurity policy in line with regulations and industry best practice guidelines that you need to adhere to.
Depending on the type of attack, the impact could lie in a number of areas. From operational and reputational damage to financial loss and even penalization from a regulatory and compliance standpoint.
It is therefore essential that cyber risk management plans are in place to not just mitigate the ensuing cyber risks but also to map out an effective cyber response plan in case things do go awry. A cyber response plan must also be ready for cyberattacks which might involve financial fraud, data loss, and privacy violations. This will ensure that the steps taken by the relevant authorities promptly address the situation.
As a result, it is essential that organizations invest not only time but money into cybersecurity and cyber risk management solutions to give themselves the best chance possible to detect, respond, and recover.
In your opinion, why do certain companies still fail to recognize the necessity of regular compliance audits?
Perhaps willful ignorance, perhaps an innocent lack of awareness. Who knows.
I think it is fair to say that one of the most frightening and not talked about issues with compliance and regulatory content is that, in my view, many organizations that (whether they admit it or not) do not know what compliance obligations they should be compliant with, in the first place.
Understandable, but frightening nonetheless. Certainly, given that the Charted IAA placed changes in laws and regulations in second place in their top risks for 2022.
Cyber and data security are number 1.
Then, on top of that, the ACA group predicts 62% of compliance budgets are set to remain flat with no change at all in 2022. Figure that one out.
Which industries do you think should be especially concerned with maintaining compliance?
I don’t mean to be terse, but here at 6clicks we designed an operating system for risk and compliance that is industry agnostic for a very good reason, and that is, all industries should be especially concerned with maintaining compliance.
Talking about the cybersecurity of individual users, what safety measures do you think everyone should have installed?
It is crucial to get your basics right as well as implement mandatory training for employees on securing their networks. It is rightly said, culture eats strategy for breakfast. Taking the time to train your staff and instill the right behaviors can go a long way. Even if you have the best tools and your technology is all in place, if your staff is not trained well, your tech won't be used effectively.
You must perform risk assessments on a regular basis. Adopting GRC tech solutions to monitor and mitigate your organization’s risk is a highly crucial step.
Scale-up Multi-factor Authentication. IBM produced a report in 2018 that looked back at a decade of attacks. It showed that two-factor or multi-factor authentication and the use of password managers alone would have prevented close to 80% of attacks that occurred over that period.
Implement a Zero-Trust paradigm by providing access to data or applications only to authenticated users.
Your organization must develop an incident response plan and must keep it updated to address changing threats and industry technological developments.
Always review your supply chain partners and your third-party service providers.
Would you like to share what’s next for 6clicks?
We’re really excited about the reporting and analytics suite which is out very soon. We will be the only platform that enables advisors and enterprises to extract transformational value from their GRC software.
We combine dashboards, custom reporting, and data storytelling we call LiveDocs™ into a single, integrated solution.
It is an entire reporting and analytical experience. There will be pre-built and self-service capability, alert-based distribution, automated signals and insights, dynamic presentations, public and private sharing, and team-based collaboration.
It will soon be the clear market leader in GRC analytics.