October 22, 2021

 

As public trust in technology erodes — for the first time — it’s clear that we need to reevaluate our approaches to security and compliance.

The way we’ve been doing it is no longer working…

But continuous compliance might.

Today’s guest, Mosi Platt, Senior Security Governance, Risk, Compliance & Assurance Partner at Netflix, joins the show to explain why.

 

In this episode, we discuss:

  • The benefits of continuous compliance and what you need to know to implement it
  • The role continuous compliance can play in regaining trust
  • How continuous compliance factors into auditing

 

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

 

 

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (00:00:06):

Narrator:You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:00:25):

Hey there. And welcome to yet another episode of The Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, one of the smartest people that I know in the industry, Mosi Platt. Hey, Mos.

Mosi Platt (00:00:38):

Hey John. Happy to be here.

John Verry (00:00:40):

I did put the pressure on you there with that intro. So, I hope you’re going to live up to it. Okay?

Mosi Platt (00:00:45):

Only time will tell.

John Verry (00:00:49):

All right. I’ll always start easy. Tell us a little bit about who you are and what is it that you do every day.

Mosi Platt (00:00:54):

All right. Sure. I consider myself to be a security GRC and assurance expert. So, a little less humble to being the smartest person you know, but-

John Verry (00:01:03):

You did use the expert word, which denotes a lack of humility, but I’m just saying.

Mosi Platt (00:01:09):

That’s right. But I felt like I’ve earned it with 19 years of experience, because that’s how long I’ve been doing it. And I feel like when I think about it, what my career has really been about is helping organizations build security and privacy programs. And now my goal is to help them do that in a way that provides continuous trust in the organization or the program’s capabilities, right? To create and protect value.

Mosi Platt (00:01:31):

That’s what I want to do. Right now, my areas of interest are cyber risk quantification, continuous audit metrics, continuous assurance and content security, especially for cloud providers. So, I pursue those interests as a senior security partner for governance, risk, compliance and assurance in Netflix. I’m an advisor for RiskLens, and I volunteer for the Cloud Security Alliance and the Content Delivery & Security Association.

John Verry (00:01:58):

Excellent. Now, it’s been a while since you and I broke bread together. What’s your drink of choice these days?

Mosi Platt (00:02:05):

I’m seasonal. So, spring and summer, it’s Casamigos Anejo Tequila with some fever tree ginger ale, a pink grapefruit. And fall and winter, I like a Pierre Ferrand Cognac with cream soda.

John Verry (00:02:21):

You’ve classed it up since I knew you.

Mosi Platt (00:02:24):

You knew me when the Pierre Ferrand, I just didn’t drink it as frequently. But that was my drink of choice when I lived in New York. That’s where I actually got introduced to it, in Harlem. This shop in Harlem sold it.

John Verry (00:02:37):

So, I can participate a little bit in the tequila conversation, but I have to admit, I don’t even know that I’ve drank … I’ve probably drank cognac. Like when you look at things like a Drambuie, is a Drambuie in that cognac family?

Mosi Platt (00:02:52):

I don’t know enough.

John Verry (00:02:54):

And you don’t know Drambuie. Okay. Before we both embarrass ourselves any further, let’s get to really why you’re here. You covered a lot in that first thing, right? Really what I was hoping to chat with you about is a concept that we see growing in import and growing in general recognition of its importance.

John Verry (00:03:16):

And that’s the concepts of continuous auditing, continuous compliance and continuous certification. So, could you start by just defining or giving us a basic description of what each of those is?

Mosi Platt (00:03:26):

I can. And these are going to be very simple definitions and I can flesh out some examples. But when I think of it, and I actually don’t even break them up into those three buckets, I simplify it even further from that. To me, there’s continuous compliance and there’s continuous assurance and I feel like continuous assurance covers the auditing and certification parts.

Mosi Platt (00:03:47):

For me, continuous compliance at the end of the day, it comes from continuous performance evaluation and improvement of operations. What does that mean? Examples of that could be anything from automated vulnerability and discovery scans, security logging and automated alerting, cloud security posture management tools, attack simulation is a new thing and all down to agile auditing, right?

Mosi Platt (00:04:16):

Instead of just doing audits once a year or every quarter, having an agile audit process where you’re doing a different audit every two weeks or every month. Continuous improvement, right? That could be from robotic process automation for triaging security events, or having workflows in like a ServiceNow or a JIRA for triaging security alerts or corrective action and continuous improvement plans or your POA&Ms, right?

Mosi Platt (00:04:39):

To me, that’s all continuous improvement. Continuous assurance I think comes from continuously reporting the security programs’ outcomes to stakeholders. That can be done via audit, that can be done via certification. I think the method doesn’t really matter as long as it’s continuously done and not the point in time reporting that we currently do.

John Verry (00:05:00):

Got you. So, a couple of things there, so continuous is a weird word, right? Continuous implies some temporal rate.

Mosi Platt (00:05:11):

Right.

John Verry (00:05:11):

And there’s no true continuous, right? Because certain things only happen at a certain periodicity. So, is there a definition of the temporal rate that something crosses over from point in time or four times per year to continuous?

Mosi Platt (00:05:27):

At that point then I’d go with the Cloud Security Alliance’s definition, for them continuous is at least monthly.

John Verry (00:05:32):

Okay. And then if we get to aspire to truly continuous, that speaks of that generally we’re talking about something which would be automated in some way?

Mosi Platt (00:05:42):

When you say truly continuous, you mean like real-time?

John Verry (00:05:44):

Well, even anything which is happening, like you talked about agile and let’s say we had some type of pipeline process that occurs and someone’s doing three builds per day type of thing, it would be impractical, possible, but impractical to do continuous auditing in a human manual manner in that situation.

Mosi Platt (00:06:03):

Correct. Yes, continuous requires automation or otherwise it doesn’t scale.

John Verry (00:06:08):

Okay. And it would require automation both on the, I would assume it would require it on the gathering the data side, as well as the storing, presenting, processing data, validating the data side?

Mosi Platt (00:06:22):

Correct. Correct.

John Verry (00:06:23):

Got you. I’m a huge fan, and you know this from your work here at Pivot Point Security. By the way, Mosi was the first employee ever at Pivot Point Security and was with us for, I think, 16 years or something nutty like that.

Mosi Platt (00:06:35):

16 years.

John Verry (00:06:37):

An awesome 16 years. We were blessed to have him. Mosi was one of the people who actually helped to establish our ISO 27001 practice and helped us be the kind of a company that aligns with open trusted frameworks. So, I know that you probably brought that concept anywhere you’ve gone. What open trusted frameworks would someone look to align with if they were looking to move towards continuous compliance?

Mosi Platt (00:06:59):

That’s a good question. I have started to think about frameworks differently since I started thinking about this and I think there are different types of frameworks, and I think it’s important to break them apart to recognize what your framework is for. Otherwise, a list of confusion and problems.

Mosi Platt (00:07:13):

So, like there are governance frameworks, right? And for that, I like ISO 27001 because I spent over a decade working with it as a consultant for Pivot Point. For risk, I like FAIR. If we quantify the risk, it resonates more with the business and it means more to the people who actually need to do something with the risk output. It’s something tangible that they can do something with and it becomes more instructive that way.

Mosi Platt (00:07:38):

For control frameworks, I’m not too religious about control frameworks. I feel like as long as the control framework can be mapped or is mapped to other frameworks and it’s relevant to your organization, that’s what’s most important. As a person who works in cloud native companies, I like this Cloud Security Alliance’s cloud controls matrix because it’s mapped to so many different frameworks.

