Cyber Savvy

Building Cyber Resilience with Tasha Cornish | Pt. 2

DTC, Inc. Season 3 Episode 6


 Join host Mike Shelah and guest Tasha Cornish, Executive Director of Cybersecurity Association, Inc., as they dive into cybersecurity legislation and initiatives planned for 2025.

Tasha discusses their advocacy efforts to expand and modernize the Buy Maryland Cyber Tax Credit, making it more accessible to hospitals, nonprofits, and businesses of all sizes. The conversation explores the financial challenges organizations face in implementing cybersecurity measures, particularly in healthcare settings where margins are tight, and resources limited. 

Mike and Tasha also share insights about various cybersecurity frameworks, upcoming events including a CMMC symposium in May 2024, and the association's efforts to build a stronger cybersecurity community in Maryland. Learn about the real costs of cyber-attacks, the importance of proactive security measures, and how businesses can get involved with the Cybersecurity Association's initiatives. 

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!


Mike Shelah (00:01.646) 

Hello again, Cyber Savvy podcast universe. Welcome to the Cyber Savvy podcast. My name is Mike Shelah. I am your host, and the Cyber Savvy podcast is powered by DTC. To learn more, go to www.dtctoday.com. And remember, at DTC, we make shh IT work.

All right. I'm so happy to continue the conversation with my good friend, Tasha Cornish, the executive director of the Cybersecurity Association, Incorporated, today. And we teamed up the last episode, Tasha, talking about cybersecurity in the medical world from the HIPAA perspective. And I have numerous amusing horror stories around the gross lack of compliance, particularly in the medical industry. And I think everybody listening to this episode has gotten a letter in the mail from their doctor or their dentist or their eye doctor that said, "Hi Mike, you know, we're XYZ company and you visited us on August 5th of 2023. We wanted to let you know that we've had a security breach, and your data may have been involved in that breach. So, hey, we're going to give you a free year of LifeLock to monitor, and we're very sorry."

And I think what most people don't realize about that letter is that that was the end of a very painful process for that company, because the breach was identified either through ransomware or something else. Or they got a call from an attorney saying, "Hey, my client's data was discovered on the dark web and we've traced it back to a flaw in your security. We're suing you for fill-in-the-blank outrageous sum of money. By the way, now you are legally compelled to have a third-party auditing company come in and audit you for HIPAA, and you have 90 days to comply to show that you're now compliant." So these firms are doing these mad scrambles to get into that framework. But that's only like 3% of the business world. The other 97% are doing little to nothing to prevent that from happening.

And you mentioned to me while we were in the green room that the big focus for your organization is going to be legislation in 2025. So, you know, tell me about that. Why is that important? What are the things that you're going to be working on and focusing on?

 

Tasha Cornish (03:05.112) 

Yeah, I think one of the most critical roles that an association can play is the advocacy, both with big and little A's, that we can do with our members. So we've done a lot of advocacy in Annapolis. This is our fourth, fifth year, my goodness, fifth year, of being really engaged and involved. And one of the topics that we will focus on, and potentially not with a bill this year, but just to start socializing it with legislators, is the huge issue of healthcare and cybersecurity. 

The healthcare environment is one of the most complex when it comes to cybersecurity because you have employees, you have patients, you have devices, you have facilities, you have everything converging all at once. And the margins of hospitals are not that high.

 

They don't have a lot of money floating around that they can invest in cybersecurity, because a lot of their IT budgets are spent keeping the building open and keeping the devices running and keeping their staff protected and working and productive, and continuing the business and allowing everyone to receive the health care that they need.

 

So, it's a very challenging situation, especially for rural hospitals, especially for smaller hospitals. Many hospitals we've all seen in the last decade or so have gone through an acquisition process and healthcare systems are building. And part of that is of course to simplify some of this overhead. But many of these smaller ones that are so critical to their communities don't have those resources. So we will be talking a lot about that. And one of the things in Maryland that we will be advocating for is the expansion and modernization of the Buy Maryland Cyber Tax Credit. 

