We met Scott at A-LIGN’s office in downtown Tampa a couple of weeks ago. He generously took an hour out of his day to speak to us about the world of compliance and cybersecurity.
Short bio on Scott:
Scott Price is a risk advisory professional who has nearly 20 years of experience. Scott is regarded nationally as a SAS 70/SOC audit resource as he has completed nearly 4,000 SAS 70/SOC audits in his career.
Scott began his career at Arthur Andersen, where he quickly ascended to Manager within the Technology Risk Consulting practice. In the wake of Arthur Andersen’s demise in the Enron scandal, Scott co-founded SAS 70 Solutions as President, the first-ever CPA firm to specialize in performing SAS 70/SSAE 16 audits. After successfully growing SAS 70 Solutions to a national SAS 70 audit firm, Scott joined A-LIGN as a Director to provide a broader risk advisory service offering to companies throughout the world. In Scott’s role as CEO, he focuses on firm strategy, client delivery, and business development efforts.
Roxanne Williams: For the layman, can you explain what A-LIGN does in the compliance world?
Scott Price: We are a professional services firm. When a company wants to have a report compiled on the security of their data, the availability of their system for processing, the privacy of their data, or any other contractual commitment they may have that relates to Information Technology and security or privacy, we come in. It could be something our client wants to tell their board members, their customers, or their consumers. They need to be able to demonstrate their compliance around data security and privacy, with a certain published standard.
At the end of the day, clients hire us to produce a report for internal and external stakeholders that they can use to demonstrate their controls and the operations of their controls around security and privacy of data.
Matt Vaughn: And what about in the cybersecurity realm? Can you give us an overview of your services, testing, and products you offer in order to keep businesses secure?
Scott: As you look at cybersecurity, there’s the lifecycle of it, and then there are points in time from a technical perspective.
The lifecycle is how you identify risks, what policies you have in place to mitigate these risks, how you’re executing on those, and how you’re monitoring to make sure people are doing what they’re supposed to do (I actually tell my kids that I have a job because people don’t do what they’re supposed to do). That’s looking at it from the cybersecurity landscape to say ‘ok, it’s not just a firewall or threat detection’ or whatever it may be – it’s not just one isolated system. It’s ‘let me footprint where my systems are, where my sensitive data is, what vendors are involved in helping me deliver that process, what suppliers do I rely on, and how do I exchange data with my clients and maybe pass it through to the end consumer?’ That’s gonna get me the landscape I should look at, and the policies I should put in place to cover it. How do I handle vendor risk management? How do I handle outsourcing threat detection to somebody else because I know that they’ll do it very well? All those things need to be identified, and then they need to take place.
Then there are technical aspects. That may be something like penetration testing or social engineering – things of that nature. With our ISO 27001 auditing process (International Standard Organization, Information Security Management System), there’s a focus on your holistic approach. It doesn’t say what your password parameters need to be, it doesn’t say what threats you should detect and report on. It talks about what your information security framework should be, how you should assess vendors, where the risks are, what the involvement of the board is. We offer services around the holistic approach of it, and how you should look at it from a risk assessment viewpoint. When you’ve done that, there are pieces that we need to have tested from a technical standpoint – and that’s where our penetration testing and social engineering comes into play.
It could be looking at the application the client has. Is the application hardened? It could be that they’ve assessed a risk that may not be compliant with certain standards – for example, PCI standards around credit card processing. We’ll come in, assess the client, and make sure they’re compliant with PCI standards so they can process credit card transactions, or be involved in the process. Some examples of that could be an application that looks at fraud, an application that sends money across borders, or an application that takes money coming in from other borders and checks it against SWIFT for anti-terrorism (we have some clients that do that). How do they know that their application is doing what it’s supposed to be doing? We will test the application and the controls around it so it’s hitting the OFAC report to prevent money coming in from terrorist organizations into the US.
Those are the types of things we can do to help our clients. There are all of these standards. Some of these standards relate more to risks, policies, their execution, and their monitoring. How an organization does that can be through incident response, or something more high-level, down to the technical capability: our team can look at the network diagram, run tools on the environment, see where the data is, and then hack in to try and get to the data. That’s the technical side of what we offer.
Roxanne: Is your penetration testing a newer offering?
