Fireside Chat - Governance & Leadership

What is your company's will? This Fireside Chat with Matt Lee tackles the Acceptable Use Policy, Written information security plan, Roles, and responsibilities. Please give us feedback, as we have a pretty healthy disagreement on a few items and are hoping that you, the listener, can help us find a new path forward.

[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.

[00:00:22] Welcome everybody to another episode of MSP 1337. It is the third Tuesday of the month, therefore we are privileged to have Cyber Matt Lee on the show to talk about governance and leadership.

[00:00:39] Welcome to the show.

[00:00:41] You know brother, we've been doing this a hot minute. Like I don't know that I've done my own podcast as frequently and regularly as I've done yours.

[00:00:51] So there's clearly a lack of governance of my ability to deliver my podcast and we're gonna dig into that.

[00:00:58] So there's roughly 18 or 19 episodes now of Fireside Chat, which adds up to being about 11 hours, 12 hours worth of content that has been played back close to 2000 times.

[00:01:14] That's crazy. We've influenced tens of people now.

[00:01:17] Like tens of people, yeah.

[00:01:19] Yeah, some of it's stuck.

[00:01:20] Well, and tens of people probably influence other tens of people.

[00:01:24] You know, it's the butterfly effect here, Chris.

[00:01:26] That's right.

[00:01:27] You're not wrong.

[00:01:28] But butterflies don't last very long, so I don't like using that one.

[00:01:32] Which would make them poor forms of governance.

[00:01:34] Yeah, yeah.

[00:01:35] So governance and leadership, it's a large part of the trust mark.

[00:01:38] We spend a lot of time as MSPs.

[00:01:41] Obviously we did.

[00:01:42] We went through 18 unique episodes and never once really spent time talking about governance or leadership.

[00:01:48] And I think bringing it all back around, this is really where it starts.

[00:01:53] Yeah.

[00:01:53] Without good governance and leadership in an organization, it will have a negative impact on your culture or allow culture to sort of go any way that it wants to.

[00:02:03] The other piece of it.

[00:02:04] Well, and outcome too, right?

[00:02:05] Not just culture, but outcome.

[00:02:06] Right, right.

[00:02:07] The outcome though.

[00:02:07] The way you want to be perceived as an organization is gonna quickly, you lose control, right?

[00:02:12] The other thing that I think is important is to understand that the pieces we're gonna talk about today are the way in which you can build structure to ensure your success in governance within your organization.

[00:02:26] So, Matt, kick us off.

[00:02:29] Talk us through what is in fact governance.

[00:02:31] Yeah, 100%.

[00:02:33] So, what is governance?

[00:02:35] I like to do it with stories.

[00:02:38] Imagine you're a small business and imagine that your small business has a break room.

[00:02:45] And it's awesome.

[00:02:46] You've got the foosball table, you've got the pool table, you've got the kegerator, like all the awesome stuff.

[00:02:52] But you don't want people smoking in the building.

[00:02:55] And you say, hey, no smoking.

[00:02:57] You put up a sign that says no smoking in the break room.

[00:03:01] Right?

[00:03:01] And so, that's what a lot of you do.

[00:03:03] A lot of you say, we're gonna follow a framework.

[00:03:05] Oh, too soon?

[00:03:06] All right.

[00:03:07] So, let's say we put up the no smoking sign.

[00:03:09] The question then rapidly becomes, do you ever check?

[00:03:13] Do you ever see if people have stopped smoking?

[00:03:16] Do you actually go around and smell every now and again and go, nope, doesn't smell like cigarettes or whatever else you were trying to stop?

[00:03:22] Why are there still ashtrays on all the tables in the break room?

[00:03:24] Yeah, this is very weird.

[00:03:25] There's still soot everywhere.

[00:03:27] It's nuts.

[00:03:28] And I think the point is, is that when you think about what is governance, governance is, and I like to define it as the will of a company.

[00:03:36] Right?

[00:03:36] And if you're a one person guy running a podcast, let's say, then it's the will of that guy running his podcast.

[00:03:41] Right.

[00:03:42] I failed my own governance.

[00:03:43] But I like to say, and to steal this from Rex Frank, inspect what you expect.

[00:03:48] Right?

[00:03:49] If you are going to say no smoking and that's the will of the company and you come back to check and it hasn't stopped, then you need to change new things to stop it.

[00:03:57] Right?

[00:03:58] Or you have not actually done what you wanted.

[00:04:01] Cambridge Dictionary defines governance as the way that organizations or countries are managed at the highest level.

[00:04:08] That's you if you're listening here.

