ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

Compliance as a Service

When my kids were small, there was this torturous jingle on Sesame Street that combined the letters of the English alphabet into a jumbled melody. If you parented little ones when I did, then you can sing along with Big Bird right now in your head: ‘ABC-DEF-GHI-JKL-MNO-PQR-STU-VWXYZ, I wish I knew exactly what it means.’ Say what you will about that bad song, but Big Bird made a good point: The letters of the alphabet can only be understood with proper context.

Which brings me to the tangle of acronym-laden letters underlying modern cyber security compliance. Here is how Big Bird would sing a friendly jingle of their concatenation: ‘PCI-DSS-CSA-STA-RGD-PRH-IPA-AHI-TRU-STI-SO2-700-1MA-RSE-P2P-EPA-DSS-SOC-1SO-C2S-OC3, I wish I knew exactly what they mean.’ Maybe the good folks at ISACA should consider hiring a Big Bird impersonator to sing that song at their next security audit conference.

I had this crazy alphabet soup of security compliance in mind while chatting last week with the principals of Fairfax-based ControlCase. My good friend Norm Laudermilch recently joined the company as their COO, and I was keen to understand the team’s plans. After two enjoyable review sessions, I’m convinced that their compliance-as-a-service solution can help enterprise teams deal with the complexities of modern frameworks. Here’s what I learned:

“Our compliance-as-a-service platform ingests relevant telemetry from the enterprise and then automates their security framework assessments,” explained Kishor Vaswani, CEO of ControlCase. “We provide managed services to our customers using technology tailored to collect the type of information available on premise or in the cloud, and to then support the growing challenge of audit, assessment, and regulatory review.”

The company principals have the right backgrounds for this type of work. Founded in 2004 by former EY consultants, ControlCase has grown to include several hundred experts supporting several hundred clients across the world. If you have any background in managing a consulting practice, then you know that this is not an insignificant achievement. ControlCase is a substantive player, and the addition of Laudermilch is quite a grab for them.

The ControlCase solution can be described in terms of five related components: (1) Compliance-as-a-service, (2) managed compliance services, (3) certifications, attestations, and assessments, (4) enterprise data security ratings, and (5) compliance scanning. Obviously, all these offerings are centered on their platform, which involves an appliance deployed with connectors to existing enterprise security systems such as the SIEM and vulnerability management tools.

“We turn your SIEM and VM tools into compliance engines,” Vaswani explained. “We do this by orchestrating the available information into an automated framework, and we integrate with workflow support by connecting with GRC platforms such as Archer.” I asked about supported frameworks, and that’s when I was treated to the alphabet soup of compliance mentioned above. ControlCase will have you covered, whichever frameworks you are required to meet.

I asked the team about cloud, and they went into considerable detail about their AWS integration. Apparently, they have reduced roughly 60-70% of the required compliance work for their AWS customers to click-button processes. The team explained that they are now building similar automation for several other cloud service platforms, and we all agreed that this is an important initiative.

The reality in our industry is that enterprise compliance obligations are growing, not shrinking, and this is neither welcome nor helpful. Once you establish strong compliance with a proper framework, I believe that should be sufficient, just as one home inspector with a clipboard is enough to check your home; you do not need to hire ten inspectors with ten clipboards. But set aside the logical analogies: compliance will grow and needs to be managed.

For this reason, the ControlCase appliance and associated set of managed and professional services look to be supremely useful for modern businesses. And I suggested to the ControlCase team that the green field of smaller and mid-sized companies, many of which are seeing exponential growth in their compliance obligations, will provide an excellent growth opportunity for their platform and services.

My advice would be to contact the fine ControlCase management team. Ask them to take you through their solution offerings, and if you have small children, then listen to the Big Bird song in advance of the discussion: It’ll remind you of the plethora of frameworks that need to be addressed. And as I always request, please make sure you share your learnings with the rest of us here.


Guest Author Bio:
Dr. Edward G. Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of major organizations across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016. He was elected an AT&T Fellow in 2010.

Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-nine years, where he has introduced over three thousand graduate students to the topic of information security. He is also a Research Professor in the Computer Science Department at the NYU Tandon School of Engineering, and a Senior Advisor at the Applied Physics Laboratory at Johns Hopkins University. He is author of six books on cyber security, and dozens of major research and technical papers in peer-reviewed journals and conference proceedings.

Ed holds the BS degree in Physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology and is a graduate of the Columbia Business School. He holds ten patents in cyber security technology, and he served previously on the Board of Directors for M&T Bank and the NSA Advisory Board.

Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy. He and his wife Lee live in New Jersey and are the proud parents of three wonderfully successful Millennials.

