Validating Your Cybersecurity Preparedness with 405d HICP (Video Transcript)
Jen Ryan: Thank you very much, everybody, for joining today. I’m Jen Ryan with Tausight, and today, welcome to the webinar on Validating Your Cybersecurity Preparedness with 405D HICP, HICP meaning Healthcare Industry Cybersecurity Practices. We’re delighted to have at the moment two, but hopefully shortly three experts, IT security experts in the industry, join us to talk about ways that you can help reduce risk and increase resilience at your healthcare organization. So I know I’m going to learn a lot today and I hope you do as well. The session’s designed to be interactive. So please, if you have any questions, put them into the Q and A, and we will address them. We’re also recording this session so we can send you a link to it at the end. And if you’d like to share it with your colleagues, terrific. So before we jump into the questions, I’d like to ask the panelists to introduce themselves and to share why 405D is relevant in the work that they’re doing today. So David, would you like to go first and introduce yourself?
David Ting: Good afternoon and thank you for being on this webinar, I’m looking forward to talking to you. I’m David Ting, I’m the CTO and founder of Tausight. Many of you will know me as the CTO and co-founder of Imprivata from a long time ago. I started Tausight about three and a half years ago to address the issue of how do we give you, the healthcare industry, better visibility to what goes on across your endpoints and across your system, specifically around PHI and the risks to it. All in a manner that will be in alignment with the best practices for cyber hygiene as prescribed today by the HICP best practices recommendations coming out of the 405D. So, I’m really looking forward to talking more about it and getting questions from the audience. I will turn that over to Will.
Will Long: Thank you, David and Jen, and thanks for having me today. I’m Will Long. I’m chief security officer ADP for First Health Advisory. I’ve been at First Health Advisory about a year and a half. We’re a firm that helps healthcare organizations all over the country with implementing better cyber programs, and using NIST and 405D obviously are important frameworks in those programs. Prior to that, I spent about 21 years on the payer side of the industry in IT and cyber work. And after that, I worked at Baylor Health and Baylor Scott & White, and I was also the CISO at Children’s Health in the North Texas area. Thanks again, Jen.
Jen Ryan: Hopefully we’ll have Aaron Miri joining us soon. I know he’s trying to join, so let’s get started. I think the first question we were going to direct to Will anyway. So let’s start with a quick overview of 405D and the task group itself, and what is HICP, the acronym that people talk about so much. There are many different interpretations out there, and there’s some confusion over which 405D HICP and how that relates to NIST. So Will, you’ve been doing this for years as a CSO. Maybe if you could take a moment to explain your thoughts on NIST, 405D, the task group itself, HICP, how they all work together, how they relate, that would be very helpful.
Will Long: Thank you, Jen. I think they work together and relate very well. NIST of course has been around quite some time and is a very comprehensive framework that you can build and measure your cyber program against, a very comprehensive set of controls. And HICP, or H I C P, was put together several years ago and it really targets – you can think of it as, the way I think of it is, a more tactical framework for especially smaller and mid-size organizations. It works really well as a tactical framework to really focus on the major threats to the organization. And if you look at HICP and you see the five top threats and you look at that focus, the focus around email, ransomware, loss of data encryption, accidental data loss, insider threats, connected medical devices, those major categories of threats; it works really well for an organization to focus around those.
Inside of those categories, there’s a lot of practical advice on how to implement a cyber program to protect against those threats. When you look at what is causing breaches today, or what has caused breaches in the past few years, many of the breaches involved a lack of security controls or deficiencies in those areas. And so for some organizations, especially the smaller and midsize organizations, when I’m advising someone in the healthcare market in that space or that size, I tend to gravitate toward 405D first. Especially for programs that are behind in their maturity curve, that are not where their peers are yet; we tend to use 405D as our guidance to really raising the bar quickly against those major threats. It’s very important that you work against the major threats against your healthcare and understand what your threats are, understand where your weaknesses are. We still use NIST as a great framework for measuring the entire cyber program and the whole ecosystem of the protection of cyber in your risks, and it’s still a great thing. And I think they work very well together. I see many customers use 405D to be more tactical, what do they need to focus on now in the short term, and how do they grow up into a complete program that is measured against NIST. Anything you think I missed there, Jen?
