Who's In Your Cloud?
Episode 19: Compliance Discovery & Documentation

Jun 21, 2022 | CYBERSECURITY, Who's In Your Cloud?


Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. Brought to you by TechOnPurpose, this is Episode 19: Compliance Discovery & Documentation.

Last week, we discussed TOPcyber21 best practice number 18, Network Vulnerability and Pen Testing. Catch up on episode 18 to learn how to quickly discover your network’s weak spots, allowing your IT team (like TechOnPurpose) the opportunity to fortify your cybersecurity and mitigate costly and destructive cyber risks. 

In today’s episode, we will be breaking down our TOP cybersecurity best practice number 19, Compliance Discovery and Documentation. Here in episode 19, we’ll share how this cyber element is mission-critical for ensuring you have needed backing to maintain essential certifications and respond to normal and unplanned cycles of compliance reporting and potential litigation matters.

Stick around to learn from our cast of cyber experts about the crucial need for compliance, discovery, and documentation, as well as their available solutions that ensure your business remains compliant and secure. We’re very thankful to our cyber expert cast joining us today from Cyber Trust Alliance and Intelisys as they help us educate our clients and prospects on the road to #secure, reliable, trusted technology!

As a reminder, we began releasing a new episode every Tuesday, starting 10/20/21, and will continue to do so through early summer of 2022, with brief time off for holidays with family and friends. We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode. We hope you’ll find this an immersive, hopefully simple, educational, and enjoyable experience. So how do you tune in?

To easily follow the journey ahead, we’ve diversified your access options to all (23) of our coming episodes. You can follow along here on our blog or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered directly to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!


Lauren Lev  
Welcome back to “Who’s In Your Cloud?” TechOnPurpose’s vlog series where we explore the 21 steps to secure, reliable, trusted technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose and if you’ve been keeping up with the series, you should know that I am the host of this vlog series and that you can check out every episode on LinkedIn, Facebook, YouTube, and Spotify. Visit WhosInYour.Cloud to sign up for our free cybersecurity risk assessment, and make sure to subscribe and hit that like button down below. In today’s episode, we’ll be breaking down our TOP cybersecurity best practice number 19: Compliance Discovery and Documentation. We’ll be discussing what exactly this entails, and our cast of cyber experts will be telling you what services their companies provide to make sure your cybersecurity is secure, reliable, trusted and compliant. We have a familiar face back on the vlog today. We have from CyberTrust Alliance, Senior Information Security Officer, Jeremy Sadler. Jeremy, it’s been a while since we’ve seen that beautiful face of yours, so remind the audience who you are and what you do.

Jeremy Sadler  
Thanks a lot, Lauren. Great to be back. Again, really appreciate everything you guys do. CyberTrust Alliance specializes in health care, but in several other industries as well, assisting in enterprise risk management and risk assessments, including various compliance industries. An Information Security Officer role just means I’m the auditor and the guy that you see on a regular basis helping your business stay in compliance.

Lauren Lev  
All right, and new to the vlog we have James Morrison, the National Security Specialist and Cyber Evangelist at Intelisys. Fun fact is that James is former FBI, so I’m hoping that he’ll spill a little top secret information somewhere along the vlog. James, give a little bit more about your background and tell us what you do now for Intelisys.

James Morrison  
Yeah, probably not a lot of top secret coming on, I’m still somewhat responsible at the back end, right, you know, for that. But so yeah, I am the National Security Specialist for Intelisys. I’ve been with them about three weeks as of now. Prior to that, I did a couple years working for Hewlett Packard Enterprise as a cybersecurity technologist. I worked as a CISO briefly prior to coming over to Intelisys, but I’ve been in the tech field for 33 plus years. I did military for eight prior to my Bureau time and have found myself sort of in this world that we live in, right, where as tech moved forward, security became more and more and more important. And so my last eight years in the FBI, I worked in the Houston office, working in the Cyber Crimes Task Force as a Senior Computer Scientist tearing apart the data, you know, doing reverse engineering, malware and digital forensics and all that kind of fun stuff. So we got involved in a lot of cases, a lot of national security, as well as that rise of cybercrime, right, the beginning of ransomware 2014-2015. And now with Intelisys, my job is really to be that connection point between customers and providers. A lot of cybersecurity is rising, you know, customers are getting out there and they’re not sure how to even start this conversation. How do I get from here to there? And so they come to us, you know, sometimes through local brokers and then we connect them. So that’s our goal, it’s to really just find the right fit for each company. So I think it’s a great, great conversation on a daily basis.

