Musings from the Cyber Trench
Compliance, GRC, cybersecurity maturity, audit readiness, AI, CMMC, and continuous security
Too many organizations still treat compliance as a one-time audit exercise: get the certification, satisfy the customer, and move on.
In this episode of Musings from the Cyber Trench, I sit down with Sarah Lynn, a seasoned IT, cybersecurity, GRC, advisory, and audit preparation leader, to discuss why that mindset breaks down fast.
We talk about what happens when compliance is treated as “paperwork,” where programs usually fail first, and why people, process, and technology all have to work together for compliance to become part of daily operations.
Sarah also shares practical insights on:
- Why undocumented processes are a major red flag
- How leaders can move from checklist compliance to security maturity
- Where organizations underinvest and overspend in compliance programs
- Why buying a tool before understanding the process usually backfires
- AI’s role in compliance, automation, meeting notes, artifact collection, and risk
- Why CMMC, SOC 2, ISO, FedRAMP, and other frameworks require continuous effort
- How trusted advisors and peer groups can help leaders avoid reinventing the wheel
The core message: compliance is not something you “get through.” Done right, it becomes a habit, a management discipline, and a foundation for stronger security.
Guest: Sarah Lynn brings 25+ years across IT, cybersecurity, GRC, audit readiness, risk, continuity, and technology operations, helping SaaS/IaaS-driven organizations turn compliance into practical, business-aligned security.
Responsible for ICAM, Zero Trust, or identity security in a federal agency, prime, or large regulated enterprise?
If you’re trying to move from strategy to execution, start with Zephon’s Zero Trust Readiness Assessment: zephon.tech/zt
Questions or guest ideas? Email defend@zephon.tech
When I grew up, that's how you might think about a marriage. You get married, you do it, you stay there forever. I know things are different. But compliance is like that, in that you have to be all in. And there's a little misconception, and I've seen it with a few companies, that they're gonna get something, give it to a client, knowing that it is a commitment for a long time, and not just today, not just the checkbox, not just a paper exercise. It's a lot of work.
SPEAKER_01: Hi everyone. Welcome to another episode of Musings from the Cyber Trench. Today we are going to talk about the mindset we have in our industry of compliance being just a checklist. We have to move compliance from a one-time snapshot or a one-time checklist to continuous security. And to help me answer that question, I have a very special guest. She has spent 25 years in IT, information security, GRC, advisory, and audit preparation across many verticals like banking and financial services, insurance, telecommunications, retail, and high tech. She has a remarkable amount of energy, critical thinking, and critical skills, as well as entrepreneurship that can lead any company and its staff to new, uncharted territories. Besides that, she has an extraordinary ability to lead teams in times of daily operations, growth, prosperity, and emergency. With that, please meet my guest today, Sarah Lynn. Welcome to Musings from the Cyber Trench, Sarah.
SPEAKER_04: Thank you, Bishop. I appreciate it.
SPEAKER_01: You are most welcome, and thank you for joining us. You have sat on boards, advised startups, and helped companies through various audits. What's the most dangerous misconception leaders still have about compliance today?
SPEAKER_04: Well, I think you kind of said it in the opening. There's a misconception by new startups, new companies, new leaders that compliance, and to some degree regulatory, is just a checkbox. It's either a one-and-done or it's a paper exercise, and that things either stay the same or that they're just there to show an auditor and we do something else. And the truth of the matter is, just like in real life, you can do the right thing and your company can prosper, or you can do the minimum and you get the minimum. And I'm always in the bucket with do the right thing. Does that make sense?
SPEAKER_01: It does, absolutely. So do it right the first time.
SPEAKER_04: Do it right the first time, that's right, and then continue to do that. And as we all know, everything becomes a habit within three weeks. So just do it for three weeks and then keep going, is what I like to say.
SPEAKER_01: I like that. I think somebody had used that phrase with me: how do you eat an elephant? One bite at a time.
SPEAKER_04: One bite at a time, that's exactly right.
SPEAKER_01: So when organizations treat compliance as a checkbox, where does it usually break first? Is it people, is it process, or is it technology?