Jen Ryan: I think that was very comprehensive. David, anything to add?
David Ting: No, I think, Will, you’ve summarized it really, really well. NIST is the underlying foundation that is similar to all the best practices used both in the US as well as around the world. The foundations fit are indisputable. Application of that broader framework to healthcare is what the 405D recommendations are, using the best practices in HICP, being very much more prescriptive to the current risks that we see in healthcare. And I think over time, those risks will change as we get better at defending and protecting. And I think the 405D recommendations will come out and evolve with it. I think it’s a great baseline for healthcare to follow up, to get to the cyber hygiene, to get to the status where you could say I’ve done all these things that fundamentally we should be doing in a complex environment, such as healthcare. And Will, you certainly have seen a lot of healthcare systems and the challenges, and now is part of the things that we saw on the previous task force that recommended following the NIST Cybersecurity Framework, and that became the basis for the 405D committee. So, very practical.
Jen Ryan: Great. That is actually a nice segue into my next question, David. So you were on the original HHS cybersecurity task force, referred to as 405C. And you were one of the co-authors of the report that that group published on improving cybersecurity in the healthcare industry. It’s actually the five-year anniversary. It was June 2017 that that was published. Many people still use that report today as their guide. And just wondering, what big changes have you seen since you were on that initial committee and working on that report, which I think took a year for a group of the leading experts in the industry to pull together? And how does HICP align with what you were doing five years ago? And what gaps are there?
David Ting: Interesting, it’s been five years. But when we started in 2016, it was really the spate of breaches that caused the presidential cybersecurity task force to be formed. And the initial thinking was, why can’t we just adopt in healthcare the best practices from financial, transportation, energy and manufacturing? And it became really obvious that healthcare was totally different. It had all the aspects of all the above, and increasingly even more distributed as healthcare becomes this ecosystem of care providers that all operate to deliver quality care for the patient. The thing that we wanted to do was to start with a framework and then narrow it down, and that’s what the NIST Cybersecurity Framework, that’s why it was chosen as the underlying foundational guidelines for best practices. I think the 405D did a great job in assessing, out of all those practices, what were the major risks that were being felt.
You can remember that in 2016, we had the WannaCry attack, and just about the time we were ready to publish the recommendations, WannaCry ransomware completely stopped the rollout of the recommendations for almost a month as healthcare focused on cleaning up. That hasn’t changed, I think it’s only gotten worse. I think the visibility to the concerns that we have in healthcare is even more pronounced now that we’ve survived the expansion of systems, allowed physicians to work at home, allowed more and more downstream care providers to take PHI data to work connected to the major healthcare provider centers. I think those are the things that we need to deal with, gaining more visibility to what’s going on.
Following on to that, that was actually the genesis for why I started Tausight. Tausight was saying, we have so much need for visibility, we have so much data that we need to ingest and analyze for insight to find the things that will cause us breaches, will cause us concerns. We don’t have the skills, the staffing that we need, we don’t have the ability to retain those staff that can look over the threats and analyze what’s going on. Newer advances in AI, newer advances in IoT technologies, newer advances in multiple technology dimensions are now available five years later to allow us to leverage that. So what we built in Tausight was really trying to address that by saying, how do I give IT that situational awareness, leverage the backend analytics that you have in cloud-native analytic platforms to do a lot of the analysis to come out with the things that you need to worry about, and give you visibility across all your thousands of endpoints, including downstream stuff.
Jen Ryan: Great. Thank you. We did receive a question from the audience, it’s probably worth clearing up, and Will, maybe you can take this. The question is, what defines a mid-sized organization? How do the breaks go in terms of small, mid-sized, large and are they cut and dry?
