
Episode 7: Cybersecurity as an Asset, Not an Obligatory Cost.

Zach, Mike, and Lauro discuss using cybersecurity as an asset and competitive advantage to drive revenue, rather than just a necessary cost. The advantages of cybersecurity are discussed along with the ins and outs of cybersecurity questionnaires that all B2B tech companies get when they're trying to land enterprise clients. The team discusses the benefits of cybersecurity and steps needed to align your company with the best cybersecurity framework, plus navigating potential audits and avoiding security pitfalls.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths of corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about in their fancy marketing materials, all to help you protect your company from cybersecurity criminals. And now here are your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. We have a good episode planned for you today, but before we dive into that, let's start off with the news. Mike?

Hey, good morning. I started out with the top 11 headlines instead of the normal 10 today, because there's some interesting stuff out there. First, the hackers are actively probing millions of WordPress sites again. The WordPress issues are expanding and people are looking for them. Something interesting from the cloud world: multi-cloud environments are leaving businesses at risk due to the complexity of multiple cloud configurations. It's now seeing increasing risk, so if you think just putting things in the cloud is a good thing and makes everything safe, it ain't. Hey, guess what: Microsoft advises ditching voice and SMS multi-factor authentication. Apparently that's no longer safe according to Microsoft, because they know everything about security. Next one: nearly two dozen AWS APIs are vulnerable to abuse. This is according to Palo Alto, so be careful with AWS. This is an interesting piece, especially for people in the pen test world: alleged decompiled source code of the Cobalt Strike toolkit leaked online. It's at GitHub for Cobalt Strike 4.0, so, you know, maybe save some money. Malware activity spikes 128 percent using Office document phishing, so be aware: they're using a lot of Office documents with Emotet embedded in them, so it ain't good. Microsoft says three APTs have targeted seven COVID-19 vaccine makers. If you don't know what an APT is, advanced persistent threat organization. We've got people from Russia, North Korea and China all attacking vaccine manufacturers. Hey, guess what, Microsoft again: Windows Kerberos authentication breaks due to security updates, so that's always good news. That's CVE-2020-17049, take a look at it. Next thing: cybercrime moves to the cloud to accelerate attacks amid data glut. There's so much data out there, the cybercriminals are now migrating to the cloud, so keep that in mind. It's kind of scary and kind of sad. Healthcare organizations are sitting ducks for attacks and breaches. The biggest problem is it takes up to 118 days to 181 days to fill a cybersecurity position at a healthcare organization, simply because of demand, which is good for those of us in our business. Dozens of ransomware gangs partner with hackers to extort victims. I guess this is called hacker synergy: they are now partnering together to make themselves that much more virulent. And that's it. Lauro, anything on exploits?

I hope I get some time, sometime, to say "No, I have nothing this week to report." Unfortunately that's not the case. For everybody out there who's got their websites or web presence or running whatever blog they think they need on WordPress, make sure you get the Wordfence web application firewall for that. Works very well. All right, into vulnerabilities, a couple things. If you're running Mozilla Firefox or Thunderbird, there's some pretty serious stuff, so check out the 2020-49 series of patches and get that installed. Apple iOS, the older versions 12.4 and 14, have some security updates. Nothing extremely major, but all good for embedded apps and for the operating systems to get that done. There's certainly a pretty serious one for MongoDB, so if you're out using MongoDB for REST services, make sure you check the vendor for that NoSQL injection patch. Pretty nasty. And then finally SaltStack: if you're using SaltStack out there, there's a shell-side injection for RCE, so make sure that you get that patched. And that's really it for vulnerabilities this week. Stay vigilant.

