Comply or Cry

Hello everyone. Let's give everyone just a couple of minutes to join. But welcome to everyone that's already here. And there's a thumbs up. It's already a good sign. That means everyone can hear us. Love. Yeah, I always ask. Hi Tim. Hi Stuart. Love how you're already straight on the uh the chats which is great. Thank you for the reactions. Appreciate we will kick off guys in just we'll do it like 3 minutes past or so. Just give everyone just a bit more time to join. Number is steadily rising. I'm sure it'll keep going for a bit longer. Oh, I think we should get started. Um, well guys, it's great to meet you. Um, everyone that's on the call currently. Uh, this is being hosted by myself and and Dakota, but we're we're here really just to talk around about compliance regulations and frameworks, which is the big deep dive that we're going to be doing here. Um, but we'll start off with some introductions because I think that's always good. I'll pass over to to Dak to go through that with you guys. Um, but just to go introduce myself, I'm Tim, one of our solutions architects here. I've been in the MSP space for around 11 years as a solutions architect. Um, and for the far past kind of five years, I've been focused in the MSP space in central London mainly on financial vertical. So very familiar with some of those crappy frameworks we have to adhere to like N2 directive, DORA that's now come out and a few others. And we kind of took took it upon ourselves to decide this is a good opportunity to go through some of these frameworks but over to yourself D for an intro. Hi everyone, nice to meet you. My name is Dakota Mcelli. I have been at inforcer since last year in October and before that I worked at Center for Internet Security or CIS. Um, when I worked at CIS, I worked on the development of the benchmarks, controls, implementing them into our tools and then also helping our customers as well implement them and use those recommendations. Um, so that's my foundational compliance background and then from there uh got a wide-scope overview of about 30 different frameworks because CIS on-ramps to those other frameworks. So had to kind of learn those uh like the back of my hand because I had to talk about them pretty frequently. Um, pretty in-depth experience with FFIC um from a banking perspective as well. So that's a fun little tidbit I didn't know about Tim and I having something in common in addition to Microsoft 365. Um, but yeah, so a lot of fun. Uh I don't think you probably will hear this often, but I do love compliance. So I'm excited to be here today and talk about that with you all. You're absolutely crazy. I love it. Awesome. Awesome. So I will go ahead and take control of the slide deck and then we will move forward. So just to get started, right? Um let's level set why the series even exists. Um compliance frameworks as we've kind of talked about already uh have absolutely exploded um over the last few years. So at the same time, Microsoft 365 has ended up right in the crosshairs of almost all of those frameworks. Um and that's not accidental, right? Identity, email, data, devices, they all live within Microsoft 365. Uh so regulators have noticed that. Um, and the goal of this series isn't to overwhelm you all with a bunch of acronyms and be like, "This is what you need to do exactly to be um, adherent to XYZ." It's to really give you a map and kind of guidance on where to start and where to go from a foundation that you've actually built. Um, you know, we're the goal too is to also give you a way to understand why these frameworks exist, um how they relate to each other and then also just how Microsoft 365 actually fits into that greater picture. Um right because you can't necessarily be wholly compliant to like let's say HIPAA just based on Microsoft 365. Obviously there's a lot of other things that uh work into that. But we're really just trying to focus on and help you and assist you with the Microsoft 365 puzzle piece. Absolutely. So this again didn't happen out of nowhere, right? Uh we had uh supply chain attacks, those changed the rules. Uh suddenly risk wasn't just your own controls, but it was every single vendor that you trust. Um and then ransomware went from just like an IT problem to a board level incident and then regulators responded to that with mandatory controls instead of actual guidance. Right? So at the same time, organizations rushed into the cloud faster than governance models could actually keep up. And now we're at this really odd place where it's like, where do we go from here? Uh, and now obviously I have to say the token word. It'll probably be mentioned multiple times today. AI has quietly added a new problem of data leakage. Uh, so most organizations don't even realize it because how are you tracking shadow AI? What does that visibility look like? Um, so the key takeaway here, right, frameworks exploded as a reaction, not because regulators love paperwork. Um, I don't know anyone that loves paperwork, but because the risk model fundamentally changed. It's going to continually change from here as well. Um, so we need to prioritize and level set where to go from here and kind of create a canonical control set from all of these different requirements. So I guess rolling into that really nicely guys is where do we start with with what we can manage and for us most of the things we work with with customers is the Microsoft 365 control plane. Um and every single one of these frameworks touches the pillars you see in front of you. So identity and access, data protection, devices, logging and detection, all of those functions are fully available and usable for these frameworks that we're touching or talking about throughout this series. And this whole idea and concept spec sorry, especially for what we're doing today is to give you guys an idea of where things sit because as Dak already said, not every single element of a framework is just Microsoft 365. Some of its operational controls. So, what are your policies that you've written into employment contracts? Are we making sure that our vendor list is meeting safeguarding protocols and meeting those standards? But what we do want to make sure we're touching on when we come around these sort of topics is where can firstly inforcer help you guys in meeting some of these control plane requirements for those frameworks, but also making sure you guys know exactly where things sit. And this brings me on to one of the areas we really want to touch on, which is what is a requirement versus recommendations. Because most people think every single framework we look