Episode 322 | Lemon Williams: Compliance Documentation

Show Notes

Lemon Williams is a cyber security and operational risk management professional with extensive multi-industry experience establishing sustainable cyber security programs for the public and private sector, applying leading industry processes and regulatory standards including the Sarbanes–Oxley Act (SOX), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and the Federal Information Security Management Act (FISMA), among others.

In this episode we discuss the book he recently published: How-To Write Quality Compliance Documentation: Policy and Setting the Tone for Controlling Process.

On Amazon here: https://www.amazon.com/dp/B08C96QRDH/ref=cm_sw_r_tw_dp_x_MMoaFbW785DAQ

Lemon is the Founder of The Ionado Group, and you can learn more about his work here: https://www.ionadogroup.com/


Will Bachman 00:01
Hello, and welcome to Unleashed, the show that explores how to thrive as an independent professional. Unleashed is produced by Umbrex, which connects you with the world’s top independent management consultants. I’m your host Will Bachman. And I’m excited to be here today with Lemon Williams, who is a cyber security expert who focuses on serving utilities. He runs the firm Ionado Group, and he is the author of a new book, How-To Write Quality Compliance Documentation. Lemon, welcome to the show. Thank you, Will. Thank you, happy to be here. All right. So it might not be kind of bestseller material title. But this is the kind of book that I love to nerd out on. Tell me a little bit about kind of the audience and kind of some of the key messages of your new book, How-To Write Quality Compliance Documentation.

Lemon Williams 00:56
All right, I’ll be happy to. The audience for the book is anyone who’s had to organize a process before that’s not fully been documented or organized. Anytime anyone’s talking about, we need to write a policy for this, or we need to have better procedures. So my experience as a consultant, this is one of the biggest pain points that I saw, is people not really being able to know where to get started, or how to jumpstart exactly what components need to be in that high level documentation to sort of encase the process that you’re trying to control. And really, you know, what the intended objectives were of it.

Will Bachman 01:40
Yeah. So there’s, I mean, a couple ends of the spectrum of that. At one end of the spectrum is an internal document that you’re gonna use just for your team, where you want to document here’s how we send an invoice out or something, just to make sure everybody knows how to do it, maybe it’s just a quick Loom video or something like that. At the other end of the spectrum would be where you’re really focused about making sure you’re complying with some kind of regulatory mandatory stuff for the FDA or whatever. Which end of the spectrum is your book more geared towards?

Lemon Williams 02:16
It’s definitely going to be geared towards the latter. This is a way to figure out how to write your top level documentation so they can substantiate that you have compliance and control over a process, because that’s really what we’re looking at when we’re looking at complying with federal and state entities. What they want to make sure that you have is that you have a person assigned to everything, you have clearly outlined what your commitment to this process is.

Will Bachman 02:44
So first, help me understand the problem statement. So what drove you to write this? Give us some examples of where you’ve seen poorly written compliance documentation and the type of poor outcomes that that leads to. So why should someone care about this?

Lemon Williams 03:10
So that’s exactly why I wrote this. I brought it from a lot of my client experience consulting, where a lot of the policy documentation that was required was just very, very poorly put together. Usually, what people start with is they start with a situation where they have internal knowledge of how to do something, they will kind of formalize that into something more like a checklist or sort of a cheat sheet for how things are done. And it’s very loosely assembled. And it doesn’t really have the sort of flow that it needs to actually control something. So we have this kind of poorly written, sort of cobbled together from sticky notes and pasted down knowledge and tables and notes written there. What it actually leads to is poor transfer of knowledge. So two things you can’t do at both ends. The first thing you can’t do is that it’s very difficult without a lot of training and OJT for someone new to come in and really understand actually what their job is, and really even know the boundaries of what they’re responsible for and what they’re not. It’s also, in a situation where either you have a regulator that is going to want to review your processes, or there is an incident and you have to substantiate that you had enough control over your processes that you were not negligent, then that’s also going to be not sufficient to do that. So one of the things that I was doing over and over again was to kind of come out and outline exactly what these were, exactly how to state objectives and how to state your intent, how to formulate a policy that was going to allow you to continuously augment that with sub-documents like procedures in a very consistent way that keeps all that information neat and together, more of a library, and tells a better story.

