Navigating Cybersecurity and Compliance in 2024

Jara Rowe: We're going over navigating cyber security and compliance in 2024, your journey to security excellence. And if you've heard me before, you know that I am not the cyber security expert, so I will not be the one presenting. That's what my team is here for. And just to set the stage with the agenda, we will be doing quick intros. What we'll be covering today is why what we're talking about matters, the current and upcoming threat landscape, compliance and data privacy. The team will also have some best practices for everyone, and then a Q and A at the end. And then I will allow the team of experts to go ahead and introduce themselves and I will disappear for a little bit.

Jim Goldman: Well, good morning everyone. Jim Goldman, CEO and co- founder, Trava Security.

Marie Joseph: Hi, Marie Joseph, Senior Security Solutions Engineer here at Trava.

And I'm Michael Magyar. I work with a lot of customers in the role of a virtual Chief Information Security Officer.

Jim Goldman: So what we wanted to start with was sort of predictions for 2024. Obviously this is crystal ball stuff, no one knows for certain, but we spend a lot of time trying to monitor trends and then trying to project those trends into the future. Sometimes trends converge, that type of thing. And so when we were preparing this webinar, these were some themes that we came up with. The fact of the matter is, although it may be uncomfortable to admit, cyber criminals are still winning and I think they will be for the foreseeable future. It's sort of a sad truth and unfortunate truth, but we can't bury our heads in the sand. That is the fact of the matter. There's a lot of reasons for it. We won't debate that here, but I don't think there's any escaping the fact that cyber criminals are winning and one of the reasons why they're winning is the challenges for us trying to protect our businesses are continuing to increase. So in other words, there's always new threats that are out there. There's always new attack vectors that are being identified. And yet we as cyber security and compliance professionals don't have unlimited budgets, don't have unlimited resources, especially for those of us that are not enterprise multi- billion dollar companies. Now, even multi- billion dollar companies don't have unlimited budgets for security, but the smaller the company is, the smaller the budget for security and compliance. However, and I don't think I have to tell our audience this, smaller companies are just as likely, if not more likely to be the victims of cyber crime. Now, I don't know whether you would... The third trend that we wanted to talk about, and depending on your perspective, this is either good news or bad news, is regulations are increasing. And I'm going to talk about this a little bit later on. The SEC, Securities and Exchange Commission has just issued new guidelines. And so what's happening is as we hear about new breaches almost weekly it seems, and these are high profile. 23andMe for instance, just had all sorts of DNA information stolen, etc. And so our government agencies are feeling like, Hey, something needs to be done. And really the only tool that government agencies feel they have at their disposal to do anything to react with is to create new regulations. So I think you're going to see new regulations. They might be industry specific from industry organizations. The source of the regulations may vary, but I think that there's going to be a notable increase in, let's just call it written expectations of companies in this space. They may be government regulations, they may be industry regulations, but I think that there's going to be increased agreement on expected level of compliance to security. I'll stop there.

