CSO SPOTLIGHT

Navigating the complex world of cybersecurity is nothing new for Andy Larin, CEO of AllCare IT  

Can you briefly describe your role and responsibilities as a CSO?  

Setting a “security-first culture” in our organization as well as with our clients.  Choosing frameworks and software, policies and procedures that all help align to those frameworks.  

  

What motivated you to pursue a career in cybersecurity?    

It feels like cybersecurity chose me.  I started my business in 1996. At that time, it was mostly building computers and break/fix work.  As the industry changed, I learned to change with it.  There was no more profit in building computers; however, cybercriminals were becoming increasingly prevalent, and it became clear that offering IT Support for businesses without cybersecurity was like selling a car without airbags, seatbelts, or brakes. The bonus in all of this is how much I love cybersecurity.  I enjoy being challenged and that is never lacking in this field.  It means a lot to me to be able to protect business owners from experiencing the pain of an incident.

 

Industry-Specific Challenges 

What are some of the unique cybersecurity challenges faced by clients you service?    

Budget is almost always a challenge.  Our clients want to be secure, but security is not cheap.  They are faced with a tricky game of balancing budgetary concerns with business risk.  The challenge for me is to properly educate my clients on the risks.  You’re dealing with a world of “what ifs”.  I have no way of knowing how or when they will be attacked.

The environment in Canada is a little different from the US because we have a lack of compliance regulations. I believe they are coming, but they’re not here yet.  The challenge is if no one is telling organizations what security they must have in place, it’s the wild west.  So having these strategic conversations with businesses who do not understand how cybersecurity affects their business can be difficult.  

  

How do regulatory requirements impact your security strategies and practices?  

We’re seeing CMMC starting to be required for Canadian manufacturers who do business with the DND.   

We work with many businesses who either have a Cyber insurance policy or want one.  We review their current policy for them and are able to provide recommendations to bring what they testified was accurate into alignment with their current security.    

If a client is in the process of getting a policy, we help them go through the process to ensure they fully understand the questions on the application forms (these can be very ambiguous) and help them set securities in place that allow them to procure a good price on their policy.  

 

Using Compliance Platforms as a vCSO  

Can you explain why a compliance platform is crucial for your clients?  

A compliance platform takes a very complex job and simplifies it.  You can cross map between different compliances that the organization needs to adhere to.  It greatly simplifies the evidence collection process and makes it easy to track progress and make continual improvements.  I love using a third-party compliance partner because you can’t check your own work.    

  

How does your compliance platform help your clients collect evidence and maintain audit trails?  

Things change for one reason or another.  Whether it’s human error or software, regular checks for technical drift are crucial.  Compliance services enable constant scanning that monitors any drift and allows us to get it quickly back in line.  Reports are compiled and kept so that if the need ever arose, we could prove that all security was in place.  This protects both AllCare IT and our clients.

  

What are the most important features you look for in a compliance platform for your clients?  

The quality of their team is extremely important.  They need to be highly competent and ready to help my team.  Ease of use is also a factor.  

  

Success Factors 

What strategies or practices have contributed most to your success as a CSO?  

Most important is to surround myself with people who are smarter than I am.  I learn so much from other amazing business owners and cybersecurity professionals.  The more I learn, the more I realize what I didn’t know.  This field is massive and there’s so much to learn.  

That is one way I keep up to date on cyber-trends.  The other important factor is always reading and learning and listening.  The cybersecurity world changes at an extremely fast pace.  To keep our clients protected against emerging threats, it’s critical that I am on top of these changes and know how to respond.  

When building our security stack and compliance services, it’s important to choose best-in-breed tools and partners.  I trust these partners to continue to educate me and help me keep my clients safe.  

  

Can you share an example of a significant challenge you faced and how you overcame it?  

I’m naturally good at IT and Cybersecurity, but there are aspects of running a business that don’t come naturally to me.  For example, I love to do things myself, but to teach others, delegate and lead them is something that doesn’t come easily to me.    

