#522 Navigating Compliance in the AI Era: Lori Crooks on Cybersecurity and Risk Management

In this episode of The CTO Show with Mehmet, I sit down with Lori Crooks, CEO of Cadra, to explore the evolving world of compliance and cybersecurity. From FedRAMP and SOC 2 to the latest AI regulations, Lori breaks down why compliance matters, where companies often go wrong, and how startups can use compliance as a competitive advantage.
We also dive into Lori’s entrepreneurial journey as a solo founder in a male-dominated industry, her lessons learned in building Cadra, and her advice for the next generation of founders and leaders.
About Lori Crooks
Lori Crooks is the founder and CEO of Cadra, a consultancy specializing in cybersecurity compliance. With 20+ years of experience spanning government, accounting, and technology, Lori helps organizations navigate complex frameworks such as FedRAMP, SOC 2, ISO, PCI DSS, and HIPAA. Beyond compliance, she is passionate about mentoring women in cybersecurity and building the next wave of leaders in the field.
Key Takeaways
• Why compliance is more than just checking a box
• The most misunderstood aspects of frameworks like FedRAMP, SOC 2, and HIPAA
• The hidden risks of third-party vendors and supply chains
• How startups can prepare for compliance before selling to enterprise or government customers
• The role of training programs in preventing human-factor breaches
• The cultural balance between security and productivity
• How AI and automation are reshaping compliance audits and regulations
• Lori’s entrepreneurial lessons as a solo founder in cybersecurity
What You’ll Learn
Listeners will gain practical insights into:
• Building and maintaining compliance readiness year after year
• Protecting customer data as a startup or SME
• Evaluating and managing third-party vendor risks
• Implementing effective employee security awareness programs
• Understanding emerging AI compliance frameworks like ISO 42001 and NIST’s AI Cybersecurity Framework
• Finding your niche and building credibility in a competitive industry
Episode Highlights
• [00:04] Lori’s journey from accounting to cybersecurity
• [00:07] Why FedRAMP is the toughest compliance framework today
• [00:11] The ongoing nature of compliance (not a one-time project)
• [00:13] Third-party vendor risks and real-world examples
• [00:17] Security training programs that actually stick
• [00:21] Balancing compliance with company culture
• [00:23] AI and automation in compliance audits
• [00:26] Are we ready for AI regulation?
• [00:29] Data leaks, LLMs, and employee training
• [00:30] Lori’s entrepreneurial journey as a solo founder
• [00:33] Competing with Big Four consultancies by finding a niche
• [00:36] Encouraging more women in cybersecurity
• [00:38] Advice for startup founders on what not to neglect
Resources Mentioned
• Cadra – www.cadra.com
• Connect with Lori Crooks on LinkedIn: https://www.linkedin.com/in/lori-crooks/
[00:00:00]
Mehmet: Hello and welcome back to a new episode of The CTO Show with Mehmet. Today I'm very pleased to have joining me Lori Crooks. She's the CEO of Cadra. Lori, thank you very much for being here with me today. I really appreciate, as a CEO, how busy it can be. And you know, you gave [00:01:00] me the time to, to chat today. Um, you know, the way, as I was explaining to you before we started the recording, I like my guests to introduce themselves.
Tell us more about you, your journey. What brought you to be, you know, the CEO of Cadra? And, you know, just to give kind of a teaser to the audience, we're gonna talk about compliance a lot today. And this is, I think, a topic which will benefit both if you are like in a startup and trying to do, you know, your work, being ready to go and sell to enterprise and maybe government customers, or maybe if you are a veteran, uh, and you know, maybe you get like some other insights from Lori.
So Lori, again, thank you very much for being here. The floor is yours.
Lori: Thank you so much for having me today. I really appreciate it. So yeah, a little bit about myself and my organization. So Cadra, like you mentioned, we do cybersecurity compliance. Um, we help a lot of our customers get ready for their third party audits, whether it be SOC 2, FedRAMP, GovRAMP, PCI, ISO, we, we help with the full gamut, um, helping with [00:02:00] policy, procedure development, stuff like that.
So, growing up, I definitely did not want to be in cybersecurity. That's not what I had planned as a child. I thought I was going to be a doctor, um, and work in sort of the medical field. But when I got to college, I decided I didn't like biology and chemistry and all those things. So I, uh, bounced around for a while and ended up with, um, accounting.
So I actually ended up with an accounting degree and started out working for the government right after I graduated college, and went to the state of Georgia for accounting. So yeah, started there and then kind of morphed into cybersecurity from there. So it's been an interesting journey for sure.
