Adam Torres and Craig Petronella discuss cybersecurity.
Subscribe: iTunes / Spotify
Apply to be a guest on our podcast here
Show Notes:
What does it take to protect your company from cyber criminals? In this episode, Adam Torres and Craig Petronella, Founder & CEO of Petronella Technology Group, explore Craig’s journey as an entrepreneur and how Petronella Technology Group is helping companies become as unhackable as possible.
About Craig Petronella
Petronella Cybersecurity and Digital Forensics focuses on protecting businesses through rigorous cybersecurity and compliance strategies. Drawing on over two decades of industry expertise, they ensure clients meet stringent compliance regulations such as NIST, CMMC v2.0, HIPAA and SOC 2 Type II standards, minimizing their risk of data breaches and costly penalties. Craig’s role as a licensed digital forensic examiner and CMMC Certified Registered Practitioner (RP) underlines his commitment to securing sensitive data such as controlled unclassified information (CUI).
Their team’s approach has been pivotal in helping clients navigate the complexities of cyber regulations and emerge stronger against threats. Petronella offers over 39 layers of vetted, tested, and patented InfoSec and cybersecurity solutions. With enterprise extended detection and response (XDR), 24/7 US-based Security Operations Center (SOC) services, managed security services and cloud security as his areas of expertise, Craig has contributed to creating robust defenses that empower organizations to focus on growth without the looming worry of cyberattacks.
About Petronella Technology Group
Petronella Cybersecurity and Digital Forensics provides services across many vertical sectors in both public and private organizations. They understand that every industry and organization can be faced with unique IT challenges. Their expertise enables them to help clients navigate the requirements of their industry – such as CMMC for federal contractors, HIPAA and HITECH for medical practices, and Sarbanes-Oxley and NIST for law firms – to find a solution that meets their needs.
They will partner with you to design, implement, and support a solution that meets your specific requirements. They are proficient with regulatory compliance frameworks such as: CMMC, ISO 27001, ISO 27002, ISO 27001:2013, SOC 1, SOC 2, SOC 2 Type II, SOC 3, HIPAA, HITRUST, GLBA, PCI, FACTA, Sarbanes-Oxley (SOX), FERPA, FDA 21 CFR Part 11 (Electronic Records) & 21 CFR 820 (Quality Systems), the NIST SP 800 series, NIST SP 800-171, FedRAMP, COBIT, SSAE 16 and more.
Full Unedited Transcript
Hey, I’d like to welcome you to another episode of Mission Matters. My name is Adam Torres, and if you’d like to apply to be a guest on the show, just head on over to missionmatters.com and click on Be Our Guest to Apply. All right, so today I have Craig Petronella on the line, and he’s founder and CEO of Petronella Technology Group.
Craig, welcome to the show. Thank you so much. All right, Craig. Good to have you here today. And we got a whole lot to talk about because you’re at Petronella Technology Group. I mean, you’re helping a lot of different companies, from businesses to, you work in the defense industry, working in health care, a lot of different things.
I mean, cyber security attack. I mean, touches across across the spectrum. But just to get us started here, Craig, we’ll start this episode with what we call our mission matters minute. All right. So as you may be aware at Mission Matters, our aim and our goal is to amplify stories for entrepreneurs, executives and experts.
So that’s what we do. Craig, what mission matters to you? I want to help as many people and companies be as unhackable as possible. I’m tired of seeing all the headlines. That’s a great mission, and I’m tired of seeing those headlines too. So how did you get into the space to where you wanted to, you know, help businesses become unhackable?
Where’d that come from? Sure. Yeah. So ever since I was eight years old, I was like, technology, like to tinker. Way back then, I took my sister’s computer apart and reassembled it after she freaked out. And, you know, just was very interested in technology. Back then, you know, Internet wasn’t really, you know, common or as it is today.
It was more dial-up modem based. I started my own bulletin board system back then, called a BBS. If you ever remember the movie War Games, similar to that. So, yeah, fast forward, you know, to 2002, I started my company and it was really a business IT support and consulting, evolving in 2006 with a heavy cyber security and compliance focus and, fast forward to today, we help various types of business verticals, like you mentioned, finance, healthcare, defense industrial base. We have the latest certifications, like the cybersecurity maturity model certification, or CMMC for short. And yeah, so, you know, in doing security risk assessments for these organizations and learning their gaps and vulnerabilities and helping them bolster their security and do training that’s customized and drill simulations, kind of like the military, you know, you got to practice and get better.
