Transcript: Rachael Pashkevich Koontz podcast

We spoke about how these certifications and audits are just points in time – but they can add greater confidence regarding corporate data security controls.

This is a transcript of the podcast Rachael Pashkevich Koontz on cybersecurity certifications and cyber audits, a discussion between GRIP’s US content manager, Julie DiMauro, and Rachael Pashkevich Koontz, Associate General Counsel of Cybersecurity and Data Protection at Booz Allen Hamilton.

[INTRO]

Julie DiMauro: Greetings everyone and welcome to an Intelligence and Practice podcast. I am Julie DiMauro, the US content manager here in New York.

The podcast is being brought to you by the Global Relay Intelligence and Practice service that we call GRIP. It’s a service that features a daily website of articles on a variety of compliance and regulatory topics, plus podcasts and other deep dives into trends and best practices. You can find the service at grip.globalrelay.com, and please connect with us on LinkedIn.

Today’s podcast session is on cybersecurity audits and certifications, why they matter now more than ever. We have a great expert joining us today. Her name is Rachael Pashkevich Koontz, Associate General Counsel of Cybersecurity and Data Protection at Booz Allen Hamilton.

Rachael, do you mind introducing yourself and telling us about your background, please?

Rachael Pashkevich Koontz: Thank you. I’m very excited to be here. I wouldn’t be a lawyer if I didn’t start with a disclaimer, so everything I’m about to say is my personal opinion, and nothing I say is reflective of any actions or opinions of any current or former employer. Also, nothing I say is legal advice. So hi, I’m Rachael, I am a cybersecurity attorney. I’ve been an attorney for a little over 10 years now and I have a non-traditional background because I have worked in house quite a bit, from the startup world to the Fortune 500 world, but I’ve also worked in a cybersecurity department, writing their cybersecurity policies and building cybersecurity compliance programs, and I’ve actually helped obtain cybersecurity audits and certifications at multiple companies I’ve worked at. So I’m a lawyer with a bit of an interesting connection to the audit and certification world.

Julie DiMauro: Thank you so much for that. And that brings me back to when I first met you. I thought your background was incredibly interesting. I first heard you speak about cybersecurity audits and certifications; that was in 2021. That sounds long ago, but it doesn’t feel long ago, and it was at the SCCE’s annual event in Vegas. Three years have passed. Why are we still talking about this, and will we ever stop?

Rachael Pashkevich Koontz: Well I hope not because it’s good job security for me.

The reality is, we’ve moved from a trusting environment, where we trust our partners and our vendors to do what they say they’re doing for the contract, to a trust-but-verify environment. And that’s really where cyber audits and certifications come in: people need something tangible that proves you’re doing what you said you were going to do. So, regardless of your organization’s size, if you haven’t taken the time to sit down and have a discussion and take a stance on the role of cyber audits and certifications, what their role is within your organization, and also your expectations of their role with third parties, then honestly you’re behind the curve. So this is a really good topic for people to think about: have we taken a stance on it, and if not, what do we need to do next? So I’m very excited to talk about this.

Julie DiMauro: Now, for those unfamiliar with the different types of cybersecurity audits and certifications, can you provide us a quick primer?

Rachael Pashkevich Koontz: Yes. So when I’m referring to cybersecurity audits and certifications, I’m referring to something that is an externally validated certificate or audit report or proof of your cybersecurity controls. So the two that you’ll hear about the most, and the ones I’m most familiar with, are ISO 27001, which is a certificate, and SOC 2, which is an audit report.

And ISO 27001, I’m always upfront that I’m a little biased, that one’s my favorite because it’s more globally known. It’s from the International Organization for Standardization, and they have a list of controls, and then you determine which ones apply to the scope of your organization and you apply them. It’s just a very clean process, and I feel really good that when I’m looking at different ISO certificates for different organizations, I have a good idea of the controls that they likely have in place.

