Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Data Breach in the Compliance Service Provider Space
Quick Take
On this episode of Compliance Unfiltered, the CU guys address the proverbial elephant in the room: why service providers to compliant organizations need to take their security seriously.
Wondering why there is variability for service providers in the security arena? Curious if “trust but verify” is really that important? Trying to understand how you can get the most assurance from your vendor relationships?
Well, you’re in luck! All these answers and more on this week’s Compliance Unfiltered.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the bunting on your compliance day float, Mr. Adam Goslin. How the heck are you, sir?
I’m doing good, Todd. How about yourself?

I can’t complain. All things considered, I can’t complain.
Now, in light of recent breach notifications in the security and compliance service provider space, let’s chat today about how and why service providers to compliant organizations need to take their responsibility seriously. Why is there variability for service providers, Adam, in terms of how they treat security and compliance responsibilities?
Well, I mean, it’s been a mantra for a while, right? Compliance doesn’t equal security. And while there are organizations that take those responsibilities seriously and really strive to meet the intent, if you will, of the various controls they have for their overall program, the reality is that you’ve got a wide variety of organizations out there. In some cases you’ve got folks that decided, hey, this would be a good idea: go spin up a company that does fill-in-the-blank with a bag of money. In other cases, you’ve got seasoned security and compliance professionals that have decided to step into the space. So, unfortunately, with some organizations, the checking of the box for controls against compliance does not necessarily equate to their having a well-buttoned-up program and things along those lines. A lot of it just comes down to the tone or tenor of the target organization, what their approach is to things, how diligently they are doing enforcement, and things along those lines. All of that plays into the notion of how well or poorly their programs may be run.
Hmm. Now, just trying to read the tea leaves here, right? Play interpreter. So you’re saying that two service providers that go through a third-party assessment for PCI DSS could be approaching their programs completely differently?
Yeah, for sure. If you think about it, everybody’s got to meet, well, how do I put this? Everybody has to meet the minimum bar, that’s the notion, but there’s variability in terms of their approaches to the strength of their program. There’s the “yeah, we’ve gone through, we’ve proven that we’ve done all these things” coming into the assessment, but what’s happening between those points? How strong is their internal control framework? You’ve even got variability between assessors in the space. With multiple assessors at the same organization, you’re going to see some level of variability, but it’s especially stark when you start to compare one organization against another. Even the process, methodology, approach, diligence, et cetera, of the actual assessment firm comes into play. There’s a stated minimum requirement, “we’re going to meet these various requirements,” but I’ve seen dramatic differences between even assessors that are in the space in terms of the quality of the program. And the other challenging part is that for those folks that have, we’ll call it, a looser assessment process for performing the assessment, well, who’s going to gravitate toward those organizations? Probably the company that’s not taking it terribly seriously is also going to look for an assessor that will give them some passes and get-out-of-jail-free cards, and in the end, it’s a complicated arena, shall we say.
No doubt. Now I know you’re a big fan of trust but verify. How does that play into evaluation of the overall program for either a service provider or an organization subject to compliance?
Well, the reality is that there’s a certain amount you can glean from the interactions with the organization, and there’s a certain amount you can glean from taking a look at their security and compliance program paperwork, et cetera. For anybody that’s been in the security and compliance space for some period of time, it’s funny how transparent it becomes when you’re on the phone and you’re speaking with folks at an organization that, I don’t know, are kind of checking the boxes, not taking it terribly seriously, et cetera. It just shines through, even when you’re just having the dialogue with the members of that organization. So you’ve got to use the tools that you’ve got at your disposal. Certainly getting hold of their compliance paperwork, AOCs or reports for other standards they may be going up against, is one piece of it, but then you dig a little deeper. I’ve talked for years about how a lot of organizations have this requirement as part of their overall program to put their vendors through a vetting process and whatnot. Well, for a lot of companies that vetting quite literally consists of: did we receive something that was called a report against a particular standard from this organization? Yes. Great. Go to sleep. And there’s a lot of detail contained within those reports that needs to get sanity checked. I’m shocked at the number of organizations that just say, oh yeah, I got an AOC, so I’m good.
No. Did the AOC, like, I know it turned out it was just a mistake, right, by an organization that was presenting to one of the organizations I was working with, but they mistakenly, quite literally, provided the wrong AOC. It didn’t include any of the services that the client was consuming. It didn’t cover any of the locations that the client was leveraging, things along those lines. So had they not gone in and read up, asked questions, been critical, then they very well could have had an issue. The other piece that I like to watch out for: there are a ton of organizations that use their internal IT people and assume that, because they can spell IT, that means they thereby know how to do security and compliance tasks.
And it’s shocking for a lot of organizations when the light bulb goes on, but the IT people, the network administrators, the firewall administrators, the developers, they’re all damn good at what they do. It does not necessarily mean that they’re good in the security and compliance space. So knowing and understanding that, asking them more questions around how they run their program, who specifically is in charge of that program, what their relative experience in the security and compliance space is, all of those things should play into it. But, just waving that flag of caution, it’s not necessarily appropriate just to hand your program over to IT people, because they’re in the same arena as many of the controls, if you will.
