TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal

Justin:

Welcome to Distilled Security Podcast episode 17. My name is Justin Leplein. I'm joined with Rick Yocum and Joe Wynn, and we are still in the new studio here. No back wall yet and everything. And we have a pretty interesting group of topics that I'm excited to dive into, but I wanna tell you guys first, Joe and I realized that we're laptop twinsies, new laptop twinsies.

Rick:

Alright.

Justin:

Bought a new one last Monday unwillingly into this. So I got a travel story for you guys before we start off. So last week, I went to the PCI conference Alright. Which was pretty good. You know, content is, you know, like, always, you know, it's run by the council.

Justin:

So it's pretty controlled of what they say. Sure. You know, it's a conference of a standard with that. In fact, somebody I know that actually had a presentation, he had some jokes into there, and they axed it from the presentation. So, yeah, they're pretty controlling onto that.

Justin:

Outside of that, people there, great, saw old customers, saw new customers, relationships, you know, old colleagues, you know, and everything. So it was great for that. However, traveling on Monday down to Fort Worth, Texas was where the location was. It was, like, 05:00 in the morning. I got my duffel bag, my computer bag.

Justin:

I throw it in my trunk, you know, in my car, and I actually took a couple boxes out of my trunk because I didn't want these boxes. I've been meaning to ship them, you know, not sitting in the airport Yeah. You know Sure. All week and everything. And put them in my garage, started taking off the airport.

Justin:

I realized about two miles out, I never did shut my trunk into this. I found out it wasn't that long, and a lot of people are like, well, didn't you hear the window open? I was like, oh, I opened up the sunroof, you know, into this. And they're like, well, what about the beeps? I was like, there were no beeps.

Justin:

No beeps from my car whatsoever.

Rick:

Well, two miles happens fast, but it's a decent amount of distance

Justin:

to happen for stuff. Fell out was not a lot of people know. It's a two lane going to a eventually, a four lane highway at 228. Yeah. You know?

Justin:

And so I stopped at the light there and then pulled to make make a right. And I turned around about a mile before I even got to Mars, you know, into there. Came back. My computer bag is sprung over this. It is very apparent that several cars have run over my laptop backpack.

Justin:

My duffel bag is still MIA. Somebody took the clothes to it, you know, like I was like, a short fat guy. Who would want to get out close to a little short fat guy?

Rick:

You have some nice sweatpants there.

Justin:

I guess so. You know? But, yeah, somebody took it and those were gone. And I drove, like, when I realized came back. I got my computer.

Justin:

My computer was kinda, like, bent up like this, you know? Oh, yeah. And, like, my beat headphones, I was able to, like, fix them. Okay. But my other, like, AirPods I brought, they're like, the AirPods are gone, but I have the charge case.

Justin:

I brought a camera, like, nice four k camera and a a microphone because I was gonna do some content down the hotel. Right. Totally smashed, like,

Rick:

just in pieces, you know, into that. From the fall or, like, go from From

Joe:

the car.

Rick:

Yeah. For sure.

Justin:

The car running over it. My backpack's, like, kinda shredded. The only thing that survived is my, like, eight year old iPad mini, which is so old, it doesn't even get updates anymore from Apple. Like, it's that old. However, like They

Rick:

don't build them like they used survived.

Justin:

There was wasn't a single crack on it. I'm like, really? The one thing that, like, I wouldn't mind replacing, you know, survives. So, yeah, it's I came home in a rush. I packed, like, grab another duffel bag.

Justin:

I'm, like, throwing cars in. Jen, you know, at 05:30 in the morning, she's like, what's going on here? And I'm like, I just got back real quick. I gotta throw things, like, as fast as I can in a bag. And then finally leave, like and then I realized in Texas, I made a beeline to the Apple store to get a new laptop and everything.

Justin:

I realized I packed her jeans instead of mine. So I had, like, one pair of jeans the entire week.

Joe:

But they were cute. Yeah.

Rick:

Yeah. Did you present?

Justin:

I did not attempt to put them on because she and I are very different sizes. You know? But then, like, also something I didn't realize was the duffel bag I grabbed was often one that I don't really like, I got a free one for ordering some clothes off a website,

Joe:

you know. Sure.

Justin:

So it's a cheesy little duffel bag.

Joe:

Good for camping,

Justin:

That's what I use it for. You know? So I use it for camping. Yeah. So on the way back, coming from Fort Worth, I got pulled aside by the TSA.

Justin:

They're like, is there anything sharp in here? I was like, no. There's nothing sharp in here. Yeah. My pocket knife was left in there.

Justin:

On the way back

Rick:

though, not on the way out?

Justin:

No. Pittsburgh just left. Interesting. Uh-huh. Yep.

Justin:

It totally went through the Pittsburgh Airport, not a single thing. And the guy was, like, laughing about it. He's like, really? He's like, it's pretty apparent. It's right there on the edge because I put in the little in some of the duffle bags, there's like the little inside zipper Yeah.

Justin:

You know, that you can put stuff in there.

Rick:

Just for, like, one item or whatever.

Justin:

Yeah. Exactly. So it was in there. I didn't even know that, like, it was in there. You know?

Justin:

It's like it was just in that little zipper thing. But yeah. So that was my week. I got a new laptop.

Joe:

Yeah. Then you got a new laptop.

Justin:

I got a new laptop. I wasn't really looking for a new laptop. Yeah. It's a little faster, and that's about it. I did get a different color, though.

Justin:

I got the the gray, the slate gray. Oh,

Rick:

slate gray.

Justin:

Yeah. Yeah. So and Joe Anyways. Joe, why'd you get a new laptop? So Not as exciting.

Joe:

I'll tell you. I was going to this conference. It was PCI, and I forgot to shut the trunk of my car and no. No, it's not happening. I just needed a new laptop. My old one is old enough and it would take forever to do things.

Joe:

And every time I'm about True. To go buy another That too. I I was thinking about getting a Mac, but and so every time I was gonna go and order myself a new computer, somebody else's computer in the company just needed started going haywire or whatever. And I'm like, oh, go ahead and get one. Mine's still good enough.

Joe:

I'll wait. Right. And so I waited a little bit. And then finally, I'm like, you know what? Just pulling the trigger.

Joe:

And then I found like HP. I like HP. They kinda work for me. I found HP had this 70% deal first or 60% off for a seventy-two-hour deal they were doing.

Rick:

Oh, wow.

Joe:

And I was like, alright.

Justin:

I'm gonna

Joe:

pull the trigger. So it's a Through HP directly? Yeah. Yeah.

Justin:

Oh, that's great.

Joe:

Yeah. It's it's not bad. Yep. Got 32 gigs of RAM and terabyte hard drive and decent

Justin:

decent So here's a question we weren't intending to talk about this. A lot of people ask me, like, well, what about all your files and, you know, like, all that? I'm, yeah, that's all good. Like Yeah. I the same with you, like

Joe:

Well, the only thing I would lose is I don't sync the download folder. But I also Okay. Don't really clean the download folder out every time like something gets in there. And so there's probably hundreds of things in there that Yeah. But it's sad.

Joe:

But they're not they're not credible. Yeah.

Rick:

If it's important, you like file those

Justin:

items.

Joe:

Sometimes I think, you know what? I can find that in my downloads folder.

Rick:

Right.

Joe:

But I know that I can either go get it from the source, from wherever I downloaded it from. You know, so every once in a while, NIST is down. Right?

Justin:

Sure.

Joe:

And I might have offline copies

Rick:

Yeah.

Joe:

But I always know that I can find a couple offline copies of 853 You'll

Justin:

see once 12 the download of NIST CSF.

Joe:

Oh, right. Exactly. Exactly. That's that's true. Yeah.

Joe:

Parentheses 12.

Justin:

Yeah. Exactly.

Joe:

And so but otherwise yeah. No. My my backup strategy we should talk about backup strategy if we're gonna talk about this Okay. Even though it wasn't on topic at all.

Justin:

Yeah. Yeah.

Joe:

My backup strategy is I sync everything right to OneDrive.

Rick:

Yep. Okay.

Joe:

And it's all going there. But then I also have iDrive, which is a backup tool that will take anything that's local like my QuickBooks or Quicken, the local files like that, and it'll make a copy Mhmm. Of that. And so that's pretty well preserved then.

Justin:

Gotcha. Yeah. I have for my files and everything, I use Dropbox. So any file that I care about

Joe:

Right.

Justin:

Is in that directory structure and, you know, saved into there. And then, you know what? Use so many SaaS tools nowadays. So, like, all my stuff in Notion is in Notion. You know, that type of thing.

Justin:

Oh, you know, like, everything else is like, oh, yeah. That's in a website. Like Yeah. I don't need to save it. You know?

Justin:

So, like, literally and then, like, all the code, you know, that's GitHub and all that stuff. So, yeah, it was pretty minimal. The surprise that there was a couple of little side projects that I never it wasn't that important. If I lost it, it would have been whatever. But there was a couple, like, little off things that I did initial coding to that was not synced to anything.

Justin:

I never checked in to GitHub. I plugged an actual monitor and keyboard into my laptop, and I was able to get all the files. Nice. But the actual device still worked even after getting run over by the car.

Joe:

Your bent laptop.

Justin:

So My bent laptop. Yeah. I mean, the monitor, like, even the all this stuff, like, I'll show you guys after. The whole thing is bent, but, yeah, plugging couple of devices in, it's like, yep. Alright.

Justin:

Yeah. Still works.

Joe:

Did you ever worry about what if the cloud service you're using? What if Dropbox has a problem or whatever else you're using and you can't get to it ever like, I did that threat model and I have a little solution I use,

Justin:

but Yeah.

Rick:

You know, it's funny because my strategy is actually have basically everything in a couple various OneDrives. And then, like, once probably every two weeks, but sometimes it ends up being once a month, I just sync it all to an external drive.

Justin:

Oh, do you? Yeah. I should probably do that. I mean, I have a number of files that are in offline mode, so they're on my laptop as well Yeah. As that, but not all of it.

Joe:

Yeah. I'll do the offline mode, and then I'll point the iDrive backup cloud backup to that Yeah. Folder and have it

Rick:

Yeah. Pull

Justin:

them. Yeah. I've been thinking about, like, like, maybe doing, like, time machine, which is similar to what you're doing for the Mac, and hooking that up to the router. I just haven't done I mean, Dropbox have been pretty reliable. It hasn't not been there when I needed it.

Justin:

You know? So

Rick:

Famous last words.

Justin:

Yeah. I know. So Third party risk management. Next podcast. You're gonna hear me crying.

Justin:

You know?

Joe:

I was

Justin:

like, I should've. Yeah.

Joe:

Or or or because now that everybody knows you use what is it? Dropbox?

Justin:

Dropbox.

Joe:

Yeah. That's where the next phishing email will

Justin:

come. Oh. Yeah. Yeah. I'll get a Dropbox reset your password or That's a pretext.

Justin:

And I'm like, oh, I use Dropbox. I'll click on that. Yeah. Well, you know what you mean.

Rick:

Even worse, it's, oh, Justin's trying to share a file with me via Dropbox.

