Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Justin Shelley (00:15):
Welcome everybody to episode 47 of Unhacked. I did it right this time. This is take two, guys, because I really screwed that up. Somehow we reverted to episode 17. I don't know. Time machine engaged. Guys, we, as always, have a special guest here today. We're gonna do some quick intros. Unhacked is a podcast where we sit down week after week, and we talk about
(00:38):
how we could keep business owners like you from, A, being breached by the Russian hackers. And as Mario pointed out last week, it's more than just the Russians, but I do like to pick on them. B, keep the government out of our bank accounts and businesses. I mean, they're there, but we wanna keep them happy anyways. And C, if all that fails, we want to make sure that the attorneys don't come sniffing around and taking the
(00:59):
rest of our money. So a lot at stake here, and we are here to prevent all of it because here's the reality of it. 97% of these breaches that we read about were preventable. Basic security measures. We're going to talk about frameworks. We're going to talk about how to put these measures into place. But if you don't do that, and if you get hacked, you're done.
(01:20):
It's game over a lot of times. You really cannot get unhacked. So it's a little bit of a misnomer. We are not talking about how to fix it after the fact. We're talking about how to make it never happen in the first place. I am Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses in Texas, Utah and Idaho. And I'm here as always with my faithful, loyal cohost Mario. Mario, tell
(01:41):
everybody who you are, what you do, and who you do it for.
Mario Zaki (01:44):
I'm Mario Zaki, CEO of Mastic IT. We specialize in working with small to medium sized businesses in the New York, New Jersey area. We've been in business, oh my god. I might have to take my own dick.
Justin Shelley (02:00):
It's all of us today. I don't know. Lori, you're next. You better screw something up.
Lori Crooks (02:04):
Oh, boy. Trish is at it.
Mario Zaki (02:07):
Twenty one years now and, you know, we specialize in, you know, everything Justin just said, keeping businesses safe from all those hackers around the world. And we specialize in helping business owners sleep better at night.
Justin Shelley (02:22):
See, Mario's afraid of the Russians. That's why he won't call them out by name. Chew them up and spit them out for fun. Not true. Okay. So Mario, as always, thanks for being here. And now I'm gonna go ahead and introduce our guest. Lori Crooks is the founder and CEO of CADRA Inc. Is that how, did I say that right, Lori?
Lori Crooks (02:43):
Yes, you did.
Justin Shelley (02:44):
Your organization focuses on security assessments and security management projects. So there's some similarities to what we do. A career focused in information security assessments, developing policies and procedures, everybody's favorite topic, and advising clients regarding their information security requirements. Lori, you bring an understanding of information
(03:05):
security controls to all of your clients. Say hi and tell us a little bit about yourself.
Lori Crooks (03:12):
Sure. Hello. Thank you for having me on the podcast today. So as Justin mentioned, I am the CEO of Quadra. I live in Atlanta with my husband and my dog. I've been doing audits and assessments for about twenty years now, so I've been around and seen a lot of changes and excited to talk about it today.
Justin Shelley (03:32):
Nice. Awesome. Assessments for twenty years. Everybody's like, yes.
Lori Crooks (03:35):
Yes. Dream come true. This is what I grew up wanting to be when I was a child. Alright.
Justin Shelley (03:41):
Alright. Mario, just a quick
Lori Crooks (03:46):
I
Justin Shelley (03:45):
gonna
Lori Crooks (03:46):
ask you, I was gonna ask
Mario Zaki (03:47):
you one question, but now I wanna ask you two questions. A, what's the dog's name? And B, when you do this, do you work with, like, companies like us, like managed service providers, or do you work directly with the company themselves?
Lori Crooks (04:04):
Sure. Well, we'll cover the most important thing first, my dog. Like, she is my pride and joy, but her name is Georgia. I know we're living in Atlanta, but she was born in Brandon, Georgia. So her name is Georgia, so she's a wicked spaniel if anyone's familiar with that. She's the sweetest. So back to the not so boring,
Justin Shelley (04:23):
but still boring
Lori Crooks (04:24):
side. We work with all types of clients, to be honest. We work directly with customers, helping them prepare for their audits, prepare for their assessments, document the policies, procedures. But we do have some partners who are MSPs, and we help them with their clients, again, preparing for any audits, spot checks, gap assessments, that type of thing.
(04:46):
So we're happy to work with anyone who needs assistance.
Justin Shelley (04:50):
Awesome. Now Lori, you said something and I've been poking fun at the policies and procedures. It's mostly because when I go out and try to talk to somebody about this, they just don't get excited with me. I actually do love this kind of thing, but you said it's exactly what I wanted to be when I grew up and I thought you're being serious and then dot dot dot, I lie. Sounds like there's a story there.
(05:12):
Tell me how you got into this if it's not what you dreamed of doing as a little girl.
Lori Crooks (05:18):
Yeah. You know, you go to college, you have these big dreams of becoming a medical doctor or physical therapist or something like that. But once I started getting into those classes, I was like, this is not for me. So I kind of wandered a little bit. I went down the teaching degree for a little bit. I did psychology for a little bit. Like, I couldn't find anything that fit. And then I finally ended up with financial
(05:42):
accounting of all things, and the numbers just made sense literally for me. And so I ended up doing financial auditing for a while. Did that as a career for about a year and a half before I got bored crunching numbers, and was working for the state of Georgia and somebody literally upstairs was hiring for cybersecurity auditing and they asked me to apply.