Lauren Lev  
Awesome. Well, we’re very glad to have you here. You’ve come very highly recommended by your cohorts at Intelisys. So as always, we have our sassy and savvy TechOnPurpose Founder and CEO, Matt Tankersley, who’s trying to twin with me in our matching shirts today. You got the memo, I appreciate it.

Matt Tankersley  
I can follow instructions. Yeah, most of the time. Right guys, welcome back to all our audience and all of our cyber cast. Guys, thanks for being here with us today. A quick shout out to Mr. Sid from Cynet, we’ve had Sid on before. You guys might remember Sid from LastPass, he was an evangelist and cybersecurity evangelist. We loved having Sid on multiple episodes. Sid, we miss you buddy, hope you’re okay out there. So compliance, wow. You know, I expect we could have a year long series, and we’ve done this 21 series episode just on what we call our 21 best security practices. But breaking down compliance alone is, you know, probably a lifetime career journey. But you know, as we pursue the goal of simplifying the cybersecurity conversation for our many SMB and MPO and enterprise clients, we’ve broken this topic compliance into two main areas, discovery and documentation. And that’s what we’re going to talk about today, and then reporting and management. And I think we’ll find that we can’t talk about one without talking about the other. But hopefully, we’ll arrive on target here, and some of what you’re gonna hear today will be helpful, especially if you are in an environment or an industry or organization that has some compliance requirements. We’re also going to not have this conversation without talking even independent of compliance about what the insurance implications are of these topics. So there’s a very, you know, close line, if you will, between these two, as we started this series and said, Look, how do we help our clients and our prospects to make this complex topic simplified? Right? Well, you know, many times, we’ve had folks who just say, Man, I can’t afford cybersecurity or I just don’t understand it. Well, hopefully, we’re helping with that process. But more and more, what you’re going to find, like most of our clients, is your insurance company is not even giving you an option. So I expect we’re gonna be having a conversation about it. 
So in this session, we’ll try our best to focus on the facts and the solutions that aid with completing discovery and documentation that drives the accurate intelligence that we need for compliance, reporting and management. And then we’ll discuss all the things that helped to – or some of the things, as much as we can in our brief time – to help us assess and measure risk and so that we can benchmark that reporting, risk management exercise and measure and monitor going forward as our risk changes. There are a myriad of regulatory compliance frameworks that many clients will find themselves responsible for understanding, measuring and reporting. You might recognize some of the terms like PCI, or HIPAA or NIST or SOC, SOC 2, and that’s just a few of them, right? So we will not focus on any specific frameworks today, but hopefully we’ll answer the question, why compliance and where do I start this compliance conversation? I think we’ve got the right cast with us here, Lauren, to do that. So without further ado, I’d say we plug you in, Jeremy. Really quickly, talk to us about the why, when, how and who of compliance. And we’ll come back around and learn more about your organization and how you help with that. Let’s just talk about the issue. What is it? Why do we need it?

Jeremy Sadler  
Yeah, thanks, Matt. You know, it’s interesting, because we talked about compliance, and we talked about the importance of discovery and documentation with compliance. And the two go very hand in hand, and in that, one of the things we like to say at CyberTrust is, if it’s not written down, it doesn’t exist. Or if it wasn’t written down, it didn’t happen, right, because documentation is your only form of proof or evidence. And I love the list that you gave of various compliance frameworks, because regardless of what compliance framework you’re using, whether it’s regulated, and it’s being imposed upon you, whether that be HIPAA, PCI, or whether it’s self selected for something like NIST, or SANS, and you’re choosing it as a guideline, the only way you know how you stand against that compliance is to document and show evidence of what you’ve got implemented. And, you know, we find all too often organizations, they want to jump right into the doing. They want to, and it’s not to their discredit, but they want to, in many cases, put the cart before the horse and jump right into you know, remediation without really understanding where they are and without really having a clearly documented roadmap of where they’re trying to get. Too often, I’ll have organizations that have healthy security budgets or healthy security teams come and talk to me about, well, what SOC should I be using? You know, a reputable nationwide SOC that we can use for our security incidents, we’ve had a couple of breaches. And I’ll do a review of their most recent risk assessment and find that they’re missing 50% of their policies and procedures. And I go back and say, listen, these compliance requirements, these policies and procedures are here for a reason and they’ve got to be your starting point.
Whether the administrative controls are your starting point, or whether it’s the discovery, taking it a step back even further and saying, just discovering and understanding where you are, so that you know what your first step really should be and that that’s an informed decision, are all super critical in that compliance journey. Again, if it’s not written down, it doesn’t exist. And you can’t possibly know what your first step should be if you haven’t taken a look and documented what steps you have in place today.

