Talking through the CompTIA Cybersecurity Audit outcome with Jim Harryman of Kinetic Technology Group. Obtaining the Trustmark is no small feat and requires dedication and effort by the entire organization. In this episode, we will talk about where they find themselves as they navigate the next twelve months and prepare for the next audit.
[00:00:04] Welcome to MSP 1337, a show dedicated to cybersecurity challenges and solutions, a journey together, not alone. I'm your host, Chris Johnson. Welcome everybody to another episode of MSP 1337. This is episode 191, in case you were
[00:00:31] wondering how long this has been going on. And today I have Jim Harryman of Kinetic Technology Group back on the show. Jim, welcome to the show. Good to be back. I think you've been on close to like 50 of the episodes.
[00:00:46] I don't think it's been that many. Okay. But it's been a few, and I thought it was fitting to have you on for this particular episode, as we're seeing a pattern emerge of CompTIA members who are pursuing the Trustmark reaching the point in their journey
[00:01:06] where they've achieved the Trustmark. And you've been on the show before where we've talked about audits, preparing for SOC 2, preparing for the Trustmark or CIS, and what it looks like and how to gather evidence and some other things. And what we haven't
[00:01:23] ever talked about, because it hadn't happened yet, is what does it look like to have achieved the Trustmark, knowing that it's not so much a destination as it is a sort of
[00:01:36] like a turning shift, or you brake for the stop sign, maybe don't come to a complete stop because we don't want that either. But share with me, I get the journey. I think
[00:01:53] those that are listening to the show, we get the journey. It's not easy; the lift is often tied to things that we didn't plan on, like, whoa, yeah, we've got policies, maybe, or we've got, you know, good processes and procedures that are documented
[00:02:09] around these things, and then you start digging into a safeguard. It's asking a very specific set of questions, or a question, and you're like, well, we're doing part of that, and now
[00:02:21] you're realizing, okay, what we thought was a lift that we were already doing is now a new lift that you weren't planning on. So you've made it through that. So here we are at, it's,
[00:02:35] you know, the month of June. I think you started your audit around the beginning of June. What did that look like, and where did it feel like, oh man, this is just gonna, I feel like I'm just gonna have to do so much more than I ever anticipated?
[00:02:48] Well, honestly, I never felt that way, because having been through a few audits before, as we discussed, I'm, you know, I wanted to put something back onto the folks that were going
[00:03:02] to be assessing us and reviewing us, and so, you know, if there wasn't a specific ask, I didn't put it in there. I'm like, right, for the specific, then I'm, you know, even if it's just an example
[00:03:15] of, you know, a piece of evidence, I, you know, I'm like, well, ask me what you really want. So yeah, I took that approach, and for better or for worse I feel like it's been enlightening to me in some
[00:03:30] ways, because it showed me areas of definite improvement needed. For one, it validated things that we've been working on for years, which was great, and, you know, confirmed the
[00:03:49] fact that I knew that this was just gonna be an ongoing process for us. It's not something that we're like, we're done. And that's right. And, you know, jumping into it with that
[00:04:01] approach, or jumping into it with the idea that I have to get everything done before I hit the submit button, is just the wrong way of thinking. You know, I mean, document what you do, and if
[00:04:16] you feel like there are things that you should lift now prior to going that route, then you certainly do it, but the whole goal is for continued improvement, right? And so we're never gonna be
[00:04:30] a hundred percent, ever. It's just never gonna happen. No organization in the world is a hundred percent in any of these things, and so all we can do is strive to continually be better
[00:04:43] and take on the things and prioritize them in such a way that they have the largest impact at, you know, at the lowest cost, whether that's financial or team resources or whatever the
[00:04:59] case may be, to really prioritize it in that way. And that's kind of the approach that we took. I think you bring up a good point with regards to, you know, how you go about
[00:05:12] the areas that you have gaps, right? So like whatever the safeguard is that you aren't doing, or maybe aren't doing to the level that you should be, maybe that's through observation of an
[00:05:22] auditor making recommendations, or just your own self-realization that, when you do improve upon this, and so then you factor in the things like you described: how does this impact us financially,
[00:05:34] how does this impact us from a resource standpoint, and does doing the safeguard put us in a, you know, contrast, or, you know, butting heads with our goals as an organization? Because there's
[00:05:48] definitely, uh, sub-safeguards in there that I've seen that are like, well, we don't want to go too far in that one direction, because now we're alienating or reducing the impact that we can
[00:05:58] have if that wasn't so tight on the way we lock things down. Now, granted, that's probably, especially with the Trustmark, I think that's not as common, because a lot of the safeguards
[00:06:10] are not geared to, you know, put sort of like constraints, and this isn't about bumpers in bowling, you know, for bowling, where we're just wanting to ensure you can, you know, bowl a strike every time,
[00:06:22] but something that comes to mind that goes beyond that, like you've made these decisions, it makes me think of something that you hear commonly talked about for those that are pursuing
[00:06:32] CMMC, and that's, you know, the POA&M, and for those listening, if you don't know, it's plan of action and milestones, and one could argue that that's what we call projects, but in this plan of
[00:06:44] action and milestones, because this is built differently, this is about, we believe at CompTIA, and for those doing the audits, that this is something that's going to take you 90 days plus. If it's inside
[00:06:55] 90 days, you know, we just want to hear that those are things that you're working on, you plan to get them done in a short timeframe, timeline. But getting into the POA&M side of things,
[00:07:06] as you went through the Trustmark, where did you land? Where did it feel like the most effort is going to be as you prepare for the audit, you know, 12 months from now?
