Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: 2024 New Years Cyber Resolutions
Quick Take
On this episode of Compliance Unfiltered, the CU guys ring in the new year with a high level overview of some of the key topics on every cybersecurity pro’s mind in 2024.
- Curious about how to properly take stock of your cybersecurity positions?
- What can you do to better prepare your organization for the security challenges of 2024?
- How can you more effectively communicate your compliance management approach across the organization?
All these answers and more, on this week’s Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the old to your auld lang syne, Mr. Adam Goslin. How the heck are you, sir?

Oh, I’m just about partied out, but not quite.

I like it. One more go around, at least. Oh, man. Well, we have a new year upon us, so let’s chat at a high level about some resolutions for those in the cyberspace this year, shall we?

Sure. Well, yeah, some to throw into the contemplation mix. Certainly not an all-inclusive list, but let’s start with taking your security seriously. As strange as that sounds for some of the people that are listening to this, I’ve been at this for a minute or three, and there are definitely companies out there that don’t, so take it seriously.
Taking stock of your responsibilities for cyber: what types of things do you want to do, need to do, are obligated to do, things along those lines? It’s a good time of year for touching base with internal personnel on struggles they may be having in relation to the objectives that have already been set forth and other things that may be coming. Bad assumptions about the capabilities of your internal personnel or vendors, and some of the drawbacks of bad assumptions. And certainly easing your pain with managing compliance, enhancing reporting capabilities for your executives, your board level. Those would all be good notions that would fall onto the resolution list for those in the cyberspace, shall we say.
Most certainly. Now, can you expand on what organizations should do to take their security seriously?

Well, you’ve got to remember the listeners, especially for us, are in a broad spectrum of states of being, shall we say. So we’ve got folks that have been doing this since computers were invented, and I’ve heard the war stories about how, yeah, I used to use cards, like paper cards, in a back room, and all sorts of fun stuff in the early days of computers, all the way up to, honestly, organizations that take this stuff super seriously. And at the other end of the spectrum, those that really take an approach of, well, we haven’t had a problem, so why should we waste the money on doing anything? And so it’s interesting for organizations out there. There are a lot of studies about how much it costs for a cyber event. One of the studies that I like most is from the Ponemon Institute in Michigan; they do a study annually, and have for the last number of years.
They’ve been finger-quote sponsored, so some big gigantic corporation collects up contact information on people interested and whatnot. But the interesting part about that particular study is that they break down actual breaches to total cost for the organization, how many records did they have exposed, and they’re able to break it down to effectively a cost per record. And one of the things that I would recommend to organizations is, instead of the approach to cybersecurity of I’m going to put my fingers in my ears and repeat the words la, la, la, la, la and hope that it doesn’t happen to me, there’s a much more effective way to go about doing it. Certainly for companies in that space, them being able to just look at how many, whether it’s personally identifiable information, whether it’s PHI, whether it’s credit card data, intellectual property, regardless of the realm of the data that they’ve got, breaking it down to how many records do we have, what could this potentially cost us, things along those lines. That starts to open up the dialogue; it starts to connect some dots for folks internally. And in all likelihood, and I’ve heard this repetitively, the folks on the front lines, the folks that are doing the day-by-day system administration, the folks that are your day-by-day developers, the ones that are literally boots on the ground for what’s going on day by day in the organization, they typically have had a much higher sense of, this is something that we need to take seriously.
And yet as they raise that issue, they become frustrated because the folks at the upper end of the food chain are busy with their fingers in their ears repeating la, la, la, la, because they don’t wanna spend the money on what they deem is a waste of time. Well, that only makes sense until such point as you actually have an issue. And at that point in the game, it’s too late. So you definitely don’t wanna be the company that finds their name in lights. You don’t wanna be the company that didn’t take any steps to protect the information you’re responsible to protect, only to find out that it’s not. So really, for companies and organizations, this is something we’ve actually done pods about, blogs about, et cetera: a lot of companies will take this approach of, well, I’ve got cyber liability insurance, so I’m good. That’s way too much depth of material to go into for the sake of this topic, but go find those, go listen to them, et cetera. You do not wanna be in that position.

