Interview: AJ Yawn, ByteChek

Earlier this year, we introduced you to AJ Yawn, who at the time was describing himself as a “cybersecurity enthusiast”, writing articles about AWS and the cyber risks of mergers and acquisitions.

He is a former Captain in the U.S. Army and cloud security industry expert, and in the past week he reconnected with Infosecurity to talk about the launch of a new company with his co-founder Jeff Cook.

Named ByteChek, it describes itself as a SaaS company founded to automate IT audits and streamline cybersecurity reporting. Infosecurity talked to AJ Yawn about the company and his ambitions.

In a few words, explain what ByteChek does?

Our solutions are designed to automate and streamline cybersecurity assessments. We eliminate evidence collection in cybersecurity audits by connecting directly to the applications where the evidence lives.

You say that this is about making the assessment process easier – where do you feel the assessment process is failing currently? What is causing assessments to be “overwhelming and too manual”?

It's the lack of focus on security and technical accuracy that makes it overwhelming and manual. One specific problem is auditors not understanding technologies so they request evidence that does not make sense and causes an unnecessary level of effort for the organization on the other side.

The other problem stems from the fact that the current GRC tools that exist are essentially document repositories where clients have to manually upload evidence and auditors have to manually review the evidence. Both the auditors and the organizations are performing manual tasks, which results in everyone just trying to get through the audit to obtain a report.

Your focus seems to be on ensuring your clients are secure, rather than having them focus on compliance frameworks. Why is this? Are there too many frameworks to try and fit into depending on what sort of businesses your clients are looking to do? Do you feel there is enough focus on security as opposed to being compliant?

There are too many frameworks: each framework is saying similar things as it relates to security. Concepts such as: ensure only privileged users have access to sensitive data, perform vulnerability scans, implement a logging solution, enable multi-factor authentication, and other common security themes. The problem comes when companies begin chasing a standard or framework; they focus on how they can meet compliance requirements (that may or may not be relevant to their organization) instead of these core security concepts.

We hear a lot about how compliance is not security; I agree. However, security can be compliance, and by focusing on security, companies can make smart decisions that are relevant and useful to your organization without focusing on the latest framework or standard.

Is the focus here on getting companies to be more secure first, and then to keep them secure?

That's the focus. Our platform assists companies by quickly assessing their cybersecurity program against security best practices and providing immediate mitigation strategies to address any weaknesses or vulnerabilities. Once those issues are remediated, we continually assess your environment and procedures to ensure controls are consistently operating effectively.

Our platform examines key cloud security practices such as S3 bucket or other storage service security, access key security and rotation, protection of snapshots and backups, and more. At any time, our clients will know exactly how their environment stacks up against security best practices that are relevant to cloud-hosted organizations.

Finally, what is it like launching a company in the midst of a pandemic? Has being a SaaS platform enabled you to bypass some of the issues that could commonly be associated with a physical product?

It's pretty nerve-racking to launch a company when it seems the world is shut down, but it has forced us to focus on the important stuff that sometimes gets neglected when we are in the normal world. The time we saved on not attending in-person events, traveling, etc. has allowed us to focus on doing this the right way from the beginning. Being a SaaS company helps because we can grow and develop our product and business model without a need for a physical office or physical goods.

The cloud technologies that exist make it easy for startups to get an application off the ground. The thing that has helped us a lot is our team; the unknown associated with launching a company during a pandemic is a lot easier to deal with when your team is strong and works great with each other.
