Steve Ursillo, a Partner in the Risk & Accounting Advisory Services Practice and Leader of the Cybersecurity Group, joins Joseph Carson on Delinea’s 401 Access Denied Podcast. On Episode 93, Steve talks about meeting the challenges of costly, time-consuming compliance requirements and offers recommendations for scoping compliance programs and preparing for audits without breaking the bank or burning out your team. They discuss the nuances of cybersecurity frameworks like NIST CSF and ISO 27001, industry regulations like PCI, HIPAA, and SOX, and the differences between SOC1 and SOC2 examinations.
HOST: JOE CARSON: Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the episode, Joe Carson, Chief Security Scientist and Advisory. It's a pleasure to be here with you.
HOST: JOE CARSON: Today we're bringing the latest trends, news, and information to provide you the information you need to make the right decisions in your cybersecurity strategy. This topic is very important. Sometimes it's not always the most fun topic, but it's one of the most important, and it's starting to get a bit more interesting.
HOST: JOE CARSON: I have an awesome guest to bring a lot of the details, thought leadership, and ideas related to this. Steve, welcome to the episode. If you want to give us an introduction of who you are, what you do, and some fun things about yourself.
GUEST: STEVE: Thanks, Joe. Pleasure to be here. I agree this stuff is getting more interesting as things evolve.
GUEST: STEVE: I'm a partner with Cherry Bekaert in the Risk, Accounting, and Advisory Services group. I lead the Information Assurance and Cybersecurity team. We are responsible for an array of service offerings, many of which we'll discuss today, predicated on third-party risk management, information security, cybersecurity, privacy risk management, and governance.
GUEST: STEVE: We handle a lot of the alphabet soup of certifications and attestations related to third-party criteria. Our team also provides extensive cyber advisory work, helping management and key stakeholders identify and execute cyber governance and privacy risk management initiatives.
GUEST: STEVE: We support everything from policy and procedure design to risk management execution, and the technical aspects such as system architectures, vulnerability and risk management programs, attack and penetration testing, configuration assessments, secure architecture design, and design and deployment for cloud services.
GUEST: STEVE: We also provide a combination of people, process, and technology in a managed capacity, including virtual CISO services, incident response programs, security awareness training, and governance support. We perform as a center of excellence to support the rest of the firm, providing backup and support for our accounting teams, assurance teams, financial assurance teams, transaction advisory teams, and digital transformation teams.
GUEST: STEVE: A bit about myself: I started in financial reporting and I am a CPA. Early in my career I developed a passion for cybersecurity and risk. I became an active penetration tester on both network and web application sides, and that foundation drives how I approach understanding and mitigating risk. That evolution informs the relationship between cybersecurity programs and cybersecurity compliance initiatives.
HOST: JOE CARSON: I think it's important to have that combination. Very few people have both CPA knowledge and deep cybersecurity expertise, and bringing those together is critical.
HOST: JOE CARSON: As we start down the theme of compliance and regulatory requirements—certifications and audits—what is compliance intended to do? What is its purpose, and what is it not for? Many organizations focus on "what we need to do," but what should their goals and intentions be?
GUEST: STEVE: That's a great question and often requires unpacking. Cyberattacks are increasing and the risk landscape is dynamic. Security breaches in the media have raised awareness among business owners, stakeholders, and regulators, forcing greater transparency in how organizations operate.
GUEST: STEVE: You get a perfect storm of awareness, evolving technology and threats, and the need for organizations to demonstrate fiduciary compliance and overall expectations and controls to third parties and leadership to safeguard assets.
GUEST: STEVE: Cybersecurity is broader than cyber compliance. Cybersecurity is built around an organization's risk tolerance and the overall threat landscape. Organizations design controls to mitigate risks to what they consider an acceptable residual level. Those controls can include technical components and drive into detailed areas such as kill chain and attack frameworks, MITRE ATT&CK, and systems to identify, protect, detect, respond, and recover.
GUEST: STEVE: More mature organizations adopt adaptive security programs. Others move more slowly but step in the right direction. Cyber compliance is part of cybersecurity and follows many best practices, but it is typically driven by regulatory and contractual obligations.
GUEST: STEVE: Organizations must adhere to contractual obligations, especially service providers offering services to third parties and cloud providers. Regulatory requirements depend on where and how they operate and what data they process, store, or transmit. Examples include PCI for cardholder data and HIPAA for health information. Compliance should not be the sole driver of your cybersecurity program; it is often the minimum baseline to meet legal obligations.
