Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Compliance Management in an A.I. Powered World


Quick Take

On this episode of Compliance Unfiltered, Adam gives the listeners the bottom line when it comes to the use of A.I. in the compliance management landscape.

Curious where to get started and what questions to ask as you’re considering the wonders of A.I.? Wondering about the difference between Artificial Intelligence and Automated Intelligence? Just plain worried about how A.I. is going to impact you and your team?

You’re in luck – all these answers and more on this week’s Compliance Unfiltered!

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Scorsese to your compliance Goodfellas, Mr. Adam Goslin. How the heck are you, sir?

I’m doing good, and I don’t have a bat or a gun at this moment. That may change depending upon how this podcast goes.

So with that in mind, we’re going to talk about the topic, Adam. It’s on everybody’s tongue right now, and that is AI in compliance management. So let’s start with this. You like to draw a line of distinction between AI as artificial intelligence and AI as automated intelligence. Tell us more about that.

Well, I mean, I’ve said this before, everybody’s been kind of doing this AI zombie walk, right? AI is cool, and if you don’t have AI, you’re not cool, and blah, blah, blah, blah, blah. But the use of true artificial intelligence is kind of in one camp, and in the other is leveraging what I like to call AI, and that’s automated intelligence. And if you look at it from a perspective of, you know, a lot of the features, the functions you see in this on-blast wonderment of AI, are just simply automated intelligence that they’re shrouding as artificial intelligence. So it’s important to draw a line of distinction between those two. If we really go back, we can go back to when true manufacturing started to take shape, back in the day, and the beginnings of automation. There’s been automated intelligence incorporated into a wide variety of things, and I just love to draw that line of distinction, because there are so many people out there that are hawking AI-powered everything, it feels like, these days. And I’d like to draw that line of distinction because, I mean, if you think about it, we launched the TCT Portal back in 2015, and if today’s kind of definition of finger-air-quotes AI were to be applied, then, well, hell, I had AI back in 2015. So it’s just important to kind of look at it in that manner. When you’re talking about true AI, you’re talking about the capability for your platform to learn, to basically make your AI, make automation and connections based on directional inputs, with the machine picking up and doing the work.

Another element of that, which I think for many organizations is kind of lost: I go back to, gosh, this brings me back. I had a stint where I needed to operate a central logging system for a particular engagement, and in that we had built in, effectively, pattern recognition into the tooling. God, honestly, this was probably 15 years ago. And building in the capability to look for patterns in the logs, to define the log patterns as: this is a benign log pattern, this is a log pattern I’ve already identified as something we want to do some form of escalation on, and this is a log pattern I’ve never seen before. So with that kind of backdrop in mind, with any AI-related element of functionality, which is no different than what I was doing 15 years ago with a logging system, the quality of the intelligence is all dependent on the nature, rigor, and accuracy of the training that’s been put into the learning engine, so that it has the capability to make a good decision. So to go back to that example, if I was to erroneously define a particular log pattern as benign when it should be a holy moly, now I’m incorporating bad training into the platform, thereby wreaking the unintended consequences, or drawbacks, not benefits, of the intention of the overall platform. So all the way around, there’s a lot of things to consider when you’re looking at AI in general.

Absolutely.

Now, you appear to view the responsibility of appropriate data flow and exposure very seriously when it comes to AI, and I appreciate that, but why is that so important?

Well, when you’re talking about data exposure when it relates to AI, part of the challenge is that, if I’m using fill-in-the-blank service for AI-related activity, there’s a lot of questions as the consumer of this tool, this capability, this product, this service, etc., that you’ve got to ask. I mean, it’s been a tenet of good cyber hygiene, if you will, to fully vet your vendors. Well, AI is a brand new space, there’s certain things that you’ve got to take a look at: where is your data going? Who is it being shared with? Is the system a company group solution that is being shared with others? So there’s a lot of realms of stewardship when it comes to the data that you’re going to leverage with the target system. And unfortunately, for a lot of folks that are in the space, they’re new to the AI arena. And they don’t have the experience yet of going through and vetting one of these platforms, knowing what questions to ask, etc. So I would caution organizations leveraging an AI capability to really think it through, think of what questions to ask, think of what levels of assurance that you need to get or gain as an organization. It’s really no different than any of the major industry standard compliance standards or frameworks that are out there. There’s ongoing care, feeding, management, maintenance, oversight that would be required for any vendor, but especially when it comes to those AI vendors, knowing what it is they’re doing with this information, where is it going to, and who has access to that data and information? Because it really depends on the nature of the information that you’re provisioning to the AI capabilities.

