July 15, 2020

COVID-19 has created lots and lots of challenges and opened our eyes to ones that lay dormant.

One of the starkest realizations is how much we rely on our critical vendors.

But how can you know a vendor is safe to work with and reliable, and figure this out quickly and at a low cost?

Enter ARM: Accelerated Risk Management, Pivot Point Security’s answer to the need for rapid risk assessment.

If you are looking for a paradigm shift in the way you manage risk and assess your vendors, this is the show you need to hear.

Kevin Hermosura, one of our Third Party Risk Management & Vendor Due Diligence Security Consultants here at Pivot Point Security, talks with John Verry about using ARM to assess vendor risk (in minutes, not days).

What we talked about:

  • Third party risk management is generally lousy.
  • Thanks to Covid, businesses are relying on vendors more than ever.
  • Vendors are a massive security risk!
  • There is a better way to assess and manage vendor risk.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool’s accuracy is 99%, you may find some small discrepancies between the written content and the native audio file.

John Verry (00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information, security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to another episode of The Virtual CISO Podcast. I’m your host, John Verry and with me as always, the giggling beast to my beauty, Jeremy Sporn. Hey, Jeremy.

Jeremy Sporn (00:36):

Oh, bonjour, John.

John Verry (00:39):

All right. I’m not going to even go there. What’d you think of my conversation with Kevin? Kind of a little unusual for us having an internal guest on the podcast.

Jeremy Sporn (00:48):

Yeah. Because of that, I really would like to start off with a disclaimer. This conversation is all about a piece of technology we developed internally. It’s a Pivot Point Security expert system, and we’re not presenting this as a sales pitch. The goal of the conversation is really to really educate everyone on how vendor due diligence and really third party risk management as a whole has just missed the mark for a while. Companies are extremely reliant on vendors and vendors are a massive security risk, yet efforts to manage that risk are incredibly time consuming and expensive.

Jeremy Sporn (01:28):

This dilemma is something that people in organizations have been facing for a long time. That’s why we’re sharing our answer to this challenge and who better to talk about it than Kevin Hermosura who uses this tool in our own third party risk management practice.

John Verry (01:43):

Well said. I think from my perspective, the concept of embedding 20 plus years of our security expertise, our third party risk management expertise into a tool offers some significant advantages that we’re really excited to have developed and look forward to continuing to advance with some due diligence automation ideas that we have as well. Fun stuff, interesting stuff.

Jeremy Sporn (02:07):

Absolutely. I won’t sugar coat this, if you are looking for a paradigm shift in the way you manage third party risk and assess your vendors, this conversation is for you in almost every case in the world. If you want something faster, cheaper, and better, they say you can only have two, but with our accelerated risk management tool, you can have all three.

John Verry (02:27):

Yeah, definitely a paradigm shift. With no further delay, let’s get to the show. Kevin, how are you today?

Kevin Hermosura (02:39):

Good, good, good. How about yourself?

John Verry (02:40):

Good. Good to catch up. Thanks for joining me. I usually like to start super simple. I’m going to make it about as simple as you can. Tell us a little bit about who you are and what is it you do?

Kevin Hermosura (02:51):

All right. I’m the practice lead for third party risk management here at Pivot Point Security. We help organizations in a variety of different ways. We help organizations build their vendor risk management program from the ground up, improve their existing programs, perform some vendor reviews, whether that’s remote or some sort of onsite validation using popular tools, popular mechanisms like shared assessments, SIG or the SCA or popular software tools like tools from OneTrust or Prevalent.

John Verry (03:26):

Got you. That’s why we have you here today. Right? We wanted to talk about third party risk and some cool stuff we’re doing there. You’re joining us from the sunny climes of… I hear warm climes of LA today, right?

Kevin Hermosura (03:37):

Yeah. Yeah. We’re in the middle of a heat wave. It’s a great place to be, I guess.

John Verry (03:43):

Yeah. Let’s just say if we’re going to be in lockdown, a heat wave in LA doesn’t sound too bad a place to be forced to be locked in. Before we get down to business, we have a tradition. We like to ask… Personalize you a little bit. What’s your drink of choice?

Kevin Hermosura (03:59):

My drink of choice is… I keep it simple. Jameson Irish Whiskey.

John Verry (04:05):

That’s pretty good. Neat? Rocks?

Kevin Hermosura (04:09):

Many different ways. Man, when I’m not drinking Jameson, it’s a nice glass of red wine.

