Episode 20 : 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds
Today on the episode, we are covering New Year's resolutions, important dates to know, and what happens when you challenge the government. Hint, it's often not a good idea. This is Distilled Security Podcast. Alright. So welcome back, everyone.
Justin: This is episode 20 here. We're filming in 2026 in the New Year. So cheers, guys. You know, another successful year of podcasting. If you count success, I don't know.
Justin: Cheers. Cheers. Cheers. Cheers.
Rick: I'm having fun.
Justin: So that's success. So segue, have you guys set any New Year's resolutions into this? I don't wanna do predictions. Everybody does predictions. It's boring.
Justin: They're always wrong. So, you know, that's that's a thing. But what are the things that you guys are thinking about for 2026? Things that maybe that worked that you wanna double down on? Things that maybe change up to refocus and get better at?
Rick: Yeah. I mean, I probably have one big one.
Justin: Okay.
Rick: And it's really I as I reflect on 2025, I ended up getting myself into situations where I was spending a lot of time on things that weren't necessarily super productive or enjoyable Mhmm. And missing out on time that I would've like, on other things that I would've rather spent time doing. So
Justin: You're talking about, like, family versus personal stuff? Yeah. Yeah.
Rick: So, like, there's there's definitely some work activities that I'm gonna find ways to get some help with in different ways or just stop doing entirely and spend more time either on personal development or reconnecting with some people that I've lost touch with and and just doing family stuff. So for me, that's the really big one. Just kinda like a reshuffling of priorities. Okay.
Justin: Yeah. Gotcha. Yeah. Cool. Joe?
Joe: Yeah. Well, I came up with the way you framed it was good. I came up with a couple that I've thought about for a while and then a third one that's a little more of just how to do things. So my three are, one, simplify.
Justin: Mhmm.
Joe: Mhmm. Everything I'm doing, there's always I'm always finding a way to do it simpler, and I think that ties in everything. And then another thing is just getting back to basics. Yep. So many things I've been jumping into and looking at a ton of it was, you know, really this this problem wouldn't have happened if we would've just done some fundamentals.
Joe: Mhmm. And that's happening throughout everything that we're doing at CISO, everything we're doing with our customers. And the third thing that's kind of new is just to reframe us something, and it's do more science projects. And I'll talk about that one in a minute, but simplify. So, you know, one of the things I was thinking, like, if everything is a priority, nothing is.
Joe: And, you know, I if I if I don't simplify, things are just gonna fall apart. And what that means to me is doing fewer initiatives, reduce the number of tools. One of the things that we're looking at is instead of having all these different AI recording tools and everything, just kinda go with Copilot. I mean, it's built into everything we can do at inside of our M365 environment. So that that seems to, you know, be simpler and have fewer strategic priorities.
Joe: One of the things that we're tackling at CISO this year that we tried before and maybe went a little bit we didn't know exactly what we're doing is the EOS, the Entrepreneurial Operating System. So we're we're going back at that again. And last time, we didn't really get all of our team involved. And this time, we're really getting everybody involved to make good decisions and thinking thinking about those kinds of things. And then on the back to basics, you know, the fundamentals, no matter all the stuff that's happening, we're not seeing those change.
Joe: And the the consequences are increasing dramatically Yeah. For everything that's going on. And so so many companies are they're we're still seeing them not getting the security basics right, like identity, patching, inventory, backups, vendor oversight. These are the things that keep biting everybody. And and then this past year, I was looking at some news articles over the break here, and I saw a a couple articles.
Joe: And one of them was, like, what was the biggest 2025 news stories, cybersecurity related news stories? And I was just going through those, I was struck by how many of them came back to the same thing. Complexity Yeah. Neglecting the fundamentals, reactive decision making. And so as we go through those, you know, the six or so core areas I was able to group all these articles' findings into were identity and access management.
Joe: Oh, yeah. The problems with that, patching, all the things I said before. And, you know, you zoom out and, like, the three things we're seeing are things like abusing trust Mhmm. Is a huge thing. Again, ignoring fundamentals was a huge takeaway.
Joe: And then complexity. Not being as simple, it turned these problems into crises for Oh, yeah. So many companies in these articles.
Rick: Well, and just to add to one thing that you said, the the consequences are increasing, but the visibility too. Not to steal thunder from the first topic we have on deck, but we'll get into that a little bit. But, you know, the This
Justin: is the first topic we have on deck. Well, the second topic. Yeah. But,
Rick: I mean, I think the visibility for those problems, right, through through regulatory landscape and things like that, they're that stuff's gonna surface more and more often.
Justin: Yeah. Yeah. Yeah. I love this. They never, like, reduce regulation.
Justin: You know? It's like, hey. They we think this is worthless now. We'll just remove it. Yeah.
Justin: Not likely. No. No. It just stays there. Right.
Joe: And then my third one, let me talk a little bit more about the science projects. I've been doing this a lot at home too.
Justin: With your kids? Or
Joe: With, well, with with kids, with having conversations with, you know, the the wife, with things I'm doing at work. And, really, it's it's separating emotion from the actual analysis of solving a problem. And, you know, like, problems are yeah. They're the inputs. They're not the, like, the personal areas.
Joe: And so one of the things I'm finding is if I step back and rethink about any of these problems, there's only a finite number of real solutions. So when the problem is when you're feeling the emotions of the problem, there's infinite solutions. There's infinite number of things, and you can't get your head around it. When you step back and you say, well, look, for for that item we wanna do, for that thing we wanna do, there's there's probably only three or four realistic choices we really have. One of those is do nothing.
Joe: One of those is, you know, it's probably there's like a million of them that could be in the realm of things, but they're not in the realm of our financial possibilities Right. Our time possibilities. And so really, it comes down to we really don't have that many choices to make. There's like three things we could do if we didn't do anything. And and when I look at it that way and treat the problem like that, it stops the emotion from driving it and turns it more into a being a manageable, like, issue to solve.
Joe: And once you start to frame it that way and this worked, like, two or three times over the break. And I'm like, you know what? I just gotta add that one on to my simplicity and my Yeah. Getting back to the basics. And, man, did it really help?
Joe: So
Justin: So that's a Go ahead.
Rick: I was gonna say that's so interesting. When I heard science experiments, I or I I first thought about the experiments part. So it's like, oh, I'm gonna do A/B testing or all these different things like that. Yeah. But what I'm hearing you say now is like, oh, no.
Rick: It's just more taking a very analytical, you know, and as you put, like, remove emotion from the analysis. Come up with a hypothesis, test it, you know. Very scientific method. Yeah. I like that.
Justin: Yeah. Yeah. You know, I was instantly thinking about you were talking about Tom Hanks before we started recording the movie The Burbs, you know. When they're down in the basement, that's a science experiment I was thinking you're doing. Yeah.
Justin: For the boy, that great movie. That was a good movie. Well, I've
Joe: added to the mix. Yeah. The the kids all we never go wrong. We do family movie night with Tom Hanks movie.
Rick: Yeah.
Justin: Yeah. Perfect.
Joe: Well, we haven't seen that one yet. So as a family, so that
Justin: Oh, okay. Yeah. We just showed our kids over that break. We actually watched The Burbs. Carrie Fisher, Tom Hanks.
Justin: What was that? Corey, the guy from The Goonies, is in it, one of the neighbors. Phenomenal cast. Yeah. It's just great movie, you know, into that.
Rick: Yeah. That's excellent. What about you, Justin?
Justin: Yeah. So, I mean, there are a number of things. Well, funny enough, I always have a running list of goals that I just kinda transfer over. Some get done, you know, into that, but I always have this running list that people often make fun of me on into it because I have very, like, achievable goals onto it, like eat and drink water regularly. Oh, yeah.
Justin: Yep. You know, exercise four times a week, which I didn't really accomplish in 2025. 2026 goals, you know. Yeah. Yeah. Yeah.
Justin: And all that stuff. But then I have things like see the Aurora Borealis, you know, or take a train ride in Norway because it's just a beautiful, like, landscape into that.
Rick: Was that your screensaver for a while? Was that the Norway train?
Justin: Yeah. Exactly. And that's where I got it from Yeah. You know, into that. Yeah.
Justin: And it's just a number of things like like, I want to do this. It's on the list. Like, another one is do more family vacations. Like, one thing both Jen and I are bad about is planning vacations. Like, we'll do a number of, like, short weekends, you know, like, two, three, four day little getaways, you know, type of thing.
Justin: But we're bad at, like, planning one. You know? Like, hey. We should go a week here and everything. So we're just both not that personality.
Justin: So we need to do a couple more of those a year, you know, with the family. And we did I mean, we usually do vacations as a matter of, like, convenience because we went out in Florida, you know, this past week over Christmas, but it was to the in-laws. You know? So it's not really a vacation. You know?