Justin:

Yeah. Right? Yeah. Exactly. Highly targeted.

Justin:

I'll never share files with you guys. Okay. Perfect. Anyways, let's get on a little bit more pointed to topic. Our first thing that I wanted to address is New York DFS, Department of Financial Services.

Justin:

A few years ago, they came out with what's called, like, Part 500, their cybersecurity regulation. And it was it's interesting. There's multiple kinda variants to it. When it first came out, I remember, like, I had some clients. They mandated, like, ten years' worth of log retention.

Justin:

Oh, it was a lot. And it was like, what are you talking about? Like, who's gonna pay for that storage? Are you kidding me? You know?

Justin:

And then they rolled it back and all that stuff. There's a lot of particulars, you know, into there, and they have it tiered both on how big the company is, both by employees and by revenue Mhmm. You know, into that. And then because of they have a lot of complications into it, they rolled out requirements on a timetable and everything.

Rick:

Right.

Justin:

The reason why we're bringing this up now and a little bit of discussion is there's a few new ones on November 1 Mhmm. Coming in Trigger. They are do you have that up in front

Rick:

of MFA is one.

Joe:

Yep.

Justin:

Yep. Enhanced MFA. I know. I had

Joe:

to really research what enhanced meant, and it's then not what I thought it would be.

Justin:

No. Not the Robocop, you know, enhanced enhanced mode type of thing. And then also asset management.

Rick:

Oh, inventories. That's right. That was the other

Justin:

one. So, yeah, you're essentially I mean, it doesn't call out CMDB, but it's essentially CMDB.

Joe:

Yeah. Must implement written policies and procedures for maintaining a complete accurate documented inventory. So it's like the call out, the way I'm reading it, is you actually have to write a policy and procedure for the thing you're supposed to do.

Rick:

Yeah. Have to formalize how you're managing the inventories.

Justin:

Yeah. And technically, you could get away with spreadsheets into this.

Rick:

Using a document that talks about how you use the spreadsheets.

Justin:

Yeah.

Joe:

Yeah. Which So that won't be enhanced, though, but that doesn't apply.

Justin:

The enhanced doesn't apply at enhance. Yeah. Yeah. Exactly. But yeah.

Justin:

So what are your thoughts on this, guys? Have you, first off, had any experience with New York DFS? Minimal. Minimal. Yeah.

Justin:

Yeah. And it's also interesting too. One of the things I learned about, like, dealing with this, it's not just like financial insurance companies. I heard of this one scenario where a retail store was given basically, like, you know, pay later

Joe:

Mhmm.

Justin:

You know, thing. And because they did the pay later, that was looked at as a, like, a micro loan into that.

Rick:

Oh, right. Right.

Justin:

They got roped into DFS because they did that for, like, a TV. Yeah. You know? So it's like four payments of whatever. You know?

Justin:

They're roped now into DFS because they do that.

Rick:

Right. Yeah. I've done I did a ton of it, but it was, like, a year ago, and I really looked at it for the past

Justin:

year. Hasn't changed. Well, it's changing now? Yeah. Yeah.

Justin:

In fact, yeah, what was that? It was last year, the they did a second amendment Yeah. To that. Yeah.

Joe:

It was like earlier this year, that went into effect, and then a few months later here, this one's going into effect. So enhanced MFA. What so I had to really push the AI limits of asking it to define and keep looking for reasons for it to tell me what exactly is enhanced. And it just says, it's a stricter version of the multifactor authentication required. And what does that mean?

Joe:

Well, applies to all users, not just admins or remote users. So that makes it enhanced like it's everybody. And it does say that require stronger methods, so your SMS based two factor is not preferred, but it's it's okay if no better alternative exists.

Rick:

It can be, like, accepted if you do risk assess it.

Justin:

Yeah. A lot of the and I'd have to double check the regs. A lot can be accepted by the CISO.

Joe:

Yeah. And I looked up some stuff on that too. Yeah. Yeah. That was interesting.

Justin:

So they give yeah. If the CISO accepts it, they they give some allowances where they can do that.

Joe:

Yeah. They can accept it if it's a compensating control or a stronger control. But one of the things it says is that if a CISO doesn't exist at the organization, you can't even get the go-ahead for the compensating control. And so I was looking into that a little bit, and I found it interesting that, you know, you can use the reasonably equivalent or more secure compensating control if the CISO approves it, but what does it mean to be a CISO at one of these places? Mhmm.

Joe:

And I was like, what's the requirement? You can't just name anyone a CISO, but it doesn't say that anywhere in the rules. It really says you must be a qualified individual. But they don't define So Bob

Justin:

the Janitor is out?

Joe:

Well, I think he's out. Unless you can find a way to show that he has appropriate experience and expertise in cybersecurity. But what is that? And then be capable of designing, implementing, and managing the program. Okay.

Joe:

That's a little bit tougher. And then report to the board or senior management on cybersecurity risks. And so kinda looking at that, I'll also understand regulatory compliance. So you look at that, and I couldn't find anything directly that went into all those details Mhmm. But I think there were some notes.

Joe:

So there's, like, not in the thing, but DFS made their recommendation separately of what they define things are to be.

Rick:

Yeah. There are some I I they have issued some guidance and clarifications, and I think you're right that they have some notes on that one specifically. But I actually think it's it's interesting, like, with all the general counsels I've worked with in the past, you ask these questions and you go further and further because you're trying to, like, explicitly, like, what can I do? What can't I do? What's allowed?

Rick:

What's not allowed? Help me draw the boundaries. And oftentimes, I've found when I pull that thread far enough, eventually they go, oh, it's just reasonable person doctrine. And I go, what's that? And they go, well, would a reasonable person think that this thing is acceptable or not?

Rick:

And if you haven't experienced this in the enterprise for our lovely viewing audience, it ends up being like the thing one of the things that frustrates me the most often when we're talking about legal stuff is how ambiguous it is. And we always go, oh, how come they don't specify this or that or the other? And at the end of the day

Justin:

Do the lawyers have to get paid at the end of the day?

Rick:

Well, kind of. But but really, like, there's a lot of if you if you try to define everything, you never get anywhere.

Justin:

Yeah.

Rick:

Right? And so ultimately, all this stuff boils down to, like, reasonable person doctrine. And so that's why you see like, oh, use industry best practices or whatever. And although I am the first person to tell executives and boards like when they say, well, what are our benchmarks and all this stuff? Right?

Rick:

I go, well, you're asking the wrong question. Like, just because your neighbor doesn't lock their house doesn't mean you can afford to not lock your house. Right? But this is the one place where I know of a good exception for it, which is legally to not be found negligent, you need to do roughly what your peers are doing. And so to the point about the CISO and reasonable person doctrine and all that stuff, it's like, well, if your CISO is reasonably as qualified as other peer organization CISOs, you're fine.

Rick:

And if they're not, you're not.

Joe:

Now, that makes a lot of sense.

Justin:

So they have to have a CISSP. That's what I got out of this.

Joe:

You gotta have

Justin:

a CISSP. Yeah. It's not gonna

Joe:

I guess I

Rick:

guess not me.

Joe:

Well, I did find I'm trying to see if I have my notes here, but I think that it was called out in at least at least I think it was just in Copilot. So Copilot said, doesn't require them to have a degree or a certification in cybersecurity.

Rick:

Right. Yeah. I mean, the there there are again, it's like very few hard requirements other than is it reasonable to experts in the field? And when it really comes down to it, if someone was like if you had an expert witness in cybersecurity, like one of us or whatever, testifying Yeah. Is this person do they seem like a qualified CISO?

Rick:

You'd want one of us to be like, yeah. That seems fine.

Joe:

Yeah. Yeah. Even having the title, how long how do I wanna answer this? I've seen organizations who had people with the title of CISO Mhmm. Who seem like they should be doing all the right things.

Joe:

But under oath, I don't know if I could answer that they are. That's fair.

Rick:

Yeah. I I agree and share that experience.

Joe:

So in August

Justin:

Well, you're talking about that on paper, they look qualified, but they're not.

Joe:

Right. Right.

Justin:

Well, yeah. I mean, how do you prove that, you know, outside of seeing their program and, you know, the fruit of that. And even if that, there's a lot of variables into there, like, are they properly funded? Do they have the right people underneath them? Do they have control over firing, you know, their people?

Justin:

I've Right. Met some people who are like, yeah. They've been with the company twenty years. There's no way I can fire them. You know?

Justin:

Yeah. And they're just coasting. You know?

Rick:

Well, then it's like, no. They're good, and their intent is good, but they're not allowed to do anything.

Justin:

Yeah.

Joe:

Are you

Rick:

a good CISO or not? It's like, oh, that's a tough one to answer.

Justin:

And plus, I mean, we had this conversation a few episodes ago. Yeah. Whereas, like, security doesn't really own anything. You know? I can be yelling at the moon that, you know, patches aren't being applied, but, you know, at the end of the day, it's not my job role to patch, you know, at there.

Justin:

So what are you

Joe:

gonna do? And it's not your job role to accept the risk that you presented about what could go wrong if they're not patching.

Rick:

It's advising.

Justin:

One of the things I do like about DFS, though, I mean, there's a lot of kinda regulatory mess into it, but they have to report up to the to DFS Right. Once a year

Joe:

Mhmm.

Justin:

And everything. And one of the things that they have to attest to is whether they have enough resources to execute on all this. You know? It actually has to be in the report, you know, into that. Now you could argue that's kind of a catch-22.

Justin:

Like, are you actually gonna admit that in a report that's gonna be reviewed by senior management and legal? You know? Like Well, but if you put it in the report, they're like, this isn't going out the door.

Rick:

Well, there's some truth to that, but, like, there's a long tail effect to that as well. Right? Because if you then have a security incident, which is also reportable

Joe:

Mhmm.

Rick:

To NYDFS and it's related to an issue that you reasonably knew about before, now you're in a world of hurt. So the organizations that I worked with on this before, a lot of them were actually, I would say, more forthcoming than I've seen in other, you know, in other regulatory schemes because they didn't want to not cover a potential risk scenario in year one. And then if something bad happened in year two, they knew that the hammer was really gonna come down. So they typically would self-report as a self-preservation technique, which I think from an oversight perspective is actually the ecosystem you kinda wanna set up. You want people to be telling you what's wrong.

Rick:

You just need to be careful with how hard you hit that hammer.

Justin:

Yeah. Exactly. Yeah. I mean, I I think you can actually you know, you have leverage there. Yeah.

Justin:

Because if you ask for, you know, three extra people three years in a row and you keep getting a no, you know, all of a sudden, you have a difficult conversation with, you know, senior management. You're like, how can I answer this in good conscience, you know, that, you know, I've asked for staffing and still no, you know, type of day? Yeah. You know? But I think it and who's gonna answer that we're not getting?

Justin:

That won't go out the door. You know?

Rick:

Well, yeah. I mean, I think I've seen versions of that. Yeah. Because again, the the way that NYDFS has it set up is and this was a bit of a mess in year one because at first, only, like, lawyers had access to the NYDFS portal.

Justin:

Go to the portal.