SPEAKER_04: Well, I think it breaks pretty evenly, but the people drive everything, right? Let's say the leader leaves and everybody stops doing the things that the leader was having us do; then everything breaks when the leader leaves, moves, changes. If there's only one technology that we rely on and there's no backup solution, no process that could be done in a manual way, or no procedure that tells us what the technology should do for us so that we can fall back to it, and that breaks (and you see this in the business continuity scenarios), then of course the whole thing sometimes falls apart. And then the process is really what holds it together. People, process, technology: writing the process, doing the process, practicing the process. A lot of companies new to compliance and regulatory, or new startups, have procedures, or they think they have procedures, but it's in here. It's not written, it can't be followed, it can't be scenario tested, and that will ultimately fail if the person is missing, the process is misunderstood, or the technology is missing. It will ultimately fail.
SPEAKER_01: I have heard this said, you know: if it is in your head, it is not a process.
SPEAKER_04: Right. Absolutely. I say all the time, when people tell me we have a policy, I'll say, where is it? And they'll say, well, you know, we all know it. I'm like, well, then it's not a policy unless it's in writing and approved. It is your personal procedure or your team procedure, but it can't really be replicated if it's a policy without approval or a procedure without practice, and everyone knows it.
SPEAKER_01: Share with us one example of how you have convinced a company to put compliance into the process while making sure that it is still continuous.
SPEAKER_04: Well, I can tell you that a lot of companies do come to the table for a particular compliance certification, and they think they're going to get this to win this client, and then they don't have to worry about it anymore. But it is continuous. I like to say forever. I know everything is not forever; there is really nothing forever, but I like to say forever. This is a continuous process forever. Once you adopt, you have it throughout and you continue forever. And that's kind of how, when I grew up, you might think about a marriage. You get married, you do it, you stay there forever. I know things are different, but compliance is like that, in that you have to be all in. And there's a little misconception, and I've seen it with a few companies, that they're gonna get something, give it to a client, get a sale, and then they don't have to do it anymore, or they only have to show that one client that they did the thing. It's really not that way, and so it is important for us to get the type of compliance, certification, attestation, authorization that we need, that'll be best for the business, knowing that it is a commitment for a long time and not just today, not just the checkbox, not just a paper exercise. It's a lot of work.
SPEAKER_01: I'm going to borrow what you mentioned, you know, that compliance is like marriage. If you are getting into it, do your due diligence with the expectation that it will last a long time.
SPEAKER_04: The expectation that it'll last a long time and that it's a lot of work.
SPEAKER_01: Yes. Daily, yes, daily. So when compliance is not treated as a checklist, how do you see the organization change when there is that mindset shift? What changes do you see?
SPEAKER_04: At first there are small shifts in things that surprise you when you visit. If I visit a client on a quarterly basis, I'll see small shifts: I'll see more physical security, more awareness, more communication, maybe there are signs up about communication and reminding people to be aware or to report on things. At first, there's that. But ultimately, as you visit with the leaders, whether it's a security manager, an IT manager, a CIO, a CISO, a VP of security, a VP of IT, when you meet and visit these leaders, if the commitment is there, you will see them change. And what I mean by that is that they have questions for you about things that they have recognized in a small period of time. And for those of us that have been doing this for 25-plus years, it's part of our life. I can be at the grocery store and I'm paying attention to security, whether it's cybersecurity, physical security, being aware of my surroundings, and it's part of my life. And I do know lots of people that I've known for years, that have been through different facets of this process, that now it's part of their lives. And, you know, I like to call it being paid to be paranoid, but you do see it on leaders that it takes on a different life. And it's not what people externally might think, that a CISO is in their role just to acquire budget, people, and technology. No, we're in those roles to find the right thing for the business, and it might be a manual process; or to find the right tool, and it might already exist and we're not utilizing it; or to find the right people, and they might already exist and they might be underutilized somewhere else in the company. So that's the fun challenge and puzzle of it all: to put all the pieces together for the business, and as a leader, to be open and aware of things.
