What makes a security certification actually reliable—and how do you measure that value over time? In this episode, HITRUST shares findings from their 2025 Trust Report, revealing how real-world threat data, quality assurance, and continuous validation are reshaping the way organizations—and their partners—view risk, resilience, and trust.
The HITRUST 2025 Trust Report addresses a question organizations keep asking: can you rely on a certification to mean what it says? According to Vincent Bennekers, Vice President of Quality, and Bimal Sheth, Executive Vice President of Standards Development and Assurance Operations at HITRUST, the answer rests on two properties the report tracks year over year: reliability (is the certification backed by evidence and independent review?) and relevance (are the controls tested the ones that matter for this organization's threats?).
The conversation explains how HITRUST goes beyond a checklist by combining threat intelligence with maturity modeling. The framework is not built only on abstract risk: HITRUST ingests cyber threat intelligence from multiple providers, maps it to MITRE ATT&CK techniques and the mitigations MITRE recommends, and then maps HITRUST requirements to those mitigations. The controls in an assessment therefore trace back to observed adversary techniques rather than to hypothetical risk scenarios, and the assessment is tailored in MyCSF to the organization's own risk factors, technologies and compliance obligations.
Bennekers shares that 99.41% of HITRUST-certified organizations had not reported a breach to HITRUST in the past year, closely matching the 99.36% in the 2024 report; consistency across two annual reports suggests the figure is not an outlier. One caveat a relying party should keep in mind: the metric counts breaches reported to HITRUST, not independently measured incidents. Sheth explains that HITRUST reviews every certification package in full, never a sample, through an automated first pass by its Assurance Intelligence Engine (AIE), then a QA analyst review and multiple management sign-offs, and that every requirement is scored on a maturity model rather than pass/fail. Scores are aggregated against a minimum bar for certification, and requirements that clear the bar but score below expectations produce corrective action plans (CAPs) the organization is expected to remediate. The model gives companies a path to continuous improvement while giving relying parties better information than a questionnaire.
For executive teams and boards, the report surfaces where organizations commonly score lowest, namely vulnerability management and access control, which are also the areas most associated with the breaches reported to HITRUST. Among the ten requirements that most often generate CAPs, the top two concern service-provider (third-party) management and three concern access control. Returning customers are closing those gaps: r2 customers show roughly 20% fewer CAPs year over year and i1 customers 54% fewer. The report also highlights growing use of external inheritance, relying on the assessed control environment of a cloud service provider such as AWS, Azure or GCP, as a practical option for organizations with tighter security budgets, since it shrinks the surface area the organization itself must secure.
Looking ahead, the conversation points to continuous assurance and the evolving role of AI—both as a source of new risks and a tool to enhance security operations. HITRUST is already exploring certification models that reduce drift and increase visibility year-round.
For organizations wanting to build more than just a paper shield, this episode unpacks how certification—done right—can be a strategic, measurable advantage.
Note: This story contains promotional content.
Guests:
Bimal Sheth, Executive Vice President of Standards Development and Assurance Operations at HITRUST | On LinkedIn: https://www.linkedin.com/in/bimal-sheth-248219130/
Vincent Bennekers, Vice President of Quality at HITRUST | On LinkedIn: https://www.linkedin.com/in/vincent-bennekers-a0b3201/
Host:
Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.com/
______________________
Keywords: sean martin, bimal sheth, vincent bennekers, hitrust, trust report, cybersecurity, compliance, certification, quality assurance, risk management, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Resources
HITRUST 2025 Trust Report: https://itspm.ag/hitrusz49c
Webinar: Beyond the Checkbox: Rethinking SOC 2, Cybersecurity, and Third-Party Risk in 2025 — An ITSPmagazine Webinar with HITRUST (https://www.crowdcast.io/c/beyond-the-checkbox-rethinking-soc-2-cybersecurity-and-third-party-risk-in-2025-an-itspmagazine-webinar-with-hitrust)
Visit the HITRUST Website to learn more: https://itspm.ag/itsphitweb
Learn more and catch more stories from HITRUST on ITSPmagazine: https://www.itspmagazine.com/directory/hitrust
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new brand story here on ITSPmagazine. This is Sean Martin. And, uh, here we get to talk about all kinds of new technologies that help organizations, uh, safeguard their business from, uh, all types of risk and help them meet the requirements they face, uh, from a compliance perspective.