(06:02):
And I said, sure. And I applied and never looked back. So long story short, that's how I ended up in cybersecurity, not what I wanted to do, but that's where I'm at, and I actually enjoy it a lot now.
Mario Zaki (06:14):
I think we all have that same answer.
Lori Crooks (06:16):
Yeah. Oh,
Justin Shelley (06:19):
not what I wanted to do. I mean, listen, I've told this before many times, but I got into this business because I like pulling circuit boards out of my Apple IIe and plugging in something different, you know, adding memory back when it was like 12 bytes or, I mean, obviously not true, but it just started blowing my mind as things developed and
(06:40):
constant change and technology kept getting better and better and cheaper and cheaper. And it was just a rush. I loved it from the time I was a little kid. Then one day a client got hacked. I'm like, Oh shit, I'm not in the business of putting in sound cards. I'm in the business of fighting Russian hackers. And they actually were from Russia. So that's why I say that. Then it's evolved even more because it's like, we're not just
(07:01):
fighting the hackers now, we're fighting the government, we're fighting attorneys. It's turned into a lot of legal stuff. I'm not an attorney, but now I have to act and think like one. I'm not an auditor, but I have to prevent against those. So interesting developments, right?
Lori Crooks (07:17):
Yes. We have
Mario Zaki (07:18):
to fight employees now too, because these employees are just clicking and opening and deleting and all this stuff. It's like, come on, you know, like, why would you just do any of this stuff?
Lori Crooks (07:30):
But Yeah.
Justin Shelley (07:30):
No, it's a typical day. I might have to add that one into my rant. We're protecting against our employees. And that's the well meaning ones, because we don't really talk much about the malicious ones that on their way out set kill switches and stuff like that. That was a recent headline I read. Good stuff. All right. So on this note, I've been intentionally playful about this. Why do I care? And that's
(07:54):
what I want to talk about. So I'm going to put my business owner hat on because it is what I am. And like, realistically, I don't have any anticipation that I'm gonna get audited. Probably. Not a lot of regulations apply, and this is kind of a scary fact, but in the
(08:15):
IT world, we are not directly regulated. Indirectly, we kind of are through our clients, but directly we don't have frameworks that we have to follow. I have good security in place. Why, Lori, does compliance matter to me?
Lori Crooks (08:33):
Because it should. That's an easy answer. But no. Because you have data to protect, you have your clients to protect, it's like you at home. You wanna protect your house. You wanna protect everything in it. That's basic compliance. You're trying to protect your business. You're trying to protect the data that you have inside of it. You don't wanna become hacked, like you said at the beginning of this.
(08:55):
So what are some ways to prevent that from happening? Well, it's basic cybersecurity compliance. And compliance is great because there are frameworks out there that can tell you what controls should be in place to help prevent against anybody trying to steal that data that you need to run your business. And if you lose that data, you could lose your company, you could be sued,
(09:17):
you could end up paying millions of dollars of fines for various things. It's scary if you don't have compliance and security in place.
Justin Shelley (09:25):
So I will agree a hundred percent. It's a prevention, right? I mean, like, for being honest it's insurance. We have to buy life insurance, for example. But here's the truth, I don't plan on dying. So do I really need life insurance? I mean, if I do, but it can be a hard sell from our perspective and as a client
(09:50):
who's getting ready to write this big check, because compliance is not cheap, it's a significant investment. So while prevention is a huge part of it, hundred percent agree. Let's see if we can maybe brainstorm some actual benefits, because here's the best case scenario when we're selling
(10:11):
compliance and cybersecurity in general, protective measures, it's best case scenario, nothing happens. The ROI is nothing. You get nothing for your investment. Right? That's it. One example though, that I can point to, for example, CMMC, right? Here's a, if you are doing manufacturing and you're working for government contracts, specifically
(10:33):
Department of Defense, you have to be compliant. You have to go through their process. Now the benefit there, though, is you can actually get a lot of contracts that your competitors aren't. You can gain a competitive advantage with compliance. What about that? What else is there besides that,
(10:54):
where compliance, where this investment can actually turn into something, an ROI of sorts instead of just a check that we write with the best case outcome of zero. Mario, thoughts, Lori, anybody?
Mario Zaki (11:07):
Yeah. No. It's absolutely true. So like, you know, using your example, like in the managed services world, and we know, you know, somebody in our weekly group that is compliant with CMMC and only works with companies that, you know, require to be certified in CMMC or
(11:29):
compliant in CMMC. You know, he's able to charge top dollar, you know, for his services because it's a select group of people that can help him become compliant and stay compliant with that certification. So, you know, you become a specialty, you know, when
(11:53):
you're compliant with some of the stuff.
Justin Shelley (11:55):
Okay. Lori, any thoughts there?
Lori Crooks (11:58):
No. I agree. I think it definitely is an advantage. You'll see a lot of times contracts now have security as a baseline, that you'd need to have some basic cybersecurity in place to protect the customer's data. And if you already have that in place, it does give you that competitive advantage over somebody else who might not.
