Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Increasing Complexity of Compliance Requirements


Quick Take

On this episode of Compliance Unfiltered, the CU guys give the listeners a sound overview of what exactly is driving the growth in complexity of compliance requirements. Adam and Todd chat about real-world examples of increasing threats, and about how things like these push the security and compliance arena toward more complexity. Finally, Adam gives the listeners ways they can guide their organizations in dealing with increasing complexity, along with some of the resolution options currently available.
All these topics and more, on this week’s Compliance Unfiltered!

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the credenza to your compliance foyer, Mr. Adam Goslin. How the heck are you, sir? Wow, we’re getting into big words. I’m not sure I can keep up with all this. I’m doing good, Todd. How about yourself? Big words. I’m in good shape, sir. I’m in good shape.

But I went with some complex words today because we’re going to be talking about some complexities, and specifically the increasing complexities of compliance requirements. So I guess now would be as good a time as any, Adam, to ask, what’s driving the growth in complexity? Well, for a lot of folks that have kind of watched the security and cyber compliance world, we’ll call it, continuing to evolve, take shape, all that fun stuff, they’ve seen a lot of growth and expansion over the course of the last, gosh, especially the last 10 to 20 years. It just seems like it continues and continues and continues. Some of the reasons for that growth are several things. I mean, you know, technology changes over time, and certainly the attack patterns for the bad guys change in the same sense. You’ve got a predictable pattern that starts to emerge: technology increases occur, with that come new holes and vulnerabilities, and the bad guys then are discovering ways that they can identify vulnerabilities and exploit those. Once the vulnerability is kind of known, then the good guys are patching things and plugging holes and issuing new versions and releases, etc., to close up the holes, and then in response the attackers are discovering new ways to exploit the systems as new technologies are released with new vulnerabilities. So the cycle just continues. Along the way, the attackers get more and more sophisticated in their methods. You know, it’s interesting when you’re just kind of looking at the space overall.
Although there are publicly known vulnerabilities that occur within the field of technology, it’s actually always surprising just how many people aren’t keeping up with and aren’t doing the things that they should be doing to keep their systems patched and up to date, which, even with some of the older style vulnerabilities, gives the attackers a never ending pool from which to continue nibbling away, type of thing. So it’s kind of interesting, you know, watching what’s going on in terms of that threat landscape.

Absolutely. Now, can you give me a couple of examples of increasing threats that you’re seeing in the real world right now? Well, I’m going to kind of go over a couple of different of these. And these are just, you know, to kind of get the listeners thinking about it. Certainly if they’re seasoned security compliance professionals, it may not ring as true, but not everybody is. So I had a really, really convincing phishing attack come through that was directed at me a couple, I don’t know, two, three weeks ago. I got an email from Dropbox that was saying, hey, we’ve got a document link here. And it was ostensibly coming from a law firm that I know well. And so I got that cold with nothing else. I glanced at the fact that it came in and, you know, kept it moving. But 40 minutes later, I get a follow-up email from the guy that I know at this law firm saying, hey, a little while ago, I sent you a link to a file that I need you to go in and review, sign and return. And it was too sensitive for me to send it through email. So that’s why I went with the Dropbox link. And the typical telltale signs of somebody phishing were missing. The email did come directly from a source that I know and trust. The originating email address was coming from the actual law firm. It didn’t just have the label of the law firm, but really it was coming from somewhere in, you know, Uzbekistan or whatever. This was legitimately coming from the lawyer’s email. The content of the email was professional and very well written. It didn’t have spelling or grammar errors. There were absolutely no links within the email that pointed to any unknown domain. So the document link that I received, which I did go in and look at from Dropbox, was a legitimate Dropbox link.
It wasn’t repointing again to some secondary bad guy location.
And the follow-up email that was sent from the lawyer’s email address after I’d received the Dropbox link was what I’d expect to get from a law firm that would be doing due diligence. The one thing that gave me pause about that particular situation, which would generally be easy to overlook, was that I wasn’t expecting to get anything from that law firm. I also then went back and, in looking at the email from the law firm, I noticed that the email was sent from the law firm to the law firm and it wasn’t sent to me. And so they’d BCCed the recipients one by one. And that kind of caught me as suspicious as well. So I went over, I actually didn’t even know the main number to the law firm. I knew the lawyer, I knew the lawyer’s contact information.
So as soon as I started seeing all this going down, I literally sent the dude a text directly. And I said, hey, did you send me a file you need me to open? And waited. After a couple hours, I still hadn’t seen a response from him. So I went out onto their website, called the law firm, and got a hold of them. And the only words I got out of my mouth were, I said, hey, I just got an email, and the receptionist literally cuts me off and says, do not click on that link. Oh. Reason being, many of their existing clients had already been duped. Oh, no. You know, type of thing.