All right, thank you Mike and Lauro. Today we're going to talk about something that I'm particularly excited about. This is something that we've come to realize over the last couple years here, and something that a lot of people in our industry aren't talking about, and that is using cybersecurity as an asset to the company. Most people think of it as a sunk cost. They think, oh, we gotta, you know, spend budgets on this. I'm talking about those of us outside the field, right? So you go to your average CFO or CEO, they're going to look at this and say, okay, great, I guess we have to do this, but I'm going to drag my feet a little bit, right? We're going to try to get by with the bare minimum. But companies are starting to realize that cybersecurity really can be used to grow revenue and open new opportunities. It's a business enabler, and one of the examples that we've seen of that was an organization that we helped actually land a million dollar per year revenue contract. This contract was on the line; it was being bottlenecked in the sales process. This is a B2B tech company, and they would not have landed this contract if they weren't able to leverage us, or leverage somebody like us, to be able to get the fundamentals in place that they needed in order to meet the security requirements and, more importantly, a long-term plan of action and milestones, something that they could report progress on over time to keep that contract. So it's pretty awesome, and since then we've been able to help clients just grow. There's a little bit of a shameless plug here, but I don't mind it, it just shows the power of it: we've been able to help our clients at Silent Sector grow millions in revenue over the last couple years by getting through the security questionnaires, the sales bottlenecks, the compliance requirements, even things like SOC 2 audits and such, so that they can put security at the forefront of their organization. So I'll pause there. Mike and Lauro, feel free to jump in with your comments, but I could go on and on and on for multiple episodes about this topic, so I'm excited about what we're going through today.

Well sure, Zach, thanks for that. I guess kind of talk about maybe one of the strong points that I like to kind of relate this to, and how effective this is, is just kind of picture yourself as a CEO. You've got a pretty good company going, but you're not extremely mature yet, and you get this big attorney-language stuff. You know, maybe it's a lawsuit or whatever. You're not going to try to act on that on your own, are you? You're probably going to hire an attorney to coordinate that type of paperwork and that type of information, that type of inquiry, with the asking attorney firm. In the same respect, I think that's what makes a significant difference: when a large organization, like an Apple or Google, not to drop the names, but you know, we're talking about a large organization, and their cybersecurity team, rather their governance and compliance team, hits you with a third-party security questionnaire, and not only are you not answering the questions maybe properly, or you're intimidated by those questions. It's the same situation as having an attorney: the security professional's gonna be able to digest those questions and respond appropriately and very quickly and thoroughly and, most importantly, accurately to your environment. It's gonna be as two attorneys communicating with one another. We understand the language. The cybersecurity professionals at the requesting firm are going to understand the language that we're responding with on behalf of the client, and I think that translation, if you want to call it that, for lack of a better term, it's Babel fish, right? I think it streamlines the process. I also think that it's important too, because a lot of the questionnaires that you're going to receive are not going to align to the business model that you may be presenting on to that client. Unfortunately, I think a lot of the questionnaires are pulled from requirements out of NIST and PCI and things like that, and they're thrown in a certain random order inside of a spreadsheet called the third-party questionnaire and sent to the client. Some of them actually follow something like NIST 800-53 and have corresponding control sets, or even sometimes PCI. But you may receive these questionnaires and look at them and say, wow, what am I, how am I supposed to respond, what am I supposed to respond to? And I think, back to what Zach was talking about, I think that is the moment when you realize that you need to reach out to the attorney, right? When you get that paper from that attorney firm, and when you get that third-party questionnaire and you're starting to be curious about your answers, I think it's time. I mean, wouldn't you say?

Yeah, and the other problem is that they're not standardized, right? Like you're alluding to, this company asks this and we'd be asked this, and they're really trying to ask the same question but they're asking it differently, and if you're not steeped in cybersecurity verbiage and in the business, you just don't understand it. Although I do take umbrage with being compared to an attorney. Fair enough. But yeah, I mean, that's very much the case. There's clients that we're working with currently that are just looking at these things and they want to say N/A to everything, because it's like, well, it's not what we do, it's not what we do, because they've been sent a boilerplate questionnaire, and then they're afraid they're going to lose a sale or they're going to lose a client because they can't answer these questions properly, or it just kind of causes a lot of hand-wringing, where you really need a cybersecurity professional to deal with these kinds of issues. And then the other thing, and I was just talking to someone the other day, they did a lot of business with very big clients and they're a smaller company, and we've been talking about their third-party assessment process, and it was like, well, you have one of these with this big company? And they said, well, we asked for them; they basically told us to pound sand. So it kind of goes both ways. It's kind of weird, like the big companies will ask you for everything, and you ask them for anything and the answer is no. So I mean, it's just kind of an interesting world out there for that guy.