Rick:

Yeah. And the CISO, like and they would only give one login per organization. So typically, that would go to, like, general counsel because you're interacting with a regulator. So CISOs were like, hey, you're asking me to say like, tell you things, but we don't have any other logins? Like, how do you actually wanna see this?

Rick:

So they've figured all that out and cleaned it up. But because it's the CISO attesting to it themselves, typically what I've seen is a good amount of honesty, but it's certainly in collaboration with general counsel. Mhmm. And the organizations I've worked with have done a really good job in that collaboration and getting way in front of what might be a reportable issue. So it isn't actually reportable by the time they get there.

Rick:

It's almost like the thing we were talking about in the last podcast where you're like, hey, you know, the bus is coming. Right? I'd much rather, you know, I'd much rather you not be in front of that bus, but if it comes down to it.

Joe:

Yeah. I'm stepping out of the way.

Justin:

Right. Yeah. Right.

Joe:

Yeah. Yeah. So in yeah. August 2025 Yeah. Just a few months ago, there was

Justin:

You're looking up the same thing I am.

Joe:

Oh, yeah. Yeah. I saw I saw that earlier. Yeah. There was a a New York based dental insurance and management company.

Joe:

Mhmm. And they specialized in both government funded and commercial dental programs.

Rick:

Yeah.

Joe:

And they ended up having a we'll call it a consent decree. So a settlement aka a fine for $2,000,000

Justin:

Mhmm.

Joe:

For failing to implement multi factor authentication, lacking a

Justin:

data said they did.

Joe:

Right. And lacking a data retention policy, delaying breach notification, falsely certifying compliance with cybersecurity regulations, and all in violation with, you know, Part 500. Yeah. And one of the so I was trying to find out, does this company have a CISO? And I looked and looked and looked and I could not find out.

Justin:

They have to have somebody designated in that spot.

Joe:

Right. They do have compliance chief compliance officer and some other people with those c levels. But I could not find a CISO Mhmm. Titled person there. And maybe I just didn't find it, but I couldn't find one.

Justin:

Think they got axed right after this?

Joe:

Well, I just don't think they had one

Justin:

Yeah.

Joe:

Yeah. At the time of the breach either. And so somebody else was acting as or how'd you say it? Somebody else had to be appointed to that responsibility even without that title. So I thought that was interesting.

Rick:

Yeah. And again, I'll say a lot of those the big fines in my experience have been related to people that say one thing to the regulators. Mhmm.

Justin:

Mhmm.

Rick:

And then the reality is a different thing. I've seen a couple times, and I would not advise anyone to rely on this too heavily, but I've seen a couple where, again, people self-report some issues. And as long as you report that alongside your plans for fixing those issues in a reasonable manner, you can get a little bit of grace.

Justin:

Yeah. Yeah. Absolutely. Yeah. And one of the things I I before we close out this topic here, now I can't find it, the multifactor Mhmm.

Justin:

Talk amongst yourselves, guys. Why? It's not like we're live or anything like that. Yeah. Here it is.

Justin:

Starting on 11/01/2025, a covered entity will be required to use MFA for any individual accessing any information systems of the covered entity regardless of the location, type of user, type of information contained on the information system being accessed unless a covered entity has a CISO that approves in writing the use of reasonably equivalent or more secure compensating controls. So, basically, it's like you need MFA everywhere. Alright. You know? That's

Joe:

why I'm taking it.

Rick:

That is exactly right.

Justin:

Yeah. So, yeah, it's a pretty big deal. I actually did a few consulting engagements where, you know, they were saying like, well, some systems don't do this. And it's like, well, you can go through some type of a portal.

Rick:

Yeah. Put a gate in front of it.

Justin:

Yeah. Exactly. But, you know, a lot of times, you know, that could lead to disaster recovery issues, you know, because you have to think about, like, if your gateway is going through and that's down, then all of a sudden, like, there's a whole bunch of systems that and it's in general even with two factor. Like, if you implement it within the GINA or the login screen, you know, you still could potentially have issues if it's checking that multifactor somewhere

Rick:

else. Right. Well and to some extent, like, well, some systems just don't do this. Like, be honest. Are these current systems?

Rick:

Right. Are these systems we've self developed ten years ago?

Justin:

Are, you know, notorious. It's like you need a, you know, a six-figure packet from IBM to maybe support it or maybe not, you know Right. Right. Thing. So yeah.

Rick:

But I think this will drive, honestly, and maybe it's part of the intent is to drive some modernization. But I actually

Justin:

Do you agree with this?

Rick:

I do. I do. Multifactor everywhere? Yeah. I think I do.

Rick:

Because, like, how many times do we see, like, a zero day that then allows lateral movement and whatever? Like, this is really it's just like, no. You have to lock every door and every window.

Justin:

But and I guess it comes down to potentially how they define multifactor. Like, if they do some type of device signature and authentication Like

Rick:

cert based or whatever.

Justin:

Passkeys. Yeah. Well, so passkeys are, you know, one thing. But, like, if they have, like, the device is actually an authentication measure, but that wouldn't

Rick:

Like MAC address registration or something?

Justin:

Like, it would be some type of signature

Joe:

Okay. Certificate based.

Justin:

Yeah. Yeah. But the problem is if I have malware that I clicked on, you know, that one factor doesn't matter because I'm still coming from that device.

Rick:

You know? I mean,

Justin:

that's And if I'm typing in passwords, I'm gonna be able to scrape those off too. You know? So you say, like, there is some protection, but, like, it it could be defeated. Yeah. But there's

Rick:

no such thing as, like, perfect protection anyway.

Joe:

Yeah.

Rick:

So I do like the fact that it's sorta like, oh, yeah. No one's ever paid attention to this trash can emptying scheduling server or whatever. And therefore, we never secured it the way that, you know, in equivalency with all these other things. And, oh, by the way, we had this, you know you know, remote access Trojan hanging out on the system for the past, you know, x years and eventually it got invoked. Well, thanks, man.

Rick:

Yeah.

Joe:

And and I think that's why I when I saw the part about if you wanna do a compensating control or you wanna do something else Mhmm. You really need somebody qualified. And their way of saying qualified is that CISO Right. Type position who could say, alright. Well, this is a reasonable alternative Right.

Joe:

And then create a risk assessment around it and be able to make it defendable.

Justin:

Yeah. And it's also independent from the operational side, you know, where they would potentially whitewash, you know.

Rick:

Oh, yeah. Yeah.

Justin:

Conflict of interest, you know. Whereas the CISO would be like, well, you know, my my butt is on the line. Like Right. Out there. You know, like, I'm, you're like, I'm not gonna just blanket sign on anything here.

Rick:

I need a really good reason Yeah. To sign my A really

Justin:

good raise. Yeah. Yeah.

Joe:

So takeaways. My my first takeaway is, hey, if you're one of the covered companies, make sure that November 1 requirements, you're

Rick:

Ready to

Joe:

go. Pretty much ready to go by now. And the other one is if you're a CISO at a company that's in their scope, in a New York DFS scope, you need to think about what you're gonna do if leadership won't actually fund or give you those resources because it might just be time to, start looking.

Justin:

Right. Yeah. And those are compensation. I'd again, I like the premise of it that it's reportable, you know. So it forces to have those conversations, you know.

Justin:

Whereas in typical organizations, it would be the CISO presenting the budget to whomever they report to. And they're like, no. You need to cut 15% off this, you know, or Right. All that stuff. You know?

Justin:

Now there's, like, more of a active conversation into this. I'm not saying that they could, you know, not cut, you know, like, that would be unreasonable too, but allows the conversation like, okay, are we still good by doing this?

Joe:

Yeah. Here's the risk assessment of that reduced funding. So what probability or impact goes up and where memorializing that? I ain't gotta speak. And then who besides the CISO does the CISO go to that says, you know what?

Joe:

We can cut that 15%, but I need to do a risk assessment, and I need you to sign off on this being acceptable. And then, oh, and only then can I feel comfortable going and say that we're managing the risk around this when I go online to the DFS and do my report? Yeah. And hopefully, that gets you the we'll go look for that 15% elsewhere.

Rick:

The formality and the attention, I think definitely drives

Justin:

Yeah. Activity. Great. Yeah. Done?

Justin:

Yeah. Done? Done. Alright. Next topic I wanted to talk about here.

Justin:

So we're venturing into the next couple of topics, third party risk management here. One of the things that I actually just had a conversation this week, I had through a customer acquaintance, all that stuff, they are a donation company. They help hospitals and other various places raise money Mhmm. You know, into this. Whereas by the hospital system that they're working with, that they need to be HITRUST certified.

Justin:

They're not getting any PHI, you know, anything like that. But and it was in the intros of conversation. You know, my advice to them is you need to talk to you need to get somebody common sense on the phone. You know? It's like, let's talk about the level of service you're doing, how minimal it is, or do they have alternate stuff Yep.

Justin:

You know, because that's very expensive, especially for a I think it was a 15 person company or something like that. Like, kinda ridiculous. And especially for the service that they were performing. Like, don't send me PHI, and we're good, you know Right. Type of thing.

Justin:

So the whole topic and bring up this premise is negotiating security, especially, you know, I've seen this more from a small to midsize going up to a large. Yeah. Where have you guys seen successes into that overzealous, you know, you know, provisioning, you know, where they're like, yeah, we need you to secure like Fort Knox. And it's like, what? Like, I I actually I got a funny story.

Justin:

A lot of times, you know, I work with bigger clients. Yeah. And they're like, ugh, you need, like, x amount of insurance. And I have insurance. You know?

Justin:

I think I have up to, like, 5,000,000 or something like that now. It's a lot for a single consultant that doesn't have access to their systems. Right. You know? Like, I have an email account.

Justin:

I have, you know, Teams account, but, like, no configuration, no admin, nothing like that. I'm like, guys, like, I don't think I can cause $5,000,000 worth of damage. Like, are you kidding me? Type of thing. And oftentimes, I'll get away with the, yeah.

Justin:

You're small. Okay. Yeah. Right. Not my stature, but the size of my con company.

Justin:

Yeah.

Rick:

I the first thing that comes to mind when you talk about that is like when CMMC was just starting to brew in terms of like overzealous enforcement because the really big defense contractors, the, you know, the the the Boeings of the world Mhmm. Type people, they would just go, well, this is coming, so we're just gonna require all of our suppliers to be CMMC compliant. Right? Before the contracts had any data notation. Right?

Joe:

Back when it was the last version

Rick:

of Right. Right. Right. And and it it's the perfect conversation for, like, negotiating security though because they were just like, oh, everyone has to do this. Go do this.

Rick:

You can't get formally certified yet, but you need to attest to us that you are. And my conversation with them was always like, well, you need to push back. Like like the clients that I work with, you need to push back. And they'd be like, well, I don't know how we can and they're our biggest, you know, customer and all this. Was like, yeah.

Rick:

But if you try to do this without any clarifications, you're gonna be doing a disservice on both sides of the coin because they shouldn't have to monitor your compliance if there's no need for you to be compliant in the first place. They have thousands of other clients they need to monitor compliance for. You're wasting their time

Justin:

screws, you know, for something.

Rick:

Yeah. You're wasting their time too. And and you don't even know what the scope of this thing is. Right? Like CMMC notoriously is a follow the data type, you know, assessment.

