Who's In Your Cloud?

Episode 20: Compliance Management & Reporting

Jul 12, 2022 | CYBERSECURITY, Who's In Your Cloud?


Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. Brought to you by TechOnPurpose, this is Episode 20: Compliance Management & Reporting.

Last week, we discussed TOPcyber21 best practice number 19, Compliance Discovery and Documentation. Catch up on episode 19 to find out how to maintain essential certifications and respond to normal and unplanned cycles of compliance reporting and potential litigation matters through the use of compliance discovery and documentation.

In today’s episode, we will be discussing last week’s not so distant relative, Compliance Management and Reporting. Here in episode 20, learn how this cyber element will help simplify the task of tracking and reporting variances or shortcomings in internal or third-party vendor compliance requirements, so that you can focus on doing what you do best.

Stick around to learn from our cast of cyber experts about the crucial need for compliance management and reporting as well as their available solutions that ensure your business remains compliant and secure. We’re very thankful to our cyber expert cast joining us today from ConnectWise, JumpCloud, Keeper, and Stellar Cyber as they help us educate our clients and prospects on the road to #secure, reliable, trusted technology!

As a reminder, we began releasing a new episode every Tuesday, starting 10/20/21, and will continue to do so through early summer of 2022, with brief time off for holidays with family and friends. We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode. We hope you’ll find this an immersive, hopefully simple, educational, and enjoyable experience. So how do you tune in?

To easily follow the journey ahead, we’ve diversified your access options to all (23) of our coming episodes. You can follow along here on our blog or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered directly to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!


Lauren Lev  
Welcome back, you guys. I’m Lauren Lev, Marketing Manager for TechOnPurpose and the host of this soon to be critically acclaimed vlog series, “Who’s in Your Cloud?” 21 steps to secure, reliable, trusted technology. Before we go any further, hit that like and subscribe button down below. It really helps us out. And we’ll help you out by giving you a free cybersecurity risk assessment, which you can sign up for at whosinyour.cloud, because you can’t know where you’re going on your cybersecurity journey if you don’t know where you’re at. Okay, so pause right here. No really, like pause the video, press the down below and go sign up, whosinyour.cloud. Super simple. We’ll wait for you. We’ll be right here. Alright guys, welcome back again. Today we’re moving on to top cybersecurity best practice number 20, compliance management and reporting. The not so distant cousin of last week’s topic, compliance discovery and documentation. So now that you’ve done your research and documented all the things, now you have to track and report your data while ensuring you’re following your industry’s compliance requirements. Well, what I don’t know is the answer to that question. What I do know is that I’ve brought along this team of sassy and savvy cyber experts to answer that question for me. So joining us back on the vlog, we have Frank DePrisco, Director and Head of Cybersecurity Task Force at ConnectWise. Frank, that is a mouthful, but congratulations on your new title. I feel like we’re below your pay grade now, so thanks for coming back.

Frank DePrisco  
No, so I was part of the IT Nation Team, and we created the secure group last year. We’re made up of cybersecurity experts and every one of us has over 20 years of experience. And our goal was to put together training and education for our partners around cybersecurity, because we saw there is a lack of that, or very expensive. So we created some programs, we created a framework, we call it the MSP+ framework, which is based off of NIST and ISO and some others that are geared towards MSPs. Because there are things MSPs and small businesses can’t do that the enterprise level companies can do. So we wanted to create something to guide MSPs towards having a framework and we’ll talk a lot about frameworks. And we’ve talked a lot about frameworks. There’s a lot of frameworks. This is just another one, but we think it’s a good one. But then a few months ago, maybe three or four months ago, we created these business units at ConnectWise. And one of them is cybersecurity, which is led by Raffael Marty, who’s the GM of our cybersecurity business unit. And my team moved over to him. And so we couldn’t say IT Nation Secure anymore because we weren’t under the IT Nation. So we created what we call the Cybersecurity Task Force. And I’m working this month to define what that is, what we’re going to deliver for our customers and our partners this year. So I’m meeting with a lot of different people trying to put together what we’re going to do and a lot of it’s going to be around compliance. I know vendor risk management is a big piece of that. We have a partner program, and education and training are still going to be a piece of that. So we got a lot to do for the rest of this year.

