"The story of the RMS Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security. The ship was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. The designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required." (securicon.com) Dixon Wright, Vice President, Vice President, Compliance Management and Automation Platform, Coalfire, speaks to the importance of moving beyond the check-the-box approach and engaging in substantive information security compliance efforts. He recommends the judicious adoption and use of appropriate compliance management and automation platforms.

Time Stamps

01:55

Yeah, let's talk about your passion. What gets you passionate about information security compliance?

03:15

For the benefit of the listeners, please provide an overview of information security compliance and the current state of affairs.

06:16

Trying to stay on top of all these different compliance requirements can be an extremely challenging proposition. What do you think?

09:15

How do we ensure that check-the-box behavior is not encouraged?

12:46

I feel this discussion on compliance needs to be coupled with the discussion on governance mechanisms, and measures, which ensure that the tools that are being leveraged effectively and essentially, people are doing the right thing. Your thoughts, your reactions?

16:33

What does it take to create a robust cyber secure cybersecurity compliance program? In other words, if you could highlight some of the key elements of a robust compliance program?

22:24

So going back to automation and compliance, I know your organization has developed a platform to provide those services. When an organization is considering investing in such tools and capabilities, what guidance or recommendations do you have for them?

31:25

What else do you think listeners could benefit from learning about compliance management from an information security standpoint? Or anything else that you think is pertinent to this discussion that we haven't talked about yet?

37:05

Let's conclude with a few final words that you may have for our listeners.

Memorable Dixon Wright Quotes

"We hire really expensive, technical people. And 60 to 70% of their job is being a technical writer."

"All these different kinds of industries and sectors have created their own types of standards, and now all these organizations have to comply with them."

"There's a challenge of getting compliant, and then there's an even greater challenge of actually maintaining it."

"I think, in many cases, compliance is just sales. You're just doing it so that you can sell to other companies, it's not actually used as a mechanism to secure things internally."

"We need better assurance that what is being automated is legitimate."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach. He has been studying cybersecurity for over a decade,

authored and edited scholarly papers, delivered talks,

conducted webinars, consulted with companies, and served on a

cybersecurity SWAT team with Chief Information Security

Officers. Dr. Chatterjee is an Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia, and visiting professor

at Duke University's Pratt School of Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I'll be talking with Dixon Wright, Vice

President Product Management of Coalfire. Coalfire is a

cybersecurity solutions provider. And Dixon leads

product efforts for Coalfire's compliance management and

automation platform. He is responsible for product vision

and execution, go-to-market activities, and product revenue.

Dixon mentions in his professional profile, that he is

on a mission to make security compliance easier through

software and automation. And so I felt that he was the perfect

guest for our discussion on information security compliance.

Dixon, welcome. Thanks for taking time to share your

thoughts and perspectives with listeners.

Thanks for Thanks for having me excited to be here

and chat about something that I'm passionate about.

Yeah, let's talk about your passion. What

gets you passionate about information security compliance?

Yeah, I guess, you know, it's, as someone who kind

of came up through the ranks of IT audit started my career, at

the Big Four at KPMG. And I've had some considerable steps

along the way to get to Coalfire. But you know, thinking

about how historically like, everything is extremely manual,

it's extremely labor intensive, lots of narrative writing, when

the essence is trying to really dissect whether or not technical

things are implemented correctly, and then weighing an

opinion against that. So it's just that, you know, one of my

old colleagues said it best he's like, we hire really expensive,

technical people and 60, 70% of their job is being a technical

writer. Right. So, so both from a business stance, as well, as

you know, I think from a security stance, that's probably

not the best allocation of resources. So I think, you know,

our, again, our vision and mission is really to make that

easier from the customer side, but also, you know, use that to

enable the business as well.

Very cool. Very cool. So, you know, for the

benefit of the listeners, provide an overview of security

compliance, and the current state of affairs.