And, uh, yeah. Both of those things can be challenging depending on what sector you work in and, and the, the threats you face because of the technologies that you've deployed and the data you collect, and the teams, you, uh, the teams you have running the business and protecting the business. And, uh, information is key.
Understanding the risks, understanding where they come from and understanding what's important to your business, um, requires partnerships and support from others. And I'm thrilled to have Vinny and Bimal on from, uh, HITRUST today. Good. Good to see you guys.
[00:00:58] Vincent Bennekers: Hey, Sean. Glad, glad to [00:01:00] be here.
[00:01:00] Sean Martin: Yeah, su super fun. I love working with the, with the HITRUST team, uh, at the, at the Collaborate Conference. And, uh, we've had many conversations around third party risk and compliance and, and how to, how to mitigate or deploy controls to successfully secure the business and, and also meet compliance requirements.
Today we're gonna be talking about, uh, the Trust Report that your team's pulled together and we're gonna, um, explore what that means to businesses, uh, looking to protect themselves. So, so before we get into, uh, all, all the goodness that is the Trust Report from HITRUST, maybe a few words from each of you about your role at HITRUST and what you're up to.
Bimal, I'll start with you and then Vinny, after, after Bimal.
[00:01:44] Bimal Sheth: Sure. Uh, so this is Bimal Sheth. I'm the EVP of Standards Development and Assurance Operations here at HITRUST. Uh, so what that means is that my teams are responsible for developing the HITRUST CSF, our framework, and [00:02:00] then also processing, uh, the certifications, uh, that come in, uh, ensuring those meet our high quality standards.
[00:02:10] Vincent Bennekers: And my name's Vincent Bennekers. I'm the VP of Quality at HITRUST. So our quality department really oversees the quality and integrity of all the certifications we issue, um, including setting the rules for the certifications, overseeing that those rules are being followed and enforcing those rules. Um, and so our department also, um, develops, writes and helps produce the, the Trust Report, um, which I think we'll talk about here in a minute. I think you're on mute. Huh?
[00:02:48] Sean Martin: So now that you're sideways, Bimal, I'm gonna ask you to introduce yourself again.
[00:02:55] Bimal Sheth: Uh, Bimal Sheth. I'm the EVP of Standards Development and Assurance [00:03:00] Operations here at HITRUST. And so what that means is my teams are responsible for, uh, developing our framework, the HITRUST CSF, and then also processing, uh, the certifications that come in, uh, to make sure that they, uh, meet our high quality standards.
And then working with customers, uh, in the post certification process as well.
[00:03:24] Sean Martin: A few, a few things going on in there. And I'm always interested in that whole process, which, uh, if I ask a question, we'll, we'll stay on that topic the whole day, which, uh, would be fun, but not the point of this conversation. But, uh, so Vinny, let, let's get into the report. Maybe. What, what's the history of the report?
When was, when was the first report written and what, what was the main objective?
[00:03:49] Vincent Bennekers: Yeah, so we started issuing the Trust Report last year, uh, 2024. So we issued the first annual Trust Report, I think it was [00:04:00] April 15th, 2024. Um, our, our goal with issuing a report was really to provide the market with a perspective on all the things we do at HITRUST that, um, helps produce a reliable and relevant certification for the customer. Um, so we, we knew at HITRUST that there were a lot of steps that we took to ensure the quality of those certifications, but we wanted to make sure the market knew, um, everything that we did and really what sets HITRUST apart from some of the other, uh, other certifications that are out there. Um, and so we continued, um, with the annual certification, uh, annual Trust Report this year, where in February of this year we issued the 2025 version of the Trust Report, where we looked back at some of the, the data [00:05:00] points that we provided in the 2024 report, looked at, were there differences?
How are, how are things trending related to the quality of our certifications and, and the reliability and relevance metrics that we were looking at.