Lauren Lev  
Next up we have Chase Doelling, Principal Strategist at JumpCloud. Chase, we always love having you on and before you logged onto the recording, I was saying basically that I think you deserve the Miss Congeniality award because you always respond, you always let me reschedule on you 50 times. I appreciate it. But tell the audience a little bit more about who you are and what you do at JumpCloud.

Chase Doelling  
Well, I appreciate that and I’m so glad to be here and come back and I love these discussion topics and to dive in. So I help look after a little bit more of our internal strategy within JumpCloud. But I spend most of my time externalizing that to all of our customers and partners and making sure that, you know, we can do just that. And we can easily add in security where they need it and make it seamless for everyone involved because you know, this is our new day to day and so we can operate and keep all that together in one place. That’s really what the name of the game is. 

Lauren Lev  
From Keeper, we have Director of Product Management, Bond, Zane Bond. I bet that is the first time you’ve ever heard that.

Zane Bond  
I have never heard that. I’ve never come across that. I wonder what that’s a reference to?

Lauren Lev 
Oh no, it just sounded really good. Well, remind the audience what you do and what have you been up to since we’ve had you on last year? 

Zane Bond  
Sure. Absolutely. So I’m in the product management group at Keeper Security. Keeper Security is our enterprise password vault, amongst other things. But we do just about everything you need around password security, privileged access, and things like that. Within the product group, I get the really fun job of coming up with cool things to do going forward and then telling the engineers to do all the hard work. It’s really a sweet gig, I enjoy it a lot.

Lauren Lev  
It’s kind of like what I do to Matt. New to the blog is Greg Vlahos, Director of Sales at Stellar Cyber, right, you’ll do a much better job of introducing yourself to the audience. So please take it away.

Greg Vlahos  
Thank you, Lauren. And I’m just grateful to be part of the savvy and sassy group here. First time I’ve been included in that kind of classification. So thank you guys for having me. Been with Stellar now since January. Really, my role is just to be kind of a concierge, I’d say, to our MSSP community, so just here to help serve them and grow our relationships and that together, so that’s kind of my role with the company.

Lauren Lev  
He is my always very sassy, sometimes pretty savvy boss, the TechOnPurpose Founder and CEO and cyber evangelist. He’s a very busy man, you guys. So we’re very grateful to have you on, Matt Tankersley.

Matt Tankersley  
Welcome back, everybody. Thank you, Lauren. It’s good to be here. And we’re grateful for each of our cyber casts with us here today, guys, thank you for being here. Frank, sorry you’re missing your happy hour, man. We’ll try to get you there quickly. So to all our listeners and viewers guys, this is episode 20. We’ve come so very far in our mission to help educate and equip you all on the road to secure, reliable and trusted technology, so be sure to catch all those past episodes first chance you get before we dive into this next to last series topic. Let’s do something we haven’t done before, Lauren, let’s recap what we’ve talked about in the shortlist of our TOPcyber21 best security practices. It’s the first episode we’ve done, we’re gonna see how this goes. And if it sucks, then guys, we can edit it out, how about that? I think it’s important too, that all of our audience listening to this later episode and some of the team that hasn’t been with us understands kind of what we developed here and our strategy of achieving secure, reliable, trusted technology through these tests. We want security practices. So let’s start at number one. I’ll run through this quickly, right? Security awareness training – If 97% of compromises are the result of end user error, why would you not be doing the simplest of best practices and training your team? It’s easier than you think and it’s not expensive. Dark web monitoring, number two, know when your credentials are at risk before threat actors have time to use them in dwelling your network. Number three, complex passwords and password management- insert Keeper. Number four, identity and access management including SSO and MFA guys, that’s not an option and welcome back, JumpCloud, one of our favorite IAM platforms. Number five, security updates and patch management. We do this stuff in our sleep. Let TechOnPurpose help you with that. 
Number six, managed endpoint security, it’s not just about anti-virus, but it is the basic building block for securing your devices. Number seven, DNS and web filtering security. Number eight, it goes by many names and definitions, but what will it mean for your company? Zero trust, that’s a big buzzword in the industry and a lot is going on right there. Number nine, you’ll have to forgive me, Mr. Ivan Paynter, who will certainly be listening, who’s not absent: don’t click shit. How do you protect yourself here, right, email and phishing protection. We got to have that, right? Number 10, cloud SaaS backup. Keep that email, OneDrive and Google Drive incrementally backed up so you can rapidly recover missing or compromised data. Number 11, data encryption is generally free and inexpensive, it’s not hard. Number 12, mobile device management, allows access from users to critical systems only on the devices you authorize and from the locations you permit. Number 13, advanced threat protection, at the network edge, this is your firewall but on a little bit of steroids there, right? Number 14, wireless security. Absolutely one of the most exploited attack vectors at work, at home, at the coffee shop and abroad. How do you secure this? We’d like to help you with that. Number 15, secure remote access, how to protect your remote access data and systems from the compromised WiFi you just connected to. Number 16, server backups and BCDR, same as cloud SaaS data but even more important. Can you instantly recover data and systems in the event of compromise or hardware failure? Number 17, managed or extended detection and response, XDR helps us to correlate data from all users, systems, devices, networks and locations to proactively identify and remediate risks and cyber attacks. Thank you, Stellar Cyber, for being here. Number 18, network vulnerability and penetration testing. How do you tell if TOPcyber21 best security practices one through 17 are working? Let’s do some testing. Right?
Number 19, compliance discovery and documentation, how you get your ducks in a row to ensure you and your vendors are compliant with regulatory requirements. And today, number 20, compliance reporting and management. Lastly, don’t forget next week, we’ll talk about the final and vital topic, cyber risk insurance. Guys, that was a mouthful. Here’s the moral of the story. There is zero silver bullet in cybersecurity, it takes a comprehensive action plan to prioritize technology and solutions to effectively mitigate your risk and keep your company from being just another headline tragedy story. Don’t delay, get it right. Get your free risk assessment today by visiting whosinyour.cloud, we will equip you with your A to Z cybersecurity plan. And that’s it. I’m done. Let’s get this one going, Lauren. Frank, welcome back. Let’s talk compliance reporting and management’s cybersecurity best practices.

