We met Scott Price of A-LIGN in his downtown Tampa Office a couple of weeks ago. He generously took an hour out of his day to speak to us about the world of compliance and cybersecurity.
Scott Price is a risk advisory professional who has nearly 20 years of experience. Scott is regarded nationally as a SAS 70/SOC audit resource as he has completed nearly 4,000 SAS 70/SOC audits in his career.
He began his career at Arthur Andersen, where he quickly ascended to Manager within the Technology Risk Consulting practice. In the wake of Arthur Andersen’s demise in the Enron scandal, Scott co-founded SAS 70 Solutions as President, the first-ever CPA firm to specialize in performing SAS 70/SSAE 16 audits. After successfully growing SAS 70 Solutions to a national SAS 70 audit firm, Scott joined A-LIGN as a Director to provide a broader risk advisory service offering to companies throughout the world. In Scott’s role as CEO, he focuses on firm strategy, client delivery, and business development efforts.
What is A-LIGN?
Roxanne Williams: For the layman, can you explain what A-LIGN does in the compliance world?
Scott Price: We are a professional services firm. When a company wants to have a report compiled on the security of their data, the availability of their system for processing, the privacy of their data, or any other contractual commitment they may have that relates to Information Technology and security or privacy, we come in. It could be something our client wants to tell their board members, customers, or consumers. They need to be able to demonstrate their compliance around data security and privacy, with a certain published standard.
At the end of the day, clients hire us to produce a report for internal and external stakeholders that they can use to demonstrate their controls and the operations of their controls around security and privacy of data.
What does A-LIGN offer for cybersecurity?
Matt Vaughn: And what about in the cybersecurity realm? Can you give us an overview services, testing, and products you offer in order to keep businesses secure?
Scott: As you look at cybersecurity, there’s the lifecycle of it, and then there are points in time from a technical perspective.
The lifecycle is how you identify risks, what policies you have in place to mitigate these risks, how you’re executing on those, and how you’re monitoring to make sure people are doing what they’re supposed to do. I actually tell my kids that I have a job because people don’t do what they’re supposed to do. That’s looking at it from the cybersecurity landscape to say, “Ok, it’s not just a firewall or threat detection.”
It’s not just one isolated system. It’s ‘let me footprint where my systems are, where my sensitive data is, what vendors are involved in helping me deliver that process, what suppliers do I rely on, and how I exchange data with my clients and maybe pass it through to the end consumer?’ That’s gonna get me the landscape I should look at, and the policies I should put in place to cover it. How do I handle vendor risk management? And, how do I handle outsourcing threat detection to somebody else because they’ll do it very well? All those things need to be identified, and then they need to take place.
Then there are technical aspects. That may be something like penetration testing or social engineering – things of that nature. With our ISO 27001 auditing process, there’s a focus on your holistic approach. It doesn’t say what your password parameters need to be, or what threats you should detect and report on. Instead, it talks about what your information security framework should be, how you should assess vendors, where the risks are, what the involvement of the board is. We offer services around the holistic approach of it, and how you should look at it from a risk assessment viewpoint.
When you’ve done that, there are pieces that we need to have tested from a technical standpoint. That’s where our penetration testing and social engineering comes into play.
It could be looking at the application the client has. Is the application hardened? It could be that they’ve assessed a risk that may not be compliant with certain standards. For example, PCI standards around credit card processing. We’ll come in, assess the client, and make sure they’re compliant with PCI standards so they can process credit card transactions, or be involved in the process.
For example, an application that looks at fraud, an application that sends money across borders, or an application that takes money coming in from other borders and checks it against SWIFT for anti-terrorism (we have some clients that do that). How do they know that their application is doing what it’s supposed to be doing? We will test the application and the controls around it so it’s hitting the OFAC report to prevent money coming in from terrorist organizations into the US.
Those are the types of things we can do to help our clients. There are all of these standards. Some of these standards relate more to risks, policies, their execution, and their monitoring. How an organization does that can be through incident response, or something more high-level, down to the technical capability. Our team can look at the network diagram, run tools on the environment, see where the data is, and then hack in to try and get to the data. That’s the technical side of what we offer.
On penetration testing
Roxanne: Is your penetration testing a newer offering?
