We interviewed Rick Folkerts, Principal Security Analyst at Truvantis. Rick is a specialist in governance, risk and compliance, including data privacy. We asked him about his experience and approach to helping organizations of all sizes and types with a wide range of security challenges and goals. He also shared with us his personal security journey as well as what it’s like working at Truvantis.
Q: How do you change your approach based on the type of client?
A: A lot of it is dependent upon industry. For instance, I ask a health care organization completely different questions than a financial organization which is different than a sports team, and so on. Each has unique data that’s important to them.
A publicly traded financial organization is generally going to have established security and compliance practices in place.
If they're a startup, they're not going to have that requirement yet. They usually have specific goals and a lot of the things that make them special. Often, they haven't thought about security yet except for the very basics.
With a younger company we usually apply a framework like CIS, take a very good foundational look and start fairly basic and simple. CIS has three different implementation groups, and the first implementation group gives you the basic modicum of security. It also starts you on what I call a maturity journey. Maybe you'll get IG1 knocked out in the first year after we take a look, then we come back, assess the weak points and move on to IG2, and maybe six months to a year later look at IG3. They kind of build on each other.
Q: You work on different types of projects for all different types of clients. How does your process differ for each client, for example, a medical client, or health-tech client, or professional sports?
A: It's scope and their main mission. If they’re a sports team, what exactly do they need to do? Are we testing the building, are we doing their full security suite, or are we just making sure that they're compliant with a framework like PCI DSS for their jersey and ticket sales?
Whereas with health care, you're dealing with patient information. Maybe you're dealing with two clinics, maybe you have 27 clinics or maybe you're a huge HMO or a small clinic within the HMO.
I usually go in somewhat blind. You know, you just heard of a company, kind of what they do and what they're doing. And then you start pulling on threads and find out their weaknesses. You see all kinds of weird stuff. It’s actually one of the fun parts of what I do.
Q: What's the most exciting thing that you've seen on a defender front?
A: What William does. It's fun to watch him take apart a network and decide where those vulnerabilities are and then what I can do on the front end to help them.
When I see somebody that has a particular skill that I don't have, it's fun to watch him do it.
Q: How would you explain a complex technical issue to a client?
A: We have to know the client to start with. Are they complex technical people? Because sometimes I'm not even complex and technical enough for what they need.
You avoid using jargon and avoid specific technical terms. You just say this is what should be happening, this is what's not happening in plain English.
Q: What makes you unique? Describe your professional journey or the defining moment in your career that brought you here to Truvantis.
A: There's a thousand moments, right? I've done a lot of different things during my T.O.E. I joined the military at a very young age and worked on things like …
A flexible vCISO service can give you the same level of expertise as an in-house security team and can be a permanent, safe, and cost-effective solution. Truvantis offers world-class vCISO services customized to the scope and objectives of your organization. Buy the services you need when you need them without the overhead of a full-time in-house staff.
Contact Truvantis now for a vCISO consultation.
Truvantis is a cybersecurity consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security, privacy and compliance programs. We specialize in helping our clients improve their cybersecurity posture through practical, effective, and actionable programs – balancing security, technology, business impact and organizational risk appetite.
Rick Folkerts, CISSP, CRISC, CDPSE, PCI QSA, is a Principal Security Analyst specializing in Governance, Risk and Compliance, including Data Privacy.
He has implemented security, risk management, and privacy systems; developed information security, PCI DSS, and privacy training; and authored and implemented policies and procedures across the whole spectrum of information security.