A Crash Course in the Benefits of ISO 27001 Certification with Anh Pham and Marie Joseph


Jara Rowe: Gather around as we spill The Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. We've covered different compliance frameworks in our previous episodes of The Tea on Cybersecurity. But now we're taking a closer look at what it truly takes to obtain a specific compliance certification. If you've ever wondered about the benefits of ISO compliance and the potential challenges you may face during the certification process, you're in the right place. But as we know, I am not the expert in any compliance framework. But during this episode of The Tea on Cybersecurity, I have not one but two cybersecurity experts, some of my coworkers at Trava. Hello, Marie and Anh. We're going to do some brief intros. Anh, you have not been on an episode of the podcast yet, so I would love for you to go ahead and introduce yourself first.

Anh Pham: My name is Anh Pham. I'm currently the senior security engineer at Trava. I'm responsible for Trava's entire internal security program. I'm also helping on the product side in terms of contributing to the different scanning features, assessment features, and security features that we have in the platform.

Jara Rowe: Sounds like an important role. Marie, I know you've been on a few episodes, but just in case someone's tuning in for the first time, please go ahead and introduce yourself, as well.

Marie Joseph: Of course. I'm Marie. I'm a senior security solutions engineer at Trava. I help mainly with the compliance engagements at our company. I help them get through different security and privacy frameworks.

Jara Rowe: I'm honestly going to token you as a compliance queen for this episode.

Marie Joseph: Wow, perfect.

Jara Rowe: With that also, Marie, I'm going to throw this first question at you. What is ISO 27001?

Marie Joseph: It's considered the international standard to manage your information security. It's internationally recognized. It's published by the International Organization for Standardization. Mouthful, but that's what ISO stands for, so it just focuses on the security aspect of that.

Jara Rowe: How does this compliance certification fit into a company's broader cybersecurity strategy?

Anh Pham: For me, it fits into a broader strategy in multiple ways. First, it provides a structured framework for us to really approach our security program. A very structured way for us to bring up everything from ground zero. Secondly, ISO heavily focuses on using a risk-based approach to everything. By aligning with ISO and really practicing ISO principles, we automatically incorporate risk-based assessment and risk-based decision-making into all security initiatives and projects that we have. Third, and this is probably just my opinion, but a lot of ISO controls align with many other regulations and compliance frameworks. By starting with ISO, you get a head start if you want to achieve any other certification or compliance later on. Then having ISO on the business side really helps with customer confidence in the product, by showing that we've taken the steps that we need to take to really improve our security and protect the data.

Jara Rowe: If I was a SaaS company and I was just looking for one framework to start with, ISO 27001 would be a good one because it's a head start for another framework?

Anh Pham: That's correct.

Jara Rowe: All of my listeners go ahead and note that. What are some additional benefits that a company can get from achieving this certification?

Anh Pham: Besides the ones that I just listed, one additional benefit is competitive advantage. When a customer shops for a product and they compare between vendors, obviously, the one that is certified in an established framework is probably going to have a bit of an edge. Two, it increases, for lack of a better word, business resiliency. Following consistent processes, establishing a security program, you're more resilient to cyberattacks. If anything happens, you have a better chance of recovering, you have a better chance of protecting your data and your customer data, and really continuing to provide services. Lastly, it also helps with increased efficiency in security and operations. So security is better, operations are better, business is better, as well. Those are some of the additional benefits that I see, and Marie can chime in.

Marie Joseph: Those are all great ones and you worded it probably better than I was going to. One other thing I was going to say is that, typically, when you do get audited and have that certification, you do get fewer security questionnaires. Just because you can send them that certification and that usually checks most of the boxes to help them with deciding on their prospect.

Jara Rowe: So that definitely ends up being a time saver, as well, for the companies?

Marie Joseph: Yep.

Jara Rowe: Okay. Let's talk about Trava and our process in becoming certified. Can one of you let me know what even motivated us to go after this certification?