[00:07:17] Um, it's going to be mostly on the administrative side, I believe. You know, revamping some policies to line up with everything a little more appropriately than they did when I submitted them. And like we discussed, it's not like there's anything just so out of whack
[00:07:41] that it's indiscernible, right? But there's some clarity that needs to be brought into our policies, and some, you know, clear consistency across the board with them, that
[00:07:58] need to be better defined, I believe. And so that's going to be probably the biggest lift for us, is just going through. I mean, we have some policies that are really, really good and strong,
[00:08:10] but we definitely have some that, when initially written, were really process-based policies, right? I mean, we took a process and we made it a policy just so that we could
[00:08:26] say that we technically had a policy, and it wasn't, I mean, there's still a policy, but there's just way too much information in some of them that needs to be redacted out of the policy
[00:08:40] itself and then, you know, either referenced in some way or something along those lines. And then we have a couple of spots where we didn't have specific policies in place that we are
[00:08:52] going to have to write and implement as part of our POA&M. So that's to say, if you don't have a policy, that means you have to write it right now, either, and that's the cool thing. And that would be
[00:09:07] that way within, I wouldn't say any audit necessarily, so to have some specific things called out that you have to have prior to getting it, and then everything else, you know, they write down as
[00:09:23] exceptions that they want you to improve on before the next time. And to the Trustmark, that's the POA&M, that's going to be the exceptions: these are the things that we found, you're going to
[00:09:36] need to do. I don't feel like there's going to be any real financial area that we need to dive into yet. I think the biggest, honestly, the biggest thing I've seen
[00:09:54] in any of the frameworks is when they start getting into DLP and data loss prevention, and I think that's probably going to be, you know, one of the biggest, heaviest financial lifts for anybody in our industry, specifically that doesn't really do that. I mean, obviously, like, Microsoft
[00:10:14] has implemented DLP to a certain degree, Google has implemented DLP to a certain degree, if you're using some type of, you know, email filtering, there is some DLP built into that too, but taking it all the way,
[00:10:29] like you go into it, you know, down to the endpoint and, you know, seeing if something gets copied off to a USB drive or something, I mean, that gets pretty expensive. Sure can,
[00:10:42] yeah, absolutely. I think that kind of covers some of the arguments you hear from a lot of participants, not necessarily in the Trustmark, but, you know, going through frameworks, wanting to
[00:10:54] prove, or a lot of status standards, and you see things where, you know, the assumption is, well, that product or service costs too much, so therefore I'm going to do nothing. And the reality, and I
[00:11:08] think even when I had my MSP I was guilty of it too, I wanted the next best thing, like if the product could do more and better and it was easier to configure and it was shinier, and, you know, although
[00:11:19] the, you know, polish was on it and it made it, I mean, look at, then I wanted to go there. But the reality is, when we're talking about cybersecurity, in many cases okay is actually great, because
[00:11:32] previously you did not have okay, you had a hope and a prayer, right? Like, well, if we're not monitoring it then we don't have to remediate it. Like, well, it's not really a good look. And we've talked
[00:11:44] about this before, right? We talked about, like, what do you do with event and alert logs, how often should you look at them. Trustmark, CIS, they say, you know, you should be looking at least weekly,
[00:11:54] if not more frequently, and you hear the, we don't have the bandwidth to do that. Well, why not? Like, I mean, what's the priority? Because we know that the dangers that occur that are
[00:12:09] reflecting what's happening in your organization come through those doors, right? Like, if you're monitoring what's coming through that door, need a little bell chime every time the door opens,
[00:12:19] you know, somebody came in. And I think that's the scare here, is FTE is where the biggest hit's gonna come from. When you implement any of these new, any safeguard that you haven't previously
[00:12:32] implemented, is gonna primarily be on your internal resources, and so the loaded question has to be, what makes more sense: do I engage a third party to help manage this, or do I have the resources
[00:12:45] that won't be overly burdened to do this with what I already have? And I think that's how you must go about making decisions around tools and services anyways, right? Because you're up, again,
[00:12:56] gonna buy that, and then, well, what's the impact? Yeah, without a doubt. And I, you know, like one of the things that, and this kind of gets completely off on a different tangent, but
[00:13:09] if you have really worked to streamline your operations and you have KPIs in place to continually meet your goals, operationally speaking, you will find the time, and it exists. If you can't find the time, then find out what is wasting your staff's time. Yeah. And address
[00:13:36] those things, because I feel like that's one of the things that set us up for success going through these types of audits the last five years, is that we worked really hard for like a decade
[00:13:50] on operational maturity, right? I mean, it was at the cost of financial success and profitability, that lining out our operational maturity helped us find the time to
[00:14:06] put resources on the items that we needed. It's not to say that we still, you know, struggle to carve out the time that we need, particularly on the policy side. Anything administrative,
[00:14:24] it's going to, you know, go to the point of the list, because none of us are that way. But when the rubber meets the road, and that's why to me going through something like the Trustmark
[00:14:39] is so important, is that there's a level of accountability involved where we are being held accountable to it. I mean, obviously we can say, you know, forget this, I'm not gonna do this and whatever, but
[00:14:52] what good is that doing you? You know, I mean, if you're not being held accountable to a set of standards by a third party, then, you know, things just aren't really ever going to get done.
