Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

**Breaking Cybersecurity News Raw & Unfiltered** From Zero-Trust to Zero-Day: An Interview with PreVeil's Compliance Wizard, Noël Vestal

April 04, 2022 Petronella Cybersecurity

***In order to get the breaking cyber news to you guys FAST we are posting these right after the live broadcast! If you prefer your news more filtered, keep an eye out for the edited posting tomorrow!***

In today's podcast, PreVeil's compliance manager, Noël Vestal, discusses how using Zero-Trust end-to-end encryption helps fight the Zero-Day attacks that are all the rage today, and why having trusted vendors is crucial to help implement compliance standards, especially when a government contract is on the line.

Compliance takes hard work, even with vendors there to help, but knowing who to trust makes all the difference.

Links:

Special Guest: Noël Vestal, Compliance Manager at PreVeil
Host: Craig Petronella
Co-Hosts: Blake, Erin, & BJ

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

All right. We should be live on our next podcast. We have a special guest today. Noël, please introduce yourself.

Noël:

And I'm the compliance manager at PreVeil.

Craig:

Welcome. We also have Erin and BJ.

Erin:

Yep. And we're very happy to have you, Noël.

Blake:

Don't forget about me. I'm

Craig:

Oh, Blake's on there too, right? Sorry, Blake.

Blake:

Quiet as a mouse.

Craig:

Yup. He's in the background.

Erin:

Yeah. So I guess today, some of the big, exciting news was a couple more zero-days occurring. There's two more with Apple iOS and then one with Chrome, I believe it was, which we'll link. But it's saying here too, though, that with Apple, they're on track to have like more zero-days than before. And I'm actually curious about that. Like I wonder, is it just because the hackers are getting smarter, or is it because things are getting rushed out of production?

Craig:

I think it's always a rush, it's push it out. We talked about this before, push it out and then do security or backups later. Do damage control. I think it's maybe heightened awareness, maybe Apple is investing more in cyber and maybe they're having more reviews and they're finding things, and maybe they also have teams that are searching the dark web and looking for exploitation of their different iOS and macOS operating systems. So I think it's maybe a combination, because obviously with the heightened threat landscape, I think that's like most good companies, they should be increasing their cybersecurity investments and their testing and checks and review of things. So I think it's a combination.

Blake:

I think it has to do with cost too. It's just so much easier for them to push an update out. Let everybody complain, let everybody find the vulnerabilities and report them back. It's just the practice in this business these days.

BJ:

But I think Craig used a very interesting term when he said heightened awareness, because I think heightened awareness is affecting a lot of things these days. And there's probably a lot going on with all types of companies with their software and technology. And it's just requiring a lot of agility and mobility to keep up with whatever is at the cutting edge right now. So heightened awareness is a whole uncharted territory, isn't it?

Craig:

Every company should be under heightened awareness and alert, to be looking after their systems. Obviously following good cybersecurity hygiene, security risk assessments, pen testing, all that fun stuff. But I think now it's more important than ever before to do those things.

Erin:

And then actually, Noël, you work for PreVeil. And I think that could actually really tie in to this. So if you want to tell everybody a little bit about PreVeil and what you guys do.

Noël:

Yeah, certainly. So PreVeil is a zero-trust, end-to-end encrypted email and file storage system. So totally, exactly in line with what we're talking about right now. And it's something that I think, to everybody's point, it needs to be at the forefront of everybody's minds. I know now that one of the things that, I deal with all types of different compliance, our internal compliance as a company, the different frameworks we have to be in line with, but also I deal with external compliance that all of our customers have to deal with, like NIST 800-171, CMMC now version 2. That's a perfect example. You're talking about the Department of Defense and the defense industrial base, the DIB. That's, I think it's something like 200 to 300,000 different companies all over the country and in different countries as well, who are working directly with the Department of Defense to do all different types of things: manufacturing, staff augmentation. There's a bunch of stuff that different companies do. All these companies have access to sensitive information, every single one of them to some degree, varying levels, obviously some way more sensitive than others. In, I think it was December of 2017, the DOD came out and said, okay, we really want to take cybersecurity seriously. Okay, great. So we're going to do that. Every single contract is now going to have a requirement that states that you have to be in compliance with NIST 800-171, there's 110 controls. They never followed up with anyone. It was just, hey, you're going to say that you do this and we're going to believe you. And that's it. And that's exactly what the standard has been. So what we're all talking about, this is a perfect example. All these zero-day vulnerabilities and exploits that are coming out, you can't just assume that everybody is doing what they say they're supposed to be doing, and also that they even understand that they're doing it correctly.
Like the average company, most of them do not have some cybersecurity person or some compliance person who has any understanding of this kind of stuff. So you're asking hundreds of thousands of companies who, they might just be making widgets in the middle of nowhere, and they don't really care about zero-day exploits from Apple or Google, like they use Windows. So what does it matter? I don't even think, they probably don't even hear about a lot of this stuff. I'm really happy, honestly, it makes me feel a little bit more secure, but of course I'm obviously an IT security nerd. So take this with a grain of salt, but I'm really happy that we're finally getting to a point where people are getting, there's like checks and balances with it. And CMMC is doing that, it's okay, now we're actually going to come out and make sure you understand what you're supposed to be doing and that you're doing it correctly, hopefully to keep us all a little bit more safe. I really hope too that it spreads out more into, and I know that there's some frameworks too on the commercial side, more than a few that do those types of things, like ISO 27001, and there's so many different ones, but I'm hoping too that maybe other agencies will also get on the bandwagon. I know that the Department of Justice has one, I think it's called CJIS. They have one, but it's a little bit less involved in some ways and more involved in others, but I don't really know of a whole lot of others that are more or less specific frameworks for different areas of the government, but I feel like there definitely needs to be. And I think that, like the standard, unfortunately government is usually a bit behind commercial, obviously

Erin:

I'm just a little.