Right? So it’s a lot of that type of work and just, you know, taking a fiduciary stance in regards to security controls and, you know, how they can bolster their security to be as unhackable as possible. And then at the tail end of that, we test their security with what’s called a penetration test, where we’ll have a certified ethical hacker, you know, basically look at their company from the lens of a hacker and do some reconnaissance and figuring out, hey, you know, can they get a foothold in what they have, tricking across their people, process and technology.
That’s amazing. And I want to stick, I want to go back to those early days, just a little bit longer here. And the reason why I want to do this is because that mission matters. One of the things that we’re always preaching and talking about is like finding your mission, right? Like, there’s a lot of, there can be pivots, there can be different things that you want to do.
There can be interests, but like, what’s your mission? Like getting to the core of that. How did you know, like, was it a gradual progression from those early years? Or was it like you just knew like you were gonna be in this industry? Like how did you know you were on the right path? You know, they always say that, you know, to your point, you should really do what you love.
Right? Yeah. And it shouldn’t feel like work or feel like a job, right? So I always knew that I wanted to do something in cyber, and I always had the dream to own my own business, but like many other people, you know, I got my first jobs, or even back then before, you know, 14 or 16 years old, worked for a technology company even way back then.
And then, you know, tried to make ends meet and worked for different types of companies and then went back to what’s called a systems integration company and then did that for a few years and was just frustrated because I got all the certifications and everything that they wanted me to do, but then they didn’t raise my pay and I was like, you know, thinking to myself, I could just do this on my own and do this better.
So this was my time basically. So I just took the leap and, you know, here we are. Yeah, what was it like when you first took that leap, man? Because I’ve heard a lot of different variations. For me, man, I was scared. I was like, what’s going on? Like, I came from when I went in transition. Like, what was it like for you?
I mean, I think that the one word would be scared. You know, I mean, I think that was me. I’m not projecting that on you. I was frightened. That was all me. Go ahead. Yeah. I mean back then it was, you know, especially, you know, I mean, you’re talking 2002, so right after 9/11, right? Oh, wow. Right after hmm. Yeah, exactly.
That’s about right. Mm hmm. Yep, yep. After the dot-com bust and everything. Well, when I worked for the systems integration company for a while, I basically honed my skills and had a pretty diverse portfolio of clients that I was supporting. And I told them on their free will, I said, look, you know, here’s what I’m planning to do.
It’s your choice. You know, if you want to stay with me or, you know, I, I don’t know what your contract relationships are. I don’t want to step on anybody’s toes, but here’s what I’m doing, you know, and here I am. So I actually had about 5 or 6 customers follow me. And, you know, give me my support.
And that was really, I’m really thankful for that because that helped me pay my bills and survive. And then it was just a lot of rolling up sleeves and pounding the pavement to, you know, I’m not generally the typical quote unquote salesperson, you know, I’m not the most outgoing in certain situations, especially, you know, in that period of time.
So just kind of really had to study up and just absorb as much as I could and try to hone my sales and marketing skills. Because if you can’t sell, then you can’t eat. So I had to figure that out. And then just, like I said, just pound the pavement and start drumming up business and, you know, even did things like guerrilla marketing and, you know, I remember I had a Honda Accord at the time and I was doing heavy specialized computer support and I just did a really big phone number on the bumper, you know, big, big, obnoxious guerrilla marketing type stuff that,
quite frankly, just worked. Put a phone number on my car tomorrow. Thank you for that. Go ahead. We’re taking it back old school, Craig. I’m liking this. Yeah. Yeah. I mean, you know, just how could you stand out? Right? You know, so back then it was, like I said, you know, advertising magnets on the car, you know, and I’m not talking small print.
I’m talking like, as large as the bumper is. You can, you can see me coming down the road, probably a mile away. I mean, but it works, you know, and it got business. So, I mean, it’s great. You know, there’s so many people that are so talented out there that are either in a job that they’re frustrated and they’re underpaid or they don’t know how to get out of the hamster wheel.
And it’s sad, you know, but like I said, I mean, if you could be really good at what you do and your craft, but if you can’t sell it, then you can’t survive on your own anyway. So it’s, you know. And now more than ever, I think it’s more challenging. And what’s interesting to me though, is that I feel like when you’re in the right flow or when you’re doing what you’re supposed to be doing, like people can tell, like people could tell from the early days and I’m sure people can tell even now, like where your heart is with helping companies with their tech.
