EP#26 – Rich Stever – How to Optimize Your ISMS

When ISO 27001 is optimized for speed, it’s an amazingly effective and efficient way to manage security and compliance.

Today’s guest is one of our most seasoned ISO experts in both client-facing and training roles. 

In this episode, I interview Rich Stever, IT Security Auditor at Pivot Point Security, about key artifacts for optimizing your ISMS.

What we talked about:

• Key artifacts of the ISMS, including security management policy
• Objectives during your ISMS refresh
• Privacy, ISO 27701 extensions, and all about the Information Security Management Committee
• Poe Dameron (yes, the Star Wars pilot)

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (00:00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:00:25):

Hey there, and welcome to yet another episode of the Virtual CISO Podcast. I’m your host John Verry. And with me as always the Coke to my rum. Perhaps that should be a Coke Zero to my rum, Jeremy Sporn. Hey, Jeremy.

Jeremy Sporn (00:00:41):

Wow, are you worried about your figure right now, John? Is that what I’m hearing?

John Verry (00:00:45):

No. I was just referring to how much you bring to the show.

Jeremy Sporn (00:00:51):

Wow, that went right over my head. That sucks because that was a pretty good joke and it would have been great if I had a witty comeback, but I just thought you were worried about your health.

John Verry (00:01:01):

That’s why I never prepare you for my comeback [crosstalk 00:01:04]. So, what do you think my conversation with Rich?

Jeremy Sporn (00:01:06):

So, being that Rich is one of the most seasoned ISO 27001 experts on our team, his insights on how to optimize an ISMS are really invaluable. Not only is he doing this exact work for clients right now, but he trains his team to do it as well. And as any good teacher knows, you really don’t know a concept or really grasp it until you can teach it, and this is what Rich does every day.

John Verry (00:01:33):

Yeah, I think that everyday thing is really a lot of it. If you think about it, him and his team work in 100 plus ISO 27001 Information Security Management Systems each year. So, I think they really do get a sense of what works and what doesn’t work.

Jeremy Sporn (00:01:49):

Agreed. And for everyone listening, I actually sit on Pivot Points Security’s Information Security Management Committee, and I found it really helpful to have Rich’s perspective on just the most specific examples that you guys went through like deciding to bring in a new tool vendor, hearing guys talk about the methodology of how to think through that, how a change is really risk, and how to ensure that that risk is recognized, documented, analyzed, and communicated. It felt like I’m going to be a more effective member of our own ISMC.

John Verry (00:02:23):

That’s good because I’m not sure you could be less effective. ISMS zero, ISMS zero is the prevailing thought of this podcast.

Jeremy Sporn (00:02:35):

Man, you’re on fire today. All right.

John Verry (00:02:38):

That’s because it’s 98 degrees and I’m somehow sitting outside.

Jeremy Sporn (00:02:41):

Well, we all make questionable decisions like putting me on the ISMC. It was a questionable one of yours. So, if you’re interested in properly managing and optimizing an ISO 27001 ISMS, this is the episode for you. When ISO 27001 is optimized, it is an amazingly effective and efficient way to manage security and compliance. Listening to gain those key insights to truly optimize your ISMS.

John Verry (00:03:09):

Well, said. With that, let’s get to the show.

John Verry (00:03:15):

Mr. Stever, how are you today?

Rich Stever (00:03:17):

I’m great and yourself.

John Verry (00:03:19):

I’m chatting with you so that the day is going in a bad direction, but I’m hoping you’re going to step up to the plate here today.

Rich Stever (00:03:27):

What, a Friday afternoon with me, what couldn’t be better?

John Verry (00:03:33):

Thanks for coming on. Looking forward to this conversation. So, let’s start super simple. Tell us a little bit about who you are and what it is that you do.

Rich Stever (00:03:41):

Rich Stever, [DOC 00:03:42] practice lead here at Pivot Point Security. Been with Pivot Point coming up on eight wonderful years as John would say. Lead a team of eight professionals in the implementation and advisory services through ISO 27001, 27701, SOC 2, [crosstalk 00:04:01]-

John Verry (00:04:01):

FedRAMP [crosstalk 00:04:02]-

Rich Stever (00:04:02):

Yeah, yeah.

John Verry (00:04:04):

The list goes on for [inaudible 00:04:05]. We don’t have enough time for you to list all the crap that you got to deal with. And specifically today, why I asked you to come on was talking about your favorite subject, ISO 27001 and some of the cool stuff there. But before we get to the meat of the discussion that we always like to start off with a question that I usually ask, and I probably don’t need to ask you. What is your drink of choice? Should I answer it for you? Because I happen to know your drink of choice.

Rich Stever (00:04:30):

You could try. Let’s see, what do you got?

John Verry (00:04:33):

Bourbon. Is it Bourbon?

Rich Stever (00:04:35):

Oh, well-

John Verry (00:04:35):

It’s our drink of choice.

Rich Stever (00:04:38):

Well, that’s a drink of choice. I’m not sold on just one, but we’re in the summer months. So, being down the beach a lot I tend to go to the vodka tonic, gin and tonics.

John Verry (00:04:49):

[crosstalk 00:04:49]. Are you sure you don’t get both? Are you sure you don’t do vodka and gin? [crosstalk 00:04:53].

Rich Stever (00:04:52):

Not on the same day.

John Verry (00:04:55):

Not on the same glass?

Rich Stever (00:04:57):

Yeah.

John Verry (00:04:57):

You know what? With the summertime, it is funny. I agree with you because I’m a stout drinker. I’m a bourbon drinker, red wine are my three go twos. And then though summer at 95 degrees none of those are great drinks.

Rich Stever (00:05:09):

Exactly.

John Verry (00:05:09):

So, what I started doing it, and I don’t know if it’s a real drink or not, I kind of mimicked it off of something I bought in a can is I’ve started to take green tea, unsweetened green tea, put a shit load of lemon into it. And then I’ll get a honey bourbon and a ton of ice, and it’s delicious and refreshing. So, I’ll give you that as a hint. Try that the next time you’re out on the deck down the beach there.

Rich Stever (00:05:35):

I will.

John Verry (00:05:37):

All right, so let’s get to the important stuff. So, what would you say are some of the biggest challenges you see with organizations, and I’ll use the term growing into the 27001 ISMS. So, they get it built, and now it’s time to start using it. Where do you see people struggle?

Rich Stever (00:05:53):

A lot of times we see people struggling in just understanding the ISMS and itself. Understanding who needs to be involved, staffing it, operationalizing it. A lot of times they don’t have the direction that they need to sustain it. I don’t know if there’s anything else that would come into play there. A lot of times they get audit fatigue, we’ll call it. You go through the internal audit, and then the next two or three months you’re going through your stage one and stage two, and it’s celebration time. And then they tend to forget it for the next nine months. So then the next three months you’re playing catch up. So, a lot of times that happens. A lot of times reorganization. You have implementation team, your project team, and a lot of times those folks move on, and they don’t leave the necessary artifacts and pieces in place for somebody to come in and pick it up without a challenge.