[00:04:11] And the systems for doing this.

[00:04:13] That means the things you implement.

[00:04:15] The other humans, the systems.

[00:04:17] That doesn't just mean computers.

[00:04:18] Systems means a combination of things put together for some effect.

[00:04:22] If we define it through etymology online, it comes from the original Greek kybernon, meaning to steer, to pilot.

[00:04:28] And then in 13th or 14th century France, which you can imagine what was happening, it changed to rule with authority.

[00:04:34] That seems more clearly defined.

[00:04:36] Yes, it's very clearly defined.

[00:04:38] So funny, we've been kind of, you've really made very clear what governance is.

[00:04:43] And what's ironic about the 18 controls that we have gone through, there is a commonality amongst most of the controls where it will reference things like to review, to implement, to build a program.

[00:04:57] Well, let's just address that, Chris.

[00:04:58] No, let's address that.

[00:04:58] So why is governance all of a sudden a thing?

[00:05:01] Why are you just now hearing it?

[00:05:02] I think it's this understanding as a humanity in technology trying to solve this, that we haven't won here.

[00:05:11] And when you look at, when we talk about like NIST CSF, or even if we go to NIST 800-171, the self-assessment aspect of it, if people were governing, self-assessment would be fine.

[00:05:22] People aren't governing.

[00:05:24] And so you get into a position of, well, why did NIST 2.0 add governance, an overarching function?

[00:05:29] Because they're basically saying, no, really, y'all?

[00:05:31] No, no, no, really, y'all?

[00:05:33] No, no, no, really, y'all?

[00:05:35] Like, we thought underlining a safeguard and saying governance would solve the problem.

[00:05:40] And that didn't work.

[00:05:41] Yeah.

[00:05:42] So then you look at CIS 8.1 has added govern in a lot of places that would have otherwise been very process-oriented.

[00:05:47] You were part of a lot of that conversation, Chris.

[00:05:49] Yeah.

[00:05:50] The documentation piece was largely what it was about, adding the asset type of saying or showing through documentation.

[00:05:58] A govern function.

[00:05:58] Yeah.

[00:05:59] What is a policy?

[00:06:00] It's the rules by which we define what we are going to do.

[00:06:03] But governance is making sure that once you have set that policy, that it's actually happening.

[00:06:08] Agreed.

[00:06:08] If I'm, that's it.

[00:06:09] If I am saying-

[00:06:10] It's part two.

[00:06:12] Well, it's the, it's, it's, they're inseparable.

[00:06:15] Sure.

[00:06:16] Because if you, if you don't, you're just writing shit on paper for no value and no purpose.

[00:06:20] Well, and I think that's where leadership-

[00:06:22] That's what you expect.

[00:06:23] When we talk about leadership, leadership gets a little bit more squishy.

[00:06:26] But if you have governance that's understood throughout the organization, then leadership that follows that will make the most sense.

[00:06:33] It's not squishy.

[00:06:33] You're 100% accurate on it.

[00:06:35] Here's why.

[00:06:35] When you think about what is governance, governance is defined, at least in Cambridge's dictionary as the way organizations are managed at the highest level.

[00:06:42] Well, how does that happen?

[00:06:43] It's the leadership.

[00:06:44] Right.

[00:06:46] But I think-

[00:06:46] So that is the system.

[00:06:47] That is the function that must be defined as the leadership and the policies and processes and the inspection of those things.

[00:06:52] That is what defines governance.

[00:06:54] Not to go down a rabbit hole, but I think if you have great culture in an organization, then governance isn't just created and defined at the top down.

[00:07:02] It includes those that are part of that organization.

[00:07:05] Even if they're not in leadership positions because the reality is together, this is going to be effective.

[00:07:11] What we're having something that no one follows doesn't work.

[00:07:14] Well, and leadership does have to manage that.

[00:07:17] They're the ones that get to see the puzzle pieces of what's in front of me.

[00:07:20] Everybody says, you make your own culture.

[00:07:22] I don't know that that's fully true.

[00:07:23] You are a summation of what's there and what it can be guided towards.

[00:07:26] Okay?

[00:07:26] That's right.

[00:07:27] No smoking is a perfect example, right?

[00:07:29] If you start with they're already doing smoking because that's where they are.

[00:07:33] Yeah, that's where we're starting from.

[00:07:34] And you just come in and say no smoking.

[00:07:35] Yeah, yeah, yeah, yeah.

[00:07:35] 100%, right? Nailed it.

[00:07:37] Yeah.

[00:07:37] Leadership would instead guide towards a smoking place outside that has cool features or something and then drives like, so you could drive that change.

