Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: What You Don’t Know Will Hurt You
Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd Coshow
Well, welcome in for another edition of Compliance Unfiltered. I’m Todd Coshow alongside of the one and only Adam Goslin. Adam, how are you today?
Adam Goslin
I’m doing great, Todd. How are you?
Todd Coshow
Man, I can’t complain.
Todd Coshow
It is a beautiful day. I’m having a conversation with you about something that is near and dear to all of our hearts. And that is essentially what you don’t know. So much of our life is determined, Adam, by the things that just kind of pass us by, that we’re just not aware of.
Todd Coshow
And when it comes to the compliance space, it’s very clear to folks like yourself that what you don’t know will absolutely hurt you. So tell me a little bit more, Adam, about the sentiment behind that. Where does that come from?
Adam Goslin
Well, I mean, as I was going through, you know, remembering, I’ve been, I’ve been doing this for solid for closing on about 12 years of working with various companies. And so motion alert, motion alert. So, so, you know, if I whip a dart at the, you know, at, you know, kind of looking back at the, at the engagements that I’ve been on, you know, in my experience, only about 5% of those companies truly had all their bases covered, you know, and whatnot, where 15% were, you know, we’ll call them relatively strong. But what that means is that about 80% of the companies that I was interfacing with over the years, you know, didn’t have any idea what needed to be done for an effective security and compliance program.
Adam Goslin
Now, the, the more interesting part about these kind of, you know, you know, whipping jart statistics is that in almost all of the cases, the companies thought, Oh, what we’re, we’re in good shape. We just need to dot a couple I’s and cross a couple of T’s and put a couple policies in place. And now my people are doing everything right, you know, is, is typically how it goes. And it’s, it’s funny because, you know, you hear that on every engagement and, you know, and, and the reality is, it’s part of why we’re here, you know, why, why, why security and compliance practitioners, you know, exist is because, you know, they are there to help these folks, you know, navigate the waters and whatnot.
Adam Goslin
And it’s pretty eye opening for those that, that end up going through it. You know, the, the, the stark reality, there’s a, there’s a company in, in Northwest Michigan called the Ponemon Institute. And they do a number of, it’s like a research group. And at some point in the game, we’ll have to get into a little bit more depth about their, you know, kind of cost of data breaches, but this isn’t the one to get really get into that. But one of the interesting stats that they have, they have this kind of annual, you know, kind of cost of data breach. And of those companies, these are, these are real companies that really got breached that, you know, go through, you know, full scale analysis, they’re across a bunch of different industries, etc. And part of the reason why I like this particular statistic more than most is that it’s real companies that really got breached with real, you know, data coming out of that. And for those companies that actually got breached, when they went in, did the forensics and, you know, figured out, okay, well, they were aware they had a breach as of this date. But you know, when did it actually start it on average, which is the scary part on average, these companies, it took them 280 days before they even realized they had a problem.
Todd Coshow
Did you say 280 days before they realized they had a problem?
Adam Goslin
Yep, you got it.
Todd Coshow
That’s like over nine months. What are we talking about?
Adam Goslin
Yeah, that’s how long it took him and my but it kind of underscores, you know, go back to some of the some of the things I was saying a minute ago, which is, you know, 80% of the companies that I’ve actually interacted with, you know, had a lot of work to do to be able to get a real security compliance program in place.
Adam Goslin
The reality is, is that a good security compliance program, you know, it includes, you know, kind of protective mechanisms, detection mechanisms, etc. And it just kind of underscores or highlights the notion that the detection mechanisms were sorely lacking in those organizations which ended up finding they had a problem, you know, and whatnot, you know, I mean, I’ve gone through, I’ve now started two companies from the ground up. And, you know, regardless of the level of personal investment of the listener and the ownership or leadership of their current organization, at bare minimum, there’s a responsibility to the existing client base of the organization, you know, and that’s compounded, you know, by the paychecks for, you know, kind of every employee, every contractor, every vendor, or either fully or partially dependent on, on getting paid, it’s not, it’s not easy to do this, it’s not easy to run a company is certainly not easy to start a company. I’ve said to many people, it’s one of the toughest things I’ve ever had to do, you know, and so for those that are for those that are starting companies for themselves, you know, it’s, it’s tough to navigate those waters. And I can’t imagine. I can’t imagine putting this much effort into, you know, into get it making something out of nothing, only to have it evaporate in an instant, which is, you know, unfortunately what happens with a lot of these organizations that have a problem.