Marie Joseph: I know one of the main reasons is since we help customers so much with all these different frameworks, we really needed to start practicing what we preach. It didn't look great that we did not have one of these certifications that we're constantly getting customers through, and telling them they need to have to get started with security and to look better to their market. It was really the practice what we preach aspect, and we're a cybersecurity company so taking security seriously is very important.

Jara Rowe: Again, I know that the two of you played huge roles in that process. Can you tell me about how the two of you fit into the equation?

Anh Pham: I guess my role in the entire process has been a lot more on the technical side of things. Being the security engineer at Trava, I'm responsible for a lot of policy, procedure, and process creation for security work at Trava, and even for normal operations when it comes to making sure we operate securely and safely. Then I'm also responsible for a lot of the technical implementation of controls that are required and identified in our risk assessment and in our ISMS, the implementation of the controls that we identify as needed for us to achieve compliance.

Jara Rowe: Cool. Marie, what about you?

Marie Joseph: I helped with some of the documentation and then I was mainly project management and planning. That's where I helped the most, and with mainly holding people accountable for the things that they were assigned to and owning, to make sure that we were hitting certain goal dates and being ready by the time we wanted to be audited.

Jara Rowe: Marie, I know you helped Trava's customers through this process, as well. Do they typically have one person that leads on their side? Or do they have multiple people, like how you and Anh split responsibilities?

Marie Joseph: Yeah, it definitely varies. Sometimes it is just one person whose sole duty is to get them through different security achievements. Otherwise, it is sometimes a smaller team just depending on how fast paced they want to get through it.

Jara Rowe: I know what my contribution was to this process. I was really just signing documents that you guys told me to sign. But how were other employees involved at the different levels of Trava during this ISO 27001 certification?

Anh Pham: One of the main things is we need to ensure that the appropriate stakeholders for each process that we've established are aware of the process and know what they're supposed to do, especially in their daily work life. It is really related to that process. What you said, read the policy, yeah, test the policy, make sure you fully understand it. We also need to ensure that people working in different business units and business areas understand the different controls that will be in place, how they affect their work, what they are, and how they can protect our data and customer data. It really comes down to good communication and transparency. Make sure everybody understands why we are achieving ISO, what are the things that we are rolling out that will affect them, and how they can contribute to it.

Jara Rowe: One of the things that I've learned through talking to other experts and things, is that cybersecurity is a team project. It takes the entire organization to take part in it. That totally makes sense to get everyone involved, even if all I had to do was read the policies and sign off on them. Since you guys went through this with Trava, what were some of the biggest challenges that were faced during the auditing process?

Marie Joseph: One of the biggest challenges with any project is making sure you make the time to accomplish all the different steps. A lot of the times it feels like procrastination always comes into play, and finding the bandwidth for yourself to fit it into the schedule, just to work on it and hold it as a priority, I think that's always one of the biggest struggles. Because it's like a side job, almost, not your full job but a side gig.

Jara Rowe: Again, Marie, since you help our customers, were there any lessons learned that you received from this that you will now have our customers do during these auditing processes?

Marie Joseph: Yes. It's always nice going through different audits with different auditors. I definitely got a lot of feedback on different documentation that we help customers with. They would give us critiques or recommendations, so it was nice. I can take some of that back and give it to our customers, too, to make sure that they don't have that same roadblock.

Jara Rowe: Next question for Anh. What ongoing maintenance and monitoring will Trava, or any other organization, have to do now that we've passed this auditing step?

Anh Pham: One of the biggest things about ISO is to ensure that you follow the processes that have been established by you. For future compliance and for ongoing compliance, you really need to make sure that anything that you put in place, you follow it and you audit it. You regularly check and monitor to make sure that all of your KPIs are being met, all your risks are regularly reviewed. Your ISMS, you regularly review. It really comes down to sticking to the things that have been established. If you said you're going to do quarterly access reviews, just make sure you do it. It doesn't have to be formal. It doesn't have to be perfect. To start, if you follow those processes and document everything, you should be good.

