Security & GRC Decoded
How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adherent to regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!
The GRC Illusion: Why Third-Party Risk Is Still Broken ft Val Dobrushkin, Director of GRC @ Tricentis
In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into true business enablers.
This conversation dives into the disconnect between frameworks and reality, the limits of SOC 2, the role of GRC in revenue and M&A outcomes, and why solving for today while building for the future is the key to long-term success.
Key Takeaways:
- Third-party risk management is fundamentally broken due to over-reliance on questionnaires and weak enforcement of meaningful controls.
- SOC 2 is too flexible and inconsistent to be relied on as a true indicator of security maturity.
- GRC has a unique advantage over security in directly demonstrating business value and revenue impact.
- “Solve for now, build for later” is critical for startups and fast-growing companies preparing for IPO or acquisition.
- Strong GRC programs can directly influence company valuation by identifying contractual and compliance gaps early.
What You’ll Learn:
- Why questionnaires and annual vendor reviews fail to capture real third-party risk
- How GRC teams can prove revenue impact through customer trust and assurance
- The hidden role of GRC in M&A, IPO readiness, and contract validation
- Why most GRC metrics fail and what meaningful measurement should look like
- How to implement a “solve now, build for future” strategy in fast-growing companies
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com
Watch more episodes: https://www.compliancecow.com/podcast
Connect With Our Guest:
Val Dobrushkin | Director of GRC | Tricentis
Connect on LinkedIn: https://www.linkedin.com/in/dobrushkin/
Rate, review, and share if you enjoyed the show!
Subscribe to Security & GRC Decoded wherever you get your podcasts:
Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
Raj Krishnamurthy (00:00.933)
Hey, hey, hey, welcome to another episode of Security & GRC Decoded. I'm your favorite host, Raj Krishnamurthy. Today we have the fantastic Val Dobrushkin joining us. Val has more than 10 years of experience building and running security programs at companies like NoName Security and ForgeRock, where he built their security compliance programs, and is currently the Director of GRC at Tricentis. Val, welcome to the show.
Val Dobrushkin (00:28.568)
Thank you, Raj. Let's be here.
Raj Krishnamurthy (00:31.001)
Well, I want to jump straight into the hot take, right? Maybe give us, our listeners, a view. What is the hot take? One hot take you have, one controversial opinion that you hold on security and GRC.
Val Dobrushkin (00:43.886)
Just how much we're all terrible at third-party risk management that most companies don't do it right and don't place enough emphasis on making it effective, practical and meaningful, especially for GRC.
Raj Krishnamurthy (00:56.973)
That's it. So third-party risk management sucks.
Val Dobrushkin (01:00.578)
Pretty much.
Raj Krishnamurthy (01:02.105)
So how do we make it better?
Val Dobrushkin (01:05.742)
I think we need an industry change and I'm surprised that we keep seeing these major data breaches that are caused by supply chain attacks and vendor integrations attacks, but we're not changing our practices and we don't have enough compliance standards that really enforce
meaningful third-party risk management. Most of our current standards can be done as compliance theater, check the box, you know, you get some security attestation report from a vendor and/or send them a questionnaire and that's good enough, but that's clearly not enough. So the way to do it, I'm trying to change it from an industry perspective by
Val Dobrushkin (01:58.85)
collaborating with other practitioners, speaking at conferences, helping other voices that are moving to change our industry, but it's a very slow process. I'm hoping that things like FedRAMP, CMMC, as they become more common in the industry overall, even outside the US, those kinds of more prescriptive supply chain security practices become the norm, but
Raj Krishnamurthy (02:10.927)
you
Val Dobrushkin (02:28.302)
at a minimum as GRC practitioners, as cybersecurity leaders, you know, it's on us to change it, at least at our company, one company at a time. And, you know, when we come across others that have similar challenges, you know, share our practices, our experiences with others in the field to make it better. You know, the bottom line is you look at your resources, you try to figure out the risks, you work with your
procurement program and process to make it easier so that this is part of business as usual as much as you can. There are some technology companies, some startups that are doing this better, a more modern approach of almost continuous monitoring of risks for vendors by connecting with your security and IT technologies and monitoring where the data is going, what access a vendor has.
Raj Krishnamurthy (03:19.639)
Hmm
Val Dobrushkin (03:25.46)
and can even alert you if, let's say, you approve a certain vendor to access one type of integration or send data to one geographic region. Now, this tool can tell you that some engineer allowed this tool greater access, or now they're sending data to maybe a more suspectful region or country. So looking at those kinds of technologies that help us move away from this
once a year, you know, assessment of a vendor, but more on a continuous basis and trying to focus on the risks. But even with annual assessments, you know, we can do better, right? I don't like questionnaires. I think they're the bane of our existence on both sides of GRC from customer trust and assurance. You know, you're drowning in these questionnaires that are different and mostly meaningless to customers.
And on the third-party risk management side, you know, we're sending questionnaires that are generic, and even though companies are supposed to, you know, reply honestly, honestly, there's not a lot of evidence unless we ask for, you know, screenshots or other kinds of evidence, but then you're duplicating, you know, their SOC 2 and ISO and other audits and it's just extra effort for everyone. So there's not a lot of guarantee that their answers are accurate. We also have AI tools that help answer these questionnaires.