John Verry (00:06:49):

Yeah. So, I like what you just said. So maybe that’s a good place to start. So ISO is a group of artifacts, documents, processes, all of those really. And I think you’re right. I think sometimes people don’t realize how the pieces fit together. The scope, the statement of applicability, risk methodology, risk… Why don’t you talk a little bit about the key artifacts, and how they should be thinking about how they connect to each other?

Rich Stever (00:07:15):

So, when you’re implementing an ISMS, building an ISMS, you’re starting out with your scope. You got to understand your scope. What’s the context of your organization? What’s the background of the information? What are some of the issues that are affecting the organization and one pursuing the ISO certification and maintaining or implementing an ISMS and building an ISMS, but also understanding the scope of their certification, and the scope of their services. A lot of times we drive our clients to start small. Don’t cover the entire organization. You don’t have to cover the entire organization. Your financial systems, your HR systems, they don’t have to be in the scope of your certification. You want to rely on your client specific services, one particular business unit. What’s key? What’s critical data to you as an organization?

John Verry (00:08:03):

Right. So, with a lot of our clients, I think the driver to them getting ISO certified is a client ask them, “Hey, prove to me that you’re handling my data secure.”

Rich Stever (00:08:14):

Yes.

John Verry (00:08:15):

So, are you saying that the scope of the ISMS tends to be with most clients focused on the scope of the client information that they’re processing for somebody else?

Rich Stever (00:08:26):

Yes, yes.

John Verry (00:08:27):

Okay. So, that’s how that keeps that smaller?

Rich Stever (00:08:30):

Mm-hmm (affirmative).

John Verry (00:08:30):

Okay, cool.

Rich Stever (00:08:31):

Yeah.

John Verry (00:08:32):

Gotcha. We have the scope statement. What are the other pieces, and how should someone logically link them in their brain?

Rich Stever (00:08:37):

So, within scope, now we’ve got what particular assets, what particular business unit, what particular applications are in scope. We move on to understanding risk. What are your risks to the organization? What are the risks of those assets? What are the risks to those business units? Understanding risk, assess risk. You do that through some sort of control maturity, evaluation to understand, okay, what are my remediation steps going to be to fix those risk that are deemed at that acceptable level or that tiered level that we need to take action on.

Rich Stever (00:09:08):

Building that out, you’re going to start then remediating. You’re going to put your controls in place, your technical controls, your policies, your procedures, implement some sort of awareness functionality, awareness program, socialize, and after that you’re going to move into monitoring. Okay, monitoring, and managing it. With that, you’re going to do some sort of pre… We’ll call it a pre internal audit or not pre internal audit, but an internal audit. Understand exactly where you sit today versus what the certification bodies are going to come in and look at as well.

John Verry (00:09:42):

Gotcha. But let’s get back to how do those things kind of like in your brain fit together? So, you talked about the fact that we were doing a control maturity assessment. How does a control maturity assessment relate to, let’s say, the risk assessment? Or how does the risk assessment relate to the statement of applicability? How do the pieces kind of… In a perfect world, they’d kind of come together like this, right?

Rich Stever (00:10:04):

Correct.

John Verry (00:10:06):

So, talk about that.

Rich Stever (00:10:08):

So, within your risk assessment, you’re evaluating the controls that you have in place today for this particular risk. What do you have in place that lowers that risk to an acceptable level for you? If you don’t have the controls in place, that’s where you take remediation steps on. So, with that we’re using what is defined and given to you and the standard itself is Annex A controls. We’re utilizing that, those list of controls, 114 controls to understand, okay, these are the controls that we are going to either mark as applicable in scope or out of scope based off the organization. So evaluating them as part of the risk assessment, we understand, okay, well, our access control reviews are nil. We’re not doing anything. So we know we need to put a process in place to do that. As part of the risk assessment, we’re going to identify that as your treatment, and your remediation.

John Verry (00:11:03):

Gotcha.

Rich Stever (00:11:03):

So that’ll higher your level of implementation as we go through the remediation activities.

John Verry (00:11:09):

Okay. So, the scope statement, and I’m going to oversimplify here and correct me if you think I’m off here. So the scope statement basically tells someone what we’re protecting, why we’re protecting, and what we’re protecting it from. And what systems, people, processes, assets are integral to delivering that service.

Rich Stever (00:11:29):

Correct.

John Verry (00:11:29):

Okay. Then you’re going to do the risk assessment to assess the risk to that information within that scope. So, that creates the boundaries for the scope… For the risk assessment effectively.

Rich Stever (00:11:41):

Mm-hmm (affirmative). Yeah.

John Verry (00:11:43):

Okay. And then the statement of applicability is the output effectively from the risk assessment. The risk assessment says you need to implement these controls, so we know which ones we need, which ones we don’t, and then I guess the risk assessment, and I don’t know… It isn’t necessarily in the statement of applicability also gives us a sense of how mature or how robust the controls need to be.

Rich Stever (00:12:06):

Yes.

John Verry (00:12:07):

Okay. Cool. So, we covered some of the key artifacts there, Rich. We talked about scope, statement, we talked about statement of applicability. We talked about risk assessment, risk methodology, any other key artifacts that someone needs to understand the relation to be able to visualize the ISMS well?

Rich Stever (00:12:27):

One key piece that you don’t want to avoid is not having an information security policy or a information security management policy. Typically, we see a lot of our clients they include their particular security objectives. Within that policy, proving to their clients of what they’re actually going to protect. What their objectives are, what their goals are. And within those goals and objectives, we evaluate those. We add those to the information security management metrics, or information managed system metrics. A way to show that they’re measurable, we’re accomplishing certain activities. We’re monitoring certain activities. One being third party risk management. We’re doing our due diligence. We’re evaluating our vendors on an annual basis. Another topic of conversation around those metrics is business continuity. We’re doing an annual test, business continuity test, tabletop exercise, to make sure that our policies, our procedures, our guidelines are all intact and being followed.

John Verry (00:13:22):

Gotcha. So, if I’m building an ISMS, and maybe it’s not year one because I think in year one very often people use more generic objectives. But if we’re getting to a better ISMS what am I using to set those objectives? Are those objective static, and they never change? Are those objectives… What am I using to figure out what my objective should be as I’m refreshing my ISMS?

Rich Stever (00:13:46):

Those objectives could should be coming from a number of different sources. One being your management committee for the ISMS, who’s managing it. Others could be clients. A lot of times we roll these back to interested parties that you have to identify. Who’s your interested parties in your ISMS? Who’s providing feedback that the information security management system committee should be taking into account? Understanding, okay, maybe we need to go move… Maybe we need to stop using colos maybe move into the cloud. What is our objective this year? Is that going to be a goal of ours to accomplish that? Are we now seeing different response or different commitments from clients or obligations that we need to adhere to?

John Verry (00:14:26):

Gotcha. Obviously, so realistically, that’s how the scope… As our scope changes, right? So, as an example, like you talked about a different commitment from a client. That might be that they’re suddenly giving you personal information? Or maybe there’s an external change like a CCPA comes into play. Would that be something that you typically see reflected in somebody’s security objectives for the year?

