With FFIEC retiring the CAT assessment in August 2025, it might seem daunting to consider other frameworks as a path forward. I sat down with Dan Sitton of Guardian Technology Group to discuss his background in working with banks and some suggestions for the future.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:22] Welcome everybody to another episode of MSP 1337. I'm joined this week by Dan Sitton of Guardian Technology Group. Dan, welcome to the show.
[00:00:32] Thanks, CJ. It's good to be here.
[00:00:34] Dan, we've been talking about doing an episode or at least been talking mostly about things that are tied to FFIEC and the announcement of the CAT assessment going away in August of 2025.
[00:00:51] And I thought it'd be a good idea to have this conversation and you and I have gone back and forth on this as it pertains to, well, what does that mean for banks that have been, you know, annually going through the CAT assessment and, you know, measuring their maturity in the cybersecurity space against that model?
[00:01:10] And, you know, we talked about the announcement and how they kind of went into detail of like, basically, we don't want to compete anymore with what we see as the maturity of other frameworks sort of saying, hey, this CSF version 2 and CIS top 18 and so on and so forth.
[00:01:29] But I think, and I'd love you to elaborate a little bit. One of the things that you pointed out and I agree is, well, what about the things that banks have been measuring for that are no longer found in those frameworks that are currently being maintained and moving forward?
[00:01:48] Yeah, so we both have a lot of questions, CJ. So, and so far they haven't released anything specifically. So just to give like a quick overview, overview in case somebody is not, not familiar with the CAT, the FFIEC CAT.
[00:02:05] It's a cybersecurity assessment tool for the FFIEC, which governs and regulates the banking industry. And it's like 513 questions that each bank has to go through.
[00:02:15] They answer those questions with a multitude of different domains. The way that you answer the questions says whether you're like sub-baseline. Baseline means that this is, you've got to do at least this.
[00:02:29] You're meeting the minimum requirement.
[00:02:31] Yes. And then it goes to evolving and then it goes to so on and so forth, advanced. And it lets you see where you're at.
[00:02:39] Now there are tools out there, like actually like Tandem, that will tell you how you compare to your peers of the same, same asset size.
[00:02:47] Sort of a radar with your industry, right?
[00:02:50] Yeah. It's an awesome, awesome tool. Oh, and I mean, there's banks that, I mean, they, they live in, I mean, there's banks that just do a whole drone whenever they have to do it.
[00:03:01] But at the same time, it's, it's a great tool. It's got a lot of great stuff in it. Our big question was, is, so if we do a gap analysis or, or if we take like any of the major three or four frameworks and we compare it against the FFIEC CAT, what happens with those, with those pieces that fall outside that are in the FFIEC?
[00:03:27] Let's say we use NIST CSF 2.0 or CIS-8 and you've got this, you've got this group of different controls that are no longer, that don't fit inside one of these frameworks or one of the frameworks.
[00:03:41] What happens to those controls that are just laying out there that are no longer being looked at or, or, or managed or maintained?
[00:03:49] Is that going to be an expectation for the examiners? Are they going to, is it, since it's in the FFIEC IT workbooks and handbooks, they're just going to expect you to do it regardless?
[00:04:04] I don't know.
[00:04:06] I call that the implied or the unwritten, you know, I think has been around for a long time, but, but specifically to your point, the thing that concerns me is the lack of direction around that as far as a public announcement, right?
[00:04:22] Like, Hey, there's, here's some options. We're not going to tell you which one you should use, but here's some options.
[00:04:29] And you're like, well, these are very different options in the way both that they were written for the, for the audience they were written for.
[00:04:37] And the, the spirit of the way in which they approached the, the prescriptive, you know, outcomes like, Hey, minimum objective is X.
[00:04:45] Well, not all industries would have the same.
[00:04:51] If we were having a conversation in the break room and you're banking and I'm, you know, retail, they're not necessarily going to be, you know, close enough together to be like, Oh yeah, your minimum objective and mine are, are identical.
[00:05:04] And there's a lot more at stake feasibly for the bank than there is for the, the mom and the mom and pops retail shop.
[00:05:12] Yeah. And the other thing is the National Credit Union Association has still not come out with a statement saying that they're going to no longer use the CAT.
[00:05:23] So we could have a fork in the road here with credit unions versus banking.
[00:05:27] As far as they're concerned right now, and the credit unions are concerned from water, from the, like the, just talking to different people that I've, they're still, they're still using the CAT, the FFIEC CAT tool.
[00:05:39] Well, I don't know what they plan on doing, but because I know that they're going to retire it, but they still, NCUA has not come out with a statement saying that we are no longer using the CAT.
[00:05:50] The FFIEC CAT.
[00:05:51] And they, we should start looking at other, I think that what they're going to do, especially examine examiners next year, just from, I've been in banking for 20 years and worked with examiners from the state and the federal level.