Justin: I was going to see family, you know, into that, which, I mean, it was beautiful with Florida weather and all that stuff.
Joe: But Yeah. Getaways have different purposes.
Justin: Yeah. Exactly. But not really, like, going to the beach just with your family or something, you know, from an enjoyable standpoint. So I have a number of them that I'll be, like, refreshing and kinda going through. I definitely there's some business goals that I have coming out of the New Year.
Justin: I obviously have a lot of marketing with that I need to get better at, you know, and shift and kinda respond to, you know, where I'm seeing everything going. I want to write a book eventually, and I don't know if that's gonna be a 2026 thing. I have a number of ideas and outlines that I've already done, certain things like that. Yeah. And and just as far as the industry goes, you know, getting more efficient in what I'm doing every day, like, you know, doing a lot more with AI workflows to try to get the stuff that I do, like, repetitively and get it into something that all I have to do is review and adjust.
Justin: You know? Much like we had that article where those hackers kinda did from start to finish right. Yeah. Marketing and everything. Like, hey.
Justin: I wanna do marketing ads. And if it's not reaching these stats, pull them by, you know, this date, you know, and just do an automated stuff.
Rick: Fully automated. Yeah. Exactly.
Justin: Yeah. And just kinda driving with the data, and you can always override and stuff of that nature. But there should be a pipeline and a workflow through a lot of this stuff and just automating that as much as I can. I've been over the vacation for a lot a lot of part like, I've been doing a lot of vibe coding and everything. So there's been tasks where we didn't have, like, where you could set your own avatars Yeah.
Justin: In a PISCY. And I'm like, do this and do it for a company, and now do this. And there's a little bit of upfront work, like, where do you wanna save it, you know, and how are you gonna architect it. But they put it in, and I had it to upload, and now it supports, you know, company and your own personal avatars.
Joe: You know? That's awesome.
Justin: They're the entire the application and everything. Just little things like that, you know, with it. But, yeah, I think, yeah, this year, I'm gonna be getting a lot of, hopefully, a foundation of a kind of going by we just launched, you know, a few months ago. That's gonna be my big focus going into 2026, and hopefully get something sustainable is my goal here in the next three months is ideal. Fantastic.
Justin: To that. So, and then growing from there and then seeing maybe half year where to adjust from there.
Joe: Yeah. I like that. I like how some of the things I was thinking about for my list, you have to do for your list to actually work. Like, automate things. You don't wanna automate a complex process if you can simplify it first.
Justin: Yeah. I mean yeah. And, yeah, if there's a lot of decision factors into that, like, you need to basically write it out in a script of, like, if it does this, do this, you know, or analyze it, come up with a suggestion on a percentage wise, you know, rate something, and then make an execution based on the confidence level.
Rick: Yeah. You need the structured logic.
Justin: Yeah. Exactly. And then it's always adjusting it. You know, AI, I mean, you know, AI will be well into 2026. You know?
Justin: That's not going away anytime, and it's only gonna like, this is the worst we've had AI right now. You know? So as we're going into 2026, the the logic's gonna get better. The context, you know, everything. Everybody's building context into it so it can pull all this information, make decisions based on your tickets, your emails, your documents, your Yeah.
Justin: Whatever. Everything's gonna be connected.
Joe: So you just made a prediction. You're saying AI is not going away in 2026.
Justin: I'm pretty confident. I thought it was a fad. I thought
Joe: it was a 2025 fad.
Justin: Know. Just like the Internet. Yeah.
Joe: Well, they'll shut them both down at the same time.
Justin: Yeah.
Joe: Right? But it'll be blamed on DNS.
Justin: Yeah. Yeah. Or maybe EMP, you know, goes off
Joe: or something
Justin: like that.
Joe: Well, there you go. Yeah.
Rick: We haven't talked about AI DNS yet.
Justin: So
Joe: Yeah. There you go.
Justin: I don't even know what that is.
Rick: I don't know. Calling using logical names to call agents between agents.
Justin: Orchestration. I mean, that's still DNS. Right? I mean Address.
Rick: Yeah. And effectively.
Justin: Yeah. So yeah. So, I mean, yeah, there's a lot of things that I definitely wanna get to a point where I'm I'm not doing a lot of stuff kinda like you where, like, I don't like marketing. I mean, it's a necessary thing, you know, and I need to get good at it, but I don't really like it. Right.
Justin: Know? Like, I'd rather pay somebody else to do it really well. Mhmm. You know? And tell me the pros and cons, and I'll make a decision.
Justin: But, you know, based on capital and, you know, and revenue and all that stuff. But, yeah, doing it, it's not enjoyment. Yeah.
Joe: Right. Know? Gotta get those prospects to learn who you are so they can come and sign up somehow.
Justin: Right. Exactly. Yeah. And you need it. Like, there's Right.
Justin: Remember I don't know if you guys remember the Brian Tracy, like, learn to sell back in the nineties. He got really famous, had a whole bunch of books and everything. He always talked about marketing is like winking at a girl in the dark. Only you know what you are doing. You know?
Justin: Oh, so yeah. That's fantastic. He had a number of little, like, quips like that. Yeah. Still to this day, remember.
Justin: He's like, yeah. Winking at a girl in the dark. Only you know what you're doing. You know? Yeah.
Justin: I find
Joe: it really interesting how the people who sell the books on sales are really good at selling their books on sales.
Justin: Yeah. Right?
Joe: But when I go and read their book, it doesn't kinda work the same way. Yeah. I know.
Justin: I was like, just sell. Sell. Yeah. But yeah. So, yeah, that's a lot of with this year and everything, and hopefully, yeah, get to a good spot and maybe we'll grow the company a little bit and get to do less stuff, you know, which will be ideal.
Rick: It's a dream.
Justin: So great. So we all wrapped up with that. Yeah.
Joe: Yeah. I think we'll probably come I I can't help but coming back to these, resolutions as you guys talk about your your items. As we hit these other items, I'm sure we'll we'll start reflecting back
Justin: to them. Yeah. Yeah. And maybe I'll actually post this on a blog and everything. I don't know if you guys could see.
Justin: I have it broken down by health, spiritual, finance, business, which I I did this. Awesome. Expand myself, read a book every two weeks, learn a language, Spanish. I I put as ideal, write a book, volunteer, teach, survival, go shooting at least once a month. Yeah.
Justin: You know? Learn archery, traps, knots, learn Krav Maga, you know, like and then, like, whole bunch of hobby, family, and travel, you know, into this.
Rick: So It's funny. I have a similar thing. It's organized a little differently, but it's very similar. Yeah.
Justin: It's like yeah. Yeah. But they're all things like, these are my relatives out in California. I need to go visit them. Yeah.
Justin: You know? Like, just things like, hey. I need to get these done. And, you know, like, to get a little bit more free space and a little bit more room to breathe, I feel like then I can start doing some hobby or, you know, family oriented or spiritual oriented stuff, you know, if I get some of the pressures of business off my mind. Yeah.
Joe: Or or Rick and I, your accountability coach, so
Rick: next month, we're gonna
Justin: ask where this is at, and we're gonna see what you guys got scheduled. I launched. You know? I'm a
Rick: I'm a huge fan of backlog management. Like, I take all this back to, like, feature development and all that stuff. So yeah. I mean, if this is your backlog
Justin: Yeah. Yeah. How you gonna chunk through it?
Joe: Yeah. You're use one month sprints here and schedule this stuff out?
Justin: Yeah. I don't know. I mean, there's a bunch of, like, other stuff, like, up a distilling company that's long term, you know, type of thing. I need a good other revenue source, you know, like, that's more hobby business than anything else. But some of these, you know, I could definitely do.
Justin: But a lot of this is, you know, just time I need to carve off in my everyday life, you know Right. After that. Well, some
Joe: of this I'm thinking, like, now that I'm in the middle of the entrepreneurial operating system stuff, the EOS stuff, it sounds like you have some things on there that are on your ten year target. And then the next thing you do is you define your three year, you know, your three year plan. And then from there, you can come on and say, what are you gonna do this year? That gets you to the three. Yep.
Joe: So that drives you to
Justin: the ten.
Rick: So And
Justin: by the way, something I got for Christmas, I thought I'd bring it on to there.
Rick: Oh, yeah.
Justin: So have you guys heard James Clear, the Atomic
Rick: That's a great book.
Justin: Habits and everything. Yeah. He came out this I think just got released a month or two ago or something like that. They made a workbook now. Oh, really?
Justin: Oh. That basically will help you kinda fill in the blanks of what your goals are and kinda do all that stuff and, you know, apply the book, basically. Oh, I'm a think so. Yeah. Yeah.
