Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

From Zero-Trust to Zero-Day: An Interview with PreVeil's Compliance Wizard, Noël Vestal

April 06, 2022 Petronella Cybersecurity

In today's podcast, PreVeil's compliance manager, Noël Vestal, discusses how using Zero-Trust end-to-end encryption helps fight the Zero-Day attacks that are all the rage today, and why having trusted vendors is crucial when implementing compliance standards, especially when a government contract is on the line.

Compliance takes hard work - even with vendors there to help - but knowing who to trust makes all the difference.

Links:

Special Guest: Noël Vestal, Compliance Manager at PreVeil
Host: Craig Petronella
Co-Hosts: Blake (we didn't forget you this time!), Erin, & BJ

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

All right. We should be live on our next podcast. We have a special guest today. Noel, please introduce yourself.

Noël:

And I'm the compliance manager at PreVeil.

Craig:

Welcome. We also have Erin and BJ.

Erin:

Yep. And we're very happy to have you, Noël.

Blake:

Don't forget about me.

Craig:

Oh, Blake's on there too.

Blake:

Quiet as a mouse.

Craig:

Yup. He's in the background.

Erin:

Yeah. So I guess today, some of the big, exciting news was a couple more zero-days occurring. There's two more with Apple iOS and then one with Chrome, I believe it was, which we'll link. But it's saying here too, though, that with Apple, they're on track to have more zero-days than ever before. Actually, I'm curious about that. I wonder, is it just because the hackers are getting smarter, or is it because things are getting rushed out of production?

Craig:

I think it's always a rush. We talked about this before: push it out and then do security or backups later. Do damage control. I think it's maybe heightened awareness. Maybe Apple is investing more in cyber, and maybe they're having more reviews and they're finding things, and maybe they also have teams that are searching the dark web and looking for exploitation of their different iOS and macOS operating systems. So I think it's maybe a combination, because obviously with the heightened threat landscape, I think most good companies should be increasing their cybersecurity investments and their testing and checks and review of things. So I think it's a combination.

Blake:

I think it has to do with cost too. It's just so much easier for them to push an update out. Let everybody complain, let everybody find the vulnerabilities and report them back.

BJ:

I think Craig used a very interesting term when he said heightened awareness, because I think heightened awareness is affecting a lot of things these days. And there's probably a lot going on with all types of companies with their software and technology. And it's just requiring a lot of agility and mobility to keep up with whatever is at the cutting edge right now. So heightened awareness is a whole uncharted territory, isn't it?

Craig:

Every company should be under heightened awareness and alert, to be looking after their systems. Obviously following good cybersecurity hygiene, security risk assessments, pen testing, all that fun stuff. But I think now it's more important than ever before to do those things.

Erin:

And then actually, Noël, you work for PreVeil. That could actually really tie in to this. So if you want to tell everybody a little bit about PreVeil and what you guys do.

Noël:

Yeah, certainly. So PreVeil is a zero-trust, end-to-end encrypted email and file storage system. So exactly in line with what we're talking about right now. And it's something that I think, to everybody's point, needs to be at the forefront of everybody's minds. I deal with all types of different compliance: our internal compliance as a company, the different frameworks we have to be in line with, but also I deal with external compliance that all of our customers have to deal with, like NIST 800-171 and CMMC, now version 2. That's a perfect example. You're talking about the Department of Defense and the defense industrial base, the DIB. I think it's 200 to 300,000 different companies all over the country, and in different countries as well, who are working directly with the Department of Defense to do all different types of things: manufacturing, staff augmentation. There's a bunch of stuff that different companies do. All these companies have access to sensitive information, every single one of them to some degree, varying levels, obviously some way more sensitive than others. In, I think it was December of 2017, the DOD came out and said, okay, we really want to take cybersecurity seriously. Okay, great. So we're going to do that. Every single contract is now going to have a requirement that states that you have to be in compliance with NIST 800-171; there's 110 controls. They never followed up with anyone. It was just, hey, you're going to say that you do this and we're going to believe you. And that's it. And that's exactly what the standard has been. So what we're all talking about, this is a perfect example. All these zero-day vulnerabilities and exploits that are coming out, you can't just assume that everybody is doing what they say they're supposed to be doing, and also that they even understand that they're doing it correctly.
The average company, most of them do not have some cybersecurity person or some compliance person who has any understanding of this kind of stuff. So you're asking hundreds of thousands of companies who might just be making widgets in the middle of nowhere, and they don't really care about zero-day exploits from Apple or Google; they use Windows, so what does it matter? They probably don't even hear about a lot of this stuff. I'm really happy, honestly; it makes me feel a little bit more secure, but of course I'm obviously an IT security nerd, so take this with a grain of salt. But I'm really happy that we're finally getting to a point where there's checks and balances with it. And CMMC is doing that. It's, okay, now we're actually going to come out and make sure you understand what you're supposed to be doing and that you're doing it correctly, hopefully to keep us all a little bit more safe. I really hope too that it spreads out more. I know that there's some frameworks on the commercial side, more than a few, that do those types of things, like ISO 27001, and there's so many different ones, but I'm hoping too that maybe other agencies will also get on the bandwagon. I know that the Department of Justice has one; I think it's called CJIS. They have one, but it's a little bit less involved in some ways and more involved in others. But I don't really know of a whole lot of other, more specific frameworks for different areas of the government, and I feel like there definitely needs to be. And I think that the standard, unfortunately, government is usually a bit behind commercial, obviously.

Erin:

Just a little.

