0:53

I was going to Metin . It's really

0:55

good to finally have you on the podcast

0:57

. I think we've been trying to get this thing scheduled

0:59

for like almost the entire

1:01

year at this point . I've

1:03

been since .

1:04

February .

1:05

Yeah , yeah , it's been a while . It's been

1:07

a crazy year for me overall

1:09

. You know , like had my first kid

1:12

and she came a little bit early and it

1:14

was just it's like

1:16

one life

1:18

change after another . You know .

1:21

Yeah , well , it's good to finally see him .

1:24

Yeah , absolutely so

1:26

. You know , Metin , I always start

1:28

everyone off with telling their background

1:30

right , how they got into IET

1:33

or cybersecurity , and

1:36

I

1:38

feel like it gives my audience

1:40

a really good picture of you

1:43

know , not just your background

1:45

, but that anyone can

1:48

come into this thing from any background

1:50

and , you know , really thrive

1:53

in IET , and so I

1:55

think it's always beneficial to hear everyone's you

1:57

know different backgrounds , because I

1:59

haven't heard the same background twice actually

2:01

on this podcast .

2:04

Yeah , absolutely . I'll start off with

2:06

a quick introduction here . My

2:08

name is Metin . I'm currently the CTO

2:11

at Rometic . Rometic is

2:13

a cybersecurity solutions company . We

2:15

provide virtual CISO services and

2:17

on top of that we also provide other

2:20

cybersecurity services like penetration

2:22

testing , network assessments , internal

2:24

audits and all of that . And

2:27

I've been working with

2:29

the company for the past now six

2:31

years . So I've kind

2:33

of been working at Rometic

2:35

since day one with Justin

2:37

the CEO , and before

2:39

that I was actually working

2:42

as an IT specialist

2:44

. I have a computer science background , so after

2:47

kind of like work through IT , eventually I got into

2:49

cybersecurity and compliance there .

2:55

Yeah , that makes sense

2:57

. So , Rometic

3:00

, I guess

3:02

that's an interesting area I've

3:04

had on a few other people

3:06

previously . It was a long time

3:08

ago that

3:10

did virtual CISO

3:12

functions , but

3:15

can we talk a little bit about that Because I haven't seen

3:17

that as being in the field . I haven't seen that

3:20

as much as

3:23

it was promoted when I was

3:25

trying to get in the field like 10 years ago at this point

3:27

, right . So it seems like that landscape

3:30

has completely changed

3:33

in the offering and

3:35

what it's like to be a virtual CISO

3:38

. Can we go over that a little

3:40

bit ?

3:41

Yeah , and I think it's really because compliance

3:44

is becoming a much bigger deal

3:46

than it used to be . Like we have

3:48

all these new data privacy frameworks

3:50

like GDPR in Europe . When it was

3:52

released a couple of years ago , it

3:54

was chaos . Everyone was just trying to figure

3:56

out , like , what to do for GDPR , what those

3:58

requirements are , because data privacy wasn't

4:01

really a thing that was legally

4:03

required before , and now

4:05

we're seeing some states

4:07

in the United States , like California , releasing

4:10

CCPA regulations . So

4:13

those are just some of the examples . There . I

4:15

think that compliance and legal

4:17

regulations around data privacy and

4:19

like customer data has

4:22

been increasing and because of

4:24

that , these organizations whether they are

4:26

small or large , they

4:28

need to become compliant with these frameworks

4:30

. I feel like back

4:32

in the day , only very large

4:34

enterprises really needed to do security

4:38

compliance , but now , even

4:40

if you have , like an employee you're a startup

4:42

, you're a very small organization you still

4:44

have to comply with these regulations , because there's

4:47

just no other way to get around that . However

4:49

, small companies don't need an

4:51

entire security team of like 10 , 15

4:54

people , and they may not even need

4:56

one person full time . So what

4:58

we're doing is we work with startups

5:01

, we work with enterprises , we work with mid-sized

5:03

businesses and we provide them

5:05

a virtual CSO and

5:07

essentially this person would be an extension

5:09

of those organizations as cybersecurity

5:12

team and , in some cases , the only

5:14

person who is really responsible for their cybersecurity

5:17

program . And we really

5:19

just do this because these businesses

5:21

may not have enough knowledge on the

5:23

compliance frameworks that they need to comply with or

5:26

simply they don't have the resources to

5:28

create and maintain a

5:30

cybersecurity team , so that's why they hire

5:32

us and outsource the service .