Jara Rowe: Now looking back, since we're pretty much through this process, is there anything you would have done differently during the process?

Marie Joseph: I would say making sure to schedule out time where the only focus is getting through a lot of that documentation. That's it.

Jara Rowe: Anh, did you take anything away that you wish you would've done differently?

Anh Pham: One of the biggest lessons for me was to try not to stress yourself out at the very beginning when you look at the framework. The framework is not meant to force you to put in something that's 10 out of 10 at the very beginning. It's not about doing these exact things. It's more about having a process in place to achieve the goals that are laid down here. If you need to review your administrative access regularly, you find your own process for that. It doesn't tell you how. At the very beginning, I definitely was very stressed. I was trying to ensure that everything was perfect. That can be overwhelming, especially for a smaller organization where there's not too much of an established process in place. Looking back, I would have taken it a little bit easier at the very beginning.

Jara Rowe: Don't stress yourself out early on. Got it. You guys were just giving me some advice, but what advice would you give to other organizations that are considering pursuing ISO 27001 certification?

Marie Joseph: There's probably a few things I would suggest. Making sure you have enough time to achieve your goals. If you have a target date, making sure that you have some things in place already, probably, if you're doing a shorter one. But if you give yourself a year, it will probably be easier to achieve and feel better. The bandwidth of your team, making sure that they have the time in the day to also focus on this, depending on how that is, whether it be a little time a week or whatnot. Last thing is that the hardest part is probably the first initial year and getting the program started. After that, once you have everything in place and have all those decisions made, it's really easier to follow the continuous monitoring aspect, and keeping things aligned since you've made all those final decisions.

Jara Rowe: We need to make sure we have the time and bandwidth built in, then the hardest part is the beginning. Once that's all said and done, it's smooth sailing with the recurring maintenance, you would say?

Marie Joseph: Yeah, for the most part.

Jara Rowe: All right. Do you have any advice for anyone?

Anh Pham: I guess I already alluded to it. Focus on the process, not the quality of the outcome at the very beginning. Make sure you establish a good process and that you have a way of following it consistently. If you audit something and it came out not perfect, you always have a chance to improve and work on it. But having the process and the groundwork in place is very important.

Jara Rowe: We're going to take a brief step away from compliance. I'm going to ask you guys a few funner cybersecurity questions. Not that ISO isn't fun, but these are a little more lighthearted, I guess. Question one, if you could create a new cyberattack, what would it be called?

Marie Joseph: That's really hard. That's a good one. Now I feel like it'd be cool to have one named after myself, so something with my name in it.

Jara Rowe: The Marie Joseph Protect.

Marie Joseph: Yeah, something like that.

Jara Rowe: I love it. Anh, what about you?

Anh Pham: Oh, I guess the Anhstoppable would be the name.

Jara Rowe: Anhstoppable. Oh, I love it. That's perfect. All right. Next question. If you could compare your job to a superhero, who would it be and why?

Anh Pham: I guess it would be close to Captain America. You're put in this place where you're responsible for protecting a lot of different things. Some of the things you do people may not like as much, but it's important, so you still have to put your foot down and do it anyway. It's a balance between making sure that people are protected, and at the same time not making them dislike you too much.

Jara Rowe: Yeah, that's a good one. All right, Marie?

Marie Joseph: I would say maybe Spiderman just because the whole your friendly neighborhood Spiderman aspect. I like to take security from a friendlier view. A lot of people take it as a nightmare, like when they hear cybersecurity and cyberattacks. But making it easier and less scary is always my goal when I help customers. I feel, in our field, we're a superhero to a lot of people just because we make their lives a lot easier, and we're really helping protect their businesses.

Jara Rowe: As we wrap up this episode, I have one final question for each of you. If you had any other general cybersecurity advice to give to someone, what would it be?