No, absolutely. Yeah. There was a laundry list of them this year too, and then their security position comes out and you learn more about it and you’re like, really, that company only took those steps?

Yeah, exactly. And it’s quite frankly astounding, some of the organizations and how large they are, with just how little they do. It’s mind-numbing. So don’t be those guys. You can take it more seriously than you do, and you should. But that’s all I gotta say about that.
How should organizations go about taking stock of their responsibilities for cyber?

Well, there’s a couple of different ways that they can go about doing it. First and foremost, just look at the information, the data that you have that you need to protect, and then look at the security controls that we have in place. That’s one way to go about doing it. Several of these are gonna kind of intersect, right? So we’ve got, what should we be doing? For some organizations, they possess the capability to make that determination with the skills that they have internally, but frankly, few of them do. Really, I would recommend or suggest: take some advice from somebody that’s outside. Get together a list of what all do we have, what are we doing with it, things along those lines, and then turn around and have some conversations with folks that are in the cyberspace that can give you some high-level input, direction, guidance on what that organization should be doing. That’s the one side to go about doing it. The other is kind of an interesting exercise, and it’s funny, for organizations that haven’t taken this stuff seriously and really don’t know what they’re supposed to be doing, etc.: go have conversations with your salespeople. Find out what types of security certifications prospects and existing clients are asking about. Go in and look at your actual agreements with clients and customers. Go find out who in the organization is, one, filling out your cyber liability application, and two, responsible for receiving any of the vendor security questionnaires that your existing clients and/or prospects request of you. All of those form great inputs into what are our clients looking for, what do they expect of us, things along those lines. Additionally, you’ve got the notion of looking at the types of data that you have, which also will drive what your responsibilities are.
So, as an example, if we are dealing in any way, shape, or form with credit card data, well, then you’re subject to the Payment Card Industry Data Security Standard. If you are dealing with personally identifiable information, now there are various data security requirements, both at federal and state levels, that will come into play. If I’m dealing with medical data, even patient names, et cetera, then you’ve got requirements and responsibilities under HIPAA. So that’s kind of a third realm that drives what we should be doing in terms of a cyber stance for the organization.
And it’s interesting, a lot of companies don’t put that lens on it. They just, like I said, have their fingers in their ears, repeating the words.

Yeah. La, la, la, la, we got them, absolutely. Now, do you have some examples of what you’re thinking when it comes to touching base with internal personnel about their compliance struggles? Because that’s not necessarily something that I know a lot of personnel would want to tell you they’re having struggles with, unless they’re having struggles. Does that make sense?

Yeah. Here’s the thing: for a lot of organizations and the way that they work, it’s this notion of, well, I’m just going to go tell such-and-such a department that I want fill-in-the-blank. And the orders come down the pipe, and some poor soul at the bottom of the food chain ends up picking up whatever actually makes it to their level. They attempt to catch it and do something with it, etc. And from the top-line executive or board
level or whatnot, all they know is, I made a request for something and I got something back. But there’s a big chasm between the ask and the delivery. And so it’s interesting, when you start talking to the internal personnel, especially if you’re an organization that does have any measure of controls for security, compliance, cyber, those personnel are struggling with various things that face them internally. They may be faced with spending an inordinate amount of time to go in and respond to certain requests, something that an executive would think, oh well, this is simple, right, all I want to know is where we’re at, type of thing. And they don’t realize that effectively what they’ve done is they’ve pulled a rip cord on a process which is going to take some poor soul four hours to just piece together. And the minute they start assessing where the hell we’re at in terms of gaining our fill-in-the-blank compliance, the minute they start that process, their information is already outdated in terms of where we’re at. So there’s that. There are personnel that don’t really understand the requirements that they’re being faced with, and they’re basically kind of taking their best shot, trying their best to fulfill these requests without really understanding what it is that’s going on in their world. So there are a lot of examples, not the least of which is going in and looking at simple things like: how do the people on your team that have to produce results know what they need to go in and do? How do they know which tasks they have?
How is it communicated if they’re given a task? Bob gets a task, but it’s really Mary’s task; how does that work? How does that get tracked, etc.? So really looking at the arena from the perspective of tracking, managing, things along those lines. Just simple stuff. You’d be surprised what you learn when you get in and sit and have a conversation with the personnel that are producing the elements, artifacts, evidence in an organization that has security, compliance and cyber controls, what all they’re dealing with. And honestly, it may be very, very insightful to see how those personnel are doing things, how they’re tracking things, the level of redundancy within the organization of various people having to track the same stuff. It’s probably going to blow your mind when you go in and actually start asking all the, I like to say, all the dumb questions.

