AsiaTechDaily – Asia's Leading Tech and Startup Media Platform

Interviews, 31 Oct 2024 5:47

Pramodh Rai Speaks: Cyber Sierra’s Journey in Cyber Governance and Continuous Controls Monitoring

by Gauri Ludbe

Cyber Sierra, a prominent Singapore-based Cyber Governance, Risk, and Compliance (GRC) platform, has recently been acknowledged in the Gartner® Hype Cycle™ for Cyber-Risk Management, 2024, as a Sample Vendor in both the Cyber Governance, Risk, and Compliance (GRC) and Continuous Controls Monitoring (CCM) categories. 

The recognition highlighted Cyber Sierra’s work in addressing complex cybersecurity issues for Chief Information Security Officers (CISOs) through a platform that seamlessly integrates GRC and CCM.

In an era where cybersecurity threats are becoming increasingly sophisticated and complex, organizations seek solutions to safeguard their assets and ensure compliance with evolving regulations. 

In June 2021, Pramodh Rai and Subhajit Mandal established Cyber Sierra to assist businesses in obtaining essential cyber insurance. While cyber insurance is crucial, it often presents complexities for many organizations. They recognized the need for support in developing strong cyber hygiene practices and continuous monitoring, leading to the creation of Cyber Sierra as a comprehensive risk management platform that integrates insurance.

The platform offers a range of features, including automated security alerts, threat intelligence feeds, anti-phishing measures, vulnerability scans, expert guidance, and employee security training. These tools empower organizations to enhance their security posture effectively. 

Recently, AsiaTechDaily conducted an exclusive interview with Pramodh Rai, co-founder of Cyber Sierra.

In this interview, Pramodh shares his perspectives on the growing complexities of cyber threats, the transition from traditional governance methods to automated solutions, and the role of Continuous Controls Monitoring in redefining how organizations approach cybersecurity and compliance.

Cyber Sierra was recently recognized as a Sample Vendor in Gartner’s Hype Cycle™ for Cyber-Risk Management, 2024, in both the Cyber GRC and Continuous Controls Monitoring (CCM) categories. How does this recognition reflect your company’s achievements and growth?

We view the inclusion in Gartner’s Cycle for both Cyber GRC and Continuous Controls Monitoring (CCM) categories as a sign that we are heading in the right direction in solving some of the most complex issues in cybersecurity compliance.

It also reinforces our core philosophy in managing cybersecurity – that there is no longer a one-size-fits-all solution to effective cybersecurity. There needs to be a comprehensive architecture which takes into account governance, risk and compliance along with real-time active supervision and monitoring.

Our platform incorporates both Cyber GRC and CCM to provide a comprehensive solution to the increasing complexities that are experienced by modern CISOs. 

While having mentions from leading industry bodies adds credibility to our body of work, it’s also a motivation to continue innovating as well as pushing the boundaries of what’s possible in cyber risk management. We are just at the start of a huge wave of progress and will remain focused on what our customers value.

The landscape of cyber threats is growing more complex each year. How have you seen these challenges evolve in recent years, especially for CISOs in the Asia-Pacific region?

CISOs the world over have a challenging job, and it’s only become more demanding with the shift from opportunistic attacks to sophisticated, and at times, state-sponsored campaigns. CISOs are trying to navigate complex regulatory landscapes while actively managing risks stemming from increasing cybersecurity threats across globally distributed networks.

Let me share what I’m observing in APAC – it’s fascinating how each country is taking its own approach to cyber regulation. For instance, Singapore’s cybersecurity laws are robust and applied in a systematic manner. In emerging markets, there are notable differences in how governments regulate cybersecurity, which influences how both the public and private sector are activated in tackling cybersecurity risks.

This regulatory patchwork can give most CISOs significant headaches. Consider running a regional operation – you might be fully compliant in Singapore but need different controls to meet Japanese requirements. CISOs must stay ahead of these changes to ensure compliance while maintaining a robust security posture.

Another critical issue we’re observing – and this is supported by IMDA’s findings – is the significant shortage of cybersecurity talent in the region. This talent gap affects how organizations manage and respond to threats. That’s why automation has become such a game-changer; these solutions are helping bridge the skills gap, enabling CISOs to maintain effective oversight of their security operations.

In your opinion, why have so many CISOs moved away from traditional, manual approaches to cybersecurity governance and compliance?

To be specific, we are seeing efforts in the industry that involve building upon existing GRC tools. This is happening for a few reasons. 

For one, the sheer velocity of cyber threats has made manual processes cumbersome and unsustainable. When you’re dealing with thousands of alerts daily and constant changes in attack patterns, having teams manually review spreadsheets and checklists is nearly impossible. We’re essentially setting ourselves up for a challenge that cannot be surmounted.

Second, the regulatory landscape is growing more complex. Based on MIT Sloan’s report in Sept 2024, more than 170 regulations have been passed in the past 2 years. Imagine a CISO who’s managing multiple regulatory frameworks while actively handling risks from increasing cybersecurity threats across globally distributed networks. This is no mean feat – and it’s only getting more challenging by the day.

Manual processes also aren’t cost-effective in the long run. A CISO has to demonstrate clear ROI and dedicate focus on many subtopics within cyber risk, and thus we are seeing an emergence of new categories of tools, including GRC specific to cyber.

In current times, there’s a real move to demand continuous assurance and automation to address cyber risk, which thus creates opportunities for new firms to innovate and also existing ones to evolve.

What’s been your experience with this transition? Have you seen similar drivers pushing organizations away from manual processes?

The most striking pattern I’ve seen in this transition is how the tipping point varies across organizations – what finally pushes an enterprise to choose automation. 