Will Long: I’m not sure they’re exactly cut and dry. I’ve seen what I would call mid-size operations or healthcare systems that have maybe a hospital or two or a few hundred beds, have relatively well-funded and mature cyber programs. And I’ve seen just the opposite. I’ve walked into healthcare systems with several hundred beds that have one cyber person and a set of tools that are terribly deficient. And I think it’s more about where is the state of your cyber program, no matter what size you are. And I think 405D really helps give some clarity on where to start. What I see when I walk into organizations, whether they’re a handful of clinics in a clinic organization, whether they’re a hundred-bed hospital, or maybe they’re several hospitals and 10,000 employees; I see a lot of struggles with where to start.
Maybe they’ve had NIST or other frameworks they’ve been using, and they have very large lists of gaps and risks and things that they need to address. And I think you really need a tactical approach to that: where do you start? And 405D really provides some guidance on what those risks are. You should be working on all the gaps and things in your respective analysis or assessments that you’ve had that really target your biggest risks. That’s where to start. And 405D really boils that down for those organizations. So, that’s why when I go into an organization, pretty much regardless of what size they are, I just see it more in the midmarket segment and the small market segment. I see a more significant set of risks and gaps in those organizations typically. It’s not always true, but typically I do, and 405D in those cases is a great place to start. It really allows them to – the problem is prioritization. What am I going to work on? I can’t work on 49 things to build my cyber program. I need to be working on probably five that hit on the biggest risk first and get my maturity curve improving. And so, that’s why I think 405D is such a great, more focused, tactical, threat-based program of where to start in healthcare.
Jen Ryan: Great. Thank you. I was going to ask you about any specific approaches that you see as the most impactful. You kind of touched on that already. Anything else to add when, I mean, the prioritizing seems to be top.
Will Long: Well, you know, that’s our first one. If you go to the 405D page and you go to the top five threats, the first one that’s on the list is email security. And I think we all know the examples; we can name many, many threats and risks and bad things that can happen with email security, and just having a comprehensive email security platform and program and implementing everything that you can around that, there’s a lot of tactical advice on really building that up. And the awareness, awareness is part of it with the employees. But when you go back and look at the data and the stats and multiple different industry reports, so many breaches start with email, and that’s why I think this is a good example of why 405D is relevant. It’s got the top five areas that cause the most breaches, and you will also see… I think there’s another question you wanted to ask me and I might be skipping ahead, but if you look at what the insurance carriers are asking about your cyber programs when you go to cyber insurance, there is a big overlap between what they will ask for and 405D. And why is that?
Well, 405D is based on what are the threats against healthcare? What are the insurance companies trying to protect themselves against? They’re trying to protect themselves against losses in healthcare. So, what are they going to focus on? The biggest risks in healthcare, and what’s causing the breaches. And so that’s why – it’s not a one-to-one, but you will see a huge overlap in what the insurance carriers dig into when they look at your cyber program and what 405D focuses on because both, they’re looking for the big risks. Where are the biggest risks? Where can you move your maturity needle the fastest? And so, that’s where I think there’s a lot of practicality to it.
David Ting: Now, completely, I think increasingly as we [unclear16:49] and CIOs, that overlap, the fact that the premiums have gone up, the fact that a lot of these carriers have had to pay out for remediation; the questions they’re asking are now really addressing how are you securing it? Do you have a guideline? Do you have a framework? Are you addressing these critical threats that will cause us to have to pay out and clean up? I mean, I think over time they will even do more due diligence to see how close you are to those guidelines. I’d be curious to have your perspective on that, Will, as our threats increase and cyber insurance keeps going up. What are your thoughts on the carriers being even more prescriptive along that 405D?
Will Long: I’m already seeing it. I’ve helped a number of insurance. I mean, a number of healthcare systems go through renewal processes in recent years. And I see an increasing due diligence. The questionnaires are getting longer. The interviews are getting longer. They’re digging in and they’re digging in more. I see them even deploying tools to look at your network and see what your posture really is. In other words, prove it. Don’t just tell me you’ve got a great vulnerability management program and visibility, I’m going to take a look for myself. I’ve seen a lot more denials in the past few years, a lot more.