We're getting into technologies that analyze questionnaires. So we're almost at a point where AI is talking to itself and, you know, as much as we can trust that there's a question there. But we can also look at the actual security documentation that the vendor provides, and figure out again in the procurement process that the point is the business needs vendors and we don't want to slow them down.
And it's on us to figure out where our security really comes in. Where do we need to hold the line? Which things can we let go depending on the risk, the value? You know, maybe if they have cyber insurance and some other controls, that's enough for a certain type of vendor, but for some other ones we want to see more. And what we can do is look at their SOC 2 attestation or ISO 27001 controls out of the reports
Val Dobrushkin (05:45.792)
and really dig into the details and see what controls are actually covered and how they're covered. And normally, you'd need to have some understanding and expertise on how these reports are written to be able to pick out that, this vendor might have business continuity practices, but the way the report is written, it's not really tested well, or it doesn't cover the services that I need. But now we've also seen in the GRC tool space that
a lot of vendors are building AI analysis capabilities that can scan these reports, and we can work with these tools to tell us, for a given risk of a vendor, I want to see this number of controls, so the controls have to be worded this way or implemented. You could look at vulnerabilities, you know, triaging, and for critical vendors you can have more requirements on their vulnerability practices or remediation timelines versus your medium and low vendors, and use
these GRC technologies to help you analyze them. So you can make this a lot faster and ideally automate it. So again, you don't have somebody reading these reports manually, but you can have the tool inform you of, yes, these controls are in place. And if not, then you can follow up with the vendor and figure out where this gap is and if it's a real risk.
So it's both on the standard practice of even if you're doing just annual assessments, there's a lot of things you could do better. And ideally moving towards more automation and continuous monitoring of vendors. But also the bottom line is we need enforcement from the executives, right? Because even if we have these great practices, even if we find that, okay, this vendor is a high risk to the company.
Val Dobrushkin (07:30.272)
Unless somebody cares and is able to either walk away from a vendor or force them to change their practices. None of this matters, right? We could have the best, you know, TPRM program and automation, all of this. But if we keep highlighting those risks and the business says, I don't care, we're still going to do business with this vendor, still going to allow them to integrate and send the data wherever, then it doesn't mean anything. So we need to build trust and relationships and get the buy-in from the executives so that...
Val Dobrushkin (07:58.762)
when we raise risks, when it comes to vendors, that it really matters. It forces the company to change the practices, reevaluate things and, you know, protect the business better. So it's about not crying wolf all the time and focusing on the vendor risks that really matter and are truly impactful, and building a good story behind it to justify why we feel this is warranted, so that when it comes to the business, you know, they understand
Val Dobrushkin (08:27.916)
and they can see the logic that this is really important. I mean, ultimately, again, it's not on us, right? If we wanted to build a secure program, we wouldn't have a business, right? Because we'd spend all our time and money building it securely rather than building services. So it's on the business to decide where that balance is, and our job to inform them and give them the information they need to make the right decision. And of course, you know, we can make suggestions and try to prove our case. But at the end of the day, we also have to accept that
In some cases, we may disagree with the business, but it's not our call. But we have to see enough of positive change over time that, okay, we keep making these cases and when it really matters, we do see business walking away or forcing different vendor practices where we can. And this isn't just a GRC or a third party risk management program. It's part of...
Val Dobrushkin (09:23.328)
our ability to influence the business and build those relationships across the board with everything we do within GRC. It's just, again, and this vendor risk management is just a component. If we have the influence, if we have the relationships, then we'll be able to get the benefits from those in this example.
Raj Krishnamurthy (09:40.574)
Okay, good. So I heard five things. One, you're saying number one, the frameworks have to be a lot more prescriptive than what they are today. Two, you want a deeper integration with the vendor systems, so that, I think you talked about continuous monitoring, right? Something where you're able to evaluate them as close to real time as possible, as quickly as possible. Three, you talked about leadership support. Four, you talked about return on investment metrics that support
the act of doing this, right, and the investments that the business needs to make. And five, you said you need to build enough relationship with the business teams so that this can be as smooth as possible, right? Why not SOC 2? That's the point of the AICPA trust criteria, right? Why not SOC 2?
Val Dobrushkin (10:27.886)
I mean, why do we have accountants evaluating security practices? I think that's the problem with GRC in a nutshell. I mean, I love accountants. My sister's an accountant. I know a lot of really great, I have a lot of great friends who are accountants. And in some ways I have an accountant mindset too, right? This is why we do GRC. We want to check the box. We want to make sure that things don't get dropped, don't get ignored. We, you know, we dot all the Ts across all the I's or whatever the other way goes.
Raj Krishnamurthy (10:40.713)
No.
Val Dobrushkin (10:58.138)
but it's not meant as a prescriptive standard. It's really good. It helps companies document their own additional controls, which I think is really valuable. Unfortunately, as an industry, we've come to the point where we don't have enough professionals understanding SOC 2 reports. So they're just accepting anything that's written, whether it's true or not, whether it has any controls. I've seen SOC 2 reports that have, you know, "board meets quarterly"
Raj Krishnamurthy (11:19.632)
Mm-mm.