[00:07:44] And the point is, is that if you-

[00:07:45] A hot box or something.

[00:07:48] If you look at governance and its leadership extension, and back to your culture point, let's take one of our former culture points, which was today, not tomorrow.

[00:07:56] It was a little TNT symbol and you could say, hey, Chris just did something cool today instead of tomorrow.

[00:08:01] What does that do?

[00:08:01] It's taking and saying this culture of us being go-getters and knocking it out right now and doing it today instead of putting it off till tomorrow.

[00:08:08] We can use that towards saying we will fix those problems with a faster time.

[00:08:13] We'll work on getting things back into spec as they come out of spec quicker.

[00:08:16] Those are supportive of trying to stay maintenance on a system that's meeting safeguards, right?

[00:08:22] So you could make arguments that those cultural elements influenced and guided through leadership as an extension of appropriate governance of the will of this company and the way we're leading this.

[00:08:32] Those come together magically to deliver amazing results.

[00:08:35] The reason governance popping up in this CSF and all these others is that everybody's been trying to be a rudderless leaderless ship.

[00:08:42] Everybody's been trying to work on security from the bottom.

[00:08:46] Security starts at the frigging top.

[00:08:48] And that's what's happening here.

[00:08:50] That's like a paddle boat or one of those, yeah, paddle boats where only one person is paddling in.

[00:08:56] So it just continuously goes in circles.

[00:08:58] Yeah, yeah.

[00:08:59] And in the same breath, governance and governs, those governing and the leadership have to balance the things and the forces around them and the strategies they've chosen and the tactics that come from those to try to make money.

[00:09:13] Right.

[00:09:13] Or do their charitable organization's mission, whichever one of those two you find yourself in.

[00:09:18] And there's not much between.

[00:09:19] And so the point is, is that we act like this is an easy job.

[00:09:23] If it was an easy job, people wouldn't be leaders or it would be harder to whatever the word is, you know what I mean?

[00:09:28] Yeah.

[00:09:29] But if it was an easy job, everybody would be killing it and they're not.

[00:09:32] And I think the point is, is that we have to find governance well established and decided upon by leadership to meet business goals and objectives, to meet security goals and objectives, the things that are going to play out because you use governance to manage.

[00:09:44] In fact, I'll put it in perfect example.

[00:09:45] Let's go back to my concrete company, my concrete company.

[00:09:49] They have governance.

[00:09:50] And if you don't know this story, I had a concrete manufacturer that did all the roads in a certain state.

[00:09:55] They were amazing at it.

[00:09:56] And I asked him one day what made him money.

[00:09:58] And he said, Matt, what makes me money is having a concrete truck appear every 30 minutes during a job pour with the right ash mix, with the right cement mix, with the right water mix, with the right aggregate that meets the pressure loads that I need to.

[00:10:14] So some lab two days later when testing doesn't cost me $15 million.

[00:10:18] He said, I need to do that every time.

[00:10:20] So what goes into supporting that?

[00:10:22] And he says, well, I have concrete trucks.

[00:10:24] What happens with drivers out?

[00:10:25] I've got extra drivers.

[00:10:26] What happens with trucks down?

[00:10:27] I've got extra trucks.

[00:10:28] What about maintenance?

[00:10:28] I have my own facility because it's faster and I can manage it myself.

[00:10:31] And I'm staffed that well enough.

[00:10:32] And I have all my stocked extra parts and I don't have to worry about supply chain.

[00:10:36] And I actually have extra ash plants.

[00:10:38] And that is governance playing out to ensure that every 30 minutes a concrete truck shows up with the appropriate amount of ash, blah, blah, blah.

[00:10:47] My point is, is that we see governance everywhere else.

[00:10:51] We don't have to talk about it.

[00:10:52] Why?

[00:10:52] Because it's directly affecting profit.

[00:10:54] Right.

[00:10:54] Well, why do we have a problem here?

[00:10:56] Because people don't believe cyber directly affects profit.

[00:11:00] We shouldn't have to destroy this whole topic just to say what is governance.

[00:11:04] We've already got that in our souls.

[00:11:05] You're already running a business as an MSP right now to make a profit and balancing all the forces and people are doing in general your will.

[00:11:13] Make it happen with cyber too.

[00:11:15] That's it.

[00:11:16] Right.

[00:11:17] I drop.

[00:11:17] I'm out.

[00:11:18] Right.

[00:11:18] So, so as we dig into this a little bit.