Noël:

is like a smidge a little bit. I think we're finally seeing that a little bit of that catch up, but of course there's, there's the bureaucratic red tape. There always is with these types of things and we're still, still chugging along, but I am really, I'm hopeful, optimistic, I'm optimistic, but cautious. I'm hoping that it will all work out fine, but I definitely, I think it's so important to make sure, we all on this call and I'm sure everybody listening, it's almost like we're preaching to the choir. Everybody here is yeah, absolutely. We need to do this. Okay. How do we do it? That's the tricky part.

BJ:

No, I think it's really important to help listeners and, maybe today's listeners and who knows who will be listening tomorrow or a week from now. So I think it's important to frame the context for our listeners, because you have a very interesting background in this space, in compliance, in cybersecurity in general. There's so much confusion. There's so much misunderstanding and confusion. So I think it's important because at Petronella Technology Group, and especially Craig Petronella, for years and years has really placed a lot of focus on keeping up with how this space is evolving, and then also always trying to vet the right partners and the right technology solutions. So your background, because you come from a background where you worked with the DOD and you presented regularly to, start military generals and things of that nature. So you have this background that screams of like high-level experience, and you made the choice to go to PreVeil, and PreVeil is one of our top partners that we believe strongly in the quality of the technology. So with that being said, with your background and your choice to go to PreVeil, I think that's important context that I think our listeners would love to hear more about.

Noël:

Absolutely. No, I'm glad you brought it up. Yeah. It, I take care, I seriously, you should write my resume. That sounded amazing. My God, wow, that sounds really great. So I actually started out my IT, this is the really funny part of the conversation. I started out as a high school English teacher.

Erin:

Oh, I didn't know that.

BJ:

Oh, which explains why you have an ear for good writing.

Noël:

I do. Yes. I love good writing. I love good writing. It's also, I always get roped into writing all the documentation everywhere. But that's fine. I'm okay with that. I like it. And I ended up working for a small company that was doing contracting work. This was, gosh, this is 15 years ago. Worked for this small gas company that was doing work for different partners: government partners, federal partners, private partners, what have you. I didn't know anything about contracting. I didn't know anything about any of it. And I worked there for a while. I ended up working for DC government actually for a couple of years. So I was a portfolio manager in the Office of Unified Communications, which is, they host all of the emergency management for the District of Columbia. I wrote their continuity of operations plan at the time. Did all kinds of, you managed the budget? You name it, I probably did it. And then the DOD came knocking. Basically I was, what was DOD government, it was contracting, and I ended up in DOD contracting for quite a while. I've worked for the Army primarily, DCMA as well. I've done, there's not a whole lot IT related I probably haven't done. I've run help desks. I've run massive programs. The first program I ever ran was actually an application that was in every single branch of the United States Army, so across the whole world. And yes, like you said, I have, so we were talking right before this about how there's always technical issues. I remember when there was like a huge, we're talking 150 people in a room, huge. I was supposed to do a live demo of our system. And I tried to tell everyone that was a terrible idea. And of course it was. So it went down the minute that I started touching it in front of 150 people, all stars on so many shoulders. And people are just sitting there staring at me like, why is this not working? And I was like, the internet here is really bad. I'm so sorry.
So yes, I have been in that situation many times where very important people are staring at me and wondering why I look like an idiot. It's good. It's good practice. It's very humbling. Very humbling. Yeah. I very much loved my time with DOD, but I actually, yes, a hundred percent, the reason why I came to PreVeil is because I was actually a PreVeil customer. And I loved, I love this product so much and believed in it so much that I came to work here. It's, I really, it's funny because I'm the only person at PreVeil, at least at this point, who was a customer before everybody else came on board. It's, the company is only about three years old, surveillance came on from other things and what have you. So I'm the first one, probably not the last, but I'm the first person to have that perspective, which is great. It's a wonderful company. Aside from the fact that the technology is fantastic, this is a company that genuinely wants to do right by all of our customers. We really do. It's, I will never, I'm going to do my absolute best to never tell anybody something that isn't true. I want to make sure, because like you said, there is so much confusing information in cybersecurity in general. And then you put compliance on top of that, and then you put DOD-related compliance on top of that, and you've got just like an absolute perfect storm of insanity where, I've heard rumors, everything from oh, CMMC, is it real, to it's not going to be a thing, to I don't really need to do this even though I have CUI, which is controlled unclassified information, which is literally the whole crux, basically, of CMMC. I've heard it all.

BJ:

And so before you came to PreVeil, you were in the capacity of having to help, from the DOD side, having to help get CMMC going, get the machine moving, in the capacity of the last job you were in. And in that capacity, PreVeil was a solution that you chose.

Noël:

Correct. Yeah. So I was actually at, yeah, I was at a defense contractor. Yeah, I was basically in charge of all of the CMMC slash NIST compliance now. And I'll tell you that I knew what these things were, obviously I've looked into it, but I had never dived into them anywhere near the level that I had to all of a sudden. And I think that so many different people are in that space right now. Because small companies, you guys know, like in a small company, one person never has one hat. That's never how that works. You usually have seven or eight, at least, max 10, 12. I don't know. I don't think there's ever been a person who worked at a small company who only had one hat that they ever wore. Like I don't think it's humanly possible. And so obviously I was dealing with all of our management at the headquarters level of all of our different programs we had with the DOD, plus trying to get all the compliance stuff done. It's a lot, it really is. And I've told people this so many times, I've been in IT for a long time now, or a decent amount of time. And I have my master's in IT, I have all these fancy little certifications, and I was confused with CMMC implementation. I was confused, like, okay, is this what this means? Or is this what this means? There's so much room for interpretation on it. And so I feel like if I can get confused, what happens to the person who's just making widgets in the middle of America, who really genuinely doesn't care? And it's, I just want to make widgets, let me make

BJ:

That is such a powerful point that you make. That's such a powerful point that you make, because you don't represent the average DOD contractor, because of your vast experience in IT and the DOD, right, directly. So the average contractor is at a disadvantage compared to, uh, you were feeling confused, but you were at an advantage because you had that specific viewpoint where you had been involved with the DOD and IT for a long time. So to someone that, like you say, is just doing widgets, they just want to produce this one thing, and doesn't have IT background and doesn't have the DOD background, the confusion can probably feel just overwhelming.

