In this special episode, we’re sharing a guest appearance I made on The Perfect Storm. During that episode, I shared how Pivot Point Security helps companies achieve security and compliance throughout different regulatory frameworks and a three-part process for validating your security processes.
- What services Pivot Point Security offers
- Helping clients understand the importance of cybersecurity
- 3-part framework to validate security
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:06):
You’re listening to The Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you, as always, your host, John Verry. And with me today, again, is Andrea VanSeveren.
Andrea VanSeveren (00:36):
Hey John. Hey everyone.
John Verry (00:38):
So this week was a little bit different. We try to take advantage of those guest podcast appearances. And so I was on a podcast called The Perfect Storm with Harbor Technologies. By now, you’ve probably had a chance to listen to it. What did you think?
Andrea VanSeveren (00:51):
Yeah, I thought it was great. You were really able to get into our value to customers, and how we can help different companies achieve security and compliance throughout whatever regulatory framework: CMMC, SOC 2, ISO, vCISO.
John Verry (01:06):
Yeah, it was kind of fun, because Matt Webster, who was the host of the podcast, is, I’d call him an old friend of mine; he’s somebody I’ve known for a while. And it’s funny, he’s our competitor. So kind of funny that he invited us on his podcast, and also kind of funny that we’ll probably have him on ours, because I think the Harbor Technology Group, I think, they’re a good group of guys, really smart, and somebody I enjoy very much seeing. We had a great time going out for a couple of beers afterwards and talking shop. So, yeah I thought it was a great podcast. I think Matt is a really smart guy. So I’m glad to hear you enjoyed it.
Andrea VanSeveren (01:45):
I think our listeners were too. And so if you want to check out John and Matt, and learn more about how to validate your security program using our proven and repeatable process, whichever standard you’re working on, you want to check out the guest appearance on The Perfect Storm.
John Verry (02:03):
With no further ado, let’s get to the show.
Speaker 5 (02:21):
Welcome to The Perfect Storm. A biweekly podcast for business executives and cybersecurity professionals. Industry veterans Michael Markulec and Matthew Webster chat with guests about the latest cyber news, threats and trends, and how all of it impacts their businesses. Harbor Technology Group is a cybersecurity consulting firm, that offers advisory services to the SMB. Harbor believes by taking a proactive, rather than reactive approach to cybersecurity, business leaders can develop a cybersecurity program that will address external requirements, exceed client expectations and ultimately take their organization to the next level. Harbor’s innovative processes are based on industry standard frameworks that are tailored to meet the needs of small and medium-sized businesses.
Matt Webster (03:22):
Welcome back to another episode of Harbor Technology Group’s podcast, The Perfect Storm. I’m Matt Webster, and today I have with me John Verry from Pivot Point Security. John is the CISO/Solutions Director at Pivot Point. He’s also a dear friend, somebody whose opinion I value greatly. Interestingly enough, and we’ll talk about this a little bit, we consider ourselves competition. Both of our firms sell very similar products. They’ve been doing it a little bit longer, they’re a little bit bigger firm. They do a fine job, having talked to a number of their clients. So if you need some help around, let’s say, ISO certification or prep for it, well John will tell you more about his firm here in a second.
Matt Webster (04:07):
So John, thanks for joining.
Matt Webster (04:10):
Good to see you. Sorry to steal your thunder there, I should have mentioned, this is the first podcast we’ve recorded in person. So, glad to have you in the office.
John Verry (04:19):
So I have the joy of sitting across and seeing your smiling face. And the only thing different this time is normally you and I have a beer in front of us…
John Verry (04:26):
… Which probably is going to happen 10 minutes after this podcast is over.
Matt Webster (04:29):
That’s true, yeah. I think there’s a better than not chance that’s going to happen, since we’re just down the road from Troon.
John Verry (04:34):
Right. And listen, thank you for that very nice introduction. And I would echo the same thing about Harbor Technology Group. Definitely a competitor of ours, but a very good competitor. I think the biggest difference between our service offerings is the people who deliver our services are a lot better-looking than the people who deliver Harbor Technology Group…
Matt Webster (04:51):
… Well, which is a super important thing. A lot of RFIs and RFPs I see, have a placed insert photo.
