Top 3 Quotes
BRYAN GRAF: Everyone understands that there are security risks and there are bad actors out there trying to get the data, but they have no idea even where to start. "Do I start with endpoint protection? Do I start with SIEM and ESOC? Do I start with a risk assessment, a penetration test?" You need all of these, but what order do you do them in?
HOST MEGAN PHEE: Hi. I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends and more. Learn about their methods, solutions, and outlook in the space. We have a very special guest with us today. His name is Bryan Graff, and he's a senior vice president of Abacode Cyber Security. Welcome, Bryan. Thanks for joining us.
BG: Thank you for having me, Megan.
MP: All right. So today, we're going to talk all about cybersecurity. But more importantly, I want to just know more about your journey. So if we could just start off by giving us a little background about yourself. So, how did you get to where you are now?
BG: I started off my career at KPMG in IT audit, helping organizations get through Sarbanes-Oxley assessments. IT audit was still relatively new at that point. It was kind of tacked on as a component of financial statement audits. And after Enron and WorldCom, the federal government put more regulations on publicly traded companies that not only required them to shore up their financial statements and assure that those numbers were correct, but also that the systems that information was hosted on had security mechanisms to make sure that overall the financial statements were correct. So from that, organizations then quickly realized, "Well, a lot of my data is not on my systems, it's on a third-party system." So audits had to be completed on third-party systems so that publicly traded organizations could then sign off saying that my data is secure, whether it's on my system or not.
So from that, SAS 70s were born, which were control assessments over organizations that are third parties with access to financial data. That expanded into nonfinancial data, which is where SOC 1 and SOC 2 came from. So for nine years, I spent my time doing assessments and then managing and building divisions to do assessments for SOC 1, HIPAA, ISO 27001, PCI. Our firm grew into pretty much every type of third-party assessment you could do. After those nine years, we started to realize... or I started to realize that these companies that were requesting these audits were not ready for these audits. They were being requested to go through these assessments by their customers, but they would get the list of requirements and they were nowhere near ready. So I kind of switched from doing the assessments, I say, "going from the prosecution to the defense," and I helped the organizations get through that audit and put in their GRC programs.
Now, I was just doing policy and procedure, documentation and compliance. I was approached by Abacode a little over a year ago because they had kind of the same roadmap, where they wanted GRC as a component, or really driving all of their services. So I took my knowledge of GRC and helped them build packages so that an organization going through a SOC 2 or an ISO 27001 for the first time, that has very little in terms of security and compliance maturity, instead of having to pick 10 or 11 different security services that they may need to pass an audit, now they're just purchasing SOC 2 readiness assistance, ISO 27001 readiness assistance. So that's how I landed here at Abacode, basically infusing security into GRC because that's the driving force of organizations implementing security services.
MP: Yeah. Great. As you've seen client security needs evolving over time and over the last few years, what trends are you witnessing today in regards to cybersecurity?
BG: Well, the attacks are getting more and more sophisticated. It's no longer just a 15-year-old in the basement trying to hack into your system just to see if they can. These are state-sponsored organizations. These are large criminal organizations that use a variety of techniques to get into your systems, steal your data, and get credentials to your systems. So now, we see coordinated attacks where an office will be broken into, a laptop will be stolen, a phishing campaign will begin. All this is coordinated. It's not just one person doing this. So if the attack is on multiple fronts, you have to have a robust security and compliance program in place that already has some mechanisms in, already can predict, and prevent, and detect cybersecurity attacks.
MP: Great. Bryan, in working together, I've heard you talk to your clients about different compliance standards from that GRC perspective. So, how can a company understand and identify which standards apply to its own situation?
BG: The easiest way to determine is what are your customers asking for? So your customers will bring you requests for, "I need you to have a SOC 2 assessment." Or, "I need you to be ISO 27001 compliant." If you've never heard of those before, there's a pretty easy way to determine what standards apply to you. If you have a publicly-facing web application and you are hosting customer data, if you bring in, if you transfer, or process, or store customer data, you more than likely need a SOC 2. If you are going to be doing business in Europe or anywhere outside of the U.S., basically, at some point, an enterprise customer's going to ask you for ISO 27001. If you are dealing with healthcare data in any way, more than likely you are under HIPAA regulation. If you store, process, or transmit credit card data, you are subject to PCI.
So it really depends on the industry you're in, the data that you process, store, and transmit, and whether you are acting as a third party for another organization. If you're B2B, you're more than likely under a lot more regulation than B2C. If you are a government vendor, you're probably under even more regulatory compliance requirements, but it really depends on the industry you're in and the data that you're dealing with.
MP: Mm-hmm (affirmative). Working here at LogicGate, I often hear customers want to comply with FedRAMP and we hear that often, whether they're seeking to be FedRAMP approved. Could you share with our listeners kind of the Reader's Digest version of what is FedRAMP? What does it mean for organizations? That would be great.