Yeah, it's a great, it's a very, very broad

topic, I try to do do it to the best of my ability. But I think,

I think security compliance, like starts with third party

trust. So when we think about, you know, why they exist, kind

of, I would say, the foundation, the genesis of compliance was,

hey, like, we want to do business with other businesses,

like we need to determine whether or not they're doing the

things we need them to do. And I think a lot of this even started

financially with some of the Sarbanes Oxley like IT controls

when you outsource particular pieces of your, your process

internally. So specifically, some of the, you know, I've been

an expert in for a while is SOC reporting. And that, you know,

basically what happened is is like, all these third, you know,

all of these companies wanted to go in and like audit their

vendors. And so basically, there was, you know, things change,

and they develop this kind of, okay, well, actually, let's

create a standard so that third party organizations can go in

and do their own assessments and then provide a report that can

then be distributed across to all those customers so that, you

know, it's do once provide many versus having these like

one-to-one audits per customer that you have. And I think

that's, you know, that is expanded so, you know, vary

greatly over the last, like, you'll see, we'll call it 10

years because all of these different kinds of industries

and sectors have created their own types of standards that now

all of these organizations have to comply with. And I think,

more recently, we've seen a large amount of like

jurisdictional specific standards pop up. So if you want

to go and do business inside of Germany, German organizations

may now require you to follow some type of German standard

same in India, same in Japan. So when you think about these large

technology, SAS providers, they have, you know, so many things

that they have to comply with. But it all comes back, I think,

you know, at its core is like, the, the point is to be able to

show trust, the way in which trust is executed or is

implemented or evidence is just now becoming vastly different

depending on who you do business with and where you do business.

So, you know, the larger the company, the more things you

have to do, obviously, the you know, it gets exponentially more

and more complicated to be able to satisfy that.

Very true. Talking about getting things

complicated. As you mentioned, industries have their own

standards, such as PCI DSS for the payment card industry, then

there are various laws and regulations such as HIPAA, GDPR,

CCPA, CPA and more. There are also a whole bunch of frameworks

such as NIST, ISO 27,001, Center for Internet Security controls,

and more. So one of the challenges I see organizations

grappling with, is to make sure they are in compliance of all

they need to be in compliance off. In other words, just trying

to stay on top of all these different regulatory and

compliance requirements can be an extremely challenging

proposition. What do you think?

Oh, absolutely. I mean, I think there's, there's

there's a challenge getting compliant. And then there's,

there's certainly maybe an even even more challenge of actually

like maintaining it. And then it's just like, you know, the,

are you really any better off? Right? I mean, I think it's also

you have to ask, right, it's just like, yeah, like, I'm

compliant. And certainly, there's some benefits. And, you

know, but I think but, you know, I think there's there's all

these other challenges of dilution of kind of the types of

people that are doing the assessments. There's different

types of quality and the third parties. So, you know, one

report from one particular third party, like, we'll call it

auditor assessor is not necessarily equivalent to

another that's also accredited, right? So. So I think it comes

back, if you, if you come back to trust, it's just like, at

what point will we start to go beyond some of these point in

time, like pieces of paper, right, that kind of prove

compliance to these organizations? Or when do

organizations no longer trust a piece of paper, and I think

we're seeing that now, like, a lot of our customers, like have

to do it, it's contracts there, they're contractually obligated,

or they're trying to do business with the federal government, as

an example, I have to be FedRAMP compliant. But I think a lot of

these like commercial like SOC 2 and ISO 27,001, it really is,

it's kind of table stakes, like you have to have it. And then

there's still a very vicious kind of vendor review process

that, you know, you still may have to do a questionnaire, you

still may have to provide, you know, scanning reports or pen

test reports. So, you know, it's just like all this work for, to

basically have a conversation, and then you still have to, you

know, prove out your security.

Yeah, I can totally see that. And that can

be frustrating. What concerns me is organizations, finding ways

of somehow meeting the compliance requirements to be

eligible to be able to compete for a certain contract. In other

words, organizations can be motivated to adopt the

check-the-box approach. So how do you ensure that this

check-the-box mentality or behavior is not encouraged?

Yeah. Yeah, I mean, it's a good question. I

mean, I think there's a couple of different factors in that.

I'm obviously biased, coming from like, the third party

world. You know, I think it's, you know, did did they use a

reputable third party? Is that, you know, I think specifically

in the realm of cybersecurity, right, is that is that third

party known for really understanding and being kind of

a technical type of company? Like, are they an audit firm?

