Rhymetec is proud to announce the promotion of Kyle Jones to the newly created role of Chief AI Officer (CAIO). Since joining Rhymetec on October 17, 2022, Kyle has been a driving force behind our rigorous security standards. His elevation to the executive leadership team marks a bold new chapter for Rhymetec as we solidify our position as a deeply tech-forward organization dedicated to pioneering the future of cybersecurity operations.
Meeting the AI Uprising Head-On
The rapid, unprecedented uprising of artificial intelligence has fundamentally altered how industries operate. For forward-thinking organizations, AI is no longer a peripheral tool; it is a foundational shift. Navigating this new era requires a rare blend of leadership, someone who deeply understands the uncompromising world of information security, yet possesses the cutting-edge technical mastery required to harness advanced AI responsibly.
Kyle Jones is uniquely qualified to bridge these two worlds. Already a highly respected industry professional holding the prestigious CISSP (Certified Information Systems Security Professional) credential, Kyle anticipated the AI wave early. Over the last few years, he has focused heavily on the practical applications of machine learning, recently completing a suite of advanced certifications from IBM, including their Generative AI Engineering Specialization, as well as rigorous frameworks covering Generative AI Applications with RAG and LangChain, and LLM Architecture.
This powerful combination of elite security expertise and advanced AI engineering makes Kyle the ideal visionary to guide Rhymetec into a hyper-efficient, tech-driven future.
Driving Internal Efficiency to Elevate the Customer Experience
At Rhymetec, our technology investments are always guided by a single, customer-centric mission: How can we make our clients’ security and compliance journeys smoother, faster, and more robust? As Chief AI Officer, Kyle’s mandate is not isolated to a development sandbox. Instead, he has been actively working across every corner of the company: collaborating cross-functionally with Sales, Customer Success, Marketing, Operations, and Security teams. By architecting and deploying sophisticated internal AI systems and intelligent workflows, Kyle is transforming how Rhymetec operates from the inside out.
For our customers, this internal optimization delivers immediate, tangible competitive advantages:
- Accelerated Project Timelines: By leveraging internal AI efficiencies to automate repetitive data synthesis and administrative bottlenecks, our security experts can execute projects faster than ever before.
- Supercharged Response Times and SLAs: Optimized internal workflows mean our teams can exceed service level agreements (SLAs), providing lightning-fast communication and support when clients need it most.
- High-Value Strategic Focus: With AI handling manual, time-consuming processes behind the scenes, Rhymetec’s experts can dedicate their energy to what matters most: delivering tailored, high-level strategic counsel to protect your business.
While these internal advancements serve as our primary efficiency engine, they also naturally lay the foundational groundwork for our broader technological ecosystem, including the future evolution of Rhymetec’s internal platforms.
"We are living through a tech revolution, and staying ahead means being willing to disrupt your own workflows for the benefit of your clients. Kyle has been the mastermind behind our internal AI evolution. Appointing him as Chief AI Officer ensures Rhymetec remains an industry trailblazer, delivering a premier, tech-forward experience to every business we secure,"
— Justin Rende, founder and CEO of Rhymetec.
Charting the Path Forward
In his executive role, Kyle will oversee the holistic integration of intelligent systems across Rhymetec while maintaining an ironclad commitment to risk management. His core focus areas include:
- Cross-Functional Orchestration: Partnering with department leaders to audit operational friction points, designing custom internal AI systems that eliminate redundancies and maximize output.
- SLA and Timeline Optimization: Measuring and continuously tuning internal AI implementations to ensure they directly correlate to faster project delivery and enhanced service accuracy for clients.
- AI Platform Strategy & Development: Leading the strategic roadmap, architecture, and development of Rhymetec’s next-generation AI platform, focused on scalable automation, secure multi-tenant infrastructure, and AI-driven cybersecurity operations ahead of its planned late 2026 release.
- Enterprise AI Governance: Developing a world-class internal AI risk management framework, establishing rigorous data-handling policies that guarantee all internal AI utilization aligns perfectly with global privacy and cybersecurity best practices.
By appointing a Chief AI Officer with Kyle’s unique caliber of security and machine learning expertise, Rhymetec is doing more than just adopting technology; we are redefining how modern cybersecurity services are delivered.
NEW YORK, Apr. 7, 2026 – Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announced a partnership as an Official Small Business Partner of the Brooklyn Nets.
This Small Business Partner Program empowers New York-based businesses by unlocking collaboration opportunities with one of the NBA’s most iconic teams. The collaboration merges Rhymetec’s mission to provide seamless, premium security partnerships with the Brooklyn Nets' dedication to community and team excellence.
Partnership Highlights
- Barclays Center Presence: Rhymetec will showcase its brand at Barclays Center, home of the Nets, reaching fans through high-impact digital signage and dynamic gameday branding.
- Community and Networking: Rhymetec will participate in exclusive experiential moments and networking events designed to empower and strengthen the local New York business ecosystem.
- Enhanced Digital Exposure: The partnership extends Rhymetec's reach year-round through targeted social media marketing and digital exposure on non-gamedays, transforming team pride into a powerful community asset.
For Rhymetec, the partnership represents continued growth and expansion of its presence in New York, where the company was founded in 2015. What began as a penetration testing company serving local startups has grown into a global cybersecurity and compliance partner supporting more than 1,000 organizations worldwide.
"In 2015, I was riding around New York City on my bike, delivering Google Homes to the offices of companies I wanted to work with. To go from those local roots to partnering with an iconic New York institution like the Brooklyn Nets is a massive milestone for our team," — Justin Rende, founder and CEO of Rhymetec.