Noël:

Oh, it's insane. I, so we actually have at PreVeil, and I believe this is on our website, if you go to preveil.com, and that's P-R-E-V-E-I-L, just because it's not "prevail" with an A-I, but there is actually, we have something that our marketing team has pushed out where it's 15-minute compliance calls with me for free to anybody who wants them. And so they've been really eye-opening to me. I ended up having a call with somebody, one of those 15-minute calls this week, with somebody who told me that they had a contracting company come out that said, oh yeah, we're going to help you with all this. We're going to get you compliant. No problem. He said they came out, and they were a manufacturing shop. They came out, forced them to spend like a hundred thousand dollars, she said, on all these different things to get them quote unquote compliant. They had to then go through and rip all of it out because it was all wrong. So the grand total ended up being over $200,000 that this company had to spend between paying for the consulting, paying for the actual equipment, and then paying for like the consulting and equipment to get it all removed when they realized that it was all wrong. I mean, it's, and this is not the first time I've heard this. This is like the seventh time I've heard this,

Craig:

Yeah. I remember when we went through the training, the CMMC training, because we're all registered practitioners on the call and we've got three others. But when we went through the training, there was so much misinformation and so many scams out there. They actually had to have a signed code of conduct around, you're not allowed to do guarantees or anything like that. It's just such a big mess. I like what you said, Noël, about how you feel like CMMC should go in and bleed into other areas. And I've said that for many years, ever since it was in beta. HIPAA was enacted in 1996. I think there would be huge benefits to rolling out a CMMC 2.0 program to medical practices. But I think what also needs to happen is a little bit more teeth in it from the DOD side on, look, this is what's happening. You need to do this. Here's the signed order. You have three years or five, whatever they want to put on the board, but put something on the board.

Noël:

Yeah. It's gosh that's such a good way to put it, put something on the board. The problem is that many things get put on the board and then they get shifted around or like other stuff gets put on top of what was on the board before,

Craig:

Yeah, but isn't it, isn't, sorry to interrupt, but isn't this kind of a matter of national security at this point, with Russia and Ukraine and the world crisis happening? Don't you think that pretty much any business would benefit from the maturity model of CMMC 2.0?

Noël:

There's, exactly, you make such a valid point. There is a reason why NIST 800-171 exists. It is, it's the National Institute of Standards and Technology. That is why we have it. Every, again, like I said, every one of these companies was supposed to be doing this for the past five years anyway,

Craig:

And, yeah. But see, I think that just to back up for our listeners a little bit, so if you go to NIST, like Nancy, Indigo, Sam, Tom, dot gov, you can go and download the NIST 800-171 framework. It's a PDF. It's about 300 pages. To most of you, it's going to look like Chinese or Greek, but the point is that it's available to everyone. It's a framework that's been designed and it's effective. The problem is the confusion. People get deer in headlights. They're like, I don't even know where to start. There's overwhelm. We obviously can help them. And we love solutions like PreVeil. Not only do we love it because we use it, we use it every day, right? So we like to use what we recommend because we vet and test things, like BJ was saying, and we found it to be a very proven, effective tool to increase our own security very rapidly. And we've set up like bundles and exclusive discounts for our customers that go through us to use the PreVeil ecosystem. Because I feel like it's not only a great product, but it's an accelerator. It really moves them from typically a negative system security plan score, or SSP score, or SPRS score rather, it moves them to a positive very fast, as long as they can get policies mapped over and things like that. But the point is, I feel like it's a catalyst.

Noël:

Thank you. And thank you. And absolutely, that's what we're trying to be. That's really what we're trying to do at PreVeil, is make it accessible. Like you said, it's so confusing. There's 110 controls, and each one of those controls, honestly, can get more confusing than the last, and controls connect to other controls, and there's information on one control that's going to be found on another control. And then there's, you have to write a system security plan. Okay, cool. But there's also significant, like, procedure and policy behind that system

Craig:

that's right.

Noël:

It's just, it is, it can feel like the most overwhelming thing in the world. And I genuinely understand that, because I know that's how I felt. I was like, oh man, how am I going to do this? And I worked for a small company, and this was less than 40. It wasn't like we had a ton of endpoints floating around and what have you, but still, so I can imagine again, like being in a situation where if you've got five to 10 employees and you're trying to find a solution that's cost-effective, that's a huge one. Not only just the time it takes, but also something that's a solution that's not going to break the bank, but still, like you said, get you to that compliance as quickly and easily as you can. And something that's not going to interrupt what you already have. And that's one of the things I loved about PreVeil, and that's why we went with PreVeil. That's why we were a PreVeil customer, because it doesn't change what you already know. If you have Office 365, you have 365 commercial and you want to keep commercial, great. No problem. You can do that. PreVeil is installed, I think you can install PreVeil usually in less than like an hour. We say less than a day, but truly I think it took me less than an hour to install it when I had it. And I was like, oh, that was okay. That was easy. It's just, it's very easy and straightforward, and then you can scope everything down. That's the thing, like if I can, man, I will get that tattooed on my forehead if I have to: scoping is your friend

Craig:

Yeah, I think what confuses a lot of people though, is they, like you said before, Noël, a lot of, especially small businesses, they wear many hats, right? So everybody's wearing about a dozen hats, especially nowadays with COVID and short staff, we're all wearing more hats than ever before. But I think that the part that adds fuel to the fire, so to speak, around misinformation or confusion is a lot of these small businesses, they're not just using one application. So they might be using Microsoft. You've mentioned Microsoft Office 365 commercial,

Noël:

yep,

Craig:

It's a disqualifier, it's not US citizens. Microsoft says, look, you have to use a different product called GCC High, but that product's super expensive and usually cost prohibitive, which is what PreVeil's a great alternative for. However, if you choose that, PreVeil for your data and your email, which is an awesome solution, that's what we chose, you still have to know how to deal with CUI. Like you can't go and send a coworker a CUI document in Teams, for example. Now you're going to have an issue. You have to make sure, but companies don't know this stuff, right? They're like, oh, you told me that we could use commercial. Yeah, but you have to understand data flow and you have to understand proper handling of CUI. And I think that it adds to the confusion, where a lot of people use QuickBooks for financials, for example. If they're doing sales orders and quotes and they've got DOD clients or, declines, vendors, whatever, now that could be FCI or CUI. And if it's not clearly marked, now you've got a problem with that ecosystem. So now you've got to map a system security plan to that.