Will Bachman 05:11
Okay, cool. So walk us through some of the key principles in the book on, you know how to make good compliance documentation.

Lemon Williams 05:22
Alright, sure. First off, we kind of look at the why, that’s our objective and intent. And we want to make sure that the prose of it, the actual wording of it, you know, provides some awareness, kind of strengthens and bolsters the program, really defines what it is that we’re trying to do or control and why we’re trying to do it. And then another part of the book goes into our general writing styles of it. That’s another thing that was happening is because, you know, this is not formal documentation in the sense that it’s not written in a hugely formal way. But it does have some general guides to it in terms of, one, it needs to speak to exactly how that particular company or industry refers to things. You have to basically have a kind of a predetermined sort of catalog and titling and naming convention and system. For one, make sure that you have your proper version control and a very centralized template, and you have approvals in place. You want to make sure that you actually have people listed by titles and roles and responsibilities for what they do. And just make sure that you have this consistent look and feel throughout it, and that you have things numbered in sections. I know that sounds like some very, very basic things. But this really came from seeing, over and over again, how these documents weren’t referenceable. And it was hard for people to get on the same page. If you just typed everything on a straight piece of paper, Will, and you just had all this good information in there, but you didn’t really have a section one or section two or section three, and you didn’t really define what that pertained to, then it’s hard for someone reading the same document or someone trying to follow you to know that they’re on step five, or that they’re on section 12, or subsection 2a. So making sure that we covered those sorts of things in general writing styles was one thing that was important. 
And so in the book, I sort of put in a mock policy here, and I have callouts to annotate where all those different places are. But we put in these sort of mechanical details as to, you know, when’s the last time the document was revised? What’s the document’s, you know, name, you know, version number, last review date, and what the different sections of it need to be, how the information needs to be broken up. In terms of the content, that’s a little bit of a different story. I can get into that a little bit if you’re interested.

Will Bachman 08:02
Yeah, I am. I mean, it reminds me a bit of my Navy days. In the submarine force, we had the reactor plant manual, and for all the casualty procedures, you’d have standardized sections, they’d all be set up the same way. So there’d be, you know, a section on cautions. So the first section, it’d be cautions, if there were any cautions about this procedure. Then there’d be initial conditions. And this would apply both to regular operating procedures as well. Right. So before you enter this procedure, you have to have the following initial conditions. And then if it was a casualty procedure it might be, here’s the immediate actions to take. And then there’s the follow up actions. And in the course of the follow up actions it would walk you through like, if this, then do that. If this, then that. You test this, if you get A, if you get B, true, false, do this, do that. So it kind of walked you through the sections. And you know, to your point, it was all numbered, and kind of organized so that you could refer to like section one, part two, you know, chapter three, step four, version control. What are the sections that you recommend in a, you know, well done compliance document? Like, is there something parallel to what I described from the Navy days?

Lemon Williams 09:21
It’s very similar. It’s actually very similar. The sections that it would have, you know, generally speaking, are we’re going to have a policy statement, and that’s just your clear statement of what this is for. And there’s also some tips in here about your language, about using, you know, shall and must and will versus using should, so that language is a little bit stronger and strengthened and people understand that it’s not optional. We’re going to have a purpose section and a scope section. And you know, those things provide, you know, information on who your audience is that it was written for and what it applies to. A lot of times, you might have similar groups, sub sections, so your scope area there can actually, you know, take you to those sections. It kind of works as a primer, more of the entire document actually sort of works as a primer, because this is going to then maybe direct you to more detailed sub-documentation. The biggest areas that you’re going to have are your roles and responsibility area, because that’s where you really want people to understand, for the function that they’re serving, what are the limits of responsibility for it. And it’s important to control that both at the low end and the high end. You want someone to know exactly what they need to do. But you also need to know what they need to not do and where that responsibility begins and ends. So the other sections here that we have are, we want to make sure that there’s approvals here for who signed off on it. That’s more of a record keeping thing for compliance, that also sort of shows at what level the document is written. And then you’ll have, you know, organizational information, and a lot of it is also just audit information, the last time that it was updated and what was changed and updated on it. 
So if someone, you know, is familiar with the processes from a previous version of this document, they can easily sort of see where situations and conditions have changed. So those are the general sections. And then we just talk about writing things clearly and concisely, quite a bit. And we talk about the level of maturity that you want to have for a process. So in the book, there’s a table that talks about a process going all the way from rudimentary, all the way up to a leading process. And we talk about that process maturity. And the more detail you can put in and you can document it, the more concise you can make it by using the different sections and working the information that you need into a section where it makes sense, the more mature your process is going to be.