Noël:

A little bit. I think we're finally seeing a little bit of that catch-up, but of course there's the bureaucratic red tape. There always is with these types of things, and we're still chugging along, but I'm hopeful. I'm optimistic but cautious, hoping that it will all work out fine. I think it's so important. We all on this call, and I'm sure everybody listening, it's almost like we're preaching to the choir. Everybody here is like, yeah, absolutely, we need to do this. Okay, how do we do it? That's the tricky part.

BJ:

No, I think it's really important to help listeners, maybe today's listeners and who knows who will be listening tomorrow or a week from now. So I think it's important to frame the context for our listeners, because you have a very interesting background in this space, in compliance, in cybersecurity in general. There's so much confusion. There's so much misunderstanding and confusion. So I think it's important because at Petronella Technology Group, and especially Craig Petronella, for years and years has really placed a lot of focus on keeping up with how this space is evolving, and then also always trying to vet the right partners and the right technology solutions. So you come from a background where you worked with the DOD and you presented regularly to military generals and things of that nature. So you have this background that screams of high-level experience, and you made the choice to go to PreVeil, and PreVeil is one of our top partners that we believe strongly in, the quality of the technology. So with that being said, with your background and your choice to go to PreVeil, I think that's important context. I think our listeners would love to hear more about that.

Noël:

Absolutely. No, I'm glad you brought it up. Yeah, seriously, you should write my resume. That sounded amazing. So this is the really funny part of the conversation. I started out as a high school English teacher.

Erin:

Oh, I didn't know that.

BJ:

Oh, which explains why you have an ear for good writing.

Noël:

I do. Yes. I love good writing. I love good writing. I always get roped into writing all the documentation everywhere. But that's fine. I'm okay with that. I like it. And I ended up working for a small company that was doing contracting work. This is like 15 years ago. Worked for this small gas company that was doing work for different partners: government partners, federal partners, private partners, what have you. I didn't know anything about contracting. I didn't know anything about any of it. And I worked there for a while. I ended up working for DC government, actually, for a couple of years. So I was a portfolio manager in the Office of Unified Communications. They host all of the emergency management for the District of Columbia. I wrote their continuity of operations plan at the time. Did all kinds of things: managed the budget, you name it, I probably did it. And then the DOD came knocking. Basically, I went from DC government to contracting and ended up in DOD contracting for quite a while. I've worked for the Army primarily, DCMA as well. There's not a whole lot IT-related I probably haven't done. I've run help desks. I've run massive programs. The first program I ever ran was actually an application that was in every single branch of the United States Army, so across the whole world. And yes, like you said, so we were talking right before this about how there's always technical issues. I remember when there was a huge, we're talking 150 people in a room, huge. I was supposed to do a live demo of our system. And I tried to tell everyone that was a terrible idea. And of course it was. So it went down the minute that I started touching it in front of 150 people, all stars on so many shoulders. And people are just sitting there staring at me like, why is this not working? And I was like, the internet here is really bad. I'm so sorry.
So yes, I have been in that situation many times, where very important people are staring at me and wondering why I look like an idiot. It's good. It's good practice. It's very humbling. Very humbling. Yeah. I very much loved my time with DOD, but I actually, yes, a hundred percent, the reason why I came to PreVeil is because I was actually a PreVeil customer. And I loved this product so much and believed in it so much that I came to work here. It's funny, because I'm the only person at PreVeil, at least at this point, who was a customer before. Everybody else came on board, the company is only about three years old, everybody else came on from other things and what have you. So I'm the first one, probably not the last, but I'm the first person to have that perspective, which is great. It's a wonderful company. Aside from the fact that the technology is fantastic, this is a company that genuinely wants to do right by all of our customers. We really do. I'm going to do my absolute best to never tell anybody something that isn't true. Because like you said, there is so much confusing information in cybersecurity in general. And then you put compliance on top of that, and then you put DOD-related compliance on top of that, and you've got an absolute perfect storm of insanity, where I've heard rumors, everything from, oh, CMMC, is it real, to it's not going to be a thing, to I don't really need to do this even though I have CUI, which is controlled unclassified information, which is literally the whole crux, basically, of CMMC. I've heard it all.

BJ:

Before you came to PreVeil, you were in the capacity of having to help from the DOD side, having to help get CMMC going, get the machine moving, in the capacity of the last job you were in. And in that capacity, PreVeil was a solution that you chose.

Noël:

Correct. Yeah, I was at a defense contractor. Yeah, I was basically in charge of all of the CMMC-slash-NIST compliance now. And I'll tell you that I knew what these things were, obviously, I've looked into it, but I had never dived into them anywhere near the level that I had to all of a sudden. And I think that so many different people are in that space right now because, you guys know, in a small company one person never has one hat. That's never how that works. You usually have seven or eight. I don't think there's ever been a person who worked at a small company who only had one hat that they ever wore. I don't think it's humanly possible. And so obviously I was dealing with all of our management at the headquarters level of all of our different programs we had with the DOD, plus trying to get all the compliance stuff done. It's a lot, it really is. And I've told people this so many times: I've been in IT for a long time now, or a decent amount of time, and my master's is in IT, I have all these fancy little certifications, and I was confused with CMMC implementation. I was confused, like, okay, is this what this means? Or is this what this means? There's so much room for interpretation on it. I feel like if I can get confused, what happens to the person who's just making widgets in the middle of America who really genuinely doesn't care? And it's like, I just want to make widgets.

BJ:

That's such a powerful point that you make, because you don't represent the average DOD contractor, because of your vast experience in IT and the DOD directly. So the average contractor is at a disadvantage. You were feeling confused, but you were at an advantage because you had that specific viewpoint where you had been involved with the DOD and IT for a long time. So to someone that, like you say, is just doing widgets, they just want to produce this one thing, and doesn't have an IT background and doesn't have the DOD background, the confusion can probably feel just overwhelming.