John Verry (04:59):
“Perhaps your board prefers a more handsome individual presenting the [inaudible 00:05:03]…”
Matt Webster (05:03):
“… Then call Pivot Point,” yeah.
Matt Webster (05:06):
So John, tell us a little bit about Pivot Point.
John Verry (05:08):
I think we’re pretty easy to understand. We’re an organization that helps organizations that need to prove they’re secure and compliant to do so. We do that through a group of tightly interrelated services. We do a lot of helping organizations build and optimize their cybersecurity programs, and achieve conformance and attestations, from things like ISO 27001 and SOC 2 and FedRAMP and HITRUST, and now of course CMMC in today’s world. Of course, if you’re going to act in that type of role, you need to understand the underlying regulatory compliance frameworks that will feed into those. You got to think about things like HIPAA, things about the California Consumer Privacy Act, PCI-
Matt Webster (05:46):
[Crosstalk 00:05:46] insert abbreviation here. Right.
John Verry (05:51):
Insert acronym here.
John Verry (05:52):
We have a security assessment practice where we help organizations prove that their networks and applications and cloud infrastructure are secure. Think of things like vulnerability assessments, penetration tests, things of that nature. We have, like you do, a virtual security team, virtual CISO service, where we’re flexing in both that strategic component, and then perhaps some operational component. Like most frequently in things like vendor due diligence reviews, some organizations who build them under due diligence program don’t have the staff for it, but they need someone to execute it. So we might be doing that on their behalf. And that’s the core of what we do on an everyday basis.
Matt Webster (06:29):
Not that we’re going to talk that in-depth about ISO certification or vCISO, because we both get a chance to talk about that all the time, but I would say, just for our listeners out there and the businesses that we serve, you are probably seeing a lot more business in and around SOC 2 Type 2, as well as ISO certifications being required through these third-party assessments that are coming in, as well as more interest in the vCISO model for your clients, I assume.
John Verry (06:59):
Yeah. So, attestation is the key now. So if you’re going to process somebody else’s data, you’re going to need to be able to prove that you’re doing it in a way which is responsible, and achieves their [crosstalk 00:07:11].
Matt Webster (07:10):
Your word is just not good enough.
John Verry (07:12):
Yeah, exactly. And what I also stress to people, is organizations will say, “You don’t understand, we’re a small company.” It doesn’t matter if you’re a small company. It matters how big your customer is. If you are doing work for Ford, or Microsoft as an example, if you’re doing work for Microsoft, you need to be 27001 certified. You can be a one person company. In order to get a contract, can you be 27001 certified. We recently worked with a law firm, two lawyers, 27001 certified. They spun off from a larger firm…
Matt Webster (07:40):
John Verry (07:40):
They could still double financial service organizations; big banks. And banks said, “We don’t care how big you are. You need ISO.” So, yeah. And I think the other area, and you guys know this as well, that the massive growth opportunities in the cybersecurity maturity model certification, anyone that’s in the defense industrial base, defense supply chain, which is odd 350,000 organizations is going to need to be provable to either level one, if they’re only processing FCI, or level three if they’re processing CUI and FCI. And then we know now, Department of Education as an example, has said they’re going to use it, and has advised its two tier education. Colleges are going to have to go towards 800-171 CMMC. So, yeah this idea of someone having a Good Housekeeping seal of approval, like ISO, like SOC, like CMMC, like FedRAMP, like StateRAMP, which is another new standard that’s out there, yeah our business is booming in that space.
Matt Webster (08:34):
That’s right. It’s funny. So my wife and my daughters listened to our first podcast, when Michael and I did it. And-
John Verry (08:41):
I don’t think my wife has ever listened to [crosstalk 00:08:43].
Matt Webster (08:45):
I’m not sure why they did, but they did. But they were laughing like, “It was really good and kind of funny and all that, but we didn’t understand a word of it, because there were so many acronyms and abbreviations.” So let’s talk a little bit more about, just like the human decodering for executives of companies. I know that they all take cybersecurity very seriously, and the requirements that are being placed upon them from their clients, whether it be the defense industrial base or Microsoft or insert bank name here. So how do you work with your clients, so that they can understand the importance around cyber?
