Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: New to Compliance? This One’s for You!


Quick Take

On this episode of Compliance Unfiltered, the CU guys give the audience a solid understanding of where a company’s headspace might be when first considering rolling out a full-fledged compliance program.

Find answers to common questions and common fears, and enjoy some Adam-spun wisdom for the folks just getting started.

All this and more on this week’s Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the antibiotic to your compliance cold, Mr. Adam Goslin. How the heck are you, sir? 

I’m doing good. It does go under the general premise that antibiotics are actually killing off the ugly buglies, but that’s a debate for another day. 

Indeed. Well, today we’re actually going to talk about something that is really designed for organizations that are newer into this compliance journey, more specifically, in general, for companies that have not yet fully adopted a security or compliance program, like where is their head space normally at? 

Well, I mean, a lot, it depends, right? I mean, a lot of them that haven’t had the opportunity to get into it are taking an approach that, oh, hey, we haven’t had an issue so far that they know of, you know, to this point. So why, you know, why do we really need to spend the time and energy and money and blap to go ahead down this path? You know, others, yet others are in a mode of a false assumption that, you know, their IT folks, whether it’s internal IT folks or an outsourced IT company, are appropriately protecting the organization. So, you know, they’re under this kind of, I’ll call it false assumption. I would refer the listeners to, we did a prior episode about, you know, why IT shouldn’t be exclusively responsible for security and compliance. So by all means, go ahead and leverage that content. But you know, other organizations, they’re busy taking an approach that, well, since none of their clients are mandating that they need to, you know, go ahead and get fill-in-the-blank compliant, you know, to encourage them to take it seriously, they just kick the old can down the road. So, you know, there’s a number of things, you know, generally speaking, the head space for those organizations is not something that someone’s banging down our door to mandate that we go do and I don’t have a sense of urgency. So we’re just not going to go there yet and we’ve got more important things to do day by day running the company and all that fun stuff is kind of where their head space is normally.

Well, for those that decide to dip their toe in the water, what do they find or why do they find it so daunting? 

Well, the one thing that the organizations need to understand is that security and compliance, it is a specialty. I’ve used examples before, if I need heart surgery, I’m not going to go to my general practitioner to get it done. I need to go to a heart specialist. It’s the same type of thing in the IT world. You’ve got these existing IT folk, whether it’s somebody that’s on staff or it’s an outsourced company. Those resources, I’m going to put this into the category of it is very likely that the existing technical resources that you have, they’re not going to tell you this, but they really don’t have any idea what to do. For organizations that start trying to go head down this path, they go task the gearheads with going off and, hey, go figure out what it’s going to take for us to get fill-in-the-blank compliant. The gearheads go, they pull up the standard, and then they realize, oh, cool, uh-oh, there’s hundreds of line items that we need to go in and do for this target certification or standard. They get this sense of just instantly being overwhelmed, overwhelmed by just the gravity of what needs to be done. The security and compliance arena is not as simple as, hey, we’re going to go Google it. How do I become fill-in-the-blank compliant, Google, go, and poof, yeah, just all you have to do is follow these eight steps and poof, you’re compliant. Yeah, it doesn’t work like that. It’s an arena that takes a minute for organizations really to get their heads around. Going back to those internal resources, you have harped on it a couple of times. We covered in depth on the other pod, but the poor IT folks, they’re great at doing their job. Make no mistake. One thing, do me a gigantic favor, but if you’re in this situation where you think that your IT folk really know what they’re doing, et cetera, please go listen to that episode because there is a ton of good information in there.
The biggest factor that I want to get across to folks is that do me a giant favor, do not flame your existing IT people, your IT vendor, right out of the gate with, well, why aren’t you doing this? Why aren’t you doing that? Why don’t you know this? Why don’t you know that? They’re really stuck in a really tough position, so go listen to that episode. It’ll really help a lot, and nothing bugs me more than when you’ve got leadership that are flaming the IT folks. It’s not their fault. 

Now, you were faced with this situation when you first started into security and compliance. Refresh our memory about how that rolled out. 

