VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC 2, ISO 27001, HIPAA, GDPR, CPRA, NY SHIELD, Texas HB300 and HITRUST, and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
Compliance Isn’t Enough Anymore—So We Built This
We launch new penetration testing and vulnerability scanning services and explain why passing audits still leaves hidden security risk. We lay out a practical testing cadence, how it maps to HIPAA, SOC 2, and ISO, and how proactive validation builds trust with clients before an attacker forces the lesson.
• compliance versus security, why policies do not stop attacks
• why 2026 attackers scan and exploit automatically
• vulnerability scanning as continuous monitoring with risk scoring and remediation tracking
• penetration testing as manual plus automated ethical hacking
• recommended cadence, monthly scans and annual pen tests
• when to retest, major changes and post-remediation validation
• mapping testing evidence to HIPAA risk analysis, SOC 2 controls, ISO 27001 requirements
• third-party reports for security questionnaires and deal credibility
• one-stop delivery to cut coordination time and reduce scrambling
Welcome And The Big Announcement
Rob: Welcome to the VanRein Compliance Podcast with Rob and Dawn. We help growing teams reduce risks, build trust, and stay audit ready without the overwhelm. You know, Dawn, what if I told you your biggest security risk isn't what you know, it's what you haven't found yet?
Dawn: Wow. And in 2026, attackers aren't guessing anymore. They're scanning, probing, and exploiting automatically.
Rob: Yep, that's true. And today's episode is a big one for us here at VanRein, because we are launching something brand new and exciting at VanRein Compliance: penetration testing and vulnerability scanning.
Dawn: Woohoo! This is a major, yes, this is a major step for VRC and for our clients. We get asked about it all the time. "I need it, I need it. I don't know who can do it." Yeah, it's amazing.
Compliance Versus Real Security
Rob: And what we've seen in the industry is a lot of people have come and gone within the pen testing arena. And this is a big gaping hole for our clients' compliance programs. And it will become a requirement, because HIPAA does happen, as your shirt says, which I love. And we're going to be able to talk today about how we're going to weave penetration testing into your HIPAA, your SOC, or your ISO programs. So let's set the stage, shall we, Dawn? Let's do it. You know, most organizations we work with, they're secure because they've passed our HIPAA audits, or they're working towards a SOC 2 or ISO and have passed those audits, or even HITRUST. We've done that. They've got the policies in place, they've got the procedures in place. But the truth really is this.
Dawn: Wait for it, drum roll.
Rob: Compliance does not equal security.
Dawn: That is key right there.
Rob: Yep. It exactly is. Compliance tells you what should be happening, but this new service is about validating what's actually happening and what you're implementing.
Dawn: Yep. And remember, attackers don't care about your policies. They care about your open doors, how to get in, back doors, front doors, whatever. They just care about getting in.
Rob: Yep. Yep. The side doors, something like side doors.
Dawn: Yes.
Rob: How they're gonna come in the side door and disrupt your basement, your attic.
Dawn: I mean, we can really get, yeah.
Scans And Pen Tests Explained
Rob: And how are they gonna delete your data? Yes. Ransomware is old. It's about deleting. Go back to the Stryker breach a few weeks ago. They deleted the data. There was no ransomware. It's gonna destroy the company. That's what they did. But we're gonna simplify this, because what we've seen in the industry is good vulnerability scans, good penetration tests, but nothing there for the long term. Nothing there to continually test the environment to ensure that it is secure and to ensure that it's properly reported, because you would be held accountable as clients or anybody that's in the compliance space. So our vulnerability scanning equals that continuous monitoring, where we are going to automate vulnerability scans, right? And you're gonna automate penetration tests to a point, but you still have to have that auditor that is certified and compliant, which we have here. Do those monthly, minimum monthly vulnerability scans, and then annual penetration tests. Or if you have a significant change in your environment, you must do a penetration test earlier than that. And the key there is find the known weaknesses. We have to find the weaknesses within the environment.