What started in New York City with a single client has quickly grown into a global operation. Today, Rhymetec has served more than 1,000 clients, ranging from early-stage startups to established enterprises. Rhymetec removes cloud security complexities so innovative companies can grow faster and achieve their goals without limits.
Through the Brooklyn Nets Small Business Partnership, Rhymetec reinforces its commitment to the city where it all began, bringing its message of seamless, proactive cybersecurity to the NBA arena stage.
About Rhymetec
Rhymetec delivers premium cybersecurity and data privacy solutions for modern SaaS businesses, combining human expertise with innovative technology. The company builds, deploys, and manages offensive security, compliance, and data privacy programs directly within clients' environments, enabling organizations to move fast, operate confidently, and focus on what matters most. With Rhymetec as a partner, companies can move freely, grow without limits, and focus on building the business they envision. For more information, visit www.rhymetec.com and follow Rhymetec on LinkedIn.
With a Registered Practitioner on Staff and a Proven Track Record, the Company Solidifies Its Role as a Leading Partner for Defense Contractors Navigating New CMMC Requirements.
NEW YORK, May 28, 2025 – Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces it has achieved the status of Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) through CyberAB. Developed by the U.S. Department of Defense (DoD), the CMMC Program is a set of rules designed to strengthen cybersecurity and protect sensitive government information shared with defense contractors.
As a CMMC RPO, Rhymetec is equipped to provide expert advisory and compliance readiness and maintenance services to help organizations understand CMMC requirements, implement necessary controls, and prepare for audits and assessments. This milestone is especially timely, as the final CMMC requirements take effect this month, making compliance essential for contractors looking to win or retain DoD contracts. Rhymetec's commitment to advancing CMMC readiness is further demonstrated by its active participation in industry events such as CEIC West and recent collaborations with leading compliance partners like Vanta and A-LIGN.
"With the final CMMC requirements now in effect, defense contractors and subcontractors are under real pressure to get compliance right," said Justin Rende, founder and chief executive officer of Rhymetec. "Achieving RPO status reinforces our commitment to guiding clients through this critical process with clarity, confidence, and deep expertise."
In addition to being a designated CMMC Registered Provider Organization (RPO), Rhymetec's chief information security officer (CISO), Metin Kortak, has earned the credential of CMMC Registered Practitioner (RP). This distinction underscores the company's dedication to cybersecurity excellence and hands-on expertise. Having a certified RP on staff is not only a requirement for RPOs but also enhances the value of Rhymetec's advisory and managed services, enabling more strategic guidance and tailored preparation for organizations seeking certification under the latest CMMC standards.
"CMMC isn't just about checking boxes; it's about building a resilient security posture that can stand up to real-world threats," said Metin Kortak, CISO of Rhymetec. "As a Registered Practitioner, I'm proud to help organizations cut through the complexity and take actionable steps toward long-term compliance and protection."
If your organization needs guidance navigating the complexities of CMMC compliance, including conducting gap assessments or self-assessments, developing System Security Plans (SSPs), drafting a Plan of Action and Milestones (POA&M), implementing required security controls, and supporting remediation efforts, Rhymetec can help.
You can read the original press release on PR Newswire.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers' unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec's services have grown to include a vCISO (Virtual CISO) program, ISO Internal Audits, and a variety of Penetration Testing services. For more information, please visit www.rhymetec.com and follow us on LinkedIn.
Deepak Chopra once said, "All great changes are preceded by chaos." This has never been more accurate than when it’s applied to the current AI and cybersecurity environments—and the regulations that govern them.
New frameworks like the Digital Operational Resilience Act (DORA), the EU AI Act, the Network and Information Systems Directive 2 (NIS2) and the Cybersecurity Maturity Model Certification (CMMC) are reshaping how businesses handle security, risk and compliance. These regulations aren't just about ticking boxes—they carry major financial penalties and demand real operational changes.
For companies in financial services, AI development, critical infrastructure or defense, staying ahead of the changes is vital to avoid penalties, protect data and maintain trust. Let's look at what each entails.
DORA: Protecting Financial Institutions From Cyber Disruptions
Financial institutions face constant cyber threats and operational risks. DORA aims to empower financial organizations to weather system disruptions and continue operating smoothly.
DORA requires penetration testing, vulnerability assessments and disaster recovery planning. It focuses on business continuity to ensure that if a system fails, a plan is in place to keep operations running. Banks, insurance companies and investment firms must validate security controls through rigorous testing.
This regulation is a wake-up call for financial institutions to take cybersecurity resilience seriously. The penalties for non-compliance are severe, making it crucial for businesses to invest in robust security testing and operational risk management.
The EU AI Act: Setting The Global Standard For AI Compliance
AI development currently operates in a regulatory gray area, but the EU AI Act is changing that. One of the first laws to set clear boundaries on AI usage, it focuses on ethical risks, security concerns and prohibited applications.
The most important takeaway is the significant financial penalties for non-compliance: These can be up to 7% of a company's global annual revenue or 35 million euros, whichever is higher. That's more than GDPR, which has already forced businesses worldwide to rethink their approach to data privacy.
This law explicitly bans certain AI applications, particularly those that exploit the vulnerabilities of individuals. The ban includes AI-powered cyberattacks, social manipulation and unethical facial recognition practices. Article 5 of the act outlines prohibited AI uses, such as systems that exploit people's age, disabilities or socioeconomic circumstances.
This isn't simply a privacy factor; its purpose is to prevent AI from being weaponized.
A common misconception is that this law only affects European companies. That's not the case. Any company developing, deploying or processing AI systems in the EU—or serving EU customers—must comply. For example, if a U.S. company hosts its platform in an EU data center or processes European customer data, this regulation applies.