Well, you know, I had worked my way up the ranks of IT, you know, for folks that are in IT, you kind of got two choices, right? I can go the gearhead route and, you know, stay eyeball deep in technology or you can go management. So I went management and worked up the ranks of IT management over, you know, north of a decade, culminating in being a VP of IT and infrastructure for a supply chain e-commerce company. And, you know, so I’ve been basically running IT and keeping in mind, just for perspective for the listener, in that position, I had the day by day IT folk that took care of like all the PCs and computers, etc. I had the people under me that were taking care of all the servers, firewalling equipment, networking equipment, etc. I had an outsourced hosting company that was taking care of the production hosting environment. I had the developers. I had the database administrators. I had interfacing with the product crew that was doing, you know, enhancements to the system that would, you know, the specs would then come over our way. I also had interfacing with the customer service folks, etc. So, you know, I had a lot of different people, you know, kind of all, I had all the gearheads, you know, type of thing under me. And my boss came by and said, hey, we need to go get PCI compliant. And like, no joke, I literally, you know, said, well, what’s PCI? That is how I got my start. And so, you know, I go and I start looking at this standard and, you know, and whatnot. The company had acquired an assessor. And at the time, there were very, very few people that could provide any form of assistance. So, you know, effectively, my, you know, and keeping in mind, this was two decades ago.
So, my extravaganza through this was one of asking the assessor a ton of dumb questions, googling whatever I could, trying to find the scant few vendors out there for checking boxes and coordinating with them, you know, going deep dive with the hosting company and trying to get things figured out there, you know, trying to make friends out on the internet, you know, and whatnot. It was, you know, it was really kind of a collaborative process to try to navigate through it. From the time that I said, what’s PCI, to the time that we actually had a piece of paper in our hands that said we were compliant, it was 18 months from start to finish. And it was brutal. It was just brutal. You know, there was no easy path through it in that particular organization. That was, I’ll call it the worst case scenario in that every single aspect of PCI was applicable to this company just because of their circumstances. And so, I needed to learn a ton about just a battalion of different things. And so, it was quite the experience going from, you know, kind of start to end of that. And there were really three things that at the end of it all that I kind of learned through the process.

One was despite having been in IT leadership my entire career, I learned how little I knew about security and compliance. That wasn’t a surprise for me personally, because I was sitting there going, well, I got my gearheads and they know, you know, the same assumption that a lot of these companies make and still make today is exactly where my headspace was at two decades ago. And that leads to the second, you know, element that I learned through the process was just how little my day by day, you know, folks and I had, again, I had developers, I had system administrators, I had DBAs, I had, you know, I had day by day IT people and across the board, how little they knew about security and compliance. They can make shit run, but they had no idea how to do it in a secure, compliant fashion. And that was startling, because I had always been under this assumption that, well, they just somehow magically knew how to do this stuff. And, you know, the third learning moment for me was just how little help there was in the marketplace at that time. Back then, most of the knowledge was held in the, you know, kind of the big, you know, big gigundus, you know, kind of consulting firms, you know, type of a thing, think the, I don’t know, I’ll just throw whips and the Ernst and Youngs and the PWCs and, you know, those type of organizations were like, those were the ones that even dip their toe in this water. There wasn’t anybody else to go give you a hand. And so, yeah, it was quite the learning experience, you know, kind of going through that process. And, you know, really, it led to, you know, some of my learning experience from that point, that’s the reason that I decided to step away from working for somebody else and stepping into this space was because I learned a ton through this process. And I know there’s people out there that didn’t know how to do this stuff. I like helping people. So I decided to go and step in, you know, step into the, you know, client space at the time.
And, you know, it was really huge, it was really a huge learning experience for me. 

Yeah. Now, what are some of the largest challenges for companies that decide to take their security and compliance program more seriously? 

