Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Why Implementing Overall Security Is Important


Quick Take

On this week’s episode of Compliance Unfiltered, we take a hard look at why implementing overall security is so critical. Gone are the days of getting by with the bare minimum when it comes to security/compliance – despite what some companies think.

Curious why companies choose to focus on minimizing the scope of their assessment to overcome lack of bandwidth? Wondering what other things within the company environment need to be on your overall security radar?

The CU guys will cover all these topics and more, on this week’s episode of Compliance Unfiltered!


Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who will help you through any form of PEBCAK you may experience, Adam Goslin. Adam, how the heck are you? I am doing fantabulous today, Todd. How about yourself? Pluses and minuses, sir. It’s like the elevator business: it has its ups and downs, one way or the other.

Today we’re talking about why implementing overall security is important. And I’m curious, what exactly do you mean by that specific phrase, why is implementing overall security important? Well, just so you know, your phone connection is garbling out a little bit. I don’t know if there’s any way to improve that, but just so you are aware. But the reason why implementing overall security is important is, for some organizations, they will attempt to do the bare minimum to get through what they need to get through. Some companies just want to save dollars by saving on security tool costs across their organization. Some companies run into internal labor resource bandwidth issues; they don’t have internal bandwidth with their security and compliance people to do it, in their mind’s eye. They don’t have time to have their operational personnel focused on implementing additional security controls across the environment, and across the board. For some organizations, they’ll deliberately focus on minimizing the scope of their assessment so that they don’t have as broad an environment that is subject to assessment.

Why would companies minimize the scope of their assessment, though? Well, there’s a couple of reasons why they would do it. Certainly, if you’re trying to get through an assessment or audit, depending on what you’re going up against, you could have anywhere from 50 to 1000 various data points, elements, etc., that you need to validate to the assessor, and the broader the scope of what all we’re assessing, that can have some pretty dramatic impacts on the amount of time and effort it takes to navigate the assessment. Certainly, the assessor is going to charge more if it’s a gigantic scope. So, a lot of them will minimize that scope, both to facilitate their, I don’t want to call it ease, because none of these fricking engagements are easy, but to facilitate relative ease of getting through their security and compliance engagement, and to mitigate the external or out-of-pocket costs that they’d have to go ahead and put dollars into with the assessment firm. That is typically the reason why they’ll make attempts to minimize the scope of that particular assessment.

Sure. Okay. Well, what are the examples of other things within the company environment that they would need to worry about? Well, and here’s where the rubber starts to meet the road, right? Sure. So you figure, if the organization, let’s say that they’re doing some form of software development, they’ve got a web-based platform, or something along those lines, then they’re going to have sub-environments. So, they’re going to have maybe a development environment, a testing environment, a staging environment, QA environment, whatever they decide to call it. Yeah. As that code, if you will, goes through change, their change control life cycle, all of those sub-environments come into play. They could have internal file servers, internal web servers, database servers, maybe not related to the scope of the assessment that they’re in the process of going through. But, just for their own corporate entity, having a variety of different servers will come into play; there could be various SaaS solutions that come into play. So, an example there, a lot of organizations will leverage Azure AD. Sure. Hosted at Azure. But again, that’s something that, sure, is Azure, quote, secure? Sure. But some of it comes down to how did you configure it, and set it up, and what switches got flipped, etc., so you’ve got that to worry about. You’ve got connected entities, but long story short is that some type of, typically there’d be like a vendor or a partner that has some type of a secure tunnel into the environment, for fill-in-the-blank business purpose, or something else. You’ve also got things like intellectual property that will come into play. I mean, any business that’s in business, they’re either producing a product, or provisioning a service, or has a solution that others are willing to pay for, AKA intellectual property of varying forms, so they’ve got all of those. I mean, there could be things like load location. So, depending on the business model of the target entity, maybe they need to get files from their clients, go ahead and load them onto fill-in-the-blank production system, but the drop zone for these initial loads or periodic loads goes to some secondary system or whatever. There’s a ton of examples of things that can come up that are outside of the walled garden that is the scope of their assessment, if you will. But those are some of the examples that organizations can and really should be paying attention to.