“The Law of the Lid” by John Maxwell really struck me.  It states that a person's leadership ability is the lid on their overall effectiveness. So, the level of a leader's competence directly limits how successful they and their organization can be. If a leader's ability is strong, the organization can achieve greater success, but if their leadership ability is weak, it caps the potential of the entire team or business.  

For example, if a leader is a "6" on a scale of 1-10, their organization's effectiveness will not surpass that level. To improve the performance of a team or company, the leader must first raise their own leadership abilities.  I’m still working on this, but to be a good leader, I need to keep learning from great leaders and applying what I learn.    

Another aspect that I struggle with in business is staying organized.  Our company is implementing Traction EOS to help all of us (especially me) stay focused and on track with our top priorities. I’m excited to see our growth with this new tool.  

Best Practices

What best practices do you follow to ensure your organization remains compliant with regulations?  

We follow frameworks and standards such as NIST CSF, CIS (Center for Internet Security), PCI v4, and Canadian Standards such as PIPEDA, PHIPA and others dependent on the industry of our client.  Frameworks are great, but they often take a long time to change and keep up.  Cyber Insurance though is run by private companies who change their requirements quickly and as often as required to keep up to date with emerging cyber trends.  We also monitor changes to MITRE ATT&CK and the Cyber Kill Chain.  

  

How do you stay updated with the latest compliance and security trends your clients need?  

I read a lot!  Blogs, Podcasts, Webinars, Conferences, Industry Leaders, and Peer Groups that we belong to all keep me in the know.  Our team also has a culture of sharing internally so my team shares what they find as well.  

  

Future Trends 

What emerging trends or technologies do you think will impact cybersecurity for your clients?  

AI of course.  Deciphering a malicious email is no longer an easy task.  All the tell-tale signs have been removed with the use of AI.  What used to be bad grammar and graphics that were out of place are no longer the case; they are generally picture perfect, so it takes AI tools to fight the AI that the bad guys use.

Another trend is Deep Fakes with voice and video. This will be a constant social engineering issue in the future. 

Automated attacks.  We’re seeing clients being signed up for thousands of accounts or services all at once. 

Zero Trust is going to become more needed.  Verification will be needed constantly.  

  

How are you preparing for these changes in your role?  

I need to be knowledgeable about what tools are out there to counteract these threats, and how we can educate our clients on the risks they face. 

  

Advice for Peers  

What advice would you give to other CSOs or cybersecurity professionals?  

A real thirst to learn is essential, as well as humility.  If you think you know everything, you don’t know very much!  Surround yourself with industry leaders as much as possible and share with others as well.  This community is a joy to be a part of.  

  

How can smaller firms or those new to the industry benefit from advanced compliance platforms?  

By choosing a platform with a provider you trust, they will help guide you.  You will never have enough time for everything, so you’ll need to rely on these partners heavily.  They will help you understand how to talk to your clients about compliance without getting technical by talking about business risk rather than talking about tech and tools.    

  

Personal Insights  

What has been the most rewarding aspect of your work as a CSO?  

I really love people, and I enjoy helping business owners navigate the dangerous world of cybersecurity.  I enjoy educating others on a topic I am so passionate about.  I find it incredibly rewarding when we are able to stop a business from being breached and having their data leaked, which could damage the business in a way they might not recover from.  Or helping businesses recover from what could have been a catastrophic event.  

  

How do you balance the need for rigorous security measures with operational efficiency?  

It’s always a balancing act!  Convenience vs. Security is a constant battle. If something is convenient, it’s not secure.  At the same time, too much security is impractical, causing too many hoops for users to jump through.  I tend to lean toward security over convenience but ultimately the client is the risk owner, so my job is to lay out the risk and educate them to make a good decision.  

“I enjoy being challenged and that is never lacking in this field.  It means a lot to me to be able to protect business owners from experiencing the pain of an incident.”

-Andy Larin, CEO, AllCare IT

Learn more at andylarin.com