Security Unfiltered

The Intersection of AI and Cybersecurity: Insights from Rhymetec's CTO Metin

December 14, 2023 Joe South

Get set to embark on a journey to the heart of cybersecurity with our distinguished guest for today's episode, Metin, the CTO of Rhymetec. This tech maverick, with a background rooted in computer science, has skyrocketed to the zenith of the field, bringing forth a wealth of insights on data privacy regulations like GDPR and CCPA, and the ever-growing importance of compliance. We unravel the intriguing concept of virtual CISOs and investigate the impact of remote work on cybersecurity insurance premiums, throwing light on the balancing act between remote work and security.

Brace yourself as we delve deeper into the world of Rhymetec, a pioneer in cybersecurity solutions. Metin gives us a sneak peek into how Rhymetec empowers businesses with AI-powered solutions across industries, thereby improving their efficiency and customer experience. But, it's not just about AI; we also talk about the crucial aspect of data privacy and how Rhymetec ensures the safeguarding of their clients' data. We leave no stone unturned in this all-encompassing conversation about cybersecurity, so whether you're a greenhorn or an experienced hand in the field, don't miss out on this captivating episode.


Speaker 1:

I was going to Metin. It's really good to finally have you on the podcast. I think we've been trying to get this thing scheduled for like almost the entire year at this point. I've been since.

Speaker 2:

February.

Speaker 1:

Yeah, yeah, it's been a while. It's been a crazy year for me overall. You know, like had my first kid and she came a little bit early and it was just it's like one life change after another. You know.

Speaker 2:

Yeah, well, it's good to finally see him.

Speaker 1:

Yeah, absolutely. So, you know, Metin, I always start everyone off with telling their background, right, how they got into IT or cybersecurity, and I feel like it gives my audience a really good picture of, you know, not just your background, but that anyone can come into this thing from any background and, you know, really thrive in IT. And so I think it's always beneficial to hear everyone's, you know, different backgrounds, because I haven't heard the same background twice, actually, on this podcast.

Speaker 2:

Yeah, absolutely. I'll start off with a quick introduction here. My name is Metin. I'm currently the CTO at Rhymetec. Rhymetec is a cybersecurity solutions company. We provide virtual CISO services and on top of that we also provide other cybersecurity services like penetration testing, network assessments, internal audits and all of that. And I've been working with the company for the past, now, six years. So I've kind of been working at Rhymetec since day one with Justin, the CEO, and before that I was actually working as an IT specialist. I have a computer science background, so after kind of working through IT, eventually I got into cybersecurity and compliance there.

Speaker 1:

Yeah, that makes sense. So, Rhymetec, I guess that's an interesting area. I've had on a few other people previously, it was a long time ago, that did virtual CISO functions, but can we talk a little bit about that? Because I haven't seen that as much in the field. I haven't seen that as much as it was promoted when I was trying to get in the field, like 10 years ago at this point, right. So it seems like that landscape has completely changed in the offering and what it's like to be a virtual CISO. Can we go over that a little bit?

Speaker 2:

Yeah, and I think it's really because compliance is becoming a much bigger deal than it used to be. Like we have all these new data privacy frameworks like GDPR in Europe. When it was released a couple of years ago, it was chaos. Everyone was just trying to figure out, like, what to do for GDPR, what those requirements are, because data privacy wasn't really a thing that was legally required before, and now we're seeing some states in the United States, like California, releasing CCPA regulations. So those are just some of the examples there.

Speaker 2:

I think that compliance and legal regulations around data privacy and, like, customer data have been increasing, and because of that, these organizations, whether they are small or large, need to become compliant with these frameworks.

Speaker 2:

I feel like back in the day, only very large enterprises really needed to do security compliance, but now, even if you have, like, one employee, you're a startup, you're a very small organization, you still have to comply with these regulations, because there's just no other way to get around that. However, small companies don't need an entire security team of like 10, 15 people, and they may not even need one person full time. So what we're doing is we work with startups, we work with enterprises, we work with mid-sized businesses, and we provide them a virtual CISO, and essentially this person would be an extension of those organizations' cybersecurity team and, in some cases, the only person who is really responsible for their cybersecurity program. And we really just do this because these businesses may not have enough knowledge of the compliance frameworks that they need to comply with, or simply they don't have the resources to create and maintain a cybersecurity team, so that's why they hire us and outsource the service.

Speaker 1:

Hmm. So what does it take to be a virtual CISO? You know, do you have to be a full-time CISO at another company to get the experience to be able to do it? Are there different specialties? How does it work?