Todd Coshow
Well, I mean, that kind of begs the question, right, is so are there common themes and like through lines to some of these bad decisions and assumptions that you’ll see companies make?
Adam Goslin
Yeah, well, that kind of falls all over the board. So I don’t know, I’ll kind of, I’ll kind of go into, I’ll go into some, some different, you know, different examples, different stories of things that I’ve seen, but you know, many of the listeners are going to find these, these elements relatable.
Adam Goslin
So I actually get a chuckle when I, because I’ve heard this more times than I can count. Some, some company or some organization or some leader saying, you know, something along the lines of, you know, Hey, we’re too small for anybody to care about us. They’ll never find us. And, you know, every time that I hear it, I use this example often, you know, it’s, you know, you and I will date ourselves slightly with this, with this example, but it, but it, but it works.
Adam Goslin
You know, way back in the day, you know, when, when we had the first coming out of an unlisted phone number, right? Everybody’s like, Oh yes, finally. I have an unlisted phone number. I don’t need to have all of these marketing calls and blah, blah, blah, blah. And so these people pay their monthly amount together, phone number unlisted. And then all of a sudden fast forward, you know, a year or two years, whatever of pure, blessed silence. Right. And now all of a sudden the phone rings and they pick it up and sure enough, it’s somebody trying to sell them something and they’ve got this look of horror on their faces or how did this person ever get my number,
Adam Goslin
you know, type of thing. And, you know, the reality is, is that, you know, all those, all those people were doing back in the day as they would dial an area code and dial one, one, one, one, one, one, one, one, one, one, one, right? Well, when it comes to machines that are on the internet, there’s a, there’s a certain pattern of numbers. It’s like a, you know, a number, a dot, a number, a dot. There’s basically four sets of numbers separated by three dots. And the bad guys basically do the same thing, which is they’ll go one dot one dot one dot one, one dot one dot one dot two, one dot one dot one dot three. And it doesn’t matter how big you are, how small you are, your organization is getting found, whether these companies know it or not, they’re getting found by bad guys on the internet, probably six to 10 times a day, at least, depending on how popular they are. And they don’t even realize it. And so this notion of, hey, we’re, we’re too small, just doesn’t, it doesn’t wash, you know, it’s, it’s impossible to escape this light, this, this spotlight. You know,
Adam Goslin
Go ahead
Todd Coshow
Well, I’m just curious, what type of examples would you have? Because that’s a little, I mean, it’s like, hey, this is scary. It’s even scary when you’re small, but how?
Adam Goslin
Yeah, so I’ll put this in perspective. This is actually before I could really step into this space. I had the opportunity to sit and watch as a server at an organization was actively being attacked. And the bad guys had kind of gotten past the perimeter defenses. They were on the inside of this network. And how it came up is that one of the IT guys is like urgently 911 calling me to go get into the server room. And I go walk in there. We’re staring at this screen. The screen’s out actively moving. I can see things scrolling across the screen, da, da, da. And I really quickly double check. Nobody’s working on this thing. Nobody’s remoted into the server. Nope, nope. This is bad. And so long story short, ended up having to pull the. Nobody knew about it, aside from the fact that somebody happened to walk into the server room, happened to look at the screen. It was just blind luck that they were catching this.
Adam Goslin
And so we ended up pulling the network cable and doing some digging and whatnot. Well, when we started to look into it, what we found out is that these guys had gone through the random number generator to find a machine, found a vulnerability, got through it, got to the internal network. And they had a series of scripts. So the first script would run through. And it was basically looking for open ports, what ports are open. Once it found, and that would run for about 30 seconds. And then once it found all the open ports, it would hand off to another group of people. So the first IP that came in, let’s say it was coming from France, then it went silent for about 30 seconds or so. And all of a sudden, there were like four groups of different IPs from all over the world that were coming in doing more directed attacks. So if it knew that this port was open, then this group was in charge of doing this port’s testing. And they would go ahead and hammer away and do directed testing against that port. Meanwhile, there were directed port scans being done from, you know, whatever, Venezuela, another place in Mexico, another one in the Ukraine, another one from China, you know, type of thing.