John Verry (04:15):

Got you. On the Jameson, have you had the Caskmates?

Kevin Hermosura (04:20):

No, actually. No.

John Verry (04:22):

You got to have Jameson Caskmates. They did a version called Caskmates where it’s Jameson aged in a… I think it’s a bourbon barrel. It might’ve been sherry, but anyway, really… Because Jameson’s an excellent little whiskey. It adds a little bit more interest to it.

Kevin Hermosura (04:41):

Oh, yeah. Thanks.

John Verry (04:42):

On the red wine side, do you go… Are you a blend guy, a cab guy, a pinot noir guy?

Kevin Hermosura (04:49):

Mostly blends. It really just depends on the time of day and the mood that you’re in. One of my favorites…

John Verry (04:57):

[crosstalk 00:04:57] time of day, you’re not talking about morning, are we?

Kevin Hermosura (05:00):

Well, that depends, I guess. No. One of the things I can remember, there’s a winery called Robert Mondavi up in Napa and they make a bourbon barrel-aged cabernet. It’s actually really, really cheap and you can get it almost anywhere.

John Verry (05:19):

Yes. Yeah. [crosstalk 00:05:20].

Kevin Hermosura (05:20):

For about $13 or $14 here, you can get it and it’s excellent. I’ve had it. Yeah. I actually just bought a bottle of…

John Verry (05:28):

Is it Beringer?

Kevin Hermosura (05:28):

A Zin that was bourbon barrel-aged because I hadn’t seen that. Usually, you see the cab, but that’s enough liquor talk for now.

John Verry (05:36):

It’s not a worry to people. Let’s get to really why we invited you to be on the show. We don’t often have internal people on the show, but really the idea here is that me personally and us as a team have been working on something we call accelerated risk management, which is a mechanism which provides… It’s an expert system, if you will, for generating risk assessments. You and I were chatting about that and you were using it when you were pitching in and helping out on some ISO internal audits and things of that nature, and we had this idea that this might be cool to look at from a third party risk management perspective. How did that evolve from your perspective?

Kevin Hermosura (06:19):

Yeah. I think in a way, we’ve been using that ARM tool for quite a while. Right? Like you said, I think we started thinking about… We’re using it for a lot of these other ISO engagements. It’s a natural progression to have that solution trickle into our other lines of business or service lines, if you will.

John Verry (06:47):

Yeah. If you think about… From my perspective at least, the way I looked at it was really, is there much of a difference? Risk is risk. Risk is risk, whether or not we’re looking at it from a… The scope is purely internal or the scope is working with a third party. Correct?

Kevin Hermosura (07:04):

Yeah. Yeah, yeah. I think like you said, risk is risk and whether you’re assessing privacy risks or security risks, or vendor risks, financial risks and so on and so forth, risk is risk these days, right?

John Verry (07:20):

Yeah. Yeah. Why is this so important? This idea of what we’re trying to accomplish, right? Making risk assessment, vendor risk management faster, cheaper, better. Why is that so important at this particular point in time?

Kevin Hermosura (07:33):

Yeah. This is quite important because organizations are increasingly placing their reliance on third parties to run their organizations. Folks aren’t really hiring a bunch of developers nowadays to develop any sort of internal systems, they’re just going to go buy something off the shelf. These days, I think the statistics say that over 60% of the breaches can be directly or indirectly related to a third party. Examples of that, that I can think of off the top of my head: Quest Diagnostics had a breach last year, I believe it was sometime over summer. They had a good number of patients and that was due to a… I believe a billing collections vendor. Then, the one that I like to talk about from a long time ago is Target because that one was through an HVAC vendor, which sounds very, very surprising.

John Verry (08:24):

Yeah. I’m sure no one thought that. Right? I think the other thing too, to point out is that as we deal with COVID and I think when we think about the post-COVID world, I don’t think the genie’s going back into the bottle. I think this work from home and more diverse workforce and increased use of cloud to provide resilience and business continuity. I think this is just going to get worse. Right? If we don’t have a fast, effective, repeatable, reliable, cost effective way to manage vendor risk, I think we’re going to be in trouble.

Kevin Hermosura (09:00):

Yeah. Yeah. We don’t want to be in trouble. At the end of the day, we need to have vendors and we need to be confident that these vendors can securely transmit and store data quickly and reliably of course.

John Verry (09:14):

Yep. What are some of the biggest challenges that as we started out down this path with trying to use the accelerated risk management expert system, what were some of the challenges we were trying to solve?