Rick:

And so well, none of that's scoped right now. So how could you even attest to the fact that you are or are not? You could say, well, we're thinking about it. And if in the future you give us a contract that has some of this stuff in it, here's how we'll deal with it. That's fine.

Rick:

But you can't really tell them, yeah, I promise I have all this stuff in place right now

Justin:

because you

Rick:

don't know it's

Justin:

gonna hit. Just go off 800-171 with the definition of CUI there? Is that what Pretty much. Yeah.

Rick:

Yeah. Yeah. More more or less.

Joe:

Were expecting your well, what they were pushing on was really getting serious. I saw a lot of the a lot of smaller organizations who were serving primes to the DOD. Yep. Or is it DOW now? And and Yes.

Justin:

One of us.

Joe:

Yes. And they were yeah, doing exactly what you said. Somebody in their third party vendor risk management program was saying, go and tell everybody they need to do this. We need them to get their SPRS system all updated with all their scoring. Now some of that that was way pre CMMC

Justin:

Yeah.

Joe:

But since, you know, for the last, like, ten years, they were supposed to be doing certain things anyway. Yeah. And do following this NIST 800-171. So those were all supposed to be in there. And so they were just starting to push their their people to do that.

Joe:

Now, were they when when the conversations I've had, it's were they gonna just discontinue your contract if you don't get this done in a reasonable amount of time? No. It really wasn't the case. They weren't worried about losing the contract. But what I was worried for them was, well, now, wait.

Joe:

What if you somehow get selected for a review, and there were constantly reviews going on, just didn't have a lot of the government have

Justin:

a lot of

Joe:

manpower to do it. And you didn't Oh, and you're not compliant. Yeah. Should have your SPRS number in there. Right.

Joe:

You know, you didn't do any of this stuff.

Justin:

Mhmm.

Joe:

And and so that was some of some of the thing that I was seeing.

Rick:

But but a lot of it, I what I found was those big primes, they would say, well, we don't really have the time or the resource on our end to figure out who's actually gonna have CUI or not. Just make all of our suppliers do this. Right? Like that

Justin:

happens scary in and of itself.

Rick:

It happened You know? A lot. A lot. And so but but so the negotiating security side of it is like, hey, does this apply to us? How does this actual actually apply to us?

Rick:

If you guys got this information, how would you send it to us? Like, would it be in a zip file that goes to one of our salespeople that has all the engineering drawings in it? Or would it be like later on when we get CAD drawings because we need to build certain screws for you or whatever? Like all that actual tactical like workflow stuff, business process stuff really mattered. And I saw great success having those conversations because the vendor teams typically were like, yeah, we would actually love to scope you out because we have because we sent this to every single one of our suppliers.

Justin:

Right.

Rick:

So we'd much rather have one less of these if you come at if you come to us with a reasonable description of why you don't think it applies and what you'll do if it ends up applying. Yeah. They were more than happy to to scope people out of those assessments typically. But it was the suppliers themselves where I would get resisted. They'd like, well, we can't possibly tell our biggest client that we can't do it.

Rick:

It's like, no no no. It's not that you can't do it. It's that neither of you actually want to do this. Or should. Or should.

Rick:

Yeah. Right.

Joe:

Exactly. That makes a lot of sense. At first, when you started to talk about how it was going down and it wasn't quite following where you're going with it, but I really love where you ended up. And that's that, you know, if you know, just have the meaningful conversation because if it doesn't make sense, you're just wasting everybody's time, and that's a lot of money.

Rick:

Well, and that you're wasting everybody's time even if it's a clean assessment. If you have a couple bumps or whatever, well, now you're talking about those things and you're having clarifying info you know, calls and why does this evidence look like this and this isn't what we're it's like none of that's needed. Why are you doing any of this? Yep. Yeah.

Rick:

So getting the reasonable person on the phone, exactly what you said at the beginning of this, that is crucial.

Justin:

Yeah. Yeah. Because I'm sure I mean, every company has a workaround process. Right. You know, nothing's that rigid.

Justin:

Even when they're like I see it more, not necessarily in the HITRUST side, but, like, give me your SOC two or ISO certification. You know? Yeah. Like, that's their blanket. Hi, you know, hi, mister vendor.

Justin:

Now give us your outside attested certification.

Joe:

Who's asking that question?

Justin:

Procurement, probably.

Joe:

And where are they getting the way to ask that question?

Justin:

From a form.

Joe:

From a form. And where'd that form come from? Some probably security team.

Justin:

Oh, yeah.

Joe:

And so all of a sudden oh, just just to, you know, twenty minutes ago, we're talking about competent people with the skill sets Right. To do a job, and now we're asking procurement who may not really be a security engineer Mhmm. To go ask security questions, and do they have access? So what I've seen is, well, your procurement person is asking these questions Mhmm. And it's probably not even a senior procurement person who's sending it out.

Joe:

And sometimes it's sent out through an automated system and, you know, you're the recipient of this.

Rick:

Yep.

Joe:

Who are you even gonna talk to in order to start the negotiation process? But then when you do, you end up talking to somebody at procurement who is saying, well, do you have a SOC two? Well, here, I'll show you one and shoot them over Take your yeah. I was going with Azure.

Justin:

You're going

Joe:

to AWS. Yeah. So we'll send them over GCP's Right. SOC two, and they get it. Well, are they just checking the box?

Joe:

Because they said, oh, I need a SOC two. You gave me

Rick:

a SOC two.

Justin:

Yeah. Right.

Joe:

Alright. Check the box. So

Justin:

I had one client. I mean, it was it was for a PCI engagement, and they asked for a SOC two for their data center. Yep. And they collected it. And, of course, I opened it up.

Justin:

It had all the controls in it were deleted. Like, it just had the description of the environment, you know, the top part of the SOC description. Yeah. And then all the controls they tested and the results of those controls were just deleted. They should have bought a SOC three.

Justin:

And I was like I was like, guys, like, you realize, like, there's more to this report.

Rick:

Right.

Justin:

And they're like, oh, really? No. I didn't realize that. And then we got them on the phone. They're like, we consider the control sensitive.

Justin:

I'm like, yeah, they fail. It's on the controls. Like, nobody like, you guys talk to to release it out to people, not to keep it in house. Right. You know, like Yeah.

Joe:

My favorite part to read is that table at the end and skim through it at first and just look for all the the exceptions. Yeah.

Justin:

Yeah. No no nothing notable or whatever, you know, all the stuff and everything. Yeah. It it it was funny. But you get that all the time, you know, into there.

Justin:

I had something in the financial industry when I worked at Diebold. We had this big bank, and I'll leave it at that. And they were big enough that warranted an on-site assessment, you know, for this. They we prep prep for it on-site, had a numb number of SMEs, you know, coming in attesting to this. We come to find out, like, they asked, like, oh, on your ATMs, are do you encrypt the data?

Justin:

Because a lot of people don't know there's an electronic journal file on ATMs that store a lot of, like, the card data and the track and all that stuff. And I was like, I don't know. Do you pay for that module? Because we sell it, you know, that you can encrypt it. But It's

Rick:

like an optional add on.

Justin:

Yeah. Exactly. I was like, do you pay for it? They're like, I don't know. I was like, okay.

Justin:

Well, that's the answer. Like, if you pay for it then and then we come to, like, find out, like, a little bit more. All we were doing for them, we didn't handle any data for them. The except for they sent us alarm codes on the ATM. So, like, printer jammed or, you know, some type of sensor malfunction so that we would get the alarm codes and then, you know, send out a

Joe:

tech Right.

Justin:

You know, automatically. They're like, well, are you are you handling our sensitive data? I was like, we're literally just getting alarm codes for you. Everything else is like you purchased an ATM. You know?

Justin:

They're like, that's it? I was like, yeah. I was like, why are we here? Right. I was like, I don't know.

Rick:

Right. You you called this meeting.

Justin:

Yeah. Exactly. I didn't call you to come on at me, you know, type of thing. But, yeah, it goes into, like, you know, not even, like, some of the third party risk management people know, like, the full scope of service, you know, a lot of the time. You know, if they're just following, like, you're a critical vendor, so give us the world, you know, type of thing.

Joe:

Right. Oh, talk about the negotiation there.

Justin:

Yeah. Right. Did you

Joe:

at least get dinner out of it?

Justin:

No. We paid for it. No. I was gonna say Yeah. Yeah.

Justin:

Yeah. You're

Joe:

the vendor.

Justin:

Yep. Yep.

Rick:

I was on the other side of that that type of conversation recently where there's a big project for an organization I'm working with, and I'm responsible for making sure that the security stuff's going go well. And it's all this operational and mechanical stuff. And we were working with a partner and I'm like, okay, I need to like assess what the partner is doing to make sure that their security is gonna be okay and equivalent to ours and so on and so forth. And we get on the call and I start asking questions and they're like, well, we're not gonna do that. We're not gonna And I'm like, oh, okay.

Rick:

Well, the contract says, oh, you must have had an old version. Right? We scope this stuff out to someone else. But but basically all the stuff that you're worried about, you decided to do yourself as an organization. And it's just these couple little things that we're going to be doing.

Rick:

I and I see the same things like, oh, I guess I guess we're done here then. Yeah. Like, 15 into, like, a hour long conversation, like, oh, great. And and frankly, like, I couldn't have been happier. Right.

Rick:

Because there was this whole host of work Right. That I thought I was gonna have to do even if all the answers were good in terms of memorializing it and all that stuff is, oh.

Justin:

One of those guys that actually opens the SOC two report. Right.

Rick:

I try to. Yeah. Yeah. But but anyway, the palpable relief on on the other side side of that table when someone comes to me and is like, I don't think we need to do any of this stuff that you're asking about. And reasonable conversation, done.

Rick:

Everybody's happy.

Justin:

So, I mean, I think that's the biggest takeaway, you know, from this conversation is don't take it as set in stone, whatever they're asking. Yeah. It's negotiable, you know, into that. Ask them for alternative processes. Give them a clear description of the service because oftentimes, they might not have a clear, you know, thing.

Justin:

And even if it is in-depth, like you are handling data, there may be ways around

Rick:

it. Right.

Justin:

You know, type of thing. Anything else? Yeah.

Rick:

I would just add one little thing is, like, culturally, though, know who you're working with. Because I'm currently working with individuals kind of around the world and I can tell you the negotiation tactics for individuals say in the Middle East are very different than say Canada. And those are very different than say the UK. So although Can you give a for example? How?

Rick:

So for example, often in the Middle East, the individuals on the other side of the table are tasked with showing their managers victory in some way, shape, or form.

Justin:

They have to give them something?

Rick:

You have to give them something. Gotcha. So you can often negotiate your way out of this stuff, but you might say, oh, well, it's not necessarily, but you work with your commercial arm to be like, but we can cut like, you know, 0.01% off of the thing. So they still get something in every interaction. Gotcha.

Rick:

Because that's just a part of work culture. And again, these are generalizations, not alternates. Yep. But the experience I've had in that is like that's if if you don't go in with that, then they're like, well, why would I budge then?

