Welcome to another episode of Hitchhiker’s Guide to IT podcast brought to you by Device42. On this show we explore the ins and outs of modern IT management in the infinite expanse of its universe. Whether you’re an expert in the data center or cloud or just someone interested in the latest trends in IT technology, the Hitchhiker’s Guide to IT is your go-to source for all things IT. So buckle up and get ready to explore the ever-changing landscape of modern IT management. 

(Host: Michelle Dawn Mooney)

Hello and welcome to the Hitchhiker’s Guide to IT, a podcast brought to you by Device42. I’m your host, Michelle Dawn Mooney, and today we’re talking about vendor management and cybersecurity. And we have a great guest for that conversation. Thomas T.J. Johnson is a national leader of cybersecurity at BDO Digital. He has been in security leadership for more than 20 years and is responsible for the teams that deliver security solutions to BDO customers. Thomas T.J. Johnson, or I’ll probably call you T.J. for most of this podcast. Thanks for joining me today. 

(Guest: Thomas TJ Johnson)

No, of course. Thanks for having me. I appreciate it. I go by T.J. A long story. Basically Tom Jr. So that kind of helped that out. 

(Host: Michelle Dawn Mooney)

So T.J., we heard a little bit about what you do. Can you give us more of a background just kind of what your role is with BDO?

(Guest: Thomas TJ Johnson)

Sure. So, you know, I did get started on the technology side really way before cyber was really the term. It was more, you know, IT. And I was working for a bank and computer networking, network engineer. And I was like the firewall guy. So that kind of really started my cyber career in the 90s. And from there, it really just started to morph into some of the compliance stuff that started coming down to banks and IT. And it’s that’s really kind of how I started into getting into the governance side of IT and then, you know, what eventually emerged as cyber. So fast forward a bunch of years, probably more than 20. If you did the math from the 90s, I am now leading our cybersecurity practices at BDO Digital. And I have responsibility for our U.S. market. So what that means is I’ve got responsibility for what we’re delivering from a cybersecurity standpoint, whether it be governance, risk, compliance, or even some of the technical implementations that happen that we can do for our customers. So it’s pretty exciting times. 

(Host: Michelle Dawn Mooney)

Yeah, absolutely. So let’s dive into the questions. Now, when you think of cybersecurity, I don’t think vendor management necessarily pops right up there at the forefront. So what’s really driving this conversation when it comes to vendor management and related to security? 

(Guest: Thomas TJ Johnson)

You know, it’s interesting you say that. I’m accused of talking about cybersecurity that has nothing to do with technology. And it’s like this, I teach at a college here in Chicago and I mostly teach the courses that aren’t technology aligned. And what that means is I’ve got disaster recovery and business continuity. And then we talk about vendor management, too, which, interestingly enough, it’s an important aspect of cybersecurity as well as, you know, some other non-technical stuff, kind of like making sure that people don’t click on links, for example. There’s no technical aspect to that. And we’ve really decided that in the cyber community that education is the key when it comes to getting your employees not to click on links. And that’s like not technical either. So, but as far as the vendor management piece is concerned, I think it’s a super critical component, especially when organizations are looking at migrating workloads to the cloud or using a service provider to be able to provide services, IT services to the organization. There are a number of aspects of managing that vendor relationship and a couple of things that we need to keep in mind as cyber leaders or even technology leaders, that we need to understand where responsibilities lie and where some of the risks are. Some of the misnomers of using a vendor are that, hey, we can like forklift these workloads and put them in the cloud. We don’t have to worry about it anymore. We just transferred risk. And while that might be true in some cases, there are still some aspects that we need to kind of consider when we’re working with vendors. 

(Host: Michelle Dawn Mooney)

So you mentioned the cloud and it’s huge, literally and figuratively when you think of the name and then while we’re talking about real clouds and how they got that name. So let’s talk about what is the IT team’s responsibility and a cloud vendor’s responsibility when it comes to cloud security? 

