
Podcast: Improving your cyber hygiene with Phyllis Lee

June 20, 2023
30 MIN READ

Hosts Amy Lane and Mark Tierney talk to Phyllis Lee, Vice President of Content Development at the Center for Internet Security (CIS), about her experience, how MSSPs should address security and how that relates to the infosec community, and how CIS gathers data to inform others about security events in the future.


Speaker 1 (00:03):
Welcome back to Into the Sphere. My name is Amy Lane.

Speaker 2 (00:06):
And I'm Mark Tierney.

Speaker 1 (00:07):
And we'll be your hosts as we explore various topics in the cybersecurity and IT world. Our goal is to provide you with tips, tricks, and tactics on topics circulating the cyber world. I'll even bring in some of my friends and trusted leaders to help dissect these topics. Hi, Mark.

Speaker 2 (00:21):
Hi, Amy.

Speaker 1 (00:22):
Tell us a little bit about who we have in the studio today.

Speaker 2 (00:25):
Well, Amy, today we have a very special guest with us, Phyllis Lee. Phyllis is currently the Vice President of Content Development at the Center for Internet Security, widely known by its very popular acronym, CIS. She has over 25 years of experience in information assurance, has performed vulnerability assessments, virtualization research, and worked in security automation among many other contributions to the cybersecurity universe. Prior to joining CIS, Ms. Lee worked at the National Security Agency focusing on the intersection between malware and virtualization, which included collaboration with MIT Lincoln Labs.

Speaker 1 (01:04):
Wow. Definitely quite a background. We are excited to have her here today to chat with us about these topics, and we're gonna ask her what she thinks about MSPs and how they should address security, what the biggest concerns are for those MSPs in the InfoSec space, and then of course, learn about CIS and how they gather their data to inform others about security events and how they're helping other small to medium businesses with those security controls. So, we hope you like this episode. Thanks for listening. This is Into the Sphere. Hi Phyllis. Thank you so much for taking time to talk to us today.

Speaker 3 (01:35):
Hi, Amy. Hi, Mark. Thanks for having me. It's a pleasure to be here.

Speaker 1 (01:39):
So, you have decades of experience in this space, and we are excited to talk to you, and of course, you are definitely the perfect person to talk to about these topics. So, thinking about how MSSPs should address security, what are some of those important things that they should consider when thinking about the security of their MSSP and, and protecting their, not only their own information, but their clients' information as well?

Speaker 3 (02:02):
So, this is so interesting just because I participate in a weekly webinar for Cyber Nation, and we kind of talked about this exact topic today. What's so interesting is we talked about how, you know, just three, five years ago, MSPs and MSSPs were just worried about getting the sale. And I just need to be $5 cheaper than the person down the street to now evolving with ransomware and all these, you know, and the prevalence of cybersecurity attacks to evolving to, you know what, cybersecurity needs to be a part of the conversation. We need to, number one, practice it in-house. So we always say, you know, eat your own dog food. How is it that MSPs can sell cybersecurity services when it's so many times the mentality is, oh, I need to be cheaper than the person down the street. Someone else is going to undercut me and get the sale.

(02:56):
And we really discussed, it's so important for MSPs and MSSPs to have those guiding principles. What is it that you feel is important to implement on your own enterprise? What are those security controls? How is it that you're implementing them, and how is it that you're prioritizing them? How is it that you're embodying them in your own enterprise? What kind of cybersecurity training do you do in-house? And then knowing that and being able to sell that really to turn around and really believe in that. And say to your customers, OK, I'm going to onboard you. This is what it means. These are not necessarily the tools, but the services that we believe that are necessary in today's environment for an MSP as a service provider or MSSP to provide you. I do wanna make one commentary. You know, it's so funny that people like to call themselves, or the businesses are MSPs managed service providers, and there's a distinction between MSPs.

