Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straightforward manner, many of the cybersecurity issues that directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes are posted twice a month, on the first and last Thursday. Make sure to follow and subscribe wherever you listen to your podcasts so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Compliance Frameworks and Cybersecurity Speak with Loren Larson | PART 2
This episode discusses the importance of compliance frameworks like HIPAA and CMMC in cybersecurity. Cybersecurity expert Loren Larson explains how these standards help organizations secure their systems and data.
The conversation covers the challenges businesses face in meeting compliance requirements, such as the perceived high costs. Loren and host Mike Shelah share examples of companies that ignored compliance only to face serious consequences later.
The episode emphasizes the business need to take a proactive, framework-driven approach to cybersecurity rather than simply hoping you won't get hacked. Loren provides guidance on conducting assessments and developing a plan to achieve compliance cost-effectively.
The key points are the importance of compliance frameworks, the challenges of implementing them, and the need for businesses to take cybersecurity seriously instead of hoping for the best.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
Mike Shelah (00:01)
All right, Cybersecurity Podcast Universe. Welcome to another episode of the Cyber Savvy Podcast powered by DTC. And remember at DTC, we make sh-I-T work. We are back with my good friend, Loren Larson. And in today's conversation, we're gonna do a couple of things.
So Loren has a lot of expertise specifically around compliance, frameworks, and we're going to spend some time talking about that. And then equally important, how do you have a business conversation around cybersecurity? So Loren, welcome back. And yeah, let's talk about compliance frameworks. And I'll give you a great example. So DTC, we've been around for 25 years. We have about 440 customers currently as of today's recording.
Loren Larson (00:44)
Thank you. Appreciate being here.
Mike Shelah (01:00)
And roughly 435 of those are dental offices. So we've built a niche in that industry, and we're now expanding outside of it. But one of the things that has created for us is a need to be HIPAA experts. And not just HIPAA experts: by HIPAA's definitions, we are a business associate, so we are compelled to follow HIPAA guidelines as well.
And I think a lot of businesses first don't really grasp the value of following a specific compliance framework, whether that is HIPAA, PCI, GDPR, CMMC, NIST, or any other acronym that you want to throw out there. But I am of the mind that where most IT companies fall short is their cybersecurity strategy is, well, these are good tools, so we're going to use them instead of taking a very practical process driven approach by following a very specific compliance framework to not only secure your business, but also secure your customers.
So let me hear your thoughts on the various compliance frameworks and how you go about supporting your clients in that.
Loren Larson (02:18)
Okay, very good. So I'm glad we're getting into this area because my wife likes to call me a high functioning nerd. I view myself as a NIST, National Institute of Standards and Technology nerd because I've been dealing with the NIST frameworks that have been coming out since back in 2005.
When I was working in the government years ago, as I mentioned in our previous podcast, I was on the infrastructure side of the house. And so we were subjected to the new security rules and regulations that were coming down the line, and we were supposed to follow whatever guidelines were there.
And this was in the infancy stages of the federal government putting together the security frameworks that were supposed to govern how these federal agencies manage and maintain their IT systems, so that they're doing it in a responsible and secure manner.
The first thing that came out was NIST 800-26, and that was more of a questionnaire. It was a kind of go-through-and-grade-yourself-as-best-you-can, based on your understanding of the question that they're asking. And that didn't last too long, because really what it was was garbage in, garbage out. You only get answers as good as what the person who was answering it understood and how they responded to it. And then right around that time, NIST 800-53
Mike Shelah (03:36)
Yeah.
Loren Larson (03:46)
is the framework that was the first one that was the most specific and granular and overarching for government agencies to follow. And so that was a set of controls. And there were 17 families of controls back then that covered everything from access control and security awareness and auditing and configuration management, identification, all these different things, through to physical security, things that people don't even think of.
