Starting a Security Program by Choice or by Force with Trava’s Marie Joseph
Jara Rowe: Gather around, as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea On Cybersecurity, a podcast from Trava. Hey friend, you're tuning into another episode of The Tea On Cybersecurity. At this point, we know that cybersecurity is important, and that we should all be taking it a lot more seriously. But what does that look like, depending on the stage of your company? I've learned that there are different motives for when a company starts a security program, and during this episode, we are going to dive into starting a security program by choice, or by force. But we know I am not the expert, so I have someone else joining me, that knows more about this area. I would like to welcome Trava's Marie Joseph. Hi, Marie.
Marie Joseph: Hi Jara, I'm happy to be back.
Jara Rowe: Yes, I'm so happy you're back as well. So for those listeners that may not have listened to our previous episode about SOC2, will you go ahead and give a brief introduction of yourself, and your role at Trava?
Marie Joseph: Of course. I'm a senior security solutions engineer at Trava. I've been doing this for about two years now. Basically, I help companies start their security program, or help mature it, and focus a lot on the compliance aspect as well. So I help companies go through audits, and get SOC2 or ISO certifications.
Jara Rowe: So important. You have such an important role, and you're such a great resource for me. In that episode, you mentioned that small business owners should start taking cybersecurity seriously from day one. Can you reiterate why that is important?
Marie Joseph: Yeah, of course. So one of the big statistics that's out there, is that two-thirds of small and medium sized businesses are the ones that are actually attacked, and the ones that hackers go for. So it's really important for those companies to take security seriously because of that. They make up the majority of the economy as well. So if most of the attacks are happening to those companies, you risk losing a lot of money or data, and oftentimes could possibly lose your whole company. You see that often with ransomware attacks in the news these days.
Jara Rowe: So we know unfortunately that there are some companies that just don't start at day one. So what stage do businesses start their security programs?
Marie Joseph: I wouldn't say there's necessarily a set stage, time period. So just when you're ready to start as a business, to take it more seriously, if you're not already. It's recommended getting started as soon as you can. So as long as you're taking some little steps initially, you're going to be making a difference in the long run. So you don't have to do it day one. But as soon as you can is really highly recommended.
Jara Rowe: Obviously we would recommend starting at the beginning. But for those that can't, or maybe don't even have the capacity to do that, they just need to start it when they're ready. Hopefully it's before an attack, or something like that happens.
Marie Joseph: Yes, of course. Then sometimes, I think people don't start taking it seriously until something happens. So it's just, take that weight off your shoulders, and get started as soon as you can, so you don't have to become that statistic.
Jara Rowe: Yeah, you definitely don't want to be that statistic. In a previous episode, Jim was talking to me about cyber risk, and everything's only getting worse. What are some ways that you've seen cyber risk changing?
Marie Joseph: Yeah, it honestly changes every day. I really knew that, going into the cybersecurity field in general. You're constantly learning, because it never stays the same. You probably see often, technology constantly changing, like your phone is constantly changing. Every year there's a new one. So as that changes, the security that protects those devices also has to change. You see that grow and evolve as technology does. As that's also changing, hackers are also evolving. So that's why it becomes so important for you to secure your devices. Anything that you store on anything digital. Anything is technology these days. Your fridge, your toasters, they all have computers inside them. So taking the right steps to make sure things are secure is really big, because the risks are just constantly evolving. There's something new every day.
Jara Rowe: Not even really thinking about the risks that come with everything evolving as quickly as it does.
Marie Joseph: Update everything.
Jara Rowe: I actually have an update on my phone right now that I need to do. I've been slacking, and I know that's not good. I know that's not good.
Marie Joseph: I think you should do it after this call.
Jara Rowe: I should. So with cyber risk ever evolving, it honestly does force companies and things like that into starting a security program. In many cases, like I mentioned, companies are being forced to create a security program. What does that look like?
Marie Joseph: The aspect of being forced is, that's an interesting word to use for it. But it is pretty true. A lot of the time, they're being forced to by a current contract they already have with a vendor. Or sometimes, one of their vendors is the government, so you have to follow their rules and guidelines. Basically because you're going to be taking on their risks, so the vendors are really wanting you to be as secure as possible. That's why the force factor is there. They want what's best for you, because otherwise they probably won't keep you as a customer.
Jara Rowe: I've read briefly about third party risks, and vendors, and things like that. If I was a CEO of a SaaS company, and I needed to partner with another vendor, what are those steps that I need to take, to make sure that they are secure as they should be?
