Nia Luckey | Dec 4, 2024

December 04, 2024 00:31:00

Hosted By

Ari Block

Show Notes

In this conversation, Ari Block and Nia Luckey delve into the complexities of cybersecurity compliance, focusing on the CMMC and CMMI frameworks. They discuss the shift from traditional compliance methods to continuous monitoring, the differences in requirements between public and private sectors, and the challenges organizations face in implementing these frameworks. Nia emphasizes the importance of GRC teams in managing compliance and risk, and they explore effective communication strategies within security teams. The conversation concludes with insights on prioritization techniques and career advice for aspiring leaders in the cybersecurity field.


Episode Transcript

[00:00:00] Speaker A: Nia, welcome aboard to the show. So happy to have you on today.

[00:00:03] Speaker B: So great to be here with you.

[00:00:04] Speaker A: Ari, I appreciate you. There's. I was looking, kind of doing my gentle stalking, as one of my colleagues phrased it, and saw something interesting that I haven't seen in a while. CMMC, CMMI, what is that? It's not naturally something that you would think of in the context of security. You kind of think ISO 27001, you think SOC, you think NIST. What is that? Tell us more. And how did it even come to life? It didn't even originate in security.

[00:00:35] Speaker B: So my exposure to it, it actually was implemented by way of the government. And I came across CMMC when it was a draft concept in terms of maturity. So instead of, like, your ISO or your NIST, instead of looking more at security controls, you're talking more about the maturity level of your policies, your processes and your people. So basically stating if you're stuck in a manual state where all of your reporting, all of, you know, your data points are manually pulled together, your maturity will stay stagnant at a zero. And then depending on the types of data you process, right, there's certain levels of security maturity that we would like to see in order to comply with things like ISO or NIST or GDPR or any of the other regulations that are out there. But think more, less audit and more maturity kind of roadmap on how to get to the levels of security you need. Those are the biggest differentiators. And then CMMC specifically is a certification. That's what that final C stands for. And CMMI is more your integration. That's what the I stands for. So it's telling you how to integrate technology to mature your security to protect sensitive data.

[00:02:00] Speaker A: So, so I, I'll make an argument, let's see if you agree or disagree.

[00:02:03] Speaker B: Okay.

[00:02:04] Speaker A: I think there's something fundamentally flawed in the way that ISO and SOC kind of happen as a one-time, once-a-year audit with manual evidence that CMMC is trying to tackle. If you could, if you agree, talk to me. What are those pains or challenges that CMMC is trying to tackle?

[00:02:23] Speaker B: Oh, that's a loaded question. But to start, Ari, I do agree. Right. We're trying to get away from what is a moment in time, right. So pre-audit, post-audit, exam audit, like actions where you're taking screenshots and including the date and time stamp, for example, that's moment in time. What CMMC, to Nia, really helps organizations try and do is get you to a continuous monitoring level of security and visibility right across all of your executive leadership. And the pain point is, how do you do that? Because typically that requires some level of automation that also may require an additional complexity layer through tooling, external tooling, where then you have to get into conversations of where the data lives, is it allowed to leave the network, things like that, because proprietary data, for example, or even HR, think HR files, right? Lots of sensitive data sets. You don't want that leaving your enterprise. You don't want a vendor that's hosting a service through a tool to have that data on their network. Right. You want their tool to enhance your visibility in your blind spots. And so that can become a bit of a conversation and a long journey in order to approve these, you know, capabilities that are critical to a maturity level of a 3, which is where most organizations today, across public and private sector, really need to be focused. It's how do you protect the who of your organization and the sensitive data that they share? But then more importantly, let's say your business model has some type of financial transaction component to it. You want to protect that financial data just as much as you want to protect an employee's HR folder. So tools that are giving you that visibility, who has access into them, things like that, yes, those are critical for level three maturity. Right? But then what are the guarantees that that data stays proprietary to the company that has the visibility problem?

[00:04:32] Speaker A: I want to kind of hammer on this point. There really is a different perspective here in how we're looking at the world. On the one hand, we're saying, okay, let's check that we're doing this right once a year. On the other hand, we're saying, well, how are we doing this? Not from a what are our security requirements, but how are people actually working? What are their policies? How are they actually doing the job? Which allows us to basically say, what is the inherent risk inside of the policy? It's a very different perspective. CMMC, is anybody mandated to do this or is this completely opt-in? What does the field look like?