Scott: No. We’ve offered penetration testing for a while. Every PCI engagement requires that you have a penetration test performed. When we started offering PCI (Payment Card Industry) compliance services back in 2011, we actually outsourced our penetration testing work. However, we wanted to bring penetration testing in-house due to the service level of the outsourced workers.
In this space, I call it the God complex. People come in as auditors and they want to take the IRS approach to technical auditing. They want to come in and say, “It has to be this way” and “This is what the standard says” and that’s it. In essence, they take a very aggressive approach to it instead of looking at risk, what the organization does, and applying that to determine what the best approach for the client is.
We have over 1,800 clients, and they all want to do the right thing. I haven’t run into a single client that has basically said, “No, we want to commit fraud, we want to be the worst organization ever, and we want you to do our audit.” Maybe it’s the process where they decide they want to work with A-LIGN, and we decide if we want to work with them. We screen them to make sure they want to do the right thing and they care about securing data, keeping customer data private, and reporting on things when they do go awry.
With that being said, we’re more of a consultative nature. That’s one of the reasons we brought penetration testing in-house. The penetration testers said, “Ok, we have this CDE (Cardholder Data Environment), this is where the card data is, our job is to – per the standards – run a penetration test to ensure the environment is secure.” So we started there.
Then, with everything going around with Tampa as far as USF’s Cybersecurity degrees, or FSU’s Cybersecurity clubs, we started bringing penetration testers in right out of college. In the past, you’d never do that. You’d hire experienced penetration testers. But we found that the programs taught them much more, with all the new techniques. The bad guys are getting badder, so our good guys need to get better all the time.
Matt: It’s great that they’re teaching these specialized programs to get kids experience and certifications.
Scott: Exactly! In the past, Network Admins sort of fell into penetration testing. No formal education, no capture-the-flag programs that they put on.
For us, it became much broader. Not just PCI-related. People said, “I want to know what’s going on because I outsourced a lot of my environment somewhere else.” If you think about it, you can spin up a company with only 3 employees by outsourcing your environment to GCP, AWS, Azure, or wherever else. You can outsource your development offshore. You can outsource your firewall administration to somebody else.
At the end of the day, you have somebody who can sell, someone that does accounting, and a CEO. That could be the company. Think about it – are all these people doing what they need to be doing? Because you’ve put all these third-party vendors together, and now you need to get them assessed. We can assess them technically, as well as from a procedural standpoint.
On social engineering
Penetration testing is great, but social engineering is even better. Clients will engage us to make calls into their environment to try to get data about individuals and about the environment itself. We also will send emails. One of the best ones we did was with our client that had a restaurant on the bottom floor of their building. We spoofed an email: it came ‘from the bar’ and it basically said, “Hey, here’s a coupon, fill out this form and get the coupon.” A bunch of employees filled it out. Then, for everyone that didn’t fill it out, we spammed them again 5 minutes later. People said, “Oh jeez, I want to opt out of this” and they clicked the opt out link – so that got them too!
Matt: Double trap!
Scott: Oh yes. This idea came from recent college graduates. It came from them because those are the types of things they’ve thought about. Like, “Hey if this came from the bar downstairs, they’d click on it.” Another thing is, social engineering is great because if you say something like, “To receive your health insurance benefits, you need to go to this website and enter your information because we’re switching plans,” we get people that way too. Any time you’re messing with someone’s benefits and spoofing emails, you can get their data really quickly.
People hire us and their subordinates say, “We’re never gonna fall for that.” We had a guy say that and we got all his IDs and passwords to the company’s production databases.
Matt: Do you guys ever do it internally?
Scott: So we do run penetration tests. We have our own internal application that we developed in-house to help us with our audits. And, we do social engineering as well. With the recent news about our investment from FTV Capital, they said, “Maybe you should try this on us as well.” They already did it proactively every year, but we did it as well. Of course, it’s almost like picking on your brother or sister. You want to make sure you really get them, so you make it even harder when you compete with them.
Matt: I attended a meetup with the guys from Abacode. The manager talked about how they do theirs internally and he said, “I’ll never get beat.” An email ‘from their domain’ spoofed him, like ‘email@example.com’ but with ‘cl’ instead of a ‘d’ so it looked similar and he didn’t catch it. In the end, he relented and admitted, “Alright, guess I’m not above it.”
