Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Non-Compliant? You May Be Losing Customers


Quick Take

On this episode of Compliance Unfiltered, Adam walks the listeners through the perilous landscape of non-compliance.

Curious where the cracks are in your foundation? Wondering how many organizations should actually care about their security and compliance? How much does a data breach actually cost?

All this and more on this week’s Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Cheerios to your balanced compliance breakfast, Mr. Adam Goslin. How the heck are you, sir? Healthier than I ought to be, I like it, I like it. All right, well, today there is a lot of potential implications of being non-compliant. Give us a high-level overview about how non-compliance might actually be contributing to you losing customers, Adam.

All right, well, you know, when it comes to non-compliance, you know, there’s a couple of different, you know, arenas, implications, etc. Certainly, you know, if you’re non-compliant and you’re getting breached, you know, there’s a couple of things that are, you know, that are coming your way. You’re going to spend an astounding amount of money to clean up the mess. Probably, I’m going to hazard a wild guess and say that several hairs will turn color. You will have many sleepless nights, but yeah, and just firehosing money to get through the process. You know, you’re probably going to lose a staggering amount of, uh, you know, customers, uh, as they jump ship and the company just starts bleeding. I always like to leverage the numbers and stats out of the Ponemon Institute in Michigan that does their annual cost of a breach survey. I like it because real companies really got breached, you know, real data, real information, you know, they do a really good job with, uh, you know, of uncovering real statistics from real companies. Uh, and their average for a U.S. breach is $9 million. Now, you know, you figure that’s on aggregate and you know, this particular study, they do, um, they do companies, I forget what the actual numbers are, but it’s somewhere around, you know, at least 2,000 records and at most about 100,000 records. So these are reasonable size companies, you know, not the gigantic behemoths of the world, you know, type of a deal. These are like real normal companies. And on average, they really spent $9 million. So, for a lot of small companies, they won’t even survive, you know, some type of a cyber attack. Within six months, they’re out of business, you know, and lost business is a big portion of those costs. And those costs go up every year. In the latest report, which was sponsored by IBM, the Ponemon Institute was finding that the cost of lost business after a data breach rose 11% from 2023 to 2024.
So, you know, your customers aren’t just taking their own cybersecurity seriously, they’re taking your cybersecurity seriously. And they’re not gonna be shy about moving their business to competitors when you breach that trust. So, you know, the bottom line is, is that you’re gonna get hit pretty hard if your company’s breached. And the funny part is, is that I’m not a huge fan of the doom and gloom and, you know, do this stuff because of these, you know, horrifying consequences. It’s just, it’s just reality, you know, but it doesn’t take a data breach to be able to lose customers, you know, companies that either have never gotten compliant or companies that were compliant and then, you know, lost their way, didn’t maintain it, those ones, even if they haven’t been breached, you know, they’re in the, you know, at the threat of losing sales to competition, you know, etc. So there’s a lot of implications, you know, kind of across the board regarding non-compliance.

I’m sure. Now, I know you’ve heard a common gripe from the business side of organizations about how security and compliance actually grind operations to a halt. Tell us more about that. Well, I’ve heard that complaint and most of the time, honestly, it’s knee-jerk reactions, maybe it’s just a fear thing, maybe they got exposed to somebody in the security and compliance space that was, we’ll call it, over-exuberant. I’ve heard that complaint from business leaders saying they don’t want to throw away money. Why the hell would they put money into the program if it’s just going to impede their real job? finger air quote, right? Right. And they do have that concern that it’s gonna grind their business to a halt. They look at cybersecurity as a hindrance to productivity, profit, customer acquisition. And certainly, you’ve got that contingent of folks in the cybersecurity professional space that do get a little bit over exuberant about protections they wanna go put in place. And yeah, it’s possible to put in an excess level of protection that, you know, indeed would make it difficult to operate the business. But, you know, it doesn’t have to be all or nothing. You know, you don’t want, you know, at the outset, you know, you’re not trying to make the company, you know, more locked down than the Pentagon, you know, type of a thing. You don’t need to go from, you know, zero to the nth level you know. But certainly, getting some real common sense protections in place for the company, you know, that’s the objective. Usually what I’ll see is, as organizations go and, you know, kind of roll out a reasonable program, they’ll start the basics and then they’ll start to expand it, etc, you know, and eventually the security and compliance program kind of forms a part of the DNA. Sure. The organization with people, you know, people taking it seriously, etc. 
You know, if an organization’s kind of approach is to do as little for security as humanly possible, it’s literally gonna be a matter of time until they get hit with ransomware, phishing attack, you know, and sensitive data gets exposed.
You know, your organization’s gonna be legally required to publicly announce this breach. You know, your company is gonna be losing its best customers as well as future deals for a long time to come.

