Episode Transcript
0:53
I was going to, Metin. It's really good to finally have you on the podcast. I think we've been trying to get this thing scheduled for like almost the entire year at this point. I've been since.

1:04
February.

1:05
Yeah, yeah, it's been a while. It's been a crazy year for me overall. You know, like had my first kid and she came a little bit early and it was just, it's like one life change after another. You know.

1:21
Yeah, well, it's good to finally see him.

1:24
Yeah, absolutely so. You know, Metin, I always start everyone off with telling their background, right, how they got into IT or cybersecurity, and I feel like it gives my audience a really good picture of, you know, not just your background, but that anyone can come into this thing from any background and, you know, really thrive in IT, and so I think it's always beneficial to hear everyone's, you know, different backgrounds, because I haven't heard the same background twice actually on this podcast.

2:04
Yeah, absolutely. I'll start off with a quick introduction here. My name is Metin. I'm currently the CTO at Rhymetec. Rhymetec is a cybersecurity solutions company. We provide virtual CISO services and on top of that we also provide other cybersecurity services like penetration testing, network assessments, internal audits and all of that. And I've been working with the company for the past now six years. So I've kind of been working at Rhymetec since day one with Justin, the CEO, and before that I was actually working as an IT specialist. I have a computer science background, so after kind of like working through IT, eventually I got into cybersecurity and compliance there.

2:55
Yeah, that makes sense. So, Rhymetec, I guess that's an interesting area. I've had on a few other people previously, it was a long time ago, that did virtual CISO functions, but can we talk a little bit about that? Because I haven't seen that as being in the field. I haven't seen that as much as it was promoted when I was trying to get in the field like 10 years ago at this point, right. So it seems like that landscape has completely changed in the offering and what it's like to be a virtual CISO. Can we go over that a little bit?

3:41
Yeah, and I think it's really because compliance is becoming a much bigger deal than it used to be. Like we have all these new data privacy frameworks like GDPR in Europe. When it was released a couple of years ago, it was chaos. Everyone was just trying to figure out, like, what to do for GDPR, what those requirements are, because data privacy wasn't really a thing that was legally required before, and now we're seeing some states in the United States, like California, releasing CCPA regulations. So those are just some of the examples there. I think that compliance and legal regulations around data privacy and like customer data have been increasing and because of that, these organizations, whether they are small or large, they need to become compliant with these frameworks. I feel like back in the day, only very large enterprises really needed to do security compliance, but now, even if you have, like, an employee, you're a startup, you're a very small organization, you still have to comply with these regulations, because there's just no other way to get around that. However, small companies don't need an entire security team of like 10, 15 people, and they may not even need one person full time. So what we're doing is we work with startups, we work with enterprises, we work with mid-sized businesses and we provide them a virtual CISO, and essentially this person would be an extension of those organizations as cybersecurity team and, in some cases, the only person who is really responsible for their cybersecurity program. And we really just do this because these businesses may not have enough knowledge on the compliance frameworks that they need to comply with, or simply they don't have the resources to create and maintain a cybersecurity team, so that's why they hire us and outsource the service.

5:34
Hmm. So what does it take to be a virtual CISO? You know, do you have to be a full time CISO at another company to get the experience, to be able to do it? Is there different specialties? How does it work?

5:49
I think compliance knowledge is absolutely necessary, because we work a lot with audits, we conduct a lot of assessments based on various frameworks. So I think having some type of a baseline knowledge of cybersecurity frameworks is very important, but it is also important to be technical enough that, when you are working on implementing security controls based on these cybersecurity frameworks, you know how to implement them on the customers' cloud hosting providers, on their physical servers, databases. So I think a combination of technical knowledge and compliance knowledge is necessary in order to succeed in this role.

6:30
Hmm, yeah, that makes sense. You know, security is such an evolving field that I feel like even just analysts and engineers have to have such a broad range of experience now and skill sets. I mean it's becoming difficult, you know, like, even for someone like myself. You know, I was at a place that was moving more into containers. Well, that's like an abstraction layer on top of an abstraction layer, right, that makes things more difficult. It's a whole new, you know, kind of language that you're learning of how to, you know, administer and maintain and manage, you know, that whole deployment, and you know, I'm here 10 years in the field and I'm still learning these different skills, right? So how do you stay on top of all the different changes, especially in the compliance area? Because I mean, here in America, right, we have, you know, 50 different states. Each state can have its own compliance regulation that someone would have to comply to, especially if you're a nationwide company. Like it's extremely easy for startups, you know, small startups, to become nationwide companies, you know, overnight, to actually have customers in these other states. How do you stay on top of it?