[00:11:21] So in, in the trust mark, I think there's like, I'm going to say, and I'm going to be wrong, but I think there's like around 19 safeguards that make up the governance and leadership section.

[00:11:34] And with the understanding that all other safeguards must have governance in order to be functional.

[00:11:38] Okay.

[00:11:39] And I know, and the ones we're going to talk about today are, are probably the, the early on defined, these are definitely governance and leadership.

[00:11:48] Yeah.

[00:11:48] Fair.

[00:11:48] You're just like, throw darts.

[00:11:49] These look like a governance function.

[00:11:51] Yeah.

[00:11:51] There, there are some others that are in the trust mark that I think we have in fact moved into the governance domain because of their definition in the CIS framework, which at that time did not have governance.

[00:12:03] They did not.

[00:12:03] That existed as of June of 2024, if you were curious for your fact.

[00:12:07] But what's interesting is we have in here about 11 definitively that we had at the very beginning that were uniquely tied to establishing a domain governance and leadership.

[00:12:21] Sure.

[00:12:21] So things like naming a security officer, having an acceptable use policy.

[00:12:26] Yeah.

[00:12:26] What are the compliance requirements for your organization?

[00:12:30] Let's start with the first one.

[00:12:31] Yeah.

[00:12:31] Naming a security officer.

[00:12:32] Why is that governance?

[00:12:33] Because it is establishing the leadership structure for which governance will flow through the system to meet the highest level of the organization's will.

[00:12:42] Right?

[00:12:42] So straight up, you defined your executive in charge of owning this part of it next.

[00:12:47] And it goes a little bit deeper than that.

[00:12:49] So we added an additional two safeguards to go along with that.

[00:12:52] So now that you have the officer, a named individual, you now have to have security officer reporting.

[00:13:00] So that would you want that?

[00:13:01] Well, I mean, it's really kind of the whole gist of having the officer in the first place is who's keeping tabs on your governance in the domain of cybersecurity.

[00:13:12] I'm in my mind right now, Chris Johnson.

[00:13:14] Just I'm a domain mind blower.

[00:13:16] So you're saying not only do I have to have a human own it, they have to report upon the outcomes that they expected to receive.

[00:13:22] Is that essentially what you're getting at?

[00:13:24] Yes.

[00:13:24] And so then you take it even one step further.

[00:13:28] So it's not just that I just literally called out one specific safeguard as a part of the responsibility of a security officer.

[00:13:37] The next safeguard says that the roles and responsibilities have to be completely defined with regards to applicable laws, executive orders, directives.

[00:13:48] And they report to the most senior leadership for those responsibilities.

[00:13:56] This is not, you know, the HR department and down in the accounting section.

[00:14:01] We have someone that goes by security officer.

[00:14:04] Just to put this in words, you're basically saying whoever you do put in that position that is reporting.

[00:14:09] So first one and second one and third one, that person must report to someone extremely high up to connect it to the governance and the will of the company.

[00:14:18] Is that essentially what you're saying?

[00:14:19] Yes.

[00:14:19] And you could in fact be the owner.

[00:14:22] If we're talking about MSPs, the security officer may in fact be the business owner.

[00:14:26] Yeah, that's fair.

[00:14:27] So there's one more that goes with this that, you know, everybody's like, wow, I think we have enough already.

[00:14:33] This last one is where it gets really interesting.

[00:14:35] And I have mixed feelings about this one in the context of the role that's already been defined.

[00:14:41] And this one is, it's L7 if anybody wanted to know which one it is in the trust mark.

[00:14:46] This comes directly from NYDFS and it states that security officer, third party vendor oversight.

[00:14:53] Yep.

[00:14:53] Or control 15 in CIS.

[00:14:55] Correct.

[00:14:56] Well, so yes and no.

[00:14:58] So in control 15, it's really about the organization as a whole has a program and it may be broken down where you have individuals throughout the organization responsible for different vendors.

[00:15:09] This is taking that and saying, no, that's not enough.

[00:15:13] You need one more thing.

[00:15:14] And that means that all of that funnels to your security officer for oversight for any one of those vendors, which today is why we had to pull that one in.

[00:15:23] I feel you might've just gotten pedantic to make an argument there, chutes and ladders, but I'm all right with it, I suppose.

[00:15:29] So it comes back to your program.

[00:15:31] But you're not wrong as far as the CSO or whatever you define it as.

[00:15:35] CSO, ISO, yeah.

[00:15:37] Whatever.

[00:15:37] Name it O.

[00:15:38] SO.

[00:15:39] Some form or fashion.

[00:15:40] Right.

[00:15:40] That person needs to be in charge of it.