Will Bachman 12:02
How do you recommend people do the version control? You know, if it’s just one person, that’s not so hard, but when you’re working across an organization? What tools have you seen? Is there good software for that? Or what do you recommend around maintaining version control for some sort of compliance documents or any kind of documentation at a company?

Lemon Williams 12:28
Well, one thing that can be ubiquitous across all kinds of platforms. And we’ve seen them all, there’s electronic platforms, a lot of people use SharePoint or use different GRC systems to keep the documentation. But one main thing that works across all of those that is sort of technology agnostic is to have a standardized naming convention. You’re from the military, so you’re used to SOPs and standard operating procedures, and that sort of thing. Having a naming convention that works in the section, purpose, applicability, and even the version into the nomenclature of the document. That way, wherever that document goes, people understand what version they’re on and what audience it’s meant for. So if you had something that was for your operations support IT group, for your field offices in Philadelphia, it could be PHA OT IT SOP 526, you know, the 002. And that way, since that version stays with it, in the document, when the new version comes in, 003, it’s there. And that keeps it nice and neat. And people understand that they have that, that helps out a lot. Because we are using these over multiple platforms. Sometimes this is going to be even printed on paper. Sometimes it’s going to be available through an intranet. So what I found to do is that I want to make sure that we weave that into the document and make that part of the document lifecycle. Does that make sense, Will?

Will Bachman 14:12
It does. So, but I guess maybe let me ask the question in a slightly different way. So let’s say I’m at a company of 50 or 100 people, right? And I’m maybe an accounts receivable clerk. So I am trained up on how to send out invoices, but maybe we have procedures for each individual one of our big clients, they might have some particularities around what they need on their invoice. So I’ve been out for six months, I just came back from, let’s say, some leave. Let’s say I came back to the company and I’m sending an invoice to client X. So I want to go and I want to find, okay, what’s the latest guidance for company X. I have in my files, maybe on my desktop, I’ve saved the, you know, the PDF. But how do I know what the latest, you know, most authoritative guidance is? Where would I go for that? That’s sort of the first part of the question. And the second part of the question is, as an organization, what system do you put in place? There’s rules around who can approve, you know, version six? And who signs off on it? Where do you file it? How does everybody know that that’s been approved by the right level of manager, and then that replaces the old guidance, and then that makes sure that everybody when they’re accessing that document is getting version six and not using version five? So how do you maintain that version control on compliance documentation? Is there some good software for that, or some system for routing approvals, getting them approved, storing the latest version?

Lemon Williams 15:57
One of the easiest to implement there is going to be SharePoint, because you have the ability to put workflows into it. And that’s widely available, it does a lot of exactly what you say. In setting up a program like this, you want to make sure that there’s a central repository. Part of the training is to, let’s not use that PDF that’s on the desktop, let’s always go on and make sure we check the central repository for the latest update of the information. In the metadata of that you’re going to have, you need to have the information about what document supersedes what other document, and again, what changes have been made. So you will have a change manager or group of change managers that need to make approvals and edits to things. And then they will update the final, you know, outward facing version of it on wherever the repository is. And then we’ll ship out notices to people that things have changed. Another unique approach that has been used, that can be taken, is maybe a little bit dated right now, but take sort of a wiki approach. And that’s worked out very well for companies that have very active intranets. And what the wiki approach allows you to do, one of the benefits of having that, is that as things are changing, you can actually sort of see where information is in red line, you can see information that has been put in or appended. And it can actually have notes there about when these things actually are effective, and when they’ve gone into effect, and what’s been the changes to the previous process. That’s going to be a matter of how people access information and learn the best in a particular organization. That’s always a learning experience. But essentially, you’re always going to want to have a central repository for where things are, and you’re going to definitely have to have custodians for the final version of the documentation. The biggest thing is to limit those data copies coming out there. 
And what we try to do there is make it, put it in a place where those documents are widely accessible, very widely accessible. You should be able to just, you know, type into your intranet policies and procedures, and find that very quickly and easily. And also encourage people to make sure that there are frequent updates. As far as information about it, the best awareness that we can do there is if you have a newsletter, if you have anything that people get on a regular basis, or the first page of the intranet, if you start with the discipline of always making those announcements, people get accustomed to checking to see if there’s something that’s changed. Even if the announcements on a regular basis are things, processes, policies that don’t apply to them, it still gives them that visibility, that things are in flux and can be in flux, I should take the latest and greatest version. And that’s what I always use, and also your management and your download management needs to enforce that as well.