Now, how does the world of AI play into concerns about the security program of service providers? I know this is a huge hot button issue right now.
Oh, sure. I mean, everybody’s been dancing all over the AI buzzword, it feels like, for the last 24 months at this point. But in terms of AI, some of the directional guidance I give to folks is: you need to ask a lot of questions. If you’ve got somebody doing, I like to call it, the AI zombie walk, which is “if it says AI, then it must be cool and good and wonderful and da, da, da,” that’s not necessarily the case. When it comes to AI, some of the red flags to look out for are: is this service provider literally shuttling potentially sensitive data off to a third-party AI provider? Are they containing this within their own systems? I mean, hell, even the notion of “is it really AI” comes into play, right? Is it really artificial intelligence, or is it just coded-in, built-in automated intelligence that they built into their platform? But certainly be critical of the use of AI. How is it being used? Where is the data going? What controls are there over the exposure of that information through that process? Those are all questions that anybody in this space needs to comprehend, understand, and get to the bottom of. And I think in many cases the organizations doing the vetting aren’t doing a good enough job of evaluating that. In the same sense, because it’s a relatively new arena, the various service providers and organizations serving those in the compliance space also aren’t doing a great job of articulating exactly how information and data is being leveraged, data exposure concerns, et cetera, on behalf of their program, if you will.
Well, what should service provider leadership be considering in terms of the quality of their existing program?
Well, number one, my biggest push for the leadership of that organization is: take your responsibility seriously. You got into this space to, well, I got into the space to help people, right? And similarly your organization also got into the space to help people. It might’ve been purely monetary: we got in this space to make money. Well, that’s great, but you won’t be making money for very long if you’re doing things that are going to put the data that you’ve been entrusted with at risk. So the leadership of the organization, number one, you’ve got to have some type of a sanity check. Now, a lot of organizations will say, well, we go through our third-party assessment, so that’s our double check. I would implore these organizations to do better. You don’t want your operational day-by-day folks that are running your systems, et cetera, to also be doubling as your compliance people. There should be some separation of church and state there. Look at the qualifications of who it is that you have running your program. And this would be, I would call it, a rare case where an organization truly has somebody that has the requisite breadth of experience to be able to bring to the organization. That’s a special company that’s got that resource, because there just aren’t that many of them. So one of the recommendations I give to service provider leadership is to evaluate leveraging a third party as an internal quality assurance function for your program. They would be surprised at some of the things that come out of it.
Now, the other piece that I would implore the leadership of any organization in the space is: take your program seriously. There are so many companies that look at the efforts of security and compliance as almost like a cost center, right? This is some optional thing that is just costing us money. It’s not costing you money, it’s helping to protect the organization. It’s helping to protect the clients of the organization. It’s helping to protect the personnel of the organization. It’s helping to protect the vendors of that organization. I mean, you are doing your job. When it comes down to running these programs and making sure that you’ve got high-quality capabilities at the company, it’s important to make sure and ensure that the quality of your program is high.
I mean, I’ve had conversations with people previously where they basically said, all right, you’re going to get faced with a choice. Will you put your dollars into a properly run security and compliance program, or do you keep your cyber liability insurance? Guess what, man, cyber liability is going out the window, because the bottom line is that should be only your “holy crap” emergency parachute for the organization, not your primary shield of defense. The thing that actually protects the company is the strength of your overall program.
When companies that are subject to compliance are trying to vet their service providers, what pointers can you provide that would allow them to evaluate the quality of the programs that the service providers are bringing to the table?
Well, there are a couple of different ways to look at it. In any case where you are doing evaluation and vetting of service providers, obviously it depends on what it is that that provider is doing. There may be certain industry standard requirements for that validation and vetting. But if you look at the types of risks that are posed to the company, look at the risk profile of these service providers. Are they dealing with benign data? Is this a letter vendor printing letters, or is it a shipping company, or is it an organization that quite literally is housing and ostensibly securing the royal jewels, if you will, of the organization? As the risk gets higher, that’s where you need to take that responsibility of validating and vetting the organization far more seriously. You should have a scale, right? With less risky vendors, maybe you don’t put that level of scrutiny up against the evaluation of their capabilities. But where you’ve got folks that are dealing with highly sensitive data, highly sensitive data of their clients, where you’re going to be entrusting them with a lot, that’s where you want to raise the bar, to an extent that potentially depends on the organization that’s seeking to go through the review.
But if you don’t feel like you’ve got the capability to go in and do that review thoroughly enough yourself, and it’s that critical or that important, bring in somebody to help you. Bring in an expert to help with the vendor evaluation portion, so that they can be there to assist you. These are important decisions that need to be made, and so making sure you’ve got the right capability to be able to do the evaluation, that’s important. I was talking about it earlier: you can readily tell, especially if you’re an experienced security and compliance practitioner, when you get on the phone with an organization, if you’re just getting lip service in the responses or if the person on the other end of the phone actually knows what they’re doing.
