
Partner Perspectives: Q&A with Nim Nadarajah of CriticalMatrix

Apptega
September 10, 2024
 

Introduction

Key Takeaways

As CISO and a managing/founding partner of CriticalMatrix, Nim Nadarajah is helping organizations understand that cybersecurity is a continuous journey. And it’s becoming increasingly important to monitor security posture over time rather than once a year.

We recently sat down with Nadarajah to discuss why CriticalMatrix takes an advisory-first approach, speed vs. trajectory, and the value of continuous compliance.

  

1. What does CriticalMatrix do? What is your role?

CriticalMatrix is a full-service cybersecurity company that specializes in cyber, data, identity, and governance. We have an advisory-first approach that isn’t motivated by product sales. Instead, we focus on thought leadership and CIO/CISO/CXO advisory projects.

I’m one of the managing and founding partners of the firm as well as chief information security officer.

 

2. What solutions/services does CriticalMatrix offer? 

Our specialty is Microsoft platform security services. Right now, we’re focused on data governance, AI readiness, and compliance as a service.

 

3. Do you specialize in any specific areas (industries, services, frameworks, etc.)? 

We offer services across five major areas: commercial real estate, natural resources, health care, aviation, and finance (insurance is funneled into finance).

The industries we work with are all compliance-driven, and we’re usually working with either ISO 27001 or NIST. We also have customers who work with HIPAA and PCI, but NIST is typically the baseline framework that we use. 

 

4. What differentiates CriticalMatrix from others in the space? How do you stand out?  

Our deep talent and technical expertise set us apart. Most people at our company have 22 years or more of experience in their respective areas of expertise.

And we don’t start our engagements with a product-based sale. I find that a lot of cybersecurity companies are interested in selling a product and then offering to manage that product. That isn’t security. We believe in customer intimacy — the whole advisory piece. We work with you to understand the roadmap, gaps, and how you get where you want to go.

Compliance as a service is important because it paves the way and shows you what to focus on to achieve your goals.

 

5. How do you stay ahead of a rapidly evolving threat landscape? 

We’re continuously connected to the industry and industry leaders. We participate in, listen to, and contribute to many podcasts, webcasts, webinars, and other events. And we also do a lot of public speaking events. We make sure we’re all connected to industry influencers and can give our customers the latest, greatest information.

Overall, we make sure that our team’s skills continue to evolve so we can align with changing requirements.

 

6. How do you scale your services to accommodate a growing list of customers and regulatory requirements?

We have an entire team dedicated to our compliance practice. They focus on understanding what’s changing in their verticals of expertise. For example, we might have someone focused on manufacturing, aviation, and natural resources. That person would stay on top of changes so we can highlight them to our customers.

We’re also constantly growing our team, looking for new talent, partners, and tools to better help our customers.

 

7. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?   

We bundle compliance as sort of the predecessor to other services. For example, we recently started using compliance to evaluate customer AI readiness. We’re doing quick compliance assessments paired with data readiness assessments that feed into our AI, showing us whether an organization has done what is needed to be AI-ready.

 

8. How are you delivering your compliance services? Is it offered as a formalized compliance offering?

We’ve been managing compliance manually using Excel spreadsheets that we’ve produced over many decades. The quality is good, but the process is manual, onerous, and time-consuming.

We have a formal compliance as a service offering that includes not only that assessment piece but also data governance, automated pen testing, cloud configuration scanning, policy gaps, and security awareness training.

Our methodology includes a compliance review, tailored approach, inventory review, ownership assignments, and proof gathering.

 

9. Do you have a favorite compliance framework? Why?  

My favorite is the NIST Cybersecurity Framework. It’s diverse and easy to understand, and we have a way of relating it back to everything we do. We can map NIST back into every other framework: CSF, ISO, PCI, HIPAA, etc.

NIST is also quick to implement. I think 95% of customers need rapid posture assessments that don’t take months. The assessment shouldn’t be obsolete by the time you get it, which is something I think many of our competitors are doing wrong. NIST enables us to go fast and stay relevant.

Related Reading: See how CriticalMatrix used a thorough NIST 800-53 assessment and a BCP/DR assessment to help a customer achieve a robust cybersecurity and continuity planning framework. Read the case study.

 

10. What are the most common gaps or pitfalls you see when it comes to cybersecurity and compliance management?  

The most common pitfall is starting over every time you do a cybersecurity posture assessment. Organizations often think they need to start with a blank spreadsheet every 12 to 14 months, which makes no sense at all.

Your cybersecurity roadmap is a continuous journey. Some items in your roadmap may cause compliance to regress, but you’re regressing to stimulate progress. You take two steps back to take two or three steps forward.

If you start over each time, you’ll have no idea how to track progress year over year to improve. A lot can happen between assessments, so continuous compliance is the right way to go.

 

11. What are your thoughts on compliance as a potential growth area for CriticalMatrix (and for other providers)?  

You can’t measure what you can’t manage. And with bad actors introducing a new threat every 39 seconds globally, it doesn’t make sense to only benchmark your standards every 12 to 18 months — or two years because you didn’t get the budget for it and cut the assessment. Compliance is best implemented on a continuous basis to ensure a strong security posture year-round.

When I buy a car, I don’t need a heads-up display to get me where I’m going. But I get it because it prevents me from being distracted for even a nanosecond. It’s giving me continuous information on what’s happening without having to shift my eyes. It may not have a major impact, but if I didn’t have it, what else could have gone wrong?

 

12. What advice would you give organizations on cybersecurity and compliance management?

Speed is not as important as trajectory.

You may be moving quickly, but your trajectory could be changing without notice. And the problems happen when you start moving fast in the wrong direction.

The one thing I ask my security and technology directors every year is, how confident are you that we’re still on course?

The problem with cybersecurity posture assessments is that we don’t do them enough. It’s becoming increasingly important for organizations to continuously monitor the divergence or convergence of their security postures over time. “We checked that six months ago,” isn’t good enough.

 

Related Reading: See how CriticalMatrix worked with a customer to create a strategic roadmap with a clear trajectory for ongoing security improvements. Read the case study.

 

13. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?

When there’s a budget crunch at home, the first things to go are the gym membership and healthy eating.

Posture assessments and greater overall visibility into your security journey are often seen as frills and bonuses you spend money on — not as a necessity to steer the course. So, the assessments get cut.

CIOs and CISOs are assessed to death. Most I talk to come back and ask for someone to stop the assessments. Just fix what’s broken.

Continuous compliance as a service eliminates the need for point-in-time assessments. It also alleviates some of the financial pressures the industry is facing because we can offer it at a lower cost, spread out over time, with a higher yield and value.

It’s about showing organizations that value. Next year, you’re not going to pay me $60,000 for an assessment. Instead, you just update your answers. If you want me to update them for you, it’ll cost you a couple grand. That’s the value.

 

14. How are you using automation today?

We just started using Apptega to help us automate some of our security and compliance tasks. I think it will help us add more value for our clients and close more deals in the compliance space — especially when we’re selling it as part of an AI program. We can do an AI readiness assessment and easily pair that with NIST.