August 15, 2024 • 17 mins

Governance, Risk and Compliance, or GRC, helps organizations manage risk, achieve business goals, and comply with regulations. When it comes to CMMC, the GRC approach an organization takes can mean the difference between passing and failing third-party assessments. In this episode, Mark Berman, CEO of FutureFeed, talks about what GRC tools should do for you and the benefits of using one beyond passing an assessment.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Quick 10 Podcast brought to you by Quick Track, focusing on all things

(00:07):
FedCon and cyber defense from different perspectives and different personalities, all in 10-ish
minutes.
Here's your host, Derek White.
All right.
Welcome back everyone to another episode of the Quick 10 Podcast.

(00:27):
As always, if you're listening on your favorite podcast platform, make sure to like or subscribe.
And if you're watching over on YouTube, please do the same so you don't miss out on any of
the new episodes as they come out.
Today, my special guest is Mark Berman, CEO of FutureFeed.
Mark, thank you for joining.

(00:49):
Very happy to be here and thanks for inviting me.
You bet.
You bet.
Today, we're going to get into talking about governance risk and compliance, also known
as GRC.
So we're going to say GRC a lot.
So that's what it stands for.
If that's a new term to you, and there are many terms to understand in the world of federal
government.
So if that's a new term to you, look that up, Google that.

(01:11):
But today we're going to talk about what GRC means to you and what to do.
So the first thing I think that would really be helpful, Mark, is can you give the listeners
and our watchers a checklist of what a GRC tool should do for them?
Sure.
I'm happy to do so.
So what a GRC tool needs to do and rather than a checklist, we'll just kind of talk

(01:36):
the picture a little bit.
But what it really needs to do is take all of the minutia that we have to track in order
to be assessed by a complete stranger who's going to walk into our business or really
a team of them, because it's usually two to five people, who will come in in a two week
period.

(01:56):
They maybe have never heard of your company.
They don't know whether you make hydraulics or you make computers or you do services.
They have to understand how you're using IT.
And then they have to understand everything about your IT to know if it's secure or not
secure.
That's a lot of detail.
And not only do they have to understand it, but then they have to look for proof that

(02:18):
you follow your policies and procedures.
So in order to find proof that you follow your policies and procedures, they're probably
going to need to read them or at least read some of them.
So what you're looking for with governance with GRC or GRC tool is a place where you
can take all of that detail.
And this really comes down to three lists, Derek.

(02:40):
There's a list of the people that you have and the roles that they perform for your company,
right?
Every company.
We don't just have people, we have people of jobs.
So we have the people and their roles.
We have the tools and services that make up the IT.
So when I say tools, it's not just the tools that are installed on your computer because
it's 2024.
Last time I checked, we're using the internet an awful lot.

(03:03):
So a lot of our data may not be anywhere on our network.
It could be out there in the world.
So we have our people who are using tools and services.
And what do our documents do?
They tell the people what the rules, boundaries and limitations, if you like, sees them or
are.
That's what he says all the time.
What are the rules, boundaries and limitations for using our tools and services?

(03:23):
And exactly what are the instructions as to how to use them?
So what we need with the GRC tool is a place where we can take all of that data and organize
it in a way that complete strangers in a very short period of time can consume it, evaluate
it and give you hopefully a score of 110 and let you keep doing business with the government.

(03:45):
Yeah.
And that's thank you for clarifying that there's, you know, GRC governance, risk and compliance
is a huge aspect of the word compliance to a lot of people, right?
They hear that, but they don't really understand exactly what that means.
And it depends on the framework, it depends on what you're applying that to.

(04:05):
But when it comes specific to the CMMC world and the day is coming where you're right,
it is a scary thing to think about no matter what kind of third party assessment you're
going through, whether it's OSHA or anything related to things that you're required to
do.
Organization is a huge thing.
I think a lot of people jumped into evidence collection, you know, trying to self assess

(04:29):
and throw stuff somewhere and the first thing that you heard feedback from third party assessments
on that stuff is where is it and who answered it, who is responsible for it.
And you're right, having that organization is very, very key.
What also is important is I think you hit on too, is the assessments are essentially
moment in time, but the expectation and requesting to expectation, the requirement is that you

(04:52):
keep it there.
And if you're thinking that, hey, got it done, I'll pay attention to this down the road.
That's, that's where I think a lot of people are going to fall short is that they have
the right to ask you at any time.
So some of the hidden benefits then, if we want to get into that topic on, you know,

(05:12):
the hidden benefits of compliance, kind of, you know, going beyond just the assessment,
talk a little bit about that if you can on on what that means and how a tool like, you
know, what FutureFeed does, for example, can be something you can't just put your fingers
on what those benefits look like.
I'd love to address that.
So my background was not actually doing this kind of work.