Frank DePrisco
We at ConnectWise, we’re a member of the Shared Assessments organization where we use their tool, it’s called a SIG, and it’s an ongoing implementation where we can update and add to our compliance. And so it’s constantly being tracked and monitored because we also need to report to our partners who ask us, you know, what are you doing for compliance? So our main focus has been SOC 2 over the last year. So we also get a HIPAA certification every day. And we’re working towards CMMC and ISO 27001 over the next couple of years, because we take compliance seriously. And one thing we did, and I did this at the company that I was working with, is created a trust site on our page. So our prospects, or people looking at us, can go to our page and see what we’re doing. And we make it open and aware for everybody to be able to see that.

Matt Tankersley
Frank, that’s a great introduction to the topic and we’re gonna pass that ball around the horn a little bit. I want us to just go format here. And that was a great segue. Apologies. But we want to talk about the issue, which is exactly what Frank just did, what is reporting and management and why is reporting and management and potentially what’s the risk of not doing this correctly. I think that’s important for our listeners to understand. And then we’re going to talk more specifically about the particular approaches that both of your or all of your companies focus on, all your company’s stake, so it’s sort of a round two. And Lauren, who’s next on our Hollywood Squares today?

Lauren Lev  
We will go Chase. Chase, tell us why compliance management and reporting is important, and why our listeners should even be paying attention.

Chase Doelling  
It’s important because it also marks several different milestones as terms of an organization. And so you can almost think of it as you know, starting at 10 people, right? And so it’s like that might be a little too much overhead. But security is really important, because you’re just starting out. But then as you continue to grow, there’s other milestones in terms of are you growing the team? Are you getting funding? All of these other different pieces, and every time you go through that, there’s these challenges that organizations say like, I promise, I promise, see, like we’re doing all the things. And so it’s just that external validation to go through that. But what it also does is it acts as a forcing function, because a lot of times people have a sense of what the technology pieces are, but they also don’t have a sense of how they’re all tied together. Right. So for example, we host in terms of identities and devices and securing those. But it’s also important to link those pieces and say, yeah, that data on that managed device is now encrypted. Now, we’re also bringing that into having multi-factor costs there. And so, having that kind of combined approach and understanding the layers that it’s involved with, helps the team come to a good understanding of what can we take on, what type of investments can we have to help mature the organization and kind of up level the infrastructure they have, right? Because this might be competing against a couple other other priorities in terms of you know what security practices we need to implement and all these other pieces. But understanding what the goalpost is and how to get there as an organization, is really important to understand from the beginning, because it really helps set you up to scale within the growth and really kind of become a contender in any industry that you’re operating in.