(03:54):
MSSP is that extra S for security. And I always say, you know what, end organizations think they're getting that extra S whether or not it's in your, you know, name or not. And more and more MSPs are providing that extra S, right? And, you know, also these organizations, and we all do, even as a, you know, someone who provides cybersecurity controls, we need to learn how to speak to your customer's level. How is it that you can describe cybersecurity risk to the business risk? Right? And, you know, we talk about how organizations, the reason why an organization won't pay for cybersecurity is because we're not saying it in the right way. We are not making the right argument for organizations to really understand what does it mean to implement cybersecurity? Why is that critical to your business? Business owners know how to make business decisions and risk decisions for their business. Many business owners don't understand the cybersecurity risk to their business. And I think the number one thing we can do is, number one, believe in those controls that you have, implement them on your own network, and really understand how you can describe the importance of cybersecurity to another organization.

Speaker 1 (05:16):
Yeah, those are definitely all critical.

Speaker 2 (05:18):
Yeah, thank you, Phyllis. We love that answer, because it, it sort of resonates with how we think about things. We come, SEI Sphere comes from that world where we were heavily regulated and we have, you know, we have that already in the terms of eating your own dog food. We're consuming it every day on our side because we're protecting our own financial business and financial businesses across the spectrum of our financial organizations. But I wanted to look at it from the other direction, from the small to medium-size business. How did they look at their MSP or how they, from the business side, how can they look at that and say, OK, we are, these are the right controls. These are, how do these, whether it's metrics or, you know, they don't always have a large information security team. How can they be sure that their MSSP is following the kind of controls that CIS put together?

Speaker 3 (06:21):
Right? I think that's an excellent question, and I often get that question, and I would just outright ask your MSSP, what security framework do you implement, right? How do you implement it? How is it that, you know, how would you respond if there were an incident? Who's responsible for what? So as an MSSP is onboarding you, they should be describing to you who is responsible for what. We laugh at the shared responsibility model kind of internally at CIS because it's not a shared responsibility, it's a, you get what you pay for, right? And so, it's really understanding, you know, what an organization is doing internally and trying to break down what is it that you are getting. So, for example, if there is an incident, who's responsible for the cleanup, right?

(07:18):
How can I recover my business? How long will it take for my business to recover? How long will it take you to help me recover my business? You know, and all these other questions about if something were to happen to your business, how can you recover, right? So most organizations understand, oh, I, you know, for the IT part, I need this many workstations, I need this many servers, I need email, you know, these other services. And so now you need to think, well, what if it goes down due to a cybersecurity incident? What are those critical resources that you need in your business? And how long will it take? Or how can your service provider make sure that if there's an incident you can recover from that incident?

Speaker 1 (08:05):
It's all about the cyber hygiene of both the, not only the MSSP, but also the small to medium-sized business that the MSSP may be working with to then envelop them in that good cyber hygiene. I like that idea of really asking the detailed questions to that MSSP, right? To see what they're doing, but then also extend it into the services that they're providing that small to medium-sized business.

Speaker 2 (08:29):
Yeah. And I think it highlights the partnership more of that vendor piece, but you have to be a partner and work together being that cyber fiduciary.

Speaker 3 (08:38):
Exactly. And you know, the MSSP has to be willing to engage in that conversation. And hopefully many times the MSSP is leading that conversation. If you go into a relationship with an MSSP and they're not asking you questions about your cybersecurity, I see that as a serious red flag. I would say almost every MSSP is doing that now, and they're asking you about your cybersecurity, your cyber hygiene, what kind of security practices you have, you know, who, what other service providers you're relying on, for example, for payroll or for email, and those types of things. And you should expect those kinds of questions from your MSSP.

Speaker 1 (09:19):
Yeah, that makes sense. Because even those vendor relationships are then an extension of potential services that that business is getting from their MSSP. And that, I think that definitely helps the MSSP provide the better service or solution to those clients. I think that's really important. Right? And it can't be just done in a vacuum, right? <laugh>, it has to be, it has to be all-encompassing, and a shared responsibility like you said, but it's also, you get what you pay for. But at the same time, like you said, it's an ultimate responsibility of that provider that the small to medium business has secured for their posture. So I'm gonna switch a little bit because we really wanna know a lot about what the CIS is doing or the Center for Internet Security, and what your role there is and how, not only what you do with not only the controls, but also how you ended up there and your experience even at the NSA, all of that, that trajectory into the CIS would be a great conversation, and we'd like to learn a little bit more about that.