[00:05:15] Sean Martin: Yeah, and the re reliability has been, I mean, quality obviously is key, but ultimately from a business perspective, the reliability is what it all boils down to. And so what, um, what are some of the elements in the report that, uh, yeah, readers should be aware of? I think you speak to, uh, like benchmarking and assurance, maturity and
[00:05:42] Vincent Bennekers: Yeah, so for, for reliability, um, we really, we have a quality assurance program here at HITRUST, um, where we perform a review of every assessment that gets submitted to us. And, um, [00:06:00] our QA analysts take a, take a deep dive into, um, the testing that assessors performed, um, ensuring that it meets all the requirements that we have set out, um, that are needed for, um, for an organization to achieve certification. So I think it's really that, that third party review that we do helps set us apart from other certifications. 'Cause a lot of other assessments and certifications, there's usually the customer involved and then there's the assessor or auditor. So, but we've taken the extra step to introduce ourselves as a third party to provide additional legitimacy and so that customers can, uh, can really be able to rely on a certification and results of that certification. Um, the second piece of that is that relevance that I mentioned, and I think that's very important as well, um, [00:07:00] for, for customers, because you can have a report that's reliable, but if it's not relevant for your organization, then it's, it's not really useful for you.
Right. So some of the things we looked at related to relevance are, um, are how, uh, a HITRUST assessment is tailorable for the organization and how the assessment is able to be, um, done at different levels. Uh, so different sets of requirements provided based on the size of the organization, based on the needs of the organization. Um, but then also we looked at metrics related to how are organizations, um, organizations that are HITRUST certified, um, does it really provide them with that additional level of security? And I think that's where we looked at the number of breaches that, or HITRUST certified organizations have, have had. And in 2024, the first [00:08:00] year we issued it, um, that was one of the key, uh, metrics that we really, uh, identified, is that 99.36% of customers who had a HITRUST certification had not reported a breach to us. And then this year in the 2025 Trust Report, um, it was a very similar number in that 99.41% of customers had not reported a breach to us.
So I don't think the 2024 number was an outlier. I think it just, I think this year we, we really demonstrated that, that that number is, is, is accurate and correct, um, and that customers are, are still, not, HITRUST certified customers are not experiencing breaches.
[00:08:50] Sean Martin: Right. And yeah, so, so much to pull on here. So the, so I'll just summarize this then. Bimal, I'm gonna come to you in a second, uh, 'cause I'm gonna ask the question that [00:09:00] I held off on, at the beginning here. Um, but I mean, that's the ultimate goal, right? Is to run an organization that's resilient and also compliant.
Um, compliance hopefully drives some of the resilience. Um, but it isn't, the, the checkbox isn't the end game of, of resilience. And when organizations, when customers are engaging with a, a business, and when businesses are engaging with each other, they want to know that whoever they're working with is doing the right things with respect to privacy and security and, and adhering to regulations, whatever they may be.
And so there's a whole, so to have the certification from HITRUST, it says something meaningful, and then the quality numbers that you're pulling out in the report demonstrate that it is meaningful and you, you can trust it. Hence the name of the Trust Report, I presume. So, you know, this is where I wanna bring you in.
Can, I'm gonna put you on the spot. It might be difficult in a few, in a few minutes, but [00:10:00] can you describe the certification process? Because it, I think it's important to note that HITRUST for decades has put a lot of effort into what are the risks, what are the controls that mitigate those risks, how do we identify those controls within the organization, who then should validate or verify that they're in place?
And then, then who should validate that that assessment was, was done. And then obviously Vinny comes in with the, the, the quality to, to show that all that stuff does actually indeed look good. So I did it at a high level. Maybe give some more details in that, that flow that will help people understand what HITRUST is doing, to really give the relevance piece and the, the stuff that's driving that resilience number.
[00:10:50] Bimal Sheth: Absolutely. And I, I think one of the first things to think about is really the construction of the framework. Um, and it, how it ensures relevance. So one [00:11:00] of the things that our teams do to ensure relevance is they ingest, uh, cyber threat intelligence data. They're ingesting data from multiple providers.
And what they're doing is they're leveraging, they're mapping that data to, uh, the MITRE ATT&CK framework and looking at the techniques and the mitigations that MITRE, uh, recommends. And then from there they are mapping HITRUST requirements and controls to those techniques, or to the mitigations, I should say, that MITRE recommends. And so what you have there is relevance because you're ensuring that the assessments have the right controls in there to mitigate real world threats. So it's not someone doing a risk assessment and sitting in a room thinking about the different types of risk an organization faces.
