100% Compliant, Breached Anyway: Spektrum Labs CISO Joshua Brown on Why GRC Failed

Estimated reading time: 6 minutes

Companies pass their audits. Then they get breached. Joshua Brown thinks the industry should stop pretending those two facts live in different universes. Brown is Chief Information Security Officer (CISO) at Spektrum Labs, the Indiana-based cyber resilience startup. He joined the Cyber Insurance News & Information Podcast to explain why compliance keeps failing as a proxy for security. He also described what insurers might use instead.

The conversation runs wide. Brown traces how basic hygiene failures, not exotic exploits, drive most breaches. He explains why small businesses carry outsized risk with undersized budgets. He unpacks the lawsuits now hitting managed service providers after client incidents. Brown also predicts that continuous monitoring will become the industry norm within five years. He also names the sector he expects to deliver the next public wake-up call.

The link connecting all of it is a single distinction. Compliance is a promise. Security is a condition. The industry keeps grading the promise. “You can be a hundred percent compliant and still be breached,” Brown said.

That sentence should unsettle anyone pricing cyber risk off a questionnaire.

Podcast graphic reading "A CISO Explains, 100% Compliant, Breached Anyway" on a dark navy background with the Cyber Insurance News Podcast logo. Podcast covers continuous control validation.

Get The Podcast Here

YouTube

Spotify

Apple

Amazon

The Category Mistake

GRC stands for governance, risk, and compliance. In theory, it exists to produce better security outcomes. In practice, Brown argues, the industry conflated the paperwork with the protection.

Frameworks like SOC 2 and Sarbanes-Oxley began with noble intentions. They impose real burdens: policy construction, audit preparation, procedural discipline. Brown’s complaint is that companies now design systems to produce auditable artifacts.

“We should design for security, not design for compliance,” he said. Compliance should fall out as a byproduct.

The distinction sounds academic. The claims data suggests otherwise. Fully compliant companies get breached every day. Executives then ask why the security budget bought an unqualified SOC 2 report and a ransomware incident in the same fiscal year.

The Other 364 Days

Brown’s sharpest critique targets the attestation model itself. A company promises it runs multi-factor authentication everywhere. It supplies a screenshot. The auditor nods.

See also  Artificial Intelligence Risks - Are You Covered?

Even honest attestations expire the moment someone takes them. “They’re only good for the moment they’re taken,” Brown said. “Everything else after that is drift.”

What happens on the other 364 days of the year remains anyone’s guess. Point-in-time audits sample 30 days and extrapolate. Brown considers that extrapolation to be the industry’s foundational fiction.

He sees insurers arriving at the same conclusion the hard way. Carriers keep paying claims for insureds who were technically compliant but practically exposed. The gap between what applicants attest and what their systems actually do has a name in Brown’s telling: a truthiness gap.

Below the Cyber Poverty Line

The problem compounds at the small end of the market. Brown describes businesses that fall below what he calls the cyber poverty line. Think of a dental practice with six locations, no IT team, and a receptionist who once changed the backup tapes. That practice still holds health data.

These firms cannot staff a security operations center. They rely on software vendors and managed service providers to carry the load. Brown notes that insurers have started suing MSSPs after client breaches, demanding proof that the contracted services actually ran.

He sees a market failure here. “The cybersecurity industry as a sales function has failed these small and medium businesses,” Brown said. Enterprise budgets attract the vendors. The firms that drive most of the American economy receive the least attention.

Proof Instead of Promises

Spektrum’s answer is continuous control validation. Its Fusion platform, launched out of stealth last October, connects to a company’s existing security tools. It records their configuration state in encrypted, immutable tokens.

“We’re like a flight recorder for your resilience posture data,” Brown said.

The insurance application is the obvious use case. Brown says the platform can convert a cyber policy’s technical requirements into code and check them daily. He told us that 22 insurers and five brokers now accept the platform’s output as proof. The company’s head of insurance solutions, Max Perkins, made the market case on this podcast in January.

See also  CyberCube Launches Exposure Manager to Enhance Cyber Risk Assessment

The distribution side is already live. Spektrum embedded Limit’s wholesale marketplace into its platform in March, letting validated companies move from posture data to bound coverage.

The approach echoes telematics in auto insurance. Progressive’s dongle traded privacy for pricing accuracy. Continuous validation offers the same bargain to cyber underwriters. More data, better pricing, fewer disputes at claim time.

One early partnership points the direction. Spektrum and Sophos launched the Insurability FastTrack program in March, built around managed detection and response. Sophos reports that its MDR customers show a breach frequency below 0.01 percent. Insurers noticed. Discounted premiums and reduced retentions for validated MDR coverage followed.

The company is also staffing for growth. Spektrum named Mark Cravotta, formerly of Keeper Security and CoreView, as chief operating officer in late June.

The Wrong Question

Brown closed the conversation with a reframe worth stealing. Every CEO eventually corners a CISO in an elevator and asks whether the company is secure. Brown considers it an unanswerable question.

“The right question is how resilient are we?” Brown said. “Can we take a punch and come back from it?”

That reframe applies whether the puncher is Scattered Spider or a nation-state crew. Brown’s parting standard is blunt: attestations are not proof, and neither is evidence. Underwriters betting billions on questionnaires might want to sit with that for a moment.

FAQ – Continuous Control Validation

What is GRC in cybersecurity?

GRC stands for governance, risk, and compliance. It covers the policies, audits, and frameworks companies use to prove oversight. Common examples include SOC 2 and Sarbanes-Oxley.

What is continuous control validation?

It is the automated, ongoing verification that security controls are configured and working. It replaces annual attestations with daily evidence. Insurers and regulators are showing growing interest in the approach.

What is the “cyber poverty line?”

The term describes businesses too small to afford real security expertise. Think of a multi-location dental office with no IT staff. These firms hold sensitive data but lack the resources to protect it.

Who is Joshua Brown?

Joshua Brown is the Chief Information Security Officer at Spektrum Labs. He previously served as CISO at H&R Block. He joined Spektrum after advising the company during its early development.

What is Spektrum Labs?

Spektrum Labs is an Indiana-based startup focused on provable cyber resilience. Its Fusion platform records security tool configurations as encrypted, immutable tokens. Companies use that evidence for boards, insurers, and regulators.

Transcript – Confirm elements against the recording.

Leave a Comment

×