Not only that, but also envision there’s, I’m just gonna make this stuff up, envision that there’s some form of integrated AI into a platform that contains a bunch of really benign data, a bunch of moderately important data, PII, etc., and then you’ve got really sensitive data, state secrets, or intellectual property or whatever it may be, just depending on what the nature of the solution is that you’re leveraging that has this AI incorporated, what all data’s in there? Does the AI engine have appropriate access to only the information that it needs in order to perform the AI functions that you are approving? So it really brings in a different mode, or manner, or mechanism of looking at these systems, and the validation of vetting that you’ve got to do. But I would purport that it would cross over many of the core tenets of any good cyber program. This is data storage, data access, this is access control to the data, and data flow diagrams, exposure of the only data that’s needed for that particular business purpose. There’s just a ton of things that you’ve got to go in and look at.

Well, Adam, that kind of begs the question: what types of questions should organizations ask when looking to leverage the wonderful promises of the vendors that are hawking the AI out there right now?

Well, certainly, it’s kind of a case-by-case scenario. So look at the use case that you’re leveraging it for, gaining and gathering initially security-related documentation as it relates to the AI. Where are those boundary lines of information and data that it would have access to? Is that access relegated simply to the data that you’ve elected to put into this target system? And then, really sub-segregating the function you’re looking for as it relates to the AI, what data within the system does it need access to? Is it limited to just that? Or does it actually have access to everything in there? Depending on the nature of the AI-related solution, are there local component installs that you have to do on your own systems in order to leverage the target solution? If that’s the case, where are the boundary lines of what it either has direct access to from the local system, and/or what could it gain access to through there? So there’s a lot of questions along those lines. And certainly, reviewing their documentation.

One of the challenges that I’ve seen over the years, I’m going to put this in a PCI context, and then I’ll cycle back into the AI arena, because it’ll connect a couple of dots here. When it comes to PCI, what I’ve seen over the years is service providers that would put together, hey, are you PCI compliant? And of course, the target organizations are going to say, oh yeah, no, totally, PCI compliant, big time. And then you go in and look at their PCI paperwork, and review their AOC, what was their scope, what systems did they have in play, and where’s the boundary lines of what they did. And as I start to look at that, I realize that while the target service provider put together a bunch of paperwork about how they are finger-air-quotes PCI compliant, now as you start to look at their definition of the scope, it effectively says something along the lines of, well, we really don’t have that much exposure to any actual credit card data, so we only looked at this one little corner of our world, and we only applied those things which applied to that little corner of the world. Meanwhile, the organization that doesn’t bother to go in, review the AOC, look at what the actual scope was, what breadth of coverage they’re gaining, or gathering, or getting, that type of thing. They can go in, and if they don’t go do the digging, they go on to the assumption that, well, everything that this company is doing is covered by the detailed control matrix that PCI brings to the table.

Well, I would recommend the same type of thing when you go in and look at AI. Again, yeah, sure, they can go throw a report over the wall or whatnot about how they’re handling their compliance. But you actually have got to do the digging, do the reading, do the introspection of what’s exactly on that scope document, what all does that apply to? Or most importantly, does it cover the features, functions, and systems that you’re in the process of evaluating, or potentially onboarding? Because that’s another thing that I’ve seen out of the PCI space, is they’ll cough up an AOC, and you go in and you look at the scope, they’ve got eight solutions, and the context of the paperwork that they provided is covering solution three, where you’re in the process of evaluating acquisition of solution five, so they cough something up that wasn’t even pertinent to your arena. So there’s a lot of review and analysis that needs to get done as you go through that process.

Just to put this into perspective, and this is something that I’ll tell organizations all the time. When it comes to TCT proper, we actually took a dramatically different approach when it comes to our approach to security and compliance. We use PCI as our underlying framework. But for TCT, what we did is we basically said, we’re going to treat any sensitive data, which by the way, you then need to ask, well, what’s their definition of sensitive data, right? In some cases, sensitive data is everything that you share with us. It’s names, phone numbers, and addresses. And it’s all of this super, super sensitive information that may be loaded up and into the system, and everything in between. But we define the sensitive data in an appropriate context. And now, with that notion of it’s sensitive data, and here’s my definition of sensitive data, now I can go back and I can look at the suite of requirements and controls for PCI, and I can gain a real true understanding of what this organization has done, and in what context. But that’s the type of thing that you want to get into as you’re going into the AI arena.