John Verry (09:18):
Yeah, that’s a really good question. And it’s funny, because we just went through a process where we were trying to, honestly from a marketing perspective, do a better job of understanding how we bring value to our clients. And as we worked our way through that, we realized that literally every engagement that we do, follows a very fundamental process, whether it’s a penetration test for a single IOT device, all the way up through developing a cybersecurity program for a global organization. And what’s interesting about it is that I started to work with some boards and some CXO suites, to use the same basic principle of the way this process works, to be able to help them effectively manage and govern their cybersecurity programs, because it’s very hard for somebody who doesn’t know all the acronyms; doesn’t know what FIPS 140.1 level two encryption is, relative to some other form.
John Verry (10:11):
And then the second thing is that, and you know this, you’ve been in the field a long time, you get InfoSec people that bully people that don’t know InfoSec.
Matt Webster (10:20):
Yeah, no doubt about it. Technology in general is guilty of that, right now with InfoSec and cyber being such a hot thing out there. I never forget when I first got into cybersecurity. This was right before the millennium. Really the pressure on selling organizations that were working in and around cyber was like fear, uncertainty, and doubt. Just scare the crud out of everybody, which is that idea of bullying, et cetera, that we’re smarter than everybody else, we really know how much trouble you guys are all in. It’s really just not a good way to partner with people. And it turns executives off, for sure. Because executives, they’ve gotten to those positions because it turns out they know what they’re doing, and they’re smart people.
John Verry (11:03):
Yeah, we’re all ignorant of something.
Matt Webster (11:05):
Right, of course.
John Verry (11:06):
I always laugh with the guy who provides us with insurance, because I was in his office one time, and he’s got this T1 connection coming in from somewhere. It’s a little office. I’m like, “Why do you have a T1 coming into your office?” He’s like, “I think the insurance company put it here.” I’m like, “What are they doing with it?” “I have no idea.” I said, “Is it security?” Because I have no idea. And I’m laughing at him. And I’m like, “God, you’re an idiot.” And he looks at me, he says, “Yeah, you’re an idiot with regards to you don’t have enough life insurance, you don’t have [crosstalk 00:11:31].” So we’re all idiots about something, even the smartest executive.
John Verry (11:36):
So, the idea is that you can take a very fundamental approach, several questions that anyone can answer in theory, or anyone can ask, and if you can interpret the answer and determine, do I have an issue here or not; is our cybersecurity where it needs to be. What it also turns out is that if you use it as a CISO or an IT person that’s responsible for security, it reverses the other way, because now the question that they would ask you is if you’re communicating to them in alignment with that question. Now you’re talking in business language, not IT and InfoSec language. And what’s the value of that? Well, we’re both talking about risk and the same impact criteria, it’s going to help them understand what you need, how you need it.
John Verry (12:21):
Because you need, as an IT or IS director, for you to be resourced appropriately. You need enough cash, you need enough people, you need vendors, you need products. So if we can kind of bridge that gap and have them both talking at an intermediate level language between two fields-
Matt Webster (12:40):
Again, the human decodering in a sense, or the translator.
John Verry (12:44):
Yeah. So if you think about it, the way we kind of define this is that there’s three core things that you need to be secure. You need a vision, a clear picture of where you are and where you’re going to. And ideally you’ve aligned that vision with what I’ll call trusted frameworks. So that means that you’re leveraging NIST guidance, you’re leveraging ISO 27000 series-
Matt Webster (13:04):
Whatever the framework or combinations of frameworks that you’ve got.
John Verry (13:07):
Yeah, Open Web Application Security Project if you’re an application development firm or SaaS or [crosstalk 00:13:12].
Matt Webster (13:11):
I appreciate that you’re not using all the acronyms at this time.
John Verry (13:15):
You’re welcome. It’s good that you’re the human decodering to my [inaudible 00:13:18].
John Verry (13:19):
So you’ve got these trusted frameworks, because trusted frameworks provide a lot of value to organizations. It ensures that every product that you buy can inter-operate with each other. You’re not after these silos. It also ensures that you’ll be able to find resources that are going to be able to support your program, whether that’s internal resources or external resources. If you align yourself with the John Verry information security program, there’s John Verry who can support you. And the minute that John Verry is no longer there, you no longer have a resilient cybersecurity program.