[00:15:43] And 15 does really say that.

[00:15:45] And again, you're kind of highlighting this fact that you're connecting the human leadership element to the governance element.

[00:15:51] And going back to the Cambridge Dictionary, which I think they've nailed it, the way that organizations or countries, comma space, are managed at the highest level, comma space, and the systems for doing this.

[00:16:02] You're now defining the human at the highest level, the leadership element we talked about in the beginning.

[00:16:06] And then this connected point of those systems, a lot of CIS focuses on the systems and the things that need to exist underneath that.

[00:16:14] And to your point, this set of governance is connecting it back to a leader that owns this, if that makes sense.

[00:16:18] Yeah.

[00:16:19] So what's interesting is that for the most part, the majority of the governance and leadership section is defined by what you do with the role of a security officer.

[00:16:30] Yeah.

[00:16:31] Everything else supports that, right?

[00:16:33] An acceptable use policy is probably going to call out the need to point to, like if you, the old saying, if you see something, say something, right?

[00:16:43] Like, well, who do you say that to?

[00:16:44] Anybody?

[00:16:46] No, it's giving some structure to that.

[00:16:48] And then this also starts defining, you know, when you get into reporting security incidents, that also falls under that governance and leadership.

[00:16:56] Yeah. So all of that comes under that.

[00:16:57] And that is how it played out.

[00:16:58] Let's take away some of the mystique on this.

[00:17:00] Okay.

[00:17:00] When Matt Topper came in to do the security and compliance arm of our security program internally for Iconic IT, when we were working through that together, it very much started as just at least Matt being named that person and me being named my side of it, right?

[00:17:17] And I was working through the director of technology and director of security and Matt being the director of compliance.

[00:17:21] We had named titles that then fell under us as we went to go forward with these things to say, here's our Monday board.

[00:17:28] And we would meet with Tony Miller every week.

[00:17:30] And we'd show up our Monday board with our 6,000 items that Matt and I wanted to get done.

[00:17:34] Sure.

[00:17:35] And we would then get permission to do it.

[00:17:36] Well, how is that happening?

[00:17:37] Because they named an officer responsible for it.

[00:17:39] Like when I got in and put my coffee on my table, guess what I was thinking about?

[00:17:42] Security.

[00:17:43] And then when I left at the end of the day, guess what I was thinking about?

[00:17:45] Security.

[00:17:46] And when Matt came in, he was thinking about compliance.

[00:17:48] So to your point, I think, and I've hyperbolized this, it really does just start with naming individuals.

[00:17:54] Sure.

[00:17:54] And in my course that I taught about this, I said, what are your next steps as a leader?

[00:17:58] Go find that one champion inside your organization that's got enough of the humble, hungry, and smart compendium.

[00:18:06] Right.

[00:18:07] That they have enough to move forward with this.

[00:18:09] And name them.

[00:18:10] And task them with at least assessing and reporting upon the status of your organization from a security perspective.

[00:18:16] Right?

[00:18:17] Yeah.

[00:18:17] And I think if they are, there's a, I think there's a misconception that this person that's being named has to be an expert in cybersecurity.

[00:18:26] When in fact.

[00:18:27] Ghostwriter.

[00:18:27] Yes.

[00:18:28] Thank you.

[00:18:29] And there's, and there's two ways about this, right?

[00:18:31] And anybody that's really curious about better understanding it, I would encourage you to go search the NYDFS.

[00:18:37] It's 500.1 through 4, I think, where it articulates what it means to have this role within an organization.

[00:18:44] And it gives guidance around saying, hey, you may not have this capability internally to truly do what is defined by the responsibilities of a security officer.

[00:18:54] But you need to have someone in your organization named with this responsibility.

[00:18:58] And then give them the authority to say, hey, this third party, fill in the blank.

[00:19:03] I'm not going to try and tell you who that exactly is, because it's going to be unique to the organization that needs that service or person.

[00:19:10] But you can leverage a third party to help you address this responsibility.

[00:19:16] Yeah, for sure.

[00:19:16] It's not just a.

[00:19:17] I hired a company.

[00:19:18] Yeah.

[00:19:18] Okay.

[00:19:19] I mean, I wouldn't say I would spend that again.

[00:19:21] But I did in this case when Matt and I worked first.

[00:19:24] You have to start somewhere.

[00:19:25] Yeah.

[00:19:26] Well, when we first got named, it was right after we had bought the company that, that Voldemort, right?

[00:19:31] And it was right after that was laid out was when we really got serious about it.

[00:19:34] And so the first thing we did was we said, we have to have an incident response plan.