Noël:

It's insane. So we actually have at PreVeil, and I believe this is on our website, if you go to preveil.com, and that's P-R-E-V-E-I-L, because it's not "prevail" with an A-I, but we have something that our marketing team has pushed out where it's 15-minute compliance calls with me, for free, to anybody who wants them. And so they've been really eye-opening to me. I ended up having a call with somebody, one of those 15-minute calls, this week. A contracting company came out that said, oh yeah, we're going to help you with all this. We're going to get you compliant. No problem. They were a manufacturing shop. They came out, forced them to spend a hundred thousand dollars, she said, on all these different things to get them quote-unquote compliant. They had to then go through and rip all of it out because it was all wrong. So the grand total ended up being over $200,000 that this company had to spend between paying for the consulting, paying for the actual equipment, and then paying for the consulting and equipment to get it all removed when they realized that it was all wrong. And this is not the first time I've heard this. This is like the seventh time I've heard this.

Craig:

When we went through the training, the CMMC training, because we're all registered practitioners on the call and we've got three others, but when we went through the training, there was so much misinformation and so many scams out there. They actually had to have a signed code of conduct around, you're not allowed to do guarantees or anything like that. It's just such a big mess. I like what you said, Noël, about how you feel like CMMC should go and bleed into other areas. And I've said that for many years, ever since it was in beta. HIPAA was enacted in 1996. I think there would be huge benefits to rolling out a CMMC 2.0 program to medical practices. But I think what also needs to happen is a little bit more teeth in it from the DOD side, on: look, this is what's happening. You need to do this. Here's the signed order. You have three years or five, whatever they want to put on the board, but put something on the board.

Noël:

Yeah, that's such a good way to put it, put something on the board. The problem is that many things get put on the board and then they get shifted around, or other stuff gets put on top of what was on the board before.

Craig:

Isn't this kind of a matter of national security at this point, with Russia and Ukraine and the world crisis happening? Don't you think that pretty much any business would benefit from the maturity model of CMMC 2.0?

Noël:

Exactly, you make such a valid point. There is a reason why NIST 800-171 exists. It's the National Institute of Standards and Technology. That is why we have it. Again, like I said, every one of these companies was supposed to be doing this for the past five years anyway.

Craig:

Yeah. Just to back up for our listeners a little bit, so if you go to nist.gov, N-I-S-T like Nancy, Indigo, Sam, Tom, dot gov, you can go and download the NIST 800-171 framework. It's a PDF. It's about 300 pages. To most of you it's going to look like Chinese or Greek, but the point is that it's available to everyone. It's a framework that's been designed and it's effective. The problem is the confusion. People get deer in headlights. They're like, I don't even know where to start. There's overwhelm. We obviously can help them, and we love solutions like PreVeil. Not only do we love it because we use it, we use it every day, right? So we like to use what we recommend, because we vet and test things, like BJ was saying, and we found it to be a very proven, effective tool to increase our own security very rapidly. And we've set up bundles and exclusive discounts for our customers that go through us to use the PreVeil ecosystem. Because I feel like it's not only a great product, but it's an accelerator. It really moves them. Typically a negative system security plan score, or SSP score, or SPRS score rather, it moves them to a positive very fast, as long as they can get policies mapped over and things like that. But the point is, I feel like it's a catalyst.

Noël:

Thank you. And absolutely, that's what we're trying to be. What we're trying to do at PreVeil is make it accessible. There's 110 controls, and each one of those controls, honestly, can get more confusing than the last, and controls connect to other controls, and there's information on one control that's going to be found on another control. And then you have to write a system security plan. Okay, cool. But there's also significant procedure and policy behind that system security plan. It can feel like the most overwhelming thing in the world. And I genuinely understand that, because I know that's how I felt. I was like, oh man, how am I going to do this? And I worked for a small company, and this was less than 40. It wasn't like we had a ton of endpoints floating around and what have you, but it's still. So I can imagine, again, being in a situation where if you've got five to 10 employees and you're trying to find a solution that's cost-effective, that's a huge one. Not only just the time it takes, but also a solution that's not going to break the bank, but still, like you said, get you to that compliance as quickly and easily as you can. And something that's not going to interrupt what you already have. And that's one of the things I loved about PreVeil, and that's why we went with PreVeil. That's why we were a PreVeil customer. It doesn't change what you're already doing. If you have Office 365, you have 365 Commercial and you want to keep Commercial. Great. No problem. You can do that. I think you can install PreVeil usually in less than an hour. I know we say less than a day, but truly I think it took me less than an hour to install it when I had it. And I was like, oh, that was easy. It's very easy and straightforward, and then you can scope everything down.

Craig:

I think what confuses a lot of people, though, is they, like you said before, Noël, a lot of, especially small businesses, they wear many hats, right? So everybody's wearing about a dozen hats, especially nowadays with COVID and short staff; we're all wearing more hats than ever before. But I think that the part that adds fuel to the fire, so to speak, around misinformation or confusion is a lot of these small businesses, they're not just using one application. So they might be using Microsoft. You mentioned Microsoft Office 365 Commercial. It's a disqualifier, it's not US citizens; Microsoft says, look, you have to use a different product called GCC High, but that product's super expensive and usually cost prohibitive, which is where PreVeil is a great alternative. However, if you choose PreVeil for your data and your email, which is an awesome solution, that's what we chose, you still have to know how to deal with CUI. You can't go and send a coworker a CUI document in Teams, for example; now you're going to have an issue. But companies don't know this stuff. They're like, oh, you told me that we could use Commercial. Yeah, but you have to understand data flow and you have to understand proper handling of CUI. And I think that it adds to the confusion where a lot of people use QuickBooks for financials, for example. If they're doing sales orders and quotes and they've got DOD clients, vendors, whatever, now that could be FCI or CUI. And if it's not clearly marked, now you've got a problem with that ecosystem. So now you've got to map a system security plan to that.