Matt Tankersley  
Yeah, we say it often. You know, you can’t get to where you want to go if you don’t know where you’re at. That’s another way of saying what you said and not quite as smart as the way you said it. As we prepare to pass the ball to Mr. Morrison, do you have any horror stories that might spark an interest for a listener as to the downside of not documenting and not being compliant? Obviously, there are penalties or financial risks that you can receive from not being compliant, but more than that, we see people that are unfortunately, literally losing their livelihoods. What stories might you have that are worthy for a quick share with the audience?

Jeremy Sadler  
I don’t have a specific reference, probably better that way anyway that I don’t call them out by name. But there was a small dermatology practice out of Colorado that suffered a breach years back. And as a result of that breach, of course, the Office of Civil Rights had to come in and perform an audit. And in a lack of assessment and a lack of documentation, of course, one of the first things they will do is start to put together and require an organization to respond with a detailed plan of action for remediation, right, and some roadmaps and some milestones. And lo and behold, a couple years later the same organization suffered from another breach, and had zero documentation to show that they had done anything to actually remediate from the original audit requirements that were found by the Office of Civil Rights. Believe it or not, they got a free pass, went on to conduct business and suffered a third breach. It came down to a $1.2 million fine being levied for gross negligence. And we’re talking about a small sole proprietorship, dermatologist in Colorado, this is not an organization that has deep pockets by any means. And ultimately, it could have probably put them out of business. I honestly don’t even know if they’re still doing business at this point. But it all comes full circle to the idea that, you know, he may have been doing some things, he may have solicited his IT group to implement better antivirus, better patch management, more security controls, but if none of that was documented, and none of that was demonstrated with intelligible proof or evidence, it’s not worth a grain of salt.

Matt Tankersley  
Man, I hate to hear you say that, but I’m glad to hear you say that because I know clients right now that have been slow to adopt security practices, they didn’t do it until their insurance company told them that they had to. If you haven’t heard that yet, listeners, it’s coming. Right? And yet, now we’re 12 months down the road, so what they did is they subscribed to these three services. And there’s a significant portion of the services that require, you’ve been deliberate now you have to do something, we use security awareness training. And so now they’ve been subscribed to security awareness training for a year, you go look at their analytics, 5% of their staff has taken and completed their security awareness training. I do not want to be the guy on watch when they have a breach or they get inspected. And this data is there. You had the tools and you didn’t use them. And, you know, obviously, we’re taking measures internally to ensure that our clients are smart enough to make the right decisions or maybe we’re not the right partner. Right. Wow, what a great intro. I’m glad you gave that example, Jeremy, thanks for sharing. So, James, what about compliance? Why do we need this? Why is it important? Any horror stories you have from even the FBI side or even in IT?

