Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Q2 Security Insights 2026


Quick Take

On this episode of Compliance Unfiltered, join the CU Guys as they give you the blueprint for Q2 2026, on how to transform compliance chaos into a manageable, continuous process. This episode reveals how shifting from a reactive, annual sprint to ongoing, automated oversight can reduce stress, enhance productivity, and fortify your security posture. Learn practical steps to automate routine tasks, manage evidence proactively, and turn compliance into a strategic business asset. Ideal for security teams and leaders eager to embed security into their company’s DNA and eliminate last-minute audit stress.


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the fresh pair of running shoes for your compliance marathon. Mr. Adam Goslin, how the heck are you, sir?

I am doing just fantastic today, Todd. How about you?

I can’t complain. I cannot complain. Exciting that we get the opportunity to chat today, because it is in fact that time again: security reminders for Q2 of 2026.

Adam, before we jump right in, as always, we do want to remind the folks if you’d like to get in touch with us have some comments or feedback you would like to share, please do so [email protected]. All right, Adam, the security reminder as we look at it for this quarter reduce compliance management to bite sized chunks help the folks chop it up.

So, you know, this is a topic, it doesn’t matter whether you’ve been doing, you know, doing compliance for a decade already, you’re brand new to the game. You know, it really doesn’t matter. You know, there’s a lot of organizations that will kind of approach their compliance event as this like once a year extravaganza. And so it’s almost like, oh, it’s, you know, I feel like I’m back in the day aging myself of course with, you know, duck season, rabbit season. You know, it’s compliance season, right? You know, everybody goes from their normal day jobs into kind of compliance mode. We put our heads over into the compliance stuff frantically for some period of time, the typically last months for some of the folks on the team. And then everybody just goes back to their normal day job, you know, type of a deal until they, you know, until the bell goes off to go do it all over again.

You know, it’s like a real bad episode of Groundhog Day. But, you know, the purpose of, here’s what’s lost in a lot of organizations is that, okay, are there some companies that they go in, they’re there to check the box and get their piece of paper and, you know, be able to prove to third parties that they’ve done these things. Sure, there’s some that carry that notion. I would strongly recommend, look at your program differently if that’s the way that, you know, that it’s being, you know, kind of being operated. You know, really you need to look at security and compliance as this is an active measure to help to protect the company, protect the organization, protect the stakeholders, protect the clients, protect all of the people, whether it’s, you know, personnel or vendors, you know, that depend on, you know, this company. You know, make it part of your DNA, you know, for the organization. You know, it’s not compliance season for three months of the year. It’s compliance season every fricking minute every day. And so, you know, kind of on a normal compliance engagement, there are things that are supposed to be happening, you know, that are done every day, every week, month, quarter, twice a year, and once a year. You know, but a lot of organizations will kind of pop up at that once a year moment and then try to gather everything for the year. You know, and, you know, realistically, those periodic tasks, those are the ones that, you know, really are assisting with the active protection of the company, you know. So, you know, if you’re only going in and, you know, dusting these things off once a year, you’re not running a security and compliance program. You’re just surviving an audit, so.

Sure, that makes sense.

Yeah, I mean, so as you go from, you know, compliance season over to, you know, something different, which is, you know, kind of more a regular recurring rigor, you know, et cetera, at TCT and literally, when we created the portal back in 2015, I believe it was 2016 is when we jammed in operational mode. And, you know, this will spread out those tasks. And, you know, I’ve had a lot of folks go, well, geez, you know, why a decade ago did you, you know, did you go and turn on operational mode? Well, why?

Because if I was sitting there, you know, helping clients get through their security and compliance engagements and not finding out until the last second that somebody on the internal team had dropped a ball months or quarters ago, you know, type of a deal. And now it’s coming to light. And guess what, at what time that’s coming up? Right in front of the effing assessor. And it’s like, are you shitting me? You know, I don’t like, I’m not a fan of surprises. I know assessors aren’t fans of surprises. And once the clients realize what’s happened, they find themselves also not a fan of surprises. So, you know, you wanna shift to just a continuous rhythm for your program.

You wanna move away from, you know, this, you know, once a year sprint to, you know, to something that kind of spreads that load out. You know, it really has the capability for transforming compliance programs. You know, things run a hell of a lot smoother. You’re gaining more control, you know, all sorts of fun stuff. So, you know, there’s, you know, you wanna make the move in that direction. Certainly, you know, migrating over into this operation, it doesn’t have to be overwhelming. A lot of people go, oh my God, well, we have this hellscape that we go through for three months of the year. We don’t want that all year long. It’s not like that. You’re taking the hellscape and you’re, you know, kind of your peanut butter spreading it out across the course of the year. You’re actually lightening, you know, lightening the load as a result. And it can be completely automated, especially for, you know, for folks that are using, you know, using the TCT portal, it’s literally a flip of the switch. We can, you know, we can set your engagements up in this manner. So you can, you know, kind of automate everything. It’s running in the background. It’s popping up. It’s reminding your people. So a lot of times when we’ll dial on the, you know, kind of the operational mode, it’ll get dialed on with a quarterly cadence surrounding it.

