Ooey Cooey

Episode 2 - How to Build a Trusted Cyber Compliance Ecosystem to Manage Cost and Risk

The Cyber Advisor Season 2 Episode 2


This episode is for informational purposes only and does not constitute legal advice.

In this episode, I break down why building a trusted ecosystem of vendors, consultants, peers, and industry voices is essential to managing both cost and risk in today’s regulatory environment.

I walk through how to properly vet each component of that ecosystem and what to look for, what to avoid, and where organizations consistently get it wrong. From evaluating vendor capabilities and consultant credentials to leveraging peer insights without falling into echo chambers, this episode focuses on practical, defensible decision-making.

The goal is not to outsource responsibility, but to build a network that strengthens your governance model, reduces unnecessary spend, and positions your organization for sustainable compliance.

If you are trying to navigate CMMC, NIST 800-171, or broader regulatory expectations without overspending, this episode provides a structured approach to doing it right.

The NICE Cyber Workforce Framework can be found here: https://niccs.cisa.gov/tools/nice-framework

Speaker

Hello and welcome back to Ooey Cooey. I am Leslie Weinstein. Today I want to talk to you a little bit about building a trusted ecosystem and why it is essential to establishing and maintaining a low-cost yet effective compliance program. Before jumping into what a trusted ecosystem is and how to develop one, I want to give you a little bit more information about my background because at the end of this, I hope that you will include me as part of your trusted ecosystem. I joined the Army right after college. In fact, I missed my college graduation because I was in Intel school. Over the last 20 years since joining the Army, I have spent time as a personnel officer and I went to Afghanistan for a year where I served as the executive administrative assistant to the commanding general of the 101st Airborne Division. When I came home, I moved to the Fort Belvoir area where I served as a civilian within the Military Intelligence Readiness Command, the MIRC. As an Army officer, I've been assigned to the Army CIO, as well as spent some time on active duty orders in the Army G3 in Demo Cyber in the bowels of the Pentagon. I've also been deployed in support of U.S. Cyber Command operations, as well as to the Defense Intelligence Agency as a declassification officer. Now you may think that spending two years as a declassification officer is somewhat unrelated to a podcast about cyber and CUI, but actually my time at the Defense Intelligence Agency gave me a lot of the skills that I use today. When I help companies identify CUI in documentation and in files, I know how to do that because my main job was to identify classified information within a document and redact it. And then to identify the controlled but unclassified information and redact that in public versions of the document, but to leave it unredacted when creating classified versions of those documents, but just bringing the classification down from a high level down to a lower level.
So being able to distinguish very particularly and specifically between something that is CUI and secret and top secret is something that I have done for a living as a full-time job. And now it's a skill that I bring to my clients. And shortly after my time at DIA, I like to say I was hoodwinked into cyber, both on the military side and also on the civilian side. As a civilian, I've spent time as contract support to DOD CIO as well as OUSD(A&S), which is the Office of the Under Secretary of Defense for Acquisition and Sustainment. OUSD(A&S) and DOD CIO are the two DOD offices where the CMMC has lived at one point or another. In addition to my government background and my experience with identifying ownership equities within information, I graduated from law school earlier this year. Yay! I also have an MBA from Cornell University, so I understand how business works and how compliance works and how it should all work together. And I also have a master's degree in strategic intelligence from the National Intelligence University. My master's degree in strategic intelligence does nothing to bolster my credentials here. I just think it was a really fun experience and I wanted to throw that out there. All right, so let's get started about trusted ecosystems. A trusted ecosystem is your curated network of vetted subject matter experts and service providers and tool providers that your organization deliberately relies upon to design, implement, and sustain your compliance program. And this ecosystem does include, but doesn't only have to include, people that you pay to be in your ecosystem. The people that you pay to be in your ecosystem are things like your vendors, your tool and service providers, maybe your MSSP, as well as consultants, your subject matter experts that you rely on for specific guidance, but maybe they also help you design and implement your entire cybersecurity program.
And almost as important as the people that you pay within your ecosystem are the ones that you don't pay. The ones that you don't pay are your friends, your peers in your industry that are facing similar challenges as you, as well as the influencers in this space. While I would never voluntarily call myself an influencer, I must recognize that I am, in fact, making a podcast with views and opinions on cybersecurity governance. And as a reminder, while I have gone to law school, this is not legal advice and you should never take legal advice from a podcast. The first reason why you should build your own trusted ecosystem is regulatory alignment and consistency. Alignment and consistency when seeking new guidance for new challenges is absolutely essential to keeping your costs low because you want to ensure new solutions for new problems do not conflict with solutions for prior problems that you have solved. The second reason you should build your own trusted ecosystem is for trust assurance and risk reduction. The best way to keep your risk low is to not introduce new risk. Every time you have to add someone into your ecosystem, you're inherently adding risk. So by establishing an ecosystem that you can turn to regularly, you're not going to introduce new risk unnecessarily. The third reason is cost control and efficiency. And these two things relate back to the regulatory alignment and consistency. If your solutions and your guidance that you're receiving are consistent and they align with regulatory requirements, you're automatically going to build in some of that cost mitigation and efficiency because all of the advice and guidance will be moving you towards the same goal. And the last reason I would implore you to build a trusted ecosystem is because of the quicker response time. For example, I have a group chat of people that I hold within my trusted ecosystem. We've been messaging, if not daily, at least regularly for the last five years. 