Mosi Platt (00:08:01):

It’s mapped to over three dozen other frameworks and it has controls that are relevant to cloud native companies. And then for an assurance framework, I’d like the Cloud Security Alliance’s open certification framework.

Mosi Platt (00:08:14):

Some of the same reasons of the control frameworks, that it’s open and it maps to so many other, not so many other, but it maps to other certification frameworks. It’ll map to ISO 27006 and it’ll map to the AICPA standards for SOC 2. So, I like that open certification framework for those reasons, because it’s flexible.

John Verry (00:08:37):

I’m not familiar with the open certification framework. Is that different than the CSA STAR?

Mosi Platt (00:08:42):

The CSA STAR is based on the open certification framework. Yeah.

John Verry (00:08:44):

Okay. Okay. And if I’m not mistaken, we’re still at a point where the CSA STAR, it used to just be you could build that on top of 27001, but now you can build it on top of 27001 or a SOC 2 attestation?

Mosi Platt (00:08:57):

Right. 27001, SOC 2, and then there’s also ISO 17021.

John Verry (00:09:03):

021?

Mosi Platt (00:09:05):

Yeah. I believe it’s also able to build on top of that, and that-

John Verry (00:09:05):

Yeah, I don’t know that one. Do you know that?

Mosi Platt (00:09:06):

That’s for GDPR.

John Verry (00:09:07):

Yeah. And by the way, the weird thing about 17021, I think that’s the one that they also add into the requirements to become a C3PAO. So, I don’t really know that 17021.

Mosi Platt (00:09:19):

Okay.

John Verry (00:09:21):

I might be wrong. It might be like 17020 or something, but there’s a couple of them that I had never heard of and never got around to looking them up, unfortunately.

Mosi Platt (00:09:29):

Right. And so, the only reason I bring that one up is it’s interesting because I think in order to be considered a GDPR certification scheme, your certification scheme has to be based off of that ISO standard.

Mosi Platt (00:09:41):

And I think the issue is 27701 is not. And so they’ll either need to change the regulation or change the standard, or go with something besides 27701 for GDPR certification, whenever that scheme is approved by the different jurisdictions in the EU.

John Verry (00:10:00):

Yeah. And it’ll be interesting to see what they decide to do on 27701 because I think one of the values of 27701 is that, much the same way 27001 is, it’s a framework that can encompass multiple frameworks, right? It’s not designed just for GDPR or CCPA. So, I think that there’s the pro and con of them making some changes specific to that.

John Verry (00:10:22):

I would think that a company might end up getting a 27701 to speak to the broadness of their overall program and then maybe a GDPR add on, if you will, might be done through some type of an audit firm to confirm the implementation is consistent with the GDPR requirements.

Mosi Platt (00:10:39):

Yeah. But as a practitioner, I would love it if I only had to get audited once.

John Verry (00:10:43):

Yeah. When you used to live on our side of the fence, you would’ve liked that.

Mosi Platt (00:10:51):

Right.

John Verry (00:10:52):

And now on your side of the fence, and it’s funny because even just chatting with you casually as we have over the years, it’s funny to watch your shift in your thinking associated with … because you spent so many years living on our side of the fence and now to, to hear you talk, I definitely see that shift in you. So, it sounds to me like I think the value proposition makes sense, right? I know that compliance in and of itself is a lot of work.

John Verry (00:11:19):

Continuous compliance sounds like it’s even more work. So, if someone’s listening to this and going like, “Hey, this sounds like something we should be doing, but it’s going to be a lot of work,” how are they going to justify that level of effort? What are the benefits to the organization and the key stakeholders that they’re going to get out of putting a level of effort into this?

Mosi Platt (00:11:38):

It’s tricky because there’s self-interest and motives for different groups to pursue it or not to pursue it and it has to be communicated in a way that everybody understands how it’s in their best interest or in the best interest of the organization. Because for example, as a compliance professional, so if you’re on the compliance team for an organization, your selfish reason for doing continuous is it actually makes it less work for you, right?

Mosi Platt (00:12:03):

It’s more work for an organization overall, but instead of all that work being concentrated within one group, it’s dispersed and pushed out to where the people are actually doing the operational activities. And so, the compliance happens closest to where the work is being done. And so, instead of being on one team, it’s on all teams that are within the scope of a compliance program. That can come off as a selfish reason, the compliance team want to do this so they can do less work.

Mosi Platt (00:12:28):

Well, yes, but it’s better for those operational teams because instead of coming to the compliance team as a gate before you can get your work done, you are now empowered to manage compliance for yourself. And the compliance team has enabled you with the tooling and the context so that you can make those decisions that you know when you’re making the decisions it’s in the best interest of the organization, and you’re not putting compliance at risk.

Mosi Platt (00:12:50):

And so, you can move faster, right? That’s one benefit. The overall benefit for society, I think is the current approaches to assurance just are not building sufficient trust and they’re not going to become more effective over time. They’re just going to become less if we keep doing the same things that we’re doing. As technology evolves, as the business ecosystem changes. And you know this, right?

Mosi Platt (00:13:15):

Customers would come to us when we first started building the ISO practice or the GRC practice and say, “Hey, I want to get a certification so I get less questionnaires from customers that I have to complete.” But that’s no longer true. You can get a certification, you can provide a client or customer a SOC 2 report and they’re still going to ask you to fill out their security questionnaire more often than not.

Mosi Platt (00:13:36):

So, the security questionnaires are increasing over time, they’re not decreasing even though more people are getting certified or getting attestation reports. So, that’s one problem. The other problem is security breaches. Security breaches are going up and decreasing trust in an organization and an audit report or an attestation report isn’t mitigating that decrease in trust.

Mosi Platt (00:13:56):

And we saw this start with PCI, right? When PCI certified organizations started getting popped for credit cards like Target, I think to me, that’s the signature moment when they’re like, hey, that’s when the trust and assurance began to decline, right?

Mosi Platt (00:14:12):

And then you take that with more security breaches and you put the supply chain issues, so now as there more security breaches, it’s the supply chains that become less trustworthy and everybody has a supply chain, right? Because it’s all interconnected. So, where is the trust in the system going to come from? And I think that’s the ultimate goal of security. What we’re here to do is we’re here to build trust.

John Verry (00:14:33):

Yeah. Trust is a lubricant.

Mosi Platt (00:14:34):

Right? And so, if we’re just providing you something that you can’t trust once a year, how are we building trust? And so, we have to start being more transparent and we have to repeatedly tell people how we’re doing. Because the change is constant. There’s a breach reported every week, right?

Mosi Platt (00:14:52):

There’s a supply chain issue all the time. Security questionnaires go every time a new customer or vendor is onboarded. So, we need more frequent provisions of trust, and that’s where the continuous trust comes in.

John Verry (00:15:04):

Okay. So, I’d like to unpeel that a little bit, because you said about three or four things, I was like, I got to write that down. I got to write that down. I agree with you that we are getting to a point where as the complexity of what we’re doing goes up, that existing compliance measures just simply don’t work.

John Verry (00:15:22):

So, the question though is that, are we in a never-ending race as the complexity of our infrastructure and deploying infrastructure and code and agile development and more and more releases and Kubernetes, which creates theories of inception, right?

John Verry (00:15:44):

As that all continues to rise and we begin to increase the complexity of our automated compliance mechanisms, continuous compliance, are we going to be able to keep up with that? Or is it going to be just the never-ending race to this endless summit?