Matt Webster (13:49):
And that was a huge problem we were seeing before we started Harbor Technology Group. At a previous firm, we would engage with the E&Ys and the Deloittes of the world. And they built their own frameworks that they were using to measure against. And they were basically doing that to create lock-in, where customer A or customer B couldn’t go to somebody else, because they had to basically start over. So these frameworks that have been developed, I’m a little bit biased to NIST and CSF. I also think that the cybersecurity framework is a general framework that was developed in the 2000s. It’s a way of, if Harbor Technology Group is in there doing risk management work and offer vCISO for a customer and they’ve decided they want to move on, they could easily go to your firm, and we can hand all the documentation over, and you’re like, “Okay, this makes sense.”
John Verry (14:37):
Yeah, “I can pick this up. I know exactly what this control is, I know what it’s intending to do, and I know how to metric it.” Yeah, I agree completely. So, you’ve got that vision. So if you are chatting with your IT director or InfoSec guy, do they have a clear vision? Are they able to hand you an information security strategy?
John Verry (14:55):
The second thing is that we need to execute on the vision. So if you think about it, security is nothing… And one of the questions that I’ve heard you ask other guests is, what is cybersecurity. And really, to me, cyber security is, increasingly I think of it as just a set of repeatable processes well executed.
John Verry (15:14):
And it’s very easy-
Matt Webster (15:15):
Well executed is because the true sign of insanity is doing something over and over again for the same result. So it has to be effective, right?
John Verry (15:24):
Yeah. And the challenge you run into is that it’s easy to build a cybersecurity program. It’s hard to operationalize one. So, to me, that’s that execute side. And then once we’ve built the set of repeatable processes that hopefully we’re executing in a consistent fashion, now the next question is, is it working? Are the controls actually operating the way we intended, and are they producing the desired outcome? And do we have a way of proving that? As management, I’ve got these trusted processes. Are they creating the trusted information that I need to know that my information security risk is being effectively managed? And perhaps more importantly these days, that we’ve got an information security program and strategy that is a business enabler. Because if you are going to drive your company from $1 million to $3 million, that means you’re going to bring in new clients. And perhaps you’re processing different types of data, perhaps you’re spinning up different types of services, and you need that information. So if [crosstalk 00:16:26].
Matt Webster (16:26):
If nothing else, you’re going to be exposed to more companies, if nothing else.
John Verry (16:29):
Exactly, with more client contractual obligations or [crosstalk 00:16:32]. So you need to know, as the board or the CXO, that that information security program is going to be where you need it to be when you get there. So those are the three fundamental pieces. And then within each piece, there’s three pieces. So if you think about a vision, what does it take to get to a vision? You need a clear picture of what is the information we’re processing, what are the assets that support it, who are the people that are involved in processing the data, what are the laws and regulations that govern it, what are the threats against it, and what would happen if a risk was realized.
John Verry (17:06):
A clear picture. Then you need expert personnel, because you need somebody who’s got both domain and or industry expertise, to be able to translate that information, understand where we are, understand that picture; generate the picture very often as well, and then create the picture of the future shape, which I’m going to refer as an information security strategy.
Matt Webster (17:26):
Right. And that’s inside the vision bucket.
John Verry (17:29):
That’s exactly right. And that strategy, again, should be aligned with those up and trusted frameworks, and it really should set the course for what are we going to need to do over the next three years; what are the guiding principles that we’re aligning ourselves with, and what’s the timeframe that we’re going to achieve them in. And we can use that to vet all of those decisions that we make in terms of the people that we hire, the products and tools that we purchase, the processes that we put in place. All those can be aligned with that strategy.
John Verry (18:02):
So let’s say you’re an organization that’s a software as a service firm, and we need to get to a point where we’ve got a very mature CI/CD process where security is baked as far left into it as it can. And CI/CD is continuous integration, continuous development. It’s just in the SaaS world, they’re constantly pushing changes to the software by doing that in a secure way. Well-
Matt Webster (18:24):
It’s a development technique.
John Verry (18:25):
There you go. And having that vision, is going to allow us to know like, okay what tools are we going to need, and what skill sets we’re going to need to achieve that, so I can plan for that. So that’s that vision bucket. That makes sense?
Matt Webster (18:37):
Yeah, it does.
John Verry (18:39):
Isn’t that in a weird way? Think about your vCISO process. That’s exactly why your vCISO process is a lot like ours. Isn’t that what it is?