[00:15:07] I mean, at least that was my case. I'm not gonna say it's not everybody, but I know how I am, and without the accountability in place it just wouldn't. And so that's why it's important
[00:15:22] to our organization. For that, well, I mean, to some extent one can argue that the reason why you go get your eye exam every year is because you want to make sure that there isn't something
[00:15:33] potentially wrong with your eyes. You know, the Trustmark or any framework that you're being audited against is a point in time to be checked that you are still meeting said safeguards. What I think makes a big difference between what other frameworks are doing versus the Trustmark
[00:15:52] is the goal isn't to pass at the point in time; the goal is to show continuous improvement over time. And I think that's a big difference between the goals that we set, right? Because
[00:16:09] anybody can pass a test at some point if they've done enough prep to prepare for the exam, but usually after you're done preparing for an exam and you've taken a test, then you are not
[00:16:20] focused on that anymore. Like, it's like, oh, we got that done, got an A, moving on to the next thing, and you forget about it, right? And then 12 months have gone by, like, oh shoot, we've got to prepare
[00:16:32] for this test again. And I saw this with other frameworks, like I've been through a few SOC audits, and I always remember, like probably about 45 to 90 days prior to the next audit, you know,
[00:16:44] we were going back to make sure that we had updated the evidence for the different things that needed the reports or whatever it was, and, you know, we started noticing, wait a second,
[00:16:54] where we're doing this almost to check the boxes off, versus making sure that, as an organization, we're just showing more of an improved approach to being ready for that, rather than having to go
[00:17:06] and hunt down and collect some, you know, new screenshots from, you know, that happened inside the last 12 months. So having that's it. This morning I had a meeting with our security team and I was telling
[00:17:21] them that, you know, here over the next week or so we're going to be getting our POA&M from the Trustmark, and based on that we'll be lining up all the things that we all have to do
[00:17:37] collectively or individually for that. And I told them, I'm like, here's the deal. I mean, yes, we have all these, you know, in our meeting minutes that we do these things and everything else,
[00:17:50] and I said, but we're going to start expanding that. We're going to start, every time we do this, there's going to be, you know, not just the meeting minutes, but we're also going to have
[00:18:01] some other supporting documents that we're going to start collecting as we go through the process. I mean, we've been doing this long enough now where that should really be a relatively easy thing for us to do.