Val Dobrushkin (11:26.67)
basically as the only control and that's fine. Like that's acceptable. And it's the benefit and the bane of a SOC 2 that most of the controls are optional. In some cases you have more firm auditors that would like to see a bare minimum for different, you know, the security trust service criteria or others and they wouldn't allow a customer to do a SOC 2 and saying they do security availability or.
unless they have the bare minimal set of controls. But for a lot of other firms, you could have a single confidentiality control in there or a single availability one. And it would say this SOC 2 report has confidentiality and availability as trust services criteria. And so there's not an industry standard for what's acceptable and it's too flexible and it's meant to be customer driven. So a customer really decides what controls go into a SOC 2 report.
you as a consumer of those reports, you're grasping at straws. You're trying to understand, you know, what the SOC 2 report represents, if it has the controls it has. Also, every audit firm writes them differently, the way they're laid out, and, you know, two reports could have the same controls, but it might take you an hour to understand that they are the same, just in the way they're represented and written, and even
Raj Krishnamurthy (12:50.633)
Got it.
Val Dobrushkin (12:52.184)
the verbiage can be different. And unfortunately I've seen firms, including with some big names on them, that are just fraudulent. They list the controls, but I know for a fact that they're not there.
Raj Krishnamurthy (13:04.894)
not there. And you said something very interesting. So if I think about some of the accounting metrics, for example, return on net assets that the financial controllers typically use, or sales outstanding, these are well-defined metrics. And the way that we arrive at these metrics is because there is a basic framework by which you can do accounting. What are the chart of accounts? How do you debit and credit? What is an expense? What is the revenue? How do you recognize revenue?
so on and so forth. The challenge I've consistently seen with cybersecurity is that where is the chart of accounts for cybersecurity? How do we establish the baseline first before we talk about common metrics? Have you thought about this well? Have you come across this? What are your thoughts, your take?
Val Dobrushkin (13:53.262)
Um, yeah, I mean, we, try to speak the same language, uh, and try to use financials where we can, because most of time, right, the board, executives, they look at dollars as the main talking points. What, what is it going to cost us, you know, to, protect ourselves? Or if we don't protect how much is it going to, you know, remove our revenue or our ability to do business? Um, and in some cases, uh, you can use it.
on the customer trust and assurance side, work with the sales team, look at the market, look at your competitors and say, hey, you know, if we add this ISO certification or a HITRUST one or whatever, it will get us into this market. Then it will allow us to earn, you know, additional dollars. And a lot of times, like, let's use, you know, FedRAMP. It's a very expensive program, very time consuming, a lot of changes required to your business to get in there. So you have to justify that there's a large potential customer interest stream
in the future that's reliable that you're going to gain if you do these things. And a lot of times you can leverage these to say, okay, we're going to do this to reach a certain market, certain revenue, but we're going to scale the controls beyond just that market that's going to be full organizational control compliance so that we're getting the benefits just to the whole company outside of a specific target market. But it's harder when we're looking at
risks, right? We can look at similar companies, the events that have happened and, you know, the kinds of breaches, ransomware, outages. You know, look at, you know, Jaguar Land Rover, right? You know, a cyber incident can take down your entire business and cascade down to all the suppliers and really put so many companies, individuals out of business just because of a cyber attack.
But at the same time, I think that's the other challenge for us, is that it's very difficult to make this accurate for a specific company, because every company, every product, right? They use different vendors, their approaches, even supply chain security, whatever, is different. Unless we do our own FAIR model type analysis on a particular risk,
Raj Krishnamurthy (16:00.737)
Mm-hmm. Different.
Val Dobrushkin (16:16.301)
it's hard to trust the tools. Again, a lot of GRC technologies will give you, you know, they'll find the risks, the gaps in your controls, or, you know, you can work with them to document your own risk, your custom risk, and they'll give you a FAIR estimation of "this is what it's going to cost you if you don't address it." And I've seen other companies that focus just on FAIR estimators, and
I'm still yet to see something that I can trust, you know, a hundred percent that this is going to give me an accurate estimate for my company, for my particular risk in our environment. And the challenge too is that you never have enough people to spend the time to do an accurate FAIR analysis on a risk. So you're still guesstimating, whether you use tooling or you do it yourselves. And that's, it's a...
You know, it's a tough place to be. I think the GRC company that figures this out accurately for specific customers is going to be extremely successful. You know, we need something like a Wiz or Orca, right? Where there is a vulnerability and you can see the exploit chain and you see the real impact that, yes, you know, out of 10,000 vulnerabilities, these ten are the ones that are going to be really impactful to us, and we need to focus on them. Just like with the risk, we need to be able to see, out of, you know, a hundred risks or a thousand risks in a risk register,
you know, give me the real ones that are going to have this material impact on our company so that we can focus on them. And right now, you know, I'm not seeing it. We're all doing our best, but it feels like it's still a guesstimate or some kind of just, you know, heat map reporting to executive. Making us look good like we're professionals, but the integrity of the data, I'm not certain.
Raj Krishnamurthy (17:56.039)
Got it. Good.