Justin Shelley (12:18):
K. Here's another thought. Let's say that I don't fall under any regulatory frameworks. I don't need CMMC. My clients don't require it. I don't, I mean, I actually have to comply with HIPAA because I have clients in healthcare, but let's say I don't. None of these things directly apply to me. Is there a benefit there? I mean, again, we've got the obvious of we want
(12:42):
to protect everything that we have. I mean, even related to that, or what other benefits are there where compliance isn't required, but might still be an advantage to a business? Any thoughts?
Mario Zaki (12:53):
Well, I think it also depends on the type of compliance you're, you know, everybody has some sort of compliance that they have to go through. So for example, and we actually just renewed ours yesterday, our PCI compliance.
Justin Shelley (13:08):
So if
Mario Zaki (13:09):
you take credit cards at all, if you accept credit cards in any manner, if it's, you know, a physical machine, on your website, verbal or something, if you take any type of credit cards, you have to be compliant. If you, which we definitely recommend and we've mentioned it in all 46 other
(13:30):
episodes that we've done, if you have cybersecurity insurance, you have to be compliant with what they're requiring. Some of the things that they're asking is, do you have two factor authentication? Do you have backup? Do you have this? If you're saying yes to any of it, then you have to be compliant by that. So there's some, everybody,
(13:52):
90% of the businesses out there, you know, fall between certain of these categories like PCI, you know, cybersecurity, even some states like New York state require you to be compliant with certain things. Just if you are doing business in that state, you have to be compliant in that state. Right?
(14:17):
Lori, go, you know, I'm sure you know about it more than I do.
Lori Crooks (14:20):
Yeah. No. Definitely. I agree. There's a lot of different standards out there that you have to be compliant with. Like you said, credit cards, health care information, you have to be HIPAA. It's kind of going back to Justin's comment too. Like, if you don't have credit card data or you don't have health care data, there are standards out there that you can still apply if you have to have some sort of compliance for
(14:41):
industry or for insurance purposes or state purposes. For example, like the NIST cybersecurity framework, CSF, that's a great starting point. And that really is for small businesses. They've just kind of redone it where they make it more accessible to small organizations to actually have
(15:01):
some sort of framework that they could use for cybersecurity. Or you could look at, like, ISO 27001, which is more of an industry, an international standard. And so that's really talking about management systems and being compliant for management systems from the top down. And so a lot of organizations who, again, might not have to comply with
(15:24):
stuff and actually choose to put all this in, there are options out there for them as well.
Justin Shelley (15:31):
So here's two things that come to my mind. Number one, and I'm putting just my CEO hat back on, I'm not a cyber security expert right now and let's just say I don't really know anything at all about cyber security, but I'm writing a check every month to the company who is telling me that I am properly protected. How do I know? And this is
(15:52):
something I run into all the time too when I'm talking to prospects, I'm like, hey, we can do a third party assessment for you or whatever. Listen, I get it. They don't know who I am yet. They don't trust me yet. But I always hear this phrase, we're covered. My IT company has us covered. My IT guy has me covered. And I don't push, but what I'd love to say is prove it. How do
(16:16):
you know? How do you know? Because you're writing a check. That's all you need to know to know that you're safe. Well, what? When you get breached, you know who they're coming after? It's not your IT guy. I mean, might indirectly, but Mr. CEO, Mrs. CEO, they're coming after you. That's who they're going to, they don't care about anything else. It's still your fault that
(16:38):
these protections weren't in place. So if you're writing that check and you're happy and you're sleeping well at night and you don't have any way to really hold your IT company accountable, I'd be worried, I'd be nervous. And then this is one that really never gets talked about, is in marketing. So if we just kind of flip the roles now, whatever my industry
(16:58):
is, and I'm trying to sell something to a client or a patient or a customer, whatever you call who you're serving, and I'm in this transaction, they're giving me personal information. I'm gonna lead with that, like, we're whatever, we can do NIST, we can do CIS, we can, whatever we can prove now. And
(17:20):
last week we talked about SOC 2, which is another great one. But when we can say here is the framework that we're following, here's our audit, our assessment, even if it's internal, we really would like that to be a third party assessment. But now we know that people do business with those
(17:40):
that they know, like and trust. How do we get that trust piece? So I think it's a missed opportunity where we can use compliance as a way to really promote our businesses. So my soapbox is over. Guys, any final thoughts on why we should care as business owners about compliance?
Lori Crooks (18:01):
Yeah, I'll speak to that just a little bit. Talking about depending on your IT provider, just an example that I had recently who, again, small business, had an IT provider that they knew and trusted. And we came in because they had to go through a kind of internal assessment. We came in. We started looking to see what this IT provider was doing, and not
(18:23):
everything that IT provider said was being done was being done. For example, VPNs weren't being encrypted. So all the information that they were sending back and forth was out in clear text. They could've intercepted it at any point in time, and it was sensitive data. Antivirus wasn't turned on for all computers. Simple things like that. So it goes back to my motto, trust but verify. Like, there
(18:44):
should be some sort of check on that IT provider, whether, like you said, is it an internal assessment? Is it an external assessment? And it really goes to continuous monitoring these days as well. It's like, you should always be checking and just double checking to make sure that things are in place, because you never know what might get turned off accidentally or it just never got put in place in the first time.
