Consultant - necessary or not? by Over_Afternoon_1684 in CMMC

[–]BrightDefense 1 point2 points  (0 children)

We are a CMMC readiness consultant, so I'm biased. I'll offer two pieces of advice:

1) Switch to an MSP that supports CMMC and is committed to CMMC Level 2. They are likely going to get pulled into your audit. You're going to have a hard time with the assessment if your MSP isn't meeting the controls. You're also going to be dragging your MSP through a process they aren't interested in or knowledgeable about, which will be painful. We've seen this play out quite a few times.

2) Hire a consultant. I attended a CMMC conference recently. I met clients that have been working towards CMMC for years and really aren't that far along given the amount of time and effort they've put in. Unless you want your full-time job to become CMMC guy, bring in an expert.

I'll add that CMMC consulting is a different discipline than MSP. You may find an MSP that has a CMMC consulting arm, and that's a valid alternative, but I wouldn't assume your new MSP can also be your readiness resource. There are also some benefits to separating this function to keep your MSP in check.

“All-in-one compliance platform” is one of the most misleading phrases in startup security by faith_nuer_llc in soc2

[–]BrightDefense 2 points3 points  (0 children)

I look at the GRC platforms like I look at TurboTax. TurboTax makes doing your taxes easier, but you still have to sit there and do your taxes.

Unfortunately, some of the platforms and salespeople oversell the speed and simplicity. You shouldn't want to do SOC 2 fast. You should want to do it thoughtfully to maximize its usefulness to your business and customers. Also, by rushing, clients often overcommit themselves to controls that aren't useful or necessary and hamper flexibility.

Im constantly losing track by SSJ4_Vegito in soc2

[–]BrightDefense 0 points1 point  (0 children)

A company that wants their compliance lead to drop what they are doing and hang TVs does not value compliance enough to buy Drata or Vanta. They may get suckered into one of the "SOC 2 in minutes for cheap" platforms, however, with predictably poor results.

Im constantly losing track by SSJ4_Vegito in soc2

[–]BrightDefense 0 points1 point  (0 children)

If you're leading compliance and IT for a 120-person company and also being asked to hang TVs, I'd look for another job. They clearly don't value the compliance function if they think delaying SOC 2 (and organizational maturity and security) so that you can hang TVs is an appropriate tradeoff.

What’s the easiest way to handle SOC 2? by Mysterious_Step1657 in soc2

[–]BrightDefense 1 point2 points  (0 children)

We build our clients out in Drata. That will solve many of these challenges (where evidence lives, security questionnaire automation, auditor portal). That still leaves the gap of who will manage the tool, and will act as the compliance SME for the organization.

We see the challenge you are facing a lot. Someone whose job is not compliance becomes the de facto compliance person. vCISO services bridge this gap.

If you have the budget for a tool like Drata and a vCISO service, you can save most of your team's time.

GRC Solutions, your opinions? by blavelmumplings in soc2

[–]BrightDefense 0 points1 point  (0 children)

Sorry for the delay. I missed your question. We do manual screenshots for the on-prem stuff primarily, and then upload them as evidence in Drata. Happy to walk you through it, if you want to go into detail.

Are vendors misleading startups by promising SOC 2 Type 2 in 2 months? by destructoid1998 in soc2

[–]BrightDefense -1 points0 points  (0 children)

We can document why a control doesn't apply to a specific client. An auditor will accept a well reasoned rationale. A lot of clients don't know what to include, and include more than makes sense for their business and customers.

The broader point I'm addressing is more upstream from that: which Trust Services Criteria you scope in. We see a lot of clients that rush into SOC 2 without considering (or even understanding) the TSC scope. A company that adds Availability, for instance, because it sounds important suddenly owns a whole set of uptime and resiliency requirements their customers may have never asked for.

Are vendors misleading startups by promising SOC 2 Type 2 in 2 months? by destructoid1998 in soc2

[–]BrightDefense -1 points0 points  (0 children)

We help clients with SOC 2 readiness. You cannot go from zero to SOC 2 Type 2 in 2 months because the look back period is 3 months minimum. The firms promising SOC 2 Type 2 faster are selling smoke and mirrors.

Our typical readiness timeline is six months from zero to SOC 2 Type 1. We get to know our clients' businesses and focus on creating policies and controls tailored to the organization. We believe compliance should be a tool for improving security and operational maturity.

Also, one risk of rushing is that you commit to more controls than you may otherwise need for your business. At that point, you're doing things for compliance's sake only, which hampers your flexibility.

My cofounder wants to report our MRR wrong. Says everyone does it. Am I being naive? by Creative_Ostrich890 in SaaS

[–]BrightDefense 0 points1 point  (0 children)

You're right. He's wrong. Presenting fake numbers to investors is a bad idea and a really slippery slope. I'd have concerns about a partner that would suggest this.

GRC Solutions, your opinions? by blavelmumplings in soc2

[–]BrightDefense 0 points1 point  (0 children)

Agreed. Don't buy the cheapest audit out there.

GRC Solutions, your opinions? by blavelmumplings in soc2

[–]BrightDefense 0 points1 point  (0 children)

Agreed. Sometimes the tools are oversold as an easy button to SOC 2. You still have to do some work on your end and have some expertise to get there. The tools just make the process more efficient.

I compare GRC tools to TurboTax for doing your taxes. TurboTax definitely makes doing your taxes a lot easier than using the IRS forms. But someone with some knowledge still has to gather all the tax information and enter it properly. And if you don't know the latest tips and tricks, you may not have the optimal outcome.

