April 9, 2021

With the proliferation of so many information security standards, are we nearing a breaking point? 

In the end, which standard will win? 

In this episode, John Verry, Founder of Pivot Point Security, answers these questions and more in a guest appearance on the Encrypted Economy Podcast.

John covers:

  • The basics of CMMC
  • Why CMMC is the most significant standard in InfoSec’s history
  • Whether we are reaching a saturation point for security standards

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to [inaudible 00:00:27] episode of the Virtual CISO Podcast. As always, I’m your host, John Verry. Here with me today is not Jeremy, it’s Andrea VanSeveren. Good morning, Andrea.

Andrea VanSeveren (00:37):

Good morning. Hey, John, hey, everyone. It’s great to be here.

John Verry (00:41):

Welcome to the podcast-

Andrea VanSeveren (00:42):

Thank you-

John Verry (00:43):

… We say fare thee well to Jeremy, our good friend. And we say hello to Andrea, our soon-to-be good friend. So this week, this podcast is a little bit different than we typically have a podcast. I was a guest on the Encrypted Economy podcast, which is hosted by Eric Hess. We had a really fun conversation, at least I thought it was a fun and great exchange. And we ended up talking a lot about the future, if you will, of information security. We did a lot of prognosticating, which is a little different for our podcast. So I thought it would be interesting to rebroadcast this podcast here.

Andrea VanSeveren (01:14):

Yeah, yeah, I think you guys covered a lot of ground. And the discussion around security misconceptions and the potential around CMMC, to unify frameworks and landscapes will really be interesting to a lot of people.

John Verry (01:27):

Yeah, I really enjoyed it. Eric is a really bright guy. He’s the founder of Hess Legal. He also is the founder of Helical Security. So he’s got a broad level of experience on both the legal side as well as the information security side. I think he brings a really interesting perspective to the conversation. With that, let’s get to the show.

Eric Hess (01:50):

Hi, this is Eric Hess of the Encrypted Economy. In early December 2019, FireEye discovered that a threat actor had compromised SolarWinds’ network monitoring program used by multiple federal agencies, including US Treasury, Homeland Security, Departments of State and Energy and the National Nuclear Security Administration, as well as 100 technology companies. The scope of this attack is still being investigated, and the Biden administration announced recently that they would be taking executive action to address the security shortcomings that this attack uncovered. What the SolarWinds attack demonstrates is that no organization is immune from cybersecurity compromises.

Eric Hess (02:34):

The timing of this initiative coincides with the Federal Department of Defense’s Cybersecurity Maturity Model Certification, or CMMC. That’s an acronym. There’s a bunch of them in this episode. It’s a framework that’s being ramped up for adoption across multiple government agencies, their vendors, possibly their vendors’ vendors, and so on. In short, it is likely to become the new cybersecurity standard across both the government and private sectors. There are levels one through five, depending on the sensitivity of the data or the organization. One being the lowest, and five being the highest.

Eric Hess (03:12):

Today, we have John Verry, the founder of Pivot Point Security on the show, to talk about the challenges of managing third party security risks, which this relates to, as well as the CMMC framework. In this space, there’s always a lot of acronyms, so it’s hard to have a discussion about the frameworks without delving into them. For starters, we talk about NYSDFS, which is the New York State Department of Financial Services. It comes up because they issued cybersecurity standards mandated for all financial services companies in its jurisdiction. We talk about HIPAA or the Health Insurance Portability and Accountability Act. And that is the federal law that protects personal health information, also known as PHI. You’ll hear about DFARS, because the Department of Defense is the one that promulgated CMMC. And DFARS is the Defense Federal Acquisition Regulation supplement.

Eric Hess (04:09):

It’s a set of restrictions for the origination of raw materials that’s designed to protect the US defense industry from the vulnerabilities of being dependent on foreign sources of supply. You’re also going to hear references to NIST and ISO, as well as SOC audits. I know, lots of acronyms. This is the current federal government framework and guidelines that’s also adopted by the private sector. They’ve been extremely prolific in the guidance that they’ve offered. ISO is the international standard for best practice information security management systems. Stay with me, SOC is a bit different, as it’s an attestation by an auditor, usually a CPA firm, that a firm has certain business processes and security controls in place. A SOC 2 report would be the one that covers cyber security.

Eric Hess (04:54):

Now, lots of acronyms, but they are significant for organizations that are looking to strengthen and demonstrate their cybersecurity controls. Over the next five years, they’re only going to become more important. And it’s going to be harder for you, as listeners, as a professional, particularly if you have operational control, to not know what they represent. So don’t look to this episode to tell you what you need to do to secure your organization. There’s other podcasts for that. And maybe we’ll have an episode that covers it at a later time. But it does get into the standards that are likely to impact organizations in the encrypted economy, as well as the issues that companies are going to have to grapple with. Particularly as security data and systems become a higher national priority.

Eric Hess (05:41):

So with that backdrop, I bring you John Verry, the founder of Pivot Point Security. And of course, if you like the show, please leave us a review, share it with your friends and help us get the word out. Thank you.

Eric Hess (05:54):

Welcome to the Encrypted Economy, where we look at the business of regulation and security for all things encrypted; digital assets, blockchain technology, privacy and smart contracts. Hope you’ll join us while we explore these forces that are shaping the economy.

Eric Hess (06:23):

This is Eric Hess with the Encrypted Economy. I’m excited today to have John Verry of Pivot Point Security on the show. John is the owner of the business, which he’s built up over a number of years. I was looking at his profile before, and I saw that he also went to Stevens, so New Jersey boy, at least from the college, seems a great place. Welcome to the show, John.

John Verry (06:42):

Actually not a Jersey boy, not originally. And I did notice that your cell phone begins with a 646, which is a Long Island area code, which is where I’m actually from. Actually a Long Island boy originally. Went to college in Jersey and met a girl, and the rest was… I’ve been in New Jersey ever since.

Eric Hess (06:57):

Okay, there you go. So I was wrong. Good start.

John Verry (07:02):

It was a logical guess.

Eric Hess (07:03):

It was a logical guess, I saw Stevens and I just went to it.

John Verry (07:06):

Yeah, there you go.

Eric Hess (07:07):

So John, why don’t you tell us a little bit about your background?

