GISGID EP 30 – RegScale CEO and Co-founder Anil Karmel Joins Den Jones

Speaker 1:
Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Anil Karmel. Anil is the CEO and Co-Founder of RegScale, a firm that specializes in simplifying and modernizing governance, risk, and compliance in highly regulated industries. We hope you enjoy Den’s discussion with Anil Karmel.

Den Jones:
Hey everybody, welcome to another episode of Get It Started, Get It Done. I am your host, Den Jones. This is Banyan’s effort into podcasting, so if we fail in the software business, I guess we’re falling back to this, so fingers crossed. And I’m just glad our software doesn’t suck, otherwise we’d be screwed if we’re waiting on this one working. Anyway. Anyway, every episode I have a cool guest, someone with some life lessons, someone with an interesting story, and today is no different. We have got Anil Karmel from RegScale, the Co-Founder and CEO. So Anil, in case I butchered your name, why don’t you, and also your company, why don’t you introduce yourself?

Anil Karmel:
Yeah, great. Thanks so much, Den, for having me on your show. Really excited for this conversation. So by way of background, for those of you that have watched the movie Oppenheimer, that is where I ended up spending a decade of my life at Los Alamos National Lab. I had the opportunity to work with a bunch of brilliant scientists and engineers, and architect and implement their cloud and collaboration platforms on the classified and unclassified networks, which is where we felt the pain that we solve here at RegScale around compliance and the manual mundane task that it is. I met my fellow Co-Founder and our CTO Travis Howerton, who came out of Oak Ridge National Lab, which was also featured in that movie.

We ended up serving as the CTOs of the US Nuclear Weapons Program. So we experienced this problem at scale and went, ‘there’s got to be a better way.’

Den Jones:
There’s got to be. Yeah, and having been involved with compliance for I think, for me it’s about 25 years back in Europe, there’s an ISO certification and it just seems to be a bit of a pain in the ass. So we’re going to dig into a little bit about this. Actually, I’m probably going to ask you to do a bit of a pitch to me as I put my CISO hat on, so get ready for that, I guess. And I know you do a billion pitches and then, Anil, so you’re based in D.C., you’re part of the Cloud Security Alliance, you’re the President of the D.C. Chapter, that I think it is.

Anil Karmel:
Yep.

Den Jones:
So why don’t you share a little bit about what’s so special about D.C., what’s going on there? And what’s good about the Cloud Security Alliance D.C. Chapter? Why do you guys kick ass compared to the ones in Seattle? (laughing)

Anil Karmel:
Yeah, we’re all part of one big happy family, right? So the thing that DCD has really, is really strong at, is bureaucracy and regulations. They’re all born here. So having a company that helps with simplifying and automating that based in the land where all those things are born made a lot of sense. So the DC Chapter of the Cloud Security Alliance specifically caters to heavily regulated industries in government, in industry, as well as healthcare, to really address these challenges head on. So some of the things that the DC chapter of CSA has done is create some foundational research papers. So if you go to the CSA website, cloudsecurityalliance/dc.org, you’ll see several artifacts that you can download, bridging, bringing Trust in the 21st century. We’ve got a new one that’s coming out shortly around a MITRE and CFA collaboration called, if you’ve heard of ATT&CK, MITRE ATT&CK, you’ve heard of D3FEND, keep your eye out for ATT&CK and D3FEND with a CAVEaT. So CAVEaT is a CSA plus MITRE collaboration, specifically focused on cloud ATT&CK vectors. So there’ll be a paper forthcoming in the next … shortly that you can take a look at.

Den Jones:
In the next shortly. Now, that sounds like something I will measure. (laughing) So maybe within the next month or so. I mean, I guess the only thing you can do really is just follow the Cloud Studio Alliance maybe on LinkedIn or somewhere else, and then you’ll get the notification when that comes out, right?

Anil Karmel:
That’s right.

Den Jones:
Awesome. Awesome. Now you and I, so we met during Black Hat, not this year, the year before, I think, right? So it’s been a couple of years since we’ve bumped into each other. It always seems to be rotating around CSA guys, the meetups and then a lot of socializing. So as a leader in industry, how high would you rank this whole concept of socializing, building your network? How important is that?