at is a requirement, whether it's legal or otherwise. And the reality is that's not always the case. Not all frameworks are created equally. That's first and foremost important thing to be fully aware of. And understanding the distinction changes the way that we prioritize what we implement. So for both me and Dak we've got experience in the financial industry and understanding some of those frameworks and it's really important to know that actually they are regulated firms and so there are regulations we have to adhere to and again not all of it is Microsoft 365 specifically but there are areas in which we do have to make sure there are regulations that are met and a lot of that and in fact almost all of it really sits with the IT department to a degree outside of compliance risk and legal and HR every single point has a touching pillar with an MSP or an internal IT department and it's important for us to understand where we sit and what we should be doing and how we can help our customers ensure that those regulations are in place. But you can see in front of you, you've got your requirements which are legal, your recommendations which are guidance. The legally mandated compliance is the biggest pain in our ass. It's the most stressful point that most of our customers go through. Most people think of it as a point in time kind of audit that's done when we talk about regulations, but with the latest controls and mandatory requirements, that's seriously excelled. We've now got to the point where we're mandated to do something. It's not just a one point in time measurement now. We actually have to have continuous proof, continuous monitoring of those services. And a really good example of that is platforms like, well, a really good example is ourselves. SOC 2 Type 2 is an example. It's a continuous monitoring of making sure we're adhering to those requirements within the SOC 2 framework. So where you might have a point in time for an original framework, we then also have to make sure that we are mandated and continuously monitoring what we've implemented. And this applies to the majority of those legal requirements. It's transitioned from a point in time. Cyber Essentials on its own as an example is just a point in time reference, is really easy to get. Sometimes we recommend we don't make mistakes or mislead the regulators but we absolutely do make sure it's a point in time, whereas Cyber Essentials Plus now starts looking at continuous monitoring and that's the same with DORA, NIS 2 directive and other controls. And you look at recommendations which is our guidance and this is where Dak specializes the most with CIS. It's best practice guidance, where should we start and how do we implement these changes. Sometimes it's not just again Microsoft 365 specific but there are controls that are recommended as guidance and this stems from all of these measurements, NIST, CSF, the maturity-based self assessments is what really drives our success here but it's guidance-led. And this is why people like Dak and the controls for CIS are so important to us because we understand how we implement those measurements. So what are the three outcomes for every framework and what do they care about? And I think this rings true for everything. Correct me if I'm wrong. But the first one's controls. Put the technical and administrative controls in place to protect your environment. And they're things like MFA, Conditional Access, data loss prevention, endpoint protection, you name it. It's pretty much everything. Then it's policies and roles defining who can do what under what conditions. So yeah, it sits with Conditional Access to a degree, but what level of access do we do? So most MSPs, particularly the ones probably on the call today, we implement privileged identity management in our own environments for elevated access to control ourselves. And we use things like GDAP and Partner Center to control our access to our customer environments. And this is where we define policies and role delivery. So policy assignments. Last point is evidence. How can we prove what we're implementing? And auditors, regulators, and just general best practice guidance that we follow often say, "How can we prove what's in place? Have we got audit logs? Have we created snapshot evidence of what we've implemented and continuously monitored that result as a result?" Sorry. And then the last point is reporting. Can we make sure that what we're presenting is measurable and it's accurate and we can provide that on a regular basis? I think you're up now, Dak. Awesome. So, this series is deliberately modular, right? We separate it into digestible pieces for you all to participate in. Whether you want to watch every single episode that we are launching throughout this webinar series, um but you don't necessarily need to watch every single one, right? Unless you want the entire full picture, really understand what's relevant to you. Um, episode one today is about orientation, right? Really getting you to understand exactly why we're pushing this series and why now. Um, understanding why people currently and organizations, MSPs are struggling and then how to really think about frameworks without, you know, that internal panic of wow there's so many, if I have a customer that's looking for CMMC and then this customer is looking for NIST like where is the baseline? Um, so from there right after we're going to zoom into DORA, CIS, Cyber Essentials for the UK, NIST for the US and then also globally regulated environments as well and then we'll finish by pulling it all together. Um and then kind of seeing what it exactly looks like to make it real at scale. Um so not just compliance on paper, right? Really being able to understand that big picture. So think of this set list. We really want you to participate in all, especially if you're a global reaching MSP, but also kind of like a choose your own adventure based on your role, your region, risk profile, what's really important to you. Um, obviously, we hope that we're entertaining enough for you to join all of them, even if it's not relevant to you, just so you have the knowledge on it. Um, because we're going to try and make it fun, interactive, digestible, etc. But, um, that was kind of the idea behind it being a whole series. So now right it's kind of deciding what frameworks matter to you, which ones do I want to join in particular. Uh one of the biggest mistakes I personally see, um not just with MSPs, this even was happening with my past experience at CIS, right, organizations will make the mistake of assuming that regulations only matter if