Michael Magyar: Yeah, so we wanted to talk a little bit about what we've seen in the industry and what we've seen across the threat landscape. So obviously some of these are recurring themes that we see on a regular basis, but we see some of these also changing and morphing a little bit too. So ransomware for example, has been around for a while, but we're seeing the threat actors become more sophisticated. We're also seeing them attack a little bit differently. So we're seeing a lot more focus on laying low and deleting backups. If you have your backups connected to Active Directory and they compromise your Active Directory, one of the first things they're going to do is look for that. So we're seeing a lot more sophistication from the initial compromise before they actually encrypt everything. We're also seeing a lot more focus on trying to ransom your data other than just encrypting it, but also trying to expose it to the public. We even saw some interesting examples of that with a university that was compromised back in May, and the threat actors actually sent out information through the emergency broadcast system to let everyone know that it was compromised. We also saw a company be ratted on to the SEC for not disclosing that on their form. So we're seeing the threat actors in ransomware become more sophisticated and really try to find alternate ways of getting payment for your data other than just being encrypted. We are seeing a lot of supply chain attacks. Obviously there've been some high target ones. I mean, this has been on for a while if you think about Target and SolarWinds a year or two ago, but now we're seeing a lot of issues. Okta having a lot of breaches recently, and that affecting some big security companies like 1Password and Cloudflare and BeyondTrust as a downstream thing. So this is, I think something that we're just going to see more and more as the actors start targeting the supply chain of that because it's not even just your security, it's all of your vendors and all of the software you use and it's the security of them. IoT has obviously been around for a little while, but we're seeing this increase more and more with more industrial automation. I just bought my first smart light bulb a couple months ago, so even at the home side, we're seeing a lot more use of this. And I think what we're going to see is, especially if we couple that with supply chain attacks, we're going to see IoT become even entry points into people's networks, whether it's a corporate network or even your home network as we see more work from home. So I think this can be really not just botnets of IoT devices attacking things and performing denial of service attacks, but also as entry points. AI obviously is one of the biggest things that's happened this last year, and there's a lot of issues there, but I think the big thing we're seeing as a threat for data is companies accidentally leaking their data or customer data back to the model and then having that be able to be pulled back out. And then even though this doesn't seem like a security threat, actually, I think customer and regulatory noncompliance is one of the biggest threats that businesses are seeing. Because at the end of the day, if you don't have revenue, you don't have a business, and if you lose customers because you're not keeping up with your cybersecurity requirements and the increased requirements that customers are placing on you, then that's going to end up becoming a problem for you from a business standpoint. So that ends up being a risk. I think we have a, if you hit one more, Marie. Yeah. With this, we're seeing a lot of trends too. We're seeing more and more focus on zero trust and strong authentication methods coming along with that. We're seeing a lot vendor products that come about with that. Some of them are great, some of them are really complicated. There's a lot of effort to put those in. We are seeing a lot more cybersecurity awareness training being pushed on other organizations. I hope in the future in 2024 we'll see consolidation. I seem to have to do that for about 16 different companies that I work with. Each one of asks me to do the same cybersecurity training. Obviously AI is not only becoming an issue from a threat standpoint, but it's also allowing us to become more powerful from a defense standpoint as well. We'll talk about that in a minute. And I think as we've all seen so far, vendor and customer requirements are really becoming a big trend, and I think we're going to see this even more in 2024.

Jim Goldman: Hey Michael, one example of the IoT security that got some publicity recently that the listeners on the webinar may not be aware of is there is an Iranian cyber criminal group that attacks several water treatment plants in the United States based on their access to these IoT devices. They're sometimes also called SCADA devices. So some of you may have heard that term before. So if any of you are from municipalities or government agencies that, electrical utilities, water treatment facilities, anything that has industrial controllers, please take a extra close look. Unfortunately, and we hear this all too often, the cyber criminals were able to get in because the default passwords hadn't been changed on the industrial control devices and that's all too common a story.

Michael Magyar: It really is. And that's a great point too with SCADA devices and industrial control systems. One of the biggest problems too is you might've spent a million dollars on that system and if you want to upgrade it or change the security or patch it, it might cost you another million dollars to buy a new one. And so it becomes very tricky to find alternate controls to put on that to do network segmentation and keep them off the internet. It's very hard to defend against those types of attacks. Yeah, I think Jim-

Jim Goldman: I muted too fast. Sorry, this is my slide. So ransomware does seem to get a lot of headlines these days, and I suppose correctly so. The United States is obviously targeted somewhat disproportionately. You have to understand that this is strictly a money- making venture on behalf of these cyber criminal groups. I would say two things, two trends, and Michael actually mentioned one quickly that I want to elaborate on. The Securities and Exchange Commission as I alluded to earlier, has come out with these new breach notifications that within four business days, any publicly held company has to report what they consider to be a material breach or a material incident. What is interesting is the cyber criminal groups themselves are, the word tattletale- ing comes to mind, are informing the SEC of successful attacks that they've accomplished and yet hasn't been disclosed to the SEC by the target that they attacked. Does that make sense? So it's almost like they're telling the teacher. Now to what end? I don't know, maybe to put pressure on the company that's been attacked to pay their ransom, but I just found it interesting that cyber criminals are actually informing a legitimate government agency. So who knows where this is all going to end up. So the point is, what do we do about this? And again, this notion that we shouldn't be paying the ransom to these cyber criminal groups because we're just funding unknown terrorist activity beyond just the cyber crime. There is an alliance. I have to tell you, I think it's a noble gesture, but if I'm a CISO or a CEO of a company that's offline and facing going out of business, it's going to be real hard for me to say, " Yeah, I'm not going to pay that ransom. I'm sorry."