Matt Webster (18:47):
I know. I’m thinking in my head, how am I going to lift those ideas and put them into a new graphic on my documentation.
John Verry (18:52):
I’m going to show you my graphic, and stay the fuck away from it. Better not look too much like ours.
Matt Webster (18:57):
That’s great. No, it really hits the nail on the head. And I think going back to what started this part of the conversation, is being able to translate the importance and the pressures that these companies are feeling because they have a customer, the sales dude’s talking to a customer and the customer’s like we need to be ISO. I have this going on right now, and that sales dude’s like, “Well, we need to be ISO.” And I’m like, “Well, ISO’s just not a turn the key process.” So by implementing a strategy such as what you just outlined, it’s a way for the company to say, “Okay, take a deep breath. The security stuff is hard, this attestation stuff is hard, this compliance stuff is hard. I need to have set a clear vision, and the organization can’t afford the time to run around going crazy trying to play Whac-A-Mole with how we’re approaching cyber security.” Right?
John Verry (19:50):
Yeah, it’s a measured approach as opposed to an ad hoc. And to your point, we have a new vCISO client recently. And it was interesting because we got an RFP out of the blue; they got our name from somebody. It was an RFP for virtual CISO and a SOC 2 [crosstalk 00:20:06].
John Verry (20:06):
No, actually to prepare them for the SOC 2 audit; SOC 2 consulting engagement. So we jumped on the phone with them. And literally it was in my head; had just been in a meeting where I presented this model. And I put the model up on the screen, and started talking to it. And I was like, “Bob, we’ll respond to your bid. But if we did, we’d be wasting your money. So you know what, actually we’re not going to respond to your bid. And look, we don’t have a clear picture, we don’t know where you need to go. We really need a strategy.” This isn’t going to be the only client that’s going to ask you for attestation. Why are we jumping through hoops for this particular client, when you’re not addressing the privacy component, which is going to come, because you’ve got personal information? You’re not addressing this, you’re not addressing that.
Matt Webster (20:52):
You’re being tactical. And cyber needs to be strategic at this point.
Matt Webster (20:58):
There was probably a time when it was okay if it was tactical, but not anymore.
John Verry (21:02):
Yeah. And what was interesting too is then the conversation evolved. And remember we talked about the idea of like you’ve got vision up top, those three things. And when we roll over to the execution component, what is execution. Well, the first part is that you translate that strategy into a near term actionable plan. Think about it. Like when you guys do your vCISO, I’m sure you do a risk assessment and you do a gap assessment. So that’s the risk treatment plans and gap remediation plans. That’s the tactical short-term plan that comes out of that strategic plan that you’ve created for them.
John Verry (21:32):
Now the next part is, okay we need to get to these repeatable processes. So that’s often in information security; developing a set of policies, procedures, standards, things like incident response plans, business continuity plans, and things of that nature.
Matt Webster (21:44):
And then in setting in the regimented processes to preview those plans, to test those plans. So all that.
John Verry (21:50):
Exactly. Ideally put them into a project plan or into a GRC tool or something which you can track.
Matt Webster (21:53):
“Oh, by the way now it’s time to do a tabletop.”
John Verry (21:55):
That’s exactly right. And then the last piece of that is do we have the people. And not only do we have the people, the quantity and quality of the people, do they have the appropriate training, knowledge to actually execute these repeatable processes in a way which is effective and efficient, and do we have the tools to actually do that. And what was cool about this is that during the conversation, they were saying, “Hey, we’re going to buy this tool called Vanta. Have you heard of Vanta?” “I have. It’s a tool for SOC 2 prep.” And I was like, “Yeah, it’s a pretty good tool.” But, I literally had a picture of the wheel up. And I’m like, “So, you’re down here at execute, and you’re actually going to buy a product before you have a clear vision up here?” And the guy on the phone goes, “I was just thinking the same thing.”
Matt Webster (22:36):
After you were helping him understand.
John Verry (22:39):
“What are we doing? Why are we jumping to execute when we haven’t finished vision?” And he was the CFO. It was really cool to see a CFO connect with the model. And it was, to me, like, “That’s great, lights on. This is [crosstalk 00:22:54].”
Matt Webster (22:53):
And this is where the difference between maybe the clients that we serve, I think we serve typically a little bit smaller companies in Europe. Like our average size is probably like 75 to 100 people firms and no bigger than that.