Rich Stever (00:14:51):

Yes.

John Verry (00:14:51):

Okay.

Rich Stever (00:14:51):

Yes, yeah. And even within the scope. Scope is going to drive change, change is going to drive risk, risk is going to drive your objectives and your metrics to change.

John Verry (00:15:00):

I like that.

Rich Stever (00:15:01):

Let your ISMS, live your ISMS. Let it drive your processes. Let it drive your yearly activities [crosstalk 00:15:09].

John Verry (00:15:09):

Okay, cool. So, I like what you just said. I think you’ve just painted the picture of how stuff connects together, right? So, you said that the context changes. So new requirements, new laws and regulations, new threats, things of that nature. That gets populated in my scope statement. Those as my scope change, you said change equals risk. So that means my risk assessment needs to be updated to reflect that risk.

Rich Stever (00:15:38):

Correct.

John Verry (00:15:39):

Okay. Then you said, then I will update my objectives. So, my objective is to reduce risk. So my objective should reflect my goal to reduce those risks. And then you would update the security objectives to match to… Excuse me, update the security metrics to reflect those security objectives.

Rich Stever (00:16:00):

To reflect the security objectives where measurable. Where they can be measurable.

John Verry (00:16:02):

Gotcha. So give me an example where something like that might happen. Kind of give me a logical flow through of a change that you might see in a management system, and how there’s a contextual change, it goes through the scope, it gets populated in the risk, what the objective might be, and maybe what a security metric might be associated with that.

Rich Stever (00:16:22):

Let’s see, one example. I think you brought it out earlier is the PII, CCPA. An organization is going to have to be compliant with CCPA. So, one state, one they weren’t doing business in California, or they didn’t have California residents. Now they have data on California individuals. So, you want to identify that as part of your scope. Not as part of your scope statement, but in within your scope it’s an internal external issue. There might be legal regulatory compliance that you need to adhere to now. So you’re going to be updating your scope statement. So now once we move… We take the natural flow, okay, now what are the new risks that are involved?

Rich Stever (00:17:02):

Well, before it was just client data. We didn’t know if it was PII or PHI or just plain text data. Now we’ve got a particular subset of PII that we need to protect. So we’re going to evaluate the risk around that PII specifically. So, with that we’re going to do our due diligence, our control evaluation. Do we have the necessary technical controls, policies, procedures in place to address PII, awareness training around PII for our employees. We move that as we progress through we’re making sure that our objectives now. Our objective this year is to make sure that we’re CCPA compliant. So, how do we do that within… How are we measuring that as an organization?

Rich Stever (00:17:46):

One, we’re making sure that all of our policies and procedures are up to date as part of a metric. That’s a measurable objective. And two, we’re making sure that any activities that need to come out of PII testing, whether it be vulnerability assessment, pentesting audits, compliance audits are being done, and we’re measuring them as well as a measurable artifact.

John Verry (00:18:06):

Gotcha. Another one might be third party DPAs, right?

Rich Stever (00:18:10):

Yes.

John Verry (00:18:10):

So making sure that as we realize, as we go through a data mapping exercise, we realized that our data is in multiple third party’s hands kind of verifying their security posture, verifying their privacy practices. That’d be another example of a logical security metric that’d be associated with that.

John Verry (00:18:30):

Okay, cool. That makes total sense to me. And hopefully, it makes total sense to people that are listening. So right now we’re seeing this work from home and near prior to work from home. We’ve seen a tremendous move to the cloud. With the same logical constructs that we’re talking about as an organization, let’s say moves from all on-prem or all colo. You mentioned colo transition to VPC or something of that nature. Same issues there. And does that follow the same logical flow and what are some of the things we’re seeing there?

Rich Stever (00:19:00):

Yeah. Of course, it follows the logical same issues there. One, you’re just adding in a different layer of now your third party vendors become a crucial piece of your ISMS. So, a lot more focus is going to be put into those areas and making sure that you have the proper structure in place and program in place around your supplier management. So, there’s no difference. We don’t consider it any difference being on-prem or in the cloud. It’s a matter of where the risk involved and who’s addressing them, who’s involved, or who are the interested parties.

John Verry (00:19:34):

Gotcha.

Rich Stever (00:19:34):

Who were the vendors that need to be evaluated.

John Verry (00:19:37):

Yeah, I like that, it’s funny. I mean, I always come back whenever I have a conversation with a client about this, that matrix that Microsoft put out years ago, the shared responsibility matrix. I think that’s an interesting way to look at that migration. So, if I had an on-prem system that was like a software application. That was probably accessing healthcare claims, and I move that to the cloud. Really what I’m doing is I’m moving some of the responsibility for the controls that used to be ours to somebody else’s, and keeping a certain percentage. Even if it’s a SaaS app where I still own stuff like user authentication, user authorization, I still have to be reflected in my HR practices around that, right?

Rich Stever (00:20:27):

Correct.

John Verry (00:20:27):

And then what I just need to do is step… So, that would be a good example where-

Rich Stever (00:20:31):

You’re more worried about your uptime with that vendor. Whoever, AWS, Azure, keeping the lights on at that point.

John Verry (00:20:40):

All right. So let’s take that through. And this is something you and I have talked about in the past. The difference between getting people to think about a risk assessment as being a risk register. So, right now you and I, let’s say we’re at Pivot Point, and we’re in the process of potentially moving a system to the cloud. So how does that work? What should I be thinking about? So, let’s take that through the ISO process. So, what’s the first thing I should do? How might that propagate through my ISMS? And then next year when I come back to go through my surveillance audit, how might… What documents are going to need to be changed to reflect that?

Rich Stever (00:21:16):

So, as we make the adjustment, or prior to?

John Verry (00:21:21):

Yeah, all of it. Like you and I right now. If I said to you, hey, let’s do something real. So, if I said to you right now, “Hey, why don’t we use a third party GRC application to run our ISMS internal audits for the 100 or so clients we do every year?” So, if I came to you, and if you were running the ISMS at Pivot Point, and I said to you, should we consider that? Where would the first place that the evidence that we’re thinking about that go?

Rich Stever (00:21:52):

I think the first place it would go to the committee. As part of your ISMS, you’re required to have established a management committee who are to meet at frequent intervals. It’s not stated how many times per year. It’s not stated how often. As we see in new implementations in first and second year, certifications are going, we feel that it’s best to meet regularly, in between nine to 10 times per year almost. And then as you get your ISMS running, and it’s like a well oiled machine, you can cut it down to quarterly. An annual… waiting for 12 months to have one meeting to cover everything you did in a year. You’re not getting much value out of that because you’re not having the conversations you should be having or those conversations are already happening elsewhere, and you may not be involved in them or have insight.

John Verry (00:22:49):

Agreed.

Rich Stever (00:22:50):

I think it’s one of those things that needs to be taken to the information security management committee up for discussion. Is this a viable option? Okay, well, let’s do our due diligence. Who are the vendors that we’re going to do? So, you actually adopt your procurement, your project management style to get an evaluation period going. Like does this make sense? Is there a return on investment for doing that? If the decision is made to do that, okay, well, what’s the risk? Is there a risk to moving to… So, you can do-

John Verry (00:23:25):

So, that would go… that would flow into the risk assessment. At that point that would flow into the risk assessment.