Well, the biggest challenge that they have, whether they realize it or not, as they commence on the journey is just simply knowing what is it that we need to do? You know, yeah, sure. I can go, I could, yeah, I mean, I got to put this into perspective for, you know, for the folks that are at the top end of the business side, right? Like, whoa, you’ve got the standard over there. You just read the standard and go do what it says, right? It’s easy. Well, there’s a number of different problems, which we’ll kind of come into in the next section. But there’s documentation out there from the governing authority. There’s supplement, you know, that documentation, by the way, is probably when all said and done, like hundreds of pages long, like when I say hundreds, not 110, I’m talking about between 500 and a thousand pages long. Oh, documentation around, you know, the standard and what, you know, what it means and what are you supposed to do? And typically accompanying that there’s supporting documentation that gives you a better realm of clarity and dah, dah, dah, dah, dah. This is not a, I said it earlier, you know, I can’t just go Google, what are my 10 steps to being fill-in-the-blank compliant? It doesn’t work that way. There’s a ton of material that you have to get through, a lot of it, you know, a lot of it just depends on whether you’ve done this before, you know, if you don’t have somebody, you know, internally that’s been to this rodeo, that’s done it end to end, you’re about to go and fulfill requirements. I mean, one of the big things that people don’t realize as they, you know, kind of start to go in and do this is this, a lot of people think, oh, well, this is just a gearhead thing, right? This is just going to impact IT. That’s not it at all.
If you’re doing it right, this is going to have a material effect, literally across your organization. This is going to impact everybody from the CEO to the janitor. This is going to impact departments far broader than just IT, you know, et cetera. So, you know, just knowing what to do is one of the biggest challenges and it’s not as simple as, you know, I go read the Cliffs Notes version for how to get compliant. You know, the lack of experience of the existing personnel. Yeah, part of the way it typically works is because of the bad assumption by the executive management that, oh, well, the IT folk just must magically know how to do security and compliance stuff, because there’s that false assumption and the IT folk are used to trying to figure things out on their own. It’s typically, the way it rolls is there’s an edict from on high. We need to be fill-in-the-blank compliant. They assume that the gearheads are just going to know what they want to do. And then the gearheads get to go in circles and I don’t know.

I’ll call it a complete security compliance spirograph adventure that they’re about to go down where it’s just their circle, circle, circle, circle, circle, circle, circle. And this isn’t like the little spirograph. Imagine you’ve got a spirograph that’s like, I don’t know, maybe a mile across type of thing. That’s the type of thing that we’re talking about is you’re going in these like circles, circles, circles, circles, all the way around for a mile, you know, type of a deal. That’s kind of what it’s like. You know, and it takes a while before there’s a realization. Now the realization comes out in one of a couple of ways, the uppity ups that have made the bad assumption now start getting pissed at how long it’s taking is one, or two, the gearheads realize that, man, we’re in over our head. We’re out over our skis and we’re going to need some help, you know, blah, blah, blah, blah, but usually so much time has gone by they’re reticent to raise their hand and acknowledge that. So again, it just, it puts everybody within the organization in kind of a bad state. You know, the sheer volume and breadth of the requirements is overwhelming. You know, organizations will spend an inordinate amount of time, you know, trying to design their own, you know, homegrown tracking systems for keeping track of all of this stuff. You know, you think about it, right? Typically they’re using Excel out of the gate, you know, and it’s not until much later that they learn the benefit of a compliance management system. I mean, just to put this into context, let’s say that the standard you’re going up against has 750 line items. Well, okay, it’s great. So it’s 750 line items, except for the fact that, you know, items are going to have one or more people assigned to them. Items could have, you know, three different types of devices per line item that need to get addressed and each of those line items are administered by a different group within the organization. Maybe you have to take your compliance, so your security compliance spans across a multitude of locations. We’ve got this office, that office, the other office, et cetera, and they all need to be compliant, so how do we track all that crap? And it just keeps getting, it’s like a snowball going downhill is kind of the feeling because more stuff keeps getting tacked on, tacked on, tacked on as it’s rolling down the hill. And then the final thing that’s a big challenge is just the sheer lack of knowledge within the organization about what is good enough to, quote, meet this objective for this particular line item. I could solve it eight different ways, are only ways two and seven going to be acceptable? I don’t know. I’ve never done this before, excuse me. I’ve never done this before. So that lack of knowledge means that what’s going to end up happening is that the folks that are boots on the ground, they’re going to go in and have to attempt something, fail, attempt again, fail, go ask for help, get some directional guidance, okay, try it a third time, yeah, you got most of it, then I got to take a fourth whack at the ball. You know, that’s kind of the way it rolls, especially when you’re going down this experience for the first time. You’re going to hit a lot of trees on the way down the slope, shall we say?