Mehmet: Yeah. But I'm sure now you think like it's as stressful as being... Yes. Amen. Yeah. I always do this joke with people who are in cybersecurity. Like, I was working as a technology consultant at some stage. I talked to a lot of CSOs and, you know, like, uh, mm-hmm, Chief [00:03:00] Compliance Officers, you know, and I say, wow, these guys are champions.
So it's, it's, it's like a really tough job now. You know, looking back, you know, at, at this transition, I'm sure, Lori, like you had to do some shifts in, in the way you think, and especially when we talk about compliance. Of course we're gonna go into compliance in detail, but just as a journey from, you know, shifting gears and, you know, coming to something which is not easy, everyone knows.
So what is the biggest mindset shift that you thought, or you, you felt, that you needed to do?
Lori: Yeah, I think it's really just making sure that you're staying up to date with everything. Thankfully, I am one of those people that like to learn. Um, so that works out great in this industry because as everybody knows in cybersecurity, it changes from day to day, month to month.
You know, when I started out doing cybersecurity, it was physical infrastructure, and we would have to go to data [00:04:00] centers and actually audit the servers and make sure things are plugged in correctly, you know, all that kind of fun stuff. Um, and then from there, you know, shift to the cloud. And now we have AI.
And with AI that's kind of going back a little bit to data centers, because what's gotta power AI? So it's very interesting in cybersecurity and compliance, and just trying to learn how to stay on top of things. Um, and the mindset is just being open, um, and being open to learning new things, and being open to new challenges, honestly.
Mehmet: Cool. Now let's go, you know, into the, you know, the real business, what you do, right? What I like always, and to simplify things, because I was explaining to you, Lori, before, you know, I have like a different audience. Some people might be familiar with, you know, what compliance means and what standards mean.
But let's start a little bit from basics. Sure. 'Cause if, you know, I, I know like some companies, they maybe heard, yeah, like for example, especially if you are in the US and you want to, you know, have like some [00:05:00] contracts with the government, you need to have something called FedRAMP. Like if you are working with, you know, the healthcare, um, you know, institutions, you need to have HIPAA, which is, you know, for the Health Protection Act.
And, and by the way, again, it's not like only in the US. In Europe, we have the GDPR, we have a bunch of other, like, regulations. Even, you know, in some parts of the world, they started to adopt this because it's important. Now let's start with this. Why is having, you know, these compliance frameworks important in the first place, and what do you think companies usually misunderstand when they want to start?
Lori: Yeah, it's great. Um, the frameworks really are a set of rules, um, maybe a set of regulations depending on which one you are, for the organization to follow, to make sure that the data is being protected safely. Um, so as you mentioned, if you have healthcare data, you need to follow one set of standards, um, to make sure you're compliant with HIPAA; [00:06:00] bettering up, you know, something different.
But it's really about protecting the data at the end of the day. So if somebody's starting out, um, with an organization or it's a small organization and you're not sure whether you need to be compliant or not, you really need to just kind of look at the data and types of data that you have within the organization and what you're gathering from customers, um, or processing for customers and see if there are regulations and compliance standards around that.
Um, from a challenging standpoint, I feel like a lot of people just might not understand, especially when it comes to some of the governmental standards, everything that needs to go into it. They think it might be something that is very easy to get, um, a FedRAMP or a GovRAMP or something like that.
But it's really not, it takes a lot of time and effort and it takes a lot of resources, um, from your team, from other teams. Not just financial resources, but people resources as well.
Mehmet: Right now, you, you've [00:07:00] worked with a wide range of these standards, and I'm sure like each one of these, they would have, you know, their own challenges.
But what do you think is the most challenging, you know, uh, vertical that needs to, to follow? Like, which, which one of, of these would be like, you know, having the most number of certifications and, you know, and, uh, audits that you need to go through to get those certifications? Like, any specific, uh, vertical you can, uh, you can mention?
Lori: I think right now I would say FedRAMP. So anyone working with the government, excuse me, that has a product in the cloud and wants to sell to an agency, I think that right now is the hardest vertical. Um, only because you have to have a federal agency to sponsor your product, and that's where a lot of people kind of struggle.
They might have all the controls in place, but they might not be able to find an agency to sponsor them right now. Uh, it's great. [00:08:00] FedRAMP is going through a lot of changes right now, so that might change. Um, we'll find out, you know, soon, 'cause they're about to put an announcement out very soon. Um, but yeah, I would say FedRAMP, and FedRAMP is very specific about what things have to be in place, how long passwords have to be, how long you have to, you know, do inactive accounts.