Rich Stever (00:23:29):

You could do a software assessment saying, “Okay, what are the risks? What are the some of the changes? What are some of the control? What are some of our controls? Where are we going to lose? Or where are we going to gain an advantage?”

John Verry (00:23:41):

Right. And in our case, I mean, obviously, one of the first questions we would ask is, is this what we consider ours, like ISMS’s focus on “client confidential data.”

Rich Stever (00:23:50):

Yeah.

John Verry (00:23:50):

Right. So I guess one of the things would be is if it didn’t touch client confidential data, which of course it will with an ISMS internal audit. But if it didn’t, hey, who cares? Then it’s just a business decision. It really doesn’t have to flow through the ISMS’s processes, right?

Rich Stever (00:24:04):

No.

John Verry (00:24:05):

Okay.

Rich Stever (00:24:05):

We will be utilizing it to store client data, client artifacts, client records. We would have to do some sort of pre-risk assessment, pre-risk evaluation. And then take that back to the committee. Here’s what we suggest, recommend.

John Verry (00:24:21):

Right. Question for you, so in most of our clients, would you say that the is ISMS committee and the risk management committee are the same?

Rich Stever (00:24:30):

Majority of the time they are.

John Verry (00:24:31):

Okay.

Rich Stever (00:24:32):

Yeah.

John Verry (00:24:32):

So that’s why you take it to the ISMS committee because you want to make sure that the risk component is considered.

Rich Stever (00:24:38):

Correct.

John Verry (00:24:38):

Okay. All right. So, we go to the ISMS committee, they drive it through a risk process. Let’s say that we agree that the risk is reasonable, but we still have some risk mitigation. So that gets driven through the risk treatment plan.

Rich Stever (00:24:54):

Correct.

John Verry (00:24:54):

Okay. Where else does it go from there? Where else does it… So, if you think about like an ISMS, and this will help people figure how things connect together. So, let’s say we agree that we’re going to migrate to this third party cloud application. What are the documents need to be updated, and what are the some of the other logical activities that might happen at that point?

Rich Stever (00:25:12):

Well, you want to take a look and see where you want to start. Are we going to make the change midstream? Are we going to make the change post-audit or certification? A lot of times within the risk assessment, within that risk evaluation, you’re going to understand what controls are going to be evaluated and analyzed. With that those controls are associated with policies and procedures. So, you already have your outline of, or laundry list, we’ll call it of policies and procedures that need to be updated within your technical control areas, we’ll call them. So, you’re dealing with access controls. Now, you’ve got to add context into that access control policy around the cloud provider. It’s just not on-prem. It’s not in your server that you’re managing. You’ve got to worry about, okay, how are we getting access into the… How are going to grant access? How are we going to revoke access, and what are we going to do for reviews? You have to understand all that logic. With that now, okay, we’re coming up on preparing for our certification order or surveillance audit.

Rich Stever (00:26:15):

Some of the key documents that obviously are going to have to be this new change is going to be reflected in, one is your scope statement. You’ve got to ensure that yes, we’re identifying issues, our interested parties is going to change. Our context that changes of what our scope of the certification is. Before we were on-prem, now we’re going into the cloud. So it doesn’t change the way we’re managing the ISMS, it just changes where the data is being stored. Or being stored in… We’re storing it in our on-prem applications, and this and the on-site, and the cloud based GRC application. We’ve got to identify, and understand the risks to managing both now.

John Verry (00:27:01):

Do you think there would be… Would there be changes to the SOA? Is that yes, no, possibly, it depends?

Rich Stever (00:27:08):

Changes to the SOA, it’s not going to hurt you. There are certain improvements you can make within your SOA to identify and to associate the controls to each solution we’ll call them, to the on-prem solution [crosstalk 00:27:28], to the cloud based solution.

John Verry (00:27:29):

Yeah, I wasn’t sure where you were going with that. Now I see it.

Rich Stever (00:27:32):

You can carve out your SOA in a number of different ways that benefit your organization. So, that this way you are coming in or the individual managing the ISMS wins the lottery, they move on from the organization. New head of security comes in or new ISMS chairperson comes in. The SOA helps an individual stand, okay, what controls are in place? So if I have it tied to on-prem or hosted, and hosted applications or hosted solutions, it’s easier to understand, okay, what controls apply to each of them.

John Verry (00:28:12):

Oh, I like that. So, it’s funny because that’s not… I love asking questions when I get a different answer than I thought of. And I always laugh about this, and I always think to myself, did I just learn something? Was I not thinking about something I should be thinking about? Because I was thinking more of did something which was applicable, become not applicable or did something that was not applicable come applicable? You took it in a different direction and actually in a way I like it better where you said that… I think you said that what we’re doing is that much the same way like sometimes on a good SOA, you explain why a control is relevant.

Rich Stever (00:28:50):

Correct.

John Verry (00:28:51):

So, what you’re [crosstalk 00:28:52]-

Rich Stever (00:28:52):

What’s the level of implementation and why is it implemented? Think about it this way, our ISMS, when we decided to move the internal audit to the cloud, to a SaaS operation, we never talked about all client data being moved. We just talked about audit data. So, as part of our projects and our implementations, we’re still holding records. We’re still delivering services that are stored on our on-prem solutions. So, that’s still part of the scope. We just ended our scope. So, in the SOA we’re showing that association as well. Think about it as, another logical way to look at it is if a client has a certification or ISO certification has multiple sites involved, and sites, I mean, you have the headquarters and you have remote offices. Looking at your SOA, you can divide or identify within the SOA what controls are applicable to those specific locations. HR is going to be a centralized one run out of headquarters typically. It’s not going to be… You’re not going to evaluate those controls at the satellite sites. Showing that differentiation helps your auditors understand what they’re evaluating.

John Verry (00:30:07):

Yeah, you just answered my next question. I was going to… I was exactly thinking that. And that’s one of the things that I don’t think we think about enough. And that’s the same with the scope statement as well, right? I mean, a great scope statement is something which is leveraged internally by the people that are responsible to protect it. And it’s leveraged externally by the auditor to understand how to apply the finite audit resources that they have. ISO audits can’t be just incredibly extensive, right? There’s a limitation. And it allows them to focus their audit on those places where it’s going to provide the most value, and provide the most assurance to the third party getting this certificate, right?

Rich Stever (00:30:47):

Yeah, and you bring up a good thing. You bring up a good point with third parties. So, a lot of times when third parties are looking at a particular client, they’ll ask for their ISO certification, right? They’re asking for the ISO certification. A lot of times they’re just being handed the certificate. Well, how do what controls are in play? How do what controls are applicable? What’s the scope? So, I always guide some clients if they ever have to ask for attestation that they have an ISO certification, here’s some of the documents you want to be asking for as well, the statement of applicability. You have a site, and they may have a site listed in scope, but no physical controls in play. Does that make sense? Or they’re excluding certain amount of controls, but are those controls critical to the partnership that you’re trying to establish with them?

