Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Why a Strong Stance on Security and Compliance is a Business Advantage for Manufacturers
Quick Take
On this episode of Compliance Unfiltered, the CU guys delve into the critical role of cybersecurity and compliance in the manufacturing sector. As technology advances, the industry faces increasing threats and regulatory challenges.
- Join us as we explore how manufacturers can safeguard their operations, protect sensitive data, and ensure compliance with ever-evolving standards.
- Discover expert insights and practical strategies to fortify your manufacturing processes against cyber threats.
- Learn why cybersecurity is not just an IT issue but a vital component of modern manufacturing success, on this week’s Compliance Unfiltered.
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
And welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the rocket boosters to your compliance roller skates, Mr. Adam Goslin. How the heck are you, sir?
I am doing fantastic. I’m just gonna make every attempt not to Wile E. Coyote off a cliff.
That is advisable, sir, as long as those roller skates aren’t made by Acme, you should be in good shape. Today, we’re talking about how a strong stance on security and compliance is a business advantage for manufacturers. So Adam, tell us a little bit more about your backstory as it relates to manufacturing.
Well, long story short, several decades ago, I worked in a manufacturing setting for several years. The facility that I worked at, they were building tools for other companies. My role was to first learn and then run a brand new rapid prototyping machine. So back then, there was like absolutely zero focus on anything related to security or compliance. And the weirdest part about it, like in that instance, you know, you think about it, I was literally running a rapid prototyping machine. I was running parts on this rapid prototyping machine literally for the automotive manufacturers, pieces and parts that they needed for new builds and things along those lines that they wanted to go in prototype. So I can remember making brand new, you know, kind of like side mirror housings. I can remember making, you know, then brand new designs for car vents and things along those lines, right? And so we were dealing with sensitive parts that weren’t on the market that nobody, none of these people’s competitors had any idea of. And yet, the notion of finger air quotes security, it wasn’t there, but we were dealing with some pretty highly sensitive elements as it related to, you know, vehicle design building and whatnot. And I remember I’d sit in leadership meetings at the company and there was no, not even an inkling of a security mindset with the leadership team back then, especially since I was the leader of the rapid prototyping arena. And every other leader in that company was somehow involved in the day-by-day manufacturing operations, you know, side of the business. So their focus was literally ops, you know, go, get stuff done, do it properly, effectively in a quality manner, but fast, you know, that was where they were at. And, you know, in general, you know, manufacturing companies, they’re at the beginning of just a huge shift in their industry.
You know, proactive security and compliance is gaining attention. Customers are increasingly buying from manufacturers that can prove out that they’re taking their security and compliance seriously with a bunch of different standards. You know, a single manufacturing organization, depending on what they’re doing, what types of information, data, et cetera, they may need to go up against five or more different security and compliance frameworks when all is said and done. So, you know, a lot of the companies that are in the manufacturing sector, they’ll typically bounce up against like ISO 27001. Although in the grand scheme of things, I can tell you that the number of manufacturing organizations that have actually done it is probably low. You know, there’s a few of them that have actually gone there. And it wasn’t until recently that there’s really been an increased attention on the protection of customer data. You know, the manufacturers that are dragging their feet to, you know, to embrace security and compliance, they’re going to miss out on important contracts.
They could run the risk of losing existing customers. They could find themselves, you know, a target of an unbelievably public and expensive data breach. So, you know, and meanwhile, the manufacturers that get on board, get their ducks in a row, get everything organized, they’ll have a good business advantage for kind of winning over more customers. So, that’s kind of the backdrop on the, you know, on the manufacturing backstory that I wanted to get through.
Sure, you kind of alluded to this, but why is there, or about to be, pressure on manufacturers to take on security and compliance? What is changing in the landscape of things that is leading to that shift?
Well, really, there’s two different arenas that are causing the pressure, both of which are external. Honestly, and this is just being realistic, I have dealt, I mean, I’ve been in this space now for multiple decades, and generally speaking, organizations aren’t waking up on a miscellaneous Wednesday and saying, you know what would be a great idea today is to spend our time going and doing security and compliance. It doesn’t work like that, right? They’d rather put their efforts into day by day operations and efficiencies and profit and things on those lines. So it’s usually something from the outside, and it’s the same scenario for the manufacturers. There’s a couple of different external pressures that are forcing manufacturers to take on security and compliance programs. You know, more and more clients or customers are requiring security and compliance measures to be in place. And the other external pressure is certain client groups are also making demands. So as an example, if the manufacturer is doing work for folks that are somehow involved in the DOD life cycle, if you will, as a tier one, tier two, tier three, whatever supplier, then the DOD arena is getting a ton of pressure to meet CMMC standards and whatnot. So it could be those two. And you may also have, depending on what types of information and data you’ve got, that may be driving it as well. If I do have credit card data or medical data, et cetera, and we’ll talk about that a little bit more. But the customers are really where the primary driver is going to come out of that honestly could have a direct impact on the company’s well-being. In the past, a lot of manufacturing companies, they were dismissive of the notion of the need for security and compliance because they’ll use the expression, oh, well, we’re just making parts, type of a thing.