So they have a lot of very specific parameters that you have to follow, versus some of the other standards are a little bit more open.
Mehmet: Now the question, Lori, that also, uh, because I discussed this with some, um, founders sometimes who are especially, you know, in the SaaS space, and they think that following, or let's say getting, you know, these certificates is like a one-time job, and then we are done.
So from an expert, let's hear it from you. How, how, how does the journey begin, and, you know, how much time and effort would these organizations need to keep, you know, putting in, so they keep their, [00:09:00] you know, certifications valid? They make sure that, you know, they, they're still on the standards. And you just mentioned, like you said, like FedRAMP would have kind of an update, and maybe, you know, we, we know like the other ones, the ISOs, the SOCs, the, you know, plenty of these, they... Yes, always they change.
So me, as someone who has, you know, the responsibility of first ensuring that when I go talk to customers that, yeah, your data is safe, it's kept private, and all this, where do I start and what does my journey look like? And especially, you know, I'm asking you to take us on this journey from, you know, maybe customers you onboard, what that onboarding looks like.
And then, you know, what, what should they expect after they get the audits done?
Lori: Sure. So it is not a short journey, as I mentioned, even for some of the smaller organizations. I'd say if you're onboarding with us, we would take time to kind of go through the [00:10:00] organization as a whole. Like I said, it really focuses on the type of data that you have.
And then we would talk about the type of compliance standards that you would have to be compliant with, um, based on the data that you have. And then from there, we would help you prepare. We, we have a lot of partners who are audit firms, CPAs for SOC, um, 3PAOs for FedRAMP. Um, we have, you know, QSA partners as well.
So depending on the type of compliance framework that the organization needs, we would pull in one of our partners to actually be the auditor. But at Cadra, we would help you kind of work through the controls that have to be in place, making sure that they are in place, and if they're not, we'd help with remediation and implementation.
We would help with the documentation and policies, procedures that are required by every framework. Um, and just make sure that they're covered there, and we would be that liaison between your organization and the auditor to make sure that your organization is answering everything correctly, we're uploading the proper evidence for the auditor, et cetera. [00:11:00]
And then from there, really, it's continuous monitoring. It's making sure the controls are staying in place, it's making sure policies and procedures are staying updated, and, unfortunately, everything has to be done on an annual basis, so the next year the auditors will come back out again. Um, but usually the second, third, fourth year, et cetera, is a little bit easier because you've already had those controls put in place.
And as long as they're still operating effectively and efficiently, then you should be okay for the following audit. It's just a matter of making sure that they're in place throughout the year.
Mehmet: Yeah, absolutely. Yeah. Now, one aspect also which some companies might have, um, confusion on is the third party risk, right?
So, mm-hmm. And as someone who kind of touched this domain, um, uh, a few years ago, uh, but I, I would like to hear it from, from your side, Lori. So, do [00:12:00] you think that organizations, they underestimate, or maybe sometimes even they don't see, these risks that come from the third party, um, you know, risk aspects, let it be maybe supply chain, let it be, I don't know, maybe other vendors they work with?
Uh, so I want you to highlight this, because I think also this is an underrated risk aspect, which can first, I would say, affect, you know, the cybersecurity hygiene of a company. Yes. And then it might affect also, you know, the compliance. So tell us a little more about this, why it's important, and to do it in early stages, before, you know, it goes out of control.
Mm-hmm.
Lori: Yeah, definitely. Third party risk is definitely something that is, I, I consider it high risk, especially if those vendors have access to your data or your network. Um, for example, the Target breach was because of a third party vendor, um, who had access to [00:13:00] something that they weren't supposed to. So third party risk is definitely important, um, and making sure that somebody is going out there and verifying that the vendors have proper access. Um, making sure, again, kind of going back to due diligence monitoring, making sure there's some sort of background check performed on them, or non-disclosure confidentiality agreements, making sure they're doing what they're supposed to be doing is also key. I recently had a small business who relied on an, um, MSSP to, you know, make sure their laptops were encrypted, antivirus was installed, and all that. And when we came in to help them prepare for an audit, we found out that the MSSP was not doing their job. Um, so nothing was encrypted, antivirus wasn't turned on.
