The CyberCall
In this video, Phyllis Lee and Dave Bodine discuss the importance of using CIS's CSAT tool for cybersecurity assessments and improving security frameworks within organizations. They explore how the tool can help Managed Service Providers (MSPs) and other organizations better understand and implement security controls, emphasizing the value of structured assessments and benchmarking. The conversation highlights the potential for community collaboration and the importance of iterative improvement in achieving greater cybersecurity maturity.

- The webinar focused on the implementation and benefits of the CIS Controls and the CSAT tool for cybersecurity assessments, emphasizing the importance of starting with IG1 for organizations new to the Controls.
- The discussion highlighted the community-driven approach to cybersecurity among MSPs, with an emphasis on collaboration, sharing of experiences, and the maturity of security practices over time.
- The potential for using CSAT data for benchmarking and improving cybersecurity practices across industries was discussed, with a suggestion for a coordinated effort among MSPs to assess and improve cybersecurity posture.
Video Transcript
Welcome back, everybody, and Crowdcast is functioning today. Appreciate you guys joining in. We've got a really interesting Cyber Call today. We don't do this kind of stuff often, but we are going to talk about and show something. So that's kind of unique for us, right, Wes? We don't do a lot of show and tell. We really don't. We should do more. I know, I know. It's more, you know, just coffee talk like Saturday Night Live, you know? Yeah, yeah.
You remember that. Phyllis is fighting a little bit of a cold there, but let me just jump on in here, set the stage, and make sure, let me check chat and everything technically. Are we all good? Greetings, everybody. All right, we're working. Yes, a functioning one, Mike. Absolutely. Okay. All right. So last week, by the way, we pivoted over to Zoom, and my Zoom wasn't redundant, Wes.
I didn't do any DR testing and therefore failed big time on that tabletop. But we are gonna have Chris Garrett back next week to do a version two of that on this platform. If you missed it, it was really, really good. I sent out the Zoom link to everybody, so I hope you got it. It's up on YouTube.
So today, in kind of that backdrop where we were really digging into, you know, a specific technology slash control, I was thinking of Phyllis, and, you know, we look at that, and what we've talked about in the Cyber Call is malware defense, or Control 10.
If we look through the lens of CIS, one of the things that I really wanted to dig into is, you know, how is it that we can be doing a better job using the Controls from a people, process, and technology perspective? And are there things out there that CISA, uh, CIS provides? Gosh, if I could only speak. So, to MSPs: Phyllis was gracious enough to agree to talk about CISA, and we're gonna be ideally speaking more about it.
Yeah, drop the A. Thank you, Phyllis. And because they have both a self-assessment free version as well as a multi-tenant version that MSPs are using to do assessments for both themselves and their clients. So Phyllis also pulled in Dave Bodine, who I will introduce momentarily. By the way, Dave, did I get that correct on the last name? Yeah. Yep. Perfect. So Phyllis, most everybody on the call knows you, but just in case we have some new people.
Can you give everyone out there just a brief overview of who you are and what you're up to these days? Yeah, sure. So my name is Phyllis Lee. I'm currently the VP of content development. That means the CIS Controls and the CIS Benchmarks fall underneath me. Also the cloud team; we do offer hardened images, which are operating systems and different technologies, containers or whatever, hardened to our Benchmarks, or secure configurations.
We offer those in the different service provider environments. Prior to CIS, I spent around 25 years at the National Security Agency, and the bulk of my time there was spent in defense. Awesome. Yeah. And Phyllis, we are gonna be talking, it's really amazing, three years now. I think I was counting, that you've been doing stuff with the MSPs. So that's my first question I'm gonna ask you.
But before I get there, Dave, you hail as product manager over CSAT. So welcome, and really cool of you to join us kind of last moment here as we did some pivots in the background for today. So thanks for joining. Tell us a little about your background, 'cause it's pretty cool. And I see some guitars and gaming stuff, so get us on the fairway. Yeah, yeah, yeah. Happy to be here. So my name's Dave Bodine.
I'm the product manager for CSAT and for another product that we have called BIA. It's a business impact analysis tool that partners with CSAT to give a little bit more specific reporting on ransomware threats. So I've been with CSAT, or CIS, just over two months. Prior to that, I've spent about 17 years in product management, ranging from the public sector with universities to the private sector. Did some consulting, kind of worked in the Bay Area here.
I'm based in Sunnyvale, California. And a lot of my work has been transformation, either self-managed to cloud products or larger-scale operational transformation in the product space, rebuilding product organizations. My educational background is in international tech policy and game design. So that's where the Neo Geo comes in. And then the guitars. I'm also a luthier, so I build guitars. Oh wow.
That's how you end up with a bunch of guitars: you start building them. Interesting. Cool. All right, well, let's rock on. Phyllis, three years in the making, I think it's been now with CIS, really, and thanks to you, 'cause I reached out to you. We started talking and you were, that or something in there. Yeah, I dunno what that noise is from. Holy, that might be me. The garbage truck just swung by. Oh, okay.
I was gonna say maybe Crowdcast has some new enhancements since last week's meltdown. Like, yes, you know, we can have restaurant music and all sorts of things. But Phyllis, you know, you and Kurt have been instrumental in working with MSPs.
I'm just curious, you know, with all the events you've been to now and things like that, gimme a top three, if you would, things that you've learned or things that stood out for you about MSPs, before we get into here.
So, what's changed and what I've noticed over the last three years: when I first came, first off, no one had ever heard of the CIS Controls or really any kind of security framework to actually implement within their own enterprise, other than, hey, their client has to be PCI compliant or HIPAA or something like that.