Justin: If you're looking at it, yeah, I got it. I just
Rick: thought it was a different cover. I didn't recognize Yeah. Is That's cool.
Justin: Of this. So Yeah. Yeah. If somebody needs a little bit more, like, planning, you know, into this, this is perfect. It has big, you know, text boxes for you to list everything out and get it kinda organized and actually form an atomic habit, you know, into that.
Joe: I wonder if somebody created a a ChatGPT or GPT on the top and trained it on Atomic Habits so you can use that as a
Justin: I'm sure they did. To to do that. Yeah. I I'm always humored. Have you seen, like, some of the commercials for ChatGPT?
Justin: No. So it's like, I wanna do 20 pull ups. And it, like, if this is a TV commercial, and they're like, here's a plan, you know, for doing 20 pull ups, you know, first week, start with one. You know? I'm like, can't they just Google?
Justin: Like, I this isn't a huge selling more just Google anymore. Yeah. It's true. Gonna ask. I know.
Justin: But it was so funny, like coupon. It was so generic of, like, I wanna do more pull ups. I'm like, I wonder how I get there. Yeah. Well, that's
Joe: a great Christmas gift. Any any great Christmas gifts on your side, Rick?
Rick: Oh, let me see. This hat? Really like this hat, Oh,
Justin: the hat.
Rick: Yeah. Yeah. Yeah. There are a couple really good things. But but ultimately yeah.
Rick: I don't know. I I have this thing where in the background of, like, when I'm on webcams and stuff I was just talking to Amber about this today. It's like, well because I kinda am developing a hat collection. So I might just change the entire backdrop to, like, hanging a whole bunch of hacker hat racks. Nice.
Rick: And then just sort of showing it I'm moving the table. Showing it all at once. So anyway, this I think this hat is the first in a long line of new hats.
Justin: So funny enough, so I didn't really get any Christmas presents because my Christmas present, I'm talking with Jen, is I wanna redo the backdrop to my camera. Oh. So in my office right now, there's a spot for a built-in, and we elected not for, you know, the the company to do it because, you know, a, quality wouldn't have been great and b, you know you know, we didn't need to spend the money on, you know, a a plan just just throw something in. But yeah. So that's what I'm gonna get for Christmas.
Justin: Eventually, you know, I have to get somebody. I've been designing a little bit on ChatGPT on how I want, basically the bookshelf and everything, and I wanna have a record player and all that stuff. Oh, yeah. Base into that and plus, you know, spirit set, crystal spirit set somewhere, you know, there and all the books and all that stuff. So that's what I'm technically getting for Christmas.
Justin: I love it.
Joe: Well, I can't wait to schedule my next, video conference with each of you so I can see these. Yeah. Mine's just a blur. It's still a blur. I haven't changed from being a blur.
Joe: But, yeah, my Christmas present. Maybe maybe you can read this. What does it say?
Rick: I love that. I find your lack of cybersecurity disturbing.
Joe: That's perfect. So I got a different cybersecurity related shirt for various birthdays and Christmas.
Rick: That's great.
Justin: Nice. So that's all you get? That's all I get. No.
Joe: I gotta so it's like so did you ever get your wife a, like, a vacuum cleaner for Christmas and it's probably the worst thing? But these days now, that's like the kind of stuff showing up on our wish list. Well, she got me a small handheld, like, chainsaw that was really, you know, for getting the legs burned and stuff. You know, that was fun. And one of those and I thought they would be wouldn't work well.
Joe: So
Justin: you're a Clark Griswold fan from that? Exactly. Yeah. Fixing the newel post.
Joe: We just watched that. Yeah. And then another one is you put it over your shoulder and it like does like the finger neck massage and I always thought that would never work. Oh my goodness. Is
Rick: it good?
Joe: It works so well.
Justin: Really? Oh, yeah.
Rick: Oh. I did get so I think my favorite gift that I gave this year was to my wife, and it was a big towel warmer that stays in the bathroom. And that seems to be a hit so
Justin: That seems like a luxury thing. Right?
Rick: Yeah. I mean,
Justin: I guess. But it's
Rick: I mean, it's pretty easy.
Justin: So You should see, the one thing that my wife wanted, and it was it was pricey. It was, like, $400, so, like, that was her big thing, is one of those things that, I guess, like, vibrates. You're Oh, yeah. You stand up on, it just vibrates you. Yeah.
Justin: She said it's good for, like, draining your lymphatic nodes and stuff of that nature. It reminds me of the, like, the old fashioned. If you remember, like, when they were doing exercises
Rick: Oh, that's just what I was thinking of.
Justin: The you were saying yeah. They're like yeah. That's basically what it does. It just vibrates you as you stand on it.
Joe: Oh, awesome.
Justin: And I'm like, okay. And then you get off, it's like, you burned 80 calories. It's like, okay. Yeah. So could can
Joe: you drink bourbon while you
Justin: stand on it? I mean, you can if you're talented. Yeah. You know? Like, work at the center of, you know, with it.
Justin: Yeah.
Joe: Good. That probably gets you a core stability then too.
Justin: Right? Yeah. And that'll be zero calories because you're adding and subtracting at the same time. Right.
Joe: Like eating celery.
Justin: But yeah, after this, I'll show you guys upstairs and everything. It's it's interesting. It's what you wanted, you know. So it's like one of those things. Perfect.
Justin: Yeah. But, anyway, so going into from resolutions and everything, 2026 has a number of dates, and I thought maybe we'd cover a little bit of these. If you guys weren't aware of some of the dates that are going live, these are privacy things that have been updated, different regulation, mainly regulations or acts, but these are some dates that you need to be aware of, I would think. Some of them probably not applicable. Some are EU specific, state specific, all that stuff.
Justin: But the first one here is the EU Cyber Resilience Act. Its mandatory reporting starts later this year. And what does that mean from a business standpoint? Well, if you're in the EU, what they have for IoT and embedded systems, you need to start reporting vulnerabilities within twenty four hours starting September 11, 2026. So any products, you know, that you have out there, which is a lot, and you serve the EU market, this is now a requirement that vulnerability disclosures go up within twenty four hours, which I I haven't looked in too deep with it.
Justin: I'm sure there has to be some clauses in this. Caveats. Yeah.
Rick: Yeah. Have you looked in this? I know a lit I like probably maybe a little more. Okay. But yeah.
Rick: So there's some notable exceptions.
Justin: Okay.
Rick: So first and foremost, any pure software as a service or platform as a service is excluded. This is really just tied to things that is related to a device.
Joe: Like IoT.
Rick: IoT stuff or even software if Like, the must be installed on a server, for instance. Right? But if it's pure PaaS or SaaS play, then it's not that. Yeah. There's also some things that are excepted based on prior legislation.
Rick: So medical devices, they have a whole different thing that they have to align to. Automotive is different. Marine stuff is different. Critical infrastructure? Critical infrastructure is a part of this.
Rick: Okay. Yeah. But again, not SaaS or PaaS only. And then they have some additional stuff for critical infrastructure too. But the other thing that's notable is the the fines and the markings that things have to be like CE compliant or certified or whatever.
Rick: That is December 2027. So they're just trying to roll they're just trying to spin up the engine to receive and evaluate all these disclosures that are gonna come from all these software producers and device manufacturers. Gotcha.
Justin: Now, like I said, I haven't looked into this too deeply, but have they put considerations? Like, what if they don't have a fix yet? Are they going to you have to put it out still?
Rick: My knowledge and, again, this is somewhat cursory, but my my understanding currently is, yeah, if you have if you are con reasonably confident that your product has an issue that is being exploited in the wild Okay. You have to tell them.
Justin: Well, what is not being exploited? Well, then
Joe: yeah. One of the notes I saw here was the actively exploited Yeah. Piece which I
Justin: Oh, yeah. Yeah. Yeah. Will help you
Joe: tie down, you know, to what degree is your implementation actively exploited Right. Versus you're just using off the shelf, you know, public Yeah. Public software.
Rick: And notably too though, this is for organizations that make stuff, but also organizations that sell stuff or distribute stuff. There's there's, like, I think three designations, but they're escaping me right now. There's, manufacturer, distributor, and a third one, maybe implementer, something like that. But if you resell things that have vulnerabilities, if you're if you're responsible reselling it in the EU, you also have an obligation to disclose and so on and so forth. So I'm actually I haven't read up too much on the apparatus that the various member states are spinning up to receive all these notifications.
Rick: Yeah. But it's potentially quite a bit of information. And I'll be interested in seeing how they kind of consume it, respond to it, all that stuff. But again, the fines and real, like, the teeth of this, my knowledge is they don't they don't start until December 2027.
Justin: Oh, okay. Gotcha.