Anh Pham: Go out and turn on MFA on everything and anything that you have. To this day, I still occasionally have to help family and friends recover lost accounts simply because they didn't have MFA on in the first place.

Jara Rowe: I totally understand. Turn on MFA everyone. All right. Marie?

Marie Joseph: I would say on the same aspect that Anh was just on with dealing with your family and friends doing things. I would say just not clicking on links and opening the emails, in general. I have people in my life that see the funny titles of hackers trying to get some information from you, so they open the whole email, read the whole email and are like, "Ha, did you see this? This is hilarious." I have to be like, "Just don't open it at all. You should just throw it away. Every time you just open those emails, you risk it, as well."

Jara Rowe: Now that we've spilled the tea on ISO, it's time to go over the receipts. I don't know about the rest of you, but I feel like I learned a lot during that episode from Marie and Anh. Here are a few things that I took away. To start, ISO 27001 is an international standard for security. I have two benefits of ISO. One, it gives you a competitive advantage over some of your competition. And, two, it builds customer confidence. If you are trying to sell your product, if a customer asks that you have some sort of compliance framework, you can show them your certification for ISO. Another thing that I took away is just some advice that Marie and Anh have for this process. One of the main things that Marie stressed several times is that you need to ensure that you build in enough time and bandwidth to achieve the goal. Make sure that everyone has the time set aside and don't procrastinate during the process. One of the things that Anh said for advice was don't stress at the beginning. Just make sure that you establish the process, and just go through the checklist and you should be good to go. One of the bigger things that I took away, as well, personally, is that if you are looking at a compliance framework, although the ISO process may be a little larger than some, like SOC 2, for instance, if you start with ISO, it honestly gives you a head start for another compliance framework because of the standards that they make you meet. If you're thinking about getting SOC 2 and ISO, it may be beneficial to start with the ISO process. Once that is all set in stone and clear, and you've been audited, you're good to go, then you can go to SOC 2 because you already have so many of the policies and controls in place. All right, listener, I hope that you got as much as I did out of this episode. I can't wait to continue to learn with you on future episodes of The Tea on Cybersecurity. That's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

DESCRIPTION

“When a customer compares between vendors, the one with an ISO certification is going to have an edge.”

We’ve covered the concept of compliance frameworks in previous episodes, but now we’re taking a deep dive into what it takes to obtain a specific certification: ISO 27001.

If you’ve ever wondered about the benefits of ISO compliance and the potential challenges you may face during the certification process, you’re in the right place.

In this conversation, Marie Joseph, Senior Security Solutions Engineer at Trava, and Anh Pham, Senior Security Engineer at Trava, discuss the benefits that ISO compliance brings not only to your organization, but also to your stakeholders and customers.

What you’ll learn in this episode:

  1. ISO 27001 is an international standard for managing your security.
  2. ISO certification gives you a competitive advantage over your competitors and builds customer confidence.
  3. It’s crucial to budget enough time and bandwidth to work on ISO certification.
  4. Don’t stress about doing things perfectly. Use a checklist to stay organized through the process and you should be good to go.
  5. Starting with ISO certification can give you a head start on other compliance frameworks you may want to pursue in the future.


Things to listen for:

[02:15 - 03:43] What ISO 27001 is and how it fits into a broader cybersecurity strategy

[04:05 - 05:13] The benefits of achieving ISO 27001 certification

[07:56 - 08:40] What to expect during the certification process

[12:31 - 13:58] Anh and Marie’s advice for organizations considering ISO 27001 certification


Connect with the Guests:

Marie Joseph’s LinkedIn

Anh Pham’s LinkedIn


Connect with the host:

Jara Rowe’s LinkedIn


Connect with Trava:

Website www.travasecurity.com

Blog www.travasecurity.com/blog

LinkedIn @travasecurity

YouTube @travasecurity

Today's Guests

Anh Pham, Senior Security Engineer at Trava

Marie Joseph, Senior Security Solutions Engineer at Trava