Raj Krishnamurthy (18:03.4)
I think it's a very interesting comment, because I think my intent of the question was slightly different, although I think you addressed this much better than expected, which is I think you're talking about the financial impact and rolling up the financial impact and demonstrating the financial impact. What I was asking is the data that is supporting the financial impact, which you also talked about, which is: can there be categories of cybersecurity risks by class of companies that we can all agree on? You know, what are we doing in asset management? What are we doing in access management? What are we doing with
sort of third-party supply chain, right? At least software supply chain, things like that, where it's not very far from your earlier point that you were making about being more prescriptive. That's the point you were making. Is there a way we can get there where, at least for a class of companies, we can be more prescriptive? Do you think we should do that collectively as a community, or can we not?
Val Dobrushkin (18:55.694)
I don't think it's possible, because every company tackles those differently. Right? We can't say, I don't know, a Microsoft or a Google does asset inventory the same way or, you know, relies on the same vendors to track those assets and where those risks are. I mean, you look at your GCP controls or AWS controls or Azure controls, right? They're all different. How identities are managed is different. You know, how the security controls
are deployed and transferred. The ability to manage those controls is different. So we don't have an industry standard for anything, unfortunately. So I don't know how that could be possible.
Raj Krishnamurthy (19:42.695)
Well, you built the security compliance program at ForgeRock. You also built the security compliance program at NoName Security, right? And then you went on to work for Akamai. These are all technology companies. You worked for Tricentis. These are all forward-looking, forward-leaning technology companies. What has been your experience in building security compliance programs and GRC programs for companies like this?
Val Dobrushkin (20:10.094)
It's been really enjoyable. It's really hard, because these companies are very fast-paced, but I like the challenge. It gives you the benefits that if you have a good story, you're going to get the backing of the company that, hey, we're changing the practices, we're adding tooling that is going to save us money, it's going to automate, it's going to add more security. But at the same time,
you also have to find ways to keep up with things that change all the time. And this is where, you know, your relationship building and understanding the company culture come in. Every company is different, right? There are dynamics between different teams and executives and where GRC and security can be looked in, can be involved. Like building, you know, a security champions program at ForgeRock was very different than, you know, the way we did it at Cisco or
working on that at NoName or Akamai. And you have to be adaptive. You have to learn. You have to have this mindset that, okay, I want to do things better, but I also don't want to do it the same way at every company, because every company's needs are different. Their security program or GRC program, their maturity might be different, where they're going is different. I look at it as a "solve for now, build for the future" approach, that
I look at what the company needs right now, but I'm putting the foundations for that exit, you know, the IPO, the acquisition, whatever, so that when the company is ready, we're going to be well ready ahead of time so that we're not caught, you know, by surprise that, we need to be, I don't know, IPO proof in a year or something, you know, have our acquisition all squared away. So it's, you know, I would highly recommend for people to work.
in technology companies and startup and fast-paced because this is the fastest way to learn. You end up seeing a lot of modern security tools that are practices you might not even be aware exist. Kind of be on the leading edge from that perspective. You see the agile development, how fast products are changing services and changing the business. You know, it's making decisions, adding services, removing services. And so you have to adapt and let's...
Val Dobrushkin (22:31.842)
the best way, kind of like learning, you know, sink or swim. And working for those kinds of companies, I think it's a very accelerated learning rate. And for me, it's a lot more fun to be there and also to work in a place where there's a bias for action, so that if I see ways to improve things, the company culture is more embracing of that, rather than, you know, larger corporations that are very risk averse and...
Even though it might be the status quo that's not working, but everybody's happy, they have their jobs, they check the box, and it's really hard to convince them that, hey, we can change these practices and save you a lot of money and you can use your time for all these other meaningful things instead. They're like, no, you know what? It's not really that much of a problem. We'll just keep doing what we're doing. Okay. So, it works for me, but you have to be ready for that challenge and fast pace and then continuous learning.
Raj Krishnamurthy (23:25.913)
Got it. And this may be a naive question. Is it more the company culture or is it the leadership culture or leadership style?
Val Dobrushkin (23:33.582)
Yeah, I don't know. Good question. I think it's both. It definitely works the best where the leadership and the company staff are aligned. But I've seen it where, you know, even if some of the executives are not on board or there is a bit of this red tape bureaucracy or, you know, power dynamic challenges between executives or certain teams, there are enough
fast-paced minded individuals that the culture still remains this very active bias for action, that we could still make a lot of very positive changes. I mean, I think the culture is more important, but obviously over time executives have an insane impact on that culture. You know, I definitely look for that during the interview process, and understanding where the company is at
with the executive thinking because, you know, I'm not going to be successful in a place that there's not this bias for action. And it's also very motivating, If you're surrounded by people that want to get the job done and they're working really hard, it's going to be even more waiting for you to keep up with that and support them as opposed to, you know, everyone else is happy just checking the box and doing their little work in the silo and you will...
come in there with this enthusiasm trying to change things. After a while, your enthusiasm burns dry. If you, you you have that wall of corporate culture, like just, do your job and, you know, stay in your corner.