Michael Magyar: Yeah, 100%. And then there's also issues there with the designated entities that you might be breaking the law by paying that ransom. And so that becomes a very tricky problem for a lot of the companies that are facing those issues.

Jim Goldman: Absolutely.

Michael Magyar: Yeah. So as we mentioned, obviously there's a lot of emerging trends and emerging threats. So here's a few technologies we just wanted to touch on that we're obviously seeing a lot of. The first one obviously on here on top of everyone's mind with ChatGPT, the explosion of that is AI and machine learning. And specifically with this, there's a lot of things that we can talk about here. I think the big thing from a cyber security standpoint, we can really crunch a lot of data now very quickly using some of these models. So I think we're going to see this allowing us to identify anomalies even more so than we have tried using machine learning in the past to do that. But I think it's really going to be interesting to watch the offensive AI versus defensive AI and how that struggle goes back and forth against each other. On one hand, we're punching all this data for anomaly detection, but on the other hand, we see threat actors using AI to predict exploits or using phishing attacks by creating deep fakes or mimicking voices. So even our voices on this webinar could be used to try to impersonate us back to either somebody internally for our company or elsewhere. So it gets very scary when you think about what AI can do even on the offensive side. I do think that one of the other things to keep in mind is that offensively you only have to be successful once, whereas defensively you have to be successful every time. And so even from an AI standpoint, when we think about hallucinations and other issues that are as far as if, let's say an AI system is wrong about an anomaly on the defensive side, there's a lot more damage there than if the AI is just not as successful in attacking. So I think it's going to be a really interesting thing to monitor. I do think, again, we mentioned the biggest thing that we're seeing in AI is just company data accidentally being leaked back. And my two big things here are making sure A, that if you have an acceptable use policy, define what your company's use of AI is, what's allowed, what's not, and take a look at your systems and see what AI components are enabled and do an evaluation to see what type of data might be going back to that. And then the second thing is the same concept on the customer side. If you have an application and you're building AI capabilities in, what does that look like for them? Do they have the ability to opt out? Is it in your privacy statement, et cetera, et cetera. You don't want to accidentally be leaking their data into a model. As far as EDR or whatever acronym we're using nowadays, XDR, EDR, all these other things, I think we're seeing a lot more consolidation of products. So I think we're seeing a lot more solutions that are full stack, and I think that's great in a lot of ways because that's less to manage. It's a lot easier for smaller companies to implement them, but it also means sometimes that components that we used to have best in breed over here and best in breed a different company by consolidating these, sometimes we might be losing capabilities that we had. So I think we just need to be careful of that as we're working through implementing full stack EDR solutions. I do think it's amazing that we can now use these and to support our endpoint at home. We're seeing a lot more network detection and response on endpoints, and so that's really helping us to handle this remote workforce that we're seeing nowadays. And lastly, biometric authentication is great. I'm loving this. We all use our fingerprint on our phones to open up applications and we're seeing more and more of that being pushed to web applications in our browsers through, obviously we've had FIDO2 for a while, but now we're seeing pass keys get a lot of traction. And so those are excellent. We should definitely be implementing those for our users if we can. In a way, it seems like it is dropping it down to single authentication, because now it's just your fingerprint, but you still have to have access to the device that the key material is stored on. So it's not quite that, but it's really helping our users be able to not have to wait for the code after they typed in their password and all these other things. And most importantly, they're phishing resistant. And so I think that's really beneficial when you think about inline phishing proxies and other issues like that. I will say the biggest concern here though is obviously it's privacy issues a little bit. If it's stored on your device only, that's less of a privacy concern. But my concern long- term is you only have one fingerprint. I mean, obviously you have I guess 10, but there's only 10 fingerprints and so you're not really able to rotate that key material. So I think the nice thing with things like pass keys is at least it's not just your fingerprint, it's a key material that was exchanged with the server and stored in your TPM chip and where in your key vault. And so then when you use your fingerprint, that's just unlocking the key vault. So still not perfect, and that is going to be a challenge going forward, but at least it's a little bit less than just your fingerprint being able to be used from anywhere. So some interesting technologies nowadays.

