Artwork for podcast The Cybersecurity Readiness Podcast Series
Is Cybersecurity Regulatory Compliance Good Enough?
Episode 2313th April 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:41:09

Share Episode

Shownotes

"The story of the RMS Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security. The ship was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. The designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required." (securicon.com) Dixon Wright, Vice President, Vice President, Compliance Management and Automation Platform, Coalfire, speaks to the importance of moving beyond the check-the-box approach and engaging in substantive information security compliance efforts. He recommends the judicious adoption and use of appropriate compliance management and automation platforms.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-23-is-cybersecurity-regulatory-compliance-good-enough/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

Officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia, and visiting professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, I'll be talking with Dixon Wright, Vice

Dr. Dave Chatterjee:

President Product Management of Coalfire. Coalfire is a

Dr. Dave Chatterjee:

cybersecurity solutions provider. And Dixon leads

Dr. Dave Chatterjee:

product efforts for Coalfire's compliance management and

Dr. Dave Chatterjee:

automation platform. He is responsible for product vision

Dr. Dave Chatterjee:

and execution, go-to-market activities, and product revenue.

Dr. Dave Chatterjee:

Dixon mentions in his professional profile, that he is

Dr. Dave Chatterjee:

on a mission to make security compliance easier through

Dr. Dave Chatterjee:

software and automation. And so I felt that he was the perfect

Dr. Dave Chatterjee:

guest for our discussion on information security compliance.

Dr. Dave Chatterjee:

Dixon, welcome. Thanks for taking time to share your

Dr. Dave Chatterjee:

thoughts and perspectives with listeners.

Dixon Wright:

Thanks for Thanks for having me excited to be here

Dixon Wright:

and chat about something that I'm passionate about.

Dr. Dave Chatterjee:

Yeah, let's talk about your passion. What

Dr. Dave Chatterjee:

gets you passionate about information security compliance?

Dixon Wright:

Yeah, I guess, you know, it's, as someone who kind

Dixon Wright:

of came up through the ranks of IT audit started my career, at

Dixon Wright:

the Big Four at KPMG. And I've had some considerable steps

Dixon Wright:

along the way to get to Coalfire. But you know, thinking

Dixon Wright:

about how historically like, everything is extremely manual,

Dixon Wright:

it's extremely labor intensive, lots of narrative writing, when

Dixon Wright:

the essence is trying to really dissect whether or not technical

Dixon Wright:

things are implemented correctly, and then weighing an

Dixon Wright:

opinion against that. So it's just that, you know, one of my

Dixon Wright:

old colleagues said it best he's like, we hire really expensive,

Dixon Wright:

technical people and 60, 70% of their job is being a technical

Dixon Wright:

writer. Right. So, so both from a business stance, as well, as

Dixon Wright:

you know, I think from a security stance, that's probably

Dixon Wright:

not the best allocation of resources. So I think, you know,

Dixon Wright:

our, again, our vision and mission is really to make that

Dixon Wright:

easier from the customer side, but also, you know, use that to

Dixon Wright:

enable the business as well.

Dr. Dave Chatterjee:

Very cool. Very cool. So, you know, for the

Dr. Dave Chatterjee:

benefit of the listeners, provide an overview of security

Dr. Dave Chatterjee:

compliance, and the current state of affairs.

Dixon Wright:

Yeah, it's a great, it's a very, very broad

Dixon Wright:

topic, I try to do do it to the best of my ability. But I think,

Dixon Wright:

I think security compliance, like starts with third party

Dixon Wright:

trust. So when we think about, you know, why they exist, kind

Dixon Wright:

of, I would say, the foundation, the genesis of compliance was,

Dixon Wright:

hey, like, we want to do business with other businesses,

Dixon Wright:

like we need to determine whether or not they're doing the

Dixon Wright:

things we need them to do. And I think a lot of this even started

Dixon Wright:

financially with some of the Sarbanes Oxley like IT controls

Dixon Wright:

when you outsource particular pieces of your, your process

Dixon Wright:

internally. So specifically, some of the, you know, I've been

Dixon Wright:

an expert in for a while is SOC reporting. And that, you know,

Dixon Wright:

basically what happened is is like, all these third, you know,

Dixon Wright:

all of these companies wanted to go in and like audit their

Dixon Wright:

vendors. And so basically, there was, you know, things change,

Dixon Wright:

and they develop this kind of, okay, well, actually, let's

Dixon Wright:

create a standard so that third party organizations can go in

Dixon Wright:

and do their own assessments and then provide a report that can

Dixon Wright:

then be distributed across to all those customers so that, you

Dixon Wright:

know, it's do once provide many versus having these like

Dixon Wright:

one-to-one audits per customer that you have. And I think

Dixon Wright:

that's, you know, that is expanded so, you know, vary

Dixon Wright:

greatly over the last, like, you'll see, we'll call it 10

Dixon Wright:

years because all of these different kinds of industries

Dixon Wright:

and sectors have created their own types of standards that now

Dixon Wright:

all of these organizations have to comply with. And I think,

Dixon Wright:

more recently, we've seen a large amount of like

Dixon Wright:

jurisdictional specific standards pop up. So if you want

Dixon Wright:

to go and do business inside of Germany, German organizations

Dixon Wright:

may now require you to follow some type of German standard

Dixon Wright:

same in India, same in Japan. So when you think about these large

Dixon Wright:

technology, SAS providers, they have, you know, so many things

Dixon Wright:

that they have to comply with. But it all comes back, I think,

Dixon Wright:

you know, at its core is like, the, the point is to be able to

Dixon Wright:

show trust, the way in which trust is executed or is

Dixon Wright:

implemented or evidence is just now becoming vastly different

Dixon Wright:

depending on who you do business with and where you do business.

Dixon Wright:

So, you know, the larger the company, the more things you

Dixon Wright:

have to do, obviously, the you know, it gets exponentially more

Dixon Wright:

and more complicated to be able to satisfy that.

Dr. Dave Chatterjee:

Very true. Talking about getting things

Dr. Dave Chatterjee:

complicated. As you mentioned, industries have their own

Dr. Dave Chatterjee:

standards, such as PCI DSS for the payment card industry, then

Dr. Dave Chatterjee:

there are various laws and regulations such as HIPAA, GDPR,

Dr. Dave Chatterjee:

CCPA, CPA and more. There are also a whole bunch of frameworks

Dr. Dave Chatterjee:

such as NIST, ISO 27,001, Center for Internet Security controls,

Dr. Dave Chatterjee:

and more. So one of the challenges I see organizations

Dr. Dave Chatterjee:

grappling with, is to make sure they are in compliance of all

Dr. Dave Chatterjee:

they need to be in compliance off. In other words, just trying

Dr. Dave Chatterjee:

to stay on top of all these different regulatory and

Dr. Dave Chatterjee:

compliance requirements can be an extremely challenging

Dr. Dave Chatterjee:

proposition. What do you think?

Dixon Wright:

Oh, absolutely. I mean, I think there's, there's

Dixon Wright:

there's a challenge getting compliant. And then there's,

Dixon Wright:

there's certainly maybe an even even more challenge of actually

Dixon Wright:

like maintaining it. And then it's just like, you know, the,

Dixon Wright:

are you really any better off? Right? I mean, I think it's also

Dixon Wright:

you have to ask, right, it's just like, yeah, like, I'm

Dixon Wright:

compliant. And certainly, there's some benefits. And, you

Dixon Wright:

know, but I think but, you know, I think there's there's all

Dixon Wright:

these other challenges of dilution of kind of the types of

Dixon Wright:

people that are doing the assessments. There's different

Dixon Wright:

types of quality and the third parties. So, you know, one

Dixon Wright:

report from one particular third party, like, we'll call it

Dixon Wright:

auditor assessor is not necessarily equivalent to

Dixon Wright:

another that's also accredited, right? So. So I think it comes

Dixon Wright:

back, if you, if you come back to trust, it's just like, at

Dixon Wright:

what point will we start to go beyond some of these point in

Dixon Wright:

time, like pieces of paper, right, that kind of prove

Dixon Wright:

compliance to these organizations? Or when do

Dixon Wright:

organizations no longer trust a piece of paper, and I think

Dixon Wright:

we're seeing that now, like, a lot of our customers, like have

Dixon Wright:

to do it, it's contracts there, they're contractually obligated,

Dixon Wright:

or they're trying to do business with the federal government, as

Dixon Wright:

an example, I have to be FedRAMP compliant. But I think a lot of

Dixon Wright:

these like commercial like SOC 2 and ISO 27,001, it really is,

Dixon Wright:

it's kind of table stakes, like you have to have it. And then

Dixon Wright:

there's still a very vicious kind of vendor review process

Dixon Wright:

that, you know, you still may have to do a questionnaire, you

Dixon Wright:

still may have to provide, you know, scanning reports or pen

Dixon Wright:

test reports. So, you know, it's just like all this work for, to

Dixon Wright:

basically have a conversation, and then you still have to, you

Dixon Wright:

know, prove out your security.

Dr. Dave Chatterjee:

Yeah, I can totally see that. And that can

Dr. Dave Chatterjee:

be frustrating. What concerns me is organizations, finding ways

Dr. Dave Chatterjee:

of somehow meeting the compliance requirements to be

Dr. Dave Chatterjee:

eligible to be able to compete for a certain contract. In other

Dr. Dave Chatterjee:

words, organizations can be motivated to adopt the

Dr. Dave Chatterjee:

check-the-box approach. So how do you ensure that this

Dr. Dave Chatterjee:

check-the-box mentality or behavior is not encouraged?

Dixon Wright:

Yeah. Yeah, I mean, it's a good question. I

Dixon Wright:

mean, I think there's a couple of different factors in that.

Dixon Wright:

I'm obviously biased, coming from like, the third party

Dixon Wright:

world. You know, I think it's, you know, did did they use a

Dixon Wright:

reputable third party? Is that, you know, I think specifically

Dixon Wright:

in the realm of cybersecurity, right, is that is that third

Dixon Wright:

party known for really understanding and being kind of

Dixon Wright:

a technical type of company? Like, are they an audit firm?

Dixon Wright:

Right, like, you know, we can we can talk about that a lot,

Dixon Wright:

right? Like, a lot of audit firms do a lot of these things.

Dixon Wright:

And some of them are really good, right. There's others that

Dixon Wright:

aren't like, they're, you know, the, the, the resources are

Dixon Wright:

predominantly, like, they're not very technical. So I think, you

Dixon Wright:

know, being able to evaluate what that third party is doing.

Dixon Wright:

And then again, I mean, I think that, I do believe that, you

Dixon Wright:

know, some of the compliance reports, and some of the

Dixon Wright:

standardization of it are really good. But I don't think like,

Dixon Wright:

that's where it should stop. Like, I think, you know, there's

Dixon Wright:

additional kind of tech Bill tech, technical due diligence

Dixon Wright:

that shouldn't be done. And quite frankly, I mean, I think

Dixon Wright:

that's becoming common, right, I think the companies that take

Dixon Wright:

security really seriously and take third party secure third

Dixon Wright:

party vendor security very seriously. You know, like, I

Dixon Wright:

have one customer, Silicon Valley, publicly traded customer

Dixon Wright:

now. And they, they basically would just send over kind of

Dixon Wright:

open ended kind of technical questions. And they, it's very

Dixon Wright:

easy to detect, like when someone is, you know, is full of

Dixon Wright:

it, right? They don't really know what they're talking about.

Dixon Wright:

So I think just even things, simple things such as that can

Dixon Wright:

really make you question whether or not like the the party on the

Dixon Wright:

other end, right, that's going to hold your data, like actually

Dixon Wright:

knows what they're doing and has their hands around it. So again,

Dixon Wright:

I think other companies take it different places, and you know,

Dixon Wright:

that it likely should be a risk based kind of decision, right?