5:34

Hmm . So what does it take

5:37

to be a virtual CSO ? You know , do

5:39

you have to be a full time CSO

5:41

at another company to get

5:43

the experience , to be able to do it ? Is there

5:45

different specialties ? How does it

5:47

work ?

5:49

I think a compliance knowledge is absolutely

5:52

necessary , because we work a lot with

5:54

audits , we conduct

5:56

a lot of assessments based on various frameworks

5:59

. So I think having

6:01

some type of a baseline knowledge of cybersecurity

6:04

frameworks is very important , but

6:06

it is also important to be technical enough

6:08

that , when you are working on

6:10

implementing security controls based on

6:12

these cybersecurity frameworks , you

6:14

know how to implement them on the

6:17

customers , cloud hosting providers

6:19

, on their physical servers , databases

6:21

. So I think a combination of a technical

6:24

knowledge and a compliance

6:26

knowledge is necessary in order to succeed

6:28

in this role .

6:30

Hmm , yeah , that makes

6:32

sense . You know , security is such

6:34

an evolving field

6:36

that I feel

6:38

like even just analysts and engineers

6:41

have to have such a

6:43

broad range of experience now

6:45

and skill sets . That I

6:47

mean it's it's it's becoming difficult

6:50

, you know , like , even even for someone

6:52

like myself you

6:54

know I was at a place that was moving more

6:56

into containers Well

6:58

, that's , that's like an , that's

7:01

an abstraction layer on top of an extraction

7:03

, extraction layer , right , that that

7:06

makes things more difficult . It's a whole

7:08

new , you know kind of language

7:11

that you're learning of . How to , you

7:13

know , administer and maintain and manage

7:15

you know that , that whole deployment

7:17

, and you know , I'm here 10

7:20

years in the field and I'm still , I'm

7:22

still learning these different , these different

7:24

skills , right ? So how , how

7:27

do you , how do you stay on top of all

7:29

the different changes , especially in the compliance

7:32

area ? Because I mean , here in America

7:34

, right , we have , you know , 50 , 50

7:37

different states . Each state can have

7:39

its own compliance regulation that

7:41

someone would have to comply to , especially

7:44

if you're a nationwide company

7:46

, like it's extremely easy for startups

7:49

you know small startups to

7:51

become nationwide companies . You

7:53

know , overnight , to actually have customers

7:56

in these other states . How

7:59

do you stay on top of it ?

8:02

We don't expect one person

8:04

to have knowledge of all of these compliance

8:07

frameworks . I think having knowledge

8:09

on some of the more

8:11

standardized frameworks is very helpful

8:14

. For example , we work

8:16

with implementing NIST 853

8:18

controls , which is really a standard

8:21

that was released by the US government for

8:23

basic cybersecurity

8:26

controls . When we're

8:28

looking at other frameworks , they

8:31

utilize controls

8:33

from framework standards like

8:35

NIST 853 , NIST CSF 171

8:39

. I think that having

8:41

a knowledge of some of these

8:43

more generalized frameworks is very

8:45

useful so that when you're working with other

8:47

compliance standards , you're not unfamiliar

8:50

with what the requirements are . There

8:52

is a lot of overlap . One

8:54

of our most common

8:56

cybersecurity framework

8:58

that we implement is SOC2 , and then afterwards

9:01

it comes ISO 27001 . Even

9:03

these two frameworks have so

9:06

many overlapping controls that

9:08

just implementing one of them can

9:10

help implement up to about

9:12

40-50% of other frameworks

9:14

as well . Having a good

9:16

baseline is very important

9:19

because once you have a good baseline , it will be a

9:21

lot easier for you to implement other

9:23

frameworks , because there is a very likely

9:25

chance that there is already

9:27

a lot of overlapping controls that you don't have to do

9:29

additional work . In some cases we'll

9:31

implement more strict controls , like

9:33

PCI DSS compliance , or

9:35

we'll work with our customers to implement

9:37

FedRAMP , which is a government

9:40

requirement , if you're working with the US government

9:42

Implementing those security

9:44

controls . Some of those customers can easily

9:46

pass a SOC2 audit or an ISO 27001

9:49

audit without really doing any additional

9:51

work , because they're already covering

9:53

almost 100% of the controls .

