#27 Balancing business risk and digital opportunity through the CMO’s eyes

KRISTINA PODNAR, HOST: Welcome to the Power of Digital Policy! My geek meter hit a 10 when Gina Hortatsos agreed to speak with me today. Gina is the CMO of LogicGate, a governance risk and compliance solution that is cloud-based and combines functionality to engage enterprise GRC programs. Right there, you're probably getting a handful of my favorite word's so absolutely delighted to welcome Gina! Gina, thanks for taking the time to speak with me today.

GINA HORTATSOS, GUEST: Well, thanks for having me, and as a fellow geek, I am very excited about our conversation today.

KRISTINA: It is somebody said to me, make sure you let go of her on time because otherwise, you could probably spend a whole day interviewing or and I think there are right. I have so many questions for you. Well, let's start with a really fundamental one. Can you actually tell me a little bit about your background and tell us a little bit about LogicGate and what is so unique about what you do in the GRC space?

GINA: Sure. I've been an enterprise software marketer for most of my career, my career path veered in various disciplines in marketing, but it started off in athlete statistical analysis. So my background is rooted in using data to understand markets, to understand buyers, and then to interpret that data in order to maximize results and reach demand, creation from a long time back and over the years as I kind of built my career developed a really firm understanding for the power of the brand and the sort of harmony and synchronicity a brand and demand to provide a beautiful customer experience that makes future customers and customers excited to partner with the companies that I work for. So, I am a sort of a data-driven marketer, but I also love the psychology side of how people are motivated. What makes them want to seek out partnerships with tech providers and what makes those tech providers sort of win the battle of that customer's mind and heart, and I'm very excited to be applying those philosophies to LogicGate. LogicGate is about almost six years old as a company, and you know, the GRC space has been around for decades. If you look at my LinkedIn profile, I spent some time at very large enterprise software companies that had GRC practices. So even a decade ago, I was marketing GRC software. So it's a very well-known problem. It is a very large market, but the way that LogicGate is approaching. It is very different in a much more agile way and in a way that allows companies that may not have had millions of dollars to invest in a giant, monolithic system to invest in a system that still has a lot of still allows them to do all of the things that's need to do to build processes and manage processes for whatever type of risk they need to look at with just one solution instead of having to buy a giant system or buy a bunch of small point solutions that each point at one or two use cases. So we're very excited. Our customers are our run the gamut all industries, all business sizes, but kind of unified or mount around and one philosophy, which is there should be a better way of managing governance risk and compliance because risk management is everyone's business. It's not just the purview of risk managers anymore, front office employees such as myself need to make risk-based decisions almost every day, and we definitely need enabling technology to allow us to understand, quantify and prioritize the risk that we necessarily have to take every day to run our business. So that's what LogicGate provides for our customers, and it's really fun to be a part of it.

KRISTINA: That's great. And can you just differentiate for listeners a key aspect here: what's the difference between GRC and ESC? I think a lot of people get those two confused ESC meaning environmental social and corporate governance. So, how do those two relate, and how do they differ?

GINA: Yeah, GRC, governance risk and compliance is the overarching practice, and ESC is one of the pillars or one of the types of risk that companies have to manage, so underneath the umbrella of governance risk and compliance includes ESC, but it also includes things like incident management, third-party risk management, cybersecurity risk, other operational risks, like, for example, making sure that if you operate a factory, if somebody gets hurt, what is the protocol for making sure that that employee is safe and that you have everything you need to protect your business and to protect that employee. So GRC, the reason that market is so huge, I was reading an analyst report the other day that indicated that the GRC space, if you include technology services and content, is over a hundred billion dollars. The reason it's so huge is that there are so many risks that companies have to go grapple with, and the volume, variety, and velocity of those risks seem to increase almost every month.

KRISTINA: And what are the key areas sort of inside of that GRC space that you're seeing create friction and risk for the organization. What are the biggest like three drivers right now?

GINA: Well, obviously, COVID has knocked the entire world for the loop and in the GRC space is no different. We definitely saw a lot of people come to us to talk to us about managing their business continuity practices. The fact that everybody is now working from home brought a whole new flavor of cybersecurity and physical device management, and then just the increased globalization and the rise of the cloud, all of these things means that we are working with more people to get our businesses running than ever before and with each new service provider, with each new contractor, whether they provide services to fix your furnace or if they are your CRM provider, each one of those providers comes with a set of risks and a set of controls that you have to employ in order to make sure that they have enough of what they need to do their job for you but that you are also protecting your company from any harm from them in case there's a bad operator or security breach of some sort.