SOC 2 is a little different because it’s an audit report. So the nuance there is that an ISO 27001 certificate is literally a certificate; you can post it on your website. It’s not highly confidential or anything. That’s a great benefit of it. But a SOC 2 report is an audit report, so you’re not posting that on your website. You might put on your website that you have a SOC 2, Type 1 or Type 2, but typically you’re going to require an NDA for potential customers or customers to see it.

They do go through a similar process, but what’s a little nuanced about a SOC 2 is that they have something called trust services criteria. Think of them kind of like control objectives, high level: this is what you should be trying to accomplish. And then each organization writes their own controls for how they’re accomplishing that criteria. So you can tailor SOC 2 a little more to your organization, but it takes a little more effort to thoroughly review the report and make sure you’re comfortable with the controls organizations have put in place.

So those are the two I hear about every day, all the time, but there are also industry-specific frameworks. So if you work with credit card data, or even in the financial industry, you’re going to be more familiar with PCI DSS, or the Payment Card Industry Data Security Standard.

Or if you work in healthcare, you might be more familiar with HITRUST, which is the Health Information Trust Alliance Common Security Framework. That’s a mouthful.

Or in the federal contractor space, which I am now in, you’ve heard about CMMC, or the Cybersecurity Maturity Model Certification. That’s a new one I might talk about a little later. The DOD is pushing that out. Very, very interesting. And you know, maybe you’re in a different place in the world, and there are also regional ones. So if you are in the UK, you might try to obtain a Cyber Essentials Plus, or perhaps you’re in South Korea, they’ve got K-ISMS, which I like to describe… I’ve worked on this before. I like to describe those as kind of South Korea’s take on ISO 27001.

So the reality is, people hear about ISO 27001 and SOC 2 and they feel like they have to fit into those two boxes. And those two are very important. But you really want to take into account your customers, and then the industry you’re in and the location you’re in, and get one that makes sense for you. And then you have the right story to tell when you’re giving that to customers.

The bottom line of certifications is scope is key. You can get a certification for a room in an office building. You can get a certification for a product, a whole office. I mean, you can scope it any way you want.

And there’s a lot of nuance to that. So the number one takeaway, if you know nothing about cyber audits or certifications, is always ask to see them and read the scope statement. It’s the number one thing you need to know. Always read the scope statement. So when someone is handing it to you, you know: does this apply to the product I’m actually buying, or is it what some office halfway around the world got that isn’t actually relevant to me?

Julie DiMauro: I’m wondering, what are the different reasons why organizations seek these audits and certifications? What are they trying to prove?

And then let’s get into and cut to the chase in terms of the cost and investment to obtain a new cybersecurity audit or a certification.

Rachael Pashkevich Koontz: The two main reasons that an organization would want to obtain a cyber audit or certification are, one, internal maturity. I’ve been in a cyber department; you want to benchmark yourself, you want to hold people accountable. I do think it can really help increase morale and confidence in your cyber program, or in a product if you’re scoping it to a product or something. Sometimes you don’t have the teeth when you work in compliance to get people to do the training or to get people to implement that new tool. And if you’re like, hey, our audit rides on this, you have a lot more support to get people to do the things you want them to do, because nobody wants to be the one to make us fail our audit. So internally, there’s definitely a value and benefit to them. But the main reason people get them is to satisfy their customers. So again, going back to that first line: trust, but verify.

It’s much more common nowadays for customers to be seeking these. When I say customers, I mean generally in the business sense. Consumers usually aren’t asking for these.

But businesses want to know that the people they’re going into business with can be trusted to have some basic security controls around the data at their enterprise level. And this is the piece of evidence you hand over that often is what differentiates you or helps you seal the deal. That’s really the driving force. But getting into cost, I get asked that a lot.

I’m going to be a lawyer and say it depends. But I do think it’s helpful, as you’re thinking about it, if you don’t have something like this, to ask what the budget for it is. So again, it’s totally going to depend on the size of your organization, whether you’re small or big, whether you’re global, whether you’re interested in using the Big Four (I think we all know what that refers to in terms of the US market) as consultants to support you, because you will need external support for audits, or whether you’re more comfortable going mid-market. I will say I don’t have a strong stance on mid-market versus Big Four. I love cost savings. I’m a big supporter of that.