You know, I’ve said this before, you know. You go talk to somebody in sales and you say, hey, how easy is it to go ahead and get somebody on board? And they’ll tell you it’s challenging. Well, can you imagine how much more difficult that would be if every single time that you went to go talk to some type of a prospect, the first thing they do, they go Google your company and they’re finding out about data breaches and whatnot. I mean, you pretty much are dead in the water before you even get the opportunity to even explain what happened, and that stuff will haunt you for a long time, you know. So instead of the, you know, the nth degree, you know, I’d recommend to companies, you know, find a middle ground, you know, get some reasonable protections in your program started, um, you don’t want to be gambling your whole business. I mean, you know, it’s not worth it to hope that, you know, you’re like Neo in the Matrix, just dodging all of these bullets that are flying at you, you know? It’s not a great approach to things, if you will.

Absolutely not. Just how much do organizations these days care about the security and compliance of those they choose to work with?
Well, you know, you can absolutely bet your bottom dollar that your customers care. You know, this landscape has been, it’s been entertaining to watch unfold. You know, even if I went back as few as five years ago, you know, the vendor security surveys that organizations would do on their partners, you know, you go back five years ago and you look at, you know, what were the types of requirements that would come along with a contract or an agreement? And they were, you know, even at that point in the game, they were relatively light. These days, you know, there’s about, you know, there’s north of, you know, two thirds of B2B buyers that are, you know, more likely to do business with a company that prioritizes data privacy or security and compliance. You know, non-compliance can make it difficult for a sales team to win new deals, and it’s getting even harder. There’s more and more companies that are paying attention to the track record of the vendors, asking tougher questions through the sales process. You know, for those that are going, oh yeah, you know, this is just, you know, this is Adam blowing smoke up my ass. Well, you know, validate it for yourself. Go ask your sales and your onboarding teams. You know, how many of your new clients had some form of security and compliance validation as part of their vendor onboarding process. And then ask them, what depth did they go to five years ago, you know, the landscape is changing and that’s a piece that a lot of the business leadership is kind of missing through the process, you know, as more and more of your compliant prospects arrive. You’re gonna find yourself in a position where you’re getting locked out, you know, if you don’t have your act together from a security and compliance perspective. 
You know, the one thing that a lot of the business leaders don’t connect is that, pretty much the vast majority of the, kind of standard security and compliance frameworks that are out there, most of them, one of the activities of many of the controls that you need to put in place is doing an annual review of the state of compliance of your customer. So it’s not just getting them through the agreement process, but you can look forward to them asking you year over year over year for updated refreshed evidence of where you stand as an organization.

You know, the one thing, it’s kind of like a daisy chain when it comes to compliance, especially for vendors that play some important or integral part in terms of the protection of sensitive data. It’s the picture for the organization going through the process that there are certain aspects and elements of things that they need to protect, but wherever those responsibilities are shared, now they’re leaning on their trusted vendors to be able to provide controls for their part in exposure to that sensitive data. And so for the target organization going through compliance, not only do they have to maintain their own compliance, but they also need to keep their eyeball on the compliance of all their vendors. And the vendor stance on security and compliance quite literally folds up under that company’s own compliance. So if I, as a vendor, or as an organization subject to compliance, I’ll just use TCT as an example, right? If one of TCT’s vendors were suddenly to lapse their compliance, number one, I shouldn’t be selecting the vendor in the first place if they aren’t compliant. Two, when I get to my annual recertification, you know, with my QSA, you know, part of what I’ve got to prove out is I’ve got to prove out that all of my, vendors that are involved, that they’re maintaining their compliance and I’ve sanity checked it and I’ve got the evidence here, etc. If I don’t have that, now all of a sudden my compliance is at risk because my vendor dropped the ball, you know, type of a deal. So, you know, there certainly could be, you know, could be some kind of ripple implies, impacts, some ripple impacts, you know on your relationships with your clients, even if you aren’t living up to, you know, the requirements that you have for your compliance, it’s gonna come to light pretty fricking quickly. 
And, you know, in terms of your customers that depend on your compliance in order to leverage your services, well, they’re not gonna sit around and wait for you to get your act together, they’re just gonna go pull their business, you know, I don’t need to be dealing with this nonsense, so, all the way around. There’s a lot of reasons for number one, attaining that compliance and then, you know, secondarily taking the ongoing maintenance of that standard seriously.

Do you have any examples of organizations that were negatively impacted due to their stance on security and compliance? People that basically said, nah, it’s not that big of a deal, and how’d that work out for them? Yeah, certainly. You know, we’ve had many organizations that came to us looking for assistance, you know, specifically because they were losing sales opportunities. The vast, I’ve had a handful that had a problem and, you know, they weren’t customers, but they had a problem and were seeking help. So I’ve had a couple of those, but more often than not, which is heartwarming to be frank, is that, you know, they’re realizing because of the fact that they’re losing out on sales opportunities that they need to do something. You know, I had one company in particular, they told us as they were kind of evaluating rolling out this big program, etc, they basically told us, they said, if we had landed this one particular client, that it would have been game changer for them. But instead, because they didn’t have it together, because they didn’t have their ducks in a row, the target that they were trying to woo, you know, basically one was somebody else, and two, that was actually taking their security and compliance seriously. So, you know, I can only guess how many millions of dollars that particular organization lost out on. It’s like, man, is it worth it? You know? It’s a good question.