It is very interesting, and for those listening, I see security questionnaires all the time. I mean, I'm answering sometimes upwards of 20 a week on behalf of clients. That's peak max, but it's still quite hefty, right, when you've got 80-plus, sometimes 200 online questionnaires. Some people put them in portals, some people are sending the Excel file sheets still. And here's what I say to organizations. What I see is that, just like Mike said, the big organizations are asking you, they're saying deliver us all your policies, and some of these companies, when we get involved, we find out that they've been sending all of their internal documents, diagrams, every intimate detail they can. They've just been blatantly sent into this company. And what I'm going to tell you is that just because you work at a Fortune 50 company doesn't make you a smart cybersecurity professional, okay? There is such a thing as data hoarding, and as Mike said, it goes both ways, okay? If I'm giving you my data, then I have the right to audit you and assess you and request control configuration documents from you, right? That's just how it goes. It doesn't matter how small or big you are. And so in the questionnaires, what I tell people, and this is the advice I give clients and these are the responses that I give: if we're a consulting firm and we're doing business on behalf of a large organization that needs our consulting, and we're not offering a widget and we don't have a SaaS and there's not any kind of web application involved, it's simply just remote access from a laptop to a third party's web application, right? Say we're doing some work in, you know, Hubba Do Bahuba, and they're like a CRM, right? So we're up in Hubba Hubba and you're a member of them too, and you're giving us access to your realm, and we're gonna come in and do some data aggregation for you. A lot of these questions aren't going to apply. So what I respond to, and the questions that would directly apply to the Huba Do Duba CRM company, I say in the questionnaire that I'm answering on behalf of the big client, hey, this is not applicable to us; you can find this data in your security questionnaire that you should have on file for Hobonobihoba CRM company. And I throw it back in their court and say, hey look, this is something you should have, and do a better job of understanding what type of business model your company is starting to bolt on with, and better understand how you should really kind of tear down and more finitely prescribe your security questionnaire to that organization, right?

That's my favorite CRM, by the way, for anybody who hasn't checked it out. It's the best on the market.

Yeah, it's proprietary, but I couldn't drop the name, I'm sorry. I wasn't going to do this.

I love it.

It's interesting too, because that's when a lot of companies nowadays are reaching out, when they have that problem, right? Primarily, I think what we're seeing is most of the companies in this space that are really having an issue with the security questionnaires are these emerging technology companies, so usually like a B2B tech company, right? And they're going after larger enterprise clients and kind of stepping into the big leagues, and they get hit with this thing, and then all of a sudden the deal's on the line. So our encouragement to all the companies out there is get ahead of this stuff. Be in advance. Don't wait till that security questionnaire comes down, and the way you do that is by picking a cybersecurity framework and starting working on the alignment to it, right? Because if you're aligned to a good framework, then all those questions you're going to be able to cover down on much more easily, even though they're never in the same format. There's no kind of standard approach, although I know there's all these software platforms out there trying to create the one standard security questionnaire. I don't see it happening, because every CISO wants to put their mark, their stamp of approval, their methodology on it for their own company, and as the big guys, and you're trying to get their business, they don't really care if you have to go through a different questionnaire every single time, right? It's not in their best interest to make it standardized. So you need to align to a framework and start working on your answers that you can use for those questions, even though the formats are going to come out different every single time.

Yeah, and here's the thing: it's like taking a test where they change the questions. They may be similar, but they reword it, and that's kind of how I look at this. But let's talk real quick: if you get these questionnaires and you can't answer them, like, what happens, right? What happens when you have to click N/A and all this stuff? What happens when you're not really sure and you stall?