James Morrison  
Yeah, I was gonna piggyback off that, because first of all, Jeremy touches right in my wheelhouse, in the government if it wasn’t written down it didn’t exist, right, that’s the maxim. You know, after 30 years of federal service that’s just the nature of it. But same thing, we had a company that did a pen test, you know, it was required by compliance. They did that pen test, pen test came back with multiple criticals, you know, these need to be fixed, a number of highs. A year later, they came back and did the exact same pen test and had the exact same findings. They had not fixed it. They said, well, I have to do this test for compliance, but they didn’t really. They didn’t think in their mind that they had to actually fix anything that was being identified from this compliance assessment. And of course, they suffered a breach. Same thing, you know, gross negligence, they didn’t get a pass on that second one. That first breach, that documentation came back and they said, yeah you were compliant, but you didn’t do anything to correct that. And therefore, they were held accountable. So I think when we talk about documentation, especially in the small and mid sized market, the first place I tell people to start is, you may have to go and get a virtual security officer because a lot of companies don’t have that. And so when you’re starting to look at what documentation is in place or not in place, do you have incident response plans, do you have disaster recovery plans, and then have you tested them? Right? A lot of companies will have those in place and they’ve never actually checked to see if they work. I mean, I tell the story of a company that, pretty small company, that their first rule with ransomware, they had this little playbook for ransomware, first rule was go in the data closet and unplug the internet. And so they show up at the door for the data closet and it’s locked. And they said, Okay, who’s got the key?
The IT manager has the key and he’s on vacation and they literally didn’t have a secondary key. I mean, it was something so basic that they were unable to get into the data closet without going and finding the building manager and actually getting that. And so those are some of the things and just testing and tabletop exercises so that you know, who do I call? When do I call? You know, when does my legal guide get pulled in? And so, I think that’s one of the first things from a documentation standpoint is there are, I don’t care what compliance requirement you have, they’re almost always going to ask you, do you have an incident response plan? Do you have a disaster recovery plan? And have you tested them? On top of that, then once we get past sort of that initial documentation, you got to know what you got to be compliant for. Some are obvious, right? So HIPAA, if I’m in healthcare, I know, HIPAA, or HITRUST, whatever. But privacy law right now, state privacy law is changing at a very fast pace. And we talk a lot about things like CCPA, the California Consumer Privacy Act. And people say, well, I’m in Texas or I’m wherever it doesn’t affect me, and that’s completely not the case. State compliance can reach across state lines. And a good example was California sued Delta Airlines because of their breach, because that affected X number of California citizens. And so data breach laws, there’s 50 different states and there’s 50 different state breach laws. It’s a crazy environment. And one of the things that I was always pushing for when I was in the FBI, and of course, I was kind of a small fry, was we need federal breach notification law that standardizes that requirement, and that’s a compliance requirement. But I think privacy law is going to continue to push that conversation. And right now there’s 356 different states with privacy laws going into effect, New York SHIELD Act, you know, California. But that could be as high as 12 to 15 by next year.
And so it’s a very complicated compliance legal requirement, and that’s why I think having external help, sometimes if you don’t have somebody who knows compliance, somebody who knows security, it probably is a good idea to get some help on that.

Matt Tankersley  
And, you know, we’ve just talked a lot about the need for documentation, we talked about the compliance perspective of both local, and of course, federal regulation. And if you’re doing business abroad, then you’ve got to get into GDPR, and other types of appliances as well. So this is not a topic that you want to be hearing about because you’ve had a compromise or a breach. The first and foremost thing that we would encourage anybody in our listening audience to understand is, are you compliant just because? Right? And use your crossfade examples. I’m sure a few light bulbs went off for me when you were mentioning that about how I can be liable. And I imagine if I had remote workforce in California-

James Morrison  
Well, or even customers, customer data, right? So if you’re large enough like- like even states or Texas’s state law is fairly low bar, I think it’s 1000. If you lose the data of 1000 people in Texas, you have a requirement to notify DIR. I as a private proprietorship have probably over 1000 names in my customer database or companies that I’ve done business with. And I think people have to recognize that and first know your home state, right? I mean, at a minimum know your home state’s compliance requirements, but then take a look at the data that you contain. First question I would say is do you need – you know, so this is kind of outside of documentation a little bit – but do you need the data? I tell people all the time, if you don’t need to store social security information, why are you storing it? Get it out of there, right? If you can have the like, for example, I was talking to one very small restaurant here in the Houston area up in Kingwood and they had 12 employees. And she was storing all of their employees’ information in a Google Drive and it was an Excel spreadsheet in Google. And I was like, you have their social security numbers there. And she said, Yeah, and I was like, why? And it was because it was convenient. It was something that they’d always done. I said, you need to get those social security numbers off and then the only time you need them is when you do tax requirements at the end of the month or end of the year whenever you do it, but you’re actually opening yourself up to at a minimum, some compliance conversation, but you may find yourself sued if somebody has to go and get identity theft protection or something like that.