Speaker 2:

I think compliance knowledge is absolutely necessary, because we work a lot with audits, we conduct a lot of assessments based on various frameworks. So I think having some type of baseline knowledge of cybersecurity frameworks is very important, but it is also important to be technical enough that, when you are working on implementing security controls based on these cybersecurity frameworks, you know how to implement them on the customers' cloud hosting providers, on their physical servers, databases. So I think a combination of technical knowledge and compliance knowledge is necessary in order to succeed in this role.

Speaker 1:

Hmm, yeah, that makes sense. You know, security is such an evolving field that I feel like even just analysts and engineers have to have such a broad range of experience now and skill sets. I mean, it's becoming difficult, you know, like, even for someone like myself. You know, I was at a place that was moving more into containers. Well, that's like an abstraction layer on top of an abstraction layer, right, and that makes things more difficult. It's a whole new, you know, kind of language that you're learning of how to, you know, administer and maintain and manage, you know, that whole deployment, and you know, I'm here 10 years in the field and I'm still learning these different skills, right?

Speaker 1:

So how do you stay on top of all the different changes, especially in the compliance area? Because I mean, here in America, right, we have, you know, 50 different states. Each state can have its own compliance regulation that someone would have to comply with, especially if you're a nationwide company. Like, it's extremely easy for startups, you know, small startups, to become nationwide companies, you know, overnight, to actually have customers in these other states. How do you stay on top of it?

Speaker 2:

We don't expect one person to have knowledge of all of these compliance frameworks. I think having knowledge of some of the more standardized frameworks is very helpful. For example, we work with implementing NIST 800-53 controls, which is really a standard that was released by the US government for basic cybersecurity controls. When we're looking at other frameworks, they utilize controls from framework standards like NIST 800-53, NIST CSF, NIST 800-171. I think that having knowledge of some of these more generalized frameworks is very useful so that when you're working with other compliance standards, you're not unfamiliar with what the requirements are.

Speaker 2:

There is a lot of overlap. One of the most common cybersecurity frameworks that we implement is SOC 2, and then after that comes ISO 27001. Even these two frameworks have so many overlapping controls that just implementing one of them can help implement up to about 40-50% of other frameworks as well. Having a good baseline is very important because once you have a good baseline, it will be a lot easier for you to implement other frameworks, because there is a very likely chance that there are already a lot of overlapping controls that you don't have to do additional work on. In some cases we'll implement more strict controls, like PCI DSS compliance, or we'll work with our customers to implement FedRAMP, which is a government requirement if you're working with the US government. Implementing those security controls, some of those customers can easily pass a SOC 2 audit or an ISO 27001 audit without really doing any additional work, because they're already covering almost 100% of the controls.

Speaker 1:

Yeah, that makes sense. With so many different controls out there, whenever I'm asked, where do you even start, I always recommend that we start with a least-privilege model and that we try to work towards the NIST recommendations. At some point there's going to be a good amount of overlap, and then you just start knocking out the things that are the outliers, that aren't in the overlap of the compliance framework that you need to meet. That's probably the only way to do it now, because everyone needs to be compliant with so many different frameworks. There are probably frameworks that you don't even know that you need to be compliant with, that you are not compliant with.

Speaker 1:

It's a mess that, I feel like, doesn't get enough attention outside of security. What are some good ways of actually enforcing this compliance within an organization? Because as organizations get bigger, they have more people, their teams grow, the applications that they're developing and managing are increasing, and it's easy for these recommendations and compliance requirements to get pushed to the side. Do you recommend that companies enforce strong policies and get those built out and in place and regularly touch base with their teams, or are there other ways and methods of doing it that you've found to be effective?

Speaker 2:

I see compliance as a good starting point and a good baseline for any organization that wants to have a good cybersecurity program. I do not see it as the finish line. I think that just because you are compliant with the framework, it doesn't mean that you're secure from cyber attacks and that you don't have to do anything now. There is still absolutely a lot more work involved. Sometimes we need to implement very strict security controls for our customers that aren't required by the compliance frameworks, just because it's a good security practice. I think that organizations need to use compliance standards as a good baseline, but they shouldn't just use that as the only way to build their cybersecurity programs.

Speaker 2:

A good cybersecurity program consists of a good compliance standard, frameworks that you're complying with, and on top of that, good risk management controls, good risk assessments, internal audits, regular gap assessments and enforcement of those security controls. For example, SOC 2 is a very weighted standard in my point of view. You can define the controls based on the organization-level requirements. I can say something like, I want my password policy to be six characters and that's it. I don't really require any other special characters, uppercase, lowercase. I don't have to do that. As long as that's what it says in my policy, SOC 2 can be like, okay, you're good on this control. Now, it doesn't mean that you are secure. You may need to do some additional work to update that password policy so that you're actually following good, secure password controls.