8:02
We don't expect one person to have knowledge of all of these compliance frameworks. I think having knowledge on some of the more standardized frameworks is very helpful. For example, we work with implementing NIST 800-53 controls, which is really a standard that was released by the US government for basic cybersecurity controls. When we're looking at other frameworks, they utilize controls from framework standards like NIST 800-53, NIST CSF, 800-171. I think that having knowledge of some of these more generalized frameworks is very useful so that when you're working with other compliance standards, you're not unfamiliar with what the requirements are. There is a lot of overlap. One of the most common cybersecurity frameworks that we implement is SOC2, and then afterwards comes ISO 27001. Even these two frameworks have so many overlapping controls that just implementing one of them can help implement up to about 40-50% of other frameworks as well. Having a good baseline is very important because once you have a good baseline, it will be a lot easier for you to implement other frameworks, because there is a very likely chance that there are already a lot of overlapping controls that you don't have to do additional work for. In some cases we'll implement more strict controls, like PCI DSS compliance, or we'll work with our customers to implement FedRAMP, which is a government requirement if you're working with the US government. Implementing those security controls, some of those customers can easily pass a SOC2 audit or an ISO 27001 audit without really doing any additional work, because they're already covering almost 100% of the controls.

9:57
Yeah, that makes sense. With so many different controls out there, whenever I'm asked, where do you even start, I always recommend that we start with a least-privilege model and that we try to work towards the NIST recommendations. At some point there's going to be a good amount of overlap and then you just start knocking out the things that are the outliers, that aren't the overlap of the compliance framework that you need to meet. That's probably the only way to do it now, because everyone needs to be compliant with so many different frameworks. There's probably frameworks that you don't even know that you need to be compliant with, that you are not compliant with. It's a mess that doesn't get, I feel like it doesn't get enough attention on the outside of security. What are some good ways of actually enforcing this compliance within an organization? Because as organizations get bigger, they have more people, their teams grow, the applications that they're developing and managing are increasing, it's easy for these recommendations and compliance requirements to get pushed to the side. Do you recommend that companies enforce strong policies and get those built out and in place and regularly touch base with their teams, or is there other ways and methods of doing it that you found to be effective?

11:36
I see compliance as a good starting point and a good baseline for any organization that wants to have a good cybersecurity program. I do not see it as the finish line. I think that just because you are compliant with the framework, it doesn't mean that you're secure from cyber attacks and you don't have to do anything now. There is still absolutely a lot more work involved. Sometimes we need to implement very strict security controls for our customers that aren't required by the compliance frameworks, just because it's a good security practice. I think that organizations need to use compliance standards as a good baseline, but they shouldn't just use that as the only way to build their cybersecurity programs. A good cybersecurity program consists of a good compliance standard, frameworks that you're complying with, on top of that, good risk management controls, good risk assessments, internal audits, regular gap assessments and enforcement of those security controls. For example, SOC2 is a very weighted standard in my point of view. You can define the controls based on the organization level requirements. I can say something like I want my password policy to be six characters and that's it. I don't really require any other special characters, uppercase, lowercase. I don't have to do that. As long as that's what it says in my policy, SOC2 can be like okay, you're good on this control. Now it doesn't mean that you are secure. You may need to do some additional work to update that password policy so that you're actually following good, secure password controls.