So yeah, long story short is that the bad guys managed to take over this guy’s email account. They had staged up a bad file over on Dropbox and were taking advantage of this ruse to go ship it out. So that was one that was coming through. Another one that I got, and this was actually earlier today. So I’m sitting on the phone with my client and my phone rings, and the phone rings from a number which is very well known to me to be the major electrical company in my area. The phone number is so easy that I’ve had it memorized for decades, type of thing. And so I look at the number, and it’s the right number and it’s got the company name on it and everything, and I told my CTO, I’m like, you know what, my electric company never calls me. Give me a minute. Let me see what the hell’s going on. So I jump over on this call and it’s an automated message indicating that due to lack of payment issues, my service was scheduled for decommissioning in the next 30 to 45 minutes. I could click one to go to billing to resolve the matter, and it got so far as, or you can hit two, and I just hung up the phone. And I call out to my wife. I’m like, I need you to do me a favor. I need you to contact the electrical company directly. I want you to find out whether they got paid. I just got some message which I think is BS saying that we hadn’t paid our bill and they’re going to shut off our service. So I just want to make sure that I’m not going to be lights out when Todd and I are supposed to be recording this pod today. So anyway, sure enough, she contacts them and she sends me a text back and she just says, spam, type of thing. But that, again, was a really good ruse, right?
They basically ghosted the number out to look like it was coming from the electrical company. I’m sure a ton of people that were either not in the space or elderly or, you know, more young and don’t have enough experience would have in a heartbeat pressed one to go to the billing department to resolve the issue and potentially coughed up their credit card numbers or debit card numbers, etc. And it just kind of goes back to that earlier topic that we were talking about, the increasing threats and how devious the bad guys are getting and some of the things that they’re attempting to do.

And these are two easy examples that are over the channels of email and phone. But the same premise kind of applies. The bad guys, their complexity is ever increasing in terms of its capability, in terms of their ability to do things at scale. You know, they’re really starting to get good at this game. And for those of us that are in the space that know what to look for and whatnot, we have a serious leg up, but I think I’m gonna keep telling people about these particular issues just to kind of spread the word. I feel bad for those that aren’t quite as keyed in as we may be.

For sure. Now, how do things like this push security and compliance toward increased complexity? Well, as those attacks, like I was talking about, get more sophisticated, then the software manufacturers create additional elements of technology to protect. Certainly the combination of the attack patterns and the security compliance space and those that are governing standards will thereby react and add additional items, add additional clarity, add additional requirements to things which will assist with protecting organizations. So you’re kind of going through this, it’s almost like a never ending arms race, right? And it’s not going to stop getting more complex. The other side of it for an organization is that there’s a lot of companies that will start going down the path of one thing, right? They decide they wanna do something for security and compliance. So they pick fill in the blank or… Yeah, that makes total sense. Now, how do things like this push the security and compliance arena toward increased complexity, Adam?
Well, like we were talking about, as these attacks become more and more sophisticated, you’ve kind of got this, it’s almost like an armament race, right? The bad guys are finding holes and the good guys are patching holes, and there’s new technology that opens holes and the bad guys are taking advantage of it, and it just continues, continues, continues. I don’t see it slowing down. It’s not going to stop at the end of the day. So that’s the one side of it, but the other side of it is that for a lot of organizations, how do they get into the security and compliance arena? In some cases they’ve got one particular client that says thou shalt get fill-in-the-blank compliant, type of thing, and it’s a mandate. In another case, the organization just is saying to themselves, man, I want to do something to help protect us, and so we’re going to go and select fill-in-the-blank certification or standard that we kind of use as a framework to start. And that’s usually how organizations kind of start getting into the security and compliance arena. But now you start getting successful, now you start growing a little bit, now somebody develops some brand new certification for your industry, or you get another even larger client that says, well, that’s great that you’re PCI compliant, but we need you to be SOC 2 compliant as well and you need to go get certified, or we need you to be ISO 27001, whatever. And so over time, what a lot of these organizations don’t get is that they will have ever increasing additional layers of certifications that are coming into the mix. Granted, it depends on which one you started with, which is why I would usually recommend to folks, hey, you want to know what, going up against PCI with a scope of sensitive data is a really good starting point, because PCI, because it’s prescriptive, will map off against those other standards. So when I then need to go and layer on a HIPAA or go and layer on an ISO or whatever, are you a hundred percent covered because you went to PCI? No, but you’re gonna have a good portion of them that are covered. And so now you’ve got an exercise like mapping to these other standards. Maybe it’s doable to do heroic efforts for one standard, right? You can make do. But the minute you add that second layer, well, now I’ve got to track everything in two spots and blah, blah, blah. I’ve got some organizations that are north of six different certifications or standards that they go up against. And so your world is going to get increasingly more complex as you continue to grow as an organization, grow in terms of your kind of capability within the arena. So it’s kind of an ongoing push toward complexity, which is what any organization in the space has to look forward to if they’re not there already.

