ITSPmagazine Podcasts

Achieving Compliance in the Cloud through Continuous Controls Monitoring (CCM) | 7 Minutes on ITSPmagazine | A RegScale Short Brand Story with Travis Howerton

Episode Summary

Learn how RegScale's continuous controls monitoring (CCM) platform accelerates GRC outcomes at a lower cost, powered by CCM automation engines that efficiently bridge security, risk, and compliance, while its AI tools eliminate the manual corrosion that often stalls GRC programs.

Episode Notes

With the rapid pace of cloud adoption, less time is spent ensuring that systems are built and operated effectively and with proper cyber hygiene. As a result, continuous controls monitoring (CCM) has emerged as indispensable for ensuring both security and regulatory compliance. Travis will discuss how CCM: transforms reactive security measures into a proactive stance; strengthens security protocols and embeds compliance within cloud operations; and streamlines the protection of digital assets in an ever-evolving landscape.

With systems becoming increasingly cloud-native and ephemeral, manual approaches no longer work, can’t scale, and are not timely enough to manage risk. Continuous Controls Monitoring (CCM) is needed to allow cloud adoption in highly regulated industries without sacrificing security. The speed of the cloud, AI development, and digital transformation is quickly reaching a point where human-based risk and compliance business processes cannot keep up. A modern, compliance-as-code approach is needed via CCM platforms to ensure risk and compliance processes can execute in real-time to keep pace with modern cloud technology.

Embrace compliance-as-code to allow business processes to execute at machine speed, generate self-updating paperwork, and leverage AI and mini-robot automations to validate and assess the results. Consider more sophisticated DevOps approaches leveraging CI/CD software factories to push security from code to cloud. The new CCM approach is to shift security processes left across every layer of the application lifecycle.

Learn more about RegScale: https://itspm.ag/regscaksfb

Note: This story contains promotional content.

Guest: Travis Howerton, Co-Founder and CEO, RegScale, [@RegScale]

On LinkedIn | https://www.linkedin.com/in/travishowerton/

Resources

Learn more and catch more stories from RegScale: https://www.itspmagazine.com/directory/regscale

Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/

Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Achieving Compliance in the Cloud through Continuous Controls Monitoring (CCM) | 7 Minutes on ITSPmagazine | A RegScale Short Brand Story with Travis Howerton

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are, we're ready for another seven minutes on ITSP Magazine with a new short brand story. Today I'm joined by Travis Howerton, CEO and co-founder of RegScale, a company bringing to life a continuous controls monitoring platform designed to accelerate GRC outcomes at a lower cost by efficiently bridging security, risk, and compliance, a space that I love.

Travis, I'm thrilled to have you on.

Travis Howerton: Yeah. Thanks for having us, Sean. We're, we're excited to be here.

Sean Martin: Good stuff. So let's, uh, let's start with, I mean, GRC and that whole space has been around for a while. What, what prompted you to tackle this with the founding of a new company? What was the core problem you're looking to solve here?

Travis Howerton: It's a problem. We actually get quite a bit where people ask, why did you start with the platforms in what are the most boring spaces in the world, which is compliance, right? But we were just kind of the 2014, 2015 time frame looking at what's going to change in the world of compliance going forward. And so [00:01:00] people had existing GRC tools.

But when you look at the cloud native world in 2030, where everything's going to be cloud, um, increasingly ephemeral, serverless, um, these legacy tools just aren't built for that. At the same time, when you look at the growing regulatory burden, what I call the cyber Oprah effect, which is every day there's a new framework we're dealing with.

Uh, CMMC, the European laws, privacy. So the scope is just growing and Moore's law was going to continue unabated. And so as a former sort of national security practitioner, who's used most of the, the big legacy GRC tools, we were just looking at it going, whose GRC program is built to basically hit a moving target at twice the scope at four to eight times the speed, and we couldn't find anybody who was built for that.

And so we thought that's when we got the [00:02:00] idea for continuous controls monitoring and doing something different.