[00:18:15] It's not easy in the beginning. I mean, it is like you said, it's like, okay, oh crap, we got to do all this stuff. But if you, you know, SOC 2, you've got type one, type two, point in time or over a space of time, and they're not,
[00:18:29] if that's something that you have to do, you can't, I mean, I guess you could, but it's unwise to, you know, falsify evidence for an audit, for a number of reasons. I mean, you just don't want
[00:18:44] to do that. And so they're going to want to see, you know, screenshots and times and dates, and that they are lining up. If they see something with a screenshot that has one date, but the date on the document
[00:18:57] is newer than the date that shows, I mean, it's pretty obvious stuff. So, but that's really, to me, kind of one of the next phases for us is being there. We got a little lapse on it
[00:19:14] between our last SOC 2 audit, because we were going to go to a type two and then opted to get the Trustmark instead. And it's not to say that we won't try to achieve the type two again
[00:19:28] down the road. That really is just going to depend on whether or not we get a demand for that type of something from a client or a prospect or something like that. Hopefully the Trustmark will
[00:19:42] satisfy in lieu of, but I believe it will. And even before, when we had the SOC 2 active, we never really called out SOC 2, we just said that we were independently audited by a third
[00:19:57] party, and that usually is sufficient. Which is funny, because most frameworks actually have language that says you should be regularly assessed by a third party. So it's in the Trustmark, I think
[00:20:11] it pulls the one from ISO that basically says you should be assessed by a third party. So I'll be interested to sort of keep track on your progress as you guys are entering into the stage of
[00:20:23] working through the POA&M. You know, the POA&M isn't all of it, right? So there's still the entire Trustmark areas that you may have been at the, what we would call,
[00:20:36] doesn't necessarily need improvement, but, you know, how do you, you got to continue to maintain it, right? You got to continue to make sure that it's staying at the level that your organization is
[00:20:46] comfortable with. You know, some might say, like, oh well, it needs to be on all systems. I would question the quality of that statement on some of the safeguards that are in there, because that
[00:20:55] might just be a little bit extreme. But as you're working through this, correct me if I'm wrong, but you said that this is largely an impact to business and administrative tasks, not the
[00:21:08] impact on your engineers and the technical side of things, because really, as you went through this journey, and you did it before with SOC 2, and I would question then, is this about your staff
[00:21:22] recognizing that the POA&M is just part of, like, getting everybody rolling in the right direction, those are the big items that we're just not where they need to be? But are
[00:21:33] you seeing where your staff is saying, look where we're at, Jim, you know, across the board, you know, we did well in these areas? You know, so I'm getting at 177 POA&M items, you know, so what is,
[00:21:45] how has that conversation gone? You had the security conversation. You know, what's the biggest fear now as you leap into the POA&M side, and recognizing that a lot of this is going
[00:21:56] to be around documentation, policy, how people interpret what's in those policies? Yeah, I think that's definitely part of the challenge, and I think as our leadership needs to really
[00:22:13] review the policies and start to rework them as needed, we will be looking at how it impacts the rest of the staff and their daily stuff. And, you know, look, we've had
[00:22:28] challenges on the resource side as we have adopted a lot of these things, and just last week alone, especially as we've started to roll these assessments downhill into our clients, right?
[00:22:44] I mean, that's when the real heavy lifting starts to happen, um, as you start doing it for not just one company, but, you're right, for a hundred dollars. But I think that's part of why
[00:22:57] we do this, right? Like, because the reality is, you as an MSP, your primary function isn't how to serve your internal IT department or your internal staff. That's not how we got started in the MSP space.
[00:23:10] It was to provide services to those that couldn't do it themselves, and we largely relied on our own internal staff to do the things on their own systems that we are getting paid to do on clients'
[00:23:23] systems. So I think, and it's my hope here, is that as we work towards a client profile, that the big takeaway is what is really the responsibility for the client as they are working towards
[00:23:38] satisfying a Trustmark, and how does the MSP have to be involved in that for that to be successful. I don't think it's your responsibility to define their acceptable use policy, but I would argue that
[00:23:53] change management, that might be one they should be able to do, but things like vulnerability management or EDR-type stuff, they are very much relying on you to make that a reality, or you wouldn't be in
[00:24:05] the room with them. And how well are those things actually being tracked, documented, and truly, clearly implemented, where it's not just you saying we provide the services to the client; the client is saying we know these services are being deployed, and we have the reports and the
[00:24:22] evidence to support that. Because I don't know about you, but I don't know how many times we would have scenarios where we're like, oh yeah, we do firewall management for that client, and you realize
[00:24:32] there hasn't been a firmware update done on that particular firewall in two years, because it just was one that got missed and it continued to work just fine. So, exactly. But again,
[00:24:46] well, and that goes back in time to when, you know, the exploitation of vulnerable environments I think was far less targeted than it is today, for, you know, damage to self and clients. So
[00:25:00] you don't know what you don't know. I think that pretty much sums up where we're at. So, any piece of advice for anybody that's still working towards their Trustmark audit, or is
[00:25:13] you know, looking at doing an audit through any of the other frameworks. I would just encourage them to just keep pressing on, and if they're struggling with, you know, time and all those other
[00:25:25] things, it's, you know, really focus on identifying, you know, why you don't have time to, what I would consider, and what I believe, you know, CompTIA or any auditing body would consider, time to run your business, to actually run your business. And because that's what this is
[00:25:45] ultimately all about. I mean, it's not just about MSPs in the space that we're in, but it's like so many of us started a company because we were good at something and didn't really understand
[00:25:56] jack squat about running a business. If you're going to be in business, learn to run a business, and this is part of the start of, there we did. Absolutely. All right, well, I appreciate your time
[00:26:09] as always, and this has been an episode of MSP 1337. Thanks, and have a great week.