Now, what type of load should organizations dealing with security and compliance expect, though?
Well, as compliance standards increase in their complexity, they require more of you, have more line items, cover more breadth, blah, blah, blah, blah. Basically, people eventually slowly lose their minds. That is the bottom line. You know, today, you could have other responsibilities on top of your compliance, but as the complexities increase, somebody feels bad for you. And they say, okay, all you need to do is worry about the security compliance arena. Well, as everything continues to increase, the scope and scale increase, the complexity of your business increases, you eventually get to a point where that’s not good enough. And now you’ve got to bring on an assistant. That starts at part-time, next thing you know, they’re full-time, next thing you know, their help isn’t gonna work. And you’re layering bodies into this mix, type of thing, especially when you’re attempting to go through that process in more of a manual approach, or a series of tools that you’ve kind of hodgepodged together on your own, type of thing. So you just continue going through this cycle of ever increasing scope, scale, size, complexity as you’re going. And this isn’t just a theory. We had a client, someone that became a client, who had indicated to us, oh, back in the day, going through their PCI experience was checking some boxes, and it was rather high level and not as stringent. But over the years, we’re discovering that they had PCI turning into a full-time job for somebody.
And they couldn’t believe how much work it was. At the height of their frustration, right before they ended up coming and having a fine chit chat with the folks at TCT, the poor person at this organization was putting in 16-hour days just to try and stay on top of whatever it was they had going on for managing their compliance. So it’s only gonna get larger and larger in terms of its complexity. The listener should expect that that doesn’t slow down. Well, what are some of the resolution options that companies have today?

Well, we already talked at a high level about one of them, the need to bring on more people, right? In today’s day and age, I don’t see a lot of organizations that have people just sitting around wondering what they can go do next, etc. So organizations are tight on resources. And if you have this ever increasing complexity issue that you need to deal with called security and compliance, then one option is keep throwing more bodies onto the pile, if you will. So bring another person in, etc. Now, here’s where some of the problems come in, right? A lot of organizations say, ah, just go get somebody part-time to help out, and whatnot. And they can spell PC, or they can spell IT, type of thing, but that’s about where the line’s drawn. There’s a big difference between getting somebody that knows a little bit about the IT arena and getting in somebody that’s truly going to be beneficial in the security and compliance space. So the less experienced the person you bring on, you have years of training ahead of you, years, if they even get there. But in order to bring on somebody that truly has the capability and the skills to be effective in this arena, for those that are experienced security compliance professionals, you know how much information, data, knowledge is needed to be able to be effective in the space. And you bring in somebody with that type of credentials, and she’s going to generate a lot of benefit to the organization, or he will. The bottom line is that now you’re bleeding in terms of the dollars you’re spending on those positions.
So it’s expensive, and at some point in the game, and this is kind of the unfortunate part around the security and compliance arena, the organization is going to look at the spend that’s going on in the security and compliance arena, and will hit a point where the perceived value derived from that particular department internally, in terms of its cost versus its benefit, will start to appear to diminish.