Um, it was quite a mess, because that small business didn't know that they actually had to go out there and kind of verify that the vendor was doing what they were supposed to be doing. Um, one of the things with third party management too is asking maybe if the vendor has like a SOC [00:14:00] 2 or some sort of standard that they go and perform on their side. Um, you can review that and look through and see if they have any deficiencies, stuff like that. But it's becoming such a risk that in the latest version of NIST 800-53, Rev 5, they actually added a whole control family around supply chain risk management.
So organizations, at least, that are applying NIST 800-53 actually have to check their supply chain, um, and check their vendors on a regular basis to make sure that there are no issues.
Mehmet: Lori, you just gave an example of small businesses, and, you know, part of what I try to do in, in the show is talk about small businesses, startups as well.
So whose responsibility is that? So, you know, probably, you know, at the beginning, maybe they don't have someone who's responsible for cybersecurity, like, mm-hmm, an enterprise would have a CISO. So you mentioned like they maybe have [00:15:00] an MSSP, which is a managed security service provider, or maybe they are dealing with a virtual CISO kind of someone.
Give them the guidelines, uh, what they should focus on when they deal with their security providers, if they don't have that in-house, from a compliance perspective. Like, what are the main things you think that they should, as a business owner? Because let's say, imagine I, I have a small business, maybe I have a startup.
Uh, maybe you have like maybe less than 10 employees. So I don't really have a CISO, I don't have maybe even an IT manager, but I'm dealing with someone who's taking care of that. So what are like the main things I should ask my provider, whether it's a virtual CISO or MSSP, to take care of when, when I want to deal with them?
Lori: Yeah, great question. And one thing I wanna take a step back to is, um, we tell people to list all their vendors and then list them by the risk as well, especially for small organizations. Um, if you're using [00:16:00] a vendor that doesn't have access to anything, then you might not need to go out there and kind of do your due diligence as frequently, versus an MSSP or virtual CISO who have access to a lot of stuff, you might want to obviously check them a lot more. But we usually have our small organizations go out, or bring somebody in like myself, who can do like security questionnaires, send those out, see what that organization has in place.
As I mentioned earlier, you can gather any SOC reports or anything that the organization might already have, um, themselves, and then sometimes it's just phone calls and kind of gathering data as needed. Again, with a small organization, I know time is limited, so it's a matter of trying to maximize the questions, or the type of questions, to make sure that the vendor is doing what they're supposed to be doing. And that's where we kind of bring in that security questionnaire and send those out, um, and break things out by risk on the security questionnaire as well.
Mehmet: Great. This, this is, this is, by the way, a, a good practice also, [00:17:00] so people can, can learn. Like, maybe if they are not living in the US, they don't have access to you, Lori.
So it's good to, to have this knowledge. Now, speaking of knowledge, speaking of, you know, part of the things we see a lot is, you know, every company, small or big, uh, every vertical, over the years, you know, they were, they have been told to build kind of security training programs. So basically to tell people who work at the company, you know, about the basic things and to know how to deal.
So you've built also comprehensive training programs? As I was preparing, I, I went over the profile. Um, uh, one of the questions that always gets asked is, yeah, like, we did the training, right? So we did kind of assessments and all the other stuff. How do we make sure that this sticks with employees, right? So it's not like something we do today and maybe after two, three months, you know,
[00:18:00] we hear like there's an attack. And the reason is because that, that employee, he or she, they didn't remember how they should act. For example, when they see, I don't know, maybe a phishing link, or maybe, I don't know, they, they, um, they clicked, they took a call and they were, you know, really tricked by the bad actors.
So how can we make sure that, you know, any training program we do really sticks for as long as possible? I know it's hard. Yeah. But from your experience?
Lori: Yeah, definitely. Great question. And we really like to address this, because unfortunately, employees really are the biggest risk, you know, whether it's intentional or unintentional.
If they're not paying attention to security training, or they're just not, you know, unfortunately, remembering or thinking, you know, they might be able to divulge information that they're not supposed to. So that's where these comprehensive security training programs really come into play. Um, usually for these, we like to hit it from a few different angles and a few [00:19:00] different ways. So we will do your basic security awareness training, usually upon hire, um, and then annually. And then on top of that, we'll maybe do like monthly bulletins. Um, a lot of organizations now have started, um, monthly phishing campaigns, where they're actually going out there and testing the employees to see whether they are clicking on the phishing link, um, or not. And if they are clicking on the phishing link, then they know that employee needs to go through additional training. Um, also posters. I know it's a little bit different with everybody virtual, but maybe like banners. Again, just reminders in different ways to be able to have the employees remember: don't click on links that you're not supposed to, don't share your passwords, just basic training like that. And then every October is actually security awareness month, um, which I think this podcast is coming out probably sometime around October-ish. So we like to do a lot of different things around that month as well.
