Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: What Should Your First Compliance Standard Be?
Quick Take
On this episode of Compliance Unfiltered, The CU Guys have a rousing chat focused on helping the compliance newcomers in the audience. Everyone has to start somewhere, and Adam has just the roadmap to help you get from where you are to where you need to be.
Curious about where to start? Wondering what certification makes the most sense for your needs? Pondering how much time and energy getting compliant will actually take?
Fear not – all these answers and more on this week’s Compliance Unfiltered!
So let’s face it: managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the malt shop to your compliance sock hop, Mr. Adam Goslin.
How the heck are you, sir? I’m feeling very ’50s all of a sudden. We’re having a conversation about firsts today, so, you know, going back a little bit, I thought, you know, it felt pretty apropos.
We’re going to chat a little bit today about what your first compliance certification or standard should be. So let’s start, Adam, with a broad overview of this topic for the folks. Well, I mean, this pod is for those thinking about dipping their toe in the water, that haven’t really had to go down the path, etc. We talk with people that are everything from, you know, frickin’ complete security and compliance experts all the way to newbies, so it’s fun covering this topic to give folks that are trying to figure it out a little bit of directional guidance. In a lot of cases the organization hasn’t had the necessity to head down the security compliance route. They’ve done some things that they think are gonna protect the company, but nothing official, nothing with a consultant, nothing with an assessor, that type of thing. And you figure these guys are sitting in that boat, and a lot of them will take the notion that, well, you know, we’ll get to it when we can. You know, that never happens. More often than not, it’s interesting that something will happen, either to the company itself that scares the crap out of them, or maybe, and this actually happened not too long ago, we had somebody reaching out to us that one of their major competitors just got their butt handed to the names over Google, and you know, blah, blah, blah. So there’s usually a compelling event, rather than somebody just wakes up in the morning and says, you know what, it’d be a great idea today to get some security compliance religion.
You know, it’s really stressful, though, for the organization that is needing to head down this path. It’s really stressful to figure out: what the hell do we need to go do, what do we want to do, what’s a good idea for us, that type of thing. There’s a lot of options out there, and the reason why we wanted to do this topic is so that the folks that are just kind of trying to get their arms around it have things kind of figured out, if you will.
Absolutely. Now, the TCT portal, I know, already has over 150 industry standard certifications on it. Now, what are the criteria that organizations should be using to make the decision on which is right for them? Well, yeah, you’re correct, there’s a lot of different standards. Number one, there’s a lot of standards out there, period; there’s a lot of standards on the TCT portal. So some of the things that these organizations can think through: first is the industry that they’re in. Are there specific certifications for your industry? So, to use some easy starter examples: if you’re in the educational space, a lot of times there’s a certification called HECVAT that would apply to educational institutions. If you’re in the medical space, you’ve got HIPAA. When you’re in manufacturing, you’ve got ISO. For a lot of the finance and service style industries, you’ll typically head towards SOC 2. If you’re processing credit cards, then you need to go down the road of PCI DSS. So, looking at some of your peers in your industry, go look at what types of certifications they have. A lot of times those are listed out on their websites, and that will probably give you a good idea of what other folks in your area are working on getting and maintaining. A second good suggestion is, and for a lot of organizations this might sound like a strange one, but go back and check your contracts. Go check your agreements with your clients. There’s a lot of companies that have existing contracts with clients that have various references to maintaining compliance with fill-in-the-blank standard. It’s kind of the second big piece, right? There’s the what-should-we-do type of thing, and then the checking-your-contracts is: what are we sort of obligated to already?
Maybe some people just kind of brush past it: yeah, yeah, no, no, we’re doing all of that stuff. Well, you might as well go look at the contracts and see what’s in there, see which standards are being referenced, etc. What are the standards that your clients care about? A customer agreement might say that you’re gonna operate in a PCI compliant manner or in an ISO 27001 compliant manner, etc. So the interesting part for a lot of organizations is their agreements have changed and morphed, etc., over time. The clients will have varying degrees of inclusions that they mandate being in these agreements, so they could all be different. And these agreements, if you think about it, let’s say the company’s been around for two decades, that’s 20 years of customizations, and so-and-so’s legal department mandated we put this blip in there, and blah, blah, blah. So going in and looking at all those agreements is a really, really good way to go. Those two areas will give you a good flavor for which arenas we need to play in, in security and compliance.
Well, can you share with the listeners more about the differences between directional and prescriptive certs? That’s the second time I’ve tried to say that word correctly. I was gonna say, it’s easier to read than say, for sure. This is actually a topic that I get some enjoyment out of. And really it’s an area where, for folks that have been in the security and compliance space for a while, they’re all sitting there kind of nodding their heads as I go through this particular topic. It’s super easy just to say, well, whatever, my peers are doing this standard and my agreements have these various references. So they throw all the names down on this big dial, they spin it, and it’s kind of like The Price Is Right, you know. ISO 27001, great. Honestly, for a lot of people, that’s usually the way it goes. But there’s some more thought that needs to be put into it, and I’ll go through why. Once you’ve figured out the general direction, now you’ve got some options.