But what they don’t realize is that depending on how the facility is operating, you could have a ton of sensitive information that makes you a prime target for a cyber attack. On the flip side of that, the manufacturing customers, they are, in many cases, whether they’re asking the question or not, they’re walking in with a general premise of trusting your organization with any sensitive data that they’re sharing and going under the guiding assumption that it’s being protected. So you could have, as a manufacturer, you could have schematics for client data that includes intellectual property or competitive advantage. I go back to even making rapid prototyping parts three decades ago. And like I said, they were making brand new, not been seen on the market air vents and things like that that they’d view as a competitive advantage over the other folks in the space. So when you’ve got data like that, if that information were to get leaked, it could have a huge impact on not only on your customer’s business, but it’s also going to blow back on you.
Well, what happens when every organization that you’re dealing with learns that you can’t be trusted to keep their information protected? Now you’ve got a real effing problem. So as you’re storing and handling sensitive data about your employees, you’ve got pay information. You may have information around medical condition, medical leave reasons, insurance information, their contact information, even background checks and whatnot. And so as any customer concerns are raised, there’s going to be an increasing demand for proof that the manufacturers are doing their due diligence to protect that customer data, and complying with certain security standards is going to be a really good way to be able to show that you’re a safe manufacturer to be able to do business with. And so it’s not just sensitive information that you’re handling day by day for clients, but depending on your business and what all you’ve got and what all you’re exposed to, you could have the medical data, you could have insurance information, employee data, how you’re taking credit cards or processing payments, you could have credit card data, you could have ACH details, wiring details, et cetera for banks, you could have client proprietary information, intellectual property, and not the least of which is the intellectual property of the manufacturing organization themselves. The reality is that you’re a manufacturer for a reason. There’s a reason you haven’t gone out of business. That’s because you’re really good at doing something that someone’s willing to pay for. Well, that’s a competitive advantage of yours over your competitors. So that basically lines up the fact that you need to protect that as well. So just based on that list of stuff that I was going through, if you think about it, if you had all of those various bullet points, you could be obligated to comply with several security standards. You could be required to adhere to HIPAA.
You could be required to adhere to the Payment Card Industry Data Security Standard. You could have ISO 27001 in the mix. ISO 27001 and or possibly SOC 2 could be required by some of the clients. And if you’re doing work in the DOD supply chain arena, go add CMMC into the mix as well. And given your clients and your employees are the two biggest stakeholders the organization has, if they lose trust in you, then you’ve lost your business. So ignoring your due diligence in this arena, it’s just simply a real bad business move for a manufacturer.
It sounds that way. Now, for a manufacturing organization, what is the business case for security and compliance?
Well, I mean, if a manufacturer is listening to this and isn’t convinced that taking security and compliance seriously is a good idea, you know, I understand. But the prospect of complying with multiple security standards isn’t a pleasant one. Most manufacturers are trying to run lean and exercise prudence. They’re not going to take on a new initiative because it sounds like a great idea. Like I said, nobody’s waking up on a Wednesday and saying, hey, let’s go fill in the blank. Right. So, you know, unless it’s a really good business case or you’re flat out mandated to go do it because you have to for a really important client, then it’s probably not going to land into a priority situation. But, you know, I find there’s a couple of questions that can, you know, be pretty damn clarifying when it comes down to the business case. You know, what information are you, well, receiving, storing, processing and or transmitting that your employees, your vendors or your customers are trusting you to keep private? And the second point is, if any of that data were to get breached, how would those stakeholders react and what would it do to your business? You know, as an example, your employees don’t want their employment records to be accessed, they don’t want their ACH information stolen for their personal bank accounts. You know, they don’t want bad actors knowing about, you know, medical leave details and insurance information. You know, on the business side, you know, you always have something to protect, a process, product, deliverable that somebody else wants to pay for. So, you know, if somebody is willing to pay for it, somebody else is going to be willing to steal it. And so, you know, manufacturers are increasingly dealing with clients that are bringing security requirements to the table as a stipulation for doing business.
So, you know, the clients may come in requiring, you know, proof of compliance with the list that we’ve already gone through, you know, of various standards, depending on what all you’re doing or up to. And if you cannot provide the proof that, yes, we’re compliant and here’s our piece of paper signed off by somebody else, et cetera, in all likelihood, you’re going to end up, you know, losing out on basically winning bids or, you know, re-upping the, you know, the contract that you’ve got, you know, type of a deal. So the business case becomes pretty clear, pretty quick.
