Silent Storm Security
June 24, 2019 Issue
CEOCFO MAGAZINE
Silent Storm Security is focused on Simplifying and taking the Stress out of Cyber Security, HIPAA and PCI-DSS Audits
Interview with: Founding Partners
Silent Storm Security
Contact:
800-668-1419
spierangelo@silentstormsecurity.com
800-668-1419
aabarca@silentstormsecurity.com
Mr. Pierangelo: We aim to make the whole cyber security auditing/consulting process as simple as possible. People can go anywhere for a cyber security audit or a compliance audit for HIPAA, PCI-DSS and so on. We really do enjoy working with our clients. I have heard too many horror stories, as has Ron, of clients who have had auditors who were bossy and demanding, as well as asking for things that were not required.
Essentially, we understand that auditing is not a fun process to go through for anybody, regardless of the audit framework. Therefore, we aim to go in and work with our clients with a team mentality. We are not “higher than” because we are the auditors. We are on the same level and we want to work together to accomplish the same goal, and that is to get our clients to a compliant state with as little stress as possible.
CEOCFO: Did you recognize, from day one, that was how you should be engaging with your clients or was it over time that you realized this is the best approach?
Mr. Abarca: It was an “over time” process from all the years of experience that we have had in the industry. You take the best methods and ideas and all of the feedback that you get from all the people that you work with and develop the simplest and best approach. Ultimately, we remove the needless noise and we listen to what the client actually requires. We provide that as simplistically and quickly as possible.

CEOCFO: Would you give us an example of how you work with a client and where the simplification might come in, how that works out on a day-to-day or an engagement-by-engagement basis?

Mr. Pierangelo: In regards to simplicity, I have personally worked at various firms, that will remain nameless, and much of the time they will convolute the process and say, “You need all these different stages and you need to have all these PowerPoints describing processes to go through.” At the end of the day, anything in this world could really be broken down very simply. Issues only start coming up when the process becomes overly complicated. Therefore, we remove all of the bells and whistles and don’t say, “You need to purchase this and purchase this in order to get compliant.” We just get straight down to, “Here is the list of things that we need and here is the area where you can provide the evidence, and if there are any questions, we will let you know.” At the end of the day, that is really what auditing is all about. We do not pad our bill, and have very competitive prices. We are not looking to find areas to overcharge and putting it under the guise of bells and whistles of “this is a multiphase approach” and “we are going to have to do all these meetings and PowerPoint presentations.” At the end of the day, it is really not too difficult. It is essentially, “Hey, here is what we are looking for, can you provide the evidence.” That is it at its most basic element, and what we really try to stick to.
CEOCFO: Are clients turning to you because they understand that you have this approach or are they often surprised to find out that you can really ease the pain of the process for them?

Mr. Abarca: That is a really good question. When they approach us, I think very quickly in terms of the relationship that we would like to establish with them. They soon realize that this relationship is going to make things move forward rapidly. We make the whole environment very amicable. We keep it very professional, but it also becomes a sort of business friendship, that even after we are done with the engagement we still touch base with the clients to see how things are going. Therefore, we work towards establishing long term relationships.
Mr. Pierangelo: Absolutely, Ron! One hundred percent on that! We have had experiences over the years with clients who said they enjoyed working with us. However, then there are also clients who have never worked with us before and we find that very quickly they start to see that we have a good collaborative and team mentality as opposed to what I had mentioned before. This is why many companies get frustrated with audits. That is because the auditor comes in and is demanding in a negative way asking at times for too much and is not willing to work with the client’s IT team. We don’t act as if ours is the only opinion that matters. Moreover, we want the client’s opinion and input. Ron and I actually talk with our clients and say, “You work with a particular firewall every day; how do you feel it meets the intent of this particular audit control.” Many times there is an element of shock from the client as they are so used to people sometimes pretending that they know what they are talking about and they will throw out all of these requests to kind of mask the fact that they are not willing to say, “I do not necessarily know too much about this particular vendor or this firewall, can you tell us about it” and they seem to really appreciate that. Now, we obviously do our due diligence afterward based on what they say, but that goes back to what we were saying. We really try to incorporate the client and whoever is on their side of the audit team. We want them to be engaged in the process and work together.
CEOCFO: Who is turning to you for services, what types of organizations, and what type of compliance are they looking for?