These are actual, it's based on actual data of risk, of threats that organizations [00:12:00] have faced and are facing out in the wild. And once we have the framework, organizations then can go into MyCSF, our SaaS platform, and tailor their assessment based on their risk, their unique risk factors. So you know, the different technologies that they're using, the different compliance requirements that they may face, and that tailoring adjusts the controls that would be recommended.
Um, from there, what almost every organization does is work with an external assessor, so a professional services firm, to do a readiness assessment. Make sure they understand the state, the current state of their environment, and that assessor can help guide them on steps that they may need to take to remediate, um, or indicate that they may be ready for an actual certification.
Um, and so they go, they perform, uh, their certification. Once the remediation has [00:13:00] been completed, in MyCSF they're uploading evidence. The assessor is reviewing that evidence. And really what makes us, uh, a bit unique is that we use the control maturity model to evaluate, uh, controls. So other, um, certifications and other control frameworks kind of use a, uh, pass fail type methodology. So you say, oh, it worked or it didn't. Um, our approach is to say, you know, really, performance of the control can be, uh, a little bit more shades of gray, uh, rather than black and white. And there may be cases where a control didn't completely operate and maybe it partially operated.
And we need to understand that. Um, it's not a complete failure, but it's also not a complete success either. Um, and so our maturity model allows the assessor and the customer to score that control based on its performance. And from there, uh, that [00:14:00] scoring is then aggregated, uh, to determine if the assessment has passed the minimum bar required for certification, um, and what, uh, what we call CAPs, or corrective action plans, are required.
So these might be items and controls that scored a little, that scored, uh, a little lower than expected. And the organization has a little bit of remediation work left to do, but they did meet the minimum bar for certification. Um, in some other certifications, that's really where the process ends. There's, uh, not, there's not anything else, uh, certification is awarded.
What makes HITRUST unique is that we think, as Vinny mentioned, another layer of quality control is really necessary from us as the certification body. And so what MyCSF does is take that entire certification package and send it to HITRUST for evaluation. And our evaluation is [00:15:00] multifaceted, and really what we wanna ensure is that the scores that are represented in that assessment truly are supported by the evidence that was collected and maintained, and they accurately reflect the control environment that that, uh, customer has.
So the first step in that quality assurance process is automated. We use our Assurance Intelligence Engine, our AIE, to do multiple analytics and scanning of each assessment, looking for, uh, indicators where there may be, maybe issues with the evidence. There may be some scoring challenges or a number of other factors. Um, that data is then fed back, um, for the assessor to address, um, if, if there are things that the assessor needs to address, or forwarded to a QA analyst. And I think it's worth noting that a hundred percent of HITRUST certifications are [00:16:00] reviewed by HITRUST. We don't do a sample, we don't, uh, pick every fifth one or anything like that.
Every certification is reviewed by a HITRUST QA analyst and, um, multiple layers of HITRUST management, uh, before it's awarded. The QA analyst is looking, QA analyst is using some automated tools, um, as part of the AIE, and then they're also reviewing certain requirements and controls to, again, make sure that scoring is accurate.
And then once all the items have been addressed that the QA analyst has found, um, and they're satisfied, it goes through our executive reviews, um, on the HITRUST team. Um, so the, uh, the analyst manager, and then also I think very importantly, uh, a member of Vinny's team will also review as well. And only then is a certification, uh, awarded, [00:17:00] uh, and posted in MyCSF, uh, for the customer, uh, to then share with their, uh, with their stakeholders.
[00:17:09] Sean Martin: And a stakeholder can be a, a business partner or perhaps even a, a third party vendor. Um, well, I guess that, uh, yeah. Business partner, I, business partner, I would say they, they also may receive some from their own business partner, from a third party, but some of, some of the report you can share with each other, right?
Which, um, the reliability and the, and the scoping and the verification and all this stuff becomes even more important. Not just, not just an internal use.
[00:17:38] Vincent Bennekers: Yeah, customer, a customer can really have, uh, any number of what we call them is relying parties. So it's those parties they are willing, they want to share the HITRUST certification with, or who they need to, in some cases, if they have contractual agreements to, to share the, the HITRUST report or certification with, um, [00:18:00] to ensure they meet that, that level of security.
[00:18:05] Sean Martin: Yeah, not, not visibility and the, the credibility or reliability, as, uh, HITRUST refers to it, is super important when somebody is looking from the outside in, right? Because they, they, what the spreadsheet's no good to validate
[00:18:18] Vincent Bennekers: Yeah.