KRISTINA: And so, who are the traditional players in the enterprise? You mentioned a few minutes ago that everybody's pretty much impacted from a GRC perspective, but who are the traditional players, and how do you see that change, especially with digital, the cloud, just all of these new capabilities really coming to the surface?

GINA: Yeah, the traditional players, risk management functions have existed in companies for a really long time. They typically sit in the operations team, maybe the legal team, increasingly, there are risk management professionals that roll up to the CIO because the CIO typically has big purview over cyber risk and IT risk management, but we see more and more, is that non-risk management professionals are included as part of the decision-making process. So we're working with one company right now who is actually working with us to help with making sure that the advertising that they write passes certain regulatory compliance there in a regulated industry, and they actually need a risk management process for their marketing department. So I am working directly with the marketers at this potential customer to talk through what that process could look like. So these front-office employees who may be here to for just kind of took a very cursory view of risk in the form of you know, okay. I've got to sign this employee handbook for this attestation that I took some kind of training. The forward-thinking ones are really thinking about risk management as a discipline within the specific business unit and not only can they how do they actually better understand the risk that their department or their business unit maybe poses to the organization, but how do they actually view that risk and analyze that risk in such a way that allows them to make better and more strategic decisions for their companies. So we're definitely seeing more people from outside the audit department, outside the traditional risk management department as part of these buying processes, and I think that's a really good thing because just like, you know, in the old days where IT used to buy all the systems and then like shove them down the business units, the user's throats and then wonder why the business units weren't adopting it so goes with this, if you're a risk manager and your job is to make sure that, for example, the marketing department doesn't get in trouble for writing bad advertising, you actually have to work with those marketers. You have to understand how they build their processes. How they make decisions and then use that information to find a system that can enable the work that they need to.

KRISTINA: Tell us a little bit about how that happens tactically, you have this process around what is allowed or what's not allowed in the advertising space, for example, by marketers. How does that manifest itself in the software? What are we actually looking for? What are we actually doing? How is this software enabling people?

GINA: Sure. I think to answer that question; it helps to maybe provide a compare and contrast before and after. Sure, so without any enabling technology, whether it's LogicGate or someone else before, the before picture often looks like a process drawn with squares and circles and arrows on a whiteboard or on a notebook or in a PowerPoint presentation and says, okay, we have an obligation for making sure that certain regulations and certain rules are followed in order for our advertising to not draw fines or penalties. And so, the process flow literally looks like a higher agency to write ad copy, send ad copy to a certain consultant or legal team member for review, if that if not reverted within a week, then you have to ping that person again to get them to look at your stuff because you're on deadline because you have to actually like build the creative around the ad you can't have the ad without the copy. So the process follows its way through, but if you have no enabling technology, that process is executed via spreadsheet, via email, via Slack message, and if you're like anyone else and have a million different things to do and your only job is not to manage this process, but it is, in fact, to run the entire advertising budget for your marketing department, in short order you're going to be losing your mind. You are going to be in a very bad place because that process is error-prone; you can forget a step and then, you know can't remember where you left off and so without process workflow that's enabled by technology that can do a lot of those tasks quite frankly for you. If you automate those tasks in a system, like LogicGate, then you can actually build the process in the system, assign the right people to it, assign dates, upload documentation and press go in the system advances it for you the system notifies people when a certain time limit has been breached, and they need to pay attention to something, the system makes sure that people are followed up with and that the process steps are not skipped instead of a human so such a more efficient and effective way to work. It takes so much of the like mental burden off of people. I don't know about you, but I have a to-do list as long as my arm, and the stuff that I had dreaded the most is often the stuff that would probably only take me a few minutes, but it takes so much mine space because it is one of those things that yes, the task itself would only take me five minutes, but make sure to remember that if that person that is, the task that I had to complete was pinging another person that person didn't reply that I'd have to remember to do it again or I'd have to remember put a calendar invite for example to remind myself to remind that other person. So it's really about supercharging the processes that the customer has. I also think with any enabling technology, the ability to make sure that the technology can mold to the process and not that you have to mold your process to the technology is also so critically important. The process development has to come; first, the process development has to be reflective of the specific business needs, the specific rules, and the specific human being who are involved in that process and own critical steps. And if you try to bring in an enabling tech that isn't agile and that doesn't allow for each of those process steps to be built in the way that the business originally architected that it really messes with adoption, and the process itself will not operate as efficiently, and therefore the people that are owning those process will not operate as efficiently.