And you do see it on leaders as they change, you do see it on teams as they change, you do see it on companies as they change.
SPEAKER_01: So if I'm getting this right, they move away from being paranoid to being mindful, very mindful.
SPEAKER_04: Mindful, the same as you would be in your personal life if you bought a house, you put your family in it, and you were securing your family. You would try to have the best doors, the best alarm, the best security system. You would be aware when people are in the house, out of the house; you would be aware of the heat in the house, if the heat were doing things to the house or the people. You're very aware of what's going on in your domain. And when you're working in a company in this capacity, you become aware of what is going on in your domain.
SPEAKER_01: Let's shift gears a bit. You have owned a P&L, and compliance usually has a cost center narrative to it. How do you balance security investment with profitability?
SPEAKER_04: Well, you really have to be aware of the things that could cost you money, that are costing you money, and the way you could flip that upside down and make those same things make money. For example, if your company or firm is not in a security program or a compliance program of any sort, and things are happening: vulnerabilities are happening, or background checks aren't happening, or BYOD has no controls, or access has no controls, you're gonna be stumbling all the time over little problems or big problems. And those can cost you money every time you stumble on the little ones, and for certain when you stumble on the big ones, even out in the world, your reputation. But if you can flip that on its head and actually have your certification, attestation, authorization, do your internal audits, have the right people, processes, and technology, you can turn whatever those costs are, whether they're minimal or not, into a sales feature. Our company is 27001 certified, our company is SOC 2 attested. Our company is FedRAMP authorized, CMMC certified. Whatever the thing is, advertise it. Tell the world. Now, there are people who don't advertise it because they think that it attracts other people to do bad things. Let me tell you, other people are gonna be doing bad things all the time. So, yeah, you do the right thing and you make your company sellable because of the things that you've done that are the right thing.
SPEAKER_01: Well put. Yeah, the more you actually market it, the better value you gain out of that particular security investment.
SPEAKER_04: Absolutely.
SPEAKER_01: Sarah, what signals tell you that a company is underinvesting in compliance in a way that will hurt them in the long run?
SPEAKER_04: Well, there are many signals that let me know that they're underinvesting. First off, the people. If the people that they have have never done the jobs before, or they're not certified themselves, or they're not educated in this themselves, or they appear not to really be interested, that's a huge red flag for me that this might not go as well as the company believes. And this happens a lot in startups, because people get pushed into roles that they don't necessarily fit into, but they need to be filled for one reason or the other. So that's one thing. Second, processes: the processes aren't in place. As I mentioned before, people will talk about policy or process or procedure, but it's really not there. It's all up in here, and people say, I don't have time to document. When you don't have time to document, you don't intend to document. You intend to have easily changing things; you don't intend to have regimen. So that's, to me, a red flag. And then third is the technology. If the technology is old without upgrades, old with vulnerabilities, new with vulnerabilities; no one is managing the monthly, weekly vulnerabilities or the emergency Patch Tuesday that needs to happen. If no one's managing that, or the technology doesn't have a mitigating control... maybe, for goodness' sake, you're an agency and you're still attached to a mainframe somewhere that can't have the controls that people imagine. What are your mitigating controls? If you don't know what they are right off the top of your head, that's a red flag to me. When I get to the part about your piece of technology that might be older, if you can't articulate your mitigating control right out of the gate, knowing that I'm going to ask about it, that's a red flag to me, because you're just trying to hide that thing in the closet. And that's just not transparency; it's not good.
So it's the people, the process, and technology again; they all have their own red flag if they're not up to par in some way, or if they don't have a way to become up to par or a mitigating control. If there's no plan, no roadmap for success in any one of those three areas, those are signals.
SPEAKER_01: So the lack of a concrete plan, something documented in any of those three areas, is the biggest signal to you.
SPEAKER_04: Absolutely. Absolutely. I think 15 years ago someone told me the most compliant businesses, of course, are those that are in cement underground, not accessible. Well, that is true, but how valuable is that gonna be? But the second most that I heard was the small company that has three laptops and the internet and they don't have anything else. Well, that's true, but that doesn't mean that they're compliant just like that.