When I say prescriptive versus directional standards: the more prescriptive or specific the standard is, where it’s prescribing “thou shalt do this”, that’s what I mean when I say prescriptive. It’s telling you exactly what you need to go in and do. Yes, it’s a more detailed list. Yes, it’s more structured in terms of its requirements, etc. No, you don’t have as much wide open freedom to just go do whatever you want. The whole point is, we’re trying to follow a methodology to put controls in place to help protect the organization.
And prescriptive standards, in effect, will provide that roadmap, if you will: thou shalt go in and do these various things. The prescriptive standards, out of the gate, especially to the uninitiated, probably sound like they’re a lot more difficult. Oh my gosh, there’s 500 things we’ve got to go do for fill-in-the-blank standard. But I could go over here, and all I’ve got is this, whatever, 50, 80, 100 items, whatever it may be; must be easier. And that’s really where a lot of organizations go sideways; they end up discovering too late that they should have thought about this a little more. The directional standards look appealing. Hey, it’s fewer items, must be easier, type of a deal. And the directional standards will basically give you an objective to meet, right? I’ve used the example of HIPAA previously, where HIPAA will make this wide open statement.
You need to make sure that access and authentication is done in a secure manner. I’m paraphrasing, but the listeners get the point. If you then go over to, like, PCI as an example, man, you’ve got your 57 things that you need to go do, or whatever, right? And so it appears easier, but the problem with those directional standards is: is what you’re implementing gonna be good enough? Is it actually gonna protect your organization? Now I’ve got this myriad of choices that I can make around how I solve this problem. Which one’s right, which one’s good, which one’s cost-effective, what’s gonna actually protect me? Etc.
And what organizations end up discovering as they go down their knee-jerk reaction, the fewer the items the easier it must be, and they pick some directional standard, is they run into a couple of problems. One, they spend a ton of time just researching and digging and figuring out what should we be doing, etc. They’re just trying to figure out the how of how to solve this particular objective. They haven’t even gotten to the choices yet, and that all depends on whether or not they made good, solid, informed directional choices in terms of the resolution methodology. To a lot of folks, especially those that are going into this for the first time, I would quite frankly recommend that they go with a more prescriptive standard as a starting point.
And my de facto recommendation to folks is: go with PCI DSS, but take it with a scope of sensitive data. That way, regardless of what your circumstances are as an organization, you can still use all of the controls of the PCI DSS. PCI DSS is so prescriptive that it actually provides the user with a very easy, clean way to map their PCI controls off to their other, kind of secondary, standards, etc.
So, it’s about that time, Adam, and you know as well as I do that choosing your first is extremely important. So, tell us about making the choice of that first standard. Yeah, I mean, when you’re going in, all things being equal, make sure that you go ahead and leverage that prescriptive standard. SOC, quite frankly, provides more options and variability and is more directional in its nature. Depending on what industry you’re in, certainly PCI is usually my de facto, but ISO 27001 would be another one if folks are in the manufacturing space.
But for organizations, I’ll go under the notion of the PCI, even if you need to do PCI and SOC, as an example. I’ve got many organizations that I’ve assisted with getting PCI compliant and SOC compliant. I’ll always tell them, go up against PCI first, and then go ahead and take all of your controls that you now have in place and map that off against your less prescriptive alternatives. So I’ve got some organizations where they’ve gone up against PCI and SOC and ISO 27001 and HIPAA, as an example. In those cases, we use PCI as the centerpiece because it readily maps off to all of the other ones, etc. It streamlines the time for the organization to go through and do it, using it in a framework of sensitive data. Well, now you can use that control framework that’s good enough for credit cards and leverage it for other things: for PII, for intellectual property protection, whatever other things that you’ve got, medical records, it doesn’t matter. You can use those same controls in different ways, if you will, and it makes it a whole hell of a lot easier.
Here’s some thoughts about specifically how one should go about implementing the selected standard, because how you get from where you are to “okay, implementation has now actually occurred” is a little more than a hop, skip and a jump. So talk the folks through it.