Will Bachman 19:03
Okay, great. Let’s talk a little bit now about your practice. So one of the things that’s been really a theme of this podcast is the encouragement to really niche down and focus on a narrow set of problems that you solve and a defined set of clients to serve. Some people, you know, start out as real generalists, which, you know, gives them a greater surface area for project opportunities, but it’s a little bit more shallow as well. And, you know, some people are a little bit concerned about getting too niche. I’d love to hear about how you came to focus on cybersecurity for utilities, which, you know, I mean, some people might say, well, that sounds kind of narrow, but I imagine actually is quite a big, big ocean for you to work in. How did you get to that current focus, and maybe tell us a little bit about the type of work you do?

Lemon Williams 20:04
Sure, um, I came to that focus because of credibility, and I’m going to come back to that. So what I do is security for utilities, as you said. And so that’s a very specific niche. Electric power utilities have a specific set of federal regulations brought down by the government regulatory agency over them, NERC, that they have to follow. And this includes everything from asset management and vulnerability assessments and even supply chain, physical security around where IT assets are stored. I’ve worked in the energy industry since graduating college, so I just have a huge background in it. And I’m actually a third generation energy utility industry employee. I actually have a sister that works in nuclear power, a brother who works in hydro, my father was an electrician, my grandfather was an electrician. So this was something that was dinner talk for us and tabletop. I always, you know, knew a lot about this industry. And I had a deep knowledge in it. So when it came time to look at, you know, what was a practice that could serve. And so we talked about that balance between niche and generalist. To me, the credibility of being able to be a person that has not only dealt with, let’s say, the technology or technology in general, but also actually understands this specific business and how this particular business operates, what our concerns are, how a business makes money, it’s been a very important thing. It adds so much credibility, it puts the clients more at ease. And it also results in a better product. And in a sense like this, what I always say about it, whether it’s a bakery, or a utility, or a nuclear plant, or a refinery, whatever sort of business that is, as consultants, even if you’re going to consult them on the technology, and even if a lot of that technology is the same, there’s going to be differences in how they use it. 
And there’s going to be differences in how they focus on it, what pieces of functionality they use, and also the alignment. And this is something that I think sometimes we miss when we’re too general, is different industries are going to have different alignments along their dependence on technology, their dependence on risk management, or dependence on finance, based on the characteristics of that particular commodity or product that they’re making.

Will Bachman 22:50
Can you give us some sense of the kind of IT of a utility? I certainly occasionally hear it referenced in the news that there’s concerns that, you know, terrorists could hack the utility system and shut down the network. And I think I’ve heard in the past that, you know, utilities have this kind of massive network of their own, maybe it’s like almost separate from the internet, like, they’re basically private, you know, networks that they have to sense all of the different, you know, generation and transmission and local distribution systems. Could you just give us a little bit of an overview of the kind of IT system that a utility has to manage?

Lemon Williams 23:38
Sure, the best way to explain that is probably to start by explaining a little bit about how electricity works in North America. It’s an interconnected grid. And we’ve heard of the power grid. And that power grid connects every utility to every other utility from California to Maine. And it’s interconnected that way so that it can compensate for irregularities in power supply, or you know, adverse conditions, or anything like that. So we can be able to route power from one side of the country or one place to another. That helps us keep the electric grid as a whole reliable. We here in the United States, we’re very accustomed to turning on a light switch and the lights coming up. We’re not accustomed to having, you know, unreliable power, not knowing if our devices are going to work or not, not having, you know, widespread rolling blackouts or widespread interruptions. So there’s an interconnection between all of these power plants, substations, transmission lines and transformers. The IT network that includes the systems that run and manage those power plants, that move them up and down to produce more or less power when and where the demand is needed, runs parallel to that network. It is not a separate system per se, because you know, someone in the industry is going to listen to this and, you know, take a point of order that it is not a separate system than the internet, but it does run separately encrypted. And it does connect all of these power plants, you know, through an information tunnel that is not the standard information tunnel that all of our other traffic went on. Even though it’s hopping on and off of those different systems, it works essentially like you said. I just had to clarify that it’s not a separate internet, but it’s a separate piece of the internet that these things are controlling each other inside. Internally to a utility, it works the same way as well. 
Utilities have their business networks, and that’s where you have accounting, accounts payable, and your company intranet, and a lot of those other things, your normal business networks that every company is going to have. And then they would have their power supply network or their SCADA network, supervisory control and data acquisition. That’s the network that actually controls information about the power plants, about moving a plant up and moving the plant down. And that’s the area of the grid that people are most concerned about being vulnerable, for a lot of interesting reasons.