John Verry (07:10):

Sure. I’m an engineer. I think anybody who knows me, knows that I look at things very analytically. A lot of numbers, a lot of logic in the way that we look at things. And kind of served me well from an information security perspective, as well as from a business perspective. I have been doing what I’m doing now for roughly 20, 21 years. Fully focused on information security, information assurance and in short, helping organizations that need to prove they’re secure and compliant, do so. Before that, I had a very interesting journey through lots of crazy areas. I was lucky enough to do a lot of work with Carl Zeiss. They were a fantastic West German optical manufacturer. Lenses and binoculars and things of that nature. But I did a lot of work with their microscopy groups, and ended up doing some fascinating work for a number of years that I really enjoyed.

John Verry (07:51):

Working with people like Arthur Ashkin, who received a Nobel Prize for his work on laser tweezers. And I helped him with the optics relating to that. And Dr. David Stoloff at Ethicon, he pioneered the concept of radio keratometry, which is what became a LASIK surgery. So I got to work on that kind of stuff and got to go into clean rooms, wearing the suits. And for a guy like me, who was intensely curious and an engineer, seeing the behind the scenes, I did a lot of work in like Nabisco’s manufacturing facilities. So I’d go in and help them figure out why the back pressure in the saltine packaging thing would get so high, that all of a sudden there’d be these, fountains of crackers shooting up in the air. And their response team would come and somehow get this belt working again. And these 300, like literally a football field, long oven, with just cracker after cracker coming out and automatically going into stuff. So it was a blast. I really enjoyed it and really enjoy what I do now as well.

Eric Hess (08:42):

And do you think that experience or those experiences shaped your methodology for information security?

John Verry (08:49):

That’s a really cool question. I think we are the sum total of who we’ve been as people. And I think it would be hard for that not to influence it. I do think that, just fundamentally, that my background has me take a very reasoned more methodical, more data-oriented approach to solving problems.

Eric Hess (09:06):

I also note that on a lot of your podcasts, you often start off with a question as to what somebody’s favorite drink is. And you’re actually very good at sort of going back and forth on the various beverages that are chosen. So I’m not going to ask you what your drink of choice is, because I feel like I’d be stealing your question. But I’ll frame it differently. It seems like you’re, just going through it, my investigative powers here, that you’re a bourbon, probably slightly more scotch guy. Is that…

John Verry (09:32):

No… well, bourbon absolutely, not scotch. So you didn’t do enough investigation. Anybody who mentions that they’re a scotch drinker, that’s my first thing is, why would you ruin whiskey? Definitely, I should say scotches in general, I’m not enough of an aficionado to argue a point. But most scotches that I’ve ever tried, which is not a lot, tend to have peat in them and for some reason, peat horribly disagrees with me.

Eric Hess (09:52):

Oh, you haven’t tried enough scotches then. Is bourbon, your drink of choice?

John Verry (09:56):

I would say that I’m an equal opportunity drinker. I am a huge bourbon guy. I enjoy red wine during the winter quite often. Just, both health benefits, plus just, it’s great for sitting by a fire. I’m a stout and darker beer drinker, but I also love a good Belgian, I love a good bourbon barrel-aged stout.

Eric Hess (10:12):

All right. So usually I take that question and ask about a single event that shaped somebody’s values, worldview or otherwise. But we’ve replaced that with a discussion of alcohol.

John Verry (10:23):

You know, it’s really interesting. We started to do that just because, what I was trying to do, is get people comfortable. Because people get amped up when they’re coming on a podcast.

Eric Hess (10:31):

You have Pivot Point Security, you’ve developed a number of clients. I know that a lot of them are in government, as well as a number of small to midsize firms. What’s your client base? Like how does it break up?

John Verry (10:43):

Really good question. So for the most part, when we tend to spend our time in SMBs or SMEs, I don’t know what the right definitions are. But it’s not unusual for us to be working in… Like yesterday, I spent a lot of time on the phone with two of our newer clients or potential newer clients that are 10, 15 people, so venture backed startups, software-as-a-service. We do a lot of work in the software-as-a-service vertical. So we might be companies that small. Because it really no longer matters how big your company is, it matters how big your customers are. Because our big customers have high security requirements and they no longer care that you’re a 10-person company. You need to have an equivalent security posture to them, in order for them to give you your data-

Eric Hess (11:17):

That’s a great point.

John Verry (11:17):

So that’s where it gets interesting. I’d say that we probably spend about 80% of our time in companies between a dozen people and 5,000 people. And then we probably spend 20% of our time in companies bigger than that. Maybe a little bit more than that, 25%. And we have some… the city of New York, we hold a backdrop services contract to do security for them. And that’s 400,000 people. So we’re comfortable in the bigger environments. But I’ll be honest with you, I prefer work at SMBs and SMEs. In bigger organizations, you’re there to serve a greater master and you’re more disposable. And I don’t think you’re valued quite as much. When you work in the SMBs and the SMEs, you’re looked at as an important extension of those teams. And I think it’s a much nicer place to work, and I think that our consultants really partner with our clients.

John Verry (12:02):

I think we develop really long-standing wonderful relationships. I can’t tell you how many of our customers I would call very friendly with. I’m not saying I’m fraternizing or socializing with them, but there are people I’ve worked with for years and really have a strong relationship with.

Eric Hess (12:17):

I’ve always had a theory about the larger enterprises that, basically you’re going to be hired for a specific task, a specific job, once you start getting into that size. I guess there are companies that would get the overarching, but once you have a CISO, it’s a CISO’s job to get the tools of the trade, to hire a multitude of different partners and to assign various tasks to them. Whereas with a small to medium size enterprise, it’s more of a holistic relationship. And it also allows you to centralize the information and better manage it, as opposed to in a larger enterprise, maybe you’re just getting pieces of it. But you don’t necessarily know how it connects to the whole, that’s a CISO’s job.

John Verry (12:54):

Exactly. That’s another good reason. And again, because, and I think you said it well, because you’re assigned a specific task, you’re a more replaceable entity. And if the task is over, you’re over. Or, if they no longer decide that the task is important enough. Management cuts budget and third-party risk management has to get by with less resources. If you were helping them with third party risk management, you’re no longer helping them with third party risk management.

Eric Hess (13:17):

When you’re pitching to new prospects, what kind of progression have you seen in attitudes over the years? Speaking from personal experience, I know like when I started doing this initially in 2011, there was a lot of kick the can down the road. People just, they wanted to talk to you, they wanted to have you on the bench. And if it’s a regulated industry, and if something happened, they want to be able to call you up and say, hey, can you come on? And then it’s evolved. It’s continued to evolve, and I think to the point where you see a lot more companies that were formerly just MSPs, teaming up with bigger organizations and going into the cybersecurity business. But not necessarily having that deep understanding, much like the kind that you have in your business. Do you want to comment on that?