13:17
Yeah, I've also experienced that back and forth on it as well, where you're pushing a compliance standard and then the teams that are actually deploying it and meeting the standard, it's lacking. It's lackluster in what it provides in terms of security. Saying that you're compliant with SOC2 doesn't really mean that you're going to be able to protect yourself from a wide variety of cyber attacks that can happen. I think that's also something really important that I guess small companies would need to hear more than the bigger companies. They typically have that down. They already know that. But the smaller companies, and I think back to when I was working for a smaller company, they were very averse to deploying any security. One, because of the budget. Two, because they felt that they were meeting the bare minimum. But we had customers that were expecting not just the bare minimum, they were expecting top tier security. I was the person that was kind of fronting that, where I'm the one that's dealing with all the blowback. I'm the one that's dealing with the complaints at 2 AM because this security thing isn't enabled and they're missing their requirements, maybe internally or their own compliance requirements. It's a difficult game to play, especially when you're a small company, because you probably don't have the head count that you would need to actually enforce some of that. Do you also provide engineering services around that to be able to actually assist in deploying some of the controls?

15:18
Oh, absolutely. We do not only conduct gap assessments, internal audits and risk assessments. On top of that, our team may need to work with the customers to actually implement those controls on their hosting providers, on their technical systems. So there's definitely some engineering effort involved there. In a lot of the cases, we work with the software engineers that work at our customers' companies, so that also happens a lot, but we absolutely have to provide some type of an engineering resource in order to fully implement those security controls.

15:56
Yeah, it has to be more of a full suite offering to actually have it make sense for the smaller companies. Where do you see this space going and growing over the next five years? Where do you see the virtual CISO space going? Do you think it's going to be still evolving and growing? Do you think that there will be a different way of approaching this, or what's your thoughts on that?

16:33
I think it's definitely up and coming and I think it'll be required more, because I think the main reason why companies need this level of service is because of the increased amount of compliance frameworks. Now their customers are probably requiring them to comply with these frameworks in order to work with them. So, yes, there's definitely some financial aspects of that involved, but in a lot of the cases, when you become more compliant with these frameworks, you open up the markets to your organization more. Like, for example, we've just talked about FedRAMP compliance. It's one of the government compliance frameworks. If you want to work with a government agency and you need to process their data, you have to be FedRAMP compliant. Some other government agencies may require things like StateRAMP and other frameworks. However, once you are compliant with those frameworks, that means now other government agencies can also work with you. So you're really opening yourself up to the market more and expanding the number of customers that you can reach. Another example would be HIPAA compliance. There's a lot of healthcare organizations out there and there's also other technical organizations like SaaS products that offer services to healthcare organizations. Without becoming HIPAA compliant, you really shouldn't be working with those healthcare organizations because you don't have the proper security controls to secure electronic protected health information. But once you do become HIPAA compliant then you are able to actually work with those organizations and that can bring more customers and help your company grow faster.

18:15
Hmm, yeah, it's an interesting balance, because you have to be able to open yourself up, to be ready for different opportunities, as well as balance that with not putting undue stress on your team or on your organization in ways that you'd fail or it takes too long. Now the opportunity isn't the same. How long do you typically notice organizations coming up to compliance? Maybe what's the longer compliance standard that it takes for different companies to come up to compliance with? What are some quicker ones? The reason why I say that is because in security, when there's a really large problem that you have to solve, typically where you start is the low hanging fruit. What's the things that I can handle in the next seven days that'll make maybe 40 percent of a difference? Get me 40 percent of the way there. Is there compliance standards that you recommend like that, or is it something else?

19:34
I don't know if I can recommend a compliance standard because I think it all depends on the regulations and really your customer network, like what type of customers that you have, what laws really apply to you. I always tell my customers, like, before you really start building your cybersecurity program, you need to look at your customer requirements and you need to look at the laws and regulations that apply to you so you really understand what you need to do in order to better service your customers. We've had many customers that come to us because they needed HIPAA compliance and these organizations were already working with healthcare institutions without being HIPAA compliant. Sometimes they just don't know that they need to become HIPAA compliant. They just know that they need to do better in terms of security. But understanding those laws and regulations is very important because in some cases, if they fail to comply, they can have very negative consequences, both financially and legally. So I kind of see cybersecurity as also insurance to protect our organizations from these types of incidents. So you're not again just being compliant. You can also prevent any issues regarding compliance happening to your company and you can also prevent other cyber attacks because that compliance framework is going to be a good baseline to build a better cybersecurity program.