Matt Tankersley  
Well, Lauren, as we transition into our second segment where we talk about the specific solutions that each of you helps managed service partners, like ourselves, and then their clients as well- Before we go there, we talked about really two things today, discovery and reporting really focused on reporting. And we focused a little bit on the implications and the potential risks of compliances and regulatory sort of things. But on the Discovery front, right? One of the things that we’re finding is that we have a portfolio of partners that will help with the discovery exercise. We have our own tools that help with the discovery exercise. And for our listeners out there, again, the number one thing if you didn’t pick up on it in every single episode, kind of tucked away in there, everything starts with assessment. If you’re not paying attention, we provide a free risk assessment questionnaire process, you can sign up for free at WhosInYour.Cloud. Lauren will tell you again about that at the end of the episode, but get an assessment. Now, from an assessment perspective, right? That’s a topic we could spend months on. We want to start basically, these are the questions you need to be asking and answering to determine where your risks are. Hopefully, we’re asking the right kinds of questions that give you the ability to provide a simple right kind of answer that goes near your critical medium and high risk areas, if you will, that helps us develop a solution set to help you focus on remediation of those risk areas, right? Then there are other kinds of paid services, that aren’t necessarily expensive, where we literally put testing tools in the environment and we scan all your devices and your servers and your workstations, and we see what ports are open and what services are running. And quite frankly, you know, might have been a brilliant kind of service to help you do your job easily two years ago, well, now they’re being exploited by malicious actors.
And it turns out, the risk is greater than the reward. Right? So any thoughts for the viewers right, on discovery best practices, besides the things that I’ve mentioned, or anything that enhances those things? And, James, I’ll start with you and we’ll go back to you again, Jeremy.

James Morrison  
Yeah, I think you’re talking about, you know, we talked about security assessments and stuff like that. But I would even talk about the idea of a data assessment, you need to know your data and where that data is stored right now. And it might be that, it isn’t very automated, there’s not a lot of automated tools to do that. So, if you’re in the cloud, for example, where in the cloud is that data stored? Those are conversations that are increasingly being had. If you say my data is stored outside the United States, you might find yourself, depending upon what your compliance requirements are, that that’s a risk factor, right? So, you know, when I talk about where’s your data stored in email? Do you use Team environments? I talked about earlier, using Google Drive, or some of these free file share locations, you have a responsibility, and that is going to be a compliance conversation of how do I share data between people inside my company, right? But how do I share that data outside of my company? How do I protect my customers? Again, I always come back to health care, because that’s very common. But when you’re sending data to your customer, do you send it as an open Word document or an open spreadsheet? Right? You know we laugh kind of about that, but I’ve seen it. Especially in some of the small hospitals, they’re like, Oh, I guess I have to do that differently. So you need to know how you’re handling the data, customer data, employee data, and then how am I going to classify that? And then how am I going to protect it? Those are gonna be some interesting conversations, I think, from a discovery and how you’re doing it. And then how should you do it?

Matt Tankersley  
That’s exactly right. Definitely a core part of our initial free risk discovery assessment is, where’s your data? How are you protecting etc. And viewers, if you take nothing away from today’s video, do not send usernames and passwords in an email, not to your IT company, don’t send it to your brother, your son, your daughter, your girlfriend. And I know there are easier ways, there are securer ways, and that’s not the way to do it. I can’t tell you- there’s not a week that goes by that a customer doesn’t send us a password in an email. 

James Morrison  
We’ve seen this with school districts recently where school districts have found themselves, they’ve suffered breaches, and they have HIPAA data, and they don’t think about that. You know, the school nurse could be storing data that’s considered sensitive or they’ve sent that data out to someone. So, we have to have a really good recognition of, especially in those general areas, like schools or municipalities, that data, the requirement of the data is not necessarily based upon what you do as a company, but based upon what that data is for and how that data should be protected.

Matt Tankersley  
Yeah, so Jeremy, you’re all over documentation, right? The documentation starts with discovery.