Speaker 1:

Yeah, I've also experienced that back and forth on it as well, where you're pushing a compliance standard and then the teams that are actually deploying it and meeting the standard, it's lacking. It's lackluster in what it provides in terms of security. Saying that you're compliant with SOC 2 doesn't really mean that you're going to be able to protect yourself from a wide variety of cyber attacks that can happen. I think that's also something really important that I guess small companies would need to hear more than the bigger companies. They typically have that down. They already know that.

Speaker 1:

But the smaller companies, and I think back to when I was working for a smaller company, they were very averse to deploying any security. One, because of the budget. Two, because they felt that they were meeting the bare minimum. But we had customers that were expecting not just the bare minimum, they were expecting top-tier security. I was the person that was kind of fronting that, where I'm the one that's dealing with all the blowback. I'm the one that's dealing with the complaints at 2 AM because this security thing isn't enabled and they're missing their requirements, maybe internally or their own compliance requirements. It's a difficult game to play, especially when you're a small company, because you probably don't have the head count that you would need to actually enforce some of that. Do you also provide engineering services around that to be able to actually assist in deploying some of the controls?

Speaker 2:

Oh, absolutely. We not only conduct gap assessments, internal audits and risk assessments. On top of that, our team may need to work with the customers to actually implement those controls on their hosting providers, on their technical systems. So there's definitely some engineering effort involved there. In a lot of the cases, we work with the software engineers that work at our customers' companies, so that also happens a lot, but we absolutely have to provide some type of engineering resource in order to fully implement those security controls.

Speaker 1:

Yeah, it has to be more of a full-suite offering to actually have it make sense for the smaller companies. Where do you see this space going and growing over the next five years? Where do you see the virtual CISO space going? Do you think it's going to still be evolving and growing? Do you think that there will be a different way of approaching this, or what are your thoughts on that?

Speaker 2:

I think it's definitely up and coming and I think it'll be required more, because I think the main reason why companies need this level of service is because of the increased number of compliance frameworks. Now their customers are probably requiring them to comply with these frameworks in order to work with them. So, yes, there are definitely some financial aspects of that involved, but in a lot of the cases, when you become more compliant with these frameworks, you open up the markets to your organization more. Like, for example, we've just talked about FedRAMP compliance. It's one of the government compliance frameworks. If you want to work with a government agency and you need to process their data, you have to be FedRAMP compliant.

Speaker 2:

Some other government agencies may require things like StateRAMP and other frameworks. However, once you are compliant with those frameworks, that means now other government agencies can also work with you. So you're really opening yourself up to the market more and expanding the number of customers that you can reach. Another example would be HIPAA compliance. There are a lot of healthcare organizations out there and there are also other technical organizations, like SaaS products, that offer services to healthcare organizations. Without becoming HIPAA compliant, you really shouldn't be working with those healthcare organizations because you don't have the proper security controls to secure electronic protected health information. But once you do become HIPAA compliant, then you are able to actually work with those organizations, and that can bring more customers and help your company grow faster.

Speaker 1:

Hmm, yeah, it's an interesting balance, because you have to be able to open yourself up, to be ready for different opportunities, as well as balance that with not putting undue stress on your team or on your organization in ways that you'd fail or it takes too long. Now the opportunity isn't the same. How long do you typically notice organizations taking to come up to compliance? Maybe what's the longer compliance standard that it takes for different companies to come up to compliance with? What are some quicker ones? The reason why I say that is because in security, when there's a really large problem that you have to solve, typically where you start is the low-hanging fruit. What are the things that I can handle in the next seven days that'll make maybe 40 percent of a difference? Get me 40 percent of the way there. Are there compliance standards that you recommend like that, or is it something else?

Speaker 2:

I don't know if I can recommend a compliance standard, because I think it all depends on the regulations and really your customer network, like what type of customers you have, what laws really apply to you.

Speaker 2:

I always tell my customers, like, before you really start building your cybersecurity program, you need to look at your customer requirements and you need to look at the laws and regulations that apply to you, so you really understand what you need to do in order to better service your customers. We've had many customers that come to us because they needed HIPAA compliance, and these organizations were already working with healthcare institutions without being HIPAA compliant. Sometimes they just don't know that they need to become HIPAA compliant. They just know that they need to do better in terms of security. But understanding those laws and regulations is very important because, in some cases, if they fail to comply, they can have very negative consequences, both financially and legally. So I kind of see cybersecurity as also insurance to protect our organizations from these types of incidents. So you're not, again, just being compliant. You can also prevent any issues regarding compliance happening to your company and you can also prevent other cyber attacks, because that compliance framework is going to be a good baseline to build a better cybersecurity program.