When you look at the carriers, they really have five or six things. They’re not a one-to-one exact match with 405D, but they’re close. And I’m seeing a lot more of those top five turn into, if that’s not mature, our answer is no, we don’t need to go any further. And we weren’t seeing that 5, 6, 7 years ago. It’s really drastically changed, and the carriers have gone from 25% loss ratios just a few years ago to 80%.
David Ting: 80 plus, that’s what I was told.
Will Long: It’s 80 plus now, and it’s very hard for them to make money in cyber insurance. So it makes sense that they’re going to dig in, and they know they’re having to pay for these breaches. They have access to the forensics reports. They pay off these claims, they see the data, they know what causes these breaches, so it just makes sense that what they’re digging into and what they’re asking; those are what’s causing them to lose money.
David Ting: Yes.
Will Long: Those are what the threats are in healthcare, and 405D so closely aligns to that and to focusing on threats. And like you said, those are going to change. And the insurance companies will ask different questions over time, and 405D will have to grow and adjust its recommendations as these threats in our industry change. As you mentioned, not only are the cyber threats and bad actors and things that are going on changing, but healthcare is changing, technology is changing, care delivery is changing, remote work – COVID obviously pushed lots of change. And healthcare by itself, I talk to lots of people that work in other industries that ask me, you know, about healthcare, and just understanding the complexity of the healthcare model itself is so complex. And it makes it harder to secure complexities.
Anything that is more complex is harder to secure. As somebody coined the phrase, complexity is the enemy of security. It makes it harder. And our physical, our buildings, our visitors, our wireless networks, our care delivery, our plethora of applications, our SaaS and cloud, and the use of healthcare; when you put it all together, there’s so many complexities that some other industries don’t deal with on that scale. Not to mention that some of our devices are connected to people keeping them alive, which other industries, you know, when it comes to medical devices or things that can radiate people and things like that. So, we have so many, many complexities in this industry that we need to be very tactical about what our biggest threats are and not try to work on everything at once. And that’s why I think 405D really helps in this complex world.
Jen Ryan: Thank you. I see we have a very good question, but just to stick on this topic of breaches for a moment, can we just switch gears and talk about HR 7898, what’s referred to as a Safe Harbor Act that was signed into law in 2021. So Will, if you could explain how it works. I know that… well, we’d like to know, is HICP a recognized security practice under that law? And how can healthcare providers use HICP to make sure that they’re doing the due diligence and that they can prove that they’ve been taking the right steps? So maybe a little bit about what’s [unclear21:44].
Will Long: Actually, it is in HR 7898. It’s not a very long document. I encourage everybody to go read it. It’s about a page, page and a half, so it’s not complex. It’s not a 2,500-page bill or anything, so I encourage you to read it. But yes, it does call out NIST and 405D HICP as recognized security practices in that law. That became law, I believe, in January, correct me if I’m wrong, David, if I get my dates wrong. It was January 5th of ‘21; I think is when it became law. And it calls in there for – you need to show that you’re meeting best practices and doing that due diligence for the previous 12 months. And so, you need to do assessments, you need to continually analyze, you need to show progress, and if you do, then it does provide guidance for reducing the fines, reducing the time of the audits and the scope and keeping. And so, while I don’t necessarily refer to it as a complete safe harbor, it is a really big step in the right direction, in reducing fines, reducing the overhead. As long as you are proving to the regulators that you can show that you are compliant with those practices, and show that over time you’ve been doing it for at least a year. Anything to add on that, David?
David Ting: Yes. So one of the things that was discussed in the 405C task force was how do we move healthcare into a better spot, and how do we gently persuade them to focus more on cybersecurity and cyber resiliency? I think the key there is cyber resiliency. There was a recognition that breaches and cyber incidents were going to happen; it’s not a matter of whether, it’s a matter of when. And when it does happen, how resilient can the organization be? So the movement and the recommendation from the task force was, let’s not make it another HIPAA security rule, with strict penalties for failing to meet guidelines, because they’ve already done that. The idea was, how do we incent the industry to improve? And HR 7898 is an incentive. It’s the carrot versus the stick.