Justin Shelley (19:05):
Let me ask you a question on this transaction, this relationship. What was the confidence level of the one writing the check in their IT provider previous to the assessment?
Lori Crooks (19:19):
It was good. Was full trust, you know, fortunately it's a small business, they don't know anything about security or IT. Right. You know, they're focused on their part of the business, and they had outsourced it to somebody and thought it was being done and didn't know to check, and it could have been bad at the end of the day.
Mario Zaki (19:40):
So, Lori, you need to tell me you have to turn on the antivirus on every single computer?
Lori Crooks (19:46):
At least centralized. Sure. I need that, the right track management system. Yes. Yeah. Please, every computer should be encrypted, have antivirus.
Justin Shelley (19:59):
Well listen, we're laughing, but Mario, do you ever have your client, well, prospects, I don't really get this much from clients, but where they say, you know, because we're in the negotiating the price phase and they're like, we don't really use this computer that much. Let's leave it unprotected. Do you ever get
Lori Crooks (20:13):
that one?
Mario Zaki (20:13):
Absolutely. Absolutely.
Justin Shelley (20:14):
I get that all the time. All the time. Probably almost a hundred percent of the time.
Mario Zaki (20:18):
And I tell them, I'm like, listen, we don't make you run through a lot of hoops. You know, we, you know, a lot of white glove, you know, support and stuff like that. You know, we only have one rule and that one rule is everything has to be covered, you know. And I tell them, you're only gonna be as strong as your weakest link. If you have that computer that only the intern uses during the summer,
(20:43):
then that computer needs to be disconnected, you know, all year except for when they're coming in. And then that's when we reconnect it and that's when we put the security on. But if it's not being used for nine months out of the year, that needs to be disconnected, put in a closet somewhere, it cannot be active.
Justin Shelley (21:03):
Right. Alright, guys. Let's go ahead and move on to the next section. Mario, I'm gonna go ahead and punt this one over to you.
Mario Zaki (21:09):
Yeah. So Lori, I wanted to kind of paint a little picture here. So let's say I'm a CEO of, like, a company, say 50 employees, specializing in, I don't know, construction industry or something like that. And I'm the CEO and I wear a million hats and something like this slips through the cracks.
(21:32):
And I realized, oh, you know what, it's time, I have to do this or somebody's, you know, requiring this. Kinda run through with me, what does it look like? You know, how do you get started? You know, how does that picture look?
Lori Crooks (21:49):
Yeah. Sure. So it starts off with a phone call most of the time. And then I talk to them about what kind of data they have, where is this requirement coming from, and just trying to figure out what, if it is a regulatory standard, what they have to comply with so we could kind of go from there. Typically, we do a gap assessment as well.
(22:09):
So once we signed the contract, then we kind of get in there. We take that standard and we do an assessment against it, just kind of an internal assessment to see what is in place, what isn't in place, and then work with them through the remediation process for anything that's not in place. Typically, those also don't have policies and procedures. Again, you're a CEO of a construction
(22:32):
company, you have a billion things going on, you're not gonna have time to document stuff. So we help document any of those policies, procedures that are necessary for your organization and for the compliance standard that you have to meet. So it's a lot of back and forth. It's a lot of us kind of helping you throughout the process, understanding, getting an understanding of your environment, and helping you fix
(22:54):
what might be broken.
Justin Shelley (22:57):
I've got a question on that, though. Because again, I've kind of been talking about the pain of the process. I wanna know if there's some value in it on the other side. But can I ask you what the price tag is on this? And again, we'll use a great example, Mario. Fifty employee construction firm. I'm not sure which
(23:17):
framework we're gonna talk about there, but let's say they're building something for DOD. Let's call it CMMC. What timeframes and cost? What are we looking at?
Lori Crooks (23:29):
Gosh, that's a good question because it can reach
Justin Shelley (23:32):
Give me the range. I know that. So let's do, without putting you on the spot, let's just do a high and low, a best case and worst case scenario. Yeah.
Lori Crooks (23:40):
For full implementation, I would probably say, and this is with, like, tooling and stuff, probably mid five figures, like, maybe starting 50,000, maybe a little bit more. 3 to 6 months is probably the short end of it. Again, that's just really small in the tooling. So it could be a
(24:02):
little less depending on the tools that you get, because there are tools out there for CMMC that you just put your environment in their environment and then you're covered, but those typically come at a little bit higher cost because they're managing and taking most of the risk. Right. And the higher end could be, you know, 6 figures, 12 plus months.
Justin Shelley (24:23):
Oh, 6 figures. That's, I mean, this is exactly the problem. Right? This is where I'm asking, what if these don't apply? Should we still do it? Here's where the pushback is. Because this is not simple. This is, and definitely not cheap.