SPEAKER_02: Yeah.
SPEAKER_04: There are still people, process, and some technology, even if it's your laptop and the software platform that you work on. Those technologies are in place. So it's still the same, no matter whether you're a three-person company or a 300,000-person company.
SPEAKER_01: Well, you cannot have a podcast or any kind of technical interview without mentioning AI. So I'm gonna do the same thing. Yeah, for sure. How has AI been a blessing or a concern in terms of meeting compliance?
SPEAKER_04: Well, I have different views than a lot of other people, but I know it has been a blessing in that there are some tasks, like meeting notes and collection of artifacts, that can be done in an AI fashion or an automated fashion. Automation, by the way, has been here for 50-plus years. It's not new, it's just implemented, and it's different from what AI is. But the unchecked piece is what AI does. What AI do you have that you don't know about, the shadow AI? And what AI do you have that is not configured the way you think it is, or that you haven't checked? That you had your IT department configure, or a third party configure, and it is connected to unknown data sources. And if you do AI certification for ISO 42001, you'll know that you have to do an AI inventory, and that is not the same as all your other inventory of your laptops and your desktops and your hardware. You're doing an AI inventory. To date, I have not met one client that had a solid AI inventory, because it's so new and they didn't know to inventory it. And by the way, when they start the inventory, they discover all sorts of shadow AI. Let's just say that you didn't know that someone turned on AI in Salesforce. You didn't know that someone turned on AI in ServiceNow. You didn't know that someone turned on AI for all your Oracle products. If you don't know, where is it storing its data? Where is it getting its source? And how much are you relying on that now for decisions that need to be justified as true decisions? Everything that AI tells you, just the same as everything you Google or everything you look up on Wikipedia, is not true.
SPEAKER_02: Yes.
SPEAKER_04: So we have to be diligent; we have to be smart about it. And AI is not meant to replace the workforce. AI is meant to elevate the human to another level of decision making. So be that human that gets elevated.
SPEAKER_01: Hey, quick context for listeners so you know where I'm coming from. My day job is running Zephon, where we've helped federal agencies and large enterprises fix broken zero trust and ICAM programs. In about 90 days, you get a clear baseline, a strength and risk gap analysis, a 12-to-18-month roadmap, and an exec-ready deck, plus a platform to track your progress over the years. That real-world work is what shapes the questions I ask on this show. Alright, back to the discussion. You mentioned Salesforce and ServiceNow, and I'm sure there is a reason you mentioned those. We all know the news; we follow the news. Do you think we are still lacking in terms of having a compliance framework for these service providers who are providing us service and just adding the AI features on top of it without doing the due diligence?
SPEAKER_04: Yes and no. I think that the compliance frameworks and guidance that are coming out from ISO, NIST, and a couple of other people in the world that are working on AI frameworks globally, they are necessary. They are truly necessary.
SPEAKER_03: Yeah.
SPEAKER_04: To be able just to say that I'm taking this AI thing, let's say Copilot or Gemini, and I'm just tossing it into my ISO certification, or I'm just tossing this into my other attestation, it's just an application... It's not just an application; it has a lot of tentacles and does a lot of things. So the frameworks that we're seeing and the guidance we're seeing, yes, they are built for people who haven't had other certifications and they had to have the foundation. And then there's 90 controls, 100 controls, a thousand controls, thousands of controls, times every place that AI might be in use, times checking to make sure that it's not shadow AI in use somewhere you don't know about. I think that the AI assessments alone, to uncover what you can't know you don't know, I think those are about 10 times larger than anybody thinks they are. But there is always a good start, and the good start is to acknowledge that we should do an assessment against AI and find all the AI, find the configurations, find the sources, and find out if they are what we expect and want.
SPEAKER_01: So we talked about underinvesting in compliance. Where do you see organizations overspending, or putting money in the wrong places, when it comes to compliance?
SPEAKER_04: Really, if you don't understand the process, it's the wrong time to buy the tool.
SPEAKER_02: Yes.