Right, like, you know, we can we can talk about that a lot,

right? Like, a lot of audit firms do a lot of these things.

And some of them are really good, right. There's others that

aren't like, they're, you know, the, the, the resources are

predominantly, like, they're not very technical. So I think, you

know, being able to evaluate what that third party is doing.

And then again, I mean, I think that, I do believe that, you

know, some of the compliance reports, and some of the

standardization of it are really good. But I don't think like,

that's where it should stop. Like, I think, you know, there's

additional kind of tech Bill tech, technical due diligence

that shouldn't be done. And quite frankly, I mean, I think

that's becoming common, right, I think the companies that take

security really seriously and take third party secure third

party vendor security very seriously. You know, like, I

have one customer, Silicon Valley, publicly traded customer

now. And they, they basically would just send over kind of

open ended kind of technical questions. And they, it's very

easy to detect, like when someone is, you know, is full of

it, right? They don't really know what they're talking about.

So I think just even things, simple things such as that can

really make you question whether or not like the the party on the

other end, right, that's going to hold your data, like actually

knows what they're doing and has their hands around it. So again,

I think other companies take it different places, and you know,

that it likely should be a risk based kind of decision, right?

Like, what what is being stored? What is being what are they

handling for you? Is it critical? Is it not? And then,

you know, make make decisions on the rigor that you want to put

on because you can't, it's, it's impossible, especially with the

kind of intertwined cloud services. The cloud service

used, that's gonna ramp in today's society like to go and,

you know, really do deep, deep technical reviews of every

single company, right? It's just not scalable. So so, you know,

having these kinds of kinds of ways to really early detect

whether or not this has been a you want to do business, whether

or not I think is this kind of a good approach that I've seen

some of our customers take?

That's good to know. In fact, I'd like to

pick up on something you said you talked about. Yeah, I think

you were alluding to oversight, that you can have a compliance

team in place, you know, ensuring that the organization

is in compliance of the relevant regulations. But there also

needs to be oversight to ensure that the organization is going

beyond the check-the-box approach, the approach is

substantive, that, you know, when, let's say our compliance

requirement is to have a certain type of security training,

making sure that the training is really personalized, customized.

And there's a follow up, there is assessment, there is

repetition. So I'm just using training as an example, to make

the difference between what could be somehow get it done

hire a vendor company, and they offer you an out of the box

training curriculum, let's say, and that is, that is okay. But

the organization needs to customize it, because every

organization has unique needs, has unique roles that people

perform. So that's where I feel that this discussion on

compliance needs to be coupled with the discussion on

governance mechanisms, measures, which ensure that, you know, the

tools that are being used to assess compliance, to ensure

compliance, are being leveraged effectively and essentially,

people are doing the right thing. Your thoughts, your

reactions?

Yeah, I mean, I think when, like, I think

without a layer of governance, and a strategy for like, what

you want to accomplish out of some of these compliance

frameworks, like it, I think, in many cases, it becomes like,

like, compliance is just sales, right? You're just doing it so

that you can sell to other companies. It's not actually

used as a mechanism to secure things internally, in the long

run, right? Like, will that help probably like there's, you know,

implementing controls and versus not having them is probably

effective. But I think until there's like this kind of top

down approach of like, hey, like this is, you know, we obviously

have to do this, but here's how we're gonna do like, take this

seriously, like, kind of the same customer I was mentioning

earlier, they they handle handle a lot of payments, right. And so

payments, payments, security is extremely important to their

business. And they have to take it seriously, right, like, maybe

that's the nature of this company that they run. But, you

know, it's like, security's embedded into like, every layer

of their organization, right, developers are responsible for

security. You know, and so, like, that's part of the culture

that they establish and buying in. And you know, funny enough,

like, a lot of lot of the compliance stuff is for them,

it's an outcome, it's not something that they like have to

do. And so, you know, they, they take security very seriously.