Jeremy Sadler  
Documentation starts with discovery. You know, James hit the nail on the head. I’ll tell you, I’m willing to bet you as an external auditor if I came into that restaurant owner’s establishment and asked him what sensitive data they store, process, or transmit, they’d look at me like, no we don’t have any sensitive data that we store, process or transmit. We’re a restaurant, what are you talking about? But lo and behold, you’ve got some sensitive PII, some social security data. Right? And then you start to ask them a question, Well, do you realize that if that data gets breached, you’ve got a state law that may or may not apply? You’ve got a federal Social Security Administration law that may or may not apply for breach requirements. And up to your point, right? I mean, a lot of businesses, they don’t even know what data they have, right? And so how can you even start the process of documenting and protecting your data if you don’t even know what data you have? Right. And so understanding and taking a very critical look inward to your business and your practice and what you do and what data may or may not be coming in and out of your businesses, understanding your assets, your physical software, and informational assets, and then how they’re connected and what data they’re sharing or accessing or transmitting is absolutely critical. Without that, you have no idea what you should be protecting, or where it might be, let alone getting into the very long conversation we could have about how silly users do very silly things with data. And even when you think you know where your data is, you’re probably wrong. Because it’s probably in your email, in your OneDrive, in your SharePoint, and your file shares and your thumb drives and everywhere else users will put it because that’s what they do.

Lauren Lev  
That’s a very nice way to put it, silly users will do silly things.

Matt Tankersley  
So Lauren, round two, let’s focus and let Jeremy and James talk a little bit more about specific solutions they provide in the marketplace to equip companies like ours and our clients to be successful with discovery. Let’s start with James. 

James Morrison  
So yeah, I mean, I think what we’re looking at is this is what like, so we’re kind of that brokerage of, of what does a company need? Right? Virtual services are the growing monster, and everybody wants someone to come in, provide that level of expertise, tell me what I need to do, what do I need to write, help them write it, help them develop it? So that’s where we help connect people to virtual CISO services, penetration testing companies, right? So you know, you guys are doing it and a lot of companies are in that space. So depending upon budget, depending upon what you might want, after that event, right? So, you know, you want to do a penetration test, you know, and then a vulnerability assessment or, you know, a compliance assessment. Compliance as a service is really this new area, we’re seeing some companies go into that, they’re going to help you not just on that front end and doing compliance, but a continuing compliance conversation. So we’re giving you a dashboard, where you can actually see what your score is right now, what is your current compliance score? And if you added this particular technology, how would it affect your score? Because, you know, sometimes we don’t recognize I passed my assessment, right? So I’m good. You know, now I’m going to add, you know, I’m going to SDR or I’m going to add remote workforce. And what do you mean, that affected my compliance? All right. So, you know, I always say every technology, everything you add to your stack, changes risk. And that’s whether it’s compliance risk, whether it’s your security risks. And so that’s where you’re seeing a lot of this continuing conversation of doing vulnerability assessments. I know we have a number of companies that can do ongoing vulnerability assessments, and they’ll do scans of all of your websites, and they’ll do scans of all of your public facing servers, and then let you know if there’s a vulnerability that maybe you didn’t have. We see that all the time. 
Follina came out last week, if you weren’t paying attention to Follina, the Office 365 vulnerability, that probably affects a huge number of folks. And that means we were talking earlier about patching. You know, if you only patch on that within seven days, you might find yourself non-compliant, and you didn’t even know. Last year was Log4j, next week it’s going to be something else, right? And so those are the kinds of security and compliance offerings that are out there that we help connect people to.

Matt Tankersley  
And that’s awesome. And let me summarize that and Jeremy, and we want to get your perspective on what CyberTrust Alliance can do. I apologize. But let me recap that for our viewing audience, right? James is with Intelisys, and Intelisys is this master distributor of technology solutions, right? So when you come to TechOnPurpose for our peers out in the marketplace, and you think you know what you need, or you don’t even know what you need, and it turns out it fell into these 21 best security practices, or 10 of them on the left side of the sheet as Jeremy said. You know, if we don’t have a solution that we know fits, we go to our partners like James and James is gonna send us to companies like Jeremy. Fortunately, we have a direct relationship with Jeremy. So but you know with Jeremy, we got Jeremy. With James we’ve got Jeremy and all his peers. Right. That’s the beautiful thing about the master distributor. It’s interesting that you said Follina breach right? So this is a beautiful thing that came up recently. I had one of my clients ask me, should I be on a support subscription with TechOnPurpose? Today they have a time and materials contract. That means whenever they want service, they call us. That means we’re not proactively monitoring their environment, we’re there when they need it. They asked us what are the benefits of this managed support contract, and we were talking specifically about firmware updates and patching for network devices, firewalls, switches, APs and everything. And guess what, if you’re not on my managed service contract, I will gladly do those for you when you ask me. Right, and you’re gonna pay me time and materials for my time for that. If you’re on my subscription service, then I’m going to be monitoring those for you. I’m going to probably suggest that it needs to happen when it needs to happen or I’m automatically doing it. Now the one that you mentioned, the moment that we saw that come out, we went through our managed clients.
Guess what, we have our agents on all of their machines, we knew instantly who had that vulnerability, we’re able to report that back. And we were able to instantly deploy a patch that basically removed the registry key, which had to do with RDP for those offices, right. And so we were able to instantly remove that. And that’s one of the many advantages to working with a managed service provider. I hear small clients that are keeping their IT team in house so that IT seems good and hardware.