Kevin Hermosura (09:28):

Yeah. One of the challenges is that vendor risk management is a… It’s hard to scale. It’s very time consuming. It can take 10 plus hours. It can be quite expensive. You may need to hire staff. You may need to outsource. You may need to manage the folks you outsource to, things of that nature. Then, a couple of the other things, existing programs these days, existing mechanisms, sometimes the results are quite marginal. You’ve got these, more often than not, these one-sized questionnaires that yield an incomplete view of your total risk as it relates to vendors and kind of ignore the shared responsibility model. These standardized TPRM practices always point… They point the finger at the vendor, or they point it at the cloud provider. They rarely ever point the finger back at ourselves and our responsibilities as it relates to these vendors.

John Verry (10:25):

Yeah. If you think about it, when you get to even a small to moderate-sized organization, it’s not unusual for them to have 50 or 100 or 200 vendors. Correct?

Kevin Hermosura (10:41):

Yeah. Yeah. When you start looking at those sort of volumes, it’s quite overwhelming for a lot of these organizations and obviously there’s a time and a cost associated with having to review that landscape there.

John Verry (10:51):

Right. Right. I like what you said about shared responsibility. One of the things… That goes back to Microsoft, I believe it was, did a great job and we’ll ask them to put up this graphic during the podcast is Microsoft had that shared responsibility grid that they did, which I think is fantastic where it speaks to the difference between a SaaS where in a SaaS, you largely still always retain the responsibility for the information, the devices and the accounts and identities. Most of the technology stack below that is the responsibility of the vendor, where if you go to an infrastructure as a service, right? You’re still going to own, let’s say the application, the network controls and the operating system. That’s what you mean by this idea of this shared responsibility, correct?

Kevin Hermosura (11:37):

Yeah. Yeah. Yeah. I think like you said, it depends on the model of the engagement of the service that’s being provided, that dictates who’s responsible for what in this case. A simple sort of analogy I like to think of it as is I could go out there, I could buy the best front door lock in the world for my house from the top vendor in the world, let’s say, I do that, but if I fail to lock it, that’s my responsibility. The entire solution falls apart.

John Verry (12:07):

Right. Right. It’s interesting. The other thing I like you pointed out was the one size or two size fits all questionnaires, and logically, you have to do it that way because it’s very difficult to have dozens of different questionnaires that fit dozens of different use cases. But that being said, the questionnaire that you would send to somebody who’s coming and doing plant maintenance, or like we’ve got one law firm where they’ve got a guy that comes around shining shoes, right? The vendor questionnaire you would issue him is going to be a little bit different than the guy that’s your IT service provider that’s coming in to do, let’s say, break/fix on machines, which can be a little bit different than Salesforce or NetDocs or document management.

Kevin Hermosura (12:49):

Yeah. Yeah, yeah, yeah. You’re not going to be asking a shoe shiner vendor about their… Let’s say like technical information security controls, because that’s not necessarily relevant in this case.

John Verry (13:01):

Right. Right. Same thing with if you’ve got someone coming onsite to do plumbing, right? What are we really… As an example, right? What would be the only questions that would matter for someone being onsite doing physical work of that nature?

Kevin Hermosura (13:14):

Yeah. They’d be probably focused on those HR controls, the background checks and things of that nature to make sure those folks are the appropriate folks to perform that kind of work.

John Verry (13:27):

Exactly. All right. Let’s talk a little bit about ARM, right? Then, we can walk through how you’re using ARM to improve vendor risk management. Right. From my perspective, ARM is an expert system that we’ve created. What we’ve done is it has a predefined library of vulnerabilities and threats, and ARM is able to accurately quantify the likelihood and impact of every one of those threats in the threat library acting on every vulnerability in the vulnerability library for every data type that you process. It literally calculates every potential risk in your universe. What you’ll do is you’ll explain what information… For the ARM portion, you explain what types of information you have and what the impact would be, in a numeric low, medium, high way, to your organization if that data was compromised. What it will do is calculate the inherent risk for each of those scenarios. You looked at this and said, “Well, this is great. How do I properly contextualize that?” The first thing that you did was you started thinking about how different vendor types vary that risk. Correct?

Kevin Hermosura (14:50):


John Verry (14:50):

Talk about how that worked out. What types of vendors were you looking at, and some examples of how the risk differs between different types of vendors with different levels of access to different levels of data, different types of data?