Mosi Platt (00:16:03):

It’s a good question. Continuous compliance doesn’t work without continuous context, continuous leadership, continuous planning, continuous support, continuous operations. Everything has to become continuous. Right? Everything needs to become agile, essentially. Everything has to change in order for this to happen. I don’t think we can do one as a front end for the other, right?

John Verry (00:16:29):

Right. Yeah. If you really think about it, and I love what you just said, because you need continuous context, you need continuous risk understanding, you need continuous understanding of control implementation matching up with those things, continuous validation that these controls are actually operating the way they’re intended, continuous validation that they’re actually producing the desired result even if they are operating as intended, right?

John Verry (00:16:53):

You’re right, continuous compliance isn’t just the purview of the compliance area. It’s an organizational change.

Mosi Platt (00:17:01):

That’s right. That’s right. And so, you’ve got to have communication throughout the organization. And one thing, before you get that continuous context, you’ve got to have continuous leadership updating or making changes to the vision as appropriate so that you’re managing expectations.

Mosi Platt (00:17:15):

That way, you don’t feel like you’re in the never-ending rat race of playing keep up. Because leadership has said this is where we need to be. And as long as we’re doing that, we’re not worried about everything else out there and trying to chase squirrels or shiny objects.

John Verry (00:17:31):

Yeah. Because you said at the very beginning, I agree with you, and I think you used an old COBIT line, move from value preservation to value preservation. I remember you telling me that was value IT or something like that. You were the one who pointed that out to me the first time and said, “This is important. This line right here is really important.”

John Verry (00:17:49):

And I use it to this day, by the way, and increasingly more so now than I ever did. And I always used the term that we want to convert information security to a business enabler. So, what you’re even saying with the continuous compliance is it can create that business enablement by building trust with our key stakeholders, but it can only do it if the business continually gives us the input that we need to know where we need to have the program in six months, one year, three years.

Mosi Platt (00:18:13):

That’s right. That’s right. Yeah.

John Verry (00:18:16):

Yeah. I love the idea. Now, you work in, I think one of the world’s premier organizations for insane levels of deployment, right? I don’t remember what the numbers are, but you guys created your own containers, you spin up 30,000 containers a day or an hour. You see these nutty things about, does it take an organization of the scale and sophistication of Netflix to do this? If someone’s listening to this and they work in a 500 person SaaS firm, is this just pie in the sky stuff or is there a path for them to achieve this?

Mosi Platt (00:18:55):

There’s absolutely a path to achieve it. When I was at a 300 person SaaS company, this is what we were strategizing to get to. I presented on it at an employee summit when the company was 200 employees and the CISO was completely bought in and the strategy was absolutely to get to a path to continuous trust within three years, three to five years, give or take.

Mosi Platt (00:19:19):

So, it’s absolutely doable. And there are pros to being a smaller organization than Netflix, because at a smaller organization, when you don’t have the talent to build everything yourself or the capability to do everything yourself, you go out and buy what you need. And sometimes the market will provide solutions faster than you can develop them yourself.

Mosi Platt (00:19:42):

When Netflix started developing its own orchestration platform, Titus, that was pre-Kubernetes. Kubernetes didn’t really exist then, which is why they started creating it. And now Kubernetes exists, but you’ve got so much invested in Titus, now it’s, what do we leverage from Kubernetes?

John Verry (00:20:00):

Yeah. Sometimes your legacy drags you down.

Mosi Platt (00:20:04):

Inertion is a real thing.

John Verry (00:20:05):

Yeah. Yeah.

Mosi Platt (00:20:07):

When you’re smaller, you have less inertia, so you’re able to adjust quickly as new solutions come to market that you can leverage for something like continuous compliance.

John Verry (00:20:16):

Two other things that poked by interest around that original answer. You mentioned, and I agree, that continuous compliance distributes the compliance requirements more broadly across the organization and down to the people, the operational people that are responsible for actually operationalizing the control.

Mosi Platt (00:20:33):

Right.

John Verry (00:20:34):

Do we need to worry about segregation of duty, segregation of function? Have you wrestled with that issue? Because one of the values of compliance being an independent objective function is we can trust the compliance data we get. If as we move it closer and closer to them and they have more control of that, do we lose that? And are there mechanisms we can use to ensure that we can trust that data?

Mosi Platt (00:20:57):

I don’t think we lose it because I think the three lines of defense still exists. And so, we’re just moving compliance … So, the way it works typically now is there’s a compliance person and they go out and they gather the evidence from the internal control owner. And they review it and hand it off to an auditor who says, “Yep, I got that.”

Mosi Platt (00:21:20):

And they’ll do some rudimentary testing, maybe, depending on what the control is. Sometimes they may be checking for the existence of the evidence, not even on the quality of the evidence, but then maybe they do some rudimentary testing of the evidence. But it’s all largely performative. Most of the times, it actually doesn’t make the organization’s performance any better.

Mosi Platt (00:21:38):

Because the people who are doing the assessments lack the context of the control owner. So, I think if the control owner’s responsible for knowing their compliance requirements and making sure they meet them, they can do their own self-assessment of whether they’re meeting the compliance requirements, but it doesn’t mean that the second and third lines of defense can’t do their own review.

Mosi Platt (00:21:59):

It’s just a question of the scale of their review. Do they need to look at everything that’s collected or can they just look at failures or can they look at certain successes because they want to understand, hey, how was this process so effective? I think it allows them to be more focused and get more value out of those reviews beyond just saying, “Yes, we did this so we can provide a level of assurance that people no longer trust.”

John Verry (00:22:19):

Yeah. One of the things you said that’s interesting there is that you’re speaking to perhaps the importance of communicating the value proposition to the control owner of continuous compliance and making them a vested stakeholder in that, right?

John Verry (00:22:34):

As an example, if we were talking about an agile methodology and we were doing code review during integration testing, or unit testing or something of that nature, if they could see the improvements in the quality of code and the reduction in time to either time to market, or they could see reductions in the amount of rework that’s necessary after going through UAT or things of that nature, then what we’ve got is somebody who is no longer looking at compliance as being a speed bump on their way, they’re looking at it as more being an enabling technology.

Mosi Platt (00:23:05):

Right. And I think the burden is not just on them. The burden is also on the compliance professional, because I think it’s two-way street. As a compliance person, we can’t just go to the control owner with the compliance requirements and say, “Hey, you need to account for this in your business process.” Because they can say, “Dude, this is completely irrelevant to our business process.”

Mosi Platt (00:23:22):

And so, now you have to figure out, okay, well what should the compliance requirement be in a way that it preserves and creates value? Compliance folks have to be willing to adapt the compliance requirements to the business instead of just carrying them like tablets from on high that says, “Yee must comply.”

John Verry (00:23:45):

What you’re saying is that we’re going to ask our compliance personnel to have a more consultative style?

Mosi Platt (00:23:53):

Correct.

John Verry (00:23:54):

And that’s a bit of a challenge, right? Because compliance is often in an organization, an entry-level position because it’s perceived, I think by a lot of people that sometimes it’s a check the box. Hey, go out, make sure the data is there. Look at the data, does it have these three attributes? Okay. Check the box, pass it off to the auditor who will actually do the critical thinking and opine on it.

John Verry (00:24:17):

So, that’s an interesting question, right? Does it also mean that if we’re going to get to this continuous compliance and we’re going to make the control owners stakeholders in the process, give them value, we’re going to have to change the style and perhaps even the quality and experience of the compliance folks?

Mosi Platt (00:24:33):

Right. And that’s where you have to make the business case like, hey, we aren’t currently providing enough trust that our stakeholders need, how do we make this more valuable? You’re going to have to invest in it. But you have to make sure that you have a business that’s like, if we invest this much, we get that much out of it to justify it. You can’t just create value without putting any value into it. We have to have skin in the game. It’s going to cost something.