And in this particular case, it’s evolved into helping them with their cybersecurity, helping them stay compliant. Like, I feel like people can tell. I think you’re right. I think they can, especially in what we do and how complicated it is. And you know, we’ve been told that we do a really good job of distilling it down and making it more digestible for them to understand.
And we don’t expect our clients to be experts of course, but even distilling it down is still complicated. I mean, cybersecurity nowadays and compliance nowadays is just volumes and volumes of such a huge broad field. You know, when people come to me and they say, you know, how do I get a job in cybersecurity, I’m like you, I go back to them and I say, well, what makes you happy?
Why do you want a job in cyber? And what specifically do you see yourself doing and enjoying? Because what I don’t recommend is I don’t recommend people just go to college or go get these expensive certifications and things like that. And don’t do that exercise first because then you’re just going to spend tons of money.
You’re going to get into a lot of debt and then you’re probably still not going to get a job because it’s not going to be specialized enough. Yeah. And one of the things that I found interesting is I was kind of digging a bit on your background and also your platform is you’ve also taken the next step.
When I talk about people can tell, I see that you’ve got a number of books out there on cyber security and compliance. And you’ve done even like that extra homework. You’re not just, you’ve done extra to provide other types of materials and education and things for not only your immediate clients, but for anybody that wants,
you know, that type of education. So can you speak on that a little bit and also why you chose to get into, like, putting out books? Sure. Great question. So back in, it was either ’15 or ’16 when I came up with my first book, and the first book was How HIPAA Can Crush Your Medical Practice, and I wrote that book because HIPAA is the regulation for medical practice
and that vertical, and you’ve probably gone to the doctor’s office and filled out a bunch of forms and, you know, that that’s typically HIPAA. So, medical practices are called covered entities and then you’ve got maybe IT companies that work with the medical practice and they’re called a business associate.
So those two arms are subject to HIPAA compliance and there’s a set of rules and regulations that you have to follow. And it could be anything just from a chiropractor all the way up to a hospital, you know, or even an insurance broker. They’re all subject to HIPAA. So I wanted to demystify HIPAA as best I could, because HIPAA is very complicated, and that’s why I wrote the book, to try to help the little guy figure it out and give them options on how to become compliant and get more secure, so that was the reason for the book, to kind of get the word out.
And you know, the latest edition, the 3rd edition of that book that I re-released, gave some more insight and depth around a framework that the National Institute of Standards and Technology, NIST for short, came out with, called 800-66. I updated the latest version of the book
to contain this 800-66, and basically what that means is the National Institute of Standards and Technology came out with guidelines on security controls, policies, procedures, and what medical practices are required or should be doing, some recommendations, and basically like a handbook, like a 500-plus-page handbook, and distilled that down for people to read. Amazing. And so as we get, you’ve gotten further, you obviously have your books out there, you’ve built a brand around this. What type of companies
do you find that you work with that are kind of the right fit, and like, whether it’s size, revenue, like who does it make sense for to work with you? Yeah, great question. So you mentioned before, people can tell when you’re passionate, right? People can tell, you know, we could tell when a company really wants to do the work and take the advice and really, truly make themselves as unhackable as possible versus the company that is getting pressure from somewhere, whether it’s internally at their C-levels
or externally from an insurance company, or a bigger company they want to do business with that’s more mature than them, that’s looking for something like a SOC 2 Type 2, or some type of evidence that, hey, they’re doing what they should be doing in regards to a certain regulation. There are companies out there that
don’t really value what we do in regards to cyber security and protection. They think that they can just get antivirus or a firewall, for example, and then they don’t need anything else because they’re too small to get hacked. And that’s so far from the truth. So, our world is so complicated and a lot of our
discussions with potential customers is education, and that’s why we wrote the books. That’s why we have so many resources, to try to get them on the right track to understand where they are in the journey and where they’re trying to go. Now, there are some prospective customers that all they care about is checking the box.
You know, we need a pen test. Okay. Well, what is the scope of the pen test? What’s the depth? And with a pen test, or a penetration test, that’s a test where certified hackers will act like real hackers, with permission, of course, and try to get into their systems and exploit weaknesses or gaps. And the time that you pay for that hacker or that team of hackers could vary.