 

So, this was passed back in 2019. And back then, they really focused on getting Maryland cyber products into the hands of Maryland sellers. And it was a huge win for our organization to get that accomplished. As we move into 2025, the goal is really focused on the buyer here.

 

So, there are restrictions on the buyer right now when it comes to size specifically, and the nature of the tax credit, that we will be advocating to change. So first, remove the size. I don't care if you're a company of 50 or, as we just said, a hospital system of a thousand-plus; you need cybersecurity and you might not have the budget. You might be a small software company with a bigger budget for cybersecurity than a hospital, just because of the way that business works.

 

It's going to be very tough. So by removing that, hospitals and nonprofits and others who are really vulnerable to cyber threats, but might not have the right security, can now access this tax credit. And you heard me say also nonprofits, and you might be thinking, how can they take advantage of a tax credit if they don't have a tax liability? Well, we're advocating that this becomes a refundable tax credit. So that means even if you don't have a liability, you're a nonprofit or you don't have an income, like you might be a startup, et cetera.

 

But if you invest in cyber products, you can still get 50% of that under what we're advocating for, to improve your cybersecurity and to reduce the cost of that startup. Because we all know how expensive that can be at first. It can cause real sticker shock. It can make sales cycles really long. So by providing this, it'll be a great opportunity for buyers, and by proxy it will support our sellers in the state of Maryland as well as they bring these services and products to more folks.

 

Mike Shelah (07:10.712) 

Wow. I am so excited that you brought that up because I spent a lot of time in the CMMC space talking to government contractors and the Maryland Cyber Tax Credit is a big topic for what you just said. 

 

The hardest thing that I do as a salesperson is get a business owner to give me 30 minutes of their time just to say, "Hey, think about this a little differently." I want you to think about this: how it's impacting the brand that you've built, how it can potentially impact the revenue of your company, how it can impact your employees. It's a cyber conversation that impacts every aspect of your business.

 

And as you said, they go, "Well, how much does your service cost? I'm not spending $60,000 a year. Plus, you know, all these tools you want me to buy." So the Maryland Cyber Tax Credit wouldn't solve that problem, but it can soften the blow. And the fact that you're advocating for nonprofits, I think, is critical, because nonprofits will be the first to say, "That's not necessary, so I'm not going to spend the money on it until I absolutely have to." And more than that, because I've sat on the board of directors for no less than six different nonprofits in the last 20 years: they're so money conscious, they want the money to go to the community they serve. Like, if I take $60,000 out of my budget, that's one less family I can support. That's one less neighborhood I can support. And when you're trying to balance "I can do good" or "I can run a risk," they'll say, "Well, I'm going to do good. I'm going to use that $60,000 to do good." Not realizing that while that's noble, if you're not around, then you can't do good.

 

Tasha Cornish (09:33.46) 

Exactly. Yeah. 

 

Mike Shelah (09:36.086) 

And the way that I break it down is there's roughly 240 business days in a calendar year. Take out the holidays, take out the weekends. Those are the days that an organization generates revenue. 

 

And if you take your annual revenue and divide it by 240, you now know how much money your company makes on a daily basis. 

 

Mike Shelah (10:08.814) 

So just for easy math, let's say that number is $1,000 a day. The other side of that is a large chunk of that thousand dollars goes towards operational expenses. You have your equipment, like your laptop. You have an office space; maybe you're renting, maybe you're buying. Maybe you're 100% virtual, but once a month you take the team out to lunch so that everybody can collaborate. Maybe you do a team building event. You have an electric bill, you have a cable bill, you have an internet bill.

And that's not even to include, I have employees I have to pay, I have to provide the medical benefits. So you have all these operational expenses. So maybe of that thousand dollars a day, $700 of it is already spoken for. It might be closer to $800. So now you have $200 a day that you can make a difference with.

