Mastering CMMC Compliance: Expert Tips for Businesses with Special Guest Leia Shilobod

You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.

Nathan: Hello everybody, I'm Nathan Whitaker, CEO of Stimulus Technologies, and welcome to Stimulus Tech Talk. I'm very excited to have our first guest for the podcast this morning, a good friend of mine, Leia Shilobod, the CEO of InTech Solutions. So welcome, Leia.

Leia: Thank you for having me today, Nathan. It's a pleasure.

Nathan: So let me do a little introduction. I'll read your brief bio here and then we'll get into our topic of the day. As I mentioned, Leia is the CEO of InTech Solutions and a long-time friend of mine, so I'm excited to have her. She's the author of Cyber Warfare: Protecting Your Business from Total Annihilation and The Three Indisputable Rules Every Manufacturer Must Know Before Purchasing Any IT Product or Service. As a cyber security advisor, Leia speaks frequently at venues and events such as Harvard, Pennsylvania State Department events, and accounting and manufacturing industry events. Also known as the IT Princess of Power, Leia saves small businesses and mid-market firms from hackers and keeps them compliant by delivering enterprise-class IT security solutions that would otherwise be cost prohibitive. So our topic today, and what I brought Leia on to talk a little bit about, is security and compliance. That's a topic that business owners oftentimes kind of glaze over when you talk to them, and they don't want to hear it until they have an issue. So tell me a little bit about yourself and how you've been able to introduce this idea of compliance, especially CMMC compliance, to business owners. How do you get into their head and convince them to even listen to you about this topic?

Leia: Yeah, so I want to thank you so much for bringing me on this call to talk about my two favorite things, security and compliance. Those are my two favorite things and I could talk about them all day long. But how did I get to be in this place? It's a good question. So I founded my firm in 2006 as a security-focused IT provider, because that was always really important and really key and core to everything we did. It didn't matter if the company that we worked with understood and cared about security as much as we did; we cared about it. And then as time went on, that security piece was not as much of a nice-to-have. It's kind of like, you need it if you're going to be in business. You need to be able to have security front and center. Sometimes there was a concern, like, why am I spending money for this? Or, am I spending money in the right place? And I could see this concern, and I was trying to communicate the value, but I was still having difficulty weaving it all together for the business owner. And then some of my manufacturing clients had a contractual requirement to comply with NIST 800-171 cyber security standards, how to protect certain government information that they were data custodians of. And then I was like, oh, this is great, it doesn't matter what they think, they have to do it now. So we're going to go about doing this thing, and I can kind of jump over the conversation of why and just say we have to. And I'm sure you can imagine that still didn't go over very well, because nobody wants to have to do something. They want to understand the why and the benefit, not just, okay, fine, I have to do this, because you're not going to get excited about something you just have to do. Then I actually studied for, and got, a certification to be a Certified Information Security Manager, my CISM certification. As I was studying for it, it was actually one of the most fun things I ever did, because all the stuff in there was like, this is it, this is helping me to weave together all those things that I wasn't sure how to, and be able to have that conversation with my clients about managing their information security, and be able to say, what is the business outcome that you are looking for? Because we know we have to have some kind of investment in your IT, because that's related to your business process. And if we do this the right way, then those resources that you allocate, not only do you know why you have to put money in there, but you know that you're putting it in the right place, instead of just trying to throw money at a problem, cross your fingers, and hope that it's going in the right place. Now the clarity is all there. So when I talk to clients about introducing security, we talk about implementing a cyber security compliance program, no matter if it's going to be a CMMC compliance program or just cyber security compliance in general, and be able to have a business and operational conversation where we can say, look, I'm on the same side of the table as you. We have to think strategically about where we put these resources, because we understand your business has limited ones. Let's talk about risk to the organization: what areas are those risks in, how would that impact be in your organization? And then put that all into a program and then be able to make good, strong business decisions based on data. And then the outcomes of that program we can actually report back, and it's not just like, oh look, there were no incidents this month, but actually real, strong metrics and information to say, we got this going, and this is why our business is flowing so well, this is why operations are flowing well. And then they feel like they're making the right decisions about where they're spending their money.

Nathan: Yeah, it seems like when I talk to companies about security and compliance, they think it's maybe like insurance, or, like you said at the beginning, something they have to do or are supposed to do, but they definitely don't get excited about it. They'd rather be spending the money elsewhere. So it seems like you take a little bit different look at it: how can security and these compliance things help their business processes, rather than just be something they're throwing money in a bucket at and hopefully it protects them?