Now, some compliance standards are more prescriptive, and some are less so. Tell us more about the benefits and drawbacks of those different types of standards. 

Well, less prescriptive standards, their approach is they tend to set out some form of an objective to attain, but they’re less specific about how you’re going to go about doing it. And that sounds, to a lot of people out of the gate, they’re like, oh, it’s great. That means that I have options, right? I could do it this way or that way and whatever way I feel like it, blah, blah, blah. The problem is, is that, you know, how do you know if your controls are actually strong enough to be considered to meet the objective? If I were to guess, companies left to their own devices that are on a directional standard, or less prescriptive standard, if you will, I would say easily 90% of those organizations come up short, because they’re just going through a, hey, let’s just get this done approach or check the box approach, et cetera. And they don’t have the requisite experience to make the right call. So as they’re making these decisions to try to, quote, streamline it, to get through it faster, they’re cutting corners, they’re not doing it correctly. They don’t, you know, they don’t have the experience to do it properly out of the gate and they end up running into walls, you know, when they have to get this validated or vetted by somebody. Those more prescriptive standards will lay out a specific set of controls to achieve what the objective is. And it leaves a lot less to interpretation as you’re, you know, going through that process. So when you’ve got that more prescriptive standard, it’s a lot easier because now I truly do need to, hey, I’m just going to go solve this particular, you know, I’m going to implement this control, you know, in the way that it’s specified, it’s a hell of a lot easier to go down the path. It gives you, you know, kind of a good roadmap.
The other advantage of the prescriptive standard is that now that I have a very clear control set, that also makes it a lot easier to map to secondary standards. So as an example, let’s say that the organization needs to go down the path of compliance standard number one, and they get that and they start maintaining it ongoing. And then what happens is that some other client comes along and says, hey, that’s cool, but now I want you to be compliant in fill-in-the-blank. If you’re using a directional standard, now you literally have to depend on it: did the way that I define these controls in my particular case, were they strong enough to meet the more stringent requirements of this more, you know, more prescriptive standard that now I need to go map up against? Most of the time you’re coming up short. So it’s going to entail a lot of rework, you know, through that process. Where if you have the prescriptive standard in hand, that will allow you to then easily map those controls to the secondary standards, a lot less tweaking, rework, et cetera.

And then the last thing that I wanted to say on the kind of more directional standards is that with those directional standards, because it allows the latitude for the organization to define their own standard. Now, when you have somebody coming to you, like a big prospect or a big client coming to you and saying, hey, I want to know more about your security program. If they get into starting to dig into the weeds of, okay, that’s great. You went to achieve this particular objective. How did you go about doing it? As they’re reading what controls you have in place, now it opens you up for their interpretation of, did you do it well enough? Did you do it strongly enough? Were you just trying to check the box or are you taking this seriously? You know, it really opens you up to a lot of, so we’ll call it a secondary interpretation of judging you on how well you did as you went down that path.

Sure.

Now, if you just think back on your first rodeo, right? Well, then what would you do differently knowing what you know now? 