John Verry (00:25:02):

At the beginning, I asked you to define continuous audit compliance certification and as I recall, you took audit and certification and put it into assurance bucket.

Mosi Platt (00:25:11):

Right.

John Verry (00:25:12):

So, let’s talk about the assurance bucket for a second, because it occurred to me when you were chatting earlier and made a note here, are we seeing, and is it a logical extension of what you’re trying to accomplish that our continuous compliance is exposed through a GRC platform to our stakeholders?

John Verry (00:25:27):

So, if I’m going to tell you that I’m doing all of these right things, and there’s five of them that are uber-critical, let’s say that I’ve got a third-party service provider who’s business resilience is critical to me. Do you see us moving towards a world where a key stakeholder like me could go to a GRC platform or some type of a tool and I could literally see the evidence of these controls that are critical to me in near real-time?

Mosi Platt (00:25:55):

So, I’m the user of the third-party services or I’m the third party?

John Verry (00:26:00):

Yeah.

Mosi Platt (00:26:00):

Okay.

John Verry (00:26:01):

Yeah, let’s say you’re the user of a third-party service. Some type of a SaaS application, ERP application in the cloud that’s business critical to you. Them implementing continuous compliance, you being told that they have that, and that being one of the reasons that you chose them, do you see this in the future where almost we all have these exposed dashboards that you can almost look and validate? Is that a logical extension of this continuous assurance?

Mosi Platt (00:26:25):

In the world I want to live in, everybody would have a trust.yourdomainnamehere.com and they’re exposing … just like we have the status.yourdomainnamehere.com today where you can see the status of a cloud service, right? There should be a trust page that’s the equivalent and it’s the status of your assurance, right? That’s the world I want to live in.

Mosi Platt (00:26:46):

So, it’s not static, it’s dynamically updated when we get to that point where we know we can scale the technology to that point to support that. So, we can get to that real time. In the interim, it’ll probably be monthly at best.

Mosi Platt (00:26:58):

But if we can get to a point where in real time you have an update on, hey, this is how well the access controls are performing for vendor XYZ. This is how well the privacy controls are performing for vendor XYZ in real-time, that’s where I think we need to live in so we get to the point where we battle this declining trust that we’re currently seeing.

John Verry (00:27:19):

I see more and more orgs embracing GRC platforms. The data’s going to be there. They have interfaces that are externally exposed let’s say for audit purposes. I don’t see no reason why you couldn’t expose something like that to key suppliers.

Mosi Platt (00:27:34):

Right.

John Verry (00:27:34):

And then the weird thing about that is like, I think most people’s concern would be, oh my God, but what happens if we miss something? Actually, if you miss something in a strange way and they’re able to see that, you are building trust.

Mosi Platt (00:27:46):

Yes. Yes. And that’s how we need to think about it. We have to look at the audit as not as the scary thing, but it’s just a means for us to build trust with continuous improvement. If our audit isn’t finding things that we can improve upon, then our audit isn’t helping us. We don’t want an audit to come out clean. We want an audit to find things that we can use for continuous improvement.

Mosi Platt (00:28:06):

And that’s why I think we need to be more agile about everything because that’s an agile principle, right? We want to have continuous improvement. And so, in order to really be continuous improvement, we have to change how we think about failure.

John Verry (00:28:18):

From your lips to God’s ears. I tell every single client now, I said, “You need to set an expectation with your management that you are going to tell your ISO auditor, your SOC 2 auditor that I want every nonconformity, every exception, every OFI that you can find. You’re paying $35,000 or $45,000 for an audit anyway, why not get your money’s worth?”

John Verry (00:28:40):

And I think the only reason people don’t get their money’s worth is because management often looks at a nonconformity or an OFI or an exception as a failure. We have to change that. I think, especially as we go to continuous compliance, if we can’t change that mindset that that’s a failure, and you know one of our clients that you worked with quite a bit, somebody that was in the healthcare space who would fight you to the death over an OFI because the board would give them such a hard time?

John Verry (00:29:07):

In order for continuous compliance to really be what you want it to be, we’ve got to change that mindset across the industry, I think.

Mosi Platt (00:29:14):

Yes. One of the biggest hurdles is, I’m probably going to say the biggest hurdle is culture. We have to become more transparent. Now, I fully recognize in order to get there, nobody’s going to flip this on if they think it’s going to show that 50% of their controls are ineffective or insufficient, right?

Mosi Platt (00:29:35):

So, there’s some internal reps that you have to go through before you build enough confidence that, hey, most of our controls operate as intended. And when they don’t, we have a robust improvement process to get them from a noncompliance state or an ineffective state to an effective state in a fairly reasonable amount of time.

Mosi Platt (00:29:57):

So, you have to have trust in your operations, you have to have trust in your improvement processes if you really want to do continuous compliance. And so, you have to build that confidence in both.

John Verry (00:30:06):

And even if you exposed an interface that showed a potential client that you have a couple of issues, if everyone else they’re looking at is a black box and isn’t willing to do it, that is going to be a competitive advantage, right?

Mosi Platt (00:30:22):

Right. Because everybody has issues, right? We see the breaches. You see all these breaches are happening and nobody’s having any issues? At least we’re telling you about ours before it hits the newspapers.

John Verry (00:30:36):

I agree completely. The more we chat, the more I’m a fan of all of these ideas. So, I think we’ve touched on some of the challenges to achieving these ideals. What didn’t we, in terms of some of the challenges, right?

John Verry (00:30:50):

We talked about culture, we talked about complexity, we talked about segregation, we talked about updating the skillset and consultative capabilities of our compliance folks, we talked about changing management and the way they react to failures and nonconformities and things of that nature.

John Verry (00:31:07):

We talked about their requirement to feed us continuous information that comes into our information security and compliance programs. What else? What else are you seeing that you think are some of the challenges?

Mosi Platt (00:31:17):

I think one is, I don’t think we’ve talked about this one yet, and this is on the compliance professionals. We’ve had to change the culture from the desire to have prescriptive requirements to embracing self-determination. It’s been interesting volunteering with the Cloud Security Alliance and these working groups for continuous audit metrics and star level three.

Mosi Platt (00:31:41):

There’s a lot of compliance professionals who just want someone to tell them, “Just tell me what to do so we can do it.” As opposed to, “Let me figure out what to do, communicate that to my stakeholders, and then prove to them that I’m doing what needs to be done.” I think that’s a minority position right now. And so, that culture has to change.

Mosi Platt (00:32:02):

And maybe on the auditor side, we touched on this a little bit, so maybe I don’t need to get into it, I’ll just throw it out there. You tell me if we need to talk about it some more. But I think we need to shift from auditing for efficiency to auditing with context, right? And so, instead of, “Hey, how can I do the audit in as few days as possible to control the cost so I can secure this contract?”

Mosi Platt (00:32:19):

To, “How can I do an audit that’s going to provide my customer value because I understand their business and I’m not just doing an audit because a prescriptive requirement says I have to? I’m doing an audit because this is where the risk is in their business.” Because I also think that’s what drives the management feedback on we don’t want findings, because so many of the findings are annoying and useless.

John Verry (00:32:38):

I agree completely. In fact, I’ve had some conversations very recently with auditors across different standards so it’s not a knock against anyone’s standard, but I’m amazed at how certain auditors, how lightly they hold people’s feet to the fire. I mean, we have SaaS clients that have certifications that you’d be… Impressive certifications.