Joe: But you got about but it goes into effect. It says September 2026.
Justin: Yeah.
Joe: So you got about eight, nine months here to figure out
Justin: Yeah.
Joe: Whether this applies to you, and if it does, get a process in place.
Rick: Yeah. Yep. And and there is actually a good checklist on I think it's like, cyberresilience.eu or something, whatever the official government website for it. They have a compliance checklist kind of prebaked that that the regulating entity put out. Open source?
Rick: Open source is excluded. That's one of the Interesting. Well, actually, let me rephrase that. They have to report if a vulnerability is being exploited, but they're excluded from financial penalties if they don't do stuff about it or something like that. There there's the the financial like, the fines part.
Rick: I know they're excluded from Yeah. But they're still expected to report.
Joe:Not having looked at this, I would imagine that if there's just open source out there, it's probably not as much on the open source creator or maintainer group as it is on the company who is a for profit company making a thing that they're selling and implement that library into their their stuff. So they're gonna need to figure out SBOM. They're gonna need to figure out what's all included. It comes back to third party risk Mhmm. And understanding, are they using something that has a VON?
Joe:Do they have a process in place to know that there's new VONs
Rick:Oh, yeah.
Joe:In things they're using and tying that to act actively exploited issues.
Rick:Yeah. So I think they they said very explicitly, they're not gonna find open source companies, but they expect them to still report, like, if they know about stuff. But to your point, I think there's this weird exponential notification thing that's potentially gonna happen. Right? There's an issue with an open source library that's then used in a dozen products, that's then sold by five dozen distributors, and all of a sudden, one issue could have multiples of notifications.
Joe:Oh, right. Yeah. A lot of reporting requirements. Yeah.
Rick:So then I'm like, oh, well, one, all these organizations are gonna have to, to your point, spin up the apparatus to identify and notify. And there's all sorts of other things that go into this act like, you know, all all your standard risk assessments, and how are you gonna make sure you know if there's an actively exploited vulnerability and that
Joe:stuff. Well, most most most of the times I see open source get VONs reported. It's not the maintainers of the open source who are
Rick:Right.
Joe:Finding it. It's one of the it's one of the companies that are using it. They're doing their own testing. Mhmm. They come across something through a web app pen test.
Joe:They figure out what it was, and then they realize it was an unknown vuln in one of the open source libraries.
Rick:Yeah. So it's potentially a big ecosystem. But right now, it's just reporting, and, yeah, you should you have a little bit of time to know whether or not you're Yeah.
Joe:But I'll tell you stuff. It'll be we'll be on episode 27 in no time, and then, you know, that will be in August, and this will be right around the corner.
Rick:Well, and like a lot of EU compliance stuff, member states have the authority to implement their own Mhmm. Tweaks to it. And so there is a confounding factor for all these organizations that build stuff or sell stuff in member state countries and that, like, well, you have to know about sort of the the the general EU regulations and the default stance there, but then you need to know about all the local member. It it's very similar to privacy.
Justin:Yeah. You have to know
Rick:about all the member states and all the different tweaks and tunings that they do and who's particularly militant in terms of enforcement and who might be less so and and all those things. So, yeah, that's a big one.
Justin:Yeah. Speaking of privacy Yeah. California updated their CCPA, and it starts kicking in yesterday. Right? Mhmm.
Justin:So this was an update they did with a little bit more, it wasn't, I would say, substantial, but risk assessments for larger companies, now start to have to be done, into that cybersecurity audits by third party companies, you know, need to be done coming a little bit later, for smaller companies and everything like that. So, yeah, if you're in California or deal with, California consumers, make sure you have your counsel and your privacy, offices, look at this and ensure you're adhering to some of the stuff and everything. Yeah. So
Joe:Yeah. That's an interesting one. And and risk assessments, they're they seem confusing, but they they really are not gonna be that they're not that hard to do if you just stand and and work on it. And I think the biggest thing is how who who's gonna explain to all these companies that process this information, even these small ones? And I'm wondering if there's any exception for a company that based on based on size for that.
Joe:And but, you know, which how big of a company do you have to be Right. Or small of the company you have to be to have to do that risk assessment.
Rick:Yeah. One of one of my absolute favorite things, and I will continue to steal it ruthlessly, Many years ago, probably a decade or two ago, I saw some Ernst and Young stuff about risk assessments. I don't know if it was public or part of an assessment that we got or something like that, but they framed risk assessments as as, you know, it's just the what could go wrongs. And Right. Yeah.
Rick:And it's just you can get wrapped around the axles on the details, and you have to have an appropriate level of formality and methodology and all that stuff. But I always loved the the framing of this is just we just need to talk about what could go wrong and what are you doing about it.
Joe:That makes sense. And, you know, we we see companies, like, get way confused or think it's too big of a problem to solve on a risk assessment and, you know, just keeping it simple. Mhmm. You know, makes a lot of sense.
Justin:Yeah. Yeah. Yeah. Yeah. We should do another topic on that at some point.
Rick:Yeah. Let's expand that. That'll be fun. Next
Justin:one is the SEC regulation, SSP compliance for smaller firms, by 06/03/2026. Large entities were already hit 12/03/2025, so fairly new for them as well. And this is basically it's pretty light from this aspect, policy procedures, incident response, you know, requirements for notifications, all that stuff and everything. But, yeah, make sure if you're a publicly listed company, you know, by the, by the SEC, you know, make sure you're compliant by a lot of this stuff here.
Rick:Was it all public companies, or was it just public companies that do financial stuff?
Justin:I would have to double check. I mean, SEC regulates all that stuff.
Joe:Right. But I think that the scope, I was hearing was more the financial services related public companies.
Rick:Yeah. I think so.
Justin:Didn't involve financial institutions safeguarding customer nonpublic personal information.
Rick:It's like privacy
Justin:and consumer stuff for smaller financial entities. Yeah. And smaller ones cover broker dealers, investment companies, advertisers, and transfer agents. Yeah. Updating incident response plan, notification templates, enhancing vendor management, and maintaining records of these efforts.
Rick:Yeah. I'm glad you went through that because I did not have that top of
Justin:mind. Yep. Yeah. Alright. Yeah.
Justin:But that's a good point, and a good kinda separation with that. Another one here, we got three more EU AI act. Yep. This is one that I think we talked about an episode or two ago. They there were actually amongst member states in talks about cutting back a little bit about this.
Justin:But nevertheless, there are still enforcements coming up August 2026. So it's it's unclear, like, some of the implementation, still TBD from some of the member states that they're gonna be coming out to say, here's what we actually mean by this Right. Type of thing. So, again, it's a kind of a wait and see. But I think if you at least apply good frameworks of compliance in around AI, you'll probably be good.
Rick:Fully agree. Yeah. Like I to this. Because I mean, it's just like it's this is the same balance that you get with so many compliance stuff. It's like, well, if they set out just for objectives and you figure out how to do it, people are like, woah, what's enough to pass?
Rick:Yeah. And if you get, like, super prescriptive with it, then you get, like, a ton of pushback for the places like it can't apply or doesn't naturally apply. So I kinda like that they set out with a whole bunch of general objectives in a way, and I totally agree. Like, sort of do do your best in good faith to address them. And at a minimum, you're not gonna be, like, found negligent typically.
Joe:Yeah. So another one for the EU folks. Right? And this one's an August date and
Justin:Yep.
Joe:The previous one was a September date. So, hey, that that last half of the year
Justin:You should be planning right now. Oh, yeah. If not already.
Joe:Oh, yeah.
Justin:NIS2 enforcement, ramping up in 2026. So, another EU one. Yep. Through the formal timelines with EU member states, April '26 and throughout the year, is really where it shifts from kind of paper deadlines into enforcement mode. So be wary on that.
Justin:Again, risk based controls, incident response, governance oversight, and supervisory audits into there.
Rick:Yeah. And the big one on this from my perspective is, I think April 17 is the deadline by which member states define who's critical and important from a company or organization perspective. And so you might get named as someone that needs to do the extra stuff on
Justin:that date.
Joe:Yeah. It sounds like a lot of the the three things here, ISO 27001, 42001 from an AI perspective Yep. 27701. You bring one ISMS together and make sure you're hitting on the key concepts of those Yeah. You'll probably start to be on the right track.
Rick:Well, it gets back to the fundamentals that you were talking about before. Right? Yeah.
Justin:Oh, absolutely. Alright. And lastly, I don't know if people pronounce it CIRCIA, but C-I-R-C-I-A, incident reporting framework. This is for critical infrastructure. So Cyber Incident Reporting for Critical Infrastructure Act.
Justin:So this is if you're in critical infrastructure, power, transit, gas, you know, other stuff. You know, if you're in critical infrastructure, you know, into that. They have incident response, reporting timelines. Seventy two hours to report, twenty four hours form, for ransomware notices into that. And that's, gonna be starting in 2026 here, with that.