So if you’ve got an annual cycle from January to December, just to make this super easy, you know, the quarter one compliance test, they’ll start coming due at the end of March, you know, all of those periodic and circumstance-based evidence items like quarterly vulnerability scans, or did we have an incident, you know, those are the types of things where, you know, you basically just get these items assigned to the right people and the system will, you know, kind of wake up two weeks before the, you know, before the end of the quarter, remind everybody, hey, you’ve got, you know, this many items that are coming due, you know, and it basically gives the organization direct line of sight to exactly what needs done and, you know, and all of that fun stuff. And when, by whom, you know, et cetera, and now I’m, you know, now I’m taking advantage of that spread. You know, the other piece that’s a huge risk on security and compliance engagements is when you have personnel turnover.

So if you have somebody on the team that’s been, you know, kind of doing the job for the last six years and all of a sudden they are no longer, whether they, you know, whether they, you know, left at their own volition or the, you know, the organization had cuts or whatever it may be, you know, the bottom line is, is that, you know, somebody new has to step into that role, but the person that left and the person that’s now inbound, well, they didn’t do all of the handoff that they were supposed to do. Well, if you’re in annual scramble mode, guess what? You’re right back to what I was saying earlier, right? If, you know, if the new person didn’t have any idea they were supposed to be doing fill in the blank, well, guess what? You’re gonna find out about it in front of your assessor when you’re gathering up all the evidence right at the end of the year when you can’t do anything about it.

You know, so that’s a really, really, a really, really, you know, sweat bullets moment when that occurs. Where if you’ve got your engagement set up in an operational mode, you’ve got the ability to catch things sooner. Everything’s documented within, you know, within the portal. You’ve got near term insight as to whether or not somebody’s dropped the ball, something not done, you know, whatever it may be. It doesn’t even matter. Even if Bob didn’t train Mary properly, you know, told her some of the things that she needed to be able to do, but not everything, it doesn’t matter because Mary can go log into the portal. She can see what did Bob do last year? What did he pass over to the assessor? What specific evidence was it they were looking for? Which screenshot, you know, et cetera. So they can see what the assessor approved. So she’s actually able to get up to speed, fast and efficient in terms of being able to, you know, quickly step in and kind of take things over. You know, the other side and the other benefit of doing your engagement in this manner is that it really allows you to improve the relationship with your assessor. You know, for a lot of them, they would applaud an organization that’s moving into this operational mode. They love it. When the company has detection mechanisms in place, they see that you’re, you know, discovering things, getting them addressed, correcting them in near real time. You know, that you’re taking your compliance and security seriously. You’ve got your act together. All of those things go a long way to improving the level of trust between the organization and the assessor.

You know, the cool part is that as you start to kind of go in and, you know, go in and do this kind of move into the operational arena, there’s two different things that I would suggest. I would suggest that if you go from the annual scramble and into like an operational compliance mode, do that, walk through that for your kind of your first year, right? Perfect things, dot I’s, cross T’s, et cetera, come year two. And then that way you can, you know, you can then move into kind of the next evolution for, you know, for the spreading of the, you know, kind of of the task.

And that is all of those items which are only done once a year. Now, what I would suggest is, you know, take those items, sit down and take a look at them, figure out how can I move these out across the course of the year. I would strongly suggest do that planning in association with your assessor. The assessor may have certain elements of evidence. They’re like, you know what? I know this is only a once a year thing, but I want you to do it right before I’m about to go look at your stuff. So they may have certain artifacts that they want in your compliance Q4. However, things like the annual review for policies, maybe they’re cool with, yeah, that’s something you can do in your compliance Q1. Maybe you go and handle all of your security awareness and training activities in Q2, you know, et cetera. But that way I can spread out all of these annual tasks across the course of the year.