John Verry (14:01):

That is one big apple to bite, that you just brought up.

Eric Hess (14:05):

I’m just…

John Verry (14:06):

I know, but that’s a tough one to unpack. Because… so let’s take the first part of that, because you talked about MSPs. So what we’ve seen, if you go back and you’ve been in the game for a long time, you’ve been a technologist a long time as I have been. There was a day when your IT folks all worked for you. I know that sounds strange to some of the people that are listening, but it used to be, you used to employ your own IT operations. And then sometime, probably 20 years ago, because I know the MSP Alliance was started in 2000. So it’s probably that relative timeframe, people started outsourcing selectively certain parts of their IT operations. So you couldn’t afford to get an exchange admin, so you’d say, I’ll hire an exchange admin as an outsource body.

John Verry (14:45):

And then that worked out pretty well, so maybe we’ll do server maintenance that way. Okay, now we’ll do break fix that way. And let’s fast forward to 2021, and what percentage of an SMB or SMEs actually have full-time IT staff that do all of their functions? Very few, right? Most organizations are relying on an MSP. So what we’ve seen, which is a logical evolution of that is, MSPs want to be single throat to choke, MSPs want to make money. So they’ve bitten off more and more of the apple. So that’s impacted us quite a bit, because in the old days, go back to 2005, when we were doing pen testing. Normally, the phone call came in from a CIO or an IT director or somebody of that nature, because he got a requirement to do a pen test from the board or requirement to do a pen test from a vendor. And he’d, I don’t know who to call. He’d look on the internet, he’d call us and we’d do a pen test for them.

John Verry (15:31):

Now what happens, is the IT director is now an MSP. So the management comes to them and say, we need a pen test. And they say, okay, we’ll do it. Or we’ve got a partner that will do it. And that’s where you started to see organizations move from being what I would refer to as MSPs to MSSPs. So where they’re blending the IT operations with the security operations. I think there’s benefits from an end-user perspective. So if I owned a company, hey, this is great. I got one throat to choke, I can call Eric up. Eric MSP is this great group of people, and they’re doing my information security and my information technology. That’s the positive view of it. The negative view is that, we have a fox in the hen house. And we’ve got guys that are implementing the controls and they’re directing the implementation of the controls. And then they’re governing the operation of the controls. So if anything fails there, you have no belt and suspenders. And you end up with ransomware or you end up with a breach.

John Verry (16:21):

As you might imagine, and this is, I fully understand there’s somewhat of a self-serving attitude here. Our recommendation is, look, MSPs are great. You should use an MSP, if you don’t want to hire your own folks. But I think you have to be cautious and careful about how much security they do. I think security implementation, not a problem. Because if you’ve got somebody who’s directing the strategy and specifying what should be implemented and/or somebody who is validating the effective operation of it, that’s independent of that implementation, I think we’re in a good spot. So I think that’s the best way to work with that. And I think that’s a lot what’s influenced our conversations.

John Verry (16:56):

I think the second thing which has influenced our conversations increasingly, is most people don’t decide on Monday morning that, I need to become more secure because they want to become more secure. They usually decide they want to become more secure because they have to. There’s a government regulation or there’s a client contractual obligation.

Eric Hess (17:15):

Or they got hacked.

John Verry (17:17):

Yeah, or they got hacked, that’s true. And you’re a lawyer, right? So you’re familiar with the term outside counsel guidelines. You’re familiar with business associate agreements, data privacy addendums, you’re familiar with security questionnaires and dealing with all that. So typically that’s where we’re getting the phone call. And then one thing we’re also seeing echoing the same arc that we saw with IT, we’re starting to see the same thing from a security perspective. Hey, we outsourced IT, can we outsource security? So we see that in the MSPs and we’re even starting to see it now at the management level and the more second tier strategic levels. Like, hey, do I really need a data privacy officer, or can I outsource that? Do I really need a chief security officer or can I outsource that? Can I outsource my vendor risk management? So that’s the other thing we’re seeing.

Eric Hess (17:57):

I think one thing I’ve learned about vendor risk management is there’s not that much of a market for tools for vendor risk management, as much as there is a market for services backing tools for vendor risk management. You sell somebody a tool for vendor risk management, it can be very complex. And the first question, I know Prevalent went through this, they spent a lot of money building their systems. And then what they found is when they went out to everybody, everybody was like, okay, that’s great, can you do it? And it was just like, but we have this tool and we want to scale. And it’s, yeah, but that’s great. I don’t want to spend the time learning it. You’re the expert, you do it. But we’re not built as a consulting organization. And I think that was part of the reason why they ended up restructuring. And that’s just one example, but certainly a notable one.

John Verry (18:38):

Yeah, absolutely. And I think the problem, and we saw this with all of the tools, I’m a certified third party risk professional. We’ve got three of them on staff. We’ve got certified third-party risk auditors on staff. So third party risk management is something that we know an awful lot about. We’re very active in the shared assessment community. The challenge with this is that, a tool is great. But a tool has to be configured per your plan. You need a vendor risk management policy. You need a plan, you need procedures. You need procedures to deal with, if a vendor fails vendor risk management. What do we do? Do we have an exception policy? Do we have a policy about how long we’ll let them clean up certain things? So the tool without a policy and plan is nothing. And that’s really why so many of the tools have struggled a bit.

John Verry (19:19):

The other problem with third party risk management, which is dreadful and there’s no easy solution to it, is we have a client that’s a… I’ll call them a consulting organization. They’ve got 35,000 vendors. How do you do vendor risk management on 35,000 vendors? And how comprehensive a review do you do? I mean-

Eric Hess (19:36):

Risk weighted.

John Verry (19:37):

Yeah okay, but risk weighted, so there’s the question. But still, here’s the problem. People can’t afford to do vendor risk management. So what happens is they take massive risks. I know an organization that just recently, they’re trying to get the cost per vendor review down to the lowest amount possible. A low price to do a vendor risk management review, with fully automated outsourcing to a lower cost area. The Philippines, India, places of that nature. If you can get your cost per review for a medium or high vendor down to 1200 bucks, you’re thrilled. And that’s hard to do. If you’re going to do it on shore with good people and do it in a more comprehensive way, it’s not unusual for it to cross, three, $4,000.