Raj Krishnamurthy (25:14.516)
So if I rewind, I used to work in data centers and data center engineering 10, 15 years ago. And if you think about hiring a security engineer, maybe 10 years ago, you would typically go find somebody with a networking certification, Cisco certification. Because security was about perimeter protection for you. And that's not the case anymore. I think security has gone through an inflection point where
It is a truly recognized engineering discipline. We go and hire Rust engineers and Go engineers and Python engineers today. Do you see GRC at an inflection point?
Raj Krishnamurthy (25:53.441)
The old God versus the new God, to use your terminology.
Val Dobrushkin (25:58.254)
I do, I just, I kind of joke about that we need to wait for all, for most of the current GRC professionals to buy off or retire to really see the impactful change. There is a strong community of GRC professionals that are very practical and that they use, you know, tooling and good practices.
to really modernize and make it impactful and effective. And it's part of what motivates me to continue to do better and collaborate and work with others and learn from others. But overall, and I see that in larger security conferences and GRC conferences, I still get a sense of there are too many people that are happy with this checkbox approach to GRC. And so as hopeful as I am,
and I've seen a lot of positive impact and changes, especially with the GRC engineering movement. I don't see it making enough of an impact, particularly in the enterprise space.
Raj Krishnamurthy (27:03.455)
And what do you think that is? Why do you think that people are still satisfied with checking the boxes?
Val Dobrushkin (27:11.502)
Uhhh...
Val Dobrushkin (27:15.374)
I think either the security leadership has enough challenges to solve for enterprise space where GRC is seen as, you know, just get me through those audits and, you know, keep the lights on kind of thing. Not so much of help me make a positive revenue impactful decision and security risk reduction decision place.
or the GRC executives themselves, they're not valued for their contribution of the GRC program to the business, but for the years they've put in and the relationships they've built with other executives. Like we talked about before, it's hard to come up with meaningful metrics. So with
enterprises, you know, I see things like, okay, we've added a certain number of certifications, attestations, or locations where we've expanded our existing ones. And, you know, they get a clap on the back that, yeah, you know, we're adding to our market impact. But they're not being evaluated on: is this actually reducing third-party risk? You know, how much revenue are we really making in the sales process from our customer trust and assurance program?
You know, our policies and training, are they actually making a difference? Are they helping anybody? Or is this just, again, check the box kind of, if we have it, it helps us get through the audits, but nobody reads it, nobody understands it. None of our employees really care about our policies and, you know, the training's not actually making them do better in terms of their security practices or, you know, efficient AI, deep fake awareness or anything. So it's, I don't know. I mean, I think it's that
kind of, again, retirement of previous leaders that needs to happen where we have more modern people that really want to make positive changes and see the impact of their work now, not in 70 years or 20 years from now.
Raj Krishnamurthy (29:20.638)
Got it. No, makes sense. And in our last conversation, you said something very, very profound that I want to bring up. You said, security is harder to justify, but GRC can. That's what it is. Do you remember you said that? Can you elaborate that for our listeners, please?
Val Dobrushkin (29:38.542)
Yeah, I mean, I think where security teams struggle is that they're viewed as either the department of no, that security always says, oh, this is a bad idea. We don't want to approve this thing. Or like I see, they're looked at as a cost center. You know, they're there to do something, but you don't see the value until there's a breach. And then you say, why have we even been spending the money if you couldn't protect us from this breach? So it's really hard to justify, but GRC, especially because of the customer trust and assurance angle.
We're directly revenue supporting business. So we help vendors or customers look at us as a trusted vendor, right? And we can both accelerate the due diligence and like onboarding process of what it takes to get our company approved as a trusted vendor by this big enterprise customer. And we help the business again, reach those markets, reduce
the overall time or decision-making that customers have that, okay, I'm comparing vendor A and vendor B and the products look similar, but look, they've had fewer outages. They have a lot more of the security and privacy attestations and certifications. They have a really good security story on their trust center or these white papers. They sound like they know what they're doing when it comes to security.
And so I'm leaning towards doing business with them. And this consists of just the approach of some enterprises, they do a lot of work figuring out which vendors they can really trust, especially for integrating with a very sensitive data or systems. And it's not just evaluating security practices, but looking at overall company approach.
And I've seen this in customer contract negotiations where there'll be some Easter eggs in there, where they put in terms that should not be accepted by vendors, but they're a huge enterprise or big company or they're coming in with a big contract. And so a lot of vendors would feel hesitant to push back on these red lines. And I've seen it firsthand, working with, you know, top five, whatever, pick an industry, customers.
Val Dobrushkin (32:03.566)
where we've pushed back on the security provisions or, you know, other privacy-like provisions, and we've heard these customers say, yes, now we're going to do business with you because we know that you're treating these contracts seriously. You're not going to agree to something you can't deliver on. And we know, you know, as a startup, you're not going to be able to deliver this because this is an enterprise requirement that's going to be too hard for you to meet. So this tells us that you do your due diligence evaluating your customers, you're not going to just accept any deal you want.
that makes us feel like your whole company has this approach that, you know, trust, not agree to everything just to make money, but you assess the risks and your ability to deliver the services. And so, again, as a GRC professional, this is another area that we're helping to reduce the risks for our customers, but also for our own company that, yeah, we need to push back on some things. And that's a way to demonstrate that to our customers that...