The other thing we were talking about, I forget, it was on a prior pod, or it was an intro conversation. But we were talking about organizations, how they’ll go through and they’ll get solutions onboarded from different areas of the company. So in other words, where I’m going with this is, your vendor vetting process takes forever, and the other business units are tired of it taking so long. So the folks in marketing or sales or HR, they’re basically like, I just need this one little tool, and I’m just going to go ahead and pick this freeware tool, we’re just going to go pick it up and throw it into place. And in many cases an organization’s vendor vetting process, because it’s onerous, because of the rigor that needs to be employed, ends up getting bypassed. So I’ve seen that happen in an organization. This actually might be an upcoming pod for us. But we’re foreshadowing. Yeah, we’ll go into it in depth. But there’s all sorts of ways that the vendors will basically skirt even the established process. So it takes a certain measure of focus for the organization to really take this stuff seriously.

Well, I mean, I think that that’s a great point.

But I guess another question is, what’s changed more recently in the true AI space? That’s like turning your focus towards increased volume of both artificial intelligence and automated intelligence.

Well, I mean, when this initially came out, about 18 months ago or so, you saw people whipping shingles on AI this, AI that, and as the groundswell continued, pretty much everybody and their uncle spoke about AI capabilities that have been built into their products. We talked about the fact that the vast majority of what people are calling AI is really just automated intelligence. In many cases, this is features and functions they’ve had in their stuff for a while, but they’re just calling it AI now, just because that’ll get people that just blindly dive on board. So as I was keeping an eyeball on that, watching the nonsense in the marketplace, etc., I was looking for some real manner or measure of maturity, looking at the initial instances of where these platforms were spun up on open platforms really loosey-goosey, with, where’s the stuff, who are we sharing it with, what are the sources of input, and where’s the data going, and nobody could answer the question, because it was kind of like the wild west. As I think back, there were things that over the years I would say, well, this is the wild west of the cyber arena. Then I’d say, in the not too distant past, the group or the function that would take that nod was penetration testing, right? Because there was such a disparity between, if I were to take the same identical scope, go hand it to five different companies to go get a pen test, I would in reality get everything from basically a glorified vulnerability scan that they call the pen test, all the way up to the other end of the spectrum where I’ve got ninjas dropping from ceiling tiles, and you’re shipping an entire team to come and stay in a hotel for weeks or months on end while they’re executing the pen test, and everything in between.

So I used to call the pen testing arena the Wild West of the cyber arena. I think, in many ways, the mobile arena kind of took the baton from the pen testing space. We’re seeing more maturity in the pen testing arena, and mobile got a lot more loosey-goosey with everybody and their uncle whipping up mobile applications and platforms. I think it’s fair to say that mobile has officially passed the baton over to the AI space, where they’re trying to get their sea legs. But as I’ve been watching this come together over the course of the last 18 months, we’re finally hitting a point where some of the important questions are actually able to be answered. Some of the vetting and validation that needed to be done with these platforms is capable of actually happening. We’re also recording this in the third week of January of 2025, and recently seeing all sorts of big statements about half a trillion dollars getting dumped into increased focus on AI within the US. Yes, there’s been a gigantic groundswell, but in the same sense, a certain kind of base level of maturity has started to take shape within the AI arena, which allows for that shift from yeah, I’m going to keep my eyeball on this, to, okay, I’m going to dig a little bit deeper. It’s just, I don’t know, man, I’ve seen too many things go sideways with being on the very razor’s edge of anything. And so it’s been interesting to kind of watch all this unfold.

No doubt, no doubt.

Now, over the course of about the last quarter, the TCT product team have been prepping for the upcoming 2025 functional release plan. How’d that go?