KRISTINA: Now you're making me grin from ear to ear, you're singing my song here because you're really talking about solving the business problem and you have the technology, but oftentimes I talk to vendors, and they're all about the technology which is great. You're proud of what you've built and what you have to offer, but I think recognizing that you're in the business of trying to solve a business problem and the technology can lend to that solution rather than lead with technology first is such a critical aspect. So like I said, making me grin from ear to ear. I have a question for you because here's the thing as someone who's worked in the digital policy space for many years; I've written a book obviously on the topic; what drives me crazy the most is when I see organizations that only focus on risk and compliance, especially when they put risk and compliance into the legal or compliance department and that's where it lives, and it only lives there. So my question for you really is around where has the opportunity gone or was it never even at the party for a lot of folks. Do you see that people are sort of flipping the conversation on its head and we're not just talking about risk and compliance but rather the opportunities that we can insert into the process and I was thinking about this as you were talking because I thought well, you know when you're going through a process such as getting advertising copy created, signed off, approved, yadda yadda yadda yadda through the marketing process, , yeah, it's all about compliance and it's all about ensuring that you minimized risk, but there's also opportunity both in the process and in the software if you can actually flip that on its head and have software take care of processes or get sign off on things that are redundant over and over again for the same type of content and only call out when there's an exception? Does that speed up the process? Can we actually build such processes into the organization?

GINA: The answer is yes, and I think it goes back to what we were talking about earlier where there's more front-office engagement in risk management than ever before and regardless of why that's happening. I think COVID set it up a little bit. I believe that it is very good. I do, and we have observed that obviously being able to manage risk in your organization and investing in technology to do that, the first gains are obviously efficiency people still buy GRC technology of any stripe with the first impetus of wanting to avoid pain, wanting to avoid fine, not wanting to be the next front-page headline for a data breach. The pivotal point is you buy for that pain, which is completely understandable. It is a pain that's in front of you and, quite frankly, is the pain that will get you the budget to buy technology in the first place. The opportunity tends to come later, and the opportunity is in, I mean, there are a million analogies around, you gotta take the risk to get ahead. You can't make an omelet without breaking eggs, obviously using risk to make smart strategic decisions is something that everybody thinks that they do, but unless you actually have a true handle on what your risk posture is, you don't have all the information that you could yield in order to make a good decision. So what I think about risk management as a discipline for a marketing leader, risk management as a discipline for a sales leader, for the manager on the manufacturing floor or someone in operations, the way that our customers are starting to talk to us about it is really couched in the promise of, wow, we've now got all of our risks in one place, and we had can actually aggregate those risks, better prioritize them, better see a holistic view of all of our risk. So now that we have much better and more comprehensive information about the total gamut of risk that we face, we can now make better, more strategic decisions not only to your point on saving people time because if you have a better-aggregated view of all your risk and that prioritizes properly, you can then take action that will be you know, 80% of the problem can be solved by 20% of the effort but it also creates opportunity in the area of making better more strategic risk, taking a better more strategic risk, making those decisions with a lot more confidence and therefore building more loyalty from your customer base, making your board more confident in the decisions that you make and of course never getting on the first page of the newspaper because you have suffered a data breach. So, you know just the market dynamics really are about avoiding that pain at first blush, but my own experience and I wrote about this in a blog, when I got hit over the head with GDPR, and it really was a clobbering at the time, it was presented to me as this law just passed, we do a lot of business in Europe. We have to determine if we are actually allowed if we're putting the right protocols in place to even market to anyone in Europe, and it had me shaking in my boots because, quite frankly, I owned a very large pipeline number to generate pipeline in Europe. We had just stood up a very sizable sales team in a new area in Europe, and we had to feed those sellers with pipeline and when GDPR past we felt paralyzed, so my pain at the time was I've got to figure out the quickest, most efficient path to ensuring that the data that we have on our European prospects and customers is it follows the letter of the law from a GDPR perspective and so the project actually became a month-long project cross-functional project with people from sales and legal and operations and it and it was the first couple weeks was, you know, sort of dread and fear because we were afraid of making a mistake, the law itself was huge and unwieldy and written in a very vague way that people might like me had a really hard time interpreting. So we needed to get help with that. But after about a couple of weeks, when we really started to dig in, I started thinking, you know what this is about? This is about the fact and the reality and my philosophy that we don't want to talk to people who don't want to talk to us. So they have a letter of you know, the letter of the law, GDPR was one thing, but the overarching ethos that I'd kind of developed was why we would want to market to anybody who actually doesn't want to hear from us? And why would we actually want to send messages to people who are either not ready to hear them or have no desire to hear them? So let's use this as an opportunity to take a good hard look at the way that we segment our data, the content that we offer to these people, and really listen to them. Listen to that market on what they want to hear from us in a much more comprehensive way. So that became my opportunity. The other opportunity that it presented me was the ability, for the first time in my entire career, really to work in a cross-functional team like that and really understand how the risk posture that marketing brought to the table with regard to GDPR compliance was linked to the strategic operational and financial risk of the overall business. I gained a lot of friendships as part of that process. I learned so much more about how corporations operated, so from a career booster perspective for me, that was also gold. It's almost weird to think about how much I enjoyed the process of complying with GDPR!