Mario Zaki (24:39):
Yeah. I mean, most of the time, if it doesn't apply, they're gonna avoid it, you know. Yeah. You know, especially when we're talking about even on the low end, like say $50,000, you know, that's, you know, even if it's $10,000, you know, it's something that nobody's gonna wanna just voluntarily do. But they have to understand that, you
(25:01):
know, if they need it, if they're in an industry that requires it, they have to do it. But it also pertains to a lot of the stuff that we've been talking about for months, is getting those in the event a hack happens or a breach happens, all right? What's gonna
(25:21):
end up happening is those lawyers are gonna come around and lawsuits are gonna come around. And if you say, hey, we've taken the proper precaution to protect ourselves. You know, nobody's gonna guarantee a hundred percent, you know, protection, but hey, we're compliant. You know, here's our latest compliancy report. You know, we've been proactive in upgrading this and
(25:44):
this and this. You know what? There's no case. You know? It just, you know, the hackers ended up just winning that day, but, you know, you did everything you were supposed to do. And, you know, chances are there won't be a valid lawsuit at least.
Justin Shelley (26:03):
I'm gonna throw an example out there and I'm gonna get a little shout out to HATZ AI, h a t z, HATZ AI. Mario, are you familiar with, oh god, I can't talk. Are you familiar with them?
Mario Zaki (26:14):
Yeah. Briefly. Yeah.
Justin Shelley (26:17):
Okay. So one of the problems with AI is that the data that it ingests, when we feed it information, it uses that to train future models, that becomes part of the IP of the AI engine. Right? So they now own your data. This can be a
(26:37):
major security problem. So HATZ AI, what they do is they've got their own secured environment where I can put my stuff into that and I know it stays there. Now back to my point of using this as a marketing advantage, they're not required by any regulatory agencies to be secure, but they've gone out and got their
(26:59):
SOC 2. I think they have type one and they're getting ready for two. So they've been assessed by a third party, they're following frameworks. That's their proof that they're keeping my data secure. So I am much more likely to pay them and I'm actually getting ready to cut out some other services that
(27:20):
I've been using, because I don't have that same level of assurance from them. So now all of a sudden this investment, which is large, we can use as a major competitive advantage and possibly even squeeze out some of the competition. I do think that there is definitely a financial benefit to becoming compliant
(27:42):
even though nobody wants to have it forced down their throat by the government, which is where this usually comes into play. Alright. Any other thoughts on this one, guys? Either one of you.
Lori Crooks (27:57):
Just to your point too, Justin, a lot of my clients come to me because, by their contractual obligation, they have to go through a SOC 2. Right. So it's something that their customers are requiring. They're like, okay. If I want to sign this, you know, I need this type of audit. So it is happening a lot.
Justin Shelley (28:15):
I mean, really we can look at it as developing skills, investing into our, you know, anything, anything, Jesus, it's one of those days. All the stuff that we, the time and the money that we put into bettering ourselves and bettering our business. This really is a place where we can do that. And if done properly with the right mindset, we can leverage this to really springboard our organization. So Lori, one thing
(28:39):
you said which kind of caught my attention when Mario asked what the process looks like, you said what you find on your initial assessment is that they usually don't have policies and procedures in place. Tell me a little bit about that. What do you find? Do they have anything?
Lori Crooks (28:56):
Honestly, they'll usually have some technical controls in place. They usually have a firewall. They might have some basic AV. So they'll have some technical controls in place, but when it comes to some of the management operational policies, procedures, those are usually lacking. There's not usually a risk assessment. There's not usually vendor assessments, you know, those types of things. So they're trying with the technical piece,
(29:16):
which is great. But for cybersecurity compliance, you kinda need a little bit of everything.
Justin Shelley (29:22):
Do they have, do you find the basics? I mean, let's talk about BYOD policies or acceptable use policies. Do you usually find those in place or no?
Lori Crooks (29:30):
Sometimes. I'll sometimes see acceptable use policies, rules of behavior policies. Those are the most likely that I see, because usually from a technical standpoint they might have to have users sign it as part of the onboarding agreement.
Justin Shelley (29:44):
So let's take that example, one that you do find in place, and you just said the attorneys made them do it. This wasn't really something they wanted to do. What happens generally speaking in your experience, they've created the policy, make people sign it when they onboard, which by the way is making somebody sign something under duress if you
(30:04):
think about it. And fun fact, my attorney once told me that you cannot retro, like, I can't bring in a new policy and make my employees sign it. I can entice them to sign it, but I can't make them sign it. You can do it when you bring them in, but once they're hired, you can't be like, Oh, new policy here, sign this. So there's some fun ins and outs there.
Lori Crooks (30:24):
But
Justin Shelley (30:26):
well, I had to bribe them basically, to my attorney, and I don't know, this has been a while, but he's like, you have to pay them, like, offer them a hundred bucks to sign the policy, you know, in consideration. I don't remember all the legal terms, but there's a lot of fine print in this stuff. But what is generally the attitude
(30:46):
when, at least just go for this one that they have in place? Is there any kind of, like, ongoing discussion or culture around it? Or is it just sign this with the stack, by the way, of 100 pages that you just had to read and sign off on? What does it look like after the fact?
Lori Crooks (31:06):
Yeah. Like you said, it's usually signed off and then it sits there until the next person gets onboarded that they have to sign it. Especially for, like, acceptable use policies, those have to go through a legal review again. It usually just sits there and they just sign the same thing every
Justin Shelley (31:22):
How often do you find them being reviewed on average?
