Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Mark Houpt has to stay on top of a vast range of compliance and security issues as the CISO at managed services and co-location data center provider DataBank. He shares how he works with organizations of all sorts to help them address a myriad of emerging regulations, standards and security issues across all industries and sectors.
Tim Erlin: Welcome everyone to this episode of Tripwire’s Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today I am joined by Mark Houpt, the CISO for DataBank. Mark, welcome.
Mark Houpt: Thank you very much. I’m glad to be here.
TE: Great. So, DataBank is a managed services provider, and you’re the CISO there. Can you tell us a little bit about what that entails? How is that different from being a CISO for another type of organization?
MH: Yeah, sure. So, DataBank is a managed services and co-location data center provider. In my experience of being both a chief technology officer and a chief information security officer in other organizations, the difference here is that we have such a broad range of compliance items that we have to deal with, compared to an enterprise type of environment or an environment where a company is singularly focused on a product or a series of products. So, a lot of my time is spent helping customers enter into a managed services type of agreement and into the managed services environment. Customers are coming to us not completely understanding the security environment that they need to protect themselves. They need to be walked through that process—everything from understanding exactly what the compliance requirement is to how those tools and materials and documents that we produce for them are put into place.
TE: It sounds like in your role that you basically end up with the aggregate of everything that all customers might have to deal with in terms of security and compliance. Is that right?
MH: That is absolutely true. And even after the sale, we get a lot of customers coming back to us, and when they have new contracts coming down the pipe, they start asking us, “Hey, I was just told I need to be CMMC or NIST 800-171 or even ISO compliant. We don’t know what those things are. Can you help us?”
Staying Current with Compliance and Security Requirements
TE: With such a broad range of regulations and standards that you have to be familiar with, how do you keep up to date?
MH: It’s a couple of things. I spend a lot of time in the evenings reading the news so that I’m at least familiar with the various new terms that are coming out. And then as a customer approaches me, a lot of times I’ll do a little bit of research to brush up on my existing knowledge or make sure that the requirements haven’t changed. If it’s been something I haven’t dealt with in a while, it could be a challenge. It’s kind of like playing whack-a-mole, where I need to go do some research if something pops up. Other times, it’s a standard approach of spending an hour or so or more a day reading what’s out there, what’s available, and searching for it specifically.
So, you know, top of my reading list the past couple of weeks, couple of months actually, has been the new Department of Defense’s (DOD’s) Cybersecurity Maturity Model Certification (CMMC). I’ll tell you why that is:
The reason for that is because there’s a lot of myths out there. Even the DOD just this past week had to come out with a statement about some of those myths and the fact that they have not certified anybody yet to actually certify a provider like us. So, they don’t have a third-party assessment organization yet that can assess an organization like DataBank so we can move forward with CMMC certification. And the reason they had to come out with that is because there’s been a lot of companies, a lot of assessment and audit companies that are out there claiming to be able to certify a company against CMMC.
That’s just not the truth. So, one of the biggest challenges that I have is searching for the truth. One of the ways I do that is by going back to the source. I went back to the DOD head of that portion of the organization, and I looked at that person’s tweets and other social media posts. I ultimately found exactly what I was looking for in that article.
Continuous Monitoring: The Key to Multiple Audits a Year
TE: You mentioned a couple of different compliance standards before, and given that you’re in a shared tenant environment, I can’t help but think about the statement, “There’s no such thing as compliance without audit.” I have to assume that you end up dealing with auditors and auditing across the board in your role. Is that right?
MH: Absolutely. Well, I deal with five different audits a year.
TE: What’s your best advice for operating an environment with multiple audits like that?
MH: There are a couple of strategies that I take. First, I’ve looked at my audits and tried to group them together so we could do some of them simultaneously. I cannot do my FedRAMP at the same time as the others. Typically, the Third-Party Assessment Organizations (3PAOs) that do the FedRAMP audits may be able to do an SSAE 18 audit or another type of audit, but they typically will not do those simultaneously with the same evidence. There are different evidence pieces and artifacts that are collected. So, I break them out. I do the FedRAMP audits in the spring, and I do my PCI, my HIPAA and my SSAE 18 audits in the fall because we can reuse artifacts for those three.
The second strategy is using a common baseline for security controls. So, we’re a NIST 800-53 Revision 4 security control shop. Everything that I do is geared towards complying with NIST because that’s our highest standard. And if there is a particular control in another standard that causes me to raise that, I will for that one control. So, an example is that the NIST standards ask you to do a penetration test on an annual basis, whereas PCI asks for it to be done twice a year. So, we raise it to that twice-a-year level. To make this work, have a continuous monitoring process in place that allows you to collect as many artifacts as you can without bothering other people throughout the organization.
TE: So, do you aim to be essentially continuously audit-ready in that sense?
MH: Yes. The heart of continuous monitoring is that you’re essentially audit ready for most of your organizations. We do daily, weekly, monthly and quarterly continuous monitoring.
TE: Yeah. And then there’s the other challenge of shared infrastructure. You’ve got tenant-specific infrastructure, and then of course, the customers have their own infrastructure. There’s some interesting boundaries there to deal with in terms of audit and compliance. Right?
MH: Absolutely. And so, one of the best things that’s come out of PCI is the requirement to have a diagram that identifies the boundaries that DataBank is responsible for and what the customer is responsible for. So, that responsibility matrix in my type of environment is paramount to success because it limits what my auditor audits. It clearly documents and defines for my customers what they need to go and do and what their auditors need to do.
TE: What about the difference between small customers and large enterprises? Are there specific verticals that are particularly interesting or challenging from a security standpoint?
MH: Yeah. It’s not the verticals that are challenging. It’s the size of the corporation.
You would think that the larger the corporation, the more people they have watching you, the bigger the problem that they will be. And that’s absolutely not true actually. The bigger they are, the more cooperation we get because they understand where the boundaries are, and they understand their responsibilities better. Where I’ve found the biggest challenge is the smaller the company and the less technical the company is, the more that they are or the less that they are informed on what they should be doing.
How Things Might Change
TE: So, from your perspective, what do you see as the biggest changes that are coming up?
MH: Well, I think the biggest change that’s coming is in privacy. There’s a federal bill that’s on the table right now that was introduced in the past week to deal with that. This law not only addresses privacy, but it puts a burden upon all companies of all sizes to put robust security controls in place. Which robust security controls they should implement is open to definition.
TE: All right, Mark, it looks like we’re at the end of our time. I certainly appreciate you spending the time with us. It was a very interesting conversation. Thank you so much for your time. I hope it was helpful, enjoyable and interesting for everyone and please join us again on the next Tripwire cybersecurity podcast.