Yeah. And when you come in and say that, it’s funny, anybody who’s listened to you use that verbiage more than once knows what’s coming next, which is anything but a dumb question.
So what are some of the bad assumptions that an organization makes, about the capabilities more than anything else, regarding internal personnel and vendors?

Well, some of the bad assumptions: a lot of organizations go under this just general guiding principle that, well, I have IT people on staff, I have developers on staff, I have people that run my network on staff, or a vendor that does. So because of the fact that I have someone that basically keeps the vehicle on the rails day by day, they must know what they’re doing in terms of security. And it honestly is one of the biggest and most dangerous assumptions that especially mid to high level management and board members make within an organization. It’s crazy how they think that. The best way I can describe it is, it’s kind of like I’m standing on the side of a road, and I have all of these people that are driving by me in cars. And so what I do is I just randomly pick somebody, right, I’m gonna point at a car and they’re gonna pull over. Well, the first car that I point at and pull over, it’s somebody that’s 17 years old that just got their license, etc. Yes, they managed to get behind the wheel and operate a vehicle, but they’re brand new at it. The next one that I point at, it’s somebody that’s elderly, and their response times are diminishing, and they just don’t have the same capability they used to have, type of deal. You’ve got somebody else, even, that’s a mom in a minivan, got to tote three kids to soccer practice, etc., right? Well, you’ve got all these people that you just randomly pull off to the side of the road, and now I’m making an assumption: well, you know how to drive a
vehicle, so you must know how to drive that in combat situations, you must know how to drive that vehicle to the very upper limits of its capabilities, aka race car driver, right? Well, you know how to drive a car, so you must know how to do all of these things; you must know how to do PIT maneuvers to spit cars off of freeways, because of the fact that you can drive. And it’s like, I don’t know what to tell you, man, there’s a big difference, a giant chasm between I know how to drive and I know how to do all these specialty things. And the best way that I can articulate it to some of these kind of upper level people is that, yes, they’re great at running networks and firewalls, and they’re good developers. And it does not mean they have clue one when it comes to what they should be doing from a security or a compliance perspective. They’re really completely different animals. And I’ve seen teams that started not knowing anything that grew and grew and grew over time, that really used the opportunity to have them and their personnel learn far more about the world of security and compliance so that they could indeed raise their knowledge level, raise their capability level, etc. But there’s a couple of things that play in here. One is that these people aren’t bad people. They just haven’t been exposed to this stuff. So I always give the guidance to leadership and the organization, I’m like, look, just because you made the bad assumption, don’t hold it against these people. They don’t know this stuff. They shouldn’t know this stuff. You’re the one that’s in the wrong for making the bad assumption. So don’t be all worked up when they don’t know this stuff. It can be a really good learning experience for an organization to go through this process and have everybody increase their knowledge level.
But the one important part that I’ve seen about good quality security compliance managed programs is that there’s a realm of responsibilities. You’ve got the roles and responsibilities for the frontliners doing what they’re supposed to be doing, when they’re supposed to be doing it, supplying evidence that these things are happening.
But you’ve got to have a check and a balance there. And honestly, I’d much rather have the check and the balance be somebody that’s on our side, that’s here to help, etc.: a security and compliance consultant. They can work with the team, help guide the team, help to improve the team. But they’re also there as a sanity check. That’s great that you’ve defined all these controls, but it doesn’t do any damn good if you’re not evaluating, are we doing what we’re supposed to be doing when we’re supposed to be doing it, type of thing. And when you put those keys into the hands of the frontliners that are supposed to be doing it, how many of them are really going to raise their hand and say, yeah, no, you’re totally right, I wasn’t doing fill-in-the-blank? They’re not gonna. They’re unlikely, just from a human preservation perspective, to serve themselves up. And yet, as an organization, it’s critical that you’ve got insight into where we’re at, what are we doing, is it done, things along those lines.
Now, how can organizations ease their pain with managing compliance, and I guess, why is it helpful to enhance the reporting capabilities to the executive and board levels?