(Guest: Thomas TJ Johnson)

Now, that’s a great question. And like I alluded to before, it’s, you know, as far as responsibilities are concerned, we really need to understand what that looks like. And I think it starts with the contract and maybe a responsibilities document or maybe a responsibilities matrix that gets established when you do engage with a cloud services provider. So there are some misnomers that, you know, this cloud service provider, they’re PCI compliant. We should be able to just like take our workload and put it up there. We don’t have to worry about the PCI aspect. That is entirely not true. There are certain responsibilities that you as an IT service provider or as a consumer of cloud services have to do in order to actually meet that PCI compliance requirement, for example. So that’s like one example. And, you know, I’d like to really reiterate the fact that as a consumer of cloud services, you really need to understand what that language looks like, what that contractual component looks like. And I think, when organizations look at moving things to the cloud, there are some really interesting things that exist in the cloud services model or even software as a service that give you a ton of capabilities. And some of those capabilities really kind of are within, I’d say some of those capabilities exist that are not available to folks or at least it’s going to be really expensive for the on-prem folks. So when you do migrate workloads to the cloud, you need to understand that some of these services might not be by default enabled. Some of the things that are offered to consumers of cloud services might need to be configured in a certain way. And some of the things that come to mind are like MFA, for example. I know that Microsoft Office 365 and M365, they’re trying to like push users to enforce MFA. But, you know, for example, that was an option that needed to be enabled. And, you know, that’s kind of disruptive too when you do enable an option like that. Another good example is DLP or Day-Loss Prevention. That is available in, you know, a lot of cloud services models, Office 365, for example. That’s got to be configured. And that’s not an easy configuration. You don’t just really click the turn it on box. And in some cases, you might think that is the case. For example, Office 365 gives you the ability to manage and monitor what happens when somebody tries to send out things with Social Security numbers on it or Visa bin numbers or MasterCard. But you really need to understand what we’re going to do with that. Are we just going to report that that happened? Are we going to block those? Are we going to encrypt them? So there’s like a lot of thought that really needs to go into what we’re going to do with the cloud when we do migrate. 

(Host: Michelle Dawn Mooney)

So you mentioned there’s a lot of thought. And, you know, obviously, you can put out what needs to be done. But getting them done and trying to figure out how to do that can be a little difficult. So let’s dive a little deeper. What are the top things listeners should know about or maybe actions they should take now? Is there a roadmap, so to speak, to follow? 

(Guest: Thomas TJ Johnson)

No, there’s a couple of entities out there that have certain roadmaps. But I think as far as like, keeping it simple, you know, just engaging with the cloud services company and understanding what those responsibilities are and what the cloud services company is responsible for and what you are responsible for. You know, there are certain aspects of the cloud that are really intriguing and interesting, especially, I teach a disaster recovery class. And I said the coolest thing that ever happened to disaster recovery was the cloud, because you can utilize cloud services on demand and you really just pay for what you use. And because of that, we need to really figure out how we’re going to use those cloud services. It seems like it’s super easy, but we really need to understand how that’s going to affect our applications, how we’re going to be able to operate in that disaster recovery model and things like that. So understanding what the cloud company is going to do, what you have to do is really paramount and key. Digesting the contract too from a service level standpoint is also a key and I think it’s really important to understand what the service levels are that you’re expecting or you should be expecting. And then understanding the security configuration, what you’re accountable for, because you as the consumer of services are still accountable. You have to turn on those services. You have to turn on MFA. You have to configure. You have to turn on DLP. Also, when it comes to migrating to the cloud, you really need to understand whether your applications can handle that. If you’re going to do a lift and shift where you have a virtual server and you’re going to move a virtual server from on-prem to cloud, is that really going to work in that new cloud environment? Or are you going to move that workload to a software as a service model? You need to know that the application is going to continue to work properly. And then we also have a little bit more of a difficult challenge, which is when we’re talking about multi-cloud. So if you have assets in AWS and Azure, identity and access management becomes a little bit of a challenge. But trying to figure out how you can manage that and putting some thought into how you’re going to manage identity and access management between the clouds and maybe having a centralized database or maybe using a third-party tool to manage that is the key. I come across a lot of organizations that continue to have that a little bit separated. You’ve got credentials for AWS. You have credentials for Azure. And then some people even have GCP with some workloads there, whether it be Gmail or some of the other G products. 