The EU AI Act is setting the stage for global AI governance. Similar regulations are expected to emerge worldwide, making it smart for businesses to adapt now rather than scrambling to comply later.
NIS2: Strengthening Cybersecurity For Critical Infrastructure
Also in the EU, the NIS2 Directive expands cybersecurity requirements for critical industries like energy, healthcare, transportation and digital services. It builds on the original NIS Directive but goes much further, applying to more organizations, increasing security expectations and enforcing stricter penalties.
The enhanced reporting requirements are one of the biggest challenges. Companies must notify regulators of cyber incidents within 24 hours, provide a complete assessment within 72 hours and demonstrate they are actively managing security risks.
The directive also emphasizes stronger supply chain security, holding companies responsible for ensuring their vendors meet cybersecurity standards. This means businesses can't just secure their own systems—they must also vet suppliers and partners to prevent weak links in the supply chain.
Beyond reporting and supply chain oversight, NIS2 enforces stricter governance requirements. Organizations must appoint security officers, conduct regular risk assessments and develop robust cybersecurity policies. Those that fail to comply face heavy financial penalties and increased regulatory scrutiny.
Compliance isn't optional for companies operating in or serving the EU market. NIS2 is setting a new cybersecurity standard, and businesses that don't act risk fines, operational disruptions and reputational damage.
CMMC: Raising the Bar For U.S. Defense Contractors
The CMMC is a requirement for companies working with the U.S. Department of Defense (DoD). It builds on cybersecurity frameworks like NIST 800-171, ensuring that defense contractors follow strict security protocols to protect sensitive government data.
Recent changes to CMMC include a new self-assessment option for Level 1 compliance, making it easier for smaller contractors to meet requirements without hiring third-party auditors. However, higher certification levels still require independent verification, adding layers of accountability.
With the new compliance requirements going into effect in mid-2025, businesses need to act now. The DoD has made it clear that CMMC certification will be mandatory for contracts, and companies that don't comply risk losing business.
Evolving Security Frameworks: A Smarter Approach To Compliance
For organizations handling sensitive data in healthcare, finance and other regulated industries, new security frameworks present a way to prove compliance with strict privacy and cybersecurity standards. In the past, certification required a lengthy, one-size-fits-all assessment, but newer models offer more flexible options with fewer controls, reducing complexity while maintaining security.
Many businesses don't realize that certification levels vary, and choosing a lower-tier option may not meet regulatory or customer expectations. This is especially important for HIPAA compliance, where recognized certifications can demonstrate that companies meet security standards. As cybersecurity laws evolve, understanding these frameworks ensures that businesses stay compliant, competitive and prepared for future regulations.
Laws like DORA, the EU AI Act and NIS2 are designed to keep technology from becoming a threat. AI development currently lacks clear rules—without oversight, it can be used in dangerous ways. These regulations force businesses to prioritize security and ethics upfront, preventing bigger problems down the road.
To stay ahead, organizations must:
- Identify relevant regulations and update security policies.
- Invest in risk assessments, penetration testing and employee training.
- Stay informed—more regulations are coming.
Compliance isn't just about avoiding penalties but about building a safer, more resilient digital future. Companies that act now will lead, while those that wait will fall behind.
You can read the original article posted in Forbes by Rhymetec CISO, Metin Kortak.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
Leading cloud security company celebrates 10 years of success attributing sustainable growth to its highly skilled team, strategic partnerships and expanding globally.
NEW YORK, March 28, 2025 – Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance and data privacy services to modern-day SaaS businesses, today announces multiple significant accomplishments in honor of its 10-year anniversary. These include continued company growth, both in the U.S. and internationally, service expansion, and strengthened strategic partnerships.
"I could not be more proud of the accomplishments of our team at Rhymetec. For the past 10 years, we have continued to evolve to meet our clients' needs, while navigating constant changes in the industry," said Justin Rende, founder and chief executive officer of Rhymetec. "We've built a network of trusted partners to better serve our customers and, looking to the future, we remain committed to the same mission we started with — to deliver sustainable compliance strategies with the highest security standards."
Since its founding in 2015, Rhymetec has experienced notable milestones and accomplishments, including:
Company Growth:
- Rhymetec has more than 35 full-time employees today. Rhymetec is proud to state that they do not outsource their services.
- Has served more than 1,000 clients spanning companies of all sizes from startups to enterprises
- Helped clients manage more than 1,200 Audits
- Completed more than 900 Penetration Tests
New Frameworks and Compliance Offerings for 2025:
These offerings are alongside Rhymetec's Virtual CISO (vCISO) service:
- CMMC
- DORA
- NIS-2
- EU AI Act
- Data Privacy Framework
Rhymetec's strategic partnerships and active participation in key industry events have been essential to the company's success and growth. Over the years, collaborations with industry leaders like Vanta, Drata, A-LIGN, and others have not only solidified Rhymetec's role as a trusted partner but also fueled momentum for shared growth. Joining together on events such as Vanta's company kick-off and Drata and A-LIGN's sales kick-off serves as an opportunity to strengthen relationships, exchange insights, and drive collective innovation in the cybersecurity and compliance space.
These partnerships, along with sponsorships at major conferences in Q1 like ViVE, reinforce Rhymetec's commitment to elevating industry standards, supporting clients through their growth phases, and driving forward the shared mission of delivering top-tier security and compliance solutions.
Also notable in Rhymetec's success is its strategic approach to employee development. The company recently announced the promotion of Endri Domi, one of Rhymetec's first employees, from security program manager to information security manager. In his new role, Domi will help lead Rhymetec's team of highly skilled security professionals.