[00:05:10] Speaker B: So coming from public sector, because that is where I got my start, it is a mandate to be at a certain level of maturity when processing very specific data. So unclassified, not so much. It's more of a guideline. They still strongly prefer level 3 maturity on assets, right, that house sensitive data sets, or, you know, what they call controlled unclassified information. They want that. They want you to be able to demonstrate that level of maturity as less of a guideline and more of a requirement. And then the structure is built so that you can pull off of NIST to then look at those security controls that are required to safeguard controlled unclassified information. Right. A little bit of a challenge for private sector is it's more of a best practice and it's more of a get there than it is a requirement. Where the requirements come into play is when you're dealing with regulations and laws such as GDPR, FFIEC, GLBA, NYDFS, right? Those are where you're going to learn what I call and consider your must-dos. Because if not, you're non-compliant. And then oftentimes if you look at the CMMI or the CMMC roadmap, from, you know, zero to, once upon a time it was five, now we're really just focused on three. But the answer is there, right? And it's pinpointed, it's targeted, you can unpack it. You could use, you know, NIST 171, you could use NIST 853 to help you tailor that in if you are a private sector organization. But like I said, the biggest difference is on the gov side, on the public sector side, where if you are client-facing to the government, it's a must-do. And then we're also kind of learning, though it is equally a must-do, but it's just different, it's delivered differently. Instead of saying you must adhere to CMMC, it's FFIEC set certain specifications. SOC, you brought up SOC. There's two different versions. You have SOC 2, right? Which is the audit. I think you were referring to that moment in time. But then you also have Sarbanes-Oxley, which again, you're looking at a regulation that has a lot of words, right? So you have to decipher it, you have to come to concurrence on it and what it's telling you to do from a security perspective. And then oftentimes I do find the answer sheet is level 3 CMM.

[00:07:40] Speaker A: Have you seen, beyond the requirement for compliance if you're going public or if you're a government entity, for example, talking about SOX, are you seeing people gain actual value for their organizations through these process improvements?

[00:07:56] Speaker B: Yes and no. CMMC, it was like a fumble, right? So think football a little bit. We had a really good idea, we practiced the play a million times, we spearheaded it in the public sector and we were bringing it to private sector and we were saying no, no, no, this really works, like, utilize it. It's a great roadmap tool. Build your strategy to it and then have your strategy break down into tactical application. It's gonna be great. Well, unfortunately, over the span of about 5 years, we quickly realized it takes a lot more. There's more behind the curtain than, all right, let's just go for level three maturity in our cloud or in our capabilities. Right. Because that's the other nuance is in some spaces it'll be cloud maturity model. I've heard capability maturity model. I've heard cybersecurity maturity model. So I've heard all three in the last year alone. And to Nia, that says we still have miscommunication. And if we have miscommunication at interpretation, how are we supposed to be crystal clear on application? Right. So I think in practice it is still more of that. It's a guideline. It's a here's how you can. But then we're giving businesses the autonomy to figure out how they solution for it, if they want to do it through a cloud service provider, for example, to mitigate some of that control ownership risk that's associated with monitoring it. That's a strategy and that's a common one we are seeing, where we're leveraging AWS cloud, we're leveraging Azure Cloud, Google Cloud to help kind of bring in the capability with the tooling. But then it's a shared liability and the compliance. But then through that tooling, we have the visibility that level three maturity requires. But that's my take.

[00:09:48] Speaker A: But there's a fundamentally important problem here. Right. So we don't really have a good solution to say, okay, we're SOC 2 compliant, we're ISO 27001 compliant, but what is the level of our security posture? And this is somewhat of an open problem. We really don't know how good an organization's security is. You know, CMMC, I think, takes a really interesting cut at that. That originally came from software development processes. So I thought that was really interesting. What do you think the future holds here? Is there a need for us to standardize security maturity levels so we can really know how good an organization is?