Noël:

You're absolutely right. That is a perfect example. Scope it down as much as humanly possible. That is going to be the saving grace. That is one of the things we tell all of our customers: make an enclave in PreVeil of all your CUI, anything CUI-related. You only communicate it through end-to-end encrypted email. You only file-share there. You only give access to the people who need access. One of the things I think is really great, there's a few different things, obviously, quite a few, but one of the things I really love about CMMC is it's forcing people to scope down, because really up until now, it was like, oh, everybody can look at CUI, whatever. Sure. Why not? I'll just have this guy look at it and that person and whoever. So now everybody's scoping it down because it's easier, but it also is significantly safer. Unless you really need to see it for some reason. And technically CUI is not on a need-to-know basis, but really it should

Craig:

be treated that way, though.

Noël:

It should be.

Craig:

And like I tell our customers, when in doubt, better to secure it than not, and find out later, oh, crap, now I'm in huge hot water because I didn't secure that. Better to have the culture put in place now.

BJ:

The feeling of regret is not worth it by any means. But every time, Noël keeps driving home this point about scoping it down. And it's so interesting, because Craig, you say that a lot as well, but every time I hear Noël saying this about scope it down and scope it down, in my mind I see basically a picture of laser focus. When you do that, you're focusing your best cyber hygiene practices, right? With your best tools, you're laser-focusing them. All your vulnerabilities, you're putting your laser focus on them. And then you don't have so much to worry about at your perimeter, because your laser focus is on your important stuff. And so along the lines of that scope, I think it's so important also to touch on, Noël, you mentioned something last week when we were talking offline about people looking at this the right way, and scoping even your viewpoint on how you look at CMMC, because as Craig has driven home for years with us, it's a combination of people, process and technology, right? That's your cybersecurity and your compliance. It's a combination of people, process and technology. For CMMC, and I think you agreed too, you moved to a private technology company. Technology is really at the tip of that triangle now. I guess it's the forward-progress tip, right? But people and process are still very much a part of this. And to get your people and process aligned with your strategic technology at the cutting edge, you have to scope and laser focus. You have to align everything so that you have something that is streamlined and prepared to be in that stream of forward progress.

Noël:

Absolutely. I feel like Craig and I are probably spirit animals. Can I tell you how much I agree with that? The thing that I always say to our customers too, all the time, is there are three things that every auditor or assessor is going to look at. They're going to examine your documentation. That's the first thing. So if you have a policy that states I'm going to have password complexity, it's going to have 12 characters minimum, it's going to have this many special characters, this many uppercase, lowercase, numbers, what have you. Okay, great. That's what they're going to examine. They're going to see in your system security plan, here's the procedure on how we enforce that. We've got 365, we use Azure and Intune, and we make sure that there are group policies and blah, blah, whatever. Okay. And then the next part, and this is the part that I think so many people forget, is the interviewing part. They're going to interview people who work at the company, and it's not just going to be IT people. They're probably going to interview your HR person, who may not know anything about IT at all. But if they say to that person, hey, is there a password complexity requirement? And they go, there is? You have to be able to have, like you said, you've got to have the people and processes and the policies and the technology all together. If you forget the people part of that, you're not going to pass an assessment. And more importantly, you're not going to be secure, because if you're not training and ensuring that it's habitualized through your entire organization, that everybody knows, oh yeah, obviously we have a password complexity, it's no problem, I know that it's in the employee handbook or I know it's in the system security plan that I looked at when I first got hired or when. Then the auditor or assessor can say, oh, okay, cool. These people actually understand that cybersecurity is important. They understand this password complexity policy is important.
And then, like you said, at the tip of that is the actual technology itself. And then they go in and they look and they say, oh, okay, here's the policy for this. Okay. Got it. I see that there's a group policy in Azure or whatever. If you don't have that trifecta of, yeah, those processes documented, those policies documented, those people educated and trained, and again, more than that, a step beyond, where it is part of their day-to-day habit, they don't even have to think about it. Because, I don't even know how many times I've taken systems security training. I am just as guilty of this as everyone else: you take it once a year and you're like, yeah, let me push the button where I go through this. I have something else to do, click next, click. I'm just as guilty of it as everyone. So it's more than that. You need to make it where it's in their brains all the time, constantly, and making sure that whole awareness and training section of NIST and CMMC, it's only three controls, but they are very involved. It's knowing about insider threat. It's knowing about what their roles are and those risks that you can have with CUI because of the role that you have, and that kind of stuff. It's so important. And I think that a lot of people forget that.

BJ:

But what you're describing, Noël, is so strategic, right? It's not good enough just to have the trifecta, as you worded it, of people, process and technology in place, because that's the easy part, just setting up those three points. But the hard part is to get them in deep alignment with each other, because it's that deep alignment that you picture, then that triangle then starts spinning, and it's a flaming triangle at that point, and it's activated, right? It's activated. And then just from a scientific perspective, that deep alignment creates more of a quantum phenomenon, because now it's activated, and now it's able to actually set to purpose. And so what you're describing is truly a solution.