Dixon Wright:

Like, what what is being stored? What is being what are they

Dixon Wright:

handling for you? Is it critical? Is it not? And then,

Dixon Wright:

you know, make make decisions on the rigor that you want to put

Dixon Wright:

on because you can't, it's, it's impossible, especially with the

Dixon Wright:

kind of intertwined cloud services. The cloud service

Dixon Wright:

used, that's gonna ramp in today's society like to go and,

Dixon Wright:

you know, really do deep, deep technical reviews of every

Dixon Wright:

single company, right? It's just not scalable. So so, you know,

Dixon Wright:

having these kinds of kinds of ways to really early detect

Dixon Wright:

whether or not this has been a you want to do business, whether

Dixon Wright:

or not I think is this kind of a good approach that I've seen

Dixon Wright:

some of our customers take?

Dr. Dave Chatterjee:

That's good to know. In fact, I'd like to

Dr. Dave Chatterjee:

pick up on something you said you talked about. Yeah, I think

Dr. Dave Chatterjee:

you were alluding to oversight, that you can have a compliance

Dr. Dave Chatterjee:

team in place, you know, ensuring that the organization

Dr. Dave Chatterjee:

is in compliance of the relevant regulations. But there also

Dr. Dave Chatterjee:

needs to be oversight to ensure that the organization is going

Dr. Dave Chatterjee:

beyond the check-the-box approach, the approach is

Dr. Dave Chatterjee:

substantive, that, you know, when, let's say our compliance

Dr. Dave Chatterjee:

requirement is to have a certain type of security training,

Dr. Dave Chatterjee:

making sure that the training is really personalized, customized.

Dr. Dave Chatterjee:

And there's a follow up, there is assessment, there is

Dr. Dave Chatterjee:

repetition. So I'm just using training as an example, to make

Dr. Dave Chatterjee:

the difference between what could be somehow get it done

Dr. Dave Chatterjee:

hire a vendor company, and they offer you an out of the box

Dr. Dave Chatterjee:

training curriculum, let's say, and that is, that is okay. But

Dr. Dave Chatterjee:

the organization needs to customize it, because every

Dr. Dave Chatterjee:

organization has unique needs, has unique roles that people

Dr. Dave Chatterjee:

perform. So that's where I feel that this discussion on

Dr. Dave Chatterjee:

compliance needs to be coupled with the discussion on

Dr. Dave Chatterjee:

governance mechanisms, measures, which ensure that, you know, the

Dr. Dave Chatterjee:

tools that are being used to assess compliance, to ensure

Dr. Dave Chatterjee:

compliance, are being leveraged effectively and essentially,

Dr. Dave Chatterjee:

people are doing the right thing. Your thoughts, your

Dr. Dave Chatterjee:

reactions?

Dixon Wright:

Yeah, I mean, I think when, like, I think

Dixon Wright:

without a layer of governance, and a strategy for like, what

Dixon Wright:

you want to accomplish out of some of these compliance

Dixon Wright:

frameworks, like it, I think, in many cases, it becomes like,

Dixon Wright:

like, compliance is just sales, right? You're just doing it so

Dixon Wright:

that you can sell to other companies. It's not actually

Dixon Wright:

used as a mechanism to secure things internally, in the long

Dixon Wright:

run, right? Like, will that help probably like there's, you know,

Dixon Wright:

implementing controls and versus not having them is probably

Dixon Wright:

effective. But I think until there's like this kind of top

Dixon Wright:

down approach of like, hey, like this is, you know, we obviously

Dixon Wright:

have to do this, but here's how we're gonna do like, take this

Dixon Wright:

seriously, like, kind of the same customer I was mentioning

Dixon Wright:

earlier, they they handle handle a lot of payments, right. And so

Dixon Wright:

payments, payments, security is extremely important to their

Dixon Wright:

business. And they have to take it seriously, right, like, maybe

Dixon Wright:

that's the nature of this company that they run. But, you

Dixon Wright:

know, it's like, security's embedded into like, every layer

Dixon Wright:

of their organization, right, developers are responsible for

Dixon Wright:

security. You know, and so, like, that's part of the culture

Dixon Wright:

that they establish and buying in. And you know, funny enough,

Dixon Wright:

like, a lot of lot of the compliance stuff is for them,

Dixon Wright:

it's an outcome, it's not something that they like have to

Dixon Wright:

do. And so, you know, they, they take security very seriously.