Well, here's what happens when you submit this back to the organization, okay? They have a risk and governance team that's probably, you know, third-party this or that, assurance or something, and they'll take your answers and they're going to write up a risk report on your company based on the answers on that form. It's basically a light audit, essentially. That risk report is going to go on file, it's going to go to the CISO, it's probably going to go to the board. They're going to see it, they're going to say, hey, they wanted to do business with Hoba CRM, but these guys answered N/A on all these questions. And a smart CISO would say, okay, well, that sucks, too bad. Maybe they had a good product, but do we have anybody else in the realm that may be more expensive but also offers a better security profile for their application platform? That's kind of how their thinking method's gonna go. So from you who didn't answer that correctly, that's kind of what they're gonna say, right? So it depends on the answers that you provide in that questionnaire, and you can't lie, because they do have the right. A lot of the language on the contracts is going to allow them to do spot audits within like 30 days of notifying you, okay? I see that a lot when I'm reviewing that language, and unfortunately that's just part of it. If you agree to that, or you don't have an attorney look through that and redline it and put stronger stipulations in there, they're going to have the right to essentially audit you. And the way that happens with the clients that I serve is that typically we do a video Zoom meeting, or similar, and it's their cybersecurity team or a subset of that asking me questions about the organization, going through essentially the same checklist that we answer every year, asking to take screenshots. That's where I really like to drive these types of conversations, where they want to see evidence, because they need to see that you certainly demonstrate proper security controls in your documentation, controls and the things that you're doing. So they're gonna want to come in and audit you, so it's certainly not a good idea to be false. It would be better to say something like, we don't have that now, but we're gonna implement that in the next 12 months. And so I think that's probably the better answer, right?

No, I was just gonna agree with you, man. Most companies will accept that: yeah, we're working on it.

Yeah, but if you flat out say that you got it and you don't, you're just going to get yourself in a lawsuit, unfortunately. And then again, if you don't have the controls, don't be scared. It doesn't put you out of the game. A firm like ours, again, we can very quickly assist you to get in a position where you can answer things on that questionnaire appropriately. However, that's what's happening on the other side when they don't receive the questionnaire. If you have a one-of-a-kind and there's no one else in the world like you, and you're like the one thing on the entire planet that does this one thing, like Hoping To Public CRM, then they may not have a choice, and they say, look, it's a good Hope, we got to use them, and maybe they'll make an exception for your bad security that you didn't remark on your security questionnaire. I've seen also that a lot of the security questionnaires, it'll say, do you have this control in place, and please explain, and all you'll respond with is a yes or a no. When they ask you to explain, you need to explain, even if it's a sentence, even if it's five words, you need to fill that out, and that's because one-word answers lead to additional questions. Always. They'll always come back with an email or a request for a meeting on some additional information around the controls that you're trying to be vague about, because you probably don't have them, right?

Right, so the moral of the story is don't try to be sneaky, be honest. They will know. They will know. And you got to understand too, the people sending you these security questionnaires are sending them out all over the place, and they're seeing all kinds of different answers coming in, so they're going to very quickly understand what's real and what's not.

Yeah, it kind of reminds me of the story of my father, who does some online college teaching, and he received three papers in one day from the same laptop for three different people, and they had the audacity to say, oh no, no, no, we wrote it ourselves. That kind of fraud is very easy to find, fairly easily.

Yeah, definitely. So before you do something crazy, just contact us. We'll come help you. It's not going to break the bank, and it's certainly not going to take an aggressive amount of time. It's certainly something that can be handled. Again, like we started this conversation out, we were successful helping that client and getting that deal in under 14 days, okay? From being stalled, under 14 days we can deliver the type of program and come in with continuous control sets that the organization needs to, again, say "oh yes" to a lot of that. Now there's something that you're probably not going to be able to do, like SIEM. You know, removing all of, I think another big one is removing all admin privileges from everybody, right? Even the admins need to have two accounts, a user account and an admin account, and that usually takes a little bit, right, especially for organizations who don't have something like Active Directory running in their business yet. There are options out there, lightweight options that work very, very well, but these things take time and they take budget, and so you're going to be able to move as fast as you can, unfortunately, afford to go, and how much of your culture you're willing to wring, I guess is what I'll say, because some cultures are used to having a specific environment, and a lot of these frameworks, when you implement things, change some of the freedoms in the computing, around the computing technologies, that some of your employees are going to be used to. So you have to certainly make that cultural change too.