21:01
Yeah, from what I understand, I guess the cybersecurity insurance premiums almost across the board doubled or tripled overnight this year, and that's a crazy amount of money that you're already paying for this insurance for it to double or triple overnight when it's the exact same posture. Companies don't change their security postures overnight. It happens over a couple of years of working on it and it's just crazy. I've heard companies actually getting rid of the cyber insurance and almost underwriting it themselves and having an underwriting department actually do that for them, which is something interesting, and I feel like that field, in that area, is still evolving because the premiums got so high that companies are like, okay, it's just cheaper to form our own department and underwrite this thing.

22:11
Well, I think there are two things that are driving that price increase. When it comes to cyber insurance, everyone has remote work. Ever since COVID started, people have been remote. Even the organizations that require employees to come in person, they're only doing that once or twice a week, so it's becoming very rare. I live in New York City. I don't see people go to the office anymore. I travel to San Francisco a lot and downtown is like a ghost town. People are just not there. Everyone is remote, and I think that is already introducing a lot of cybersecurity threats to these organizations because now their employees, the laptops and other systems that they're accessing, they're being accessed from all around the world. So I think that's definitely increasing the threat levels out there, and I think that's one reason why these cyber security insurance companies are probably increasing their premiums. But the other thing is we now have artificial intelligence. That's becoming more and more common, not just in ChatGPT and other generative AI tools, but now AI can be also used as a cybersecurity threat. It can be used for cyber attacks, and this is going to become probably just worse and worse. That just probably means that we need also our own AI that protects us from these types of cyber attacks rather than just attacking. I always see the positives and negatives of artificial intelligence, but I think that because these things are happening more, we're seeing more data breaches, like that recent Samsung data breach that was caused by, I think, one of their employees like using ChatGPT. So there's just a lot of cyber threats out there and I think because of these two things the cybersecurity insurance premiums, they're probably going to increase more, but it's really increasing because the risk level is higher than any other time now. Any company can have cybersecurity incidents and we do training on this. We try to catch up to all of the vulnerabilities out there, remediate them and also implement security controls to really protect our customers from these emerging cyber threats. But I feel like from now on it's just going to get worse unless we do a better job of protecting ourselves.

24:39
Yeah, that's a really good point with the rise of AI and I didn't even think about it like that. With the rise of AI and how quickly it's evolving, I guess insurance companies would be seeing that and they're getting extremely worried because it's an unknown risk, and I think that's a great thing. With AI, of all things, it's a completely unknown risk that can really cause some great damage to an organization if it's used in the wrong slash right ways. So that is a great point, quite interesting. And then the working remote part. I didn't even realize that that would increase insurance premiums. Maybe that's why some of these companies are pushing so hard for workers back in the office. Recently, Amazon came out and said that they're going three days in the office, two days from home, and then it was also released in an internal memo that they said that it would take five years to get fully back into the office. So it seems like they're not stopping at the three. Three is just a starting point and whatnot, which adds complexity, right, because now I think as a worker, as an individual contributor, it's coming to my mind, right. It's like well, what did you do during COVID? You were remote, so what's the problem with me being remote now? But looking at it from an insurance premium perspective, there is a risk to that if you don't have the proper security stack in place, and a lot of companies don't want to rip out their existing security stack and augment it with some new technology. That's typically very scary for older companies, that's for sure.

26:38
Yeah, I've been seeing a lot of these insurance companies also send out additional security questionnaires to companies now and they're basically asking them about their security posture. Some of them want to conduct an audit for those companies to verify that they actually have those security controls in place. And I don't know if AI and remote workforce, they're definitely indirectly impacting this, because they're one of the reasons why there is more security incidents and data breaches out there now?

27:12
Yeah, that makes sense. Well, Metin, I think we're coming to the end of our time here. Before I let you go, how about you tell my audience where they could find you if they want to reach out and where they could find Rhymetec if they want to learn more about what you guys are offering and potentially reach out to get more information?

27:35
Yeah, absolutely. You can always send out a contact us form through our website, which is Rhymetec.com, r-h-y-m-e-t-e-c.com. And yeah, one of our sales people will be approaching us from there, and thank you so much for having me, Joe.

27:52
Yeah, absolutely. Well, thanks, and I hope everyone listening enjoyed this episode. Thanks everyone.