2024 Technology Planning/ Risk Assessments (Podcast)
Our guest host and PCG Senior Network Engineer and Security Advisor, Steve Ripper, and President Dave Hodgdon discuss the importance of 2024 technology planning and risk assessments.
Steve: Welcome to Tech Tuesday. Can all of you tell that this is not Dave Hodgdon doing this? This is Steve Ripper doing the hosting duties today. And I have Dave Hodgdon with me today. How are you today, Dave?
Dave: Excellent, Steve. Great to see a new host over in the other side of the podcast studio here at PCG.
Steve: Yeah, I’m taking over. Right. Love it. Do you get paid better when you’re the host?
Dave: When you’re the host, you always get paid more. Yes.
Steve: So today we’re going to talk about a technology and security plan, having it be tied to your business plan, and why is it vital, why do we need that?
Dave is the master of talking to customers and clients about WHY YOU NEED A PLAN. So he’s had to figure out the plan for us. He’s had to steer PCG to where we are today. And so one of the biggest things that he does is steer clients on this big picture item. So, Dave, let’s get into it a little bit.
How do you go about getting a plan? How do you put a plan in place? How do you start to get a technology and security plan together?
Dave: Fantastic, Steve. Like most businesses without a plan, you’re steering your ship, but you don’t know where you’re going into port. So the focus is to tie the business plan – your business, your financials, your goals, your sales – to where you want to take the business. Our job is [to ask] how can technology help you with that plan?
And of course with that, there’s going to be various investments you need to make, not only in your people, your resources, your building, and how security can help with that. So the first thing is you got to start with all the assets. What do I currently have in place right now?
And from that point, let’s decide what you can use, what you can’t use, and if it needs to be replaced. The key to this plan, Steve, is not just thinking 3-6-12 months, but let’s think 1-3-5 years. So as we invest in this technology in the…[Steve: So big picture, right?]
Dave: Big picture. I mean, you just want to keep this simple. Absolutely.
Steve: Yeah. So, Dave. No, that’s fantastic. So what vendors should be included? It’s easy to get into this trap of just thinking about yourself. What do I have? What do I need? But everyone has vendors, right? So what should you be thinking in that way?
Dave: The hard part is people think you want to separate your vendors. Of course you’re going to have people like us that are supporting that. But you’ve got to look at all the applications that you’re using, whether it’s on premise or the cloud.
ALL of your maintenance: you’ve got to talk to your copier folks; you need to be looking at your internet service providers; you need to be thinking about if you’re paying for people’s home Internet providers. So think about ANYTHING RELATED TO IT: hardware, software, maintenance, warranties, internet providers, cyber insurance.
Think about all the players coming in there and flush that out. Because as with any plan, there are vendors that you don’t like, and you might want to plan who to replace. So to flush them all out, I use a checklist and I go down the list. Do I like them? Are they staying in place? Are they giving me a fair value? You review their agreement with you, and it’s important that you call them on the pricing.
Steve: Yeah. And do you feel good about the security posture that they have? Do they make you pause? Do you worry about them? That’s a really big question.
Dave: That’s huge.
Steve: Yeah. And speaking of that, does security – like physical security, the security of your organization, and cybersecurity – do they need to be a part of this?
Dave: 100%, Steve. We weren’t thinking about this 5-10 years ago. Of course, maybe the firewall in its day, but as security has come around, not only is there surveillance of your building, there’s the key card access system, there’s the security to the people accessing your network.
And we all know, recently it’s all about cybersecurity. That’s not cheap anymore and that’s typically what’s not in people’s budget. That’s also going to tie back to your cyber insurance. So all those items to protect your data, to protect your business, and to protect the integrity of you and your reputation, those are all things – in order for you to stay in business and grow – that have to be part of the plan.
Steve: Sure. So there’s a lot of tools out there. There’s a lot of processes that you can be guided through. How does a RISK ASSESSMENT benefit you? How does it help you come up with this plan?
Dave: The best thing as you run a risk assessment, it shows all the gaps and vulnerabilities. And a risk assessment just isn’t about the IT, it’s about YOUR PEOPLE. It’s about your processes. It’s about how you hire, how you handle your paper.
So as you go through the risk assessment, a lot of it does tie back to technology: what do you have that’s good, what do you have that’s bad, and what needs to be replaced? And then you PRIORITIZE it. Because a risk assessment is a big project. There’s a lot of action items that come out, and you can’t do it all at once.