That makes sense to me. Now, what possibility exists for manufacturers to lose their existing clients?
Well, you know, you may already have contracts and here’s the challenge. Right. You could have contracts as a manufacturer that already have stuff in there related to security and compliance, but because nobody was actively enforcing any of those provisions within the contract, it may very well be that something was signed three, four, five, eight years ago. And yeah, it was a line item on there, but nobody gripes. So we just all kind of forgot about it, et cetera. You know, so that’s one possibility. Another is that, you know, as your, you know, kind of cornerstone customers are, you know, taking their own steps to move towards security and compliance initiatives, they’re then going to expect that their vendors do the same. And one thing that manufacturers don’t understand about this space is that many of the standards and requirements out there require elements like vendor due diligence, like annual validation that the vendors are, you know, doing their part as it relates to, you know, the security and compliance endeavors, you know, for the organization and protection of that customer. So quite literally these clients that are starting to have light bulbs twinkle about, hey, we need to get our security and compliance shit together, as they go down that path, part of the standards that they’re going to go up against mandate that they’re holding you, you know, the manufacturing organization that’s a supplier of theirs with access to sensitive information, holding them accountable as well. This is literally, manufacturers should just be listening to a giant clock ticking because it’s not going to be, geez, we may never have to, you know, have to worry about this. I can’t imagine that there’s a manufacturer out there in the grand scheme of things that’s not going to land up with a mandate at some point in the game that they need to take this seriously. So it’s coming.
It’s just a matter of when, you know, regardless of what forces, you know, customers to head into that arena. You know, as they do, then you can rest assured you’re going to be on the list for needing to prove it out to them, of your compliance. And if you’re not, that’s where you’re going to run into that danger of losing the customer. Do I realistically think there’s a client that has a manufacturing vendor, you know, where they would say, oh, you know, we’re going to instantly stop doing business with you? You know, they talk to you on a Tuesday and kill the business on Wednesday? Probably not, but I can also similarly imagine you’re not going to have years to get around to doing this. They are going to expect that you move expediently, move fast, that type of thing. So it’s going to be, it’s common. You know, every single client of yours though, as a manufacturer, every single one, I can tell you unequivocally believes you’re protecting their stuff and, you know, whether the contract requires it, whether it’s in writing or not, whether there’s some specific compliance standards you’re supposed to meet as their manufacturer or not, they just at their base are saying to themselves, we’re entrusting these people with our valuable information. They better damn well be taking it seriously. That’s where their heads are at, regardless of what’s in the contract. So they’re already trusting you with sensitive data and they have that kind of firm belief that you’re going to go, you know, do the right things, take the right steps to be able to protect their information.
Yeah. What are your recommendations for manufacturers getting started with security and compliance in their organizations?
Well, you know, just for a lot of manufacturers that are out there, there hasn’t been a lot of exposure to cybersecurity and compliance. That lack of familiarity is going to make it difficult to get up and, you know, get their program running, running appropriately and running smoothly, you know, just as a manufacturer. And keep in mind, my comments aren’t derogatory to manufacturers, you got to keep in mind my background, right? I literally started into this space as somebody that came up through the ranks of IT, but I didn’t have any exposure to security and compliance. And boy, was that a learning experience for me. Even having been in IT for my entire career, when I had to take on security and compliance, it is a completely different animal, completely different beast. And I can tell you that practitioners, you know, in the IT space, they just do not possess that. A lot of organizations go into this with the guiding assumption that, well, because they can spell IT, they must know how to do security and compliance. It’s just not true. You know, for manufacturers, you know, the first thing that I would recommend is they need to think through and then document all of the sensitive data, all the various realms of sensitive data, you know, that should be protected, whether you’re receiving it, whether you’re simply processing it, whether you store it, whether you send it somewhere, you know, so, you know, thinking through things like customer’s intellectual property, how is that coming to you? Where is that getting put? Where are we sending it to? Where do we save it? You know, things along those lines, okay. But you want to do that with customer intellectual property, credit card data, any banking or ACH information, employee contact data, medical information, whether it’s through medical leaves, whether it’s through insurance, etc.
Any background check information you may run on your personnel, your financials, your, you know, your details about how you’re running your business financially, you know, any of your manufacturing procedures or processes, and anything else that you don’t want to be made public, think through how are we getting it, processing it, storing it, and transmitting it. You know, let’s get an idea of what do we have, where is it, where does it go, how does it flow, you know, all that fun stuff, because now once you’ve gone through that exercise, you know, etc., you know, and you go through that exercise of saying, hey, you know, if my employees, customers, vendors found out that I blew it, and this stuff became public, and or, as I’ve unfortunately had a number of organizations come to me over the years, that literally found out they had a problem because their breach was posted on Google, as an example, you know, it’s, it sucks. Oh, God, is that a bad day? Oh, it’s a horrible day. But, you know, you don’t want to be that guy, you know, you don’t, you don’t want to be that organization that blew it.