John Verry (00:31:39):

Yeah, I think the biggest one-

Rich Stever (00:31:41):

Another one is the scope statement. Is the scope statement up to date, is it valid? So, it’s usually, ask for the scope, the SOA, and the certificate.

John Verry (00:31:50):

Yeah, I like that. And what I was going to say is that I think on the SOA, the one that would worry me the most and where I think where what you’re saying is a strong argument is the 14 stuff around the application development because it’s amazing to me how often people carve out that. Although we don’t do… But they meaning full blown application development. But yet we all like a lot of solutions have some level of software involved in them.

Rich Stever (00:32:17):

Correct.

John Verry (00:32:17):

So, you’re working with a third party like Pivot Point Security. They’re using a tool to generate a risk assessment, and you look at their certificate… You look at their statement certificate, and it says that and you’re like, “Okay, that’s good.” But you look at the statement of applicability, and a lot of the Annex A.14 controls are out of scope-

Rich Stever (00:32:36):

Is excluded, yeah.

John Verry (00:32:38):

You have to be worried about that, right?

Rich Stever (00:32:39):

Yeah, and that drives questions. Improves your third party, your vendor due diligence, you’re understanding exactly who you’re working with.

John Verry (00:32:49):

Gotcha. Cool. All right. So, I think we did a good job of helping people… I hope we did a good job. I should be less self congratulatory. I’m wonderful. I taught you everything.

Rich Stever (00:33:07):

Oh, yeah.

John Verry (00:33:07):

So, but I do think we did a good job of connecting the main artifacts of ISO, and kind of helping people understand, is as context changes, it changes risk. As risk changes, it changes controls, and as controls change we need to tune and adjust appropriately, which of course changes context again in the statement of applicability again. It’s a big circle, right?

Rich Stever (00:33:28):

Yes.

John Verry (00:33:28):

And if you go back to the previous version of ISO, and it’s [crosstalk 00:33:31], PDCA, right?

Rich Stever (00:33:32):

Yeah.

John Verry (00:33:33):

Plan, do, check, act. Okay.

Rich Stever (00:33:34):

Still see it out there.

John Verry (00:33:36):

Yeah, you do. You can always tell how long someone’s been ISO certified when you see a PDCA reference.

Rich Stever (00:33:41):

Yeah.

John Verry (00:33:42):

All right. So, quick question for you. So one of the areas that… So, some folks listening to this are on the technical side, and they’re responsibly implementing control, running the ISMS. But some of the folks are going to be CFOs, COOs, people of that nature. So, ISO is about managing risk, and it’s about “top management” being integral to that process, governing and resourcing it. What are some of the things that you see there? So, if somebody’s listening who’s top management, but not the people that are implementing the ISMS, what’s their role? And what should they be doing?

Rich Stever (00:34:19):

Their role is they should be asking the questions. What is our security objectives? They should be attending those meetings when possible because there’s a lot of decisions that are made. There’s a lot of discussions going on. It shouldn’t just be limited to two, three individuals based off the size of organization, of course, but they should be asking for the reports. Sid we meet our objectives? Looking for those one, three, five year plans of our goals from a point of security. Where do we want to be? Okay, we’ve got ISO certification, what’s the next step? What are we doing? How are we evaluating ourselves outside of these certification audits?

John Verry (00:35:02):

So, we talked about that top management has this responsibility, if you will, to validate the effectiveness of the ISMS at managing information related risk. How is that done?

Rich Stever (00:35:15):

Management should be looking at their metrics. Are they meeting their objectives? One other way, the second way we feel is through the internal audit. The internal audit is an evaluation of their processes. A lot of times the surveillance audits are only hitting on a portion of those controls, and majority, 99% of the time, our internal audits are going to be full review of the ISMS and its entirety. So, what type of results are we getting back? Are we improving? Are we downgrading ourselves year after year based off the results?

John Verry (00:35:54):

Gotcha.

Rich Stever (00:35:56):

Another way is going to be our third party. What type of questionnaires are getting from our clients? Are we meeting those expectations within those questionnaires? If there’s any findings, and third party audits as well, or assessments, we’ll call them. Are there any results from there that need to drive change within our ISMS? And are we completing them? How are they being tracked?

John Verry (00:36:22):

Are we completing what?

Rich Stever (00:36:24):

Any remediation activities.

John Verry (00:36:26):

Oh, okay. Gotcha. And I would say that would differ a little bit depending on the type of org. I mean, like one thing, which particularly, we do a lot of work in the SaaS space. And one of the things which I’m always surprised by is you get an org that’s ISO 27001 certified that really hasn’t done a super comprehensive evaluation of the software. I mean, so even from a management perspective, kind of really understanding true business risk. I mean, I think that’s a third piece is that if you own a business, you run a business, you’re someone who’s in top management, you’re doing enterprise risk management. You’re understanding how the biggest information security risks and validating that you think that the way that the ISO management system is constructed aligns with that. If you’re a SaaS, and you haven’t done an application vulnerability assessment and penetration test, that’s probably a red flag,

Rich Stever (00:37:26):

Correct. Yeah.

John Verry (00:37:28):

Yeah. Interesting.

Rich Stever (00:37:31):

ISO is not going to tell you that you need to, but as part of your ISMS, you should be including those.

John Verry (00:37:38):

Right. And that actually is the second part of the question I was going to ask about management’s commitment. So management’s got to be committed to governing it. But it’s got to be committed to resourcing it.

Rich Stever (00:37:49):

Correct.

John Verry (00:37:50):

So, if management’s not providing the funding to do a comprehensive assessment of the application, the management can’t be pissed off that it hasn’t been done. Well, or if they don’t have enough people to be able to support it and things of that nature. So, that’s the other side of this is management’s responsible to govern, and management’s responsible to resource.

Rich Stever (00:38:12):

Yeah. I mean, there has to be a balance across the organization as far as keeping the ISMS continuously improving and ensuring that you’re meeting your contractual obligations, your legal requirements that you want to do, but also on a technical side, there are a number of activities that need to be done, and they need to be managed and monitored, and how do you do that effectively with an ISMS. In a SaaS world, with a lot of our SaaS clients, they have a lot of automated tools that help facilitate a lot of activities. Through the use of JIRA, or Confluence [crosstalk 00:38:51]-

John Verry (00:38:51):

Jenkins Workflows.

Rich Stever (00:38:54):

You have that flexibility, and you have that ownership then. So, it’s getting those tools in place, those processes in place and ensuring that yeah, they all flow into metrics.

John Verry (00:39:06):

Did you listen to the podcast we did with Jim Manico from Manicode Security?

Rich Stever (00:39:10):

I have not. I believe I was on vacation. [crosstalk 00:39:13].

John Verry (00:39:13):

You should, only because the fact that what you just said was a topic of conversation that we had and this idea of, and we’re seeing it more and more where people are moving both security and compliance into workflows.

Rich Stever (00:39:27):

Oh, yeah.