[00:10:33] Speaker B: I think the answer for that comes by way of these really strong GRC teams that we're seeing stand up and be integrated and staffed for. Right. There's no shortage of GRC positions out on LinkedIn even today. Right. And as a GRC specialist, I can tell you it's been a journey from being a controls analyst all the way up into what it actually means to assess the GRC compliance of an organization. And the reason why these teams are going to become a more critical function, and again, this is my opinion, but in the next one to five years, is because what it allows is instead of Nia having to come in and aggregate this, I don't know, metrics, if you will, that maps everything that is applicable to your organization's security, I have a team, like I'd be able to work and integrate with a team and a director that, you know, reports up in through either the CIO or the CISO. So you have that executive buy-in that's going to be very, very critical. But I actually think that while big government is trying to come to consensus, right, because that's the struggle here is, do we really want to institute it? And it was shut down again this year. Right. They don't want to do it at the federal level here in the United States. And at the state level we're even more wishy-washy on even just the core concepts of data protection, data security and data privacy. Right. So what it takes is somebody, or a team that works together and you specialize in one or two. Right. But you understand that the core, like where we pull our controls from, is really the feeder data. And so if we can reach consensus on what control set we're using, are we using FedRAMP, are we using NIST? Right. You can go as granular as you want and you can go as high level as you want. And then you're able to also map it across other, you know, regulations that depending on what market you're in, may or may not be in scope. But ensuring things like Sarbanes-Oxley, PCI DSS for an example. Right. A lot of organizations, those are must-dos from a regulation lens. Right. Where we have a little bit more flexibility is in piecing together what that looks like for them and giving the executives and the C-suite a way to assess that daily. Right. To be able to log into a dashboard and be able to clearly see where they're at in that specific moment, I think that is going to be a massive shift going into 2025, 2026 and 2027. And in the meantime, because I do agree that it can be problematic, right, at the end of the day, then who is responsible? Now we're talking about accountability, which is a huge part of GRC, and I think that is why, you know, governments, state legislators are having such an issue, is because now we're defining responsibility and accountability when you aren't compliant. Right. And we're giving the insurance brokers an opportunity to also come in and be able to assess compliance in a way. Right. Through very targeted questioning. So if our practices are becoming more stringent, I would hope that the government will eventually get there and then, you know, we can decide, maybe, yes, it will, it's a state's, you know, legislation concern. But this is what's dictated bare minimum, like minimum viable product, right. This is what you must comply with because these are the drivers. It's just, I think in the meantime though, we find that flexibility in between the rigidity so that we are looking out for business best interest and more importantly for that hack we know is, it's not an if, it's a when. Right? We hear that all the time in cybersecurity. So it's preparing them with the knowledgeability of a couple of things. We say we figure out a way to demonstrate performance and highlight what's working really well for an organization so that then your CIOs and your CCUs are empowered to raise up their one to two high-level critical risks and roadmap items for the upcoming year to comply with and point those right at your moment-in-time audits, right. If you're a banking institution and you're going through the SEC exams and you're going through the FDIC exams, and these are regular practice every single year, right. Make sure your solutions are aimed at those biggest problem areas and again, rely on those GRC teams because they're going to assess from your written administrative policy overhead all the way through your actual procedures of how they do it, how they do the action, and then assess that over 1, 2, 3, 5 years.

[00:15:44] Speaker A: This is an incredibly important point, and forgive me for the oversimplification, but what you're really saying is to align the actual risk of your business with your efforts. When it comes from a GRC perspective, how do we even attack that? How do we kind of disassemble, where is the risk in the business?

[00:16:03] Speaker B: Well, I think it's becoming more clear depending on your level of academic knowledgeability or just accepting that if you're in cybersecurity, you're a lifelong learner. But this year was especially enlightening for me in that I came across something known as the FAIR Act. And it's a really good way to assess your key risk indicators across your business, across your enterprise. It gives you 10 areas of focus. Right. And my challenge, what I actually turned that into was, okay, cool, well, where there's a risk, there's typically a must-do action associated with it. Is that not performance? So is there a way where we can now say our critical focus for the first quarter of 2025 is in defining enterprise-level KPIs that traverse those 10 areas that are defined. And then now we're going to turn around and we're also going to just down-lens and look at it from a KPI perspective. And now let's talk policies, now let's talk standards, now let's talk procedures and span those across your business units or your lines of business or, you know, the offices. Right. So we have very, depending on the business structure, but it's pretty straightforward. And then the challenge to those teams is to work with your GRC arm, to work with your risk arm along with your executive leadership to get it, you know, staged out. Right. Who's ready to do it right now versus who do we really need to spend a little bit extra time on because of the type of data they process? Right. And again, if 12 months isn't realistic, what is realistic? I always want to hear the challenge back, and I like challenging teams to look at it from a, okay, if staffing wasn't a concern, right, and budget wasn't a concern, how fast could we go and what would it take? Right. Because again, it comes down to the data sets and then in some cases with some of the lines of business, the tooling capabilities, that's where we start to find a lot of gaps. But again, you're starting with the definition of something very simplistic and critical to your business. Right. KPIs and KRIs. But now we're looking at them from a cybersecurity lens across areas like cloud versus on-prem versus asset management versus, right, even GRC management. You're looking across the whole thing and then understanding that almost all of them should apply to every line of business. And where they don't apply, I would expect leadership to be able to articulate why. Is it because we can't see it or is it because it's truly not applicable to what we do and what we deliver for the business?

