Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: How Clients that are Protective of Their Data Can Enhance Productivity While Remaining in Control
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd do a quick-fire roundtable on how best to help those extra special organizations that are extremely protective of their data.
Why are these clients being so careful with their data? How has the significant increase in companies being breached impacted this philosophy? Curious about some horror stories on this topic?
Well, you’re in luck, as the CU Guys have all these answers and more, on this week’s Compliance Unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the fresh cup of compliance java to your morning, Mr. Adam Goslin. How the heck are you, sir? I’m doing just great today, Todd. How about yourself? Can’t complain, I really can’t. Today, we’re going to chat about how clients that are especially protective of their data can enhance productivity while maintaining control.
To start, what is the typical reason this comes up for a client? Well, it depends. There’s a couple of different things that play into it. It depends on perspective. We serve folks going through compliance, we serve folks that are assessors, where they have their own end customers. So either the direct client, or the client’s customer, is more often the case for the service providers and assessors of the world, where they just literally don’t trust third parties at all. In many cases, it’s because they got burned through some type of a client relationship. Whether it was clients actually getting breached. Whether it was some third party that got breached. Some third party that was doing something untoward with the information or the data. There’s a lot of reasons why organizations kind of land into that spot more and more, especially with the stream of headlines that hit. There’s some that quite literally don’t trust anybody. There’s a number of organizations where they take this stance because, it’s going to be easier from the protection perspective to just, screw it, we’re gonna keep the stuff on our systems, and we know what we do for security, but we don’t have any clue what all these other folks are doing. So, it’s just kind of a protection mechanism that some of these folks have taken. That’s where they fell on the issue. So, yeah, it makes it entertaining, shall we say. Indeed. Now, I’m sure it doesn’t help that.
Well, we have a seemingly never-ending stream of companies being breached, right? Yeah, I mean, the list continues. There was a while where I was using Twitter back in the day, now X, where I would subscribe to feeds of different specific folks. I would just get this stream that would come in of what’s new and exciting in the security world. And I tell you what, you could pop that thing open each morning, like literally every morning, and now it’s this one getting breached, now it’s that one getting breached. I mean, yeah, it’s just kind of an endless barrage of organizations that are getting hit. There’s a piece of me that sits there and wishes that they’d see the light before they ended up with their name in lights, but you can’t help save everybody from themselves. It’s just not tenable, if you will. Absolutely.
Now, choices. Talk to me at a high level about what kind of choices clients have for handling their data in an assessment engagement. Well, for those that have taken the stance of, we’re not going to go ahead and use somebody else’s system. I’m going to take this under the perspective of the organization subject to compliance, they’ve got a couple of issues. It depends on which assessor or third parties that are involved, whether it’s an assessor, a consultant, whatever it may be, that’s engaged in their annual assessment. But certainly, one option is everything stays on our systems, is one approach that I’ve seen used. Their chosen assessor has to fly people in to go and sit onsite, and just look at things on their laptops, on their systems, nothing leaves the room, that type of an approach. That gets painful, because if you think about it, if I’ve taken this stance, I’m not sharing my information with anybody. Well, then other inventive things are gonna get thrown to the side like, oh, I don’t know, screen sharing, right? Wow, we don’t really need to fly everybody out there, we can just sit in a screen share. Well, guess what? Now you’re sharing all the information with whatever service you chose for screen sharing. So, at the most extreme level it’s quite literally, come in, sit here, you’re gonna look at it on our systems. You’re not bringing anything out with you, that type of a deal. So that’s one potential process or approach. And if they’re forced to, hey, you’re gonna need to go load your stuff up to the assessor systems. If they can make that fly, then most often what it is, is that the organization will keep everything themselves on their systems, and then create some type of Zip file, and in one shot, go and dump that over off to their assessor. That’s another approach that they’ve used.