They all know, and I know, if we pose a question to this group chat, that there will most likely be an answer or a response from somebody by the end of the day. That being said, you can't let just anybody into your trusted ecosystem. I'm going to give you some tips for vetting each part of this ecosystem. And the cool thing is, once you vet one part of your ecosystem, you can use that vetted part to help you vet other parts of your ecosystem. The first group within this ecosystem I'm going to talk about are vendors. And I want to be sure to distinguish my advice for how to vet vendors when it comes to getting advice versus vetting vendors for solutions and tools and due diligence before you sign contracts. You may have a vendor within your company that you didn't sign and you didn't pick, but they exist in your ecosystem and now they are saying things. And you want to make sure that you vet that advice and that vendor differently because purchasing a solution to achieve some control objectives is far different than listening to somebody provide advice and guidance on how to solve future problems. But if you don't have a vendor to ask at all, it is okay to ask your peers and your friends, people in your ecosystem that exist already. Maybe they are not in your cybersecurity compliance ecosystem. But as long as they are similarly situated companies facing similar challenges, asking for a reference for a vendor is the right thing to do. They may have experiences and face the same challenges and have solved them successfully. Asking them how they solved it and with which vendor is appropriate. But just make sure that the people that you're asking for references are in fact similarly situated. And by similarly situated, I mean they have a similar complexity when it comes to their environment. 
You wouldn't ask a large enterprise consulting firm for advice on a vendor if you are a small machine shop with one endpoint that can access the internet and you're going to be printing out hard documents to carry around a shop floor, for example. And once you find a vendor or if you already have a vendor, just realize that the vendor exists to sell you solutions. I personally would not approach a vendor to ask questions and also procure solutions at the same time. I would approach a vendor with a solution in mind that I think I already need based on advice and guidance from other people in my ecosystem. And then once I procure those services or tools and put them within my environment, at that point, that vendor becomes a little bit more trusted because they've already sold you their bill of goods and you're just seeking advice for how to configure it or how to get the most out of your product, but you're not asking them if you should or should not buy their product. Of course, they're going to tell you that you should be buying their product. Which brings me to my next group within this ecosystem, which are consultants. Consultants directly influence how your compliance program is designed, how it's implemented, and how it's represented to regulators and assessors. Poorly qualified consultants can introduce incorrect interpretations of requirements, which can expose the company to audit failures, contractual liabilities, and can even create exposure for False Claims Act cases. And consultants, just like vendors, exist to sell their services, but unlike vendors, they don't usually have a tool to sell you. So one thing you should ask a consultant that you have not worked with before is if they have any referral agreements with any companies that they are offering to refer you to for any services that they recommend in order to obtain compliance. Now, the existence of a referral agreement between a consultant and a service provider is not automatically a bad thing.
It's just something that should cause you to dig a little bit deeper to get underneath what exactly the consultant is telling you that you need. You may consider seeking additional advice from somebody who is outside of that relationship because you know that this consultant is going to make money by referring you to this other service provider. You just want to make sure that the recommendation from the consultant is genuine and that the referral is going to get you the level of compliance that you know you need and believe that that tool is capable of providing. Before you get that far with the consultant, make sure that you are looking at the qualifications of these consultants before buying into their advice. When I say legitimate qualifications, I mean things like education and prior work experience. Where has this person worked before? Not just where they work now, but where have they worked in the past? Are there big name firms in their resume, or have they worked at small places? Have they worked in-house before? Or have they always been consultants on the outside? Does this person have government experience? Do they have cybersecurity experience? Do they have assessment experience? All of these things should be taken holistically. There's not any one dispositive qualification that would mean that somebody is qualified 100% of the time. But look at their entire background and also consider professional licenses, things like certified public accountant or an attorney. Those types of licensures are incredibly important to the person who holds them. And if they were to lose those licenses by engaging in bad business practices, they would lose their livelihood. CPAs and attorneys both have codes of ethics, and violating those ethics can lead to disciplinary actions, which means two things for you as a client. 