Yeah, well, I’ve seen organizations where they let their compliance lapse. And, you know, they lost huge contracts with existing clients as a result. You know, some of these, some of them voluntarily let their compliance lapse because they thought there wouldn’t be any consequences. I’ve seen other companies that just got lazy. They started getting red marks on their annual compliance assessments. And the problem when you have that is now when your customer comes asking questions, hey, show us your security compliance paperwork each year. Well, now I’ve got to go cough that up to them. Now I’m sitting there answering tough questions from my clients. These clients take this stuff seriously. And so even if it’s something as simple as, jeez, we forgot to provide security awareness training to so-and-so when they got hired or whatever, materially, is that, in the grand scheme of things, of all the controls you could lapse, is that like the worst one? Yeah, probably not. But it didn’t matter. Um, the organizations, they were having to look at it as it’s more of an indication that the company isn’t taking their role and their responsibility seriously, and thereby, well, if they’re just going to, you know, let lapse their security awareness training for new hires, what else is it that they’re just letting lapse? That’s kind of the open question that ends up being left with the existing client or prospect at that point in the game.

Yeah, it makes sense. Now tell us more about the fallout of a data breach. I mean, it’s awful and we know that it’s awful, but, but how bad is awful? Well, I mean, when you’re not taking your security and compliance seriously, you’re basically gambling with your business each day. You know, you’re kind of hoping, hoping for the best and praying the worst doesn’t happen, but you know, I mean, you can sit at the table, you can, uh, you can spin the wheel. Eventually it’s going to land red. You know the stellar brand reputation of an organization can literally evaporate within hours you know, it doesn’t matter how highly you were perceived before the cyber attack, doesn’t matter of what, how good of a job you did, how much you cared about the client experience, how much you strived to create this service or product that was, you know, head and shoulders above your fellow competitors. Um, you know, the minute that the announcement of the breach goes out, man, you have a gigantic brand erosion instantly. The customers are depending on your organization to keep their sensitive information secure. You know, they’re doing business with you because they trust you. You know, if you get breached, you’re showing you don’t deserve the trust. Once it’s broken, man, that is a tough road. It’s a tough road to rebuild. And you know, get things in place, etc. I remember I was working with one organization who, you know, they were trying to dig out from having an issue and had, you know, kind of basically come to us for assistance. And I can tell you from working with them, it was years, it was years of hard work, years of, of doing things, you know, tons of, you know, kind of bleeding of clients and, you know, blah, blah, blah, blah. Tons of, of trying to turn the public opinion of the organization, their stance and their approach. You know, it was a really tough road we had. 
You go and you look at, you know, for 92% of those companies on that Ponemon report, their full recovery from a data breach, you know, including some, you know, whatever semblance I can of restoration of customer trust, that’s a process that’s, hey, Houston, we got a problem. You know, it takes more than a hundred days, you know, for one third of the companies, it’s 150 days or longer to recover from the data breach. You know, if you think about, I mean, that’s two quarters, right? That’s right. It’s a long, long time to be dealing with this stuff. So, you know, the cost of the reputational damage and the, and lost business, it’s going to dwarf the cost, absolutely dwarf the cost of it. Had you just taken it seriously in the first place you know, the bleeding that these companies go through, they probably look, they definitely look back and say, geez, you know, I wish that I’d, you know, I wish that I had done it.

You know, knowing what I know now type of a thing, if you’d already done the investment in this, you know, what people refer to, you know, when we’re talking earlier, referred to as a cost center type of thing for, you know, spending this money on security and compliance, had they done all they could do, you know, they would have only spent a fraction of the money that, that breach is now costing them. And the sickest part about it is that, you know, when you think about it, for the companies that don’t just throw in the towel and close up shop, for those that actually want to make a shot at trying to survive this process. Well, guess what? Now they’ve got to do it with no other choice. The thou shalt do all of this stuff and do it now, um, you know, type of a thing. They’re shutting, you know, they’re basically, primarily preoccupied with trying to dig out for that, you know, whatever, 150 days type of a deal. And they’re, you know, they’re having to bleed costs on a whole wide variety of different, different expenses. Losing business, having to implement all the things that they should have otherwise implemented, etc, and doing it with a pretty high cost tag and whatnot, because they don’t have the time to just lollygag and, okay, I’m gonna go meander my way through getting this done. No, no, any time for analysis, assessment, is this the best choice for us? Whatever, you’re just doing everything you can to get things locked down in place, answer your customer’s questions, try not to lose them in the process, etc.

So, there’s a general assumption from organizations that their existing client base is kind of safe, right? They operate under that notion that customers will stick with you, or maybe they’ll come back in a month or so. The reality is, is that there is a high volume of the clients that are lost through that breach process, they’re never going to come back, like ever. You know, if your customers are taking security compliance seriously, the last thing they want to do is work with anybody that doesn’t. You know, it’s not only, you know, not only is it a, you know, just a, you know, kind of an inherent, an inherent risk of, you know, kind of taking that stance, but, you know, it’s also the knowledge that if my vendor gets caught up in, you know, in some type of an issue, now I’m going to be sitting here and answering questions about, you know, about what happened. I mean, think about it, right? Here’s a great example. Go back and ask Target whether they got the bigger black eye or the HVAC vendor did, you know? Oh man.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