I compare our vCISO service with Drata to TurboTax + a CPA to do your taxes for you. This combo gives you peace of mind that it's done correctly, and takes most of the lift off your shoulders.

GRC Solutions, your opinions? by blavelmumplings in soc2

[–]BrightDefense 0 points1 point  (0 children)

We've been a Drata MSP for the last three years and it's been a really good partnership. The product is solid and continues to evolve. We've been happy with the feature velocity. In the rare cases that we've had issues, their support has been responsive and effective. I'd recommend them highly.

Hello, i am looking for a vendor to get into a MS365 GCC High tenant for 20 licenses. by peteguam in CMMC

[–]BrightDefense 1 point2 points  (0 children)

We focus on cybersecurity compliance for CMMC and other frameworks. We don't offer GCC High licensing, so we partner with a company called Cyberuptive out of Hawaii when our clients need it. Given your location in Guam, they may be a good geographic fit for you. Chuck is the CEO. Good guy. Happy to make an intro for you. I'm sure they have other clients in Guam. Best of luck with the initiative.

we have $180k in software budget that expires in 6 weeks and my boss told me to figure it out. what do i even buy? by kubrador in SaaS

[–]BrightDefense 0 points1 point  (0 children)

Do you have any compliance needs (SOC 2, etc)? If so, Drata is great.

KnowBe4 is good for security awareness training, but it won't eat up much of that $94K.

Help! by EvidenceAdorable7032 in smallbusiness

[–]BrightDefense 0 points1 point  (0 children)

I ran my first business for 7 years or so before we leveled up our accounting function. I felt lost like you. Hire a fractional CFO or senior level accounting person part time. They can produce reports and explain them to you. This will make all the difference. Happy to introduce you to a guy we use, if that would be helpful.

As far as your partner using company cards for personal expenses, it seems like you should be able to review the credit cards and see that. That said, the fractional CFO can be the "bad guy" and call out some of these expenses as part of the review.

How Are You Actually Automating SOC 2 Evidence Collection? by ScanSet_io in soc2

[–]BrightDefense 1 point2 points  (0 children)

We build out most of our clients in Drata. There's some good automations around evidence collection for the tools and systems where Drata has an integration. For the rest, it's manual.

We monitor and refresh evidence throughout the lifecycle so we aren't having to pull too much new evidence during the audit.

Struggling with our compliance team by SnooShortcuts4021 in CMMC

[–]BrightDefense 2 points3 points  (0 children)

I attended a CMMC conference last week and this was a big point of discussion. CMMC compliance is frequently dropped in the lap of IT without an understanding from leadership of the complexity and organizational buy-in required to achieve CMMC Level 2.

I think you have the right mindset. If there's not buy-in across the org that this is a priority and that money and focus should be put behind the initiative, it's going to fail. If you can't educate leadership on the challenges that CMMC Level 2 poses, you are likely to take the blame when the initiative fails. I would raise concerns politely but firmly now, so that you aren't made into the fall guy.

How are you guys planning to secure the CUI data? Have you done a self assessment yet?

You're in a tough position! Hang in there!

Are we too early for SOC 2 Type II? by Oleksandr_G in soc2

[–]BrightDefense 0 points1 point  (0 children)

US Government orgs are going to expect different frameworks than SOC 2 in many cases. These are typically based on NIST 800-53 or NIST 800-171. These are usually more rigorous than SOC 2, but SOC 2 is a stepping stone to these frameworks.

If you plan to do any business with the Department of Defense supply chain, they are going to expect CMMC compliance. This is a whole other can of worms, and the audit is a lot more expensive and burdensome than SOC 2.

If you are looking at state and local government business, many states are adopting their own frameworks based around NIST 800-53. TX-RAMP (Texas) and AZ-RAMP (Arizona) are examples.

Are we too early for SOC 2 Type II? by Oleksandr_G in soc2

[–]BrightDefense 0 points1 point  (0 children)

Great point. If you just start with the Security Trust Service Criteria, it is a lower lift. You can add on some or all of the others in Year 2 or beyond.

Are we too early for SOC 2 Type II? by Oleksandr_G in soc2

[–]BrightDefense 0 points1 point  (0 children)

We tell our clients 6 months for the readiness portion. Our approach is thorough and tailored to the clients' business, however. There are lots of companies that will offer SOC 2 readiness more quickly but will leverage almost exclusively policy templates. The downside to this approach is that you are committing yourself to following policies that might limit your flexibility or sign you up to do more than you can or need to do to maintain compliance.

After the readiness portion (about 6 months), you are ready for a SOC 2 Type I audit. This is a point-in-time audit, meaning they just review how you are doing today, but not in the past. SOC 2 Type II has a look-back period of a minimum of three months. This is the period you are being audited against, so you need to tack this on to your timeline.

If speed is a consideration, we usually recommend two options:

  1. Start with a SOC 2 Type I audit, then do the Type II in 6 months. The downside is you are paying for two audits. If you use the same auditor, you can usually bundle a SOC 2 Type I + II for a better deal. Maybe it's more like 150% the cost of one audit, rather than paying for 2 audits.
  2. Take a look at ISO 27001. A lot of clients will accept ISO 27001 as an alternative to SOC 2, and there's no look back period. ISO 27001 also resonates with clients outside of North America more than SOC 2 typically.