KRISTINA: That like that's why you're such a geek, see…

GINA: Yes. Exactly. There's the geek of me coming out again.

KRISTINA: I love that. I love that, but you're pointing back to a really key issue which is: you can have a lot of processes throughout the enterprise, you can capture risk, you can capture compliance issues, but somebody needs to have an end-to-end view of the entire portfolio be able to make decisions around the portfolio, how does that work generally in enterprises?

GINA: Well, it generally doesn't work very well within enterprises; risk management in a silo is the most common thing that we see. Risk management operated via email and spreadsheets, and one person over here owns risk process, another person over there owns a risk process and who never talk to each other is what we see very often and quite frankly, it's one of the reasons that people come to us in the first place. Because the system that we offer allows companies to aggregate multiple risks in one place, let me give you an example. We are working with a customer about a year ago who came to us, and their main issue was privacy management. They were trying to make their processes more efficient for privacy management at the beginning of the year, California passed the CCPA, the California Consumer Privacy Act, which was a version of GDPR, right? It had that follow the same spirit where if you're a human being that gets emails, you don't want to anymore. There's a lot of protection around your data, and the companies that market to you have to prove that they have an ability to erase you and that they are managing your data, your personal information in the proper way. So we were talking to this customer about the under the hood stuff, how our product was architected. They wanted to know they wanted to understand, and the reason that they wanted to understand it was because they had just finished a very painful cycle within one team. There is like I think maybe ten risk managers on this team, and there was one risk manager that was owning the process management for GDPR are there was another person that was managing the process for compliance with CCPA, and they didn't know that what each other was doing necessarily, was a large global organization with a very geographically distributed team. So these people didn't really sync up on what they were doing. But as it turns out about there's about 80 percent overlap, according to their estimation, about 80 percent overlap between evidence and documentation that was satisfied GDPR criteria and evidence and documentation and process and workflows that would satisfy CCPA. And so if they'd only known up front they could actually a build the process that could have complied with both with very little overlap and saved literally hundreds of human hours of time. So risk management often happens in a silo; companies are losing their appetite for that because they recognize the interconnectedness of risk. Gartner talks about integrated risk management partly because of this phenomenon and because of the fact that everybody hates to do duplicative work, and it's one of those things where you kind of shake your head, and you say we're in 2020. how is it that we have scenarios like this still, which is you know, I've got a risk manager over here, risk manager over there? They could actually blend their work and save 80% of the time. Well, it's because the way that the ecosystem has grown up and the way that the technology has grown up in the way these businesses have grown up in terms of operating the risk management functions lends itself to a siloed approach. And so companies are losing their appetite for that. I do think that COVID is actually kind of a forcing function for good; you would think that companies would be more silent with everybody at home. But because we all have this shared experience of everybody working from home. They're finding ways to connect, and they're looking at ways to operate; they don't have a physical building to lean on right now. And so we actually see more talk tracks from our customers, and potential customers around this notion of "this have got to stop." There's absolutely no reason in 2020, with all the technologies out there, that we should be operating in this siloed way anymore. So I think that that's a good thing. I think the ability to aggregate all risk in one place so that for example, the CEO and the CEO has to go to the board meeting and represent the company's risk posture to the board. It saves a lot of work if you can look at it at the departmental level for just your area that is also a win and then there were managers to you know you can sleep better at night. Because it's really hard to be a risk manager and know that your process for managing risk is in itself risky, so having all that in one place, not operating in the silo, is a win for the business and a win for the people who are actually trying to manage these processes.

KRISTINA: I'm cheering you on over here. I have my pom-poms out, and I'm saying yes, preach it. This is absolutely spot-on. I think not just with how I see the world but really what I'm seeing with clients and what clients are talking about and so, you know, one of the things that you alluded to we is it's not enough to have a GRC tool, you do have to solve the people issues, and I'm wondering what the things that you're seeing working the best in terms of the change management inside of enterprises are. What's actually getting people to change beyond just, it's a pandemic, and we're able to see clearer now?