It is so much easier and so much less expensive to just get your ducks in a row, etc., right out of the gate. So, you know, my recommendation is, once you’ve got all of that in line, reach out to an expert that can help you to figure out how to protect that information and that data. Certainly, us here at TCT, we’d be happy to have a high-level dialogue. If we can help, cool. If we can give you a recommendation, we know a whole bunch of different, you know, consultants, assessors, vendors, etc. We just, I got into the space to help people. So, you know, reach out, get somebody to give you a hand and give you some direction. You know, because there hasn’t been that historical focus on information security, I go full circle to the notion I was talking about earlier, which is that IT people, they can spell IT, they can make your day-by-day IT hum, but are they necessarily cybersecurity experts? Probably not. You know, almost definitely not. So, don’t lose sight of the fact that this isn’t something you can just go hand to your IT team, tell them to Google it. That’s going to be a horrifying mistake and give you a false sense of security. You know, they’d be fantastic partners to whoever’s kind of giving you the right directional guidance. They’d be fantastic at implementing and they’re going to learn a ton, you know, but they just do not possess that experience to be able to go through, you know, and do their thing. I would definitely instead go get yourself a compliance consultant that can help you get your cybersecurity and compliance program up to speed. A good compliance consultant is going to give you sound advice on direction. What should you do? They’ll look at what you have. What do you need? What are you going to need to be able to support the requirements that your organization needs to go up against, you know, et cetera, and do so in a cost-effective fashion.
You know, at the end of the day, the consultant only cares about helping you with your objectives. You know, working with that consultant will give you a clear roadmap for how do we meet and or exceed the bare minimum that we need to go and step into, you know, but also, you know, how to go about lining up different solutions that will actively shield the company from a cyber attack. You know, the compliance consultant, as you come in, that’s where their vendor recommendations will be able to come in helpful. They’ll be able to give you recommendations based on what you’ve got and what you need. What should you do? You know, should you take this existing vendor and extend their footprint, you know, in such and such a way, or are you better off to go get a brand new vendor and replace five others, you know, type of a deal? That’s the type of guidance and advice that the consultant will be able to kind of bring to the table. So, and really customize it based on your particular solutions. But, you know, probably the most important part that you get out of that consultant relationship is that they have the capability to recommend, eventually, you’re going to need to go through a third party assessment in order to, you know, in order to appease the folks that are going to be coming and asking. Now, maybe out of the gate, you can start working with the consultant, but at some point in the game, you’re going to need to be able to go through a third party assessment and the consultants can give you rock solid advice on assessors that are great to work with, ones, you know, ones that might have been painful, you know, before, ones that are going to be a good fit for you culturally, things along those lines, you know, and look at it from a cost-effective perspective as well. That relationship with the consultant is absolutely effing huge.
Sounds that way. Parting shots and thoughts for the folks this week, Adam?
Well, I feel like I’m beating the dead horse here, but I’ll reiterate several things. One, it is not a matter of if we’re gonna need to take security and compliance seriously. It’s coming. It may have already arrived at your doorstep and you managed to do the dance, et cetera, for the time being. It may be that you were forced to go head down this path. It may be that you haven’t heard a blessed word from a single individual about anything, but rest assured, it is coming. And so knowing that, I’ll put this into perspective for the folks that are listening to this. Like I’ve been in IT for my whole career, and I got faced with security and compliance not knowing a dumb thing about it. And me as an experienced IT leader, it took me 18 months to get through my first swing at the bat on a security and compliance engagement. And that was 18 solid months of just getting shit figured out. It is not easy. And so any organization that has not yet entered this realm, do yourself a favor, mentally plan that the adventure you’re about to go walk into without help is probably gonna be a two-year adventure, would be my recommendation, kind of on average. Now, how can you shore that up? You can shore that up by going ahead and leveraging help and assistance. Part of the reason why I stepped into this space is I love helping people. And I knew by the time that I finished that first engagement, how little help there was out there, and of whatever help there was, how effing expensive it was, et cetera. So I stepped into this place to try to help people not have to go through the same 18 dimensions of BS that I had to go through on my first round because it was absolutely horrifying. So go down the road, get yourself, if you wanna work with TCT, cool. But the recommendation stands, go get yourself somebody that really knows what they’re doing in the security and compliance space that can act on your side in a consulting fashion.
Don’t go straight to an assessor, but get a consultant that’s gonna be on your side, that’s gonna help you navigate the waters. That’s what you really, really want to have in place. So that’s my best recommendation, especially for the poor manufacturers that get the absolute joy of heading down this path for the first time like I did a couple decades ago.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.