[00:06:03] Most every year for, I don't know how long, but I think that they're going to do like, um, if it's in the handbook, because there's, there's multiple different handbooks with in different domains of cybersecurity and IT management.
[00:06:19] Um, I think they're going to say, if it's in the handbook, then we're, there's going to be an expectation and they're going to do kind of a best effort.
[00:06:25] Uh, and, and they'll know that there's going to be like some growing pains there because these risks that were these are these concerns that we're talking about.
[00:06:35] There's no way before that statement was released that they didn't come up by somebody.
[00:06:40] Right.
[00:06:41] Uh, and, and was, I don't, I don't understand either why there wasn't more guidance, because if you look at the FFIEC handbooks and the work programs that the auditors use,
[00:06:53] they're both available on the FFIEC website, I mean, they are very, very, uh, concise.
[00:07:00] And, um, I mean, there's tons of documentation out there.
[00:07:05] They're usually really good about putting out stuff and making it clear.
[00:07:08] I tell you, one of the things that I am excited about, especially for these smaller banking institutions, like the smaller credit unions and banks, is being able to use something like the CIS 8.
[00:07:21] To where, to where, to where, to where, cause when you look at the FFIEC CAT, I mean, it's, it's written for banks that are 50 million up to 50 billion.
[00:07:32] Right.
[00:07:33] And some of that stuff questions in there.
[00:07:35] Yeah.
[00:07:35] And there's 500.
[00:07:37] Yeah.
[00:07:37] There's 500 questions.
[00:07:38] And some of that stuff is just like, man, there is no way a bank.
[00:07:43] Like under like 5 billion could afford to do some of that stuff or do all the due diligence involved with maintaining it correctly.
[00:07:53] Now they can, they can check the box, but I mean, doing it to the spirit of the letter as in what me and you would say, Hey, I feel good.
[00:08:01] I put my stamp on this.
[00:08:02] I'm good going forward on this.
[00:08:04] It's just impossible.
[00:08:05] Having something where you've got like, Hey, here's the baseline for a smaller institution.
[00:08:09] Here's the one for a medium institution.
[00:08:11] Here's one for a large institution.
[00:08:13] That is kind of, that is nice.
[00:08:14] And I think that will be beneficial.
[00:08:16] Well, I mean, so I think this, this actually puts us in a spot to sort of like a transition
[00:08:22] here into what they think bigger than, than how this conversation started.
[00:08:25] And that is when I look at all of the frameworks that are out there and there's a lot and they
[00:08:31] keep coming, right?
[00:08:32] We've had, you know, FTC safeguards is, is relatively new.
[00:08:36] We got CMMC final ruling, you know, going into effect in, in the coming, well, not too far
[00:08:42] out.
[00:08:43] And, and there's just all of the conversations have come back to what you just said, based
[00:08:48] on the size of the organization, uh, the capability of the, of the organization is largely
[00:08:53] dictated by the resources that can be allocated or the money that can be, uh, allocated to, you
[00:09:00] know, at least bring in third party, you know, the capability doesn't say, you know, you have
[00:09:04] to do this with your own staff of, you know, allocate one of your seven employees and get
[00:09:08] this done.
[00:09:09] Obviously you can, you can outsource and, and obviously this fits with where you're
[00:09:13] at and the role that you play as a consultant.
[00:09:15] But what I think is a commonality across all of these frameworks is they're trying to solve
[00:09:20] problems without targeting a specific business size or industry, right?
[00:09:26] Yes.
[00:09:27] FFIEC obviously is very specific, but when you look at some of the others that are out
[00:09:30] there, they're targeting specific data types, not necessarily the industry that that business
[00:09:35] is serving.
[00:09:36] And so what I think, what I see happening, and I think this is where we have a big opportunity
[00:09:42] is we need cyber hygiene to mature across all businesses.
[00:09:47] And I think when you look at the spirit of the frameworks that are out there and the goals
[00:09:52] that they largely have, it's to increase the protection and reduce the probability of exfiltration
[00:09:59] of data.
[00:10:01] And so that means that you have a lot of options now with maybe the cat, you know, sort of
[00:10:06] going away in this context.
[00:10:08] And the reason I say that is if I am working with a small bank and they only have, let's
[00:10:12] say they're that sub 10 million, you know, 20, 30 employees, maybe they're just a one-off
[00:10:17] regional bank, right?
[00:10:19] How do you go about helping them with that cybersecurity without it being like, well, this
[00:10:24] isn't in our budget?
[00:10:25] Yeah, no kidding.
[00:10:26] Maybe banking shouldn't be in your budget either.
[00:10:28] But when you start having the conversation, I don't know any business that's not intentionally
[00:10:34] in the cybersecurity space as their business that walks into the, you know, the boardroom
[00:10:40] or the conference room on a Monday morning is like, hmm, I think we should allocate 5% of
[00:10:45] our revenue to cybersecurity.
[00:10:46] Yeah.