James Morrison  
Well, and you were talking about documentation in particular, and I think this is a great kind of segue into it. You get reports. So managed services are huge right now. And that’s something else that we do, managed SOCs, you know, people having operation centers, and 24/7 eyes on glass. And all of these companies, including y’all can give back reports saying that in the last month, the last week, here are the things that we patched for, these are the vulnerabilities that we stopped. And so when we start talking about discovery and documentation, this is a huge treasure trove of I can show you that I’ve been protected, I can show you that, you know, what my money is paying for and what the return on investment is. And I think that’s so you know, it doesn’t matter the size of the company. And I’ll reiterate that over and over and over again, I don’t care how small you are, how small you think you are, the managed services are not as expensive as you think. But you aren’t going to know until you have that conversation. And let’s get you there. I’m very passionate about getting more secure. I say all the time, I hate the bad guys winning. And when I see it, it drives me bonkers, especially when I know it’s a company that just didn’t want to spend a little extra money to protect themselves or be a little bit more compliant.

Matt Tankersley  
And then in the end, it’s going to cost you exponentially more to remediate. So yeah, we actually have that with our clients that says if you refuse to adopt best security practices on a consistent basis and you have a compromise, and you want us to remediate, our prices are exponentially increased. Absolutely. Jeremy, talk to us about CyberTrust Alliance, what are you guys doing to deliver discovery and documentation solutions for your clients? 

Jeremy Sadler  
Yeah, great questions. You know, James is talking my language about being able to understand what you need to secure, being able to document and show what you’ve secured. So CyberTrust Alliance spends a lot of our time in providing risk assessment services, audit services, and we do it for a lot of different industries. We specialize and have grown out of health care. And we actually have a SaaS product offering that goes hand in hand with our risk assessments in that space. But I’m also a CMMC registered practitioner, and I specialize in DOD contractors and subcontractors that require CMMC certification or self-attested assessments even. To James’s point, get yourself a vCISO, so if you don’t know what you need, they’ll help guide you to what you need. A lot of organizations you know, you look at things like either the lower levels, CMMC self assessments, or even the industry agnostics, the NIST or the SANS and the select your own framework, trying to find something that matches your business that you can secure yourself against. Still having an internal knowledge of where to start can be very difficult, right? And so one of the things CyberTrust does is helps match up your business to your regulatory requirements. Whether that’s regulated or not, it measures and matches you up to a framework that makes sense for your business and then helps you navigate that audit or compliance requirements. It helps you to go through that discovery process, actually performs the documentation process for you in that audit or in those findings, lays all that out. It helps you to see where your gaps are against that framework, whether that’s again, HIPAA, PCI. We’ve gotten into partnerships with SOC 2, we’re not certified public accountants so we can’t sign off on a SOC 2, but we can help you navigate those requirements and at least understand where your gaps are before those SOC 2 auditors come in.
Or if you need us to come in and work with those SOC 2 auditors to help you as a business representative, we do that as well. CISO services, you name it. You know, James, I actually, I want to say this a different way. I love one of the things you said, and I’m gonna say it back to you in a different way. And, you know, I love what I do, because every day that I’m on the job is a day that makes it harder for the bad guys. Right? And that’s a day that we’re potentially winning, or at least coming closer to winning. I don’t know if I can say with a straight face, we’re winning right now. I really don’t think we are but we’re getting there. Every day is a day better. Every day it’s harder for them, it’s a day that is better for us than somebody else. So, you know, that’s in a nutshell what CyberTrust does, though, right? We help you to identify those requirements that are right for your business. We help you to map against those requirements, we help you to go through that audit process. And we don’t do it, as you know, that painful audit process that people think about. We’re there to be a partner of your business, we’re there to be a partner of your practice, you, or your organization, to help you find value in what you need to do as a security program to prevent that worst case from being you next time around.