John Verry (00:33:02):

And we go in and we start looking at some of the things that are going on in their SDLC software assurance programs, and it’s dreadful. And you’re like, but yet they have the certificate, they have the type two report. But the auditor really didn’t dig into the places where he really should have.

John Verry (00:33:21):

He didn’t do the context. He hasn’t taken a risk-based approach to auditing. And the question becomes, in some cases, is, do they have the awareness? Do they have the understanding? That’s the context. Do they have the skills? That’s another question. And then the last thing is, and it ties into exactly what we were talking about, sort of the other side of the coin is, auditors are in a tough spot.

John Verry (00:33:39):

And I’m glad I’m not an auditor because you want to grow your business, they’re trying to grow a business and you’re trying to maintain a tenuous relationship with your client. How do you tell your client that their kid is ugly, their baby’s ugly, at the same time that you want to continue to grow your business with them? It’s really not an ideal … it would be interesting if we could find a better way to have a relationship between the auditor and the auditee.

Mosi Platt (00:34:06):

But see, I think that’s where they have to have the cultural shift of like, “Hey, I’m not telling you your baby’s ugly. I’m telling you, you told me you want to achieve these things and I found these issues that are going to prevent you from doing those things if you don’t fix them.” Or, “You say that you want to do these things, and it looks like it’s costing you X amount of time and effort and money to do those things. But if you address these issues, it’ll cost you less time, effort and money.”

Mosi Platt (00:34:31):

And if they start putting it that way, then it’s not that you’re ugly or that what you created is ugly, it’s that what you created can actually give you … you can get more of what you want from what you’ve created if you address these issues that we found.” But the auditors have to find those issues and not the, “Oh, you had a grammatical error in your policy document.”

John Verry (00:34:51):

I actually love what you just said. That is inherently the problem and I never thought of it that way with the audits that we’re doing. They are doing a controls audit. They’re looking for petty inconsistencies in implementation of controls instead of looking at how those controls impact the net objectives of the organization.

John Verry (00:35:19):

And you’re right, if they tied it to that, like nobody likes … we’ve all had the damn findings where it’s like, and we had it this year, “Your so-and-so policy refers to the system security manager instead of your CISO.”

Mosi Platt (00:35:35):

That’s right.

John Verry (00:35:37):

And I’m like, “We define them the same way in our organization.” “That’s a nonconformity, somebody might not know how to do that.” And you’re like, “This is crazy.” And you understand why they give it to you, but really that has no bearing. That provides no value to the organization.

John Verry (00:35:51):

But if they turned around and looked at, “Hey, the tool that you recently deployed that does not yet process in scope data, but your practice lead told me was that was in the plans for this year hasn’t gone through an appropriate risk assessment and/or security analysis. And if you deploy that tool prior to that happening, you could be at significant risk.” Now, that’s a valuable nonconformity, corrective action, opportunity for improvement.

Mosi Platt (00:36:23):

Right. Right. Exactly.

John Verry (00:36:24):

I love that. Just out of curiosity, I know you talk with a lot of the registrars and CPA firms, right? You’re very active in the community. Have you ever talked with folks about that? Because I think that’s a really, really very significant observation and idea.

Mosi Platt (00:36:40):

In the working group, Willie Fabricius is one of the members of the working group.

John Verry (00:36:46):

Did you see he just changed out works.

Mosi Platt (00:36:48):

Yes. Yes. He announced it to us last week.

John Verry (00:36:52):

Yeah. I traded emails with him today. He’s a trip. I love Willy.

Mosi Platt (00:36:55):

Yeah. I was like, “Wow, the world has changed.”

John Verry (00:36:59):

Exactly.

Mosi Platt (00:37:00):

Willie and John DeMarie, not at BSI.

John Verry (00:37:03):

Exactly. Exactly. Like did the world tilt on its axis? You know what I mean?

Mosi Platt (00:37:07):

But Willie’s position is, and I think it’s a respectable position, he’s like, look, the way he balanced the tension between auditors and auditees is I’m never going to find an organization that has it all together. And I don’t expect them to. And if I compare them to each other, like you said, like the one client had bad software assurance but they still had an attestation report, so does probably all of their peers.

Mosi Platt (00:37:36):

Or at least half their peers. Right? He’s like, “My job is to tell you what’s wrong and make sure that you actually do continuous improvement. So, if I find you in state A in year one, I’ll give you your certificate as long as you’re meeting the requirements of the standard.

Mosi Platt (00:37:53):

But when I come back in year two, I need to see that you’re making progress on addressing those issues.” He’s fine with you can pass an audit without a perfect system, but it has to be a continuously improving system. And that makes sense to me.

John Verry (00:38:09):

That’s exactly the way ISO is supposed to work, but that’s still not the issue that we were just talking about.

Mosi Platt (00:38:11):

It’s not, but that gets it … Well, and also, Willie is one of those few auditors who would actually ask you about the business before the audit starts. And he would try to give you findings that are relevant to your business, but he would not expect you to be perfect. Personally, he would try to do that. So, how do you make that a systematic thing, I think is the challenge.

John Verry (00:38:36):

That’d be driven by the certification body, AICPA, UCAS, ANAB. Would it have to be at that level to change? Because really what we really should do is redefine what the objective of the audit is.

Mosi Platt (00:38:49):

The problem is the auditing standards say that now, it’s just-

John Verry (00:38:51):

Do they?

Mosi Platt (00:38:52):

Yeah, it’s just not practiced. And so, I don’t think it can be at the accreditation body level. I think it’s something within the audit firms themselves. I know we’ve all made jokes or we’ve heard the jokes that auditors get paid by the page. I think it’s something in that mindset.

Mosi Platt (00:39:09):

And it’s not just in auditing, right? It’s even in security. So, security vulnerability scanners operated off the premise, that the more findings our scanner generates, the better our scanner is. So, I think it might be a security compliance thing practitioner issue that needs to be resolved.

John Verry (00:39:24):

Yeah. We’re all trying to justify our value proposition and that information that we provide is supposedly some measure. And if we stop measuring it based on the number of pages and we started measuring on the value to our business, we’d all be better off. I’ll be honest, I’m sitting here thinking to myself and I’m being critical of these external auditors, I’m thinking about our internal audit process and I’m thinking to myself, “I don’t think we’re doing as good a job as we could and should be doing.”

John Verry (00:39:52):

Now you have me thinking like, “Okay, how can we improve our internal audit process?” So, it’s so funny. You you’d appreciate this. One of the things we’re changing in our ISO 27001 process is we’re changing our scoping a lot more to arrive, not only at an actual plan at the end of that phase one concept that we have, but also to align that with some type of an information security strategy.

John Verry (00:40:14):

A set of principles that we’re building against that are aligned with the one, two, three-year goals of the organization. Like you said, we can move it from value preservation to value preservation, plus value creation.

John Verry (00:40:27):

So, now as we do that, that’s interesting, I thought of that and the way that it changes the way that we do like an ISO phase one, what we now call a vision exercise, vision and actual plan. But now it gets interesting is how will that concept change the internal audit process?

Mosi Platt (00:40:45):

Right. Yeah.

John Verry (00:40:48):

That’s really interesting, did we actually align the actions and inactions of the organization with the strategic plans that we developed? That’s a value, right? Because if we didn’t align with the strategic plans and we didn’t achieve everything in the actionable plan, and if it hasn’t forced the updates to the ISO 27001 objectives, then can we get to where we said we needed to get to in two years or three years?

Mosi Platt (00:41:12):

Right.

John Verry (00:41:14):

I hate talking to you. I always leave every meeting with you with a list of shit to do. I already have enough stuff to do.