Eric Hess (20:13):

You’ve seen a rise of these, I guess these organizations that aggregate the vendor risk reviews, so that you can just tap into what somebody else did. Of course, that doesn’t really get into specific use cases. What they answer for one doesn’t necessarily apply to you, and that’s really where it’s good to know their overall posture. But depending on the sensitivity of the data, that’s a check-the-box, and who’s reviewing that, and who’s following up on it? Are they just collecting it and saying, hey, I have it on my files. And what are the risks that you note and I’ll note them too, or is there any kind of review? And when I say risk weighting before, it’s tongue-in-cheek. Because risk weighting, somebody else has to administer to that. Like how do you risk rate 35,000 vendors? Oh, okay, thank you. I’ll now spend two years doing that.

John Verry (20:57):

Well, one thing which is crazy, you have 35,000 vendors. So clearly, you’ve got thousands of permutations of risk there. What data they have access to, what mechanisms they have access to the data through, and what laws and regulations the different types of data are subject to. The quantity of data that they have access to. Think about all the permutations, and now what’ll happen is, how many questionnaires do most organizations have? Three. Logically, vendor risk management is broken. And I’d love to tell you that I have an answer for it, but I really don’t. I think risk management’s a huge issue for the next 20 years.

Eric Hess (21:32):

So in one of your shows, you segmented clients, and I guess it’s prospects and the challenges that they face. There’s three buckets. Those who buy a product, but don’t know how to implement it. Organizations that are just framework-focused, which I don’t know is a problem necessarily, if you have the technical solutions behind it. And number three is technical solution-based organizations, which isn’t a problem if you have a framework behind it.

John Verry (21:56):

I can think of one guy in particular that I think is comical and he’s in a huge organization. But his answer, if you say to him, what’s your security strategy? He starts spooling off all the products that he’s bought and they’re tied to like the Gartner Magic Quadrants. You can go down the list, and [inaudible 00:22:10] Gartner subscriber and the funny thing is, he goes to the board and that’s his answer to everything. It doesn’t matter that they haven’t resourced the right people to run the tools. It doesn’t matter that they haven’t been configured properly. It doesn’t matter that not only did they have knowledge gaps, but they have coverage gaps. They’ve got monitoring gaps, so they’ve got tools that are not being properly managed. Or they’ve got multiple panes of glass instead of getting everything back. They never really truly operationalize any of the tools.

John Verry (22:34):

Like we ended up going in there to do some testing of an environment, it was comical. It was a super high risk environment. They are like, this is just a dot the I’s exercise. We scan this environment once a week. Which is really a lot, to scan an environment for vulnerabilities once a week. So we’re thinking, okay, it’s going to be a clean pen test. A minute into the pen test we’re like, these guys don’t scan this environment every week. This is a crap show. We chew up the environment, we gain all kinds of access and the guy is like, I don’t understand how this could possibly happen. He’s yelling at his people. So we take on a little extra effort. So we log into their Qualys console to look to see what kind of scanning they’re doing. And we realize that they’ve checked a little box that says, enable fast scanning.

John Verry (23:12):

And we’re like, you know what that box does. Well, you don’t scan the entire, all of the 65,535 ephemeral ports. You’re actually only scanning the top 100. So you’ve been running your scans for years wrong. And that’s an example of a product-focused guy. So if you’re listening to this podcast and you’re trying to figure out security, and you either think you should go to the market and buy something for each one of those things people tell you about, don’t do that. Or if you’re working with a vendor that the answer to every security question is a product, you’re working with the wrong people. The answer to most security questions is process, procedure, policy. They don’t know how to implement the product and to establish a policy. Management’s policy is promulgation of intent. What I want you to do. So until you define that, they can’t figure out, do they need a product or not? And they can’t figure out how to implement the product. So that was that side of it.

John Verry (24:01):

I think on the framework-focused, I think what I was referring to there is that you could be framework-focused in two ways, and I don’t remember the conversation. So we can be framework-focused, which I think is the positive way. Which is, hey, we’re going to align our security program with, and usually the two frameworks are going to be the NIST framework or the ISO framework. Which is really just well-vetted, well-documented guidance to ensure that you’ve got a comprehensive approach to information security. And an answer to any question that you have. Do I have to worry about this? Well yeah, the framework says, yeah, you should consider how you authenticate people and whether multifactor authentication should be in place. Or you need to have something to log, you should have some level of independent objective validation of things on a periodic basis.

John Verry (24:43):

It gives you all that good guidance to know that, hey, this is how I architect a program. So that’s the positive side of a framework focus. I think the negative side of a framework focus we see is where organizations say, hey, I have to comply with New York State DFS 500. Or I have to comply with HIPAA. And they look at that as being the sum total of implementation. We’re secure now, I implemented. Or we’re a medical organization, we implemented HIPAA. HIPAA only cares about PHI. You have credit card data in your environment, so that HIPAA validation has nothing to do with your credit card data. It has nothing to do with controls that live outside of that. So I think that’s where the negative of being framework-focused would be.

John Verry (25:20):

And then the technical solutions-oriented, my guess is what I was thinking about at that point, or talking about at that point, is that you have some people that come to information security from a heavy IT background. And there’s a particular framework that I think works really well for them. And that’s the Center for Internet Security Controls, the Critical Security Controls. It used to be called the SANS Top 20. It’s a great set of, a simple approach to information security. So if you’re a deep dive tech admin guy that’s got bits and bytes under his fingernails every day, and somebody says, you need to become more secure and you can’t afford to hire somebody like Eric or us. Grab a copy of the CIS CSC. It’s an open standard and it’s going to appeal to a technology person. Because it’s, how do you implement technology in a way which is going to align with the greatest amount of risk, which needs to be mitigated? It’s a very technical approach to security. My guess is that’s what I was referring to, in that podcast.

Eric Hess (26:11):

Yeah, and thanks for that. And it’s funny, we all come across people who think that just buying the tools, gets you to where it needs to be. Probably not as extreme as the example, at least on my side, but it’s amazing also with the gaps in coverage that gets created, with every new tool that you bring in, to the extent you’re not implementing it. You have to make sure that they’re working together. And if they’re not working together, you have a false sense of security because every single integration, if it’s not done correctly, could itself pose a security issue.