So, thanks to you and Wes and Gary and all the people on this call who have evangelized on behalf of the CIS Controls, we're seeing great adoption across the community, and we're seeing adoption within the tool stack that MSPs use. So I really appreciate it, and to me that really shows maturity. Everyone's recognizing security is a priority. We always say, you know, start at home first; implement it on your own enterprise before you can offer it up.
And so I've just been really impressed by how this community has really strived to work towards being, I don't wanna say more secure, but more secure, you know what I mean? And are concerned about attacks, et cetera. I would say the second thing kind of dovetails into that: the maturity of the organizations. When I first came, every single MSP at every conference said, well, my clients don't wanna pay for security.
Can you tell or gimme some slides on how to get my clients to care about security and pay for security? And then of course, we've got Gary Pica on this call, who every week is saying, what do you mean? You just haven't explained it to them properly. And so I get that question less and less. Again, on this call Gary talked about, you know, you also have to have your own kind of guiding principles on who you wanna have as a client, who you don't want to have as a client.
Like maybe it's not about being $5 cheaper than the MSP down the street, because you can be liable for certain attacks and things like that. And so what I've seen is less of, you know, Phyllis, tell me how to make people care. I think more and more MSPs are understanding I have to relate cybersecurity risk to business risk. We're not all there, but that conversation has definitely matured over the last three years.
And then I think also one of the things that impressed me from the beginning about MSPs, and maybe it's just me being naive, is how everyone really just wants to help each other. I get that everyone's in competition with each other, but one of the things that I love about the community is people really do wanna try and help; people wanna try and share success stories, horror stories, all those things.
You know, I've done a lot of talks with Eric Woodard, and he just shares about his own experience. He got permission from one of his friends who was compromised as an MSP to share that experience and to hopefully let people learn, hey, don't get caught like I got caught with my pants down. So, you know, I really appreciate that a lot about this community. Yeah, I just wanna jump in and say, it's exciting, right?
Like I think, Andrew, you would agree it was probably very ambitious of us to say, hey, we think, we among many others, you know, Matt Lee and the folks at Blackpoint and Huntress and others that have really been carrying this torch, right, too, but in so many MSPs. But I guess my point is, it's working, right? It's sort of like an animal herd. We are moving together and we are moving in the right direction, and here we are three years down the road.
And I think it's so great for MSPs to walk in saying, I have the confidence now to say you need to do this CIS thing, client, because if you don't, you're going to end up with a maturity problem that's gonna have ramifications that affect me and you. And I know my other competitors are gonna, if they're doing the right thing, they're gonna tell you the same thing too. I just love that we're moving in the right direction.
It may still be a few more years before we see like nationwide impact to all of this, but it's happening and I'm excited for it. Yeah, yeah. No, Wes, really well said. I mean, if you think about it, all the way back to you and I first meeting in 2016, even right where we are today, eight years, just about eight years later. That's crazy, by the way. It's crazy.
But eight years later, I mean, you know, holistically, MSPs involved, like in this call, you guys, I'm really, I have to say, incredibly proud of the diligence and the care that you give one another in sharing. So it's really good stuff. So, yeah, I mean, good point. I remember the first time I came on the Cyber Call, and even in the chat people were like, how do you get people to buy, to want security?
And then Gary Pica was like, what are you talking about? So, you know, you don't see those questions as much anymore, really. Yeah, yeah. Good things are happening. Absolutely. Phyllis, so today's about CIS's Self-Assessment Tool, or CSAT, as Gary likes to say. And speaking of Gary, can you get us on the fairway a little bit about what this is? 'Cause we got your head of product here with us, so I'm excited to talk about it. Yeah, sure.
And so I would say oftentimes what's great about working at CIS is that we can respond to organizations' needs. And one of them was, how do I know if I implemented this correctly? How is it that I can actually assess against the Controls without buying, you know, a really expensive GRC tool? And luckily enough for us, someone donated the Controls Self-Assessment Tool, the one that's free, and we kind of modified it a little bit.
And so what we really try to encourage with organizations who implement the Controls, or really any framework, is that we know you're not gonna get a hundred percent starting off, right? It's too difficult, it's too expensive, it's very resource intensive. And so what we really want organizations to do is just get started and iterate over time. And that's what CSAT allows you to do. It's not pass or fail. It is, hey, 20% of my devices are accounted for, then 40, 60, 80.
And so we're trying to show improvement over time. And that's really what the self-assessment tool is about. It's not about an auditor coming by and failing you. It's about you figuring out how well have I implemented the CIS Controls, and how is it that I can improve over time? Good stuff, good stuff. Dave, let's talk about the breadth and depth of CSAT. Is it getting adopted? How long's it been out there? And kind of give us the lay of the land on how many folks are using it. Yeah.
CSAT's been around for a bit, but in terms of usage across the two different products, we have certainly more visibility into the hosted product in terms of how it's being used, what sort of results people are seeing, the status of different assessments, all anonymized, of course. But we see about a thousand downloads per quarter of CSAT Pro. So that's the, yeah, and it's split between SLTTs and paid members.
So that is something where we do see that fairly consistently, right around a thousand every quarter. And, you know, there we don't have a lot of visibility into how it's being implemented, how it's being used. But that gives us a good indication. And then in terms of CSAT Hosted, there are about 29,000 members right now. We see in total about 8,300 surveys that have been completed across that. So there's a pretty good return rate.
If we go in and we actually look at the stats across all the different Controls, we can kind of see an average ranging anywhere from 50 to 80% compliance across all the different Controls. And it does vary, because different Controls focus on different industries. We see some of that.