Lori Crooks (31:26):
Not very often, to be honest. If they don't have to comply with anything, it's usually once and done. I'll go in and have policies that are five, six, seven years old. They wrote it. They haven't looked at it. They're just making people sign it.
Justin Shelley (31:40):
It's like, don't use Myspace on company time.
Lori Crooks (31:42):
Yeah. Exactly.
Mario Zaki (31:46):
Once, you know, you mentioned, you know, the onboarding, the setup, three to six months, could be a year. What happens after that one year? Do they retain you for, like, a, you know, monthly, you know, call, six months, something like that? You know, what happens after the initial and then
(32:06):
after, like, alright, here's our, you know, SOC 2 compliance certificate, you know, plaque, whatever they give you. I don't know. Trophy.
Lori Crooks (32:15):
It'd be nice. Think
they used to. Very early days, I
think, from SOC twos, they would get sent out, like, little
plaques. Some companies did. So it's kinda funny.
But but yeah. So they they can retain me for a little bit just
to on a monthly basis. There's usually a small retainer fee, so
I'm available for phone calls if they have questions. But during
(32:37):
let's take a step back. Most standards have an annual audit.
So once you become SOC two compliant, it doesn't mean
you're done for you actually have to go through an audit the
following year as well. So what I like to do from that in
between period from one year to the next is to make sure, again,
controls are still being in place. Continuous monitoring, we
call it, is being done. The policies are being reviewed
(33:01):
throughout that year, making sure, you know, HR is doing
their job by bringing people on, security training is being done,
etcetera. So so, yeah, we help them on a monthly basis based on
the type of framework that they have and the controls that they
need reviewed throughout that year.
And we just kind of spot check throughout the year to make sure
everything works properly, and then we help them make sure and
prepare by pulling the evidence, gathering it, working with the
(33:22):
auditors that they need our help like that.
Justin Shelley (33:25):
Got it. Lori, I
I wanna say that you have
confirmed my initial hypothesis that people don't like policies
and procedures. This is not something people talk about over
a beer after work. What but they're important, right? Can we
agree on Like at least in this room, we can agree on that.
(33:47):
You have any tips or tricks for a business owner to maybe build
a culture or do something to make these things more than just
a document that gets signed under duress and then put in a
file and never looked at again.
Lori Crooks (34:02):
Yeah. It really
comes from the top. If you wanna
build a culture around cybersecurity, it becomes with
awareness of training, making it fun. A lot of the training
programs now are more interactive. They were more
gamified.
And so it kinda takes those policies and breaks them down
into things that people can actually understand and relate
(34:25):
to on a regular basis and makes it fun. I'm using the air quotes
as much as you can make policies fun, but they try to make it fun
through the through the games, you know, the kind of examples,
like quizzes and stuff like that. So I I think that's the
best way to do it. It's just a reminder too. It's, like,
reminding people monthly every other week, like, hey.
(34:46):
Don't forget this tip that's from your information security
policy or this tip to don't leave your laptop in the car, so
somebody can steal it. You know, those types of things are good
as well.
Justin Shelley (34:56):
Do you have any
examples of the gamification?
Lori Crooks (35:01):
I'm trying to think
now now that I say that. I
haven't used one personally, but I had there are a lot of more,
like, fun videos where you could, like, click on emails to
open or you click on like poster boards to try to find something
kind of unusual within the room and stuff like that. It's been a
(35:21):
while, but I remember kind of going through a while ago. It
was interesting.
Justin Shelley (35:26):
I had a and I
this has been a while, but when
we in our company, when we we switched to a new vendor for
security awareness training Mhmm. And one of the things that
they had was a leaderboard. At this time anyways, my techs were
very competitive. And so they would run around bragging about
(35:48):
their score, their risk score, and like I'm better than you. I
loved it.
And what what has frustrated me ever since is the same company
that has this leaderboard. They when each employee signs
themselves up or, you know, goes in and configures their their
account, it randomizes their username so that nobody else
knows who it is. I'm like, why in the world
Lori Crooks (36:10):
That's
purpose.
Justin Shelley (36:11):
I know it. And I
keep asking them, I'm never
gonna quit until they actually develop this. I want a kiosk
display with real names where we can publicly reward and also
publicly shame and humiliate based on their score of are they
clicking on the stupid phishing emails? Are they reading and
accepting the policies and procedures? Because that's part
(36:32):
of it.
Are they taking the annual training? Are they taking the
weekly micro trainings? But I do think that until we find a way
to really make this part of our culture, we're never going to
have anything other than dusty policies.
Lori Crooks (36:45):
Yeah, agreed.
Justin Shelley (36:47):
They're just
because the government of the
attorneys made us do it, or more more realistically, they're just
not there at all. Now that we've fully developed this fun topic
of policies, let's get into tell me and I know there's a lot of
frameworks, but if we just could pick a couple, let's say one,
two, maybe three policies that are the most bang for the buck,
(37:09):
what would you say those are?
Lori Crooks (37:12):
We talked about the
acceptable use policy. I think
that one's important. Again, rules of behavior, how people
should be using their computer, how they should be using their
computer, how they should be using the data and stuff. So
definitely acceptable use policy, I'd say, is one of the
top ones. Typically, see information security policy too.