GINA: It has to start with the whiteboard piece. You can't walk in the door and throw your software over the fence. Even if it's very intuitive and easy to use and plug it in and say, you know, best of luck, super easy, you'll totally get, its drag and drop and call it good. You have to actually sit down with these people understand what their current processes and if they don't have, one step is to build one, and it oftentimes does take the form of a whiteboard and asking really deep and rich questions about the people who are involved if there are any external parties involved. So, for example, the process of managing third-party risk needs to involve sending questionnaires to those third parties that they then have to answer to satisfy the criteria for working with you. And so and your change management needs to happen upfront, and it needs to happen organically by sitting in the customer's seat, understanding where they are and meeting them where they are, and not shoving the technology down their throat until you actually have a process that's already documented signed off on by all stakeholders and then can be rebuilt without them than seeing it in the system and going I I have no idea what this even is, and that's when you get paralyzed. So we believe that change management does not start with the installation of the software and that half-day training you have to always kind of suffer through but that the conversation happens at the very beginning and includes conversations around some of the hard stuff like, do you have people in your organization that are allergic to new technology, do you have a system in your organization that Ernie has owned for the past 15 years and would feel threatened if you actually got rid of it, we have ways of talking to our customers that help them deal with those, address those issues. But at the end of the day, we're human beings trying to provide a solution to a problem that other human beings have your earlier point, it's not just about out we built this cool thing, and we're selling you this cool thing, but we are measured on the success of our customers a hundred percent and if they don't feel like they're getting a true business partner as part of their engagement with us, then what's the point? Anybody can build software but building those relationships, building that trust, and asking those key questions and being able to stare some of those heady issues in the face is something that I believe regardless, whether it's LogicGate or any other companies, but you have to do to be successful.

KRISTINA: I don't even know that there is a way to solve this. So I'm just going to ask you for your thoughts, understanding that there might not be an answer out there, but I'm reflecting more so on what you said a few minutes ago around GDPR and CCPA and the opportunity to gain efficiencies. What are the challenges that I see over and over again is organizations our tooling themselves to minimize the risk of increase compliance first with GDPR, now a CCPA? Nobody ever talked about Nevada last October. I'm not sure why that's my first question to folks is what about Nevada? Did you skip over it? You know, we have LGPD coming up in Brazil next year, POPI Act in South Africa is kind of been adopted, kind of not, so it how does somebody, let's say on digital operations or digital marketing team, deal with the fact that there's constantly evolving privacy regulations. They just went through two waves of adoption. There's more coming at them. There are things like data localization laws based on artificial boundaries that don't apply to the web right. I mean, we don't put an artificial boundary on the web. So what are you doing to help organizations can even help organizations overcome those issues? You know, how do they leverage your services and tools, or is that just a problem of our times and not solvable?

GINA: It a combination of both. Will we ever be able to crack the nut on an instant notification powered by AI that you have to pay attention to this regulation because your business rules and the way you operate requires that you look at this law? Boy, I hope so; in the meantime, when I mentioned earlier that I was doing some research on GRC market sizing and many analysts separate the GRC market into technology services and content, that last piece content. There are many frameworks out there and many providers of content that allow companies to not have to take you know hundreds of pages of GDPR law and have to translate it into what does it mean for the marketing department? What does it mean for operations? Was it mean for sales? They actually do that work for you. So, there are frameworks like NIST Cyber Security Framework that boil down these laws and regulations into the questions you have to ask your business, and the documentation evidence you have to supply to satisfy those requirements and I believe that part of the issue can be solved by the use of the content by these frameworks in order to bump up a new regulation against what your business has to do from an operational perspective. We've seen customers that employ people who all they do, especially in industry highly regulated industries like financial services and insurance. We're literally, if you're a global financial services business, its hundreds of new regulations come off the truck every month globally, and there are people whose only job is to look at these reviews and figure out if they have to pay attention to them. So I think it's a combination of as a marketer working closely with your IT and risk management and legal teams to stay abreast of regulatory compliance splashes and also use it working with those people to look at different frameworks that you could utilize that take some of that manual and interpretation out of the equation that the framework does for you. It is very difficult. Like I said, the volume, variety, and velocity of risks and regulations in order to address those risks and increases all the time, and it's not going to slow down. I do believe that artificial intelligence-powered solutions are probably the frontier, the latest frontier and trying to solve for this very real, very relevant, and very painful phenomenon and that there are companies out there that are yeah, I believe our kind of dipping their toe in but no one has solved it yet. And just when they do, I'm sure something else will pop up.

KRISTINA: That's actually how it always goes. Doesn't it? Well, Gina, thank you so much for taking the time out of your day to come to hang out. Definitely enlightening. Certainly I learned a lot from you today, and I have to say that I was hoping to just hit that ten on my geek meter, but I think we've gone past the ten, at least to an 11. So, thanks for that.