Noël:

Oh God, you're absolutely right. That's why I'm saying that is a perfect example. Scope it down as much as humanly possible. That is going to be the saving grace. That is one of the things we tell all of our customers: make an enclave in PreVeil of all your CUI, anything CUI related. You only communicate it through CUI, encrypted, encrypted email. You only file share there. You only give access to the people who need access. You have to make, one of the things I think is really great about, there's a few different things, obviously, quite a few, but one of the things I really love about CMMC is it's forcing people to scope down, because really up until now it was like, oh, everybody can look at CUI, whatever. Sure. Like, why not? I'll just have this guy look at it and that person and whoever. So now everybody's scoping it down because it's easier, but it also is significantly safer. You shouldn't have it unless you really need to see it for some reason, and technically CUI is not on a need-to-know basis, but really it should be,

Craig:

treated that way

Noël:

absolutely, it should be

Craig:

And like I tell our customers, when in doubt better to secure it than not, and find out later, oh, crap. Now I'm in huge hot water because I didn't secure that, better have the culture put in place now.

BJ:

The feeling of regret is not worth it by any means, but every time Noël keeps driving home this point about scoping it down. And it's so interesting because Craig, you say that a lot as well, but every time I hear Noël saying this about scope it down and scope it down, in my mind I see basically like a picture of laser focus. When you do that, you're focusing your best cyber hygiene practices, right? With your best tools, you're laser focusing them so that all your vulnerabilities, you're putting your laser focus on them. And then you don't have so much to worry about at your perimeter, because your laser focus is on your important stuff. And so along the lines of that scope, I think it's so important also to touch on, Noël, you mentioned something last week when we were talking offline about basically people looking at this the right way, and scoping even your viewpoint on how you look at CMMC. Because as Craig has driven home for years with us, it's a combination of people, process and technology, right? That's your cybersecurity and your compliance. It's a combination of people, process and technology for CMMC. And I think you agreed too, you moved to a private technology company. Technology is really at the tip of that triangle now, I guess it's the forward progress tip, right? But people and process are still very much a part of this. And to get your people and process aligned with your strategic technology at the cutting edge, you have to scope and laser focus, you have to align everything so that you have something that is streamlined and prepared to be in that stream of forward progress.

Noël:

Absolutely. No, I feel like Craig and I are probably spirit animals, but I'm, yes, a hundred percent. Can I tell you how much I agree with that? The thing that I always, what I always say to our customers too, all the time, is there are three things that every auditor or assessor is going to look at. They're going to examine your documentation. That's the first thing. So if you have a policy that states I'm going to have password complexity, it's going to have 12 characters minimum, it's going to have this many special characters, this many uppercase, lowercase, numbers, what have you. Okay, great. That's what they're going to examine. They're going to see in your system security plan, here's the procedure on how we enforce that. We've got 365, we use Azure and Intune, and we make sure that there are group policies and blah, blah, whatever. Okay. And then the next part, and this is the part that I think so many people forget, is the interviewing part. They're going to interview people who work at the company, and it's not just going to be IT people. They're probably going to interview your HR person, who may not know anything about IT at all. But if they say to that person, hey, is there a password complexity requirement? And they go, there is? That's, you have to be able to have, like you said, you've got to have the people and processes and the policies and the technology all together. If you forget the people part of that, you're not going to pass an assessment. And more importantly, you're not going to be secure, because if you're not training and ensuring that it's habitualized through your entire organization, that everybody knows, oh yeah, obviously we have a password complexity, it's no problem, I know that it's in the employee handbook, or I know it's in the system security plan that I looked at when I first got hired or whenever. Then the auditor or assessor can say, oh, okay, cool. These people actually understand that cybersecurity is important.
They understand this password complexity policy is important. And then, like you said, at the tip of that is the actual technology itself. And then they go in and they look and they say, oh, okay, here's the policy for this. Okay. Got it. I see that there's a group policy in Azure or whatever. If you don't have that trifecta of, yeah, those processes documented, those policies documented, those people educated and trained, and really, and again, more than that, the step beyond where it is, it is part of their day-to-day habit. They don't even have to think about it. Because, I don't even know how many times I've taken systems security training. I am just as guilty of this as everyone else. You take it once a year and you're like, yeah, let me push the button where I go through this. I have something else to do, click next, click. Like I'm just as guilty of it as everyone. So it's more than that. You need to make it where it's in their brains all the time, constantly, and making sure, like that whole awareness and training section of NIST and CMMC, it's only three controls, but they are very involved. It's knowing about insider threat. It's knowing about what their roles are and those risks that you can have with CUI because of the role that you have, and that kind of stuff. It's so important. And I think that a lot of people forget that.

BJ:

But what you're describing, Noël, is so strategic, right? Because it's not good enough just to have the trifecta, as you worded it, of people, process and technology in place, because that's the easy part, just setting up those three points. But the hard part is to get them in deep alignment with each other, because it's that deep alignment, it's that deep alignment that you picture, then that triangle then starts spinning and it's a flaming triangle at that point, and it's activated, right? It's activated. And then just from a scientific perspective, that deep alignment creates more of a quantum phenomenon, because now it's activated. And now it's able to actually be set to purpose. And so what you're describing is truly a solution.