Speaker 1:

Yeah, from what I understand, I guess the cybersecurity insurance premiums almost across the board doubled or tripled overnight this year, and that's a crazy amount of money that you're already paying for this insurance for it to double or triple overnight when it's the exact same posture. Companies don't change their security postures overnight. It happens over a couple of years of working on it, and it's just crazy. I've heard of companies actually getting rid of the cyber insurance and almost underwriting it themselves and having an underwriting department actually do that for them, which is something interesting, and I feel like that field in that area is still evolving, because the premiums got so high that companies are like, okay, it's just cheaper to form our own department and underwrite this thing.

Speaker 2:

Well, I think there are two things that are driving that price increase. When it comes to cyber insurance, everyone has remote work. Ever since COVID started, people have been remote. Even the organizations that require employees to come in person, they're only doing that once or twice a week, so it's becoming very fair. I live in New York City. I don't see people go to the office anymore. I travel to San Francisco a lot and downtown is like a ghost town. People are just not there.

Speaker 2:

Everyone is remote, and I think that is already introducing a lot of cybersecurity threats to these organizations, because now their employees, the laptops and other systems that they're accessing, they're being accessed from all around the world. So I think that's definitely increasing the threat levels out there, and I think that's one reason why these cybersecurity insurance companies are probably increasing their premiums. But the other thing is we now have artificial intelligence that's becoming more and more common, not just in ChatGPT and other generative AI tools, but now AI can also be used as a cybersecurity threat. It can be used for cyber attacks, and this is going to become probably just worse and worse. That just probably means that we also need our own AI that protects us from these types of cyber attacks rather than just attacking.

Speaker 2:

I always see the positives and negatives of artificial intelligence, but I think that because these things are happening more, we're seeing more data breaches, like that recent Samsung data breach that was caused by, I think, one of their employees, like, using ChatGPT. So there are just a lot of cyber threats out there, and I think because of these two things the cybersecurity insurance premiums are probably going to increase more, but it's really increasing because the risk level is higher than at any other time now. Any company can have cybersecurity incidents, and we do training on this. We try to catch up to all of the vulnerabilities out there, remediate them and also implement security controls to really protect our customers from these emerging cyber threats. But I feel like from now on it's just going to get worse unless we do a better job of protecting ourselves.

Speaker 1:

Yeah, that's a really good point with the rise of AI, and I didn't even think about it like that. With the rise of AI and how quickly it's evolving, I guess insurance companies would be seeing that and they're getting extremely worried because it's an unknown risk, and I think that's a great thing. With AI, of all things, it's a completely unknown risk that can really cause some great damage to an organization if it's used in the wrong slash right ways. So that is a great point, quite interesting. And then the working remote part. I didn't even realize that that would increase insurance premiums.

Speaker 1:

Maybe that's why some of these companies are pushing so hard for workers back in the office. Recently, Amazon came out and said that they're going three days in the office, two days from home, and then it was also released in an internal memo that they said that it would take five years to get fully back into the office. So it seems like they're not stopping at the three. Three is just a starting point and whatnot, which adds complexity, right, because now I think as a worker, as an individual contributor, it's coming to my mind, right. It's like, well, what did you do during COVID? You were remote, so what's the problem with me being remote now? But looking at it from an insurance premium perspective, there is a risk to that if you don't have the proper security stack in place, and a lot of companies don't want to rip out their existing security stack and augment it with some new technology. That's typically very scary for older companies, that's for sure.

Speaker 2:

Yeah, I've been seeing a lot of these insurance companies also send out additional security questionnaires to companies now, and they're basically asking them about their security posture. Some of them want to conduct an audit for those companies to verify that they actually have those security controls in place. And I don't know if AI and the remote workforce, they're definitely indirectly impacting this, because they're one of the reasons why there are more security incidents and data breaches out there now.

Speaker 1:

Yeah, that makes sense. Well, Metin, I think we're coming to the end of our time here. Before I let you go, how about you tell my audience where they could find you if they want to reach out, and where they could find Rhymetec if they want to learn more about what you guys are offering and potentially reach out to get more information?

Speaker 2:

Yeah, absolutely. You can always send out a contact us form through our website, which is rhymetec.com, r-h-y-m-e-t-e-c.com. And yeah, one of our salespeople will be approaching us from there, and thank you so much for having me, Joe.

Speaker 1:

Yeah, absolutely. Well, thanks, and I hope everyone listening enjoyed this episode. Thanks, everyone.

Chapter Markers:
Virtual CISOs in Cybersecurity Compliance
Rising Cybersecurity Risks and Insurance Premiums
Finding Rhymetec