[00:18:19] Sean Martin: a spreadsheet questionnaire saying We did this isn't, isn't nearly as good as what you guys provide Clearly.
[00:18:25] Vincent Bennekers: Yeah, and I think going back to the first question on why we produced the Trust Report, I think when you look at those relying parties, we, we really wanted to give them the information around, hey, this is what we're doing on why you can trust or rely on a HITRUST certification that you're getting from your customer.
Right? Um, so these are, this is everything we do to, to ensure the integrity of that, that certification.
[00:18:55] Bimal Sheth: I think it's also important that relying parties, you know, those people who receive the [00:19:00] report, um, understand that it actually produces better outcomes, right, at the, at the end of the day. Um, you know, many people view, um, assurance reports as kind of a, a check the box type exercise, right? And we want, part of producing the Trust Report was to say,
no, there's actually value here in having a third party come in, look at your environment, um, using this rigorous methodology and framework, and then, you know, having the certification body perform more quality assurance, um, procedures. But the end result is really tangible, and that's a, a significantly lower breach rate.
And that's the outcome that everyone wants. And we want to start the conversation with those relying parties to say, you know, the other assurance mechanisms, you know, whatever they are that you're [00:20:00] accepting, you know, can they produce that same, you know, proof that they work?
[00:20:08] Sean Martin: Exactly, and so in this report you, you're monitoring, you're analyzing the, some data points from all of these, uh, certifications and the, the submission packages. And you, I presume, look for trends, anomalies, in, in the data. Um, and the purpose of that is one, as you described, to give, give relying parties a sense of more than just comfort, a sense of knowing, right. Some insight into that these certifications are relevant and, and accurate and in line with what businesses are facing, but then also to help perhaps them tune, or individual organizations tune their own programs to kind of get ahead of some of the trends you're seeing or [00:21:00] make sure that the anomalies you're seeing aren't affecting their own programs or
[00:21:04] Vincent Bennekers: Yeah.
[00:21:04] Sean Martin: how does that look?
[00:21:05] Vincent Bennekers: Yeah, definitely. I think one of the items Bimal mentioned, um, that's unique to a HITRUST certification is that we have, have scoring on each requirement, and it's based on a maturity model, right? So when an organization receives their HITRUST report, there's, they're often not achieving the full hundred score that they could get. So I think there's always room for improvement within an organization to improve your security on, on really every requirement that you have. But it, but it helps you identify, okay, which requirements are the lowest scoring? And by lowest scoring, I mean probably the, the, the less mature requirements that an organization has. And so in the Trust Report, one of the [00:22:00] areas we identified is, um, which domains, um, organizations are scoring the lowest in. And so what we found is that, um, it's mostly related to vulnerability management and access control. Um, and this is also consistent with what we noted in the Trust Report related to what's, for customers who did experience a breach and reported one to HITRUST, that's also similar areas, um, that we saw that resulted in breaches. So I think when an organization looks at this report and just wants to know, okay, what do we need to focus on in maturity, I think that where most organizations struggle is related to vulnerability management.
So making sure you're protected from security flaws in [00:23:00] software and hardware, that you're implementing those necessary controls to not just protect you but detect any security flaws. 'Cause a lot of the breaches, um, that were reported to us were related to zero day vulnerabilities, which are very difficult to defend against.
But if you have the detection process in place, you're able to, to identify those more quickly. And so I think some of these are examples of items we've noted in the Trust Report that will help organizations, um, generally understand where they should focus their efforts.
[00:23:37] Sean Martin: And, uh, I have a few questions I wanna ask. Um, broadly, uh, broadly looking at, uh, what the report has in it, are there any, any areas that, in addition to what you just disclosed, any other areas that you wanna highlight in terms of interesting findings or key findings?
[00:23:55] Vincent Bennekers: I think one of the other areas we identified was the top [00:24:00] 10, um, requirements that resulted in a CAP. And a CAP is a corrective action plan. So it's really those requirements where an organization didn't meet a sufficient level of maturity. Um, and so when we put a, have a CAP in a, in a HITRUST certification, the organization is expected to, to remediate those. Um, and so, so we identified the top 10. And when we look at the top 10, I think the top two requirements, which was really the most, requirements that had the most CAPs across all organizations, were related to service providers. Um, so that really comes down to making sure you're appropriately managing your service providers, your vendors, um, making sure they have the appropriate security requirements in place. [00:25:00] And then the other thing, other item we noted in the top 10 is that three of the top 10 were related to access control. And so it's probably looking at, in the report, at those three requirements and seeing, hey, have we appropriately implemented these controls within our environment?