Matt Tankersley  
Greg, that’s a perfect segue, because I was gonna say, right, we’re talking a lot about the what and why of reporting and management. Sometimes, when we use the word compliance, we start thinking really quickly that well, I’m not HIPAA required I’m not HIPAA compliant, right? I don’t, I’m not a health care provider, you know, I don’t have to have these compliances, I don’t have to report to the government. The reality is, more and more, the two factors of insurance, your insurance companies are starting to demand that if they’re going to insure you. You’ve got to have a lot of these compliance things in place that otherwise you might not want to have. And the second thing is, I think we heard about this in one of our last episodes, we’ll certainly hear about cyber risk insurance right, regardless of whether you are regulatory required to follow any kind of framework. If you do have any kind of compromise, your documentation that you have around that these are the key things. We talked about documentation last week, right? These are the things that are going to save your backside when you start having to work through legal hoops. Right? And so we’re going to turn it over to Greg. Greg, I’m confident that Pinkertons doesn’t have to follow Pinkertons BBQ down in Houston, that you love. They don’t have any compliance requirements to follow theoretically other than is their barbecue tastier than the guy down the street, right?

Greg Vlahos  
I don’t think they will. But if they keep growing the way they’re growing, they’ll get to a point where they will, they’ll fall into some category, right. I think there’s a general understanding, at least in the US. Because I think until Europe kind of came out with their compliance, we were kind of leading the way here on industry standards for compliance, mostly because there’s an understanding that cybersecurity is a real risk to our economy, and to our citizens as consumers. And so the government, you know, they’ve got a couple of ways that they can take action. One is to create taxes, you know, we can tax the companies that are doing a poor job with security, we could subsidize the ones that are doing a good job with security. They’ve chosen to regulate as their means of impacting this threat. Problem is, as you mentioned, it’s very siloed. Right? There’s different industries that compliance falls under, and there isn’t a general one for all businesses across there at this time. And because it’s siloed, some industries are not going to be compliant yet. I’m confident that most businesses, as data privacies get stronger and different areas get stronger, we’ll all fall under that. But the question was compliance reporting. So now that we are in those categories, and we have to create compliance reporting, reporting and management, what does that give it? Well, auditors. So being able to report on how you’re compliant, how your data is stored, what security measurements are in place, at least you keep it that regulation that the government in that silent hand that they have, you’re able to show and demonstrate to them that you’re meeting those checkboxes. 
Insurance. Right now to get cyber and security insurance, which is one of the fastest growing, if not the fastest growing insurance vertical right now, they’re going to require that you can demonstrate that you’re meeting compliance, and how are you securing and what places do you have, what measures in place, and to do that you need some kind of tool that takes the aggregation of all the actions you’re taking and can report on them. And then forensics, right, God forbid something goes wrong. And you need to demonstrate, you need to have a background of what actions have taken place and forensics of your data logs and storage. From there, the last thing that having that management tool, that capability, then can pivot you from a place of checkbox security, and pivot into a proactive one where you’re correlating, you’re actually taking a certain strategy towards protecting yourself and your data.

Lauren Lev  
Mr. Bond?

Zane Bond  
I think it really ties into a lot of the similar topics that just got brought up here. Right. So compliance frameworks themselves, they’re kind of like the set of standards that raises all the boats in the harbor, right? Like, across a particular industry, like for PCI, anyone taking credit cards, like you must have this minimum set of things, you must be like this responsible with credit cards to take them, or if you’re publicly traded, you have SOX compliance, or if you have like medical data, you gotta have that, right. So the frameworks themselves try and set that bar to just say, you must be at least this secure, this good with data, or at least most documentation. So I think from a perspective of companies buying solutions, or at least trusting other vendors to work with their data, having these various certifications and adherence to compliance just at least gives them a certain amount of trust, like, oh, well, you’ve got your SOC 2 compliance. So I know you’ve at least documented what happens if something bad happens, right? So from an industry perspective, it’s kind of better than individual frameworks, they vary wildly. Some are really generalized and leave a lot up to interpretation. Some of them are a lot more prescriptive. And as long as the frameworks themselves have some room to evolve, like PCI continually comes up with updates and revisions, the library for auditors and people handling and processing credit card stuff, but it really just allows, as the cybersecurity landscape evolves, as threats and, you know, defenses evolve, like at least those things continue raising up there. On the reporting side, man, so many times it’s kind of an afterthought. It’s like, alright, we’ve got this thing that does this cool stuff and protects us, and, yeah, we’ll get to the reporting. And I find that’s very often, like, a completely backwards way to think about it. 
When you’re implementing a solution or product, a goal or adhering to a compliance framework. Think about what you want the output to be like, What do you want the report to look like? You know, do you want a list of all your check boxes? Do you want this if you understand what the output looks like, and you kind of define that upfront, like, I want to be able to say that I’m good across all these frameworks and have this But it kind of you work backwards from that to build the business process and implement the business process to accurately communicate that we find so many times, you know, especially when compliance is just, it’s tough. There’s so many things you have to do. It’s this endless list. That’s why you have products that help you and solutions and auditors and all that, but understanding what the output is really helps you work towards that.

