Brian Carmenatty is an information technology executive & strategist with over 15 years’ experience in diverse disciplines including system infrastructure, security, compliance vendor management, and Service management. He combines deep technical expertise with a strong service management focus. This allows him to work with technical and customer teams to deliver valuable outcomes.

Brian currently leads the IT department for one of the largest MSO’s in the state of Florida which consists of over 300 practices. He has built the foundation for a robust multi-location decentralized IT environment, led standardization post-M&A activities, coordinated compliance and security projects which included encryption, MFA, EDR, and MSSP rollout for the whole organization.

Episode transcription:

F: Thank you for being with us today, Brian. Pleasure to have you here.

B: Thank you.

F: All right. Just to get us started. Just tell us a little bit about yourself and what falls under your oversight within your organization.

B: So I currently work in a healthcare organization, a managed service organization here in Miami area. I oversee currently about 300 plus offices throughout the state of Florida. I handle everything from the IT operations, data center security, a little bit of a mix of different IT aspects. I also oversee all of the vendors from our multiple MSPs. I deal with over 20 different MSPs throughout the state.

And I also manage them and direct them through our different needs in the organization.

F: What are some of the ways in which you can measure the level of maturity and success of a cybersecurity program? Do you have any examples you can share?

B: Yeah. So, you know, there's a few different frameworks out there.

One of the ones we like to look at is the NIST CSF, which is, you know, it's one of the big ones out there. There's a few other ones, depending on what industry you're in, but a lot of this kind of falls into the five key areas, which kind of goes into the identify, protect, detect, respond, and recovery.

And these areas are more or less, you're going to run a baseline across your organization, and then see where you fall within these categories. Okay. You know, it's very hard nowadays to kind of say, hello, how well are you doing in the cyber security realm, especially with all the current threats and different exploits happening out there.

So, that NIST CSF, which is, you know, everybody can look at it up. You can go to nist.gov and see it and download their own spreadsheets and answer the questions. And it does give you a strong high level. So one of the things you do see a lot different when you start answering these things.

You're going to notice quickly that most companies are pretty good on that out of the five elements that you identify, you don't notice. You're pretty good. Most people are doing asset management. Nowadays most people are meeting a lot of the initial scope of, I guess, like the first element of the NIST CSF.

Then you'll start noticing when you get to protect a lot of companies investing heavily there too. For years, that's where we were all putting all of our money, right? Antivirus firewalls, you know, that's where a lot of the protect, then you start getting into detect and respond falls back on your scale a little bit.

You start noticing you've got some weak spots there. In the last few years, that's where our focus has been. Right? Many organizations are starting to try to invest heavily in detect and respond solutions. Then your next gen, EDR is in different things there. And then you get into the recovery phase, which is, more or less, you know, on business continuity and disaster recovery.

So, you know, when you look at these, you want to kind of lay these out. These are great for your board levels. Now I always tell people, you can fill these out and you don't want to say, Hey, we hit a level four. We're good. We're walking away. No. You know, you still want to go