Have you ever wondered how to streamline HITRUST, SOC 2, as well as other certifications and attestations? Well, in this episode, that is what you will find out. We’re going to explain how to streamline the process of developing policies and procedures, how to conduct a gap assessment & risk assessment, how to facilitate incident response exercises, how to upload evidence and meet with auditors.
Brian: First, Sierra, thank you for inviting me to do this podcast.
Webb Adams is a veteran-owned business. We're based out of Central Florida, and the team is comprised of Cybersecurity and Policy professionals. These roles are versed in designing, managing security, privacy, and compliance programs.
We've added former assessors, auditors to really bring balance to our team and ensure that we're aligned with the latest standards, and by extension, to ensure our clients pass any of their audits or attestations without any kind of issue.
Basically, our goal with Webb Adams is to provide a white glove compliant service to our clients from the cradle to the grave. Meaning we develop policies and procedures, conduct the gap assessment, risk assessment, facilitate incident response exercises, and upload evidence.
Anything to meet our auditor's demands, core focus, HITRUST, ISO 2701, SOC 2 certifications, and any attestations as well.
Sierra: Okay, great. I used to work for HITRUST, so I am very familiar with them and SOC 2. Again, I'm so excited to hear you speak with Michael Parisi of HITRUST at the Summit. Brian, can you give our listeners some background on yourself and your focus specifically?
Brian: Of course. I graduated from Drexel University, Philadelphia, PA. I joined the U.S. Army immediately after graduating as a Counterintelligence Agent. It set me up for my first job after leaving the military. I worked for one of the largest defense contractors out there. I was conducting physical and vulnerability assessments on U.S. military bases.
Again, physical vulnerability assessments. So that meant I was actually hopping fences, literally climbing into dumpsters with trash and everything. All in the name of trying to steal sensitive documents. I am looking for that confidential, secret-type document. Little did I know as I was sitting in those dumpsters that it was really setting myself up for a career in policy and management.
After leaving the Defense Contractor, I started and spent a decade and a half writing security policies and procedures for entire branches of the U.S. government, trying to protect against what I was doing. Many protect against the threat actors that are trying to steal sensitive documents.
From there, a few years ago, I decided to leave the Federal Space and went private. So, here I am now, Owner and Compliance and Standards Practice Lead at Webb Adams.
Sierra: That's great. You know, you were dumpster diving. No one could say that you are not committed, Brian. With Webb Adams, it seems to be composed of former offensive Cyber Operators, Intelligence Officers, and Security and Compliance Experts. How does this set you guys apart from your competitors?
Brian: In my opinion, we bring the right balance between tactical and strategic value. Our Cyber Intelligence team members bring real-world, frontline experience. Combating threats, either physically, again jumping into dumpsters, or in cyberspace behind the keyboard or whatnot.
They have defended against terrorists, criminals, and insider threats. When the situation called for it, they were on the offense and again doing the bad things. They truly are experts in the field. However, it is in my experience that operators tend to avoid policymaking at all costs. It only obstructs the mission and only slows them down.
As a brief aside, one of our team members had recently told me that when anyone starts talking about policies, they get itchy and start breaking out in hives. So they avoid policies at all costs. Therefore, to really try and bring balance to our team, we hire Policy and Compliance Experts. They are the head down, see the world in black and white, professionals.
These Policy and Regulation professionals know exactly what the clients need. They have the standards and the regulations and do everything that our client needs to meet their compliance goals. What appears to be an opposite kind of skill sets, and those offensive operators and head down compliance professionals. It really brings a great deal of balance to our teams in the Security, Compliance, and Risk space.
Sierra: Okay, great. Thanks so much for going into a great deal of detail with that. Who is your ideal client or customer?
Brian: An Ideal client customer, I would say, the organizations that lack mature security policies. They have no real internal compliance expertise. The organizations that are being pressured to certify quickly by an external party. Those are the clients where we provide the most value.
I know it seems negative, but it's where we can provide the most to them. We've worked with small startups out of their garages, and we've worked with large publicly traded companies in almost every single vertical that's out there. They all have their own challenges, from being a blank canvas to a security perspective, which requires a lot of resources to implement security to multi-decade old, rigid corporations that have a ton of security controls but also extremely resistant to change. So there really is no ideal client, in my opinion.