Scott: No – our penetration testing has been around for a while. Every PCI engagement requires that you have a penetration test performed, so when we started offering PCI (Payment Card Industry) compliance services back in 2011, we actually outsourced our penetration testing work. However, we wanted to bring penetration testing in-house due to the service level of the outsourced workers.
In this space, I call it the ‘God complex.’ People come in as auditors and they want to take the IRS approach to technical auditing. They want to come in and say ‘it’s gotta be this way’ and ‘this is what the standard says’ and that’s it. They take a very aggressive approach to it instead of looking at risk, looking at what the organization does, and applying that to determine what the best approach for the client base is.
We have over 1,800 clients, and they all want to do the right thing. I haven’t run into a single client that has basically said ‘no, we want to commit fraud, we want to be the worst organization ever, and we want you to do our audit.’ Maybe it’s the process where they decide ‘I want to work with A-LIGN’ and we decide we want to work with them, so we screen them to make sure they want to do the right thing and they care about securing data, keeping customer data private, and reporting on things when they do go awry.
With that being said, we’re more of a consultative nature, so that’s one of the reasons why we brought penetration testing in-house. The penetration testers were like ‘ok we’ve got this CDE (Cardholder Data Environment), this is where the card data is, our job is to – per the standards – ensure the environment is secure by having a penetration test done on it.’ So we started there. That was the first bit of our penetration testers.
Then, with everything going around with Tampa as far as USF’s Cybersecurity degrees, or FSU’s Cybersecurity clubs, we started bringing penetration testers in right out of college. In the past, you’d never do that. You’d hire experienced penetration testers. But we found that the programs were teaching them much more, with all the new techniques. The bad guys are getting badder, so our good guys need to get better all the time.
Matt: It’s great that they’re teaching these specialized programs to get kids experience, certifications, and all the necessary things they need to get the foundation for it.
Scott: Exactly! Versus, in the past, it was someone who was a Network Administrator who sort of fell into it, without formal education, with no capture-the-flag programs that they put on.
For us, it became much broader. Not just PCI-related. People said ‘I want to know what’s going on because I outsourced a lot of my environment somewhere else.’ If you think about it, you can spin up a company with only 3 employees by outsourcing your environment to GCP, AWS, Azure, or wherever else. You can outsource your development offshore. You can outsource your firewall administration to somebody else. So essentially, at the end of the day, you have somebody who can sell, someone that does accounting, and a CEO – and that could be the company. Think about it – are all these people doing what they need to be doing? Because you’ve put all these third-party vendors together, and now you need to get them assessed. We can assess them technically, as well as from a procedural standpoint.
Penetration testing has been great, but the social engineering has been even better. Clients will engage us to make calls into their environment to try to get data about individuals and about the environment itself. We also will send emails. One of the best ones we did was with our client that had a bar / restaurant on the bottom floor of their building. We spoofed an email: it came ‘from the bar’ and it basically said ‘hey, here’s a coupon, fill out this form and get the coupon.’ A bunch of employees filled it out. Then for everyone that didn’t fill it out, we spammed them again 5 minutes later, so then people were like ‘oh jeez I want to opt out of this’ and they clicked the opt out link – so that got them too!
Matt: Double trap!
Scott: Oh yeah. So that was really neat. This idea came from recent college graduates – it came from them because those are the types of things they’ve thought about. Like ‘hey if this came from the bar downstairs they’d click on it.’ Another thing is, social engineering is great because if you say something like ‘to receive your health insurance benefits, you need to go to this website and enter your information because we’re switching plans,’ we get people that way too. Any time you’re messing with someone’s benefits and spoofing emails, you can get their data really quickly.
People hire us and their subordinates say ‘we’re never gonna fall for that.’ We had a guy say that and we got all his IDs and passwords to the company’s production databases.
Matt: Do you guys ever do it internally?
Scott: So we do run penetration tests. We have our own internal application that we developed in-house to help us with our audits. We do social engineering as well. With the recent news about our investment from FTV Capital, they said ‘well maybe you should try this on us as well.’ It was good. It tightens everybody up. They were already proactively doing it every year, but we did it as well – and of course, it’s almost like picking on your brother or sister. You want to make sure you really get them, so you make it even harder when you compete with them.