Anil Karmel:
In my view it is the most important. A) people learn from people. So the ability to have real conversations with people in a social setting is so important because A) you get to understand what’s going on in everyone’s lives, both professionally and personally, which is really important because ultimately everything that we do is built off of, in my view, relationships, right? So the ability for us to have connected at several events, be able to share some witt and wisdom, (laughing) to have some conversations that were both personal and professional in nature, and then say, Hey, look, there’s some alignment here where we can have even further conversations and maybe even share them with a broader audience vis-a-vis this podcast.

Den Jones:
Yeah, and it’s funny, I think a lot of technologists, they’ll focus on technology, technology, technology, and I remember in my career in Adobe growing through those ranks, you’d get the most amazing engineer, and then they’d be like, oh, well, he’s really good at that. And all of a sudden he can lead a team of other amazing engineers and then promote, promote, promote. But really this person had no people skills. They had an amazing engineer, and they get promoted, and then all of a sudden you’re dealing with someone who’s just a bit of an ego and a bit of an ass, and they have no personal skills, and they’re really not really positive for the environment. So for me, there’s a blend, this blend, especially for leaders, where your people, your relationships, and the reality about these relationships is you actually don’t get anything done as a leader unless you’re leveraging your network and other relationships. So I think very, very vital. Now, let’s talk about, now you call it RegScale or RegScale?

Anil Karmel:
It’s funny that you bring that up because I’ve kind of run an impromptu survey and roughly 50% of the people say Reg, 50% of the people say Reg. Once I explain kind of the genesis of the word, why it’s called RegScale, regulations at scale, most people then default to RegScale.

Den Jones:
Yeah, well, so let’s do this little pitchy business. I’m going to put on my CSO hat, or my auditor hat, or some executive, and why don’t you come and pitch to me. Hey, why you guys versus everybody else out there?

Anil Karmel:
Yeah. So when you think about governance, risk and compliance, it’s a manual point in time, paper-based exercise where you’re developing artifacts that are immediately out of date, the moment that they’re created. Really what you need is the ability to simplify and automate that process similar to what had been done with development operations or DevOps, where DevOps, CICD pipelines had been created, outputting continuously up-to-date applications in environments. What if you took the principles of DevOps and applied them to GRC, where you have a discipline called regulatory operations and RegOps, GRC pipelines that integrate with the tools you already have. Identify problems from a control standpoint before you have an issue. Address those issues in near real-time and output artifacts that are continuously up-to-date that you can submit to regulators in near real-time. That’s the power of regulatory operations, plus a modern continuous controls monitoring platform that allows you to simplify and automate governance risk and compliance.

Den Jones:
So sounds great. From a requirements perspective, as a perspective customer, do you need to be 100% cloud based? Could you have cloud and on-prem? What’s the architecture landscape that you guys are more successful in?

Anil Karmel:
Yeah, so this platform was designed to work at the extreme ends of complexity and scale. So it’s designed to run in classified arrogant networks. Based on our backgrounds, it’s running in the places we came from. Los Alamos is running it, Oak Ridge is running it, as examples.

So it’s designed to basically meet you where you are, where if you’re on-premise, you can run it on-premise in a container. If you’re a cloud, you can consume the SaaS instance. Most heavily regulated organizations are a combination thereof on a journey probably to consume more cloud resources. So what the platform allows you to do is ingest or digitize the artifacts that you already have, policies, procedures, control implementations, system security plans, so on and so forth, into this API-centric platform. And then integrate with the monitoring tools that exist within your organization like your WIS’ or Tenables or Prisma or Qualys or Rapids or CrowdStrike or the list of those on and on, take the findings as mapped to those controls, and then when you fail an issue, you automated creation of a ticket in your ticketing system, like ServiceNow, Jira.

So you understand where you stand from a control standpoint of near real-time as opposed to waiting for an audit to happen and saying, oh, here’s all these issues. You got to go fetch all this evidence and you’re fetching all this evidence where, or docs, Excel spreadsheets, stuffing file servers, and it’s just this manual process that you just can’t get away from. So it’s architected to solve both sides.

Den Jones:
And when you’re selling, so that sounds great. And when you’re selling, what is the thing that customers value most? I mean, is it that you’re going to save them a bunch of money? Is it that you’re just going to take this headache away from them? What’s the value prop from their mind?