John Verry (26:38):

And the true cost of a tool is, and I don’t know what the exact number is, but it’s probably one fifth of the actual cost of the tool. Because then each year, you need to pay for the upgrades and things. I mean like my Microsoft Office 365 is a phenomenal environment. Their security and compliance center stuff is amazing. You implement that and say, hey, we should use this. You need somebody who’s paying attention to that every day, a decent percentage of the day just to stay on top of it, just to leverage it. So you’ve got this investment, you buy a tool, you’ve got to figure out what percentage of each person’s time needs to be involved in monitoring that tool. Validating that it’s working effectively. Adapting the tool as your technology changes. Adapting the tool as your security requirements change. Adapting the tool as you do business with new customers. Adapting the tool as you put data in different cloud environments.

John Verry (27:26):

If you implement AlienVault, great tool. You implement AlienVault and suddenly you decide to move some stuff into Azure. You’ve got a whole project to make sure that AlienVault is still managing that. You add a new application to your environment, so the care and feeding of this stuff is a bear and people really underestimate the ongoing cost of it and the ongoing level of effort.

Eric Hess (27:44):

And then sometimes, even I’ve seen situations where people get too much technology and when things don’t work together, somebody in IT will just turn it off. Because it’s, yeah, it was blocking me from getting into this program, so we shut it off. And it’s, okay, now that’s such a problem. If the people who are managing it, don’t even understand and they’re not coordinating and you don’t have enough expertise in it, to your point, they’re running Qualys, they’re doing a marginal scan, they’re probably telling the board and everybody else that they’re secure and they’re doing it. But meanwhile, they’re wide open vulnerable.

John Verry (28:17):

Yeah, that false sense of security is an absolute danger. And I do think tools have a tendency to create a false sense of security. Certainly in management. Management needs to go to the people that are looking to buy tools or implement tools and they need to say, hey, talk to me like I’m a five-year-old child. Until I understand everything that’s going to happen here, until you stop with the bits and bytes, stop with the acronyms. And until they get to that point, they’re at a loss to know whether or not. So management doesn’t realize that they’ve got a gap. And then unfortunately, I think sometimes the people themselves don’t know they have a gap. They turn on or off a feature, like they had no idea. Management truly thought the guy directly responsible for doing the scans and the people that were his bosses and his bosses, absolutely thought that they were 100% covered. They were shocked.

Eric Hess (28:57):

So you’ve also done a lot of work with regards to CMMC. Do you want to tell us about what CMMC is and how it interrelates with NIST and ISO 2701 or 27001?

John Verry (29:13):

You hear it said both ways. Yeah CMMC is going to go down, I think, in InfoSec history as perhaps the most significant standard, perhaps of all time. That might sound like hyperbole. And it is, but I actually think it might actually be. So CMMC started life as, it’s called the Cybersecurity Maturity Model Certification. And CMMC started life because in 2015, the defense industrial base, or the DoD said, hey, we’ve got 350,000 odd companies in our defense industrial base, our defense supply chain. And we need to make sure that they’re properly protecting data because we’re bleeding, I think the number is $650 million worth of intellectual property every year. Because they are not very secure. To that, the F-35, I think it was called, jet, which cost us, it took us 15 years and a billion dollars to build, the Chinese were flying one that looks remarkably like it, down to wingtip dimensions two years later. So they said, this isn’t good.

John Verry (30:11):

So in 2015, roughly, they came out with something called NIST SP 800-171, which was mandated by a DFARS clause. DCMA runs the budget and purchasing defense contract management association. And there are these clauses called DFARS. And it said, hey, you need to prove you’re secure to us. And the way we’re going to ask you to prove you’re secure is comply to this NIST SP 800-171. And that’s the 110 good security practices that should protect what we call CUI, controlled unclassified information. So the way that they were going to prove it is you were going to get a piece of newspaper or lunch bag, and get a crayon and put an X on it and send it to us. And now we’ll know you’re actually doing what you’re doing.

Eric Hess (30:55):

Sounds like a good system.

John Verry (30:57):

Yeah, shockingly it didn’t work. It literally, there was no enforcement, it was fully like an honor system.

Eric Hess (31:02):

Maybe it was the wrong crayon.

John Verry (31:05):

Yeah. They should use marker, because that’s permanent. A crayon, you can erase.

Eric Hess (31:09):

So self-attestation.

John Verry (31:10):

Yes exactly, that’s the fancy word for it, yup. So that didn’t work. They said, we’re going to up the game a little bit, and we’re basically going to make you be subject to a third-party audit to validate that you’re implementing these controls. And while we’re doing that, why don’t we make this a little bit more robust? So why don’t we give you a CMMC Level 1 option, which is good for what we call federal contract information, which is information that doesn’t rise to the same level of treatment or risk as CUI, but still needs to be protected. And that’s what CMMC Level 1 is and it covers 17 controls, which are necessary to do that. We’ll take CUI and we’ll still hold it to 800-171, but we’re going to add a few more controls to it. So we went from 110 controls to 130 controls. But we’re going to have a more formal way that we look at the processes necessary to ensure that those practices are being properly implemented. That’s where the maturity concept comes in.

John Verry (32:00):

So now we’re up to 130 controls and 51 processes that we look at, or 130, they call them practices or controls. And then we’ll also add a Level 5, and that’s going to be for really super high risk systems. Think about space stuff, think about munitions. And that’s a Level 5 and that’s up to 171 controls with the big difference being that the 41 additional controls are largely focused on what we call advanced persistent threat. So that’s CMMC in a nutshell. And where now it’s getting even more interesting. So you say to yourself, okay, 350,000 organizations, the rough numbers, probably 40 or 50,000 of them probably fall into a CMMC Level 3. Well to put that in perspective, we probably have 40 to 50,000 ISO 27001 certificates in the world that have been issued since 2005. So now you’re saying, hey, we’re going to have the same number of organizations have to comply with a similarly complex standard in a four-year, five-year period. So that’s why it’s such a big deal.

John Verry (32:53):

And here’s where it gets bigger. So the bigger is that CUI is defined by NARA, National Archives and Records Association. And CUI is not just DoD data. Student information is CUI, and lots of other data that we operate on every day. So any agency that has CUI is suddenly going, we could use this. So now what happens is, so we heard talk about OCIE and SEC using this, there’s open talk about it being used as part of the Sarbanes-Oxley program, which would mean that every public company would have some level of CMMC going on. Department of Homeland Security was quoted last week saying they’re going to issue contracts this year that are going to require CMMC. And then lastly, well not lastly. Last week, if you’re familiar with FERPA which is, the standard which applies to student records of CUI. So all of the institutes of higher education have been put on notice that you should start looking at NIST SP 800-171 and CMMC, because we’re going to start using that.