And it could vary as small as minutes or hours. And that time on an endpoint ultimately gets factored into the formula of how expensive the pen test is. So there’s a lot of confusion around, well, I could just do that with software. Well, no, that’s called a vulnerability assessment. That’s much different than a pen test where you have a human.
So there’s a lot of educational components to the work. And there’s also reasons why certain things cost more money. Like I was mentioning, time on task. If you have a company that truly wants to be as unhackable as possible, they shouldn’t box the time so tight and say, oh, you can only spend 15 minutes on an endpoint.
It should be spent as much time as you need. You know what I mean? Like, just like, try to get into everything. Right? So there’s a lot of education that has to happen to find what’s right for their risk tolerance and their type of company. Makes a lot of sense. And what about industries? I know we talked a little bit about, you know, either health care, finance or things like that.
Like, talk to me a little bit about the industries you’re working with. Yeah. So we like to focus on industries that are subject to some type of compliance mandate, like HIPAA for health care or defense industrial base, depending on the type of sensitive information they’re working with.
Sometimes that’s called controlled unclassified information, or CUI, that is subject to what’s called NIST 800-171, 172, and then there’s DFARS clauses. Sometimes, well, now there’s going to be the CMMC 2.0 regulation that’s going to come out or get finalized. It’s already been kind of in the tail end of the works of that.
So that’s another certification and regulation that they have to abide by. And we are certified to provide the consulting services to help them with all the readiness and all the work that needs to be done to get all that in order for them for what’s called a formal audit. Other industries are like banking, you know, you got maybe a small local branch bank or a credit union and, you know, those folks need to do penetration testing and training and drills and tabletop exercises and we help those folks as well.
But we like to focus on businesses that have some type of regulatory mandate. And the reason for that is because that’s usually the push that gets them to take cybersecurity and compliance more seriously, and the larger companies typically have maturity and they have more budget carved out. We do work with small businesses too.
And some small businesses don’t have a specific regulatory compliance framework that they have to follow, but actually now, as new regulations come out, most businesses have something. Like most businesses, for example, take a credit card. So they have some form of payment card industry compliance mandate.
Most businesses have a website, and if that website is publicly available and anyone can view that website, they could be subject to ADA compliance, or the Americans with Disabilities Act, where your website has to be designed from a standpoint and functional from a standpoint that somebody that’s blind can use a screen reader to help with their website.
And if your website can’t adapt to that screen reader, you can get in trouble for non-compliance with ADA. So most businesses are regulated in some way, shape or form. They may not know it, but they typically are. It’s very rare nowadays that there’s no regulation that applies to them. Even the FTC, the Federal Trade Commission, came out with new regulations a year or two ago and classified financial institutions,
I’m sorry, car dealerships, automotive dealerships, as financial institutions, because if you think about it, you know, when people buy a car, they’re typically getting some type of financing. Oh, for sure. For sure. It makes a lot of sense and a lot of information. Yeah. And if you think about the business model of how they’re making the majority of their profits.
Profit for most, like Ford hasn’t made money on selling a car, like, you know, since I’ve been born. They make money on the financing. Right. So if you think about that too, like that, that makes a ton of sense. Wow. Go figure. Yep. That’s why I do this, Craig. Learn something new every day. That’s why I hope my audience is listening, so they learn something new every day, too.
Well, Craig, I just have to say, it’s been a lot of fun having you on the show today, and I know we’re kind of scratching the surface on this, but you got a whole lot more to offer. If somebody’s listening to this or watching this, and they want to connect, because they want to explore their, you know, cyber security needs and that process of becoming as unhackable as possible, how do people reach out?
Yeah, they can visit our website. The short version that redirects is what’s called PTG, which stands for Petronella Technology Group, Cyber. So ptgcyber.com, they can reach out there and they can connect with us. They can get some free resources or reach out to us by the form or by our phone number.
Amazing, and for everybody listening, just so you know, we’ll put the links in the show notes so you can just click on them and head right on over. And speaking to the audience, if this is your first time tuning into Mission Matters, and you haven’t done it yet, hit that subscribe or follow button. This is a daily show, each and every day.
We’re bringing you new content, new ideas, and hopefully new inspiration to help you along your journey. So again, hit that subscribe or follow button, and Craig, again, thank you for coming on. Thank you so much for having me. I really appreciate it.