Anil Karmel:
There’s certainly a risk-reduction aspect where from an audit standpoint, because your controls are continuously monitored, you understand what your control gaps are in near real-time, and you’re able to produce audit-ready evidence. There’s also the ability of, and I mentioned these RegOps, GRC pipelines, where traditionally in a lot of organizations you’ve got a policy with seven steps that some human has to follow. The human looks at those seven steps and says, I could do that in three. They do it in three, fantastic. And it may or may not be done exactly the right way, but it’s done. Then when the audit comes in, the audit looks at the seven steps that you wrote in the policy and says, show me the seven steps. The human does it at three, which may or may not be right, and you get a finding because you didn’t update your policy.

Den Jones:
Yeah.

Anil Karmel:
That’s a very common scenario. What if you could automate those steps, dynamically create and update the policy, and dynamically manage and produce the artifacts that people need to see in near real-time? So when the person says, show me the policy and say, here’s the policy, click, here’s the artifacts.

Den Jones:
Yeah, pretty cool. I remember years ago, Sarbanes-Oxley and we were talking about the CMDB and know all the servers know all the things you have, and it’s like you’re dealing with thousands and thousands of servers, and I remember saying to the change manager, I was like, there’s no way in the world I know all these servers. I’m assuming though, we are following the policy on what we do when we build a server, what we do when we change a server, what we do when we decommission a server. There’s some assumptions, and I think when you go through audits, most people are very nervous. They go through an audit and they’re like, God, I just hope this is okay. I hope … so I can imagine there’s a level of anxiety that you guys will help reduce within an organization. Now, from a pricing perspective, how do you price this?

Anil Karmel:
Yeah,

Den Jones:
This magic.

Anil Karmel:
Yeah. So there’s two models. So we have a … part of what we’re doing is we’re leading a movement to reimagine how GRC is done. It’s an industry that hasn’t really seen hyperautomation and innovation, I would argue in decades, since the birth of Excel and the myriad different things you can do with Excel. It’s a great platform, but it’s not really scaled to meet the needs of today’s modern enterprise. You’ve got a lot of forms-based GRCs that are only as good as humans that feed it. So how do you move from Excel and human-fed GRCs to a platform that enables you to really leverage hyperautomation coupled with efficient instance or value out of the tools you already have to scale and meet the needs of the business? So one of the things that we’ve done is twofold.

To answer your pricing question, we have a completely free community edition, 300,000 downloads worldwide. You can download a container today at RegScale.com, go click on the community edition, fill out the form, and you’ll get a link and you’ll register that instance. You can run it locally as a container, and you can get started on this journey for $0. So that’s one option.

If you want the enterprise capabilities, the integration, some of the AI/ML capabilities, then that is price-based, a 12 month annual subscription based on the size of the organization and the use case. So things like rapid certification, how do I quickly get a FedRAMP certification or ISO SOC [inaudible 00:15:21], whatnot. Things like how do I use that data that I’ve collected across multiple standards and frameworks, something we call continuous controls mapping. One that I think many organizations struggle with is access reviews. How do you ensure, Hey, I provisioned this user, okay, they’re provisioned everywhere. Okay, I de-provisioned this user. I de-provisioned that many, or show me, okay, all your identity and access management systems, which if you’re especially spread across cloud and on-premise, it’s a mess. And then you’ve got people looking at spreadsheets, producing things. The bigger you are, the harder it is simplifying and automating that. So we have different packages for each one of these use cases, and it’s appropriately sized for the organization at a price point that you can rapidly afford and get value, the ability to add these additional packages.

Den Jones:
Awesome, awesome. Sounds like a bit of a no-brainer, I guess. I mean, I think for me, you didn’t say whether it was a trillion billion or $5.99 for the enterprise version. So I’m going to go with the, you probably want to check it out, and then you probably want to engage, and then you’ll find out the price of the magic for your size and scale and situation, which it sounds like there’s some good magic in the background here. When you guys think of done, so, I kind of always think of one of the reputations I have in the industry, is I get shit started and I get shit done and I do it fast. So you guys started RegScale. You are on the path to success. What does done look like?