So that instead of everybody sweating bullets for the three months, now we’re literally taking the compendium of all of the things that need to be done across the course of the year, spreading it out over the year. And now you’re, you know, now you’re really gaining, gaining some serious benefits. But for a lot of organizations, the spreading of that, the spreading of that annual evidence, that’s something that I’ll see typically come into play as the organization really kind of gains their sea legs on an operational mode and is kind of ready to move to that next step. And for a lot of organizations, that’s, you know, kind of two, three years, you know, down the road after having taken the step in the operational mode direction. That said, the final thing that I’ve got here is, um, you know, you’ve got, if you’re, if you’re taking that, you know, kind of three month sprint and now sprinkling that out across the course of the year, guess what? The other benefit is, the other benefit is, is that you’re lowering stress. You’re making things less overwhelming for your team. Um, they actually improve their, improve their productivity. Um, it becomes more part of that day by day DNA. Um, you don’t have to go send them off into, you know, compliance season for months at a time, you know, et cetera. And, and instead the, the, the, the fringe benefit is, and here’s where all the project managers and, you know, kind of upper upper mid-level management is going to be happy is that now, instead of it being, everybody goes off into the compliance cave for this long period of time. Now I’ve got, I know that, you know, this person’s going to need to spend, you know, a day and a half a week, you know, on compliance related stuff. Uh, you know, this other resource may need to put in two hours every two weeks, you know, type of a deal, depending on how much load they’ve got, but now it becomes dependable. Now it becomes repeatable.

Now I know well in advance, when are certain activities going to be happening across the course of the year? It really allows for a, you know, it really allows for a much higher, uh, you know, level of planning capability that the, you know, that, that the folks at the organization can now learn to kind of depend on.

And it really, it really helps everybody out at the end of the day.

That sounds that way. Now, quick tip time. EZ-CERT is the compliance interface for non-techies. As a relatively non-techy individual myself, I’d like to hear more about this.

Sure. So when it comes to EZ-CERT, it was some functionality that we released a little bit ago. We just wanted to flag it in the security reminder for the folks that are on the TCT portal. The person that’s on your team that’s living, breathing compliance day in and day out, the TCT portal interface, it is a very powerful tool. There’s a huge amount of capability, and for power users, that’s exactly what they need. They want to be able to slice it, dice it, and have a lot of options, and be able to see everything six ways from Sunday, and I got to looking at this person’s stuff, that person’s stuff, et cetera. But there’s also, in terms of the user base, there’s those users that maybe you are on the once a year scramble. Maybe the users haven’t seen the interface in a year. Maybe it’s somebody like HR, where they have a scant few items that they need to supply once a year type of a deal. Regardless, a lot of times, what people feel like when it’s a non-technical user, and they’re staring at the breadth of capability of something like the TCT portal, and all of its full-featured glory, they feel like they’re sitting down at the cockpit of a fighter jet when all they wanted to do was drive to the grocery store.

You know what I mean? I do. And so they don’t want that complexity. They want to be able to go in, get their shit done, and get out type of a deal, and that’s where EZ-CERT came into play. It’s a simplified, streamlined interface. It’s designed specifically for control owners who, basically, all I need to see is my stuff, I need to get my shit done, and then I need to move on. I don’t need all the other bells and whistles. I just want to get through it. And so when a user’s logging in with the EZ-CERT, they literally get an active dashboard that gives them complete clarity on what they’ve got. What do they have? They’re only seeing their items. How far along am I with my items? They can see a progress bar, where they’re at in the grand scheme of things. What’s next? Type of a deal, they can be guided through each of their elements of evidence that they need to go in and provision for their engagement. So the cool part is that the client can actually control who sees what. The EZ-CERT, it’s not like everybody has to be on EZ-CERT mode, or everybody has to see the TC portal. It’s down to the individual user level. So if you’ve got three power users on your team, they want all the features and functions of TC portal, cool. The remaining six people that are on your team provisioning evidence, they just need EZ-CERT, you literally dial it on user by user as you’re going through. For the organizations that are listening, that are either consultants or assessors, the EZ-CERT’s a game changer for new client engagements. When you’re starting onboarding a brand new client, just start them in EZ-CERT mode from day one. They’ve never seen the full portal. Their impression is a clean, focused, intuitive experience that they can go ahead and run through, get their stuff done and improve the efficiency of the overall engagement.

As you’re going through, we’ve had a mantra for a year or three about how we love to make compliance management suck less. And so it’s really about people.

We wanna strip away the busy work and kind of interface overhead that they feel and make compliance suck less for everybody that’s involved. So certainly the EZ-CERT capability, it’s available to all of the TC portal customers. So if somebody wants to know a little bit more about EZ-CERT, just go ahead and contact portal support and we can go get them headed in the right direction. You can play around with it if you haven’t seen it already.

What’s new in the news? Listeners can always access links to the various news stories by going to TCT’s website at gettct.com. Click on resources and click on security reminders. Adam, what’s new in the news?

Ah, the good old fashioned news grab bag, gotta love it. So some things going on. Under Armour had a ransomware breach where they had 72 million customer records show up over on the dark web. This breach happened, it was reported in Jan, 2026, but it was an exposure that came following a November ’25 attack by the Everest ransomware group. So the leaked database reportedly contains 191 million records, which covers 72 million unique emails. And it’s got names, phone numbers, locations, genders, detailed purchase history, et cetera. So Under Armour’s official communications were initially cautious. The Everest group published the data after the company allegedly missed a ransomware deadline. So it kind of highlights that double extortion tactic where attackers are not only encrypting systems but then exfiltrating and leaking sensitive data to try to pressure victims, leading to those kind of secondary risks of targeted phishing and identity theft. So yeah, that was not a fun one.

