Introduction
Key Takeaways
In a highly commoditized market where many providers are selling a one-time fix, Rozmith is focused on client sustainability. Rather than offering a tool or solution and moving on their way, Rozmith provides scalable solutions and repeatable processes that ensure continuous improvement for their customers.
We recently sat down with Rozmith’s managing director and CEO, Andrew Rozyskie, as well as COO Tom Smith to learn more about their customer focus, how they deliver cybersecurity and compliance, their approach to pricing, and more.
1. What does Rozmith do? What is your role?
Rozyskie:
Rozmith is a full-service threat and vulnerability management and compliance company. We focus on IT hygiene and proper access, using that as a driving method for setting up an enterprise for success — whether it’s success in your audit today or success down the road.
My role as the managing director and CEO is to help bring all the pieces together and drive a lot of the strategy behind where the company is going. But everyone at Rozmith plays an integral part in every account. We have that white glove, high-touch approach for each client, making sure everyone gets the face time they need. And more importantly, we make sure they’re getting the results they need.
The last thing we want to do on an engagement is give them wonderful tools like what Apptega provides and then say, “Go figure it out.” Our job is to guide them through the process, and we’re involved from the top down. For example, Tom Smith, our COO, is instrumental in guiding the operational processes and making sure things are working correctly and meeting our standards.
2. What solutions/services does Rozmith offer?
Rozyskie:
We specialize in vulnerability management. We also offer a wide array of governance, risk, and compliance services.
My background is heavily steeped in risk and vulnerability management, as is Tom’s. But we also offer a lot of professional services and consulting services around IT and program management, which fundamentally start with vulnerability management.
3. Do you specialize in any specific areas (industries, services, frameworks, etc.)?
Rozyskie:
We specialize in risk management from a technical perspective that promotes organizational controls. We take those controls and marry them to the regulatory controls that an organization may need to adhere to, making sure they are streamlined and fundamentally ingrained in the technical processes, procedures, and implementation of their specific program.
From those technical activities, we can derive certain strategic elements depending on how patches go or if we’re trying to measure compliance with a particular framework such as CIS. We can tell several things about an organization from the results of their measuring set. We can determine whether their patching toolsets work the way they’re supposed to or whether their operations include a lot of governance.
Smith:
So, it’s not just measuring the technical side. It’s taking a holistic approach to eliminating vulnerability and risk within an environment. More often than not, that’s technical. But sometimes it’s process-oriented too, and we can drive that from the technical results. All that ties into the organizational controls needed to fit their regulatory framework.
We work with a lot of different domains. We’re mainly focused on the state and local government level, but we do have a wide array of experience in the financial services industry, health care, and with vendors who need to be PCI compliant and need real-time technical and organizational measures.
4. What differentiates Rozmith from others in the space? How do you stand out?
Smith:
The space is becoming this commoditized zone where everybody just wants to sell you a solution. We don’t do that. We sell you a strategy that’s unique to your organization and a solution that fits that strategy.
Through our market research, we found that most complaints involve service providers implementing something that worked well for them but not for the client to manage going forward. What sets us apart is we offer scalable solutions tailored to your organization — not just for today but for tomorrow.
If you tell me you want to be ISO compliant, I want to make sure that you’re going to pass that first ISO audit this year. But then I want to make sure that it’s a repeatable and improvable process that shows your capability to mature. And I think that’s where a lot of the commoditized professional services and products are falling short.
More and more companies are looking for that deep dive. They want a provider that wants to learn more about their company, not just their problems.
5. How do you stay ahead of a rapidly evolving threat landscape?
Smith:
We’re always improving the way we identify risks — whether that’s a compliance, regulatory, or technical risk.
We’re constantly adjusting to new and critical information, from addressing things like a zero day to new legislation. We partner with the industry’s best solutions and participate in the continued road mapping of those solutions. We aggressively pursue rigid deadlines using automation to remove the human element from the equation as much as possible.
We also keep up with trends and are part of conversations with legislators, partners such as Apptega, and others. Being looped into a lot of those industry conversations enables us to stay ahead of the curve, especially from a regulatory compliance standpoint.
Rozyskie:
Zero days are unpredictable. You never know what’s going to happen. But one of the things we guarantee for our customers is scanning frequency with the solutions we provide. The types of scanning we’re doing and the technical alerts we’re looking for are designed to keep them ahead of zero day. So, if they get a zero day, it’s not a panic exercise. We can look at it objectively and provide a plan to implement within a reasonable timeframe.
6. How do you scale your services to accommodate a growing list of customers and regulatory requirements?
Smith:
I think being able to scale our services requires high touch. And that high touch goes into the rigorous runbooks that we’re implementing for every enterprise, making sure those runbooks are built into a sustainable model of training and growth for our employees and customers.
As I mentioned before, a lot of commoditized services are just throwing a product at you. But when it comes down to operational expectations, wanting everything front and center, that sustainable model is lacking in two key areas: training and growth.
That’s what we’re trying to accomplish — first through our runbooks but also making sure our own employees have the right training before engaging with a contract or customer. That level of growth for our employees enables a tactical component for our customers that ultimately benefits them in the long run.
Rozyskie:
And while some larger commodity-based service companies are increasing costs to add more and more, we don’t take that approach. Security and compliance should be available to everyone who needs it, and you can eventually outprice yourself in the market. So, we believe in keeping things as simple and managed as possible.
Our rigorous pursuit of automation and automated operational processes means we can handle much larger clients with much smaller headcount, which ultimately reduces our costs. These savings also mean realized savings for our customers instead of unrealized potential.
7. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?
Rozyskie:
Pricing for our services includes a combination of software license costs and block hours for our services. So, they’re still going to pay for the licensing and key tooling the organization needs to be successful. But it’s going to come with a set of block hours to guide the customer through the project.