Mosi Platt (00:41:24):

I’ve been on that side. Hey, I’ve issued the 93-page audit report and it’s not for an organization, it’s just for one system. I’ve done that.

John Verry (00:41:35):

Yeah. All right. So, what industry or what verticals do you think would benefit most from a continuous audit, continuous assurance style approach?

Mosi Platt (00:41:46):

Yeah. When you sent me the outline for the show, I thought about this question. And my first reaction was like, I think cloud native companies in any industry can benefit from it because I think they have the infrastructure in place to take advantage of it faster. But if I want to think about specific industries, there’s this report that goes out annually, the Edelman Trust Barometer, have you seen it?

John Verry (00:42:09):

I’ve heard of it, but I don’t know that I’ve ever actually looked at it.

Mosi Platt (00:42:12):

So, they measure trust in industries across the globe and the industries that had the lowest scores, well, one, 2021 was the first year where technology had a declining trust score. So, it’s the first time trust in technology went down, which goes to what we were talking about earlier.

Mosi Platt (00:42:27):

But the industries that had the three lowest trust scores are social media, financial services and fashion. I have no idea why fashion is not trusted. I don’t know if that’s from knockoffs or what happened. I don’t know. But obviously any industry that’s struggling with trust can benefit from it because the purpose of it is to build trust.

John Verry (00:42:44):

That’s a really good answer. Curious, you did a lot of work with us in the legal vertical.

Mosi Platt (00:42:52):

I did. The issue with legal, and it slams me to say this because I’m in media entertainment now and media entertainment has a similar problem, they are technology laggards.

Mosi Platt (00:43:04):

And so, that’s going to be their struggle. There’s a people and process component that we’ve talked about for continuous compliance, but there’s a big technology component to it also and they are going to struggle with that part of it. So, that’s the issue there.

John Verry (00:43:19):

Yeah. There is an interesting, so there’s the trust side, which I think is a very critical part of it and I thought your answer was great. I feel like there’s also the risk side, right? Because the greater risk you’re at, the more value there is to knowing that you’re doing the right things to mitigate that risk, logically. Like when I think of law firms, as an example, and I think of the insane levels of data that they have on highly sensitive topics, that’s why.

John Verry (00:43:44):

But I agree with you, even sitting here trying to envision putting a continuous auditing program in place in a law firm, I struggle to see a path to that where I see it intuitively in a technology organization, because they’re already in that agile methodology. They’ve already got these continuous processes. It’s a matter of trying to figure out how do we now take our expertise in developing continuous processes and extend it into a new area.

Mosi Platt (00:44:06):

Right. In Atlanta, there’s this lawyer who chairs the information security group for the Technology Association of Georgia. His name is Roy Hadley. And so, back when we would meet people in person, it was a, I guess it was the last ISACA Christmas party in 2019 and he and I were talking and I was just asking him about some of this stuff for law firms and he was like, “Come on, man. You know law firms.”

John Verry (00:44:34):

Yeah. The land where paper still exists as a digital media.

Mosi Platt (00:44:40):

Right. Because he’s been doing a lot of-

John Verry (00:44:43):

Healthcare, health doctor’s offices and law offices.

Mosi Platt (00:44:45):

Right. And you shouldn’t leave out hotels. Maybe they’re not as bad as they used to be, but I remember my first PCI audit for this management group for a bunch of hotels, and it didn’t even occur to me going in, “you’re going to have to account for the triplicate receipts for the credit card impressions.”

Mosi Platt (00:45:05):

“What?” There was a lot of paper in those hotels, receipts and data. But Roy does a lot of consulting for smart cities and he’s like, “I do this smart city work so I could be exposed to cutting edge tech. The law firm stuff doesn’t get me there.”

John Verry (00:45:21):

Yeah. So, you mentioned CSA and CSA is a great organization. We like a lot of the stuff that they do. So, you’re involved in the continuous STARs program? I know they recently released their continuous audit metrics catalog. Talk a little bit about STARs program, how that continuous audit metrics catalog plugs into that. And I know they have different levels, like on L1, L2, L3, but I don’t really understand how they work.

Mosi Platt (00:45:49):

Sure. Well, first thing I liked, I like the name. It’s talks about all the things we’ve talked about, Security, trust, assurance, and risk. That’s the STAR program and they have this public facing registry. So, it has-

John Verry (00:45:55):

That’s what it actually stands for?

Mosi Platt (00:46:03):

Yeah.

John Verry (00:46:03):

As long as I’ve known about the STARs program, I never knew that was what the acronym was. I love it. Security trust-

Mosi Platt (00:46:09):

Assurance, and risk.

John Verry (00:46:11):

… assurance, and risk. Really well done.

Mosi Platt (00:46:12):

Yeah. I loved the name because somebody thought that through. And then it’s a registered, right? So, it’s publicly accessible. It has transparency built into it. What they want to do is they have these different levels of assurance, level one, two and three. Level one is a self-assessment.

Mosi Platt (00:46:31):

So, any organization can assess itself against their cloud controls matrix and assert that this is our attestation of compliance with these controls, right? So, you fill out the questionnaire, you fill out the matrix and you post it in the registry or submit it to the registry where it gets reviewed by someone at the CSA who validates it and boom, now it’s publicly available.

Mosi Platt (00:46:52):

In theory, hopefully instead of competing a security questionnaire, a stakeholder can go there and see what you say. Level two is you get independently audited on what you say by a CPA firm or by ISO 27001 certification body and they will issue a report with an executive summary of whether or not you are actually doing what you say. And then it’s up to the organizations if they want to expose any of the detail audit reports.

Mosi Platt (00:47:24):

In interest of transparency, I’d love to see more organizations post their SOC 2 report in the STAR registry. CSA doesn’t advocate for that, but I would love to see that. Or see a company certified with ISO 27001 post their SOA in the STAR registry. I would love to see that. But that’s level two. And then level three is what’s being developed now.

Mosi Platt (00:47:48):

Level three is, instead of once a year or once a quarter if you’re a larger company like Microsoft, they do quarterly SOC 2 audits, every month you can update your STAR registry entry with an independent assessment. And so, that will require evidence. And so, they want the evidence to come from these, what they call continuous audit metrics.

Mosi Platt (00:48:12):

And so, an organization will develop metrics that they can be continuously audited against for a security program. An auditor will review those metrics and say, “Yeah, we think these metrics look good.” And then look at the data output by those metrics to determine whether or not they’re actually achieving the defined objectives.

John Verry (00:48:31):

Question for you. If you were layering CSA on top of 27001, would we logically make the continuous audit metrics that we’re going to report our security metrics from our ISO 27001 program and logically close the loop and make this simpler to execute? Because we’re already doing the security metrics, so why not do it that way?

Mosi Platt (00:48:55):

That’s what they should be. Yes.

John Verry (00:48:58):

That would be awesome.

Mosi Platt (00:49:00):

When I’m in these, I talk about clause nine, nine.one when I’m in the continuous audit working group. And even at STAR level three, I talk about that and ISO 27004. Like if you want to know how to develop good metrics, there’s an ISO standard for that that you can use.

John Verry (00:49:16):

That is interesting. Have you ever worked in FedRAMP? Would you consider like if somebody is listening and they’re familiar with the [conmon 00:49:25] concept of FedRAMP, same idea, right? Where we’re submitting some frequent reports to some body that’s responsible for our continuous assurance, continuous audit processes?

Mosi Platt (00:49:35):

When I was at Elastic, that was my first exposure to FedRAMP because when I was consulting at Pivot Point I refused to do FedRAMP work because I didn’t want those headaches.