(Host: Michelle Dawn Mooney)

We’ve covered a lot of territory, but any final thoughts you want to add as we close things up here? 

(Guest: Thomas TJ Johnson)

As far as final thoughts, I think really just understanding and documenting your critical vendors. I see that as a gap quite often. And everybody says, well, we know who our critical vendors are. And in some cases that might be true, but that really needs to be documented. We really need to understand what their risk is, what kind of data they have, what aspect of the applications and data they are managing, how they’re managing it, whether there is any fourth-party interaction. And that’s going to become more and more of a term that is going to be used, which is what vendor is my vendor using. So understanding that, documenting it. I think that’s key because documenting that really kind of puts pen to paper and gives you an idea to visualize, all right, what do we have? Who’s got our data? What are they doing with it? What services are we using? And then once we have that down, I think we really need to risk rate our bidders. Who’s doing the most critical things for us? And that kind of really dovetails into the conversation. Are we able to operate with them going down? What happens if they’re not able to meet their service level? What happens if they have an outage? Are we going to be able to operate properly? And then, do we have response plans that help us determine how we’re going to operate with vendor non-performance? If they’re not able to meet their obligations for some reason or they have an outage, do we have a backdoor? Do we have something supplemental we can use? How are we going to operate? Do we have response plans to help our employees figure out what they’re going to do? How they’re going to talk to their customers? Things like that. 

And then I think the last thing is understanding where the gaps in the vendor and client relationship are. Once we start documenting all of this, it usually becomes pretty clear where there are some gaps. It’s like, oh, wow, I didn’t realize that our vendor wasn’t doing that for us. I thought they were going to do that for us. Or I thought the service was turned on. We actually have to turn on that service and we have to configure it. So understanding what that looks like is going to be critical, too. 

(Host: Michelle Dawn Mooney)

And really being proactive, which this conversation was so good for that. Talking about the things that need to be done that you need to think about before the fact to reduce how much of an issue some of those things can be. Thomas T.J. Johnson, National Leader of Cybersecurity at BDO Digital. I want to thank you for your time. Great conversation, as I said. And a lot of questions I’m sure that people may have after hearing this podcast. So can you direct them to a place or to get in contact with you or to find more information about what we talked about today? 

(Guest: Thomas TJ Johnson)

Sure. Yeah, you can reach me on LinkedIn. I’m Thomas Johnson. You can probably just do a search under Thomas Johnson BDO and I should come up. And you can also email me if you have any questions or want to talk about any of this stuff, even migrating workloads to the cloud or technical controls or even anything on the governance, risk and compliance side. I’d be more than happy to help. My email address is tajohnson at BDO.com. And I’ll be more than happy to talk you through things. And if there’s a way we can help out, we certainly will. And I think it’s another aspect of, really the service provider piece I wanted to make sure you touch on is the fact that we need to make sure that we have our response plans are integrated with our service provider, too. That’s another key aspect that I wanted to at least cover, too. But that’s probably a whole other 20 minute. The next podcast. Right. So you want to have me back? I’ll be more than happy to talk about, you know, incident response and responding with with your vendors and integrating them into your process. 

(Host: Michelle Dawn Mooney)

Well, it was great to have you here, of course, talking about vendor management and cybersecurity. And Thomas, appreciate your time. Once again, great conversation. I’m sure a lot of people are asking some questions. They learned a lot, but they probably want to even learn more. So I appreciate you being here with me today. 

(Guest: Thomas TJ Johnson)

For sure. I appreciate it. Thank you for the opportunity. 

(Host: Michelle Dawn Mooney)

And I want to thank all of you for listening and tuning in to the Hitchhiker’s Guide to IT, a podcast brought to you by Device 42. Of course, you can go to device42.com to learn more information about the company and be sure to subscribe for future podcast episodes. I’m your host, Michelle D’Andrea. Thanks again for joining us. We hope to see you soon.