I think we're good at these things. We're not going to agree to something that we cannot honestly deliver on. And it's sort of a side topic that helps with that future exit plan, right? When you go through acquisition or IPO, the lawyers come in or, you know, other security professionals do audits and they look at all your contracts and see, you know, you have all these dollars of revenue on the books, but they ask you for things that we don't see in your security program. So we can't recognize their revenue. So, you know, it's all part of that.
You know, you do your trust and integrity correctly within the program and help the business retain customers. And with modern GRC tools, we have connections between our trust centers to our CRMs, right? So Salesforce and HubSpot and whatever. So we're able to show direct revenue
recognition that, GRC helped, you know, retain or earn this number of dollars or these customer logos for this quarter, for this month or whatever, because we have direct integration into the sales pipeline. And we were seeing, okay, you know, these are the contracts we've contributed in. These are the security attestations, reports, whatever things that the customers accessed on our trust center as part of their due diligence. And so it's very easy
Val Dobrushkin (34:28.802)
to show the actual true financial metrics and benefits that GRC program provides, as opposed to security where it's all theoretical. We protect you from something bad, but you won't know that we did it successfully, right? Either way, until it happens, we didn't do it successfully.
Raj Krishnamurthy (34:40.584)
Until then.
Raj Krishnamurthy (34:45.538)
No, absolutely. Beautifully said. So, you went through two exits, the ForgeRock IPO and the Noname Security acquisition, Akamai acquired Noname Security. Particularly going back to your previous conversation, were you able to see firsthand, you said it beautifully, solve the problems first and build for the future, if I'm paraphrasing it. Was that approach very helpful in both these places and can you explain how?
Val Dobrushkin (35:07.352)
Yes.
Val Dobrushkin (35:12.578)
Yeah, absolutely. Again, startups, not a lot of resources, a lot of responsibilities, a lot of things to do. So if I waited until the very end to build a lot of these processes in, I wouldn't have the staff or the ability to support these exits. As, you know, let's look at like customer contracts, for instance, as we're growing, right? We want to get all these deals, but we need to keep track of
What are our obligations? Where are the things that we may have gaps on? You know, where these risks are coming from. And we work on identifying them. And as the renewal comes in, you know, maybe this year we weren't able to negotiate with the customer to push back on some of these things that, okay, you know, I've raised it to the business, but they chose to accept anyway and accept the risk because, you know, we need the revenue. We need to stay in business. So.
You know, it's a risk that makes sense. But next year we're, you know, we're more stable. We have more revenue. We have a better relationship with the customer. Now I can go and make the same case. Now the business is like, okay, we have this greater ability to negotiate. We're going to work with the customer to remove some of these obligations that we're not able to realistically deliver on a hundred percent. And then, you know, I've seen that over the years.
And then when we had those exits and we had, you know, the lawyers come in and other security professionals. I love the feedback from Akamai where I think we were maybe their 12th acquisition by that point. And they said, this was the easiest acquisition they've ever done, for security and legal compliance, because we had all our ducks in a row. You know, we knew where the gaps were, where the risks were. And we worked, you know, through my three years there to address them, to reduce them and.
Raj Krishnamurthy (36:53.726)
Mmm.
Val Dobrushkin (37:08.514)
You know, I think they recognized most of the revenue because they saw no gaps in our security requirements that we accept in our controls, you know, our privacy practices. And we made it very clear and ready. Like we had all the evidence, we had all the documentation. You know, they didn't have to spend a long time trying to figure out if we're lying to them or where, you know, so to speak, the bodies are buried. We knew that like if there were any gaps, we knew what they were. We had a process to like...
you know, accept them, like get executives to review and again, green light or red light, you know, to continue with this or try to address it again, if it was customer negotiations or some other gaps. And so it made it really easy for them to see us as like a trusted partner and to see that the practices that we had, you know, met their standards. And in some cases, you know, I think
There might've been some controls or some tooling that we had that they didn't, that gave us even greater coverage. And so it's kind of like building it along the way. You look at the current processes and you see what you need right now, but what would it take to make it easier so that on a continuous basis, right? You reduce the hours you spend manually doing these things. So you bring in more tooling or you simplify the process of bringing
Raj Krishnamurthy (38:08.389)
So, it's really going ahead us.
Val Dobrushkin (38:31.64)
you know, other team members to do some of the other components or integrate with other systems or give us information. You don't have to do it all yourself. And, you know, over time you have a process that's reliable, repeatable. You know, I like to think of it as, again, in the startup, it's like every person matters, right? You don't have anybody that's not pulling their weight, but it also means that if somebody gets sick or leaves, you have a huge gap that you're going to be able to fill. And so,
We're trying to make these processes like documented and repeatable and reliable so that somebody else can step in and easily pick up the load if they need to. Or, you know, the team can cover a little bit, even though we're always short staffed, because we have this like documented and repeatable and done well.
Raj Krishnamurthy (39:18.768)
Are you, so the general assumption would be that most deals, whether it is M&A or your bank are getting through IPO, is done primarily on the business metrics, right? And security compliance has no role, almost no role to play. Are you saying that these deals can get derailed if you don't have a proper security compliance program, or are you saying that they will get delayed, or both?
Val Dobrushkin (39:40.354)
Absolutely.