9:57

Yeah , that makes sense With so many

9:59

different controls out there . Whenever

10:01

I'm asked , where do you even start , I

10:04

always recommend that we start with a least-privileged

10:06

model and that we try

10:08

to work towards the NIST recommendations

10:11

. At some point there's going

10:13

to be a good amount of overlap and

10:15

then you just start knocking out the

10:17

things that are the outliers , that aren't the

10:19

overlap of the compliance

10:22

framework that you need to meet . That's

10:26

probably the only way to do

10:29

it now , because everyone needs to

10:31

be compliant with so many different frameworks . There's

10:33

probably frameworks that you don't even know that you need to be

10:35

compliant of , that

10:38

you are not compliant with

10:40

. It's

10:43

a mess that doesn't

10:45

get . I feel like it doesn't get enough

10:47

attention on the outside of security

10:49

. What

10:52

are some good ways of

10:55

actually enforcing this compliance

10:57

within an organization ? Because

11:00

as organizations get

11:03

bigger , they have more people , their teams

11:05

grow , the applications that they're developing

11:07

and managing are increasing

11:10

it's easy

11:12

for these recommendations

11:15

and compliance requirements to get pushed

11:17

to the side . Do

11:20

you recommend that companies enforce

11:23

strong policies and

11:26

get those built out and in place and

11:28

regularly touch base with

11:30

their teams , or is there other ways

11:32

and methods of doing it that you found to be effective

11:35

?

11:36

I see compliance as a good

11:39

starting points and a good baseline for

11:41

any organization that wants to have a good cybersecurity

11:43

program . I do not see

11:45

it as the finish line . I

11:48

think that just because you are compliant

11:50

with the framework , it doesn't mean that you're

11:52

secure from cyber attacks . You don't have to do anything now . There

11:55

is still absolutely a lot more work involved

11:58

. Sometimes we need to implement

12:00

very strict security

12:02

controls for our customers that aren't required

12:04

by the compliance frameworks , just because it's

12:06

a good security practice . I

12:09

think that organizations need to

12:11

use compliance standards as a good baseline

12:13

, but they shouldn't just use

12:15

that as the only way to build

12:17

their cybersecurity programs . A good cybersecurity

12:20

program that consists of a

12:22

good compliance standard , frameworks

12:25

that you're complying with , on

12:27

top of that , good risk management

12:29

controls , a good risk assessments , internal

12:32

audits , regular gap assessments and

12:34

enforcement of those security controls

12:36

. For example , soc2

12:38

is a very weighted standard in my point

12:41

of view . You can define

12:43

the controls based on

12:45

the organization level requirements

12:48

. I can say something like I

12:50

want my password policy to be six characters

12:52

and that's it . I don't really require any

12:54

other special characters uppercase

12:56

, lowercase . I don't have to do that . As long as that's

12:59

what it says in my policy , soc2

13:01

can be like okay , you're good on this control now it

13:04

doesn't mean that you are secure . You

13:06

may need to do some additional work to

13:08

update that password policy so that you're actually

13:10

following a good , secure

13:12

password controls .