So another possibility or another option for organizations is to engage a third-party consultant. An outside compliance consultant, somebody that can provide expert assistance with managing your compliance program. For a lot of organizations, they hit that point where they just can’t take it anymore. It makes a lot of sense to bring in a third-party consultant who’s done nothing but manage compliance across a bevy of organizations for years. It’s not easy to just hire that type of a person, and if you do, oh, you would best have the truckload of money at your fingertips, because that will be an expensive option. However, these people have a great depth of experience. If they’re good at what they do, they’re able to do it in a fraction of the time of somebody else that’s trying to get their arms around it. And so the cost benefit of, is it worth having the compliance consultant in the mix, becomes an easy yes, because you then don’t need to necessarily staff that experience internally. Your internal staff can and will grow and build in terms of maturity in security and compliance over the years. The compliance consultant can be doing things like recommending technology, recommending good solutions, knowing how to leverage the right technology with less time and effort, etc. So there’s a lot of really good reasons why to engage that kind of third-party consultant. The third option is increasing the automation of your compliance program management. So, whether you go with option one or two, option one was hiring people, option two, bringing in a compliance consultant.

Regardless, make damn sure that you have a good compliance management system that you’re leveraging. It’s really important. You want to have and hold on to that repository of information for the benefit of your own organization. You want to be able to have it organized for you and your company. Things happen within an organization, right? Let’s say you change assessors. Well, if you’re using your assessor’s system, then guess what? That goes poof when you go to move to the second assessor. Yeah, sure, you might be able to get some zip file dump from the assessor’s system of all of your files, but it’s going to be an absolute mess of a crap show. So, certainly, have your own compliance management system in place. Really, what I say to organizations is that a lot of them, especially the new ones to the space, look at the first year as a whole lot of work and blah, and they’re not realizing the benefits they’re building as they go through and do it. Does it take time? Of course it does. You’re going to spend time on something, you might as well spend time on something that’s actually going to be usable. In the grand scheme of things, once you get about halfway to two thirds of the way through your engagement leveraging a compliance management system, even on your first year run, you’re now starting to pull ahead, seeing the benefits of being able to use this system, being able to actually find things and blah, blah, blah. The real magic is when you get to year two plus, now that you’ve gone ahead and used that system for year one. Year two plus, oh my God, I can’t even articulate to an organization just how freaking awesome it is to be able to ask the question, who did this thing last year? Well, I can go look it up. It was Mary. Oh, where do we get this particular, which screenshot do we use for this particular requirement? Boom, here it is.
I can put my finger right on it. And I know damn well there’s listeners that are sitting here chuckling because they’re recalling their pain when the person that was the central figure for compliance last year put in their notice and left, or, as I like to call it, got hit by the bus, for whatever the reason may be, type of thing. And all of a sudden they’re gone. Well, guess what? If that person’s gone and you don’t have any repository, your human capital option for how to plug this hole just disappeared. And so, having all of this within that system, honestly, it can reduce manual labor on these engagements by as much as 65%. The time that you free up from that kind of small army that you kind of perceive that you have in your security and compliance arena, I’m dead serious, you can start to free some of those individuals up to help with other more important things for the organization. It is huge, huge, huge, huge and very important for organizations to take that compliance management system seriously, regardless of which of the options they choose to take advantage of in terms of how to resolve that increasing complexity.

For sure. Now, parting thoughts and shots for the folks this week, Adam? Well, no matter which way organizations decide to go about figuring out how they’re going to respond to the burdens of compliance management, the important part is start thinking ahead. Please do yourself a favor. You will thank yourself later. The reality is that people need to start thinking about, how am I going to prepare for these complexities? How am I going to prepare for the additional requirements? How do I position myself and this organization for what is coming? Because it is coming. They’re getting more complex. Some big client’s going to mandate your layering on two, three, four more compliance standards. It’s coming. So do yourself and the organization a huge favor and figure out what are the options that are going to make the most business sense. What is a cost-effective way for you to go down the path? What things can you put in place now so that you’re in a position to be able to adapt to those unknowns that are going to be coming? And the reality is, at the end of the day, managing compliance already sucks. TCT just helps make it suck less.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