Justin:

Right? That's interesting. Yeah. Do you and I haven't you bring up a good point and everything I had and haven't had to work a lot with the Middle East, but I I'm wondering if there's a correlation with a lot of, like, bartering more bartering type Absolutely. You know, cultures versus America here, we don't barter all that much.

Justin:

Yeah. Very little. If you unless you count, like, eBay or something like that. I don't know if that's counted. I've been in total, like, face to face.

Rick:

You know? Right. Cool. And Asia is another example. Like, if you if you show up very respectfully and you interact like what we as Americans, I think, would think is overly respectful.

Justin:

Mhmm. Right? I have the same impression.

Rick:

Right. So so if you go into it that way, again, you'll end up in a reasonable outcome, but just know who you're working with culturally because it it can make a difference. And and if you kind of take the form of the conversation in the right way. Yeah. I I've not yet hit a culture where you don't get to that, you know, get the reasonable person on the on the call and you'll get to the right outcome.

Joe:

Yeah. Yeah. So are we gonna maybe talk a little bit about the value or the worth or the worthlessness?

Justin:

Before we get into that, I thought this would be a good segue to what we're drinking. Absolutely. Highly worthy. So we broke off here. It's not a bourbon.

Justin:

We've done scotch before. Yep. So it's not like we've totally broken off, but it's called Distilled Security for a reason, you know, even though we favor a lot of the bourbon side of things. This is a mezcal. I'm still good.

Justin:

Nope. Taught me off. It's called one of us, which sounds very cultish, I thought. You know?

Rick:

I I'll join this cult.

Justin:

Yeah. Yeah. I I just feel like somebody should be chanting it.

Rick:

One of us.

Joe:

Oh, it's so tasty.

Justin:

Yeah. So it's aged 10 to 14 year old, and I'm not a huge mezcal person from a knowledge standpoint, but it's 10 to 14 year old maguey maguey. Maguey. Think.

Rick:

I think.

Justin:

Which is what I think mezcal is made out of. But anyway, so this is very, you know, I wouldn't say exclusive, but, you know, it wouldn't be the bottom shelf mezcal that you're looking for. I found it online. I follow a few sites that actually recommend certain bottles, and this is a newer one that came out, and it is delicious. Super good.

Justin:

If you haven't had a mezcal before, it's it's a little bit smoky. It's actually really interesting how they make it. They basically put all this stuff and put, like, little fires and then put put a dirt over it and let it, like, smoke, you know, into this.

Rick:

And then old processes are, like, roll big stone wheels over must have its name.

Justin:

Yep. Yeah. So it's really interesting. The the old fashioned way of actually, like well, I say old fashioned. There's a lot of places still making it like this.

Justin:

But yeah. So but it has a good, like, smoky flavor Mhmm. You know, into it. This one, because of the age, it's super smooth. Like, you get smoke on the back end, but at the sip, it's very easy to just.

Justin:

What's the ABV? Oh, that's a great question. 200 now. Because

Rick:

it is shockingly Alright. Yeah.

Justin:

Yeah. 45% pickle.

Rick:

Yeah. Really, really good, though.

Justin:

Yeah. It's delicious. So yeah. Cheers, guys. Cheers.

Justin:

So now segueing into third party risk management. Unpopular opinion, third party risk management is worthless. And, actually, I think I probably have the closest opinion even though I'm not I you know, we say that worthless because it's a good little, you know, catch line

Joe:

Yeah.

Justin:

Yeah. Yeah. Clickbait, all that stuff. But I'm probably the closest to this Mhmm. As an opinion.

Justin:

I think if you follow a few rules to live by and use more popular vendors or bigger vendors or at least more solidified vendors, you know, that you can largely get rid of third party risk management outside of it's required. Know? Like Yeah. You can't really do this. But we're talking about, like, the worth of it.

Justin:

So going through, doing questionnaires, grabbing SOC twos, ISO reports, is it worth it?

Rick:

Man, I'm so torn because on on the one hand, I think, you know, how many legitimate programmatic decisions have I made or seen made based on the results of third party risk management program? I've been party to and on the receiving end and managing quite a few. Mhmm. I mean, it's a 0.01 or 0.02% of all the ones I've ever there've

Justin:

been a couple.

Joe:

Right. Probably count on my one hand.

Justin:

Yeah. Exactly.

Joe:

That's exactly no

Rick:

to. Right. Yes. But it's a lot of work.

Joe:

Yeah. And convince leadership that no was the right answer.

Rick:

Right. But then if I think about, like, not having it, I go, oh, that doesn't feel right at all.

Justin:

Yeah. I mean, I've so there there have been ones we've done assessments on, and somehow they got through on the initial, but we find out they're egregious, and we shut them down immediately. Again, on one hand, you know, type of thing. But there are other ones that, I guess, it would be counted as that. Like, we were reviewing a new HR system for a 100 person company and everything.

Justin:

Yeah. And somebody found a new flashy SaaS tool that looked like it was cool. I was like, cool. Guys, can you give me any, like, attestations, or can you fill out

Rick:

this

Justin:

questionnaire? And I sent them a SIG Lite. They're like, we're not filling this out. I'm like, then we're done here. You know?

Justin:

Like, we're giving you all our employee data, Social Security number, all this stuff, and you're not giving me anything. You know? They're like, yeah. That's correct. I was like, okay.

Rick:

One other thought I have Yeah. Is I guess I can count on two hands the number of times I've been able to equip our procurement teams with some data on things that felt not great from a security perspective to, like, aid negotiations and getting a better price.

Justin:

Yeah. That's true.

Rick:

But but ultimately, again, you know, 15 or less in in twenty plus years of third party risk assessments.

Joe:

Yeah. One time I well, more than one time I ended up doing that. Yeah. And I said, well, look, here here's really where they need to work on it. And it was such a need, like, pet project, but a very important project to a very top exec.

Joe:

So my job as well as running cyber security, infrastructure security, business continuity became coaching this company

Rick:

Oh, helping them get

Joe:

long time on a continuous improvement process to get to where they needed to be. So I became I Chief consultants? vCISO before vCISO was even a Did that

Justin:

exec have a stake in the company?

Joe:

No. They didn't. Unfortunately, and neither did I. So this company got a lot of maturity advice and made their stuff better because our company that I worked for at the time wanted to do this.

Justin:

Yeah. Yeah.

Rick:

What do you think, Joe? Worthless Yeah.

Joe:

As worth? I I think it can be totally worthless if not done right for many reasons. I like to think of the workflow. And so I'm thinking of, like, what makes this something worth doing? When should security even be in the process the whole thing?

Joe:

And I'm going right through this right now with more than one customer. And one of the things that we see is that the data come or the request come in, and then there's a instead of saying, well, let's make sure we're doing a very thorough risk assessment and find out what's meaningful Yeah. It's a speed to get things done. Mhmm. And so when your security team is challenged to get that done fast, what's gonna happen?

Joe:

You're gonna end up more on a worthless side because you don't have the resources or time committed to being able to say, well, where does this fit in?

Rick:

Well, and is this because like the business has a roadmap and a plan on implementation, and then, oh, security is doing the assessment, and we've allotted the minimum or the median amount of time for that assessment. So when you hit a question, oh, now it's gonna delay the road map timelines. Is it that kind of thing?

Joe:

I think you're being very

Justin:

brought in at the eleventh hour.

Joe:

That too. I think you're being very generous to say that there was even a so that's why I'm thinking workflow and process, and a lot of organizations aren't even built out to a point where you build the SLAs to say secure so security had absolutely so by the time security got it, everybody wanted it a month ago.

Justin:

And Oh, yeah.

Joe:

Now when you get this done, can we use it? Daily reminders, daily questions. Can we get this done? Are you done reviewing it? Well, no.

Joe:

This is pretty significant.

Rick:

So quite literally when you started, you were already late.

Joe:

Yes. When you got the request, somebody at another level already wanted it done. So thinking about workflow. So what's really important is, yes, this this could be totally worthless because the people who are already overworked are being asked to quickly go through the process and get it done. And so then what happens?

Joe:

Well, they're going to succumb to the pressure, look at it. They might even be the ones who are like, well, what what am I looking at here? Can I find anything? And what I like to do is say, well, who else all who else needs to approve this? And where's it gonna go next?

Joe:

So I like to look at the workflow. And something that I worked with in a company where it became a very successful program years ago was myself and a law department got together.

Rick:

Mhmm.

Joe:

And that contract attorney, she was great. She really pushed for saying, procurement, why does the company even want this? And even before that, it's somebody requested it, and it goes from that somebody to their boss at a at the budget level to say, should this even be purchased? Because I've been in scenarios where we did a bunch of reviews. I talked to the company, got their data, did risk assessments of the stuff, just to have it later be their boss said, oh, we don't have budget for that.

Joe:

Like, why did I get a security review before you could have already declined it within a moment's notice?

Rick:

I've seen that a lot lately. Okay. Totally agree.

Joe:

So the so here's my ideal workflow just to kinda run it through is I love it to go from requester to budget owner in that requester's department

Justin:

Yep.

Joe:

And then from there to procurement to say, should we are they even going to shut it down? And then from there, it could go a couple ways. I like to see it go to probably to, like, an enterprise architect layer to say, does this even fit into the company? This is a larger organization that'll have that.

Justin:

Yeah. And then where are you looking at the deduplication? Is that at the architect layer?

Rick:

Yeah. Typically.

Joe:

Well, procurement to say

Justin:

requested three of the same SaaS, you know Right.

Joe:

Procurement to say, do we already have an approved solution for this that's in the Yeah. List of things? And if yes, then go have that conversation. Why are we gonna buy a one off unless procurement

Justin:

We already have Copilot. Why are we buying ChatGPT,

Rick:

Dude, it's so funny you're saying this. I'm working literally on a ton of AI governance right now, it's exactly the flow that you're talking about is exactly like flow that we're building, and your examples are absolutely

Joe:

So after then then after a procurement says that, you know, they don't have anything or it's okay or the use case makes sense, then it goes to enterprise architecture to

Rick:

say,

Joe:

is this gonna fit into the model? It is it gonna interface with the things or the is it gonna accept the flows? Is it gonna put out the flows?

Rick:

You're asking for GCP to like, and we're we only have Azure tenants. Like, what are you talking about?

Joe:

Right. Right. And then after that, before it gets to security, I like to go to legal privacy first.

Justin:

Mhmm.

Joe:

Because I want them to take a look at it and say, will this actually work within the privacy policies and the GDPR, the CCPA, whatever else we have to do, will it even work there? And that's usually a pretty quick yes or no, because they can look at a few things, understand it a whole lot faster. All those steps seem to happen with a lot less rigor needed. Maybe the enterprise architecture needs a little bit more than the security team getting it and doing what is industry standard, to go back to what we talked about earlier, the reasonable security review. And what I've seen by putting that step those steps in place is that the security team, if they wouldn't have needed it, either be so far behind or would need to add multiple people to be able to keep up with the demand, but they filtered so many out before it got to them.

Rick:

That's such a cool point though, because a lot of these other teams are figuring out how can this be done right? The security team is figuring out what are all the things that could go wrong. Mhmm. Right? And that just naturally takes a lot longer because on the one hand, you're figuring out like, what's a path that could work?