It went well. We’ve talked about this many times, but the whole reason that I got into this space is because I dealt with the pain of managing compliance myself. I happen to have a background in application development, I had worked as a security and compliance consultant for many years, I’ve worked alongside teams of assessors for many years, I even had a stint as a level one PCI ROC QA for a large international organization for several years. All of that backdrop combined brought us into TCT. And the reason that I generated the company was I wanted to help people in the security and compliance space. And so, when we launched the TCT Portal back in 2015, which by the way, we just recently hit a decade of this being up, running, and in live production, so yeah, pretty cool. But now that we’re a decade in, through the entirety of that decade from day one, it was always important to me. We are serving people in the security and compliance space, it was a tool that was built by people in the security and compliance space, and I wanted this system to be a cycle of feedback from professionals that leverage the platform day in and day out. So we’ve been doing this since 2015, and it was really a beautiful entree into this past quarter, when we started establishing and setting up. As I was watching this maturity happen within the AI arena, we started setting up various discussions with a number of different types of organizations. So, TCT we serve, on the one end of the spectrum, I call them applicants, or people that are applying to be certified, so think the company that’s subject to fill-in-the-blank compliance standard or certification. Them directly is one group of clients.

Another is at the other end of the spectrum, which is the assessors and auditors for the various standards that we have on the platform, so we’ve got them as well. Plus, we’ve got clients which sit in the middle ground: those that serve compliant customers, or are service providers to compliant customers. So we really went through this past quarter, we sat down and we had discussions and conversations with people from multiple groups, from each of those target client groups that we have, and talked with them about what is it you want to see in the next iteration of the TCT Portal.

TCT has had things that we’ve had on the, I’ll call it, on the roadmap. When we first generated that initial iteration of the TCT Portal back in 2015 that went live, even at that time, I had 200 things that I was like, hey, these are all good ideas for stuff we could go do. And some of those got done over that time, some of them have just sat on the shelf waiting for the right moment. But our list from back in the day, the inputs that we received from the clients. It’s fun sitting down and talking to a group of freaking awesome professionals that we’ve got, that leverage the system, getting their insight, getting their desires, getting their feedback, getting their input, and then being able to incorporate that into our go-forward plan, including our upcoming features and functions. It’s just, it’s really, really fun having the discussions, being able to capture that information, and turning our collective inputs into reality within the platform. It’s a really, really fun process to watch unfold. So we had a great time navigating those waters.

Love that.

Now, what types of functionality are you planning within the toolset?

Well, I’ll tell you what. I am a huge fan of keeping TCT’s followers on our heels. And the reality is that, rest assured, our focus is going to remain with our primary goal of making compliance management suck less for the poor folks that have to go through the process. But we’ve got a myriad of different features, functions, solutions, toolsets, and capabilities, all of which are getting lined up. I’ll be honest with you, there might be enough stuff in our, we’ll call it the short list, that this might not just be the 2025 functional release. This very well could be the 2025 through calendar Q2 ’26 release, it just depends on how much stuff we decide to go throw into each of them. But no, I love the fact that we were already solving problems for companies struggling with compliance management before many of the players that are in this space even existed. We’ve been a founder in this space, and we plan to remain a big player in this space for decades to come.

I love that.

Parting shots and thoughts for the folks this week, Adam?

Well, I can’t underscore enough for organizations in the arena, with this inclusion of AI, really get your arms around it, especially the ancillary impacts through the vendor management process. That’s going to be huge. Because, granted, going back to what I was saying earlier about how the use of the term AI is really loosely being tossed around these days, do you really have AI, or is this just some automated intelligence that they’re calling AI? So knowing and understanding what the exposure is, in terms of the nature of the AI functionality, for the vendors that you’re choosing to work with, and then putting them through an appropriate analysis and vetting process. I know it’s covered in legal agreements for many organizations, in terms of data exposure, but even in the legal agreements, oftentimes there’s allocations where the target organization is allowed to share data with their trusted and approved vendors, and things along those lines. That starts to get pretty fluffy when you start talking about AI system, to secondary system, to tertiary system exposures starting to come into play. I think for a lot of organizations, especially for the upcoming, I think it’s gonna take at least two years, maybe more like five years, before things finally start to kind of settle down. I don’t feel like we’re in this kind of AI wild west arena, it’s gonna take some time before things start to settle down. I know the folks that are listening to this pod, they’re practitioners in the space and they take their responsibility seriously. Just start thinking about those ripple impacts to even your day-to-day functions that you’re normally doing for your organization, for your customers, whether you’re serving compliant customers, or if you’re assessing your customer.

I look at it collectively, as our collective responsibility to try to help folks protect themselves, help folks see things they wouldn’t otherwise. And that’s part of the benefit that us as cybersecurity professionals can bring to the table, in terms of assisting and helping companies protect themselves, in addition to saving them from themselves at the same time, you know what I mean?

I do indeed.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin.

Hope we helped get you fired up to make your compliance suck less.