Leia: Yeah, right, because that's no way to do business. And what often happens is, the people who are thinking strategically in the organization, unless you get larger, like into a mid-market firm. Like, I work with an organization out of the UK, they have a thousand endpoints, so their CIO and their CISO are thinking differently about the allocation of resources, because they're already in the C-suite. But oftentimes, if you have internal IT, or if you just have an MSP or MSSP, their IT provider, they're not having that C-level kind of conversation, or they're not sure how to bridge that gap. And so they're allocated this small pot of money, and maybe they don't even know the best way to allocate it, and they keep saying it's not enough. And it might not be enough, and it might be enough and just not allocated properly, but there's no defined, strategic way of trying to assess that. So everybody's just frustrated and not feeling like you're getting good outcomes, and it's like, you know what, that's because we're not doing it the best way. There's a better way to do this, and you get massive value from implementing a disciplined, strategic approach.

Nathan: Yeah, that's really interesting. I talk periodically about it, that in the IT industry we make the mistake of just trying to scare people into buying security, and that's not a good tactic. I mean, I drive around on the road here in Vegas and they have these billboards up: don't speed, don't drink and drive. But there's plenty of people still out there going 10, 15 miles an hour over the speed limit, or having a few drinks and still getting behind the wheel. So we know as people we're willing to take those risks. So your approach is really interesting, talking about the advantages of implementing these inside their business rather than just scaring them into doing something.

Leia: Right, right. So I think that the scaring thing is what we think is the easiest thing to do, right? Instead, we do a lot of tabletop exercises with our clients, where we take a scenario and we say, here's a relevant scenario. Let's say this happened in your business: you walk in, and the server that hosts QuickBooks Enterprise for your business is encrypted. You know that because you're trying to access it, you look at the files, and everything looks all jumbled up. What do you do? I was talking to one person about that, and they were like, oh, well, I would just email you. I'm like, no, that's not what you do. And let's talk about why. Okay, because maybe if that system's compromised, your email system might be compromised. And also you have an emergency; what if I'm not looking at my email? You've got to pick up the phone, you've got to call. Right? Or, we have to make sure: do you have an incident response plan? If you do, you pull that out first and you do what it says. If you don't, why don't you have that? Because you need to figure out, if this happens, what do you do? You don't practice on a real live incident; you practice before that. And then as we talk through the scenario, they start asking questions like, well, how could this have happened? And that's a great opportunity for me to say, well, right now you have this zero-trust software on your server, so technically things should not be able to get encrypted, but let me tell you about ways that it could possibly happen, and then we can talk through that so they can also understand the risk. Because when you allow somebody else into your system, an outside organization, and you give them that responsibility, that's a big risk too. They're forgetting how big of a risk it is that they're working with any kind of third-party vendor on this and trusting them.

Nathan: Right, and maybe MSPs don't want to talk about that.

Leia: Yeah, because if they say that, then, like, if I try to explain that I'm a risk for my client to work with, they're going to want to go away. Well, why would they want to do that? Because if you're helping them to see the risk, then they can start asking good questions and understand why it's important to work with you and not the devil they don't know, who's not going to have the same kind of practices in place. And now they understand.

Nathan: Right, so you actually make them more sticky by helping them through this kind of conversation.

Leia: And we uncover things like, well, insurance: do you know, should we be calling your insurance company first before we touch anything? Well, I don't know. Well, you've got to call them and find out. Well, what kind of coverage do you have for this particular situation? I don't know. So at least more questions than answers, right? But that's good, right, because I'm not talking at them, I'm talking with them and getting their brain to think about, if this real scenario happened, you would have to know what to do. It's not going to be, call me and I take care of everything, because it can't be that way. When you have a massive incident, you as the business owner have to be responsible for orchestrating what happens and being involved there. And of course tabletops are part of our compliance process.

Nathan: Yeah, it's an interesting point you make, because I think a lot of business owners, especially small businesses, want to just hand a piece of paper to somebody and say, I was told to get PCI compliance, or CMMC, can you sign this and tell me I'm compliant? And they don't realize that as a business owner, they're certifying their company as being compliant. They have to bring the team in to help, but it's on them to ensure that their company is compliant, because the regulators will come after them and not anybody else in the end.

Leia: Yes, yes. And you never want to be in a situation where you abdicate a responsibility that should be yours, and then be like, well, I thought you were supposed to be handling this for me. Nobody ever wants to be in that situation. I never want to be in that situation as a business owner, and I know the people that I work with never want to be in there either, but maybe they don't see that that's what they're doing. And you have to be able to have a way of re-engaging them so they understand what their piece and their engagement is that's required in order for this to be successful.

Nathan: Yeah, perfect. So kind of going back, tabletop exercises, I'm pretty sure, are part of the compliance requirements of the framework. But can you tell me a little bit more about CMMC? Who does it apply to, and what does a company need to do to go through that process?