The reality, okay. So let’s just focus on ISO 27001 or SOC 2. So you’ve got two components. You’ve got external spend, so dollars you are spending outside of the company, and you’ve got headcount. So we’ll start with external spend. And I’m going to go in rough chronological order of how you would spend it. So you do have to buy the ISO and SOC 2 materials. They are not free. So you would have to go to ISO and buy their materials online. It’s roughly $600 US to buy it. Or if you want to buy the SOC 2 materials just to know what you have to meet, you buy that from the AICPA. And theirs is cheaper, I think it’s like $250, but you have to buy it.

If you’ve never done this before, I highly encourage some employee training from an external resource. Now, you could get away with doing that for free. There’s lots of online content, YouTube, other training sources where whoever is going to lead this program could learn about it. So it could be free. If you wanted to put a line in your budget for it, I would benchmark $2,500 per person who’s going to do some training. I think that’s a good number. Again, that’s optional. Also, if it’s your first time, something I highly recommend, but again, it’s optional, is a readiness assessment.

So for any of the frameworks I mentioned before, you can find a consultant who will do a readiness assessment for you. And it’s almost like a pre-audit or something like that. I think these are invaluable if you can fit it into your budget, because they’re going to tell you how ready you are. And that helps you manage your timeline and your messaging to leadership. And it makes you aware of the things that, if this is your first time, you need to know to be successful the first time. You don’t want to go through all this and fail your external audit.

For a small company, or a mid-sized vendor on the smaller side, I would say $5,000 to $10,000 on the low side. On the upper side, $30,000. I’m going to throw that number out there. Again, if it’s a specific scope, we’ll say put it in your budget for around $30,000 if you’re going to go again. And I’m basing these numbers more on mid-tier vendors. Again, if you’re going Big Four, double every number, I say. There’s value in them, but there is cost in them.

Okay, so now we’re getting to the more necessary components: an internal audit. So for ISO, you have to do an internal audit. It can be a component of SOC 2. And if you have an internal audit team that already knows how to do one of these audits, or that can do some training on how to do these audits, it could be free. Again, you can repurpose one of your internal auditors.

A caveat there is that I tend to see internal auditors who are SOX auditors, S-O-X. And SOX is a very specific way of auditing with very specific evidence requirements. And obviously, those people can be trained to be ISO or SOC 2 internal auditors. But ISO, for example, has far fewer evidence requirements in terms of what has to be written versus what is just evidence. And I’ve seen some struggles when they’ve tried to use internal auditors who’ve never done ISO before to do an ISO audit; it causes a lot of frustration.

So I would definitely encourage, if you are going to repurpose your internal auditors, which is cost saving, making sure they receive the prerequisite training so they understand the differences in evidence collection. But if you are going to hire someone externally, I’m just going to throw out there $25,000 to $50,000 to do an internal audit.

And then the big thing, the external audit. This is the most important thing, because that is who is writing your SOC 2 audit report or issuing your ISO 27001 certification. They’re putting their name on it, so they’ve got to get in the game as well. On the very, very low side, I’m going to say $20,000 to $25,000. And on the upper side, I mean, it can be at least $100,000. It depends on your scope. And for example, if you’re an international organization and you have multiple offices in scope, they’re going to have to send their auditors to different locations. So there’s a lot of factors at play.

When you go out to consultants and ask them, “Hey, what’s the cost of an internal or external audit?” They’re immediately going to say, “What’s the scope? How many places do I have to travel?” They can’t just give you a number because it could range from very low to very high. It all depends.