[00:19:37] So Matt had just been named the director of compliance, like just literally, he was still working in Rochester.

[00:19:41] Right.

[00:19:42] And I had been named it for what, all of five weeks, six weeks or something.

[00:19:47] And so we, we were meeting and I flew into Dallas and Tony came to Dallas and so did a Neil initiative.

[00:19:55] They came to Dallas and we sat in a conference room.

[00:19:57] Matt Topper dialed in and listened remotely and Jason Farmer was remote if I remember.

[00:20:02] And we spent eight hours for two days writing an incident response plan.

[00:20:06] Sure.

[00:20:07] It was $25,000 or $45,000.

[00:20:09] I think we spent $45,000 on a consulting with them.

[00:20:13] But to your point, bringing in that expert help, I learned terms that still right now I'm using, right?

[00:20:17] Like I understood things that I wanted to know.

[00:20:19] Containment, eradication, next steps, what the response looked like, all those things.

[00:20:24] And it was awesome, but we, we didn't use much of it.

[00:20:27] My point wasn't that we ended up changing it a lot, but my point was we brought in outside help to help us through that.

[00:20:32] And that could be very simple.

[00:20:33] That could be a vCISO.

[00:20:34] A lot of that's matured since then now.

[00:20:36] Oh, for sure.

[00:20:37] That can be peer groups where you can do those things.

[00:20:39] So the, but, but I think what's interesting and why I want to bring this back to governance is all of those things, free resources to very expensive resources.

[00:20:48] Start with what?

[00:20:49] The will of the company.

[00:20:52] And why did my will of our company change?

[00:20:54] Well, once you lose a few million bucks, your will shifts.

[00:20:57] Right.

[00:20:58] And when we lost to Voldemort, we said, okay, let's get serious.

[00:21:01] That Matt and Matt guys, those M squared.

[00:21:03] There's there may be seriously there or something.

[00:21:05] We need to do something here.

[00:21:06] Maybe something we need to do here.

[00:21:07] So this is a good segue.

[00:21:08] Cause I think the other, the other elements that make up governance, we don't need to drill down on every single safeguard.

[00:21:13] That is a policy or otherwise.

[00:21:15] Sure, but we could.

[00:21:15] And that might be a series.

[00:21:16] If you want it, you comment and let us know.

[00:21:18] Yes.

[00:21:18] Yeah.

[00:21:18] Let us know.

[00:21:19] So I think there's this last part that I think is really powerful within an organization.

[00:21:23] And in some cases probably shouldn't be created until you've got some of the policy structure that you've been working through in the top, in the, in the different domains.

[00:21:33] But that is your written information security plan, taking all of that and really being able to boil it down.

[00:21:38] The WISP or the company.

[00:21:39] Or the SSP.

[00:21:40] The WISP of the company sounds better.

[00:21:42] Yeah.

[00:21:42] The WISP is much better.

[00:21:43] So inside a WISP document, you're, you're getting into things like project lifecycle management, how you do those things.

[00:21:49] You're getting into compliance requirements both from-

[00:21:53] And you really, no, no, no.

[00:21:54] Let's demystify this.

[00:21:55] What is a WISP?

[00:21:56] In my mind, the way I would write a written information security plan today, it would absolutely be along safeguards.

[00:22:02] I would literally be writing trust mark components and I would say, here's the one, word for word, how I need to support it, the technologies that need to be a part of it, the way I'm going to configure those things, the way I'm going to look at behaviors, and here's all the supporting documents you need for procedures.

[00:22:14] So to your point of a WISP, it has to have those as I'm going to show an outside party or an inside party depending on the scenario.

[00:22:22] Yes.

[00:22:23] How I am managing the governance, stewardship and implementation and then validation of all of the things that I say I'm doing to meet a security program.

[00:22:33] So WISP is where all that comes together in one place plus the other things you're talking about, the acceptable uses and all those other things.

[00:22:39] I would also clarify though, this isn't the policies themselves because if you do that, you're potentially setting yourself up for constant change of policy.

[00:22:49] I think what you mean is not the procedures themselves.

[00:22:51] Policies stay fairly static.

[00:22:53] It's the procedures that would delineate.

[00:22:55] So I liken policies, if I were to show my WISP to a client or to a vendor, they don't need to see every little piece of detail of everything happening in my company.

[00:23:06] They need to have at least a summarized version.

[00:23:08] They need to be able to see through my plan that I have enough structure for them to be confident.

[00:23:14] Now, if they want to see detail on say my acceptable use policy because they have a concern, I would produce acceptable use policy, not here's the 250 page.