Justin:And that'll be kinda binding Yeah. For that critical infrastructure Yeah. Into there. So, yeah, some important dates. And, you know, as we go on, there'll probably be more updates, you know, to things out in the wild here.
Justin:And
Rick:Just in general, it's a ton of stuff. Yeah. Like, it's a bunch of stuff hitting at once. And if I don't know, you know, whether whether you're figuring out your automation plays to address some of these things as much as possible or getting additional resourcing to do it or external help to do it, like, there's there's additional effort here.
Justin:So if
Rick:you're not think if you have a global organization, you're not thinking about the additional workload, you probably should be.
Joe:So, Justin, I I think this was a topic you added to the list. And I was wondering Yes. Where do you get updated? Like, what will we share with our listeners about where where they keep track of all this?
Justin:Like, how do they know what's coming up? So I monitor a lot of RSS feeds. I use Feedly to source in a lot of stuff. One thing I really like about regulatory updates is what is it? JD Supra?
Joe:Oh, yeah. Love all the permissions.
Justin:They do really good notifications. They're one one of the main things I look at in my RSS feeds at the into that. So they do really good work. Look at that. Obviously, any of the, like, privacy or incident response or, you know, stuff out there that you're looking at, will notify you onto there.
Justin:A mixture of, like, some government's sites, like, I have HHS, CMS, you know, onto there. They'll sometimes do, like, news bulletins on, you know, guidance, which is sometimes interesting when you read some of those. You know, they come down almost as mandates, you know, like, and sometimes can change things, into that. But, yeah, that's where a lot of that stuff I'll I'll look at and kinda do that, type of thing. So Yeah.
Rick:I'd also say if you're on the private side, cozying up to your legal team and whoever their external counsel is, they're typically interested in selling more things.
Justin:Mhmm.
Rick:And so they're happy to tell you about the new things that are happening in the jurisdictions where you operate. Same thing if you buy, and I'd probably advise for a more streamlined purpose built GRC tool. But if you happen to buy a big box GRC tool, they typically have giant kind of marketing arms that, again, want to equip you via their blogs or their relationship managers or whatever about You'd be surprised. That many, though. You know?
Rick:Some do. The Archers and the OneTrusts and things like that.
Justin:Does a good job on a lot of the privacy stuff and everything. So, with that, but you get it in a lot of mid market ones. You know, they'll just regurgitate Agree. And ISO and whatever.
Rick:You
Justin:know? Like, they don't go off and be like, you know, and ask two, you know, like, here's what you need do. Oh, yeah. Fully agree. Actually dive into other aspects of it.
Justin:Yeah. You know? But they're unfortunate. I think it's a good thing to, like, expand on this, and we talk about it in a lot of times even with our audience. It's not always applicable to them, but it's good to know, like, what starts in the EUs oftentimes trickles into The US Oh, yeah.
Justin:Base, you know, into that. So getting a heads up and, like, okay, what's being regulated in certain areas of the world? Is this something I need to start having in the back of my mind to just structure my organization appropriately or looking at budget or, you know, how to kinda frame what I'm doing today that it would be an easy ad, not an, an uplift, you know, type of thing. So
Joe:No. Thanks for sharing that. Yeah. I use Feedly as well. And so if you're not using Feedly, it's a great tool, and it's not all that expensive for an annual subscription.
Joe:But I just was looking. I don't have JD Supra in my Feedly list. I'm gonna add it now, so thanks for
Justin:that. Yeah. Yeah. So yeah. Great.
Justin:Do we wanna do drinks now or I forget when our break was.
Joe:Oh, I think so.
Justin:Let's do the drink now.
Joe:We can do
Justin:it now. Yeah. Sure. Because the next couple are similarly, you know, related Yeah. You know, into this.
Justin:So for our drink, because it's the holidays, even though we're kinda past holidays, it's it's still
Rick:our holidays.
Justin:You know? It's still the holidays. It's our December 1. So we decided to do High West. They come out every single year with this.
Justin:It's Midwinter Night's Dram. Every single year, they come out with this, and it's often a hit. It's one of those love or hate. Like, I I I see a lot of people that don't really enjoy this, but it's actually pretty good. It's a rye whiskey finished in port barrels.
Justin:So if you ever had a lot of those, like Angel's Envy is similar with that with the sherry barrels, something like that, finished in kind of a wine barrel that gets kind of that fruity palate on the back. It's nice and easy at, 49% alcohol, so just a touch under a 100 proof, you know, into this. And, yeah, it's
Joe:Who who makes it again?
Justin:High West.
Joe:And where are they at?
Justin:Great question. Kentucky? I mean, I I have a pretty good
Rick:Oh, thank you. I I love this. I also think I'm surprised that it's 49%. I almost thought it's so smooth that they'd cut it down to 40.
Justin:Yeah.
Rick:Yeah. I you said if you love it
Justin:or hate it, I I love this.
Rick:It's very good. It's not overwhelming on the port side. Like, you get a little bit of a finish pedal. Yeah. Like Angel's Envy, I think, gives me a lot more finish Okay.
Rick:With with the with the sort of wine casks.
Joe:Oh, Park City, Utah. No.
Justin:No. There you go. Yeah. I figured, you know, I have a 90% chance, you know, of getting it right. Kentucky or Tennessee or well, happy New Year's.
Justin:Cheers. Happy New Year's. Happy New Year's. Yeah, if you haven't added, it comes out once a year, usually around I think is when it goes on sale, and they make kind of limited batches to this. But excellent.
Justin:You know, definitely share it. And usually, drums are, you know, pretty good from a, you know Yeah. Holiday perspective. Alright. So diving into misleading the feds here.
Justin:I forget. Was it one of you guys that
Joe:brought up started it, and I added on some things to it. Right.
Justin:Yep. Yep.
Joe:So well, real real quick high level. I think everything we wanna talk about today is around how if you're not reporting accurately, then you're probably gonna have a problem, especially if your customer is the federal government. Mhmm. And so that comes around in, I think the the handful of articles. One of them was a FedRAMP related one.
Joe:Another one was a, CMMC Mhmm. Related one for, false claims as well. And these are turning into companies who companies and individuals who are now becoming criminally liable for certain things. So that first article, I think this is the one you posted Yep. Was a former Accenture employee was criminally charged for allegedly misleading the federal government about the security of cloud platforms used by government customers.
Justin:Yeah. And it it it's interesting that it goes into, like, some of the stuff like, you know, the attestation of what they were doing with the like, I think it was vulnerabilities to to concealed platforms noncompliance with security controls under FedRAMP, and the management, the, risk management framework, you know, into this. And, yeah, I think it it's very interesting into this here. It just sets up kind of a, you know, a precedent to say, if you're an employee, like, do not do this. You know?
Justin:Like, you don't get paid enough to mislead, you know, into this. Oh, yeah. Even though and I don't know, obviously, all the story, you know, with Accenture and or or is it Accenture?
Rick:No. Former Accenture. Former Accenture. They were working somewhere else.
Justin:Yeah. Yeah. But it was Accenture Federal Services where the the statements were actually done through this. But, you know, I can imagine, we've seen it all before, there is often corporate kind of influence Pressure.
Rick:Think pressure is a fair Yeah.
Justin:To, you know, say, is it really that big of a yield? You know, we'll get to it a big deal. Next week, you know you know, so we we'll just say it's clean, and we'll get it clean. You know? Don't worry about it.
Justin:You know? And this is absolutely saying, no. Like, you need to, no matter where you're at in the food chain of employees, you cannot do this.
Joe:This is a nextgov.com article. Looks like it was
Justin:We'll put it there. Okay. Show notes.
Joe:12/10/2025 story. And yeah. You you're absolutely right. And, you know, at the end of the day here, you know, we plan to implement or we believe it was sufficient. That's under defense for certifications when you gotta say what your controls are.
Justin:Yeah. Now saying all that, and I think I wanna segue into the next article Yeah. Here because they are very much related. And it it's interesting because you hear about, like, some of this prosecution Mhmm. Prosecutorial type stuff here.
Justin:And you read the article, and it's like, oh, yeah. They did bad. You know? Like, you come away with the impression that they misled, you know, the federal government into this, and they absolutely could have. You know?
Justin:But you don't actually see what the details are. Like, you know, I'd like to see exactly what they said about what and what state that was. Because one of the things I actually had the opportunity with, if you're not a 100% familiar, if you remember SolarWinds Mhmm. One of the things a few years ago was that when SolarWinds had that big incident, you know, where bunch of you know, with their vulnerabilities into their platform, how many and including federal government, you know, customers had this issue and had, you know, nation state actors coming into this. Well, the SEC decided to go after SolarWinds.