John Verry (33:54):

And then lastly, and perhaps most important, GSA, the Government Services Administration, which is the entity that procures most IT services for the federal agencies, included it in their Polaris contract. Explicitly. So anyone who’s going to bid to be an MSP, an IT services provider, provide IT service to the government, in theory, is going to need to be conformant with. So that’s where I look at this thing and say, holy shite, where’s this going?

Eric Hess (34:20):

And it’s interesting, because it seems that the organizations that would be covered, the contractors who are servicing the government, they also have vendors. And so it starts to really trickle downstream, because if they have to comply with CMMC, the vendors that serve them, presumably also have to satisfy or have to map to those controls that they’re trying to achieve on their side.

John Verry (34:43):

That’s an excellent point. And that’s another reason where this gets nutty. So what happens is, at least in the DoD, which is where we have the actual laws and regulations that have been issued. So under DFARS, they’ve added three new clauses, 7019, 20 and 21. And specifically in those clauses, they obligate you to verify that anybody that you’re sharing the information with, any downstream vendors, anyone in your supply chain, is adhering to the same standard. So like you said, now, you’ve got 300,000 at this level, but they all have three people. And then those three people each have two people. And suddenly, you’ve got every mom and pop, you’ve got the corner bodega, needs a CMMC certificate. You know what I mean? The implications are absolutely nutty.

Eric Hess (35:25):

And is SolarWinds driving this narrative more or not really, it was being driven well before SolarWinds and hasn’t changed?

John Verry (35:34):

Yeah, so I think what SolarWinds will do is, CMMC came into the broad stream narrative probably a year and a half ago, where you started to really hear about it. So this is not a reaction at all to SolarWinds.

Eric Hess (35:47):

But is it accelerating it?

John Verry (35:48):

I think that every major breach that creates that level of awareness is going to accelerate people’s concerns with regards to the security of their information, when they share it with a third party. So I think it would be crazy to say it’s not impacting it or accelerating it. I think what it’s going to do is put an increased level of emphasis on the supply chain, this validation. So if I was going in to audit an organization, I think based on the fact that SolarWinds is so prevalent on people’s minds and that the requirement is there, I think I would probably dig a little deeper into their third party risk management processes, and confirm that they’ve truly done their due diligence with their vendors. So, yeah, I think if you’re a third party risk management person, I do think CMMC is going to have a positive impact on your business.

Eric Hess (36:36):

And if you’re an accounting firm and you’re doing SOC 1, SOC 2 SSAE 16, 18, whatever the number is, that gets released in the near future, are those firms now going to be mapping directly to CMMC controls?

John Verry (36:51):

So now you’re into another really interesting tidbit here. Recently, you’ve got Katie Arrington, who’s, I forget her exact title, she’s effectively the lead dog, if you will.

Eric Hess (37:04):

Right. And I’m going to do a little Virtual CISO promo here. Katie Arrington was on John Verry’s show. So you might also want to check that out.

John Verry (37:11):

Yeah, Katie Arrington is fantastic. She’s a patriot, she’s done a tremendous amount with this program. And I tip my hat to her. What was I saying?

Eric Hess (37:18):

I shouldn’t have done the promo. We were talking about SOC 1, SOC 2, the…

John Verry (37:23):

Oh, okay. So now you’re into a really interesting… Katie Arrington recently said that they’re looking at reciprocity. And she specifically mentioned under reciprocity, FedRAMP and ISO 27001. We don’t know exactly what that means, because there’s a lot of areas. She did not mention reciprocity to SOC 2. Might’ve been an oversight, they might be planning it. So there’s an interest in what exactly reciprocity is going to mean. There’s another implication, which is really interesting to me. Because we make the bulk of our money helping organizations get ready to prepare for and maintain ISO certification, SOC 2 attestations, FedRAMP, HITRUST, those types of standards, CMMC. So if your Helical organization decided it was going to do work for somebody in the DIB, and you got CMMC Level 3-certified. Now, I come to you and say, I want you to be ISO-certified, or SOC 2-certified. What’s the first thing you’re going to say? It’s, hey, I’m already CMMC Level 3, which is equal to, arguably, or pretty damn close or better than. I think we can make arguments both ways.

John Verry (38:21):

If I offered you, generally speaking, if I offer you an ISO certificate, a SOC 2 certificate or I offer you a CMMC, wouldn’t you largely accept all three of those as being pretty indicative that I’ve got a good security posture?

Eric Hess (38:32):

Presumably, unless there was a requirement, presumably rebuttable, that it has to be a SOC 2 audit.

John Verry (38:37):

Right. So that’s what I think is going to happen. I think that once a company has got a CMMC Level 3, I think they’re going to say, wait a second, I’m not going out and getting another ISO or a SOC 2. I do think if you look forward, N years, where N is probably more than two and less than five, I think that you’re going to see CMMC Level 3. If it goes on the arc it is right now, reducing the number of companies they’ve got ISO 27001-certified or SOC 2 [inaudible 00:39:00].

Eric Hess (39:00):

You would hope, right?

John Verry (39:01):

Unless you’re a CPA firm.

Eric Hess (39:03):

Right, right.

John Verry (39:05):

Because that’s a lot of their revenue. A lot of CPA firms, their SOC 2 business is a huge part of their revenue stream.

Eric Hess (39:11):

Right. I mean, I know that there’s always new standards coming out too. There’s one called a fair framework now. I don’t know if you’re familiar with it. I’m not passing judgment on it. I haven’t looked at it in great depth. It’s another continuous maturity model. And with a lot of these frameworks, I think it gets confusing. I mean, you can sit there and you can map NIST to ISO. If you comply with NIST, somebody says to me, hey, are you ISO compliant? As long as I don’t have to do certification, I’m like, it’s NIST, okay. It’s largely compatible, we can map the controls, et cetera. But we might go with NIST, because that’s what we do more of than ISO. But where does this break? I mean, it sounds like CMMC might be sort of pushing that breaking point where companies just say, okay, how many different standards do I have to comply with?

