Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show notes: New Year’s Resolutions


Quick Take

On this Episode of Compliance Unfiltered, we ring in 2023 with New Year’s Resolutions for the compliance pro in your life! Adam shares his hopes for companies in the new year, while also highlighting some resolution-related modifications that organizations can make to set themselves up for success.

And don’t worry, this episode is not just for individual companies, the CU guys have resolutions for Service Providers and Assessors as well – along with the hottest compliance stats for 2023.

All on this episode of Compliance Unfiltered!

Remember to follow Compliance Unfiltered on Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside your compliance, Auld Lang Syne, the one and only Adam Goslin. How the heck are you, sir? I am doing fantabulous today, Todd. How about yourself? I can’t complain. I can’t complain at all, and I think it’s only fitting that we’re starting out with a new year and the same compliance you. But I think it’s important that we take this time to chat a little bit more about New Year’s resolutions on the compliance front. Don’t you agree? I do. So to that end, I’m going to start this with a little bit of a story.

So, I recently received another one of those effing E-mails that are all too familiar. Hey, we’ve had a security incident, and somehow we managed to expose your name, credit card information, and blah, blah, blah. But don’t worry, because we’ve taken steps to make sure it doesn’t happen again. I’m so sick and tired of getting these stupid notifications where these companies are like, oh, we really care about your security now. We didn’t give two craps about it yesterday, but we’re really sorry that we went and exposed all your stuff that we’re supposed to protect. So, no, I’m just tired of it. I’m tired of the lip service. I’m tired of getting the stupid emails. I’m tired, I’m tired. So, you know, I want people to stop putting lip service to their security, and start putting their money where their big freaking mouths are once they’ve had an incident.

Well, I certainly appreciate that. Now, I guess my question to you is, what is your hope for a resolution in terms of clients for 2020? Well, my hope is that every single freaking organization that’s responsible for protecting some form of sensitive data, and keeping in mind, I mean, this could be first names, last names, email addresses, i.e. PII or Personally Identifiable Information. This could be protected health information or PHI, it could be credit card data or PCI data. This could be intellectual property. Any company that’s doing business today and has an internet connection, it has something they need to be protecting, some more than others. I just, I want them to take that responsibility seriously. That’s my real hope.

I certainly appreciate that. Now, I guess what resolution related, you know, to modifications, I guess, can a company really kind of hope for, subject compliance to make? It’s kind of tough, right? Isn’t it a little muddled? Well, you know, for companies that are subject to compliance, there’s a couple of pointers. I mean, the obvious statement is, actually take it seriously. A lot of organizations, I can’t tell you how many companies, I’m like rubbing my head as I’m going through it. Because, it’s like they’re like, oh, well, you know, we host our stuff at fill in the blank, gigantic hosting organization, cloud hosting organization, so we must be secure. And it’s like, just because you’ve got your stuff someplace where it’s a gigantic company, that has a really big report, doesn’t necessarily mean that you’re compliant too. You can’t just pawn your security off to third parties. The other thing that drives me freaking nuts is, one of their requirements is to go through all of their service providers, and we’re going to validate their compliance each year. Well, validating compliance effectively constitutes them asking their service provider for their most recent report, they receive said report and then put it in a file folder. Literally, that’s all they do. And it’s like, no, no, no, no, you can’t do that, you need to, oh, I don’t know, actually look at the paperwork that you’ve got. I had an organization once, they got a report from a company, there were two different instances. In one instance, they got a report from a company and it wasn’t even for the service they were consuming, and in another case, the client got a report from a company and it didn’t even cover the location, like the scope of the report, didn’t even cover the location that they happened to be hosted at. But, so many companies will just take the report and go stick it in a folder and call it done and say, oh, our responsibility now is done because we’ve asked for a report, we got one.
It’s like, man, you gotta actually look at these reports, you’ve gotta validate. Is it covering the environments that we need? What services are you consuming from this organization? Is there any detail in this report that says that those services were specifically covered as part of the scope of their engagement? And the other piece is, really looking at the exceptions list on those reports is another key element. If you get a report and the thing’s just absolutely a trove of holes, well, we didn’t validate that our users had the right permissions, and we didn’t validate that they’d done security awareness training. If there’s all these exceptions in there, you know, what did they do about it? Is it a passing report type of thing? So there’s a lot of areas that organizations need to focus in on, the third party’s aspect of this, because honestly, it’s engagement over engagement, one of the biggest gaps that I’ll see, is how laissez-faire they are with handling their service providers. That’s just a big gaping hole, but bottom line is, is that you should be looking at your overall security program and really getting everything down to line item level to confirm, yes, we actually have what we’re required to be doing in place.

