Cyberattacks are becoming more and more common, especially since the massive digital transformation caused companies to have more vulnerabilities.
Cyberspace is filled with felons that are trying to exploit enterprises of any size, and it’s only a matter of time when one encounters a threat. Whether it’s a data breach, ransomware, or any other attack – not preparing to respond to them can have major financial or reputational consequences.
Some of the measures to take is ensuring compliance. For this reason, we invited Brad Thies, the Founder and President of BARR Advisory – a company that specializes in cloud-based security and compliance consulting services.
How did the idea of BARR Advisory come about? What has your journey been like since?
I started BARR Advisory to remove the security and compliance barrier for mission-driven companies. A decade ago, when the cloud was still emerging technology, there was misalignment with traditional audit methodologies with the lack of leveraging security automating tooling for assessments in the cloud. There was an opportunity to help startup cloud service providers tackle the cybersecurity and compliance issues they faced. With broader cloud adoption today, the journey has taken us to cloud service providers of all sizes – from innovative startups to world-class enterprises.
Can you introduce us to what you do? What challenges do you help navigate?
BARR Advisory specializes in cybersecurity and compliance for SaaS providers and enterprises with high-value information operating in cloud environments like AWS, Microsoft Azure, and Google Cloud. We do this through two main buckets – our attestation services and our virtual CISO (vCISO) practice. Not only do we help clients provide assurance through audits, such as SOC 2, ISO 27001, NIST CSF, HIPAA, HITRUST, and others, we also have the unique perspective of rolling up our sleeves and building security programs ourselves through our vCISO services. By providing unparalleled service, following the data, and focusing on security first, we help our clients navigate the threat landscape by taking a comprehensive approach to cybersecurity and compliance. Our mission is to create a more secure world, one enterprise at a time.
What issues can an organization run into if it doesn’t have appropriate compliance certifications in place?
Compliance is a mechanism to communicate your security posture for others to understand – it means speaking the same language to internal and external stakeholders. While compliance does not always equal security, organizations should think of compliance as a way to inform necessary parties of the security controls they have in place. For a lot of clients just beginning their security and compliance journey, it can seem overwhelming to receive a security questionnaire with a litany of compliance requirements. Without the compliance standards for your organization in place, it can be difficult or impossible to respond to these questionnaires and demonstrate your security posture to potential clients, partners, and vendors, making it challenging to build trust in important business relationships and potentially leading to a loss of business. To avoid feeling overwhelmed, organizations early in their compliance journey should choose one framework based on their business and stick to it rather than focusing on every possible compliance standard they could possibly meet.
In light of the current global events, are there any new threats that you think businesses should be on the lookout for?
With geopolitical tensions on the rise, this is the time for businesses to increase their overall cyber vigilance. Following the news of Russia’s invasion of Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) stated that while there are no new or specific cyber threats to the US currently, every organization regardless of size should prepare to respond to cyberattacks and disruptions.
For many of our niche clients in the cloud ecosystem, new threats emerge from dependency on cloud products. From our perspective, the biggest threat is not just third-party risk, but a lack of governance and accountability within an organization. You can delegate everything except for accountability – as tempting as it may be to offload the responsibility of security onto a partner or vendor, organizations can prepare for the increased risk of cyber threat by delegating ownership of security within their organization.
What are the benefits of customized cybersecurity systems? Do you think it is something businesses of all sizes should invest in or is it only relevant for large enterprises?
A security and compliance program that fits the needs of your organization does not necessarily need to be complex and expensive – it can continue to mature alongside your company through every stage of the business lifecycle.
For the startup, this often looks like choosing one compliance standard that makes sense for your organization to adhere to and sticking with it. For example, the CIS Benchmarks could be a great start for an organization that needs something prescriptive for their technology stack. As for security processes at this stage, a few simple processes can make a big difference. Obtaining a reliable vulnerability scan at this stage is a simple and affordable way to gain visibility into your network and systems until your environment is ready for a more robust vulnerability assessment.
For a small to medium-sized business, they may create clear positions dedicated to security and begin thinking about how their security and compliance practices align with the external parties they’re doing business with. As for security processes, this is the time to begin taking a step further. For example, after obtaining vulnerability scans as a startup, they may choose to partner with a penetration tester or get a vulnerability assessment to improve upon their findings.