Speaker 3 (10:26):
Yeah, sure. So, I spent 25 years at the NSA. It was a great career there. I worked the bulk of my time on the defensive side, you know, giving out security advice, providing, you know, doing pen testing, you know, vulnerability testing, et cetera. And so, you know, when I was early on in my career, I always thought, why is it that people just don't listen to us? Why don't they just patch? Why don't, you know, here we go 30 some years later, it's the same questions over and over again. But you know, now my response, I think I'm a little more mature where I can say, you know, how is it that we can provide the tools to make it easier? Right? It's not that everyone doesn't care or everyone is so dumb and everyone's not doing it, and why can't they just listen to us?

(11:13):
You know, we have to flip that and say, what is it that, you know, the software vendors or we as you know, security practitioners, what is it that we can do to make it easier for end organizations to implement? What is it that we can do to help enable the market? And so I've kind of changed my conversation that way. You know, after 25 years, I wanted to spend some more time at home. It was a very family-friendly place, but you had to work at work <laugh> because of that environment. And so, you know, I was looking for a place where I still believed in the mission. You know, Center for Internet Security has a strong defensive mission, we're not-for-profit, which I loved. And so I knew some people who worked here. So, you know, it worked out that I was able to apply and get a position here.

(12:06):
And lo and behold, during that time, there was a pandemic and it really, you know, everything happens for a reason. I was very fortunate because then my, you know, fourth grader and sixth grader were at home on, you know, laptops all day, which I thought was funny, I was at NSA. I came home, the kids' school closed down. Yeah. For what we thought was just gonna be two weeks <laugh>, which turned into almost two years. Right. Anyway. And so, yeah, so I ended up at CIS. We are a not-for-profit, I'd like to say there are two sides of the house. We have the Multi-State Information Sharing and Analysis Center, MS-ISAC. And underneath there is also the EI-ISAC, the Elections Infrastructure ISAC. So those organizations provide threat information sharing. They provide incident response on recovery to the MS-ISAC for the SLTT: state, local, tribal and territorial governments.

(13:02):
And the EI-ISAC does that for elections. While elections are state-run, it's interesting to note that they have separate ISACs because the infrastructure is run separately. And those are fully funded by the federal government through a cooperative agreement managed by CISA, which of course falls under DHS. The other side of the house is security best practices, and that's where I work. And so, we provide free best practices to any organization that wants to consume it. So underneath me are our benchmarks, which are secure configuration guides, as well as the critical security controls. So, I used to be the head of the controls and of course the controls are our technical and procedural activities that organizations can implement on their enterprises to help defend against top threats. And so, what I love about the controls is we work hard to make them practical and really achievable.

Speaker 2 (13:59):
Phyllis, you had mentioned earlier about Covid and how that, you know, worked into what you were looking from your job and how it all of a sudden, you know, changed the way we were doing business, that it looked prompted CIS to look at things differently as well. We were already in an aggressively changing cybersecurity world, plus that was sort of an accelerant to it. And then recently you guys came out with a new version, version eight, that sort of addresses a lot of things that came about, or at least were rapidly advanced through Covid. Can you talk a little bit about version eight and some of the changes that are included there?

Speaker 3 (14:38):
Yeah, sure. So, during that time we did, as we did decide it was time to update the controls. And prior we had thought we should include cloud and mobile. However, while we are creating the controls version eight, the pandemic occurred, which even drove that home even more. And so while there still is a cloud companion guide and a mobile companion guide, we thought it was really important to try to address cloud and mobile in the main document. So when we talk about enterprise asset management, we wanna talk about cloud assets as well as your mobile assets. And you know, it was very fascinating, during that where, you know, someone had said to me, and I, and I quote it all the time, the edge of your network is at the edge of your organ is at the edge of your user's fingertips.

