Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: 7 Critical Actions to Ensure I.T. and Cybersecurity Success
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd have a heart to heart on what makes a successful operation tick, from a cybersecurity and I.T. perspective.
Curious about the specialized expertise required for success? Wondering where Trust but Verify fits in? Worried about your upcoming assessment?
Well, you’re in luck! Answers on all these topics and more, on this week’s Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the backscratcher of your compliance itch, Mr. Adam Goslin. How the heck are you, sir?
I’m doing good, Todd. How about you?
I can’t complain. I can’t complain at all, sir. And today, we’re going to have a critical conversation. That’s right. We’re going to chat about the seven critical actions to get IT and cybersecurity right. So let’s get started by talking about how specialized expertise comes into play.
Well, cybersecurity really needs some specialized expertise. I’ve said it for a long time. IT professionals aren’t security experts, regardless of how sharp they are. There’s a lot of organizations that go under this mantra that, well, just because I can work in IT means I must know how to go in and take care of the cyber arena properly. And what I’ve discovered over many years, decades, of being involved in the arena is that the IT folks there, many of them are just absolutely kick ass at keeping systems running and doing troubleshooting and optimizing networks and configuring firewalls and things along those lines. But the mindset of cybersecurity, it’s a different mindset. It’s different tools. It’s a different approach. Managing servers isn’t the same as defending from threat actors. So you need to keep in mind that that specialized expertise, what I say to a lot of folks to put it into perspective is that when you’re in the cyber arena, cyberspace, the number of years that I’ve been doing it comes into play. How many different organizations have I done cybersecurity for? How many different elements of infrastructure or software applications, operating systems have I worked on over that period of time? Do I have a past as a developer, as an example? That may play into it. So there’s a lot of specialized expertise that folks that have been eyeballs deep in the cyber world have built up over time. So what’s the action for organizations to take? Go through, take a review of your org chart, how you have roles defined, and look at who you currently have officially responsible for security. And really think through, are they truly qualified to fulfill that role? I would warrant that more often than not, they really need to switch that out for somebody different.
Hmm. Now, I know you like the phrase trust, but verify. How does that work in here?
Well, you know, internal checks and balances, they aren’t optional. You know, every single system that you’ve got needs oversight. So, you know, just like you’ve got accounting separation between the person that manages the books and the one that provides oversight and audit function for the financials, similarly in the IT arena, the person that is doing the development shouldn’t be the same person that’s also deploying, you know, their modifications into the production environment. So there’s this notion of checks and balances, separation of duties, that, you know, comes into play. And, you know, when you don’t have that, you know, you’ve got increased risk for the organization, blind spots, breaches that can possibly creep in, you know, things along those lines. And so, you know, what should the listeners do? Establish a cybersecurity function that’s got its own mandate, authority, and audit responsibilities, that stays independent from the team that’s actively doing boots-on-the-ground IT work. You know, rigorously implementing that trust, but verify notion will go a long way to having the appropriate checks and balances.
That makes complete sense. What about risks that various IT vendors pose?
Well, you know, there’s a lot of IT vendors that are going to fake it till they make it. Not all of them are open and honest about their expertise. We’ve talked about this in a number of arenas. Again, many of these IT vendors do just a stellar job of being able to keep things running. However, they’re used to being kind of that jack of all trades where they’ll exaggerate their real security credentials so that they can win business. But, you know, security has different meanings to different people. Blindly, just throwing your hands up and handing your stuff over to the IT vendor is, from my experience, more often than not a complete mistake. You know, sure, they’re good at resetting passwords or, you know, running or handling alerts from antivirus, things along those lines. But, you know, a true cybersecurity professional, there are very, very few of these, you know, kind of IT vendors that really have the capabilities to step into that space and do a good job of it. So, you know, those core security responsibilities and competencies, you know, boots on the ground, centralized logging and asset inventory and network diagrams and, you know, firewall configurations and appropriate authentication, you know, within the environment. Those are, you know, all things that are going to, you know, kind of have varying degrees of missing components, if you will.
So, some of the red flags to go in and look for, you know, for an organization, if they’re, you know, kind of looking at the way they run things: you know, if you don’t have a clear and up-to-date asset inventory, if you’ve never seen a network diagram for your environment, you know, misunderstanding, you know, fundamental cyber concepts and file integrity monitoring or, you know, IDS/IPS, things along those lines, central logging, you know, those may be, you know, maybe things. For some organizations, you will call it missing, outdated or misaligned security policies. So, I was talking, it was funny because I was talking to an organization a couple weeks back where they were aghast because they thought that their IT vendor had full-blown security policies in place when they had absolutely nothing. They’d never actually seen them. They were just going under the guiding assumption that they existed. So, you know, actions that listeners can take on: make sure that you’re vetting, you know, any third party that’s coming up with claims of being cybersecurity experts, you know, validate those with substantive and practical questions, you know, bring in a trusted expert to assist with the evaluation before you just, you know, kind of blindly step into this full-scale trust mode. You know, we got a little verification we need to do here.
Tell us more about how consulting assistance is helpful, in addition to assessors.