 

So from an operational standpoint, from a cash flow standpoint, these businesses don't have significant reserves. Now, some companies will have an equity line of credit that they can dip into as an emergency fund. But when you look at, to our listening audience, just for fun, go and Google the average cost of a ransomware attack in 2023. It's a big number. I think the last average I saw was like 2.3 million. That's a really big number.

 

Tasha Cornish (12:00.504) 

Mm-hmm. 

 

Mike Shelah (12:02.926) 

It's so big that most business owners are going to go, "I don't believe that. That's just garbage." Okay. Would you believe 10% of that?

$230,000? Would you believe 5%? That brings you to $115,000. Raise your hand if you have $115,000 to pay for remediating a cyber attack. Very few hands are going to go up. And then factor in the average downtime of the cyber attack is five business days. So now you've lost that $5,000 of revenue on top of everything else.

Plus, you still have to pay your people and everything else. So, I think what you can accomplish with your legislation is helping people take a step towards being proactive instead of reactive. Is that one of the goals? Talk to me about the goals. What do you want to see this come through as?

 

Tasha Cornish (13:01.942) 

Yeah. Absolutely. So I think overall that is what the goal is. I think we know that cybersecurity programs are a lot stronger when they have a really good assessment to lead them off. They're not just people throwing things at the wall, willy-nilly making investments. And so it's our hope too that this will really give people, because I think assessments are one of the most challenging things, excuse me, that people can rationalize paying for, you know. So yeah, managed services, like that's still something people don't want to pay for, but that's like, you know, okay.

 

At this point, I think some people say we need at least something in place. We've got to pay our MSP if we don't have it in house. But if they're not thinking about their overall program and really thinking about where they're directing that through an assessment, the things you can learn through an assessment, it's going to be really hard to be proactive and to be on the offensive. You'll see over the next couple of years the US talk more and more about how, in cyber, we have to stop being always on the defense. We have to take an offensive point of view.

 

And I think that that does trickle down to our businesses because they sometimes get hit the hardest. And so by doing an assessment, by doing pen testing, by doing things like that, you can really understand where your, you know, you as an accounting office are not going to go on the cyber offensive, but you can take that offensive state of mind into your environment and really see where your holes are and really protect your business and your customers moving forward. 

 

Mike Shelah (14:39.032) 

Yeah, you just hit on the golden comment in that I'm sure people are listening to this conversation saying, well, Mike, I don't own a medical business. So following HIPAA doesn't help me. And I have two responses to that. First, yes, it would. And here's why. 

 

Following any cybersecurity framework, regardless of the acronym, makes your business better. Now, there are certain ones that are better for certain industries. As I mentioned, government contracting is CMMC. If you are in retail, you should follow PCI. If you do business in New York, you should follow the New York Shield Act. 

 

So there are numerous. The financial industry, I think, has a dozen alone. You have Sarbanes-Oxley, and the list goes on and on. But at the baseline, the National Institute of Standards and Technology came up with NIST 800-171. And the purpose of that was to say to any business, following these 110 requirements better protects you from threats and makes you a proactive company, which goes back to you protecting your brand, you're protecting your revenue, you're protecting your customers, and you're protecting your employees.

 

So tell me about how Cybersecurity Association Incorporated handles that landscape, like the conversations you're having around the different compliance frameworks, and what are your best practices and what are you telling people?

 

Tasha Cornish (16:37.912) 

Sure. So I'll put in a little plug first for the work that we're doing around CMMC, because it really is taking our industry by storm and has been for years. The amount of defense industrial base folks that don't know about it or aren't thinking about it seriously is still alarmingly high, but we hope to help bridge that gap as everyone else does.

 

So we will be creating a special landing page on our website that we know will be a resource to folks who are looking for where to get started, and who is working in this field when they need to get quotes from others, which is something I've heard is often part of getting together a proposal nowadays, right? Because the good news is that some of these contracts are including funds to pay for CMMC certification, because they do know that these companies need to pay for this, and the government can't expect people to just pop it out of nowhere.