Then they get audited, and as a nature of taking security very

seriously, like, generally, their, their audits are

extremely clean and very successful. So again, I think

that that type of approach that we've seen is, is super

effective. And I think it really starts with that governance

level, or at least, like, you know, leadership being

completely bought in and to what that what that means.

Very true. In fact, yesterday, I was

talking with a CISO. And he mentioned, he said, you know,

compliance is expected, but compliance by itself, it's not

good enough, when it comes to establishing a strong

cybersecurity posture. So, I'm interested in getting your

perspective on what does it take to create a robust cybersecurity

compliance program? In other words, if you could highlight

some of the key elements of a robust compliance program?

Yeah, from a compliance person, I'm speaking

specifically to compliance not necessarily, like overall, like

security, right. But so I think for to having an effective

compliance program is really to think about, you know, what is

like what is that kind of like, you know, continuum of like,

maturity, right. So for us, like, what we see is you've got,

you know, you get this new organization, they're doing

compliance. And they're largely like, doing it in a manual

fashion, right? Like, they're kind of, they got a couple of

people, they run around, chasing people down, trying to, again,

say, like, kind of checking the boxes, right? It's not

proactive, it's reactive. Audit season is typically extremely

stressful. And you really have like, your, your fingers

crossed, that you've done all that you need to do, right. You

know, you'd be surprised at the size of companies that we deal

with where it's like, Oops, like, forgot to do a quarter

quarterly vulnerability scan. Right? Not good guys, right?

That's going to be a problem. You know, here's, here's what

we're gonna have to do so. So I think that's kind of where I

would say, like, you know, you get the most like, immature

companies, and there's probably even a spectrum of that

immaturity. Where it's like, you know, that's expected for a

startup, right? That's not expected for a publicly traded

company right. So so that lack of investment in you know, not

taking that stuff overly seriously or at least just being

thoughtful about it, I think is kind of at the very kind of

beginning and then you get into you know, what we call like

coordinated which is you understand all you need to

accomplish you think about how you build you know, solid

workflows to make that happen. You minimize the amount of like

auditors that you deal with like we call it kind of coordinated

assessments, right. So you choose you know, vendors that

can eliminate audit fatigue throughout your organization.

And you really tried to like you know, as another feature this

will be centralizing, you know, compliance across like business

units right. So if you have your have kind of a conglomerate, and

you have 30 different business units you know, and you have

every single business unit kind of does their own thing like

that's, that's not very mature but having some type of

coordinated effort and a centralized group that helps

manage some of those things. Those are some ways that we see

people kind of continue down this like maturity skip cycle.

Um, And then I think you, you start to get into this this kind

of realm of automation, right? So I would say like, the next

big bucket is okay, you know, what am I am I using really good

tooling to automate like the workflows, you know, I have a

way to have this like centralized place where all

those things are happening. I'm using very few type of

assessors. And I don't have like, you know, 10 different

kind of audit opinions being spun at me. And then I think

that kind of the next two places are really around, you know,

kind of further automating a lot of the technical components that

you you can do, which I think is very, it's a very new kind of

concept in general. And I think the adoption of that will be

slower for enterprise companies. But you know, I think that's

going to continue, like how do I start to do things and like,

report on those things in an automated fashion versus having

humans do it? And then I think, at the end of that spectrum is

just like, Okay, how do we get to this place of real continuous

monitoring for the large majority of our kind of control

environment? If 60 70% of our controls are kind of technical

in nature? You know, how do we, you know, pull that information

out and visualize it more in real time versus waiting for

internal control assessments, or annual, you know, annual

assessments for auditors to really determine the overall

effectiveness of that. So I think like to me, like that's,

that's where we're headed in terms of the future of trust is,

you know, that customer start to actually share real time

insights into actually what's actually happened versus like

people distributing, you know, PDF reports of compliance

status. And I think there's been some really large organizations

that have talked publicly about it. One of them is Equifax.

Like, right now, they have some type of program. So for their

customers, they share out, you know, dashboards of some of

their cloud environments, and what the status of those

controls are. So I think stuff like that is going to become way

more, the adoption of that is going to become much higher. And

I think as a result, you know, scanners, it will establish more

trust and can be a differentiator for these, those

types of companies that do that go the extra mile.