Making sure that, again, there's, [00:20:00] you know, town halls, maybe going through security stuff, sending out various emails. Any of the security training programs can also be gamified right now. Um, and then we also have some organizations that will send, you know, just like quick 30-second, one-minute, like, training videos that look more like kind of a cartoon.
Again, just as a reminder. So I think a comprehensive security awareness training program is really layered with a whole bunch of different things to catch everyone's attention and keep it top of mind.
Mehmet: Great. Another thing which I'm curious to know your opinion about, Lori, and you know, it's, it's an old debate.
Like, the more we have these policies, the more we have these, uh, let's call it paperwork, yeah, and, you know, sometimes like extra effort, people tend to complain, and then they start to say, oh, like, this is affecting my productivity. Uh, I don't want to change my password every, I don't know how long. Right. Like, yeah.
And sometimes even, I very rarely have seen it, but I've [00:21:00] heard about even some situations where someone took it personally: oh, you don't trust me, right? Like, yeah, why, why, why are you asking me this? So what have you seen working, um, you know, in, in making sure that taking care of the compliance, taking care of having the right security measures, doesn't slow us down and doesn't affect, on, on, on the company culture overall, I would say?
Lori: Great question, and I think some of it too just depends on the company culture. We find organizations that take security awareness, um, and compliance seriously, from the top down to the bottom, usually have fewer people who are complaining about things, because they understand how important it is within the organization, especially if the CEOs and the CTOs and stuff are promoting it throughout the organization and they understand how important it is. Usually if it's not top down, it's a little bit harder. But yeah, usually when, um, organizations have those types of issues where people are complaining [00:22:00] on a regular basis, we kind of take a step back and see if there is anything alternative that we can put into place. Um, you mentioned passwords. Well, NIST recently came out with them in the last couple of years, basically saying that you could change your password policy.
Where, as long as you have a passphrase, which is a long password, like "I love my dog" exclamation point, um, where it's a certain amount of characters, you actually don't have to change it as much. And so it's a matter of kind of reviewing what people are complaining about and seeing if there are alternatives in the space where you can still meet the control, but maybe do it in a different way.
And we call that a compensating control in the compliance world.
Mehmet: A great, uh, perspective, I would say, Lori, of course. You know, I, I think since I started the podcast, and my, like, I started almost the same time ChatGPT came out. So it was kind of an imperative for me to ask about AI. But, you know, joke aside, uh, [00:23:00] how have you seen the role?
Not only AI, AI has been there for a long time with us, I know, but I mean the new generation of AI, like ChatGPT and other tools, generative AI and automation. Because I know, like, I always stress, like, it's not only AI, it's always AI and automation. How have you seen this, uh, easing, I would say, um, compliance audits?
Uh, or is it something we need to still wait to, to see how, how it's gonna shape over time? Have you seen any change since these tools came out?
Lori: A little bit. I've seen some of the GRC tools try to start implementing AI on their side where it's helping gather evidence or kind of reviewing evidence from a kind of high level to make sure that it is meeting the control.
And I've also seen it kind of help with some of the policy and procedure development as well. I always caution people, though, if you're using AI right now, even though it's [00:24:00] spitting great information out, you still have to have somebody go review it to make sure that it's accurate. Um, I just, from an example that I've used, I tried to create a policy based on NIST 800-53, and it did a good job, but also it had like wrong controls in place and wrong headings for some of the controls.
So it's not always a hundred percent accurate. So you might be able to use it to gain efficiencies, but just make sure that you're checking to make sure that what it's providing back is accurate.
Mehmet: Lori, another, uh, thing, which I'm not sure if you started to see now: uh, we started to see AI acts and, uh, you know, regulation for AI.
Do you think we are ready, or are we gonna still wait for some time before we... because these regulations are, you know, like, the technology itself is still emerging. So do you think we are really ready to have a standard? Like, for example, again, I'm, I'm, and I'm getting the excuse from, from my, uh, um, you know, from my audience, [00:25:00] because I'm going a little bit technical today.
Let's say for banks, you know, everyone, I think even any normal person has seen PCI DSS before, like the word, which is the compliance for banks or any financial institution, which is basically you need to keep the data secure, safe, you know, it's not tampered with. Same thing for HIPAA, for the healthcare, and so on.