There was a feeling that as cyber insurance became more prevalent, cyber insurance was going to be more the stick, because if you don’t meet these requirements, we will deny you, we will raise your premiums. So there was this competing, how do we make healthcare be more focused on cyber resiliency and cybersecurity, both from the private sector, as well as the public sector? Public sector being, let’s reduce the penalties, let’s be aware that if you had done good things, we’ll give you a waiver for having a cyber incident, knowing that the cyber insurance industry, which was at that point in a fairly nascent state five years ago, as you pointed out, people were only starting to consider buying cyber insurance. Now it’s a matter of course, everybody has it, but the [unclear24:59], that insurance industry was going to be a force in making sure healthcare really does align with these best practices, so we have both forces for us.
Will Long: Yeah, I’ve seen that. I’ve seen a number of organizations now step out of cyber insurance and not get it. Behind self-funding those things, and that there’s a movement of that going on, just because it’s gotten so expensive. But when you think about it for a second, the whole carrot and stick and penalties and waivers; I like where 7898 is taking us, because it helps remove some of the penalty and some of the stick, and that way that money can go back into making those cyber programs even better. And so, when somebody does have an issue, you know, reducing your fines so that you could put some of that money, maybe reduce or eliminate those fines, and now you can put that money rather than paying a fine to the government, that’s not going to result in that money, improving your program, now you can put that money back into your program rather than paying a fine.
So, I think in that respect, it really incentivizes to move in the right direction. And then when you think about it, if you are complying with 7898 in order to have a better stance and reduce your fines and take that carrot, if you will, if you think about it for a second, you are setting yourself up for a much better cyber insurance renewal process. Because now you are showing for the past year, not just for 7898, but you’re also showing you are meeting recognized security practice, and you can go into your cyber renewal on an annual basis now in much better shape. It’s not the end of the journey. It’s not that first renewal, that first 12 months; that’s not the end of your journey in cyber. You will need to broaden out past the first five.
If you get all of those mature, you need to broaden out to the rest of the model. You need to broaden out to NIST. Cybersecurity is a journey, and that journey may have adjusted along the way as we’ve talked about some of the threats and risks in cyber and technology and in healthcare may change. But I think it’s a really good start to helping you get better positioned for insurance, helping you reduce your premiums, hopefully your coverages don’t go up and you can reduce your exposure to fines and penalties and that’s to some extent. And I think all of that works really, really well together.
Jen Ryan: Great points. Great points. Thank you. We do have a question that I’d like to address for the audience. So the question is, having HITRUST built off HIPAA and 405D built off NIST, can you talk about the alliance between them both? Will, do you want to take that, or David, who wants to jump in on that question?
Will Long: I don’t view them as mutually exclusive. You know, HITRUST is built. I worked in organizations and have worked closely with HITRUST in the past. I don’t view them as mutually exclusive, and HITRUST really is a framework of frameworks in the end, and HITRUST is very easily mapped to several different frameworks. So there’s a lot of overlap between those, there’s a lot of mapping compatibility. And while HITRUST is focused on getting you to the places you need to be for HIPAA, it actually maps nicely to the other frameworks such as NIST. And I think there’s a lot of input from some of those other frameworks. And HITRUST, I wouldn’t say is exclusive to HIPAA, it’s actually being used by other organizations outside of healthcare too. It’s not as prevalent, but it is. Anything to add on that, David?
David Ting: Yeah, there are HITRUST mappings to the Cybersecurity Framework. There are also mappings between, and I’m thinking NIST has them for how HITRUST maps to 405D HICP as well. I believe there are well-published studies on how they map.
Jen Ryan: Great. Good. Okay. Another question, just switching gears a little bit. So the recently signed cybersecurity incident reporting regulations, I think that was earlier this year. They call for reporting to DHS cybersecurity, to CISA, within 72 hours if you have an incident, and I think 24 hours if you pay ransom. So there’s some, I guess, ambiguity about when that takes effect and how could HICP and the work that you might be doing there help prepare for that. David, do you want to explain a little bit more about that new regulation?