Adam Goslin
And so we were watching these rounds, you know, going through, these guys had an absolutely astounding level of automation involved in this process. And it appeared to be primarily autonomous. And by pulling that network cable, ended up disrupting their script, which is about the only thing that saved this particular company, was a real eye opener for them.
Adam Goslin
And here’s the scariest part, Todd, that I watched that unfold. It was over 15 years ago. Can you imagine what these people are capable of?
Todd Coshow
The level of sophistication is night and day, my goodness.
Adam Goslin
Yeah, so, you know, so that’s one area, the whole they won’t find us, you know, notion.
Adam Goslin
You know, a second notion is that, you know, companies that believe that, oh, well, we’re just going to go ahead and pick up some cyber liability insurance and poof, we’re off and running, right? We can go ahead and just kind of cover ourselves with, you know, with the cyber liability insurance and off we go. Well, the reality is, is that when any of these companies, and here’s the startling part for a lot of the folks, especially they’re in upper level management, is I would tell them, go back, whoever it is that filled out the cyber, your cyber application, more often than not, it’s being filled out by somebody in accounting. Well, the person in accounting doesn’t have any idea what they’re filling out. Most of the time they’re just, you know, trying to answer positively or whatever, assuming that the IT crew has this, that, and the other thing.
Adam Goslin
But effectively what you do when you’re signing up for the paperwork for your insurance is you’re attesting saying, we’re doing all of these things. We have this in place. We’re performing these activities on a regular basis, et cetera. And so all of a sudden, now I’ve got this application which we filled out to, you know, look positive, et cetera. And if you have a problem, then what happens is the insurance company ends up going back, taking a look at what all you said you were doing and confirms where you’re doing it or not. And so if you haven’t filled it out right and you’re not doing these things, well, then you’re paying a lot of money for an insurance policy that’s effectively unusable and your, you know, in your insurance policy is pretty much toilet paper at that point in the game.
Todd Coshow
Man.
Todd Coshow
I mean, I guess management kind of gets put in a weird position at that point in time because I can listen I can certainly understand how when you think of something like this if it is not your bread and butter Where you would look to your heads of IT and think that they have it covered.
Todd Coshow
Is that kind of an erroneous assumption?
Adam Goslin
Absolutely. And I walk into this arena with a great amount of perspective. So when I first started into this space, as I kind of culminated my IT career before I decided to step over into the security and compliance space, I was heading up IT myself. I’d spent 15 years managing teams of people, doing development, doing help desk support, doing business analysis, responsible for infrastructure, all sorts of fun stuff. And my first real exposure to security compliance when I had to go into it in depth, when I then got from that point that I like to say that the boss came by, dropped a four -inch deck of paper off, it said PCI on the top, and I went, huh, what’s PCI? You know, when I go from that what’s PCI moment to the fast -forward 18 astronomically painful months later, once we’d actually navigated all of the PCI DSS requirements and proven to the auditor we had everything under the sun in place.
Adam Goslin
And then I looked back at just how it was staggering to me, just how little I knew when I went, huh, what’s PCI? And yet, all of my bosses all the way through, they just go into this guiding assumption. Well, I mean, they’ve got IT in their name. They must know everything about IT, which means they’ve got security and compliance, all covered. And it’s startling how little I knew. And here’s what I would say to that management, is that you can have people on your team that are great firewall admins, great day -by -day IT people, great network administrators. They can make this stuff work, but work and being secure are two different, you know, mindset, skill set. Most of these people have, honestly, for most organizations, we go back to that earlier stat I gave, right? 80% really don’t have their act together. You know, that also means then that 80% of those IT people have never been exposed to this stuff, you know? And so, you know, that’s just something that management needs to take into account.
Adam Goslin
That’s a really, really bad alignment of, you know, misalignment, if you will, of expectations, because they’re setting themselves up for failure. They’re also creating an environment where the IT folks, because of set expectation, you know, they just, they don’t want to, they don’t want to let their bosses down. They know what assumptions they’ve made, you know, depending on how the boss acts, you know, and whatnot. You know, they might actually flame the people in IT for, you know, for not, you know, not knowing this stuff and, you know, and whatnot. And really, it’s not a problem with IT. It’s a problem with the bad assumptions made by management.