That is an area where we do look at, in the future, improving the ability to look at the granularity of that, to look at trends, to be able to not just provide that information back to the members, but also to help us, you know, proactively develop it. So like Phyllis was saying, get that time to first report down so that you can get in there and you can very easily address Controls that are gonna have an impact immediately, and then build from there.
So it's not pass/fail, it's progress. Yeah. And Phyllis, tell me if I'm right or wrong, like you can basically opt in to anonymized data so that CIS can compare and contrast.
And I'm curious, with that, when you released Implementation Groups, 'cause I remember you saying, you know, people would come to you before Implementation Groups and, you know, they'd been working on the CIS Controls and been on Control, like, one-dot-whatever for the last two years, and you're like, you're not doing anything else?
So I'm curious, have you, can you guys graph, or have you noticed since the groups have been put in place, are people getting through it better, in a more methodical manner, aligned with the groups? I think so. And so I would say there's a couple of tipping points. There's CSAT, in which many people, of course, self-assess at IG1. And we see that. We also really have a lot of outreach.
So we have a partnership with NetHope, which is a consortium of NGOs, non-governmental organizations, and other nonprofits. And they are assessing all their members against IG1 because it's so doable. And so, you know, I've talked with many of the members in NetHope who are like, hey, I'm in a third world country, I don't necessarily have internet. What can I do? How can I assess this?
And so they really like IG1 because an organization like that, that is going into a country to help, for example, Haiti, if there's a natural disaster, et cetera, pen testing seems out of the question for them. And so what I like is that consortium looked across its membership and said, IG1 is where we want everyone to get started and assess against. And they're using CSAT Hosted for that.
And so we see a lot of outreach like that, and say, oh, can we use CSAT Hosted for this? Yes, of course. You know, it's free. Anyone can use that, right? So we've seen a lot of that adoption from direct outreach and then using the tool, and then of course people through using the tool and getting data on the tool. Very cool. It'd be interesting to see what that, you know, organization, that not-for-profit group's doing.
It'd be great if we could get an inertia together of MSPs doing it, but, you know, that's an interesting thought process there. Phyllis, before I turn it over to Wes, talk about best practices, like what makes a good, you know, 'cause you talk to a lot of companies, whether it's a state, whether it's an organization, you know, organizations reach out to you and you all start getting involved with them.
Maybe if you could share a story, or, you know, where you've seen things go right versus wrong. Where do people get hung up? Be interesting. Yeah, sure. And so, I know this is cliche, people really get hung up on just getting started in answering the questions. And so IG1 has really helped with that. 'Cause instead of, you know, looking at 18 Controls and all the Safeguards, it's, you know, a subset, 50-some Safeguards, right?
And what's interesting about what I guess, you know, the best practice is: number one, just get started. Number two, it's okay if you don't know the answer, honestly. We always say no one's grading you on accuracy. And the nice thing about the tool, and going through the exercise of actually answering the questions, is it really makes you think, and the tool, I think, brings ideas. It's not just the IT department. It'll say, who is the organization in charge?
You can email that person and put them in charge of answering the questions about this Safeguard or the questions about this Control. So it really shows how federated cybersecurity is across the organization. So for example, security training, awareness training, education. If Ryan Weeks was here, security awareness, education, you know, that's typically HR along with IT, right?
But it's not just always the IT department, and, folks, many organizations don't have a cybersecurity program or cybersecurity experts on staff. And I would say also, finally, is iterate over time. It's the organizations that you see in there that are actually assessing more frequently that are doing better, right? So you'll see that organizations actually don't close out their evaluations because they'll revisit either every quarter, every six months, or whatever.
And they don't wanna close that out because they wanna keep on improving. And they'll say, oh, we scored low here, we're gonna keep on improving over time. So I think if you realize it's not just once a year, perhaps, like people who are getting audited, but throughout the year you can improve and reassess. Well, follow-up question.
I promise I want Wes to go here, but Phyllis, you know, we talked probably a year or so ago about the, I think it was like $4 billion over the course of x amount of years that CISA is giving the SLTTs. The first part of that was to develop a security program, and this budget was to flow down from the state.
So, two parts. One, I want to ask everybody in the audience to just do a yes or no, Y or N: do you work with state, local, municipal, tribal, territorial, any type of SLTT? Phyllis, and if so, do you envision that this could be part of those funds? Like if you went to a state-funded entity or municipality that receives funding from a state and said, hey, look, we as this MSP are, you know, we're working with CIS, we really understand the Controls, we really understand CSAT.
You know, is that something that could be funded and incorporated as part of that initial scoping for their security program? I think so. I mean, if, you know, I would say that I don't know if the states are going to mandate a certain cybersecurity framework, number one, right? So like you said, initially the state gets to decide how those funds are gonna get allocated, right? They're coming up with the plan.
But to be fair, they did state that the program was the first piece of the equation. Do you remember that piece of it? Like, so that's what I mean, not a framework, but say, hey, we have a security program, right? Mm-hmm. And here's the scope around it. And so that's why I was going down that path. I think so, yes, because assessment is gonna be part of it, right?
And most organizations will have to pay for an assessment or get help with an assessment, especially the LTT part, local, tribal and territorial governments. So I think you're spot on, Andrew. We're trying to get CISA over to Right of Boom again this year. We are in talks with them, as you know, Phyllis. So it'd be cool if we could lobby them to, I guess, you know, work with the states, and, you know, it would be great for the MSPs in and of themselves.
So yes. Over to you, bud. What a great topic. I think it's a shame that in security, especially down market, among MSPs, we're not doing more assessments. Like, assessments drive everything this world does, right? Because I can say all day long my car is the safest. You know, I can say all day long this factory is, this is the standard that we are running at. I can say this in everything. I can go into a health clinic and say, my knee hurts, right?