Scott: Yeah, no doubt about it. At the end of the day, you can have all the technical controls you want, but it’s the human element. With a lot of our clients, we help them with some of the training specific to the standards we have. You talk about the Tampa environment – that’s why companies like KnowBe4 have grown so much. It’s because of the fact that they help with that type of training. The human element, at the end of the day, is the last line of defense.
On FTV’s investment into A-LIGN
Roxanne: You just mentioned FTV Capital. Considering A-LIGN recently nabbed a $54.5 million investment from them, what does it mean for you guys? What will you focus on improving?
Scott: I think the funding provides validation, brand awareness, and the ability to utilize those funds to improve service for our current clients. We’ll also improve our A-SCEND platform. I’ll walk through what I mean in greater detail.
When you bootstrap an organization, especially professional services, from nothing to $32 million in revenue and 180 employees… Around 3 years ago, we started hiring from college campuses. We put those people on training programs where they’re only learning and running through simulations. I think it ended up a $1.9 million investment last year for our company. We made $22 million last year, so almost 10% of our revenue related to training these people to then send them out to our clients.
This funding will allow us to have the financial capability to hire more college grads and provide more in-depth training programs. Now, we have the funds to be able to weather those types of investments, rather than the bank of Price and Geiger, which is not as fruitful.
Matt: It seems like Tara went to a different college every week at that point.
Scott: Oh yeah! We’re up to 5 college that we go to now. We’re searching all over the country to meet the demand, as you guys have seen. The cybersecurity unemployment number is negative.
Matt: Especially in Tampa.
Scott: I think the community is doing a lot to augment that as well. Whether Embarc Collective, the Tampa Bay Wave, or what they’re doing at USF, all those things are moving the needle a little bit. That’s helping employers like us want to stay here. We’re finding that talent level by making this a tech hub. Out of our 180 employees, about 65 are based in Tampa, which is good, both for Tampa and us. The FTV Capital investment is going to allow us to look at our employee base further.
The other piece of it is, in the past, regulations come down and then we train up on it and service our clients. This funding allows us to be a bit more anticipatory of all the regulations, and getting us trained on them. We’ll be able to anticipate our clients’ needs instead of being reactive. I’ve said we’re always good about helping our clients fly through the storm, but I think this is going to allow us to build more infrastructure so we can fly the plane around the storm. We’re going to know what’s out there and we’ll be able to take time, sit back, and see it, versus being in it all the time.
For the brand awareness side of it: FTV invested in Trustwave, which is one of the leaders in PCI and Managed Security Services. They got into Trustwave at about the same time as they got into us, from a revenue perspective, and they had a great exit with Trustwave because they could do acquisitions globally, and guide them as well. As you look at the validation piece of it, we continue moving upstream in our clientbase as well, so we’re given more opportunities at the enterprise level. We can call FTV and say, “Hey, do you know someone at this organization?” and they can say, “Yeah, we can call over there and talk about why we made the investment in A-LIGN and why you’d make a great partner for them.” That has proved very fruitful for us.
The third piece is our A-SCEND platform. Our A-SCEND tool allows us to auto-eliminate a lot of the documentation requests associated with providing multiple compliance initiatives to an organization. What that means in layman’s terms is if you have any healthcare data, you’ll have a HIPAA need. And then if you’re processing transactions and dealing with security of data, you’ll probably have a SOC 2 need. There are only a few of us in the country that can do all these audits.
Typically, what happens is you send over an Excel spreadsheet that has all the documentation requirements, and you look at it and go, “Yeah I already gave that to them.” Our application has everything online. It auto-eliminates all those requests. It allows the user to delegate down in the organization to the folks who will be able to handle the tasks. And, it rolls back up, saves their data, and allows you to comment on it.
What we want our application to be, eventually, is a central hub for our clients’ Governance, Risk, and Compliance needs. Not only does the platform have all their controls in there, but so is our testing and our reporting. Additionally, they can send their stakeholders to the site to pull the reports down. Regulation is not going away. With GDPR, with the California privacy laws, those are going to continue to happen.