[00:18:56] Speaker A: I appreciate that. When you look through organizations going through this process, what is the most difficult aspect of the process?

[00:19:05] Speaker B: Which?

[00:19:08] Speaker A: Assessing the risk of the business and then changing processes and increasing these KPIs from a security perspective, where do people face the most challenges?

[00:19:18] Speaker B: I think where people face the most challenges, it's twofold. You have your manual processes. Right. So getting those to lift and shift is not always an easy journey. The other aspect to it is how well is it defined? And when we're translating down layers, right, down into the engineering teams that are typically telling us how they're doing them, there's a lot of outcry in the sense of they don't understand. Right. They understand if things are working well or things aren't working well. They understand what the best practices are. But there is a gap in understanding that. Let's just say you're, for example, you're an engineer, you're an AWS engineer. And yes, I see it from their perspective in that, well, the vendor defines the controls that we comply with. The vendor can define the controls that they comply with. Right. And they have those definitions. But that doesn't take away from your inherent, as a business. Right. And so that's a little bit of a red point. And the other biggest part is teams don't like documenting gaps because they feel like inherently they're telling on themselves. Right. So there's a lot of fear that kind of develops when you have that context switching occurring, because they're trying to upskill and learn a new concept. And so it becomes very safeguarded or it becomes very, we'll talk to the vendor about that. Right. Very deflective or very protective.

[00:21:10] Speaker A: And this is a really important point. I've experienced this firsthand. Have you seen any approaches that work when you're kind of talking from the CISO or security, GRC, compliance with actual software, AWS, whatever, engineers? What is the framework or philosophy that helps you overcome these problems that you've described, where it's like, oh, it's my fault or we messed up, as opposed to something else? How should we approach this?

[00:21:43] Speaker B: Yeah, so I like to use a couple of different techniques. I can typically sense it before it becomes more of an issue. And so what I like to do, my first is manage up. Right. So the first person to observe it needs to be the one that raises it up to management. But you have to raise it up to management in a way of, we need to be able to come into a space, bring the temperature down on the situation. Right. We need to very clearly, as pragmatically as we can, just explain what's happening, explain how they can help us. Right. Because you're kind of incentivizing by asking, being direct with a favor that you need to solve a bigger problem. And that brings me to my third part. You give them the problem they're solving for. Right. And you're trying to incite this team mentality that's excited about moving a really important metric at the executive level. Right. A lot of people within an organization, that's what they want to be a part of. They want to know the work they're doing every single day matters. Right. And so sometimes when you just bring down that temp, you give them the big picture, and sometimes it's a slide or two. What I've learned is if you can get it into a slide, in an image that translates with minimal wording, it quells so much. If you're able to take something hyper-complex and simplify it down and then talk to them, it really makes a huge difference when you are able to just jump in. It could be a 30-minute working session, hour-long working session, however long you need to be there, so they feel heard, respected, but also empowered. And that tends to help a lot. But managing up is, first you see something, you raise it. And then my suggestion is always a little bit of a working session. We give them the information very directly, very succinctly, we point them to the metric they're moving and helping, like, and we can celebrate it and make a big deal out of it, but then they're able to go and action what they're doing, because you gave them purpose, you helped them understand this isn't about getting in trouble or not getting in trouble. The reality is, if you're going through these audits every year, we already know, the business already knows. If not, I wouldn't be here and I wouldn't be asking you for that information. And so taking the fear out really, really helps. And then also you're fostering an environment of trust where they know they can come to you and they can feel heard. A lot of times if they're leaving meetings and they're not feeling heard or appreciated, that's only going to drive performance down.

[00:24:43] Speaker A: Yeah, that's so important. I mean, the best way to have people not give you any kind of feedback moving forward is by ignoring them when they do it for the, you know, the first, second and third time. That's a great way to shut people down. There is a challenge in the security environment where there's just so many things to do. It can be overwhelming. It can give a feeling like, you know, we're just not ever going to get to everything. How do you mitigate that when working with the teams?

