Vancord CyberSound Podcast
Episode
123

Streamlining Cybersecurity Compliance with ControlMap

Compliance challenges are growing, but automation and AI can help. In this episode, Dan Fox, Co-Founder of ControlMap, joins Jason Pufahl, Steve Maresca, and Michael Grande to discuss how businesses can simplify compliance with SOC 2, ISO 27001, NIST CSF, CMMC, and 60+ frameworks. They explore how AI-driven insights reduce audit fatigue, improve risk management, and streamline cybersecurity processes.

Tune in to learn how organizations can leverage automation, risk assessments, and cybersecurity best practices to stay compliant and reduce risk.


Episode Transcript

Speaker 1  00:02

This is CyberSound, your simplified and fundamentals focused source for all things cybersecurity.

 

Jason Pufahl  00:11

Welcome to CyberSound. I’m your host, Jason Pufahl, joined, and I say this because all of a sudden we’re trying some different software. So I’m joined fully virtually today by Michael Grande and Steve Maresca, and we’re always in studio, so there’s gonna be a different dynamic.

 

Steven Maresca  00:27

Hey there.

 

Jason Pufahl  00:28

I like saying studio, because it sounds so official, and all of a sudden we’re home, and we’re giving it a shot this way. So we’ve asked Dan Fox, the Co-Founder of ControlMap, to join us today. Dan, it’s a pleasure. Thanks for, thanks for coming in.

 

Dan Fox  00:44

Hey, thanks for having me!

 

Jason Pufahl  00:46

So, Vancord has been using ControlMap now for, I want to say, 18 months-ish, and in that time frame, you know, we had the honor of being one of the three ControlMap partner-of-the-year finalists. We ultimately did not win official partner of the year. But, you know, I don’t know all the criteria. I think if we knew it ahead of time, maybe we could have pushed harder, but, you know, we’ve really come to a place where we rely on the platform, in particular, I think, you know, Steve, for the delivery of what you do on a, you know, really on a day-to-day basis, which is sort of monitoring and managing, you know, security posture and sort of regulatory compliance for clients, among a variety of other things. So Dan, knowing, you know, kind of knowing how much we use it, but maybe not everybody that’s on the podcast is familiar with it, you know, let’s spend a few minutes on, you know, what is ControlMap? What’s your positioning, kind of, in the industry, you know, in comparison to some of the other, you know, sort of GRC tools that are out there?

 

Dan Fox  01:55

Yeah, it’s a little bit of a specialized GRC tool, really. We were built to help you through your compliance journey. We started off with SOC 2 and ISO 27001 and focused on those around 2020, which is when we got off the ground, and expanded to now 60 different frameworks. So we are very framework-focused, I would say. But we also have become, over the last couple of years, focused on working through partners and making sure that we can deliver what you need for your customers. So we’ve ended up going down a couple of different journeys that way. What used to be, hey, let’s just work on collecting evidence and automating that the best we can for a third-party audit, has now moved into: sometimes you’re going to be using an assessment. Sometimes you’re just looking to present up the risks to your customers. Sometimes you’re just looking to create a holistic plan and not go through a third-party audit, and other times you are trying to go through a third-party audit. So there’s these different use cases that we’ve started building toward, if you will, over the last couple of years, that started with this one journey. And then, you know, it has been guided by all of your customers, actually, in a way.

 

Steven Maresca  03:10

And I think it’s fair to say we have customers in each of those example cases that you just went through. Some just want to self-assess. Others are very actively pursuing their own SOC 2 or ISO 27001, formalized, very business-focused, revenue-generating, customer-reassuring outcomes. So we enjoy working with all the various corners of the platform. I think our customers do too.

 

Dan Fox  03:39

I think we’re still quite early in this journey as well. I mean, when you look at where we are in time, all of us here, we work on it every day. We feel like we’ve probably been in the trenches for a long time. But when you pull back and you look at the timeline here, you know, really a lot of these security conferences, these security frameworks, have just launched in the last five years, some of them in the last three years. And so we’re very early on in trying to tackle the risks that have come up from living in a digital age over this last decade. And everything’s kind of a, you know, slow response, if you will, over the years. And so I feel like we’re just kind of coming into a new space where we’re all starting to understand it. We’re all speaking the same language and trying to get behind basically reducing risk for organizations using best practices like frameworks.