Okay, Adam, so I know everybody’s got them. What horror stories have arisen from companies that make this a real concern? So, we talked earlier about how people got burned. Having been somebody that’s had a couple of, we’ll call it, astoundingly unpleasant experiences in the business arena. Mine centered around dealing with partners, ex-partners now. But it’s almost like you can see the PTSD in people as they’re having the conversation. So when you’ve got the individual that’s like, no, my stuff doesn’t leave my environment. I don’t give a crap. I’m not going to even entertain it, da, da, da, da. Something happened to this individual to get them to stay. But, I’ve even had some folks that are just trying to do something as simple as getting a mutual non-disclosure agreement in place, right? When TCT sends one of these out, a mutual non-disclosure agreement, it has all the right stuff. Hey, I’m not gonna share your stuff. You don’t share my stuff. And the world’s this one. There’s no funny business. There’s no like Easter eggs, anything along those lines. But, you get some of these people that they’re like, no, I’m not gonna sign your MNDA. We’re only ever gonna take our MNDA. And then you go in and you look at it, and buried into this MNDA are these clauses like, hey, if you violate any portion of this MNDA, you’re gonna pay us $2 billion. It’s like, you see stuff like that. It’s like, man, that’s a key indicator that something happened to this poor individual, that’s now gotten them into this state. I know from my own personal experience, that the scars are real. When you get burned, man, that sticks with you. I don’t know, I have a strong desire to see the good in things and people. So for me, it was a dark period for a while, but then I started to come out of it as I started to regain faith in humanity. But for some people that just never goes away.
We talked about horror stories. We talked earlier about this just stream of companies getting breached. Like, I just literally went and I said, show me breaches from January of 2025. And you’ve got a Gravy Analytics breach, it’s a location data broker that suffered a breach, exposing millions of people’s location information. It was caused by a hacker that exploited a compromised credential. You’ve got a PowerSchool breach, an educational technology company. They had a breach that affected schools in both the US and in Canada. We had TalkTalk as a target of a hacker, that claimed to be selling information from millions of their customers. And I could just keep going. But it’s this stream of people that had issues, it just doesn’t abate. And it’s part of the reason why you wish that there were ways for these organizations, instead of waiting until they have some horror story to get themselves splashed all over Google. It would be a heck of a lot better if they would just please get a well-seasoned, well-rounded security and compliance program in place proactively, before you find your name in lights on Google.
Now, as a vendor in the compliance management space, what options do we have to facilitate? Well, there’s a couple of different arenas. So, I’m sensitive to the notion of the organization that doesn’t want to share their data. They want to maintain and keep control of their information on their systems. So we have a couple of different ways that can be done. In one manner, we have a capability for leveraging what we call stub files. So instead of loading your actual network diagram over to our system, instead you can load up a stub file, which basically holds the name of your network diagram and whatnot. We can even add a hyperlink to a file location. And then those that have direct access to be able to get to it, would be able to click on that. But effectively what it would be doing is, through the browser, allowing access for that one particular individual. A second option that we have for them is, the notion of a SharePoint integration. So what they can do is, they can go and effectively integrate both directly to their SharePoint, where the quote, files within the TCT portal effectively point at the SharePoint files. And that way, what it allows the target organization that’s got concerns to do, is keep that on their systems. It allows access to those files based on the permissions they have control of that they’ve set. That way, it’s fully within the target organization’s capability to control who’s going where, getting what, getting access to what. So certainly those are a couple of options. The one thing for the players to kind of think through, as they’re envisioning doing this dance with one another, to go down the road of either managing their compliance, or managing the assessment for one of their customers is, just look at the kind of the workflow that’s involved as they go through that process. There’s a lot of things for folks to kind of think through as they go down that path.
Parting shots and thoughts for the folks this week, Adam. Well, it depends on which vendor you’ve got involved. TCT has been through the security wringer with everything from single practitioner shops, all the way up on the other end of the spectrum to multi-billion dollar international style organizations, and everybody in between. And if you’ve got a good vendor vetting process, if you can establish that level of trust with the vendor that you have, it’s going to be better overall for your engagement workflow, if you can gain the assurances that you’re looking for. And that’s the best case scenario. The difficulty for the assessors out there is, that they don’t necessarily have full control over exactly where their clients are going to fit, or fall, in terms of their head space when it comes to the handling of their data. But if it doesn’t look like you’re gonna be able to go in, do the vetting of the chosen organization you’re working with, and you need to go to an alternative solution, make sure you’re selecting vendors that you can work with, that are gonna have solutions that will kind of seam into your compliance management approach, and overall workflow for your engagements. I would certainly recommend taking things on a test run, or proof of concept for a little bit, just to kind of work out the kinks in that process. Whenever you’re moving to a compliance management solution, it’s definitely not, despite all of the fairytale BS out there in the marketplace. It’s not cross your arms, twinkle your nose, nod and poof, you’re now managing compliance. I don’t know what to tell anybody, but it’s not quite that easy, despite the BS that you’re dealing with, with the snake oil salesmen out there.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.