Justin:Not only that, they went after the CEO and the supposed CISO at the time.
Rick:Personal with personal lawsuits.
Justin:Yes. Exactly against us. And, obviously, when you get wrapped up in a lawsuit, you can't really talk a lot about that, but the SEC finally dropped all charges with prejudice Mhmm. Against the CISO, and I think dropped all the charges against SolarWinds as well, you know, into this.
Joe:Yeah. Right. A lot of the former charges were dismissed back in July 2024, but some of
Justin:these
Joe:still still lingered on. And if anybody doesn't know what it means to what does it mean to dismiss it with prejudice?
Justin:That means they can't come back Right. You know, into that. So they they dismiss it and said this is, you know, for whatever reasons, this can never be relitigated Yep. You know, into this, which is good, you know, closes the door on it. But, essentially, I had the opportunity to talk I I didn't talk to him, but it was a big conference call, like, 300 people actually joined up.
Justin:And So who hosted this call? Tim.
Joe:Tim Tim Cook, the former CISO.
Justin:CISO. Yeah. At SolarWinds. So after all this, he went into it. And he didn't get into a lot of the information into this, but some of the stuff that was interesting, like, he talked about his perceptions on oh, first off, let me, level that.
Justin:When they first came with charges with him, they said, like with anything with charges, especially from federal government, they'll often give you kind of a plea deal. Yeah. And they'll say, okay. If you plead guilty, you can no longer hold office, you know, any officer position in any company ever again, and, you know, you can't do all this stuff. And, you know, he came at it, and good for him, you know, from this, and to SolarWinds actually backed him.
Justin:Supporting him. Yeah. Supporting him through this.
Joe:And read that some that not only SolarWinds, but their their investors.
Justin:Their investors. Yeah. Stand
Rick:behind them.
Justin:Yep. So and basically said, like, we didn't do anything wrong. Like, he came out afterwards and was like, everything that they basically claimed against me was false.
Rick:Yeah. I mean, of the terms of the plea deal were basically like, hey, admit that you had systemic failures to your program. Hey, admit that you lied about those systemic failures. Yeah.
Justin:Just like
Joe:yeah. Can you give an example
Justin:of one of the systemic failures? Specific example of what the federal government considered a systemic failure was they, during a review of some of their access control Mhmm. Found, like, five users that were over permissioned. Out of? 200 or 20,000 users.
Justin:Five users out of 20,000 users. And the government argued that was a systemic failure.
Joe:That doesn't sound systemic.
Justin:Yeah. Right. And that's the whole thing. It's like, you know, they you know, it was a conversation on the call. It's like, well, were they lying?
Justin:It's like, well, it's a matter of interpretation at that point. Like, I, you know, I would say a reasonable person cannot argue that five out of, you know, 20,000 is systemic, but, you know.
Rick:Right. Well, and you can say it happened multiple times, but if the specifics of that, you know, each time is, oh, this is human error. This is different human error. This I mean, five out of 20,000 ain't a bad percentage.
Joe:Plus, what else I read was that those weren't found and discovered by the government auditors. They were found internally and corrected using the information management system they have in place. Right? Yeah. Their own processes found and fixed this problem, and they were doing the right thing by getting better, continuous improvement, letting their they actually had a process in place that discovered this, found it, and if that's the case, their security program was working.
Rick:Yeah. As intended.
Joe:As intended. Yeah. And yet, because they published that and they had proper metrics around what they found, somebody used it against them.
Justin:Right. Yeah. Another thing was, like, they got he recommended that review your roles and make sure they're spelled out very specifically. You know?
Joe:For a job description?
Justin:Yeah. Well, job description, RACI roles, and when you sit on committees, stuff of that nature. One of the things that really bothered him was he was solely responsible for disclosures for the company. He's like, no. I sit on a committee for that.
Justin:I'm one of the people that, you know, offers, you know, advice and insight for disclosing for the company. And the government said, no. You know, you're you're responsible. And it's like, no. That's not a thing.
Justin:So they had disagreements on who was responsible for what. You know? And it might have been maybe a little bit vague into that because Tim went on and said, make sure it just spells it out crystal clear on, you know, who's responsible for what, you know, in certain aspects of that and everything. But they even went through like, they're really trying to avoid, like, employee depositions. He said that was really hard on the company, and they, you know, not only just opposed him, but a lot a number
Rick:of people
Justin:off his team. Yeah. And if you've ever been around a deposition or gone through it, you know it is a ton of prep and work and stress.
Joe:And And you got big bright lights on you and cameras and recording?
Justin:Oh, and by the way, you have day jobs. Yeah. Exactly. So so yeah. But, you know, they they they ended up having to depose a whole bunch of people and everything.
Justin:Another thing that he brought up was, like, they were even, like, all the depositions actually pointed to said that they were actually, like, good from a security opposite of what they were, like, doing. So their depositions were good, slanted toward their favor. There's, like, stuff that they contradicted into their into their filings. You know?
Rick:Oh, yeah. I heard that, like, the facts like, they like, the government side of the case got just slaughtered in, like, cross examination and testimony or
Justin:whatever the Yep.
Rick:Yeah. Whatever the procedure was when the facts were reviewed.
Justin:Yeah. And one of the things was really interesting. Like, he you know, going into this was like, oh, they're just looking you know, his presumption before any of this started was like, you know, they're just looking for the truth and his ask or outlook on this totally changed. Like, that they were just looking for a head to put on a stick. You know?
Justin:I think Well,
Rick:I mean, there are times where the government or organizations look to make an example, and and that happens.
Justin:Yeah. Did he
Joe:talk about the stress levels for himself and his team as they were going through this?
Justin:Yeah. Yeah. He talked about, like, especially with the depositions and everything like that, that it it it was a lot on his team. They had to give, you know, multiple breaks and kinda, like, travel, you know, breaks because they had to go up to New York to Oh, yeah. The depositions.
Justin:But he said they they they did awesome, you know, into this. Like, a lot of it coming through adversity, just performed super admirably, you know, through this.
Rick:And one
Justin:of the
Rick:things you started with, this went on for years. Right?
Justin:Yeah.
Rick:I mean, the the lawsuits were started years ago.
Justin:Two or three years that there were that this was going on
Rick:and everything. A lot of time to be in a very high stress environment with demands on your time that are both extremely important, extremely invisible or extremely visible, and then also, like, not necessarily directly related to you achieving your stated goals of your day job. Yeah. That's a lot.
Justin:And another thing that why this case, I think and good for Tim for, like, fighting on this. Technically, he was not an officer of the company. Know? He was, like, not a named officer. Right.
Rick:He's a CISO, like chief, but that's a title, not necessarily And the thing is yeah.
Justin:And the thing that does why this is, like, really big is, you know, like, named officers get named in lawsuits a lot of the time, you know, into this. They have cover they have specific officer coverage.
Rick:D&O.
Justin:You know? Insurance. Yeah. He was named as a regular employee as part part of the, you know, the company was. You know?
Justin:Why this was a big deal from a CISO perspective? Most CISOs, I would say, are not named officers.
Rick:You know? And if you're not, you're not covered by director and officer insurance.
Justin:Yeah. And so all of a sudden, you're like, hey. I don't have responsibility for patch management. I don't have responsibility for making decisions on risk treatments. You know?
Justin:Like, that's not my role in the organizations, and now you're charging me. You know? Like, he didn't have software development underneath him, you know, as
Rick:a CISO. And even, like, just from straight authority, like, I I risk advise. Right? But I don't necessarily direct activities of other departments and certainly not at the, you know, executive tier from a named officer perspective. Right.
Rick:Yeah.
Joe:Yeah. That's very interesting. And so, like, what so I'm I'm thinking of couple things. One takeaways, like, if you're in a public company, what should you be thinking about? And when it comes to your job description, does it make sense to have your charter and your job description explicitly spell out what you're not accountable for as a a new section?
Joe:I haven't really written job descriptions to say this role is not responsible for the actual implementation of patch management. The actual, you know, secure code writing and stuff like that. That if something goes wrong, the CISO is very easily and I commend SolarWinds for not doing this, for not making a scapegoat out of out of Tim, but for doing all of that. So what are you what are you thinking or takeaways that people need to
Rick:I've seen explicit negative statements in team charters. Maybe not super commonly, but enough that it's not, like, super weird for me. And typically, it's paired with, you don't do this, but this is how this works. Right? So, like, you advise on risk, but these are the teams that are responsible for addressing the risk or accepting or denying the risk or whatever.
Rick:Not denying. Mitigating. Whatever. But I've not really seen that in job descriptions before. So I'm not saying it's a bad idea.