Dawn: Yep. And then penetration testing equals real world attack simulation. And this is manual and automated. And this is basically ethical hacking, trying to get in, trying to get into your network.
Rob: Yeah, we have an ethical hacker in Benny Cleveland on our team. He's a certified ethical hacker. He may be unethical, but we don't say that. That's his night job. The day job is good. No, we're excited because Benny on our team is a certified ethical hacker. He's also a certified forensic professional. So after a breach or after that incident, he can come in and we can put the pieces together, because you're gonna need, as an investigator at a crime scene, to put that together and help not only insurance companies, but more importantly your clients, understand what happened, and then also your team: what are the steps we need to take. So it's manual plus automated, focusing on the ethical hacking to see who can break in and how we can break in.
Dawn: And the key here is proactive.
Rob: Yes.
Dawn: Because too many people wait, don't do it, and then it's all about being reactive. So we all know about being reactive. Oh my gosh, I gotta hurry up and scramble and do this. If we're proactive and we do your annual pen testing, we do your monthly scanning, you're gonna find all these holes and these gaps, and you're gonna be able to continually work on them and not just be surprised one day that someone got in the back door, you know? So it's all about being proactive. And that's really what our new services are at VanRein. And we've always been this way. We've always been, let's create these policies, let's create all this just in case something happens. So we've always focused that way, but this is now really just in addition to being proactive. This is another proactive service that we can provide to our customers. And yes, Rob was right, HIPAA, it's going to be required. Beginning this year, it's gonna be required. It's not just for our SOC and ISO customers, it's gonna be a requirement.
Why We Built This Service
Rob: It's also required in the security questionnaires that you're gonna get from your clients. If you have mid-tier to larger clients, like if you work with Chrysalis Health or you work with anybody that is large or a Blues association or any of those, they're gonna want that penetration testing. I'm even seeing it down to some of the mid-tier clients. Maybe they have 30, 40, 50 people on their team, but they have quite a bit of exposure. They're gonna want to see that report and they want to see a third party that does that. And being able to put penetration testing and vulnerability scanning right alongside HIPAA, SOC, ISO, HITRUST, NIST, it just complements it so well. Plus, our clients will be able to receive that full VanRein white glove concierge service that you've come to expect from us. And it's all together under one umbrella. That's what we're really, really excited about. Yeah. Within the HIPAA landscape, Dawn did mention it's going to be required next month, May. We expect the final law to be released, and penetration testing and vuln scanning is going to be in there, but it supports that risk analysis and that audit we do. It also identifies real vulnerabilities in your environment, right? What doors are locked, what doors are unlocked that we need to take care of. And then SOC. Dawn, you handle all the SOC and ISO. Why don't you talk about the value of pen testing there?
Dawn: Yeah, I mean, it's a requirement. It strengthens your controls around monitoring and access in SOC 2. And in ISO it aligns directly with your operational security requirements, your security management system. So it is definitely something that your external auditor, the ones that we utilize, will look for.
Rob: Yeah. Yep. And it moves from, like you've said before, paper compliance to proven security. Yay, we have paper. Yay, we have great documents. Yay, we have all these things put together. But are you actually doing it? Right. There's the saying and then there's the doing. So as we kind of move forward here, I wanted to also talk about why we did this. We wanted to expand services to our existing clients. And we know our clients have continued to ask about penetration testing or vuln scanning. But to be transparent, we're getting this thing going. We've already had multiple engagements that are moving forward. We know how to do it. We have Benny as the certified ethical hacker and tester. So we trust him and what he's doing, and how we're gonna frame it. And we're gonna frame it exactly how we produce at VanRein, with detailed audits, the detailed action plan and report, the remediation plan. It kind of goes back to email phishing. About two, three years ago, people said, hey, do you have email phishing? No, we're gonna build it. So we built email phishing. So now this is just another tool in our compliance bag that gives you what you need in penetration testing and vulnerability scanning, and it's entirely intentional what we're doing.