"I am grateful for the trust and support from my colleagues and leadership at Rhymetec," Domi said. "I am excited to tackle new challenges and continue delivering excellence in information security for our clients."
To learn more about Rhymetec and its suite of cybersecurity services, visit www.rhymetec.com.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers' unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec's services have grown to include a vCISO (virtual CISO) program, ISO internal audits and a variety of penetration testing services. For more information, visit www.rhymetec.com and follow on Twitter or LinkedIn.
You can read the original press release on PR Newswire.
Businesses often rely on a network of vendors to support their operations, yet many don’t realize this reliance comes with significant cybersecurity risks. Because of this, strengthening vendor risk management isn't just a necessity; it's a critical component of maintaining customer trust and safeguarding sensitive information. Here's how businesses can strengthen their vendor risk management practices and stay ahead of potential threats:
Start With Due Diligence
Before onboarding a vendor, conduct a thorough evaluation of their security practices. This means more than simply reviewing their policies or taking their word for it. Begin by requesting detailed information about their cybersecurity measures, including network security, data protection protocols, and any certifications or attestation reports they hold (e.g., ISO 27001 or SOC 2 compliance).
Next, conduct interviews with their team, ask for case studies and request references from other clients. A vendor's security posture should be robust and transparent, and any hesitance or vagueness in providing this information should be considered a red flag.
Implement Ongoing Monitoring And Review Processes
Onboarding a vendor with strong security practices is just the beginning. Cybersecurity isn’t static, and your approach to vendor management shouldn't be either. Define a process for ongoing monitoring of your vendors' security postures. This could involve quarterly reviews, where you reassess vendors' network security, business continuity plans, and any incidents of data breaches.
Regular reviews help verify that vendors maintain the standards agreed upon at the start of your partnership. After all, a vendor's security measures might lapse or become outdated over time, posing a risk to your business. By staying proactive and conducting regular assessments, you can identify and address potential issues before they escalate.
Strengthen Communication And Transparency
Transparency is key in vendor relationships, especially when it comes to cybersecurity. Establish clear communication channels and expectations from the start. Your vendors should be aware that you expect to be informed of any security incidents or changes in their operations that could impact their ability to safeguard your data.
You may also want to consider asking your vendors if they have a trust center or public page that outlines their controls and practices, reporting on their security status in real time. This kind of transparency builds trust and allows you to address potential risks swiftly.
Leverage Technology For Continuous Monitoring
As the number of vendors you work with increases, so does the complexity of managing them. To stay ahead, you can invest in technology solutions that help automate the monitoring process. Tools that continuously track vendor performance, security updates, and compliance status can provide real-time insights, enabling you to act quickly if a risk is identified.
These tools can also help you maintain an up-to-date inventory of your vendors, track the flow of data between your company and its vendors, and identify any potential vulnerabilities. In the cybersecurity landscape, where threats evolve rapidly, leveraging technology can provide a significant advantage in staying ahead of potential risks.
Tailor Your Approach Based On Vendor Risk Levels
Not all vendors pose the same level of risk to your organization, so a one-size-fits-all approach to vendor management can be inefficient and ineffective. Instead, classify your vendors based on their access to your sensitive data and the potential impact on your business if their security were to be compromised.
More stringent monitoring and controls should be in place for high-risk vendors, such as those with access to critical systems or sensitive customer information. This might include more frequent reviews, higher standards for cybersecurity measures, and more detailed contractual obligations. A less intensive approach may be sufficient for lower-risk vendors, but they should still be subject to regular reviews to ensure they meet your security expectations.
Cultivate A Culture Of Security Within Your Organization
Strengthening vendor risk management starts with a culture of security within your own organization. Your team should understand the importance of cybersecurity and be trained to identify potential risks when interacting with vendors. Encourage your employees to follow best practices, like verifying the legitimacy of vendor claims and reporting any suspicious behavior.
Develop A Vendor Incident Response Plan
Incidents can still occur no matter how robust your vendor management process is. As such, it’s crucial to have a vendor incident response plan outlining the steps your company will take if a vendor's security is compromised. This plan should include clear communication protocols, roles and responsibilities, and a process for mitigating the impact of a security breach.
By planning for the worst, you can respond quickly and effectively to minimize the damage to your business and your clients. A well-prepared incident response plan can also help to reassure your clients that you are committed to protecting their data, even in the face of unexpected challenges.
In Closing
Strengthening vendor risk management is not a one-time task, but an ongoing commitment. By implementing comprehensive due diligence, ongoing monitoring, clear communication, and leveraging technology, businesses can significantly reduce their exposure to cybersecurity risks. Prioritizing cybersecurity and ethics in vendor management protects your business and builds the trust essential for long-term success in the digital era.
You can read the original article posted in Fast Company by Rhymetec CEO, Justin Rende.
Rhymetec Wraps Up 2024 with Major Milestones and a Continued Commitment to Cybersecurity Excellence
NEW YORK, Dec. 10, 2024 /PRNewswire/ – Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces significant milestones as it closes out a transformative year. Following 61% employee growth and the launch of an internship program in 2024, Rhymetec has further solidified its position as an industry leader through ongoing efforts to drive continuous improvement in services, build strategic partnerships, and maintain the highest standards of security and compliance for its clients.
“We’ve always believed that security and compliance are not ‘one-and-done’ efforts—they need to be integrated into the foundation of an organization’s operations,” said Justin Rende, founder and chief executive officer of Rhymetec. “In a market where many competitors offer solutions so companies can check the box of security, we remain true to our mission of delivering ongoing, sustainable compliance strategies and the highest security standards. As we look ahead to 2025, we’re dedicated to further progress, transparency, and partnerships that help our clients achieve long-term success and meet the evolving challenges of global regulations.”