Leia: Yeah, so before there was a CMMC, there were contractual requirements that any organization that has a federal contract or is in the Department of Defense's supply chain has in order to protect information. The two kinds of information they're required to protect are Federal Contract Information and Controlled Unclassified Information. The government has those two classifications, and that's across all departments: Controlled Unclassified Information and Federal Contract Information. So in the Federal Acquisition Regulation, the FAR, there is a clause for basic safeguarding requirements. There are 15 requirements. If you have a federal contract, it does not matter if it's DoD or anywhere, if you have a federal contract there are those 15 basic safeguards that you are required to have, and when you sign your contract you are attesting that you're doing that. And then if you have CUI, there's additional requirements, and right now every department kind of approaches that differently. The DoD has been the one who has really taken the reins on assuring that organizations that have their information, the Controlled Unclassified Information, are actually implementing this properly. And that's because so many of our secrets and important information about our defense has leaked out to our adversaries, and so not only are they able to create weapons to be able to kill our people better, but they also can find the weaknesses, so when they are using their existing weapons they can hurt and kill our warfighters and our people. And we don't want that, so we have to protect that information. It's been more important to the DoD, and they recognize...

Nathan: I think a lot of the leaks in general come from vendors, you'd think.

Leia: Yes, yeah.

Nathan: And that's an interesting perspective that they're taking.

Leia: Yeah. So they actually sent out their assessors, their auditors, to check to see, in their big primes and also in some smaller organizations, how well are they implementing these controls. There are 110 controls in a publication called NIST 800-171. How well is it being implemented? And what they found out was, it was really bad. And sometimes it was because organizations just kind of dropped the ball, sometimes they didn't think it was important, and sometimes they just had confusion on how to actually implement it and what it looked like. So that's where the CMMC program came from. CMMC is like a how-to for implementing these controls: the 15 from the FAR, that's CMMC Level 1, and the 110 from NIST 800-171 at Level 2. This one is if you just have FCI; this one is if you have CUI.

Nathan: What is FCI versus CUI, for those that don't have all the acronyms memorized?

Leia: Yeah, so Federal Contract Information is going to be any federal contract information. So if you have information about a federal contract that the government would not just post out on a public website, if you have to sign into sam.gov in order to look at that information, then that's Federal Contract Information. You're required to protect that with the 15 basic safeguards. There's other information sometimes, like specifications, drawings, technical information, that the department has categorized, I should say, as Controlled Unclassified Information. So it's not classified. If it was classified, we'd have a whole other set of controls we'd have to look at there. But it's still important for it to be protected with additional safeguards to assure the confidentiality of that information. And so the government says, if I entrust you with that, then you contractually are bound to implement these safeguards to protect that information, and if you don't, it's a breach of your contract. And not like we're just going to fire you, but we can come after you with the False Claims Act and say you've made a false claim that you were going to protect our information this way and you're not, and we're going to sue you. And there have been, on the low end, twenty thousand dollar fines, and on the high end, millions of dollars in fines, and it depends on the nature of the situation.

Nathan: Interesting. So I'm sure an organization can go out there and have somebody write all these policies, put them in a book, stick them on a shelf, and be good, right?

Leia: Nope, the answer is no, because CMMC and compliance is not a checklist, right? So when I talk to a manufacturer and I say, well, you went through all this effort to have a quality program, right, or you went through all this effort to have a safety program in your organization, they're like, yeah, yeah, we did. And so, you didn't go through and do all this paperwork and do a checklist and then be like, well, we're safe, right, we're good, we don't have to do anything else because we got our checklist and now we're safe. You would say that's ridiculous. Safety is not like, we've arrived, now we're safe. You have to continuously follow the processes, have safety meetings, maybe continuously improve some of those processes to keep your people safe. Same thing with quality. It's the same thing with cyber security compliance. There's actions you have to take on a regular basis; we call that the compliance actions cadence. Things like maintenance on systems, patching, checking backups, looking at alerts and security reports, running reports over time, looking for vulnerabilities, bringing all this information together, looking at the documentation, making sure we're following policy, and then it's not just collecting dust on the shelf. Doing those tabletop exercises so we're ready when there's an incident, because it's not going to be if, it's definitely going to be when. And collecting all the evidence that we're actually doing the things that we attested to in that contract, because a lot of people are going to have to present themselves for official assessments and become certified.

Nathan: So how does a company get started with this? Let's say a small contractor that maybe does have some of that confidential information, or is providing information that's got to be protected at Level 2. What does a company need to do if they haven't started on this at all?