[00:10:46] What do you guys think?
[00:10:48] Um, and that's the reality.
[00:10:50] Like if someone were to come in, say it was you coming in, say, Hey, I don't know if you
[00:10:55] know this, but if you want to stay in business, you should be considering somewhere between
[00:11:00] five and 10% of your revenue should be allocated to a budget that improves your cybersecurity
[00:11:05] hygiene.
[00:11:06] And I think they would all laugh.
[00:11:08] Well, we don't have that kind of budget.
[00:11:10] Well, why not?
[00:11:10] Well, we have this and we have this and we have this.
[00:11:12] It's like, yes.
[00:11:13] But until I had this conversation with you, that wasn't even a consideration.
[00:11:17] And I think that's the piece that we desperately have to change.
[00:11:21] I think vendors have to help us with this.
[00:11:23] You mentioned Tandem.
[00:11:24] Um, you know, and it was funny before we got on this call, I literally just started laughing
[00:11:28] in my head.
[00:11:29] Like how many tools can we talk about in a 30 minute conversation that is, you know, as
[00:11:36] many grains of sand as there are on a beach are the approaches to GRC.
[00:11:41] Um, like what for you as a consultant, what gets you excited about a GRC platform when you
[00:11:48] see it for the first time?
[00:11:49] What's, what's a trigger for you to be like, Hey, I want to explore this further.
[00:11:54] Well, I mean, of course, for, for me, it's going to be like, how, how, how automated is
[00:12:00] it going to make things and how much more efficient is it going to make my consulting business?
[00:12:05] So like from a data collection standpoint, yes, from data collection, but also in risk
[00:12:11] categorization, uh, that's, that's super important.
[00:12:16] Also just being able to manage it, the project management capabilities of the, of the software.
[00:12:22] So the other thing is like, yeah.
[00:12:25] And, uh, being able to like, um, how about cross framework walks where I have an answer
[00:12:33] for a safeguard and, you know, maybe get a prompt that says, Hey, you want to be
[00:12:37] answered a similar question.
[00:12:40] Would you like to see that answer?
[00:12:42] You're like, well, as a matter of fact, yes, I would.
[00:12:45] Yes.
[00:12:45] And, and also being able to add in your own risk.
[00:12:49] So that's one that's not in a lot of them.
[00:12:52] Um, but being able to put in like, Hey, this is not specific to every framework, but this
[00:12:59] is organizational specific.
[00:13:01] And it's something that's a high, like a critical risk that we need to take care of, or it's
[00:13:06] in our risk appetite statement.
[00:13:07] Being able to put something like that and then manage it with a short midterm and long-term
[00:13:12] strategic goal.
[00:13:13] Sure.
[00:13:14] That's awesome.
[00:13:15] That's very nice.
[00:13:15] I mean, that's something that usually stands out to me or would stand out to me.
[00:13:19] I would, I would add a business impact analysis is often not found.
[00:13:23] Oh yeah.
[00:13:24] Because that is, that's rough, especially if you haven't done quite a few of them, like
[00:13:30] you have CJ.
[00:13:31] Uh, I mean, the first time you do one, it's, it's like eating an elephant.
[00:13:36] It's very intimidating.
[00:13:37] Uh, and the questions that get asked, you know, like what, what's the probability of flooding
[00:13:42] or fire or, you know, a lot of the natural disasters and like we have insurance for that.
[00:13:47] Well, that's maybe true, but like when we look at it, it's still going to happen.
[00:13:50] Yeah.
[00:13:51] And do you have the offline procedures for when it does happen?
[00:13:54] Yeah.
[00:13:55] Communication, uh, management ready to tell everybody, Hey, don't come in or, or, uh,
[00:14:02] Yeah.
[00:14:02] It might be a very different communication protocol for California than it is for, you know, you
[00:14:08] know, Chicago, right.
[00:14:09] Or for like, yeah.
[00:14:11] Yeah.
[00:14:11] Or for Miami.
[00:14:13] And so with those things in mind, you know, I often think that we're kind of talking about
[00:14:18] the low hanging fruit.
[00:14:19] These are, these aren't necessarily easy to have answers for, but they're at least realistically
[00:14:25] something that we can plan for because we understand what those things potentially look
[00:14:30] like.
[00:14:30] It's not the same as going, well, I think we're going to get ransomware through 365 on
[00:14:35] a Tuesday.
[00:14:35] Uh, you know, it's going to hit active direct, like those are not things that you can plan
[00:14:39] as easily for, uh, because they don't have predictability.
[00:14:43] Now I'll tell you, I did use, I did use a GRC platform in the past that actually did look
[00:14:49] at like you would put in your location and it would actually look up demographics.
[00:14:53] The, the risk demographics for your area.
[00:14:56] And it would tell you, Hey, this is a higher risk.
[00:15:00] But that's on a much smaller scale than what we've seen in the broader GRC players that
[00:15:05] are out there.