they're written for their country, right, but in reality especially if you have a global reach, for instance GDPR that hit us internationally. I mean, US cares about that. There's protections in California where privacy that every single state in the US has to take into account when they're working with California customers. It has a global reach. The UK uses Cyber Essentials. The US leans heavily on NIST and CIS. But underneath all of them, right, you keep seeing patterns of identity controls, access management, audibility, evidence, right? The intention here isn't to necessarily learn everything unless you want to. Um, it's know which episodes matter the most to you. Understand how they all connect to that same control plane. Um, I will say like because CIS is a part of the inforcer platform, that's really what we pride ourselves in. Obviously, I'm biased because I come from CIS, but um they have a really really great neural network that connects out to about 30 different frameworks, right? So, it's really nice because not only if you're adhering to CIS controls as recommendations, you can also use that work to map out to about 30 others. Obviously, it's never going to be one-to-one. No framework is. Some of them are pretty close, but I think every framework has their different scope and focus. So, it is really nice to be able to utilize CIS to kind of branch out to the others. Um, and that's kind of the last I'll be on my soap box talking about CIS, but I did want to say that's why I love that it's in the inforcer platform. Um, but again, right, really focusing on the episodes that matter to you, joining those based on your current customer scope and what's happening within your environment is definitely super important. That question for you. Do you find that most frameworks and regulation businesses look to CIS for those recommendations? Um, you know, I was kind of in a silo where that was exactly what I was dealing with every single day. So maybe a little biased based on my experience, but I do think it's a great place to start not only for customers that don't have a security framework requirement. So if you're not focused on critical infrastructure, right, where you have like a HIPAA requirement or you have FFIC, etc., it's a really great place to still get consensus-based guidance on recommendations. So it's not just an internal decision between a few engineers. This is what good looks like. It's actually using a baseline of experts. So, um, I typically will recommend it especially to newer customers, customers without a set framework, more immature internally with SOPs. Yeah, absolutely. Okay, cool. And then I will give it back over to you. Thank you. I just realized it's my turn, so apologies. Um, yeah. So, as we kind of highlighted, some of those that you guys want to pick and choose, by all means, sign up. They're on our website as an FYI. I should have added a link and I didn't do that. So, please jump onto the website and sign up to any of those frameworks that you want to look at more or have a bit of a deep dive into. But the idea of this that we it would be silly for us not to include it, but where does inforcer sit for you guys and how can you leverage parts of our product and software and our own team to help leverage those frameworks? And there's three areas. It's very similar to the defend, govern series that we've done previously. But it's all about giving you the tools to make sure we've got the configuration in place. So we set the policies, we've enforced it. So the way we always use terms with customers we work with, like yourselves, is making it sticky. Um, and those enforcements is making sure those policies stick. So that's drift detection, allowing yourselves to be confident that what you're implementing for your customers is maintained itself. That's part of that continuous monitoring that we're now seeing as mandated controls in some of those frameworks. And the last point is proving the evidence, which for this particular scenario is proving that what you've implemented on those policies, you've got continuous monitoring in place, but you can prove evidence that they're 100% aligned to that framework that you've configured. We only have to date the CIS kind of library that you guys can leverage as those configurations. But it doesn't stop any of you on this call creating those policies and configurations for the other benchmarks and frameworks that are in place and then aligning that framework to your customers. Collecting that evidence has never been easier when we can use things like the alignment report to demonstrate we've implemented X. We can guarantee it's implemented on this customer or this business industry standard. So take the opportunity to look at what you've already got currently in inforcer. Identify some of those industry verticals that you do need to meet those regulations or frameworks towards and then leverage your technical skills but also what's available on the web and what we can offer to you today to make sure you've got those configurations in place. And that's where that configured, enforced, and proven sits for ourselves. We want to make sure you've got the tools to implement the right controls and the right standards. Awesome. So, um, by the end of this episode series, right, um, and hopefully this episode too, this is kind of what we want you to be leaving with. First, obviously clarity on the requirements versus recommendations. Um, and then also what's legally mandatory and then what's just best practice recommendations. Um that sometimes you can even use as an on-ramp to legally mandatory frameworks um because obviously those drive very different prioritization, I'll say, um but they do still kind of work symbiotically together. Um and then second right we want a compliance map, understanding which frameworks actually apply to you personally for your organization and then figuring out why and where to go from there. Um and then also right we want to see Microsoft 365 um not just as a mess of portals as it can be interpreted sometimes just because of how many tabs exist in the admin center um but as a connected control plane across identity, data, devices, logging, visibility, auditing, etc. Um and then finally right we have that mental model. Uh we do have a whole series that Tim actually led of defend, govern, proof. Um if you walk away thinking, okay, now I understand how compliance in terms of M365 works. I see how they map together. I see how they fit into my individual use case. And then this is how I'm going to prioritize it from here. Uh then we've done our job. Definitely.