Kevin Hermosura (15:02):

Yeah. Yeah. Each vendor obviously poses a different level of risk to the organization. We take a look at a SaaS vendor that has a persistent connection to our environment. Obviously, they’re going to pose a certain level of risk, which may be quite high in that case versus the shoe shiner or the… Let’s say janitor or something like that, who was just coming in to vacuum the building or mop the floors and things like that. They don’t have a network connection or anything like that. You take a look at those different types. You also take a look at obviously the data elements that are involved. That janitor likely won’t have any access to any sort of confidential information as long as the organization has a clean desk policy in place, obviously.

John Verry (15:53):

Or good physical security controls where the person’s being escorted or physically restricted through access cards or something of that nature. Right?

Kevin Hermosura (16:01):

Yeah. I think what we’ve done as it relates to a third party risk management with this ARM solution is we’ve been able to right size the questionnaires. Obviously, these janitorial or vendors with physical, but don’t have any sort of access to data, you need a certain type of questionnaire. Then, these SaaS or infrastructure as a service providers, they’re going to need a different type of questionnaire obviously that focuses on different set of controls.

John Verry (16:35):

Right. Sure, what you’re saying is that you’ve developed… Call them profiles if you will, for different types of vendors and then determined what type of risk each of those pose based on their method of access, the type of data they have access to, the model by which they engage with you. Is that what you did?

Kevin Hermosura (17:00):

Yeah. Yeah. There’s a couple of different profiles, which we’ve added there depending upon the type of vendor. You’ve got your SaaS vendors, your PaaS, your infrastructure as a service. Let’s say you’ve got managed service providers, consultants, so on and so forth. Obviously, depending upon the nature of the engagement, the nature of the data elements they have access to, what they’re handling, that poses a different level of risk. Based on all of these elements, the ARM solution is designed to create a questionnaire that is just the right size.

John Verry (17:41):

All right. I think you’ve got a four-step process that you follow. Why don’t we walk through that four-step process at a high level? I sit down. I’m about to do a vendor risk assessment for a particular vendor. What does that look like? What do I actually do?

Kevin Hermosura (17:58):

Yeah. I think it starts with step one, which is generating an inherent risk score for the vendor based on the context of the engagement there.

John Verry (18:10):

Right. To do that, what type of data are you providing?

Kevin Hermosura (18:15):

Yes. A couple of different things. You need to understand the different data elements. You need to understand… Let’s say it’s personal health information, payment card data, things of that nature. You need to understand, obviously, the data volumes that you send off. Obviously, a vendor that you only share five records with is going to pose less of a risk than a vendor you send millions of records to every single month.

John Verry (18:45):

Right. That’s the biggest of the costs, breach notification as an example?

Kevin Hermosura (18:49):

Yeah. Then, the next step here, we take a look at dynamically generating the questionnaire. Like I spoke about earlier, obviously we create a right size questionnaire for that specific vendor that caters to the specific risks that that vendor poses to the organization.

John Verry (19:13):

A vendor that would never be onsite would have a different questionnaire than a vendor that would be hosting a cloud service? Something like that.

Kevin Hermosura (19:20):

Yeah. Yeah. Precisely.

John Verry (19:22):

Got you.

Kevin Hermosura (19:24):

Then, you would take that questionnaire, which is exported in an Excel format these days, and that’s a universally accepted format these days, and we’d send that off to the vendor… Which is your typical process. They answer the questionnaire and you get it back. What you’d be able to do is import that questionnaire and have the tool calculate the risks for you.

John Verry (19:54):

Got you. We start with inherent risk. We send a questionnaire, which is specific to their risk, that vendor’s specific risks based on the type of vendor they are and the type of data they have access to and the quantity of data they have access to. They’re entering into that… What? The maturity of the controls?

Kevin Hermosura (20:14):

Yep. Yes. The questionnaire is… It’s aligned to the SCF, which is the Secure Controls Framework. Within that questionnaire, the vendor has the choice to answer all of the questions that we’ve chosen for them, or I guess the tool has chosen for them. They have the ability to input their level of maturity for each of those questions. Then obviously, we take that maturity and suck it back into the system and the system does its work here.

John Verry (20:48):

Got you. As an example, if one of the risks was that a non-knowledgeable employee would be socially engineered, which would result in the disclosure of our data, we would have a control around, let’s say security awareness education. If the maturity of that control in their environment was very high, that would reduce that risk more than if the maturity that control was moderate or low. Correct?