[00:25:19] Sean Martin: And Bimal, what, what, what does that say to you and your teams? Um, to me it makes, it seems like perhaps it's a misunderstanding of the requirement and the re, and the necessary controls, or, or lack of maturity in, in the controls and the implementation compared to what's really required, or what, but that's kind of my own view.
But I'm sure you have many thoughts based on spending so much time in this space.
[00:25:48] Bimal Sheth: Yeah, absolutely. I think part of it is, um, you know, organizations are on a spectrum, right, in terms of control maturity and, and what their [00:26:00] capabilities are. Um, and I think there are opportunities, you know. I think we recognize that not everyone has, you know, an unlimited budget to help fix some of these things.
Um, and so there are some investment opportunities for folks to, to really work on, um, some of these, some of these items and, and help remediate them. Um, you know, one of the more promising things I, I saw in the report was really around, uh, the number of organizations that use, uh, what we call external inheritance.
And so this is using, um, a third party service provider and kind of leveraging their control environment, um, and relying on the controls that they've done. Uh, like a great example is, uh, one of the big cloud service providers like AWS or Azure or GCP. And I think that's an [00:27:00] opportunity for, um, customers who may not have, um, as significant of a security budget to stand on the shoulders of giants.
Really, people who are extremely sophisticated, um, have large security budgets, can, you know, have robust security practices, um, and build in those environments, um, where you just frankly have, uh, less of a surface area where you're responsible for security, and it just makes it easier and more efficient.
And the three year trend in the Trust Report is, does organiza, uh, the number of customers who utilize that is steadily increasing. So I'm, I'm cautiously optimistic that there are opportunities for organizations to further leverage, um, service providers like the CSPs to help build more secure environments.
[00:27:55] Sean Martin: Yeah, I've had a few conversations on this topic where, uh, around [00:28:00] shared responsibility, but what you're talking about is not just a concept of shared, shared responsibility, but an implementation of, of inherited controls. Right. Um, yeah. So cool stuff. I want to maybe take a moment to think of this from the executive level and the, and the board level. Are, are there any, any points in the report, risks or indicators that, um, would help boards and executive teams prepare their programs better, prepare for, uh, compliance certifications, uh, in a better way?
[00:28:40] Bimal Sheth: I'll start off. I, I think if you're, if you're a board member, um, or in the C-suite, I, I think you have to be asking your security function for, uh, really a, a lay of the land and understanding what the risks really are, um, and where the exposures [00:29:00] are. Because transparency here is the best form of, uh, of, uh, is the best form here, because once, once you guys start, once everyone starts seeing what the issues are, you can put forth action plans to remediate them.
It, it's not something to sweep under the rug because the consequences are too severe. And I would encourage, you know, any executive to ask those questions and, you know, really agree, and really agree on the language it will be communicated in, because, you know, you want something that just isn't kind of a piecemeal saying, okay, we did a deep dive on, you know, five controls, you know, this year and next year we'll pick a different five, um, and see how we do it. I think you really have to look at it more holistically, um, in terms of the environment and get that feedback, [00:30:00] and have that communication about here's where we are, here's where we need to be, um, and then how do we get there?
And that has to be a two-way street in terms of the communication, um, for it to be an effective program.
[00:30:16] Vincent Bennekers: Yeah, and to add to that, I think what we are seeing with HITRUST customers, or HITRUST certified customers, is that they, they are treating a HITRUST assessment as more than just a check the box exercise, as Bimal was talking about earlier, in that we looked at the corrective actions, um, on a year over year basis to see if customers were, were remediating those, um, those, those issues that were identified in a HITRUST assessment. And what we saw was that consistently, yes, any HITRUST returning customers were seriously, uh, coming up with a plan [00:31:00] and addressing those corrective actions in the following assessment, where, for our, for r2 customers, they, uh, saw approximately a, a 20% decrease in those, um, in those corrective actions,
uh, year over year. Whereas i1 customers have 54% fewer CAPs, um, on a year over year basis. So I think the HITRUST customer is interested in improving their security model, and we help provide them with a, a path to, to let them know what they need to improve upon.