Noël:

That is such a good way of putting it. Exactly. It needs to be a solution, because I think, unfortunately, so many times you get so focused: okay, I've got to do this one control, okay, I get this one control, okay, great, okay, I'm going to get this next one, okay, great. You go down the line like it's a bunch of check boxes, and I understand that mentality completely, because that's what it appears to be when you look at it and read it. And when you're diving into each one of them, there's so much convoluted information, and if you are not an IT person, or even if you are, it can be very overwhelming. And then there's the fact that CMMC is technically not the same as NIST and has different things; there's so much confusion. So I think that having that solution, looking at it as a holistic solution for your company, don't look at it as, this is just an IT solution. Because it's not; it is a company solution. Everybody is involved here. Like I mentioned, the HR person, that HR person is going to be, I assume, involved in your onboarding and offboarding. Is there an endpoint that somebody is going to have to get issued to them?

BJ:

Not to mention, in the internet age, the digital age and the internet of information, compliance equals business continuity, cybersecurity equals business continuity. There's no separation of the two anymore.

Noël:

No, there's not. That's actually a really excellent point, because, yeah, this is something that I always like to bring up whenever these kinds of conversations happen. This is how it is in the DOD, but I know that most of the other agencies have something similar to this; I can only speak to the DOD one since I know it the best. But there's something called the False Claims Act. So if you are, let's say, just a regular company that's working with the DOD and you make your widgets, and you're just trying to get stuff done like everybody is, you have an incident. Incidents happen. We just talked about that at the top of this podcast. Incidents happen for everybody. It's not just the Googles and Apples; it's everybody. So let's say that there's an incident of some kind, there's some sort of spillage of CUI, and you have to manage that. You have to report that to the DOD, and then the DOD decides whether or not they want to investigate it. If they come to investigate and come to find that you didn't have any reasonable, like, CUI protections in place, if you did not have those NIST controls in place, they can sue you for twice the value of your contract.

BJ:

And to add salt to what you're saying, because you are so correct: we learned in the registered practitioner training that there's also something that applies to that exact concept you just described, even if people don't have it in their contract, that clause, the DFARS clause where the False Claims Act can be applied. There's something called the Christian doctrine. And this applies to pretty much everyone, because if there would be a logical reason for that, because if you should expect that it would be in your contract, even if it's not there, you can be held to it. So it's like a catch-all. It's like, you have CUI, you might want to just assume that these things apply to

Noël:

Absolutely, because really and truly, one of the things I always like to mention too is that even if, let's say, there is an investigation from the DOD, and they have this investigation and maybe they find that maybe it wasn't really your fault, you did as much as you could or something like that. Even just having that investigation, unfortunately, can cause a lot of ripples for companies, because people find out about it and they're like, "Oh my gosh, they got investigated. What did they do wrong?" Unfortunately, there is that public opinion that can really harm a company. So making sure that you have all those checkboxes in place, you are ready to go, making sure that you have some sort of assessment or audit done to say, "Look, we did it." Even if it's an 800-171 audit or assessment, just to give yourself that sense of, "Oh, okay. Yeah, if something happens, we have that." Even if there was an investigation at that point, you could say, "Look, we passed this audit. We were doing the right thing." It makes it a lot easier for people to swallow it. Whereas, again, if you're just making widgets and not thinking about it, which again, I don't blame anybody in the DOD, these are not IT or cybersecurity people, they're just trying to get stuff done. So there's that sort of double-edged sword of, yeah, you obviously want to get your work done and make sure that everything is up to snuff on what you're under contract for, but you also really do have to worry about how safe everything is. It can be overwhelming, and really don't.

BJ:

Yeah, the best pathway forward is always the path of least resistance. And so in this situation for us, we consult with contractors, and almost every single company that we've consulted with thus far, we set them up on PreVeil, because it's just such a logical part of the picture that emerges. And so some of our clients now, they came to us very confused and not knowing what to do. And we put together a blueprint for them, and PreVeil was a major landmark on that blueprint. And now those checkboxes that you keep talking about, yes, people feel they need to check these boxes and it feels tedious and it feels overwhelming and cumbersome, but the beauty of it is, right, we're at the cutting edge of change with this stuff, because cybersecurity is quickly evolving. So the beauty of it is that when you check these boxes and you do it in a holistic manner, like you described, there's a synergy that's created, and those checkboxes can start to emerge as something completely different, something that's almost a shield for your business. Look at Craig's background and Erin's background, like a neural net of sorts, and it comes together in a state of synergy. And then the benefits that can be reaped from that can be very much worth the time and effort put into getting there.

Craig:

I also think that tabletop is important too. When Noël was talking about buy-in from the employees, we do incident response tabletops, and we should really talk about CMMC tabletops and drills and scenario examples of, "Look, let's assume that at five o'clock, or tomorrow at three o'clock in the afternoon, DOD shows up. What do you have? What are you going to do? What do you show?" We create these fictitious scenario examples and drills, and just know who's going to show up to the meeting. How are we going to handle it? Do you have legal there? Do you have HR there? What are they going to do? How do you handle bad public relations? What does everybody do? What's your plan?

Noël:

That is such a good point. My background, when I first came into it, was more risk management. Like I said, I wrote a continuity of operations plan for DC government. That was huge. Tabletops were huge then. And so when coming into CMMC, I was like, obviously you would want to have tabletops here. This just makes total sense. So yeah, that was something that I did at the company I was at before. We had tabletop exercises, at least biannually, sometimes quarterly, where it was, okay, something terrible has happened, what do we do? And it was physical things like, okay, there's a natural disaster, but also, okay, we have a CUI spillage, what do we do? Okay, so now we have to report something to DIBNet, which is the DOD portal where you have to report incidents. Okay, how do we do that? Who does that? Who's informed? Everything was documented. Okay, we had a phone tree and went through the phone tree. Hey, is everybody's number correct? Make sure that you understand this person gets called first, that person gets called next, et cetera. You want to also make sure, too, and this is something that I think, again, is overlooked, but it's very much part of this conversation: it gives your employees a sense of ownership, and that is so key.