Physical security talks about how your data center is set up, and access controls into it and out of it, and fire protection, all that stuff. So there's a lot of frameworks that are out there, but it's not a one-size-fits-all scenario. This NIST 800-53 I'm talking about, that is for federal agencies, because it's got a lot of specific areas in there that talk about budgeting and making sure that there's a certain amount of dollars spent on information security and things like that.
Other organizations have come up with and generated these frameworks, and so there's an opportunity to use those, but the underlying concept is these are a set of practices. A lot of them, call them almost best practices, industry standards, they're out there, and a lot of them follow along the same kind of number of areas, and they're very useful.
But the size of your organization will dictate how well you can adopt a framework and build a security program around it, so that you feel like you've adequately put safeguards in place so that your organization hopefully doesn't get attacked. And if you do have issues, you've put things in place so that you can respond and recover rather well. So that's what these frameworks are all about.
Now, some organizations, some businesses, are required by federal law or state law to meet requirements: HIPAA, as you mentioned; PCI compliance, which is the payment card industry's security standard. Then there's FERPA, which is the Family Educational Rights and Privacy Act, which guides colleges and universities on how they're supposed to protect and maintain student information. Then there's the Gramm-Leach-Bliley Act, which is for financial institutions that do loans and things like that. And so the government likes to put their finger on anything along those lines and say, we need to have you put protections in place.
Organizations need to know what requirements they have to adhere to in order to meet the law. And it's not always a law or something like that; there might be other pressures. If you have an insurance company that you're trying to get cyber insurance from, they're now starting to make sure that organizations are putting safeguards in place and trying to do a good job.
There's a myriad of options to pick from, and it just really boils down to what the requirements of your organization are. And then, based on that, picking the right strategy and getting it up and operational. And a lot of these controls require purchasing or acquiring security tools that are part of the process. And so there's not a one-size-fits-all on those
Mike Shelah (07:17)
Yeah.
Loren Larson (07:43)
things either. I mean, there's so many options out there. And so what it boils down to is making sure that you've got the right information and that you're putting into your organization these controls and safeguards that'll make it operationally effective for you to adhere to this compliance and this governance, yet at the same time doesn't make it so impossible that you can't work anymore and do the things that you need to do. So there's this big balance there.
And so one of the things that I do a lot, working with organizations as a chief information security officer, is help them navigate through these different ones correctly, right? And so you've got to figure out how to make sure that you're doing the right thing. Lately, governance has become a huge part of the cybersecurity frameworks that are out there, making sure that everybody has some sort of, when we say governance, we're talking about these frameworks and making
Mike Shelah (08:20)
Security's not convenient.
Loren Larson (08:40)
sure that you've got these things in place. And so some of these things are designed and built well for whatever size organization it is. Some of these things are too big for some organizations to handle because they just don't have the staff and personnel in place. But some of these frameworks are designed so that you can apply them at a certain level, and understanding what that is and understanding where your organization should fit in that model
is something that you have to make sure of: that you've gotten that information and you've put the program in place. You've got policies and procedures, and then you've got the activities of everybody following those things and doing the right thing.
Mike Shelah (09:21)
I want to go back to something that you said right at the beginning of that, because I think people subconsciously recognize this, but I don't think that they go, my God, that's terrible. And it is. So you mentioned HIPAA. HIPAA has been around, gosh, almost 30 years now. It's been around a long time.
Raise your hand if you've gotten a letter from a doctor or a dental office or other medical facility that said, hey, Mr. or Mrs. Name, we had a cybersecurity breach and wanted to let you know that your information may have been exposed in this breach. And people get these letters and they go, I don't understand because that doctor is following HIPAA. And here's the ugly truth that I want to get at.
These companies are supposed to follow this. And this is going to lead into our CMMC conversation next, because I had this very real conversation with the owner of a government contractor during lunch on Friday. They're supposed to follow these, but they either A, go, it'll never happen to me, or B, they hire somebody like you to do an audit and they go,
Holy shit, that's a lot of money. I'm not gonna spend all of that to be compliant with HIPAA. I'll just wait for something bad to happen. And I think a lot of the everyday people walking around, again, I stepped away from cybersecurity for two years and it was very eye-opening to me, because in our world, you don't meet CISOs who have their head in the sand and go, we're never gonna get hacked.
