Ask the Compliance Expert: 10 Questions with Marc Rubbinaccio, CISSP, CISA

October 27, 2022

Author: Emily Bonnie

Reviewer: Marc Rubbinaccio

Pursuing compliance certifications and building a strong security posture comes with a seemingly endless stream of questions: 

Should this system or application be included in the scope of my audit?

What should my audit window be? Can I change it for my next audit? 

Is there an easier or more effective way to configure my systems for continuous compliance?

Navigating them alone can be stressful and confusing. 

That’s why we pair every customer with a dedicated security, privacy, and compliance expert. They’re with you at every step, from audit readiness to final report and beyond. 

Today, we’re introducing you to compliance expert Marc Rubbinaccio. Marc lives in New York and has been with Secureframe since February 2021. He’s helped dozens of companies achieve and maintain certifications and build stronger security postures. 

1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?

I earned my bachelor's degree in Computer Information Systems from DeVry University and immediately began my career in security as an incident response technician for Colgate Palmolive, overseeing the availability of production applications and infrastructure. 

After self-studying resources for penetration testing, I landed a role at A-LIGN as one of the first penetration testers at the company. This is where I learned how to perform penetration testing against applications, infrastructure, wireless, and social engineering. After the penetration testing team was built out, I took the opportunity to learn PCI DSS and shadow the senior auditors at A-LIGN. Once I had my QSA certification I began performing PCI DSS assessments, and by the time I left A-LIGN I was a senior auditor. I have roughly 8 years of cybersecurity experience overall.

2. What is your area/framework of specialization?

I consider my framework of specialization to be PCI DSS. I was extremely lucky to work with PCI experts during my tenure at A-LIGN, performing assessments against complicated enterprise clients under the expertise of leaders in the industry. Now I am leading the PCI DSS practice at Secureframe, building the frameworks and leading our customers through successful PCI audits and self-assessments.

With my year and a half of experience here at Secureframe, I’m also extremely comfortable helping our customers go through SOC 2 and ISO 27001 assessments. 

With my experience as a pen tester, I can work with our penetration testing partners and customers to facilitate a great experience for those tests as well. 

3. What excites you most about the security and compliance industry?

When I first became interested in the security and compliance space, there were a lot of headlines about major companies getting breached and cyberattacks were on the rise. I became more interested in learning about the different types of attacks and various security methods, as well as the specific job roles within security. Application security, infrastructure security, red team/blue team — there are so many opportunities. 

What I find most exciting now is the constant evolution and the need to adapt. Five years ago I was doing walkthroughs of data centers and offices, and now I’m assisting fully remote customers hosting their infrastructure in AWS and using cloud services to meet compliance requirements.

4. What’s a common misconception people have about security and compliance?

The biggest misconception is that compliance is difficult to achieve. 

In reality, compliance is just a baseline security methodology. Compliance is having proper logging and monitoring controls. Compliance is making sure the customer data is secure. These are just underlying best practice security principles. 

There are multiple ways to meet requirements — it’s possible you’re meeting some requirements already. With the help of Secureframe, it’s easier to get prepared for compliance and it’s easier to maintain compliance.  

5. Why did you choose to work for Secureframe?

I truly believed there was an easier way to perform audits. I personally created multiple lead sheets and note-taking templates to help facilitate an easier onsite assessment, which was not ideal.  

During my initial conversations with our CEO Shrav Mehta explaining to me what Secureframe does, I didn’t believe it to be honest. I had a lot of questions. I demoed the platform multiple times and dove deep to ask, “How would you audit against this? How would you audit against that?” I then learned it would be my job to help facilitate those features in the platform — utilizing my super niche expertise to be able to help build software to make it easier for auditors all over the world. It sounded like my calling. 

6. What’s your role in the compliance process for customers?

My role is to ensure my customers are fully prepared for their audit. This begins with scoping and implementation guidance, readiness within the Secureframe platform, and helping oversee and facilitate the audit between our customers and the auditors.

The specifics of what I do all depend on the customers’ needs. They could be a fully experienced company that has gone through a bunch of assessments before and they’re looking for an easier way to do things. I come in and facilitate the onboarding of administrators and in-scope personnel into Secureframe, assist with the communication and follow-ups of the auditor, and help customers configure the software to effortlessly pull that evidence in. All of this instead of having to perform the audit manually via spreadsheets or however they’ve done it in the past. 

Or it could be a company that doesn’t have a production environment in place. Perhaps they have a staging environment and they want their implementation to be secure for their very first customer. What I do then is ask them what their tech stack is and help them introduce security services and tools and help them protect their data when they start ingesting it from customers. The goal is to have them fully secure, fully prepared, and ready for that first customer as well as a fully-fledged cybersecurity audit. 

7. What pain points are you passionate about solving for customers?

I think the biggest pain point is the actual implementation of a lot of these compliance requirements. Oftentimes there are multiple ways to meet a specific requirement and it can be difficult for customers to comprehend exactly what that requirement is. Our customers really appreciate having expertise and guidance around what you need to implement to ensure compliance without restricting the business. 

8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?

Some customers don’t have their environment fully built out, but in order to utilize certain vendors or payment processors, they have to be PCI compliant. What I have done with previous customers is determine the best way to implement a PCI-compliant environment to meet PCI requirements as soon as possible and simultaneously limit scope.

A specific example: a customer I assisted started out looking to implement a PCI-compliant environment. Based on the specific service, I made recommendations for tokenization partners, made introductions, and helped the customer learn about how tokenization could help them de-scope their PCI compliance significantly. I assisted with the implementation of such a solution and generated a report in Secureframe adapted to the scope of their specific implementation.

9. What’s your #1 piece of advice for people who are preparing to undergo their first compliance audit? 

Prepare to be flexible with the processes that you currently have in place and how you do things as a company. Compliance can require a lot of changes, and sometimes the key to a strong security posture requires restriction in processes. It’s harder to fight back on requirements than adapt to security controls in order to be compliant and maintain compliance. 

10. What do you see as the biggest organizational benefit of a strong security and compliance posture?

The biggest benefit that comes with being compliant is ensuring that your customers’ data is safe. The last thing any company wants is to experience a data breach where you lose customer data and then have to publicly announce information is potentially leaked. Being able to confidently tell your customers their data is protected really gives them peace of mind when sharing their data with you as an organization. 

Get compliant with expert help

Want to work with Marc or another member of our compliance team? Schedule a demo of Secureframe to learn more about how our platform and in-house experts make security, privacy, and compliance fast and easy.