Will Bachman 26:21
Tell us a little bit about some of those concerns, about some of the things that people are concerned that a bad actor might be able to do if they were able to access the systems.

Lemon Williams 26:35
One of the things that you’d be able to do is that you’d be able to deprive electricity for large areas of the country and major metropolitan areas. That would lead to, you know, huge economic impact as well as societal impact. One of the things we use for reference is the blackout that was in the northeastern United States in the early 2000s that affected New York City. And there were billions of dollars worth of food spoilage, there were lots of things that we took for granted at that time, because all electricity was down: hospitals couldn’t admit people, pharmacies couldn’t prescribe medicines, you had people out of work, you had, you know, the ability to get people information was damaged, because obviously we’re not getting television broadcasts, that sort of thing. So that’s the worst scenario. The worst scenario is that we deprive people. And as I said, I just saw an even worse scenario is that if the plants could be compromised, and we have a mix of generation across the country, we have nuclear, we have some renewable generation, we also have coal and natural gas generation. If those plants could be compromised in a way that will cause them to misoperate, you could not only just take power down and be the inconvenience of not having access to power in an area, you could also cause an environmental situation, you could cause something to, you know, catch fire or something like that, but it could actually cause more long term damage, and also endanger lives, you know, endanger life to people. So there’s a huge, you know, thing where we sort of take that for granted, that industry kind of works, because we just magically pay our power bill. And we just magically know that, you know, everything that we plug up in our house comes on. So someone being able to access the systems that run it causes a huge concern. And then the concern there is that, well, the power grid itself is decades old. 
A lot of the equipment is decades old, a lot of equipment is not as modern, because of the huge sunk costs and investment in the equipment, because of the way these things have been running, and also because of the problems with taking sections of the grid down for repairs. It’s very tough to holistically upgrade a lot of these systems. And again, when you’re talking about even computer systems and software that’s even just a decade or two old, it’s going to have inherent vulnerabilities on it. It’s going to have, you know, things, you know, it wasn’t built for the modern day, obviously. Correct. The challenge that faces is how do we protect sort of an outmoded system, but one that we can’t just wholesale update across the grid. The other issue here is that there’s a ubiquity in some of the systems that are used to actually run actual power plants on the grid. And this is different than the office and corporate systems we have. You know, if you go to a utility office, it’s just like everywhere else. You know, people are going to have laptops and computers and monitors, and they’re going to have Outlook and Word and Excel and be using those. The systems that actually run the power plants are more highly niche, very specialized equipment that specifically is used to regulate a substation or to regulate a power plant. There’s a handful of companies that build the systems, and they’ve sold those systems all across the world. So the other thing is that you have people in other parts of the world that have access and have an unlimited time and testbed to the same computer systems that haven’t been updated here that are running our power plants. And so there’s a huge chance of reverse engineering, if you don’t do something to prevent their access to the system, since you can’t harden or update the system itself as readily.

Will Bachman 30:58
So what’s an example of a type of, you know, a way that someone might be able to gain access to the system? Maybe, you know, maybe sort of a gap that existed four or five years ago that now most utilities have plugged? Or, you know, is it sort of, you hear about so many, you know, companies getting compromised on the more business side, you know, Target’s data breach, Marriott, you know, even like the White House Office of Personnel, I think that was at Twitter, you know, people breaking into that and doing the social engineering. So what are some ways that a bad actor might be able to access, you know, these utility power systems, and what’s being done to prevent that?