Mm-hmm. Now with AI, and, and of course, like, these, uh, standards and regulations evolved over time, and kind of they are like not changing every, let's say, couple of months; they change every couple of years. Now, AI itself is changing so fast. So do you think we are ready to really put these regulations and frameworks now, or for the time being we still stick with whatever vertical we are in and we make sure that AI is compliant with these regulations? How are you seeing, you know, the AI regulation space going?
Lori: Yeah, interesting. There are actually [00:26:00] a couple of new AI frameworks out there that I've seen a couple of my organizations starting to implement. ISO has 42001, um, and then NIST has an AI, um, cybersecurity framework, um, as well. And so I've seen organizations kind of do their regular PCI, HIPAA, NIST and then pair it with, um, one of those ISO or NIST standards for AI, especially the larger organizations, because they know their employees are using it.
Um, but they wanna make sure it's somewhat regulated, uh, especially from a security compliance standpoint. You don't want your employees putting sensitive information into AI, because you don't know where it's going, um, on the back end of it, unless they're using like an enterprise version or something where, you know, you're not using that data for training.
So we definitely, you know, prefer people to pair it with one of the AI frameworks that they can. And then, like you said, PCI, HIPAA, I think they're gonna eventually catch up, but they're just not there yet, because it does take a while to kind of get those updates, go through the [00:27:00] drafts and get them published, um, from start to finish to get a new version out.
Mehmet: Yeah. Funny enough, before I came to record this episode with you, Lori, like, I was talking to a friend and we were just discussing the same thing, because, uh, he, he was talking to, to some founders, AI founders of course. Mm-hmm. They are very excited. The thing that, you know, came to discussion is about data that can be leaked, let's say.
I would not call it legitimate, but, you know, coming out of ignorance. So maybe I would go, we are not a public company, and I go, for example, as a financial analyst within the company and say, hey, like, last quarter we did this, and you know, we are projecting that. And then I put it in ChatGPT, Gemini, you know?
Mm-hmm. Claude. You know, and of course like a DLP, you know, which is like data, uh, uh, loss prevention, uh, data leak prevention systems, usually they would be able to detect it if you are like getting a file outside of the [00:28:00] organization, you're trying to access like something, right? But this, I'm sitting at home, right?
I'm not on the company network, and I go open ChatGPT, which no one can tell me, no, you're not allowed to. And I, and I put these things in, and, and you know, this is where, you know, we, we are seeing kind of a, I would call it unclearness, if, if, if the term is correct, or like a little bit kind of, people are lost.
Like, what should we do? And I, and this is maybe back to, um, uh, to the training and, and all the things. So do you think also this part should be part of the trainings that we give to employees? That, hey, don't put sensitive data in your LLM, right? Yes,
Lori: definitely. Yeah. It's really important right now to update that, those trainings, to make sure AI is, you know, included. Like you said, there has to be some sort of safe use for it. Don't put company financials in, don't put company sensitive information in, [00:29:00] because again, we don't know what, where it's going on the back end and where it might turn back up. You know, because a lot of this is being used for training, um, purposes, and it might be, it might end up somewhere it's not supposed to be.
Mehmet: Great. Now I'm gonna shift gears a little bit, Lori, and ask you about your entrepreneurial journey. And you're a solo founder, which I know from myself, it's not easy. No. Uh, but to your, to your, you know, um, you know, if now, when, when you go and look back since you started it, what do you think the, the biggest surprise is that you've figured out and you didn't know about before?
Really, um, being an entrepreneur, and especially in a, and let's be honest about it, in a male-dominated field like cybersecurity.
Lori: Yeah, there's a lot I can say on that, please. But yeah, I, I would say I, I've been in the industry probably about eight years now. Um, well, not the industry. I've been in the [00:30:00] industry 20 years, but I've owned Cadra for eight years now.
So, um. I've learned so much about myself through the process as well. Like I always knew I didn't wanna report to somebody. I am not somebody who likes to be micromanaged. Like I, I knew after a couple of losses, I'm like, I'm done. I'm out. I, I need to do this myself. But. It's not just doing the work, it's learning.
You have to learn sales. I am spending a lot of time with somebody now learning how to maximize the efficiency on my CRM. I have to do the marketing. I have to do the networking. You know, it's so many hats as a solopreneur. Um, and I have a small team with me, but it's still always lands on me right now.