Matt Tankersley  
Yeah, good stuff, Zane. Thanks for that. Lauren, I think, you know, if I’m a listener right now and I have no clue about how to do reporting and management, I think, I don’t know that we’re going to answer that question for them in this episode. And hopefully, we’re gonna give them the information they need to get started on that journey. And I think that each of the folks that are with us today have tools that help in that documentation, discovery and reporting process. And I think as we shift gears in the second part of our episode here, I’d like to hear a little bit more about how your teams are intentionally designing your products to be able to report against these compliance issues that insurance companies might be asking us for, that the government might be asking us for through HIPAA compliance. I do want to give a plug for a few of our partners who are here today, this is what they do. They build platforms that procure and allow you to keep the documentation in one place, as Frank was talking about and others, and report year after year, and month after month by your compliances. So we got our friends over at OneTrust Pro, I think they’ve been on an episode with us. We have our folks at CyberTrust Alliance over in Austin, they have a great platform that has all these metrics and analytics. And so none of those tools work without these tools right here that we’ve got on this episode, which is where all this data comes from, guys. So Lauren, I’m not sure what you were thinking about next. But I’d say let’s make sure everybody is helping us understand in our last round, what are the tools and intentions that your company has to meet this need? Where would you like to go first?

Lauren Lev  
Chase, let’s go to you first, what products and methodologies does JumpCloud have to keep users safe and secure through compliance management and reporting?

Chase Doelling  
Yeah, absolutely. So a lot of compliance is really kind of answering the question, who had access to what and what did they do? The good news is, you know, being an open directory platform that we’re also managing devices and identities and all those access points, is we are able then to collect all those different pieces into one area. So it’s really helpful for folks to understand, right, when they’re joining an organization, where do they start? Which applications they shouldn’t have access to? When they’re opening up their device for the first time? What types of privileges are right and should we grant them sudo? Or not? Or should we, you know, if they’re elevated privileges, we need to think about having that person, but then also kind of behind the scenes of as that’s happening live, you know, tracking what that looks like. And then making sure that all of those permission sets are granted. And so that’s kind of the beauty of JumpCloud, is we’re able to grab all of those different types of technology and inputs that are required for compliance. Right. So like, are those drives in this good? Or is USB blocked? You know, do we have a lock-screen setup? Do we have multi-factor authentication on all resources, some resources, depending on what that looks like, network security, all of those different pieces of just kind of getting your job done and thinking about all those different access points. That’s really the power of kind of bringing that ends, because we’re able to have our fingers across all of those different areas. So we’re able to put it into one dashboard, one, you know, essentially export, right? You can pull out and say, Look, you know, here’s the running log of everything that’s happening across my organization. And we don’t have to spend mind numbing, and balance the right kind of going from system to system and try to piece together what should be a good security posture picture.

Matt Tankersley  
Love that. And then you’re doing a great job of curating all that data in one place. And then how do you correlate that data into intelligence that can help you to do threat hunting and things of that nature. And that’s where Stellar Cyber, that we’ve had the pleasure of working with in recent days, where in fact, I had a light bulb. And this is one of the beautiful parts about what we do, Lauren, in working with so many vendors and partners, is we get to see where there are synergies. But, Greg, we need to be working on a connector to JumpCloud. In fact, we do a lot of JumpCloud. And there’s a whole lot of intelligence coming from that platform that will allow tools like yours and partners like us who use your tools to curate more intelligence through one source. All right, Lauren, where are we going next? Great job, Chase.

Lauren Lev  
Perfect segue. Let’s take it over to Greg.