Jara Rowe: All right, as we move on, the team is going to talk more about compliance, but before we get into that, I do have another poll question for you all. It just launched. We are curious, who handles compliance efforts for your company? We'll give you a minute or so to respond. And also Trava team, while we're waiting for people to respond, we did have a question come in the chat about ISO 27001: 2022. Is that the focus for more cyber security and compliance? Do you all want to go ahead and answer that as we wait?

Jim Goldman: Yeah, Michael and I have both kind of replied. Marie may as well. Michael, why don't you go with your-

Michael Magyar: Yeah, and I think unfortunately I replied just to the host and panelists and so I don't think that went out to everyone.

Jim Goldman: I got tricked by that too and then I found everyone tab.

Michael Magyar: So I just responded, Rochelle for you. I hope I pronounced your name correctly, but yeah, we are seeing that a lot more. I know Marie's about to talk about that a little bit, so I'll maybe pause and answer that question after a slide or two if that's okay with everyone.

Jim Goldman: And the only context I added was that that Trava is ISO 27001: 22 certified and I'm happy to walk through the rationale of that decision with anyone.

Jara Rowe: Fantastic, team. All right, go ahead and end the poll. And it looks like the majority of the team is either IT handles it or a CISO or other. I'm super curious about what the other is. So if anyone that chose other could let us know in the chat what your other is, that would be fantastic. All right, Marie, you can go ahead and take over.

Marie Joseph: Awesome. Yeah, we're going to move into some compliance trends and changes that are happening or are going to happen in the near future. So every year there's more pressure to become compliant in different frameworks. The past few years I've noticed a constant flipping between security and privacy compliance frameworks being priority in the SaaS industry specifically. So yeah, the constant change, but I think right now going forward, both are very important. They're not going to go anywhere in the near future, especially if you think about what Michael was just talking about. All of those changes are making privacy and security just even bigger than they already are. And what Jim said earlier too, the cyber crime is just getting worse, not better. So these frameworks have to change and grow with the industry itself. So that's why we're looking at some of these trends and changes that are happening that are listed here on this slide. We're going to see many changes in the security and privacy frameworks due to those technology changes every day and those threats specifically impacting them. Listed here are just a few of the most common certifications and regulations that businesses are being pressured to have or want to have to improve business. Both SOC 2 and ISO are driving the space of security for SaaS companies. So I know that's kind of talking about the question we were referencing earlier. So there's going to be revisions to ISO that happened this past year. So with the 2022 version, that's a bigger one impacting the ones more international based if you're dealing with more international companies. And then SOC 2 is also considering an update too, that drives more of the North American client base, so that's why people go for SOC 2 specifically. Both are great for security, but there's reasons to pick one over the other which we can talk about if people have questions at the end. Other ones we have here that you are probably recognized as HIPAA, that security and privacy that any company should really be dealing with this if they are dealing with any health data in particular. So updates are probably going to be happening to this one soon too, so we can watch for that trend. CMMC has had new changes over the past couple of years. They transitioned from having five different levels to three. Anyone with government contracts will now need to actually prove their security posture to continue contracting with the government. So that's one of the bigger changes there. And then with FedRAMP, they've made some major changes to improve supply chain security and with NIST, they're looking to create new risk management frameworks for critical infrastructure sectors.

Michael Magyar: Yeah, and I'll just make one quick point on CMMC. I think we'll see CMMC actually become, because right now it's not actually a thing from a DOD standpoint, I think we'll see that actually become officially a requirement next year at some point in 2024. I think we're going to see a little bit of a slow rollout. So it's probably, if you're really concerned about CMMC, I don't think you're going to need to get audited if you're a smaller organization or especially maybe not day one, but I think there are two reasons why you may still want to go through and do that. One is that you may be a subcontractor under a prime contractor and if they're required to have that right away, they may want to see your attestation on your side as well too right away. The other thing is it might give you more time to identify the gaps and address them. One of the big things with that is you have to fill out your SIPR score to be able to show where you are there. And so we're seeing a lot of organizations that have filled that out and said that their compliance with 800- 171 is stellar and 110 out of 110, but the issue that we're seeing with that too is that then when they're getting audited and all of a sudden that SIPR score drops because now all of a sudden they're self attestation that they're complying with everything, now all of a sudden it turns out well actually they kind of misunderstood certain things. And so I think it's good to be aware of where your actual compliance is with that so that you don't go from this self attestation that's better than it should be to CMMC audit and then looking a lot worse.