John Verry (00:49:45):

I remember.

Mosi Platt (00:49:45):

It’s funny, when I left Pivot Point, the two things I refused to work on, FedRAMP and GDPR, were the first things I had to work on when I left Pivot Point. I had to work on GDPR at BetterCloud and then I went to Elastic, I had to work on FedRAMP. So, I had a good FedRAMP teacher at Elastic, this woman named Gail. 35 years of federal security experience. She has 800-53 memorized, both versions, four and five. I couldn’t believe it.

John Verry (00:50:15):

That’s saying something because if somebody’s listening, there’s like 325 controls at moderate.

Mosi Platt (00:50:22):

I couldn’t believe it. It was mind blowing. I thought I was impressive because I had memorized 27002 and 27001, but her memorizing 800-53 was next level.

John Verry (00:50:34):

Yeah, you don’t hold a candle to her at that point.

Mosi Platt (00:50:34):

It was next level impressive. But anyway, she taught me how to do continuous monitoring because we had to do it monthly and it was her job. And so, everyone at junior had to be cross-trained so she could take a vacation. I had to do it for one month and I think this continuous STAR level three, I think it gets at some of it there.

Mosi Platt (00:50:51):

I believe John DeMarie is in conversations with FedRAMP now about how to leverage STAR level three for FedRAMP, because there are some additional requirements that FedRAMP requires beyond just an independent auditor looking at some metrics. Like you’ve got to have POA&M updates and things like that that aren’t necessarily required-

John Verry (00:51:09):

Right. And you got the whole JAB, GSA, and there’s a little bit of a … you’ve got to make sure that if it went through that process, that it gets to them as well.

Mosi Platt (00:51:17):

Right.

John Verry (00:51:17):

They’re integral to that process. But conceptually, it’s the same idea.

Mosi Platt (00:51:22):

Yes.

John Verry (00:51:23):

So, we’re seeing principles of maybe not continuous, but more frequent, right? FedRAMP is kind of leaking us this way, StateRAMP is following FedRAMP. We saw, I think the executive order, it certainly spoke a lot to some ideas around sharing of incident data, which speaks to more frequent sharing. So, I think we’re getting to the world that you want to live in, but here’s my opinion, right? And I’m curious as to, if you agree.

John Verry (00:51:56):

The only thing that really changes most of our customers’ behavior change is a customer saying, “We’re no longer going to do business with you unless you do X. Unless you get ISO certified, unless you’re GDPR compliant, unless you’re SOC 2 attested.” In the industry, how far away are we from seeing people ask for, or even insist on some form of more continuous compliant assurance?

Mosi Platt (00:52:23):

Yeah, so I don’t think customers are going to be the driver only because they’re not the largest constituents. The largest constituents are the people. Right? Why does the federal government have continuous monitoring? Because there are 350 million people in this country.

Mosi Platt (00:52:38):

And their representatives determined this is the best way to have some assurance that the organizations the government is using are meeting some set standard. But in the B2B model, there’s far fewer corporations than there are people. And the largest companies that we have aren’t B2B companies, they’re B2C companies. So, they’re not going to have the same pressures. They’re not going to have customers demanding.

Mosi Platt (00:53:05):

Like they’re not going to have another corporation demanding that they do some continuous monitoring, right? Because like Apple doesn’t do business with other companies. Apple does business with you and me. Facebook doesn’t do business with other companies, that is not their biggest stakeholders. Their biggest stakeholders are their users.

John Verry (00:53:22):

All right. So, let me ask you a question though there because I’m not sure I agree with one assertion you’re making. The federal government is the customer of the people that are getting FedRAMP certified. So, the only reason people are getting FedRAMP certified is because the government makes them. Their customer made them. So, I don’t think that that’s a, there’s 350 million people. That’s not a B2C, that’s a B2B.

John Verry (00:53:42):

That’s the government forcing their providers to do that. To me, that’s the only way I ever see change. I shouldn’t say the only way, but people don’t wake up and find security is religion. Right? It’s like people realize they got to have security when somebody who gives them money says … now, you might be right.

John Verry (00:54:02):

But do you think that people … I just don’t see. As a group, we’d have to band together and we’d have to create some way that people that are all using Facebook would turn around and group together and say, “Facebook, we’re no longer going to use you unless you do X.” Do you think that’s realistic to think is going to happen?

Mosi Platt (00:54:21):

I think two things. One, for the government point, right? It’s not that the government is the only B2B relationships, but the government has 350 million stakeholders. That’s what gives them the scale to do what they do. It’s very few companies that have, the only companies that have that many customers are the B2C companies. They have that leverage. And those big companies, like the fan companies, they’re the ones that are going to drive change in tech at the very least, right?

John Verry (00:54:51):

Yeah. Like Microsoft, right? Microsoft, I think is one of the hardest companies to work for without having good attestation. Maybe we’re saying the same thing. You’re saying that companies that have a lot of stakeholders, constituents have the ability to drive change.

John Verry (00:55:05):

I’m saying the same thing that unless Microsoft and Oracle and Facebook and the US government are forcing the people that are service providers to them, cloud service providers, SaaS, things of that nature, to move towards continuous compliance, I think it’s not going to happen.

Mosi Platt (00:55:21):

See. I think those companies themselves actually need to move to it, right?

John Verry (00:55:25):

Yes, they’ll have to do it first.

Mosi Platt (00:55:27):

Exactly. And so, until they move, nobody else is going to do it. Even if they try to hold other companies accountable. Like Microsoft can ask its vendors to be 27701 certified all it wants to, it holds no weight if Microsoft wasn’t 27701 certified. It can actually talk to what it requires. So, I think it has to come from those organizations in order to do it. And I think it will happen.

Mosi Platt (00:55:49):

And it doesn’t take all of the constituents to band together. Because there’s so many of them, you just need 1%. Usually one loud minority of a user group. And I think also you need the government on your side. That’s the people’s leverage is they have a government that can say … people, when will people demand regulations? When they’ve had enough. And so, as the security breaches continue to mount, people get fed up.

Mosi Platt (00:56:13):

As the trust lowers, people get fed with their information causing them headaches. I think security drives change. I think in the future it would be, it’s not so much the money, like you said, trust is a lubricant and the trust will affect the money. If there’s not enough trust in the system for this system to do what the businesses need it to do, that’s what’s going to drive your change, I think. And I think that lubricant is drying out pretty quick.

John Verry (00:56:41):

I think that’s the tagline of this episode right there. This has been awesome and a lot of fun. Anything else we should discuss before we wrap?

Mosi Platt (00:56:53):

No, I didn’t have any other notes that I thought about on this topic. You’ve pretty much-

John Verry (00:56:58):

Exhausted you?

Mosi Platt (00:56:59):

Anything I have documented around my thoughts on this topic, your questions cover it. Anything left is just stuff that’s been in my head banging around and haven’t really formulated.

John Verry (00:57:09):

Yeah. Listen, I think you floated a couple things that really got me thinking. So, this has been a lot of fun. I like to have a little fun. Hopefully, you actually prepared for this question. Give me a fictional character or a real person you think would make an amazing or horrible CISO and why?

Mosi Platt (00:57:25):

This is the only question in your outline that stumped me because I couldn’t make between which fictional character, should it be a real person? Because there’re some real people I think would make good CISOs, but they haven’t really gotten a chance. So, that’s why I was debating. I’ll give you one of each. Fictional character, it would be, there’s a book I recommended to you that you didn’t like, Parable of the Sower.

