We were fortunate to get an hour with Ray Espinoza, Director of Security at the Pentest as a Service company Cobalt.io, as he joined our very own CISO, Lenny Zeltser, for an informal Q&A yesterday. We've highlighted a few big ideas here, but you'll want to catch the entire webinar, available on-demand, for all the valuable insights and discussion.
The Journey to Cobalt
Ray’s career path stemmed from the client side of Cobalt, which undoubtedly eased his integration and shortened the learning curve. But even more importantly, he explained that it was a culture match, “I felt that the CEO, the co-founders, all of the folks that they hired were just high caliber folks, really honest, really transparent. And I love the way that they do business.”
Lenny added, “That’s probably the best way to join a company, because it lowers the risk of being surprised in an unpleasant way.” Ray’s advice? Be open to opportunities, if you are lucky it might find you, but don’t be afraid to spot something and pursue it.
There is a lot of unpredictability in the CISO world. Even so, the day-to-day is routinely filled with complex security pressures: compliance, audits, cyber attacks, staffing, IoT, BYOD, company financials, resource allocation, and far more than we could list here.
One of Ray's priorities is completing the SOC 2 Type 1 audit. System and Organization Controls (SOC) 2 is an attestation framework developed by the American Institute of CPAs (AICPA). It is designed to give assurance that a third-party service organization manages customer data securely and protects the interests and privacy of its clients, and it evaluates the organization's controls against the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
Ray explained, “Type 1 is a point in time audit. It looks to see if you have all of these controls, policies and everything in place today. And if so, fantastic.” It doesn’t stop there. Ray continued, “When we go for our SOC Type 2 in nine to 12 months, it’s now, ‘Are you doing all those things that you showed us during the Type 1 on a recurring basis?’ We’re really looking forward to getting over this first hurdle, but we know that the real work is just beginning.”
These attestation reports will help provide confidence and peace of mind for organizations contemplating an engagement with Cobalt.
Why SOC 2 versus ISO 27001?
Inquiring minds want to know. Lenny asked, "Why didn't you pick the ISO 27001 standard? It's a set of controls that the auditor reviews and sees if you're compliant with the expected state of those controls."
Ray's plans do include ISO 27001, with a targeted completion by the end of 2020 or early 2021. With the majority of Cobalt's business currently in the U.S., SOC 2 makes more sense right now. He explained, "It's a quick win with a certificate in hand within three to four months of real work that we can use to help build some trust with our customers and new prospects." The challenge is real, he added, "All of our international customers are asking us about ISO 27001 and so we're trying to manage those expectations around how quickly we can deliver to that framework and where we are currently."
Ray uses Tugboat Logic, a commercial GRC platform, to manage the individual controls and map them to the different compliance frameworks. That way, all of the work done to date for SOC 2 can be reused against the controls that ISO 27001 or any other future standard will require, rather than starting from scratch for each audit.
Lenny shared, “Now that I’m in a role of a CISO having to document my controls, having to deal with auditors, demonstrate evidence of compliance to keep track of various projects and not just what we’re doing but why we’re doing this, I find myself overwhelmed with tracking all of the information without having a tool like the one that you described.”
CISO – where the “S” is sometimes Sales
We learned that communication and a bit of good salesmanship are pivotal for Ray’s success in his role. He starts with getting buy-in and setting expectations with all stakeholders, selling why security is important. In the case of the upcoming audit he explained, “Early on I try to manage expectations and really help others understand what the value is that a SOC 2 audit will bring to Cobalt overall as a business. Next, I help them understand the level of effort that we would expect from their team.” Continuous communication and updates help to keep everyone on the same page and moving in the same direction: forward. Therein lies the foundation of the Cobalt culture of transparency.
He elaborated, “Internally, our co-founders have set a fantastic expectation that no team should operate in a vacuum. I really want to help folks understand my perspective, why I believe the items that we’re going to focus on are the priorities, and what risks do they address and what are we building towards? So I really help bring them along on the journey with me.” For those without such a supportive environment, he advised that it takes a lot of elbow grease and a lot more one-on-one conversations. But, you still have to manage expectations and build some accountability on both sides.
It also helps to keep it simple. Here’s how Ray positioned the SOC initiative:
"An audit allows you to gain trust of your customers, close deals faster. You're more likely to close larger enterprise deals where the customer's likely to subject you to a lot of scrutiny. And, having a third party audit just cuts a lot of that time out, less risk introduced into deal closing due to security concerns."
Ray Espinoza, Director of Security at Cobalt.io
Don’t miss the entire discussion between Lenny Zeltser and Ray Espinoza as they explore Life as a CISO. Listen to the fascinating webinar on-demand for complete interview topics and insights:
- The CISO evolution — from techie, to talkie, to business leader
- How to improve your communication skills to share ideas and get buy-in from your stakeholders
- A closer look at SOC 2 Type 1 versus Type 2
- What to do when promised resources fail to deliver due to other priorities
- How stress is affecting CISOs – medication and alcohol use
- Understanding and conveying the value of security
- Pros and cons for CISOs who work for security vendors
- The ABC’s of Pentesting and Crowdsourcing
- Finding the right mentor
Lenny Zeltser is CISO at Axonius. Prior to joining Axonius, Lenny led security product management at Minerva Labs and NCR. He is also a senior instructor at SANS Institute and serves on its board of directors.
Ray Espinoza is the Director of Security at Cobalt.io. He has 20+ years of technology experience and more than 12 years in information security. Prior to Cobalt, Ray drove third party cloud security across Amazon’s retail business. He also held VP and CISO roles with Atmosera and Proofpoint as well as various security leadership positions at Workday, Cisco Systems and eBay.