Craig:

Not only the employees, but you should have buy-in from the C-levels and the management too. It is not just an IT idea and then a separate department that's clearly defined as cyber. This is not just related to those two sections of your company. This affects all of your company. So really, the leaders in all of your company need to be on the same page. And it's such a different experience when we talk to, especially, small DIB companies or small businesses in general. We usually talk to the IT manager or whoever is, maybe, the office manager at a small company, but it's like, look, what about upper management? What about the C-levels? Are you getting buy-in on CMMC or whatever from them? Are they aware? And we have a customer that we recently did virtual CSO or CIO-type services for. And we're like, look, you should really bring in your owner or your C-level and have them join our meeting. And it was such an eye-opening experience for him to be there and be present and listen and understand: "Oh, okay. We understand, or I understand, why we need to invest in this and the value of it." It's not just doing the right thing, but it's also to strengthen the company and help them have a stronger foundation moving forward. But also, with the current threat landscape, to make them more secure too.

Noël:

Absolutely. You really hit the nail on the head there, because truly, I know you guys have customers just like we do, and you've seen all those different types of setups in these small companies especially, where, yeah, I've seen multiple companies where it's just, like you said, "Oh, I'm the IT manager." "Okay. Is your CFO, CEO, CIO, somebody involved?" "No, not really. They just told me to do this and now I'm just doing it." "Wow. Okay. How is that working for you? Is it working?"

BJ:

Now more so than ever, your point is so valid, Noël, because I think we're at the cusp of a major change, right, in our society. Everything has become so reliant on the internet. That's not disputable at this point, and you can go on Twitter and quickly see that AI-driven tools are trending. Businesses are really starting to adopt artificial intelligence at a very exponential rate now, right? This is a point of major change. And here the underlying foundation must be cybersecurity, because for futuristic tools that are going to just completely change how we do business and how we operate as a society, the backbone is cybersecurity. So to neglect that is foolhardy to the utmost degree.

Craig:

But also, not to assume that your IT guy or IT company is doing cyber either, because there are different roles. A lot of upper management and owners don't understand: they have Brian or Bob or Joe, their IT guy for the past few years, or they have a managed service provider that's been doing their IT for 10 years or whatever. And that's great. But those folks can't also do your cyber and compliance.

Noël:

Seriously, a hundred percent. I'm going to take that and put it on a beautiful little banner and just have it under my name.

BJ:

CMMC requires a separation.

Craig:

Well, not only CMMC, though. Cybersecurity insurance requires it as well.

Noël:

Yeah. I think you're so right that there are so many people. BJ, when you're talking about the fact that we're changing so rapidly, I think that's a wonderful thing, but it's also a problem, because we do have, like you're talking about, Craig, those C-level individuals, CEOs who have been CEOs for 25 years or 30 years of their small company. They've done it the same way this whole time, and everything's been cool. "So why do I need to change? I don't need to think about anything else. I have my MSP. I pay my little fee every month. They handle all the stuff. I don't have to worry about it. Great. Done. Moving on to the next." Which I totally understand, because you're busy. My gosh, CEOs are extremely busy, but it is that point of having that education of, yes, that is great that you have somebody managing your services. That is fantastic. That is a wonderful thing. However, that person at that MSP does not necessarily have any understanding of cybersecurity. They might, but they probably don't, and they may not have any understanding of compliance. So unless you get an MSP who has that compliance experience and that cyber experience, you're not going to get the full holistic approach that we're talking about. You're going to get parts of it. Your endpoints will be managed. Great. You're going to have your virus protection. Awesome. But are you going to have any understanding of threat management? Are you going to have any understanding of incident response? Are you going to train your employees? No,

BJ:

That right there, what you just said, it's recorded, but that segment should be played for every board meeting, because that's such a major thing that needs to be understood: that there is a difference between IT and cyber. And a good way for them to understand it, I looked at it from this viewpoint: picture IT as the 3D world, right? It's the framework. You actually plug everything in and it's all physical. Then picture cybersecurity on top of that as a quantum viewpoint, because you're looking at all the space, all the holes, all the vulnerabilities, and there is infinity there. So they must blend together.

Noël:

Exactly. You're trying to fill those holes wherever you can. The thing that is really hard sometimes for our customers to understand, who are new to this, new to cyber, new to CMMC, new to compliance: I had conversations today about this, where it was like, "Oh, I don't even know what NIST is. I don't even know what this means." And there are a lot of people who are coming at it from that point. And a lot of people, I think, now too, since we're about a year out from official rulemaking on CMMC, people are starting to go, "Oh, I only have a year to do this now. Oh gosh. Okay. So I should probably get on it now." And I'm so glad that people are finally taking notice of it enough to say, "Okay, I need to start doing this," because this is not something that is going to take you two weeks and you're done. It's going to be involved, again, if we're talking about this holistic approach and you're trying to mitigate what BJ just pointed out, which is still an infinite number of possible horrible things that could happen.

Craig:

Not only that, though, you have to choose a certified registered practitioner to work with, because you don't want to fall into a pitfall and lose a hundred or $200,000 to a managed service provider that's like, "Oh yeah, we could do that too," and they're not properly qualified.

Noël:

Absolutely. That is such a good point too. There are so many snake oil salesmen, if you will. One of our other customers was like, "Yeah, I spent $50,000 because these people told me that they could just give me compliance. That was it, done. Here we go." And I'm like, no, that's impossible. No one can promise you full compliance.

Craig:

Can't outsource the responsibility.

BJ:

Yeah. And that's a matter of education, right? People need to understand what the roadmap looks like because ignorance is not bliss. Ignorance is just, ignorance is bliss. The bliss part was a lie.