That's really good to hear. Because I

couldn't agree with you more, the importance of continuous

monitoring, and the extent to which we can use technology, not

only to automate the process, but also to direct the alerts to

the appropriate folks. And make sure that the alerts are being

received and acted upon. I'm very, I'm very passionate about,

you know, while organizations have monitoring mechanisms,

where they tend to fall behind, is, you know, often good

intelligence goes unrecognized. Good intelligence is ignored.

It's not responded to, and I wish we can have appropriate

tools, that reduces the possibility of that happening.

So based on what I'm hearing from you, that is very

encouraging news. So going back to automation, compliance, and I

know that your organization has developed a platform to provide

those services, when an organization is considering

investing in such tools and capabilities, what guidance or

what recommendations would you have for them?

Yeah, I mean, I think I think it really comes

down to like, what what are your organization's like, biggest

pain points? Right? You know, so we see kind of the full full

spectrum of like, what that is for organizations, we see

organizations on different parts of that like maturity cycle. And

it's different for everybody. And, you know, I think for us,

and kind of a large majority of our customer base are typically

bigger customers. And so, the problems are more complicated,

right? So they have many different business units, many

different applications, they may have, you know, applications

that are federal in nature and have to go through FedRAMP they

may have that same application in a commercial environment,

which is governed by four different kinds of commercial

standards. So it gets like really messy really quick. So I

think it's, one, just like really understanding that you

you know that you need help, and that spreadsheets aren't doing

it for you and spreadsheets and email. And then two you know, if

that's not doing for you, right? What is? What are kind of the

core pieces of your workflow? And how do you start to, like,

chip away at it? You know, so for us, like, you know, we think

like, the first kind of step that you need to solve is, do

you understand all the things that you need to do? And who

needs to do them? And at what time? Do they need to do them?

So that you kind of get your hands around? The what is the

compliance problem that you're at your organization? Right? And

then the next piece of that is like, Okay, well, how do we then

start to automate more and more of this activity? And then how

do we get to this, like continuous state of continuous

compliance, you can, you know, continuous monitoring and

continuous visualization of what's going on. So, you know, I

think, what we see right now, there's the marketplace is kind

of, it's really wild. In this, it's a new category, like, it's

not even. It's not even something that you know, is on a

quadrant within like Gartner, Forrester, it's really spun up

in the last like, two years. So you got, you know, all of these

different types of organizations popping up. And they're, they're

finding a lot of product market fit, I think, specifically in

the lower lower end of the market for these tech startups.

Because, again, the startups needed need to show compliance

to sign contracts, right. So so I think there's some really good

things that have happened and the disruption or kind of the

creative destruction that's happened with it in terms of

what it's doing to, you know, the, the, the audit assurance

space, I think, is extremely healthy. But I think it's also

has a tendency to, hey, we're just gonna hack compliance,

right, which gets us back to the old ways of checking boxes,

right, it's like, just doing automated fashion, with a SAS

tool. So I think, you know, we've seen kind of various

things, and we're trying to be intentional about how we, how

we, how we make compliance easier, but we also realized

that it's still extremely hard, and it's still very valuable to

people's business, right? It's like you do business with

federal government, you have to be FedRAMP compliant. And it's

got seven figure implications, right? If you come out of

compliance, that can be hacked, right. So you know, make just

making sure that those tools like are going to fit your needs

and kind of your use case, making sure that you you kind of

sneak about it with the goals of the company, right? Like going

and hacking SOC 2, early on, like maybe what you need, right?

But if you get a start to expand on these other things, and let's

say FedRAMP is on your roadmap, you know, maybe it's not? So do

you have a tool that can grow with you and kind of accomplish

the things that you need to do? And then, you know, I think the

other thing, too, is just like, who is, you know, these tools

make a lot of claims, a lot of which that I think we as a

company and co founder disagree with, there's certain pieces of

compliance that can't be automated, right? So large

claims, like 70% of PCI can be automated. I find that to be I

find that hard to believe. And then I think, you know, along

with that, right, it's, can I support multiple business units

and have like, the same visibility is like that I have

with one.