Noël:

That's, and that I, that is such a good way of putting it. Exactly. It needs to be a solution. That can, because I think unfortunately, so many times you get so folk, like you get so focused okay, I've got to do this one. This one control cabinet gets this one control. Okay, great. Okay. I'm going to get this X to me for. Okay, great. know, and you go down the line, like it's a bunch of check boxes and I understand that mentality completely because that's what it appears to be when you look at it and read it. And when you're diving into each one of them and there's so much convoluted information, and if you are not an IT person, or even if you are, it can be very overwhelming. And then there's the fact that, like CMMC is technically not the same as and has different things and SEMA it, there's so much confusion. So I think that having that, like you said, that solution looking at it as a holistic solution for your company, don't look at it as, this is just an IT solution. Cause it's not, it is a company solution. Everybody is involved here. Like I mentioned, the HR person that HR person is going to be, I assume, involved in your onboarding and offboarding, is there an end point that somebody is going to have to get issued to them or they're going to have to give

BJ:

Not to mention in the internet age, the digital age and the internet of information like compliance is literally eat compliance equals business continuity, like cyber security equals business continuity. There's no separation of the two anymore.

Noël:

No, there's not, that's actually a really excellent point because yeah, this is something that I always like to bring up whenever these kinds of conversations happen is that, one of the things and this is how it is in the DOD, but I know that, most of the other agencies have something similar to this, but I can only speak to the DOD one since I know it the best, but there's something called the False Claims Act. So if you are, let's say just a regular company, that's working with the DOD and you make your widgets, and you're just trying to get stuff done. Like everybody is, you have an incident. Incidents happen. We just talked about that at the top of this podcast are, incidents happen for everybody. It's not just, it's not just the Googles and Apples, it's everybody. So let's say that there's an incident of some kind, there's some sort of spillage of CUI and you have to manage that. You have to report that to the DOD and then the DOD decides whether or not they want to investigate it. If they come to investigate and come to find that you did. Have any reasonable slake, CUI protections in place. If you did not have those NIST controls in place, they can sue you for twice the, of your contract.

BJ:

And to add salt to what you're saying, because you are so correct. We learned in the registered practitioner training that there's also something that applies to that exact concept you just described. Even if people don't have it in their contract, that clause, the DFARS clause where the False Claims Act can be applied. There's something called the Christian doctrine. And this applies to pretty much everyone, because if there would be a logical reason for that. Cause if you should expect that would be in your contract, even if it's not there, you can be held to it. So it's like a catch all. It's like you have CUI, you might want to just assume that these things apply to you,

Noël:

Absolutely because really, and truly, and one of the things I always like to mention too, is that even if let's say that there, there is an investigation from the DOD and they have this investigation and maybe they find that maybe you weren't actually in a situation where you weren't, know, you maybe it wasn't really your fault, you did as much as you could or something like that. Even just having that investigation, unfortunately can cause a lot of ripples for companies because people find out about it and they're like, oh my gosh they got investigated you, what did they do wrong? Unfortunately, there is that public opinion. That can really harm a company. So making sure that you have all those checks check boxes in place, you are ready to go, making sure that you have some sort of assessment or audit done to say, oh, say look, we did it. Even if it's in this 800-171 audit or assessment, just to make sure that, to give yourself that sense of oh, okay. Yeah. If something happens, we have that, even if there was an investigation at that point, you could say look, we passed this audit. We were doing the right thing. It makes it a lot easier for people to swallow it. Whereas if you're just, again, if you're just making widgets and not thinking about it, which again, a lot of, and I don't blame anybody in the DOD, again, there, these are not IT or cyber security people, they're just trying to get stuff done. So it can be, there's that sort of, double-edged sword of yeah, you obviously want to get your work done and make sure that everything is, is up to snuff on you're under contract, but you also really do have to worry about how safe everything is. It can be overwhelming

BJ:

Yeah, the best pathway forward is always the path of least resistance. And so in this situation, like for us, we consult with contractors and almost every single company that we've consulted with thus far, we find them up on PreVeil because it's just such a logical part of the picture. That emerges. And so some of our clients now, like they came to us very confused and not knowing what to do. And we put together a blueprint for them and PreVeil was a major, what's the landmark on that blueprint. And now those check boxes that you keep talking about yes, people feel they need to check these boxes and it feels tedious and it feels overwhelming and cumbersome, but the beauty of it is right. We're at the cutting edge of change with this stuff because cyber security is quickly evolving. So the beauty of it is that when you check these boxes and you do it in a holistic manner, like you described, there's a synergy that's created, and those check boxes can start to emerge as something completely different, something that's almost a shield for your business. Like almost look at Craig's background and Erin's background, like a neural net of sorts, and it comes together in a state of synergy. And then, the benefits that can be reaped from that can be, very much worth the time and effort put into getting there.

Craig:

I also think that tabletop is important too. Like when Noël was talking about buy-in from the employees, we do incident response tabletop, and we should really talk about CMMC tabletops and drills and, scenario, examples of look, let's assume that. Five o'clock or, tomorrow at three o'clock in the afternoon, DOD shows up, what do you have? What are you going to do? What do you show? We create these fictitious scenario, examples and drills, and just know who's going to show up to the meeting. How are we going to handle? It's your, you have legal there. Do you have HR there? What are they going to do? How do you handle bad? Public relations, what's everybody do, what's your plan?

Noël:

That is such a good point. So I, my, my background, when I first came into IT, was more risk management. Like I said, I wrote the continuity of operations plan for DC government. And like that, that was huge. The tabletops were huge then. And so when coming into CMMC I was like obviously you would want to have tabletops here. This just makes total sense. So yeah, I've definitely done. That was something that I did at the company I was at before we had tabletop exercises, it was at least biannually, sometimes quarterly, where it was okay. Something terrible has happened. What do we do? And it was, physical things like, okay, there's natural disaster, but also, okay. We have a CUI spillage, what do we do? Okay. So now we have to report something to, to DIBNet, which is the DOD where you have to report incidents. Okay. How do we do that? Who does that? Who's informed, everything was documented. Okay. We are, we had a phone. And went through the phone tree. Hey, is that everybody's numbers, correct. Make sure that you understand this person gets called first. That person gets called next, all weight, et cetera. You want to make sure you want to also make sure to, this is something that I think, again is like overlooked, but it's very much part of this conversation. It gives your employees a sense of ownership and that is so key because if your

Craig:

But not only the sorry to interrupt, but not only the employees, but you should have buy-in from the C levels and the

Noël:

Yes, definitely.