Matt: I was at a meetup with the guys from Abacode. The manager was talking about how they do theirs internally and he was like ‘I’ll never get beat.’ He got beat. He told the story: he was spoofed by an email from their domain, like ‘email@example.com’ but it was a ‘cl’ instead of a ‘d’ so it looked similar and he didn’t catch it. He was like ‘alright, guess I’m not above it.’
Scott: Yeah, no doubt about it. At the end of the day, you can have all the technical controls you want, but it’s the human element. With a lot of our clients, we help them with some of the training specific to the standards we have. You talk about the Tampa environment – that’s why companies like KnowBe4 have grown so much. It’s because of the fact that they help with that type of training. The human element, at the end of the day, is the last line of defense.
Roxanne: You just mentioned FTV Capital. Considering A-LIGN recently nabbed a $54.5 million investment from them, what does it mean for you guys? What will you focus on improving?
Scott: I think the funding provides validation, brand awareness, and the ability to utilize those funds to improve service for our current clients, and improve our A-SCEND platform. I’ll walk through what I mean in greater detail.
When you bootstrap an organization, especially professional services, from nothing to $32 million in revenue and 180 employees… One of the things we started doing was we started hiring from college campuses about 3 years ago. We put those people on training programs where they’re only learning and running through simulations. I think it was a $1.9 million investment last year for our company. We were at $22 million last year – so almost 10% of our revenue was spent on costs related to training these people to then send them out to our clients.
This funding will allow us to have the financial capability to hire more college grads and provide more in-depth training programs – because now we have the funds to be able to weather those types of investments, rather than the bank of Price and Geiger, which is not as fruitful.
Matt: It seems like Tara was at a different college every week at that point.
Scott: Oh yeah! We were. We’re up to 5 colleges that we go to now, and we’re searching all over the country to meet the demand, as you guys have seen. The cybersecurity unemployment number is negative.
Matt: Especially in Tampa.
Scott: I think the community is doing a lot to augment that as well. Whether it’s Vinik’s hub (Embarc Collective), the Tampa Bay Wave, what they’re doing at USF – all those things are moving the needle a little bit. That’s helping employers like us want to stay here – because we’re finding that talent level by making this a tech hub. Out of our 180 employees, about 65 are based in Tampa, which is good, for both Tampa and for us. The FTV Capital investment is going to allow us to look at our employee base further.
The other piece of it is, in the past, regulations come down and then we train up on it and service our clients. This funding allows us to be a bit more anticipatory of all the regulations that are out there and getting us trained up on them. We’ll be ready to go and able to anticipate our clients’ needs instead of being reactive. I’ve said we’re always good about helping our clients fly through the storm, but I think this is going to allow us to build more infrastructure so we can fly the plane around the storm. We’re going to know what’s out there and we’ll be able to take time, sit back, and see it, versus being in it all the time.
For the brand awareness side of it: FTV invested in Trustwave, which is one of the leaders in PCI and Managed Security Services. They got into Trustwave at about the same time as they got into us, from a revenue perspective, and they had a great exit with Trustwave because they were able to do acquisitions globally, and guide them as well. As you look at the validation piece of it, we are continuing to move upstream in our client base as well, so we’re given more opportunities and engagements for larger clients at the enterprise level. We can call FTV and say ‘hey, do you know someone at this organization?’ and they can say ‘yeah, we can call over there and talk about why we made the investment in A-LIGN and why you’d make a great partner for them’ and that has proved very fruitful for us. So that’s nice.
The third piece is our A-SCEND platform. Our A-SCEND tool allows us to auto-eliminate a lot of the documentation requests associated with providing multiple compliance initiatives to an organization. What that means in layman’s terms is: if you have any healthcare data, you’ll have a HIPAA need. And then if you’re processing transactions and dealing with security of data, you’ll probably have a SOC 2 need. There are only a few of us in the country that can do all these audits. Typically, what happens is you send over an Excel spreadsheet that has all the documentation requirements, and you look at it and go ‘yeah I already gave that to them.’ Our application has everything online. It auto-eliminates all those requests. It allows the user to delegate down in the organization to the folks who will be able to handle the tasks. It rolls back up, saves their data, and allows you to comment on it.