So they're putting it into contracts, at least part of it, you know, to offset some of the cost. And those folks need quotes, they need, you know, RFPs, whatever, for that type of service. So anyways, we hope to see ourselves as part of that solution by creating this webpage, and we will be doing a symposium on it in May as well. Yes, we're very excited. Announced here for the first time: May 14th.

 

Mike Shelah (18:07.148) 

May 14th. All right. Can we get, do you have more details you can share with us now other than that, or just save the date?

 

Tasha Cornish (18:12.248) 

Not at this time, save the date. It will be at the Technology Advancement Center, or the TAC, in Columbia, which is a great partner of ours and a great asset to our national defense and all the companies serving that mission. So we're very excited to partner with them on that event. And then for everyone else, honestly, we do some of the same, like pick your flavor of the day for medical. Is it HIPAA? Is it HITECH? Is it all of these other things? Is it NIST?

I mean, we chat a lot about NIST, especially for those who are in the critical infrastructure. And we really like that; it is a great model and great framework for those folks. And we talk about CIS a lot too. I think especially for small businesses, CIS is a great place to start, and it's very approachable as well. They've done a wonderful job over there to spread that message.

 

Mike Shelah (19:12.61) 

Yeah, I appreciate that. And you know me, I'm a CMMC nerd. So I love that we are doing, I say we, because DTC is a member of the Cybersecurity Association, corporate, full disclosure. That was one of the first things I did when I signed on with DTC: that we have to get involved, because the work that we're doing is important. And I heard you say a couple of things in there.

 

Tasha Cornish (19:24.224) 

Absolutely. 

 

Mike Shelah (19:41.806) 

A woman that I've known for many years, she owns a small government contracting outfit. And I think she's got like 15, 20 employees now. Most of them are 1099s, but that's common in the government contracting space. A true employee, there's few, but as far as the 1099s doing the work, because of the nature of the work on a contract basis, that's really common. And... 

 

She reached out to me and said, "Hey, I saw your post about CMMC the other day. Can I pick your brain?" I said, yeah, absolutely. So we talked for the better part of an hour. And I said, you know, these are the five things you want to look at right away and figure out if you're staying or going.

 

And that's one of the hardest conversations I have with a government contractor is, look, this is not inexpensive. You're going to pay money to someone to tell you how bad off you are. Then you're going to pay more money to have somebody fix everything that's missing. Then you're going to pay more money to another organization to evaluate the work that was done to make sure that you did everything that needs to be done. And then you're going to pay more money to maintain it.

And as you said, one of the things that DOD did is they recognized, we should probably start offering some financial offsets to help pay for this. And this woman said to me, "Well, I'm thinking about building an executive board and having somebody that owns a cybersecurity company on the board." I said, that's a great idea. She said, "Does that give me an exemption?"

 

I said, no, and that's the other thing: all these companies are like, I want an exemption. I want this. I want that. I'm like, it's very simple. If you are on a contract for the Department of Defense, prime or sub, you must have this certification, or you will no longer have the contract. There's no grandfathering. There's no exceptions. And you know, where they're really being serious about it is the annual attestation.

 

So, the owner of the company signing off saying, yes, I'm still doing this. And then every three years, you're hiring that auditing organization to look back at the last 36 months and say, okay, you've maintained it. So you're still going forward. 

 

And so that's two big industries, medical and government. But like you said, you know, the everyday business person will benefit from that. And that's, I think, where the Cybersecurity Association can make their mark: helping the other 98%.

 

Tasha Cornish (22:52.873) 

Absolutely. 

 

Mike Shelah (22:55.31) 

So I know you're very events focused. You gave us the tease for May 14th. I attended one of your breakfast networking events about a month ago; it had like 40 people there. In fact, I have a call with one of the people I met there tomorrow. So let's talk a little bit about that. What's coming up in Q1 for 2025, and where are we gonna be and who are we talking to and why?