Loren Larson (10:59)
Okay.
Mike Shelah (11:19)
You don't, but what you do meet is a lot of people that don't have a title like CISO or CIO or CTO that basically say, you know what, Loren, you're just being a pain in my neck. I really don't need to buy that managed detection and response tool. You know, you're a smart guy. You're going to figure it out. We don't need to invest extra money in that, because they're making it a technology problem instead of a business problem. They're viewing it through that lens.
So the gentleman that I had lunch with on Friday, he's the owner of an engineering firm in Maryland. He and his brother own it and they do contracts for the DOD. And I said to him, your contract that you have today has language in it that says, I agree to follow the NIST 800-171 guidelines for my business. He goes, yeah. I said, and you don't do it? He goes, no. He goes, we looked at it, it's expensive. I said,
But you could lose that contract. He says, yeah, but only if something bad happens. And that's unfortunately why CMMC is going to become a reality in 2025, because the overwhelming majority of the, particularly these subs, but even a lot of the primes, are going, I'm not spending all that money. It's just the squeeze ain't worth the juice. Like, I'm not going to get my return on my investment just to possibly prevent something bad from happening. So, you know, just
when you have that business conversation with somebody, you're getting a lot of that, I'm assuming.
Loren Larson (12:50)
Yeah, that's always been the biggest issue I see in the cybersecurity world with organizations. It's the commitment from the upper management to embrace cybersecurity and bring it in as part of their culture and making it part of their organization, because it's too expensive, because it's overburdensome, because it makes it harder for my people to do their job. And so I'd rather not make that spend and get away with it if we can,
and we'll practice security through obscurity. I heard that term first given to me about five years ago. And that only worked for about half a year for that organization, because their CFO received an email that looked like it was from an internal entity in the organization that said, hey, we got this invoice. You need to pay this. You need to approve it. And
what happened was about five months later, through an audit, an accounting audit, they found out, hey, you made this expenditure, this payment. What happened? I don't know. And then they went and they investigated. Somebody's email got hacked. That individual's email led to other emails getting hacked, and they paid, you know, a couple-million-dollar invoice that they weren't expecting. And that's where the pitfalls of not taking the action that you need to can occur.
The flip side is, if you're an organization that has entered into a contract with the federal government and you've made the decision not to do this, you may not be doing government work anymore down the road, because they are starting to take it seriously and they finally got the CMMC 2.0 rule released; actually, it was just a week and a half ago. And so it's out there now. Yeah, and it's coming.
Mike Shelah (14:34)
Yeah. We're getting real.
Loren Larson (14:40)
I've been getting a lot of inquiries from organizations who say, I don't even have a government contract. I'm working for this company over here that makes widgets, and, you know, we're a subcontractor to them. We make this one little part, but they're asking us to do all this stuff. Well, actually, that's part of the supply chain. So yes, welcome to the world of CMMC filtering down to the supply chain, you know, for all the different entities that are out there.
So it's not just the primes that are getting impacted. It's everybody's sub underneath. And so they have to do it too. And the CMMC program, as you brought up, started out several years ago, but it hit some serious speed bumps and it fell apart and was dead in the water. And they've been going through this rulemaking process for a long time now, trying to get the program up and running. That is basically there,
and you will see it filtering out throughout the entire world of contractors doing business with, at this point, DOD organizations. Do not assume that this will not spread throughout the entire government. This is coming down the road. The universities that I talked about in the last podcast that I'm working with, they follow the GLBA. They are required to adhere to NIST 800-171,
which is the framework that is used in the CMMC program, which to me says the Department of Education is now embracing and bringing this along, and they're putting these contractual requirements on everybody else. It's going to go everywhere, and so you're not going to have the choice to ignore it and not deal with it, unless you just don't want to do government business. And so that's really what it's going to boil down to.