[00:31:43] Sean Martin: Yeah, and I don't, one or both of you may be able to comment on this, but just the idea that clearly the data set you're working from are HITRUST certified customers. So they've already made the decision that whatever they were doing previously before HITRUST wasn't enough. [00:32:00] Either somebody said, we need you to do this because you wanna be a, a business partner,
or they recognize the value of, of the HITRUST CSF, and its, its method to improve their security posture in line with their business objectives. But something like a standard framework, an ISO framework or a, or, um, I'll say the, the SOC 2, where a lot of organizations do it just to get a checkbox, um, kind of leaves them short in many ways.
Um, so I dunno if either of you can speak to the value of what, what HITRUST CSF and the certification provides, and the Trust Report proves, that they're not gonna get from, from just analyzing based on a, an ISO standard or a, or a SOC 2 certification.
[00:32:50] Vincent Bennekers: So I'll start with just going back to something Bimal had mentioned earlier on, around the framework itself and our process, in that the requirements that are in a HITRUST assessment really start with a threat analysis. So we map real-time threats into HITRUST requirements. So when an organization has an assessment, it's not just a list of controls that's sent to every organization to try and address; it's controls related to actual threats that an organization should be implementing to reduce their risk profile.
[00:33:44] Bimal Sheth: I think one of the things I focus on is really, you know, the market reaction. I think in 2024 we actually launched our cyber insurance facility. And what this is, is the ability for HITRUST-certified organizations to get preferential cyber insurance rates and streamlined underwriting when they go to get a cyber policy. To me, that's the market saying we recognize that a HITRUST certification has a lot of value in providing better outcomes for those organizations who achieve certification, because they should be rewarded with lower rates because they are less risky, and the data proves that out. Our insurance facility has a Lloyd's stamp, and I think both the brokers and the underwriters were very excited about the product because it gave them a way to understand those organizations who have more mature control environments versus those that do not. And, you know, the feedback we got in the creation of that facility was really around, yours is the tool that allows us to make that delineation, whereas we couldn't do it with other things like SOC 2 or ISO certifications, just because the quality and the controls that they're testing vary so much. With HITRUST we can do this and we can make that delineation, and they're willing to back it up with reduced premiums. So I think that says a lot about the HITRUST solution.
[00:35:43] Sean Martin: Yeah, and we've had conversations on the cyber insurance thing, so I'll link to that episode as well for people to listen to. I think the point I'll make in that context is, you made the point of relevancy earlier, and I think scoping, because in some of the other options it's easy to scope stuff out, and you look really good when you scope the hard stuff out and leave the easy stuff in. And then of course you lose a lot of the relevancy, and even if you're transparent, some of those things are hard to be transparent with. You don't know exactly what you're really getting. So I think HITRUST has a lot of detail, a lot of transparency, and of course the assurance and the reliability. I want to bring it to one more thing, and then we're going to look into the future, but there's this idea of continuous assurance. Maybe one of you can describe what that means for folks in the context of HITRUST, and perhaps if there's anything in the report that kind of speaks to how that might look these days.
[00:36:54] Bimal Sheth: Sure, I'll kick it off, and Vinny, maybe you can talk a little bit about the report and what we say about it. But I think for HITRUST, what continuous assurance means is this: right now, with every assurance mechanism, HITRUST included, you do kind of this big bang. You test a bunch of controls; it's hugely time-consuming and distracting for an organization. And then everyone celebrates when you get the report, and then you wait till the next two years or a year rolls around and you do the same thing over again. And no one ever questions, why isn't there something done more frequently? This idea of continuous assurance is something that we've been percolating for many years, to say: what if you did an assessment and there were checkpoints along the way, where you're using automation to report back more frequently on the status of those controls? Right. There's telemetry coming in, it's being evaluated, and it's not that big bang, it's incremental. You do a few controls every so often, or maybe every quarter, and ultimately that allows your certification to go on longer. And it allows you to have more assurance that the control environment hasn't drifted, right? Or if it has drifted, you're able to detect that drift and respond much more timely than you would have in the big bang method. And so we think there's a lot of value: one, just from a practical standpoint of spreading that work out and making it easier to consume; and two, for the relying parties, those people who receive it, to understand that there were more frequent touch points, and so we're minimizing this risk of drift that can happen in the big bang approach.