What we want our application to be, eventually, is a central hub for our clients’ Governance, Risk, and Compliance needs. So not only does the platform have all their controls in there, but our testing is in there, our reporting is in there, and they can send their stakeholders to the site to pull the reports down. Regulation is not going away. With GDPR, with the California privacy laws, those are going to continue to happen. The goal for our application and what we’re building a roadmap towards is, when a customer is asked by one of their clients about a compliance need, they can basically press a button – because we have their controls already – and look at the gaps associated with getting there. And they can make a business decision on whether or not they want to take on that client, because that client is going to cause them to have additional controls in place. Are those controls going to outweigh the risk? Or are those controls going to cause problems in their environment that they don’t want to have? Versus a sales guy saying ‘sure we’ll comply with that, sign on the dotted line!’ They hire us to do the gap analysis and they go ‘oh my gosh it’s an extra $50,000 for us to comply with this.’ We would have built that into the contract.
This investment is also going to allow us to have development staff. We’re a professional services firm, but we’re building a DevOps shop within us with this application. Some of the exciting technology is we’ll be able to start pulling log data out of our clients’ environments. Rather than them having to upload the data themselves, we’ll pull that log data out so we can do more continuous auditing so it’s not such a point-in-time process. A penetration test is a point-in-time process, but how do we continuously monitor what we’re doing? If we can pull log data out and run it through AI to be able to say ‘you’re in compliance’ or ‘no you’re not,’ that will allow our clients to proactively remediate. We might still have to report it to the end user, but they can remediate quicker.
Matt: You mentioned some of the things you liked that people are progressively doing in the area, like Embarc Collective, The Wave, etc. With you guys obtaining funding, are there any talks with the bank of Price and Geiger to, in the future, invest in startups in Tampa?
Scott: Definitely. I think the first thing we’ll be able to work on with these organizations is mentoring. From being a bootstrapped startup in late 2009 to when we got the equity investment from FTV in 2018, what was our path? What are the mistakes we made that we could help guide them on? Look at where we were even 3 short years ago. We have competencies and are offering services that we didn’t even imagine 3 years ago. These companies have to anticipate that as well – and you don’t anticipate it by figuring out exactly what that new tech is going to be. You figure it out by having good people who know your culture and are competent and well-trained. So I think our first piece for our involvement is going to be mentoring these other companies and CEOs. I had breakfast with Linda Olson just a couple weeks ago about us becoming more involved in the Wave with mentoring these CEOs by setting up cybersecurity roundtables, things like that.
The more lights we can shine on Tampa, the more it’ll bring the value of all our companies up. I’m a firm believer that rising tides lift all ships, so let’s continue to do that in the community. I think at some point, we would reinvest our dollars locally. We’re not yet at a point financially where the bank of Price and Geiger can do that, but what we can give is our time to mentor these folks. You’re not born a samurai sword maker. You learned from a guy who learned from a guy who learned from a guy. That’s the same thing with us – and that’s what we want to impart on a going-forward basis.
It was interesting. As we went into our process with FTV, the number of PE firms and investment bankers that were coming to Tampa from all over the country, they would call me and say ‘hey I’m coming to Tampa next week.’ There was a lot of activity here that I didn’t realize was going on with firms and bankers. It would be great for the dollars to be in Tampa, but we have to start somewhere with the dollars coming here and then those people staying here with those dollars to reinvest in Tampa as well.
Roxanne: You’ve been in compliance for nearly 20 years. Is there a particular situation – and you don’t need to give specifics on client, obviously – that stands out as a complete success or complete failure?
Scott: Most interactions we have are of the ‘everything is on fire’ type. It’s not because someone intentionally said ‘I want to light it on fire’ – it’s just not the first thing people focus on. They focus on building revenue. I always tell our clients that we’re here to take the burden of compliance on us to let them focus on revenue, because if they don’t have revenue, they can’t pay us. Most of our 1,800 clients are in the SMB space, so $500 million or less in revenue. Many of them are 0-200 employees. We also have clients that are startups with 3-5 people. They all start off with their hair on fire because that’s not what they think of first. They just think ‘let me keep the system up and running, let me add these enhancements so I can get these clients,’ and then their one big client goes ‘oh my gosh, I need to have this control in place’ and that’s where we get involved.