[00:15:05] So, so do you, so we've highlighted the things that we say we want in the GRC platform.
[00:15:10] I bet for every five platforms we look at, we wouldn't get more than three of those things
[00:15:16] that we've listed.
[00:15:17] If we're lucky, we'd get four or two, probably two.
[00:15:20] That's fair.
[00:15:21] Because I mean, it's, it's a lot of work.
[00:15:23] So, uh, I, I mean, I, I don't know.
[00:15:26] I think, uh, I'm using Synomi right now and I'm really impressed with it.
[00:15:30] That's a good product.
[00:15:31] Yeah.
[00:15:31] For good things about that.
[00:15:32] It is nice.
[00:15:34] Um, it doesn't have everything in it.
[00:15:36] It doesn't have a lot of the customization in it.
[00:15:38] Uh, I think that's a good point to bring up.
[00:15:40] Like when you're looking at GRC tools, what, where's your area of expertise?
[00:15:44] Like if you're out there looking for a tool that helps you with CMMC and you land on a product
[00:15:49] that's really good with HIPAA compliance and that's their primary focus.
[00:15:53] That's probably not the right tool to use with the goals that you have for, for consulting
[00:15:59] or, or even as a business that needs to meet, you know, those, those safeguard requirements.
[00:16:04] It, this all makes me come all the way back to the CAT.
[00:16:08] And, and the reason why it does is the one thing that GRC tools really are not is their,
[00:16:14] their focus isn't as much on the gap analysis as it is on giving you the glorified spreadsheet
[00:16:21] to plug your answers in and then give you some sort of like, uh, output of like you've
[00:16:26] successfully completed this.
[00:16:28] Yeah.
[00:16:28] Or you need to put this into your POA&M.
[00:16:30] The CAT tool, um, the CIS, uh, CSAT light and CSAT Pro.
[00:16:36] Those are all tools that are designed around you identifying where you have gaps specifically,
[00:16:43] as opposed to, as opposed to a, just walk through and answer all 500 questions.
[00:16:47] Right.
[00:16:47] Like, um, you know, I, I, can I, can I amend my answer right quick?
[00:16:51] Yeah.
[00:16:52] Other, other things.
[00:16:54] The other thing that would be so awesome is if they had the maturity model and, and like
[00:17:00] either one through four or it's implemented, it's partially implemented, it's documented,
[00:17:06] but it's not managed.
[00:17:07] It's, it's managed, maintained and measured.
[00:17:10] Yes.
[00:17:11] Uh, if they had that, that would, and then take those into the risk score.
[00:17:16] Or because I mean, if you've got, let's say something's very critical and you, you answered
[00:17:23] yes, because you sort of do it in a sort of way, or you've got a third party that kind
[00:17:27] of does it.
[00:17:28] Well, it's a lot higher critical risk if it's not being monitored, maintained and measured.
[00:17:33] Well, so let's ask that question.
[00:17:34] So you brought up a good one of like a way in which to, to do, I don't want to call it
[00:17:39] accurate scoring, but it's definitely accurate as far as what they're doing.
[00:17:44] If you looked at that, like this, like ISACA CMMI model maturity, maturity model.
[00:17:49] Yeah.
[00:17:50] Like that.
[00:17:50] I mean, if, if you could do something like that and then, and then run that into the risk
[00:17:56] score and build the strategic plan, uh, based off of criticality off of that, that'd be
[00:18:02] awesome.
[00:18:02] And isn't that the same?
[00:18:04] That's the same as the, is that follow the same as NIST, the one through five?
[00:18:08] Yeah.
[00:18:09] It's exactly the same.
[00:18:10] Okay.
[00:18:11] So pretty much the same.
[00:18:13] Well, what, what bothers me is, okay.
[00:18:14] So we've described a five point model, which is the, the NIST score, right?
[00:18:19] The one through five you've gotten, I think five is like, you are exceeding the requirements.
[00:18:24] It's a very mature model.
[00:18:24] It walks you through like ad hoc, uh, documented, but not automated some of that stuff.
[00:18:30] And obviously there's some things that you can't automate.
[00:18:32] They're already done, but it's not documented.
[00:18:34] Right.
[00:18:34] Right.
[00:18:35] Uh, and then that gets into like, now you're talking about like the CIS model.
[00:18:38] When you look at, you know, uh, do you have a policy?
[00:18:41] It's like, uh, informal, not documented formal or sorry.
[00:18:45] Yeah.
[00:18:46] Documented, not so on and so forth.
[00:18:47] Right.
[00:18:47] And then you can put not applicable.
[00:18:49] Well, CMMC is another one, what they have the three point model where it's like, uh,
[00:18:54] or maybe it's, you can have it in your POA&M.
[00:18:58] If it's a, a one, you can't have it in your POA&M.