And they don't just break out the bone saw, right? Everywhere we assess. Assessing is, I just wanna kick it off with this little diatribe, I guess, because it's essential to what we do. And I think the MSPs that I know, the ones that are probably on this call, by the way, that are really good at assessment have learned it is the ticket to unlocking where they really want to take their clients.
So, this is a great topic for us to be having because of its importance. So Dave, I guess to get kicked off a little bit, Phyllis mentioned earlier a little bit about the Implementation Groups, right? So if anyone on the call doesn't know what they are, one, two, and three, I like to look at 'em as like beginner, intermediate, advanced, right?
My question is, you know, around these Implementation Groups: is the recommendation from CIS just start with IG1, do a filter, only work on those, and start at Control 1 and just go all the way until you're done with 18? Do it kind of like level set and see where you're at. Is that like the right starting place? Or are there better pieces of advice you might provide? Yeah, I think that's a good way to start, right?
Especially if you're coming fresh to the Controls, saying we're gonna look at IG1 and we're gonna go through and we're gonna start assessing those, that at least is gonna give you feedback at a high level on where your strengths and weaknesses are. And then as you start moving through IG2 and IG3, you can focus more as you get more used to the process, more used to the Controls, get more people in your organization aligned to the assessment process.
And then that kind of gives you the ability to sort of level set and figure out what is the best path forward. Because really what CSAT is all about is giving you visibility into where you are with implementing these things and where you have weakness. And then as you start developing against that weakness, where your strengths have grown. Okay. That's good. Maybe a follow-up question.
One of the things I think is helpful, especially when you're doing CSAT itself as a tool, is it's not just a yes or no. You know, let's pick a Control, right? Like, do you have logging enabled on your endpoints, right? Yes or no? There's a lot more to it that I think breaks into really healthy conversations in the organization, right? Do we have this policy defined? Do we actually have a process for this?
Is this something we do manually? Is this something we do automated? It brings up these questions where you say, well, actually we do have auditing set up on all our machines, but I wouldn't know if we actually disabled it, or I don't have a process for onboarding new end devices to make sure the auditing is set. Like, it brings up a plethora of really great conversations, doesn't it? Can you just kind of chat about why that's healthy for organizations?
Because it's less about the yes and no, and more about the exploration and letting you be in the driver's seat to understand, are we okay with where we're at now, or is there room for improvement? Can you expand on that a bit? Yeah, absolutely. So I mean, I think one of the key things is that when you're looking at an overarching policy environment, right?
Everybody understands that your policies are not always going to be completely where they need to be in terms of internal compliance that you've set for yourself, even in terms of external compliance; there's always something you're chasing. And one of the things that CSAT really empowers you to do is not just make sure that the people who are responsible for those policies have that visibility into the system, but that other people have visibility into the status.
But it adds a layer of accountability in terms of being able to say, this is when this was last updated. So if you see a policy change external to your organization that you need to react to, it gives you the ability to say, okay, these have been updated, these haven't been updated, this is where we are with these, or we do have an informal policy, or we have something drafted but it hasn't been approved.
It really gives you a granular perspective on where you are in that policy life cycle so that you can get things locked down when you need to and prioritize them appropriately, right?
So if you're coming up against a deadline, right, where a policy goes into implementation, and if you're gonna be out of compliance it's gonna cause you financial problems, regulatory problems, something like that, you can really prioritize the actions that you need to take to get into compliance, and provide that visibility all the way up the chain through the reporting that comes out of CSAT, through the ability to track that stuff and make sure that the people who are responsible are in the loop.
Hey, Wes, just real quick, I want to ask you a question here, based on what Dave said. You know, you've spent a lot of time with FifthWall and in the cyber insurance world. Do you feel, again, this is subjective, right?
But do you feel if an MSP, through their client, their client got compromised, and they're using something like CSAT, there's policy, there's evidence, there's diligence that we're working on a security program, almost like safe harbor for some of the states that Phyllis talks about.
Do you think that would go some way, you know, help in that, from a coverage perspective, from a due care perspective, that the MSP and the client would have a lot more leg to stand on with the insurance company? Well, we don't wanna pay this, you know, as opposed to something like that. Yeah, it's a great question. I actually get asked this all the time, both by MSPs and even vendors, right?
Because a lot of our vendor friends are like, hey, we can help solve this issue for the carriers, and, you know, so can't we talk to them and show what we're doing? And then that brings into that broader question that you just asked, Andrew, of like assessments. I mean, shouldn't we be able to hand that to an underwriter and have that affect policy decision making, coverage? And as you mentioned, even safe harbor, right?
Wouldn't it be awesome if one day you could go to the carriers and say, I'm CIS IG2, therefore I'm guaranteed I'm going to have a million dollars in coverage as long as I can show and prove that we've maintained that level of certification? Like, I would love to get to that direction.
The challenge we have in front of us that's limiting that, Andrew, is that the underwriters, when we speak to the underwriters, what we discover is they're so control focused because it's one of the few granular things. Like, in other words, tell me if your vulnerability scanning is looking at stuff within 30 days and handling crits, instead of looking at policy. Policy defined, if we assess this in the organization, do we have a policy management program that's been assessed by somebody? That's much more valuable, but they're not doing that because, A, they don't know how, and two, they don't have a source they can trust, right?
Because if it's self-assessed, what's gonna stop the end user from just being like, yes, yes, yes, yes, yes, yes? Versus when they say, do you have EDR fully managed by somebody else, yes or no? They can prove that you don't, because its presence doesn't exist. And so, unfortunately, that's where a lot of the underwriters are at this point.