Well, I’ll start with the reporting side of it. The reality is that more and more organizations are waking up. They are heading in the right direction, they are starting to implement programs, ask better questions than they were five years ago, let’s say. So that’s all good. Part of the challenge, and we were talking about this a little bit earlier, is that they think it’s just an easy, whatever, we’ve got 600 things that we need to go in and do, where are we at, type of thing. It sounds like a simple question. However, what they don’t realize is that there are 600 items, and there are 40 different people that are working on those items. Of those 40 people, there are personnel from five vendors that are involved. There are, in some cases, arenas that are shared responsibilities. We have a workflow that goes from the frontliners producing evidence to our security compliance consultant to our external assessor. And all of these 600, the 600 actually could be broken down even further by saying, let’s say that one of those items has a quarterly component to it, we need to be doing this thing once every quarter. Well, guess what, that 600 just turned into 603 when I add the three extra quarters’ worth of visibility of, are we doing what we do when we’re supposed to do it. That’s just one example, type of thing.
On a large scale security compliance engagement, there are many items which are intended to be done daily, weekly, monthly, quarterly, semi-annually and annually. The real number, if it was 600 high level items to start, maybe that translates into 700 or 800 total items when all is said and done. So it’s a ton of complicated and complex intersections that could be in the answer to, hey, where are we at? And so that’s really where the way that organizations can ease their pain comes in: stop tracking this crap on spreadsheets, stop tracking this crap on internal systems, stop using, basically, I love to use the word human glue, but it’s literally a bunch of human beings that are patching all of the frickin’ holes in the crappy process that you’ve got, and make use of, take advantage of, a compliance management system. Certainly, we’ve got TCT Portal, but we’re definitely the only game in town, but please don’t do it manually. Just don’t do it manually. These people wrote these systems to help. And the one thing for the listener to understand is this comes from a personal perspective, where I used to have to struggle through this stuff. I used to have to do it myself. I used to have to be the human glue that held the spreadsheet together. It sucks. It absolutely sucks. So don’t do it. Use a compliance management system. It is well worth the dollars you put into it when all is said and done.
Love that. Now, parting shots and thoughts for the folks this week.

Well, we’re talking about New Year’s resolutions. I’ll echo what I said earlier. Gone are the days where companies can just say, geez, we didn’t know we needed to fill-in-the-blank. Everybody is expecting you’re taking this stuff seriously. Hell, even end users that are using social media platforms don’t like it when they hear about cyber attacks and their data getting breached and getting dark web alerts from their credit card company and then end. So, yeah, everybody is starting to pay attention. You need to take this stuff seriously. Spend the early part of 2024, while you’ve got a second to breathe before everything starts going haywire, and take a fresh look at where do we stand in the grand scheme of things from a cyber perspective? What do we need to be doing? What do we want to be doing? Talk to your internal personnel, get their input. Do not fall victim to the bad assumptions; you know the saying, it makes an ass out of you and me.

Everybody, yes.

Yeah, and so don’t make the bad assumptions. Check up on your vendors and what they’re doing for security and compliance. And most certainly, if nothing else, at bare minimum, ease your capability to produce reports on the question which inevitably comes, which is, hey, where are we at? By being able to punch a button from your compliance management system and produce a report that shows exactly where we are. Don’t invoke pain in tracking and managing at all levels of your organization with manual procedures and processes. Use a compliance management system. You do those things, your 2024 will be better. Your personnel will be happier. Your company will have an increased capability in terms of their cyber stance.
And you’re going to have a lot easier conversations with both existing clients and prospects if you make those adjustments early and get them adopted over the course of 2024.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.