I’ve had several cases where the target organization that I had to go through and do the evaluation with, I don’t know, they had like a department or something that was in charge of doing the responses to inquiries around security and compliance. And the people that were staffing that function weren’t necessarily the ones that really knew what they were doing in terms of capability and experience. It’s almost like they were being leveraged as a kind of shield before the person that actually knew what they were doing. But don’t be shy: if you’re not getting appropriate answers to your questions, if the folks that are assigned to provide responses can’t answer them, then escalate at that target organization and get somebody higher in the food chain. They better exist, and usually they do, but those people are often shielded and whatnot. So this isn’t a game. This is something that’s really important to your organization and the protection of it, and take that responsibility seriously as you’re going through the conversations with the service provider out there. It’s hugely important to be able to go through and have that dialogue with them, and that’s the approach that I would typically take. I would say most of the time there is somebody higher up that does know what they’re doing, but often it’s not the first person that you’re talking to at the organization.
Finally, any red flags you can call out when doing the vetting of service providers?
Oh gosh, yeah, there are all sorts of them that should be indicators about the overall quality of their program. But certainly, there’s one that drives me crazy. To put this into perspective, right, TCT proper is a service provider to folks in the security and compliance arena. And so we have to go through security and compliance reviews and assessments and whatnot. Thankfully, we’ve had the opportunity, I call it the opportunity, I actually have fun when we’re doing that, but we’ve had the opportunity to have dozens and dozens of, literally, audit and assessment firms having to go through and validate and vet our compliance. So yeah, I’ve been put through the wringer in terms of trying to navigate those waters. But when I’m helping organizations and customers go through that process, the one thing that I see as a red flag is when a service provider just instantly starts coughing up internal documentation as part of their response process. And what I mean by that is, they’re throwing it over the wall. They’re readily distributing their internal policies and internal procedures, handing over various pieces of evidence that they’ve leveraged for their audit and compliance program. The one that absolutely drives me nuts is, okay, anybody can ask any question that they’d like as they’re going through and vetting a company, right? But when I go to an organization that ostensibly is a provider in the security and compliance space, and I say, hey, give me your latest copies of your internal and external vulnerability scans, as well as your full-blown penetration testing reports.
If they turn around and actually hand those to you, I mean, it should be like sirens going off, circling lights, the whole bit. It’s, to me, very disturbing when you’ve got organizations responsible for protecting all of this stuff just handing out this information to third parties. As a service provider in this space, your job is to protect all of your target organizations. And so your readiness to just hand out, like candy, the internal, highly sensitive documentation, if the service provider is going to go ahead and do that as part of their response process, well, how seriously are they really taking the notion of their overall security and compliance program, if they haven’t put enough thought into protecting information that really shouldn’t be the purview of third parties? One of the things that I’ve long told organizations about how to handle that is this: let’s say you’re subject to PCI DSS. The execution of your assessment results in an attestation of compliance.
And there are certain things that a knowledgeable reader of one of these AOCs should be able to go through, review the AOC, and make inferences about, right? You can see which systems and which services were targeted as part of the assessment. You can tell if they’ve marked, as an example, critical controls as not applicable and whatnot, as well as the explanation as to why they didn’t go up against those particular controls. So there’s a lot that can be gleaned from it. But the one recommendation I’d have for the service providers out there is: don’t be handing out your internal documentation, don’t be handing out sensitive stuff, but instead spend the time to bolster your security and compliance response process with some documentation that will support the interpretation by the listener, if you will, or the requester. So in our case, as an example, we’ve got an accompanying document that we attach to the AOC to assist those that may not be intimately familiar with the PCI DSS, so that they know what they’re looking at and how they should be interpreting this documentation, et cetera. All of those will go a long way. But yeah, in many cases there are a lot of red flags that will jump out to the experienced practitioner in the space as they’re going through the vetting process.
Hmm. Parting shots and thoughts for the folks this week, Adam?
Well, we started this off at the top talking about recent breach notifications for, literally, service providers that are in the security and compliance space, AKA provisioning those services to compliant organizations. And for organizations in this space to be having challenges, if you will, that’s disturbing. As an organization in this arena, you have to take this stuff seriously. You have to be a leader in the arena. You can’t be making mistakes. And certainly if your compliance program is taken seriously, is properly funded, where leadership cares, where you’ve got a strong program, where it’s proactive, where all of the checks and balances, et cetera, are not just being done when it’s assessment time but are being done when nobody’s looking over your shoulder, that’s the type of company that ought to be in this space. And I think it’s too bad that organizations aren’t taking that responsibility seriously. But in the same sense, the organizations that are consuming those services: walk in eyes wide open, ask lots of questions. We talked about red flags a minute ago. Yeah, it should be an absolutely enormous red flag if there are breach notifications coming out from a company in this space. You know what I mean? That is far from a good sign, and really, I’d implore those with the responsibility to take this seriously to please, please do so.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.