GUEST: STEVE: If you want to defend against modern evolving attacks, take a proactive, enterprise-wide risk management approach. Some frameworks are prescriptive and costly in time, energy, human capital, and finance, so organizations often segment or isolate data sets to control compliance costs.
HOST: JOE CARSON: For me, compliance should be part of your overall cybersecurity strategy, not the other way around. If I'm an organization, how should I prioritize and set goals? If I need to meet PCI or SOC compliance, how should I approach prioritization?
GUEST: STEVE: Start by identifying legal and regulatory requirements and understanding your assets, data types, systems, and third-party interactions. Understand contractual obligations with vendors and customers, because the type of data prescribes how you must handle it.
GUEST: STEVE: Establish data protection mechanisms and a risk management program. Consider inherent risk factors and use a risk assessment process to define controls that meet regulatory criteria. Design and execute controls to reduce risk to an acceptable residual level, keeping in mind this is an ongoing process.
GUEST: STEVE: Your risk assessment drives spending and resource allocation. The goals include gaining consumer trust, protecting reputation and brand, and meeting efficiency patterns internally and externally. Design scalable programs to address data sovereignty and geographic segmentation. This is a moving target and not a set-and-forget exercise.
HOST: JOE CARSON: That sounds like cyber quality assurance—showing the organization meets a certain standard. Compliance can also be a competitive advantage.
GUEST: STEVE: Correct. Organizations have ethical and fiduciary duties to safeguard data. Compliance helps meet legal obligations and can support reputation and service delivery.
HOST: JOE CARSON: There are many compliance standards and acronyms. What are some of the most common ones organizations need to meet, and what are the differences between them?
GUEST: STEVE: There are hundreds globally, but common ones we work with include SOC Reporting (System and Organization Controls), ISO 27001, GDPR, CCPA, HIPAA, PCI, and the NIST Cybersecurity Framework (NIST CSF).
GUEST: STEVE: SOC Reporting includes SOC 1 for controls over financial reporting and SOC 2 for operations and compliance related to security, availability, processing integrity, confidentiality, and privacy. SOC 3 is a general use report.
GUEST: STEVE: ISO 27001 focuses on an Information Security Management System (ISMS) for governance, policies, procedures, and risk assessment. GDPR protects EU citizens' data subject rights. California enacted the California Consumer Privacy Act (CCPA) with similar characteristics.
GUEST: STEVE: HIPAA governs PHI with administrative, technical, and physical safeguards. PCI has prescriptive standards for cardholder data environments. The NIST Cybersecurity Framework is agnostic and widely used for maturity assessments.
GUEST: STEVE: For government systems, NIST SP 800-53 and FISMA are relevant, and FedRAMP addresses government cloud systems and Authority to Operate. NIST SP 800-171 applies to government contractors protecting controlled unclassified information. The Cybersecurity Maturity Model Certification (CMMC) provides independent certification levels based on the sensitivity of information in the supply chain.
GUEST: STEVE: SOX (Sarbanes-Oxley) focuses on general controls around financial reporting for public companies. The SEC recently issued a final rule requiring disclosure of cybersecurity governance, risk management, accountability, and stricter breach notifications. GLBA also applies in financial services.
HOST: JOE CARSON: Breach notification timelines can be very different. For example, GDPR originally referenced 14 days but was clarified to "without undue delay," which is more risk-based.
GUEST: STEVE: Correct. Aggressive timelines force maturity on organizations. Responding to material breaches within prescribed timelines requires well-orchestrated incident response programs and rehearsed playbooks. Practice and rehearsal are essential.
GUEST: STEVE: EDRs, XDRs, SOAR, and threat analytics and reporting are important for staying ahead of emerging threats and responding within timelines. The first 24 hours of an incident are often critical and can redefine outcomes.
HOST: JOE CARSON: We met at a conference earlier this year. You discussed SOC 1 and SOC 2. What are the primary differences and overlaps between them?
GUEST: STEVE: SOC is a reporting framework, not a prescribed control framework like NIST SP 800-53 or ISO 27001. SOC 1 is auditor-to-auditor communication focused on controls over financial reporting and the assertions needed to evaluate financial risk.
GUEST: STEVE: SOC 2 is focused on operations and compliance, mapping criteria like security, confidentiality, availability, processing integrity, and privacy. SOC 2 uses points of focus, and controls can map to other frameworks such as ISO 27001 or the NIST CSF.