John Verry (23:06):
Yeah, we have them all the way down in like we do a lot of SaaS work with smaller firms, but we roll pretty regularly up into the 10,000, 15,000, 20,000. We don’t do a lot of work with Fortune 500 style. And I don’t want to work for Fortune 500 companies to be honest with you.
Matt Webster (23:21):
Well, because they’re down there in the execute piece.
John Verry (23:23):
And on top of that, they don’t value what you bring to the table, and they don’t value your culture. You’re a number to them. I like working for small firms.
Matt Webster (23:33):
I agree with you more.
John Verry (23:33):
And I would never go back. I’ve done work, and I’d never go back to working Fortune 500 [crosstalk 00:23:37].
Matt Webster (23:37):
And if there’s any Fortune 500 companies listening to this, please call John Verry.
Matt Webster (23:43):
So what I was getting at is we talk about this; a lot of times, there’s a reason why our mutual clients are reaching out to us. There’s some pressure they’re feeling. Very seldom is it, “You know what, we need to develop that clear vision of what we want to do. We need to acquire the resources, we need to execute on kind of mapping out what you just described.” Very seldom do they come to us with that already in place, where we’re spending the first portion of a vCISO engagement, first couple of months, kind of putting those pieces in place, so that we can then get them geared and tuned and ready to go moving forward. So, I appreciate what you said, with companies that are really down in the execute area, because we see it all the time. Like, “We’ll just buy a product to do X, Y, and Z.”
John Verry (24:37):
Right. Those are the worst CISOs in the world.
John Verry (24:37):
And that’s another great question. If you’re some the CXOs would onboard, and you talk to your information security person with regards to their information security strategy and it’s a product strategy, get rid of that person.
Matt Webster (24:49):
That’s not a strategy.
John Verry (24:50):
That’s it, but they’ll portray it as a strategy. And if you’re not from our field and you haven’t had the experience of sitting on our side of the fence, the information security strategy as a product strategy is a guy that you want to give [crosstalk 00:25:02].
Matt Webster (25:02):
That’s right. It’s not to say that products can’t fill a piece of the strategy. They absolutely can.
John Verry (25:08):
You’re going to need product in there.
Matt Webster (25:09):
Generally speaking. That being said, really it’s about personnel in our industry right now.
John Verry (25:14):
Personnel and process.
Matt Webster (25:15):
Yeah, and process for sure.
John Verry (25:16):
If you take those three Ps, personnel, product and process, I would argue that the least important of those three Ps is the product, because I can make with just anything.
Matt Webster (25:25):
I was talking to a PE firm just today actually, just doing a roll up. And similar to you, our phone rings off the hook a lot. And talking about different product companies they were bringing in to this umbrella firm that they were trying to create. And I’m like, “Yeah, that’s cool tech. Yeah, that’s pretty cool.” Organizations don’t have that problem anymore. It’s not exciting. So the problem with that product P is that, and I don’t know if this is uniquely cybersecurity, but the security threats and the risks that organizations face, change very quickly, and something that is an absolute must have, from a product perspective or a capability perspective for a particular organization in 2015. By 2019 it may not be something that anybody cares about anymore. So products are really tough investments to make without the proper processes and people and ultimately strategy.
John Verry (26:24):
Right. Plus on top of that, people don’t typically understand the complexity of optimally implementing the product, making sure that people are appropriately trained and updated, and maintain that, ensuring that we don’t have coverage gaps, implementation gaps, monitoring gaps. There’s a good book of business out there just to go around and validate that people’s tools actually are working the way they think they are.
John Verry (26:48):
We did that for a large city. And it was funny because we got called in to do a penetration test. And they said, “Look, this is just validation. You really don’t need to probably put a lot of time in here. This is the most locked down environment that we’ve ever [crosstalk 00:27:03].”
Matt Webster (27:03):
[Crosstalk 00:27:03] for sure.
John Verry (27:04):
And people knew what they were doing in this particular agency of this particular city. And we had done a lot of work there. So we thought it was going to be. We go in, and like we’re 15 minutes in and we’re like owning the environment. And it’s like, how is this possible? So we’re like, “Guys…” And, “No, look, all our vulnerability scans are clean.” “You must have your vulnerability scanner misconfigured.” So they engaged us to actually review all of their tool implementation. And they were using Qualys. And Qualys has this really nice little checkbox that says “enable fast scanning.”