SPEAKER_04: If you have one or two people that understand the process, you document the process; maybe you make a workflow. I'm a big whiteboard girl; I just put things on whiteboards and start going on the whiteboard. If you understand that, you will start to get your requirements for your tool. And if, for example, you have five tools, no matter whether they're what the other company uses or not, or what you've heard about, or what got advertised, if you have five tools and you have your requirements, and your requirements are: there's 20 things I care about, and this tool must have those 20 things. When you start to compromise on your requirements, for any reason, you start to give away the power of a tool. And sometimes the tool's not the most expensive one, it's not the most advertised one, and it may not even be right for you in the moment to get one that's the highest in the Gartner Magic Quadrant. It may not be right for you at the moment. There are many tools there that are meant for the enterprise, meant for more mature organizations that have gone through process and process and process. But just start back at the process level. It doesn't even matter if you start with a spreadsheet and a workflow and your requirements. You will then start to see what is needed and wanted for you. A big example of that: sometimes people fall for, I'm gonna buy this tool, it's gonna make me compliant with SOC 2 overnight. I'm going to put my company information in there, and then tomorrow it's gonna tell me what to do, and I'll be good, I'll be done, and I can call the auditor and I'll be good. And I suggest you call the auditor and ask them that question, and you'll find that there's still a process of the doing that has to be in place, and one size does not fit all, one tool doesn't fit for everybody, and one scope of any compliance, whether it's SOC 2, ISO, FedRAMP, no matter what, is not the same company to company. Similar, not the same.
SPEAKER_01: Not the same, yeah. I come from the identity and access management background, you know, and the first thing we do is understand the process. Yes. Because companies spend millions on tools, but if they're not willing to fix the process, it won't really help. Yep, precisely; it'll just make it worse.
SPEAKER_04: Make it worse. If you go to a company and you see this wonderful-looking camera system, but it's not collecting data, what good is it?
SPEAKER_01: Yeah, you just spent money and time, and it also becomes its own maintenance nightmare, you know; you're doing work with no ROI. Absolutely. So for leaders currently who are feeling overwhelmed by compliance, what's a single mindset shift that would help them most right now?
SPEAKER_04: Well, in my mind, it's two things. One, every leader started somewhere with a certain level of knowledge and made the decision to become a different kind of leader in a different technology, or they became a security leader, a compliance leader, whatever. Every single leader had a pivot point where they changed from this techie or this administrator to the leader, the leader in security and compliance. And that could be you. You could be at a pivot point. So it could be you. The other thing is that sometimes you need other leaders to talk to. And it can be fearful, because you don't want to break the confidence of your company. So having a small round table of selected other companies that you do business with and other like roles, or a small group of like roles where you can talk about things openly, is great. Or, you know, my favorite, of course, is having an advisor who comes in, and it could be one person; it doesn't have to be a team, it doesn't have to be a large project. Maybe you have an advisor that comes in for a day or, you know, a monthly phone call. I have a client that just does a monthly phone call check-in that allows just two people in the company to say, are we still doing good? And here's our hurdles to doing what we said we were gonna do. What do you see? And we just explore for that time period. It's just an hour or so. Maybe I go have lunch with them and we just have that conversation, or we have the conversation over Zoom or WebEx, and we just talk about the hurdles they have, or we just talk about the possibility of something that can correct some stumbling block they have at the moment, or we talk about the wonderful advances they've been able to make in the period, and they just want someone to talk to about it.
I mean, how many times do you feel great and you want to go home and high-five somebody and say, Woo, I had the best day helping a client or with myself doing X, and there's no one to high-five? When we were in the offices together, we could high-five all day long, but now, you know, there may not be as many people to high-five. So having an advisor or having a little round table of like-minded people, that are maybe even your vendors, will give you an outlet to be able to talk confidentially around the problems that you're having or the high fives that you have or want to have.
SPEAKER_01I uh you make an uh you make a uh a very excellent point. You know, like having that small circle of people that you can surround with who can motivate you because uh heading into compliance, you know, without uh people to talk to is is a lot of work. Like it's uh it uh it uh can like the the the the sheer number of controls that you have to uh satisfy can be challenging, you know. And if somebody has done it in the past, why to just reinvent the wheel and and uh and not seek help from people who have who who have uh who have already been there, done that.