 

Jason Pufahl  04:34

So you actually teed up my question, which is nice. Give me a sense, how many frameworks do you support? And part of that, because a bunch of them are new, one of the capabilities that you bring to the table is the ability to, you’re mapping all these frameworks in the back end, and when a customer, or when somebody needs to adhere to a new framework or standard, a lot of the pre-existing answers to questions they’ve done import to those new frameworks, and can save a bunch of time in terms of adopting something that all of a sudden they feel like they have to be compliant with. So I don’t remember the number, but you must have 30 or 40 different standards and frameworks, at least, in the platform today.

 

Dan Fox  05:17

Yeah, there’s over 40 different unique ones. We have over 60 total. But some of those are different flavors, if you will, like NIST, for instance, NIST CSF 1.1 and 2.0, we support both of those. So in that sense, there is a little bit of duplication. But that’s because when you move from one to another, there’s actually kind of a time lapse. You can continue today, actually, to use NIST CSF 1.1, and it won’t phase out for a couple more years. But, yeah, it’s grown to over 60, and I don’t think we’re anywhere near done. I think over the coming years, it’s probably going to approach 100, because each one focuses on its specific industry, and each one focuses on a specific region. You know, think of the different laws. Think of different countries. And so there’s a lot out there. It’s a global response. This isn’t localized to just the US. This has been a global response effort to reduce risk. The estimate is like it’s a 10 trillion problem that we’re tackling with cybersecurity risk globally. To give you a, you know, put that in perspective, the GDP of Germany is four and a half trillion. We’re talking two Germanys. We’re talking two Japans. I mean, it’s a lot.

 

Jason Pufahl  06:33

So you’ve got privacy frameworks in there. You’ve got, so do your more traditional security frameworks. I don’t know the answer to this. We didn’t discuss it ahead of time. I’m curious, is there a framework or two that you see as just most commonly used across all industries, or anything that really bubbles up to the top?

 

Dan Fox  06:54

Yeah, in our world, that would be CIS and NIST CSF are the two generalist frameworks, I would say, and then you get into the industry-specific ones from there. So if you’re working with anybody with public funding right now, so we see a good example, airports, water authorities, power companies, anybody with public funding will come through into CSF. Anybody outside of that public funding arena would go through CIS as a generalist framework. Those are being recognized by cyber insurance to provide discounts, or just actually, you know, basically, be able to ensure that you’re meeting their standards. And from there, you get into kind of the specialist ones, which I think you work on too, right? CMMC has really been a huge uplift, a little bit shaken with the Trump administration coming in, but, you know, we’ll see how that plays out this year. That one could be an interesting time.

 

Jason Pufahl  07:55

Heaven forbid, though CMMC doesn’t have some sort of question marks associated with it at all times, right?

 

Dan Fox  08:02

Right.

 

Steven Maresca  08:03

For way too long,

 

Jason Pufahl  08:05

And we thought we were done with that, but I guess not.

 

Michael Grande  08:07

Dan, are there sort of use cases, or, you know, where ControlMap can be used outside of direct compliance activities?

 

Dan Fox  08:14

Yeah, absolutely. So, I mean, overall, just reducing risk and basically following best practices. We do like to focus on a framework. The reason why is because you reduce the risk from following your own best practice, your own good ideas, if you will, like, hey, we’ve got a great idea, we’ve got a custom framework that we want to use. When you use a framework that’s established, you’ve shifted the risk off your shoulders to this best practice, and that’s seen also from liability inbound if a breach occurs. Now, the whole point of this is to reduce the risk of breach, but if, let’s say, a breach does occur, you can say, look, I followed all these best practices, here’s all the work we did. That actually does reduce the remediation risk and litigation risk for yourself and your customers on that breach. So that’s why we think working with a framework is always a good idea, and that is outside of the world of compliance. That is just a good idea. Those are just best practices, right?