John Verry (00:39:28):

Yeah, which is really cool stuff. Really, really cool stuff. And from a management’s perspective, that gives them that assurance because operationalizing this stuff is important. So that’s actually a good thing we haven’t touched on yet. So, airing dirty laundry, our own. We were as guilty as anybody else’s that I give a hard time to on a phone call of we got ISO certified, we celebrated, and I think you use the term. You spend nine months forgetting about it, then you spend three months going, “Oh, crap.” And now you’re-

Rich Stever (00:40:01):

Yes.

John Verry (00:40:02):

All right. So we were guilty of that. So, talk about, and I think we can talk about like a video teleconferencing provider that we both have worked with in the past. What are some good ways to make sure that once you’ve gotten certified, how do you operationalize it so that you know, and this is a good thing for management to govern? How do we operationalize it? What are some of the tricks? What are some of the tools people use to operationalize ISMSes in such a way that it kind of happens automatically?

Rich Stever (00:40:28):

As part of your metrics, when you’re building your metrics, and your monitoring of your controls, you’re putting checkpoints in. You want to have checkpoints. One of those checkpoints happening, are they happening monthly, quarterly, annually. And as part of a lot of times those automated tools are helping facilitate that because they’re just setting and forgetting it, but at the precise time it’s happening.

Rich Stever (00:40:55):

The other way is and a lot of times there’s an outline of events that have to happen, and you can do it manually using spreadsheets or Word documents, whatever your flavor is, or SharePoint just for tracking purposes, task management. You’re checking the box, and you’re validating some, and then as part of that, the validation of the artifacts is being reviewed.

John Verry (00:41:19):

I think I can, and I was trying to get you to talk about, and you may not have picked up on the reference. And I could be wrong about this, but what I thought they did, which was very clever is they were using a… They put their whole ISMS into a HelpDesk ticketing system.

Rich Stever (00:41:35):

Oh, I’m sorry.

John Verry (00:41:36):

You know who I’m talking about now, right?

Rich Stever (00:41:38):

Yes.

John Verry (00:41:38):

All right. So, if you think about it logically, an ISMS is just a collection of processes that all need to fire at the right time.

Rich Stever (00:41:47):

Correct.

John Verry (00:41:47):

Did you run your [inaudible 00:41:48] scan? Did you do user account management review? Were the policies reviewed was a risk assessment updated? Did you do your third party risk management? What he did, it really was helpful to me. And I hate to admit that a client taught me something because I like to think of myself as being super smart. But I looked at what he did and I said, “This is just dumb brilliant.” I mean, he laid out an entire year of his ISMS in HelpDesk tickets that would automatically be sent out. And then on top of that because you set up that ticketing system you would just attach the evidence to the HelpDesk ticket. And then he would just put the… When the auditors come in, he would just give them access to the system and say, “Here’s my ISMS. Come get me if you need me.”

Rich Stever (00:42:33):

Yeah. I think you’re making a fail proof. You’re ensuring your success at that point. Now, depending upon that, there’s also a flip side. How are you ensuring that you’re meeting those… You’re meeting your goals. Are you identifying where, what are the actions that you’re taking if something doesn’t trigger and doesn’t happen? What’s your fail safe to ensure that you have a backup option within that? And a lot of times the tools are going to do that, but-

John Verry (00:43:07):

Yeah, well, but I mean, in a perfect world wouldn’t you… I mean, not that you want to wait a year. But when you… I mean, we would certainly catch that during an ISMS internal audit.

Rich Stever (00:43:16):

Correct.

John Verry (00:43:16):

So, I think you’re making an argument, and that’s a good question to ask you. Is that an argument for doing more frequent audits? Like quarterly auditing versus… Are you an advocate of… We tend to ISMS internal audits on an annual basis, and we do the whole lot at all at one time. I think that’s what most people do, right?

Rich Stever (00:43:35):

Yeah.

John Verry (00:43:35):

Is that the optimal approach or as you become more mature should you think about changing that?

Rich Stever (00:43:40):

That’s another answer for each organization is going to make the decision that’s best for themselves. I’ve seen it work. And I’ve seen it not work during my time here at Pivot Point, and the client just felt they were in a continuous cycle of audit mode. They couldn’t get out of it. So, you brought it back or you scaled it back to, all right, we’re going to do semi annual. Then you start to miss some, things get delayed. So, it was more… A lot of times we see more success with annual internal audits. But as part of our model and part of our implementation we like to… We always want to set our clients up for success is ensuring that they have those touch points, those checkpoints throughout the year, so that when the internal audit comes, they have everything in place.

John Verry (00:44:37):

Gotcha. Yeah, audit fatigues [crosstalk 00:44:40].

Rich Stever (00:44:40):

And because a lot of times audit fatigue also aligns with third party audits, vendor audits, client audits, so it becomes… In this current state of the world, it’s becoming more frequent. Everybody’s in audit mode.

John Verry (00:44:56):

Yeah, that’s the difference between you and me. I mean, you’re streetsmart, I’m booksmart. My ISO analogy is more theoretical things because I don’t do the work very much anymore where you live in it every day. So, I do think the audit fatigue is a really good answer. And I do think that that’s a real issue. And I do like what you said there too. And I think I understood it. So I’m going to ask you this. I think that’s why you shaped some of the phase three, what we call phase three or ISMS support. So that’s that idea of us doing a quarterly, not an audit, but a check in. Like where are we at? Has this happened? Has that happened? Tell me about what content… And it really starts with what’s changed?

Rich Stever (00:45:39):

What’s changed. Yeah, exactly. We’re helping you monitor your ISMS, manage your ISMS. Making sure that you’re staying on top of things because you have a daily job as well outside of the ISMS. And we understand that even during the entire lifecycle of a project. There’s another business that has to be done outside of implementing an ISMS or managing an ISMS. Unless that’s your only true job, which we know is not the case for a lot of corporations. They don’t have just strictly people managing an ISMS or running an ISMS, there’s other responsibilities that they have to be accounted for. And that’s why [crosstalk 00:46:19]. So, a lot of it is us ensuring that, hey, okay, well, if you didn’t do this, let’s make sure we get this done. We’ll check back in, in two weeks just to make sure that, that was…

John Verry (00:46:30):

Yeah, a huge value there. And it’s actually funny, I didn’t even think of that. But you could simplify this podcast down to how do you optimize your ISMS? Ask the question regularly, what’s changed? I mean, because if you really think about it, if we, and of course we did implement a perfect ISMS for our clients. That would mean that every control has been optimally architected to effectively manage risk. And if nothing ever changed, the ISMS would never have to change it, right?

Rich Stever (00:47:00):

Yeah.

John Verry (00:47:00):

So, change equals risk or change equals potential risk and change equals should trigger the right cascade through the ISMS to is the risk acceptable? If the risk is not accepted, what controls need to be updated? What control objectives need to be updated? What security metrics need to be updated? Does that need to be rolled back into our scope statement?

Rich Stever (00:47:19):

Mm-hmm (affirmative).

John Verry (00:47:20):

Cool shit. All right, so let’s talk about a couple other quick things. Briefly touch on privacy. What are you seeing there? And what do we need to do… How does privacy change your ISMS, and how does it change the artifacts of the ISMS? And does it change the way that the artifacts interact with each other or do they stay the same? They’re just updated to reflect privacy.