SPEAKER_04Absolutely, and there's always people that have done the process or seen a process, and that's what advisor is good at. We've seen hundreds and hundreds and hundreds of different compliances and different mitigating controls to different problems that different companies have had. And of course, we keep the confidentiality about the client, but we say this is a possibility. There are other mitigating controls, you're gonna be okay, but also you will see that with small groups of uh you know like-minded people, maybe someone is your vendor, or maybe your uh uh maybe they're your customer, and you say, This is you know, this is new and big and challenging for us. How did you solve it so that we can have it similarly?
SPEAKER_01Excellent. So uh let's shift gears a bit, Sarah. Yeah, let's get to get to know you as a person. So, where did you grow up?
SPEAKER_04Well, I grew up in Durham, North Carolina, the Raleigh Durham area. Um, that's where this accent comes from. I've tried to shed it, it doesn't work. I talked to my mother or my sister just enough to get it back at, you know, and then and keep it. Um I grew up uh working uh inside of retail and working my way through audit, internal audit, into being uh Novell administrator back in the day, working for IBM, then working later for Cisco Systems, finding my way to California, and here I am. And um then uh it about 27 years ago, I started my own business and focused then as a techie. I focused those two things. Uh plus my very uh engineering father, my stepfather was a risk manager and an insurance uh MetLife, so a very big insurance company, and my mother was an executive director in the Life Underwriters Association. So those all those three people live inside this body, and I took that, put that together to create a business to provide advisory to businesses who need to be or want to be secure and compliant. And so um that I mean that's kind of where I started uh before that. If you want to know about that, I grew up my first two years in college. I was a music major and just I don't know, flip that on its head. It is very similar. People who haven't participated don't understand the similarity, I think, but it's very methodical and pattern-like, and it and it just fits right along with the uh security compliance mindset.
SPEAKER_01So, how was that particular transition moving from uh being a southerner to being in Silicon Valley?
SPEAKER_04Well, uh, you know, um I it already worked for Cisco Systems. I was just on the East Coast at the Cisco site. So transitioning here was uh a cultural awareness because uh you know people were just uh all sorts of different people that I had never been exposed to, um all sorts of different food that I'd never been exposed to. I didn't know the difference between guacabole and wasabi because I'd had neither and they're quite different. Um and so um California is the land of all sorts of um foods, and um it's a land of different people where all the personalities are different, all the people are different, and and people can collaborate. Um and I think that that's just a model for other parts of the world. I don't think it's the only part of the world that has it by any means. I just think it's a model. And uh the last thing for me too, I don't have to suffer through uh I don't have to suffer through snow and ice anymore. It's uh you know, I can see it on the Hallmark channel if I want to. Uh but you know, I we have fires and we have earthquakes, so everybody has their own different thing. I enjoy California because it's warmer in general without being too hot. And um, but of course, I could move to Hawaii next, who knows, and it would be beautiful there too. Um, but it's it is it's different, but I do find myself on Sunday afternoons with a book, finding my favorite restaurant, Sheila's, here in uh Fairfield, California, which is a southern restaurant, and sitting down with a book and just enjoying uh fried chicken and catfish or something like that, and by myself and no one pays any attention to me. They just think I'm the odd lady over there reading a book.
SPEAKER_01I was going to ask you about food, about like uh missing southern food, but I think you uh you have that covered.
SPEAKER_04Iced tea, sweet, sweet iced tea. That's a that's a missing uh McDonald's hasn't been able to cover that very well.
SPEAKER_01Yeah, I think uh I moved to uh uh Dallas, Texas from New Jersey. I don't really realize how much uh iced tea is a thing in South. Yes, it's everywhere, yeah.
SPEAKER_02: Everywhere, yes, yes, yes.
SPEAKER_01: So uh you you did post-secondary education in music. You know, how has that uh uh helped you change the way that you think, you see patterns and so on?
