Join us for a captivating FinTech Interview with Rachael Greaves, CEO of Castlepoint Systems. Explore the transformative impact of financial technology and how Castlepoint Systems is leading the way in driving innovation within the industry.
Rachael Greaves is a records and information management thought leader, and designed the Castlepoint command and control product. Rachael has consulted on large-scale records, security, and audit projects in government and regulated industries with complex integrated environments, and developed Castlepoint in response to the tension seen in organisations between compliance, usability, sustainability and cost. Rachael is a Certified Information Professional (CIP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Data Privacy Systems Engineer (CDPSE), and is certified in project, change, and records management. With a cultural anthropology and linguistics background, Rachael brings ethical, global and sustainable practices to the sector. Her innovative technology concept has transformed the compliance and risk management outcomes of multiple organisations, by automating the application of complex and multi-layered regulatory obligations to their data holdings. Rachael’s mission is to improve outcomes for citizens and stakeholders by helping governments and organisations to provide better, more accountable services.
Congratulations on winning the ISACA Innovation Solutions Award! How does this recognition impact Castlepoint Systems and its mission?
We’re incredibly proud to be recognised for our technology that makes information protection and compliance stronger, for both the organisations holding the data, and the individuals whose data they hold. We founded the company in the belief that there had to be an easier, more streamlined and manageable way to de-risk our networks and protect stakeholders. With Castlepoint, we have proven that this is not only possible, it is simple, and has enormous and rapid returns when it comes to efficiency, risk, and compliance. ISACA’s recognition of Castlepoint reinforces that cyber security strategies cannot be focused only on reducing the likelihood of breaches – reducing the impact of (inevitable) data spills is vital. The only way to do this is to know what you have, where it is, and what obligations you have to protect, retain, and dispose of it.
Can you tell us more about Castlepoint Systems and how it addresses the challenges of information governance and data security?
In both public and private sectors, good data has the potential to generate operational efficiencies, simplify service delivery, and reduce fraud and error. It is the fuel that will unlock the opportunities in artificial intelligence and allow enterprises to know their customers better.
Yet with increased awareness of the need for privacy and growing demand for tighter regulation, storing and using this information responsibly is also a major challenge. Threats are multiplying, adding additional complexity. Plus, the sheer volume of data that the world generates, while in itself an opportunity, also presents significant obstacles to not only finding the right insights but protecting them as well.
Put simply, it’s becoming increasingly difficult for organisations to manage their sensitive and high-value information properly. Fail to do so, and the repercussions can take years to recover from. Reputational damage, regulatory fines, and loss of trust (both in the public sector, leading to citizen disengagement, and in the private sector, leading to lost revenue) are all consequences of failing to be compliant in storing data and keeping it safe.
Being faster, more responsive, and smarter with data is critical to tackling these significant challenges.
That’s where Castlepoint Systems comes in. We are a category defining solution, providing a new paradigm for GRC. We provide full coverage of all data in the enterprise, for discovery, privacy, cyber, audit and records management, no matter what system or format it’s in. And we do this with true automation, using Explainable AI, and critically with no impacts on the enterprise. It’s invisible to general users, has no agents or connectors, doesn’t modify or move any source data, and doesn’t have a complex ‘rules engine’ or ML to supervise.
What sets Castlepoint apart from other governance, risk, and compliance platforms in the market?
Our full coverage, no impact model is highly differentiated, and is what has seen our company grow so rapidly across so many key organisations in our home market and globally. But one of our key points of difference is that we use, and have always used, ethical AI. Ethical or Explainable AI (XAI) is also called ‘white box’ AI. Castlepoint is built using an XAI called Rules as Code. In this model, the AI is trained on the actual policies and regulations, not on the source data. It then matches data it finds in the environment to those rules, showing exactly why an item or record falls into the scope of a particular obligation.
As well as being inherently explainable and transparent, this model is also much more efficient and scalable. With black-box models, you usually need to curate large amounts of training data, then supervise the learning process. This can be a large burden for governance teams, and needs to be repeated for every new policy or rule. XAI is much simpler to implement, and can be up and running in hours, without needing you to do the work.
Ethical AI has always been best practice, but is now becoming law in most advanced economies. Very soon, any automation or algorithm that can cause any impact on citizens will need to be explainable and contestable. This is going to make a lot of extant and emerging black-box AI solutions for GRC and cyber, such as ML, neural networks, generative AI, and LLMs obsolete for regulated purposes.
Could you elaborate on the concept of “complete visibility and control” that Castlepoint provides? How does it work in practice?
I designed Castlepoint to provide full coverage of all enterprise data risk, with no impacts. It sits in the network, managing content in place, without moving or modifying it. It is agentless, with no impacts on source systems. Invisible to normal users. And provides true automation, without burdening the governance team.
Our new model of managing information is to create a command-and-control position for GRC teams. From their ‘castle’, they can overlook the whole environment. The castle is the bastion from which the entire network is regulated, protected, and controlled. People, data, and processes go about their normal business in their own systems, and never have to be brought inside the castle walls. As long as they exist within the walls of the network, they are managed by and from the castle, without any disruption.
Castlepoint is the only system that tells you what information you have, where it is, and who is doing what to it – as well as what risk or value it has, what rules apply, and whether they are being met – without any impacts on the organisation or environment. It is relied upon by Executives, governance and compliance teams, auditors, and IT security to help them meet their obligations, boost productivity, and reduce enterprise risk. It addresses the entire information governance lifecycle through a single pane of glass.
What inspired you to found Castlepoint and develop a streamlined approach to de-risking networks and protecting stakeholders?
Repeated government audits and inquiries had found that almost all regulated entities were consistently failing in their obligations to protect high risk and high value information. We recognised that these organisations did have a strong appetite for governance, risk and compliance, but were limited by ineffective technology solutions. The available software for records, security, and discovery caused high impacts on users, systems, data, and governance teams, and created more problems than it was intended to solve.
We recognised that we needed a new way to manage information. It had to manage all types of data, in all platforms, on premises as well as in the cloud. It had to manage the whole information lifecycle holistically because security, compliance, and discovery are interdependent.
It had to apply any kind of rule to data – secrecy provisions, information handling rules, privacy obligations, and records retention policies. And it had to do all of this without any of those detrimental impacts. It had to be invisible to normal users, and not require changes to the systems they use. It couldn’t move or modify any data, or create a high overhead for governance teams to manage it.
The Data Castle paradigm was created. We built it with new AI technology, and architected it to be simple, scalable, and secure. It was the first true manage-in-place solution using AI, and was the start of a revolution in how information is managed. The Castlepoint product was rapidly adopted by Federal government departments within weeks of its release, and continues to be preferred by organisations of all kinds to help them know their own data, and manage their own risks.
How do you foresee the future of cybersecurity strategies evolving, considering the rising threats and accelerated breaches?
Cybersecurity threats can originate from anywhere. There is significant compliance and security risk inherent in the information businesses hold, and they have an obligation to protect personal and sensitive data. Increasingly, individuals on the Board are becoming personally responsible for taking necessary steps to protect data.
Cybercrime is a huge risk to businesses of all shapes and sizes, costing businesses billions – the average cost to UK businesses in 2022 was $3.9bn. In general, businesses have not kept pace with hackers and cyber criminals and now mostly find themselves struggling to catch up and patch the holes in their systems. The threat environment is growing, vulnerabilities are expanding and breaches are accelerating.
The only way to be fully prepared and to properly manage risks is to know exactly what data you have, where it is, what laws apply to it, and who has access to it. Relying on individual employees to properly understand risks and apply the right controls has never worked; businesses must do better and ensure their governance, risk and compliance processes are thorough and consistent, and that their ‘dark data’ is brought into the light and under control.
What challenges do organizations face in properly managing sensitive data and high-value information, and how does Castlepoint help address those challenges?
Large organisations must protect the information they hold about customers from unauthorised access or use. The best way to manage a risk is to avoid it occurring in the first place, which is why cyber teams often want to destroy risky data as soon as possible, to reduce the impact of a potential breach. Not having the data in the first place is the best way to avoid spilling it. But there is a conflicting regulation here – businesses are also required to retain information for recordkeeping and accountability purposes, with all that information subject to various jurisdictions. Records are an asset, but they’re also a liability.
There are different legislative demands around the world. In Australia, for example, following a high-profile breach of health insurer Medibank in 2022, in which all the personal data of every customer was accessed, the Attorney-General introduced a Bill to increase penalties for privacy breaches, now to be calculated as three times the value of the benefit obtained through misuse of data. The USA is well on a path to creating strict cybersecurity laws for organisations handling data, which will impact any organisation trading with the States as well as those based there. So, too, is the EU.
Laws are starting to change to deconflict retention and disposal, with a view to discourage hoarding of information about customers.
We may see the pendulum swinging too far the other way as a result of this response. When it becomes safer from a regulatory point of view to destroy customer records than to keep them, we can lose important information that those customers may want to rely on in the future for claims, compensation, or redress. The tension between records and cyber has never been more palpable.
We now have technology in Castlepoint to automatically harmonise conflicting regulation, across cyber, privacy, and records retention domains. It’s only by using AI that we can achieve this at scale, and start to manage our information in accordance with our customer’s best interests as well as our own.
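The two ideas above, rules authored from the policy text and matched against data with an explanation (the "Rules as Code" answer earlier), and harmonising a cyber "destroy as soon as possible" obligation with a records "retain for N years" obligation, can be shown together in a small illustration. The code below is an added example written for this page; it is not Castlepoint's code and does not describe how the product works internally. The rule identifiers, policy clauses, regular expressions and sample records are all constructed for the demonstration.

```python
"""Rules-as-code illustration: obligations encoded from policy text, matched to
records with an evidence trail, then harmonised where they conflict.

Hypothetical example for this page; not Castlepoint's implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str                  # constructed identifier
    source: str                   # the policy clause this rule encodes (constructed)
    domain: str                   # "privacy", "cyber" or "records"
    pattern: str                  # regex applied to the record text
    retain_years: Optional[int]   # minimum retention obligation, if any
    dispose_when_idle: bool       # cyber-style "destroy once no longer needed"


# Rules are written from the obligations, not learned from the data. Each one
# cites the clause it encodes so a decision can be traced back to the policy.
RULES: List[Rule] = [
    Rule("PRIV-01", "Privacy policy s.3: health identifiers are sensitive personal data",
         "privacy", r"\b(medicare|patient)\b", None, False),
    Rule("CYB-01", "Cyber standard 4.2: card numbers are destroyed once the transaction settles",
         "cyber", r"\b(?:\d[ -]?){13,16}\b", None, True),
    Rule("REC-01", "Records authority RA-7: financial transaction records retained 7 years",
         "records", r"\b(invoice|settlement|transaction)\b", 7, False),
    Rule("REC-02", "Records authority RA-12: health records retained 15 years",
         "records", r"\b(patient|diagnosis)\b", 15, False),
]

# Constructed sample records standing in for content found in place.
SAMPLE_RECORDS: Dict[str, str] = {
    "doc-1": "Invoice 4471 settled 2021-03-02, paid with card 4111 1111 1111 1111",
    "doc-2": "Patient diagnosis letter, Medicare number redacted",
    "doc-3": "Team lunch menu for Friday",
}


def match_rules(text: str, rules: List[Rule] = RULES) -> List[Tuple[Rule, str]]:
    """Return every rule in scope for this text together with the matched evidence."""
    hits = []
    for rule in rules:
        m = re.search(rule.pattern, text, re.IGNORECASE)
        if m:
            hits.append((rule, m.group(0)))
    return hits


def harmonise(hits: List[Tuple[Rule, str]]) -> Tuple[Optional[int], bool, str]:
    """Reconcile retention and disposal obligations across the matched rules.

    A retention obligation always outranks a disposal preference: the record is
    kept for the longest applicable period and disposal is scheduled after it.
    The conflict flag records that both kinds of obligation applied.
    """
    periods = [r.retain_years for r, _ in hits if r.retain_years is not None]
    wants_disposal = any(r.dispose_when_idle for r, _ in hits)
    retain_years = max(periods) if periods else None
    conflict = retain_years is not None and wants_disposal
    if retain_years is not None:
        action = f"retain {retain_years} years, then dispose"
    elif wants_disposal:
        action = "dispose when no longer needed"
    else:
        action = "no retention or disposal obligation identified"
    return retain_years, conflict, action


def assess(record_id: str, text: str, rules: List[Rule] = RULES) -> dict:
    """Produce an explainable decision: which rules applied, why, and the outcome."""
    hits = match_rules(text, rules)
    retain_years, conflict, action = harmonise(hits)
    return {
        "record_id": record_id,
        "matches": [{"rule_id": r.rule_id, "domain": r.domain,
                     "source": r.source, "evidence": ev} for r, ev in hits],
        "retain_years": retain_years,
        "conflict": conflict,
        "action": action,
    }


if __name__ == "__main__":
    for rid, body in SAMPLE_RECORDS.items():
        result = assess(rid, body)
        print(f"{rid}: {result['action']} (conflict={result['conflict']})")
        for m in result["matches"]:
            print(f"   {m['rule_id']} matched {m['evidence']!r} under: {m['source']}")
```

Every decision carries the rule identifier, the clause it encodes and the text that triggered it, which is what makes the outcome contestable; a reviewer can point at the clause rather than at a model weight. For doc-1 the cyber rule and the records rule both apply, and the harmonised action keeps the record for the seven-year period before disposal, with the conflict recorded rather than silently resolved.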
As Castlepoint expands its global reach, what are your key objectives and strategies for growth in new markets?
Castlepoint Systems is one of Australia’s tech success stories. Now operating globally, the business supports large organisations to map, assess, and control their data, helping them meet regulatory and governance controls and run a better business. Data governance might not sound the sexiest of subjects but it has real world consequences when it goes wrong. People’s lives are impacted by poor governance of their personal data, and it’s imperative that businesses have a good grasp of what data they hold, where it is and who has access to it – especially given today’s heightened threat environment.
There is a strong regulatory agenda in the UK and EU (and increasingly US) for our specific brand of regtech. The focus on records retention as a key component of privacy and security management makes us the best solution to address these regulatory pressures. Traditionally, cyber, privacy, audit, discovery, and records management have been treated as separate disciplines. But increasingly, they overlap:
- Cyber security – is no longer the preserve of national security agencies. All critical industry is now subject to natsec laws due to foreign state actor threats. All corporations are at risk of confidentiality, availability, and integrity attacks on their operational and IP data. Cyber is now everyone’s problem.
- Privacy – has always been vital to cybersecurity for internal staff records, due to trusted insider exploitation risk. But the Office of the Information Commissioner in the UK since 2016 has also been collaborating closely with the NCSC.
- Records management – privacy laws are changing across jurisdictions to require maximum retention of records rather than minimum, to reduce the impact of what are now inevitable breaches.
- And privacy and cyber laws in advanced economies require mandatory reporting, including discovering exactly what and who was breached, and auditing events leading up to the spill. And this has to be done in 12 hours in some cases.
Organisations have previously used one solution for each of these problems, which is inefficient and ineffective. We defined this new category of GRC software five years ago to provide one solution for all of these problems, in a compliant and sustainable way. There is a huge pull for what we do.
In addition, Ethical AI has surged to prominence. Consistently, when we compare ourselves to the market, we are the only solution offering compliant AI for regulatory purposes without impacts. Existing ‘black-box’ systems are about to be legislated out of existence for regulated purposes in the EU, UK, ANZ, and USA, and we are positioned in these markets now to address this emerging requirement.
Further to this, we can’t achieve the vision of making people safer if we only focus on Australia. The Manchester Bombing database disaster, the Windrush Generation arrival card scandal, the San Bruno Pipeline explosion, the Highway of Tears ‘triple delete’ scandal for example all happened in the UK and USA. We are a values driven organisation, and our vision is to change the way the world manages information, to make people safer. So we were born global in pursuit of this, and plan to provide the software everywhere it’s needed to improve outcomes.
How does being listed in the CyberTech100 and being recognized in the Innovate Finance ‘Women in FinTech Powerlist’ contribute to Castlepoint’s reputation and industry standing?
We have always participated in our community, both as a thought leader, and as a continuous learner. These awards are important to support, as they showcase not just us, but other incredible talents and innovations. We are all working together to make better outcomes for the wider community, and my gratitude always goes out to the volunteers who run these competitions and events for all that they do to make them successful.
Winning awards no doubt helps reinforce our credibility as a world-beating, category-defining technology. But it also reinforces our own people, and rewards and recognises them for all their efforts to make and maintain both an incredible product, and also an incredible culture.
What were some of the key achievements and milestones for Castlepoint Systems in the past year?
We continued our rapid growth this year, and our wide reach. We are now deployed across most Federal Government portfolios in Australia, and a wide range of State and Local government, higher education, critical industry, commercial, and for-purpose organisations. We established alliances with key partners around the world, and delivered incredible, holistic outcomes to clients in concert with them. We grew our team significantly, while maintaining our gender balance and intersectional representation at all levels. And we were recognised with significant global and Australian awards.
Of course, our company success is really important. But the greatest achievements have been in the work we have done (and helped to do). Last year, we ticked over 500,000 systems under management for our customers, more than 20 billion data objects. We helped find evidence of child abuse, we helped ensure Indigenous data sovereignty, we helped respond to hacks, and we helped prevent them. We made a real difference to citizens and their rights, access to justice, vulnerable people, and national security.
As Australia’s most outstanding woman in IT security, what advice do you have for other women aspiring to succeed in the tech industry?
There are many pathways into a technology career, and the transferable skills from almost any higher education are as valuable as the hard skills of coding and engineering. AI and cyber are about seeing patterns, thinking ahead, and finding solutions to problems. I used these skills, which I gained in my Arts degree, to become an analyst, and then an auditor. You do not need a STEM qualification, or even an appetite for coding, to be a cyber leader.
We must strive to achieve an equitable gender balance and create companies like ours, that represent community demographics. This includes not just equal representation of women at all levels and across teams, but also younger and older people, Indigenous people, migrants, people with a disability, and LGBTQIA+ people.
Can you share any future plans or upcoming developments for Castlepoint Systems that our audience should be excited about?
We have now entered the UK and US markets, with EU to follow next financial year. You will see a lot more of our brand of responsible, ethical AI disrupting the legacy ways of managing information risk and value as we start supporting even more organisations around the world who share our values.
In your opinion, what role does Castlepoint play in driving the advancement of information risk and security management, and how do you envision its impact on the industry in the coming years?
Knowing your data used to be an almost impossible task, in an environment of exponential data growth, collaboration, and, more recently, distributed remote workforces. But thanks to new AI like Castlepoint this capability is now incredibly accessible and non-disruptive. Again: the risk of not knowing your own data is clear, and the impacts are high – and now, a solution is accessible. Having command and control of your data is becoming as important to the supply chain (and regulators) as having insurance. The stakes are high and expectations are changing to meet them.