This year, Rhymetec launched an internship program to cultivate cybersecurity’s next generation of talent. The company enjoyed celebrating its success throughout the year and strengthening its partnerships with key industry players during a company retreat in Cabo San Lucas. Representatives from Vanta and A-LIGN joined the retreat, where the teams discussed plans for further collaboration. In 2024 alone, Rhymetec solidified its partnerships with organizations like Johanson Group and Drata—becoming a Drata gold partner—and further developed partnerships with Picnic, A-LIGN, and BARR, to name a few.
“Johanson Group has been working with Rhymetec for five years,” said Ryan Johanson, partner at Johanson Group. “They have always done a fantastic job helping clients implement a GRC platform and getting them ready for audit. They are responsive to clients’ needs and insightful about the technology and compliance roadmaps. When we see a client working with Rhymetec, we know the client will be well prepared for the audit.”
In 2025, Rhymetec is preparing to introduce new frameworks and compliance offerings to address emerging global regulations, including DORA, NIS 2, and the EU AI Act. Additionally, the company plans to enhance its application security offerings, focusing on more proactive, offensive solutions.
To learn more about Rhymetec and its suite of cybersecurity services, please visit www.rhymetec.com.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers’ unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec’s services have grown to include a vCISO (Virtual CISO) program, ISO Internal Audits, and a variety of Penetration Testing services. For more information, please visit www.rhymetec.com and follow us on Twitter or LinkedIn.
Read the original press release on PRNewswire.
Compliance Gap Assessments, ISO 42001 Guide and a New Strategic Hire Highlight Rhymetec's Growth and Commitment to Excellence
NEW YORK, Oct. 1, 2024 - PRNewswire -
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces notable company updates. The company spent the quarter expanding service offerings, including compliance gap assessments, to support a new market of clients, continuing to build a market presence at conferences globally, and creating new resources including a comprehensive ISO 42001 guide. Additionally, Rhymetec made a vital hire to evolve and lead their penetration testing efforts.
"Q3 has been a remarkable period of growth for us," said Justin Rende, CEO and founder of Rhymetec. "From making our compliance gap assessments accessible to clients outside of our vCISO services to introducing our ISO 42001 guide, we've hit key milestones that enhance both our service offering and industry presence. Bringing on additional penetration testing leadership also underscores our dedication to strengthening our security expertise as we continue to scale."
Compliance gap assessments, now offered by Rhymetec as an individual service, were historically available only as a perk of Rhymetec's managed vCISO services. Gap assessments help businesses identify areas where they may fall short of compliance requirements and also help them determine how well their organization aligns with key security and privacy frameworks like NIST, SOC 2, GDPR, HIPAA, FedRAMP, and ISO 27001. The assessments' real value is in what comes next: a clear roadmap to compliance that prioritizes resources and offers actionable steps to close any gaps. By offering this new service, a wider array of SaaS businesses can take full advantage of a third-party assessment of their infosec program in preparation for external audits and certifications.
In addition to adding compliance gap assessments, Rhymetec:
- Participated in SaaStr in September and will have a presence at the Web Summit in Lisbon, Portugal in November.
- Further strengthened its already robust security team by hiring a highly successful penetration tester with 21 licenses and certifications, including his CJIS Level 4 from the Federal Bureau of Investigation (FBI) and numerous credentials and certifications from CompTIA.
- Created a thorough guide to help organizations prepare for their ISO 42001 audit. Broken into four critical phases, including Foundation, Execution, Audit Preparation, and Certification, the handbook was written to help busy SaaS and tech leaders shorten their timelines, reduce their team's level of effort, and successfully guide their company through ISO 42001 compliance.
"ISO 42001 is essential for organizations looking to build trustworthy AI systems, but navigating compliance requirements can be challenging," said Metin Kortak, CISO at Rhymetec. "At Rhymetec, we've developed a comprehensive ISO 42001 guide to streamline this process, offering a clear checklist to break down readiness steps, a timeline cheat sheet to assess certification duration, and a detailed FAQs section that addresses the most common concerns. With these tools, we aim to empower businesses to implement ISO 42001, enhancing their AI governance while aligning compliance efforts with broader business goals."
Metin Kortak, CISO with Rhymetec, talks about how organizations are approaching data privacy and security compliance, and thinking about risk management policies, when it comes to generative AI in the workplace.
Below is a lightly edited transcript from the Decipher podcast conversation.

Decipher Podcast: Metin Kortak
Lindsey O'Donnell Welch: This is Lindsey O'Donnell Welch with Decipher and I'm here today with Metin Kortak, CISO with Rhymetec. Thank you so much for coming on today. It's really nice to speak to you.
Metin Kortak: Thank you very much for having me.
Lindsey O'Donnell Welch: Can you talk about your path into the cybersecurity industry and what drew you to the CISO role?
Metin Kortak: Yeah, absolutely. I have a computer science background, and when I first started working at Rhymetec, we were actually only offering penetration testing as a service to our customers, and then later on, we realized that with our customers, there's this demand for becoming compliant with various cybersecurity frameworks, which at that time wasn't my specialty - I was more of a network security person. But as we realized that this is a very big demand from our customers, we expanded our business more for compliance and providing cybersecurity solutions and services.
Lindsey O'Donnell Welch: I know that you do a lot with compliance and privacy, and I wanted to talk a little bit about what you're seeing there, specifically with AI being such a big topic over the past year with generative AI and the general availability there. How does AI fit into companies' existing compliance and privacy frameworks, from your perspective?
Metin Kortak: Yeah, I always say that because technology evolves so fast, laws, regulations, any sort of compliance frameworks, they always come after the technology has been created and actually built in a proper manner. We have been actually working with AI systems for the past couple of years, but not until recently have there been some more compliance frameworks and regulations that became more solid. Recently we've been working with ISO 42001, which has been a recent cybersecurity framework that was really created to secure artificial intelligence systems.
But this framework hasn't even been in place up until just a couple of months ago, and even with the auditors that we're working with they're not even yet accredited to conduct audits against these frameworks. So it's all just very new and there are a lot of concerns from our customers because they want to make sure that they're doing the right thing, they want to make sure that they're complying with certain regulations. But at the same time, the regulations are not really available to them. So they don't have a lot of guidance from the government or from other cybersecurity framework providers. So it has definitely been difficult, and what we have been doing is following these guidelines, and sometimes we have to create our own guidelines for ensuring data privacy on data security.
Lindsey O'Donnell Welch: Outside of the Biden administration's executive order around AI and security, there haven't been really any official types of things that people or companies can point to and say, here's what we need to do about AI and privacy and security. I know in the EU they recently passed the AI Act that outlined some of the governance policies that companies need to follow. Is that something that is top of mind for companies?
Metin Kortak: Yeah, absolutely, we've been following the key frameworks, we have also been following the NIST AI frameworks that have been released but are not really being used by a lot of companies right now. But on top of that, as you know, GDPR, has been around for a long time.
And on top of that, in California, there has been CCPA for data privacy acts, and even if there wasn't an official artificial intelligence cybersecurity framework, what we have been doing to kind of like get around that is ensuring that our customers are still complying with frameworks like GDPR, CCPA, while they are producing artificial intelligence systems because even though there aren't specific AI guidelines, there are guidelines around data privacy and data security and we can interpret those guidelines and ensure that AI systems are still complying with those frameworks.
"It has definitely been difficult and what we have been doing is following these guidelines and sometimes we have to create our own guidelines for ensuring data privacy and data security."
Lindsey O'Donnell Welch: Yeah, so it seems like the main approach here is to look at the the existing frameworks and see if those policies can encompass what we're seeing with AI and lean on those existing ones?
Metin Kortak: Correct. For example, when we're working with artificial intelligence systems, there are language learning models - LLMs - language learning models capture personal information and other data, and based on that data, they will yield results. And they continue to learn from that data. And when we're talking about a data privacy framework like GDPR, end users do have the option for their data to be removed. So what we do is implement procedures in place so that their personal data can not only be removed from databases but also from language learning models, so that data cannot be used for teaching the artificial intelligence learning behavior.
Lindsey O'Donnell Welch: Do you see companies thinking about data governance at all, is that top of mind for people as it relates to AI, or are people mostly just diving in headfirst and saying, "Here's this really cool AI application that we can deploy," and then not really [thinking about] dealing with the consequences after?
Metin Kortak: Yeah I've been seeing a lot of companies just like jumping on the bandwagon. Whenever AI is out there, they're like, "We have to do something AI, we have to do something AI," and they're working with all of these third-party providers, they're trying to build their own artificial intelligence systems. But they're trying to do it in a fast way because it's no longer about data security governance and privacy, and it's more about competing in the marketplace.
Everybody wants to make sure that they have some type of AI product because now it makes them better than the competitor that doesn't. So I have been seeing very little attention to cybersecurity and data privacy when implementing these artificial intelligence systems because companies mostly care about how they can be better when it comes to their competitors. And because there weren't a lot of regulation/compliance frameworks, it was almost like a free for all - you can do whatever you want, you can create your AI system, you can opt your users in, you can capture their data without really having some solid consequences from a legal standpoint.
I think that's why a lot of those recent laws in the European Union and other countries have been making a bigger difference because companies actually now care more about data governance and privacy as it relates to artificial intelligence systems. But before that, what I have seen is that companies just try to utilize these AI systems as much as they can without having a lot of consequences.
Lindsey O'Donnell Welch: Yeah, that seems to be kind of the overall trend. When you're looking at the data governance policies themselves, what I'm seeing for one best practice for companies that are implementing AI systems is to map out all the different data sources that are being used in the AI model training. And there's so much there, right? It's crazy. But a lot of the types of models aren't really publicly available. So what's the best way to navigate something like that?
Metin Kortak: Yeah, a lot of these companies are now using open-source artificial intelligence systems, meaning the AI platforms are learning from publicly available data, publicly available images, text, Google searches. So there's definitely a difference between publicly available data versus privately owned data by end users. If data is publicly available, there aren't any regulations there that prevent companies from using publicly available information. I can go do a Google search, I can use information I see from articles and other links that I see, and utilize that information to teach my AI model to respond in a certain way.
Where it gets more tricky is when behavior is based on personal information, like if a lot of people like the color yellow, and they say that they like the color yellow on their Instagram stories, or they say it on their Facebook posts or whatever, that information can be personal data, and if AI models are making decisions based on private information like that, then that's when it becomes an issue from a data governance and some privacy standpoint, because now the AI model is not just learning from publicly available information. It is actually obtaining that data from individual user accounts and utilizing their personal information to make certain decisions.
"I think that's why a lot of those recent laws in the European Union and other countries have been making a bigger difference because companies actually now care more about data governance and privacy as it relates to artificial intelligence systems."
Lindsey O'Donnell Welch: I'm curious more from the defense side of things, how you're seeing AI transforming actual cyber security practices this year. How does that compare to what you've seen in the past as well?
Metin Kortak: Yeah, so like I said, when I started working at Rhymetec, we were just in penetration testing services, and penetration testing is pretty manual labor. You have to understand what vulnerabilities are in place and then, at times, exploit those vulnerabilities in order to identify any issues with the networks, any issues with servers and other platforms.
With artificial intelligence recently, we have been seeing that AI models have also been used in aiding penetration testing, or they have been actually conducting the penetration test on their own by identifying security vulnerabilities and eventually exploiting them. Now, this is great from a pen tester standpoint because now they have an easier way to conduct these penetration tests and understand these vulnerabilities. However, it can also be dangerous in the hands of the wrong people, because that means now people have a much faster way of identifying and exploiting security vulnerabilities.
So how I see this impacting the future of cybersecurity is that I think in the beginning, it might be definitely dangerous because people will be able to identify these security vulnerabilities a lot faster, but at the same time, I think that if this practice became more common then a lot of organizations can also implement much better security controls in place and the standard for cybersecurity can be a lot higher.
Lindsey O'Donnell Welch: I think you bring up a really interesting point - this has been kind of one of the biggest discussions around AI - which is who's this going to help more - the defenders or the threat actors? And when I was at RSA a couple of weeks ago, it seemed like the consensus was that right now the defenders and the ways that you know we're using this on the defense side seem to be more sophisticated right now than what they're seeing from threat actors which is kind of basic uses for content and phishing lures, things like that.
Metin Kortak: I think that if a sophisticated threat actor is actually attempting to breach a network, they're likely not using artificial intelligence. I think that they're likely using more manual and sophisticated ways to reach networks. But I think that on the defense side, absolutely, I think using artificial intelligence can be very beneficial. I think it can help us identify these vulnerabilities a lot faster, a lot quicker and then remediate them. But I think that if somebody is really looking to breach a network, they probably have a lot better options than relying on artificial intelligence models.
Lindsey O'Donnell Welch: How is AI being used in differing capacities in ways across different industry verticals, whether that's health care or banking, and as a follow-up question to that, given the compliance challenges that each of these industries deal with, how is that a factor in how AI is being used?
Metin Kortak: So in the cybersecurity field, I have been saying that artificial intelligence has been used more in things like intrusion detection platforms to identify anomalies and suspicious activity. We already have intrusion detection systems in place, but they usually identify the anomalies and other suspicious activity and other security-related issues using a certain algorithm.
With AI, because it is using learned behavior, it is able to identify these security incidents a lot better than simply just following an algorithm. So we have seen that with things like intrusion detection systems, and vulnerability monitoring platforms, there is definitely an added benefit to utilizing artificial intelligence systems. In addition to that, we have also been seeing artificial intelligence systems and platforms, for example, answering security questionnaire services or like answering RFPs for customers. With those really tedious processes that take a lot of time manually, I think that using artificial intelligence has actually helped us complete those types of work in a much faster way.
When it comes to other industries like healthcare and banking, artificial intelligence is never 100 percent. It may give you a very solid answer and then it might give you a really bad answer the next time. So when an industry is impacting someone's life, like when you're in the healthcare industry, we don't really see artificial intelligence being used that much because it is still unpredictable, and there are still answers that we can get that may not yield good results. I think that it can still be used to aid doctors and other systems that they're using for healthcare, but I do not see it really being used for systems that might directly impact a person's life.
"I think that if a sophisticated threat actor is actually attempting to breach a network, they're likely not using artificial intelligence."
Lindsey O'Donnell Welch: As a CISO, what do you see in terms of CISO interest in AI use cases and then also how it fits into security programs within companies?
Metin Kortak: Yeah, so recently, I've been seeing a lot of third-party vendors that we work with automatically enabling artificial intelligence learning models without really asking us. Especially if you're using a SaaS product, there is a likely chance that if you go to the settings stage, there is an option to disable artificial intelligence or keep it enabled, and you will see that also the time it has been enabled by default. So we have been really just seeing that option enabled by default, and it has been really making our jobs a lot more difficult because it's essentially a new product that's being enabled without really asking our consent, and that's creating issues with third-party security assessments.
So because of that, we have been actually reviewing some of our customers' products and other critical third-party vendors that they work with and either disabling the AI tools or conducting further assessments to ensure that enabling AI will not really cause any compliance or other governance-related security concerns.
So that has really caused some issues with third-party security assessments. However, we have also been using artificial intelligence for things like answering RFPs, answering security questionnaires, analyzing logs, and analyzing security reports to better gather information in a much faster way. So I do think that it has been very valuable to us. I think that it has made our jobs a lot easier, but at the same time, we have been doing a lot more strict due diligence because of how common AI has become recently in the platforms that we use on a day-to-day basis.
Lindsey O'Donnell Welch: I think that brings up a good point which is, a lot of companies I talked to are saying, "We want AI, but we want to make sure that it solves a business problem that we have. We don't just want it slapped onto a product." As a CISO, when you're looking at different things for AI, what sticks out to you where you say, "This could be something that is applicable and might be useful for an organization," versus, "Okay, that seems like it's more hype."
Metin Kortak: I really see AI as an efficiency improvement. I think that if something is taking a long time manually, it can be likely done faster using artificial intelligence, which is why we started using AI for analyzing security logs and also identifying certain security incidents, because doing manual log reviews or reviewing certain systems manually, it just takes up a lot of time. And I think at the end of it this saves organizations a lot of money and resources because they can actually allocate those resources for solving better problems.
Lindsey O'Donnell Welch: Are there any trends related to AI and cybersecurity that you think are going to be big or something to keep our eyes on over the next year?
Metin Kortak: I would definitely keep your eyes open for any other cybersecurity regulations that are coming up. I think ISO 42001 has been becoming a lot bigger. We have a lot of customers asking us about that framework. We have already started working on that framework with some of our customers.