And then the one thing you’ll never know until you go through it is audit remediations. That is an unknown cost. So let’s say you go through the audit and they determine you would really benefit from a security tool filling this gap for you; that may have additional cost. But for every organization, that’s going to be an unknown until you’re going through it. So packaging that all together, the key necessary parts of buying the materials, an internal audit, and an external audit: on the very, very low side, if you’re a small organization, I’m going to say $25,000 a year. I’m putting it out there.

If you are a larger organization or have a really big scope, we’re talking at least $150,000 a year, maybe more. Really big companies aren’t going to bat an eye at that. But that’s just trying to put some numbers out there so people can kind of digest, “Is this appropriate for my business at this time?”

So they do cost dollars. That’s the reality. But one thing people often overlook is there’s also a headcount component, because someone has to own that program all year long. Someone is making sure the meetings happen, the audits occur, we’re fixing the findings, we’re doing all those things. So maybe you already have someone in compliance, governance, GRC (governance, risk and compliance), or within whatever program is getting scoped. I would throw out there, I think it takes 50% of a full-time employee’s time to manage this throughout the year. So I don’t think you need a full person.

You could probably benefit from it, but I’d say you’re going to at least need 50% of someone’s time for a full year, and then that’s every year. So I’ve definitely been in spaces where I’ve heard executives say, “Who do I have to pay to get one of these?” It’s like, “Oh, if it was only that simple, but then it wouldn’t be as valuable.”

So yeah, there is an external spend component and a headcount component, and you need to kind of consider both of those when you are budgeting for this, pitching to the business, why it’s a good idea and working together. It’s just really important to remember those recurring costs.

Julie DiMauro: It made me also think of smaller organizations. How can they afford it? What do you recommend in terms of them beginning their journey toward a cybersecurity audit certification, considering smaller budgets and headcount?

Rachael Pashkevich Koontz: Yes, also a question I hear a lot for really small groups.

So I am a cyber compliance person at heart, and stepping back from this audits world, if you’re a young organization, a small organization, and you are just starting to think about cyber compliance, my favorite thing to tell people to do as a starting place, because it feels the least scary, is to Google the Department of Justice’s, the DOJ’s, Evaluation of Corporate Compliance Programs guidelines. And you’re like, what does that have to do with cybersecurity?

Put the word cyber in front of all of the requirements, and that is a really helpful starting place for building a cyber compliance program. So even though you’re like, oh, it’s for corporate compliance: Do you have policies? We’ll put the word cyber in. Do you have cyber policies? Do you do cyber risk assessments? Do you do cyber training? Do you consider cyber in your third-party risk management? So it’s a really soft, easy, you-don’t-have-to-be-technical-and-scary way to start to think about whether we have the pieces in place to feel pretty good about our cyber compliance program as a starting point. So, excellent starting point.

Then I would recommend moving on to the free frameworks. So as we mentioned, ISO, SOC 2, and others are not free; even the materials are not free. So NIST is an excellent place to start. Again, this is more US focused, but that’s the National Institute of Standards and Technology. They put out a lot of free frameworks. And the NIST Cybersecurity Framework, commonly called the NIST CSF, is a really great starting point for organizations who are starting to be a little more mature.

You want to perhaps benchmark yourself against some sort of framework. You want to know where to start. That is a great one, again. And it builds upon some of the things from the DOJ mindset if we’re starting there. So it’s like: do you have policies? Are you updating them every few years? Do you have leadership support? Do you do training? Do you do more tailored training for people with heightened access? So it’s starting to build on that maturity.

So I’d encourage that to be the next step. And if you’re not quite ready to go out and get externally audited, again, maybe you don’t have the budget or something like that, what we were talking about from the beginning is evidence. So if you don’t have cyber audits or certifications to hand over to a customer or potential customer, the reality is they’re going to ask you for evidence instead. Because you can’t prove someone else audited you, they’re going to have to do some sort of audit-lite. And they’re going to ask you for copies of policies. They might ask you for screenshots of user access controls or lockout screens or other things.