Lemon Williams 31:48
It’s done in a very similar way, Will, where the way these systems talk to the outside world is through the internet, through an outside connection. Because the systems are a little bit older, and maybe their code is a little bit older, they were set to access on very specific ports or very, very specific addresses and locations they talk to the internet on, and they’re not able to talk to the internet through any other way. So a bad actor would know that, if I can gain access to that data stream, because I know exactly where it’s coming from, then I can then send information back to that system. And something very simple. Whereas if we’re trying to, let’s say, regulate the output of a power plant, if I change all of the threes to fives, then, you know, it will cause issues. So basically, just hijacking the information from the outside, a lot of times by coming through the actual corporate network of the system. What we have to do to sort of fix that is we have to be a lot more creative in the ways the systems access the outside world. And we have to put more barriers between them. So we’ll just think about firewalls and other network devices that interrogate traffic, that do things that make sure that it’s coming from a valid source, or making sure that it’s not getting corrupted information. But it also has to do that in a timely enough fashion not to interrupt the real time nature, which is another aspect of the energy industry that’s very unique, is that it runs in real time. You know, because the supply of electricity to the country is 24/7, 365. 
So what we do is we just put more barriers, it’s a defense in depth, and we do more to scrub and look at data, try to look at data signatures, and reject information that does not seem like it’s coming from the source that it should come from, or seems like it contains erroneous data. It’s just having a less-trust barrier. Also, we separate where we can through using DMZs. Also, sometimes using air gapping, where you can, to minimize the number of inputs of ways into that system as much as possible. And we want to divorce it from the corporate network as much as possible. So you sort of look at it like, you know, if you have a house and you have, you know, a front door, back door, side door, and you know, you need a way to get in the house, but you don’t need all three doors. It’s like, well, let’s just board up a couple of these doors. And let’s just concentrate on looking at everything through the front door so that we know something’s not coming through the side door when we’re not looking at it. So conversely, that’s what we’re doing. Then we put a lot of locks and chains and deadbolts on the one door that we’re keeping up, to make a poor analogy. That’s sort of what we’re doing in the industry. And the architecture varies from place to place, it’s always a new challenge to do this. It’s not a one size fits all, because the way our electricity grid works is that it’s an interconnection between a lot of different private utilities that may use slightly different technologies and use slightly different architectures. And also have, you know, different budgets, and different levels of talent to put architecture together. So it’s a costly problem. And then, at the same time, while we’re retrofitting, we’re also becoming aware of newer threats and newer ways that people are getting in. 
So we’re really sort of working into both ends, I call it the kind of trying to drive a car and pave the road at the same time sometimes.

Will Bachman 35:54
How do you kind of stay top of mind with, you know, the buyers of cybersecurity services at utilities around the country? Do you attend conferences? Do you publish? You know, you’ve got the book, of course, do you publish much? Do you just do a lot of reaching out to people that you know? How do you do that client development side?

Lemon Williams 36:21
So one good thing about being in a niche like this is you’ve worked, it’s a small world, you’ve worked with a lot of people, you’ve worked with some of the best minds. And because it’s cybersecurity, because it’s a system where we’re all trying to use the latest and greatest techniques to stop the worst from happening, and we’re all working with some of the same architectures and infrastructures, my community is very apt to share. So what we do, yes, I attend conferences, and I have a lot of talk with my industry colleagues, both at client sites of other concern and other consultants as well. And we like to just sit, while we make it a point that we talk to each other, that we come up with scenarios and cases that we say, how are you going to fix that? Because it’s so small, it’s great to touch people, and people don’t mind sharing, and keeping top of mind with it. Also, what we do is we all will generally subscribe to the seminars that the government puts out. So what happens is when a threat becomes, you know, fairly prolific in the industry, the guidance from the federal government will rise to sort of meet that need, they’ll put down new floors. And when they update their regulations, that starts a whole chain of us talking. There’s lots of bloggers out there, there’s lots of consultants like myself, as well as my clients and my colleagues, that have just regular conversations. And that’s really because no one else really wants to talk about this with us. So we have to talk about it with each other. That’s kind of what we stay up to date with, obviously, because on the cyber security, any articles in the news, anything that comes across, you know, any sort of media regarding it is something that’s going to get a lot of attention for me. And to the extent that I can see this is something applicable, the first thing I’m going to do is I’m going to send it out to our colleagues. 
So in the cyber security for utilities niche, we have a great community. And that’s one of the ways that we stay on top of things.