(15:31):
I mean, there was this wholesale move to home. We all had to figure out how everyone could work from home and everyone scrambled and we made it work, right? And you know, that really did affect, like you said, Mark, how we shaped the controls. So, in a recognition of, you know, a boundary-less network or enterprise, we reorganized the controls by activity versus by who manages them, right? So prior it was really more typical enterprise assets, and it was OK, your kind of sysadmin manages like, you know, workstations and end-user organizations and you have network admins that, they're, you know, doing routers and files, et cetera. And so we really organized by activity. So, you'll see something like audit logs is now wrapped up into one control versus you had audit logs under, you know, end-user equipment and audit logs under, you know, network equipment, et cetera.

(16:31):
And what's also interesting, by doing that, we got rid of three controls, but we added another control on service provider management, right? And again, another critical control as a nod to, or in recognition of the fact that, you know, we are getting a lot of services from third-party service providers, and we need to document them. We need to help organizations understand that, like I said, you get your payroll from over here, maybe you're doing, you know, O365 or M365 and, and you got all these different ways in which you're getting your infrastructure or other services. And so it's important to document them. And so that's why we added that service provider management control.

Speaker 2 (17:22):
Yeah. Thank you. I know we are looking forward to version eight. I know it's been released and, did a lot of new and very, very cool stuff on. I feel like you've given us, you both made it more effective, but even given us a little bit less homework, which is always a good thing cause you've reduced the overall number of controls. But I wanna go back to something you said about, you know, it's free CIS controls are free to any organizations that, to implement it. And I think, it's been so widely adopted despite it not being, you know, a regulatory mandate or not, nothing's being forced upon people. And I think that speaks to how effective it is and how easy it is to use. Can you talk a little bit about why that is? And for example, I think CIS is the only folks that prioritize, you set up, prioritize activities, or you set up, implementation groups to make it easy to work through implementations, from start to finish. Can you tell us a little bit more about those aspects of CIS controls?

Speaker 3 (18:28):
Yeah, sure. And I agree with you. When I first came here, I was like, why is it that they're such wide adoption? They aren't mandated. I came from the government where you only did something because you had to. Yeah. Right. And especially for cybersecurity, no one volunteers to, you know, for the additional overhead of implementing cybersecurity. So, you know, I really looked into why is it that people like the controls? Why does it have such wide adoption and the things that you mentioned are true? And we try to, you know, be true to those reasons why organizations like implementing the controls. And that's really part of our guiding principles that I talked about in the beginning of the podcast. Number one, they are prioritized. And so we know that an organization regardless of size, even a multimillion billion-dollar Fortune 100 company can't implement all controls all at once, you know, in a short period of time.

(19:29):
And so we are the only framework that says not everything is equally important. What we wanna do is we want to recognize that there are small medium businesses or small medium enterprises that perhaps have a low-risk profile that don't have any resources that they can dedicate to IT or cyber. And that, you know, they don't have a lot of money either to dedicate towards cyber. So, but they still are subject to many attacks. And so, someone that's not perhaps subject to a bunch of regulatory frameworks or has high-value data, we do have that also assumption for small medium businesses. What is it that those organizations really need to implement? And so that's how we came up with Implementation Group One, I Implementation Group One, or IG One, is what we refer to as essential cyber hygiene. And we expect all organizations regardless of size to start with IG One.

(20:23):
But it is more geared towards small medium businesses. And so, like those attributes that I just previously described, we hope that those organizations can find IG One a more palatable and more consumable for implementation. And all the feedback has been positive that they can. And we also wanted to make sure that when we actually provided these recommendations that organizations can still defend against top threats. So, we did the work in our community defense model to show that, the contr, the safeguards supporting safeguards, or sub-controls and IG One can defend against the top five threats as reported out by several threat reports that we looked at really globally. Another reason why we believe that people adopt the controls is that they're also, how would I say, easy, not easy to implement, but they're easier to understand and understand whether or not you implemented it successfully.

(21:24):
So, we try to make sure we have one ask per safeguard. If you were ever to read another controls framework, you have one control, but really you have to do like 10 or 15 things to support that control. And so, we have one ask per safeguard, and then we also wanna make sure that we provide the tooling that organizations, can track their implementations. So, we have the Control self-assessment tool, which is a free web app in which organizations can go in self-select IG One and just, rate themselves on how well they've implemented, implementation group one, two, or three. And you know, it's again free. And so what we've done is really listened to organizations that have asked, well, where do I start? What do I do to actually implement this control? How do I know if I implemented it successfully? How do I track my controls program? And so, we've tried to supply those tools to organizations really of all size so that they can actually answer those questions.