So sometimes it can be really helpful if you do some sort of self-assessment and package it in a way to be able to hand over to customers and potential customers to say, “Hey, we’re not third-party audited yet, but we have done a self-assessment and here’s what we feel.” Obviously, talk to your internal lawyers and talk to your business people, because there’s a balance there: you should always be transparent, but sometimes your lawyers are probably going to encourage you not to highlight a lot of your gaps and things like that. So maybe that’ll be some fuel for you to get budget to fix those gaps.

But the goal is to just get something to make it easier on yourself, so that every time you have a customer, you’re not handing over your policies and handing over other stuff and dragging out a procurement process; you’re trying to build that confidence with what you’ve got, where you’re at. And then, let’s say you’ve done those things and you’re feeling pretty good, I would recommend starting to budget and work towards something more universally known like ISO 27001 or SOC 2.

And another piece I perhaps forgot to mention earlier is that certifications and audits take time. They are not something you can snap your fingers and get in a month. The very first time I implemented a program, I went for an ISO 27001. It took 12 months beginning to end. And I was so proud of that timeline. That was going from nothing to all the audits, all the meetings, everything, and having a certification in hand, which you better believe I printed out and made people take pictures of me holding because I was so proud.

But that’s why, for people listening to this conversation, again, if you don’t already know your organization’s stance on this, a big piece of that conversation is: where does our organization want to be in 12 months, 24 months? Look at your marketplace and look at where your competitors are. If they’re like, oh, hey, we’re noticing other people are putting on their website that they’re getting these things, or we’re hearing from our customers that they’re getting these types of cyber audits and certifications from others, know that you’re going to have to build in time and budget to get these things. So, yeah, it’s a lot of planning.

Julie DiMauro: Terrific. This is great. Rachael, I’m thinking about a conservative approach from a resource standpoint within a business’s leadership group. How do a compliance officer and chief information security officer best convince a recalcitrant executive leadership to provide enough resources for the type of certifications needed for the business, especially when the business might be facing other budgetary constraints?

Rachael Pashkevich Koontz: Yes, always a valid point, because budget is everything in terms of the dollars spent and the headcount. Fortunately, compliance, I think, is no longer strictly a back office function, as it was five, ten, fifteen or more years ago.

But because customers are asking for evidence, it really puts compliance and the GRC function at the forefront, because you are now directly supporting the business when your business clients are asking for these things. Proactively reaching out to consultants and auditors and coming up with a budget so you have a number to give to your leadership is incredibly important because, as I mentioned, it could be $25,000, it could be $250,000. It’s going to depend. And when you go to your leadership, you need to have an idea of what it’s going to cost and a timeline so they can digest it and see if that’s something that makes sense with their business plan.

And then also, have you lost any deals because you weren’t able to produce something like this? That is perhaps one of the biggest driving factors I’ve seen in organizations, the straw that broke the camel’s back, when they were like, “Eh, we thought about it for a long time. We weren’t ready to invest the dollars or the headcount.” The first time they lose a big dollar deal solely because they don’t have that, that changes executives’ perspective.

Which is kind of sad, you know, we’d like to be a little more proactive, but business is there to make money and you need to prove why this spend is going to drive dollars and sales. So like I said, there is an internal benefit to benchmarking and driving internal compliance. That’s particularly why I love them. But for the business, they need to know this is going to drive sales. And they do. This is the new expectation.

Julie DiMauro: Absolutely. I’m thinking about when your data is breached. Let’s say you’ve just had a breach at your organization. Does meeting the requirements of these frameworks help prove to any interested parties that you did everything in your power to follow proper procedures?

Rachael Pashkevich Koontz: In my opinion (this is not legal advice), but in my opinion, yes, they help. But the reality is that audits are points in time. So when SolarWinds happened, you better believe the first thing I did was look up whether they had cyber audits and certifications, because I was curious: what were you telling your customers? What did you already have in place? And they did. And it’s interesting. So having these things doesn’t mean you’re foolproof.