David Ting: Yeah. The new regulation is really a focus on how do we get more visibility into what’s going on across multiple industries, not just healthcare. And the demand and the signing of that law basically now gives us the visibility into what’s going on. The fact that you have to report in 72 hours as to what went on puts a lot of drivers behind keeping better audits and having a mechanism for reporting; discovering incidents and reporting those incidents. The fact that if you paid ransom, forcing you to have a 24-hour reporting window, really does shorten the interval for a lot of organizations. CISA has a year to basically come out with the guidelines as to what will be the required information to be filled out.
But if you look at the current reports, it’s fairly simple. I had an incident, here’s what happened. I think they’re going to be much more prescriptive now in terms of what will need to be reported so that you can get more forensic data. And I think it goes back to, how do healthcare organizations start to think in terms of keeping better that level of forensic detail and understanding what goes on across their system, so that they can do better incident reporting, they can have better forensics, they can start to think about how you build up an immutable audit trail that won’t be compromised as part of an attack. So that you can report, you can recover faster, and you can also share the attack patterns, the TTPs, if you will, with the other industries. Will, do you have anything to add to that?
Will Long: Yeah. I’m watching how these reporting requirements come out. I’m interested to see how this is all going to play out with their requirements, but I think there’s the potential for some very valuable data and response from our industry. With this information I think there’s the potential that we can move quicker as an industry to protect organizations when CISA uses trends in healthcare, when we see bad actors attacking healthcare across our industry; we can learn faster those techniques and tools and things that they’re doing. And so, I think there’s a potential here that we could really help protect other organizations faster and better and prevent some of the ransomware attacks, prevent some of these breaches. If we have the right data, it’s reported well, quickly, and it’s done the way I think they’re going to do it, it should help us down the road be able to better empower organizations to be protected faster. Some of the bad actors move quickly, and it’s important to move quickly and get the data out and help those organizations adjust their posture as necessary to make sure that they’re protected. I’m looking forward to seeing the guidance coming out, as you mentioned.
David Ting: No, same here. I think it’s going to be much more aligned along the NIST Cybersecurity Framework of having baselines, understanding how to detect deviations from those baselines so you can respond with more accuracy and more quantitative data around, “Hey, my system operated fine. Here’s what happened.” I can report on that variation, that anomaly that occurred, so you can send that information and share it across the industry, across multiple organizations. We’d love to see an attack pattern that showed up in one place, got quarantined, and be shared with other people, other organizations, to be alert.
Will Long: Yeah, you’re right. And it’s not just about detecting the knocks on the doors either; you know, those techniques and things that they could potentially share from this when they see an attack; if we learn that about actors targeting healthcare, and maybe they’ve already breached many healthcare organizations and they’re lying low for their attacks. If we can spread the right information to those organizations and learn what’s going on, and we can detect and help organizations find those bad actors in their networks before all of the damage is done, then it’s the right thing at the end of the day. And we will have not only protected these organizations’ networks and systems, but ultimately protected the patients that they care for.
David Ting: I think if you look at HR 7898 and HICP, the whole model is, how do you first get into a good state relative to cyber hygiene, but also now moving past that to getting more advanced, getting more visibility to how do we detect and track the forensic data that we will need to respond, or detect variations and respond to bad things. Oh, you’re so quick with that, Will.
Jen Ryan: Thank you, Will, for doing that for us. Great. Okay. Well, we’re running out of time here. Let’s just have one last question. And if anybody in the audience has questions, please send them in. Thank you. That was a good question we just got from Lisa, and Will has posted the link that she’s interested in. So David, I’ll start with you on this last one. So for our audience out there, how can they assess and measure how they stack up, or what their cyber preparedness is, whether or not it aligns with HICP, where they stand? Any advice on that? I guess we’ve discussed all why it’s important, but just how can you get into that groove of making sure you know you’re constantly adhering?