Matt Webster (27:37):
I know that, because we use Qualys.
John Verry (27:38):
Who wouldn’t want to enable fast scanning?
Matt Webster (27:40):
That’s right, because why do you want it to be slow?
John Verry (27:41):
That’s right. So what does fast scanning do?
Matt Webster (27:43):
It misses things.
John Verry (27:46):
It only scans like the top, like just 100 ports or something.
Matt Webster (27:49):
Yeah, it’s a sampling basically.
John Verry (27:50):
Yeah. So what happened was all the ports that it was actually scanning were locked down tight, but every port it wasn’t, was where their vulnerability was.
Matt Webster (27:58):
And to go into the deep nerdy hacker world, and all the hackers know this. So to make matters worse, they know that these products are being tooled in certain ways. And they say, “Okay, well port 2585 is not being monitored because it’s not part of the fast scanning component of the vulnerability scanners. Let’s see if we can’t use that.”
John Verry (28:20):
That’s exactly right. Or you may start a scan on an outside network and they get blacklisted or shunned for a short period of time. And it’s like, “Oh, that must be this type of file. You shouldn’t scan ports.” So now they change it so it doesn’t scan port 521 or whatever the trigger port is.
Matt Webster (28:35):
By the way, anybody that was just listening to the podcast just fell asleep, but that’s just nerding out on the tech a little bit.
John Verry (28:41):
Yeah, we have a tendency to do that.
Matt Webster (28:43):
John Verry (28:44):
So let’s get back to the business thing. So we talked about vision, we talked about execute. So now let’s kind of finish that with that validate portion. So once we built these executable processes, how do we know they’re working as intended? I always argue that in the best programs that I’ve seen, you’ve got some form of security metrics. So you’re measuring in like it might be mean time to close vulnerabilities, it might be percentage of vendors that you’ve done a due diligence review on in the last year.
Matt Webster (29:11):
Some type of metrics.
John Verry (29:13):
Yeah, some type of metric, and then some type of a monitoring program. That monitoring program is going to be probably some type of log monitoring and things of that nature.
Matt Webster (29:21):
John Verry (29:21):
Exactly, and it’s probably going to be some mechanism to validate, monitor, that the controls that we have operationalized are actually being executed. Ideally, it’s like you said, you’re using a GRC tool that helps you do that. Or if you’re using it, you put it into a project, you put it in a SAN, put it in line, I don’t really care, but put it in your help desk ticketing system; make them all tickets. We want to make sure that if somebody says they’re doing monthly user account reviews or doing monthly vulnerability scans is critical to your security posture, how do you know that’s actually happening? So we call that active measurement or measurement monitoring. Then you want to also, like a hallmark of good information security, is what I refer to as independent objective review. Always a good idea to make sure that you have an independent objective third party that comes in on occasion and says, “Yep, this is working the way that you think it is.”
Matt Webster (30:07):
And that comes in all sorts of shapes and sizes. Pen testing to just vulnerability testing or a full blown assessment.
John Verry (30:14):
That’s exactly right. And the other thing too is that you want to have someone who is willing to say, “Your baby’s really not all that good looking.” Got to be done gracefully. And then that last piece, of course, I think this is where you and I probably see most of our business: at some point, most of the people that come to us need respected proof of their security posture. They have somebody they need to prove to that they’re doing the right things.
Matt Webster (30:39):
John Verry (30:41):
Matt Webster (30:42):
John Verry (30:43):
… CSEC, it’s an investor. Very often it’s a customer. And they have to produce an ISO 27001 certificate or a SOC 2 Type 2 auditors report or-
Matt Webster (30:52):
Some type of attestation of some sort from a respected company.
John Verry (30:57):
Right. So if you think about it, that’s really that whole process, and it’s not rocket science. But what I like about it is that it’s very simple to understand. And I think it’s the kind of conversation that allows a business person who really might not be a bits and bytes person and know a lot of the acronyms that we were talking about, but I think it allows them to have a conversation with the teams that are responsible for architecting, operating and validating their information security posture, in a way that I think they can get to a point where they know if things are good or not.