We go through audits the first time, and over two thirds of our clients have never been through anything like this before. And we’ve retained 94% of them. So clearly we’re good about not letting their hair burn completely off! Everyone says they have great people, but being a CPA, I say you have to look at the numbers. If you’re bringing two thirds of these people in and you tell them you’re going to give them a voluntary root canal that they’re going to pay for and you retain 94% of them, you know you’re doing something right.
The last 20 years has shown me that people want to do the right thing. We have a whole mountain theme here – climbing up the mountain. If we can just help people keep climbing that mountain, that’s what we care about. We’re not just a necessary evil. We’re hooked into you and we help you up the mountain.
Roxanne: Your Ultimate Cyber Defense Guide whitepaper had some really great information in it, and I’ll be linking it so that people can download it. Can you give a TL;DR of some simple things people can do to protect themselves and their businesses?
Scott: Cybersecurity Awareness Month is the month of October and it’s a really big deal. I think we’re going to be able to get on a few television casts that month. We’re going to simulate both a phishing attack, and a hooking up to Starbucks WiFi attack.
I think that, as far as individuals, the biggest thing is, think about when you’re at work. You get hassled to change your passwords. When’s the last time you changed your Bank of America or Wells Fargo password? Probably not that often. Clearly you want to have very strong passwords, but more importantly, you want to rotate them. Where you’re not forced to change passwords, make a concerted effort to change them.
It’s also things like going to Starbucks and using their free WiFi. It’s what you’re doing on that WiFi, and how you’re exposing your environment to it. One of our clients, Digital Hands, was demonstrating their security operations center and I asked a question, because I wanted to get their thoughts on it: are the threats becoming different and are the attack vectors becoming different? And they said if companies did exactly what they’re supposed to do with patching, updating, and things of that nature, for these known vulnerabilities, they would solve a lot of problems. And that’s the truth. If companies looked at the patches that come out to fix vulnerabilities that were identified by the manufacturer and then stayed up-to-date on them and consistently applied them fully, it would cover a lot of the problems that they could run into. That’s extremely important from a business standpoint.
Then there’s making sure that the vendors involved in your processes have good vendor risk management and assessments. What have those folks gone through on the business side to ensure they’ve mitigated the risks they could pose to organizations that outsource their Office 365 or Datacenter or Cloud?
Roxanne: I’m glad you brought up vendor risk management. Personally, I don’t think I would have ever thought about that.
Scott: People don’t understand where their data is. They think ‘ok, I’ve outsourced my data services to ABC Company.’ They don’t realize that ABC Company has outsourced their datacenter services to XYZ Company. Knowing where your data is, in the footprint of it, is huge.
Matt: What’s the company culture like? What makes working at A-LIGN great?
Scott: Culture is the biggest thing. We have a remote workforce, so how do you keep them engaged? We utilize a few techniques.
We have a monthly conference call where we’re very transparent about the finances of the company and where revenue is at. We want everyone to feel like they’ve won together. We walk through our new clients and where they came from. We also have 5 minutes to brag on that conference call, so every email we got from clients that were really happy, we share. People get recognized in front of their peers that way. Then we open the floor for other people to brag about each other.
We also have our monthly value recognitions. We have 4 values, as a company, and we have value t-shirts. So an employee can recognize another employee for one of our 4 values, which are: do the right thing, always; innovate constantly; commit to quality; be all in. If employees demonstrate those things, they can get a t-shirt for it.
One of the best things that we do (think about our employee growth, where we’re at, and the fact that we still do this, which is crazy given our size) is that we have our annual training event called Climb. Climb is where we bring our employees from all across the country (and their significant others) to the conference location. We also invite them to bring their families as well. We don’t pay for their families to travel there, but as I always say, I’ll feed them and house them when they get there. It’s an opportunity for our employees to come together once a year. It might be the only time someone sees someone from a different team or different part of the country.
Every year, we have a different theme. Last year’s theme was Altitude, as we continue to grow. We went over things that could affect our ability to succeed, competition, collaboration, and competency. This year’s theme was Focus, and it was talking about what we can do individually to focus better on a certain thing, maybe in our personal life, and how we can extrapolate that to our professional life. Talking about focus and why it’s important for us to focus on our clients, and focus on our people. So that’s a huge event. We actually had 286 total people this year between employees, spouses, guests, and children. Next year, for our 10th anniversary, we’re holding it at the Gaylord Rockies in Denver, because we have a pretty good presence in Denver and we’re opening an office there. We’re going to have 450 people there, most likely, between employees and their guests. We have family night with photobooths and caricature artists. We always do a ‘give back’ event because we’re all together. In 2018, we packed backpacks for needy children in Orlando that were at-risk youths. We donated the money for backpacks and filled them with school supplies, so that was really neat. The year before, we built green machines for Big Brothers and Big Sisters, which was awesome because we got to test them out. Riding around in big wheels at the Four Seasons was pretty funny!