David Ting: So I think Will hit it earlier on that there are two volumes, the small – and then small, medium and large. If you read both, you start and say, “Hey, if I can only meet the stuff in the first volume for small and medium, I’ve got a lot of the dimensions covered.” The metrics that are in volume one relate to very practical things like percentage of encrypted machines, use of privileges, use of finding out how well you’re patched across all your machines, that you’re patched to the latest references. Those are fundamental things that you should look at and say these are metrics. These are quantifiable numbers that I can show. If I can see that my system is staying at those metrics where I can get, let’s say, 95, 98, 99% of all my machines encrypted, that I have really good patching, that I know that my PHI on these machines is all protected or encrypted at least, and have good access privileges, that I don’t have a really high percentage of privileged users roaming around with privileged accounts, you’re starting to get to that.
The best practices aren’t something that you should just apply once to get your insurance carrier to say, “Hey, you’ve met the requirement.” This is something that you really need to do continuously. It’s one of the things I’m prescribing or I’m saying: security is not something you do as a once-a-year exercise. It’s something you need to be constantly vigilant about, and constantly have a mechanism to do that. I mean, we built our whole company on the basis of, if I can give you that visibility, if I can give you those metrics, why wouldn’t you watch those and say, “Hey, look, we just found our percentage of encryption has gone down for some reason, or we added machines, but we forgot to turn them all on. Or new patches came out and we’re behind on a bunch of machines because they were being used in the OR, or some other reason.” It is really diligence. It is really keeping up with what’s going on. It’s trying to keep your systems as current, as up to date, and as consistent as possible. It shouldn’t take you 200 days to find out that there’s a new application that’s been installed across your machines that you didn’t know anything about. I mean, that’s just fundamentally what’s happening when we have APTs – Advanced Persistent Threats – sitting out there and nobody knows about them. Will, I’m sure you have tons of advice in this space.
Will Long: Yeah. We help a lot of customers. We help a lot of organizations measure their risk, measure their compliance to these frameworks. And for those of you that are new to 405D and [unclear 39:07], I encourage downloading those volumes, look at the metrics, look at the controls, look at the practical advice, and you can start documenting how you are doing. Go through all the best practices in email security, for example. Take those top five first, go through there. How are you in compliance with those controls? And then look at those metrics sections for what you should be measuring. And now using those controls and using the metrics, you can create documentation quarterly if you wanted, to show here’s how I’m doing, here’s what I’m improving.
There are tools out there. We use tools, we use process and procedures to help assess and measure customers and show changes in risk posture over time. But that’s a great place to start. And that’s how you can start creating this trail of documentation that shows, I’m improving this program, my metrics are looking good, I’m moving things in the right, and then you can move on to the other volumes. And then you can move on to a greater, broader set of controls and things in the other volume or move to complete NIST visibility. And we map things to many different frameworks and show that risk and trend over time. That’s what they’re going to want to see when they come in and you’ve had an issue and you want to show that you’ve been compliant over the last 12 months or longer. Once you’ve been in this program for a while, you want that audit trail, you want the trend and the risk graphs, the controls and the metrics to show that you’ve been doing this, you’re committed to doing this, and there’s a trail to show it.
Jen Ryan: Great. Thank you. Well, we are out of time. Once again, I’m terribly sorry about Aaron Miri. He tried hard to join. It was a snafu on our end – technical side, so please forgive us. If there’s anything that you would like to ask Aaron, I know he would be happy to answer your questions. And I think you all have my email address, so please feel free to send any communication through me to Aaron. And we’ll try to find out another way to share his point of view because I know that he has some very interesting perspectives to share. So, thank you very much Will Long and David Ting, we really appreciate you taking your time to share your thoughts with us today. It has been a very interesting session. And if anybody has any further information, please do follow up. Otherwise, we’ll send you a link to the recording as well as a link to some of this other useful information around 405D HICP. Thank you very much for your time.
David Ting: Okay, Jen, thank you both. I think we could easily have kept on going for another hour.
Jen Ryan: Thank you all. Bye-bye.
Will Long: Thank you.