Mike Shelah (16:17)
Yep.
Yeah, I had a very interesting conversation. So somebody in my LinkedIn network was doing some research on CMMC, and my name popped up when they researched it. And they said, hey Mike, can I talk to you for a little while? I wanna ask you some questions around compliance and specifically around CMMC. And I said, yeah, sure, I'm happy to talk. And she's a solo practitioner. She's doing some subcontract work,
specifically around digital storage of information, transferring paper documents into digital. That's literally what our business is. And she was asking me these questions, and I walked her through it and said, you have basically four phases. You have your assessment, your remediation, your certification and your maintenance. I said, depending on how you decide to do that, you could work with as many
as four vendors or as few as two. You're going to have to have at least one independent person certify you, but you could technically do the other three with another vendor. I said, there's a lot to it. And I said, for somebody your size, you really want to start with just an assessment, because you want to get a sense of how much do I actually have to spend to stay a government contractor? Because
I think a lot of these smaller government contractors are going to look at this and go, it's not worth it. I financially can't do that. And she said to me, I'm starting to lose opportunities. Like, her phone's ringing saying, hey, we'd like to work with you. By the way, have you started your CMMC? And she goes, no, I haven't. They go, that's too bad. And they hang up and they move on to the next vendor. And I think, yeah, I think
Loren Larson (18:27)
Yeah, and that's happening.
Mike Shelah (18:31)
particularly over the next six months, because you and I, I think I've heard the same thing around 2.0, is that somewhere around June of 2025, we're going to actually start seeing the requirement in some of the DOD bids that are going out between March and June. I'm going conservative. I'm saying, let's say June, that we're going to start to see them. Now, it's not going to be a floodgate. It's going to be, you know, maybe 5% of them, but
5% then becomes 10%, and then six months later it's 15%, and then six months later it's 20%. And over the next, call it two years, almost every DOD contract up for bid is going to have this CMMC requirement written into it. And I think that's going to be the downfall of a lot of these,
particularly the subs, you know; some primes will as well. But the primes at least have that flexibility to say, well, let's shift our focus to commercial where it's not quite as strict yet. Not quite as strict yet, because you made a very sage comment there that other branches of the government are now starting to embrace this. So financial institutions are seeing additional pressure. If you lend money...
By the way, that lending of money is now trickling down to auto dealerships, which a lot of them aren't thinking of. They're like, well, I'm not a financial institution. I sell cars. So, do you do any kind of financing? Well, no, we use an outside party to do the financing. Well, guess what? That makes you a lender by default, makes you an interested party. And that means you need to, because you're transferring this information from customer to lender,
Loren Larson (19:59)
Yes, it is. That's exactly right.
Mike Shelah (20:21)
That means you have responsibility, even if it's just for a moment, you have responsibility for that data. So how you transfer it and encrypt and decrypt is now part of your business. So congratulations, Bob's used car lot that sells a hundred used Datsuns on a Saturday and finances 50 of them. You are now in the cybersecurity business. How does it feel?
Loren Larson (20:48)
You are now subject to the GLBA, the Gramm-Leach-Bliley Act, and you must adhere. So that's what it is. Yeah, that is permeating, like we were saying, throughout. And it's catching a lot of organizations by surprise. And so to be compliant, for these small organizations, it's just coming out of the blue. And then it's also the subs, like I was saying earlier; out of the blue, they're getting a request from the primary contractor
Mike Shelah (20:51)
Yes.
Loren Larson (21:17)
to show that they've got their security plan in place, they've got all the stuff. When you said it is four steps, it's really not that bad, straightforward: it's assessment, and then, you know... yes.
Mike Shelah (21:26)
Those four steps take six months and half a million dollars, but yeah.
Loren Larson (21:31)
Right, there's a lot to it. And then a lot of organizations, smaller-sized businesses, don't have the staff. And so they don't necessarily have it. Now, fortunately, you can get assistance. And that's one of the things that I've been doing a lot lately, as a consultant for the CMMC program, is advising and helping these organizations figure out, okay, we need an incident response plan. What does that mean? You know, and how does that get documented?