The goal for our application and what we’re building a roadmap towards is, when a client asks a customer about a compliance need, they can basically press a button and look at the gaps associated with getting there. And they can make a business decision on whether or not they want to take on that client, because that client is going to cause them to have additional controls in place. Are those controls going to outweigh the risk? Or are those controls going to cause problems in their environment that they don’t want to have? Versus a sales guy saying, “Sure we’ll comply with that, sign on the dotted line!” They hire us to do the gap analysis and they go, “Oh my gosh it’s an extra $50,000 for us to comply with this.” We would have built that into the contract.
Lastly, this investment is also going to allow us to have development staff. We’re a professional services firm, but we’re building a DevOps shop. Some of the exciting technology is, we’ll be able to start pulling log data out of our clients’ environments. Rather than them having to upload the data themselves, we’ll pull that log data out so we can do more continuous auditing so it’s not such a point-in-time process. A penetration test is a point-in-time process, but how do we continuously monitor what we’re doing? If we can pull log data out and run it through AI to be able to say ‘you’re in compliance’ or ‘you’re not,’ that will allow our clients to proactively remediate. We might still have to report it to the end user, but they can remediate quicker.
On future investments
Matt: You mentioned some of the things you liked that people are progressively doing in the area, like Embarc Collective, The Wave, etc. With you guys obtaining funding, are there any talks with the bank of Price and Geiger to, in the future, invest in startups in Tampa?
Scott: Definitely. I think the first thing we’ll be able to work on with these organizations is mentoring. From being a bootstrapped startup in late 2009 to when we got the equity investment from FTV in 2018, what path did we take? What mistakes did we make that we could help guide them on? We have competencies and are offering services that we didn’t even imagine 3 years ago.
These companies have to anticipate that as well. And you don’t anticipate it by figuring out exactly what that new tech is going to be. You figure it out with good people who know your culture, are competent, and well-trained. Our first piece for our involvement is going to be mentoring these other companies and CEOs. I had breakfast with Linda Olson just a couple weeks ago about us becoming more involved in the Wave, with mentoring these CEOs by setting up cybersecurity roundtables.
The more lights we can shine on Tampa, the more it’ll bring the value of all our companies up. I’m a firm believer that rising tides lift all ships, so let’s continue to do that in the community. I think at some point, we would reinvest our dollars locally. We’re not yet at a point financially where the bank of Price and Geiger can do that, but what we can give is our time. You’re not born a samurai swordmaker. You learned from a guy who learned from a guy who learned from a guy. That’s the same thing with us, and that’s what we want to impart on a going-forward basis.
As we went into our process with FTV, the number of PE firms and investment bankers that came to Tampa from all over the country, they would call me and say, “Hey I’m coming to Tampa next week.” I didn’t realize so much activity happened here with firms and bankers. It would be great for the dollars to be in Tampa, but we have to start somewhere with the dollars coming here and then those people staying here with those dollars to reinvest in Tampa as well.
Everything is on fire
Roxanne: Your career in compliance has spanned over nearly 20 years. Is there a particular situation that stands out as a complete success or complete failure?
Scott: Most interactions we have are of the ‘everything is on fire’ type. It’s not because someone intentionally said ‘I want to light it on fire’ – it’s just not the first thing people focus on. They focus on building revenue. I always tell our clients that we’re here to take the burden of compliance on us to let them focus on revenue, because if they don’t have revenue, they can’t pay us.
Most of our 1800 clients are in the SMB space, so $500 million or less in revenue. Many of them are 0-200 employees. We also have clients that are startups with 3-5 people. They all start off with their hair on fire because that’s not what they think of first. They just think, “Let me keep the system up and running, let me add these enhancements so I can get these clients.” Then, their one big client goes, “Oh my gosh, I need to have this control in place,” and that’s where we get involved.
We go through audits the first time, and over two thirds of our clients have never done anything like this before. And we’ve retained 94% of them. So clearly we’re good about not letting their hair burn completely off! Everyone says they have great people, but being a CPA, I say you have to look at the numbers. If you’re bringing two thirds of these people in and you tell them you’re going to give them a voluntary root canal that they’re going to pay for and you retain 94% of them, you know you’re doing something right.