Mr. Pierangelo: We have everything from startups to a large internet service provider as one of our biggest clients. Another one is pretty big in the medical billing industry. Over the course of both of our careers, we have experienced a wide variety of different clients. At this point, we can apply our knowledge and experience to any company that needs cybersecurity services. There is really nothing at this point that we cannot handle. Essentially we want to make sure our clients are secure. There are many clients who might say, “We are just trying to check the box.” We will obviously work with them, but our ideal clients are the ones that say, “We understand we have to get to a compliant stance, but we may want to go above and beyond.” That is where Ron and I feel our biggest value is added to any engagement.
CEOCFO: Is there much change in the regulations - are they changing often or are they pretty stable? Do you know when they are going to change?

Mr. Pierangelo: With PCI-DSS audits, the nice thing is that when you are a QSA firm, you are obviously kept in the loop about all upcoming changes. The PCI Council does a great job of giving all firms and assessors a good amount of advance notice of the changes that will be coming to the PCI-DSS (Payment Card Industry Data Security Standard) framework. As a result, you usually have at least a year. There is a three-year cycle that goes on where they start these requests for possible changes and so on and so forth, in between each version change. In between, they do some incremental changes, but they will at least send out well in advance notices of these changes. They will say, “Six months from now or a year from now, here are the incremental changes you are going to see.” Additionally, at least in the case of PCI-DSS, there is not really too much that has to be changed. There are no drastic changes, even with new versions. It is still relatively the same concepts, making sure your passwords are meeting a certain complexity length and your physical security meets certain standards, your policies have at least these statements in them, etc. However, as far as every other audit framework out there, Ron and I are very good at staying up to date with what is going on. We are constantly reading our newsfeed on a daily basis and really seeing what we have to be looking out for as it relates to what might affect our clients.
CEOCFO: What goes into crafting the best solution for a client if they need to update or upgrade? What goes into the mix that less experienced people would not realize is important?

Mr. Abarca: I think at first it would be just to do a risk assessment and see what kind of compliance requirements their business processes may have. Once you have that in place, you have a better idea of the scope of the requirements that they may need. Then it is just a matter of seeing what kind of control framework they may need, and the first step would be to see what kind of government regulations might be affected with the type of work they do.
Mr. Pierangelo: Absolutely. To add to that, there are many firms out there that will basically try to sell as many additional services as a part of the audit. Sometimes those services are not necessarily what is needed or there might be a free solution out there. While Ron and I are definitely in the business of wanting to make money, we would like to earn that trust with our clients and to basically say, “We are only here to tell you what you really need and if there is a free solution we will help you find it, and implement it, to get compliant.” Then we say, “However, if there is no free option available, we happen to work with partners in the industry who can help with those control(s)”. However, we implore them to shop around, and if they want we could offer that service. We are not pushy in that regard. It is also a matter of the same sort of concept, and that is we only really make sure that the client gets what they need. That is what Ron alluded to with the risk assessment. We say, “What are the areas that we really need to focus on to get you to where you need to be,” and not just throwing stuff into the statement of work or into the billable hours that just pad it. We are just about keeping it cost-effective, simple, and ultimately “What do you need to get to get you where you should be.”
Mr. Abarca: Absolutely, and just keep that transparency so that you know when you sign the statement of work, it is what we tell you we will do and that you are not getting any surprises, not getting any hidden fees or any extra things that you didn’t know about. We go in very clearly.
CEOCFO: Are there some areas of compliance and security that your clients tend to overlook or not see as necessary, or you cannot really make the case for it even though you know these things should be in place? Are there some common areas that people do not recognize as important?

Mr. Pierangelo: That is a very good question. If they want to get compliant they certainly do have to have the control(s) in place. Obviously, certain clients, over the years, may be resistant to making certain changes. A big issue I’ve observed is when clients have someone who leaves the company and this person, let us say, was running their vulnerability management program. Then when their next assessment comes up they have a gap because the person who left was running all the scans. However, they did not have a process in place to make sure that when someone leaves and a new employee takes over, at least they let them know where the scans are. We have had clients that switched over to us and found that to be the situation. However, the remediation projects we offered helped get them to where they had to be. However, to answer your question, I think that any client is going to be resistant or kind of hesitant when it comes to anything of monetary value. Therefore, if we went in and told a client, “You need to install this fifty thousand dollar firewall,” we are going to expect some sort of pushback. However, that is not what we do at all. That is why it goes back to what I was saying before. We really try to find, first, if the solution is ‘A, required’. Then if that is the case then we go on to B and say, “Is there a free solution that will not hit the company’s wallet?” Then if there is not, then we say, “Okay, here is what you need to get. We could assist you with it, but we implore you to do your own due diligence searching for a solution first.”
Mr. Abarca: It also affects the maturity level of their security program. Some clients that we have, in terms of PCI, they might go above and beyond any single requirement. It depends on the maturity of the security program. Then obviously, as they are more mature they will have more stability to offer more security changes, more layers. Therefore, the areas that maybe they overlooked are really minimal, even to a point that might be nonexistent.