Well, I can tell you without any shadow of a doubt, the very first thing that I would do is I would get some form of a basic compliance management system. What I mean by basic compliance management, you don’t need something that’s going to run your entire organization. You don’t need some massive, massive ass GRC, blah, blah tool, et cetera, with all of its complications, et cetera. Get something that’s just gonna get the job done for compliance management, such as the TCT portal. And when you do that, force everyone involved in the program to only use that one place for your compliance information, communication, assignments, evidence, status, things along those lines. Doing so makes it a whole hell of a lot easier to be able to manage the engagement, tell where you’re at, et cetera. It’s just all the way around. That is one thing. When I initially designed the TCT portal, I literally set about to write the tool I wish that I had when I was first doing this. That was the reason the TCT portal was built. And make damn sure that you’re using that compliance management system when you get to year two and beyond. That way, you’ve got a solid repository for everything that was done the last time, what evidence was needed, a historical record of who did what. Which, by the way, is astoundingly helpful when you’re experiencing the inevitable turnover that’s going to happen in any organization. Can you imagine one or two people that were kind of key to your security and your compliance engagement for a particular year, and then all of a sudden, whatever, they moved. Best case scenario, they moved to a different department and they’re still accessible. But worst case scenario, they’re gone, and you don’t have them to be able to ask questions, et cetera. That system, inevitably, will be of astounding benefit because it makes it easy.
Now I’ve got everything right at my fingertips, whether it’s an easy reference for what the hell I did last year, or easy reference when somebody’s taking over for somebody else. And since you’re listening so far into this podcast, you’re already armed with the knowledge that the internal folks do not know enough to run one of these engagements. So engage a security compliance consultant to act as that internal audit function. This will provide the expertise that your team desperately needs, although they may not realize it just yet. And it’s important to have a sanity check for the gearheads that you have on hand. It’s just, it is a really good function. It’s part of the benefits. And honestly, there were no security compliance consultants back in the day for me. They didn’t even exist. So you asked about what I wish that I would have had, knowing what I know now. Yeah, I wish that those people had existed because I would have absolutely, absolutely taken them up on participating and helping. That would have made a gigantic difference in my 18-month soiree.

That’s so wild. Parting shots and thoughts for the folks this week, Adam.

Well, TCT has been in the security and compliance space for multiple decades. That’s one of the things that people need to understand about where this advice is coming from. Like I said, when I started TCT, I wanted to go about providing the services that I wished that I had access to on my first trip through security and compliance. So, definitely check into the TCT portal for a cost-effective compliance management system. It’s priced to be a no-brainer in terms of just the volume of time that it saves on engagements. What I will tell people from my experience is that the dollars that you spend for the tooling are going to pay for themselves in terms of internal efficiency, even in the first year. Once you get to year two plus, it gets even better, and really a lot more long-term benefits for the organization. TCT has been doing consulting engagements, helping companies get from starting to think about compliance into full operational mode, compliance programs, and then migrating into a proactive security and compliance stance to maintain those controls that the organization now has in place. But more importantly than that, and this is the important part, especially for the leadership of the organization to understand, is that when you have a strong program like this in place, it is a real shield for organizations in terms of helping to protect them. The consulting engagement ends up costing a fraction of a full-time experienced resource, and while there’s organizations that will go through and try to take a crack at pulling in one of those full-time resources, it’s really difficult today to get someone that truly has the right level of experience. And if you get them, that is an unbelievably expensive resource. So saving your organization a bunch of time and money in that process would be my recommendation. And I’ve said for years that the companies are happily paying cyber liability insurance and going under this notion that it’s going to protect them.
But again, please go check out our blogs, check out our pods on my thoughts on cyber liability insurance, but suffice it to say, that should only be your emergency parachute. The activities that you take as an organization for your overall security compliance program, those are real steps to really help to protect the company, to really improve the security and compliance posture of the target organization. Sometimes things happen, and that’s where your cyber liability should come into play. But if somebody held a gun to my head, and I’ve said this before, if somebody holds a gun to my head and says, look, you have two choices. You can either pay your cyber liability insurance bill or you can manage and maintain your ongoing security compliance program. I am dropping the cyber liability in an effing heartbeat if I got to make that choice. Because the ongoing operational program, that’s real tangible improvements to the posture of the organization. And that’s really to me what’s most important. I want to help to protect companies out there.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