And then to what extent does it, you know, connect into my

technology stack. So another thing that we've seen in the

marketplace is like, these tools are great for cloud services.

They're great for like infrastructures, service

providers, so they connect into Amazon and GCP. And some of

those in Azure. What they don't do is they don't, they don't do

anything at the operating system level, right, which is really

hard. And I think it's a problem that still needs to be solved.

But like, so. Yeah. Like, you may be automating certain

components, let's say for identity and access management,

and like, who has access and who has administrative access,

right? Like you can go and kind of pull and test some of those

things. But you're not, you're not doing that at an operating

system level. Right. So when we do when we look and evaluate

security, we get to evaluate the the actual application itself,

the underlying operating systems, and then the underlying

infrastructure. So it's like you're covering kind of 1/3 of

the technology stack, not, not too not all three. So again,

it's like, I think that comes with, you know, these are

product companies, not security companies. Again, I think it's

super healthy for like, what they're doing and how they're

pushing the industry to evolve and to get out of paper, but I

think at the same time, there's still a level of maturity that

that we have to kind of establish. And it'll be

interesting, I think, you know, to see like what type of

governance is applied to like, even those types of tools,

right? Like, yeah, you can go and do your your own kind of

like SOC 2 report, your own ISO 27,000 report. But, you know, I

don't, I'm not sure like, that's the type of assurance that we

need, we need better assurance that, you know, what is being

automated is legitimate. That, you know, the green, the green,

Harvey balls that show green are actually green, the Reds

actually red and you know, making sure that you know, what

it like, what it what we are reporting, what we are

automating, and, you know, where we see some of the auditors

consuming these tools and kind of, and still checking boxes,

right? Like, just making sure that there's some due diligence

that's done, or we're going to get in the situation where,

like, there, there's like, no trust, because it's all, you

know, a bunch of garbage so. So yeah, it's a real fascinating

subject, again, tons of money being thrown at it right now.

And we're just trying to kind of wade through it all, and be

thoughtful about how we're building it and what our

customers need. But there's certainly some some really great

technology out there that I think can can certainly make a

big difference, and allow organizations to scale without

having to hire, you know, armies of people to just manage

compliance, which is something it's a kind of common occurrence

that we see for very, very large organizations.

Yeah, very true. You know, when I, when I

think about this in the big scheme of things, and obviously,

from a cybersecurity perspective, where an

organization is trying to stay as secure as possible, and be

proactive in their approach, one of the goals of compliance would

be to ensure that all the relevant controls are in place,

and they are doing what they're supposed to do. But as you

pointed out, these tools can't be left to themselves, in the

sense, you have to do your own due diligence, to make sure the

tools do what they promised to do. In other words, you can't

become slaves of the tool, the organization has to have its own

governance team by whatever name, they are called, maybe the

compliance team to review the relevant tools, recognize the

shortcomings, document the shortcomings, and also document

how they plan to address the shortcomings this way, there is

greater transparency, that, yes, we have this tool, which is

going to help us enforce controls. But we also recognize

that there are areas where we may or may have to, you know,

use other approaches. So so we are coming back to taking a very

holistic approach to compliance management as opposed to a tool

driven approach where we are basically relying on what the

vendor tells us, and we're just going with it, which I don't

believe any, any company or any right thinking company will do.