CEOCFO: Are insurance companies making mandatory requirements regarding compliance over and above what the government requires?

Mr. Pierangelo: That is a very good question because that is a topic that comes up in many of the security meetings that we both attend in regards to what is going on in the industry. Certainly, cybersecurity insurance is a very hot topic right now. It is getting to the point where many people in the industry are starting to say, “If you are going to get some insurance policy the insurance should mandate that you are at least meeting a baseline of security.” If you want to get car insurance, the insurance company may say, “We will insure you, but we want to make sure that your car is inspected, that you are meeting a minimum amount of security in the car, etc.” Obviously, most modern cars are good under government regulations, but to transfer over the analogy would be the same with, “I am a cybersecurity insurance company, you want me to insure your Fortune 500 company, so I want to see that you have at least passed a NIST audit or some baseline at least, which would need to be completed to meet the insurance requirements.” As of right now there really isn’t too much going on in that regard. Therefore, insurance companies are putting out these policies and basically having to insure these companies without some sort of baseline of what should be required. That would be beneficial because many companies use insurance policies as a “get out of jail free” card, but without actually doing the cyber security component of it. I think it would solve two major issues. Yes, the insurance is certainly great to assist with business continuity and disaster recovery, but let us get you to that baseline of security so you do not even have to get to that point.
CEOCFO: How do you reach out for new business?

Mr. Abarca: We do a combination of networking events and word of mouth, which is pretty effective in the security industry. It is basically that we sell our product and we also sell ourselves. When you sign a contract with us you build a relationship with Scott and myself. We also go out into professional events, and we belong to a variety of organizations. One client will also lead to a referral, and then to another. Therefore, it kind of trickles down in a way.
Mr. Pierangelo: Just to add to that and to reiterate what Ron said, much of the time a company can go anywhere for an audit. Ultimately, the product at the end of the day is the report. There are many firms that can definitely provide audit services, but what companies are really getting when they work with us is a boutique firm. We have a very intimate relationship with our clients. Should they ever have an issue with anything, they call us and would speak directly with Ron and/or myself. If there is any issue in regards to something with an evidence collection request, they do not have to go through the sales manager and then wait a week or two to get a response and then finally get the auditor to assist with it. We are readily available for any problem that might arise. Companies have a great experience with us and then they go on to refer us to other firms. It is really kind of more referrals coming full circle. That is because, as I said, in this industry you can get an audit report done anywhere, but what you are really buying is the advantage of working with us. While we take our job seriously, we do try to make it as fun and engaging as possible.
CEOCFO: Did you expect to enjoy it so much? Did you recognize that aspect when you started Silent Storm Security?

Mr. Abarca: I have been in the information technology field for over fourteen years. I have always loved the challenge of always learning new things very quickly and I love my job. When I came across to the audit side, I kept on thinking about what it was going to be like. When I first got started with this a while ago, I said, “This is going to sound crazy, but I kind of really enjoy this, as I am reviewing evidence and reading documents and the whole aspect of it.” I was actually surprised that I was going to like it as much as I did! Therefore, I feel lucky to be able to like what I do and spend as many hours as possible doing it, as it just makes life so much easier for us and for our clients.
“We love what we do, and we both get a lot of enjoyment out of seeing the relief that we can provide our clients from the stress of getting audited. We go in and reassure them that, ‘This is rough, but we are going to work together. It will not be easy, but we are going to make it as simple as possible.’ It is a great feeling when they get their passing report and are very excited. That is what we aim to do over and over.” - Scott Pierangelo
Silent Storm Security
Contact:
R. Scott Pierangelo MSCS, PMP, CISSP, CISA, CISM, CRISC, CGEIT, QSA, PCIP
800-668-1419
spierangelo@silentstormsecurity.com

Ron Abarca BSISM, CISA
800-668-1419
aabarca@silentstormsecurity.com
ceocfointerviews.com does not purchase or make recommendations on stocks based on the interviews published.