Now, the sands are shifting here and we're starting to see some insurtech come into this world. Go talk to Dustin Bolander, go talk to Ryan Weeks. You're seeing this all starting to emerge where we're having, almost think of it as like insurance middleware that's able to present to the carriers a status. I'd love to see that continue to be expounded as well. If you actually can present a credible, attested third-party standard, I think that'd be great.
Or what CompTIA is doing around Trustmark. I think that'd be great. So I think we're gonna get there, but I think it's gonna be a little bit longer before we get to that stage. Sorry to be so long-winded on the answer. No, it was a great question. Interested in the safe harbor side of it. Phyllis, go ahead. Yeah, so I just have a comment about cybersecurity insurance. I have a question, actually, for Wes.
We have had, um, some anecdotes from, um, certain SLTT communities in particular K 12, who self-assessed against IG one, excuse me. And they worked with their cyber security insurer to say, Hey, this is where we are right now and this is where we wanna be. And then that also helped them get insurance and they were able to use the assessment to say, Hey, this is how far we are and in 30, 60, 90 days or however long it's gonna take, this is where we wanna be.
And that was an effective tool for them, um, to show insurers. Is that, is that what seems, It sounds like they're talking to a good carrier that actually gets it, right? Because remember the carrier to to, to that point, Phyllis, like the carriers are learning and maturing the same way that that organizations are too, right? And actually having a conversation with a, with an underwriter can go a long way. We run into these all the time.
Um, you know, where, where sometimes the, the application has issues or we have a yes, but, and these are some things we're not doing, or we agree that we need to be over here, but we must have cyber insurance. And so we can give you a plan almost like a, like a POA&M, right? In the CMMC world. Good, good, uh, underwriters can have that conversation, say, okay, that makes sense.
I think we can have that conversation and, and, and, and, you know, maybe we can, uh, grant a policy, maybe it's gonna be much more expensive this year. We can pull the cost down next year when we see the presence of that maturity that's been built out. So yeah, I, I think we do, we do see that happening.
And I would just tell everyone here, if you're not actually having conversations with the underwriters, you know, you don't just wanna be talking to an agent on the street, an agent doesn't know anything about cyber because they're not gonna help in those conversations. The agent is just sort of the paper pusher that gets, you know, the, the, the policy over to the underwriters who make the control decisions. So yeah, I, I'm glad to hear that and I, I do think good carriers can help in that.
Awesome. Thanks. Yeah. So, um, Dave, to get back to one, just maybe another thing I think was, uh, we've, we've touched on a little bit, but I'd love for you to dive in a bit more, is this idea around, um, CSAT itself with users like you, you mentioned, and Phyllis mentioned that you can actually have other users jump in and help.
I think that's a smart thing because the reality is sometimes we we're not the source of knowledge and truth, especially when it comes to the line of business applications, things like that, where you're like, you know, I don't know if that's right. So talk to me about how, how that's an important process for MSPs to consider of reaching out to others and having them jump in and help answer questions from a risk perspective. Yeah. Uh, you know, businesses are fantastically complex, right?
And they get more complex every single day. And the cybersecurity landscape across all of those different business units can be monstrous to deal with. And to expect one person to be an SME across that entire space is pretty unreasonable.
So what CSAT allows you to do is it allows you to assign individual assessments out to users that you've created in your organization, um, so that you can find those people who are the SME in that area and can give you the good information that you need to get the assessment in place to get the documentation in the system to back that up so that when you go to leadership, or if you are working with, you know, an insurance company and you're working with an underwriter, that you can provide that documentation that then proves your case, you know, where it's not just, yeah, we self assessed, but like, here's the actual policy, or here's our research that we've put together that shows that our policy is correct, right?
And it gives you the ability to, to get much more granular, reliable data across all those different areas than a single person or even a single business unit could really be reasonably expected to, to provide. Yeah. Okay. That, that's awesome. Um, a another question for you is, you know, as, as CSAT uh, collects anonymized data, uh, I think that's helpful for benchmarking, right?
I think one of the best things that we can do in security, and one of the things we should be focused more heavily on, um, is benchmarking. Because clients always wanna know, how do I stack up compared to others, right? We do this again in every industry. Why is security so behind in this? It shouldn't be that way. Uh, talk to us about how you're doing some of that benchmarking and how organizations even maybe in MS-ISAC have used that to like understand where they're at and use that in great conversations to move their risk maturity forward. I'd love to hear more. Yeah. We do have the ability to do, um, what's called an industry average assessment, where you can take your scores that are calculated in CSAT, look at them against similar, similar, you know, peers in your industry. Um, the industry, uh, is all self-reported, right?
So it is, it is incumbent upon the members to accurately categorize themselves. Um, but once you've done that, that industry average capability will give you basically an idea of, of where you fall, right? And are you doing better or worse than, than the rest of the industry that you're operating in across each control? Um, you know, and that's something where as we look at defining industries, defining, um, you know, different use cases, right?
If you're looking specifically at, uh, hardening against ransomware attacks or IT/OT attacks, what, whatever those happen to be, that's an area where we, we really do want going forward to make sure that that industry average capability is still there. So that if we put something in the system that gives you a more granular view, we wanna make sure that you can actually see how you're doing relative to everybody else. Um, you know, that's something that I think is really beneficial.
It gets back to one of the things that Phyllis was saying way back at the start about how there is a community and people do wanna see everybody succeed. 'cause ultimately a better cybersecurity landscape across the globe is one where people are generally protected. Um, so that, you know, that is definitely the, we see it as in furtherance into that goal for sure. Wes just thought about something, Dave, I wanna ask you.