Leia: Well, the first thing we need to get really clear on is, what is this information that I need to protect? Right? Because, okay, here's a good tip: if you ask anyone external to help you with this process, and the first question that they ask you is not, what is the information you have to protect and how does it flow throughout your organization, then you need to not work with them, because you have to start there. Once you've determined what that information is, and maybe you say, I don't know, you have to figure out by some mechanism, some way, whether it's like, everything that comes from ABC Company we're going to treat like it's CUI. I don't care what it is you do, but you have to put some kind of circle around, what is the thing we have to protect? Because the rest of your program is going to have to follow that information, and it's going to help us understand how we're going to apply the changes, the security controls, and all those things in your organization. If we don't start there, we can't implement the program. After that, the next thing to do is a gap assessment, because now you know how the information is flowing, who has access to it now, and how you're going to need to control it to align with that requirement. And so you say, okay, here's where we are and here's where we have to be. What are all the things that we have to change? When the list of all those things is like, we're currently not doing this, currently not doing this, currently not doing this, all those "not doing this" go on a POA&M, a plan of action and milestones. And then you look at this list, and oftentimes it's hundreds of things that have to be changed, and you say, okay, so in all this list, let's see, projects. Okay, maybe I see we're going to have to upgrade our ERP or MRP because it's sitting on servers that are too old, and these servers are not going to be able to meet the controls. Maybe that's a project. Maybe you recognize that the wireless system that you have in place is not going to be compliant; maybe that is one. It will always be documentation, so there'll always be some kind of documentation project in there, because no organization that I've talked to or worked with, even the one that has a thousand people in it, none of them have the required documentation in order to run the program properly. So that's going to be on there too. There might be some changes in a business process, because maybe with a current business process there's no way to be able to secure that properly, and we have to think about different ways of doing that. And so you look at all of those things, create discrete projects, assign some kind of estimated value and labor lift, and then start to prioritize them to figure out how to remediate. But compliance is not just the project, right? So at the same time, while you're working through those projects, you're also implementing those cadences of the activities you have to do and collecting evidence. And that also helps you to stay on track, because when you're having those meetings and doing that cadence of activities, then you can also check in on the projects and make sure that they are going along like they're supposed to, to get done.

Nathan: Yeah, it seems like it really does change the business. It isn't something, like I said, where you can just put a binder on a shelf and call it good. It's really changing the core of the business and the way that things are done to protect that. So for a business that isn't a federal contractor and doesn't require these things, is there anything that you've learned from this framework that any business should implement?

Leia: Yes, absolutely. And that is, I realized that CMMC is not this whole new world. It's implementing and maintaining a cyber security compliance program, and if you can implement and maintain a cyber security compliance program, you can implement and maintain any cyber security compliance program. The backbone of that is a set of controls, in other words, standards and controls that you want to align with, and then actions, and an actions cadence to make sure that those things are all happening. So every business needs to have some kind of a program in place and some kind of standard; otherwise you're just guessing, right? I think this is the best thing. And actually having a set of controls, whether you use the NIST controls like 800-171, or the Cybersecurity Framework, CSF, or you use CIS Controls, there's a whole bunch of sets of controls. No matter which one you use, they all crosswalk, so there's similarities between all of them. Why? Because there are just best practices that we all say, these are things that you should definitely do. And then if you select controls from one of those organizations, a standard set of controls, you know that a bunch of really smart people got together and thought about a lot of things that you probably didn't think of. And so that helps you to say, okay, yes, here are standards for the way that our systems are going to be configured and maintained and accessed and authorized, our people are going to be maintained, screened, and authorized, and our physical environment is also going to be maintained and authorized, and how we're going to report on that on a regular basis. Every business should have a program like that, as otherwise it's going to be incomplete. There will be holes and gaps in it by nature, and it will be, in the end, more expensive to the business, because it's going to be fits and starts. It's not going to be consistent.

Nathan: Well, excellent. You gave us a ton of information here, kind of an overview. I'm sure there's a lot more to go over. So if somebody wanted to get in touch with you, what's the best way to find out more about how to implement this inside their business?

Leia: Okay, so if you love cyber security compliance programs, or you'd like to learn how to implement a cyber security compliance program for your company, please call me. And you can find me in a lot of places. First of all, if you Google this name, you will be able to find me, because, trust me, I'm everywhere. So if you try to Google and you don't know how to find me, then you probably don't have any business using the internet, and I have no idea how you found this podcast. But on LinkedIn my handle is Princess Leia, just like from Star Wars; that's actually who I was named after. Or you can just find me on here by linking in with me. I'm also on Signal, if you use the Signal app, Leia Shilobod. And you'll be able to find all my contact information on LinkedIn, including my email address and my cell phone number.

Nathan: Excellent. I hope that this was informative for everybody. It definitely seems overwhelming when you're getting into compliance, and there's just so many things, but an expert can walk you through the process and help your business make it simpler. It's not always easy, but definitely simpler, and you need an expert walking through it, and Leia is an expert in this field. So I appreciate your time today, and hopefully everybody got something out of this.

Leia: Oh, thanks. Thank you, Nathan.

Nathan: All right.

[Music]

2023-06-15 14:30