Kevin Hermosura (21:14):

Yeah. Yeah, yeah, yeah.

John Verry (21:15):

Got you.

Kevin Hermosura (21:15):

That’s precisely what it would do. Yep.

John Verry (21:18):

All right. What happens if the residual risk is not where it needs to be?

Kevin Hermosura (21:26):

Yeah. If the residual risk is too high, the ARM tool will automatically flag those and make those aware to you.

John Verry (21:36):

Got you. Got you. The other thing which I think is really cool is that it will actually even give you some automated recommendations based on that. As an example, it will know… In that particular example I gave, it will know that really, in order for you as our vendor to meet our risk tolerance levels, you would need to improve that security awareness education program from its current maturity of one to a maturity of 2.5 or three in order to reach our risk acceptance criteria. Correct?

Kevin Hermosura (22:09):

Yep. Yeah. It would make those specific recommendations, like you said.

John Verry (22:15):

Cool. Let’s talk about the one thing which I’m also excited about with what we’re doing together, this concept of shared responsibility. You just walked through and we ended up with this questionnaire for our vendor, but we also ended up with another questionnaire. Who is that for?

Kevin Hermosura (22:32):

Yes. In the tool, we can generate a questionnaire that we can issue internally. The goal of that questionnaire is to understand our internal control environment. The reason we do that is because of that shared responsibility model, we need to take a look at our internal controls as well as the vendor’s controls and combine those two controls into what I like to call total solution risk.

John Verry (23:02):

Got you. Give me an example, right? As an example, let’s talk about the… Go back to the custodian. What would we probably ask about if they’ve got a custodian? We want to make sure that the internal controls are sufficient for secure custodial access.

Kevin Hermosura (23:23):

Yes. Internal controls that we would be concerned with at our organization in that case would probably be… Let’s say our physical and environmental controls that we have in place, closed circuit television, electronic badging, things of that nature. Those are the [crosstalk 00:23:45].

John Verry (23:45):

[crosstalk 00:23:45] things like that?

Kevin Hermosura (23:46):

Yep. Yeah. Those are the things that we would be responsible for. Obviously, the vendor is responsible for background checks like we talked about earlier, and that’s a great example of the controls that they have and the controls that we have and bucketing those together and taking a look at the total risk there. Right?

John Verry (24:05):

Right. Exactly. If we look at like a SaaS, as an example, if we put our data all on Salesforce and that’s great, right? Because we get a SOC 2. We get an ISO 27001 certificate from Salesforce, but does that mean we’re secure?

Kevin Hermosura (24:19):

No. No, not at all. I could go buy Salesforce and Salesforce is a very popular, very secure solution, but let’s say I don’t have multifactor authentication and I set my password to “password”. We take a look at the lack of controls that I put in place combined with the controls that Salesforce has, and no matter what Salesforce does, it’s my fault here in setting my password to “password”.

John Verry (24:46):

Right. Exactly. Because we, despite the fact we’re using Salesforce, are responsible for user management. I was a subject matter expert in a lawsuit and it ended up that they had implemented Salesforce and they made 45 people global admins. When the guy from the East Coast stole the sales and marketing list for the worldwide organization, you weren’t surprised, right? Or if you don’t have… Can Salesforce protect you against bad vulnerability and configuration management or a user being phished? No. Right?

Kevin Hermosura (25:26):

No. No, not at all. That’s why we’ve got to take a look at that total risk profile there. We can’t just rely on these cloud providers, these SaaS providers or any vendor for that matter. We’ve got to take a look at what they’ve got as well as what we’ve got in place and combine those two and have a better understanding of the entire risk landscape.

John Verry (25:51):

Got you. I think last week, we were chatting about this and I think you used the term faster, better, cheaper, which breaks the law of constraints. Tell me about that. From your perspective, why do you think that this is such a significant breakthrough?

Kevin Hermosura (26:09):

Yeah, yeah, yeah. The law of constraints kind of says that you can only pick two out of the three there. You can’t have your cake and eat it too. Right?

John Verry (26:24):

We’re saying you can, so [crosstalk 00:26:25].