 

Speaker 2  08:14

In this regard, we have multiple customers that we’re working with, or they are working independently, using your risk register capabilities, and just from generalized risk management as a discipline, it’s extremely helpful to help frame those conversations. Risk management is one of those things that requires translating something from subject matter experts to departments that don’t really understand they’re calling the shots in terms of business risk acceptance. So structurally, even if we’re not talking about compliance, it’s a big, big help, an aid in that realm, without a doubt.

 

Dan Fox  09:53

Yeah, that’s a really good point. Have you had a challenge, Steve, Michael or Jason? Have you had a challenge of translating that for customers, or would they prefer to just not know? They think, okay, if I just don’t know, my risk is reduced. Or,

 

Steven Maresca  10:08

I think it’s incumbent on us to say, you know, head in the sand is not a sound approach to risk management. No, we haven’t had a major challenge there. I think especially in the risk register elements, they’re very common-sense-type, business-, revenue-focused, health-, safety-focused framing in terms of, you know, impact analysis that is extraordinarily helpful. It makes it far more tangible compared to some of the more esoteric language attached to, you know, framework controls. Those require more translation, but in risks in particular, no, it’s much more in reach for many folks.

 

Dan Fox  10:51

That is good to hear. I do think the education has gone up over the last few years, partially because of breach news. I mean, we’re seeing big breaches every month, something that people are talking about. I think breach of the year last year was maybe UnitedHealth, maybe, I don’t know, arguable, there were a few. The automotive industry was hit by the auto dealership, I can’t think of the name of that company, that basically was the supply chain of the entire automotive industry for managing inventory of all parts and inventory of all cars. And then they had a breach, and it kind of impacted that whole industry for over the whole summer, actually. So, yeah, I mean, those do tend to educate folks, because they make the headlines, not just in our tech world, but in the Wall Street Journal world. And it kind of can translate for the executives that are trying to make these decisions out there.

 

Jason Pufahl  11:50

Yeah. I mean, I do think that we’ve seen sort of a maturation from clients where they understand that it’s worth tracking, risk tracking, at least their security strategy against a framework, you know, even if they’re not, you know, maybe mandated or compelled to do that. You know, there is a why behind it. You know, some clients feel like, I’ll get a break on cyber liability insurance if I could at least demonstrate I’m doing the right things. And, you know, that’s a positive. But certainly most, I would say, indeed, you know, Steve, keep me honest here, but most are probably looking at it because, you know, they have to, you know, CMMC is driving them towards it, maybe, or maybe they’ve got some clients that are asking them questions and they want to adhere to, like, a, you know, a framework, like SOC 2 or something.

 

Steven Maresca  12:35

Yeah, that aspect in particular is a big driver, even if the, you know, organization’s not compelled in some sort of regulatory sense, simply business drivers. How can we enter into markets that are more highly regulated? How can we reassure third parties that we’re doing the right thing? Those are all intrinsically beneficial to, you know, putting on a good face, demonstrating competence. And there are absolutely components in ControlMap that assist that, and Dan, please elaborate, but I’m thinking of the trust elements.

 

Dan Fox  13:12

Yeah, yeah, absolutely. I mean, that is the goal, is to take these, you know, 100 or so best practices that each of these frameworks touch, and they touch everything. They don’t just touch technology, right? They touch technology. They touch people. They touch governance. And then basically put it into something that’s easy to manage and consumable. Integrations are one piece where we can look across, hooking into, let’s say, Azure or AWS, and look across all the assets, and you have hundreds of assets, and how am I supposed to manage all this and know, you know, do I have my root account locked down? Do I have my encryption enabled? Like, when you can just hook in and you have an API that tells you, there you go. That just saves a lot of time. That’s the goal we’re building for and what we’ve been designed for for years and continue to build on. So, yeah, that’s what we want to do, is make this easier for everybody to reach these best practices and stay secure, which is, ultimately, the end goal. But you’re right. There’s still the business drivers there to meet these objectives. That’s what’s really pushing people toward it in the first place. That hasn’t really changed in the last several years.