The last 20 years has shown me that people want to do the right thing. We have a whole mountain theme here – climbing up the mountain. If we can just help people keep climbing that mountain, that’s what we care about. We’re not just a necessary evil – we’re hooked into you and we help you up the mountain.
Roxanne: Your Ultimate Cyber Defense Guide whitepaper had some really great information in it, and I’ll be linking it so that people can download it. Can you give a TL;DR of some simple things people can do to protect themselves and their businesses?
Scott: Cybersecurity Awareness Month is the month of October and it’s a really big deal. I think we’re going to be able to get on a few television casts that month. We’re going to simulate both a phishing attack, and a hooking up to Starbucks WiFi attack.
As far as individuals, the biggest thing is think about when you’re at work. You get hassled to change your passwords. When’s the last time you changed your Bank of America or Wells Fargo password? Probably not that often. Clearly you want to have very strong passwords, but more importantly, you want to rotate them. Where you’re not forced to change passwords, make a concerted effort to change them.
It’s also things like going to Starbucks and using their free WiFi. It’s what you’re doing on that WiFi, and how you’re exposing your environment to it. A while ago, one of our clients, Digital Hands, demonstrated their security operations center. I asked a question, because I wanted to get their thoughts on it: are the threats becoming different? Are the attack vectors becoming different?
They said if companies did exactly what they’re supposed to do with patching, updating, and things of that nature, for these known vulnerabilities, they would solve a lot of problems. And that’s the truth. If companies looked at the patches that come out to fix vulnerabilities the manufacturer identified and then stayed up-to-date on them and consistently applied them fully, it would cover a lot of the problems that they could run into. That’s extremely important from a business standpoint.
Then there’s making sure that the vendors involved in your processes have good vendor risk management and assessments. What have those folks gone through on the business side to ensure they’ve mitigated the risks they could pose to organizations that outsource their Office 365 or Datacenter or Cloud?
Roxanne: I’m glad you brought up vendor risk management. Personally, I don’t think I would have ever thought about that.
Scott: People don’t understand where their data is. They think, “Ok, I’ve outsourced my data services to ABC Company.” They don’t realize that ABC Company has outsourced their datacenter services to XYZ Company. Knowing where your data is, in the footprint of it, is huge.
On the A-LIGN culture
Matt: What’s the company culture like? What makes working at A-LIGN great?
Scott: Culture is the biggest thing. We have a remote workforce, so how do you keep it engaged? We utilize a few techniques.
For example, we have a monthly conference call where we’re very transparent about finances of the company and where revenue is. We want everyone to feel like they’ve won together. We walk through our new clients and where they came from. Additionally, we have 5 minutes to brag on that conference call, so every email we got from happy clients, we shared. People get recognized in front of their peers that way. Then we open the floor for other people to brag about each other.
We also have our monthly value recognition. We have 4 values, as a company, and we have value t-shirts. So an employee can recognize another employee for one of our 4 values, which are: do the right thing, always; innovate constantly; commit to quality; be all in. If employees demonstrate those things, they can get a t-shirt for it.
One of the best things that we do (think about our employee growth, where we’re at, and the fact that we still do this, which is crazy given our size) is our annual training event called Climb. Climb is where we bring our employees from all across the country (and their significant others) to the conference location. We also invite them to bring their families as well. We don’t pay for their families to travel there, but as I always say, I’ll feed them and house them when they get there. It’s an opportunity for our employees to come together once a year. It might be the only time someone sees someone from a different team or different part of the country.
Every year, we have a different theme. Last year’s theme was Altitude, as we continue to grow. We went over things that could affect our ability to succeed, competition, collaboration, and competency. This year’s theme was Focus, and it talked about what we can do individually to focus better on a certain thing, maybe in our personal life, and how we can extrapolate that to our professional life. Talking about focus and why it’s important for us to focus on our clients, and focus on our people. So that’s a huge event. We actually had 286 total people this year between employees, spouses, guests, and children.
Next year, for our 10th anniversary, we’re holding it at the Gaylord Rockies in Denver, because we have a pretty good presence in Denver and we’re opening an office there. We’re going to have 450 people there, most likely, between employees and their guests. We have family night with photobooths and caricature artists. And, we always do a ‘give back’ event because we’re all together. In 2018, we packed backpacks for needy at-risk children in Orlando. We donated the money for backpacks and filled them with school supplies. The year before, we built green machines for Big Brothers and Big Sisters, and we got to test them out. We rode around in big wheels at the Four Seasons – pretty funny!