Rick:

It's a satisfier conversation, and and the other half is the security thing. That's really cool actually, the

Justin:

Yeah. And I think legal Work it

Rick:

that way.

Justin:

Aspect as well. I mean, that's why they're putting all

Rick:

Oh, yeah. Yeah. There's lot of risk assessment. Yeah.

Justin:

Yeah. Yeah. All that stuff and everything.

Joe:

No. And that's why the legal I was with said, they don't even wanna look at the they're not even gonna review the contract till security is done. Right.

Rick:

And they

Joe:

can't go to security till it does these other steps.

Rick:

I like that.

Justin:

Yeah. Yeah. I mean, that's not like a 100% rigid process No. And everything. Like, I'm thinking if marketing needs a tool and there's always exceptions to it, you know, or something like that, but three people need a tool in marketing, like, going through that rigid of a process might not

Rick:

May maybe start with privacy.

Justin:

Yeah. Exactly. And then in that case use that. Right. But like but it could potentially, like, you get Adobe and get Adobe Cloud, and now you're storing stuff

Rick:

Oh, yeah.

Justin:

In another cloud provider and all that stuff, you know, and everything, even though it might just be marketing markups, you know, or something like that. But, yeah, that's yeah.

Rick:

But so you talked about a flow that I really, really like, but that flow seems in the context seems to be in the context of there is value to third party risk assessments.

Joe:

Well, it's worthless unless you're actually putting the time to do the right flow.

Rick:

Right. Right.

Justin:

Right. Alright.

Joe:

That that was my point.

Rick:

Well, and and the examples you gave before too where you're already late, it seems like there's an inherent assumption that this thing's just gonna sail through. And so even when I think about, like, even like financial fraud and all that stuff, like, that's the perfect storm of, like, executive pressure, no time to do something, you know, all these things that have people do, like, historically where people have made bad decisions for organizations. So making sure you don't put the security organization in that in that place, I think, is a huge point.

Joe:

Yeah. Something I built a long time ago at a company, and then I tried to do it at customers where it makes sense. I call it the security management framework. I think I might have mentioned it here last year. And really, what it is is just a process inventory of all the things, how much time it takes to do the process, and being able to normalize that across everything that your security team has to do.

Joe:

You can even do it on the if you have a if you're big enough and a couple companies I'm talking to have a dedicated third party risk management set of the cyber security group. Mhmm. And when they're doing this, the most effective ones are the ones that have had here's our SLA. We need this many days to do a review. If you get it into us by this day, we'll get our stuff done by this day given that your vendor is responsive.

Joe:

Otherwise, our work starts when we actually get the information

Rick:

Right.

Joe:

And so on and so forth. And so by putting that workflow together, communicating it, and even publishing a one we published a one page, easy to read, almost it wasn't quite an infographic, but I wish it would have been, of what gets your vendor approved.

Rick:

Oh, nice.

Joe:

And being able to workflow that out Yeah. And just show people.

Rick:

Well, another point I think we touched on a little bit before that that you made that I loved was that there's there's probably some value from a legal defensibility perspective too, right, in terms of vendor reviews?

Joe:

Yeah. Yeah. We we were talking about that before the cast here.

Justin:

And So it's just CYA?

Joe:

Some sometimes it is.

Justin:

Be value in that. Yeah. A little. Yeah. I guess I'm looking at is, like, are you gonna discover something that's actually gonna be materially, you know, affect the decision?

Justin:

You know?

Rick:

Well, but but what you might do is discover something. You might not affect the decision, but you might affect your implementation or the compensating controls you put around certain things.

Justin:

Yeah. But that's more on the how do you, like, you're putting it in. That wouldn't come out on a standard vendor review. That might actually go into the more of the implementation. So Well, I don't know.

Justin:

Like A good example is, like, I'm I'm measuring Salesforce, you know, and I'm setting up another thing like, do you patch? Do you protect from malware? Do you do with this or that? But when I'm implementing Salesforce, now we're looking at, okay, Do we integrate our multi or do we integrate our authentication systems with Salesforce, get SSO in place? How are we doing backups?

Justin:

Are we in control of the backups? How are we controlling encryption keys? Do we control that? That wouldn't go through a standard vendor review.

Rick:

What? So I think there are things that might though. So, like, if you're thinking like like CIA type stuff. Right? And you hit the availability stuff from a vendor review or whatever.

Rick:

Yeah. Okay. Fine. And then you find out that you don't love their backup rigor, but you were thinking that you were just gonna rely on

Justin:

them for instead of five nines.

Rick:

Whatever it is. Whatever the reason is. Right? It it could absolutely impact, like, how you architect the solution or the integrations with them, Or or even if you don't love kind of their security models and modes in general, you'll be like, well, we were initially thinking just send them this entire table in this database, but they kinda stink a little more than we had hoped. So these two columns, they don't technically need.

Rick:

So we're gonna take an extra step up front during ETL processes or integration processes to cut those out.

Justin:

I mean, you should do that anyway.

Rick:

You should do that anyway. But but but, you know, sometimes you build for the future and you go, well, we're thinking we're gonna use them for this use case now. We might use them for three more in the future. And you go, oh, actually, no. You can't do that because we can never send that there.

Rick:

Yeah. So I again, I don't know that it's hugely common, but I can see times where the results impact mitigating controls. And it gets back to the CYA stuff. Right? Because you go, well, we did learn during vendor reviews that they weren't doing these things particularly well.

Rick:

Here's the activities we did to try and mitigate the damage that that sort of thing might cause if it went awry. And now even if it does go awry, you had all the conversations.

Joe:

Well, that's where I like to pick it up from. I like to look at it and say, alright. It's it's two years after we signed this contract that nobody's thought about it again. It was significant enough that it did go through of the annual, you know, critical vendors. So we looked at them again every year.

Joe:

We ask them all the questions. Are you doing all these things? We looked at all the evidence we could get. It looked pretty good. How many times has somebody been SOC 2 compliant, PCI certified, x y z, and suffered a data breach that breached the information.

Joe:

So let's look at that. So your customer or say the customer of mine is giving me their data.

Rick:

Right.

Joe:

They're entrusting that to me. They don't know who I'm giving it to, but in order to process it to do the job that I promised them, I'm now sending it out to this vendor. This vendor passed all the security reviews, and on top of that, that vendor ended up taking the data, doing their processing of it, got breached. Yep. They got breached, and my customers coming to me and saying, alright, you're getting sued.

Joe:

The FTC is coming to me saying, you're getting sued or you're we're investigating you. The regulators are at your door. Now, we're in defense mode. Yep. What are we gonna try to do?

Joe:

We're gonna say, well, we're as much of a victim as the my customer because we were under the impression after doing our reviews, we looked at what they told us, what they told us made sense, it was all reasonable. Yep. And what what did you

Rick:

say earlier? It's the reasonable Oh, reasonable person theory.

Joe:

Yeah. Yeah. Yeah. And when that happened, we're there. So now all of a sudden, I'm not I'm positioning my company who is doing good reviews into a place where they can be on the same side as my customer against the vendor who actually ended up getting breached because they said they did something.

Joe:

We looked at all the audits. The audits made it look like they did something, but they didn't. Somebody missed it. Whatever it was, didn't matter. I was trusting that they were gonna do this, and I wanna make sure that we're not indemnifying each other inappropriately for this.

Justin:

Right? They're held held accountable. Counterargument to that. Scratch out that it's common for vendor risk assessments today to scratch it out. And you've contractually obligated them to follow all the security that you expected them to do.

Justin:

You can contractually obligate. You're not really measuring into that. They're still at breach, you know, into there. Whether you measure them one thing or not, whether they supplied a compliance talk to, whether they filled out a questionnaire and answered all yes, they're still contractually obligated. They still dropped the ball, you know, into that.

Joe:

Right. But my argument against that is if I didn't do a review of what they told me, then I'm probably by my customer more on the side of you just went and hired somebody. They agreed to everything, but you didn't even look to make sure. You didn't even do the background check. You didn't even do the look.

Rick:

Trust but verify.

Joe:

You're as much at fault, and I'm trying to take the company that promised the customer we protect their data and be on their side. I wanna sit on the same side of the table as them by saying I did as much as I could to look at that company that I'm gonna before I sent your data to them, I looked at it as much as I could, and I didn't ask them to say yes and have them sign the contract. And so because I can say I did those things, I'm hoping to position myself on the right side of this

Justin:

whole conversation. Again, comes down to CYA.

Joe:

Yes. Yeah. I never said it

Justin:

to him. Yeah. Yeah. Yeah. So and that's where I'd like, I hate things just for CYA purposes, you know, into that.

Justin:

Yep. So,

Joe:

like But we're a very we may not barter, but we're a very litigious society.

Justin:

We are. Yeah. And that's why I'm like, again, third party risk management. It's not going anywhere. You know?

Justin:

It's Oh. You know, keep doing it. Yeah. Exactly. It's obligated everywhere up and down.

Justin:

I'm just looking at is I think you should actually put more focus on responding to a vendor actually mishandling data one way or another, you know, breach or otherwise, and actually focus more on the resilience of your vendors, not necessarily the security, which is kinda incorporated, but I think it paints a little bit bigger picture. You know? So if you have a high criticality of a vendor that you rely on for payroll, for Mhmm. Data storage, for what whatever it is, you need to have some assurances that you can get at that data, maybe have an alternate, like, vendor in play, you know, whatever that is, because they could get hit by ransomware and Sure. Be there tomorrow.

Joe:

Right.

Justin:

Right. You know, with that. We've seen that with Change Healthcare Yeah. You know, into that of the high you know, a bunch of places had high reliance. I've shamed, showed the, like, the lens onto that, you know, that I think there was probably too much reliance.

Rick:

Yeah. Concentration risk was

Justin:

Exactly. Very high. So and just kinda treat security as part of that. But, again, if you're getting a SOC 2 every single year or they're answering a questionnaire and it's one of their salespeople just going down and saying yes to you every single year, that's just busy work.

Rick:

Right.

Justin:

You know, like, outside of the CYA, outside of being regulatory and contractually compliant to do that stuff, again, like, I'd rather prepare for, you know, the worst, contractually obligate them, force them to carry insurance, and name me as a a claimant onto Yeah. You know, something like And then deal with the situation when it arises, you know, and use bigger players. Like, I'm not gonna potentially use a three person company. I I say that as a, you know, small company.

Joe:

One person company. Yeah.

Justin:

Exactly. You know? But, you know, if I'm a, you know, Fortune 50 bank, like, that's not a thing. Like, I was working with one, like, big software provider. They paid three guys that apparently, their address went to, like, a Chinese restaurant and everything.

Justin:

And they they I I forget what the core product was, but they use it, like, for QR generation or something like that. They use this in their core product, and they just disappeared. Yeah. You know? Right.

Justin:

And they didn't have the source code, anything like that. And they're like, it's gonna cost us, like, six figures to replace us. You know? Yeah. And, again, that's too much of a reliance onto that.