Speaker 2 (22:25):
I would argue that the, you make a, there's a point there too about budget and having a laid-out plan and a prioritization of these controls can also help organizations with their budgeting as well. I would think that this is super helpful, especially to small to medium-sized businesses.

Speaker 1 (22:44):
I was just gonna say too, the, the fact that the small to medium businesses can look at the controls and see why it's important to them, maybe like you said, the resources may not have the knowledge or the capabilities or even the talent that they potentially need. But then understanding why those controls are important to them I think is really important too. I was just reading through them. The other thing I saw that was interesting on the website was the mapping of different, I know you talked about certain organizations that don't necessarily have regulatory requirements, but then if they do have regulatory requirements, that mapping to certain, like the FFIEC, which SEI Sphere and or SEI is under was really interesting too, because then you're extending it even further and all of the information that you guys have gathered is mapped and available, which is awesome.

Speaker 3 (23:33):
Yeah, no, thank you for that. Yeah, so we also provide mapping to those regulatory frameworks. So many organizations including really large organizations, start with controls because of those reasons that we discussed earlier. So, IG Two, implementation group two is geared towards a medium business that has perhaps more regulations. And then, implementation group three, which includes all the controls and safeguards, is really for that mature organization. And like you said, Amy, which is why we mapped in NIST CSF, 800-171, the -53, ISO, you know, CMMC, of course, is a most recently asked one, but yeah, so we mapped to almost 30 different frameworks, just because of that. And you know, Tony Sager at my work, he calls it the fog of more <laugh> because, you know, these organizations are just buckling under the pressure of all these different regulatory frameworks as you well know, right? And so that's right. It's like, again, how is it that we can ease that burden? What is it that we can do to help organizations alleviate that pressure of 50 different auditors coming on their doorstep, <laugh>.

Speaker 1 (24:45):
On different cycles too. They're not all at the same time. Yeah. Which would be so helpful. <laugh>, Can I report this once instead of 18,000 times? Sure. That'd be great. Wait, right. Can I prove this out one time instead of the, I did see too that you guys have community, I would say, not, maybe not groups, but people that also, weigh in that they're not necessarily employees of the, of CIS, but they help get to where, maybe reviewing controls and things like that, it's almost like boots on the ground. <affirmative> people that would potentially help you. Have you had any experience with those, with those folks and what kind of resources are they to you guys?

Speaker 3 (25:21):
Oh yeah. You know, I neglected to mention that when we, when I was introducing CIS, we are all our products are consensus-based. So we get SMEs (subject matter experts) from all over the world to help contribute to our products. And so when I created, or when I led the community that created controls version eight, we had international folks, we had local folks, we had someone representing big companies, we had someone representing pen testing, we had someone representing small medium enterprises. We had, you know, just people from all over. And really our volunteer community like fuels all our products. And so I love it. And, and what we have also is a custom tool we called Workbench in which you can go and download the, you know, different work products we have and then join all the different communities that we have. Again, it's free to be a member of Workbench and we really listen to the feedback that we get in our communities. And so the, for example, the controls version eight community, people have questions like, why did you word it this way? Why is it that we, have you thought about X, or have you thought about Y? Some of them are really interesting. Some of them can get down to what does bimonthly mean? And it depends on which part of the world you're from. <laugh> 

Speaker 1 (26:41):
Interpret twice a month, they're every other one who does.

Speaker 3 (26:43):
Yeah, exactly. And so, it is interesting, in that regard. But you know, what I love about working at CIS, one of the many reasons is that we truly get to listen to the feedback from end organizations and end just users. And, and I do love that because that really shapes our products, and it really helps us provide the tools and the products that organizations need.

Speaker 1 (27:10):
That's awesome. Mark, is there anything else you wanted to ask Phyllis about the CIS or I always keep calling it the CIS, but just CIS <laugh>.