Eric Hess (39:55):

How many people do I have to employ to sit there and say, well, it’s this control here in ISO. And then there’s this one in NIST and then there’s this one in CMMC. And then, here’s the flow chart on a single control. Okay. Here, how it maps across all these 10 different controls. Okay, next control, because there could be a lot. On some level, obviously for HIPAA, for HITRUST, for FFIEC, for the regulatory based requirements, frameworks fit into those. But if you have an obligation to comply with specific frameworks, with regards to some clients, some governmental organizations, your regulator, where do you see this all going? Because it seems like it’s unnecessary at a certain point.

John Verry (40:36):

Yes, it’s very frustrating. I mean, the only thing worse than not enough guidance, is too much guidance. And we certainly have too much guidance. To be honest with you, we make a lot of money because there’s too much guidance. Because people come to us and go, I can’t keep up with all this crap, figure it out for me. I work in three different verticals and they’re asking me for 13 different standards, how do I normalize these? How do I figure what the high watermark? That’s what we do every day. Where it gets interesting, and this is a ton of conjecture here, we’re reading tea leaves. But if you think about it logically, to this point, there’ve been two major standards in the world. There’s ISO and there’s NIST. Those are information security frameworks. And NIST is a US-based centric standard. And ISO is most of the rest of the world. Certainly Europe, Japan, England, Australia, very ISO-oriented.

John Verry (41:18):

So we had these two different, complementary, but competing frameworks. Then what happened is that we have attestation frameworks. So SOC 2 is an attestation framework. It’s not a control framework, it has controls in it, but you probably build your controls using ISO or NIST guidance. Just to simplify things. And the reason why the CPA framework got… they wanted to make sure that the IT systems that were producing financials could be trusted. And that’s where SOC 1 rolled in and SOC 2 rolled in, accuracy in financial reporting. So what happened was AICPA is a very important, powerful part, because they were part of the financial audits and they were already in talking to management, SOC 2 became an alternative attestation framework to ISO 27001. Because there wasn’t a federal government framework. There was no FedRAMP, there was no CMMC.

John Verry (42:06):

So now where does this go? Well, what percentage of revenue and what percentage of our economy, excuse me, is tied into the federal government? An inordinate percentage. But if you think about it logically, so many people are going to end up getting the government attestation now that we have one, because by the way, all of this data that we’re talking about is considered CUI. So right now, HIPAA or the CMS InfoSec program could be totally rejiggered tomorrow to say, oh, we’re going to just use CMMC Level 3. That would mean every healthcare organization in the country suddenly is looking at their ISO certificate, they’re looking at their HITRUST certification, they’re looking at their SOC 2 and going, wait a second, I’ve got to comply with this one from the government.

John Verry (42:43):

So now you have an attestation framework from the government. We’ve never had an attestation framework from the government. So to me, I think that if you ask me who’s in more trouble, ISO or SOC, I’d say SOC, because ISO is outside of our borders. AICPA is inside our borders, and now is competing inside of our borders, that’s government mandated and government centric. And that’s where a lot of people make their money. So I think that that’s where SOC 2 is in danger. Where ISO could be in danger, and this gets really interesting, is our weapons programs and our national defense is not solely… we have the NATO Alliance. And I’m not smart enough to tell you the number, what is it, seven organizations that are part of NATO?

John Verry (43:21):

Well, what’s happening is in order for those organizations to participate in our food chain, and a lot of those members are members of the defense industrial base and defense supply chain. The NATO Alliance is starting to actually use, it was probably going to use CMMC. If the NATO Alliance starts to use CMMC and most of those NATO alliances are now ISO entities, we may see ISO take a little bit of a backseat to CMMC. If you want to pitch that CMMC is going to become the be all end all, that’s the path of it happening.

Eric Hess (43:48):

But if you think about it, unfortunately, there’s sort of two different interests at stake. If we talk about SOC 1, SOC 2, we’re going to get a little political. So if we’re rolling with the premise that CMMC is actually the right framework. It’s the one that has emerged based on the history of NIST and ISO and this is the framework that makes a lot of sense. I know, even on your show, you talked about how, and I’m going on a little bit of a tangent. You talked about how Level 1 is actually an excellent framework for small to medium sized businesses to operate from. And they’ve really focused on keeping it simpler, and more understandable. And it’s incorporated prior learnings into it. But when we think about something like SOC, and I know I’ll make some enemies with my accounting brethren here.

Eric Hess (44:30):

But on the one side, you have sort of a national arguably inefficiency. Meaning nobody likes to have to get these multiple certifications or comply with multiple frameworks, spend the additional money on SOC and then also have to comply with the CMMC and get audited there, have to pay out twice. But it is a significant inefficiency, it’s a drain on industry that they have to pay. It’s a cost of doing business, you’re reducing profitability. It has implications for the economy. For those that are doing the audits, they’re making money. So on the one side, you have the broader inefficiency, and then on a more concentrated side, you have all these consulting and CPA firms that do have lobbying forces in DC.

Eric Hess (45:16):

So I’m going to put you on the spot and you can say I don’t know, but I probably won’t accept that. Who wins? What’s going to push it over the edge when you have a concentrated group that is actually much more interested in perpetuating the current SOC 1, SOC 2 structure and maybe more resistant to seeing that go away? I’d love to get your thoughts on that.

John Verry (45:38):

That’s a great question.

Eric Hess (45:40):

He’s like, dammit, Eric, why couldn’t we just have stayed on the other topic, right?

John Verry (45:43):

Listen, I’ve got to be honest with you, I love reading tea leaves. I love trying to outsmart the market and kind of get ahead of things. So it’s fun to ponder these issues. If I had to venture a guess, most of the CPA firms that I know that make a lot of money doing SOC 2 and SOC 1 and other forms of InfoSec oriented attestations, have always hedged their bet. Most of them do SOC 1, SOC 2. Most of them are ISO registrars. Many of them are FedRAMP 3PAOs. And many of them are in the process or have already become C3PAOs. So I think to some extent, they’re going to look at this and say, do I really care if I’m charging you 40,000 bucks for a SOC 2 Type 2, or I’m really charging you 40,000 bucks for a CMMC Level 3 certification? As long as I’m the one delivering said certification. And on top of that, they’re also very smart in that there will be some industry-specific standards that I think probably are not going away. Like the Payment Card Industry Data Security Standard. There’s some uniqueness there. I think that, you’re never going to have a CMMC do a very good job of applying directly to that without some changes, which probably wouldn’t be good for CMMC.