(05:34):
For 20 plus years, I ran a chocolate factory.
And one of the things that I learned about quality is that when you deliver quality consistency,
consistently, you deliver profits to the ownership of the company.
And so quality is driven by by doing things in a repeatable way.

(05:57):
What is what is compliance really about?
You have to have a list of controls.
In the case of CMMC or NIST 800-171, you have 110 controls and 320 objectives.
So for each one of those objectives, basically have to write down somewhere how you do that.
And then the proof is in the pudding.
So the proof is, do you have some evidence that you're repeatedly doing those things

(06:21):
that you've written down?
Well, those in another world, we don't really use the term SOP, standard operating procedure,
very often in the compliance world.
But really, that's what we're doing.
We're saying when we do backups, we're going to follow this checklist of how to do a backup.
When we review a change, we're not going to review the change randomly.
We're not going to ad hoc have a different change management meeting every single time

(06:44):
we look at a change.
We're going to look at what are the security implications?
How are they going to help our company move forward?
We're going to evaluate the change.
We're going to then send it to approval.
Somebody is going to approve so that we have good communication.
We're following these steps in the process.
That's a standard operating procedure.
When a company follows standard operating procedures, if you're a candy manufacturer,

(07:06):
your candies come out with the same taste and experience for every single customer.
If you're a car manufacturer or a tank manufacturer or something that you're doing for the government,
some product that you build, you're going to have doors that close with the same gap
every time.
There are engines that run that have a reduced tolerance because even when you hire somebody

(07:27):
on the first day, you're going to whip out this standard procedure.
It could be an IT procedure.
They're going to follow those steps.
With compliance, they're going to sign off and you're going to keep a record that they
followed the steps.
When you do that consistently across your business, an interesting thing happens.
The culture of the business changes.
People then start to pay attention to process.

(07:49):
When you pay attention to process, you pay attention to quality.
Quality means repeat customers even if the government is your customer.
You become the go-to contractor and you deliver profits.
As the Willy Wonka of GRC, then you're saying the single point of failure could be a huge
problem.
No.
There's free marketing things.

(08:10):
If you haven't done that yet, then maybe the next time you're on, you should be dressed
as Willy Wonka.
It'd be great.
We can do that.
I think my Willy Wonka hat has been retired.
Shoot.
I could say I could think of some people that could be your Oompa Loompas.
It'd be great.
On that, I think the single point of failure quotation, that's one of the things that we

(08:34):
see too and across this supply chain is a lot of small to medium size, most oftentimes
disadvantaged when it comes to experience on cybersecurity and technology and stuff.
We see a lot of that when you get into the FutureFeed side of things.
You get into the tools like you're talking about that responsibility, accountability,
the RACI side of who and what and where.

(08:56):
There's a lot of times where the finger gets pointed back to the same person.
That's Mark's job.
Absolutely.
What happens if Mark doesn't want to work here anymore?
Mark wins the lottery, he takes off.
What happens to your program?
You can't have everything change just because there's a new person in the role.
An important part of the GRC tool is it has to match the process that you're going to

(09:16):
go through for the assessment.
We understand that the whole process, I just spoke to the fact that that's going to help
quality and profitability, but how's the tool going to take that process of actually going
through an assessment and make it efficient?
The process is actually three components.
It's interviewing your people.
It's examining the documents that you provide for them that tell the people what to do.

(09:43):
It's testing your systems.
What we try to do in our product and hopefully other GRC tools do the same is for the interview
part, for everything that they're going to look at, we happen to use the RACI model.
We're basically identifying a person in charge of that thing.
Your assessor isn't wandering throughout your company saying, who do I talk to about this?

(10:04):
Who do I talk to about that?
If they randomly pick people, they're likely to get very helpful people who will give the
wrong answers because it's not their area of expertise.
We want to identify who to talk to for each thing.
Because they're an assessor, they're not just a tourist, they're going to ask the same questions
to the person in charge as they're going to ask to one of the people responsible for doing

(10:26):
the work.
Hopefully, the answers are going to match.
If they don't match, they're going to dive deeper and you may get a finding.
That's one of their tricks is just ask the same question to two different people, the
one in charge and the one that does the work, and then compare that to the policy and see
if it matches.
The second thing that they will often do is look at your documents and then they want

(10:49):
to see if your documents all match up with each other.
If you have a policy that says that you do something every 30 days and then you have
records of doing a procedure every three months, there's a finding.
The requirement may have been to do it every six months, but you chose to make a document
that said every 30 days and your records are showing every 60 days and the real requirement

(11:15):
is every six months.
The difference between what you do and what you say you're going to do is a finding regardless
of whether what you do is actually over and above what's needed.
You don't want to overly create your policies that direct your team to do something in a
way that you can't actually sustain and support because that's going to create a problem with

(11:37):
your assessment.
So your tool should be able to capture all these documents to inspect for the assessor,
but also the tasks or some evidence that you're actually doing those things.
And certainly we try to do that in our product.
The last part, the testing, is a little bit harder to capture in a GRC tool.
It's a little bit more random.
This is where the assessor is going to come in.