[00:39:10] Vincent Bennekers: So, in the report itself, we talk about where we're going related to continuous assurance. It's probably the key future initiative that we have on our plate, because we do think this is the future of assurance, and the future for customers as well. And I think what it involves for customers is really implementing a program that allows them to monitor that their controls remain in compliance on a continuous basis. And then what we would do from the HITRUST side is test, or have it tested, that they are continually monitoring those controls. And so, as Bimal mentioned, this really provides efficiencies to the customers on a regular basis, as they end up with a certification that really just lives on as long as their environment is still addressing all the necessary requirements and controls.
[00:40:24] Sean Martin: Yeah. Good stuff. And as a wrap here, I'm going to ask one or both of you, however you want to take it: what should organizations consider looking at and prioritizing over the next 12 to 18 months? And I'm just going to put out my own thought here, but then maybe some more details, or correct me if I'm completely wrong. Just the areas that you mentioned, vulnerability management, access control, and I think third party was another area that we touched on. All three of those seem very dynamic, right? Employees coming and going, contractors coming and going, new software, new systems, new services coming and going. Updates being applied, but not necessarily patches, right? Then of course new partners coming and going. I don't know how that looks for the rest of the analysis, if they're less dynamic. But connecting that to continuous assurance, perhaps those are areas that organizations need to take a more dynamic approach to. So that's my thought, just based on this conversation, but I'd like to hear your thoughts on where organizations can focus, and if there's a couple of nuggets of detail in there as well, please do share.
[00:41:45] Bimal Sheth: I think one area, and this is very forward-looking, is AI. It is entering your environment whether you like it or not, and your business partners are using AI as well. So, starting to think about what additional risk AI can introduce, whether it's your own deployment or deployments by partners, and how you start to mitigate those risks, especially on security, because securing AI is a bit different than securing a typical cyber environment. So I think it'd be remiss if you didn't start to consider those risks and explore how you mitigate them and how you monitor them. And I think it's something that will change pretty regularly over the next 12 to 18 months as the AI landscape evolves and changes. But it is something that organizations need to start expanding for now, and their programs may need to change as well.
[00:43:06] Vincent Bennekers: I think, to add on to that, it's not just the risk of using AI, but I think organizations could use AI to help in their security functions as well. So as you mentioned, the areas that organizations struggle with are those dynamic areas like access control and vulnerability management. I think there will be opportunities forthcoming where organizations can use AI to help secure their environment, and so I think organizations should look at how they can use that to enhance their security as well.
[00:43:51] Sean Martin: I love it. Well, good stuff. There's a ton in the report, obviously, and I think it proves that there's a lot that goes into creating the framework, analyzing the real, relevant threats that organizations face, so that they can take proactive measures to control the environment and mitigate those risks. And then the whole process after, too, to provide assurance. And then the quality control for the certification, through an independent assessor, that then comes and gets validated by HITRUST, is super important. I'm going to also mention that there's an AI assessment and certification as well that you have, so I'll link to that. We did an episode on that solution as well, so I'll link to that so folks can learn a bit more about it. So thanks for highlighting that part as a recommendation. Anything to add before we wrap here, guys?
[00:44:51] Vincent Bennekers: No, nothing else. I think we covered it pretty well. Right now I'm working on what's going to go into the 2026 Trust Report, so I look forward to coming up with that and sharing it, probably in about six or seven months.
[00:45:09] Sean Martin: Sounds good. Well, you're welcome back here anytime to do that. It's always a fun conversation, and an important one as well, and yeah, sometimes difficult if you don't have the right partner in play. So thank you, Bimal and Vinny, for this chat. Thanks everybody for listening to this Brand Story on ITSPmagazine. Please do connect with Bimal and Vinny, connect with the HITRUST team, and look for the HITRUST report, which I'll include a link to in the show notes. There are a few episodes that we referenced here during this conversation; I'll link to those too so you can listen to a few more stories from HITRUST. And of course, in the Brand Directory on ITSPmagazine, there are a number of assets and other stories from HITRUST that you should check out. Until the next time, Bimal, Vinny, thanks a million.
[00:46:00] Vincent Bennekers: Thank you.
[00:46:00] Bimal Sheth: Thank you.