The culture is really important for me. We did value awards last year. Employees nominated other employees for a value award, and they wrote out why they demonstrated that value. Then we got together as a committee and selected one person from each of those categories, which resulted in employees feeling heard. We had 89 submissions and last year we only had 150 employees – so peers recognized over half of their colleagues for an award.
Every quarter, we get our entire leadership team together from around the country. They come to Tampa and they take leadership development training programs. Our people are great technically, but we want them to become better leaders so they can engage the level below them and have them come up as well. It continues to create opportunities for leaders, given our growth. I think those types of things create the culture that we have.
Matt: Who is a person and/or an organization that you think is doing something right and innovative in the area, outside of A-LIGN? And why?
Scott: I think someone who has done amazing things for our community is Tony DiBenedetto and what he’s done at Tribridge. He talked about The Wave, mentorship, things like that. Tony provided me mentorship as well, and to hundreds of others. I know he’s recognized a lot for what he’s done in our community, but he’s definitely somebody who deserves that.
Within our cybersecurity space, I’d say Brian Murphy at ReliaQuest. Amazing, what he does on the board of Junior Achievement of Tampa Bay. He brought ReliaQuest to the storefronts, opening the first of their kind simulated cybersecurity storefront. Brian Murphy is an outstanding role model for what’s going on in Tampa, giving back to the community, and working with universities. Look at the growth he’s had with his company… I look up to him as a role model for how to be a great CEO.
On the ridiculous growth at A-LIGN
Roxanne: You recently made the Inc. 5000 list for the 2nd consecutive year, coming in at #1065. Previously, you ranked #1590. Your three year growth clocked in at a shockingly-impressive 465%. To what do you attribute this growth?
Scott: It is pretty amazing. There are other companies who have done it as well, like AgileThought – I think they’ve done it for 9 or 10 years now. For us, it’s a whole lifecycle approach. The experience that Sales gives our clients at the beginning – the responsiveness, the thought leadership – is the same through the entire process at our firm.
Why are we growing? It’s because the entire lifecycle of our clients and who they interact with is a similar process from start to finish. The eagerness they get at the time of the sale is the same eagerness they feel at service delivery. Everybody is rowing in the same direction and at the same speed. That’s huge for us.
Crypto and compliance
Roxanne: I read your blog and saw posts devoted to cryptocurrency. Do you have any clients who work with crypto? How has blockchain impacted your business in regards to compliance and security?
Scott: We do have some clients involved in crypto. It’s something that has applicability in certain marketplaces. I don’t know at what point we’ll see the adoption that many people thought we would see with it, but it’s coming.
Regarding blockchain, it’s something we focus heavily on. Think about the compliance market – our clients’ needs drive it. We’re not building new technology to move something forward, it’s focused on compliance initiatives and what we can do to achieve them. When I think about the blockchain environment in continuous auditing and setting up a public or private node where you have record-keeping in place, it’s going to be able to add more credibility to an audit.
Many of our audits are ‘reasonable assurance,’ and you would think that the definition of assurance is only going to improve. That’s what people want: they want more real-time reporting, better assurance on the numbers or the transactions, and the security being accurate. Blockchain will move us in a direction where we’ll be able to provide more assurance about these types of things, and test not just a sample, but all of the transactions.
I’m on the board of an organization, Auditchain, which is focused on blockchain and its involvement in the auditing world, so we clearly think it’s something that we need to focus on.
Matt: Any further thoughts or insights you’d like to share? Anything exciting coming down the pipeline for A-LIGN?
Scott: Every day is exciting! I tell people we don’t sell black and white TVs – the industry is constantly changing. That’s the enjoyable part.
As your cybersecurity and compliance firm, A-LIGN specialize in helping you navigate the scope and complexity of your specific security needs. A-LIGN offers comprehensive expertise and consulting for every set of compliance objectives and makes your specific path their priority. Learn more here.
Want to nominate a tech leader for us to interview? Fill out the form below!