Todd Coshow
So, I mean, all members of management, including the IT management team, right, you would have to think that they must understand some level of security and compliance. No?
Adam Goslin
No, not really because if you think about it, like I was saying a minute ago, making an environment work and having it be secure are different notions, different skill sets. Many of these people can make it work just fine, but they don’t have any idea about the security and compliance arena. The reality is that these guys can rock at their jobs, but it doesn’t mean that they’re security and compliance expert. It was startling when I looked back, I talked about my own self -reflection on that first trip through.
Adam Goslin
The reality is that I then looked at my devs, my network admins, my day by day IT people, and how little they knew walking into this.
Todd Coshow
That’s what I was going to ask. It’s like what does someone in management do when they recognize how ill -prepared they are here?
Adam Goslin
Well, I mean, that’s the point at which the light bulb better go on. And, you know, the reality, it’s really, really hard to find people that actually know the security and compliance arena. That’s really where, you know, having somebody come in, you know, come in from the outside third party to help out is really gonna, is really, really gonna help.
Adam Goslin
You know, the, when they put that much pressure on the, on people, make these assumptions, etc., that just literally setting themselves up for failure and the poor, either person internally, you know, or the vendor, you know, that they’ve got for day by day IT stuff, you know, they’re basically put into an untenable situation where, you know, they either, you know, keep their most, you know, most of the time they’re just keeping their mouth shut and hoping for the best, you know, or, you know, claiming they don’t know and hoping they don’t get fired, you know, type of thing. You know, it’s just all the way around. It’s just a really, really bad situation for, you know, a bad situation for everybody involved.
Adam Goslin
And I would put the onus on the levels of management to, you know, gain that, gain that, you know, please take that level of perspective, assume that your people don’t know and, you know, and walk into it with, you know, kind of an open mind, a clean slate, etc.
Adam Goslin
It’s a lot easier to have those interactions with either your internal crew or your vendors to be able to just navigate the waters.
Todd Coshow
Wait, so you’re saying security and compliance is not just an IT thing?
Adam Goslin
Far from it. I mean the reality is, is that is that you know security and compliance engagements performed correctly? They end up having impacts across damn near everybody within an organization, so While sure there’s a lot of stuff that has to do with the IT group And quite frankly they will learn a ton on their first trip to the rodeo The but this is going to cover this is going to cover your executive management This is going to cover your HR department your legal department This is going to cover every single person that is you know interacting with a customer answering a phone and answer it You know it has an email account You know your vendors. It’s ,it’s all the way across the board Everybody in some way shape or form if you’re doing it right is Connected into you know into this even down to the janitors. You know think about it Think about it the janitors have physical access to the facility, and they’ve got responsibilities around physical security, so you know it’s, it’s Everybody from top down Is going to be you know is going to be hit?
Todd Coshow
Well, as I got to ask, like, are they reading the requirements?
Adam Goslin
Well,
Todd Coshow
I mean, are they doing the, are they doing the, because I mean, that’s, that’s the thing that I kind of feel like, as we were talking through these through lines here, they’re, they’re certainly, you don’t know what you don’t know, but there’s also, there seems to be a fair amount of buck passing when it comes to whose responsibility this is and exactly what the accountability levels and chain of command should look like.
Todd Coshow
Am I wrong there?
Adam Goslin
No, I mean, you know, here’s the deal is that, you know, as dumb as it is, as dumb as it sounds, you know, the organizations actually do need to read the requirements of their target certification. You know, putting in place some form of an internal compliance management system that belongs to the company. You know, that’s important, you know, where the organization itself can store their proof and their evidence at line item level to make sure that they’re not missing anything. You know, oftentimes, I’ll see organizations which are kind of write things off to assumptions. You know what I say about assumptions. So, you know, too often, you know, we’re seeing, I’ll see companies, a great example is be antivirus, right? I’ll see companies, they’ll sit there, they’ll go, Oh, yeah, yeah, we have antivirus.
Okay, move on to the next one, you know, type of thing. And it’s dangerous, because if you go then, just using antivirus as an easy example, like under PCI DSS, there’s like 10 different things you need to make sure actually implemented across the board in relation to your antivirus. And yet, I’ll see somebody go, Yeah, we have antivirus on our laptop. So we’re cool, you know, and then they’ll whitewash it and move on. And meanwhile, they haven’t met, they haven’t officially met those requirements.