Rich Stever (00:47:48):

We’re seeing privacy in every conversation now. With the introduction of GDPR, CCPA-

John Verry (00:47:57):

[crosstalk 00:47:57]. You left a few out.

Rich Stever (00:48:01):

Yeah, it shifts your SMS in a way that you now have to count for those particulars. You have those particular subjects that you need to ensure that you’re adding an extra layer of security. But as fundamentals of the ISMS, it’s really understanding, okay, what are the compliance requirements I have to adhere to as part of the ISMS? A lot of times you hear data processor or data controller. GDPR, you’re worried about your employees or European PII, personal data. So, it’s just a way of those risks need to be evaluated themselves. They’re a little bit… They take on a little bit higher priority. I would say higher priority, but a different higher sensitivity value.

John Verry (00:48:53):

I think [crosstalk 00:48:54] it’s a higher priority based on the fact that getting DPA… Based on the fact that sometimes… Well, it is a higher priority, but it’s a higher risk logically?

Rich Stever (00:49:01):

Yeah.

John Verry (00:49:02):

And on top hat if it’s new, going back to that change equals risk. Yeah, it is the highest priority because everything else was in pretty good shape until somebody threw [crosstalk 00:49:11] CCPA into that. Money that works for the CCPA. Interesting. So, is it literally… So you mentioned briefly 27701. So, if we’re going to use 27701, has that changed the ISMS? Does it change it markedly or is it a minor change? And does it change the way that we operate the ISMS?

Rich Stever (00:49:32):

It does not change the way we operate the ISMS. There’s a little bit more tangibles or artifacts requirements that you need to have as part of that. You got to understand your processing activities, record of processing activities. Where’s that personal data PII residing? And then making the determination of what’s going to be in scope for your privacy certification it. The one thing you need to know is your privacy scope cannot exceed your ISMS scope.

John Verry (00:50:00):

Good point.

Rich Stever (00:50:01):

So, your 001 scope. So if you’re not going to have HR and financial data in your ISMS scope, it’s not going to be part of your privacy scope. And what are the privacy impact assessments? So, your ISMS just expands. You’ve got a little bit more activities that need to be done, that you need to monitor, that you need to manage. Yes, obviously, your risk is going to be a little bit lengthier. It’s going to be more parties are going to be involved from inside the organization. You’re bringing in different departments, different C-level executives into a lot of these conversations as well.

Rich Stever (00:50:39):

But as far as the fundamentals, it’s just ensuring that privacy is included in a lot of these requirements and technical controls, but as far as it’s just your ISMS is built to handle that. It should be built to expand to that. Just the same as you were going to include HIPAA into your ISMS. It’s just another… It’s an expansion of your controls. Now you’re bringing in PHI. So there’s that sensitivity level of risk. But your ISMS should be able to adapt and include that as as needed.

John Verry (00:51:15):

Yeah. I like the way you said that. I’ve always said that. To me, if you build an ISMS, it can handle all inputs. All we need to do is filter that through. I think the only thing which is different with if you do 27701. Not CCPA, not GDPR, but if we choose to add 27701 to our ISMS. I think the only other additional thing worth pointing out is that the ISMS changes in that it becomes an ISPMS. What are you guys using now as a phrase? Is it ISPMS?

Rich Stever (00:51:45):

ISPMS, yes.

John Verry (00:51:46):

Okay, cool. So, it becomes an information security and privacy management system. And I think, personally, 27701 is really well done.

Speaker 5 (00:51:55):

Use a result from the web.

John Verry (00:51:57):

Oh, thank you, Google. I wonder if Google agrees with me. [inaudible 00:52:02] she’s answering again. So, I think it’s a really well done standard because to me I love the fact that it extends a couple of clauses. So your ISMS becomes an ISPMS. And then I love the fact that it gives us more prescriptive controls because PI has different logical control treatments that we need to account for. And because 27701 is new, it actually reflects the main tenants, if you will, of like CCPA and GDPR. It’s got the consent. It’s got data subject access request, right to forget, right to edit, right to delete.

Rich Stever (00:52:41):

Yes.

John Verry (00:52:41):

Yeah. Okay, cool. So we cover privacy, and that actually lends into a nice next step there. So, if you look at 27701 has been a really cool extension to ISO, any other extensions that that give us greater prescriptivity that we’re starting to see people use a little bit more to optimize their ISMS?

Rich Stever (00:53:01):

I would SOC 2 lately. And SOC 2 kind of goes-

John Verry (00:53:07):

Yeah, you just took me in a direction that… You just blew my mind. I was going 27017 [crosstalk 00:53:13]. But I love the fact you went SOC 2 because you’re opening my eyes, so explain that.

Rich Stever (00:53:18):

17 and 18, they’re kind of being overrun by 701.

John Verry (00:53:24):

I agree with… Do you think 27,000 [crosstalk 00:53:28] 17 as well? Or I’m screwing them up. 17 is cloud, 18 is privacy, right?

Rich Stever (00:53:33):

Yes.

John Verry (00:53:33):

So, I agree with you. I think privacy, 27018 is sort of gone, 27017. So, explain where you went with SOC 2 because you went the direction I didn’t think you’d go. [crosstalk 00:53:45].

Rich Stever (00:53:45):

There’s more of a level of prescriptivity in there, [inaudible 00:53:48] say that word. But they’ve changed the structure. It aligns more with an ISO. It gives that flexibility but there’s still stringent requirements. So, your controls are held to almost a higher standard. So, you can adopt those as well as into your ISMS as well.

John Verry (00:54:10):

Gotcha. So, would that be in the same way? So when you think about extending using the prescriptivity of SOC 2, is that in the same way as you would use 27017 or CSA STAR or CIC CSC?

Rich Stever (00:54:25):

Yeah.

John Verry (00:54:26):

So, it’s same concept.

Rich Stever (00:54:27):

It’s the same. Same concept, it’s just a different framework.

John Verry (00:54:31):

Gotcha. I actually like that idea, and I know that you’ve been working to do some stuff on our internal auditing program to incorporate those standards. What’s the idea that you’re trying to drive continuous improvement? What are you doing there? Why are we doing that?

Rich Stever (00:54:47):

Well, I think you come to the fork and the road. So, you can go through the motions in our internal audits, and we have a normal evaluation analysis that we do as part of the internal audits, but how are our clients go to continuously improve? And I think one of the ways we need to do that is adopting a maturity model as part of the scoring. So, as part of that, yes, okay, yeah, you base it off of zero to five. Great, you can be effective at a two, but how do you improve your ISMS? How do you ensure that you have… you’re managing it, and you’re getting to that optimization level? What are the continuous steps you need to take? And you do it on a control basis, control per control. So, I think that’s some of the some of the improvements that we’re making, and a lot of organizations are opening their eyes to it, and they’re seeing the value in it. It’s just not a repeatable process. It’s something that they can ensure that they have on their roadmap.