The first thing being these professionals are not likely to engage in activities that they believe could lead to their disbarment or to losing their credentials. And the second one being the level of accountability that these professionals have that is available to you as well. As a client, you are able to make complaints to these professional licensure bodies. And these bodies will take your complaints and will investigate on their own, which is what makes a professional license distinctly different from a certification. And certifications are things like a CISSP or a Security+. Those are things that anybody from any educational background can study for and go take a test and obtain. For more information about which certifications are applicable to which cybersecurity work roles, you should check out the National Initiative for Cybersecurity Careers and Studies. There you will find the NICE Cyber Workforce Framework. There is a DOD Cyber Workforce Framework, which is based on the NICE framework, but it's a little bit different for DoD's needs. Both the DCWF and the NICE Cyber Workforce Framework, or the NICE framework, will help you identify the various cyber work roles as well as how to ensure that your cyber professionals are qualified to fill those work roles and which certifications are applicable to each of those work roles. You can use this framework to help vet any consultants or professionals or SMEs that you are considering hiring or bringing into your ecosystem. But circling back to what I said earlier about evaluating someone's credentials holistically, having a certification is not a hard and fast rule that indicates that somebody is qualified for any position whatsoever. And similarly, having a badge from the Cyber AB does not make one more qualified than other people with similar education and experiences.
The only time that you must hire a company that has a Cyber AB badge is when you are hiring a C3PAO to conduct an assessment for record that the DOD will accept. Otherwise, you are free to choose any consultant or implementing company that you would like. All of the necessary information that the Cyber AB training provides can be found online for free on the NIST website. NIST 800-171 is the framework upon which the CMMC is built. Anything relating to assessing controls or implementing controls all relates back to NIST 800-171. There is an assessment guide for NIST 800-171 called NIST 800-171A. It is also freely available. And NIST provides a wealth of information on their website to fully educate and inform any consultant or any person who wants more information. The Cyber AB is not the gatekeeper to this information. The presence of a Cyber AB badge does not grant any additional knowledge that is not already out there in the ecosystem. And it might be good to know that anyone who has an RP badge from the Cyber AB has paid $600 to apply and it has a $500 annual renewal fee per person. And per company, it's $6,000 to apply for the first time and then $5,000 annually, which means those companies who obtain those badges for their individuals and for their company are paying these fees every year, and they must somehow recoup those costs through passing them down to their clients. Moving on to the part of the ecosystem that you don't have to pay for. And those are the compliance influencers as well as your friends and your peers. A compliance influencer, they often call themselves evangelists. These are people who promote awareness or who provide interpretation or adoption guidance for regulatory frameworks through posting content on social media, through their speaking engagements, and through their community engagement when they go to conferences.
While they can be an incredibly valuable source of information and provide some level of education and trend visibility, just be aware that these people do not have any accountability when it comes to implementing the guidance that they are touting. It is also important to consider who they work for. If they are a mouthpiece for a vendor, keep in mind that they have a vested interest in selling their company's solutions. If they're a consultant, they have a vested interest in spurring you into action. Consider the tone that they are giving. Is there fear and urgency in their voice? Ask yourself why. These are things you should consider when you're listening to the message being provided before you jump into action or spin out of control based on the content of their messages. And don't forget, you should treat their guidance as informational only and not authoritative. Validate what they are saying against what you know using original sources, just like you would validate the credentials of any consultant or vendor that you're thinking about bringing into your ecosystem. You should similarly verify the credentials and education and professional background of these compliance influencers. And don't forget that their number of followers does not create or establish any sort of credential. That is just the number of people who enjoy listening to them on social media. And I want to wrap up by talking about our friends and our peers. Friends and industry peers can provide practical insights, they can share their experiences with you, and provide informal benchmarking across similar compliance challenges. However, keep in mind that their environments and their risk tolerance and their contractual obligations and their system architectures may often be really different than yours. And as a result, solutions that have worked for them may not translate into a solution for your organization. 
When engaging your friends and peers in conversation about compliance challenges, ask targeted questions with a specific scope and/or a specific outcome in mind. You're much more likely to get a helpful answer if your friend understands the exact nuance of your question and the question is small enough that they can answer it in their free time. If your friends or peers are able to provide answers to your questions, make sure that you are validating their recommendations independently. And if your friend is unable to provide an answer for you, but you later get an answer elsewhere, be sure to contribute back to the ecosystem and follow up with that original friend and let them know the answer that you got. Contributing to the ecosystem is incredibly important and the ecosystem only works when we all contribute. My dad always told me it's not what you know, it's who you know. So be sure to vet, validate, and verify anybody that you let into your trusted ecosystem. Never skip your due diligence, never assume credentials equal competence, and never ever outsource your decision making. If I'm not already part of your trusted ecosystem and you liked this episode, please connect with me on LinkedIn, follow this podcast for future episodes, and don't forget: never say cooey, because that would be ooey.