Justin:

It wasn't security issue that, you know, into there. That's a a reliance issue. But there's there's truth

Rick:

to that, though. Like, what you just said, like, when Microsoft has a bad day, most companies have a bad day that same day.

Justin:

Like the CrowdStrike thing. Oracle CrowdStrike. Like Or AWS when the regions go down.

Rick:

And frankly, from a defensibility perspective, it's it's kinda like the old adage. Like, oh, no one gets fired for using Deloitte or no one gets fired for using PwC. It's kinda like, well, you know, if Microsoft goes down, it's like, well, look, man. It's it's it's easy to show that to the board or or litigate like, regulators don't come after you because Azure was down and It's nearly an act

Joe:

of God. Right?

Rick:

Right. It's it's about as close to it. Right? And and there is this weird, I think, unspoken safety in using very big providers Yep. For those types of things.

Rick:

Because, like, if it goes down or they have a security breach or something, it's not like everyone's kinda shrugging at same

Joe:

time. Earlier. Yeah.

Rick:

Reasonable person.

Joe:

You not only that, but if you look at your peers, you're gonna be judged to the same level your peers are

Rick:

judged. Yeah. Exactly.

Justin:

Yeah. Another argument I would give, like, especially, like, measuring, like, really big people, like AWS, for example. They're probably the most audited company in the world, you know, maybe Microsoft. One of. Yeah.

Justin:

They're they're One of. For sure. Top tier ones that they get, you know, hundreds of certifications a year. Mhmm. You know?

Justin:

Can you imagine their compliance team and working on that? It's crazy. Anyways, like, let's say you reviewed something and had an issue. Do you think AWS cares?

Rick:

You know, it's funny. I was reviewing I was reviewing a contract for, like, a big well known vendor today. And, you know, you go to their website and they're like, oh, you know, the our MSA, you can find it on our website. It's like, yeah. I'll review it, but it was for the same reason we talked about before, to see if internally we needed to theoretically adjust or mitigate any of our typical controls because the chances of us getting them to change how they do things for all their other giant customers, not gonna happen.

Rick:

Yeah. So, yeah, I I I fully agree.

Justin:

Yeah. So it's like, okay, like, I get it. And they get all the certifications and all that stuff and you can download them. That's great, you know, type of But they're all gonna be compliant, you know. Right.

Justin:

You know, you know, they have a track record of doing that. And, yeah, that's you're just doing busy work, you know.

Joe:

Right. You had a lot of click throughs, you're not gonna get a whole lot of ground moved on trying to do that. But it did work for a company who was able to get Adobe to change some terms in order to favor the the buying company.

Rick:

Really? Yeah.

Justin:

That's a

Joe:

big deal. Yeah.

Justin:

Adobe's gone downhill though.

Rick:

So Ever since they ever since they signed that contract. Yeah. Right.

Justin:

Yeah. That's funny. Alright. We good? We're good.

Justin:

Yeah. We have one more topic here. Is that the next one here? Which one are we talking about?

Joe:

Well, we we skipped over the one that I thought

Rick:

you were interested in.

Joe:

I'm not sure if you wanna hit that one.

Justin:

So no. I think we're good with that. So Department of War or Defense or War? This is Which one do you guys like better?

Joe:

I don't like change, so Yeah. Was gonna say, I like staying with what it was, but it's

Rick:

I get that. I'm always a fan of the throwback jerseys.

Justin:

Yeah.

Joe:

Yeah. So But this this document's labeled Department of War.

Justin:

Yeah. The retro jerseys, you know, and everything. Yeah.

Joe:

Part of the document's labeled Department of War, but then you look at the at the the sub documents that you can link from and they still say DOD on them.

Justin:

Mhmm. Gotcha. Well, let's introduce it, you know, into this. Joe, you wanna take this one?

Joe:

Yeah. I'll kick it off. So Department of War announces the new cybersecurity risk management construct, which is essentially a new way for taking a look at what the military should be doing in the field when they're doing risk assessments. And the the it's supposed to be better because the and it's called the cybersecurity risk management construct, which is just a weird name in itself.

Rick:

Right? Right.

Joe:

And but it's supposed to be better because the old system used static checklists and manual reviews, and were supposed to be slower, and they couldn't keep up with the fastest the new fast changing cyber threats. So but, you know, high level take on it. Nothing seemed really new or groundbreaking in in this. There's been, you know, some of these best practices that they're saying they're doing. I think the civilian world's been doing cybersecurity things like this for for years.

Joe:

Right. So they're not really inventing anything new, but what they're doing is institutionalizing them and enforcing them in a way that makes them work faster, maybe more unified and tailored to military needs. So that that's high level. Do you what do you guys wanna take what the, you know, main phrases are.

Justin:

The phases? Yeah. So they implemented five phases to this, design, build, test, onboard, and operations. I know I told you guys, like, what first came to mind Yeah. Was the waterfall.

Rick:

Absolutely. You know? Yeah. It looks like a

Justin:

lot new waterfall. Build tests, you know, just screams, like Right. Waterfall methodology and everything. And then activate and

Joe:

operational

Justin:

is then, you know, the wheels. Like, okay. Now it's in motion, you know, type of thing.

Rick:

And then there's, like, ten ten concepts that are supposed to flow throughout. Right?

Justin:

Yeah. And they actually mapped it to the risk management framework, the RMF Mhmm. With the with some of the the steps into there. Right. Really, it's the first one design is prepare, categorize, and select, and the other ones are it's single steps, you know, with each of those, and everything.

Justin:

I guess, you know, like, same with you, Joe. I wasn't very impressed looking at this, you know, like, it seems pretty rudimentary. I guess the thing that I would wanna know and, obviously, I would probably never know is why was the old way insufficient, you know, into this, and how is this addressing those gaps? Because, I mean, anytime you're doing a root cause analysis of like, hey, insufficiencies, we're gonna optimize this. We're gonna get it to move faster, better quality out of it, whatever it is, you're first identifying what's not working.

Justin:

Yep.

Rick:

You know?

Justin:

And then you're saying, okay. Let's put some steps in to make it go faster, but be better quality, whatever that is. And why is this solving that? You know? Because we look at this and we're like, this is just doing something.

Justin:

This is doing the thing that didn't do. Just like, yes. You think about it. You then build it, then you test it, you know. It's like we're like, how else would you do this?

Joe:

Yeah. Well, and one thing I didn't say is this actually was published yesterday.

Justin:

Mhmm.

Joe:

So and today is September 25, so it was published yesterday. Yeah. And a few of the things that I found when I was just reading about it and trying to read what other people were saying about it is, you know, how is this being enforced and scaled across the military? So what what's different about it? Number one, you know, I came up with, like, I found five things.

Joe:

One is mandated integration. They're making these practices mandatory across all Department of Defense systems and not just recommended. Mhmm. So that's one of the things I realized or I think that is a little bit different. Okay.

Joe:

Unified framework is is supposed to have number two, a unified framework. It's supposed to replace a fragmented slow approval process with a single streamlined model. So it's hoping to get approvals faster for things that used to take a lot more bureaucracy. Three, mission driven focus. So unlike civilian frameworks that focus on compliance and business risk, this is built around operational survivability.

Rick:

I do see that.

Joe:

And so it's to keep systems running during attacks.

Justin:

Mhmm.

Joe:

So that's something that I don't have to do a whole lot of.

Justin:

Like my risk vendor risk management, it's should be operational survivability. Resilience. Yeah. Resilience.

Joe:

Yeah. Right. Yeah. A lot of your well, not a lot of my customers are actually having missiles shot at them, but I don't know about yours.

Justin:

But it's about keeping the lights on. Yes. Absolutely. Yeah. Yeah.

Joe:

Yeah. And number four is reciprocity and adherence. So it formalizes reuse of security assessments, reduces duplication, speeds up deployment. So that's another thing they're trying to go for. And number five was automation at scale.

Joe:

They're looking for pushing to use more automated tools across thousands of systems, which is a major shift for the DOD. Right. So those are the things I was able to find as to why what I'm hoping when this thing gets put in place

Justin:

Mhmm.

Joe:

It's gonna be useful.

Justin:

So it's not really the design of the pillars. It's the mandates that's coming behind it.

Joe:

That's what I'm getting. Yeah.

Rick:

Yeah. Which

Justin:

I get that. Yeah. You got it.

Rick:

Well, I was gonna say, the reasons behind it, I think, make a lot of sense. And some of the stuff like survivability and reuse, I actually do see in the framework itself. I did spend a little bit of time with it today though, and I will say, I don't know that it to me personally, and I'm not an expert in risk management and theater of war capabilities. Right? But I've done a lot of risk management.

Rick:

I don't know that the flow hangs together particularly well for me. Like when I read through it, I had a handful of, I think, questions and what felt like without additional explanation because like it should be known for people who haven't looked at this. There's like basically a very short website blurb and then like two PDFs, neither of which have a ton of words on them. They're one page PDFs each. So but I would say I I felt I found some like logical inconsistencies, some redundancies, frankly, some typos as well.

Rick:

And so it did feel to me like this was three fourths baked maybe as opposed to fully baked. But

Justin:

I mean, there shouldn't be typos anywhere in here.

Rick:

That well, in both PDFs, there's typos.

Justin:

Yeah. That shouldn't be a thing. You sure it wasn't like The UK version where they had, like, had s's disease? Because I'm hoping our military is using The UK version of that one. Yeah.

Justin:

They stole it from another country. They're like, this is ours now. No. It's it's No.

Rick:

I'm kidding. It's stuff where, like, they put the space in the wrong place between two words or, like, capitalization is, like, clearly off or, like, a word is duplicated. I think on the the second PDF that's talking about the 10 capabilities, just one example. And this is not like the biggest deal in the world.

Justin:

Yeah.

Rick:

But, like, the first word of one of those descriptions, which are all short. They're like one or two sentences. The first word is duplicated.

Justin:

And so That's ironic. Right.

Rick:

I I just I don't know what level of scrutiny this has really had. And and I mean, you guys know. Whenever whenever you see little things like that, it puts you in the mindset of, oh, are there even bigger things? And Yeah. And again, I'll say I saw some redundancies and some logical maybe flow like challenges with the flow of activities that I go, oh, I wouldn't be surprised if that get gets adjusted in the future.

Joe:

Well, when it's supposed to be a document or a concept in order to improve quality, and then you're seeing these, you you gotta so it's a DevSecOps strategic tenet is the one that says they're going to integrate integrate security and automation That's

Justin:

really integrated.

Joe:

They're really integrating that stuff.

Rick:

Maybe they mean it. I don't know. Maybe it's my bad.

Joe:

Yeah. We're gonna integrate the integration.

Justin:

Right. I don't know.

Joe:

But one of the things I was because because you you mentioned this kind of on our on our Signal channel before. And by the way, our Signal channel is fully sanctioned. We're not doing anything, you know, no no top secret stuff going on across

Justin:

our Even though we delete it after five minutes, I'm bad.

Joe:

Oh, yeah. Yeah. We always do.

Rick:

But I thought I thought it's backed up to your iCloud.

Justin:

Yeah. Yeah. Yeah. Yeah.