Dawn: Yep. Yep. And you know, we're seeing the same gaps with clients. It's the same question. With HIPAA compliance, we ask it all the time. Is it a requirement? No, but we ask it. It's important. Do you have penetration testing? Do you do vulnerability scanning? Some clients have an IT provider. "Oh, yeah, we do a little bit, light, like a vuln scan light," something like that. And that's fine. It's better than nothing. But we definitely ask about it, and it is important. And clients need to understand what gaps they have. So you're compliant, sure, if you've attested to a lot of the items under a SOC or ISO or HIPAA. But that's the thing: without a pen test, a vuln scan, without some of these other items, you don't know if you're actually secure. You can have all the policies and procedures in place. You could have change management down, you could have "I've got an IT person, your data center is secure." You could have all this stuff, but then you realize that your local network, your VPN, whatever, your remote operators are VPNing in, there's holes. It's open, it's open ports. So you don't actually know if you're actually secure. Having a policy and procedure does not mean you're secure.
Rob: A piece of paper won't stop it. So sorry to tell you that. Well, this just didn't sit right for Dawn and I. Yeah. We're like, this isn't what we want for our clients. This is why we built this offering, and it's already up and running and out the door, and we're excited for it.
Monthly Scans Plus Annual Testing
Dawn: Well, and we saw a need. We had some testers we worked with closely, some friends, some colleagues of ours. And you know what? Sometimes people move on and decide to provide other services and do other things. That's awesome. That's great. But we definitely have to fill that gap. So we looked internally and we're like, how can we build this? So that's why we were excited that we figured out how to build it and what we're gonna do. And we have a plan and we're able to launch this and to provide this. And so we're very excited that we can fill this gap for our customers, for current customers and new customers. Yeah.
Scoping Timing And One Roof
Rob: So this is what it looks like, right? So people are like, well, what does it look like to do a pen test? And we're gonna start actually pairing it alongside HIPAA, SOC, ISO, any other frameworks, NIST, right? Because it complements the overall environment and the program. So the first step is the monthly vuln scans, where we've gone ahead and built an environment to do the vulnerability scans of the endpoints that our clients provide. Endpoints, webhooks, APIs, whatever, right? Those sites. It's continuously ensuring visibility in the environment with risk scoring and remediation tracking. That's where Benny comes in, to be able to put all that together and have that report and go from there. And then next is gonna be annual testing. So we're gonna do one test that's included. And then we're also gonna do a free retest within the first 30 to 45 days, because we find a lot of those items, and then the items need to get resolved, and then we're gonna include a free retest. A lot of people don't do the free retest. I think it's important, because just like we do with our remediation reports that we put into VRC1, clients within that 30 to 40 days are gonna work hard to resolve as much remediation as they can. Same with penetration tests. You need to see those gaps, you need to get those done, close those doors, secure the environment, and then we're gonna come in there and test, and we're gonna include it. Right. Now, five months later, you do a major upgrade or something. That's gonna be a different scope. That'd be a different Sal. But we want to include it up front so that we have those simulated attacks, that real validation, and that executive reporting.
Dawn: Yep. Yeah, and the key is it integrates directly into your existing program, whichever it is: HIPAA, SOC 2, ISO, HITRUST, NIST, AI governance, whatever compliance program or programs you have with us, we're just gonna integrate it right into there. And there are different pricing models and that type of thing. Obviously, it's dependent on your endpoints, your targets, if you will, different ways to say it. So we've got a great scoping document that we'll get from you if you're interested. We'll send the scoping document to you, then we'll get you some pricing and time frames on when we can do it. We realize that a lot of our customers are 24-7. So obviously, it's basically finding out the right timing. Yes. So we will ask you, is Sunday your slow day? Is Tuesday your slow day? I know a lot of you have different days. That's very specific. We will ask you that, because that's important. Other customers, they just want to test their sandbox.