Did, do you envision any type of, um, whether it's collaboration with Atomic Red Team, like as an example, because, you know, you're like, Hey, I want to do this, you know, I want to mitigate against this type of ransomware attack where you could go, well, if you, based on, you know, the way this threat actor, TTPs, da dah, dah, dah, we've aligned it and you look, you know, this is your efficacy based on these, the control implementation. So interesting that you bring that up.
Um, the, the BIA product is, is specifically targeted towards ransomware. So the way that that works, it's a separate free product that's available to all members. Um, and the way that it works is you take your CSAT assessment, load it into BIA, uh, BIA has a specific set of controls that we've targeted to show you how hard you are against a ransomware attack. And it will give you a similar score.
It also allows you to define assets so that you can say, these are the things that are at risk from a ransomware attack in my organization. This is the dollar amount I'm actually assessing to those. And then within a range. And it will give you your potential liability from a ransomware attack. So you don't, you, you don't just know how exposed you are, but what it's going to cost you if that happens. So that is sort of the approach that we've taken so far.
And that impact assessment tool today focuses on ransomware. There's definitely a desire, um, within CIS to expand that out, to look at other attack types, um, as a way for folks to really be able to kind of target in and say, yeah, I wanna, I wanna know this, or my, my CEO just heard about all the ransomware attacks in Las Vegas and is freaking out.
I need to tell them what's our exposure, what's our liability, um, and to be able to provide that in a really, really good, solid way in short order. Yeah, that's, that's really cool. Phyllis, you've been holding out on us, holding out where, where's the BIA? It's free man. Uh, it's been, you know, it's been around. I, um, and you know, just so you know, um, BIA for those of you who are risk assessment nerds is FAIR-based. And so really organizations, we have the, um, what is it?
The, um, CIS RAM risk assessment methodology, which is, um, qualitative. And then people are like, no, I need numbers, I need quantitative. And so that's our first foray into that. Um, which is the BIA and Sunil is involved in FAIR. So Yeah, a lot. Yeah. So, you know, one camp or the other, it's a religious war and, and you know, we kind of, um, straddled the fence there to see, uh, what organizations want.
Well, and the risk of embarrassing myself, I'll say, I actually didn't know that you had a BIA tool, so I'm gonna have to take a look at that and, uh, we should do another cyber call on that. And speaking of another cyber call, Andrew, I was looking at Phyllis, your comments on policy creation and then the comments we had earlier in, um, this conversation around, uh, policy defined control objectives, all that kinda stuff.
I think, and I wanna know from everyone in chat can, will you give me a yes or a no? Would you be interested if we did a cyber call on policies like policy creation? What makes a good policy? How many policies do we need? How do they get created and edited? Um, how do we do review what's best practice because wow, I, I think, yep, there we go.
I think we really need that, Andrew, because unfortunately, um, I feel like where we're at typically in policy creation is go download one from somewhere and then just slap your name on it, control F for your name, you know, and that's really dangerous. I'd love for us to do more on policy discussions. Yeah, The, the, you know, Brian Blakely, who we've had on here many times is probably a top, maybe one of the top candidates there. 'cause he has developed zillions of them. Yeah.
Like, Yeah, that's great. I mean, you got a great response. I mean, really the policy template creation came out of someone doing CSAT. They, they had a third party assessor and they're like, we failed every one 'cause we have no idea how to create a policy. And a lot of the policy templates out there are super complicated.
I don't wanna name names, but they're like, they're out there and they're really hard and The Yeah, and they'll say, sometimes they'll say like, I know Tim from Compliance Risk is, we're speaking his language here as is world too. Uh, like sometimes we download ones that are like, whoa, we put a piece of paper that says confidential over everything confidential. It's like, you liar. Not only is that a terrible process, it doesn't even, like you're not doing it.
You've created for yourself things that you're not even doing your, so like we, man, we, you can create a lot of liability for yourself there, Wes too. Yes. Yes. And then how about when we have these boilerplate policies that don't work well because they don't meet the requirements that the regulations of that client require, right? So, so yes, we, we, I think we really need, we need to talk about this. No, this is where you can get yourself in a whole whole lot of bad trouble.
If, if there is a compromise and, and you know, we've had Spencer on here as a breach attorney. I mean, they're, they're not dumb. They're gonna go start pulling out, okay, well let's look at the policy. Oh wait, you say you do this, this, and this, but there's nothing at all backing this up, you know? And, um, so yeah, I think it'd be really interesting to do Wes. Okay, great. Um, sorry to derail us, but just it was in my mind, I felt like we really gotta talk about it.
So Phyllis, I wanna, can we talk vision for a minute? Do you see a, a, a potential in a future where, um, we have enough data, not just from CSAT, but from all of the data points that we're pulling in from kind of everything where, like you, where CIS could join us on the cyber call and you sort of give a state of the MSP nation, right? Like, hey, around control eight, you know, this is 80 per, 84% of MSPs are at this level, and we need, you know, we have exposure here.
Like can we, can we get to a point where you have enough data to where we could actually do something like that? Because I think that'd be so exciting and could really help us understand, you know, at, at an international level where we, where we actually stand. Is that a capability and a possibility? I think so. I would love that. So, so let me, let me, let me put a call to action out there for MSPs, what we would love is to hear that demand signal.
So just like we've worked with consortiums who have said, Hey, my whole membership is going to do a CSAT hosted the free one, um, assessment. We wanna, we want them, we wanna be able to compare across that, that set. Can you create a category for us? Just like you have to self declare, um, what vertical you're in, right? And we got those verticals from probably like small business association or whatever.