[00:19:01] If it's, I mean, there's so many things that are out there right now from a maturity standpoint,
[00:19:05] I think at the end of the day, when I'm looking at the maturity process, I want to have a clear
[00:19:11] picture on, and I would even approach this from like more of like the standards-based grading
[00:19:16] model partially or does not meet, meets or exceeds.
[00:19:21] And that's it.
[00:19:22] Yeah.
[00:19:23] That, that would be fun.
[00:19:24] Because everything, everything beyond meeting a safeguard from a compliance standpoint has
[00:19:29] gone from objective to subjective, right?
[00:19:31] That's your interpretation of what they've shown you.
[00:19:34] Let's just say, you know, fill in the blank, you know, tool that you're using for the
[00:19:38] authentication becomes no longer a security best practice, or you don't like the app that
[00:19:44] they're using.
[00:19:44] You don't like the password manager that they're using.
[00:19:46] Okay.
[00:19:47] So now can you maintain the objective when you go beyond meeting the requirement that they're
[00:19:52] using a password manager and go, well, you use this one.
[00:19:56] They had a breach last year.
[00:19:57] They were compromised this way.
[00:19:59] I'm not going to give you an exceeds.
[00:20:00] I'm going to say meets and you're going to need to do more.
[00:20:03] And you're like, wow, that's essentially managed.
[00:20:05] I didn't even ask them for that.
[00:20:06] Like we can go back to this model that says nothing we do is going to be measurable consistently
[00:20:14] across more than one assessor because, and we see that, right?
[00:20:18] What organization wants a different assessor the next time around?
[00:20:21] They don't.
[00:20:21] Generally speaking, you're paying to have a third party assess you in year two and year
[00:20:26] three.
[00:20:27] You're like, oh, let's just go switch assessors.
[00:20:29] Let's get a different company in here.
[00:20:30] Let's see what they say.
[00:20:31] Oh, it's worse.
[00:20:33] Awesome.
[00:20:33] More work for us.
[00:20:35] Right?
[00:20:35] Like I'm not saying you never do that, but like you're hiring them to help.
[00:20:38] But that does follow best practice.
[00:20:40] You shouldn't use the same assessor after three years.
[00:20:43] Correct.
[00:20:44] But, but along those lines, I think if we could really help this model, you know, materialize
[00:20:51] where it's like, no, our, our goal is, are you meeting the requirement first and foremost?
[00:20:56] If not, is there a trajectory that you're on?
[00:20:59] And a definition of meeting the requirement.
[00:21:01] Correct.
[00:21:02] And that you were on a path at some point that has a clear picture that is, is measurable
[00:21:07] to when it will be implemented.
[00:21:09] Not like, yeah, we're looking to do that in the next five to 10 years.
[00:21:11] Okay.
[00:21:12] That's not realistic.
[00:21:13] And then the third one would be you're, you're exceeding it.
[00:21:16] Right?
[00:21:16] Like, I mean, when someone starts to exceed the requirements, do you really need to keep
[00:21:22] measuring them to see if they're making it go up higher or do you need to just keep
[00:21:27] track of like where they're at?
[00:21:28] And so it doesn't go down or let them know when something goes down.
[00:21:33] I mean, once they meet or exceeds, um, I feel like I always used to tell my guys, Hey,
[00:21:41] let's focus where the risk is the greatest.
[00:21:43] So if we've, if we've got it, if we've got our attack surface where it's lowered right
[00:21:48] here and I don't, I want you to keep on, keep it maintained, keep it managed, keep it
[00:21:55] measured.
[00:21:55] But if we've got this vulnerability and a hole in the fence over here, we need to patch
[00:22:00] that thing.
[00:22:01] We need to get it back up to where it's on the same level as these other ones.
[00:22:04] So, yeah, I think once you hit meet or exceed, you need to focus on there's always, there's
[00:22:09] always higher risk somewhere else.
[00:22:11] Well, right.
[00:22:12] And then, and the ecosystem is always changing.
[00:22:14] You know, I think about like, I live where there's lots of, lots of fence lines, right?
[00:22:18] Whether it's for corn or for cows or pigs, whatever it is that I had someone tell me
[00:22:24] this, they're like, you don't, you don't just go and patch the fences where the animals
[00:22:29] are, you have to make sure you patch the fences where the animals are not because at some point
[00:22:35] in time, you're going to need to move those cows or those whatever into another pasture.
[00:22:41] And if it's not being maintained, you may be letting them loose into an environment that
[00:22:46] they just kind of all randomly disappear out of the fence because you didn't realize it's
[00:22:52] open.
[00:22:53] Yeah.
[00:22:54] Yeah.
[00:22:57] So, but, but yeah, back to the CAT.
[00:22:59] I didn't mean to interrupt you.
[00:23:00] It's just that the maturity thing was like, uh, that's something that is always interested
[00:23:05] me.
[00:23:06] Honestly, I think that's probably, if there's one thing for the audience to take away is
[00:23:10] you have to come up with a maturity model.