Yeah, I remember when working at a large bank we were always called the sales killers, because we made them adhere to certain things. They couldn't say whatever they wanted to say when we were copying every email they sent and tracking their voicemail and all sorts of fun Big Brother type stuff for SOX, SEC and FINRA and all sorts of things.

Yeah, well now it's a sales driver. It's funny how it's completely flopped the other way, right? Now companies are better by aligning to a framework to demonstrate the good controls, because now they get the one deal that was asking for it, and now all the other deals just come easily. We have one client that did it way, way, way a long time ago, before anybody else was doing this sort of stuff. They said, hey, we want to be secure, we want to have some form of attestation that says we're doing a certain framework, because they wanted to set themselves apart in the market. And it worked, right? They put themselves light years ahead of their competitors, because they're getting the same questionnaires, and I know the competitors are not going to be able to answer the same way, especially considering one of them may be operating out of a garage-type environment. So you just never know what the technology looks like on the other end. That's the whole point of the security questionnaires: they have to understand how you're modeling your architecture to offer the services that they want to buy from you.

One of the things too, just kind of as a caution, is that you get that questionnaire, whether it's two pages or 15 pages, and there's always that shock and awe factor of, oh my god, can I do this? But most companies that have any kind of framework or any kind of structure in place are generally between 40 and 60 percent compliant with it already. They just don't realize it. We see that with this too, a lot of times, is that you're already better off than you think you are, but you still need to improve, and those questionnaires will call those things out. But seeing that and just letting your eyes glaze over and being scared by it is not a way forward. That's where you need to engage a company like us, or somebody else, that will help you realize where you're at, get you to where you need to be, and teach you how to maintain to be there, to continue to drive those sales. But yeah, just don't accept that, oh, we don't have any of this, when in reality you might have a lot of it.

Yeah, it's just a matter of translating it to their questionnaires, or that framework that you're required to follow. And as we wrap up, I think one thing that will help people, especially if you're in the B2B tech space or you're trying to go after DoD-type contracts: put yourself in the customer's shoes, and understand that if I'm a buyer of technology that I'm going to use to improve operations for my organization, or work with data that's critical to my organization, what am I looking at first? If I'm looking at a SaaS platform, for example, well, I'm looking at all the features, the user interface, will this be a fit to do what we wanted to do, right? But everybody has a beautiful user interface these days, cool features. They all sell it as the best, so all that stuff kind of starts to blend together when you're in the buyer's shoes. But what's the very next thing they look at, after all the features and functionality, you check the blocks? They're looking at the cybersecurity program: is taking this on going to bring additional risk to our company? And that's the essence of the security questionnaire, right? So not only on the security questionnaire side, but if you can develop your company's security program to really put security out there front and center, start answering those concerns before it even comes up in the sales discussions, right on the website. Obviously you don't want to put confidential information out there, but you want to put information that adds credibility, that shows that yes, we put security front and center in our organization, it's what our platform or what our company is built on. And then you can show third-party attestations, things like SOC 2 audits for example, and you can show that success, that you can speak that language, right out there in your marketing efforts. That will absolutely differentiate you, because that's an opportunity that so many companies are not yet taking advantage of. A few do it very, very well and they are just killing it out there in the marketplace, but you can turn your organization into a market leader in your space by leveraging cybersecurity. We know that because we've done it. We've helped our clients do it. We see that stuff happening out there, and this is the perfect time to do it. Five, six years from now it's going to be more standard, but right now there's still kind of that cutting-edge opportunity that you can go after. So thanks for joining us today. Reach out anytime if you have questions about any of this stuff, pick up the book Cyber Rants on Amazon, and we'll look forward to seeing you on the next episode.