If we had the demand signal and said, Hey, we are going to have this number, everyone from Cyber Nation, 6,000 members, we're gonna do an assessment in CSAT hosted perhaps, or we're gonna do CSAT, um, um, Pro and you know, those of you who have controls only and we'll opt in. You can, you can opt in to have that, um, industry average and you just have to, when you opt in, you agree to have that data sent back to CSAT hosted. So we could do the industry average. All of it's anonymized, right?
So we wouldn't say, you know, Wes's MSP did this. We would just say MSPs, if we could get that demand signal, we have the product manager right here. I'm pretty sure we could convince him to put that on the roadmap because we've done it before for other organizations.
So, you know what we could do, Phyllis, we could, I'll create some kind of contest where starting, you know, right now, well, but we'll, we'll have to get with Dave and get some kind of, you know, maybe a, a marker that we could have a grand prize winner named at Right of Boom. Could give people four and a half, four and a half months.
And we'll give out some decent cash prize for the organization that has done, you know, the best assessment, has the best documented evidence behind it and can articulate it. Um, maybe we do we do it over the closing session or something? I'll, I'll, I'll, I'll, let me contemplate that. Would you guys be open to that if we put up some prize money and Yes. Do something like that? Yes, I think so.
I think that a Right of Boom tattoo right on the back of your neck, right on the back of your neck. Bob Miller. That's What I, I think that Andrew, I think it's a fantastic idea and I think there ought to be some meritocracy to this, right? There ought to be some amount of, like, I want to tell everyone among my peers, I did this, yeah, I participated to make this better. Like, it, it'd be cool if we had it on the badge at Right of Boom.
I think we could probably get a bunch of vendors to even jump in and sponsor, you know, like you said, some more incentives to get that to happen. Um, I think it'd be even super cool one day to be like, Hey, the only way you get special entry into Right of Boom pre-reg is if you, if you've been through this already or something. But I just, man, I love this idea. I mean, I I love that that is exactly right up our alley.
Just like I talked about NetHope, it's like Cyber Nation, you know, Hey, we're gonna, we're gonna have a Cyber Nation community and we're gonna do assessments across the community and we're gonna see how well did you do against your peers. And we can, you know, what would be great is we can see the average. We'll be like, oh, control one, control two, all these things. So, so, so here is stay tuned. I'll get with Dave and Phyllis. We'll, and I'm sorry for the noise.
I'm just writing down what we're gonna do. Um, but um, we'll do a CSAT contest and probably Wes, I would imagine we could get Pax8 behind this because their whole entire stack now is aligned against him from Matt would get behind it. Matt Lee, um, Matt Lee, I was gonna say you had him at CIS Yeah.
And, and what's interesting, I'm just sorry, we'll get back on track 'cause I know we're running out of time, but when Bob put in there about the, um, the tattoo, have you guys all seen the, uh, the, you know, the Peyton Manning Saturday Night Live skit where he's throwing the ball and then forces some kid to get a tattoo of him on the arm?
That, that's what I envision, Bob, that we're gonna have, you know, some you gagged up and bound and we're gonna be doing a, a Right of Boom, uh, uh, tattoo on your arm at, uh, at in Vegas. So stay tuned for that. Thanks for signing up for that, Dave. So kind of you Phyllis, my last question, and I just have to ask it because I think a lot of people wanna know the answer to it is, um, what's your password? I'm teasing.
Um, what from a CIS perspective, is there ever Number one That's the right answer? Is there, is there ever going to be a version nine? Um, and if so, I could see the argument to a, I know I saw you wince at that. Like I could see the argument for like, do we really need another version? Can't we just keep iterating on eight?
You know, I could see that argument, but I guess the bigger question beyond that even is, is there plans to put response and recovery functions more deeply in and because I know it can be hard to test those things, right? Response and recovery are very, um, you know, very people heavy as Sunil has taught us, right? And so it can be hard to sort of truly assess that, but I'm, I'm curious what your thoughts are around all of that. So there is going to be a version nine eventually, and okay.
And so, excuse me. Um, you know, we have had, we've heard the feedback from every organization do not update controls too frequently. It causes too much churn. Just as soon as I start to, you know, um, implement it, you you've updated it. And so we're trying to slow down our roles, so to speak.
Um, I do think that we may have to end up putting more response and recovery and I, and I believe that because of cybersecurity insurance, what I do not want to do ever is put out a controls framework like IG1 in particular and just call it IG1 and not have something in there that would preclude you from getting cybersecurity insurance. Um, I thought about that for 8.1, but we really weren't at that tipping point.
Um, just like you said, Wes, right now, the insurers are still gathering data. There's not like this consistency, there's not a consistent path forward as far as like what it takes to get insurance. Kind of like homeowners, right? Or car insurance. We all know there's tons of actuarial data and so we all know these requirements. Um, but um, for cybersecurity, they're not there yet.
But I can envision there being more around response and recovery and the need for those things to be included in controls. Okay. Um, Phyllis, I didn't leave you any time for questions. I'm sorry I gave you eight minutes, but this has been such a good conversation. No, I'm gonna, I'm gonna, I'm gonna, um, let me bring this up here. 'cause I wanted everybody to see, um, see what this looks like for those that haven't seen it before. Yeah. Can we do, do yes or no in chat?
Have you used CIS, the CSAT, before? Let's start there. Right? And you know that the CSAT Pro, so this is CSAT hosted, which is not multi-tenant, but it's free. So that's cool. And then CSAT Pro is the multi-tenant one. And so that's, um, that's where you need a, a membership, a SecureSuite membership or controls only. Yep. Yeah, and we'll be talking more about that, Phyllis, because I know we want to try to get more MSPs adopting. Yeah.