Cybersecurity is changing every single day. It is very hard to keep up and stay on top of the bad guys, and the accidents that employees make as well. It’s a mix of bad guys and accidents. So it’s a tough place to be. And it affects every single organization. You know, there are large organizations who realize they’re targets, but everyone is a target, even really vulnerable organizations and industries we would like to see not get hit, such as hospitals and education facilities.

So everyone is a target nowadays. I do think they help because, again, they show and they’re part of your story that we care, we value this, we’re trying, we’re already investing in this. So I do think it helps that overall, you know, your maturity and the confidence with your customers because it shows you were already investing money and time into this. And it’s not just a reactive measure like, oh, God, we got breached. Well, now we’ll start to care about it. So I do think it’s very beneficial before something bad happens to really focus in this area.

But it’s never too late to start and to hold yourself accountable to these things. So, yeah, I do think they help. Obviously, they don’t make you bulletproof.

Julie DiMauro: Now, what are your predictions, if you don’t mind sharing, for what we’ll be discussing related to cybersecurity audits and certifications, maybe three years from now?

Rachael Pashkevich Koontz: Okay, in three years. I’ll add two parts to this. What I think we will be discussing is CMMC. So that, again, is the US Department of Defense’s Cybersecurity Maturity Model Certification. This directly impacts DOD contractors and subcontractors. This is something that’s been in the works for at least five years. I remember when they first published this; we were all hopped up on it. They had five levels and all of that. It’s been very interesting to have a front row seat to see a certification and a framework get created, go through iterations, and take all this public feedback.

And it is not finalized yet. The expectation is it will be finalized and go into effect in 2025. It will start to be incorporated into DOD contracts. So we’ll start to see organizations have to meet these requirements and produce these certifications. And the reason why this is so unique is that most of the certifications we’ve been talking about are voluntary. So like ISO, SOC 2, you want to get them because they make your customers happy, not because they are some sort of legal requirement. Perhaps you have a contractual requirement with the customer to get one, but you’re choosing that.

Most frameworks are voluntary. So this is one where, if you want to be a DOD contractor or even in that supply chain, you need to be thinking about that and preparing for that. And because it’s related to the US government, they have to take feedback, there’s been pushback, and how is this all going to work? So it’s been very, very interesting. And when we actually see it go into effect, I’m interested to see if that changes things. Again, people are going to change their opinions of cyber audits and certifications to say this is no longer a nice to have. We see how DOD is rolling this out. It may eventually apply to all of the government groups if it’s successful. That’s not written down, that’s just speculation.

And how is that going to impact other industries? If this goes really well and the DOD and the US government sees it’s really shaping up their contractor base and really proving that they’re taking cybersecurity seriously, how is that going to affect the other critical infrastructure groups and what’s now going to be required of them? So I’m very, very curious to see the trickle-down effect of this if it is successful, as we expect it to be. But I will say, the thing I’d like to see in three years is a cyber audit or certification that’s focused on small businesses.

Because that is what I hear in conferences and talking to colleagues and people in other industries. Like, that’s great. That’s so great that your company can spend $250,000. It’s so great you have a team dedicated to this. I’m not that. And my cyber insurance premiums are going up because I need to prove that I have controls in place. But I am a one-man shop. I’m a 10-person shop. How do I do that in a cost-effective way? And I think that’s a gap in the market: to come up with a universally accepted framework and certification or audit report that everyone agrees with. There are vendors out there that will do similar things for you, so I’m not going to say there’s nothing out there.

But I don’t think there’s anything universally accepted that is geared towards small, really small businesses, that helps them become more mature and then validates it. So I would love to see that in a few years, so we’re being holistic with our supply chain, because some of these certifications are very difficult for small businesses. So I’d love to see something focused in that area.

Julie DiMauro: Thank you so much, Rachael Pashkevich Koontz, for joining us today and sharing your expert insights with us. Thanks to all of our listeners for joining us in this GRIP podcast. Again, don’t forget to check us out at grip.globalrelay.com, and we’ll see you back here for another program soon.