[00:23:13] If one is not being defined for you and it needs to be one that you agree upon with the
[00:23:17] client you're working with to say, Hey, I know you have to meet or exceed the requirements
[00:23:21] that are in this framework.
[00:23:22] And we're going to go and approach this from the standpoint of you are not meeting it.
[00:23:28] You are partially meeting it.
[00:23:30] Those are still the same score.
[00:23:32] I think it's just more of like, if someone's partially meeting a safeguard, I think they
[00:23:36] need to be aware of it because that usually means it's a lesser of a lift to get to meeting
[00:23:40] the safeguard.
[00:23:41] Then you just be like, yep, you have a gap there.
[00:23:44] You're at zero.
[00:23:45] Um, meeting is three.
[00:23:46] Then partial needs to be two.
[00:23:48] Fair.
[00:23:48] So we give you, um, well, I'd give you a zero for not meeting it like a zero if you're
[00:23:53] not doing anything.
[00:23:54] Okay.
[00:23:54] So zero, one, two, we'll just do zero, one, two, three.
[00:23:57] So zero is you have nothing in place.
[00:23:59] A one is you're partially meeting the safeguard.
[00:24:02] So like I could see things like where you might have MFA to remote and, but you don't
[00:24:06] necessarily have, you know, MFA on everything in the ecosystem.
[00:24:10] I would say it's a partial.
[00:24:11] Two other SaaS that, that have PII in it, but you're not using MFA on those.
[00:24:16] Right.
[00:24:17] And so you've got, you have some work to do meets means that everywhere that it should
[00:24:21] be happening, it's happening.
[00:24:23] And then exceeds is probably getting into the way in which you're meeting the safeguard
[00:24:27] goes beyond the actual minimum requirements of what's asked of the safeguard.
[00:24:32] We're getting into best practices.
[00:24:34] Right.
[00:24:34] And I think any organization that's going through an assessment cycle, if their approach is
[00:24:40] to do this with that in mind, then I think most organizations will meet or exceed over
[00:24:46] time almost any framework.
[00:24:51] And I think that goes back to the CAT, right?
[00:24:53] Like it's asking, yes, it's 500 questions, but at the end of the day, it's not that it's
[00:24:57] 500 questions.
[00:24:58] It's the problem.
[00:24:59] It's that many organizations without hiring a third party, especially the small ones.
[00:25:03] Don't know how to answer it sometimes.
[00:25:04] Don't know how to answer it.
[00:25:06] Or they can answer it, but they don't have the means to put the what's asked of them
[00:25:11] into their own environment.
[00:25:12] It's either they don't know how to transition to say maybe a compensating control or a roadmap
[00:25:18] that has it in the budget for a future date that is realistic, like not five years out.
[00:25:24] Yeah.
[00:25:25] Or how to do it within the budget without spending a crazy amount of money because they're hearing
[00:25:30] different salesmen tell them different things that you have to do this.
[00:25:34] You have to do that.
[00:25:34] But there's ways to get around those things.
[00:25:37] It's just like, man, I'm sure you've looked at somebody's cybersecurity insurance questionnaire
[00:25:42] and they wrote yes on everything.
[00:25:44] And you're just like, man, you are not doing this.
[00:25:47] I know somebody may have told you that you're doing this, but you're not doing this.
[00:25:51] Well, this could be a whole other episode, but like I think when you look at questionnaires,
[00:25:56] I think sometimes it's easy to put down the answer yes or no, depending on the question,
[00:26:02] because the question for someone who has never read it before assumes that it's asking them
[00:26:07] about one thing.
[00:26:08] And in some cases, it naturally is.
[00:26:11] In many cases, though, it's asking you to satisfy, you know, half a dozen things that
[00:26:16] your yes is looking at.
[00:26:17] So, you know, it puts us, you know, as we go to wrap up, one of the things that comes
[00:26:23] to mind about what you said as far as factoring into budget, you know, there's a lot of open
[00:26:27] source tools out there that allow you to meet requirements that are in frameworks.
[00:26:32] And I don't know how many times I've heard someone say, oh, well, we're using this free
[00:26:35] tool over here.
[00:26:36] We're using this over here.
[00:26:38] Or maybe they found a paid product that is, you know, super low cost and they're going
[00:26:43] to put that in.
[00:26:44] But I come back to this one question.
[00:26:47] Somewhere in the equation, there is a cost burden and it's either happening on the
[00:26:53] checkbook or it's on.
[00:26:55] Yep.
[00:26:55] That's the third one.
[00:26:56] So I was thinking, so you got, so you have technical debt could be one, like what's it
[00:26:59] built on?
[00:27:00] Does it integrate?
[00:27:01] Does it have the means to carry you over the next however long?
[00:27:04] The second one is...
[00:27:05] How much does it take to maintain and manage it?
[00:27:07] Maintain.