There are some qualities that do make the certification readiness process go much smoother. Some of those qualities include leadership buy-in. You always kind of hear it, and it sounds cliche, but having that open communication with the leaders from our client throughout the entire process really alleviates pain points. It helps us avoid surprises, fosters a partnership, as opposed to providing just a check-the-box type service.
Other things that are really important to me are that clients are having realistic expectations. I mean, for instance, HITRUST requirements state that organizations never have to send unencrypted sensitive information via email. For those clients that only deal with sensitive information.
For Healthcare, for instance, writing a policy that prohibits sending sensitive information is probably not a realistic option and provides minimum risk mitigation. It doesn't make sense. However, having a client that understands implementing a HIPAA-compliant tool like email encryption tool, which Paubox offers, is something smart to do.
Sierra: What industry standards do you guys provide ongoing support for? I know we mentioned HITRUST and SOC 2, but what else?
Brian: Those two, for sure. For our US government clients, we do provide CMMC readiness, as that certification is still kind of in the launch phase. So we are preparing clients for that.
We also use FedRAMP readiness services. Some that are not necessarily in the certification space, but you want to kind of test and be compliant. We do some privacy things: GDPR, HIPAA, CCPA, Berkner, PCI DSS, NIST Cybersecurity Framework. You name an acronym; we probably are touching it or can prepare you in some way, shape, or form.
Sierra: Fabulous. What do companies seek you out for? Like why do they reach out to you? What challenges are they trying to overcome?
Brian: The majority of our clients reach out for two reasons. They either have a lack of resources on their side, or it's the speed of execution of how quickly they need to be compliant, or they need that certification. They need that gold star at the end of the day.
I'll start with the speed requirement first. A typical call from a protective, prospective client generally always starts the same way. They have a large contract; it's dependent on them being HITRUST certified, on them being ISO 2701 certified, or they promised a client that said, "I told them last year, my risk assessment that I was going to be ISO certified by the end of 2020.
However, it's 2021, and I haven't even started, and I'm at risk of losing a large current contract." So to combat this, Webb Adams eliminates all the excess processes services that are not getting you closer to that gold star or not getting you certified. We've eliminated that and streamline it, trying to remove all the waste and be as efficient as possible.
The other thing again, as I said, the lack of resources. They just don't have that human capital to prepare for the certification. They have full-time jobs, and usually, it's an army of one. It's one person wearing many hats and trying to stuff certification onto them, which just doesn't make sense.
So they look at something like Webb Adams. We provide that single tier of service, thorough and exceptional. Again, we write those tailored policies and procedures.
We conduct those risk assessments, lead the incident response exercise, respond to all the orders, and request upload evidence. We can really lead their team through everything, and we try to really take that heavy lifting as much as possible.
Sierra: What are the key components of a resilient security program?
Brian: I've used this example for almost all my clients to try to explain it.
If you could imagine a pyramid in your mind, if you close your eyes and imagine a pyramid, at the base of the pyramid, even before you lay that first stone, you have the soil, you have the earth, the sand, whatever you're building this pyramid on. That goes back to that leadership buy-in. They truly are the foundation, the rock bed, the driving force to the tallest pyramid that you ever want to build.
Then at the same point, with a pencil whip, they can also topple that largest pyramid ever as well. So you need to have that leadership buy-in before we even really try to build a resilient security program.
After that, creating that strong foundation going back to my roots, is you have those sturdy building blocks. That's your documentation. You have policies; you have procedures, something that everyone can come back to. That starts to set up the rest of the pyramid. It determines the shape of the pyramid. If you have a tall, skinny pyramid, you're gonna have a fat wide. A short pyramid, it's everything that goes into your security program.
Lastly, then the different layers that you have in there, you start adding security training, you start adding incident exercises, risk assessments, and then any other additional tools that are there to mitigate any kind of risks.
Each layer is important, with no layer being more important than any other. They all depend on each other. Each component cannot be independent of the other. It helps to build a security program that really can, you know, like a pyramid that stands the test of time.
As a visual learner, it helps me have that pyramid. It helps me explain what a resilient program looks like to the C-suite and executives of the company.
Sierra: That was a fabulous example. I started to close my eyes and visualize what you were talking about. So I'm sure that was useful for our listeners as well. Brian, thanks again, and to our listeners, thank you for joining our HIPAA Critical podcast. Our next virtual conference is the Paubox Spring Summit 2021, Secure Communication During a Pandemic. As I mentioned, it will take place on April 6th and will be virtual. As a reminder, you can listen to other podcasts at paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again, and see you next time.