We had Conduent had a data breach, which was among the largest in US history. They had a breach from October of ’24 through Jan of ’25. It involved the theft of sensitive healthcare and personal data for 25 million individuals. Their compromise exposed social security numbers, regulated health information that led to some massive regulatory scrutiny, class action lawsuits, et cetera. So it was particularly notable because of the delayed notification timeline. While they sent disclosures to regulators in early ’25, the impacted individuals weren’t directly notified until October of last year. So it really increased the risk of long-term harm, identity theft, financial fraud, et cetera, which has the possibility to haunt folks for many years after their data first appeared on the dark web.

We’ve got another one for critics calling the FCC router rule a big swing that could create more supply chain uncertainty. So the FCC is looking to ban foreign made routers in the United States. It was kind of a vaguely rolled out announcement and it’s causing an immediate either slowdown or halt in router and Wi-Fi device sales for foreign companies such as TP-Link. So meanwhile, the router and Wi-Fi device manufacturing in the U.S., such as Netgear, Starlink, they’ve been seeing jumps in sales. So we’ll kind of keep an eyeball on what ended up happening there.

Next up, there was an Axios NPM package, which was compromised to deploy malware. This one was interesting because somebody took over a legitimate maintainer account. Updates were made to a couple of different versions of Axios. It’s a widely used JavaScript, HTTP client for web and Node.js applications. The scary part was that the attacker published unauthorized package updates that appeared to be legitimate. So it made users, organizations, unable to tell that they were loading up nefarious updates to those packages.

Imagine you go onto your phone or your computer or whatever and search for updates to install. It literally would have appeared like this was a valid package that was ready to go get updated. And again, the listeners can go to our website, connect up to links to all of these news stories so that if you need to, if your organization’s using Axios, then I’d recommend make sure you’re validating the versions that you’ve got installed and if you have any of the bad ones, so make sure you get those updated ASAP.

There was a, moving on to a different one, there was a SIM swap that exposed a critical flaw for identity security. So it was a new type of physical attack that makes that kind of trusted phone number anchor, misplaced mindset. So they call this a SIM swap attack. So basically what happens is the cyber criminal gets a mobile carrier rep to transfer the victim’s phone number to a new SIM card that’s in the attacker’s possession. Once it’s reassigned, that attacker now can take on the identity of the mobile device that can intercept one-time passwords, MFA prompts, initiate password resets, token resets for banking apps, all sorts of fun stuff. So certainly something for folks out there to kind of keep their eyeball on it.

And finally, we had an article that came out about Iran had built a vast camera network to control dissent and Israel turned around and turned that into a targeting tool. So Iran’s got hundreds of millions of cameras throughout the country. They’re on shops and homes, street corners, other places. The Iranian government was warned that these cameras had been compromised, but the officials didn’t heed the warning. And that was ultimately determined to be the reason for the Ayatollah being taken out.

The irony of these authoritarian countries is that the systems that they put in place to squash dissent, if they’re compromised, now turn into a huge detriment. So there was a security engineer from California that figured out he could hack millions of cameras globally without even leaving his home. So it’s just a… Was it the Roomba guy? Yeah, I didn’t go look at the who of that security engineer and connect him to the Roomba guy. Thank you.

Well, that’s the guy that I know of from the security engineer from Southern California that didn’t like the way that his Roomba was operating and basically built an entire new operating system. And when he brought it online, he realized he had control of like thousands of that same model of Roomba throughout the world.

That’s hysterical. A lot of times, that’s kind of how it goes, right?

You get somebody tinkering and starts to mess with devices, effectively jailbreak some of whatever, and they end up figuring out backdoors to go get in and cause all sorts of ugly buglies. It’s a good time.

No doubt about it. Any parting shots and thoughts for the folks this week? I know that’s not our standard operating procedure here, but is there anything else you want to get out on? Um, no.

You know, just, I mean, I go back to, you know, we talked about, especially the, you know, kind of the, the security, security reminder for, you know, kind of spreading out your compliance, you know, and the ease of the, you know, of the EZ-CERT. If these are not things your organization is doing, do yourself a favor, go send something into the portal support crew, you know, send something to, you know, to Compliance Unfiltered and ask, you know, ask your question. You know, we’d be happy to help folks.

So the bottom line, you know, we got into the space to help people with making their compliance suck less, you know, kind of improve their programs, et cetera. You know, both of, both of those, those things are things that will significantly help organizations with, you know, kind of improving their posture while making things easier. It’s just, it’s kind of a no brainer, if you will.

That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