Greg Vlahos  
All right. Yeah, so compliance and reporting management. How do we help? Open XDR is exactly that. So Open XDR means data source, everything. So we will create a connector, as Matt just requested, for any software, any product out there to get into our platform. So we go a step further. So just getting the data in there is going to help you with all that, we’ve got canned reporting for the major compliances out there. If you fall into more of an obscure one, I’d call Matt up and ask him to create one in our platform, which you can do. But taking it from there and actually then doing something with all that data centralized. That’s where we, you know, we add value on top of just meeting checkboxes, right? Our whole goal is to simplify the threat hunting, as it was just alluded to before, with all that data, so we run it all, we normalize all that data into one language, it’s gonna come, before it gets to those connectors, in many different formats, you know, we use Interflow, is a word we use for it. And once it’s in that format, we’re gonna run it through a skew of gauntlet of AI and machine learning that some of the brightest people in the world have put together here, and start taking this siloed information and connecting the dots for you. And when we start connecting these dots, this is going to give you real time, high fidelity, high efficacy, you know, information that’s gonna put you in a position to take action in real time, in a meaningful amount of time, to limit any kind of exposure or damage to your business and reputation and your consumers’ information or data or credit cards or healthcare, whatever industry you may be in, from getting out there. And then using these other products that we mentioned, you know, with these connectors to block these actors or to report or to quarantine or to, you know, isolate them from the network. All this from collecting, reporting, correlating and taking action on the one platform and all in real time for you. 
So that’s kind of how we take it from compliance and reporting and then to a proactive step on your behalf.

Lauren Lev
One point that both Chase and Greg brought up, which I think is really important for people like me who are a little bit of our target audience, us low man on the totem pole, who are still trying to, like, wrap their heads around the acronyms, and we’re still on cybersecurity awareness training, but the KISS rule, like keep it simple, stupid. The simpler it is, the more likely you’re going to be able to do it. And it seems like to me, from what I gathered, that both JumpCloud and Stellar Cyber solutions keep it KISS, keep it stupid simple. So Zane, what is Keeper’s approach? 

Zane Bond
Yeah, sure. Absolutely. So with Keeper we’re effectively a point solution that works within the larger ecosystem of all the cybersecurity you have. We do everything related to password, password security, access, privileged access, you know, connecting to target so, obviously our solution generates all the telemetry you need from a compliance perspective around what you want. But we also specifically have a compliance reports module that’s like, hey, for this framework, you know, here’s your compliance posture, you know, whatever you need. And I think that’s something that’s really helpful is a lot of times, even if your company has to adhere to some compliance framework, you’re not experts in it, you have no idea, you know, there’s like 8000 things on a checklist, you know, like, yeah, we take credit cards, we have enough transactions, then we have to be PCI compliant. But other than the words PCI, I got no idea. So if the solutions you’re purchasing at least have some awareness of compliance, or alerting built into it are going to really help you satisfy those needs a little better. And that’s really about, you know, one of the nice things at least from, from our perspective, every framework somewhere in the beginning, like sections, one or two is, don’t be done with passwords. Like that’s, that’s just like table stakes for everything. And I know he’s defaults, you know, don’t reuse them, understand who has access audit, who actually uses their access all that stuff. So we can have the reporting module that helps facilitate that. But we’ve also allowed our customers to set up real time alerts, like in Slack or whatever, for possible compliance violations, possible company policy violations. And this allows you to have somebody do an evaluation of, you know, sharing these PCI prod system passwords isn’t necessarily a risk isn’t necessarily a problem, but it’s potentially, so let’s send that out and allow you to kind of like do the alerts as that occurs. 
So it’s not an “oh crap, an auditor’s here, let’s go through 1000 pages of stuff.” It’s, as it occurs, like, hey, this thing was shared, is everybody okay with it? And it’s just, we try and encourage people to think of this more as like a process, something that evolves throughout the year, instead of, let’s just wait and see if we get audited. And then everybody runs around with their heads cut off and tries to figure out what to do.

Lauren Lev  
Not the best approach. Always better to be proactive, rather than reactive.

Matt Tankersley  
We’re big Keeper fans. We obviously work with one of your larger competitors, LastPass, quite a bit. And I know if you look at my machine right now, I’m sharing my screen, you’re gonna see a Keeper icon. So we’re grateful for your commitment to developing the reporting capabilities that you have to help keep our clients secure and compliant.