Craig:

not just an idea. And then a separate department that's clearly defined as cyber. This is not just related to those two sections of your company. This affects all of your company. So really the leaders in all of your company need to be on the same page. And it's such a different experience. When we talk to especially small DIB companies or small businesses in general, and we say, look, we usually talk to the IT manager or whoever is, the office manager may be at a small company, but it's look, what about upper management? What about the C levels? Are they, are you getting buy-in on CMMC or whatever from them, do they, are they aware? And we have a customer that we recently did, a virtual CSO or CIO type services. And we're like, look, you should really bring in your owner or your C-level and have them join our meeting. And it was such an eye-opening experience for him to be there and be present and listen and understand, oh, okay. We understand. Or I understand that. Why we need to invest in this and the value of it. It's not just doing the right thing, but it's also to strengthen the company and, help them get, have a stronger foundation moving forward. But also, with the current threat landscape to make them more secure too.

Noël:

Absolutely. You are, you really hit the nail on the head there because truly, I know that I know you guys have, have customers just like we do, and you've seen all those different types of. Setups in these small companies, especially where, yeah. I've seen multiple companies where it's just, like you said, it's oh, I'm the IT manager. Okay. Is your CFO, CEO, CIO, somebody involved? No, not really. They just told me to do this and now I'm just doing it. Wow. Okay.

BJ:

Yeah.

Noël:

I feel like it probably be involved exactly. How is that working for you? Is it working?

BJ:

Now more so than ever. Your point is so valid Noël, because I think we're at the we're at the cusp of a major change, right? In our society. Everything has become so reliant on the internet. That's not disputable at this point and you can go on Twitter and quickly see that AI driven tools are trending. Like it's businesses are really starting to adopt artificial intelligence at a very exponential rate now, right? And this is where we're at. We're at, this is this is a point of major change. And here the underlying foundation must be cyber security because to these futuristic tools that are going to just completely change how we do business and how we operate as a society, the backbone is cybersecurity. So to neglect that is, is foolhardy to the utmost degree, so we're at that place right now.

Craig:

But also not to assume that your IT guy or IT company is doing cyber either because there are different roles at a lot of upper management and owners, they don't understand they have Brian or Bob or Joe, their IT guy for the past few years where they have a managed service provider. That's been doing their IT for 10 years or whatever. And that's great. But those folks can't also do your cyber and compliance.

Noël:

Absolutely. That is, oh yeah, that seriously, a hundred percent. I just, I'm going to take that and put it on a beautiful little banner and just have it under my name. Every time

BJ:

He requires that CMMC requires a separation,

Craig:

Well, not only CMMC though. But cybersecurity insurance as well

Noël:

Oh gosh. Yeah. Yeah. That's a whole other conversation, but yeah, I think you're so right that there are so many people, it is like to both, you're putting your BJ when you're talking about the fact that, we're changing so rapidly. And I think that's a wonderful thing, but it's also a problem because we do have you're talking about Craig, those C-level individuals, CEOs who have been CEOs for 25 years or 30 years of their small company. And they've just, they've done it the same way this whole time. And everything's been cool. So like, why do I need to change? I don't need to think about anything else. I have my MSP. I pay my little fee every month. They handle all the stuff. I don't have to worry about it. Great. Done. Moving on to the next, which I totally understand because you're busy. My gosh CEOs are extremely busy, but it is that point of having that education of, yes. That is great that you have somebody managing your services. That is fantastic. That is a wonderful thing. However, that person at that MSP does not necessarily have any understanding of cybersecurity. They might, but they probably don't and they may not have any understanding of compliance. So unless you get an MSP who has that compliance experience and that cyber experience, you're not going to get the full holistic approach that we're talking about. You're going to get parts of it. Your end points will be managed. Great. You're going to have your virus protection. Awesome. But are you going to have any understanding of threat management? Are you going to have any understanding of incident response? Are you going to train your employees? No,

BJ:

Right there like that right there. What you just said should be re it's recorded, but that should, that segment should be played like for every board meeting, because that's such a major thing that needs understood, that there is a difference between IT and cyber and a good way to, for them to understand it. I looked at it from this viewpoint picture. IT is like the 3D world, right? Like it's the framework, like you actually plug everything in and it's all physical. Then picture cybersecurity on top of that as a quantum viewpoint, because you're looking at all the space, all the holes, all the vulnerabilities, and there is infinity there.

Noël:

Definitely.

BJ:

Must blend together.

Noël:

Exactly. You're trying to fill those holes wherever you can and have the thing that, that is really hard sometimes for our customers to understand who are new to this and, new, to new, to cyber new, to CMMC new compliance. Where have you, I've, I had conversations today about this, where it was like, oh, I don't even know what NIST is. I don't even know what this means. And there are a lot of people who were coming at it from that point. And a lot of people, I think now too, since we're about a year out from official rulemaking on CMMC, so people are starting to go, oh, I only have a year to do this now. Oh gosh. Okay. So I should probably get on it like now. And I'm so glad that people are finally taking notice of it enough to say, okay, I need to start doing this because this is not something that is going to take you two weeks and you're done. It's going to be involved again, if we're talking about this holistic approach and you're trying to mitigate what BJ just pointed out is still an infinite number of possible horrible things that could happen.

Craig:

Not only that, though, that you have to choose a certified registered practitioner to work with. Cause you don't want to fall into a pitfall and lose a hundred or $200,000 to a managed service provider. This is, oh yeah, we could do that too. And they're not properly qualified.

Noël:

Absolutely. That is such a good point too. There are so many, those like snake oil salesmen, if you will, you know where it's oh, I'm going to sell you. I heard somebody, one of our, one of our other customers was like, yeah, I spent $50,000. Cause these people told me that they could just give me compliance. Just that was it done. Here we go. And I'm like, that's no, that's impossible. No one can promise you full compliance.