So it's been a, it is been a learning journey. I've grown, like I said, personally a lot, and it takes a lot for me to put myself out there, especially. In a room full of males, um, to be like, Hey, I'm here. I own my own organization as well. Let me help you, um, and bring those kind of people in to help me or bring in those [00:31:00] where I can help them on, uh, an organization side or client side.
Mehmet: I'm not sure. Also, Lori, if maybe, I'm sure you face it. I'm not sure if you still face it till today, especially in, you know, in technology in general and when you go and wear your. Advisory slash consultancy hat and people, they ask you, okay. Like, how big is your company? Okay. I'm a solo founder. Mm-hmm.
Versus, you know, you know, without mentioning the names, but people would guess and that Yeah. I can actually mention like the, the big four they have mm-hmm. Right. Like some, some practices for cybersecurity. So did, did you. Feel at some stage. Oh, like it's a challenge. I would not be able like to, to compete there.
Or actually you find your own niche, right? And then you said, okay, let me focus on this. I will build, you know, my, my, my base there and then I can go and target like bigger customers if you can share this, you know, and the shift of the [00:32:00] mindset, because I believe this is, would be so inspiring for fellow solopreneurs and entrepreneurs.
Lori: Yeah, definitely. Um, I would say both. I definitely am intimidated by the big four, but I also know there's no way I'm gonna compete with them right now. Um, so I actually feel like I found my niche. With some of the FedRAMP documentation, um, I was finding that people didn't know how to write those system security plans for FedRAMP.
They didn't understand all the, how the controls had to be implemented for FedRAMP. So I kind of found a little niche there where I was working directly for a lot of DOD customers, um, or contractors and those SaaS companies that were selling to the federal agencies, um, kind of writing and doing that documentation, helping them get ready, and they were able to work with me versus a larger company because, you know, price, but also because we are.
Uh, smaller. So we are nimble, we are quicker, we can kind of get this stuff out and we have the time to spend with the client as quickly as they usually need it. [00:33:00] It's been a learning journey though, kind of with that niche, especially going back to AI, we're finding not as many people need those documentation services.
So now I'm happy to figure out, okay, where can I pivot my organization and use AI either as a tool or find another little niche where I can compete, you know, with some of those. Slightly larger organizations, um, versus just the big organizations. So it. Going back to the beginning, it's always learning in cybersecurity and owning a business.
Mehmet: It's its own. Yeah. So this is a, we all, you know, maybe I'm repeating ourselves, at least be, you know, it's, it's, it's a journey. It's not like a static thing. And Yes. Especially in a field like cybersecurity where things change on a daily basis even sometimes. Yeah. Uh, but I like this mindset, Lori, like, you know how you find your niche, right?
So, so this is the main thing, and always I tell people like, I'm sure you are. Excellent. In maybe one small thing, work on it and then [00:34:00] go and try to, because you know, I've seen people who do this mistake, they try to do everything at the same time, although they are good. Even excellent. But because they're trying to, to focus on multiple things, they not fail, but you know, like they, they suffer, uh, finding clients fast and, you know, closing deals faster.
So, looks like you, you find this balance of focusing on one thing and then, you know, expanding it to, to the rest Now. Uh, maybe also like a question as an opinion here, um, again, to the point that we don't see a lot of women in cybersecurity. Do you think that although, like in the recent years and I had some guests even on mm-hmm.
On the show, even founders, uh, for, for some, uh, like great names, um. But, but what we can do more to encourage more women to be like, I'm, I'm, I'm, I'm happy to see like more women in tech in general, but to have women in cybersecurity, at least, I can tell you here in, in, in Dubai and in the Middle East where I am, I started to see [00:35:00] recruiters in cybersecurity who are women, and they do perfectly good.
They understand, you know, the ins and outs when they talk to vendors, they talk their language. But to have like more, I don't know, people like yourself, who, who, who are consultants, advisors or maybe. Uh, who works hands-on experience, like I didn't see much. For example, SOC managers, I didn't see much, you know, MSSP except maybe one or two even.
They were, uh, my guests on the show. How we can encourage more women to be in this. And I'm asking you this story because I know women, they are, you know, they will be more passionate about this because it needs details and women are better than men in this. So how we can encourage more people and letting them forget about the stressful part.
Lori: Yes. Um, I would say, honestly, I think we have to start young too. I, I think it's important. I have a couple nieces, I have a couple of the goddaughters. Um, it's important to kind of show these younger girls that it is possible to be in the STEM cybersecurity, [00:36:00] and there are role models out there that can do it.