Sean Martin: And I'm excited to get into it because the, I mean, looking back over time, very resource, resource intensive, and a lot of data that is not always up to date and accurate and maybe biased depending on who provides the information at some point.

Um, so I like this idea of embedded continuous monitoring and I'm probably not doing it justice. So talk to me a bit about how you approach the problem with a solution that brings things to a productive measure that it can be continuous.

Travis Howerton: Sure. So the, uh, we just started by doing something technically very, very different.

And so the outcomes are the same. We're not changing GRC outcomes because they're the right outcomes. You want to be compliant. You want to manage your risk. You want to govern your program. Well, we just wanted to do it in a way that's more technology forward, and it was more automated. 'Cause, to your [00:03:00] point, most of these things are just insanely manual.

And so for us, it starts with a foundation of compliance as code. So getting out of static Word and Excel documents that are out of date the moment they're written to something that's machine writable, machine readable, that's constantly kept up to date. Then we want to wrap it in over a thousand APIs and a graph so we can communicate with the outside world.

Why make machines go update all this? Why make humans go update all this paperwork? Let's just let the machines attest to their own state. Then let's layer AI on top of that, so we can look at all this data coming in at speed, and say, what should we do? Where should we focus our humans to get the best risk outcome?

And get it done out of having to be human gophers, where they're out chasing down information, trying to collect evidence, writing control statements. We can use AI and those things for that. And so, um, that's what we set out to do. And then we wanted to bridge the worlds of security, risk, and compliance for the first time. [00:04:00]

So whether you're getting your controls from a regulation, whether you've got policies that are driving operational controls you need to run your business, or whether your controls come from risk programs where you're doing, you're modeling your assets against the threats they're exposed to, figuring out what risks you have and then putting controls in place.

At the end of the day, you've got a set of controls that are mission critical to your business. How do you make sure they're always running, always up to date, effective and self-documenting? That's what we do in continuous controls monitoring. That's different from GRC. So same outcomes, just dramatically different technology.

Sean Martin: And talk to me about transparency and reporting, because those are big, big parts, right? Internally, what are we doing? And are we doing it in line with our standards or ethics or the way we run our business? And then externally, do we do it in line with the SOC 2s or HIPAAs or whatever else we have to abide by?

Travis Howerton: Yeah. So there's sort of a life cycle you go [00:05:00] through and we automate every step of it. And it starts with your attestation and it doesn't matter whether you're making an attestation to your board or to a regulator, you're saying, here's what we're doing to meet this control. Then you've got to collect evidence to prove you're doing it.

'Cause nobody believes you in this world. And then you've got to assess it and say, is this fair and reasonable, and then you're going to have problems. So you've got to fix them. And then every step of the way, you're making risk based decisions about what you will or won't do, what you can afford, what the technology will allow.

And then as you make those decisions, those governance steps need to be traceable for regulatory, internal audit and other purposes. So we just try to provide best-in-class automation and tooling in every one of those steps that just pulls time, money and pain out of the process.

Sean Martin: And I'm curious, um, the outcomes you said are the same, right?

You're working toward the same goal. Yep. Um, I would imagine it was certainly the technology and the processes changed, the communication changed with folks as [00:06:00] well. Absolutely. The CCM.

Travis Howerton: It used to be we'd manage all this stuff in these big documents and Excel spreadsheets. Then the world of ITIL came along and then the world of security operation centers and real time incident response came along.

What we've tried to do is thread all those things together. So we plug and play with all the scanners and hyperscalers. We update your documentation in real time. We assign tickets to engineers to fix it in Jira or ServiceNow or think an ITIL tool. And we keep all that traceable in real time with automation.

So the work hasn't really changed. We're just trying to break down the silos between them and use automation to get rid of the painful handoffs that you used to see between all these things, and all that heavy manual entry that went into it. So we want to give auditors, um, their weekends back, make it easier on IT professionals to modernize and just get rid of the pain of these legacy GRC tools.

Sean Martin: Fantastic. Well, Travis, thank you for joining me, helping customers, [00:07:00] uh, eliminate that pain and, uh, that's seven minutes here on ITSP magazine. Thank you.