Cyber Risk Assessments: Uncovering Your Security Vulnerabilities with Jim Goldman, CEO and Co-Founder of Trava

This is a podcast episode titled Cyber Risk Assessments: Uncovering Your Security Vulnerabilities with Jim Goldman, CEO and Co-Founder of Trava. The summary for this episode is:

“A cyber risk assessment is nothing more than a diagnosis.”

As a small or medium business, you may assume you’re not a primary target for cyber attacks. Cybersecurity expert and CEO & Co-Founder of Trava Security Jim Goldman (https://www.linkedin.com/in/jigoldman/) reveals that small and medium businesses are actually more likely targets than large enterprise customers.

Whether you’re a Fortune 500 company or a brand-new startup, it's time to take a proactive approach to your cyber security with cyber risk assessments. In this episode, you'll discover the essential frameworks and standards needed to prioritize vulnerabilities and maintain an acceptable level of risk exposure. Don't wait until it's too late: learn how to safeguard your business today.

What you’ll learn in this episode:

  1. Cyber risk assessments are like going to the doctor for a diagnosis or annual physical.
  2. The type of cyber risk assessment you need is dependent on the type of framework you want a certificate in.
  3. Prioritize the vulnerabilities exposed in a cyber risk assessment by potential impact.

Things to listen for:

[02:00] Why it’s crucial for companies of all sizes to conduct cyber risk assessments
[10:45] What information a cyber risk assessment uncovers
[13:25] How frameworks and risk assessments work together
[14:30] How to prioritize the vulnerabilities uncovered in a cyber risk assessment

Connect with the Guest:

Jim Goldman’s LinkedIn: https://www.linkedin.com/in/jigoldman/

Connect with the Host:

Jara Rowe’s LinkedIn: https://www.linkedin.com/in/jararowe/

Connect with Trava:

Website www.travasecurity.com

Blog www.travasecurity.com/blog

LinkedIn @travasecurity

YouTube @travasecurity
Chapters:

  • Jim explains why it’s crucial for companies of all sizes to conduct cyber risk assessments (02:15)
  • Jim shares what information a cyber risk assessment uncovers (01:11)
  • Jim explains how frameworks and risk assessments work together (00:42)
  • Jim shares how to prioritize the vulnerabilities uncovered in a cyber risk assessment (01:34)
  • Jara's Receipt #1 (00:26)
  • Jara's Receipt #2 (00:24)
  • Jara's Receipt #3 (00:32)
  • Jara's Receipt #4 (00:22)

Jara Rowe: Gather around as we spill the tea on cybersecurity, we are talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. Cyber risk assessments, that is a term we talked a lot about in season one, but we never fully gave it its actual definition. But don't worry, that is exactly what this episode is about. We are going to dive into cyber risk assessments, why they are important, what should be done with one, and everything in between. But as we know, I am not the expert. I do have one of my favorite cybersecurity experts with me today, Jim Goldman. For someone that may not have listened to any of the episodes that you were on season one, can you go ahead and give an intro of yourself?

Jim Goldman: I'm Jim Goldman, CEO and co-founder of Trava Security, headquartered in Indianapolis, Indiana. We are a cyber risk assessment and management company. We have a platform, a product, a software product that does risk and vulnerability assessment management, and then we complement that with services. We basically take companies and organizations from where they are to where they need to be in terms of their cybersecurity and compliance posture.

Jara Rowe: Perfect. In other words, you know what you're talking about. All right, so let's jump right into it. What is a cyber risk assessment and why are these assessments important?

Jim Goldman: When it comes to cybersecurity, people sort of immediately shut their brain off and say, "It's too complicated, I can't understand it." I often use analogies because I think that's the best way to understand it. And so a cyber risk assessment is nothing more than a diagnosis. If you look at it from a medical standpoint, you have a suspicion that something's wrong. You don't know what's wrong, and therefore you don't really know what to do to fix it. You go to a professional, a specialist, whatever, and maybe go to an emergency room, whatever. The first thing that happens is you get a diagnosis done. And sometimes it's a series of questions; you could say it's almost like answering a survey to determine what the symptoms are. Then there are some more objective tests. Right? Blood tests, et cetera, et cetera. It's no different with a cyber risk assessment: there's a survey component. Which of these things are you doing, are you not doing, to what extent are you doing them, et cetera. Many times people will say, "Well, I never even thought of that. Never even thought that was a possibility." Again, going with the diagnosis analogy. Then there is the more technical or the more objective testing. Our vulnerability scanning is the equivalent of the blood test. It's objective, measurable data. Numbers don't lie. Right? Here are the facts. You've got these symptoms, you've got these vulnerabilities. That's really all it is: you put that together just as the medical professional would. They'd listen carefully, they'd take notes. That's the survey part. Then they would combine it with, what does the objective testing data say? We do the same thing. We ask questions. Sometimes we provide a survey that assesses maturity in different areas of your cybersecurity program, and then we do the objective testing. We put those two things together and that's what, at least here at Trava, we call our baseline cyber risk assessment. Here's your health report. If you would like to engage us to help fix these things, to help you get to a better health status, we are here to do that for you.

Jara Rowe: Why would a company even conduct a risk assessment?

Jim Goldman: It's almost like, well, let's start with what if they don't do that? What if they don't do anything at all? This is where a lot of companies get stuck, because they don't even know where to start, because they don't have a lot of extra money to spend on solutions. It's almost like they get petrified, for lack of a better word. In other words, they know they need to do something, they don't know what it is they need to do, they don't want to waste money, therefore they do nothing and they just get paralyzed in the whole thing, as opposed to getting the diagnosis, which, oh by the way, gives them a prioritized list that says, "Okay, if you're going to spend money, Trava says spend it on this first, this second, this third." All right. Here's exactly what to do in terms of do you need a policy, do you need a process, do you need to buy some technology, what have you. That kind of thing. You could look at it as a treatment plan. Once we do the assessment, we also give you the treatment plan.

Jara Rowe: For companies, is there typically something that happens that makes them like, "Oh, I should do this." Or is it just general knowledge, like we're in a place where we should probably take cybersecurity more seriously?

Jim Goldman: That's a really good question. It's like, where does the motivation to take action come from? It can be a variety of things. The worst case scenario is they have an incident of their own, and then it's almost like too late. I think what's more likely is they hear a story of a colleague, another business owner that they're familiar with, who had an unfortunate circumstance, and then it's like, whoa, now it's starting to hit close to home. This is real. My company could be next. That's a motivation. I think the other big motivation that we see with our customers is they run into a customer or a potential customer of theirs that says, "Tell me about your cybersecurity program." They don't have a good answer. A lot of our customers don't really have a program to speak of. We've never done a cyber risk assessment. We don't have a lot of extra money to spend. We have to be real careful about what we do and where we invest. We know that our business is not going to be able to grow. We're not going to be able to acquire the customers that we really want to in the future unless we get more mature in this area. That's strategic business motivation.

Jara Rowe: I know with some types of businesses, some industries, there are some that may not think they're as vulnerable as other industries, but is this something that all companies should do? Is it a requirement, or is it just something that's a good-to-have?

Jim Goldman: I hate to use the words "it depends," but it depends. Now let's talk about trends. Certain industries, yes, it's absolutely required. It's regulated, it's the law. Other industries are sort of headed that way. In saying that, what I'm getting at is although a given business may not be required by law to do this today, it would be wise for them to start to look into this, because the day's going to come when it is required by law, and then all of a sudden they're going to have a deadline, they're playing catch-up, et cetera. It's going to be a more abrupt and more drastic uplift for them as opposed to being a little bit proactive. The other thing that I would say is regardless of the regulatory necessity or the regulatory motivation, the fact of the matter is small and medium-sized businesses are actually a more likely target than large enterprise customers, because what you have to understand is cyber criminals are incredibly opportunistic. They are going to go for what they perceive to be the easiest mark. Enterprise companies tend to be better protected. I'm making generalizations, but they've got the budget, they've got the people, et cetera, so they're probably better protected. Your cyber criminal is always looking for the easier mark. They know that small and medium-sized businesses are less protected, have invested less in this, so they're far more likely actually to hit a small or medium-sized business. The other really good point that you made is small and medium-sized businesses have this mistaken perception that there's nothing of value, and therefore they go right ahead and they say, "Well, cyber criminals aren't going to be interested in this. We only do X." Right? Well, actually that's not true, because what cyber criminals are after is a couple of things. One is data, and a lot of companies don't realize the value of the data that they have, and then it's usually third-party data. It's not even their own data. It's their customers' data or that kind of thing. Now there's a lot of third-party liability involved. If you were to have a data breach, it's like all those people and companies that trusted their data with you, they're not going to be happy that it's now publicly accessible and out on the dark web for sale.

Jara Rowe: Yeah. I remember one of the main things I took away from everything we talked about in season one was that you really need to start early on with all of these cybersecurity things, because it takes a while, it takes a long time to even complete the cyber risk assessment, look at everything and then decide what needs to be done. The earlier you start, the better, which could honestly save you time and money in the long run.

Jim Goldman: It takes time to do the assessment. It takes time to put together the treatment plan, and then it takes time to say, okay, how aggressively are we going to tick off all the objectives, all the steps that have been outlined in the treatment plan.

Jara Rowe: Speaking of this treatment plan, and we were just mentioning it a little bit, but what types of information do like the cyber risk assessments uncover?

Jim Goldman: Yep, that's a very good question. Trava doesn't make up "here's the requirements for a good cybersecurity program." There are a lot of what are called frameworks out there, industry frameworks that have been put together by panels of industry experts. They're kept up to date, et cetera. There are a variety of different frameworks that we have available on our platform that our customers can use. For cloud-based companies, which many companies are these days, there's a framework called the Center for Internet Security Version Eight framework. That's usually our default for most of our customers: we use that as our framework or our framework reference. That particular framework and survey has 18 different control families. It's 18 different categories of things you should be doing, and those things you should be doing always include a policy, a process, and some type of technology or another. Then monitoring once you've implemented it. Usually, depending on the maturity of the customer, between 5 and I'll say 9 of the 18 control families really need some work.

Jara Rowe: Listening to you talk, something else like popped in my head, what is the difference or how do they work together? Frameworks and risk assessments.

Jim Goldman: You bet. A risk assessment has to be done against some set of criteria over here. In other words, there have to be standard questions to ask. Again, going back to the medical diagnosis. You go in to see your doctor, you get asked the same set of questions every time: any stomach pain, blah, blah, blah. Are you sleeping well at night, et cetera. Well, you could look at each of those categories of questions as a control family. It's the same thing in cyber. It's like the equivalent of each of those categories of questions that your doctor's going to ask you. We're going to ask you the same standard set of categories of questions, and that standard set of questions, that's the framework.

Jara Rowe: Okay, so how do we then prioritize the risks or the vulnerabilities that were uncovered in these assessments?

Jim Goldman: That's a very good question. What we do is we start with which of the areas you are least mature in. You're not doing that much in this area. You don't have a lot of maturity in this control area. The next question we need to ask is, what's the worst thing that could happen as a result? That's called impact. What's the worst thing that could happen given you're not doing anything to protect in this? You have no controls in place in this area. The good news is, because of history, we're pretty certain about the worst thing that could happen as a result of them not doing this. We can say, all right, this is really bad, and we rate the impact relatively speaking, like low, medium, high, very high, critical, et cetera. What happens is those things that need the most acute, most immediate treatment are the ones with the highest probability and the highest impact. That's really the underlying formula for risk: it's a multiplication thing. Do it on a colored table. One axis is probability, the other axis is impact. It's like, how easy is this to exploit? How likely is it that an exploit could happen as a result of your lack of maturity in this control area? And then, what's the worst thing that could happen? What's the impact if this weakness in a control family were to be exploited? Then probability times impact equals risk. Then you just prioritize based on highest risk to lowest risk. And that's how you start to pick off the priorities that then should be fixed.

Jara Rowe: How often should a company actually conduct a risk assessment?

Jim Goldman: At least annually. It's kind of like, how often do you go for a physical? Once a year. At least annually, do the full baseline cyber risk assessment. Then what industry best practice is, at least every quarter, the senior management of the company, and not just the security people, but literally the senior management of the company, is getting together and looking at the deliverables that we give them, the risk register, the risk mitigation roadmap, the baseline cyber risk assessment, and having an honest conversation about how much progress did we make last quarter on our top priority risks? Are we moving fast enough? Are we comfortable with that? Have we committed the right resources in the right area in order to make the progress that brings down our overall risk to a point where senior management is comfortable? That's a really important point, because there's no right answer for everybody. And also the notion that you can eliminate, like a hundred percent eliminate, cyber risk: it's impossible. It is about how much do you want to invest versus how much risk are you willing to accept?

Jara Rowe: Oh my gosh, so tough. All right, so as we wrap up this episode, is there anything else you would like to hit home when it comes to risk assessments?

Jim Goldman: I keep going back to the health analogy. It's like, how many years would you go without having a physical? Do you want to wait until you're in acute pain, writhing on the floor? If you go to the emergency room and get a diagnosis, chances are it's going to be too late at that point. They're not going to be able to do a lot to help you, as opposed to if you've taken some preventative measures and had that annual physical, you'd probably be great. Switching it back over to the world of cybersecurity, get your annual checkup, which in our case is that baseline cyber risk assessment. What the hackers are doing, in other words, what the threats are, changes. Right? It's like there's always new viruses, new diseases in the air. You have to stay in touch with your physician. Same thing in cyber. The threats are always changing. You have to stay in touch with your cybersecurity assessment people so that they can say, you were great last year, but this whole new thing has broken out and you're not protected against that at all.

Jara Rowe: Oh yeah. In other words, make sure we're being proactive in our cybersecurity.

Jim Goldman: Proactive is the key word. You nailed it.

Jara Rowe: Oh, the tea was hot after we learned about cyber risk assessments. I'm here to give you the receipts that I took away from the conversation with Jim. One, you can look at a cyber risk assessment as similar to you going to the doctor to get a diagnosis of something that is going on. You will look at things like your policies and conduct vulnerability scans and things like that to get a treatment plan, which is similar to you going to the doctor to get a diagnosis of your symptoms, and they give you a treatment plan of what you should do over the next couple of days to feel better. The next receipt is cyber risk assessments are closely related to frameworks, and the assessment is dependent on the framework that you are trying to earn the certificate in. Each framework does not have the same set of controls that you need to meet, so what is being assessed is going to be different for each one. The next takeaway that I have is when you complete the assessment and you have your treatment plan and it shows you all of these issues, it's often like, how do I even prioritize this? You prioritize on what is least mature or would make the most impact for your company. Again, not in a good way. You want to tackle the things that are going to disrupt your business first, and you can have cybersecurity experts help you with this entire process. The last thing I took away is, please be proactive. When it comes to cybersecurity, we all have to be proactive. Just like we go to the doctor annually for our physical, we need to conduct these cyber risk assessments for our companies annually as well. We can see what's good, what's not, what needs to be worked on, et cetera. That wraps our episode on cyber risk assessments. I will see you for the next episode, in which we are diving into frameworks, and that's the tea on cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
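The probability-times-impact prioritization Jim describes, written out as an added Python example that is not Trava's platform or code: the control-family names are the CIS Controls v8 categories the episode refers to, while the maturity scores, impact ratings and the risk-appetite threshold are constructed sample data for one hypothetical company.

```python
"""Risk register built as probability x impact per control family.

Added example, not Trava's product. Maturity scores, impact ratings and the
risk appetite below are constructed for a hypothetical company.
"""
from dataclasses import dataclass

# Ordinal impact scale from the episode: low .. critical.
IMPACT = {"low": 1, "medium": 2, "high": 3, "very high": 4, "critical": 5}


@dataclass(frozen=True)
class ControlFamily:
    name: str        # CIS Controls v8 control family
    maturity: int    # survey result: 0 (no policy/process/tech) .. 5 (mature)
    impact: str      # worst plausible outcome if this family is exploited


def likelihood(maturity: int) -> int:
    """Low maturity is the 'easier mark': map maturity 0..5 to likelihood 5..1."""
    if not 0 <= maturity <= 5:
        raise ValueError("maturity must be 0..5")
    return max(1, 5 - maturity)


def risk_score(cf: ControlFamily) -> int:
    """Risk = probability x impact on a 1..25 scale."""
    return likelihood(cf.maturity) * IMPACT[cf.impact]


def build_risk_register(families, appetite: int = 6):
    """Rank families highest risk first; flag those above the risk appetite.

    Returns (name, score, exceeds_appetite) tuples, ties broken by name so the
    ordering is deterministic for the quarterly review.
    """
    ranked = sorted(families, key=lambda cf: (-risk_score(cf), cf.name))
    return [(cf.name, risk_score(cf), risk_score(cf) > appetite) for cf in ranked]


def heat_map(families):
    """The 'colored table': bucket family names by (likelihood, impact) cell."""
    cells = {}
    for cf in families:
        key = (likelihood(cf.maturity), IMPACT[cf.impact])
        cells.setdefault(key, []).append(cf.name)
    return cells


# Constructed survey results for a hypothetical customer.
SAMPLE = [
    ControlFamily("Inventory and Control of Enterprise Assets", 2, "medium"),
    ControlFamily("Data Protection", 0, "critical"),
    ControlFamily("Account Management", 1, "high"),
    ControlFamily("Security Awareness and Skills Training", 3, "medium"),
    ControlFamily("Incident Response Management", 0, "high"),
    ControlFamily("Audit Log Management", 4, "high"),
]

if __name__ == "__main__":
    for name, score, urgent in build_risk_register(SAMPLE):
        print(f"{score:>3}  {'TREAT NOW' if urgent else 'monitor  '}  {name}")
```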


Today's Host

Jara Rowe, Content Marketing Specialist

Today's Guests

Jim Goldman, CEO & Co-Founder of Trava Security