Zane Bond  
That’s really one of the things about password security is, it’s foundational to everything. You know, if you’re good with that, you can eliminate so many potential risks and cyber threats. So be smart with passwords.

Matt Tankersley  
Frank’s fancy new title, he tells us that he’s the right guy to be closing out this topic today. And he, you know, he’s got so much history, experience and oversight into all of these areas that we’ve talked about and all the many tools that ConnectWise equips MSPs like us with to serve clients like you that are listening, to keep you secure, reliable and trusted. And we haven’t said it once, we’ll say it again: the fact that we were able to do the risk assessments that we do is because of the platforms that Frank and his team have brought. So don’t forget, go get your free risk assessment and know that Frank’s team is behind that, empowering us to be able to do that. So, Frank, tell us a little bit more about how ConnectWise is enabling the success journey for compliance reporting and management.

Frank DePrisco  
Yes, I think we don’t necessarily have a product for compliance tracking, we’re focused more on making sure our products are compliant with multiple frameworks. And we announced at our Secure conference earlier this month a partnership with a company called ControlCase, who is a compliance auditor and does verified assessments. So they have integrations to our products. So if you’re using Manage, Control, and Automate, they can go in there and pull out the controls to meet different frameworks. So whether it’s HIPAA, or NIST, or whatever, they can show you, because you’re using ConnectWise products, you’re this far along in your complete compliance with these different frameworks. And the cool thing is, then they can create tasks within Manage for you to go do to get the rest of the way to that compliance. So it’s more kind of a monitoring and auditing of the products you’re using. They’re working on more integrations, they’re always, you know, up for building other integrations so that they can, and they also inherit, like, the controls because we use AWS, right, so they inherit controls in AWS, and check the box that because you’re using AWS, you meet these controls, or Azure, or whatever, Active Directory. And so it’s pretty cool. We also have, you know, our new ConnectWise risk assessment tool, which goes back to Chase’s point, knowing who’s doing what and who’s accessing what, and user behavior. So users that have never logged in, users that haven’t logged in in 90 days, things like that, we can report on all that. And then finally, I think we bring it all back to when we acquired BrightGauge within the last year. And they’re really working on more and more integration so that you can build that dashboard. And we’re offering dashboards out of the box, and then ways for you, I think, like Greg said, to go in and customize what it is you want to see.
So pulling all that data into one place and showing it on a dashboard, so that you have one view and you can report that to your executives to your customers, whoever might need to see that.

Matt Tankersley  
Well, we couldn’t do what we do all day, every day without each of your products. We’re so grateful for you, we use all four of you, and Stellar Cyber is the newest in our portfolio. We’re pretty excited about getting underway with that team. And you all have already done a phenomenal job of showing flexibility and working with our endpoint providers, and where you may have had some things that weren’t there, your team’s already working to get those in place. And so today’s topic, guys, it was reporting and management, and as you can tell, unless you have the right tools, you’ve got nothing to report in the first place. And so we’re here to equip you with the right tools. We also have the partners that have these platforms that help you curate and document and discover these compliance requirements, pulling them in from all of these different tools and systems so you can make your insurance companies happy, you can make the government happy. And hopefully no attorneys ever, don’t ever have to keep those guys happy. But we’re here to help you. And I guess more or less maybe final thoughts on reporting and management, we can let Frank get to his happy hour and you can close us out. Anybody have any last words they want to say?

Lauren Lev  
Any final thoughts? Speak now or forever hold your peace.

Frank DePrisco  
I do. I did have some statistics from earlier that I never shared. We always like numbers, right? So these come from the ACA Compliance Group, the top five risk and compliance functions that can benefit from technology. Vendor oversight, 54% of the people said that technology can help with their vendor oversight, marketing reviews, compliance policy and activity tracking, you know, 41% trade surveillance. So knowing what your vendors are, if they’re doing business with companies outside of the United States, what are they doing? That’s important to know, because they might be sanctioned companies that you’re doing business with. And obviously regulatory requirement technology helps with that. But what I thought was really neat is 44% of firms say they are being asked for proof of cybersecurity as part of RFPs. So that goes back to when I talked about having to do those hundreds of security questionnaires every time we have a new customer or new product. And then organizations lose an average of $4 million in revenue due to a single non-compliance event. So if you’re not monitoring your compliance, and you have an event, and like we talked about, if it’s not documented, if you don’t have that policy and procedure and stuff in place, you’re just gonna get dinged for it even more. Couple more: 45% increase in the cost of non-compliance since 2011. So the cost of not doing this is just costing companies more and more. And these last two, 50% of organizations said they spend six to 10% of their revenue on compliance costs. So you have to budget for it, you have to know it’s there. Because, as this last one, US businesses spend an average of $10,000 per employee on regulatory costs. So that goes to security awareness training, and everything else that goes along with that. So I have all the references if you guys need them to publish that, they come from Thomson Reuters, the ACA Compliance Group, and a couple others.
So I just thought it was pretty interesting and didn’t get to mention that earlier.