Um, and then kind of from that too, I would say there are organizations out there. There is one at least in the US called Women in Cybersecurity, where I actually mentor some of the younger women through that program, um, and help them kind of find their spot and role in cybersecurity. So I, that's definitely one of my passions is trying to help other women in this space feel comfortable in this space because again, I have been in it for so long and I want other women in there too.
It's, it's not always easy, like I said, walking into a room and you're like one of. Three women in a room of a hundred, you know, people. So I definitely wanna encourage other women to know that it is possible to go out there. It is possible to do it. And cybersecurity is, it's interesting, it's great to learn.
You know, there the world is your oyster basically. Once you're in this, once you're in this industry, you can do technical, you can do compliance, you can, you know, just do advisory services. There are so [00:37:00] many different. I would say areas in cybersecurity that, um, women can find themselves depending on what they wanna do as well.
Mehmet: Yeah. In general, as you mentioned, and this is the real, you know, regardless of, of the gender, this is in, you know, the cybersecurity domain is so big that you can specialize in multiple things. And by the way, Lori, I think it's the first time I discuss with a guest. The compliance part, like we talked about many other aspects in cybersecurity.
And uh, you know, the chance is, is to meet you today and, and, and discuss this because again, I want to stress that this is important, especially if you are a startup. Uh, and to your point, Lori, if they gonna go for this, like bigger customers, they're gonna ask you about your, okay, show us your FedRAMP. If you're working with government, show us your SOC 2.
Show us like. Your, uh, ISOs, and this is where I think you, Lori, would come and, and help them, uh, uh, you know, in, in getting in shape and prepare for [00:38:00] that. Now as we are almost close, uh, to, to to, to the end, if you want to advise mainly founders, because I, I like to, to give them newer generation advices, not only from me, from my guests.
Mm-hmm. Um, what areas. Whether it's cybersecurity or not, you advise them to really not neglect at all. At all costs.
Lori: I think it comes down to protecting the data, um, of your customers. I think that would be the, it would. Ruin the business if you lost share data, um, your customer's data. So whether that be making sure proper access controls are in place, making sure that data's encrypted, making sure it's limited to only specific personnel.
Make sure that there is protection around that data where that data's not gonna be compromised. I think that's really where you need to start. And. Any of the cybersecurity frameworks that [00:39:00] you look at are going to talk about that anyways, so as long as you start putting controls in there to protect that data, I think that's where you really need to start, and then you can grow from there.
Mehmet: Great. Finally, Lori, where people can get in touch and if they want to learn more about your services.
Lori: Sure. Um, they can go to my website, um, Cadra, C-A-D-R-A dot com. Um, I'm also on LinkedIn. Uh, we do a lot of posts there, so I would say one of those two places. You can schedule a call with me, learn more about what we do, and I'd be happy to talk to anybody who reaches out.
Mehmet: Great. Again, thank you so much, Lori, for being here with me today. I really appreciate the time. I appreciate also the information you shared, the hints you shared, and also the lessons you shared with us today. For the audience, they don't have to look for the links or, you know, rewind or do anything. So everything will be in the show notes, uh, Lori's
LinkedIn profile and the company website will be available in the show [00:40:00] notes if you're listening on your favorite podcasting app. If you are watching this on YouTube, you'll find that in the description. And again, Lori, thank you very, very, very much for the time and this is how I usually...
Lori: My pleasure.
Mehmet: This is how usually I end my uh, episodes. And this is for the audience if you just discovered us by luck. Thank you for passing by. I hope you enjoyed it. If you did, so please do me a favor, subscribe, share it with your friends and colleagues, and if you are one of the people who keeps coming again and again, thank you very much for the support.
Thank you very much for the encouragement, for the messages. Believe me, I read every single message you send me. And I would love to thank everyone for supporting me during the book launch, which happened last month. I really appreciate your support. From Nowhere to Next is available on all, uh, you know, uh, platforms, mainly on Amazon if you want to order it.
And thank you for also keeping the show since Feb or March this year, till today. We are. Always [00:41:00] in one country's top 200 chart on the Apple Podcast platform. So we never missed any week not being in the top 200 chart and actually in the top. 50, I can say in one of the countries, it keeps changing. I'm still waiting for my audience in the US to give us like little bit, you know, the push to get in the US.
I know it's the most competitive, but thank you very much for all you know, the support. It can't happen without you and this podcast exists because of you. So thank you very much, and as I say, always we'll meet again in a new episode very soon. Thank you. Bye-bye.