I'm saying that, let's say you're doing an acquisition and the company wants to acquire you, you know, let's say for a billion dollars, they'll look at your contracts that you have with your vendors and they say that, okay, maybe you're earning, you know, 100 million annual revenue. But they look at the contracts and they say, oh, you have this customer that's paying you million dollars a year and they've asked you to do SOC 2 Type 2 on all five trust services criteria.
I look at your SOC 2 report, you're just doing security and confidentiality. You're doing all the other ones. So, you know, you're in a gap. I mean, you know, this is a very simple one, but there are other ones that I've seen where there are a lot of specific controls in there that they can see this is, you know, you're in breach of contract. So, and obviously, right, the company's acquiring you, it's in their interest to try to reduce your revenue. So they buy you for a smaller chunk of change. So they're looking for these gaps.
Val Dobrushkin (40:41.422)
contracts so that instead of paying you a billion dollars to acquire you, they'll pay you 900 million, because again your revenue is not at the level that they expect it to be to be recognized. And that was really interesting for me to like experience and see that, and I don't think we place enough emphasis on that in the security industry, that, you know, ultimately, right, most companies want an exit and this really makes a difference. So if we say we're
taking on these obligations and contracts, we have to be mindful that, okay, you know, if it's a startup early in their journey and they have to take this money or they're going to go out of business, that's one thing. But if you're closer to that exit line, you really have to evaluate, you know, which things that you're committed to because, you know, even during an investment round, they might come in and look at you. And again, you know, they want to take a higher percentage of your company to give you the same amount of money because your revenue is not at the level that you say it is because
there's security obligation meeting in your contract.
Raj Krishnamurthy (41:39.368)
Got it. No, I think that's a brilliant point, Val, and thanks for clarifying. So you're saying that the operational maturity, the overall operational maturity of the company, the security compliance, particularly the GRC team, plays a very vital role in establishing that maturity, right, and the valuation. That's brilliant. Val, I wanted to go back to solve for now, build for later. In fact, that's a brilliant way to theme it.
Val Dobrushkin (41:57.57)
Yes.
Raj Krishnamurthy (42:04.283)
and I love it. For I think many GRC professionals and to the person who is listening to the show, many of us struggle, right, in terms of how to do this. How do you solve for now and build for later? I don't think anybody would disagree with you. Any ideas, any advice that you can share in terms of how do we solve for now and build for later? How should we think about it?
Val Dobrushkin (42:26.638)
Think about where the company is heading, work with the executives, think about the markets, the types of products that they're building or planning to roll out and where those markets are going to be in terms of regulations and similar customer requirements or potential exit paths so that you have this story and this kind of gap assessment of
Okay, in three years, the company wants to be here. How do I, as a GRC leader, support the company to get there? And how do I build what I'm solving for now so that it's the least amount of work to get me to that three-year level? So, you know, as an example, right, you might start with a smaller SOC 2 or ISO 27001 statement of applicability where you have a limited amount of controls, but you know that, okay, you're going to sell into European customers
in a couple of years. So you're going to need to deal with your NIS 2 and your DORA and other, you know, Cyber Resilience Act regulations. So you look at the gaps that you have from now to the future and see, okay, which tools, which processes can I more easily adapt into? Or another example, okay, you're doing a SOC 2, you have international clients, but really you're just a SaaS company.
And the customers are starting to ask more for ISO 27001 because they don't care about American SOC 2 audit reports. But you can look at Cloud Security Alliance, you know, STAR attestation as, this is a much closer match to your SOC 2 report. It's a smaller effort and it's an international standard. So maybe instead of an ISO 27001, you pursue that instead. And that could be your, okay, this is my next year roadmap or two years from now.
So, you know, look at it that way and it's kind of like the shift left mentality as well, right? Which things can I help the business change now so that it has an impact and it makes it easier for us to reach those stretch goals in two, three years from now? And that maybe, you know, right now we don't have security by design or privacy by design yet, but what do I need to do to make that...
Val Dobrushkin (44:51.914)
and the easier thing for the business to adapt and accept next year. So it's like, think of the baby steps along the way, right? That would make your journey easier to reach that exit or whatever the vision for the company is in two to three years.
Raj Krishnamurthy (45:10.644)
Okay, that is brilliant. Start small, continue to keep looking at it from a business value perspective and continue to keep improving on it. Now, it makes sense.
Tricentis is a very interesting company. I think it has sort of created the market around shift left, especially shifting testing left towards developers. Do you see a correlation between that and what we do with GRC? And you talked about shift left just a minute ago. How do you see GRC shifting left?
Val Dobrushkin (45:45.55)
We saw it when we got the first modern GRC tooling coming out where we could get information about our gaps or our controls coverage on a weekly or daily basis when those evidences are connected, as opposed to the annual or, you know, semi-annual audits that we would do and be like, oh wow, I didn't realize I have these gaps in, you know, my asset inventory or, you know, my
MDRs are not actually deployed 100% everywhere. So I see this as an extension of that, that we have greater visibility into the gaps. So we're able to address them sooner rather than when we do these audits or when external audits find gaps. But it's also a mentality, right?