Joe:

Hope not. Anyway, so, you know, what is the agile versus waterfall approach? And so when I was looking at this a little bit, and of course, I I threw some of this stuff in the AI and told it tell tell me about this. What's your thought on it? And then I can kinda get my head around a little bit.

Joe:

And it it it classified it as a hybrid. It keeps the structural rigor of waterfall, which is needed for defense systems, but adds agile speed, automation, and adaptability to handle modern cyber threats. So it's not strictly waterfall or agile, but leans tries to lean into the agile principles in in a few ways.

Justin:

So And so they're basically arguing that because phase three and phase five have an assess and remediate wheel, that's agile. Yeah.

Rick:

It's weird though. Right? Because like at the end of the day, what a lot of this stuff is intended to get at is does someone have authorization to operate, right, an ATO. Right? So I can appreciate some elements like a pragmatism there.

Rick:

Like, oh, we have a bunch of people in the field and they're using this technology and it's an active war zone. And so, oh, what? Okay. You found a security issue and then you're gonna revoke authorization to operate. Okay.

Rick:

Now what? Like, so there are some iterative elements there. I think that that make a lot of sense to me. But by the same token, like like exactly what you said, like, you know, is it truly, like, iterative, innate? Like, are you actually iterating on the design live?

Rick:

Like, when

Justin:

No. That's on testing. The iteration. Yeah. Yeah.

Justin:

I One of the thing it's I got two comments here. One of the things that I always hate reading through stuff on onboarding, next gen CSSP risk management performs risk reviews. Like, why are you calling it next gen? Like, come on. Like, seriously?

Justin:

Well, I I didn't say this Word at it.

Rick:

I didn't say this to you before, but there there might be some chat GPT like elements in some of the descriptions of the things on this PDF.

Justin:

You're basically saying that intern made this. Yeah. Well yeah. Yeah. So Yeah.

Justin:

But it, like, I it it instantly drops a bar of respect if I see, like, next gen assessment, you know, or something like that. I'm like, okay.

Rick:

I could see this bearing out into something, like, that's potentially valuable and and achieves the purposes, but I think it might need a little more time to

Joe:

bake. Yeah. Maybe there's maybe there's two gens. The first one has to review it, and the next gen has to do it too.

Justin:

Next gen.

Rick:

And that's why you iterate iterate.

Justin:

Yeah. Iterate iterate. The other thing is like, because, you know, they kinda map this to RMF and everything. I mean, you guys know, like, devil's in the details on how you actually, like, perform this. Is this all a qualitative assessment, you know, based on this?

Justin:

Like, are they, like, putting critical high, medium, low, and that's, like, how this is going through? Like

Rick:

Well, I had a similar question on the reusability stuff. So that phase, I forget if it's four or five, but towards the end of it, they talk quite a bit about, like, reusing and sharing and all this stuff.

Justin:

Operational repeatable playbook to manage real time risk.

Rick:

So like well, some of that, but even like it might be the very last bit or maybe right after that. But but there's a lot of stuff around, yeah, reusing assessments that have been done by others. And I think there's a lot of value to that if done right. But I also think you guys will probably agree, there's a lot of human nature that'll try to take the easy road on assessing some of these stuff, particularly if you're being pressured to do things quickly and so on and so forth. And so you get, yeah, this new system is just like this other old system.

Rick:

We're just gonna use the risk assessment on this other old system. Right? So I'll be pretty interested in understanding like, well, what are the guardrails around allowing reuse versus not allowing reuse? And if that's not fairly prescriptive, I don't know how you get away with it in a way that's useful and not destructive.

Justin:

Yeah. The other thing I think is crazy in here, I don't know if you guys caught it, in the test phase, they call out penetration testing, but only for high risk systems.

Rick:

Yeah. I saw that.

Justin:

I was like, why would you share that? You know? Like, I get it. You can't pentest everything, but you're putting it right into the, like, publicly available documents, and as everybody knows, like, you can test low risk systems and find some juicy stuff that people overlook, you know. The whole

Rick:

point of CMMC was, like, to a large extent, like, oh, there's stuff that typically you don't think of as particularly scary. Well, you should still secure it because of things like inference attacks or all those things. Like, this is an analogy to that. Like, well, you know, I don't know. Someone's watch might not be considered like the... what, NTP might not be the high risk system.

Justin:

File share. Right. Thinking like, oh, file share is not that size. So but surprise, surprise, somebody stored a password Excel database, you know, or something like that.

Rick:

Right.

Justin:

It's like, oh, well, now it's high risk, you know. Right. Right. Or they have Social Security or whatever it is. You know?

Justin:

Obviously, this is in DOD or DOW, you know, type of stuff. But, you know, you look at criticality of systems, and oftentimes, they're labeled wrong, you know, into that. Yeah. So I don't know. Like, I think expressing that, you know, what they're going to be doing into this is definitely a mess.

Rick:

Well, and you could have just said security testing as applicable or whatever.

Justin:

Yes. Or just security testing. Yeah. And then your actual operational documents classify the risk and the amount that you're doing to that and everything. So Some

Rick:

I like... I think I like the intent. I can appreciate some of the objectives. Yeah. I don't know if it's quite ready.

Joe:

Well, maybe we'll have to keep an eye on this and then see how it's being used and see what kind of stuff's coming out of it, maybe report on this in a couple future episodes.

Justin:

Yeah. Now here's the question. Is NIST gonna adopt anything from this?

Joe:

My guess is... I don't know, my guess is no, because I think it's relying a lot on what the public domain is already doing.

Rick:

I don't wanna get terribly political, but, I mean, how's funding gonna work? Is there gonna be expectations? Is there gonna be pressure? Like, I think there's probably a lot... Frankly, I could see it going either way depending on how the narrative evolves.

Justin:

Yeah. I would guess without an executive order or a mandate, you know, type of thing. And then, typically, those come with funding, you know, in Yeah. Sure. I don't think NIST will do anything by themselves, you know, because they're already citing RMF.

Justin:

And honestly, I'm not crazy about the structure of this format. So I think NIST, you know, they have their own body. So they're gonna make their own decisions absent whatever the Department of War is gonna be doing, you know, into that. Yeah.

Rick:

That's probably true.

Joe:

Yeah. I'll give them kudos that they're doing something to make something better. And maybe they're not quite to the point where we're not making a little bit of fun of some of the things here. But hopefully, it does improve stuff. Hopefully, it saves money.

Joe:

Hopefully, it makes things a little bit more efficient. And I'm hoping that they get the intent they're trying to out of it.

Rick:

Yeah. Yeah. Agreed with that.

Justin:

Yeah. I mean, bottom line, the intent is to make better decisioning, you know, out of this, you know.

Joe:

So And faster.

Justin:

And faster. Yep. So Cool. Great. All done.

Justin:

Any last comments here?

Joe:

Well, I just signed the contract for the BSides, casino, for next year. So Alright. Just a little planning is starting to go.

Justin:

When's the check due? Not till closer?

Joe:

What's that? Oh, the check? No. The first of the deposits is due. There's a couple. Yep.

Joe:

Yeah. So we had to Does

Justin:

your arm get tired writing all those zeros? You know?

Joe:

Yeah. No. No. Because John Ziola handles it.

Justin:

Oh, okay. Cool. Yeah. Yeah.

Joe:

I signed the contracts, he pays the bills.

Justin:

And he's

Rick:

very strong, so his arm doesn't

Justin:

get tired. Did you

Joe:

see those things? Holy cow. Anyway, yep. So planning is underway. And I think Rick and I have been working a little bit with our coordinating team on getting some sponsorship stuff out.

Joe:

So Nice. We'll hopefully have the sponsorship stuff out. So maybe by the time... well, probably not by the time that this is released, but shortly after, we expect to be able to get some initial sponsorship going and wanna publish that. I think we're gonna probably release the sponsorship stuff. Let some folks take Yeah.

Joe:

A look at the packages, get what they want, because there's a few sponsorship levels that only have quantity one and come with some pretty cool perks. And so if you can get that, great. And the next thing that'll happen is once that initial stuff dies down, if your favorite vendor or favorite, you know, sponsor of BSides is listening and they're getting ready, we'll probably try to get some end of year sale if you have money that you can use for some of this stuff. So, goal: first month, maybe it'll all just be the price it is, and then, you know, potentially doing a little bit of a discount for any end of year stuff. So if you can use budget, and they can motivate you to do that, make the investment sooner, great.

Joe:

And then, come closer to the cutoff date, it'll go back to normal price. And, okay, I'll tell you, this experience from this last year, there were a lot of sponsors who were coming out of the woodwork, and that's why all the tables got done. Right. And I think they all decided they're gonna try to go after it sooner.

Joe:

So Well, and it it makes

Justin:

have, like, a battle arena at the end of the conference, like, two people are fighting for the number one spot.

Joe:

That would be fun.

Justin:

Verbal, you know, type of thing. Yeah. I would be like, you know, cage match, two vendors enter,

Rick:

one vendor leaves. Yeah. Yeah. Well, but, you know, it's not unreasonable to think about stuff like that a little bit because I did a little bit of informal research on this actually. And of the BSides in the world, Pittsburgh's is like easily top 10.

Rick:

I think like tied for five in terms of like attendance and how well respected and level of formality and cultural impact that it has. There are not many others like it. And so, you know, it's not surprising that people wanna be sponsors, wanna be seen there. It's cool.

Joe:

Yeah. Do a little more.

Justin:

And the other thing I wanted to mention, as I'm dishing out important bottles, you're good, is we will be at TRISS.

Rick:

Oh, yeah.

Justin:

TRISS is coming up in October as a conference. The camera is not coming to me, but that's alright. Oh, there we go. We'll be at the TRISS event. We'll actually have a booth.

Justin:

We're also sponsoring the after party into that, so come join us after the conference. I think we're going to that same brewery. Was it Helltown last time? Helltown. Yeah. And everything.

Justin:

But there'll be announcements and all that stuff. But please come by, say hi. The next time we record, it'll probably be post that conference. So this is your one notice, you know, to go sign up for that. Another thing too, we just finished recording this week, there's a handful of actual speakers that I've been talking to this week here

Rick:

Oh, great.

Justin:

That we recorded and got a little bit of great information about their talks, some of the information with that, and there's some good talks there coming. And we're gonna be releasing that over our YouTube channel, and we're also gonna be doing some LinkedIn Shorts and all that stuff. So stay tuned for that. That'll be coming out, and, yeah, it should be

Joe:

good. Now, TRISS, October 29.

Justin:

Yep.

Joe:

At the David L. Lawrence Convention Center downtown.

Justin:

Yeah. So buy tickets for that and come say hi.

Rick:

Yeah. Perfect.

Justin:

Alright. Well, all good?

Rick:

All good.

Justin:

Alright. Cheers. Yeah. Cheers, guys. Thank you everyone for joining us for this episode here.

Justin:

Don't forget to like, comment, and subscribe, and we will see you next time. Bye, y'all.

Joe:

Bye bye. See you.

Creators and Guests

Joe Wynn, Host
Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH

Justin Leapline, Host
Founder of episki | IANS Faculty Member

Rick Yocum, Host
Optimize IT Founder | Managing Director, TrustedSec