BG: Sure. So FedRAMP is a program started by the federal government to streamline the process of approving a service for a federal agency to use, an internet service or a web application. So if you were a government agency and you want to use a payroll application, well you can't just sign up for any payroll application. That data needs to be protected in accordance with FISMA. So if you are using a third party or if you're a federal agency and you're using a private business application, you have to ensure that that application has the same safeguards as your internal government systems and networks.
So FedRAMP was a way for an organization to go through an assessment one time, and then they could sell their services to any federal agency. So prior to that, if you had a payroll service and you got approved by the EPA, you would have to go through a separate process to get approved by the FBI or whatever other agency there was. So that made things almost impossible for anything other than the largest enterprise organizations, because it's a very intense process to get approved by a federal agency to sell your services, especially if you're housing their data.
So FedRAMP was an attempt to streamline that. I would say by "streamline," I'm doing air quotes right now. It still is by far the most intense, arduous assessment process there is out there. If you think you want to go through FedRAMP, you are probably not ready for FedRAMP. FedRAMP requires intimate knowledge of NIST 800-53, of the FedRAMP process, and of the agency procurement process. It's not like any other assessment out there. Most audits are just a test. A proctor comes to your office, and they ask you questions. They ask for evidence. You pass, you get your report.
FedRAMP is not like that. There are multiple stages. You need an agency sponsor. If you do not have a sponsor, you have to go through what's called the PMO route, meaning the FedRAMP PMO office itself and a trio of agencies will review your security package and make sure that it complies with all FedRAMP standards before you are given what's called an authority to operate, meaning that you are now allowed to sell to federal agencies. It's usually an 18-month process, and I've seen articles stating that the average cost by the time the organization is done is usually about $1.5 million.
So I've joked several times that I talk companies out of FedRAMP as much as I talk companies into FedRAMP. Because it is a substantial investment, and if you don't already have an agency sponsor on the other side waiting to buy your service, you're taking a very large gamble by going through this process. So I would definitely do your research, talk to 3PAOs. A 3PAO is a third-party assessor organization that has been approved by the FedRAMP program to do the assessments. I started one of the first FedRAMP 3PAOs over at Schellman back in 2015, but you really want to make sure that, A, you have the business, and you have the internal commitment from management and the budget to go through FedRAMP. Because it's going to fundamentally transform the way you do business.
MP: Well, that was great. I was just going to ask you before they go down this journey, what should customers be doing internally before they seek outside counsel? So you mentioned make sure that the budget's allocated, stakeholder involvement, anything else that you think that folks should do to get their house in order before they go down this journey?
BG: Well, if you've never been through any type of assessment before, you definitely don't want FedRAMP to be your first type of assessment. If you're required to undergo FedRAMP by an agency that you're already servicing, more than likely you're under some other sort of B2B compliance requirement, be it SOC 2 for some of your other customers. So I would at least look at other avenues in terms of, "What can we do in terms of compliance to drive business before undergoing FedRAMP?" Because it's basically like skipping kindergarten, high school, college, and going straight to surgery medical boards. It is the absolute hardest test you could possibly take. So you probably want some practice first, and there's probably other things you can do first.
Because ultimately, you wouldn't go through any of these assessments unless it's driving business. Security is a great driver for compliance, but really you don't want to be more secure just so you can be more secure. It's got to be a part of your overall business plan. This has to be a positive driver and FedRAMP can be that, but you have to be in the right position for that to be the case. You already have to have relationships with the program managers over in these federal agencies. Have you talked to them? Are they willing to sign a letter? Are they willing to officially sponsor you? Are they willing to sign an agreement or even a purchase order with the stipulation that you will undergo FedRAMP in the next few years?
There are ways around... not around, but there are ways to navigate the assessment process to do it in an intelligent manner. You have to engage the agency. You have to understand why you are doing this and whether it's worth it.
MP: Great. So how do you help in your role today at Abacode? How do you help customers navigate this? So once they've identified the standards that they need to implement, or they understand FedRAMP is a journey that they need or want to take within their organization, how do you help them with that? Do you help them in the beginning to do that research, or where would you say your value for customers in the market is today?
BG: Well, we would want to do a pre-assessment first, and make sure that you have even the lowest baseline of security mechanisms in place, and that it's possible for you to put in the additional mechanisms to make sure that you comply with the NIST 800-53 control requirements to pass FedRAMP. So that initial pre-assessment is vital, because you don't want to start down this path and realize, "Oh, I can't put in this patch, or I can't implement this encryption protocol because of the way my system is built." So either you build a completely different system, or you just wasted those last three months before you got to that control that now you cannot implement.