We basically have three levels of service. The first is our transition and transformation package, which we price on a project-by-project basis based on discovery information. Things that affect the price include the number of assets included, number of users who need access, reporting needed, etc. We also build in cautionary statements that account for the unknowns and potential price shifts as a result.
The second level of service includes the install from the first level and an ongoing continued services role where we manage the operations of the solution but don’t provide the analysis of the results.
The third option is a fully managed solution of leveraged staff and support engineers who not only run the solution daily but also work with the enterprise IT support staff to develop and execute weekly or monthly action plans.
Smith:
I feel like the industry thinks that organizations are stagnant, that they stay in one place. But in reality, you have to be able to shift to accommodate the market — cost and demand. All of that comes at a cost for IT and technology. So, we want to take the things that affect price, including the number of assets, the number of users who need access, and the reports they need, and make it all scalable.
We understand that our customers aren’t going to be stagnant, and neither will we. All our packages and service combinations are scalable to the point where we’re able to shift as needed. And we want to reduce those surprise costs as much as possible.
While you might not need something today, we can put a program in place that’s eventually going to bake in what you need in the future. It ultimately enables you to plan from a budgetary perspective, whether that’s a quick spend or long-term spend.
8. How are you delivering your compliance services? Is it offered as a formalized compliance offering?
Rozyskie:
From a compliance perspective, we do offer governance, risk, and compliance services as a standalone feature as well as IT and security program management, in terms of vulnerability management and those types of services. The idea is that when we get into the conversation on the controls you’re trying to meet, how you want to see your organization mature, we align to that framework using our GRC model. Then we look at which technical and organizational measures complement each other.
My biggest fear on any account is that we leave them with policies that don’t match what they can achieve from a technical perspective. So, for every solution, there’s an artifact. And that’s really where Apptega comes into play. We can take those different controls and map them to the artifacts.
9. Do you have a favorite compliance framework? Why?
Rozyskie:
Our favorite is CIS. Discussing system hardening and helping companies achieve proper understanding of how an enterprise needs to run is extremely gratifying, and we find it moves the needle more than anything else.
By implementing the CIS controls, especially the new version, you’re able to hit across a lot of different frameworks at once. This enables the organization to figure out which market segment they want to best align to. And it’s a lot lighter of a lift than it would be to just go after getting FedRAMP compliant tomorrow, for example. Can you even achieve that?
One thing that sets us apart in terms of our favorite framework is that we create custom compliance policies through our scanning tool, aligning to what your organizational standard is going to be. So, if you say passwords need to lock out after 12 minutes, we’re going to create a compliance scan that makes sure that happens.
10. What are the most common gaps or pitfalls you see when it comes to cybersecurity and compliance management?
Smith:
Lack of visibility, lack of integration with the enterprise, and lack of skill to understand how to tie those pieces together.
That all goes back to communication. And if there’s one thing we pride ourselves on, it’s being able to address that in an easily understandable and palatable format. The customer needs to understand if something’s not going well so we can start talking about how to fix it. I can think of a thousand different breaches over the past 20 years that were a direct result of somebody not being honest about their hygiene.
That’s where our risk conversations with the business come into play. At the end of the day, the customer needs to make that risk-based decision. But we believe through our visibility, integration points, and skill to understand the results and tie everything together, we can empower the customer to make risk-based decisions that ultimately protect their business, revenue, and clients.
11. What are your thoughts on compliance as a potential growth area for Rozmith (and for other providers)?
Rozyskie:
A lot of people see compliance as a hurdle. We see it as an opportunity to enable other market segments throughout whatever industry you’re going into.
States, countries — they’re all getting stricter on compliance, and as such, it’s time for security practitioners and the services companies to align with that increasing market demand. Compliance is an opportunity to acquire more customers and help them understand their risks and how to combat them.
But for companies to achieve higher market segments and really go after revenue, security and compliance should enable revenue. I feel like a lot of practitioners get caught up in the tools, but we really focus on return on investment. That’s a very powerful conversation when you’re talking to a board to get funding for this.
We understand there’s going to be an upfront cost, but the growth that follows will be exponential.
12. What's your outlook for the provider space over the next several years? What does it mean for Rozmith?
Rozyskie:
I see the provider space growing right now, but I think we’ll start to see it shrink. And I think that’s because there are a lot of commoditized offerings right now. I think they will naturally segment themselves into more professional services or consulting. But from an economic standpoint, I see the market getting tighter.
We already see it with customers when it comes to the pricing and everything else. And I can’t tell you how many FTE roles we’ve seen go away. People are thinking about which tools and services they can consolidate to increase ROI. So, doing more with less is going to be a market challenge for the upcoming future.
Smith:
Also, as AI becomes the norm, we’re going to see an increasingly rigorous effort to combat AI-enabled actors who miss nothing and can put into action even the smallest intel to great effect in pursuit of their goals.
13. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?
Rozyskie:
As I touched on in the previous question, we’re seeing a markedly strong movement to consolidate tools and staff in preparation for impending economic hardship. Every organization is looking to consolidate their services, contractors, etc.
Focusing on hygiene and actionable intel is becoming more important than ever in pursuit of a secure enterprise. As is being able to provide visibility into the real risks they face.
14. How are you using Apptega today?
Rozyskie:
We use Apptega as a steppingstone. First, we use it as the initial assessment to understand what issues an organization is facing and how we can improve it.
Then we start talking about program management, and that’s where we really leverage Apptega as a strategic advantage. Whether it’s audit readiness, internal risk assessments, or anything around compliance initiatives, we’re using Apptega to manage the program going forward.
Interested in learning more? Visit the Rozmith website.