13:17

Yeah , I've also experienced

13:19

that back and forth on it

13:22

as well , where

13:26

you're pushing a compliance standard and

13:29

then the teams that are actually deploying it

13:31

and meeting the standard it's

13:34

lacking . It's

13:39

lackluster in what it provides

13:41

in terms of security . Saying

13:43

that you're compliant with SOC2 doesn't really

13:45

mean that you're going to be

13:48

able to protect yourself from a

13:50

wide variety of

13:52

cyber attacks that can happen . I

13:55

think that's also something really

13:58

important that I

14:00

guess small companies would need

14:02

to hear more than the bigger companies

14:04

. They typically have that down . They already know

14:06

that . But the smaller companies

14:09

and I think back to when I was working

14:11

for a smaller company they

14:14

were very adverse to

14:16

deploying any security . One

14:21

because of the budget . Two

14:24

because they felt that

14:26

they were meeting the bare minimum . But

14:29

we had customers that were

14:32

expecting not just the bare

14:34

minimum , they were expecting top

14:36

tier security . I was the

14:38

person that was kind

14:40

of fronting that , where I'm

14:42

the one that's dealing with all the blowback . I'm the one

14:44

that's dealing with the complaints at 2 AM because

14:47

this security thing isn't enabled and they're

14:49

missing their requirements

14:52

, maybe internally or their own compliance

14:54

requirements . It's

14:57

a difficult game to play , especially

14:59

when you're a small company , because you probably don't

15:01

have the head count

15:04

that you would need to actually

15:06

enforce some of that . Do

15:08

you also provide

15:11

engineering services around that to

15:13

be able to actually assist in

15:15

deploying some of the controls ?

15:18

Oh , absolutely . We do not

15:20

only conduct gap assessments

15:23

, internal audits and risk assessments . On top of

15:25

that , our team may

15:27

need to work with the customers

15:29

to actually implement those controls on their

15:31

hosting providers , on their technical

15:33

systems . So there's definitely some engineering

15:36

efforts involved there . In

15:39

a lot of the cases , we work with the software

15:41

engineers that work

15:43

at our customers companies

15:46

, so that also happens a lot , but

15:48

we absolutely have to provide some type of an engineering

15:50

resource in order to

15:52

fully implement those security controls .

15:56

Yeah , it has to be more of a

15:58

full suite offering to

16:01

actually have it make sense

16:03

for the smaller companies . Where

16:07

do you see this

16:10

space going

16:12

and growing over

16:14

the next five years ? Where

16:17

do you see the virtual CSO space going

16:19

? Do you think it's going to be

16:21

still evolving

16:23

and growing ? Do you think that

16:26

there will be a different way of approaching this

16:28

, or

16:30

what's your thoughts on that ?

16:33

I think it's definitely up and coming and

16:35

I think it'll be required more , because I think

16:37

the main reason why companies

16:40

need this level of service is

16:42

because of the increased amount of compliance

16:44

frameworks . Now

16:46

their customers are probably requiring them to

16:49

comply with these frameworks in order to work

16:51

with them . So , yes

16:53

, there's definitely some financial

16:55

aspects of that involved , but

16:58

in a lot of the cases , when

17:00

you become more compliant with these frameworks

17:02

, you open up the

17:04

markets to your organization more

17:06

. Like , for example , we've just talked

17:08

about FedRAM compliance . It's a one of the

17:10

government compliance frameworks

17:13

. If you want to work with a government agency and

17:15

you need to process their data have to be FedRAM

17:18

compliant . Some other government agencies

17:20

may require things like state ramp and

17:22

other frameworks . However , once

17:24

you are compliant with those frameworks

17:27

, that means now other

17:29

government agencies can also work with you

17:32

. So you're really opening yourself

17:34

up to the market more and expanding

17:36

the number of customers that you

17:38

can reach . Another example

17:41

would be HIPAA compliance . There's

17:43

a lot of healthcare organizations out there and there's

17:45

also other technical organizations like SaaS

17:48

products that offer services to

17:50

healthcare organizations Without

17:52

becoming HIPAA compliance . You

17:54

really shouldn't be working

17:57

with those healthcare organizations

17:59

because you don't have the proper security

18:02

controls to secure electronic protective

18:04

health information . But once you do become

18:06

HIPAA compliant then you are able to

18:08

actually work with those organizations and

18:11

that can bring more customers and help your

18:13

company grow faster .

