IT support is tricky for most businesses, especially for those not in the IT business. Thus, IT is a cost of doing business and a high cost at that. High costs drive down profits. Less profit makes it harder for businesses to invest in the products or services that they’re making and selling. Retaining IT staff is even more difficult. This is due to the extremely low unemployment rate and the higher-than-average annual salary. These two factors almost guarantee that IT staff hired by non-IT businesses will eventually get a better offer some place else. To mitigate the problem with IT staff, businesses have turned to outsourcing to managed service providers or external service providers. By doing so businesses are giving up the information necessary to make well-informed choices, instead choosing to trust the IT service providers they’re buying from. This asymmetry of information creates a market phenomenon called a market for lemons. A market for lemons phenomenon exists when sellers hold more knowledge than buyers. Because buyers are price-sensitive and are only willing to pay a certain price the market becomes distorted such that high-quality sellers are gobbled up quickly and the market is left with lemons. In sum, the market for lemons works to drive quality out of the market.

Today’s guest is Andy Paul. Andy is an engineer, data privacy professional and a Certified CMMC Assessor from Gray Analytics with more than 15 years of experience helping firms design, implement and secure everything from globally spanning networks to small boutique and highly specified and regulated networks. During our conversation, we discuss the current situation in the IT services market, the market for lemons phenomenon, how the CMMC ecosystem is setup to alleviate the problems that markets for lemons introduce, and how you can outsource confidently.

Resources:

Links:

· George Akerlof – The Quarterly Journal of Economics, Vol. 84, No. 3 (Aug. 1970), pp. 488-500

· Cyber AB Marketplace

Vulnerabilities are everywhere and on every IT asset within an organization. This makes vulnerability management one of the most important – if not the most important – risk mitigation activities an organization undertakes. But, the complexities inherent in many organizations combined with the sheer number of vulnerabilities leaves many not knowing where to even begin when it comes to vulnerability management. On today’s episode, we’ll demystify vulnerability management by defining some context, outlining an effective vulnerabilities management program, discussing potential challenges, tying it all to compliance, and decoupling vulnerability management from the inherent complexities.

Today’s guest is Andrew Overmyer, Security Assessor, subject matter expert, and general cybersecurity jack-of-all-trades at Kratos. During our conversation, we distill this often-nebulous concept into the concrete tenets necessary to build an effective program to drive vulnerability remediation efforts.

Resources:

· The Core Tenets of Vulnerability Management

o Asset Management: a tool or set of tools accompanied by a process that build and maintain an accurate asset inventory; an asset inventory must include but not be limited to network segments and IT assets across all types

o Patch Management: a tool or set of tools accompanied by a process that supports identifying and applying patches

o Vulnerability Scanning: a tool or set of tools accompanied by a process that support identifying vulnerabilities on IT assets; vulnerability scans must be run with credentials, to the greatest extent possible, to fully identify vulnerabilities present

o Compliance Scanning: a tool or set of tools accompanied by a process that support identifying misconfigurations on IT assets; misconfigurations are deviations from a defined baseline (e.g., Center for Internet Security benchmarks)

· Vulnerability Scanning Schedule

o Daily: Asset scans to identify assets on the network; these are not vulnerability scans, but rather simple scans to identify assets on the network

o Weekly: Vulnerability scans of all assets on the network

o Monthly: Compliance scans of all applicable assets on the network

· CVSS: Common Vulnerability Scoring System Version 4.0

· EPSS: Exploit Prediction Scoring System

· SSVC: Stakeholder-Specific Vulnerability Categorization

The number of compliance frameworks is seemingly endless. The lack of standards is problematic enough. Even more problematic, however, is how the compliance frameworks overlaps with one another. When it comes to International Trade and Export Compliance, the problem is overlap is accentuated by the fact that there is not a definitive ‘framework’ for export compliance. Nearly everything is determined on a case-by-case basis.

Today’s guest is Sara Hougland, Director of Trade Compliance here at Kratos. During our conversation, we cover export compliance at a high level, discuss the concept of “due diligence”, distinguish ITAR from EAR (and vice versa), and talk about the specifics of export compliance. As mentioned above, ITAR compliance is not a one-size fits all approach. Sara brings her extensive knowledge and experience in the field to provide great information on what, exactly, “ITAR compliant” means and how it benefits an organization.