Jim Goldman: And then one quick comment I would add on the NIST 2.0, which I think is supposed to be ratified sometime in the first half of next year is the big addition is they've added controls around governance, which is a little bit unusual. I mean, I'm thrilled about it personally, but if you think, those of you familiar with the NIST Cybersecurity Framework, it's always been fairly technical. You need to do this technical control, that technical control, that kind of thing. And so I think it's great that they've come to the realization like other standards have. I mean, ISO has always been strong in governance, but I think it's great that NIST is saying it's great that you have these technical controls in place, but if you don't have some kind of governance umbrella over it, the whole thing could easily fall apart

Marie Joseph: And always good to get ahead of the changes that are about to happen since you kind of know what's coming and that way you have better planning and don't have to procrastinate before that audit. Next we're going to talk a little bit about essential tips for effective compliance. So this is kind of some high level best practices you can think about. One thing we want to touch on that I think is going to answer some questions that people have is identifying compliance framework. What framework is going to be helping you as a business and helping your security and privacy postures too. A lot of this time, like we said, there's so many different frameworks out there, so deciding which one's actually going to drive your business and drive a profit for you is really important there. What is more important to your customers is what's important there. So what's going to protect your customer's data is what they're looking for and that's why a lot of audits need to happen too because they want a third party to confirm that you actually have that framework in place, but you can also be compliant without being certified. So proving that you have all those controls in place is important too, but selecting the correct framework for you is important, and we have a group of experts here that can help you with that. Another thing is the designation of compliance ownership within your company. This is really important to have someone advocating for compliance within your organization. If someone's not driving the importance of why you're doing it, it's really not going to have the importance for people that are probably in your marketing or sales part. That's why a lot of people kind of name drop certificates and frameworks when they're in the sales process just because it can possibly get you a contract, but then you have to make that promise of getting there. So kind of figuring out which runs are important back to the first point, and then having someone owning it, which ones are we actually going to work on and put into process within your organization. Another important feature here is conducting regular risk assessments. So at Trava we help a lot of clients with this specifically, but a risk assessment is something you should be doing annually as a best practice. There are many ways you can continue to improve security throughout the year and improve your assessment over time. And one good thing is having vulnerability scanning going on a continuous basis. Typically, you have to have that monthly anyways with any compliance framework and showing that you're mitigating those vulnerabilities. A lot of people are going to be looking for that in particular, especially now as everything's constantly changing. You should be running those vulnerability scans pretty often and then just keeping up with any other business risks that are going on within your company. Another point I want to touch on is leveraging compliance technology tools. There are so many tools and solutions that can help make compliance easier for you, starting with some manual processes and then looking for tools that can automate some of those more difficult or time- consuming tasks. You do not need to buy all the tools out there, but invest in the ones that are going to make your life easier along with your security responsibilities. You don't need to have a million contracts with a million softwares. There's some things that are pretty easy to do on your own, you just have to figure out which things are more beneficial to you. And then I want to talk about conducting regular compliance audits. So I've touched on that a few times, but certifications are huge. It's an industry thing that probably isn't going to go anywhere. Certificates are huge in security and technology, so doing that is good to check yourself, check that your own self- attestation, you're doing good, and then having that actual third party confirming that you're doing everything right. Going through those audits is like getting a report card so you can possibly fail them, but you really want to go for the straight A's. And then staying informed on regulatory changes. The world of cyber crime is changing every single day, and as Jim mentioned before at the start, it's only getting worse, not getting better. So keeping up to date with security changes that could impact your business and get you ahead of possible bad scenarios. Then just to touch on, again, seeking on professional guidance. There are a lot of cybersecurity experts out there. You do not necessarily have to be one yourself, especially if you're wearing many hats within your company. Trava is a great place to start for guidance too, but there's other people out there obviously, and just to focus on those changes that are happening in our everyday lives, technology's everywhere so you constantly have to put in those different mechanisms to protect yourself, but there's people that can help you with all the different security and privacy changes that we talked about earlier because next year it's just going to be a little different too.