Matt Webster (31:26):
When you think about the high level there, it’s how you run a company, it’s how you run a sales organization or an operational organization. Now the devil is in the details, of course. So it should make sense to every executive out there. It may not be how they’re running their own company, but the idea, the concept is very clear.
John Verry (31:44):
I agree completely.
Matt Webster (31:46):
So we’ve gone way over the time that I said I was going to take of yours today.
John Verry (31:50):
And I told you that if you were able to shut me up in 20 minutes, that I would find that remarkable.
Matt Webster (31:55):
That’s right. I’m more worried that the beer might be getting warm over there at Troon.
John Verry (32:00):
If the beer has been poured, then this podcast is over. Let’s be clear.
Matt Webster (32:05):
That’s right. Well, so everything you had to say, I think our listeners will really find a lot of value in this podcast. So I really appreciate the time.
John Verry (32:13):
Yeah, I’m glad I can help out, and I’d love to return the favor. If we can maybe find a good topic for you to visit up here on our podcast, that’d be awesome.
Matt Webster (32:20):
That sounds great. So as we end every podcast, we at Harbor Technology Group always ask our guests to provide or give us an idea of some place they’d like to go that’s on the water. Like on the beach or at a harbor, and a place to grab a beer or have a burger or something. I’m putting you on the spot.
John Verry (32:36):
Oh yeah, you’re putting me on the spot. I saw this question on your website, so I’m prepared for it. But I’m not prepared to give you one. I’m prepared to give you more [crosstalk 00:32:45].
Matt Webster (32:45):
Of course. As you just said, you’re going to take longer than 20 minutes.
John Verry (32:47):
There you go. This is going to take 20 minutes, just giving you the list of places. Now, I’m going to give you a couple that I think are really cool places. Some of my favorite memories and they all involve vacation with my family. In Nantucket, which is a wonderful place. There’s a place called Galey, G-A-L-E-Y, on the beach in Nantucket, where you’re literally dining with your feet in the sand. Awesome place. Really a lot of [crosstalk 00:33:10].
Matt Webster (33:10):
Weren’t you just up there?
John Verry (33:11):
No, I was just in the Hamptons. And the Hamptons, if you’ve ever spent a day in South Hampton like at Cooper Beach, which was recently rated as the number two beach in the United States, not far from there is a restaurant called The Plaza Cafe, rated really high from a seafood perspective. Best oysters that I’ve ever… Oysters on the half shell with a little bit of caviar, incredibly fresh. It was like heaven because we’re drinking the best seaboard ever. It was so good. And then in Antigua, there’s a really cool place called Sheer Rocks. It’s built on these cliffs. And what they do is they build these platforms that extend out over. So you’re sitting there and you can look down, and you’re 50 feet over the ocean pounding against rocks below you. And there are these billowing white curtains, really cool.
Matt Webster (33:57):
That sounds amazing.
John Verry (33:57):
And then if you want a harbor, in the English Harbor, also in Antigua, there’s a place called The Admiral’s Inn, and I think the restaurant is called Pillars, which is one of the most beautiful places I’ve ever dined, at these old concrete pillars, and they have these up-lights on them. And you’re sitting right on the water. And there’s these weird-like channels that kind of extend into this really old building. And what it turns out is that when they did the sugar trade, this was where they would bring the ships in to repair the masts and the sails.
Matt Webster (34:27):
Very cool. So that’s where they’d slide them in.
John Verry (34:30):
Matt Webster (34:31):
So, Nantucket, South Hampton and Antigua.
John Verry (34:35):
Yeah. And I’ll give one more.
Matt Webster (34:36):
John Verry (34:36):
And not as nice in terms of that, but one of my favorite places is Pappagallo in Grand Cayman, which is awesome. It’s on like a little lagoon.
Matt Webster (34:46):
I think that’s on Michael’s list as well.
John Verry (34:48):
Pappagallo is such a great restaurant. One of my favorite places.
Matt Webster (34:51):
That’s great. Well, thanks for that. And thanks again for all the time, and being a great friend over the years, John.
John Verry (34:56):
Yes, I appreciate it. Same here.
Matt Webster (34:57):
Narrator (Intro/Outro) (35:00):
You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player.
Narrator (Intro/Outro) (35:19):
Until next time, let’s be careful out there.
Narrator (Intro/Outro) (35:21):