I do want to say that FedRAMP is a baseline of controls. That means you do not need every single control in the moderate baseline in place. You do have to document why a certain control isn't in place. Maybe it's not applicable to your specific system or your service. Maybe you have a compensating control. So just because you can't do something NIST 800-53 is telling you to doesn't mean you can't go through FedRAMP, but if you hit three, or four, or five of those, then you have to start taking a step back and thinking, "Okay, do I want to completely overhaul my infrastructure, or is this maybe something I shouldn't be doing at this point?" So that pre-assessment is the first step.
You definitely need someone who has gone through this process before. I'm going to keep harping on it, but it's not just implementing security mechanisms, and policies, and procedures. It's a complete process. It's a procurement process. It is a relationship process between the agency and between the FedRAMP PMO. There's a lot of back and forth. Government agencies can throw you curveballs. To have someone that's been through that process before is completely vital. You will hit speed bumps, and you will find yourself in very uncomfortable situations. And then you'll be so deep into the process, it'll be hard for you to turn around if you don't have somebody that's been through this process several times before. There aren't very many of them, because there's only been a few, maybe 200 and something organizations that have even gone through FedRAMP. So the number of personnel that have successfully seen an organization through this process is still very low.
MP: Yeah. You hear it often, but I think those numbers kind of bring it home to think, "Is this important now in the journey of a customer's experience or in a company's or organization's experience?" I love that you mentioned, Bryan, don't go at it alone. So make sure that you have a plan in place, you have resources to support you, resources who have done it before. So thank you for sharing that with us. We talked through what a company should be mindful of in regards to cybersecurity trends and evolutions over time. We've talked through compliance standards, ways to identify what's applicable for your business, and then we talked a little bit about that journey of FedRAMP, and what to be aware of before you go down that path, and how to successfully navigate the waters. So, Bryan, anything else that you'd like to share with our listeners today in regards to GRC best practices or cybersecurity trends?
BG: I would definitely look at GRC as a part of the way you do business instead of something you tack on at the end because somebody asked you to or because it's a part of the audit. Once you start to understand the GRC process, it definitely helps in terms of implementing IT security and IT operations. As you grow as a business, these decisions become harder and harder and they multiply exponentially in terms of, "Okay, now you have to expand. Are you going to the cloud, or are you staying on-prem? Are you virtualizing? Which SIEM service are you going to use? What endpoint protection are you going to use?"
All of these questions are going to pop up whether you have a program to handle them or not. If you are just dealing with them as they come along, you're definitely going to make mistakes and implement security mechanisms that don't work with your other security mechanisms. And you're just trying to keep your system going at that point. To have management commitment to that, "Okay, we're going to sit down at the executive level every quarter or every six months and say, 'Okay, where are we at? Where are our biggest security and operational risks? Where do we need to focus our attention?'" That's always the start of a proactive and effective GRC program, which eventually will affect your business in a positive way, because your customers will eventually be asking for this anyway if they haven't already.
If it's already there, then that's a market differentiator. You have to start looking at this as a positive business driver instead of something that is just a line item that just cost money at the end of the year. If you do it that way, then yeah, that's all it's going to be. But if you use it to your advantage... Your competitors are still struggling with this. So if you're the first one to stop struggling with it, you look a lot better than them.
MP: Great. Thank you, Bryan. So thank you so much for your time with us today. I have one last question. We know that you are a cybersecurity expert. You're a GRC guru. You've been a really great tactical resource on the call today with our listeners or on the podcast today. But we also know you're an avid dog lover, so we'd love to talk a little bit about your work with dogs. I know from working with you, you foster dogs from time to time, but tell us a little bit about that. Like, what led you to have that passion, and how do you work with dogs today?
BG: Sure. So I work with an organization called the Dalmatian Rescue of Tampa Bay. I don't know why it's called that. It's not specific to Dalmatians at all. But we take in dogs from high-kill shelters and place them with foster homes, basically just to get them out of the shelters, to give them time to get adopted. So there is an epidemic in a few different states where there just aren't enough... especially in rural areas, there are just more animals than there are shelters and kennels. So we have a lot of volunteers that will drive and fly dogs from Georgia and from other states all the way down to Florida. We have a network of basically foster homes that we place dogs in. So I'm just a foster parent, so I just take a dog every month or so. I have the easiest job. My volunteering is basically I let a dog crash on my couch for a few weeks.
MP: That's great.
BG: So the organization is great. They put the dogs up on the adoption websites like Petfinder and Adopt a Pet. It's been great. I think I had my 11th dog fostered and adopted about a month ago. I'll be getting another one, probably in the next three weeks, trying to figure out my travel schedule so that that works out. If you are interested in it, I had a few reservations when I was first starting. I was like, "Well, what's going to happen if the dog never gets adopted or if I get attached?" It's easier than you think. I think I've got to say it's probably the easiest community service you could possibly do.
MP: You're providing a whole other level of security. Right?
BG: Right. Yes.
MP: Yeah. Fantastic. Well, Bryan, thank you so much for your time today. Keep up the great work on the cybersecurity and GRC front, and thanks for your work with dogs.