[00:27:07] That would have been my second one.
[00:27:09] And then of course, the third one is, can I write a check for it and solve for those
[00:27:13] other two things not being problematic?
[00:27:17] Because I think there are cases where you can, like a bigger, sometimes a bigger transaction
[00:27:21] on the checkbook, another zero in there might be brand new tech or you're truly outsourcing
[00:27:27] so it's not managed by yourself.
[00:27:28] Or managed solution where it's, they're actually taking care of everything that you need.
[00:27:33] Right.
[00:27:34] So I think those three, every product service you look at, consider those three things.
[00:27:40] I think you'll do just fine.
[00:27:42] Any other thoughts you have?
[00:27:43] Obviously, we kind of circled away and back to the CAT a few times.
[00:27:47] I have definitely sent us down 12 different roads and I'm sorry for that, CJ.
[00:27:52] That's okay.
[00:27:53] There's a lot of roads to travel.
[00:27:55] Yes, there is.
[00:27:57] Maybe we can do a follow-up show sometime.
[00:28:01] But I think that mainly, it's not always expensive to do so.
[00:28:08] Sometimes there's just common sense controls that you can do that may be not as convenient,
[00:28:14] but still cost effective.
[00:28:16] And you can put it in there and it's going to take care of the risk that you're trying
[00:28:20] to mitigate.
[00:28:21] But also, FFIEC, you need to put out some further documentation on what needs to be done.
[00:28:31] What is meet?
[00:28:31] What is not meet?
[00:28:32] What is partial?
[00:28:35] And help these, because I think about the MSPs that are managing banks right now, not
[00:28:41] only in the IT departments that are doing that.
[00:28:45] And talk about the flip side, the examiners and regulators that are going to have to go
[00:28:50] in next year and start doing the assessments on these banks without solid concrete information
[00:28:59] on the direction that they need to go.
[00:29:01] So that's the thing, like you said, when you get these different regulators and one of them
[00:29:07] is super duper tough or interprets it a completely different way than it has been interpreted
[00:29:12] the last three times you've done it, and it's hard to argue with them about it, then
[00:29:21] that's a bad place to be.
[00:29:22] Well, we've seen this before with Sarbanes-Oxley, right?
[00:29:26] And some of the other auditors where it's like, I need to see a screenshot.
[00:29:31] You know, when you make changes to Active Directory so that we know that bad things didn't happen.
[00:29:35] And I'm thinking, well, if I'm taking the screenshot, I probably wouldn't be doing bad
[00:29:38] things, right?
[00:29:39] Like, I'm only going to include the good stuff if I'm manually doing this.
[00:29:44] And obviously, we've gotten to a place where there's a lot of automation to solve for
[00:29:48] that.
[00:29:48] But like, you know, there are flaws in every framework that we can exploit from a, you
[00:29:53] know, I don't have to do that.
[00:29:54] Or, you know, we're just doing this thing to show how we're meeting it.
[00:29:58] But if we're following going back to that scoring model that we talked about, I think if that's
[00:30:02] the intent, if as an organization, you're working with those to help you achieve a goal
[00:30:07] that says, I want to get to a place where we meet or exceed, this will be a far safer
[00:30:12] place.
[00:30:14] Yeah, I was going to ask you, when you talk to individuals, do you usually push a maturity
[00:30:19] model?
[00:30:20] Because I enjoy using them.
[00:30:22] I feel like it makes the communication of the board and the executive team and the IT
[00:30:27] team, it makes it a lot easier to explain to them, hey, this is where you're at.
[00:30:33] And this is where we need to be.
[00:30:36] So yes and no.
[00:30:37] So I like the scoring model.
[00:30:39] I don't care if it's a letter grade.
[00:30:40] I don't care if it's a point system.
[00:30:42] I don't care if you're using, you know, verbiage like we said, you know, partial, fully,
[00:30:47] et cetera.
[00:30:48] What I have a problem with is using scoring of any kind on the first time through.
[00:30:53] So and the reason being is every time you do a gap analysis, there's gaps, right?
[00:30:59] And some of those gaps are significant.
[00:31:02] I very rarely see where it's just a handful.
[00:31:05] It's just a little bit.
[00:31:05] It's very rare.
[00:31:06] And what you don't want to have happen is to have the conversation with the client or
[00:31:13] the client's board of directors where it's like, wow, that's really bad.
[00:31:16] Please don't show that to anybody.
[00:31:17] Let's fix it all and then do it again.
[00:31:19] And you're like, well, that doesn't make for a very clear baseline because we've basically
[00:31:24] made your baseline almost to a state of perfection.
[00:31:28] And you've got to get that baseline speech before you even start.
[00:31:32] So I like saying, hey, this is just a starting point.
[00:31:37] Yeah.
[00:31:37] Yeah.
[00:31:38] Yeah.
[00:31:38] Hey, we've been out of shape for 20 years.