Craig:

Can't outsource the responsibility

BJ:

Yeah. And that's a matter of education, right? People need to understand what the roadmap looks like because ignorance is not bliss. Ignorance is just, ignorance is bliss. The bliss part was a lie,

Noël:

Constantly, it can be extremely expensive to be that ignorant. Like we were just talking about with false claims. You can, this can be like company destroying, unfortunately, if you've got a $5 million contract and you've only got five employees and you get sued for twice the twice, the total value of that contract, you're out of business, this is not just, this is not just, oh this sounds really great. So I'm just going to go ahead and do it. You have to really it's so sad that we have, unfortunately, these people out there in the community who are trying to sell. Hey, here's your easy solution you're done now. Nope. That's not possible. You've got to have, you've got to have it again like that. Trifecta, and another trifecta that we always talk about with PreVeil on our webinars is you want the technology you want the partner too. So don't just say you were just talking about Craig, having an RPO that you can trust, having partners that you can partners like you guys, who can come in and you can trust and say, oh, okay. They actually know what they're doing and they're going to help me get there. And I don't have to worry that they're going to say, okay, just give me X amount of dollars and you'll be fine. We'll be great.

Craig:

No.

Erin:

Run run. If somebody says.

Noël:

Run away, do not go near that.

Blake:

I think too. If you're going down this rabbit hole, make sure you go to the CMMC-AB, like, database. And like before you work with somebody, make sure that they understand what they're going into, because if they're selling you a magic pill, then they're really not accredited.

Craig:

Well, and, and you have to also, that's a good point, Blake. You want to definitely go to the marketplace, but you want to try to be selective on the RPO and the RPs that you choose too because it's a risk, right? So you don't want to choose, you probably don't want to choose a company that only has one RP, because what about, you want to have redundancy. So like, when we were talking about tabletops earlier, what happens if you're hosting or you're doing something with your MSP, what's your plan. If something happens to the MSP.

Noël:

That is such a good point. Yeah.

Craig:

If they're running your company, then what's your plan. And if you're going to do a tabletop, which I highly recommend, and there's so many different kinds of flavors, but the point is, if you're going to do the game, the battleship game, how are you managing these risks for your own organization? And you have to have these checks and balances, like even our company, we have another company that we work with. That's vetted and tested and they check our security and we do other stuff for them. And it's, it's a two way partnership and you need to have that in, at really, at all organizational levels and all redundancy areas. And that's why I was saying, I'd be leery about choosing a company that only has one guy on staff and maybe it's an employee and not even the owner. And, that's risky in my opinion. To have that one person, and then what happens if that person leaves or gets sick or whatever.

Noël:

That is such a good point. And to that end to piggyback on that too, it's not even just with consulting companies, there's also a technological solution. So like a prime example is, we're a cloud service provider. So according to 7012, we have to be FedRAMP Moderate or. And we are, if you're talking to a technological solution and they can't give you that, it's one of those weird sort of catch-22s, you can be technically CMMC compliant and not DFARS compliant. It's one of those weird sort of things. So if you're CMMC compliant, that's great. But if you can't be DFARS 7012 compliant, you're not going to get a contract with the DOD. So having CMMC compliance is all well and good, but the DOD isn't going to hire you. If you can't say that you can meet know

Craig:

That's awesome. That's an awesome point, Noël, because I think that consumers and businesses need to put more pressure on their vendors to show the proof, show the evidence. How are you helping me on my journey to DFARS, NIST and CMMC compliance. Show me the FedRAMP paperwork, show me the attestation letters. Show me the proof, and I think all these vendors, especially the big names, the big three, they call it. They, I think they all could do better. I think they all could do better to help the little guys and make this easier. I think PreVeil has done a wonderful job of in their space, but how like QuickBooks call, call your QuickBooks rep and say, are you going to be CMMC 2.0 maturity level two compliant. And your rep most likely would be like, what is.

Noël:

I don't even know what you're talking about. Yeah.

Craig:

Oh say far soreness and I bet they'll say the same thing. My point is that there needs to be a raising of the bar for companies like QuickBooks and a lot of these line of business applications that a lot of these DIB companies and small businesses are using, they need to step up the plate up to the plate and do more in regards to security and compliance.

Noël:

I think you're absolutely right. And that's something I, and that's something we take various, obviously security is the backbone of everything we do here. So we are a zero trust application and then encrypted, right? I Every, our founders are some of the most security focused humans I've ever met in my life. We are very big on that. So the minute that we could get FedRAMP attestation, that's exactly what we did. We were SOC 2 certified, like it's, all of our entire, our application and our, our cryptography is all FIPS 140-2. You could look it up right now. If you wanted to see that certification, like we have those, if you can't get that, like you said, to your point, if you can't get those types of. It's not just, oh man, that makes me feel better. But also, the FIPS 140-2, I, so I actually, one of our customers went through a DIBCAC audit recently and I was on the phone with the DIBCAC auditors, which there were quite a few of them. And one of the things that they drove home is that every security asset has to be FIPS 140-2. And it was like, oh, wow. Okay. All right. Good to know. They had a firewall that was in place that, had 256 encryption and that wasn't. No, we need to have you 140-2. Everything needs to be 140-2. So to your point, that's the kind of questions you need to ask vendors. Hey, do you have this 140-2? Where is that certification? I need to be able to look that up. If you can't do that, this is not going to fly. So I think what's been happening, again, to everybody's point, things have changed so much now and everything's been floating around in the ether and now it's coming into focus more so people can say, oh no, I really do have something I can ask you for because before, any cloud service provider could say, oh yeah oh, sure, we're super safe and it's going to be fine and don't worry about it. And there was nothing really that some poor customer could say, Hey, no, I need to see this receipt. Show me this. And now there's only that exactly. Show it to me. I want to see, okay. If you're secure, show me where you're

Craig:

In a common and that's so true. And another common misconception is, consumers shop for like for example, data center services. A lot of data centers will say, oh, we're SOC 2 Type 2 and ISO 27001 compliant and all this stuff right at the data center level. But what the customer doesn't understand is. The data center got all those great certs and they paid all that money to do that. And their physical security is probably awesome. And they might have a hand scanner or retinal scan or whatever, but what happens about when you have public routable IP addresses, now you're responsible for all the equipment in the rack,