We have continuous improvement requirements and the extra standards that everyone kind of takes for granted, but they're there for a reason. Like everything we do, you know, every audit we go through, you know, internal, external, it's an opportunity to reevaluate and see what can we automate better? What can we learn faster? You know, where can we reduce the time we spend on these things? And that's everything in GRC. You know, how do we write our policies, right? How do we do our training? How do we...
get people to complete the training, make it more fun, make it practical, something that stays with them outside of work because a lot of personal good security hygiene is also impactful on the business. And instead of just, okay, I'll just rotate it and then roll it off and I get my checkbox. Or similar even like, I'm not getting the coverage or the completion of the training to the percentage that I need.
on the time they need, how do we make this easier? What's the problem? How do we educate? What are the stumbling blocks? The revenue sales, why has this taken so long for us to respond to these questionnaires? Or why are we not seeing as much impact on our trust center that we wanted it to have? What can we do better? So it's a continuous evaluation improvement journey.
Val Dobrushkin (48:05.92)
I was hoping, when Drata rolled out their first like customer trust portal where customers could see their vendors' security controls as kind of like a dashboard, I thought, okay, this is the future where we don't need to do audits. We don't need to do these questionnaires. Customers can see their vendors' security controls and practices just in the GRC portal, but that hasn't really taken off. We haven't seen the industry adapt
these practices, unfortunately. I'm still hoping something like that will happen. We have a lot of vendors that are trying to meet this with like integrations and have some kind of common portal that, you know, vendors and customers can access and then see documentation or some controls. And so I think potentially we're moving that way. At least I'm hoping we are. But
What I've seen the most is the GRC engineering practices where GRC teams are developing their own tools or processes. We're doing a lot more automation even with legacy systems to get the evidence, get the information faster instead of just manual audits, manual screenshots. So we're doing more of that. I don't think it's enough. I think...
We need like a security champions rethink where GRC is part of that. And I've done some of that at Cisco and ForgeRock and, you know, I haven't had as much success with it elsewhere. But, you know, I'm working on learning my lesson, continuously improving, trying to make that more impactful. But I think that's a great possibility for us to
Raj Krishnamurthy (49:49.878)
That's beautiful.
Val Dobrushkin (49:59.37)
shift left to educate the business, to understand where potential gaps or issues come in and where GRC can make a more meaningful impact. That's the thing I love about GRC, is we are so horizontally placed across the business that we touch almost every department. So we need a way to understand better, faster, but also to help others better and faster outside of our normal function where
you know, sometimes they would need us or we'd need them on this, you know, this annual audit comes up or this customer audit comes up. I need your help here. As opposed to now, like what are they doing right now where GRC can add visibility or has seen other teams do similar things. We can connect them so that they're getting the value from us just by being there, and they're more inclined to share with us, to involve us in their design processes and thinking processes and, you know, choosing the tooling.
So it's, there's still a long way to go. But I've seen a lot of progress in the GRC tooling and the GRC engineering space in the last decade that gives me a lot of hope that we're slowly moving away from the status quo.
Raj Krishnamurthy (51:00.646)
Got it. Got it.
Okay, love it. No, brilliantly said. We are approaching the end of the segment, Val, and I'll keep this as my last question. Something I noticed very interesting in your LinkedIn is that you used to be a management consultant and life coach. Now, can you maybe talk to us about what was that about and how did that help in your security and GRC career?
Val Dobrushkin (51:38.63)
It's helped me focus my own work to be more impactful. If I'm helping others make better decisions, then I need to make better decisions myself and see where am I really making an impact? And the life coaching kind of came out of my lifelong passion for mentoring. And I've been blessed with having great mentors throughout my professional career and outside and.
You know, I've always wanted to give back and there's nothing more inspiring than seeing others succeed and sort of, you know, helping them expand their and take off. And I bring that approach to leading teams or collaborating with others where, you know, I'm there to help others do better and figuring out, you know, the management consulting side of, okay, what are the obstacles that are impeding individuals' progress or a team's progress?
And the life coach is more of an inspiration. How do I get people to be motivated? You know, what inspires them? Which things within GRC or security practices do they find most meaningful that I can connect their work task to or their purpose to, you know, their life mission to. And similarly working outside of GRC, you know, what motivates others? How do I find that trust or common purpose that we can share and connect over and get them to do the right thing?
and understand how I can help them better.
Raj Krishnamurthy (53:06.311)
Beautiful, beautiful. And Val, if somebody wants to reach out to you for the birding engineer or somebody who is trying to get into the CGRC space, and if they wanted to reach out to you, what is the best way to do that? Are you open to it?
Val Dobrushkin (53:19.264)
I just, yeah, absolutely. There's always less time in the day, you know, as we grow professionally and have more connections and friends, but at the same time, nothing is more fulfilling than giving back and helping others. So whenever I can, I'm always happy to do that. Please reach out on LinkedIn, you know, send me a message, connection request. That's probably the best way to start that conversation.
Raj Krishnamurthy (53:24.689)
Hahaha
Raj Krishnamurthy (53:45.044)
Okay, well, this has been a fantastic conversation. Thank you for coming on the show. Sincerely appreciate it.
Val Dobrushkin (53:50.882)
Thank you, Raj. Really enjoyed it.