Well, I guess that really opens up that Pandora’s Box is what about the service providers? Yeah, I mean, for the service providers themselves, I’m attacking this in terms of perspective, right? We talked about companies subject to compliance a minute ago, now we’re talking about, okay, so for the service providers themselves, going through and reviewing their existing services that they, this sounds dumb, but, it’s been a long time since we’ve been here, and it’s been legit, I’ve had discussions with people at service providers that don’t even know what all they do. So going through, making sure that your team is educated about what all can you provide? How are you providing that, how are those things done? The more education you can get to your crew, the better you’re gonna be able to articulate that out to your clients. Then really, for organizations, go through and do a review of the, what all is company A, B, C consuming from your organization? How better can you help them achieve their objectives? I mean, certainly knowing and understanding what security certifications your clients are subject to that you’re helping them with, etc., in conjunction with what services are they consuming today, versus what other ones you have available. It’s just a golden opportunity, number one, to help your client, and number two, hey, guess what? If you’re selling more stuff then you’re making more money, and you’re more profitable, and extending sales to an existing client that you already have, that’s a heck of a lot easier than trying to go find a new one. The other piece for service providers is making sure that they’re, and this is an area where many of them will struggle, is making sure it’s really clear, what is the responsibility matrix in terms of them, in coordination with their client, what things are covered by the service provider exclusively? What things are the customer’s responsibility? And, if there’s any shared responsibilities, which there probably are some.
What level of detail do you have around what part does the service provider play in that versus the client play in that? If they took a look at their responsibility matrix, I’m practically positive, just about every service provider known to man would probably find a plethora of opportunity for improvement in their responsibility matrix.

I definitely don’t doubt that at all. And it kind of leads me to my next kind of logical question. It’s the only group of folks that we really haven’t touched on. That is… What about the consultants and assessors in this space? Well, I’d recommend to the consultants and assessors of the world, go in and take a fresh look at your engagements. It’s really, really easy to get into this mode of, oh, well, we’ve had this client for six years and we’re just doing the rinse and repeat, da, da, da, da. You’ve gotta almost start from scratch and ask the questions anew. Like you’re a small wide-eyed child and, you know, let’s just look at this with a whole new set of eyeballs type of deal. Because when you do, then that’s where you end up finding opportunities for improvement, things that may have been missed, things that need to get buttoned up, you know? So, I mean, literally I was talking to somebody earlier today, that was talking about how their landscape had changed dramatically from the prior year. Starting to go in and kind of take a fresh look at, okay, well, let’s look at this new landscape, what are all the ripple impacts of it as we’re planning toward their next run at compliance, etc. You know, looking at those engagements with a fresh set of eyeballs is a really good idea. Oftentimes, what helps is instead of having the same person that’s done this from the dawn of time, do some kind of peer reviews of engagements as well, that can also help. Similar to some of the stuff I was saying about service providers, as a consultant, as an assessor, where else can you help this client? You know, they’re looking for your assistance either, preparing for an assessment, slash audit, or going through one. So how else can you help these organizations? I mean, it’s oftentimes there’s a number of players involved, we step on toes, etc. But, you know, take a sensible approach to how else can you help these people?
And really what I charge the consultants and the assessors with is, your responsibilities aren’t just to the direct client that happens to be on paper, but you also by extension have a responsibility to all of their stakeholders. So, if it’s a relationship with a particular organization, maybe they’ve got a board, maybe they got interested parties, they certainly have employees that are dependent on the organization to get their paychecks. There’s vendors that depend on the dollars coming out of that organization. So, there’s a lot of responsibility in this arena that I’m not sure all the organizations in the space take it as seriously as they could. I’d encourage them to step up their game. Because at the end of the day, all of us form part of the protection of the clients that we’re charged with. The other recommendation in general for consultants, assessors, and this is something I’ve done for a long time, I don’t want this to come off wrong, but you know, don’t whitewash elements of an engagement. I’ve seen clients where they struggle, right? Especially when they’re trying to get there for the first time, it is a metric ton of change and effort and blah, blah, blah. Oftentimes, there’s a tendency to go, okay, well, you know, that’s great that you got this in place, we’ll pass it through for the sake of this run, etc. But I always make it a habit to look for those improvements. So make sure, number one, that you identify those improvements. Number two, get those documented so that you can get those into your notes for the next year, and keep raising the bar for the organizations that you’re helping. Not only will it ensure you provide an appropriate service to the organizations you’re charged with protecting, but it also helps to raise the bar of those organizations that are going through compliance, so that they can continue to make iterative improvements year over year.