(11:59):
They will not go in and log into your system and just explore it.
In fact, they're not allowed to.
But what they will do is stand over your shoulder and ask you to bring up an Active Directory
report, bring up this report or that report.
And then they will watch to make sure that whatever you're representing on the interview
and examine actually has some reality in your systems.

(12:23):
And for that part, you're pretty much going to just have to be there.
What you do need is a list of your systems.
And I think one of the great aspects of CMMC is they have you categorize all your tools
and services.
Which ones are CUI assets that store, process or transmit CUI?
They're going to focus really hard on those.
Then they're going to focus on the ones that protect those CUI assets.

(12:47):
They're called security protection assets.
And then there are a couple more categories of assets where you're basically saying, okay,
this could be relevant, but it's not normally in the process of doing CUI or it's completely
out of scope.
So actually when you make a list of your stuff and you say, here's 10 things that are relevant
to the assessment and here's 40 things that are not relevant, you're finding focus and

(13:10):
you're going to go through that assessment more quickly.
So you want to make sure your tool, if you're using a tool to organize all this information,
imagine if all this information was just like randomly in SharePoint or in Excel, it'd be
very hard to maintain and support.
That's why we have tools to help with the problem.
Well, that's well said and to kind of wrap this up then the golden ticket to the Wonka

(13:34):
factory is a really good tool that organizes and traces everything back to what you need
to make things efficient.
And I thank you for hitting on the efficiency side because that is, think about five years
ago when CMMC was first coming from behind the curtain.
I think the number one feedback on any sort of consulting engagement or any sort of third

(13:55):
party view of was I can see a lot and it's all over the place, but this is going to take
forever until we figure out how to organize this.
And in fact, organize it and then we'll come back because otherwise we're going to end
up spending three times as much time and that's money.
Money in time is money.
So well, that's good.
Thank you, Mark, again for being my guest today.

(14:17):
But more importantly, where can people learn more about FutureFeed and how it helps on
everything that you were talking about today?
It looks like it's right under my picture on the screen, futurefeed.co.
You can check it out.
QuickTrack is a fantastic partner of FutureFeed.
They can give you some implementation answers like how hard is it to do?

(14:37):
How long does it take?
All of those things and they'll help you walk through it.
It is a lot of information, but at the end of the day, having all this information that
you gather up about your network and about your people, just having the information isn't
enough.
So make sure that whatever your process is, you have a tool so that you can quickly and
easily find that information and make it useful.

(14:58):
And whether it's FutureFeed or another tool, what you're really looking for is a place
where you can quickly access the information because there's so much of it.
I'm going to leave you with one last thing.
All this information that you gather, which is really mostly summary form, this is your
system security plan.
This is the keys to your castle.
Make sure that if you're putting all that data, you're putting into something that you're

(15:24):
putting into something that you feel good about the security of.
We use the AWS government cloud.
So it's the GovCloud.
We are kind of almost at the end of our journey to be FedRAMP Moderate equivalent.
Make sure whatever product, no matter how wonderful it is, if it's insecure, you're
really allowing the bad guys to come in and not just steal information from you, but steal

(15:49):
the plan on how to get, where is all your information, how to get there and all that.
So make sure that you're considering the security of your platform as you are looking at various
products in the marketplace.
Well, there's probably an everlasting Gobstopper reference to make there somewhere, but we'll
save that for next time.
Well, thank you, Mark.
This is going to be a good episode for people to reference for quite a while still.

(16:13):
We still have plenty of things to learn from how these assessments are going to go.
So thank you for joining today.
That's going to wrap our episode.
And as a reminder, as always, make sure to pop that subscribe button on your podcast
platform that you're listening on.
And if you're on YouTube watching over there, you can hit the subscribe button and that
fancy little bell too, if you want to get the notifications when new episodes come out

(16:34):
in the future.
So again, thank you, Mark.
And thanks for everyone for listening and watching.
But we will catch you next time.