SPEAKER_04: I didn't I don't think I knew this when I was 17, 18, 19, 20. I don't think I knew that I was seeing patterns.
SPEAKER_03: Uh-huh.
SPEAKER_04: I think that I just it just felt intuitive uh to the patterns felt intuitive. Um I and I don't think I thought I was good at math at 17, 18, 19, 20. Uh, but now I realize practically everything I see is a pattern, and practically everything I do is a math problem. So um it's just um it's just uh being aware um and over time you're more and more aware, and you're more aware of uh of things that you didn't know at all when you were that age, and you were still educating yourself because you it was the right thing to do, you were going to college and doing the thing. But uh, you know, the that's just a s that's just a stamping time. It's just like being compliant. I got the degree, now I have to continue to educate myself for the rest of my life, and that is when the security maturity or the lifetime um patterns and other types of maturity come into play. Theoretically, you know, I'm 24 in my mind. I know I'm not 24 in my body, but I'm 24 in my mind. But theoretically, I have a lifelong learning here, and every every year is different.
SPEAKER_01: Uh now talking about each year being uh being uh being different. So over the years, you know, uh what is the hardest uh decision that you have had to make and what did it teach you?
SPEAKER_04: The hardest decision I've ever had to make. If we're talking about business, the hardest decision I've ever had to make is when to make a major change. Something isn't working anymore, and let's make a major change and try to move the people with it and try to find the new right technology. Um, I think that's that's the hardest because it's um you're affecting a process, but the process has no feelings, and you're affecting the technology, and the technology has no feelings, but you're affecting people and they have feelings.
SPEAKER_01: Understood. Tell us about what you do at uh at uh BPM.
SPEAKER_04: Uh in BPM, I um run the cyber IT compliance and IT security advisory practice. Uh we have tentacles with two other partners that do penetration tests and IT security and IT implementations and managed services. And then my team, uh, along with Lauren Bradner, um, our director of compliance, we work with our clients on pure advisory to become compliant with those certifications, attestations, authorizations, or regulatory or security programs, all the way from startups to enterprise. So it's a very enjoyable work to do. And then we have the tentacles when it's necessary to implement or validate with uh uh external test. We have those tentacles along with others. So it's good.
SPEAKER_01: Nice. Okay. So do you see a lot of log coming over because of uh of CMMC?
SPEAKER_04: I so CMMC has taken on a life of its own, I think, in the last year and a half. It was a thing, it was coming, it didn't have teeth. There were some companies out there adopting in advance because they knew that it would have teeth. Then it had a lesser priority, now it's having more of a priority. And the people it's having the priority with are those clients who really have to be certified to continue their practice inside the government. Um, and those clients are not willing to lose millions to not be certified to the right level. And I believe that we'll see CMMC level two and above a lot over the next two years, and I believe that we'll see CMMC one adoption, uh, the self-assessment, please help me get going, um uh, you know, also increase.
SPEAKER_01: Okay. Uh coming back to music, Sarah. Do you play any uh any musical instruments?
SPEAKER_04: I play a lot of musical instruments, I don't play them enough. Um, uh the the instruments that I picked up and went to college with were the clarinet and uh the guitar and piano. Those were my instruments uh as along with all percussion things that I could find and touch and play. Um and in my adult life, I think I feel like I can play anything except the violin. For some reason, I have in my mind that I can't play the violin. And somewhere before I retire or die, whichever comes first, not sure which, um, I will learn to play the violin.
SPEAKER_01: I think uh it was uh Yoda who said if you yeah, if you think you can or cannot do you are right, something of that sort, right?
SPEAKER_04: Yeah, you're right. Whatever it is you think, uh if you think you can do it, you can do it. If you think you can't do it, you cannot do it. It's it is true.
SPEAKER_01: In terms of like uh you uh your current uh uh role, uh are you using a lot of AI in like like what I'm seeing in in the market is like people are using uh an AI chatbot as a vCISO. You know, so uh what do you say to people who are depending on AI as uh as a uh virtual CISO?