Kevin Hermosura (26:25):

Yeah. We’re saying you can with this solution. We think this is faster. Automated due diligence reviews, we feel that a lot of these can be completed in 15 minutes or less. Obviously, if you add some sort of human validation or QA component to that, it’s going to add some hours. We think that this is definitely a better solution, properly contextualizing that risk, looking at the vendor risk as well as looking at the risks that we have, the controls or lack thereof. It is a better way to look at vendor risk management. Then also, we try not to use this word, right? Obviously, leveraging automation is going to make things a lot cheaper. Leveraging this automation to rightsize these due diligence questionnaires allows them to get done in a shorter timeframe, and the shorter your questionnaire, the more accurate the answers are likely to be.

John Verry (27:28):

Well, not only are they more accurate, but you’re going to get them faster. Who hasn’t had the experience… You’ve been in third party risk management forever. An idea within a lot of acting CISO and virtual CISO places is that it’s not unusual that it takes a month or six weeks to get an answer from people. Really, it makes sense. I’m your janitor and I just got a 140-question security questionnaire that asked me about my business continuity plans and my incident response plan. What? How am I going to respond to that? I do like the idea that by rightsizing the questionnaire, you end up with multiple benefits, right?

John Verry (28:07):

One is it allows them to answer those questions better because there are fewer of them. Right? We get a better result. It allows them to then more quickly respond to it, so it improves our time, right? Our time to market with new solutions. Then, the third thing is that because of the fact that we’ve limited those questions, that improves our own efficiencies on the backside as well. Right? If you have to grind through 300 questions on a due diligence review, look at all their answers, look at the artifacts they provided, that’s going to take a hell of a lot longer than if you’ve got to look at 50 or 60.

Kevin Hermosura (28:43):

Yeah. Yeah. I think the problem these days with some of these standardized questionnaires… I’m not going to name any names, but some of these lengthier questionnaires out there is that it holds up the procurement process. That’s not the intention here. We want to foster positive business relationships while maintaining obviously a certain level of risk management and due diligence. Having questionnaires that, like you said, are the janitor taking a look at… Having to answer about business continuity, that’s not the right context. That’s the wrong questionnaire. If we can address that, I think we’ve put ourselves in a better place to deviate faster, better and cheaper.

John Verry (29:32):

Right. I think part of the other “better” as well is that shared responsibility. I find it remarkable when we consider outsourcing a solution that we don’t consider our contribution to the security of that solution. I think this forces that concept, right? Forces that consideration.

Kevin Hermosura (29:50):

Yeah, yeah, yeah. I think this is something that a lot of people overlook. It comes up in conversations every now and then, but when folks think about vendor risk management, they only think about the vendor risks, the controls or lack of controls at that vendor. They never really take time to self reflect and look at what they’ve got in place, and what their people have in place.

John Verry (30:16):

Right. Probably in the majority of the times that you’re outsourcing a service to somebody, probably the bulk of the risk is on your side especially if you’re using the big guys. If you’re outsourcing something to AWS or Microsoft or Salesforce or Google, those are giant companies with pretty significant track records on security. What’s the likelihood that they’re going to be the bigger risk than you in that relationship?

Kevin Hermosura (30:48):

Yeah. I think you’re always going to be the weakest link, right? I can’t count how many times I’ve seen some sort of system misconfiguration, SSH open to the world kind of thing.

John Verry (31:03):

Right. Yeah. If there’s an S3 bucket that’s exposed, that’s on you, not on Amazon, right?

Kevin Hermosura (31:08):


John Verry (31:09):

You didn’t do your due diligence. You didn’t understand your responsibility. Right?

Kevin Hermosura (31:13):


John Verry (31:14):

Cool. I think one of the things, which is interesting to note just because if anyone’s curious, and there’s always a concern about putting a lot of risk information up in the cloud. One of the things that we’ve done to this point is we actually chose to not keep any data in the cloud. Huh?

Kevin Hermosura (31:30):

Yeah. Yeah. It’s a good thing to… You’re talking about the ARM solution, right? With ARM, we’re not storing any of the information that gets inputted into the platform there. We’re using the industry standard, which is Excel spreadsheets. A lot of folks either love it or hate it, I guess.

John Verry (31:53):

Yeah. Or an API. If somebody has got an internal GRC tool or something of that nature, and they want to talk to it via an API, we’ll do that. But still the idea is that we’re not maintaining any state, any of this information, which I think is pretty cool as well.

Kevin Hermosura (32:06):


John Verry (32:07):

Cool. I think we beat it up pretty good.

Kevin Hermosura (32:12):

Yeah. I think…

John Verry (32:13):

Any last thoughts?

Kevin Hermosura (32:14):

I think that pretty much covers it.