But I think it's good to caution them about it. So I appreciate

that insight. What else do you think listeners could benefit

from learning about compliance management from an information

security standpoint? Or anything else that you think is pertinent

to this discussion that we haven't talked about yet? Yeah,

I

mean, I think we've covered covered quite a

bit. You know, I think, again, I think we can talk a lot about

how compliance is challenging. Again, I think there there's

certainly benefits of compliance. I think there's

benefits of, you know, industry standards. Like I've always

been, you know, a huge fan of how the how the PCI Council is

handled, like the PCI standards, in the sense that, you know, I

think what is common is like, you know, if you go talk to 100

100 customers, and ask about how they do risk management,

everybody does it differently. Some of them do it very

incorrectly. Some of them do it really well, right. And there's

a lot of in between so, so I think like, you know, their

stance, his stance, historically is just like, oh, well, we

don't, we don't have a lot of trust that organizations know

how to do risk management, and then apply the necessary

controls to address all the risks that face, you know,

payment security. So it's like, we're going to kind of do that

for you. Right and tell you there's a 300 things that you

need to do to be secure. And if you don't do it, you need to

tell us like what else you're doing and what they call a

compensating control worksheet. So I think those types of

approaches, I think you're super healthy, in many cases,

especially if you think about the different types of maturity

levels organizations that need to be PCI compliant. But then,

at the same time, it really hurts organizations in some

cases that take security very seriously and have been very

thoughtful about compensated, how they compensate for not

having something in place because they don't need to,

because the way their systems are architected, or a different

piece of technology that they have, in the backend that solves

that problem slightly different. So, you know, I think it's, it's

all about, you know, I think it's just like we learn

something new every day, and a new standard is released every

day. And, you know, I think the more that, you know, the the, I

think, you know, as all the scares last year with some of

the third party stuff that happened and breaches. And I

think the rigor that will now be placed on vendor management, I

just think it's going to be really interesting in kind of

how it all plays out how, what does trust look like, in three

years? What does it look in five years? What does it look like in

10 years? And can we keep up right, with the pace of all

these new regulations? Like, can people really afford to do it?

Or, you know, at what point does it become such a nuisance,

right? The organization's is like, can't support it any

longer, it's too expensive. So I think, you know, we've got to be

careful around, like, what we adopt and why we adopt it. Or

else, you know, I think it can be a detriment to like moving

forward to, you know, for funding that should be spent

more on actual security or other parts that kind of enable the

business. So. So certainly the thing, a lot of other things to

watch out for is, you know, in the coming years, as I think

we're going to continue to see more, more of the same, and then

there'll be some, there'll be some additional type of

disruption that happens and, but hard to see, you know, through

all the all the smoke in terms of what that's kind of

ultimately going to look like,

yep, yep. Very interesting. In fact, the

phrase that comes to mind, while you were talking about trust, is

trust, but verify, right? We can have all the tools in the world,

but we can't become slaves to automation, tools can do only so

much. They have to be backed by good governance mechanisms,

highly trained personnel, robust oversight. So it has to be a

multi pronged approach. Even when it comes to effective

compliance. While compliance is one aspect of security

governance, it can become a very effective aspect. Once again, if

there is a real intent, there's a real commitment behind it, as

opposed to trying to outsource it and saying, okay, we have

this vendor who can take take care of this for us, we have

their platform, they have their tool, and we can look the other

way, I don't think that works. And I think you spoke to that,

that there has to be oversight, there has to be ownership. And

that's when the process will go better. Because it's a evolving

landscape, it's a moving target. And conscientious organizations,

security concerned organizations must take very deliberate,

thoughtful steps. Well, Dixon, this has been a real pleasure.

Thank you very much for your time. And let's conclude with a

few final words, if you have any for the listeners.

Yeah, appreciate you. Appreciate you having me

on. So I have been trying to talk shop about this stuff. I

can geek out about it all day. But yeah, I think for those

listening and yeah, there's a, I would say there's a huge

opportunity for folks that, you know, have interest in kind of

getting in the security realm of, you know, following some

type of like, GRC path as an entry point. Like, there's not a

lot of experience that's required. Generally, you know,

you don't even need a college degree in some cases, right.

There's a lot of security certifications out there. While

I'm not really very big on those, right, like go and pursue

cloud certifications or security certifications, but but yeah,

great entry path into the security world. And then you can

kind of pivot where you want to go, but you get a lot of

exposure to a lot of different companies and a lot of different

kinds of security measures. And so it's a great primer for folks

wanting to join and not having a big kind of hurdle to get there.

So, we're always looking for great people. So, go look us up.

Fantastic, fantastic. Yep. The

opportunities are out there for people who are interested,

passionate, who are curious, who want to make a difference. So,

so yeah, sounds great. Well, thank you again, it has been a

pleasure. Thanks. A special thanks to Dixon Wright for his

time and insights. If you like what you heard, please leave the

podcast a rating and share it with your network. Also,

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization