With a Registered Practitioner on Staff and a Proven Track Record, the Company Solidifies Its Role as a Leading Partner for Defense Contractors Navigating New CMMC Requirements.
NEW YORK, May 28, 2025 –
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces it has achieved the status of Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) through CyberAB. Developed by the U.S. Department of Defense (DoD), the CMMC Program is a set of rules designed to strengthen cybersecurity and protect sensitive government information shared with defense contractors.
As a CMMC RPO, Rhymetec is equipped to provide expert advisory and compliance readiness and maintenance services to help organizations understand CMMC requirements, implement necessary controls, and prepare for audits and assessments. This milestone is especially timely, as the final CMMC requirements take effect this month, making compliance essential for contractors looking to win or retain DoD contracts. Rhymetec's commitment to advancing CMMC readiness is further demonstrated by its active participation in industry events such as CEIC West and recent collaborations with leading compliance partners like Vanta and A-LIGN.
"With the final CMMC requirements now in effect, defense contractors and subcontractors are under real pressure to get compliance right," said Justin Rende, founder and chief executive officer of Rhymetec. "Achieving RPO status reinforces our commitment to guiding clients through this critical process with clarity, confidence, and deep expertise."
In addition to being a designated CMMC Registered Provider Organization (RPO), Rhymetec's chief information security officer (CISO), Metin Kortak, has earned the credential of CMMC Registered Practitioner (RP). This distinction underscores the company's dedication to cybersecurity excellence and hands-on expertise. Having a certified RP on staff is not only a requirement for RPOs but also enhances the value of Rhymetec's advisory and managed services, enabling more strategic guidance and tailored preparation for organizations seeking certification under the latest CMMC standards.
"CMMC isn't just about checking boxes; it's about building a resilient security posture that can stand up to real-world threats," said Metin Kortak, CISO of Rhymetec. "As a Registered Practitioner, I'm proud to help organizations cut through the complexity and take actionable steps toward long-term compliance and protection."
If your organization needs guidance navigating the complexities of CMMC compliance, including conducting gap assessments or self-assessments, developing System Security Plans (SSPs), drafting a Plan of Action and Milestones (POA&M), implementing required security controls, and supporting remediation efforts, Rhymetec can help.
You can read the original press release on PR Newswire.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers' unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec's services have grown to include a vCISO (Virtual CISO) program, ISO Internal Audits, and a variety of Penetration Testing services. For more information, please visit www.rhymetec.com and follow us on LinkedIn.
Deepak Chopra once said, "All great changes are preceded by chaos." This has never been more accurate than when it’s applied to the current AI and cybersecurity environments—and the regulations that govern them.
New frameworks like the Digital Operational Resilience Act (DORA), the EU AI Act, the Network and Information Systems Directive 2 (NIS2) and the Cybersecurity Maturity Model Certification (CMMC) are reshaping how businesses handle security, risk and compliance. These regulations aren't just about ticking boxes—they carry major financial penalties and demand real operational changes.
For companies in financial services, AI development, critical infrastructure or defense, staying ahead of the changes is vital to avoid penalties, protect data and maintain trust. Let's look at what each entails.
DORA: Protecting Financial Institutions From Cyber Disruptions
Financial institutions face constant cyber threats and operational risks. DORA aims to empower financial organizations to weather system disruptions and continue operating smoothly.
DORA requires penetration testing, vulnerability assessments and disaster recovery planning. It focuses on business continuity to ensure that if a system fails, a plan is in place to keep operations running. Banks, insurance companies and investment firms must validate security controls through rigorous testing.
This regulation is a wake-up call for financial institutions to take cybersecurity resilience seriously. The penalties for non-compliance are severe, making it crucial for businesses to invest in robust security testing and operational risk management.
The EU AI Act: Setting The Global Standard For AI Compliance
AI development currently operates in a regulatory gray area, but the EU AI Act is changing that. One of the first laws to set clear boundaries on AI usage, it focuses on ethical risks, security concerns and prohibited applications.
The most important takeaway is the significant financial penalties for non-compliance: These can be up to 7% of a company's global annual revenue or 35 million euros, whichever is higher. That's more than GDPR, which has already forced businesses worldwide to rethink their approach to data privacy.
This law explicitly bans certain AI applications, particularly those that exploit vulnerabilities. The ban includes AI-powered cyberattacks, social manipulation and unethical facial recognition practices. Article 5 of the act outlines prohibited AI uses, such as systems that exploit people's age, disabilities or socioeconomic circumstances.
This isn't simply a privacy factor; its purpose is to prevent AI from being weaponized.
A common misconception is that this law only affects European companies. That's not the case. Any company developing, deploying or processing AI systems in the EU—or serving EU customers—must comply. For example, if a U.S. company hosts its platform in an EU data center or processes European customer data, this regulation applies.
The EU AI Act is setting the stage for global AI governance. Similar regulations are expected to emerge worldwide, making it smart for businesses to adapt now rather than scrambling to comply later.
NIS2: Strengthening Cybersecurity For Critical Infrastructure
Also in the EU, the NIS2 Directive expands cybersecurity requirements for critical industries like energy, healthcare, transportation and digital services. It builds on the original NIS Directive but goes much further, applying to more organizations, increasing security expectations and enforcing stricter penalties.
The enhanced reporting requirements are one of the biggest challenges. Companies must notify regulators of cyber incidents within 24 hours, provide a complete assessment within 72 hours and demonstrate they are actively managing security risks.
The directive also emphasizes stronger supply chain security, holding companies responsible for ensuring their vendors meet cybersecurity standards. This means businesses can't just secure their own systems—they must also vet suppliers and partners to prevent weak links in the supply chain.
Beyond reporting and supply chain oversight, NIS2 enforces stricter governance requirements. Organizations must appoint security officers, conduct regular risk assessments and develop robust cybersecurity policies. Those that fail to comply face heavy financial penalties and increased regulatory scrutiny.
Compliance isn't optional for companies operating in or serving the EU market. NIS2 is setting a new cybersecurity standard, and businesses that don't act risk fines, operational disruptions and reputational damage.
CMMC: Raising the Bar For U.S. Defense Contractors
The CMMC is a requirement for companies working with the U.S. Department of Defense (DoD). It builds on cybersecurity frameworks like NIST 800-171, ensuring that defense contractors follow strict security protocols to protect sensitive government data.
Recent changes to CMMC include a new self-assessment option for Level 1 compliance, making it easier for smaller contractors to meet requirements without hiring third-party auditors. However, higher certification levels still require independent verification, adding layers of accountability.
With the new compliance requirements going into effect in mid-2025, businesses need to act now. The DoD has made it clear that CMMC certification will be mandatory for contracts, and companies that don't comply risk losing business.
Evolving Security Frameworks: A Smarter Approach To Compliance
For organizations handling sensitive data in healthcare, finance and other regulated industries, new security frameworks present a way to prove compliance with strict privacy and cybersecurity standards. In the past, certification required a lengthy, one-size-fits-all assessment, but newer models offer more flexible options with fewer controls, reducing complexity while maintaining security.
Many businesses don't realize that certification levels vary, and choosing a lower-tier option may not meet regulatory or customer expectations. This is especially important for HIPAA compliance, where recognized certifications can demonstrate that companies meet security standards. As cybersecurity laws evolve, understanding these frameworks ensures that businesses stay compliant, competitive and prepared for future regulations.
Laws like DORA, the EU AI Act and NIS2 are designed to keep technology from becoming a threat. AI development currently lacks clear rules—without oversight, it can be used in dangerous ways. These regulations force businesses to prioritize security and ethics upfront, preventing bigger problems down the road.
To stay ahead, organizations must:
- Identify relevant regulations and update security policies.
- Invest in risk assessments, penetration testing and employee training.
- Stay informed—more regulations are coming.
Compliance isn't just about avoiding penalties but about building a safer, more resilient digital future. Companies that act now will lead, while those that wait will fall behind.
You can read the original article posted in Forbes by Rhymetec CISO, Metin Kortak.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
Leading cloud security company celebrates 10 years of success, attributing sustainable growth to its highly skilled team, strategic partnerships and global expansion.
(NEW YORK — March 28, 2025) –
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance and data privacy services to modern-day SaaS businesses, today announces multiple significant accomplishments in honor of its 10-year anniversary. These include continued company growth, both in the U.S. and internationally, service expansion, and strengthened strategic partnerships.
"I could not be more proud of the accomplishments of our team at Rhymetec. For the past 10 years, we have continued to evolve to meet our clients' needs, while navigating constant changes in the industry," said Justin Rende, founder and chief executive officer of Rhymetec. "We've built a network of trusted partners to better serve our customers and looking to the future, we remain committed to the same mission we started with — to deliver sustainable compliance strategies with the highest security standards."
Since its founding in 2015, Rhymetec has experienced notable milestones and accomplishments, including:
Company Growth:
- Rhymetec has more than 35 full-time employees today. Rhymetec is proud to state that they do not outsource their services.
- Has served more than 1,000 clients spanning companies of all sizes from startups to enterprises
- Helped clients manage more than 1,200 Audits
- Completed more than 900 Penetration Tests
New Frameworks and Compliance Offerings for 2025:
These offerings are alongside Rhymetec's Virtual CISO (vCISO) service:
- CMMC
- DORA
- NIS-2
- EU AI Act
- Data Privacy Framework
Rhymetec's strategic partnerships and active participation in key industry events have been essential to the company's success and growth. Over the years, collaborations with industry leaders like Vanta, Drata, A-LIGN, and others have not only solidified Rhymetec's role as a trusted partner but also fueled momentum for shared growth. Joining together on events such as Vanta's company kick-off and Drata and A-LIGN's sales kick-off serves as an opportunity to strengthen relationships, exchange insights, and drive collective innovation in the cybersecurity and compliance space.
These partnerships, along with sponsorships at major conferences in Q1 like ViVE, reinforce Rhymetec's commitment to elevating industry standards, supporting clients through their growth phases, and driving forward the shared mission of delivering top-tier security and compliance solutions.
Also notable in Rhymetec's success is its strategic approach to employee development. The company recently announced the promotion of Endri Domi, one of Rhymetec's first employees, from security program manager to information security manager. In his new role, Domi will help lead Rhymetec's team of highly skilled security professionals.
"I am grateful for the trust and support from my colleagues and leadership at Rhymetec," Domi said. "I am excited to tackle new challenges and continue delivering excellence in information security for our clients."
To learn more about Rhymetec and its suite of cybersecurity services, visit www.rhymetec.com.
You can read the original press release on PR Newswire.
Businesses often rely on a network of vendors to support their operations, yet many don’t realize this reliance comes with significant cybersecurity risks. Because of this, strengthening vendor risk management isn't just a necessity; it's a critical component of maintaining customer trust and safeguarding sensitive information. Here's how businesses can strengthen their vendor risk management practices and stay ahead of potential threats:
Start With Due Diligence
Before onboarding a vendor, conduct a thorough evaluation of their security practices. This means more than simply reviewing their policies or taking their word for it. Begin by requesting detailed information about their cybersecurity measures, including network security, data protection protocols, and any certifications or attestation reports they hold (e.g., ISO 27001 or SOC 2 compliance).
Next, conduct interviews with their team, ask for case studies and request references from other clients. A vendor's security posture should be robust and transparent, and any hesitance or vagueness in providing this information should be considered a red flag.
Implement Ongoing Monitoring And Review Processes
Onboarding a vendor with strong security practices is just the beginning. Cybersecurity isn’t static, and your approach to vendor management shouldn't be either. Define a process for ongoing monitoring of your vendors' security postures. This could involve quarterly reviews, where you reassess vendors' network security, business continuity plans, and any incidents of data breaches.
Regular reviews help verify that vendors maintain the standards agreed upon at the start of your partnership. After all, a vendor's security measures might lapse or become outdated over time, posing a risk to your business. By staying proactive and conducting regular assessments, you can identify and address potential issues before they escalate.
Strengthen Communication And Transparency
Transparency is key in vendor relationships, especially when it comes to cybersecurity. Establish clear communication channels and expectations from the start. Your vendors should be aware that you expect to be informed of any security incidents or changes in their operations that could impact their ability to safeguard your data.
You may also want to consider asking your vendors if they have a trust center or public page that outlines their controls and practices, reporting on their security status in real time. This kind of transparency builds trust and allows you to address potential risks swiftly.
Leverage Technology For Continuous Monitoring
As the number of vendors you work with increases, so does the complexity of managing them. To stay ahead, you can invest in technology solutions that help automate the monitoring process. Tools that continuously track vendor performance, security updates, and compliance status can provide real-time insights, enabling you to act quickly if a risk is identified.
These tools can also help you maintain an up-to-date inventory of your vendors, track the flow of data between your company and its vendors, and identify any potential vulnerabilities. In the cybersecurity landscape, where threats evolve rapidly, leveraging technology can provide a significant advantage in staying ahead of potential risks.
Tailor Your Approach Based On Vendor Risk Levels
Not all vendors pose the same level of risk to your organization, so a one-size-fits-all approach to vendor management can be inefficient and ineffective. Instead, classify your vendors based on their access to your sensitive data and the potential impact on your business if their security were to be compromised.
More stringent monitoring and controls should be in place for high-risk vendors, such as those with access to critical systems or sensitive customer information. This might include more frequent reviews, higher standards for cybersecurity measures, and more detailed contractual obligations. A less intensive approach may be sufficient for lower-risk vendors, but they should still be subject to regular reviews to ensure they meet your security expectations.
Cultivate A Culture Of Security Within Your Organization
Strengthening vendor risk management starts with a culture of security within your own organization. Your team should understand the importance of cybersecurity and be trained to identify potential risks when interacting with vendors. Encourage your employees to follow best practices, like verifying the legitimacy of vendor claims and reporting any suspicious behavior.
Develop A Vendor Incident Response Plan
Incidents can still occur no matter how robust your vendor management process is. As such, it’s crucial to have a vendor incident response plan outlining the steps your company will take if a vendor's security is compromised. This plan should include clear communication protocols, roles and responsibilities, and a process for mitigating the impact of a security breach.
By planning for the worst, you can respond quickly and effectively to minimize the damage to your business and your clients. A well-prepared incident response plan can also help to reassure your clients that you are committed to protecting their data, even in the face of unexpected challenges.
In Closing
Strengthening vendor risk management is not a one-time task, but an ongoing commitment. By implementing comprehensive due diligence, ongoing monitoring, clear communication, and leveraging technology, businesses can significantly reduce their exposure to cybersecurity risks. Prioritizing cybersecurity and ethics in vendor management protects your business and builds the trust essential for long-term success in the digital era.
You can read the original article posted in Fast Company by Rhymetec CEO, Justin Rende.
Rhymetec Wraps Up 2024 with Major Milestones and a Continued Commitment to Cybersecurity Excellence
(NEW YORK — Dec. 10, 2024) –
/PRNewswire/ — Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces significant milestones as it closes out a transformative year. Following 61% employee growth and the launch of an internship program in 2024, Rhymetec has further solidified its position as an industry leader through ongoing efforts to drive continuous improvement in services, build strategic partnerships, and maintain the highest standards of security and compliance for its clients.
“We’ve always believed that security and compliance are not ‘one-and-done’ efforts—they need to be integrated into the foundation of an organization’s operations,” said Justin Rende, founder and chief executive officer of Rhymetec. “In a market where many competitors offer solutions so companies can check the box of security, we remain true to our mission of delivering ongoing, sustainable compliance strategies and the highest security standards. As we look ahead to 2025, we’re dedicated to further progress, transparency, and partnerships that help our clients achieve long-term success and meet the evolving challenges of global regulations.”
This year, Rhymetec launched an internship program to cultivate cybersecurity’s next generation of talent. The company enjoyed celebrating its success throughout the year and strengthening its partnerships with key industry players during a company retreat in Cabo San Lucas. Representatives from Vanta and A-LIGN joined the retreat, where the teams discussed plans for further collaboration. In 2024 alone, Rhymetec solidified its partnerships with organizations like Johanson Group and Drata—becoming a Drata gold partner—and further developed partnerships with Picnic, A-LIGN, and BARR, to name a few.
“Johanson Group has been working with Rhymetec for five years,” said Ryan Johanson, partner at Johanson Group. “They have always done a fantastic job helping clients implement a GRC platform and getting them ready for audit. They are responsive to clients’ needs and insightful about the technology and compliance roadmaps. When we see a client working with Rhymetec, we know the client will be well prepared for the audit.”
In 2025, Rhymetec is preparing to introduce new frameworks and compliance offerings to address emerging global regulations, including DORA, NIS 2, and the EU AI Act. Additionally, the company plans to enhance its application security offerings, focusing on more proactive, offensive solutions.
To learn more about Rhymetec and its suite of cybersecurity services, please visit www.rhymetec.com.
Read the original press release on PRNewswire.
Compliance Gap Assessments, ISO 42001 Guide and a New Strategic Hire, Highlight Rhymetec's Growth and Commitment to Excellence
NEW YORK, Oct. 1, 2024 - PRNewswire -
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces notable company updates. The company spent the quarter expanding service offerings, including compliance gap assessments, to support a new market of clients, continuing to build a market presence at conferences globally, and creating new resources including a comprehensive ISO 42001 guide. Additionally, Rhymetec made a vital hire to evolve and lead their penetration testing efforts.
"Q3 has been a remarkable period of growth for us," said Justin Rende, CEO and founder of Rhymetec. "From making our compliance gap assessments accessible to clients outside of our vCISO services to introducing our ISO 42001 guide, we've hit key milestones that enhance both our service offering and industry presence. Bringing on additional penetration testing leadership also underscores our dedication to strengthening our security expertise as we continue to scale."
Compliance gap assessments, now offered as an individual service, were historically offered as a perk of Rhymetec's managed vCISO services. Gap assessments help businesses identify areas where they may fall short of compliance requirements and also help them determine how well their organization aligns with key security and privacy frameworks like NIST, SOC 2, GDPR, HIPAA, FedRAMP, and ISO 27001. The assessments' real value is in what comes next: a clear roadmap to compliance that prioritizes resources and offers actionable steps to close any gaps. With this new service, a wider array of SaaS businesses can take full advantage of a third-party assessment of their infosec program in preparation for external audits and certifications.
In addition to adding compliance gap assessments, Rhymetec:
- Participated in SaaStr in September and will have a presence at the Web Summit in Lisbon, Portugal in November.
- Further strengthened its already robust security team by hiring a highly successful penetration tester with 21 licenses and certifications, including his CJIS - Level 4 from the Federal Bureau of Investigation (FBI) and numerous credentials and certifications from CompTIA.
- Created a thorough guide to help organizations prepare for their ISO 42001 audit. Broken into four critical phases, including Foundation, Execution, Audit Preparation, and Certification, the handbook was written to help busy SaaS and tech leaders shorten their timelines, reduce their team's level of effort, and successfully guide their company through ISO 42001 compliance.
"ISO 42001 is essential for organizations looking to build trustworthy AI systems, but navigating compliance requirements can be challenging," said Metin Kortak, CISO at Rhymetec. "At Rhymetec, we've developed a comprehensive ISO 42001 guide to streamline this process, offering a clear checklist to break down readiness steps, a timeline cheat sheet to assess certification duration, and a detailed FAQs section that addresses the most common concerns. With these tools, we aim to empower businesses to implement ISO 42001, enhancing their AI governance while aligning compliance efforts with broader business goals."
To learn more about Rhymetec and its suite of cybersecurity services, please visit www.rhymetec.com.
Metin Kortak, CISO with Rhymetec, talks about how organizations are approaching data privacy and security compliance, and thinking about risk management policies, when it comes to generative AI in the workplace.
Below is a lightly edited transcript from the Decipher podcast conversation.

Decipher Podcast: Metin Kortak
Lindsey O'Donnell Welch: This is Lindsey O'Donnell Welch with Decipher and I'm here today with Metin Kortak, CISO with Rhymetec. Thank you so much for coming on today. It's really nice to speak to you.
Metin Kortak: Thank you very much for having me.
Lindsey O'Donnell Welch: Can you talk about your path into the cybersecurity industry and what drew you to the CISO role?
Metin Kortak: Yeah, absolutely. I have a computer science background, and when I first started working at Rhymetec, we were actually only offering penetration testing as a service to our customers, and then later on, we realized that with our customers, there's this demand for becoming compliant with various cybersecurity frameworks, which at that time wasn't my specialty - I was more of a network security person. But as we realized that this is a very big demand from our customers, we expanded our business more for compliance and providing cyber security solutions services.
Lindsey O'Donnell Welch: I know that you do a lot with compliance and privacy, and I wanted to talk a little bit about what you're seeing there, specifically with AI being such a big topic over the past year with generative AI and the general availability there. How does AI fit into companies' existing compliance and privacy frameworks, from your perspective?
Metin Kortak: Yeah, I always say that because technology evolves so fast, laws, regulations, any sort of compliance frameworks, they always come after the technology has been created and actually built in a proper manner. We have been actually working with AI systems for the past couple of years but not until recently there has been some more compliance frameworks and regulations that became more solid. Recently we've been working with ISO 42001, which has been a recent cybersecurity framework that was really created to secure artificial intelligence systems.
But this framework hasn't even been in place up until just a couple of months ago, and even with the auditors that we're working with, they're not even yet accredited to conduct audits against these frameworks. So it's all just very new and there are a lot of concerns from our customers because they want to make sure that they're doing the right thing, they want to make sure that they're complying with certain regulations. But at the same time, the regulations are not really available to them. So they don't have a lot of guidance from the government or from other cybersecurity framework providers. So it has definitely been difficult, and what we have been doing is following these guidelines, and sometimes we have to create our own guidelines for ensuring data privacy and data security.
Lindsey O'Donnell Welch: Outside of the Biden administration's executive order around AI and security, there haven't been really any official types of things that people or companies can point to and say, here's what we need to do about AI and privacy and security. I know in the EU they recently passed the AI Act that outlined some of the governance policies that companies need to follow. Is that something that is top of mind for companies?
Metin Kortak: Yeah, absolutely, we've been following the key frameworks, we have also been following the NIST AI frameworks that have been released but are not really being used by a lot of companies right now. But on top of that, as you know, GDPR has been around for a long time.
And on top of that, in California, there has been CCPA for data privacy acts, and even if there wasn't an official artificial intelligence cybersecurity framework, what we have been doing to kind of like get around that is ensuring that our customers are still complying with frameworks like GDPR, CCPA, while they are producing artificial intelligence systems because even though there aren't specific AI guidelines, there are guidelines around data privacy and data security and we can interpret those guidelines and ensure that AI systems are still complying with those frameworks.
Lindsey O'Donnell Welch: Yeah, so it seems like the main approach here is to look at the existing frameworks and see if those policies can encompass what we're seeing with AI and lean on those existing ones?
Metin Kortak: Correct. For example, when we're working with artificial intelligence systems, there are language learning models - LLMs. Language learning models capture personal information and other data, and based on that data, they will yield results. And they continue to learn from that data. And when we're talking about a data privacy framework like GDPR, end users do have the option for their data to be removed. So what we do is implement procedures in place so that their personal data can not only be removed from databases but also from language learning models, so that data cannot be used for teaching the artificial intelligence learning behavior.
Lindsey O'Donnell Welch: Do you see companies thinking about data governance at all, is that top of mind for people as it relates to AI, or are people mostly just diving in headfirst and saying, "Here's this really cool AI application that we can deploy," and then not really [thinking about] dealing with the consequences after?
Metin Kortak: Yeah I've been seeing a lot of companies just like jumping on the bandwagon. Whenever AI is out there, they're like, "We have to do something AI, we have to do something AI," and they're working with all of these third-party providers, they're trying to build their own artificial intelligence systems. But they're trying to do it in a fast way because it's no longer about data security governance and privacy, and it's more about competing in the marketplace.
Everybody wants to make sure that they have some type of AI product because now it makes them better than the competitor that doesn't. So I have been seeing very little attention to cybersecurity and data privacy when implementing these artificial intelligence systems because companies mostly care about how they can be better when it comes to their competitors. And because there weren't a lot of regulation/compliance frameworks, it was almost like a free for all - you can do whatever you want, you can create your AI system, you can opt your users in, you can capture their data without really having some solid consequences from a legal standpoint.
I think that's why a lot of those recent laws in the European Union and other countries have been making a bigger difference because companies actually now care more about data governance and privacy as it relates to artificial intelligence systems. But before that, what I have seen is that companies just try to utilize these AI systems as much as they can without having a lot of consequences.
Lindsey O'Donnell Welch: Yeah, that seems to be kind of the overall trend. When you're looking at the data governance policies themselves, what I'm seeing for one best practice for companies that are implementing AI systems is to map out all the different data sources that are being used in the AI model training. And there's so much there, right? It's crazy. But a lot of the types of models aren't really publicly available. So what's the best way to navigate something like that?
Metin Kortak: Yeah, a lot of these companies are now using open-source artificial intelligence systems, meaning the AI platforms are learning from publicly available data, publicly available images, text, Google searches. So there's definitely a difference between publicly available data versus privately owned data by end users. If data is publicly available, there aren't any regulations there that prevent companies from using publicly available information. I can go do a Google search, I can use information I see from articles and other links that I see, and utilize that information to teach my AI model to respond in a certain way.
Where it gets more tricky is when behavior is based on personal information, like if a lot of people like the color yellow, and they say that they like the color yellow on their Instagram stories, or they say it on their Facebook posts or whatever, that information can be personal data, and if AI models are making decisions based on private information like that, then that's when it becomes an issue from a data governance and some privacy standpoint, because now the AI model is not just learning from publicly available information. It is actually obtaining that data from individual user accounts and utilizing their personal information to make certain decisions.
Lindsey O'Donnell Welch: I'm curious more from the defense side of things, how you're seeing AI transforming actual cyber security practices this year. How does that compare to what you've seen in the past as well?
Metin Kortak: Yeah, so like I said, when I started working at Rhymetec, we were just in penetration testing services, and penetration testing is pretty manual labor. You have to understand what vulnerabilities are in place and then, at times, exploit those vulnerabilities in order to identify any issues with the networks, any issues with servers and other platforms.
With artificial intelligence recently, we have been seeing that AI models have also been used in aiding penetration testing, or they have been actually conducting the penetration test on their own by identifying security vulnerabilities and eventually exploiting them. Now, this is great from a pen tester standpoint because now they have an easier way to conduct these penetration tests and understand these vulnerabilities. However, it can also be dangerous in the hands of the wrong people, because that means now people have a much faster way of identifying and exploiting security vulnerabilities.
So how I see this impacting the future of cybersecurity is that I think in the beginning, it might be definitely dangerous because people will be able to identify these security vulnerabilities a lot faster, but at the same time, I think that if this practice became more common then a lot of organizations can also implement much better security controls in place and the standard for cybersecurity can be a lot higher.
Lindsey O'Donnell Welch: I think you bring up a really interesting point - this has been kind of one of the biggest discussions around AI - which is who's this going to help more - the defenders or the threat actors? And when I was at RSA a couple of weeks ago, it seemed like the consensus was that right now the defenders and the ways that you know we're using this on the defense side seem to be more sophisticated right now than what they're seeing from threat actors which is kind of basic uses for content and phishing lures, things like that.
Metin Kortak: I think that if a sophisticated threat actor is actually attempting to breach a network, they're likely not using artificial intelligence. I think that they're likely using more manual and sophisticated ways to reach networks. But I think that on the defense side, absolutely, I think using artificial intelligence can be very beneficial. I think it can help us identify these vulnerabilities a lot faster, a lot quicker and then remediate them. But I think that if somebody is really looking to breach a network, they probably have a lot better options than relying on artificial intelligence models.
Lindsey O'Donnell Welch: How is AI being used in differing capacities in ways across different industry verticals, whether that's health care or banking, and as a follow-up question to that, given the compliance challenges that each of these industries deal with, how is that a factor in how AI is being used?
Metin Kortak: So in the cybersecurity field, I have been saying that artificial intelligence has been used more in things like intrusion detection platforms to identify anomalies and suspicious activity. We already have intrusion detection systems in place, but they usually identify the anomalies and other suspicious activity and other security-related issues using a certain algorithm.
With AI, because it is using learned behavior, it is able to identify these security incidents a lot better than simply just following an algorithm. So we have seen that with things like intrusion detection systems, and vulnerability monitoring platforms, there is definitely an added benefit to utilizing artificial intelligence systems. In addition to that, we have also been seeing artificial intelligence systems and platforms, for example, answering security questionnaire services or like answering RFPs for customers. With those really tedious processes that take a lot of time manually, I think that using artificial intelligence has actually helped us complete those types of work in a much faster way.
When it comes to other industries like healthcare and banking, artificial intelligence is never 100 percent. It may give you a very solid answer and then it might give you a really bad answer the next time. So when an industry is impacting someone's life, like when you're in the healthcare industry, we don't really see artificial intelligence being used that much because it is still unpredictable, and there are still answers that we can get that may not yield good results. I think that it can still be used to aid doctors and other systems that they're using for healthcare, but I do not see it really being used for systems that might directly impact a person's life.
Lindsey O'Donnell Welch: As a CISO, what do you see in terms of CISO interest in AI use cases and then also how it fits into security programs within companies?
Metin Kortak: Yeah, so recently, I've been seeing a lot of third-party vendors that we work with automatically enabling artificial intelligence learning models without really asking us. Especially if you're using a SaaS product, there is a likely chance that if you go to the settings stage, there is an option to disable artificial intelligence or keep it enabled, and you will see that also the time it has been enabled by default. So we have been really just seeing that option enabled by default, and it has been really making our jobs a lot more difficult because it's essentially a new product that's being enabled without really asking our consent, and that's creating issues with third-party security assessments.
So because of that, we have been actually reviewing some of our customers' products and other critical third-party vendors that they work with and either disabling the AI tools or conducting further assessments to ensure that enabling AI will not really cause any compliance or other governance-related security concerns.
So that has really caused some issues with third-party security assessments. However, we have also been using artificial intelligence for things like answering RFPs, answering security questionnaires, analyzing logs, and analyzing security reports to better gather information in a much faster way. So I do think that it has been very valuable to us. I think that it has made our jobs a lot easier, but at the same time, we have been doing a lot more strict due diligence because of how common AI has become recently in the platforms that we use on a day-to-day basis.
Lindsey O'Donnell Welch: I think that brings up a good point which is, a lot of companies I talked to are saying, "We want AI, but we want to make sure that it solves a business problem that we have. We don't just want it slapped onto a product." As a CISO, when you're looking at different things for AI, what sticks out to you where you say, "This could be something that is applicable and might be useful for an organization," versus, "Okay, that seems like it's more hype."
Metin Kortak: I really see AI as an efficiency improvement. I think that if something is taking a long time manually, it can be likely done faster using artificial intelligence, which is why we started using AI for analyzing security logs and also identifying certain security incidents, because doing manual log reviews or reviewing certain systems manually, it just takes up a lot of time. And I think at the end of it this saves organizations a lot of money and resources because they can actually allocate those resources for solving better problems.
Lindsey O'Donnell Welch: Are there any trends related to AI and cybersecurity that you think are going to be big or something to keep our eyes on over the next year?
Metin Kortak: I would definitely keep your eyes open for any other cybersecurity regulations that are coming up. I think ISO 42001 has been becoming a lot bigger. We have a lot of customers asking us about that framework. We have already started working on that framework with some of our customers.
But on top of that we are expecting some additional cybersecurity frameworks and regulations to be released soon. So I think those should be definitely important to watch out for. Because we're expecting that in the next couple of years, a lot of organizations are going to start requiring these frameworks if you're utilizing an AI system. If you have not implemented these security controls or if you haven't really followed the guidance from some of these cybersecurity frameworks, that means you might have a lot more work to do later down the line.
You can read the original article posted in Decipher Podcast, by Lindsey O'Donnell Welch and Metin Kortak.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
Vendor management is a crucial component in safeguarding company cybersecurity. As businesses increasingly rely on various external services and products, ensuring these external partners uphold strong security standards becomes imperative. I've found that with the rapid progression of technology in cyberspace, companies must completely understand each vendor with access to transmit or store end-user data. They must have in-depth knowledge of the vendor's security profile and monitor it diligently to mitigate potential risks. From my experience, here are some of the top reasons why many companies aren't secure in this respect.
1. Increasing Vendor Numbers
Companies are increasingly engaging with larger numbers of vendors due to globalization, the need for specialized expertise, and the drive for cost efficiency. Statistics show that organizations' average number of third-party SaaS vendors increased by 62% between 2020 and 2022. This trend is fueled by the desire to focus on core competencies, leverage technological advancements, and enhance competitive positioning in the market.
2. Higher Supply Chain Risks
The growing number of vendors is one reason for the higher percentage of supply chain attacks. These occur because key suppliers or vendors may be more vulnerable to attack than the primary target, making them weak links in the overall network. In 2020, Accenture reported that 40% of cyberattacks originated from the extended supply chain.
For instance, in 2017, NotPetya malware spread via a Ukrainian accounting software company called M.E.Doc. The malware spread to other companies that used M.E.Doc's software, including Maersk, a global shipping company. The attack caused Maersk to shut down its IT systems for several days, resulting in a loss of $300 million.
3. Lack Of Continuous Monitoring in Vendor Management
The absence of continuous vendor monitoring in vendor management can lead to missed vulnerabilities and escalating risks. Continuous monitoring is crucial for detecting changes in vendors' security postures and guaranteeing adherence to security standards. Without it, companies may find themselves blindsided by security breaches originating from their vendors. Remarkably, research from the Ponemon Institute shows that 50% of organizations don't monitor third parties accessing their sensitive and confidential information.
4. Cost-Cutting Measures
The pressure to constantly cut costs is another threat to vendor cybersecurity programs. Research shows over two-thirds of organizations spend less than 10% of their IT budgets on security. Such cost-cutting measures can lead to inadequate security practices, such as failure to renew certifications or maintain compliance annually, leaving companies vulnerable to data breaches and cyberattacks. While reducing expenses is a common business goal, it should not come at the expense of robust security measures.
5. Risk Of Non-Compliance in Vendor Management
Non-compliance with cybersecurity standards also presents considerable risks. A checkbox approach, where companies merely meet the minimum requirements for compliance, is insufficient protection against cyber threats. One study found that 59% of organizations experienced a data breach caused by a third party. This statistic emphasizes the importance of ensuring all vendors comply with security policies, as their non-compliance can lead to severe and costly security incidents, damaging both the company's data integrity and its reputation.
6. Reactive Security Approaches
Reactive third-party security approaches leave companies vulnerable because they focus on responding to breaches after they occur, allowing damage to unfold unchecked. A lack of continuous monitoring and proactive vendor risk assessments can result in unnoticed security gaps, increasing the risk of data breaches.
For example, intrusion detection is only good after the fact; it doesn't protect a company from risk. With 4,145 data breaches at an average cost of $9.44 million each, the financial impact of the 59% caused by third-party vendors in 2022 was $22.9 billion. Companies struggle to keep pace with evolving cyber threats, which can lead to non-compliance with regulatory frameworks and compromise their security posture further.
7. Inadequate Security Training
A common shortfall I've seen in vendor management is the lack of comprehensive security training for employees. Humans are every company's biggest risk factor, and training significantly impacts employees' awareness and behavior regarding information security. For example, research into permissions provided to third-party vendors in cloud environments showed that 82% of enterprise organizations provided vendors with highly privileged roles. Seventy-six percent gave vendors roles allowing full account takeover, and over 90% of cloud security teams were unaware they had given such high permissions to vendors.
How To Prioritize Security in Vendor Management
A comprehensive vendor security analysis includes sending suppliers questionnaires to vet their security profiles and continuously monitoring their postures. As it stands, 98% of organizations globally have relationships with at least one breached third party, and those that haven't been breached yet aren't immune to it happening to them.
Vigilant vendor management is vital to maintain a secure business environment. The primary risk lies in how people understand and handle their data. This understanding extends to vendor management, where the real challenge is ensuring that every vendor involved in the company's operations maintains a high security standard.
I find it critical that companies have a proactive approach that focuses on intrusion prevention and comprehensive employee training. Understanding vendors' capabilities and continuously monitoring their security postures is vital for fostering a security culture that permeates every aspect of the business, ultimately safeguarding the company's future.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Our experts have been disrupting the cybersecurity, compliance and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. Some of our customers have gone on to be acquired by Meta and Zoom. Our customers trust us to help them reap the benefits of having a stronger security program.
What makes us unique is that we act as an extension to your team. We consult on developing stronger information security programs within your environment, and provide the services to meet these standards. Most organizations offer one or the other. From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR and more) to Penetration Testing (Web Application Pentest, API Pentest, External Network Pentest and Mobile Application Pentest) and ISO Internal Audits, we offer a wide range of consulting, security, vendor management, and managed compliance services that can be tailored to your business environment.
If you’re ready to learn about how Rhymetec can help you, contact us today to meet with our team.
The industry leader in cloud security expands team and welcomes new and expanded partnerships with Drata, Picnic, and A-LIGN.
(NEW YORK — April 30, 2024) –
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces recent wins, new partnerships, and noteworthy company updates.
Hiring Growth
Since its inception in 2015, the Rhymetec leadership team has worked to build a dynamic culture that strives to pioneer the way in SaaS security, compliance, and data privacy for their clientele. The company currently boasts an innovative team that works hard to serve more than 600 clients globally today. Rhymetec has grown substantially over the last year and has doubled its employee headcount to meet the growing demand of new and existing clients.
New and Evolving Partnerships
Rhymetec is proud to announce strategic partnerships with industry-leading organizations Picnic Corporation and A-LIGN, adding to the list of vetted and trusted industry partners the company works with.
Picnic Corporation is a cybersecurity firm that provides enterprises with the capability to manage their external human attack surface by detecting, preventing, and protecting against social engineering and credential-stuffing attacks. The partnership with Picnic will help Rhymetec clients globally build more effective and compliant infosec programs by complementing technological controls and helping organizations effectively address the dynamic nature of cybersecurity threats.
"At Picnic, we're excited to announce our partnership with Rhymetec, empowering their clients worldwide to fortify their information security programs effectively," said Matt Polak, CEO and founder of Picnic Corporation. "By leveraging Picnic's innovative managed solutions, Rhymetec's clients can proactively mitigate human-centric cyber threats, moving beyond mere detection and response to true attack prevention."
A-LIGN is the leader in high-quality, efficient cybersecurity compliance programs, trusted by more than 4,000 global organizations to mitigate cybersecurity risks. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of audit services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and HITRUST and a top three FedRAMP assessor. With this newly established partnership, Rhymetec clients can access high-quality cybersecurity audits.
"A-LIGN is proud to partner with Rhymetec, a company that shares the same goals and objectives that we do for our more than 4,000 global organizations we work with," said Ryan Grace, CRO at A-LIGN. "We are looking forward to extending our tailored, top-tier cybersecurity audit services to Rhymetec's clientele."
Rhymetec has had a long-standing collaboration with Drata, a leader in security and compliance automation. In February of 2024, Drata debuted "Launch - The Drata Alliance Program," headlining Rhymetec and one other partner as a Gold Tier channel partner. This top tier achievement is based on business, performance and certification requirements set by Drata. This enables Rhymetec to continue to provide comprehensive cybersecurity solutions more effectively to Drata customers as a trusted partner.
"Rhymetec is an extension of Drata's GTM organization and we share the same core mission to build trust across the cloud," said Kevin Kriebel, vice president of partnerships at Drata. "As a Gold Tier partner, Rhymetec has proven to be a valued and trusted partner for Drata customers and we look forward to long term success."
Educational Initiatives
With a commitment to thought leadership and providing valuable educational resources to SaaS businesses and startups, Rhymetec has set a company-wide goal to become the go-to hub for cybersecurity, compliance and data privacy. One of the company's initiatives includes the release of a comprehensive "Cybersecurity for Startups" guide, aimed at equipping emerging businesses with the knowledge and tools needed to navigate the complex cybersecurity landscape successfully. The guide dives into the five practical steps small businesses can take to improve their business security, along with insights into the most frequently asked questions about cybersecurity and more.
International Growth
The Rhymetec team headed down to Rio de Janeiro to attend the Web Summit Rio 2024 conference this month. The organizers of Web Summit conduct some of the world's biggest and best tech conferences, hosting over 100,000 attendees from around the world throughout their portfolio of shows, including founders and CEOs of tech companies and emerging startups. This is the company's first international conference to expand its global reach and audience.
"At Rhymetec, our commitment to partnership fuels our ability to innovate and provide cutting-edge cybersecurity solutions that meet the evolving needs of our clients," said Justin Rende, CEO and founder of Rhymetec. "Our recent achievements, including new partnerships with Picnic Corporation and A-LIGN and our recognition as a Gold Tier channel partner with Drata, showcase our ongoing dedication to our partners and reinforce our ability to deliver cloud security solutions that assist in safeguarding our clients' assets. We're excited about our continued growth as a company and will continue to serve our clients with unparalleled expertise and dedication."
To learn more about Rhymetec and its suite of cybersecurity services, please visit www.rhymetec.com.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers' unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec's services have grown to include a vCISO (Virtual CISO) program, ISO Internal Audits, and a variety of Penetration Testing services. For more information, please visit www.rhymetec.com and follow us on Twitter or LinkedIn.
Since the pandemic began, remote work has grown in popularity to the point that many companies now operate remotely. The Bureau of Labor Statistics found that around 27% of the U.S. workforce worked remotely at least part-time as of August and September 2022, but some academic surveys suggest the number was closer to 50%. With technological advancements driving the remote revolution, companies grapple with cultivating a cohesive culture without physical proximity. Is fostering a true team spirit and camaraderie in a remote setting a paradox? How does the lack of in-person interactions affect team dynamics, and what are some potential solutions to bridge this gap?
Here are some innovative approaches for nurturing a remote culture that resonates with the essence of the traditional workplace environment.
The Remote Work Paradox
Building a thriving culture remotely seems contradictory. The essence of a company's culture often lies in the intangible connections formed between its members. However, when interactions are confined to screens, this essence is challenged. The lack of personal contact and impromptu conversations (think: watercooler exchanges) that shape the organic development of relationships in a traditional office setting is acutely felt. Without in-person interactions, employees often miss out on small, unspoken signals, leading to potential misunderstandings.
Maintaining team morale and motivation is another challenge. In an office setting, the energy and enthusiasm of colleagues can be contagious; however, in a remote environment, maintaining this vibrancy becomes a chore. The spontaneity and warmth of face-to-face interactions are hard to replace in a virtual environment.
When employees work remotely, they often take a siloed approach to their tasks that can make them feel particularly isolated. This kind of separation makes building a united and friendly work atmosphere—which is important for success—difficult. Creating a sense of belonging and loyalty to the company is more difficult when workers don't interact with the organization's space and people.
These challenges demonstrate the importance of finding innovative ways to build a strong, interconnected remote culture.
Breaking Down The Barriers
Our cybersecurity firm recently tackled the remote culture conundrum head-on by organizing a company retreat. The retreat aimed to bridge the gap created by working online and build genuine connections between team members. The agenda was carefully crafted to balance formal business discussions with casual, fun activities designed to help team members bond and get to know each other outside of work.
The retreat was a game-changer. Team members, who only knew each other through computer screens, got to share experiences and get to know each other better in a relaxed environment. Meeting face to face broke down the usual formalities and helped everyone understand each other as co-workers and as people.
After the retreat, we saw a significant change in how the team interacted and cooperated. Colleagues who used to communicate primarily by email and online meetings formed personal bonds. These new relationships led to easier conversations, better teamwork and a stronger feeling of being part of the team. The retreat proved that while remote work is undoubtedly viable, meeting in person occasionally is critical for building a strong and united team culture.
The Impact Of In-Person Interaction
The value of in-person interactions in shaping a remote culture is massive. Meeting face to face helps people understand and relate to each other in ways that are hard to do online. The in-person meetings at the retreat enabled team members to get to know each other better and learn about each other's personalities, how they work and their lives outside of work.
This better understanding improved the way everyone communicated. Talks became more open and relaxed. It became easier for everyone to talk to each other, leading to a friendlier and more supportive atmosphere at work.
Tricky, But Not Impossible
Despite the challenges of remote work, the company remains committed to the remote model. However, we now know that meeting in person is important, too, so we aim to continue holding retreats and events a couple of times a year. We believe this will help keep the team's spirit and culture strong, like when employees meet in person.
Creating a remote work culture is tricky but possible. As the way we work keeps changing, combining the freedom of remote work with occasional in-person gatherings appears to be the right way to keep a team happy and productive and build a lively and effective culture.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Rhymetec was founded in 2015 as a Penetration Testing company. Since then, we have served hundreds of SaaS businesses globally in all their cybersecurity, compliance, and data privacy needs. We’re industry leaders in cloud security, and our custom services align with the specific needs of your business. If you want to learn more about how our team can help your business with your security needs, contact our team for more information.