Michael Magyar: Awesome. Hey, Marie, a question for you, if you don't mind. Of the compliance technology tools, what do you think are the most valuable features or things that they can help you with, if you don't mind?

Marie Joseph: That is a great question. I think a lot of times I see anything that can help with your end point management is a big one. I think that's a bigger, and patch management, those are usually bigger for people to manage on their own and do manually. And then I would say just any GRC tool is really helpful. Otherwise, working out of just spreadsheets and whatever drives you have and having everything everywhere, it gets really hectic by the time your audit comes around if it's not all just living in one place and if you have to go... It's easier to make that evidence gathering throughout the year instead of right before the audit because your life will be miserable.

Michael Magyar: Yeah, I see a lot of organizations that are just, what do we even need to collect and when do we need to do things and what do we need to do each quarter? And I've seen organizations do that successfully with spreadsheets, but also very unsuccessfully with spreadsheets too.

Marie Joseph: Yeah, it's nice to have. It's another check for you too because you can only manage it manually so much, but you'll have something flashing at you saying, " Hey, this is missing." You don't want your auditor to catch you in that.

Michael Magyar: Yeah. I love all the new features we're seeing too with even vendor management and policy creation. It seems like the GRC tools are getting better and better every day too.

Marie Joseph: I completely agree.

Jim Goldman: Thanks, Marie. I'd like to elaborate on one thing you mentioned there, the designate compliance ownership. I would go so far as to say that needs to start at the top. In other words, if senior- most management isn't convinced that this is important, I wouldn't bother to do it, quite frankly because it'll be nothing but frustration for the people trying to do this. One of the measures I would say of the level of senior management support, one of the required elements of a legitimate security or cyber risk management program is what I call quarterly security council meetings. And when we conduct those four and with our customers, there's always C- suite type people there. Usually the CEO, CFO, chief legal counsel, etc. That's the level of people I kind of call them where the buck stops. That's the level of people that need to be informed in no uncertain terms of the cyber risks facing the company. Those same people are always informed of every other flavor of risk, financial risk, brand reputation, risk, competitive risk, etc. Cyber risk needs to be at that same level of exposure.

Michael Magyar: Absolutely.

Jim Goldman: End of editorial comment.

Marie Joseph: No, that's such a good point though because then those people become liable of those cyber risks if no one's owning them. So identifying them is what's really important.

Jim Goldman: They are, you're right. They are in fact the owners of the cyber risk. That's right. And the board, even more to the point, now there's matter of fact, the SEC ruling, there are requirements about the board must legitimately be informed of the cyber risk facing the company.

Marie Joseph: Now I think we're going to have you recap it, Jim, just a little bit more so we can preach a little more of these points.

Jim Goldman: Yeah, okay. How do we keep everybody from getting off of this seminar and driving their car off a cliff? So here's what I would say. Compliance is not intuitive for people that don't have a background in it. It's like any other field of study. You have to have some expertise. Unfortunately, Michael mentioned the compliance platforms, the GRC platforms, et cetera, compliance management platforms, they're spending millions of dollars every month on marketing. And some of my best friends of marketers, I don't mean to insult them, but unfortunately the marketing is at least misleading and potentially deceptive in that they would have you believe that these compliance management platforms are magic and that if you buy it, the platform, they're going to say, well, it's AI driven and you're magically going to be ready to be SOC 2 certified. And they all try to outdo each other. One will say two months, the other one will say two weeks, the other one will say two hours. It's not the case. The analogy I very frequently use is anyone on this call could go out and buy a chainsaw, but that doesn't mean we're qualified to cut down a large tree next to our house without dropping that tree right on our house. It's the same thing with a compliance management platform. Yeah, you can go out and buy one and you can believe that it will magically make you SOC 2 or ISO certified in some amount of time. It's not true. You have to have some measure compliance expertise, and I don't mean to sound this like a plug, but that's where Trava comes in. We have helped many, many customers that unfortunately fell for that and marketing hype went out and bought the platform, got nowhere, were frustrated, and then we came in and were able to help them. So I think that's an important thing just to comment about compliance in general. It's like any other field of study. You need competence in the field in order to properly use the tools that are available.