Rob: Yes.
Dawn: Perfectly fine. That's great. Their sandbox is a complete replica of their live environment. Yep. That's perfectly fine too. But we'll get that scoping so we're making sure that we have an understanding of exactly what we're doing. But yeah, it integrates directly with what you have with us. And yeah, we're really excited to be able to offer it. So you don't have to be searching out who can do this, and coordination and all that stuff. It's all going to be under one roof.
Proactive Security Sells Trust
Rob: Yeah, we're already looking. It's probably gonna save about 40% of time between a compliance audit and a penetration test. And that 40% of time is coordination: getting the tester on a line, on a call, right? Or on the Google Meet or the VRC1 meet, whatever meet, putting that together, reviewing all of the endpoints, all the APIs, all the webhooks and all that. We're gonna have all that information internally. You know, we've got Emma on the team that's already putting that together. She's already in the environments, and Benny on the team. So it's just a one-stop shop to make it a better experience for our clients. And what we want our clients and soon-to-be clients to do is change the conversation that you're having with your clients. It's not about yes, we audit with VanRein, yes, we're compliant, yes, we're done, yes, we're good. It's really about changing that and saying we are actively testing our environment. We are being proactive and not reactive. We love to be reactive here. I don't know why. America loves to be reactive. We're the best at reactive. But we know through a lot of the ISO frameworks you need to be proactive, SOC 2 to a point. Even with HIPAA, it was built to be proactive. That's why we do the audits. So we want you to get from being reactive to being proactive and saying, you know what, we are actively testing the environment and getting things dialed in, so that you as a client and soon-to-be client have a stronger security posture, right? Have better audit outcomes and increased credibility so that you can close more deals, keep your revenue going, and be able to help other people knowing that you have the best security in the industry.
Dawn: Yep. Exactly.
Rob: So here's a few of the takeaways, Dawn, as we kind of wrap things up. Yeah, it's new for us. It's new for VanRein, but we know we have the best in the industry with the framework, the people, and the process of VRC1. That's exactly why we're going to market with this.
Dawn: Yep, and it's exactly what our clients need too. They need to have that option. You don't need to call around: who do you use? Nope. We can do it here. So we can stop that, you know. Stop the scrambling going on.
Rob: Only scramble the eggs.
Dawn: Yes, yes, only the eggs, compliance.
Rob: And it gets you going. It gets you going. And when we do a kickoff or we're coming into an audit, you can say, hey, great, we're gonna audit for 30 to 40 days, do your policies, your procedures, your training, and then we're gonna plan the pen test. We're just gonna get it done. It's planned, it's on the calendar, and we're gonna move forward, and you're gonna be able to take that guesswork out of everything you're doing.
Takeaways And Free T Shirt Offer
Dawn: Yep. Yep. No more guessing. You're testing your environment, you know exactly what's going on with it. So you're not guessing. You're not guessing: well, are we doing this right? Is this right? Is this good? Nope. We're testing it, so you'll know. You'll know what your vulnerabilities are. Yep.
Rob: And since we're launching, obviously, a new service here, we've got to have a t-shirt with it or some merch, because that's kind of fun. As Dawn is showing, she has the "HIPAA happens," because it does happen, t-shirt on today. And you know what? If you go ahead and email us at hello at vanreincompliance.com, and you mention that, hey, Rob and Dawn said I need a free t-shirt, we're gonna send you a free t-shirt. We're gonna send you a coupon code. You can go shopping yourself, and we'll give you a free t-shirt. Because we thank all of our great listeners and our great clients. And we only grow because you're here. So if you like and subscribe, and the more you do that, the better the VanRein Compliance Podcast can grow and reach more people on how to protect their legacies and their environments. Absolutely. All right, all right. Well, thank you all. I hope you guys enjoyed the podcast. I think that's a good one, Dawn.
Dawn: It is.
Rob: Alrighty. Bye.
Dawn: Bye bye.