Yeah, well, for those that are finding that they need to go up against multiple certs, certainly I mentioned it a minute ago, it’s tempting for them to try to focus on the smallest one. They’re like, hey, let’s go knock out the little one and then we’ll move on to the bigger beasts, if you will. And I would absolutely advise against that. It is a lot easier in the long run to get to know all of your certifications and to implement them, I’ll call it, simultaneously. So if you only tackle one framework at a time, you’re going to find yourself redoing your prior work. So even if I were to take PCI, finish it, and then turn my attention over to my SOC or my ISO or my HIPAA, you may have to go back and redo some of the work that you’ve already done, especially depending on which choice you made as a starting point. That’s really going to have kind of a big impact on the organization. You want to take into account anything that is applicable for your organization, and I’m not a giant fan of doing things multiple times for fun. So my recommendation is, when you’re first getting started with the choice or choices that you’ve made for a new compliance framework, the people in your organization are literally going to feel like they’re eating an elephant. It’s overwhelming. It is, for those organizations that are walking into this. And I bring this up from a perspective of context: I walked into the compliance world kind of blind, if you will, on my first adventure into it. And really, since that experience, I’ve done nothing other than try to help people make managing their compliance suck less.
There’s a really good reason behind what I would strongly recommend to folks that are starting to head into this space: do not depend on your internal IT people. We’ve done pods and blogs about the fallacy of thinking that just because somebody can spell IT they know how to do security and compliance. They are not the same. So go dig up those resources; I’m not going to go off on that again. But my biggest recommendation is, do yourself the biggest favor you’re ever going to do yourself. And I don’t care who you use, well, I sort of do, but yeah, I don’t care who you use, but please, for all that’s holy and true, rely on the experience and guidance of an experienced compliance consultant. That decision will save you countless hours, countless pain, countless calendar time, sanity, all the way around. Very, very, very good idea for organizations. Get a good one. No offense to the Billy Bobs out there, but don’t go to Billy Bob’s compliance consulting shack. Get somebody that’s been there, that knows what they’re doing, et cetera. It will help you big time. There’s a lot of organizations that plan on relying on their assessor for all of their answers.
And it sounds like a great idea out of the gate. The bottom line is that, for the most part, the assessors are there to, yes, provide you with some really high level directional guidance, etc. But they’re there to do an assessment. Their job isn’t to get you to the point where you’re ready for the assessment; it’s generally not their job, type of thing. There’s a lot of people that try to do the double dip, and honestly, I think in more cases than not, it ends up becoming contentious. The assessor feels like they’re getting taken advantage of. Yes, they could come back with changes of scope, and now the client’s kind of got their shorts knotted up, etc. Just bypass all of the baloney and go get you a compliance consultant to help you down that path, et cetera.
The consultant gives you a couple of advantages. One, they’re not the assessor. You can have a wide open conversation about all of the various things that are completely jacked up in your environment, right? You can have that discussion openly with a compliance consultant. This is the type of stuff you don’t necessarily want to have a wide open discussion about with your assessor, right? So you want to have things buttoned up in prep for the assessment, but the consultant works for you; they’re on your side, it’s a safe space, you can have discussions. The consultant can assist with appropriate confirmations with the assessor that you have, and whatnot. But the consultant’s gonna help big time with streamlining the overall compliance program. They’ve been there before. They’re gonna be able to help with things like mapping your compliance, various solution options, what the good choices are, based on my environment, for solving this particular control issue that I want to go and get solved. But they also will be astronomically helpful in terms of coordination with the assessor. I think for any organization that has experienced a compliance consulting engagement with a good security compliance consultant, they’re going to be able to do that, no doubt.
Parting shots and thoughts for the folks this week, Adam?
Well, at the end of the day, what matters most is that your organization has a security compliance program in place that’s effectively reducing your cyber risk. Those early decisions that organizations make about their programs, which approach they’re going to implement, et cetera, that will be a deciding factor in the level of brain damage that everybody’s going to go through as they go through the process. It can make your world a hell of a lot nicer and easier, or it can make it astronomically more miserable. Certainly, if your organization engages with a good security compliance consultant, they’ll give you that sanity check that you need in making those compliance decisions.
One thing that I didn’t mention earlier that I think is appropriate and important: a lot of people have this notion that, well, we’re going to get everything buttoned up, and then we’re going to go; we don’t want our dirty laundry aired in front of the security compliance consultant, etc. Honestly, they really screw up when they do it that way. You don’t want to pull them in at the last second thinking you’re done, only to find out there’s a whole bunch of problems or you could have done it far better, type of a deal. Bring them, the security compliance consultant, in as early as humanly possible. They will be able to streamline things. It’s important they get there early. Our personnel have been actively helping organizations with navigating the security and compliance world for north of two decades. We’ve got thousands of hours of security compliance management experience that we’ve put into the TCT portal and into our security compliance consulting engagements. We’d obviously be happy to help anybody, but, hey, at the end of the day, we’re all about helping people in the security and compliance space. That’s why we got into this arena, really to help people, and it’s been a lot of fun so far.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.