John Verry (00:55:51):

Gotcha. So, there’s the maturity model. And then the other thing I guess you would say, and this can sound lousy because I love ISO. I’m an ISO fanatic. But I think when the Lord giveth, the Lord taketh away. ISO gives us… The answer to any ISO question is what do the risk assessments say?

Rich Stever (00:56:14):

Correct.

John Verry (00:56:15):

There’s no prescriptivity to ISO. We don’t know how long passwords should be. We don’t know if you should use multi-factor authentication. We can’t tell if you need a pentest or not. So, that’s the other side of that what you’re doing on those internal audits as well is saying, “Okay, let’s take a more prescriptive standard. Let’s overlay it on an ISO, and let’s hold your feet to a little bit of a little more heat. And let’s see if we should step up what we’re doing.” We’ve chosen a certain level of risk mitigation. Did we get a little lazy? Did we not do as much risk mitigation as some other frameworks might suggest we should do, right?

Rich Stever (00:56:51):

Yeah.

John Verry (00:56:52):

Interesting. What’s going to be interesting too Rich, and this is just off the cuff here. I had a conversation with a client, fascinating client, a potential client, I should say, a couple days ago. And their whole thing was like NIST high security categorization. And they wanted a certification and a management system to manage a NIST high. And we landed on using ISO 27001 because you don’t have to use the Annex A controls underneath ISO 27001, and that’s something that I don’t think we’ve really done much of but that would be a cool thing to think about is imagine taking somebody’s ISMS, and holding it to a NIST 853 moderate or high security categorization as a mechanism of continuous improvement. That gets hairy because that’s a very prescriptive framework. That’d be fun. All right. So we’ve been on a while, any last thoughts besides how good I did?

Rich Stever (00:57:58):

Oh, I’m sorry. I’m sorry. [crosstalk 00:58:00].

John Verry (00:58:00):

Come on you work with me. [crosstalk 00:58:02]. You know you have to fluff my feathers.

Rich Stever (00:58:03):

Yeah, come on. I’m a little jealous that you’re on that second drink already.

John Verry (00:58:14):

I’m always on a second drink, you know that. You’ve known me eight years. No. Any last thoughts? Not on how wonderful I am. Any last thoughts on our conversation?

Rich Stever (00:58:27):

I don’t think so. I think we covered a lot. There’s definitely room for additional discussions.

John Verry (00:58:34):

Always.

Rich Stever (00:58:34):

So, we’ll take it from there.

John Verry (00:58:37):

That’s a good deal. Well, you and I always have… That’s the one thing we have a lot of the Pivot Point discussions. All right, so did you do your homework? Because [crosstalk 00:58:44]-

Rich Stever (00:58:44):

I know, I know.

John Verry (00:58:44):

Did you do your homework because I won’t ask if you didn’t do your homework.

Rich Stever (00:58:46):

No, I’ve been dreading this one. I’ve been dreading this one, but I think I’m good.

John Verry (00:58:52):

You think you’re good, all right.

Rich Stever (00:58:55):

I know it’s a pass fail type of model [inaudible 00:58:57].

John Verry (00:58:58):

All right, so what fictional character or real person you think would make an amazing or horrible CISO and why?

Rich Stever (00:59:04):

Here we go. So, obviously the last five months has been a little crazy for people, so there’s been a lot of downtime we’ll call it. A lot of movie watching, TV watching. So, I’ve done my homework. I have a good [crosstalk 00:59:19]-

John Verry (00:59:19):

Research. It was, “Honey, we need to watch it Netflix for four hours today. I’m doing research for a podcast.

Rich Stever (00:59:26):

No, no, I did my research last weekend. My research was last weekend. I think the individual that would make a good CISO is… I have it over here. So, I’m looking over here on my screen, so I’m going to kill the name, Poe Dameron from Star Wars.

John Verry (00:59:44):

Wow. Okay. Now I have to admit I’m not a Star Wars… I probably just lost half the technical geek audience, but Star Wars ain’t me. So tell me who Poe Dameron is and why [crosstalk 00:59:54].

Rich Stever (00:59:55):

He’s a pilot for the Republic we’ll call him. So, he is a pilot for the Republic. He’s got the personality. He’s got that witty but serious personality. He can play both sides. Serious when he needs to, funny when he has to be. Leads by example. His intention sometimes are good. He kinds of takes the wrong road, but he always finds his way back, but drives and motivates to get people to do things, so he’s a good delegator, so-

John Verry (01:00:30):

That sounds good like a-

Rich Stever (01:00:34):

My other option was going to be Olaf, but I didn’t [crosstalk 01:00:37].

John Verry (01:00:37):

Who’s Olaf? [inaudible 01:00:39]. Are you making up names now to make me look stupid? It’s easy to do that and make me look stupid, by the way. All right. Well, let’s listen, I’ll give you a little props. Your homework was good. All right, so last question, based on-

Rich Stever (01:00:52):

[crosstalk 01:00:52] Star Wars, start to finish, all the movies.

John Verry (01:00:56):

I’ve never… I watched the original years ago, and I’ve never really watched it. And I’m probably, like I said I know I’m losing a lot of technical credibility because it’s amazing how many people in our field love Star Wars. In fact, anyone who’s ever gotten a proposal from us, one of our proposal themes is Star Wars. All right, so last question. So you chat every day with our customers like I do. What do you think would be an interesting topic for another episode? Something they struggle with, something that you hear a lot.

Rich Stever (01:01:25):

What do clients… And I touched on a little bit today, but I think how to support the ISMS, an internal support of the ISMS, ongoing.

John Verry (01:01:37):

Like either staffing or third party [crosstalk 01:01:41]-

Rich Stever (01:01:40):

Post-certification, yeah. And then we talked about it with management commitment, but what should an organization be ensuring that they have in place because you can go… That’s a whole level, another layer conversation that we could have on that. That might be one one topic, I would say.

John Verry (01:02:00):

I like that because because it’s a lot harder than you think.

Rich Stever (01:02:05):

Well, it is because a lot of times it falls on one individual, and does that individual have the support that they need? What should we be ensuring that management is supplying?

John Verry (01:02:19):

That goes back to that resourcing question that we asked earlier. That’s actually an interesting one. Cool. I like that. All right. So, if somebody wanted to get in touch with you, how would they do it?

Rich Stever (01:02:30):

LinkedIn and/or email.

John Verry (01:02:34):

Which is [crosstalk 01:02:35] Richard.stever.

Rich Stever (01:02:37):

Yes, yeah. So, now if they wanted to get in touch me, yeah, I couldn’t tell you my Twitter handle. I don’t know what it is. I haven’t used it in a while. [crosstalk 01:02:45].

John Verry (01:02:48):

You’re not a tweeting machine?

Rich Stever (01:02:50):

I’m not a tweeting machine. [crosstalk 01:02:51].

John Verry (01:02:50):

All right.

Rich Stever (01:02:51):

You can find me on LinkedIn and on email at [email protected].

John Verry (01:02:59):

All right, sir. Thank you very much for coming on. Appreciate it.

Rich Stever (01:03:03):

Thank you.

Narrator (01:03:04):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.