At the enterprise level organization, security and compliance is now a major component of their business. Each process has continued to walk the maturity line. They have compliance officers that ensure the organization communicates their security posture effectively and building upon the vulnerability example, they may now choose to conduct red and blue team exercises or a bug bounty program.
In your opinion, why do certain companies still fail to recognize the necessity of regular audits and tests?
Companies may fail to recognize the necessity of regular audits and tests because they view compliance as a checkbox exercise – something to do once and forget about. Ideally, companies need to recognize that regular audits and tests are a starting point for their security journey. There needs to be a delicate balance between compliance and security – in organizations where compliance is thought of as only a checkbox exercise, it’s incredibly difficult to achieve a real, sustainable security program. Real security requires not only the ability to address the risks and threats to an organization’s systems, it also involves communicating internally and consistently reviewing security posture, which makes compliance a good starting point.
Additionally, what would you consider to be the worst cybersecurity habits that are widely prominent nowadays?
One common habit is when an organization tries to entirely outsource the responsibility of security to vendors or third parties rather than taking responsibility for it themselves. While organizations can and should delegate security tasks to tools, someone in the company needs to take accountability for security as a whole.
For startups and small businesses, it’s easy to become quickly overwhelmed with the number of frameworks out there. For these companies, it’s important to understand how to prioritize and build a project roadmap for proper threat modeling. It’s become an unfortunate habit to “boil the ocean” – focusing on everything at once instead of focusing on priorities.
Another far too common phenomenon in many organizations today is living in fear of noncompliance with the assumption that compliance is the endgame, rather than security being the ultimate goal. This has caused problematic patterns throughout the security industry, with organizations sweeping security issues under the rug to avoid reputational damage rather than being transparent. Focusing on what could go wrong with noncompliance rather than focusing on what could go right with transparency holds us back as an industry.
Lastly, the cybersecurity industry has unfortunately developed a poor approach to communication, particularly with business leaders. When a security professional approaches leadership with fear-mongering, “sky is falling” language, it gives security a bad reputation. Communicating clearly in business terms why there’s an issue and what needs to be done to remediate it is far more effective.
Talking about personal cybersecurity, what safety measures do you think everyone should incorporate into their daily lives?
When we talk about cybersecurity on the enterprise level, it’s easy to lose sight of security as a truly human issue. Cybersecurity matters because real people are affected when there’s a breach. On the individual level, there are a few basic actions everyone can take to protect themselves and their data. For starters, implementing multi-factor authentication (MFA) on your accounts wherever possible has been proven to be more effective than not using it. Using password managers can help with managing complex and unique passwords for different accounts. Updating software and devices regularly, particularly when patches are necessary, can prevent individuals from being affected by vulnerabilities. Finally, making smart decisions about online behavior, such as not using public Wi-Fi to access sensitive information or accounts and setting your social media accounts private, can mitigate potential risks. These small actions are simple to incorporate into daily life and can make a huge difference for an individual’s security and privacy.
Would you like to share what’s next for BARR Advisory?
We anticipate the continued demand for cybersecurity and compliance services, but our ultimate vision is a fully automated future. Outdated assessments and manual audit techniques take countless hours today, and while these hours achieve compliance, they distract us from focusing on the ultimate goal – security and resilience to evolving threats and business needs. Compliance is important for creating a way to communicate external standards, but if we put the majority of our resources towards compliance, we’re less capable of preparing for evolving threat models that compliance and regulations cannot protect us from. Our goal is to automate close to 100 percent of primary compliance reporting (including SOC, ISO, and NIST) so that we can spend more resources implementing true security strategy.
Looking ahead, we also hope to minimize the barriers to entry in the cybersecurity industry. Cybersecurity, at its core, is a human issue – and to further build our platform, we intend to cast a wider net for pulling in new talent. Too often, cybersecurity job postings require years of experience, a number of certifications, and specialized training all for an entry-level role, intimidating potential candidates. We’re on a mission to change that by collaborating with partners and taking on industry apprentices to fill a more robust pipeline of cybersecurity talent.