 

 

Tasha Cornish (23:22.058) 

Yeah, absolutely. So events are a huge part of how we are building our community and how we are building that trust. I think you hit on it a little earlier, Mike. This community is so much about trust, and it feels like you don't even have to say it, but when you're in it, you really feel it. And by building this community and these networks through these events, you know, we're really happy to be a part of that process for lots of folks. So by the time this airs in January, we will have had our business planning summit, which we're very excited about, talking about finance, marketing, sales, and talent. See, okay, we're going to plan for 2025. We also have our legislative summit and reception in February.

 

Mike Shelah (24:09.301) 

Ooh, okay.

 

Tasha Cornish (24:10.488) 

Which will be very fun. We'll talk about a lot of the things we talked about today, as well as AI and privacy, which continues to be one of the hottest topics brought up at our security practitioner group. You will have an opportunity to obviously meet with government folks, legislators, et cetera. In March, we will be doing a couple of collaborative events, including a women-owned small business event doing work with the NSA. So watch out for that as well.

 

Mike Shelah (24:39.096) 

Brilliant. 

 

Tasha Cornish (24:40.394) 

All for Women's History Month, great timing. And then just a month later, we'll be doing our very fun Women in Cyber Social. So this is a great way to get folks who are out supporting the industry, and in the industry, together to just have a very relaxed time. You know, our industry is still about 20 to 25% female.

 

You know, we are very proud to have, I think, an over-representation of women in the field, especially among our women-owned small businesses and others. We're very proud of that. However, you know, it's really nice to go to an event and see over a hundred women for a cyber event in one room. So.

 

Mike Shelah (25:23.875) 

Yeah. And a few really smart men that decide to show up as well. 

 

Tasha Cornish (25:29.438) 

Exactly. Men can join as a sponsor if they, you know, step up and say this is important to them and their culture and who they are as a business leader. It's very fun. It's very fun. And then looking later in the year, we'll have a couple other summits around our other areas of focus and our pillars around talent acquisition, as well as business growth.

And we'll have our award ceremony in September again, which is a fabulous way to celebrate, the ninth annual and our 10th year of existing, you know, excellence in our field. So we're very excited. We'll start planning for that; pretty much, we've already started. So we're announcing that very soon.

 

Mike Shelah (26:12.142) 

So as a quick button up, two things: how do people get in touch with you? And if people are interested in joining the Cybersecurity Association, how do they go about doing that? Give us the pitch.

 

Tasha Cornish (26:24.842) 

Sure, so our website is cyber-association.com. You can contact us there. We'll have our email there as well as a contact button. We also have a page on membership, and the very first submenu of that menu is "become a member." So it's really part of our philosophy to keep our membership prices affordable. We will be increasing them in 2025, but right now you can join as an individual member for $75, which grants you access to most communities online, all sorts of great ways to stay engaged.

 

Mike Shelah (26:57.646) 

Fantastic. 

 

Tasha Cornish (27:03.36) 

And then a corporate membership for cyber companies is $400. And that includes up to 10 members of your team. We talked about all the different things we do, so you can see the different ways your team can plug into that. And it's just really important for us to keep that accessible, because we know that this, again, this industry is full of folks at every level who are contributing. So we're excited to be a part of that for many people.

 

Mike Shelah (27:30.114) 

Wonderful. Well, Tasha Cornish, Executive Director of Cybersecurity Association, Incorporated. It has been so much fun catching up with you today. Thank you for being on the Cyber Savvy Podcast. 

 

Tasha Cornish (27:42.658) 

Thanks for having me. 

 

Mike Shelah (27:44.206) 

And to our listening audience, we hope you've enjoyed this episode. Please be sure to reach out to Tasha with additional questions. Reach out to me as well. I'm on the marketing team, so I'm happy to tell you all the wonderful things about Cybersecurity Association Incorporated. And come back next month, as we have a whole slate of incredible guests for you in 2025. So on behalf of DTC, I am Mike Shelah, and the Cyber Savvy podcast is powered by DTC. So go to www.dtctoday.com to learn more. And remember, at DTC, we make shh IT work.

 