John Verry (32:16):

Yeah. I was thinking the same thing. We always like to have a little fun and get different people’s perspectives, so I’ll ask you the standard question we ask. If I was going to ask you for a fictional character or even a real person that you think would make an either amazing or a horrible CISO, who would it be and why?

Kevin Hermosura (32:34):

All right. This might surprise you, but I’m going to go with an amazing CISO. The person that would make an amazing CISO would be Michael Scott from The Office. Hear me out here. Hear me out here.

John Verry (32:49):

Well, wait. Would he have a plaque that said, “World’s best CISO?” I just got to know.

Kevin Hermosura (32:56):

Probably actually. Business cards would probably say the same thing, but as ridiculous as that sounds, I think he makes the workplace an enjoyable place to be with all his antics. He’s got a very strong work hard emphasis on the play hard mentality, but I think he does a great job of distracting his employees from a very mundane task. They sell paper, which isn’t the most exciting job in the world. It keeps them feeling appreciated, motivated. If you’re a fan of the show, you’ll notice that he considers everyone a friend and family. I think at the end of the day, as a CISO, you can choose to run your team like a boring summer camp, or you can accomplish all the same things with a smile on your face and everyone else’s face. I think he’s a great candidate for one.

John Verry (33:52):

Yeah. That is definitely on the unique side of the equation. Does that make Dwight a horrible CISO?

Kevin Hermosura (34:04):

He does know martial arts and things of that nature. Right? He was a provisional police officer for a while, right?

John Verry (34:11):

Yeah. I think you just need a good balance. I think you need a very dynamic team.

Kevin Hermosura (34:17):


John Verry (34:17):

No. That’s an interesting thought process like if I had asked the question as who would make a good security team, then it gets a little bit interesting. When you start to think about the doubters like Stanley and the dreamers like Jenna and Gia, they would make a good virtual security team, I suppose, huh?

Kevin Hermosura (34:38):

Yeah. Yeah. I think they’ve got a healthy balance over there.

John Verry (34:43):

Yeah. There you go. I love that show. In fact, I was so disappointed. At home, I downloaded an office… It’s the scene from Michael’s office as my backdrop. I’m sitting here like this and you got Stanley. You can see Stanley out through the glass door. I was like, “Oh, I’m going to pop it up now. It’ll look funny,” but I realized you keep them on your local machine. It’s not stored on the cloud. One last question. I know every single day, you’re chatting with people about information security and very often third party risk management, and you know this podcast is listened to by information, security, business leaders, people of that nature. Any interesting topics you’d suggest for another episode?

Kevin Hermosura (35:30):

Yeah. I think an interesting topic would be the art of reverse engineering recent data breaches. Talking about how we can protect ourselves from a similar situation, prevent it from happening to you. I think everyone’s going to make mistakes, and I think I’m a firm believer that life is too short to make all of the mistakes that you could possibly make. Learning from other people’s mistakes is a great way to go about it.

John Verry (36:04):

That’s pretty cool. Yeah. It was so funny because I was just listening to a YouTube video. Jim Monaco was a… Lost guys is going to be on the show and I was listening to something that he did. He had a clever idea for exactly that kind of an idea. The idea is that if you’re running a SaaS, you should be looking at Pastebin and Have I Been Pwned, insights of that nature, and you should be dynamically blocking compromised username, password combinations to prevent credential stealing attacks.

Kevin Hermosura (36:36):

Yeah. That’s an interesting topic. I can take a look at that.

John Verry (36:39):

Yeah. I thought right away, I’m like, “Well, that’s pretty clever.” He’s a really smart guy, and then you literally, right after that, came up and almost said the exact same thing in a more generic way. Yeah. That actually is a pretty cool idea. Anything else?

Kevin Hermosura (36:53):

No, I think that’s pretty much it.

John Verry (36:56):

Cool. Well, thank you. I appreciate you coming on. Before I say my final farewell, how can folks get in contact with you if they had a question or want to chat?

Kevin Hermosura (37:06):

Yeah. Yeah. Folks can email me at [email protected]. I know that’s an awful or feel free to reach out to anyone here at Pivot Point Security. I’m sure they’ll forward you off to me or anyone can reach out obviously on LinkedIn as well.

John Verry (37:24):

Cool. Kevin, thanks man. Good to catch up.

Kevin Hermosura (37:27):

Thanks, John.

John Verry (37:28):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. If there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.