Mosi Platt (00:57:48):

The main character, Lauren Olamina. In Netflix, that was the book of the month for August for the book club for the Black Employees in Netflix Resource Group. I re-read it and I think she would make a good CISO with qualifications.

Mosi Platt (00:58:06):

Like Gary McGraw, who retired from synopsis, did this study on the four types of CISOs and he said there’s the CISO that views security as a business problem, the CISO that views security as a technology problem, the CISO that views it as a compliance problem, and the CISO that views it as an incident management problem.

Mosi Platt (00:58:25):

And so, in the Parable of the Sower, the main character is this teenage girl, Lauren, who is trying to figure out how does she survive in society that is crumbling around her, right? And so, her father’s a pastor and so she creates her own religion because she sees her father’s religion is not preparing him for the future. And sure enough, her father gets killed and she has to survive.

Mosi Platt (00:58:47):

So, she creates her own religion to survive and she believes in adherence to this religion. So, I think she’d be a good compliance CISO because she was such a strong believer in the adherence of the religion she created.

Mosi Platt (00:58:59):

But she had the vision to create her own religion from scratch when the tools she had available weren’t suiting her. So, I think that would be a good CISO. Someone who could create their own compliance regime to serve their needs or the needs of their people.

John Verry (00:59:11):

Man, that almost covers that other … the first domain, I think you said that somebody who’s looking at it for the business, right?

Mosi Platt (00:59:16):

Right.

John Verry (00:59:17):

Because that’s like the overarching objective and what she’s trying to achieve. So, in my mind, the way you said it, she almost checks two of those boxes, right?

Mosi Platt (00:59:26):

I debated whether she be a business CISO, the only reason I made her compliance is because-

John Verry (00:59:29):

I think she’s compliance too. I think she’s both though. I think she’s got elements of both, right? She created the vision of what needed to happen to align with the objectives she was trying to achieve. And then she’s going to check the box and make sure that it actually occurs the way it’s supposed to.

Mosi Platt (00:59:42):

Here’s what led to me not calling her the business CISO instead of the compliance one, it’s because in the second book, she completely failed. And probably the reason she failed is because she was slavish to her ideology.

John Verry (00:59:58):

You already spoke to the fact that I didn’t like the book, so I never read the second one. I might’ve come to the same conclusion.

Mosi Platt (01:00:03):

That’s the reason, that’s why I was like, you know what, she’s a slave to that religion so she’s definitely more compliance over the business. Because she didn’t have that as thing scaled.

John Verry (01:00:13):

All right. Who is the fake, the fictitious character?

Mosi Platt (01:00:14):

So, she’s a fictitious character.

John Verry (01:00:15):

She’s a fictitious, who’s the real?

Mosi Platt (01:00:18):

The real person is actually a former client of yours, Curtis Smith from-

John Verry (01:00:23):

Curtis Smith? Yeah.

Mosi Platt (01:00:24):

… IgnitionOne. He was the security architect there. Now he’s a business information security officer for Home Depot.

John Verry (01:00:30):

Is he?

Mosi Platt (01:00:31):

Yeah.

John Verry (01:00:31):

I haven’t talked to Curtis, God that’s years ago.

Mosi Platt (01:00:36):

Yeah. I don’t know if he’s had-

John Verry (01:00:38):

We used to go to their office in New York City.

Mosi Platt (01:00:41):

Nice office.

John Verry (01:00:41):

Yeah, they had a beautiful office and we worked with the one guy in the information security guy and then the attorney as well, right? And that was always who-

Mosi Platt (01:00:48):

Yes.

John Verry (01:00:49):

Yeah. Yeah, they were good people.

Mosi Platt (01:00:50):

Yeah. He just bought his own firm now.

John Verry (01:00:51):

Did he?

Mosi Platt (01:00:51):

Yeah.

John Verry (01:00:54):

And who’s the other guy’s name?

Mosi Platt (01:00:56):

Curtis? His name was also Craig.

John Verry (01:00:59):

Craig.

Mosi Platt (01:01:00):

Can’t remember Craig’s last name right now.

John Verry (01:01:01):

Yeah. I can’t remember Craig’s last name either. Do you know what happened to Craig?

Mosi Platt (01:01:04):

I think he got bought out for IgnitionOne.

John Verry (01:01:09):

Good. He was a nice guy.

Mosi Platt (01:01:11):

Yeah. He was the first person who told me about Sonos.

John Verry (01:01:12):

Oh yeah.

Mosi Platt (01:01:15):

So yeah, now I have Sonos devices, but back then it was just a dream before he told me about it. But great. I don’t know if you had any BISOs on the podcast.

John Verry (01:01:22):

Mm-mm (negative).

Mosi Platt (01:01:23):

But yeah, I think he would make a great CISO. He’s one of the few people I’ve talked to who have the technical chops and the business understanding. We were talking of how rare it is to find those people, like compliance professionals. He has it. He’s one of the few people who has it. I think if he could apply that as a CISO, he would be pretty good.

John Verry (01:01:45):

Yeah. I had a guy on the podcast, one of the early podcasts, Derek Han. He heads up an MSP, VelocIT. And I talk with him about the difference between like a CIO and CTO and the dangers of letting your MSP be your CIO, a defacto CIO. And you would love some of the things that he said in that podcast because they echo and build on, in a much more elegant way than I could ever.

John Verry (01:02:11):

He’s really well-spoken. But he spoke to why most CIO’s, and it applied directly to CISOs, are not who they should be and how important the business component is versus the technology component. He even goes so far as to deemphasize to a very significant level the ability to be a practitioner versus … and his belief is the more that you are vested in the business objectives, and then you’re looking at IT as a way of fulfilling them.

John Verry (01:02:42):

And I think to an extent, that’s what you’re referring to with Curtis, right? He’s got this idea. Now he has the added advantage and he’s got the technology chops to know when his team is bullshitting him.

Mosi Platt (01:02:51):

Right. Right.

John Verry (01:02:51):

But same idea.

Mosi Platt (01:02:53):

And it’s funny because now if you talk to Curtis, Curtis is like, “I don’t want my hands on the keyboard.” He’s like, “That’s not what I’m here for. That’s not what’s going to make me successful. We need to get my hands off the keyboard if we’re going to be successful.” So yeah, he’s gone with the way that your other guest was talking to.

John Verry (01:03:06):

Well, sir, it looks like it’s time to wrap. If somebody wanted to get in touch with you, what would be the best way to do that?

Mosi Platt (01:03:13):

Best way is LinkedIn. So, M-O-S-I, first name, last name, Platt, P-L-A-T-T. You search me on LinkedIn. I actually respond to most messages on LinkedIn.

John Verry (01:03:22):

Are you the only Mosi Platt on LinkedIn?

Mosi Platt (01:03:25):

That’s a good question. I don’t know.

John Verry (01:03:27):

Because it’s funny, because I have an unusual name. John Verry is not a very common name and there is another John Verry on LinkedIn. Actually, the comical thing is that he’s a risk management guy from Australia and I’ve had people confuse me with, “Oh yeah, you spoke at this big event in Australia on risk. I remember hearing you speak.” And I’m like, “That wasn’t me.”

Mosi Platt (01:03:56):

That’s funny. I think I am. But if not, it’s Mosi-K-Platt, that’s my LinkedIn URL.

John Verry (01:04:01):

Well, listen, I’m jealous that you have a unique name and I don’t. Just one more thing I’m jealous about you, sir. Listen, this has been awesome. Thank you.

Mosi Platt (01:04:11):

Thank you, John.

Narrator (01:04:11):

Narrator: You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.