 

Michael Grande  14:29

So, Dan, you touched on early on, you know, maybe a little bit of uncertainty with, well, we talked CMMC at that time, with the new administration, but maybe sort of more holistically, GRC as a whole, you know, looking forward, looking down the road. Do you see any monumental changes coming? Do you see more refinement? And then, you know, one of the hottest topics, it’s constant, it seems ubiquitous, right, is AI and integration into all things. You know, maybe if you wanted to share your thoughts on that and how it relates to everything?

 

Dan Fox  15:03

Yeah, absolutely. I think AI is a game changer for all industries, and it’s a game changer also for security. Cisco was already talking about AI-based patching that they released in about, I think, Q3, and they’re just kind of refining that. That’s a really cool concept, where it’s looking across now all of your, you know, all of your actual vulnerabilities, and then trying to automate the patching on that. So you’ll see that in the coming year, same with GRC. So what we’re looking at is using AI to connect the dots between the tech that you’re using, the risks that are out there, and actually giving you a clearer picture and mapping that into these best practices. So it’s kind of a three-step process there. All three of these need to connect. We’ve done that through some manual mappings, and we have nice frameworks like SCF that sort of connect the dots across thousands of these things, that helps us, but there’s enough data there that AI sitting on top of that can provide a lot of value and insights and guidance and ideally save, you know, time for Vancord, save time for your clients, and be able to get to that executive summary faster, like, here is the real, you know, the real kind of gold here, in all the dirt. Like, what do we really need to focus on? Because we only have so much bandwidth. We can’t tackle it all, all the time. So that’s, I think, where AI is going to be enormous for us. And we’re building toward that right now, we’ve got great foundations for it, and are layering that in. So you’ll see that coming out in the coming quarters, which is exciting.

 

Jason Pufahl  16:48

I’m surprised you want to put effort into streamlining answering all those questions. I find everybody loves to spend multiple hours answering question after question. So that’s gonna be a real loss for us.

 

Dan Fox  17:00

Yeah, I’m sure everyone would be upset about that. They would.

 

Jason Pufahl  17:03

I mean, 100, 110 from CMMC, you know, you do that in one session, and that’s a fun day.

 

Dan Fox  17:10

Well, you still need to, I mean, AI is not going to take that 100% off the table. You still do need to assess yourself. Doing that does become like the foundation that you need to have. You have to have somewhere to level set, otherwise, you know, you’re just taking it from thin air.

 

Jason Pufahl  17:31

Yeah, it’s chaos, right? Yeah. So here we keep talking ControlMap. You’re on video here. You’ve got your ScalePad shirt on, so ControlMap was acquired by ScalePad. We use ScalePad products as well as ControlMap. What, I guess, what integration can we look forward to over the next year, for example? And in what ways do you see that benefiting those customers like us that have multiple products of yours?

 

Dan Fox  18:04

Yeah. So one of the key reasons we joined into the ScalePad umbrella was because ScalePad hooks into just about all the tools that are used in the MSP and the tech community, primarily the RMMs, the PSAs, remote management and monitoring, which is the tools that are remotely managing endpoints and servers and systems. They have the APIs hooked into 50 different systems. So we’re able to use that almost like an API aggregator. We did build into that last year, and so that you’re already able to use today, which is awesome. The next level is being able to then talk with that data back and forth. So take something like a risk and say, okay, I want to put it into my business plan and say, these are the five things I want to focus on next year or next quarter. Make it part of your QBR, your quarterly business review, and say, here’s the basic cost, here’s what we think we should be doing, here’s the menu of the other items we could do, but here’s why this is number one and number two and number three, and this is what we want to present to you, you know, customer, to work on next quarter. And that’s the next piece that we’re getting into. And then we are also opening up our API for other folks to talk into us. So we have a recent, yeah, like insurance underwriters want to be able to pull in our data to be able to, you know, if you want to sign up for cyber insurance for yourself and for your customer, and just do it with a click of a button and say, I feel confident in where I’m standing, I just want to be able to submit this. And the underwriter goes, sure, we’re going to pull it over. So that’s coming this year as well, which is pretty cool.