Noël:

And constantly, it can be extremely expensive to be that ignorant. Like we were just talking about with false claims, this can be company-destroying, unfortunately. If you've got a $5 million contract and you've only got five employees and you get sued for twice the total value of that contract, you're out of business. This is not just, "Oh, this sounds really great, so I'm just going to go ahead and do it." It's so sad that we have, unfortunately, these people out there in the community who are trying to sell, "Hey, here's your easy solution, you're done now." Nope. That's not possible. You've got to have it, again, like that trifecta. And another trifecta that we always talk about with PreVeil on our webinars is you want the technology, and you want the partner too. So, like you were just talking about, Craig, having an RPO that you can trust, having partners like you guys who can come in, and you can trust and say, "Oh, okay. They actually know what they're doing and they're going to help me get there. And I don't have to worry that they're going to say, 'Okay, just give me X amount of dollars and you'll be fine. We'll be great.'"

Erin:

Run. Run if somebody says.

Noël:

Run away, do not go near that.

Blake:

I think too, if you're going down this rabbit hole, make sure you go to the CMMC-AB database. And before you work with somebody, make sure that they understand what they're going into, because if they're selling you a magic pill, then they're really not accredited.

Craig:

That's a good point, Blake. You definitely want to go to the marketplace, but you want to try to be selective on the RPO and the RPs that you choose too, because it's a risk, right? You probably don't want to choose a company that only has one RP, because you want to have redundancy. So when we were talking about tabletops earlier, what happens if you're hosting or you're doing something with your MSP? What's your plan if something happens to the MSP? If they're running your company, then what's your plan? And if you're going to do a tabletop, which I highly recommend, and there are so many different kinds of flavors, the point is, if you're going to play the game, the battleship game, how are you managing these risks for your own organization? And you have to have these checks and balances. Even our company, we have another company that we work with that's vetted and tested, and they check our security and we do other stuff for them. It's a two-way partnership, and you need to have that, really, at all organizational levels and all redundancy areas. And that's why I was saying I'd be leery about choosing a company that only has one guy on staff, and maybe it's an employee and not even the owner. That's risky, in my opinion, to have that one person, and then what happens if that person leaves or gets sick or whatever?

Noël:

That is such a good point. To piggyback on that too, it's not even just with consulting companies; there's also the technological solution. A prime example is, we're a cloud service provider. So according to 7012, we have to be FedRAMP Moderate. And we are. If you're talking to a technological solution and they can't give you that, it's one of those weird sort of catch-22s: you can be technically CMMC compliant and not DFARS compliant. It's one of those weird sort of things. So if you're CMMC compliant, that's great. But if you can't be DFARS 7012 compliant, you're not going to get a contract with the DOD. So having CMMC compliance is all well and good, but the DOD isn't going to hire you if you can't say that you can meet, you know, paragraph C.

Craig:

That's an awesome point, Noël, because I think that consumers and businesses need to put more pressure on their vendors to show the proof, show the evidence. How are you helping me on my journey to DFARS, NIST and CMMC compliance? Show me the FedRAMP paperwork, show me the attestation letters. Show me the proof. And I think all these vendors, especially the big names, the big three, they call it, I think they all could do better. I think they all could do better to help the little guys and make this easier. I think PreVeil has done a wonderful job in their space, but QuickBooks? Call your QuickBooks rep and say, "Are you going to be CMMC 2.0 maturity level two compliant?" And your rep most likely would be like, "What is..."

Noël:

"I don't even know what you're talking about." Yeah.

Craig:

Or say "DFARS," and I bet they'll say the same thing. My point is that there needs to be a raising of the bar for companies like QuickBooks and a lot of these line-of-business applications that a lot of these DIB companies and small businesses are using. They need to step up to the plate and do more in regards to security and compliance.

Noël:

I think you're absolutely right. And that's something we take very seriously. Obviously, security is the backbone of everything we do here. So we are a zero-trust application and end-to-end encrypted, right? Our founders are some of the most security-focused humans I've ever met in my life. We are very big on that. So the minute that we could get FedRAMP attestation, that's exactly what we did. We were SOC 2 certified; our application and our cryptography is all FIPS 140-2. You could look it up right now if you wanted to see that certification. We have those. If you can't get that, like you said, to your point, if you can't get those types of things, it's not just, "Oh man, that makes me feel better." But also, the FIPS 140-2: one of our customers went through a DIBCAC audit recently, and I was on the phone with the DIBCAC auditors, of which there were quite a few. And one of the things that they drove home is that every security asset has to be FIPS 140-2. And it was like, "Oh, wow. Okay. All right. Good to know." They had a firewall that was in place that had 256 encryption, and that wasn't it. "No, we need to have you 140-2. Everything needs to be 140-2." So to your point, that's the kind of question you need to ask vendors. "Hey, do you have this 140-2? Where is that certification? I need to be able to look that up. If you can't do that, this is not going to fly." So I think what's been happening, again, to everybody's point, things have changed so much now. Everything's been floating around in the ether, and now it's coming into focus more, so people can say, "Oh no, I really do have something I can ask you for." Because before, any cloud service provider could say, "Oh yeah, sure, we're super safe and it's going to be fine and don't worry about it." And there was nothing really that some poor customer could say: "Hey, no, I need to see this receipt. Show me this." And now there's only that: show it to me. I want to see it. Okay, if you're secure, show me where you're secure. I want to see it.

Craig:

So true. And another common misconception is, consumers shop for, for example, data center services. A lot of data centers will say, "Oh, we're SOC 2 Type 2 and ISO 27001 compliant," and all this stuff, right, at the data center level. But what the customer doesn't understand is, the data center got all those great certs and they paid all that money to do that, and their physical security is probably awesome, and they might have a hand scanner or retinal scan or whatever. But what happens when you have publicly routable IP addresses? Now you're responsible for all the equipment in the rack.