SPEAKER_04: Uh again, I go back to the AI is not intended to replace the human, it's intended to elevate the human. I I think it's a mistake to think that AI will replace any human or be instead of any human. I think that it provides uh efficiency to the human. I think that it replaces mundane tasks that a human may have to do, but the decision should always be with the human and an experienced human, and it should the AI should elevate the human to go after more uh subject matter expertise and more uh elevated experiences. And so uh I believe in my practice, we use AI to take meeting notes, to summarize the notes, and we go back and we look at them and change them ourselves. We do not rely on AI to be the decision maker even on minute notes, but we do take the minute notes just as you might use recording on a uh any type of Zoom or WebEx or Teams meeting or et cetera. Um there are other areas where we see benefit for our clients for AI, and we certainly assess them. I personally don't use AI much more than that. I put my energy in understanding the configurations, what AI should do, what it could do, and what disasters could happen if you don't do it right.
SPEAKER_01: Yeah, my experience has been like AI is so willing to please, it will just do whatever to just please the person who is using it, you know, and not consider the facts.
SPEAKER_04: Absolutely. I um played around a little bit with AI on a uh eight-hour drive I took by myself last year. And uh so I talked through the speaker in my car as I drove and asked AI questions, and then it gave me back answers, and I would say, no, that's wrong, and it would say, You're right, Sarah, and it would go on and give me another answer. So it conforms quickly to um anything you say, therefore, I can't trust that any of its research can be completely justified unless I'm in control of the data source. If I tell AI, here's three data sources that I believe are factual, go summarize this data from these three data sources, and it gives it back to me, I feel a lot more confident than open-ended asking AI questions. And I believe in the world, just like we did Google searches or you know, uh any other search engine we used before Google, uh, we are relying on whatever we ask it to be the answer. The answer, the top answer, the one that has the most hits is the winner. And that just can't be true.
SPEAKER_01: It always comes to uh what you can call it uh zero trust, you never trust, you always verify.
SPEAKER_04: I'll trust and trust and verify. Verify is important.
SPEAKER_01: This has been uh has been great, Sarah. Tell us how people can uh can reach you.
SPEAKER_04: Sure. Uh so any anyone that wants to uh read further about our services uh can go to the bpm.com website and uh also uh be able to just hit the people button and you can go right to me, Sarah Lynn, and see anything you want. Um and then if for some reason you want to reach out by email, uh my email is S-A-Lynn, first initial, middle initial, last name, and also the license plate on my car if you follow me down the street, at bpm.com and you can get directly to me. And and of course, um you know uh you can call into the BPM main office, and uh the phone operator will direct you directly to this office or sometimes directly to my phone, depending. So there's lots of ways to get me. I'm also on LinkedIn. I accept most messages from people on LinkedIn unless you're trying to sell me something I'm not interested in. Um, so um you can hit me up on LinkedIn as well.
SPEAKER_01: Awesome, thank you so much. Uh, I'm sure our listeners will love our uh our conversation. Uh tied to making sure that compliance is not just a one-time checklist, it's continuous security, and about finding good Southern food in California.
SPEAKER_04: Yes, absolutely. Yeah, I'm always interested in people if they only want to talk about Southern food in California. I'm interested to talk about that too.
SPEAKER_01: Okay, uh, I am sure our listeners will bear that in mind. Okay, sounds good. This brings us to an end of another episode. I'll see you on the next one. Thank you. Bye-bye. Thank you, Vishw. If you are responsible for Zero Trust or identity security at a federal agency, a prime or a large enterprise, this is what my team does all day at Zephon. We have helped organizations like the IRS, DLA, and the SEC fix fragile server environments and actually execute Zero Trust roadmaps in production, not just assess, execute. If you want to know where your organization actually stands, the easiest starting point is our free Zero Trust baseline tracker. You answer a set of questions across the core Zero Trust pillars, it's about 30 minutes, and you walk away with this code baseline of your current posture for foundational Zero Trust. You will see exactly where your solid inventor gaps are. Go to zephon.tech forward slash zt or hit the link in the show notes. And if this episode sparks something or you want to dig into your specific situation, reach out directly. I read every message. I'll see you in the next video. Thank you. Bye.