Matt Tankersley  
Great session, great topic, deep topic. Obviously, it segues exceptionally well into next week’s topic, which is hey, we’ve done our discovery. Now we’ve done our documentation. Why are we doing that? Who are we reporting to? How often do we need to do that, we’re gonna start talking a little bit about that. I know, James, you said earlier about how you have these solutions that help you create a security score, how the moment you introduce anything new into your environment, it changes your risk, which inevitably changes your score. I love, Jeremy, that your platform, your SaaS platform that you mentioned, does that very thing by the way. And so I’m constantly trying to be a matchmaker in the marketplace. And, James, if your team hasn’t looked at partnering with these guys, I would certainly encourage you to do it, because they’ve got some impressive technology. I’ll piggyback on what you both said. So we’ll take rainbows and unicorns with us to the close today. But you know, we have a saying around here, we love what we do, who we do it with, and who we do it for. You guys are definitely the “who we do it with” category. And who we do it for, right, that comes from caring sincerely for our clients and our partners. And I think to your point, Jeremy, we’ve always cared for our clients. And in the past that was helping them to be operationally efficient, to be competitive, to do what they do with technology better than their competitors. And now it’s just protecting their doggone livelihoods, man, this is a real deal. And it takes the love factor, the caring factor to a new level. I’m glad you said that. A great episode, how about any final thoughts on the topic before we let Lauren close us out? Jeremy? 

Jeremy Sadler  
Yeah, it’s been a pleasure being here today. I really appreciate you guys and what you’re doing. The series is just amazing. I really hope that the customers, partners, vendors are getting as much out of it as I see opportunity for them to get out of it. It’s just phenomenal.

Matt Tankersley  
Yeah, thanks for being here again, Jeremy. Good to have you. James?

James Morrison  
Yeah, I mean, my thing is, it’s not a lone world anymore. Right. I mean, you know, back in the day, when we were first doing tech we all felt like we were people on an island and it’s not. There’s great features like this to help us navigate a much more complex security world. But you know, there’s no reason not to reach out and have a conversation with people around compliance and around security. There’s a lot of stuff out there and it’s not as expensive as you might think it was years ago.

Matt Tankersley  
And it’s not as hard if you’re partnering with the right people. So final thoughts for me, Lauren and guys, you guys are out there, especially you entrepreneurs, you’re SMBs and you’re trying to build a future for your family and your friends and your employees. And if you’re not taking cybersecurity seriously, then you’re putting that entire future at risk. And we say way too often, it’s unfortunate, it’s not a matter of if when, it’s a matter of when now. If you’re not adopting these basic security practices, complex passwords, multi-factor authentication, secure remote access, secure WiFi and all the best 21 practices, all of the discovery and documentation is muted. You’re not going to remediation. And the last thing, I think if I remember one of our earlier conversations, when you guys do your assessments and you get to the end, there’s an entire report that says here’s everything that’s broken, you need to go get this fixed. When you’re looking for someone to get it fixed, come talk to us. That’s what we do. Awesome, guys, thank you so much for being here. Lauren, take us home.

Lauren Lev  
All right, to start a free trial send an email to . We couldn’t have made it simpler for you. And sign up for our free cybersecurity risk assessment at WhosInYour.Cloud. Next week, we’ll be discussing compliance management and reporting. So now that you’ve done your compliance research, discovery, and documentation, how do you track and report variances or shortcomings in internal or third-party vendor compliance requirements? We’ll be discussing the systems, tools, and partners built for this very task, simplifying the process of management and reporting so you can focus on doing what you do best while we handle the rest. So join us next week for that. Bye, everybody. Thank you so much!


Ready for your free cybersecurity survey? Discover potential vulnerabilities for your business and get a copy of our #TOPcyber21 Best Security Practices to help get you started on the road to #secure, reliable, trusted technology! Subscribe to our blog to get episodes of “Who’s In Your Cloud?” delivered direct to your inbox weekly.