That makes sense. Any recent events that spurred this topic? Well, actually the one that really triggered me was LastPass. I thought you were going to say that. I’ve been saying to myself for ages, I’m just like, at some point in the game, one of these big secure password storage vendors is going to have some type of an issue. I thought for sure it would be, somebody actually breached them, gained access, etc. In this particular case, it was interesting, because it wasn’t that they ended up coughing up passwords and whatnot, which, in the back of my head, I’m just waiting for the shoe to drop, type of thing. But that wasn’t it. What it was is they had a development environment that had a breach of a developer account. And that particular developer account allowed the bad guys to go in and gain access. Remember, we were talking earlier about those sub-environments. All the bad guys gained access to was a sub-environment, and they were able to gain direct access to internal source code, proprietary intellectual property about how the site and the system works. And in some ways, well, granted, it wasn’t, so far, a direct, yeah, they gained access to a number of accounts as a result. But the interesting part is that with that information and that knowledge that the bad guys gained, well, now they’ve got access to the code. They can now look at a level of detail about how LastPass does what they do, and be able to find ways to poke holes in the security, doing it from an insider’s-track perspective. That in and of itself is dangerous, let alone the fact that they spilled intellectual property out there.

But, I went out and took a look at the latest data breaches and whatnot. They don’t stop. But some examples. I mean, LA School District had a breach recently, Samsung had some exposure of customer data that happened recently. You’ve got various countries that are griping about other state actors that are pushing ransomware at their country, in some directed manner, etc. But this stuff is going on every day of the week, all the time. And it’s part of what, especially when we were talking about some of the scenarios early on today, about why it is that organizations will try to mitigate that scope, and what are some of the reasons for doing so. It just really should impress upon those organizations, because one of the things I hear from companies a fair amount is, oh, whatever, we’re too small, we’re not a big enough target, we don’t have juicy enough data. They’re going to care. You want to know what? At the end of the day, bad guys really don’t give a crap about if you’re big or small, they’re going to keep poking, mindlessly poking, regardless. They’re just looking for IP addresses, they can go in, hit bypass, and then they’ll figure out whether it’s worth it or not, or what can they get to and gain access to, and what damage can they do. Just pulling on door handles. Yeah, yeah, I mean, it’s nuts. But there isn’t the notion, whatever, 15, 20 years ago, that there was, you know, a valid case to be made, not valid, but a reasonable case to be made for, well, we’re not big enough, and blah, blah, blah, and we can do these couple of things to try to shield ourselves, and we’re going to be okay. That’s just not the case anymore. You know what I mean? Yeah.

And so here’s the real question, right? What should companies be doing? Well, in the grand scheme of things, companies need to be taking this stuff seriously. Don’t just fall into that bad habit of just looking at your production environment, and just kind of making sure you have this battalion of provisions in place only for that. There’s a lot of other stuff that companies need to be protecting. What I typically recommend to organizations that I’m working with, helping, etc., is, when you talk on a compliance engagement about putting together your inventory, as an example, well, don’t just put together your inventory for just your arena.

But if you’re working with a reasonable assessor, you’re all on the same page about what the scope is, right? So with that agreement in mind, don’t sit there maintaining, well, this is the assessor inventory, and this is our real inventory. Eff it, just move past all that, get to the point where you’re sitting down with your assessor, having real conversations, and you simply say to them, look, I’m going to add a bit field to the inventory that’s going to say, this is the crap that’s in scope, and this is the stuff that isn’t, but we don’t want to maintain two sets of books here. I just don’t want to be able to have everything in one spot. And that way, if you set things up with your assessor appropriately, you walk in with that right mentality, now you can just use the inventory.

Well, I guess that makes a lot of sense. As you’re looking ahead at this, though, it’s still scary for some. And I guess my question is, why should this be easier than companies fear? Well, when organizations take that type of an approach, where you don’t have these two sets of books, you’ve got your singular inventory, etc., what it does is it allows the organization then to just take a standardized approach to how they’re doing what they’re doing, and where. Really look at it globally, make some conscious decisions about rollout of these various tools that they’ve got for being able to protect the environment. If you think about it this way, you already have security and/or compliance people, whether it’s an internal person that’s taking care of it, or you’ve got a security compliance consultant in play, you’ve got the presence, because you’re going through assessments, somebody is performing this function, right?