Well, you know, I’ve often made the recommendation to organizations, and this really comes from my, you know, kind of experience over the years, is engage consultants, not just assessors. You know, the assessors are there to effectively grade or evaluate your compliance. You know, the consultants are there, boots on the ground, to assist with closing gaps, being able to ask open questions too, that you, you know, wouldn’t necessarily want to, you know, want to go in and ask your assessor. Simply asking your assessor some questions is literally going to reveal that you’ve got problems and you’re not compliant, et cetera. So you’re setting yourself up for failure as well. A lot of organizations will spend an inordinate amount of time trying to get their arms around things, figuring it out themselves and being resourceful, where, you know, those internal folks on your team, they’re critical for the running of your organization. You don’t want them spending time trying to figure things out on their own. There’s a far more effective way to go about doing it. So, you know, the assessor is there to do the evaluation, but a dedicated security consultant is going to be a partner that’s focused on operational improvement, not just, you know, initially closing gaps, things along those lines. So some things for, you know, for the listeners to kind of consider is bringing on a compliance consultant, whether it’s, you know, on the internal team or for an external vendor that has a track record with hands-on security transformations and, you know, avoid getting assessors into that operational security role. It really forms kind of a conflict of interest and, you know, and whatnot. I wouldn’t want to press that upon them. Again, you know, they’ve got a job and that’s to come in and do evaluation of the organization.
That makes sense. How is it helpful to have management use the right approach when it comes to IT?
Well, management needs to be supporting IT while they are taking a step up with their overall security and compliance posture. Don’t look at it as the IT department has somehow failed. I really would put the onus on the members of management. If you’re walking in without making this blind assumption that because I can spell IT, I know how to do security and compliance, then you’re on the right footing. And really, I look at it as a shortcoming of leadership and management for an organization where they’ve made that blind assumption inappropriately. So when you’ve got security gaps that pop up, do yourself and especially your IT team a favor. Don’t just whip them under the bus. What I’ve seen over the years is most of the teams, they’ll rise to the occasion when they feel like they’re supported, when they feel like they’re not going to get in trouble. They’ll get their arms around it. They’ll learn. They’ll grow. They’ll become better over time. It doesn’t mean that you should just take off the trust but verify that we were talking about earlier. It does mean be supportive of your IT folks. Their heads are generally in the right spot. They want to do the right things. But more often than not, they’re afraid to just get their hand slapped. So for the listeners, publicly affirm your IT team and congratulate them for doing their best within their wheelhouse. And have some company-wide communication that building out the cybersecurity posture of the organization is an evolution and not some form of a shortcoming. Those will go a long way to putting the direction correct for the organization.
Speaking of putting the direction correct for an organization, tell us more about the value of a quality gap assessment.
Well, when it comes to gap assessments, a real gap assessment, you want to walk in with an expectation that we are going to find things that need to be fixed. That’s the entire point of doing a gap assessment. So a candid, expert-driven gap assessment, it will reveal flaws, missed controls, it will reveal areas where they could be improved possibly, but don’t settle for shallow reviews. You want depth here, you want to commit your resources to remediating not just technical issues but also structural ones, procedural ones, things along those lines. So you certainly want to, for the listeners, commission an independent gap assessment of your target scoped environment and make sure that you allocate the right authority, budget and leadership for addressing the various things that come up as part of that gap assessment. I can’t tell you how many times I’ve seen organizations go, we’re going to do a gap assessment, and all of a sudden they get their gap assessment done and then everybody goes back to business as usual. That didn’t really do any good.
Finally, why do truth and transparency play such a critical role?
Well, when it comes to kind of a foundation for a successful overall security and compliance program, delusion is literally the biggest risk that you’ve got. You want honest, unbiased assessment of where are we at, what do we need to do, things along those lines, and coupling that with both the willingness and the capability to face some uncomfortable truths. It’s really what helps to keep organizations not just compliant, but resilient, but secure. You don’t want duct tape solutions in play because they’re just going to increase your overall risk of attack. So you want real foundations to start as you’re facing reality head on. So, actions that the listeners can take: insisting on transparent reporting from all of your service providers, whether that be a third party service provider supporting your compliance stance, whether it’s your security compliance consultant, or quite frankly from your staff. You want to reward the bad news bearers and the people that are telling the truth. You want to set an expectation that this is a safe space, that we can have these types of discussions, and security leadership really starts from the top, and that’s imperative. You want the organization setting a good cultural tone for the organization, always, not just oh yeah, oh yeah, I totally forgot to go ahead and congratulate so and so or whatever, way to go, nice job. You want it to be part of the DNA of the organization as you’re going through the process.
Hm, that makes sense. Parting shots and thoughts for the folks this week, Adam.
Well, when it comes to going through and doing your overall program, the real key here and the one thing that I really want people to get through their heads is, IT people aren’t security and compliance experts. They’re not. I see it time after time after time. And yet, honestly, some of the most rewarding engagements that I’ve been involved in are the ones where management has been supportive of the IT crew, where they’re not whipping people under the bus, where they walk in with the right mindset of, hey, these guys aren’t going to have everything buttoned up, but that’s why we’re doing this. Not getting worked up when they have things that need to get fixed or addressed. All of those things are important elements. And the most rewarding of the engagements that I’ve been on is where all of the fundamentals we’ve been talking about today, where those have all been taken into account within the organization and you get to watch this person in IT or this person in project management or whatever their role may be within the organization, where they are learning new things. They’re discovering new things. They’re not getting their ass handed to them, but instead, they’re able to use it as a learning opportunity where they ingest this input, this new world that they didn’t have exposure to before, and they’re able to turn it around, apply it to the organization, where you’re seeing the lessons learned from the gap assessment starting to translate into real actionable improvement in the cybersecurity stance of the organization, because now they’re taking that knowledge, they’re leveraging it operationally with a pulse check or some oversight from somebody that is an expert in the arena. Oh, it’s just magic. It’s just magic, watching that all come together. And that’s the piece that I really, I wish that every organization could experience that.
The unfortunate reality is that there’s many that don’t get that opportunity just because of the approach that management has taken to either how they fund or treat the engagement.
Hm, and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.