This is more geared towards cybersecurity as a whole, more
(37:36):
towards some of the IT people as well, but it's good for general
users to read through as well. And then I'd say incident
response, I would say probably be very round out the top three.
As we all know, unfortunately, we're probably gonna have an
incident, knock on wood, at some point in time. So there should
be a policy for your IT department on how they need to
(37:58):
detect that, how they need to investigate that, how they need
to respond to that, and how they need to notify people that there
is a potential incident.
Mario Zaki (38:07):
Okay. Have you been
seeing a lot of AI policies
coming up?
Lori Crooks (38:12):
I have some. And AI,
I think, is getting a little bit
better, but kind of what Justin was saying earlier, I hesitate
telling people to put stuff in it because you don't know what
what where it's being stored on the back end, what's gonna
happen. But I think AI could be good to enter into their
policies, but you still have to kind of fine tune it for your
organization and kind of the people that you have and the
(38:34):
tools that you have within the organization.
Mario Zaki (38:36):
Yeah.
Justin Shelley (38:38):
So, Lori, you
you quickly kinda mentioned what
should be included in an incident response plan. Let's
talk about the the acceptable use in the information security
policy. What are just, like, some some key components
headlines that need to be in those policies? How about I
write one?
Lori Crooks (38:55):
Yeah. Sure.
Acceptable use is really, as it
says, it's what you can use your computer for, what you could use
company information for, And this is usually the one that the
lawyers like to sign and review because it's telling people what
you can and can't do with the company information. So don't
post company information on websites. Don't go out x now
(39:19):
and, you know, save all the company data or share all the
company data.
Don't use public Wi Fi when you're transferring sets of
information. Like, those types of things should be included in
your acceptable use policy for users to understand this is good
things to do with the company information. This is bad things
(39:40):
to do with company information. And so then you have your
information security policy, which really could take a lot of
different topics. And kind of roll up into one.
So it could include access control. So it could talk about
your username and password policy where your passwords are
minimum of eight characters and special numbers and special
(40:01):
letters and numbers and all that combination. It could include
some remote access, so telling users they need to use a VPN as
part of logging in remotely from from their home into the work
into the work area. So words are hard today too for me, Justin,
so you're not the only one struggling.
Mario Zaki (40:24):
You know, with that
last part said, and I I don't
know about you, Justin, but I get this every once in a while.
You know, almost every new customer we set up for and, you
know, tighten up security. We have at least one customer or
sorry, one employee for this customer that says, I don't want
to use 2FA or I don't wanna use my personal phone for two factor
(40:46):
authentication. You know, what we usually tell them is like,
this is the same person that's probably sitting there texting
all day while they're supposed to be working. But what do you
usually, you know, how do you usually attack something like
that?
Lori Crooks (41:02):
That's a good
question. You know what? It
kinda goes to the company at that point of time. It's like,
are they willing to buy them a second phone to have that
authentication? Otherwise, you have to use some sort of hard
token, which, again, I don't most people are gonna wanna deal
with anymore either to plug into their laptop and return their
(41:23):
login.
So I don't think there's a way around it. I think to
authenticate that it's here to stay. Again, it's gonna be
either they either buys them a separate zone to use it if the
company's good with that, or, you know, they just get push
notification to their phone.
Justin Shelley (41:38):
So Yeah.
Mario Zaki (41:39):
I usually give them
those two options, or I usually
give them a third option is tell them to get the hell out of the
office.
Justin Shelley (41:46):
Yeah. Well,
there's I I think that and
again, on the subject of just creating a a positive culture,
we want to make people some skin in the game interested in it. If
they're pushing back, first of all, I would wanna find out why.
What's what's the real problem with using your phone? Is it
that you just don't wanna use it?
Then fine. Here's a second phone. Is it that you feel like
(42:07):
you shouldn't be financially supporting the company? Then
fine. Here's $30 a month or $20 a month or whatever to to offset
your cost for your cell phone or to show you that we care, know.
But Mario, you're right. Ultimately, we can't in some way
get them into this security minded culture, They can't be
(42:28):
there. They've gotta go. Like a %, if you've got somebody that's
a security risk, fire them. Right?
Yeah. Just ask Donald Trump, You're fired.
Mario Zaki (42:41):
And that's exactly
what I've had conversations
with. I'm like, you know, if you're asking me to not enable
it just for this employee, the answer is no. It's not gonna
happen. You know, Unless you wanna sign off on a bunch of
stuff saying, you know what? Don't call us when something
happens, you know, which nobody ever agrees to, you know?
(43:02):
But, you know, we tell them like this this is those are the
people that, you know, will end up clicking on something and,
you know, causing a problem and, you know, like you have to be
firm and you know, like this is the, you know, price of doing
business or being an employee of this company. You have to use
(43:23):
two factor authentication and you get one of those people like
every once in a while. It's like, I don't wanna use my
personal phone.
Justin Shelley (43:32):
And then it
comes down to again, I would
wanna find out why. Is there a valid reason for it? Fine. I'll
accommodate. Is it just because you wanna be an ass?