Your day-by-day people, whether it’s HR, legal, developers, your infrastructure people, or your vendors that are taking care of it, etc., they’re out there, and they’re doing their thing and they’re managing and whatnot. The real dividing line between this knee-jerk reaction you see out of companies, to try to mitigate this scope, versus just incorporating it across the board, is that it’s a whole lot easier if you take on that holistic approach. That way, I don’t use two different sets of rules for, okay, well, this is the stuff for the assessment, so we’re going to treat it this way, and then this is the non-assessment stuff, we’re just only going to do this little bit over here. If you’re just doing everything in the same manner across the board, you end up really gaining synergies. Now, getting there in the first place, that’s the challenge. When I start working with organizations to get their system set up, and get their head in the right spot, etc., if you just start out of the gate with, hey, you want to know what this assessment is about? This assessment is about making the company’s stance stronger across the board, not just in this one little corner. And if they do that, I think they’ll be surprised, once you’ve gained that rhythm.

A lot of companies will fear security and compliance. They’re like, oh man, we’re going to have to do all this stuff to appease the security compliance gods, and all of this ridiculous mumbo jumbo that we otherwise wouldn’t need to do. And so that’s the approach that they’ll take. And yet, if you look at the activities that are done in a secure, compliant organization, the activities that those people are doing and going through, those are activities that take an active, positive protection role for the organization. It really comes down to, how seriously is the company in question going to take it? And how have they really thought things through about why it’s important?

Any parting thoughts and shots on this? We’ve given the people a lot to think about today, in a short amount of time. Yeah. Here’s the thing, I’ve built a couple of companies from the ground up. I’ve said to people that doing so has literally been one of the hardest things that I’ve ever done. It’s not easy. And the way that I look at it is, I look at the activities that TCT takes to protect the organization, and that’s an active protection of the investment that I’ve made into building the organization. It’s the way that you’ve got to go in and take a look at it. We talked earlier about basically building in and standardizing the organization’s approach across the board. And I often will refer to it as building security and compliance into everybody’s DNA. Make it part of the, yes, I need to breathe today, and I’m going to need to do my security stuff in a secure manner. You make it part of their DNA, and it becomes second nature for everybody. And the cool part about watching an organization unfurl this notion of across-the-board, global, consistent security and compliance is that now, as the light bulbs start to go on with all of the personnel, it’s not just an IT thing, but an everyday thing. Everybody within the organization is taking an active role in making sure that the organization is doing what they need to do. It’s funny, because now all of a sudden, instead of it just being the security and compliance people, or the IT folks that are waving their arms and legs, now you’ve got a whole bunch more people that will go out and have their eyeballs open, be reporting things, being vigilant. It’s actually fun watching those light bulbs start to turn on at an organization.

If you look at it this way, you imagine, just imagine for a second that the worst has now happened. You’ve come in on the miscellaneous Thursday and your phone is getting lit up with people saying that there’s some massive problem, massive IT security problem with the organization. You could have an issue on your hands that’s going to cost you millions of dollars to dig your way out of. And meanwhile, are you really going to take solace that we managed to save thousands of dollars for some particular period of time? It’s not even worth it. I have not been a party to an organization that has suffered a direct data breach. But oh, I can only imagine just how absolutely, atrociously hellish it must be to be living that, at the company that either you own and/or are responsible for, and/or work at. I’ve helped a lot of companies that have found themselves with their bum in that butter, if you will. But I haven’t been right in the thick of it. And to close this topic out, I like to tell folks, especially the executives, right, I’ll tell them, I’ll say, look, you go talk to your salesperson, you go ask them how easy it is to get customers. And they’re going to come back and they’re going to tell you that it’s extremely difficult to get customers. The amount of time it takes, the amount of effort that it takes to convert somebody from an initial phone call or email to signing on the dotted line is a process, and it’s not an easy process, and a lot harder for some organizations than others. And now, just go back again to that issue I was talking about a minute ago, where you come in on the miscellaneous Thursday. Well, imagine now how much harder it would be on Friday of that week, when your data breach has now gone public, your company name splashed all over Google, and every single time that one of these salespeople has to go to talk to somebody, what’s the first thing that they do? They start Googling about the company, and if everything popping up is talking about how the organization just had a data breach, and worse yet, they’re still finding this in the Google feeds a year later, five years later. Well, I’ll tell you what happens, Adam, is they stop answering the phone. Yep, you got it. I mean, if that’s what they’re seeing, they’re never going to trust you. It takes years for these organizations to recover, quite frankly, if the company even ever does.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