Rick:I've just not seen that in the
Joe:past. Yeah.
Justin:I and I don't think I mean, I don't think that will solve anything, you know, because everybody has, you know, wrongly stated. If you're outside of the security community, they think you're responsible for all security, you know, in the organization, which is not a thing. You know? Right. Your second layer, you know, defense of the organization and oversight layer to ensure, like, everybody's doing the right thing as per the company's risk management tolerance, you know, into that.
Justin:That's your role, you know, into that. And to guide and to show metrics and to, you know, help with decision making, you know, where appropriate on, you know, what controls or mitigation steps or whatever it may be. But at the end of the day, we can't we can't actuate the change oftentimes just by the the our own department. You know? Like, that's not a thing that we can do.
Justin:That takes senior management.
Rick:You know? You your report I mean, I always I describe this probably poorly, but often describe this as like, yeah, we gotta go tell mom and dad. Yeah. Right? I mean, if you got a mom and
Justin:dad or, you know, like It's it's it's
Rick:the board. It's the executive team.
Justin:It's yeah. Yeah. That's that's all you can do, you know, other than short of maybe finding a new job because you see something coming down the the pipe. You know? Mom and
Rick:if mom and dad aren't there to support you Right. Like, yeah.
Justin:Right.
Rick:It might be time to find something else.
Joe:Clearly, make sure that you're documenting risks. Make sure that and and and I always I'm thinking, don't document your risks in a way that's going to become a problem for your company. You make sure your law department, your legal team is on board. I like having general counsel be able to weigh in on things, and sometimes I would go and get a directive intentionally from general counsel in order to go and deep dive into the risk assessment so that it's being done at the direction of counsel. And then to whatever degree I can, let counsel be in a position to defend the organization and to defend the decisions and and the information that's coming out.
Joe:And if there is any client attorney confidentiality or privilege, as they call it, yeah, I wanna make sure that's in place.
Justin:Yeah.
Joe:So as you're getting into
Rick:these
Joe:situations, you know, transparency is is key. But I also like the idea of overly documenting what the roles are that you have like you you brought up.
Justin:Yeah. And I think a lot of people when we talk about risk management and all this stuff, and this is kinda related to the SolarWinds thing, which I think just from an outside, it seems like Tim did a good job onto this. Keep in mind, like, the outcome shouldn't be your goal. Yeah. I think it should be more about the wheel that you set up to deal with the issues, you know, into that.
Justin:So I've seen a lot of companies overemphasize, like, we are a low risk. We are always a low risk, and don't bring this medium to me, you know, or high. Like, we're low risk. You know? And they get so focused on the outcome Yeah.
Justin:That they miss the picture of, like, treating it right.
Rick:You know? I expect a 4.1 every year on a scale of five. Times have
Justin:we had clients that are so focused on the outcome of it and not the wheel of dealing with it. Yeah. Even incentive
Rick:structures. Right? Exactly. And this is, like, documented in a zillion risk frameworks, but, like, it's a bad incentive structure if it's the goal is to hit a specific target. Yeah.
Rick:Like, that can be sort of a secondary thing where you have an aim and you wanna get there. But if, like, people are incentivized to hit a specific target at a certain time frame, I mean, you're just setting up situations where people are gonna hide stuff or misdirect or scope things
Joe:very intentionally. KPIs to be more aligned with the ISMS, with the information security management system, which is the plan do check act, the demoing cycle process
Justin:that we're talking about. Wheel that I'm talking about. Yep.
Joe:And to make sure that that keeps working. And so when you're really looking at the metrics that are gonna make a difference in that situation, it's how many times have we had nonconformities reported internally so we could get ahead of them before they become an external security incident or breach?
Rick:Mhmm.
Joe:How many times has a risk actually turned into a nonconformity, but that risk didn't have senior leadership sign off that that risk was acceptable for a duration of time. And it's those kinds of metrics that become not leading and the predicting KPIs that you can use.
Justin:And if they want to get better management sign off and they're okay with it, then it's not a nonconformity. That's just what it doesn't
Rick:well or or it could be, but it could be there could be accepted risk. Right? So, hey. We have this Well,
Justin:it's not nonconformity to the the Oh, SMS. Yeah. Exactly. But, yeah, if it's on your register and you accepted it and say it's good for six months away.
Joe:Document the right way?
Justin:Yep. Hey. Hey. It's good. Yeah.
Justin:And then look at your training. Yeah. If you have a
Joe:lot of of those items, but it's still written into your governance
Justin:Mhmm.
Joe:That's a time when we go back and we say, look. For the last three years, you've never hit the metric of your your your actual policy and your standard that all criticals or all highs are remediated in thirty days. I've not seen that once in this organization.
Rick:So Is the metric broken, or is your response broken?
Joe:How how would it wouldn't it be more appropriate if we just adjust a couple things? Let's make sure that our governance documents don't say things that we can't do.
Justin:Mhmm.
Joe:And second, let's make sure that we evaluate that risk and then take that risk to senior leadership and say, sign off on this risk that's balanced by this policy that we can actually obtain, and then we can do the things that we say we do.
Justin:Yeah.
Rick:Visibility and sign off and, like, sort of this concept of shared accountability for making the program better as a whole, it are some of the most powerful tools that if you're like a leader in an organization that you can leverage, I've it's funny how you'll see the conversation start to change where you go, hey, I'm here, like, surfacing this risk. I think we should do something about it. People are, wow, we can't for these resource. Okay. I just need you to sign off on the fact that we can't do anything because of resources.
Rick:Like, I need you to put your name on that.
Justin:Yeah.
Rick:And people, oh, well, well, we don't wanna do that. Okay. Well, that's fine. We don't have to. But you you're mom and dad.
Rick:You get to make the call. Right?
Justin:Are we
Rick:gonna do something or not?
Joe:Right. And I would say that be careful on how you approach that because
Justin:Yeah. You don't want that to be the It's not combative.
Joe:You're you're not a team player, and that's why you're not working for us anymore. Yes. But bring it in the right way. Bring it as a conversation. Let them know that but before you do that, build the ISMS that requires you to write these things down at the right time
Justin:Mhmm.
Joe:So that you can say you're following the process. So our internal processes, I bring this to you. We talk about it. I need to document it. That's the next step.
Joe:But first, I wanted to include you in the conversation. Yeah. Then it's gonna be documented because that's what we already agreed or said we would do. And now you're following your steps. And make sure your steps are aligning the things where you can bring that transparency and visibility
Justin:Mhmm.
Joe:To top leadership of something that they can get ahead of before that you ask them to put their name on a sign off for something that they might otherwise not be happy with you personally with. Like, don't put them in that position, and you can build your process as ways to not do that.
Rick:Well, I always see it as like an ex an exercise in setting expectations.
Joe:Mhmm.
Rick:Right? And this gets back to, like, well, what is the expectation of the role? And this, to some extent, gets back to job descriptions. Right? So is it expected that you're going to, as a leader of security and organization, solve all the security problems?
Rick:If that's the expectation, you probably need to reset that a little.
Joe:Right. Right. Or update your resume because it's time to find a little variety where you can work for people who don't have that expectation.
Rick:Yeah. But if the expectation is that you're gonna surface challenges, seek assistance in resolving things that you can't resolve yourself or direct people to resolve yourself, you know, if it's clear when you need to go to mom and dad and, you know, when mom are gonna then then typically when you enter into those conversations, you're starting on the front foot because they go, oh, you're escalating this thing that we really didn't wanna see. Well, we're happy to have the visibility. What do you need in you know, to help fix it?
Joe:Yeah. Well, I wanna talk about one more but new topic on misleading the feds, but I wanna make sure that we wrapped up anything you wanted to hit on on SolarWinds.
Justin:No. I think that's very good and everything. I guess my kinda takeaway is phenomenal what Tim did in fighting this. It took a lot of bravery, you know, because it could I agree. Yeah.
Justin:You know? Wow. With this, and it really protected a bad precedent on against all c CSOs. Yeah. You know, into that.
Justin:So I'm really glad that, you know, he stood up, you know, against us because the plea deal could have been way easier, you know, potentially into this.
Rick:Oh, and for SolarWinds to support him and all that stuff.
Justin:And all that stuff. Yeah. Kudos to SolarWinds supporting him. Kudos to Tim and his his entire team, you know, with this. And I'm glad, you know, even though, obviously, that vulnerability was really bad and, you know, all that stuff, like, it happened.
Justin:And it was a nation state. Like, you know, we look at this and it's like, you know, it will, like, bad things happened, you know, through this, and they had a whole bunch of protections. And some people even on the call were like, so what was one thing that, like, led, you know, to this? And, you know, it wasn't just, like, one thing, really. It was a series of things that led to an investigation that that then caught it.