Adam Goslin
So, you know, and every time that they make these kind of bad assumptions, you know, around, you know, around the requirements that they’re subject to, that leaves openings and holes and, you know, partially backed implementations and, you know, and all sorts of stuff, which, which leaves holes open and risk to the organization.
Todd Coshow
So, I mean, do you have any examples of companies negatively impacted by having security or compliance issues beyond that?
Adam Goslin
Sure. There’s a ton of, just a ton of examples. There’s a couple that I’ll key in on. I mean, we could keep going for days about organization. Anybody that’s paying attention to the news, listening to what’s going on, hearing about some of the latest, the pipeline ransomware, the meat packing factory that got hit with the ransomware as well. There’s examples left, right, and sideways. If you have your ear to the ground and you’re actually paying attention to the stories. But a couple of ones, a couple of, one organization and a staff that I like kind of calling out, is that, and this will kind of put it into stark reality.
Adam Goslin
There was a certificate authority located over in Europe. It was called Digi Notar. This company got breached in June, turned around and declared bankruptcy in September of the same year. The customers were just fleeing this organization. It was a completely viable company in June, and then it was out of business in September. It’s like, again, I go back to that notion of, I know how hard it is to run an organization, to build an organization. I can’t even imagine, just poof, it evaporates in two, three months. It’s crazy. Another stat, for small and mid -sized businesses, 60% of those organizations that have a data breach, 60% are forced into bankruptcy within six months.
Adam Goslin
That was a study that was done by inc.com, where they were looking at this. These are elements that companies can’t afford to just gloss over. The most important part about this is, if you think about it, having a data breach, it hits you out of the blue. You end up, hey, you’re having a happy Wednesday, and all of a sudden it goes to hell. Right? There’s no notice. It’s not like they send you a greeting card. Hey, by the way, about eight months from now, we’re going to go out and hack you, and it’s going to be a full data breach. It’s going to be really ugly. They’re not sending you a Christmas card here. It’s like all of a sudden you just get smacked in the face with a data breach two by four, and you go from having a great Wednesday to having a really bad one.
Adam Goslin
When you get hit that quickly, you don’t have any room for preparation and getting your sea legs. All of a sudden, you are just in the midst of this absolute crap storm. Companies don’t have much chance or time to go get themselves prepared for it, and all of a sudden they’ve got a boat ton of costs that are having to be paid outbound from the company with no notice.
Adam Goslin
Maybe you know a bunch of companies are just sitting on millions and millions and millions of dollars. I don’t, with nothing to do with it. It’s tough for these organizations that get caught. It’s always so much better to be heading in the right direction.
Todd Coshow
So I mean, what does that look like? And what do companies need to do to truly be headed in the right direction? Because that’s, that’s where we are in this conversation now, right? Like we understand fully the pitfalls.
Todd Coshow
We understand, uh, you know, exactly how, uh, kind of turning a blind eye to the things that you think you don’t really need to pay attention to can jump up and bite you in the proverbial backside. But what do you do once you figure it out and, and, and realize you need to go forward, how do you get there? Well, thankfully, we have a couple of topics coming up in our next podcast, which will be really good overviews. So I won’t steal all the thunder from those, if you will. But one step is really kind of building a culture of compliance, making sure that the organization has really adopted a security and compliance mentality.
Adam Goslin
And that’s got to be kind of pervasive throughout the organization. And the other is either starting or reassessing your overall security and compliance program. And you’ve got to have a structure in place for making sure that you have all the right things in place, and then managing and maintaining those on an ongoing basis.
Todd Coshow
Man, that’s a lot. That was an awful lot. And the reason why I say that is because I don’t think that we can overstate the importance of taking this seriously. Adam, I want to thank you very much for your time, because that’s all the time we have today for Compliance Unfiltered.
Todd Coshow
I’m Todd Coshow.
Adam Goslin
And I’m Adam Goslin. hope to help get you fired up to make your compliance suck less.
Todd Coshow
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
Adam Goslin
And I’m Adam Goslin, hope we help to get you fired up to make your compliance suck less.