Anil Karmel:
So done looks like … and then I’ll kind of underline it with a mission statement. So our underlying vision is to free organizations from paper, I mean digital paper, where instead of people running around trailing out spreadsheets and word docs, let the machine do that for you. Done looks like we’re no longer living in a world where humans are having to produce documentation manually, but they’re using machines to do that work for them and outputting them on-demand. That’s the definition of done from our management, where you’re able to apply automation in areas that have historically been done, leveraging people that you can’t scale, filling out spreadsheets that are out of date over and over and over and over again. Albert Einstein once said, the definition of insanity is doing the same thing over and over again expecting a different result, and that’s what we’ve been doing in the world of governance, risk and compliance. There’s got to be a better way, and I would argue that hyper automation with efficient integration is the way you get there.

Den Jones:
Awesome, awesome. I did think of one other thing though. When you guys are … you got customer customers signed up, what does their deployment look like? Do they get the base package setup and they get up and running and then they’re like, okay, these specific controls are the ones that cost the most headache, let me just bite off and you automate piece by piece by piece?

Anil Karmel:
That’s exactly right. So let’s say I’ve mentioned some of those packages like the rapid certification package. So if you say FedRAMP, great, we’ll spin you up an instance. You’re in the SaaS version, you’re up and running in less than five minutes. You’ve got your own tenant, it’s preloaded with a FedRAMP package. We’ll then sit there and digitize your artifacts. That’ll take a day or two, bring those SSPs and artifacts into RegScale. You’ll then go out and build your package, make your updates. Let’s say you need to go from Rev four to Rev five, which is something that everybody has to do now, right? We give you a simple easy way to do that. Then we give you a push button opportunity to go A) check all of these controls, do these controls fit?, and are there better ways to state how to implement these controls?

So we use a little bit of AI/ML to do that, push a button, it’ll auto score all your controls using our AI virtual auditor, say here’s the gaps before you actually submit it to an auditor, so we’ll make sure using AI/ML, we’ll bring your packages in, virtually audit them, make sure they’re right, propose updates. Then you submit them to the auditor and the auditor can then look at them and you quickly accelerate that audit. So I’ll give you a real world example in that vein, and I’m just using rapid certification as an example.

It was going to take particular customer 18 to 24 months to go upgrade and build their FedRAMP high package to go from FedRAMP moderate to FedRAMP high, leveraging RegScale will literally do it in three, as an example. So that’s real world example. SOC 2, 300 hours down to 25, access reviews where organizations get these things called matters requiring attention, where there’s massive risk on certain organizations that you’ve got to go address things. So by integrating with tools like Okta and SailPoint and Azure and on-premise infrastructure, to be able to quickly say, here’s the state of all my access reviews, serve as a system of record and go feed your GRC tools, very rapid time to value in a matter of two months, versus it was going to cost them millions of dollars to try and scale a bunch of people filling out spreadsheets because that was the other answer.

Den Jones:
Yeah, I think when you get, for me, it’s easy, Banyans a nice small company, the smallest company I’ve been in since I’ve started my IT career really, and we can do our SOC 2, it’s easy because you can almost touch and feel and point at everything, right? But as you scale that, the Adobes, the Ciscos, the companies, whatever, when I’ve run enterprise security before, that stuff burns money. I mean, that is just a money burning machine. And like you say, it’s all manual, and it’s all people squirreling away doing crap. That’s really, the end of it for me, is all wasted work. I mean, it’s all just overhead. Awesome. So let’s jump into the funner side of life. When you’re not working, how do you describe your job to people who are not tech-savvy individuals?

Anil Karmel:
Helping people get their lives back? Yeah, it’s set up on the routine mundane activities that are done in paper where you walk in a room and everyone just goes, oh, here comes the compliance person trying to tell me all the things that they need me for me to do. Or the security professional that has to go deal with thousands of Jira tickets to go gather evidence and manually submit them. How about we invite you to be part of the regulatory operations movement to simplify and automate the tasks that are inherently human-led, right? Up-level your skillsets to move from Infosec practitioner, security assurance practitioner to Reg-Ops engineer, to giving you your, we’re enabling you to leverage automation to focus on things that add more value to the business.

Den Jones:
Awesome. Awesome. Now, as a co-founder of a company, what piece of advice would you give people who are doing the similar journey to yours where they want to start their own company? What pearly of wisdom do you have over here?