[00:25:13] Speaker B: I always suggest, and this is just personal for me, I have a quadrant. And it's four, but top personal for me that I need to get done. So like things like training reports, a meeting, a critical piece of information, that would go in my first quadrant. Right next to that is business critical. Right. What are my executives' critical business focus for the month. Right. I'm giving, and that's broken out over four weeks. And then typically it's like standard workflow. Like what is your day-in, day-out, daily activities that you're going to have to do. And then what is team-driven, if you're in a management position, right. So what pulse checks do you need to get on a daily basis with the team that feed one of the other three quadrants. And I like to train that mentality when working and managing a team. But I came across it because I was a work manager first and I needed to get myself organized. Typically where I find a significant breakdown, where people are like, well, nothing's a priority because everything's too high priority. Right. You don't have your own personal workload broken out. That's what that screams to me, is that when you come to work, you dial in or you get into the office, it's just one heap of a stack of, you know, papers on your desk instead of it being broken out with purpose in a way that drives. And then more importantly, work tracking. Right. Like yes, I get it. Nobody really likes to take notes on what they do on a daily basis. Especially if you're an engineer or you're an architect or you're an executive like that. It's time consuming. But if you can time-box yourself and develop discipline that says a minimum of two to three times a week, you're going to dedicate 15 to 30 minutes to writing down what you're doing and where you've made progress. Like your own personal little project plan. It just takes the panic out. And then when you do have a true inbound that you weren't tracking, that's your number one top priority. And then for Nia, typically it's that managing up, getting a touch point with who I report into and saying, hey, this just came in. Are you aware of it? Do you want me to deprioritize XYZ? But being able to show it in a tool, and there's multiple tools that do this for us, where, and it doesn't have to be overly complex or anything, like a little Kanban board, right. You have the toss down and it moves across until it's done. Like keep it as simple as you need to, but organize and track your work, especially your high priority work. Right, because what we were talking about earlier, we're trying to get away from qualitative reporting, we're trying to get away from the narrative, we're trying to get away from the sound bite, the moment in time. We want the metric, we want the measure of improvement or decline. And so I really do stress to managers going into this next year, right, share your pro tips, share what helps you when they're coming to you overwhelmed. And if you don't have something, it's a dime a dozen, you can look it up on yourself, self-study, you can lean out, like reach out to a mentor or a colleague that you think manages workloads really well and ask for their pro tips so you can share those with your team.

[00:28:44] Speaker A: This is so, so important and I think you're pointing out a very non-trivial insight, and that's the fact that if you're overwhelmed and if you don't know what's the right thing to do, really that's a lack of prioritization techniques. And what you shared with us is one of your personal prioritization techniques, which I love because you kind of look at it through personal, team. That's a really interesting perspective. The easiest way to look at it is, you know, if something goes wrong, you know, how much is this going to impact and how bad is the impact going to be and what's the likelihood of this even happening? Right, your very simple likelihood and impact analysis. And that's so important because what happens is if something new comes in, all you do is you scale it up against everything else that exists and you say, okay, this is where it fits in. And you know what, if you don't know, you can say, hey, there's three things that are new. We don't know how to prioritize it. It's going to take us a little bit of research to figure it out. We think we'll know the answers within, you know, a couple days, couple weeks if you have to reach out to vendors, et cetera. So just having that framework of communicating with your executives and managing your own work, it really does give you, A, peace of mind, B, incredibly powerful ways to communicate outwardly. So that's such a valuable point. I really appreciate it.

[00:30:01] Speaker B: Thank you.

[00:30:02] Speaker A: Nia, believe it or not, we're already out of time. So I want to ask you one final question. This has been incredibly interesting. If you had to go back to 20-something-year-old Nia and give her some key career advice, what would that be?

[00:30:19] Speaker B: You don't have to be the smartest person in the room. So what I've learned throughout my journey is that you want to strive to be among the smartest people. And a lot of times that takes an exercise in being humble and brave enough to not be the best and not be the smartest, but want to grow to be looked at as one of those types of people. That is the one thing I would tell myself.

[00:30:53] Speaker A: Nia, thank you so much for your time today. I really appreciate you.

[00:30:57] Speaker B: I appreciate you, too, Ari. This has been really fun.