18:15

Hmm , yeah

18:17

, it's

18:20

interesting balance , because

18:22

you have to be

18:25

able to open yourself up , to

18:27

be ready for different opportunities , as

18:31

well as balance

18:33

that with not

18:35

putting undue stress on

18:38

your team or on your organization in

18:41

ways that you'd fail or it takes

18:43

too long . Now the opportunity

18:45

isn't the same . How long

18:48

do you typically notice

18:51

organizations coming up to compliance ? Maybe

18:53

what's the longer compliance

18:55

standard that it takes for different companies

18:58

to come up to compliance with ? What

19:01

are some quicker ones ? The

19:03

reason why I say that is because in

19:06

security , when there's

19:08

a really large problem that you

19:10

have to solve , typically

19:13

where you start is the low hanging fruit

19:15

. What's the things that I can handle

19:18

in the next seven days that'll

19:20

make maybe 40 percent

19:22

of a difference ? Get me 40

19:24

percent of the way there . Is

19:27

there compliance standards that you recommend

19:29

like that , or is

19:31

it something else ?

19:34

I don't know if I can recommend the compliance

19:37

standard because I think it all depends

19:39

on the regulations and

19:41

really your customer network , Like

19:43

what type of customers that you have , what

19:46

laws really apply to you . I always tell my

19:48

customers like before you really start

19:50

building your cybersecurity program

19:52

, you need to look at your customer

19:54

requirements and you need to look at the

19:57

laws and regulations that apply to you so

19:59

you really understand what you need

20:01

to do in order to better service

20:03

your customers . We've had

20:05

many customers that

20:07

come to us because they needed

20:10

HIPAA compliance and these

20:12

organizations were already working

20:14

with healthcare institutions without

20:16

being HIPAA compliant . Sometimes they just don't

20:19

know that they need to become HIPAA compliant

20:21

. They just know that they need to do better in terms of security

20:23

. But understanding those laws and

20:25

regulations are very important because in some

20:27

cases they fail to comply

20:30

, they can have very negative

20:32

consequences , both

20:34

financially and legally . So

20:36

I kind of see cybersecurity as also

20:39

insurance to protect our organizations

20:41

from these types of incidents

20:43

. So you're not again just being

20:46

compliant . You can also prevent

20:48

any issues regarding compliance

20:50

happening to your company and you can also prevent

20:52

other cyber attacks because that compliance

20:55

framework is going to be a good baseline

20:57

to build a better cybersecurity program

20:59

.

21:01

Yeah , from what I understand , I

21:03

guess the cybersecurity

21:06

insurance premiums almost across

21:08

the board doubled

21:10

or tripled overnight this

21:12

year and

21:18

that's a crazy

21:20

amount of money that you're already paying

21:22

for this insurance for it to double

21:25

or triple overnight when

21:28

it's the exact same posture

21:30

. Companies don't change their security postures

21:33

overnight . It

21:35

happens over a couple of years of working

21:37

on it and it's

21:40

just crazy . I've heard

21:42

companies actually getting

21:45

rid of the cyber insurance and almost

21:47

underwriting it themselves and

21:50

having an underwriting department

21:52

actually do

21:54

that for them , which is

21:57

something interesting , and I feel like

21:59

that feel in that area is

22:02

still evolving because the

22:04

premiums got so high that companies are

22:06

like , okay , it's just cheaper to form our own

22:08

department and underwrite this thing .