For some, it’s a painful audit finding or a near-miss security incident. I remember an APAC-based financial service firm that stuck with manual processes until they had a close call with ransomware. Their incident response was severely delayed because they couldn’t quickly identify which systems were at risk. That was their wake-up call.

For most, it’s often the realization that they’re spending a lot on cybersecurity tools but can’t effectively measure their impact or compliance levels. An enterprise I know was spending over 200 hours per quarter just collecting and validating compliance evidence manually. When we worked with the team to calculate the cost of those hours versus an automated solution, the decision became obvious.

What’s particularly interesting is seeing how the mindset has evolved. Five years ago, many CISOs viewed automation with skepticism – worried about false positives or loss of control. Now, they’re actively seeking ways to automate more of their GRC processes, especially in highly regulated sectors like banking and healthcare.

How does Continuous Controls Monitoring (CCM) transform the way organizations manage cyber risks compared to traditional, point-in-time assessments?

Let’s use an analogy to understand this. Think about how we used to handle home security – we would only know about a home break-in after it happened. And perhaps, in response, we would install an alarm system. This reactive approach, while common, wasn’t particularly intelligent.

Traditional point-in-time security assessments are similar – they provide periodic snapshots of an organization’s security posture, much like checking your home’s locks just once a month. While useful, these snapshots leave significant blind spots between assessments, during which security incidents could occur undetected.

Now imagine having a smart home system that not only monitors everything 24/7 but actually learns patterns and alerts you when something looks off. Maybe it notices your back door lock is wearing out or spots someone suspicious casing your neighborhood. That’s the kind of transformation CCM brings to organizational security.

Continuous Control Monitoring fundamentally shifts your organization’s paradigm from periodic snapshots to a real-time security heartbeat. However, its impact extends beyond intelligent and continuous monitoring. CCM democratizes security across the organization, moving it beyond the domain of IT and security teams. It helps embed security into organizational culture, transforming it from an annual compliance exercise into part of the organization’s DNA.

For CISOs, CCM enables a more strategic approach. Rather than dedicating hours to manual control verification, it frees them up to focus on addressing identified issues and enhancing security measures. Additionally, CCM streamlines audit preparation by maintaining continuous compliance evidence, eliminating the need for last-minute report compilation.

Cyber Sierra uniquely integrates CCM with GRC in a single platform. Could you explain how this integration helps CISOs better manage their security and compliance obligations?

Our vision at Cyber Sierra is to make security compliance easy for enterprises using AI. We see a future where security and compliance are powerful tools for business growth and innovation, one in which CISOs are strategic partners in the C-suite.

This is why we are building a movement that is revolutionary. Our platform is a complete relook of how organizations approach security and compliance. While we see early positive results, this is work in progress and we are excited to work with customers and design partners to progress on our current status quo.

Right now, most companies are managing dozens of different tools, each giving a view of a tiny piece of the puzzle.

Cyber Sierra seeks to enable an intelligent platform approach to the following use cases: Governance, CCM and Third-Party Risk Management. This is because we believe that true security isn’t about checking boxes – it’s about understanding your entire risk landscape in real-time. It’s time to bring the security theater into actual cybersecurity resilience work.

This integrated view helps organizations make smarter decisions about their risk appetite – essentially, knowing how much risk they can and should take on. With our platform, compliance and risk management aren’t siloed activities but part of the enterprise’s core business operations.

With Cyber Sierra’s AI-powered platform, CISOs get a platform that provides them near real-time insights and advanced analytics and constantly crunches data, looking for anomalies to flag for noncompliance. Less time to be spent on spreadsheets or manual checks. Our platform frees up CISOs and their security teams to reduce repetitive grunt work as well as integrate security operations with other business functions.

This is the future we’re building through Cyber Sierra.

Can you share how CCM supports the transition from reactive to proactive cybersecurity? What advantages does this give organizations in terms of risk mitigation?

CCM is pushing us into a proactive paradigm, in near real-time. As the CISO goes about his/her day, the CCM tool tirelessly crunches data, sifts through the noise to spot anomalies, and sounds an alert when controls break. No waiting, no delay. 

With the addition of predictive analysis to CCM, you can perhaps peek into the future too and glimpse into the potential threats looming on the horizon. 

Rai emphasized the transformative potential of Continuous Controls Monitoring (CCM) for organizations navigating the complexities of cybersecurity. He describes CCM as a game-changer, highlighting that it not only enhances security but also enables organizations to approach their security posture more intelligently. With CCM, organizations gain near real-time visibility into their security measures, allowing them to receive advanced alerts that help them identify and address vulnerabilities before they can be exploited by cyber threats.

This proactive capability means that organizations can adjust their security controls and strategies swiftly, ensuring they remain compliant with ever-evolving regulations. Rai acknowledges that while CCM significantly improves cybersecurity management, it is not a comprehensive solution to all security challenges. “Now, I am not saying CCM is a silver bullet. But it’s definitely worth keeping in your security arsenal,” he underscored.

This perspective encourages organizations to view CCM as a vital tool in their overall cybersecurity strategy, enhancing their ability to mitigate risks effectively in an increasingly complex threat landscape.

As we look to the future, the landscape of cybersecurity will continue to evolve with technological advancements and the increasing sophistication of cyber threats. Organizations will need to embrace a proactive mindset, leveraging solutions like Continuous Controls Monitoring alongside emerging technologies such as artificial intelligence, machine learning, and blockchain.

Rai’s insights highlight the necessity for businesses to stay informed about the latest security trends and best practices, ensuring they are equipped to manage risks effectively. By prioritizing ongoing education and strategic innovation, organizations can navigate the complexities of the cybersecurity landscape and maintain strong defenses against emerging threats.

Tags: founder interview, Startup