Matt Tankersley  
All right, guys, any other final thoughts, Zane?

Zane Bond  
Really, I think the biggest thing is, you know, compliance, while it is sometimes a pain to be compliant, like the spirit and the goal behind it is, it’s really the thing that raises all boats in the harbor. Like getting a consistent minimum set of security controls for everybody. And compliance oftentimes isn’t like the pinnacle of security, right? It’s like the minimum set. So you know, when you’re trying to be compliant, realize that, you know, the spirit behind it’s good, paperwork sucks. But you know, you still have to do it. Many times, it’s just not optional. And from there, you can always do better than the compliance framework, providers just can’t do worse.

Matt Tankersley  
Yeah. And I think it’s, that’s pretty synonymous with something that everybody else has said, right. And don’t try to do this on your own. Reach out to partners like TechOnPurpose. And all these folks you get, you’re gonna, you need to make great barbecue like you make great barbecue and you need to be a CPA, and you need to do all the things that you do. You don’t need to be an IT person, you definitely don’t want to deal with this compliance stuff. That’s good stuff, Zane. Greg, last thoughts?

Greg Vlahos  
Yeah, I just think a lot of great points by everyone, really enjoyed the savviness. Could use a little more sassiness on this podcast. I’ll take responsibility for that one. My thoughts are that the business landscape is changing, you know, what, where we conduct business, the borders change, our physical warehouse things, the platform, the technology, it’s all just evolving. Trying to stay up on, am I so compliant, am I meeting those standards as we constantly are flexible and moving. And that’s a great thing about small business, you know, we’re agile businesses. Don’t try to do it all yourself, leverage a partner, leverage an expert, reach out to, like, Matt, or any of these guys. And don’t try to take it all on yourself, because we’re gonna, we’re gonna miss something. It’s not what we wake up and think about, you know, as business owners out there. So, you know, outsource that to someone who does wake up every day thinking about it. And don’t try to do it yourself.

Matt Tankersley  
So, Chase, it looks like you’ve got final thoughts. By the way, I think I’m on deck to be at your internal event in Colorado coming up.

Chase Doelling  
Yeah, that’s right. We’re excited to have you come down this way, in reverse roles a little bit. Like, I think just to help close it out, and you know, I think one of the pieces we talked about is compliance, you gotta do it. I’d flip that around, and actually a lot of organizations like doing business with secure companies, right. And so even though it might feel like a drag on the organization, it actually helps open up your own pipeline and conversations and say, hey, like, I can be a trusted adviser to you. And so like, don’t discount the fact that it will help accelerate your own sales and revenue cycles, right, regardless of what kind of company you’re in, or at least continue to establish trust with your existing customer base to help reduce churn a little bit, right. So as we start to head into some other macroeconomic headwinds, it’s always good to kind of have that riding alongside with you and kind of help those conversations. So use it to your advantage.

Matt Tankersley  
I love that, Chase, that was perfect. And then you put the cherry on top of the topic and put a really positive spin on what can be a really frustrating topic. Nice work, people want to do business with people who are secure and compliant. I love that. Great job. Thanks, everybody. Lauren, do you want to close us out?

Lauren Lev  
Yes, to start a free trial for any of our solution partners here today, send an email to . And we know you’ve already done this because you paused the video in the beginning and signed up. But now’s the time to tell your friends, tell your family, tell your mom, tell your sister to sign up for our free cybersecurity risk assessment at WhosInYour.Cloud. Next week, we’re finishing off the “Who’s In Your Cloud?” series with cyber risk insurance. And I must say we’ve pretty much saved the best for last, because it’s definitely one of our best, so you don’t want to miss it. Join us here next week to help make sure your cybersecurity is secure, reliable, trusted and insured. See y’all next time. Thanks, everybody!