GUEST: STEVE: SOC 2 Plus can include additional third-party criteria, with the auditor providing assurance on both the SOC criteria and the additional mapped frameworks. Reports come in Type I (design only) and Type II (design and operating effectiveness over time), and Type II is often required to assess residual risk.
HOST: JOE CARSON: What trends are you seeing in the industry? Is AI, including generative AI, affecting compliance and audits?
GUEST: STEVE: Yes. Any compliance initiative must understand assets and systems, including blockchain and AI. As organizations adopt zero trust, AI, and other technologies, risk assessments must account for data, training, fairness, and ethical considerations.
GUEST: STEVE: Technologies shift risk rather than eliminate it. For example, blockchain can reduce some risks but introduces new ones like transaction integrity and system operations within the blockchain.
GUEST: STEVE: Automation is exploding, including incident response automation and GRC platforms that drive efficiency in compliance processes. GRC systems can streamline operations and collaboration with auditors, but auditors still have standards and must test provider controls, configurations, and data integrity.
GUEST: STEVE: Supply chain and third-party risk management remain high priorities because you are responsible for processing data even if you don't host it. Privacy regulations and AI regulatory developments, such as those in the EU, are evolving rapidly.
HOST: JOE CARSON: When using GRC solutions, explainability is important. You still need to understand how data is collected, how configurations are set, and the logic behind reports.
GUEST: STEVE: Exactly. If you have exception reporting, you must validate the accuracy of the logic and ensure it ties back to risk and controls. System integration testing and understanding control requirements are still essential.
HOST: JOE CARSON: That reminds me of an asset management example where a transportation organization believed they had 120,000 licenses, but discovery found 140,000 machines. Deprovisioning processes were failing and that created risk and wasted energy.
GUEST: STEVE: Scoping is critical. If you scope incorrectly and only cover a fraction of your footprint, that's a huge risk. Auditors should ask the right questions and understand technology interoperation with third parties to determine risk profiles.
HOST: JOE CARSON: If an organization decides to pursue a certification such as SOC or ISO, what is the best place to start and what resources are needed?
GUEST: STEVE: Start by identifying key stakeholders responsible for the effort and ensure leadership buy-in. This is a costly initiative, so weigh the value of protecting data and meeting contractual and regulatory requirements. Identify internal experts and determine where external consultants are needed.
GUEST: STEVE: Involve procurement and legal teams to understand contractual obligations and identify applicable regulatory expectations. Conduct risk assessments, define objectives, scope, and boundaries, and select the framework or frameworks to measure against.
GUEST: STEVE: Develop policies and procedures with sufficient documentation so someone with knowledge can execute processes. Implement, monitor, and test controls, maintain an incident response program, rehearse, and continuously train and raise awareness.
GUEST: STEVE: Perform regular internal and external audits and assessments. Internals are fine depending on maturity, but external independent assessments provide objective reporting. This is a continuous program that requires institutionalization.
GUEST: STEVE: External resources depend on your initiatives. Useful sources include ISACA, AICPA, ISO documentation, PCI resources, CMMC guidance, HITRUST for healthcare, SANS, and industry groups. These provide guidance, training, and certifications.
HOST: JOE CARSON: Documentation is critical for consistency and repeatability and prevents configuration mistakes that lead to incidents. Having the right people, resources, and executive sponsorship is essential. Contracts and contract management systems also help determine the effort required.
HOST: JOE CARSON: Should organizations try to do this alone or seek outside help?
GUEST: STEVE: Identify the expertise needed across legal, data privacy, controls over financial reporting, HR, technology, and operations. If you have internal expertise, leverage it and augment with external consultants where gaps exist. External specialists who operate in the space day in and day out can often navigate requirements efficiently.
GUEST: STEVE: Continuously report back to leadership and the board so they understand investment, risk, and strategy. Have the right people to deliver messages transparently without overstating risk.
HOST: JOE CARSON: Boards often request these requirements to reduce risk and increase assurance for themselves. This conversation has been educational.
GUEST: STEVE: Briefly, understand the difference between cyber compliance and cybersecurity needs. Compliance alone does not equal holistic security. Identify resources, document processes, design and operationalize controls, monitor and test, and institutionalize the program. This is a journey that evolves over time.
GUEST: STEVE: Finally, have fun. This is interesting work, and enjoying it makes a difference.
HOST: JOE CARSON: Steve, thank you for joining me today. For the audience, we'll include contact information in the show notes. Tune in every two weeks for the 401 Access Denied Podcast for more information to help your cybersecurity journey.
GUEST: STEVE: Thanks, Joe.