Anil Karmel:
Our journey was rooted in personal pain, and I’ve found that from a practitioner standpoint, being a formal practitioner and living the pain that we solve for our customers, it’s not some esoteric thing that you’re trying to understand from the outside in, which a lot of companies, some of them are great, but a lot of them don’t really understand what you’re walking. And our vantage point is we’ve lived this pain for 10 years and we spent five years trying to figure how to solve pain. We spent 15 years fully understanding the problem. Five years building a platform that is designed to meet the needs of the most complex organizations, testing it over time with design partners so that you can come in and say, and rest assured going, you know what?, this platform is actually proven. It’s not something that is kind of like what I need.

It’s actually built. And it’s what we hear from a lot of practitioners where they’ll say, I had an idea and I thought if I left and I went up and built something, it kind of looked like that. We built the thing we wish we had. So if you’re going to go co-found a business, spend a lot of time studying the problem so that you can build a platform that quickly adds value, rapid time to value to your customers, and that’s what we’ve done. I mean, another Albert Einstein saying, I used that a lot given our nuclear weapons background, that he was good weapon guy, the buddy was a physicist, he was actually a pacifist, but I say it from the standpoint of he was one of the founding fathers of physics, modern physics. If you had, I’ll probably butcher the analogy, if you had an hour to solve a problem, spend 99 minutes studying the problem and a minute, solving it … 59 minutes, solving it, something like that. Anyway, but yes.

Den Jones:
I know if at the same time he turned an hour in from a 60 minute to a 100-minute event, then I’d have more hours in the day, I guess.

Anil Karmel:
So I said I’d butcher it upfront.

Den Jones:
No. Okay. So look, I know we’re up on time. I really appreciate you coming on. I want you to leave with a parting word of wisdom for our guests, listeners and stuff. What piece of advice would you give everybody as they’re in their journey, either as a founder or as a practitioner? I’m hoping that, I’ll assume there’s some regulatory compliance angle to this one, but any advice for the people?

Anil Karmel:
Yeah, I mean for anyone that thinks anything we talked about just sounds too hard. And a lot of times, there were times where everything was hard. We’ll use DevOps as an example. It didn’t exist before. I’m an old school CIS admin, right? Developers would hand me code, I’d go test it, go deploy it, and there’d be a bunch of wasted time and the security folks would come in and say, here’s all these issues. Take forever to get code deployed in environments, right? So DevOps was created as a discipline, which became DevSecOps, which was a cultural transformation coupled with technology and tooling, that now we take for granted as this is the way we should operate a business. We should use CICD pipelines, we should embed technologies in those CICD pipelines. We should be able to push a button, execute those pipelines to go push applications into environments and do that in a continuous basis using Agile versus Waterfall.

So it’s things that we now kind of take for granted, but it started with a cultural transformation of, hey, we’re going to bring down silos. We’re work collaboratively together. We’re going to implement modern technology. We’re going to integrate it all together and make that work.

So the parting advice that I would give is take a look at how you can take those principles and apply it to a discipline that hasn’t seen that level of collaboration and innovation and make that real in whatever space that means to you. For us, it means regulatory operations, where now Infotech practitioners that have historically been in odd with compliance practitioners can effectively bridge the divide, work simultaneously and side by side, as opposed to warring factions that say, compliance is not equal security. Leverage security to make compliance an outcome where compliance and controls can be implemented as best practices, but you’re really employing security to output the evidence that the auditors and the regulators need. So join the RegOps movement. That’s what it means to us. But I would say apply those disciplines of things that have worked in the past before. Study your space and make innovation real in whatever area of work you work in.

Den Jones:
Awesome. Hey, well thank you very much, Anil. Pleasure to have you on the show today. Really appreciate your time. I know you’re a busy, busy guy, so we’ll hopefully catch up in person again sometime soon. Maybe I’ll try to make my way over to D.C. at some point. I hear it’s a fun, I hear it’s a fun time, so I need to go check it out.

Anil Karmel:
It is definitely a fun time and I guarantee you come here, we will make it so, show you around.

Den Jones:
Thanks bud. Appreciate it. Take it easy.

Anil Karmel:
Thank you.

Den Jones:
Bye.

Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

 

Close Transcript