Speaker 2 (27:20):
I would like, I always like to ask an unfair question. <affirmative>. So, and a leading one, this is my unfair question, you're allowed to ask for a lawyer or not answer, but starting from zero, how long does it take to implement controls? Like what can, especially for a small to medium-sized business, what can they expect? Are we talking days, months, year, a decade? And I'd say it's unfair because there's such a large number of small every small to medium-sized business is different in its own way, and they have different resources. But can you give us a sort of a general idea of that and if, if they, that timeframe can be aided in any way by leveraging a MSSP?

Speaker 3 (28:09):
Right. So, that is an excellent question, and I can't say that I have a really excellent answer. <laugh>, What I will say is that there is a lot of overlap between a lot of the controls and supporting safeguards in essential cyber hygiene or IG one and really just the regular day-to-day management of your network. So, for example, it would be, you know, one of the, safeguards 1.1 is having an enterprise asset management policy and actually, you know, counting your assets, right? So, while maybe you don't have a policy maybe in your head, you kind of have some things that you know, you're keeping track of, it's actually documenting that policy. And then of course, actually counting your assets and making sure that what you have is what you really think you have on your network. So, a lot of the things like the software asset management and the hardware asset management, you know, and data management, hopefully data management, you know, are already kind of things that you do, but just for your day-to-day business but may not realize it and perhaps not in a formalized way where you have a policy around that.

(29:24):
So, I would say many organizations would be surprised at, how many things they already have done. Now, having said that, I would say there is a difference, excuse me, when we talk about small medium businesses, you know, there's the small mom-and-pop shop up to like, depending on which website you read 1,000 people, right? So, I'll kind of address it in a few ways. So, if you are a small mom-and-pop shop, I would expect that it would take you probably anywhere from eight months to a year to actually implement. And I would expect that it could be longer because perhaps, you know, when you have that small mom-and-pop shop, half the stuff, like do you know what multifactor authentication even is, right? Mm-hmm. <affirmative>. And so that, that is a concern and we do try to provide those tools like a whole guide to essential cyber hygiene and how you would implement it, for example, on a Windows machine, or perhaps here's some low to no cost tools for that organization, we would recommend you should go to an MSSP for cybersecurity, right?

(30:37):
And that MSSP should have already implemented IG one on their own network, quite honestly, right? These are really basic things and I would say most of my discussions with MSPs and MSSPs, the bulk of them have done the, I have implemented IG one to some level. We always say that it's an iterative process, right? So we don't expect you to be perfect right out the gate. I think an advantage we have at CIS is that there is not this fear of an auditor coming <laugh> to grade you, you know, for auditors it's pass or fail. You either get a hundred or you get a zero for CIS controls, you know, you can kind of grade yourself on a scale and improve over time. So, hopefully it's less intimidating, especially for small medium businesses now for a larger organization up to like a thousand.

(31:31):
Again, I believe many of those organizations have already implemented IG one. So, for example, we recently talked to a small city, and you know, we do have the SLTT and, and they were like, oh, we've already implemented so much of IG one. Now again, it is an iterative, iterative process where you say, oh, cities are becoming smart cities now they're like, you know, your, what is it, the parking meters? And then there's, you know, so many things that are now digital that, organizations have to take into consideration. So again, an iterative process and, and part of the advantage of actually going through the controls and actually looking at the service provider management control, I've gotten a lot of feedback is that organizations, organizations were like, oh, you know, I never, I never really, thought about the dependency that I had on this other organization.

(32:32):
So, I just recently worked with the court system and they're like, oh, we go to this database for X and then we go to this database for bankruptcy, we go to the, you know, for, you know, traffic, and this, that, and the other. And they're like, oh, is that a service provider? Yes. Because you need that for trial, right? And so you have this trust relationship with that other organization and you are getting a service from them. So, you know, what I found as well is, again, it helps inform someone's implementation of the controls where they thought they were doing pretty well, perhaps, and then they realize, oh, but I never thought about that, and so now I need to go back and rethink it. And, you know, that's fine. You don't fail. You know, everyone's, like I said, it's an iterative, iterative process. I can't say that word today. And you just continually improve over time.