John Verry (46:49):

So there are also QSAs. I think, to some extent, they’re going to want… I think AICPA is going to be more concerned about SOC 2 losing favor, than the actual CPA firms are. Because their logical pivot is to become, CMMC Level 3 and they’re already trusted advisors to the core business people. I think the CPA firms will navigate it well. I think the AICPA will, that’ll be a fun one to watch.

Eric Hess (47:16):

Interesting. What do you think the forces are, that’s going to result in industry or the government saying this is a net tax on business? That we don’t have a more unified framework, that there’s confusion, that they have to sort of map across different ones. And some people say, well, it’s not really that big, once you map it, it’s no big deal. But when you get into things like certifications and the import of that certification, I mean, I guess you could just say you have to certify across ISO, NIST, CMMC, and that’s one certification or one audit. But is that the path that it goes, or does it go the path where they basically say, we need a CMMC, and it just sort of… the other ones naturally fall away? What’s the triggering event that sort of starts to get some more clarity and more standardization around these frameworks?

John Verry (48:12):

I think we’re in that triggering event. I think CMMC is the triggering event. Now, whether or not it will actually go to the end game that we discussed, who the heck knows? And I also think there’s a complexity to this that will never go away, unfortunately. I’d love to tell you that we could get to a point where there was one standard. And realistically, who cares? ISO, CMMC, SOC 2, let’s get to a point where there’s one open, trusted standard. Everyone knows how to do it. There’s clear and unambiguous guidance. There’s a playbook and we’re all more secure. Where I think the complexity comes into play is that, technology evolves every day. So as we’ve migrated to be more cloud-enabled, what if your standard is not super cloud-oriented and doesn’t do a good job of addressing cloud risk? We’ve got the Internet of things, which is going to be another amazingly significant change in the world over the next five, 10 years. What we’re going to see there.

John Verry (49:02):

Well, IoT risk, embedded technology risk is radically different than risk to conventional business. Although conventional businesses are part of that risk profile and they don’t really even know it. Then you’ve got operational technology. SCADA systems and industrial control systems and smart factories and things of that nature, which are both an IoT risk and a separate operational style risk. Which, again, needs some specific guidance around it. And then the last one of course is privacy, has become just a bear. We’ve got GDPR, we’ve got APAC, we’ve got the California Consumer Privacy Act. Privacy is different. So we’ve got to address privacy. I don’t know that there will ever be a one-size-fits-everything standard. I think the question is, can we reduce the number of similar standards and consolidate to one there. So that way, the special purpose standards, which are just a natural evolution of evolution, we’ve got less to worry about. We don’t have 50 things we’re looking at, we’ve got five.

Eric Hess (50:01):

And I think ultimately on the privacy side, we will move toward a federal law. It’s in the cards, it’s just a question of when. Because various states are going to have to adopt these privacy regulations. People are going to be screaming the same cry, which is how do I comply with 50 different states?

John Verry (50:16):

Two things there, I think you’re right, for sure, what you just said. And A, there is a NIST privacy framework, I don’t know if you’ve seen that, that came out last year.

Eric Hess (50:23):

Yep, excellent-

John Verry (50:24):

And it aligns with the NIST cybersecurity framework. So I think that it kind of was built in a way that, you can integrate your InfoSec and privacy; management programs. Which is a really powerful thing. ISO does that with 27001 and 27701. So I think that’s really reading the tea leaves.

Eric Hess (50:39):

I like what NIST did, that was very prescient of them to do that. Particularly given that you’re just seeing more out of California, which is probably going to, in some ways, set the standard for the rest of the country.

John Verry (50:52):

They always do. I mean, where does all new regulation come out of? Not all, but a lot of it. California SB-314, that was the original breach notification. And then we ended up with 50 state standards. Actually, all 50 states now have… Arkansas finally produced the standard 15 years later. So I think every state has a standard now. And California is ahead of the game as well. We talked about IoT and IoT risk, California SB-327, California is a pain in the butt.

Eric Hess (51:16):

But California does have, it’s always funny because in contracts, if the other side says choice of law is California, or they could just as easily say Louisiana, which is under civil law. And I always, the first time it got back to my client is, absolutely not. We’re not stipping to California law. And it’s like, why? Well, because California is like a different country in terms of law. Louisiana does the same thing, it’s civil law in Louisiana. But California definitely has more statutes, more pitfalls, and I don’t even want to go there. I’m like, I’m not licensed in California. You’d have to get a licensed California attorney to tell you what you just signed. I can help you if it’s based on like Delaware or New York or conventional states, but California, forget about it. There’s no way.

John Verry (51:55):

Yeah, yeah it’s a different beast.

Eric Hess (51:57):

Anyway John, it’s been tremendous to have you on the show. This has been a great conversation.

John Verry (52:02):

Cool, I enjoyed it.

Eric Hess (52:04):

Yeah. We hit a lot, but I think one of the big takeaways for the people listening is, CMMC is an important development in cybersecurity frameworks. Meaning how your organization complies, versus just a technical solution. It’s what you put in place, overall governance and the framework for executing on that. And John, certainly, has been doing a hell of a lot in this space. So certainly, he can assist organizations as well. I’m not stumping for him, because I don’t do that in this podcast, but he does have an expertise in it. So certainly somebody who, I’m sure, organizations looking at this should talk to. So John, if people want to find out more about you, about Pivot Point Security, pivotpointsecurity.com, where can they find out? Twitter, social media, anywhere else?

John Verry (52:47):

Yeah we’re on all of that stuff. I mean, I think the easiest way, like you said, is reach out to Pivot Point Security, or info@pivotpointsecurity, or john.verry@pivotpointsecurity or anything, someone’s going to get back to you.

Eric Hess (52:59):

There you go. They’ve got a great podcast, Virtual CISO, that I listen to as well.

John Verry (53:04):

And I will just put in a little plug here. We have this really intelligent lawyer guy that’s going to come on our podcast as well, because I want to chat with him about, when do you call your lawyer and when do you call your information security person, and when do you call both? Because really right now, especially with privacy and information security going in the direction they are, which direction to go is not often easy to figure out.

Eric Hess (53:27):

I’d be so interested in hearing that one. I’m sure I’d learn a lot. Anyway…

John Verry (53:32):

I hope you’re interested in more than listening to it, because otherwise I’ve got to find a different guest to record it.

Eric Hess (53:38):

There you go. I’ll listen to it, for sure. Anyway, so again, John, thanks so much.

John Verry (53:43):

Same here, man. It was good to catch up.

Narrator (53:45):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.