[00:23:24] I would not want my WISP to become this massive document just for that purpose.

[00:23:30] I think this is another one of those where you and I get to yellow brick road and disagree.

[00:23:34] I would say that I think of an SSP or a WISP as my overarching document that will hold all of the policy elements.

[00:23:44] Now, to your point, policy for me is the guardrails.

[00:23:48] Policy is this safeguard says that I need to expire passwords after 45 days if that account hasn't been used and disable those accounts.

[00:23:55] Here are the technologies in use. It's one pager and then it breaks off to all the procedures, supported things that need to be there.

[00:24:02] But this is my guardrails. What you're really speaking towards in my mind would be some external document.

[00:24:06] And I've done many of these where I write up an overarching, here's an example of some of the things we're doing in our information security plan.

[00:24:13] But my WISP or my SSP is an overarching and pretty massive document.

[00:24:17] But to your point.

[00:24:18] I'm not saying it won't be massive to be fair.

[00:24:20] Yeah, fair. But I do think, to your point, there is a need for a document between.

[00:24:24] Like think of what a SOC 3 is as opposed to a SOC 2.

[00:24:27] Sure.

[00:24:27] This external document that's kind of slimmed down, that's able to help you show that I have some degree of modicum of things in place.

[00:24:33] I'll give you an example of why I don't think everything needs to go into a WISP.

[00:24:36] I would not put the details of my pen test policy into my WISP.

[00:24:40] I might give a summary that we do a pen test on an annual basis and some structure to that.

[00:24:45] Do you consider a WISP an outside document or inside document?

[00:24:48] Because I've always considered a WISP an inside document, which means I'm not sharing it.

[00:24:51] And that's why I would put those things in that.

[00:24:53] It's my document.

[00:24:54] Yeah, so, okay, so in some respects you're treating this almost like one wooden employee handbook where everything comes together in the three ring binder.

[00:25:00] That is what I do with it, yes.

[00:25:01] That is my go plan.

[00:25:02] I have gone back and forth with this now for the last six months, and everything that I have looked in at great detail is that upon request, especially what you see with like CMMC or even going back to HIPAA, they call out being able to produce this WISP.

[00:25:17] That's correct.

[00:25:44] That's correct.

[00:25:46] I think, because here's the way I would look at it.

[00:25:47] I've seen people write down WISP and call it the written information security policy.

[00:25:52] And I think that's where we deviate from what it's intended to be.

[00:25:57] Plan.

[00:25:58] Versus a plan.

[00:25:59] And so, I think a plan can be as detailed or as high level as is appropriate for your organization as long as upon request or through references you have the underlying supporting documents.

[00:26:13] Yeah, I won't get into the – I wouldn't fault someone for the way they've chosen to do this.

[00:26:18] I've just always meant that as long as my policy document book, my SSP – and I came from that from the early 800-171 kind of days and the people that I paid to give me guidance have given me and showed them similar guidance in that direction.

[00:26:34] I think it's because it's shifted.

[00:26:36] So, like, remember when we used to say EHR and EMR and those were two very uniquely different things and they finally just said people can't say it right so we're just going to say it doesn't matter which one you say.

[00:26:45] It includes both.

[00:26:47] I think we're in that world with WISPs.

[00:26:51] Fair.

[00:26:51] It's very fair.

[00:26:52] And I might be wrong on this one.

[00:26:53] Y'all tell me if you think I'm wrong on this one, y'all.

[00:26:55] But I'll be listening.

[00:26:57] Yeah, tell Matt that he's wrong.

[00:26:58] It's completely unrelated.

[00:26:59] I don't think that's what I asked for.

[00:27:00] No.

[00:27:00] I said if.

[00:27:01] There was an if component in this.

[00:27:03] Is that right?

[00:27:04] We'll get you.

[00:27:04] We'll get you.

[00:27:06] We'll get you the.

[00:27:06] I don't care.

[00:27:07] I have my thoughts.

[00:27:08] I still have my thoughts.

[00:27:09] They can be influenced, but I have my thoughts.

[00:27:11] That is fair.

[00:27:12] I think that really does cover most of this.

[00:27:16] However you do it, you need to have a translation.

[00:27:18] Let's take it back to what matters.

[00:27:19] As a governance function, at some point it has to hit the road.

[00:27:23] And I think to Chris and my point, both of our side is it has to be written down.

[00:27:27] It has to be executed.

[00:27:28] You have to be able to measure it.

[00:27:29] You need someone in charge of it.

[00:27:31] It needs to be part of your world.