Michael Magyar: And if you don't mind, I'll actually add one item on that. We had a question from Molly that asked, what tips would you give to a newer startup company that just doesn't know where to begin at all, but that knows need to start with some security? And I have a couple thoughts on that to what everything Jim you just said I think applies directly to that question as far as guidance can really help. Having somebody who does this the same reason, you're not going to start writing a web application without knowing how to code. You're going to find a coder to do that for you. I would also say, I think there's a couple other aspects to this too. One thing I like to talk about is compliance itself. We always look at this as well, compliance, I have to go do this because this compliance framework's forcing me to do it. And I would actually almost turn that upside down. I think compliance, we actually do compliance all the time. Your HR function of your company, even if you're a very small SaaS, does compliance to make sure that the person actually is employable. Otherwise, you could have fines. Or makes you do a background check where even in your interview process, you do compliance to add people to your company. So I think the question really becomes what do you care about as an organization? And if you say, well, what do we care about? We care about making sure that we don't lose this data in this repository. So then the analysis should be what do we do to protect that? Do we have good backups of that? Do we have strong authentication on that? And so I think if you're trying to get started and you're not really sure what to do from a security standpoint, identify what you care about in your organization and put internal control regardless of all the frameworks and all the other things, decide what you care about and design something to make sure that what you care about works the way you want it to. And that might be something simple and stupid to say, but honestly, that can really drive a lot of everything that we do. And then you can augment that. You can say, well, let's see what other organizations are doing and what the standard of the industry is. And you could use something like NIST's Cybersecurity Framework as Jim referenced earlier, or you could use the CIS Center for Internet Security Critical Security Controls, or even something as simple as the Australian Essential Eight. So pick something simple that's a common framework and just say, let's read through this and try to understand which of these might apply to the things that we care about. Going back to compliance being almost an internal thing for what you care about. And then if in the future you have companies that are requesting you to be SOC 2 or ISO, we can always overlay that on top of that. But I think if you're just trying to get started, try to figure out what you care about and if you still don't have a lot of direction, leverage one of those three that I just mentioned, either NIST, CIS, or like Australian Essential Eight. And then as Jim said earlier, there's a lot of people out there that can help too.

Jim Goldman: Michael, I'm really glad you brought that up. One of the things we often tell our customers and potential customers is there's a difference between compliance and certification. And we're not saying that the only way to do this is to go all the way through an external audit and get a SOC 2 certificate or an ISO 27001 certificate. We've got customers that are SOC two compliant and just we help them get there. They just for a variety of reasons, don't see a compelling need right now to go through that external audit and get certified. And that's absolutely fine, every business is different. But you're right, I would say compliance is essential, certification is optional. That's another way to look at it.

Michael Magyar: Yeah, and then defining what that compliance means to you as an organization is really going to come from a lot of factors. Do we care if our systems get encrypted and now we have to pay a ransom to get our data back? What is our mitigation for that? Do we care if people can access the data in our systems or do we have good authentication capabilities there? So it's identifying what you care about. And sometimes that is the certification because that's a customer requirement. Or sometimes that is maybe we are dealing with defense CUI, confidential unclassified information, and we have to get CMMC certified what our Department of Defense is requiring of us. So I think it's exactly right. Identify what you care about and try to make sure that that is working for you properly. And if you need the certification on top of that for a regulatory or customer requirement, great, work for that too.

Jim Goldman: So here's a little bit of a shameless plug. As I alluded to before, we very often help customers that have tried to do this on their own, maybe with one of these compliance management platforms that we talked about. That's sort of what the column on the left, GRC only, governance, risk management and compliance, and what we're able to do, the value that we're able to add is sort of on the right there. In other words, you're dealing with real people, not just a software platform. And the platforms are great, but without the expertise, you're really going to spin your wheels for quite a while and waste a lot of time, which leads to frustration obviously. So we're here to minimize that frustration and get you to whatever goal you might have in the time period that you wish.