But, um, maybe just, you know, walk us a little bit through this with Dave and, you know, talk to us about this. Yeah, So Dave, um, he pulled up CSAT and so if you're onboarding an organization to CSAT, who needs to be there, um, because MSPs need to know this as they roll it out on their own, um, networks as well as when they're working with co-managed or mid-market customers, Right? Yeah.
You're gonna wanna have, um, kind of the people who have, who are responsible for that cybersecurity overview over the course of the entire company, but also the people who are gonna be able to help you target into each of these control areas so that you can then assign out to the right folks. And it may take a number of meetings to get all of those different people targeted and, and, and determined who's who's right for each of those specific assignments.
Um, but I think when you're first starting out, you wanna be able to make sure that you're able to show here's the, here's the overarching goal of what we're doing, right? And be able to say, here's IG1 where we're gonna start. Here's the areas that IG1 is gonna cover. And make sure that you have all the right people in the room to address those to start. Uh, and then as you move on, bring more people in. The nice thing about CSAT is as you're assigning people, they stay assigned, right?
So you can keep bringing folks from the organization into the product to help move things forward, um, without necessarily having to go back to everybody every single meeting. It also gives you the ability to target specific groups depending on what you're looking at.
So if you're trying to divide and conquer and say, we're gonna, you know, take control one, we'll take all the folks who this is assigned to, we'll meet with them, we'll, we'll, you know, go in and, and, and do any status that we need to have. Um, but everyone that goes in, they'll go in and you can see here you're basically saying, here are the, here are the, uh, here's the assessment right for, you know, for, for 10.1.
And you go in and you set your options and that's then gonna feed back over into the spider graph on the right, shows you your progress in, in, in real time. Um, and you can see down there where right now, this is unassigned. So if you were gonna assign this to somebody, you give it to somebody, set a due date, send them a message, the system will contact them, and then you'll be able to see who's responsible for what.
So if you do have stuff that's coming up on a due date, that assessment isn't done yet, you have the ability to go in and say, okay, here's where we, here's where we are from a status perspective, and I'm gonna reach out to these folks, make sure that things are progressing. If there's roadblocks that we need to get outta the way, we can help facilitate that as well.
Um, that other one that you were just on the evidence documents, that's where we were talking about, uh, uploading whatever documents, whether that's the policy itself.
If you're defining a policy, if it's things like, you know, if you're talking about automation and you wanna, you know, store automation scripts or, you know, proof of automation or logs or things like that to basically provide evidence that you have implemented this control to a reasonable standard, um, that's where you can put that. And then when we're generating reports, we have the ability to go back and you can pull that if you need to. Yeah.
Really well thought out, especially, you know, Wes, when you think about a co-managed, right, where they'd want their own instance, but if the MSP really, you know, rolls up their sleeves and gets good at understanding how to do these assessments, they could, you know, the ones that are working with the larger organizations, this could be a tremendous, uh, asset for them to drive, you know, revenue, business conversations, um, et cetera.
Yeah, we have, there are quite a few consultants who are using, I mean, CSAT hosted in, in violation of the license agreement. But the point is that, um, that there are, you know, many folks that find the free tool helpful, and they are, they are, they are, you know, providing those assessments for organizations. And, um, I'm, I'm excited that we can provide something to help organizations along their journey.
Yeah, note to MSPs, don't tell Phyllis or anybody at CIS if you're co-managing somebody, Well, you won't get the multi-tenanted version is the thing, so, yeah, No, I do. Yeah. But it's funny, uh, you know, Wes asked, how do you share? And I said, join that workbench community. It is funny how people are like, Hey, how can I get my logo in there? Why won't you? It's like, oh, because this is the free tool. Yeah. Right, right, right. It's really funny.
But Dave, is it, is it fairly ubiquitous in terms of the layout? Just that we can do multi, you know, different organizations, same concept, um, and, uh, uh, you know, so that the MSP can see all customers that they're managing? Uh, yeah, I mean, it's, yeah, there are some, there are some other minor changes. The, the pro version also uses a slightly simplified scoring model, um, that we found that people tend to like a little bit more, it tends to be a little more streamlined.
Um, and I think probably moving forward, we're gonna try to unify those scoring models between the two. Um, probably something that by default is a little bit more simple, um, because ultimately the level of granularity that's available in here is, is useful. But when you start pushing that out to the rest of the organization, it's not as meaningful as being able to say like, yes, we're compliant and we're not compliant.
Getting into real, some of the weeds, um, you know, like we, we have a, we have an informal policy that hasn't been documented versus we have an informal policy that's partially documented. Like some of those different levels, um, just are, you know, not as practical as I think they probably could be. So that's, that's an area where we, you know, there are some differences between the two. Um, and we are sort of working towards unifying them more.
Uh, and then really trying to say, you know, if you're, if you're using the pro version, you know, it is more focused on multi-tenancy. It's, you know, it has some of these other features, uh, but there is more of a unified use to it. 'cause today there are some, there are some, some interesting distinctions around scoring. Yeah, and I'll, I'll close it out with this.
If you are an MSP that has, you know, a PE firm, this is something that you wanna talk to them about, where you can say, look, what if we did security assessments and posture across your portfolio, right? Because if you think about it, that's critical for them. Um, managing risk across their investments. Um, Dave, wow. Thanks for, for joining in Phyllis, as always, it was great to, uh, get your perspective on this. So we'll be talking more. Uh, Wes always great to have you back.
Um, you're being a road warrior I think, these days. So, uh, good to see you. Um, and to our audience as always, thank you all for, uh, timing in, we'll look forward to part two of Chris Garrett's next week. Uh, until then, uh, folks, make it an awesome day and a safe week. Take care everyone. Thanks everyone. Bye Everyone. Thank you. Thanks Steve.