All these different little requirements, and so you have to put all this together. You actually create a package that contains all this stuff: the system security plan, policies and procedures, all these different plans like your incident response plan and security awareness training, all these things that organizations never thought they had to do before. Like, say, the car dealership: if those are financially backed by the US government,
that's now government data, and so they're now definitely going to make sure that you're adhering to this, and it's going to follow you. And so that's how it's trickling out, and it's just another way to try to make sure businesses are doing something to be cyber-hygienic and protecting data and things along those lines. But the biggest problem is the hurdle of understanding what your requirements are.
And as you mentioned before, the first step is to get that gap analysis of where you currently meet the requirements. What you need to do is go through every single one of the controls, and there's a few of them. You figure out what is the current level at which you're meeting that. If you're not meeting it at all, that's when you say, okay, this is going to require this tool to be purchased. It's going to require these policies and procedures to go along and state how we're going to implement that specific requirement.
Then we need to have the personnel to do it. So that gap analysis can put together for you that laundry list of everything that you need to get that'll get you into compliance. And that's your first step, because that will tell you then, if you put in the dollar value of it's gonna cost me this much money to acquire the system, this much on an annual basis to license it, whatever it might be, then I gotta have personnel to run it, and then I gotta do other things. And that cost can be evaluated, and then that can be all
brought together and give you a sense as an organization, okay, it's going to cost me $2 million to adhere to the CMMC program. Is that going to be worth it for me to go after this contract, or do I need to adjust my prices and my cost of my operating expenses to meet that so that we can, you have to absorb it. Someone's going to be paying for this at the end of the day.
It's not going to be just the business. It's going to be the end user. It's going to be the consumer. It's going to be the taxpayer, because all of this is going to be acquired. Organizations just can't pay for this out of their pocket and not expect to just bear that cost. They have to build it into their operating expenses in their contract. And that's how, when you make that first gap analysis, then you can evaluate, am I pricing this properly? If I'm going after this contract,
do I have the price set properly? Am I going to lose business to them, but they haven't really done the CMMC stuff? You don't know that, you know. That's all the factors that are part of that whole equation that need to be, you know, considered when you start to jump into that whole contracting.
Mike Shelah (25:07)
Yeah, Loren, this has been great stuff. As always, you're brilliant, you're on point, you're advising, you're educating. So grateful for the conversation today. Any quick parting words as we wrap up this episode?
Loren Larson (25:28)
The biggest thing is don't be afraid, and don't think you can do security through obscurity. Do something that will protect your assets, and understand that your assets are on the line, so you've got to figure out what you've got to do. If you need help, go get the assistance that you need from organizations like yours, from individuals like myself, who can come in and advise you and just help guide you,
Mike Shelah (25:34)
I love that.
Come and grab this.
Loren Larson (25:58)
steer through the icebergs as you're trying to make it back to port safely, or whatever it is you're trying to do.
Mike Shelah (26:06)
Yeah. Loren Larson, cybersecurity strategist with Dell, exceptionally grateful for your friendship and for this time today. And again, to our viewing and listening audience, thank you for tuning in to the latest episode of Cyber Savvy and the Cyber Savvy Podcast. And we have got some exciting guests coming up for you. Just as a little tease, I'm going to have...
a threat detection expert from Johns Hopkins as a guest in the coming months. I'm going to have a C3PAO as a guest in the coming months. And if you're outside of the CMMC world, you don't know what the heck that means, but you're gonna learn. We're gonna tell you, and we're gonna have the executive director of a cybersecurity nonprofit on in the coming months as well. So we've got some great guests coming up, because at the end of it all, what we want
is for you, our viewing and listening audience to be cyber savvy. So thank you for tuning in through the cyber savvy podcast. And thank you to DTC for powering this show. And remember at DTC, we make shh IT work. Thank you.