22:11

Well , I think there are two things

22:13

that are driving that price increase

22:16

. When it comes to cyber insurance , everyone

22:18

has remote work . Ever since COVID

22:20

started , people have been remote

22:22

. Even the organizations like that require

22:24

employees to come in person

22:27

. They're only doing that one or twice a week

22:29

, so it's becoming very

22:31

fair . I

22:33

live in New York City . I don't see people go to the office

22:35

anymore . I travel to San Francisco

22:38

a lot and downtown is like a ghost town . People

22:40

are just not there . Everyone is remote , and

22:42

I think that is already introducing

22:44

a lot of cybersecurity

22:48

threats to these organizations

22:50

because now their employees , the

22:53

laptops and other systems

22:55

that they're accessing they're being accessed

22:57

from all around the world . So

23:00

I think that's definitely increasing

23:02

the threat levels out there , and I think

23:05

that's one reason why these cyber security insurance

23:07

companies are probably increasing their

23:09

premiums . But the other thing is we

23:11

now have artificial intelligence . That's

23:14

becoming more and more common , not

23:16

just in chat , gpt and other generative

23:19

AI tools , but now AI

23:21

can be also used as

23:23

a cybersecurity threat . It can

23:25

be used for cyber attacks , and

23:28

this is going to become probably

23:30

just worse and worse . That

23:32

just probably means that we need also our own

23:34

AI that protects us from

23:36

these type of cyber attacks rather

23:39

than just attacking . I always see

23:41

the positives and negatives of artificial intelligence

23:43

, but I think that because

23:45

these things are happening more , we're seeing more

23:47

data breaches , like that recent Samsung

23:49

data breach that was caused by , I think

23:52

, one of their employees like using chat GPT

23:54

. So there's just a lot

23:56

of cyber threats out there

23:58

and I think because of these two

24:00

things the

24:02

cybersecurity insurance premiums they're probably

24:05

going to increase more , but it's really increasing

24:07

because the risk level

24:09

is higher than any

24:12

other time . Now Any

24:14

company can have cybersecurity incidents and

24:17

we do training on this . We

24:19

try to catch up to all of

24:21

the vulnerabilities out there

24:23

, remediate them and also implement security

24:25

controls to really protect our customers

24:27

from these emerging cyber

24:30

threats . But I feel like from

24:32

now on it's just going to get worse unless we

24:35

do a better job of protecting

24:37

ourselves .

24:39

Yeah , that's a really good point with the

24:41

rise of AI and I

24:43

didn't even think about it like that was

24:45

. With the

24:49

rise of AI and how quickly

24:51

it's evolving , I guess insurance

24:53

companies would be seeing that and they're getting

24:56

extremely worried because

24:58

it's an unknown risk and

25:00

I think that's a great thing . With AI , of all things , it's a completely

25:02

unknown risk that

25:04

can really cause some

25:07

great damage to an organization if it's

25:09

used in the wrong

25:11

slash right ways . So

25:15

that is a great point , quite interesting

25:17

. And then the working remote part

25:20

. I didn't even realize that that would increase

25:23

insurance premiums . Maybe that's why

25:26

some of these companies are pushing

25:28

so hard for workers

25:30

back in the office . Recently

25:34

, amazon came out and said that they're going

25:37

three days in the office , two days

25:39

from home , and then

25:41

it was also released

25:44

in an internal memo

25:47

that they said that

25:49

it would take five years to

25:51

get fully back into the office . So

25:54

it seems like they're not stopping at

25:56

the three . Three is just a starting

25:59

point and whatnot , which

26:01

adds complexity , right

26:04

, because now I think as

26:06

a worker , as an individual contributor

26:08

, it's coming to my mind

26:10

, right . It's like well , what did you do during COVID

26:13

? You were remote , so what's the problem with me

26:15

being a remote now , but looking

26:18

at it from an insurance premium perspective

26:20

, there is a risk

26:22

to that if you don't have the proper security

26:24

stack in place and a lot of companies

26:27

don't want to rip out their

26:29

existing security stack and augment

26:31

it with some new technology . That's

26:33

typically very scary for older

26:35

companies , that's for sure .

26:38

Yeah , I've been seeing a lot of these insurance

26:40

companies also send out additional security questionnaires

26:42

to companies now and

26:45

they're basically asking them about their security

26:47

posture . Some of them want to conduct

26:49

an audit for those companies

26:51

to verify that they actually have those security controls

26:53

in place . And I

26:55

don't know if AI

26:58

and remote work force

27:00

they're definitely indirectly

27:03

impacting this , because they're one

27:05

of the reasons why there is more security

27:07

incidents and data breaches out there now

27:11

?

27:12

Yeah , that makes sense . Well

27:14

, Metin , I think we're

27:17

coming to the end of our time here . Before

27:20

I let you go , how about you tell my audience

27:24

where they could find you if they want to reach out

27:26

and where they could find Rometic

27:28

if they want to learn

27:30

more about what you guys are offering and potentially

27:33

reach out to get more information ?

27:35

Yeah , absolutely . You can always

27:37

send out a contact us

27:39

form through our websites , which is Rometiccom

27:42

, r-h-y-m-e-t-e-ccom

27:45

. And yeah , one

27:47

of our sales people will be approaching us

27:49

from there , and thank you so much for having me , joe

27:51

.

27:52

Yeah , absolutely Well . Thanks , and

27:55

I hope everyone listening enjoyed this episode

27:57

. Thanks everyone .