 

Steven Maresca  19:47

I work with many carriers and brokers, so I’m confident that that will be a topic of interest as soon as it’s available. Let’s put it that way.

 

Dan Fox  19:56

Same thing, right? Those come with questionnaires. You know, you’re just basically re-answering the same data is what you’re doing.

 

Steven Maresca  20:03

Yes. It’s agonizing at times. Anything that makes it easier, everyone will be happy.

 

Dan Fox  20:07

Yeah. And behind the scenes, those carriers are starting to align to things like CIS. Absolutely. All we need is that one mapping, if you can kind of connect those dots. If you, you know, have these 50 questions from the insurance carrier, and they have each of those tied to CIS on the back end, now we have your CIS, or whatever you use, maybe you use CSF, but we have NIST CSF mapped to CIS, right? So now you can see, I can pull this all in. Oh, everyone wins. We all just take a huge load off. Yeah.

 

Jason Pufahl  20:38

And you know, one of the other things. So we didn’t touch on it a lot, right? We really focused a bit on answering questions and sort of developing the roadmap to address the gaps that you identify and all of that. But part of this is you are pulling in all of the evidence, and so you get to see what policies you’ve written that align to your specific control questions or standards questions. You get a better understanding of, you know, how you’re managing your vendors throughout this single application. So we’re using it essentially as that sort of single source of truth for all the things that we do on the security side. And we’re starting to see that move by clients to really integrate all their data into the platform. Ideally, you know, at some point when customers are going through assessments, maybe CMMC is an example, it really should make the job of the assessor really easy to be able to walk through and say, well, here’s your answers, here’s all the information you’ve got relative to your objective statements, and here’s all of the evidence, whether that’s screenshots or your policy documents or whatever, in one location. You know, hopefully that can reduce some cost in terms of going through those assessments later too.

 

Dan Fox  21:48

Absolutely. So, like a lot of folks say, in the first year, it’s a bit of an uplift, right? And a lot of these things are annual, recurring, or every couple of years, like ISO is every two years, even though you actually do an annual internal audit in between, and CMMC is in the same boat, where that’s, what is that, every three years for CMMC, and you still have to do an annual. You do, yeah, yeah. So once you have that kind of level set, we have a couple of automations that are already built in, where you can refresh the year, it’ll pull in, you know, what you have, and you can just kind of validate, is this the same, or here’s what’s new, which saves a lot of time. And then on the auditor side, we do have a built-in auditor workflow where the auditors can, you know, be able to look through and put their own notes in, look through all that evidence by framework, or you can export it out in a big zip file that’s organized by framework control, which then they can use in their third-party system, because some auditors just insist on doing it in their own system, which you have to work with, if that’s what you’re, you know. CMMC is a good example. They will not use any third-party system. They want you to upload the data to them, and that’s the requirement. So that’s, yeah, just do it.

 

Jason Pufahl  23:16

So we’re pretty well up against time. Anything? I think we covered everything I think we talked about, you know, when we met, to make sure that we wanted to get a few topics in. Dan, anything that you wanted to cover that maybe we haven’t, or, you know, any of your key GRC things?

 

Dan Fox  23:36

I think we touched on a lot of good stuff. But I’d love to hear, you know, this is something I threw out there to you earlier, was the idea of MSPs sort of working together. How do we collaborate together and work together? Because, you know, for instance, you guys are in a really good spot to be able to manage some of the cybersecurity and compliance needs, whereas other folks want to continue to be the boots on the ground, the on-prem tech, but they maybe don’t want to tackle this. How would you envision that working together with yourselves and maybe some other MSPs?