The culture is really important for me. One of the things we did this year was value awards. Employees nominated other employees for a value award, and they wrote out why they demonstrated that value. Then we got together as a committee and selected one person from each of those categories, which was great, because the employees felt heard. We had 89 submissions and last year we only had 150 employees – so over half of the employees were recognized by their peers for an award.
Every quarter, we get our entire leadership team together from around the country. They come to Tampa and they take leadership development training programs. Our people are great technically, but we want them to become better leaders so they can engage the level below them and have them come up as well. It continues to create opportunities for leaders, given our growth. I think those types of things create the culture that we have.
Matt: Who is a person and/or an organization that you think is doing something right and innovative in the area, outside of A-LIGN? And why?
Scott: I think someone who has done amazing things for our community is Tony DiBenedetto and what he’s done at Tribridge. He talked about The Wave, mentorship, things like that. Tony provided me mentorship as well, and to hundreds of others. I know he’s been recognized a lot for what he’s done in our community, but he’s definitely somebody who deserves that.
Within our cybersecurity space, I’d say Brian Murphy at ReliaQuest. Amazing, what he does on the board of Junior Achievement of Tampa Bay. He brought ReliaQuest to the storefronts, opening the first of their kind simulated cybersecurity storefront. Brian Murphy has been an outstanding role model for what’s going on in Tampa, giving back to the community, and working with universities. You look at the growth he’s had with his company… I look up to him as a role model for how to be a great CEO.
Roxanne: You recently made the Inc. 5000 list for the 2nd consecutive year, coming in at #1065. You had previously ranked #1590. Your three year growth clocked in at a shockingly-impressive 465%. To what do you attribute this growth?
Scott: It is pretty amazing. There are other companies who have done it as well, like AgileThought – I think they’ve done it for 9 or 10 years now. For us, it’s a whole lifecycle approach. The experience that Sales gives our clients at the beginning – the responsiveness, the thought leadership – is the same through the entire process at our firm. Why are we growing? It’s because the entire lifecycle of our clients and who they interact with is a similar process from start to finish. The eagerness they get at the time of the sale is the same eagerness they feel at service delivery. Everybody is rowing in the same direction and at the same speed. That’s been huge for us.
Roxanne: I’ve read your blog and seen some posts devoted to cryptocurrency. Do you have any clients who work with crypto? How has blockchain impacted your business in regards to compliance and security?
Scott: We do have some clients involved in crypto. I think it’s something that has applicability in certain marketplaces. I don’t know at what point we’ll see the adoption that many people thought we would see with it, but it’s coming.
Regarding blockchain, it’s something we are very focused on. Think about the compliance market – it’s so driven by what our clients need. We’re not building new technology to move something forward, it’s focused on compliance initiatives and what we can do to achieve them. When I think about the blockchain environment in continuous auditing and setting up a public or private node where you have record-keeping in place, it’s going to be able to add more credibility to an audit. Many of our audits are ‘reasonable assurance,’ and you would think that the definition of assurance is only going to improve. That’s what people want: they want more real-time reporting, better assurance on the numbers or the transactions, and the security being accurate. I think blockchain will move us in a direction where we’ll be able to provide more assurance about these types of things, and test not just a sample, but all of the transactions.
I’m on the board of an organization, Auditchain, which is focused on blockchain and its involvement in the auditing world, so we clearly think it’s something that we need to focus on.
Matt: Any further thoughts or insights you’d like to share? Anything exciting coming down the pipeline for A-LIGN?
Scott: Every day is exciting! I tell people we don’t sell black and white TVs – the industry is constantly changing. That’s the enjoyable part.
As your cybersecurity and compliance firm, A-LIGN specializes in helping you navigate the scope and complexity of your specific security needs. A-LIGN offers comprehensive expertise and consulting for every set of compliance objectives and makes your specific path their priority.