Well, you don't fit our culture and you gotta go. Right? I mean,
because if if you've only got a handful of people that are being
we can call this defiant again, unless there's a real reason for
it, then we don't want them there anyways. If they're not
(43:56):
going to follow this policy, what else are they not going to
do? I mean, it just seems like there's this person probably
needs a therapist more than a second phone.
Just my thoughts. Alright guys, listen, we I think we've kind of
covered everything that I had in mind for the day. Is there
anything else? Have we missed anything Lori that you would
(44:19):
like to talk about before we wrap up?
Lori Crooks (44:23):
Not off the top of
my head. Okay. This is a great
conversation.
Justin Shelley (44:27):
Perfect. So then
let's go ahead and do this. I
kinda like to wrap up with key takeaways. Let's assume that
nobody listened to anything but this part of the podcast. What
do you want them to know about everything we discussed today?
And, Lori, I'm not gonna put you on the spot. I'll give you a
minute. I'm gonna have Mario go first. So you've got as long as
it takes him to answer this question to think up your own
(44:48):
answer. And then I'll and then I'll have you give yours, and
then I'm I'll I'll tell people how to get ahold of you, and
we'll go ahead and wrap up for the week.
So, Mario, key takeaway for this week. What do you got?
Mario Zaki (45:00):
You know, for me,
the a key takeaway for this is
that it's every business out there is gonna fall under some
sort of bucket, you know, some sort of compliance, you know,
like we mentioned earlier or I mentioned earlier, you know, it
could be something small like PCI, you know, or it could be
something huge or like CMMC. But if at the very minimum, if you
(45:26):
have some of these policies in place, you'll you'll be ahead of
the game, you know, probably stand out from, you know,
competitors and and, you know, have a better workplace, better
culture, you know, for your employees and for your
customers.
Justin Shelley (45:43):
Okay. Alright,
Lori. Your turn.
Lori Crooks (45:47):
Oh, pressure's on.
No. I think it goes back to kind
of I think Justin said it best too. It's kind of the the
culture of compliance and cybersecurity. I think it's
important for cybersecurity to start at the top and go down
through the organization.
And that's really the only way everyone is going to get on
board, is if you have that appropriate culture. And I think
(46:10):
that should be for every organization, whether there's a
regulatory standard out there for you or not. I think it's
important and it gives you that competitive advantage.
Justin Shelley (46:18):
I mean, I I
couldn't agree more with the
whole start at the top. And it's I say this out of experience
because getting the top, getting the leadership to go through the
cybersecurity awareness training, they don't feel like
they have time for that, Largely speaking, I'm not saying it's a
%, but that is that is a constant problem. And I'm sorry,
but if you aren't doing that, if if you're not personally taking
(46:41):
it serious, you cannot expect those that work for you to do
any better. You just can't. So % agree with that.
I would say my key takeaway today is that everything that we
are dealt in life can be I'm gonna put some asterisks on
there. There are exceptions to this rule. Generally speaking,
we can look at things as a problem or we can look at them
(47:02):
as an advantage. And so where we are forced into a world where we
do have to prove that we are taking security measures
seriously, whether that's through mandated compliance or
voluntary compliance. I really believe that this can be an
advantage to us personally, because while I was sleeping
ignorantly by writing a check thinking my IT company had me
(47:25):
covered, now I at least have some confidence in them.
If I know that they're following the frameworks and and maybe
even pushing pushing them on me. But then the other side of that
when I'm trying to sell my services to somebody else, when
I can show that I'm doing this, that I'm taking their privacy
seriously and I've got it backed up. I could document it. I
really do believe that to be a a competitive advantage where we
(47:46):
can probably reclaim a significant amount of the
investment to get there in the first place. So that's, that's
my take on it.
Lori, thank you so much for being here. I'm gonna go ahead
and plug your services. Cadra.com, C A D R A Com. And we
always have links to our guests. You can go on unhacked.live and
get more information about Lori, who she is.
(48:09):
But Lori, if you want to say anything, any elevator pitch or
any final words about your business, what you do, who you
do it for, you're welcome to do that now.
Lori Crooks (48:19):
Sure. So we focus
on small to medium sized
businesses who might not understand cybersecurity
compliance and what the need is, and we try to take complex
environments and legal language and kind of tone it down so the
normal person can understand, and we help implement and walk
you through that process. We hand you hand through you
(48:40):
through the entire process from beginning to end and help you
get through the assessment for whatever compliance standard
that you need.
Justin Shelley (48:47):
And I think I
heard you say earlier that you
do on occasion work with MSPs like us if they want some help
from an outside firm. So we we do get some of our peers listen
to our show, so we'll put that plug out there for you as well.
Lori Crooks (49:00):
Thank you.
Justin Shelley (49:01):
Alright. Mario,
always a pleasure. Thank you for
being here. Thank you, Justin. Guys, like I said, if you have
any, want to check us out on unhacked.live, we've got all of
our links up there to our guests, to our social media.
We have free assessments that we offer. Go ahead and hit up
unhacked dot live. And until then, thank you guys both for
(49:24):
being here, and we will see you guys next week. Take care.
Lori Crooks (49:27):
Thank you. Bye.