 

Steven Maresca  24:09

It’s an interesting question. I mean, we work with other MSPs that, you know, are in the day-to-day work, supporting some of our customers. It’s not as though we support the entirety of them in that complete way. It’s a very unique question in the sense that it’s somewhat set by the disposition of each organization. So there are plenty that are very happy to collaborate. They see it as a net benefit. It’s a demonstrated value to a customer. I think that’s the right framing. You know, some prefer to be the one tool to fix all problems, and those are more difficult discussions, but I think that the customer here sets the tone, and ultimately we support where all customers require. I think that’s the emphasis and the projection that needs to be done in order to be very collaborative. The tools we’re talking about support that type of thing. There’s no barrier in that regard. It’s just a matter of setting expectations and working together across organizations. And the bigger you are, the more of a base expectation that is.

 

Jason Pufahl  25:21

Well, so, and I think I’ll add to that a little bit. I think we, Vancord, we’ve made some real investments in standing up a security team, and a set of security products. So I think we bring expertise. We’ll stay focused on, say, the assessment, sort of GRC space. You know, we bring some real expertise with Steve’s team to be able to help do the vendor risk assessments, to work with insurance to identify sort of best products for a particular company, to do the assessments and interpret questions that might be, you know, challenging for the client, or maybe challenging for other MSPs who don’t have that same sort of security team behind it. So I think the challenge always is, how do you make sure that you’re working with, you know, in our case, a competitor, but in a way that is really transparent and open, so that, you know, you’re not stepping on each other’s toes, so that we’re delivering sort of the security value, maybe. But then, you know, not looking at any way to disrupt a pre-existing relationship, and make sure that they’re engaging with, you know, their client positively and in a way that sort of facilitates them growing in that relationship, right? So I think as long as you can maintain that openness and transparency, sort of with, you know, competing companies, because that’s, you know, that’s where we’re at, I think it can work really well. It’s just a matter of finding out, like, what’s the niche that each org brings, and staying in your lane. And, you know, it’s easy to say, it’s not always easy to do. But I think you don’t want to spend a lot of time necessarily overthinking that in sort of documentation and contracts.
I think you really want to develop, you know, an actual working relationship to be able to have the conversations around, like, hey, we’ll do the assessment, we’ll hand you the report, you address the gaps, and we’ll get out of your way. And I think that works really well from our experience.

 

Dan Fox  27:25

Yeah, absolutely. I’ve been seeing that working well out there as well. And actually, as a mature framework, CMMC has the shared responsibility concept, which just kind of creates those lines for everybody to work together. So I would just love to see the community working together more. I think there’s a lot of great knowledge out there, and that’s what I would love to see over the coming couple of years, is more collaboration, everybody kind of being on the same team, not competing, but actually, like, hey, we have our lane. Let’s work together.

 

Jason Pufahl  27:57

Steve and I come, our background is in higher ed originally, and that is the way higher ed works. I mean, you go to these conferences and everybody is sharing information, and everybody is, well, they’re sharing information, they’re sharing vendors. You know, a lot of times you sort of end up with similar approaches, even if they’re not always the best approaches. But everybody’s working together. Industry is a little more challenging to do that, and I think we always bring the perspective of, there’s got to be a way to work together and make this easy, ultimately easier for our customers, right? I mean, that’s really the end game here. How do we find a way to do that? And I think if you do it now, the customer sees you as a partner, the industry sees you as a collaborator, and everybody wins, to your point. Yeah, absolutely. So all right, well, I think on that positive note, maybe we can find better ways to do it. But Dan, it’s always fun. You run a regular webinar that we’re part of, so we’ve had the opportunity to talk a whole bunch of times even leading up to this, but it’s always a pleasure to have a conversation with you. I’m really glad you were able to join today. I’m really glad to have ControlMap as a partner of ours, because we’ve gotten a lot of value from it. And you know, I know we’re looking forward to working with you more as the year goes on.

 

Dan Fox  29:09

Absolutely. Thanks for, yeah, thanks for having me on, and we’ll look forward to working together in the coming new year here.

 

Jason Pufahl  29:15

Yeah, sounds good. And you know, as always, if anybody has questions about, you know, ControlMap, about how to deal with assessments and all the things we talked about, reach out to us. We’re happy to have conversations. We can always bring Dan to a conversation if need be. We’ll go from there. So thanks, everybody. Thanks, guys. All right, thanks, thanks.

 

Speaker 2  29:32

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.