Will Bachman 38:36
And where do those conversations take place? Is there like a private forum somewhere? Is it just in person, one on one, like phone calls? Or is it conversations on Twitter? Like, where are these conversations taking place?

Lemon Williams 38:52
A lot of the conversations take place peer to peer. So you know, we will get up and give each other a call and talk. There are some excellent blogs out there for the industry. There’s one that I like, it’s Tom Alrich’s blog, he pretty much becomes the compendium for all things energy, utilities, cyber security. That’s a big go-to. He’s also just a friend to all of us consultants and a friend to the industry, in terms of being accessible. In terms of other social media, really not a lot out there. It’s pretty niche. There are some groups on LinkedIn that, you know, disseminate information and do things. But really, when you’re immersed in this and you’re doing it, when you’re engaged with clients and utilities that are dealing with this as a constant threat, there’s no shortage of conversations that you’re going to have with other colleagues, other consultants and other practitioners just in your day to day consulting life. So that is still kind of our main source of information. But if someone’s interested about it, I would, first off, go into Tom’s blog, and look that up, and look up NERC CIP. That stands for Critical Infrastructure Protection. If you were to just Google like a NERC CIP blog, you’ll come up with several things that kind of show you where we’re at in our thinking. And again, like I said, a lot of the thinking, a lot of the ways that we’re looking to deal with these threats, information is very much out there, because unlike a lot of other things, there’s not really as much of a competitive advantage in hoarding information about how to keep the entire grid safe. So there’s less proprietary, more things that we like to share. So I think that there’s a wealth of information out there for anyone who’s interested enough to look, and probably anyone that works in this field will be happy to talk to you a lot about it. Because we, you know, have a lot to say, and we’re immersed in it.

Will Bachman 41:02
Yeah. What about your book on compliance? So what have you done to sort of spread the word on that? Have you held kind of webinars or other virtual events? Or, you know, just emailed it out to people that you know? How have you used that to raise your visibility?

Lemon Williams 41:22
Um, well, I put this together just a few months ago, when I had a little bit of a downtime between engagements. And so far, I’ve just spread it among my friends, I put it on social media, that’s, you know, targeted at people in my industry and in my friend group, and source, and advertised it, nothing larger than that. And nothing like having a webinar or promoting it larger than that, this is really my first time talking about it. I sort of plan to do more in that realm. I did provide some copies for some former colleagues of mine, to, you know, stay updated with, and I look forward to kind of, you know, talking with them about it again. I just like to use it as a primer, I think it’s something I’m going to use on engagements, it’s something I’m going to recommend to people to just kind of walk through the steps, because this is really a first step with a lot of people. And so it was just sort of, let’s just document this once and for all, so that we can all get on sort of a common footing into how we organize a program that’s going to keep people safe. So I really like having it. It’s just going to be contained in that I’m going to take with me with future clients.

Will Bachman 42:41
Yeah, sounds like a great tool, Lemon. Where can people find you online?

Lemon Williams 42:48
I can be found at ionadogroup.com. That’s I-O-N-A-D-O. That’s the name of my consulting firm. From there, you can find contact information about me and the service lines and what we do. And you’ll be able to also find me, Lemon Williams, on LinkedIn. I am with the Ionado Group. And we are based out of Chattanooga, Tennessee. The book itself is available on Amazon. And it’s also searchable under my name, Lemon Williams, or if anyone just has the insane urge to put in How-To Write Quality Compliance Documentation, they can also find it there. Those are kind of the best places to reach me and the best ways to reach me. I try to be as accessible as possible, because obviously in consulting that’s going to be the name of the game.

Will Bachman 43:45
Fantastic. Lemon, thank you so much for being on the show. This was great. We’ll include those links in the show notes, and for new listeners to the show, if you like the show and you want to give it a five star review on iTunes, that would be really appreciated. It does help people find the show. And if you were going to give it something less than five stars, just, you know, really don’t bother. Lemon, again, thanks for coming. It was really great speaking with you.

Lemon Williams 44:14
Well, thank you so much for the time. I really enjoyed it.