Noël:

Exactly. Exactly. And there's so many different, again, is there's so many different like loopholes and sort of ways around it. That is a perfect example of one. So yeah, it, it really is one of those situations where again, I've been on the other side had been that customer and I, and I had to do that due diligence. You really have to commit to doing the due diligence. You really do find those reputable companies, work with people like, like Petronella work with people. I know that on, on our side, we, we have bunches of partners like you guys who are the trusted, we know that these are vetted companies that are going to be able to help you. You want to find a partner, that's going to be able to help you find it. It's vice versa with both of us, you guys can say, oh, we have a great technological partner that you can trust. We can say, oh, we have a great partner. You can trust for all your consulting. No problem. So it's, you want to find one that you can really start with? And if they don't have that partner network, that's a concern too, because if they don't have a partner, that means there are partners that we're like, oh, we don't want to partner with you. We're not feeling comfortable about that. So if there isn't a network, that's another red flag to look for. If you can't ask. Yeah. If you can't ask a question and say, Hey I'm looking for an MSP that I'd like to use. Oh yeah, no problem. We've got a list of MSPs that we use in your area. They're great. Here you go. If it's, oh, we don't really have any why do they not have any, there's a possibility that maybe it's because those MSPs that are reputable and have all those calls, we're like, eh, we're not really feeling good about you. So it's definitely something to keep in mind too.

BJ:

Yeah, there's just certain characteristics that you fit when, you're bringing your 18 and it's being prepared and having, like Noël, you talked about, Craig mentioned the word battleship a while back. And if you picture that in the world, you were talking about basically how things are, these things have been floating around in the ether. And when they're looking for somewhere to land, they're going to look for a good framework.

Noël:

Absolutely

BJ:

Somewhere that's already ready. Like players are ready player one, right? Like here we are, where we've got our foundation laid and we're Ready to go.

Craig:

A lot of things with customers sometimes when they get cyber insurance, for example, that they'll or they want to get cyber insurance because they want to do business with a vendor. What comes to mind for me is oftentimes that vendor will send them a risk questionnaire that we call them a vendor security, risk questionnaire. And sometimes they're a hundred questions or less. And sometimes they're like 600 questions depending on how mature that the big guy is. The bigger corporations usually have the really long ones that have all these tabs with the. My point is that businesses should be familiar with those kinds of risk questions and documentation, and they should be risk scoring the vendors and the partners that they do business with because all these third parties, like you said before, Noël, scope it down. Scope it down. If you're Mr. Small business, you're wearing 12 hats and you got 50 partners. You can't have 50 partners go on handling your CUI, cause your audit's going to be a nightmare and your expenses are going to be through the roof. So you need to scope it down and again, go through these exercises to score these vendors and make sure you don't you do, you really need all of them. Can we reduce this and make things more secure and more simple?

Noël:

And I think you had a really excellent point too, that we haven't really talked about is scoring the vendor. I think that is such an important thing. That is something that we did internally at the company I was at. That's why we ended up with PreVeil. We scored multiple vendors and said, okay. And score them on cost on agility. You know, how easy is it for us to implement it into our already existing processes? Cause I wasn't going to rewrite all the processes just to have some technological solution that was not going to make any sense. How long was it going to take, to actually implement it? How easy was it to use? There are all these. High-level sort of, they seem sort of high level, but really they make a huge difference if it's not, if you have a product that's really just garbage to use, it doesn't matter how cheap it is or how easy it is to implement. If nobody's going to use it. That's not really useful. It's not going to really get you in here. Yeah. So definitely I love that. You said that. So scoring those vendors as to all those different things, and also think about this in your scoring, can they help me get somewhere else? Can they help me get to another partner I need? Can they make my life easier by if I come to you guys and say, man, I don't know what I'm doing. I need some help here. And you go, oh, here's 10 partners. We have, that would be great to do X, Y, and Z that you're having issue with. I'm going to be much more likely to come to you guys because you just made my life so much easier and I'm going to save hours of time having to run around, trying to figure out who's right.

Erin:

And I also, I think it's important to maybe mention before we head out. We do recommend different vendors, especially for people that are trying to implement things like that. And a lot of people come to us and they have. Negative scores especially if they don't have an SSP, because then you automatically fail. But do you know, are you able to tell people about how many, SPRS points they can add just by implementing PreVeil? Do you have that information?

Noël:

Absolutely. So as, as long as you're building again, this is what the assumption, right? Because no vendor should be able to say to you, oh yeah, implement what we're doing. And if you're going to get immediately this score, because that's not possible, really you have to have policy and procedure behind it. None of that, none of the 110 controls, can you just not have a policy or procedure or some kind of documentation? Okay. So just let's say that across the board first, but if you implement PreVeil, especially we have a documentation package as well to get people started on SSPs and policies. And when that sort of thing, you can get to a positive 40 with that work, that's. And I know that. Yeah, that's not 110. We're not, no one's going to be able to get you to 110 right out of the, that's not going to happen. You have to put the work in and that's something. I also, that's something that's really big at PreVeil too. We do not think that we are everybody's solution. We absolutely do not think that we think we're the right solution for the people who really do need us. And for other people, we're like, Hey, if there's a better solution, absolutely. We just want you to find the thing that's best for you, best for your company, best for what you're dealing with in your business processes.

Erin:

40 is pretty good.

Craig:

Yeah.

Noël:

Thank you. Thank you. We work really hard.

Craig:

Like you said, you can't outsource the responsibility, so even though you can bring 40 to the table it's all work that they have to do on their part to make sure that those 40.

Noël:

Yeah. Not an

Craig:

Well, this has been great. I appreciate it so much. But thank you guys. I appreciate it.

Erin:

Yeah. Thank you for joining us.

Noël:

Yeah. Thank you so much for having me. This was great.

Erin:

Hope

Craig:

We should do it again

BJ:

Great conversation.

Noël:

Definitely.

Erin:

Happy Monday, everyone.

Noël:

Bye everybody.

Blake:

Bye.

BJ:

Hi.