Marie Joseph: A lot of the times, you'll see security questionnaires coming into play. If you have an initial one of those at your company, those typically get sent out. If you don't particularly have a SOC2 or ISO type of certification, they want you to fill out the questionnaire, just because they need to make sure you have those things in place.
Jara Rowe: What are some key components to a strong cybersecurity program?
Marie Joseph: Yeah, so there's typically about five components that everyone looks at, at a high level. This really goes for any framework that a company looks at when it comes to security, since there's different regulatory agencies that look at them. But at a high level, you basically start with assessing what you currently have. Some people might have nothing. But you typically will probably have something. So starting with policies, and looking at that. So you assess what you currently have. From there, you typically want to identify what gaps you have. Then you take that regulatory agency's requirements, and identify where you don't have certain things in place, like controls and policies and procedures. Then from there, you've got to plan out what you want to do next, to fill in those gaps. Whether that's mitigating risks that you find, or putting in those new controls. Depending on what the plan is, and you get that timeline. A lot of people like to look at that timeline, because it really helps, especially your third party vendors. It gives them a better understanding that you're taking it seriously... that proof. Then from that plan, you do actually execute and close those gaps. That takes some time. It's not going to happen overnight typically. So that becomes helpful. Then from there, when you close those gaps, you just continuously monitor it, and hope that you mature.
Jara Rowe: If you need help, Marie can help you, right?
Marie Joseph: Yes, exactly. I can help. I've helped a lot of customers at Trava personally. I'm here to help you get through almost any framework.
Jara Rowe: That's awesome. You mentioned regulatory agencies. Can you talk about what that is, and maybe some names, or something that people may be familiar with?
Marie Joseph: Yeah, of course. One of the most I think popular ones, you hear, NIST is thrown out a lot. One of the national ones. So that's worldwide acknowledged. Then it just gives you security best practices. That's why with SOC2, the one episode we talked about earlier, that one is really a North American standard of security. Then a lot more, if you're doing more international business, people usually focus on ISO. They're all very similar in a way, but they might just have more focus in one area. Privacy might be more important in some, and continuous monitoring aspect may be more important as well.
Jara Rowe: You just mentioned that, and we have talked about it before. But I'm just going to reiterate, to make sure my brain remembers. SOC2 is a compliance that's more geared toward North American companies. The ISO, and the numbers after that, is more international.
Marie Joseph: Correct.
Jara Rowe: So a company that needs a compliance certificate, depending on their target audience, depends on which one they would pick to be certified in first?
Marie Joseph: Yep, typically.
Jara Rowe: Look at me, remembering stuff.
Marie Joseph: Yeah, you're learning. I love it.
Jara Rowe: I'm learning. I'm learning. All right, so what is one thing, you've just given us quite a few, but what is one thing a cybersecurity plan must have?
Marie Joseph: I honestly would just say drive. Have that initiative to make a change. I don't think it's anything necessarily security related. It's all up to the people, honestly.
Jara Rowe: So I think I may know the answer to this question, but I'm going to ask again anyway. When it comes to starting a security program, we're talking about choice or force. Which one should someone want to do? Obviously, should they start it because they want to, and they know that that is the right thing to do? Or do they wait until a regulatory agency or a company is asking them? I just want, from your opinion, which is the right way to go?
Marie Joseph: I personally think you should do it before you're forced. It'll be a lot easier, and your world will feel less on fire. Typically when you're forced to do it, you are also given a set timeframe, and that's really hard. You have to drop everything now, and set up a whole security maturity program, within a month or something. That's typically, sometimes you see people say, "You'll need this in 30 days." If you start way ahead of time, before you're forced to do it, you probably already have enough in place to get the contract signed, and then accept that you don't have it all in place now, but are getting there.
Jara Rowe: Yeah, that totally makes sense when it comes to time. Again, I know that you help our customers and things like that create their programs and everything. So through your experience, what is that timeframe typically? To go from zero, to maybe at least 80%? What's that timeframe typically like?
Marie Joseph: I would say probably six months to a year. It just really depends on how many people are able to help you on your team, to get some of that technology, and get some of those policies written. Faster pace, I would say six months. Then if you really take the year, you could get to that 80% pretty easily. Especially if you're working with Trava.
Jara Rowe: Especially if you're working with Trava. We'll get you there real quick. Okay, so give me a cybersecurity prediction of yours, that you think we may see over the next five years.