Joe:And the issue they had was a series of things that nation states can make real
Justin:Oh,
Joe:yeah. You don't face every day.
Justin:Yeah. And he said I mean, it was one of those things that I was really patient too. So it was something, like, somebody clicked on something, but they waited, like, a week.
Rick:It was two weeks. It was fourteen days.
Justin:Fourteen days before they did anything with that opening. So, like, they clicked on it. They got foothold. They didn't do anything for two weeks. Yeah.
Justin:They just sat. They just did nothing. No probing. No nothing. You know?
Justin:And, you know, so that didn't like, normally, when you're looking at, like, SOC alarms and all that stuff, they're looking for a string of stuff. Yeah.
Rick:It was happening pretty quickly.
Joe:Well
Rick:Right. I know of some things in more recent history where nation states have been seen to wait for thirty days or over thirty, just over thirty days because it's a natural rollover for, say, live logs in some organizations or things like that. And so again, this was years ago. Right? So fourteen days, just know that that's getting more and more insidious for nation states because they can they can choose to wait.
Justin:Yeah. Right. And they hire have a higher likelihood of being there longer Yeah. If they wait a little bit. Yeah.
Justin:You know, into that.
Joe:No. I'm really glad you brought the SolarWinds topic to the table today.
Justin:But you had something else?
Joe:Yeah. The other one I wanted to talk about is so we talked about the FedRAMP one. Let I'm gonna talk about the CMMC one a little bit. So over the last year in 2025, there were multiple cybersecurity related false claims act settlements, and they were tied to the DFARS 02/7012. And that's also the stuff that NIST 08/1971 relates to.
Joe:And as companies made representations that they were in alignment, and they went as far as, they didn't have any kind of breach, but they went as far as putting into their SPRS system. That's a supplier performance risk system that you have to enter Mhmm. Your scores in if you're a company who is prime or a sub to a prime who is doing DOD related work Yep. Which I totally expect over the next few years, all of the stuff the DOD is pushing will expand to be a little bit more no matter which government agencies you're working with. So but one of the things that they had was these settlements.
Joe:And so one of these settlements and and actually more than one. A couple of them came because of whistleblower activity. Mhmm. And so something that's interesting is these whistleblowers, that activity is increasing, and whistleblowers are getting somewhere in the 15 to 30% of the settlement money Yep. Is going to them.
Joe:And so there were a couple of articles, one in the Federal News Network, which I'll make sure that we have that link as well. It was a 05/01/2025 story, and it's where contractors are being held accountable for, these false cybersecurity attestations, and the information is getting put out into the Spurs system. And these are, you know, gaps with things that were known internally, but we're still certified as compliant. And this other article that came out December 5 was from justice.gov. And what happened was a small defense subcontractor agreed to pay.
Joe:They settled for $421,000. And so this is just your smaller company, and the smaller companies Are these lot of primes or sub? These are sub sub primes.
Justin:They're sub sub primes.
Joe:Sub to a prime. And a lot of these sub the primes that, you know, I end up talking to on occasionally Mhmm. They're starting to come around and say, we don't wanna be we we know that as a small company, we're still need to do the right thing here. Yep. And and that's kind of different than I heard maybe two, three years ago Right.
Joe:When CMMC was coming around. A lot of these small companies were like, I don't know this is ever gonna be a problem for me. Let's do what we need to
Rick:do to get the deal.
Joe:I just need to do this. Let's just we're gonna put the things in to the system and say we're good. But what's happening now is that more whistleblowers are coming to the table. And in this case, this whistleblower at this company received 65,000, little over $65,000 for just calling out their company, which is a small company. That's why their settlement was only 400 and some thousand
Rick:versus these Raytheon had like an $8,000,000 one. Yeah.
Joe:Oh, right. Yeah. That wasn't that was another one out there. But and the the point I'm getting at is the size here really isn't gonna matter
Justin:Oh, yeah.
Joe:If you're a small organization. And the subcontractors is not really insulated from from this problem.
Justin:Right.
Joe:And you don't need you know, you don't have to have a need to have an intent to deceive the government. You just need to not maybe not have the right program in place to make sure that the controls you're attesting to and uploading into the system, maybe it was an accident. It didn't matter.
Rick:Right.
Joe:These things are still coming out, and employees are now being financially incentivized to report these gaps. So kinda pulling it all together is expect that somebody and maybe it's a current employee, maybe it'll be a disgruntled employee who doesn't believe that you're doing the right thing. If you're a business owner and even a small business owner, you can be in a situation where it can get reported. They're incentivized to do it, and you need to make sure that your your program is actually running the way it needs to be running and documented appropriately.
Rick:Absolutely. And this gets back to one of the things we're talking about before where the visibility of problems related to this stuff is just increasing because and I didn't know the the phrase a qui I think it's
Joe:called qui tam. Qui tam. Qui tam. I
Rick:didn't know that legal phrasing before, but it's basically the thing that allows for those types of lawsuits. Qui tam lawsuits allow it's it's essentially whistleblower, also known as, I think, Lincoln law, I think. But it's basically where, you know, you can be protected by whistleblowing on an issue, and yeah. And you'll receive 15 to 30% of the overall settlement.
Joe:Yeah. Yeah. And you can't be fired. Right.
Rick:Oh, yeah. You're you're fully Yeah. Really? Yeah.
Justin:Yeah. Because I know from a government standpoint, they have whistleblower protections onto that. But is that the same for a sub in the private?
Rick:It absolutely is. It's called so it's part of the you mentioned it before, FCA false claims act, and it came in, like, I think around the civil war so that like, Quitem like, I I went down this huge rabbit hole on this, but it ends up meaning it's from this longer phrase that means, like, you know, he who sues on behalf of the king but also for himself or something like that. And it basically means, like, hey, I'm gonna I'm gonna pull the fire alarm on this bad thing that I see happening, and I'm gonna inform the government of it. And if they choose to take it up, I get a piece of the settlement. And if they don't choose to take it up, I can still proceed with the lawsuit myself if I feel obligated to.
Justin:Interesting.
Rick:Yeah. But you have like
Justin:protections. False, then there would
Rick:I if you're wrong, the government won't take it up, and I think it just kinda goes away. Yeah.
Justin:But I I would imagine there would be no protections on
Joe:No. No. You're not protected if you're lying.
Justin:Yeah. Yeah.
Joe:Yeah. But if you have a legit item, and it's just like no retaliation. It's like the non retaliation kind of rules
Justin:Yeah.
Joe:For a company.
Rick:But to your point, Joe, yeah. So you need to be, you know, just recognize that there are incentives for people Yeah. To kind of say something.
Joe:So with threat modeling Yeah. So if you wanted to do this the entire nefarious way, what could you do? You could say, alright. Hey. I'm going to do all these bad things, but I need to come to my threat model and understand what it is.
Joe:Well, one of the threats that need to be in there is I'm gonna have somebody telling me, and so you need to know that. So Yeah. I'm not encouraged in this at all, you know, very ethical. You can only lose your integrity once and that's it. So don't do this.
Joe:But if you are doing it, know that another threat that is out there and it's been there is that somebody can tell on you. Yeah. And it's and in 2025, there were a handful, maybe about five organizations that settled just on the CMMC, the Absolutely. The seventy twelve stuff. And a subset of those, if not all of them, were related to whistleblowers who got money for pointing out that their boss, their company, were not doing the right thing.
Joe:So it's there.
Rick:Well, it doesn't have to be like like, someone could tell on us, doesn't even have to be framed in the negative in a way. It could be just like any other cybersecurity thing. Like, what if it was a a human error type mistake, right, to your point before? Or what if it was just an omission? Like, we didn't do enough in the program and someone said, oh, I don't think you're covering off bases here.
Rick:So you really I mean, it is a thing that you should be aware of is that these things are gonna get exposed more and more. And they're, like, the ramp up was some double digit percentage, like, year over year for the past two or three years in terms of these things being reported.
Joe:Yeah. That's why the second line of defense, your compliance program is so important.
Justin:Yeah. Yeah. That sounds interesting. Alright. So let me say wrap up?
Justin:I think we wrap up. Wrap up here. Alright. Well, thank you.
Rick:This was great.
Justin:Yeah. This was good.
Joe:Yeah. Happy 2026. Yeah. Happy New Year. This a great episode.
Joe:I enjoyed looking at the notes for this one.
Justin:Yeah. Absolutely. And cheers, everyone. Happy 2026. Don't forget to like, comment, and subscribe up to this.
Justin:We got some exciting stuff coming up next episode. We're gonna be switching around the format just a touch. So looking for we'll ask for feedback then, but don't forget to do that. And cheers. Have a good one.
Justin:Bye.