Speaker 1 (33:22):
Only way is up, right? Yep. <laugh> Always striving to be better <laugh>. I think even as individuals, we'd like to think that that's our mantra too. But for sure on the security side. <laugh> Awesome. Well, I don't have anything else. Mark, do you have anything else? I know they're,

Speaker 2 (33:39):
So, for every one of our podcasters, I don't know what it's called, we, like, Amy and I like to learn a little bit about their personal life. So today we bring you a question inspired by one of the sales guys on Sphere. He starts every meeting that he hosts by asking, you know, folks what their favorite TV show is. Now his point is, he hopes, you know, you reply with, hey, Game of Thrones, then he could talk to you about Game of Thrones for the next couple hours <laugh>. But with that inspiration in mind, and for our audience, any recommendations? A TV show, TV series, what are we watching these days, Phyllis?

Speaker 3 (34:21):
Yes. So, I love K-dramas, Korean dramas. I personally am Korean American, so I love to look at the food and of course the culture, and thank goodness Netflix has a lot of K-dramas. I don't wanna plug that app, but I mean, I do love it. And so, I have to say my favorite K-drama, my favorite show of all time, is Crash Landing on You. And so I have to forewarn you that sometimes with these Korean dramas, you just kind of have to forego reality and just kind of, you know, lean into, like, the story. So just so you know, for Crash Landing on You, there's this really super wealthy woman who goes on a hang glider kind of ride to test out her, you know, she runs a clothing store, to test out the hang glider, I guess, jumpsuit or whatever. And there's a weird wind that picks up, kind of like in Wizard of Oz, and she ends up in North Korea <laugh>. Oh no.

Speaker 1 (35:26):
Oh gosh.

Speaker 3 (35:28):
You know, in the beginning,

Speaker 2 (35:31):
I, I love a good, Phyllis, we'll write one down and we're gonna watch that on our side, so, yeah. Well, I do wanna thank you so much for that answer, and for all your answers, and for taking the time to talk to us today. It has been super informative and quite frankly a pleasure. So thank you. You've given us a lot to think about. Amy, what do you think?

Speaker 1 (35:59):
I thought it was great. You're definitely entertaining Phyllis, and I love the fact that you just have so much experience and knowledge, but then the softer side is that the Korean drama comes into play, and you can, you know, enjoy those times probably with your family. I'm not sure if your kids are watching, but hopefully <laugh>

Speaker 3 (36:15):
They love too. We watched it as a family during the pandemic.

Speaker 1 (36:18):
Yeah, absolutely. That's great. I think for our audience, we like to wrap up with kind of the three things that we learned, and in looking back at our conversation, I wrote a few things down, but looking at, of course, the MSPs and how they can also use the CIS controls in their own organizations, but also helping the small to medium-sized businesses, that shared responsibility from an MSSP and the services that they are providing those small to medium businesses, as well as the resources that are available for those organizations that may not realize the framework that you provided in these controls and how, quote unquote, easy it is, but also relying on a community of people to help them implement those types of controls in their organization. And extending not only their own security posture in their own organization, but also looking at their providers, their service providers themselves. So those are the three things that I took away. Mark, did you take anything else away that you'd like to share?

Speaker 2 (37:16):
I'm good, Amy. Thank you. And thank you to our audience for tuning into this episode. As always, we are your hosts of Into the Sphere. I'm Mark Tierney.

Speaker 1 (37:25):
And I'm Amy Lane. If you have any questions or recommendations for future podcast guests, send us an email at sphere@seic.com. That's SPHERE at seic.com. Thanks again for listening to today's episode. Don't forget to subscribe or visit our website to learn more at www.seic.com forward slash sphere. Talk soon.

Speaker 4 (37:50):
The views, thoughts, and opinions expressed in this episode are the speaker's own and do not represent the views, thoughts, and opinions of SEI or SEI Sphere. The material and information presented is for general information purposes only. This episode does not imply endorsement or opposition to any specific organization, product, or service.

Phyllis Lee

VP of Content Development

Center for Internet Security (CIS)