Marie Joseph: I would say something with the enhancement of the deep fake AI technology. I don't know if you've seen that much recently. But it's where other people's faces, you can put them on yours, and say basically whatever you want. I honestly think that's probably going to start changing how we work remotely, especially with doing all these different video calls. I think that could really start interfering with security, and things that people agree to. If they verbally agree, I think it could start interfering with a lot of businesses. So I'm really curious to see how security changes to help with that, and what sort of attacks come from that technology as well.
Jara Rowe: That's honestly terrifying, because anyone could make me say whatever they want to.
Marie Joseph: Yeah.
Jara Rowe: That's horrible. Absolutely horrible.
Marie Joseph: It's just really interesting. If you haven't looked too far into some of those videos, there was one of Morgan Freeman, and it was super interesting. Because it had his voice too, but it wasn't him.
Jara Rowe: Technology. It's great, but it's also bad.
Marie Joseph: Right? So cool, but then you're like, "Oh, that could be used for bad."
Jara Rowe: Yeah, for sure. All right, Marie. I really appreciate your conversation today, and your insights. But before I let you go, is there anything else you would like to talk about, before we end the episode?
Marie Joseph: I think one last thing, it could be in regard to the title of the episode, is I just want to reiterate that a great security program is all about the people. So it is a team effort at your company, and every person at your company needs to take it seriously for it to be really successful. You often hear that humans are your weakest link. But with the right training and culture around your company, I think they can also be your strongest link as well. I think that's just something important to think about.
Jara Rowe: Yeah, that's a great thought to leave with. All right, listeners.
Marie Joseph: You're welcome.
Jara Rowe: Tune into the next episode of The Tea On Cybersecurity, as we dive even deeper into starting a security program, by choice, from day one. Now that we've spilled the tea, it's time to go over the receipts. The first thing I took away is that, there's no right or wrong answer to starting by choice, or by force. But you should want to take the initiative to start a security program yourself, simply because of the time that it takes to really get a secure program in place. Like Marie said, it could take six to eight to nine months, up to a year. So if you take security seriously from earlier on, you are only setting up your company for success down the road. The next thing that I took away is that, we know that everything is consistently changing. So sometimes we are forced to do things simply because of technology updates, and things like that. We want to stay updated with our updates, and all of those fun things. So we have to stay on top of the way technology is moving. Two other final things that I have, that go together, are about starting your program. Marie talked about how initiative is really important. You should want to take that initiative earlier on, which leads me to my final piece. With that, a great program is all about people. If you want a very sound security program, you should take the initiative to get your team on board from the beginning. Because we know from a previous episode, that employees can be weak links. But you can help by educating them, and making sure that your product, and your tools, and everything that you use, is secure for not only your customers, but your team as well. Thanks for tuning into The Tea On Cybersecurity. If you like what you listened to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
“Two-thirds of small, medium-sized businesses are the ones that are most attacked. Hackers specifically look for these!”
Marie Joseph, Senior Security Solutions Engineer at Trava, specializes in helping companies start their security program and mature it. With the rise in cyber attacks on businesses, Marie talks about when the appropriate time is to start a security program to avoid pitfalls, how to keep up with security and technological changes, and what it looks like for a company to be 'forced' to start a cybersecurity program. Listen in as Marie dives into all of these aspects while providing tips to keep your technology and business safe.
What You’ll Learn in this episode:
1. Suggested timeframe for starting a cybersecurity program to reduce the risk of attacks on your business
2. The five components of a strong cybersecurity program that every business needs to look at
3. Whether you should start a cybersecurity program because a regulatory agency or a vendor contract forces you to, or because you want to for your own sake
Things to listen for:
[02:28] The various stages where businesses start their security programs
[03:34] Ways cyber-risk has been changing
[05:06] What it looks like to be ‘forced’ into a security program
[06:39] Key components to a strong cybersecurity program
[08:18] Regulatory agencies and compliance certificates
[09:42] One thing a cybersecurity plan MUST have
[11:54] Cybersecurity predictions over the next 5 years
[13:12] Closing thoughts
Connect with the Guest:
Linkedin - https://www.linkedin.com/in/marie-joseph-a81394143/
Connect with the Host:
Jara Rowe’s LinkedIn - https://www.linkedin.com/in/jararowe/
Connect with Trava:
Website - https://www.travasecurity.com/
LinkedIn - https://www.linkedin.com/company/travasecurity/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ
YouTube - https://www.youtube.com/channel/UCBqqNS-TSnj2ClgeYdcTKQgrava