You have to walk before you run. And I think you can chip away at many issues – gaps and vulnerabilities [first]. [Or] let’s say you have compliance in a particular industry, you might need to address that more than other companies [do].
But baby steps. Just chip away at it, and you’ll be in good shape.
Steve: Yeah. And the thing I tell customers all the time, because I do a lot of the risk assessments, it’s an already-built list of things. Sometimes it’s really overwhelming for company owners or decision makers to be like, well, where do I start? So these lists already exist.
NIST, as an organization, has already created controls that we’re LEADING YOU THROUGH when we help you do a risk assessment. [We’re] asking you the questions that you should be thinking about:
- Do you have cyber insurance?
- Are you doing background checks on your employees?
- What are you doing with your shredded documents?
- Do you have firewalls?
- Do you have MFA?
Those lists exist already, so you don’t have to come up with them on your own. Right?
Dave: A good point on risk, Steve. I always look at the continuity that your key equipment, your servers, your firewall, those things need to be under warranty and also know what the [response time] expectation is. Is it same business day? Is it next business day? Is it within four hours?
Those are all things [that impact] your uptime. So depending on your business, you might be okay being down for a day or two, but other people can’t. That all gets flushed out in the risk assessment.
Steve: Sure. So Dave, can you just do this once and forget about it? How often are you doing it?
Dave: It’s like anything: kind of like when you’re doing investments and planning your future with your financial person or [with] your health, you’re meeting with your doctor. You need to be VIGILANT. And once you do it once, you should be reviewing it each year.
- Are we on track?
- Are we falling off somewhere?
- Did we do an acquisition of a new business?
- Is something changing in our business?
But if you’re constantly reviewing this, you’re able to guide that ship to where you want to go.
Steve: Yeah. So, I tell customers all the time. Listen, when we give you the recommendations, try to do as many as you can, but you don’t have to do all of them.
It should be a ROLLING PROCESS, where we’ve done the big ones; we’ve done the ones that we know we have to fix. We’ve got to get MFA done.
But there might be smaller ones that we’re going to work on. And when you’re doing higher level CMMC things, [you can create] a POAM, plan of action milestones, where you can write in when you’re trying to do that. It would say, ‘I’m not ready to do this now, but I have a plan. I’m going to do it in six months, I’m going to do it in a year.’ Because maybe the budget isn’t in for it now.
So you write that out, but you have a plan and you’re rolling through your security needs, right? So the last thing is what is the BIGGEST VALUE? What are you getting out of this? Do you get some sort of tangible benefit by doing this?
Dave: I think the most important part is there are NO GOTCHAs. So you flush out where we stand right now. Are we in decent shape? There are some major investments that need to happen, but it’s all really driven back to the original business plan. Where are we trying to take it? For sales, for growth, with people…and then how technology comes into it.
And if you know the budget of something there, you can PLAN for it. There’s nothing worse than having something [come up] – you need to replace your server; your infrastructure is gone – and now you’re getting a bill for $50,000 that’s not part of the plan. So if you know what’s on the table – and again, it’s similar to the risk assessment – you PRIORITIZE it. Yeah, I can try to squeeze a little bit more out of that server as the warranty’s [still] in place, but at least you have an idea what’s going on. It’s not throwing you off.
From the finance side, they LOVE having the financials of each thing. You can’t get everything done, but it’s like the wish list from my son for Christmas: you can’t get everything under the tree, but you chip away at the most important parts.
Dave: And it’s just imperative that the whole LEADERSHIP TEAM is seeing how technology is helping their business grow. You have to invest in it, and if you let this stuff go, go, and go, eventually it’s going to be a huge investment to fix it. I’m a believer in chipping away at it – you look at your assets, you just chip away quarter by quarter and that way it’s NEVER A BIG HIT. It’s on the business plan. And then both sides are HAPPY!
Steve: Yeah. I always tell customers, try not to do it via “flaming datum.” We gave away $10,000 or $80,000 in a phishing scam, so now we know we need to do MFA. Try not to do it that way! You could DO IT THIS WAY and learn ahead of time, instead of making a really expensive mistake.
Well, this has been fantastic, Dave. Thank you very much. Take care. Glad you guys were all able to join us for Tech Tuesday, and we’ll see you next time.
Dave: Fantastic.