[00:31:40] This is the first job.
[00:31:41] Right.
[00:31:41] Yeah.
[00:31:42] Like we're not going to have you get on the scales on day one.
[00:31:44] That's it.
[00:31:44] Yeah.
[00:31:45] Yeah.
[00:31:45] And I think that's, you know, if you had a goal tomorrow of like, hey, you're going
[00:31:49] to go run a marathon.
[00:31:50] I don't think the requirement is to find out how much you weigh.
[00:31:54] Perfect analogy.
[00:31:55] Yeah.
[00:31:55] We're not going to time ourselves on that first run.
[00:31:58] No.
[00:31:59] And I think that's to your point.
[00:32:01] Yes.
[00:32:01] I love doing the maturity to help them recognize that they have a, they're making progress.
[00:32:07] They're moving forward.
[00:32:07] They're seeing reds turn to greens.
[00:32:09] All of that matters.
[00:32:10] But I think if you start with that being where you're like your, your blood pressure
[00:32:14] is too high.
[00:32:15] Well, no kidding.
[00:32:16] I wouldn't have called you if it wasn't problematic with my blood pressure, but like, those are
[00:32:21] not good ways to get started because you start with then that deflated, you know, paralysis.
[00:32:27] You just don't want to do anything at all.
[00:32:29] It's depressing.
[00:32:30] Yeah.
[00:32:30] And where do you go?
[00:32:31] Right.
[00:32:32] And where do you go?
[00:32:33] And I think that's, that would be my number one thing to get feedback on is scoring's great.
[00:32:37] Once you've had a chance to get the ball rolling and they see, you know, especially when they
[00:32:41] have easy wins and they see that something's been changed from a red to a green or, you
[00:32:46] know, a yellow to a green or something along those lines.
[00:32:49] I think if you start with, you scored a 25% out of a hundred.
[00:32:53] So you might as well not even try.
[00:32:56] Yeah, no, I always start with the, like the strategic roadmap after we do the assessment
[00:33:01] and then say, Hey, let's not even look at where we're at.
[00:33:05] Let's look at these.
[00:33:06] Let's look at these top three criticals.
[00:33:08] Let's come up with a plan on how we're going to address these.
[00:33:12] And let's let that be our focus.
[00:33:14] We'll work on these other ones as we go along this journey, but these are the ones that we've
[00:33:19] got to focus on so that we can lower that attack surface.
[00:33:22] Well, and sometimes you can't predict what a fix will actually change.
[00:33:25] Right.
[00:33:25] So I have seen times where, like, you fixed three or four super low-hanging fruit that really were
[00:33:31] not even going to impact your score overall because they were low, only to find out that
[00:33:34] those fixes actually changed like 25 or 30 things throughout the organization.
[00:33:38] So that's the other reason why not to go in with setting expectations of how good or
[00:33:44] bad you might do after fixing one or two things.
[00:33:47] But to your point, whether they're three highly critical items, or maybe they're just, you
[00:33:51] go, I know this is such an easy one.
[00:33:53] We're going to change the lock screen to 15 minutes from 45 and boom, you've addressed,
[00:33:58] you know, eight or nine other things that were underlying concerns without having it be.
[00:34:03] Because if you have change happen too fast, sometimes you just get so much pushback.
[00:34:08] The friction has, you know, shadow IT comes into play and you've got bigger problems than
[00:34:14] closing holes in the gaps.
[00:34:16] Because the other thing, and you know this as well as I do, is, hey, security
[00:34:23] is important, but business strategy and business enablement is even more important.
[00:34:28] There is no reason for security if there is no business.
[00:34:32] So you've got to support them and be creative to put in controls that lower
[00:34:38] that risk while they're able to make money and do what they need to do to make things happen.
[00:34:41] I mean, that's just the way it is.
[00:34:43] And if you don't, if you use an iron fist, like you said, shadow IT is going to come
[00:34:50] into place because they will, where there's a will, there's a way and they will find a
[00:34:53] way to get around.
[00:34:54] They will.
[00:34:54] Absolutely.
[00:34:55] They have their own goals and KPIs that they have to meet and it's not tied
[00:34:58] to cybersecurity.
[00:34:59] They've got to put food on the plate.
[00:35:02] And they don't care as much about that.
[00:35:05] That's why it's important to find out what the business strategy is and tailor your security
[00:35:10] recommendations towards that while maintaining it.
[00:35:13] And anybody that's worth their stuff, I mean, you can find a way to be creative, control risk
[00:35:19] and still let them make money and do what they need to do.
[00:35:22] Well, there you have it, everybody.
[00:35:24] This has been an episode of MSP 1337.
[00:35:27] Dan, thanks for being on the show and for everybody else.
[00:35:29] I appreciate you.
[00:35:30] Thanks CJ.
[00:35:30] Have a happy Thanksgiving.
[00:35:32] Take care, man.