But on top of that we are expecting some additional cybersecurity frameworks and regulations to be released soon. So I think those should be definitely important to watch out for. Because we're expecting that in the next couple of years, a lot of organizations are going to start requiring these frameworks if you're utilizing an AI system. If you have not implemented these security controls or if you haven't really followed the guidance from some of these cybersecurity frameworks, that means you might have a lot more work to do later down the line.
You can read the original article posted in Decipher Podcast, by Lindsey O'Donnell Welch and Metin Kortak.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
Vendor management is a crucial component in safeguarding company cybersecurity. As businesses increasingly rely on various external services and products, ensuring these external partners uphold strong security standards becomes imperative. I've found that, given the rapid progression of technology in cyberspace, companies must completely understand each vendor with access to transmit or store end-user data. They must have in-depth knowledge of the vendor's security profile and monitor it diligently to mitigate potential risks. From my experience, here are some of the top reasons why many companies aren't secure in this respect.
1. Increasing Vendor Numbers
Companies are increasingly engaging with larger numbers of vendors due to globalization, the need for specialized expertise, and the drive for cost efficiency. Statistics show that organizations' average number of third-party SaaS vendors increased by 62% between 2020 and 2022. This trend is fueled by the desire to focus on core competencies, leverage technological advancements, and enhance competitive positioning in the market.
2. Higher Supply Chain Risks
The growing number of vendors is one reason for the higher percentage of supply chain attacks. These occur because key suppliers or vendors may be more vulnerable to attack than the primary target, making them weak links in the overall network. In 2020, Accenture reported that 40% of cyberattacks originated from the extended supply chain.
For instance, in 2017, NotPetya malware spread via a Ukrainian accounting software company called M.E.Doc. The malware spread to other companies that used M.E.Doc's software, including Maersk, a global shipping company. The attack caused Maersk to shut down its IT systems for several days, resulting in a loss of $300 million.
3. Lack Of Continuous Monitoring in Vendor Management
The absence of continuous vendor monitoring in vendor management can lead to missed vulnerabilities and escalating risks. Continuous monitoring is crucial for detecting changes in vendors' security postures and guaranteeing adherence to security standards. Without it, companies may find themselves blindsided by security breaches originating from their vendors. Remarkably, research from the Ponemon Institute shows that 50% of organizations don't monitor third parties accessing their sensitive and confidential information.
4. Cost-Cutting Measures
The pressure to constantly cut costs is another threat to vendor cybersecurity programs. Research shows over two-thirds of organizations spend less than 10% of their IT budgets on security. Such cost-cutting measures can lead to inadequate security practices, such as failure to renew certifications or maintain compliance annually, leaving companies vulnerable to data breaches and cyberattacks. While reducing expenses is a common business goal, it should not come at the expense of robust security measures.
5. Risk Of Non-Compliance in Vendor Management
Non-compliance with cybersecurity standards also presents considerable risks. A checkbox approach, where companies merely meet the minimum requirements for compliance, is insufficient protection against cyber threats. One study found that 59% of organizations experienced a data breach caused by a third party. This statistic emphasizes the importance of ensuring all vendors comply with security policies, as their non-compliance can lead to severe and costly security incidents, damaging both the company's data integrity and its reputation.
6. Reactive Security Approaches
Reactive third-party security approaches leave companies vulnerable because they focus on responding to breaches after they occur, allowing damage to unfold unchecked. A lack of continuous monitoring and proactive vendor risk assessments can result in unnoticed security gaps, increasing the risk of data breaches.
For example, intrusion detection is only good after the fact; it doesn't protect a company from risk. With 4,145 data breaches at an average cost of $9.44 million each, the financial impact of the 59% caused by third-party vendors in 2022 was $22.9 billion. Companies struggle to keep pace with evolving cyber threats, which can lead to non-compliance with regulatory frameworks and compromise their security posture further.
7. Inadequate Security Training
A common shortfall I've seen in vendor management is the lack of comprehensive security training for employees. Humans are every company's biggest risk factor, and training significantly impacts employees' awareness and behavior regarding information security. For example, research into permissions provided to third-party vendors in cloud environments showed that 82% of enterprise organizations provided vendors with highly privileged roles. Seventy-six percent gave vendors roles allowing full account takeover, and over 90% of cloud security teams were unaware they had given such high permissions to vendors.
How To Prioritize Security in Vendor Management
A comprehensive vendor security analysis includes sending suppliers questionnaires to vet their security profiles and continuously monitoring their postures. As it stands, 98% of organizations globally have relationships with at least one breached third party, and those that haven't been breached yet aren't immune to it happening to them.
Vigilant vendor management is vital to maintain a secure business environment. The primary risk lies in how people understand and handle their data. This understanding extends to vendor management, where the real challenge is ensuring that every vendor involved in the company's operations maintains a high security standard.
I find it critical that companies have a proactive approach that focuses on intrusion prevention and comprehensive employee training. Understanding vendors' capabilities and continuously monitoring their security postures is vital for fostering a security culture that permeates every aspect of the business, ultimately safeguarding the company's future.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Our experts have been disrupting the cybersecurity, compliance and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. Some of our customers have gone on to be acquired by Meta and Zoom. Our customers trust us to help them reap the benefits of having a stronger security program.
What makes us unique is that we act as an extension to your team. We consult on developing stronger information security programs within your environment, and provide the services to meet these standards. Most organizations offer one or the other. From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR and more) to Penetration Testing (Web Application Pentest, API Pentest, External Network Pentest and Mobile Application Pentest) and ISO Internal Audits, we offer a wide range of consulting, security, vendor management, and managed compliance services that can be tailored to your business environment.
If you’re ready to learn about how Rhymetec can help you, contact us today to meet with our team.