Noël:

Again, there are so many different loopholes and sort of ways around it. That is a perfect example of one. So yeah, it really is one of those situations where, again, I've been on the other side, I have been that customer, and I had to do that due diligence. You really have to commit to doing the due diligence. You really do. Find those reputable companies, work with people like Petronella. I know that on our side we have bunches of partners like you guys who are the trusted ones; we know that these are vetted companies that are going to be able to help you. You want to find a partner that's going to be able to help you. It's vice versa with both of us: you guys can say, "Oh, we have a great technological partner that you can trust." We can say, "Oh, we have a great partner you can trust for all your consulting. No problem." You want to find one that you can really start with. And if they don't have that partner network, that's a concern too, because if they don't have a partner, that means there are partners that were like, "Oh, we don't want to partner with you. We're not feeling comfortable about that." So if there isn't a network, that's another red flag to look for. If you can't ask a question and say, "Hey, I'm looking for an MSP that I'd like to use," and get, "Oh yeah, no problem. We've got a list of MSPs that we use in your area. They're great. Here you go." If it's, "Oh, we don't really have any," why do they not have any? There's a possibility that maybe it's because those MSPs that are reputable and have all those calls are like, "Eh, we're not really feeling good about you." So it's definitely something to keep in mind too.

BJ:

Yeah, there are just certain characteristics that you fit when you're bringing your 18, and it's being prepared. Craig mentioned the word "battleship" a while back. And if you picture that in the world, you were talking about basically how these things have been floating around in the ether. And when they're looking for somewhere to land, they're going to look for a good framework, somewhere that's already ready. Ready Player One, right? Here we are, we've got our foundation laid and we're ready to go.

Craig:

A lot of things with customers: sometimes when they get cyber insurance, for example, or they want to get cyber insurance because they want to do business with a vendor, what comes to mind for me is, oftentimes that vendor will send them a risk questionnaire, what we call a vendor security risk questionnaire. And sometimes they're a hundred questions or less, and sometimes they're like 600 questions, depending on how mature the big guy is. The bigger corporations usually have the really long ones that have all these tabs. My point is that businesses should be familiar with those kinds of risk questions and documentation, and they should be risk-scoring the vendors and the partners that they do business with, because all these third parties, like you said before, Noël, scope it down. Scope it down. If you're Mr. Small Business, you're wearing 12 hats and you've got 50 partners. You can't have 50 partners going on handling your CUI, because your audit's going to be a nightmare and your expenses are going to be through the roof. So you need to scope it down and, again, go through these exercises to score these vendors. Do you really need all of them? Can we reduce this and make things more secure and more simple?

Noël:

And I think you had a really excellent point too, that we haven't really talked about, which is scoring the vendor. I think that is such an important thing. That is something that we did internally at the company I was at. That's why we ended up with PreVeil. We scored multiple vendors, and scored them on cost, on agility. How easy is it for us to implement it into our already existing processes? Because I wasn't going to rewrite all the processes just to have some technological solution that was not going to make any sense. How long was it going to take to actually implement it? How easy was it to use? They seem sort of high level, but really they make a huge difference. If you have a product that's really just garbage to use, it doesn't matter how cheap it is or how easy it is to implement; if nobody's going to use it, that's not really useful. It's not going to really get you anywhere. Yeah, I love that you said that. So score those vendors on all those different things, and also think about this in your scoring: can they help me get somewhere else? Can they help me get to another partner I need? Can they make my life easier? If I come to you guys and say, "Man, I don't know what I'm doing. I need some help here," and you go, "Oh, here's 10 partners we have that would be great to do X, Y, and Z that you're having issues with," I'm going to be much more likely to come to you guys, because you just made my life so much easier, and I'm going to save hours of time having to run around trying to figure out who's right.

Erin:

I think it's important to maybe mention before we head out: we do recommend different vendors, especially for people that are trying to implement things like that. And a lot of people come to us and they have negative scores, especially if they don't have an SSP, because then you automatically fail. But are you able to tell people about how many SPRS points they can add just by implementing PreVeil? Do you have that information?

Noël:

Absolutely. Again, this is with the assumption, right, because no vendor should be able to say to you, "Oh yeah, implement what we're doing and you're going to immediately get this score," because that's not possible. Really, you have to have policy and procedure behind it. None of the 110 controls can you just not have a policy or procedure or some kind of documentation for. Okay, so just let's say that across the board first. But if you implement PreVeil, especially since we have a documentation package as well to get people started on SSPs and policies and that sort of thing, you can get to a positive 40 with that work. And I know that, yeah, that's not 110. No one's going to be able to get you to 110; that's not going to happen. You have to put the work in. That's something that's really big at PreVeil too. We do not think that we are everybody's solution. We absolutely do not think that. We think we're the right solution for the people who really do need us. And for other people, we're like, "Hey, if there's a better solution, absolutely." We just want you to find the thing that's best for you, best for your company, best for what you're dealing with in your business processes.

Erin:

40 is pretty good.

Noël:

Thank you. We work really hard.

Craig:

Like you said, you can't outsource the responsibility. So even though you can bring 40 to the table, it's all work that they have to do on their part.

Noël:

It's not an easy 40.

Craig:

Well, this has been great. Appreciate it.

Noël:

Oh, absolutely.

Erin:

Thank you for joining us.

Noël:

Yeah. Thank you so much for having me. This was great.

Craig:

Awesome. We should do it again.

BJ:

Great conversation.

Erin:

Happy Monday, everyone.

Blake:

Bye.