A rising tide lifts all ships, I love it. Now I’m a big stats guy, you know this, probably our listening audience knows this. Let’s share some stats with the folks just to make me happy in 2023. All right, well, let’s talk about resolutions, right? The reality is that, you know, only about 9% of people actually keep their New Year’s resolutions. About a quarter of them give up within the first week. The reality is, is that there’s usually no accountability, or meaningful consequences for those resolutions when you’re talking about dieting, or going to the gym or whatever it may be. But the challenge in this space is that, you know, there’s some potentially devastating consequences for organizations that are skipping, whitewashing, not taking seriously their security and compliance commitments. And you can bet your bottom dollar that if you run afoul with that, well, there’s going to be a whole bunch of people that are going to be keeping you accountable. Right now we’re in, you know, 2023 and since 2011, cybersecurity breach disclosures have actually increased more than 600% with zero signs of slowing down. We need to stop believing we’ve got it covered, that type of thing, and really move more to making sure that we have things covered for our security and compliance program, so that we can live up to those obligations that others expect of us.

Incredible. Any, any parting shots and thoughts for the folks? Well, for 2023, we’re trying to do every fricking thing that we can to reduce the trend of security breach notifications. The way I look at it, the more organizations we can help, the more of a positive impact that we’ll have. I don’t want organizations to be the next one that has to send the stupid fricking notification about a security breach, instead, resolve to have concrete validation of your security program, holding people responsible for making sure that you have things in place. And where the rubber kind of meets the road, is making sure that you’re bringing your requirements down to line item level, so that you can make sure, yes, I have this requirement covered. Here’s how I have it covered, here’s the evidence I have it covered. It’s a whole lot easier to bring it down to that level and run it through if you will, which is part of the reason why we created the TCT Portal in the first place, is that it’s just so much easier to have that accountability, and be able to have confidence in that accountability when you’re bringing it down to that level. And better yet, for organizations that take the approach of the, I call it the annual kind of compliance scramble, where it’s like, hey, it’s compliance season, and everybody just stops doing their day job and starts whipping evidence left, right, and sideways, that are all pulling together at the last second. Just about everybody that’s listening to this is basically chuckling and nodding their head. The reality is that in TCT Portal, we’ve got a mode called operational mode. Effectively, it’s a mode of the system for those that have gotten through that first year of line item level validation, and transitions them into, okay, we’ve made it and we’ve got affirmation that we’ve made it, now we want to maintain it.
What do we need to do? When do we need to be doing it? Who’s gonna be responsible for it? Did we get it done on time, etc.? All those things you should be doing all the way through the year, instead of the annual scramble, start getting proactive about it. Make sure that you’ve got the stuff in place, etc. It’s a whole lot easier when you have a system that’s assisting with that. People kind of feel like compliance management is overwhelming, and a lot of that comes out of the annual scramble that they go through, because it’s just so brutal to do it that way. When we fired up the TCT Portal, and here’s the thing that some folks know already about us is that this isn’t lip service. TCT proper, we leverage the TCT Portal to manage our own freaking engagement. We are firm believers. And for those that either have gone through a miserable experience, they’re surprised when I tell them, and I say, look, man, it doesn’t have to be that way. This comes from personal experience of being neck deep involved in the security and compliance responsibilities for TCT, it’s our audits, our assessments, etc. They’re looking at it line by line, you know, etc. All the evidence right where I want it, readily accessible for them, etc. Oh my, it’s so much easier. So, no matter what responsibility somebody that’s listening to this podcast may be in, it’s so much easier when you’re leveraging a compliance management system that’s as affordably priced as TCT Portal.

So my hope is that we’ll have more light bulbs going off with the folks out in the space. And certainly, if you’re already familiar with TCT, and our capabilities, and all that fun stuff, tell your friends. It won’t hurt, and it will certainly help. TCT will help accomplish its goal of helping those in the security and compliance space. And, feel free to tell your friends about Compliance Unfiltered as well. We’re always happy to take your feedback, and chat about the topics that you care about in the compliance management space.

And Adam, that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.