[00:27:32] And it starts with assigning an officer and it starts with the governance, which is the

[00:27:36] will of your company to implement security plans in a way that can be measured that to your point, Chris, and this is a big part, can be shown to your partners that are asking for it now because they give a crap about security.

[00:27:47] And those that are doing it well will actually get the contracts and the others will not.

[00:27:50] So do those things.

[00:27:52] And I think it needs to be to clarify, this isn't just something you just whip together.

[00:27:56] Right.

[00:27:56] The program for the trust market is not something we say, hey, in 90 days, you should be ready for an assessment.

[00:28:02] This is the piece that will often cause the timeline to be extended further than most people imagine, because this program needs to be robust and it needs to have the.

[00:28:16] Well, yeah.

[00:28:17] Functioning.

[00:28:17] Right.

[00:28:18] Evidence can be collected thereof in certain time periods.

[00:28:21] Like, yeah.

[00:28:22] Yeah.

[00:28:22] So like we talk about policies all the time.

[00:28:25] So like policies created.

[00:28:26] Okay.

[00:28:27] Is it approved?

[00:28:28] Awesome.

[00:28:28] Is it enforced?

[00:28:29] Right.

[00:28:30] Are you measuring it?

[00:28:31] Yes.

[00:28:31] Are you looking for anomalous behavior against that policy?

[00:28:34] Well, let's just hypothetically say that it's not enforced.

[00:28:37] Like, don't tell me that you have a policy that's approved and enforced included in your WISP or SSP, because then when you're getting audited, then all kinds of things come into question.

[00:28:48] Be honest about the enforcement of said policies, because you can't just create and enforce in the same day.

[00:28:54] Correct.

[00:28:55] And we know that.

[00:28:56] Right.

[00:28:57] We know you as a company cannot get this done in a day.

[00:28:59] So don't lie about it, because this is the only framework, trust Mark.

[00:29:03] Yeah.

[00:29:03] It's the only one that I know of that allows us to work through iterations of good.

[00:29:08] And that means that you might get through this with a clear thing in place, but not fully enforced, or it's only enforced on these asset classes, or it's only enforced on these humans or these types of things.

[00:29:17] Like, at least be honest, because guess what?

[00:29:18] It's great places to show the improvement next year.

[00:29:51] Yes, that's reasonable.

[00:29:52] But getting there in two days isn't reasonable.

[00:29:54] And so I think showing your work and showing your iterative growth is the building block of reasonability, safe harbor, all of those things.

[00:30:01] And it's why we built the trust mark the way we did.

[00:30:04] Right.

[00:30:05] So I just want to leave you all with this, some resources, if you want to use Google instead of AI.

[00:30:13] There are two CompTIA white papers on this, embedding cybersecurity into your culture and building a culture of cybersecurity.

[00:30:21] They kind of, one came before the other to help really emphasize some overlap there.

[00:30:26] You'll see them in the culture and strategy workshop that's put on by Miles and Matt Lee.

[00:30:31] And then the other ones that I would recommend looking at is like, CISA has a risk management guide, which I think is super helpful around as you govern an organization, what your risk appetite looks like and being able to do that, which would be the risk workshop that Wayne and myself have been putting on.

[00:30:46] And then the last one is Building a Culture of Cybersecurity from ISACA, which is also a great white paper.

[00:30:52] So they're easy to find.

[00:30:54] I don't need to post links for them.

[00:30:55] They're there.

[00:30:56] It's not like there's, you know, 10 ISACAs or, you know, three CompTIAs, right?

[00:31:00] So they should come up pretty easily in a Google search.

[00:31:03] Matt, any last words to our listeners before we hang up the phone?

[00:31:08] I would just say, when it comes to cybersecurity in your own practice for your own tools, services and things that you own, you've already done this.

[00:31:18] You're already a profitable business.

[00:31:19] You're already moving forward in your life.

[00:31:21] You're already governing the things that it takes to be profitable of everything else you do.

[00:31:26] Just add this to it.

[00:31:28] That's it.

[00:31:29] We're making this harder than it needs to be.

[00:31:30] Just start making this part of the will of your company and empowering people to do it and they'll do it.

[00:31:35] So next month will be physical and environmental security.

[00:31:43] Sounds exciting.

[00:31:44] Like cameras and, you know, barbed wire.

[00:31:46] Maybe we can get Deviant Ollam to join us.

[00:31:49] All right.

[00:31:51] So for those, for those of you listening, this has been an episode of MSP 1337 Fireside Chat.

[00:31:57] Thanks everybody.

[00:31:58] Have a great week.