Dixon Wright:

Then they get audited, and as a nature of taking security very

Dixon Wright:

seriously, like, generally, their, their audits are

Dixon Wright:

extremely clean and very successful. So again, I think

Dixon Wright:

that that type of approach that we've seen is, is super

Dixon Wright:

effective. And I think it really starts with that governance

Dixon Wright:

level, or at least, like, you know, leadership being

Dixon Wright:

completely bought in and to what that what that means.

Dr. Dave Chatterjee:

Very true. In fact, yesterday, I was

Dr. Dave Chatterjee:

talking with a CISO. And he mentioned, he said, you know,

Dr. Dave Chatterjee:

compliance is expected, but compliance by itself, it's not

Dr. Dave Chatterjee:

good enough, when it comes to establishing a strong

Dr. Dave Chatterjee:

cybersecurity posture. So, I'm interested in getting your

Dr. Dave Chatterjee:

perspective on what does it take to create a robust cybersecurity

Dr. Dave Chatterjee:

compliance program? In other words, if you could highlight

Dr. Dave Chatterjee:

some of the key elements of a robust compliance program?

Dixon Wright:

Yeah, from a compliance person, I'm speaking

Dixon Wright:

specifically to compliance not necessarily, like overall, like

Dixon Wright:

security, right. But so I think for to having an effective

Dixon Wright:

compliance program is really to think about, you know, what is

Dixon Wright:

like what is that kind of like, you know, continuum of like,

Dixon Wright:

maturity, right. So for us, like, what we see is you've got,

Dixon Wright:

you know, you get this new organization, they're doing

Dixon Wright:

compliance. And they're largely like, doing it in a manual

Dixon Wright:

fashion, right? Like, they're kind of, they got a couple of

Dixon Wright:

people, they run around, chasing people down, trying to, again,

Dixon Wright:

say, like, kind of checking the boxes, right? It's not

Dixon Wright:

proactive, it's reactive. Audit season is typically extremely

Dixon Wright:

stressful. And you really have like, your, your fingers

Dixon Wright:

crossed, that you've done all that you need to do, right. You

Dixon Wright:

know, you'd be surprised at the size of companies that we deal

Dixon Wright:

with where it's like, Oops, like, forgot to do a quarter

Dixon Wright:

quarterly vulnerability scan. Right? Not good guys, right?

Dixon Wright:

That's going to be a problem. You know, here's, here's what

Dixon Wright:

we're gonna have to do so. So I think that's kind of where I

Dixon Wright:

would say, like, you know, you get the most like, immature

Dixon Wright:

companies, and there's probably even a spectrum of that

Dixon Wright:

immaturity. Where it's like, you know, that's expected for a

Dixon Wright:

startup, right? That's not expected for a publicly traded

Dixon Wright:

company right. So so that lack of investment in you know, not

Dixon Wright:

taking that stuff overly seriously or at least just being

Dixon Wright:

thoughtful about it, I think is kind of at the very kind of

Dixon Wright:

beginning and then you get into you know, what we call like

Dixon Wright:

coordinated which is you understand all you need to

Dixon Wright:

accomplish you think about how you build you know, solid

Dixon Wright:

workflows to make that happen. You minimize the amount of like

Dixon Wright:

auditors that you deal with like we call it kind of coordinated

Dixon Wright:

assessments, right. So you choose you know, vendors that

Dixon Wright:

can eliminate audit fatigue throughout your organization.

Dixon Wright:

And you really tried to like you know, as another feature this

Dixon Wright:

will be centralizing, you know, compliance across like business

Dixon Wright:

units right. So if you have your have kind of a conglomerate, and

Dixon Wright:

you have 30 different business units you know, and you have

Dixon Wright:

every single business unit kind of does their own thing like

Dixon Wright:

that's, that's not very mature but having some type of

Dixon Wright:

coordinated effort and a centralized group that helps

Dixon Wright:

manage some of those things. Those are some ways that we see

Dixon Wright:

people kind of continue down this like maturity skip cycle.

Dixon Wright:

Um, And then I think you, you start to get into this this kind

Dixon Wright:

of realm of automation, right? So I would say like, the next

Dixon Wright:

big bucket is okay, you know, what am I am I using really good

Dixon Wright:

tooling to automate like the workflows, you know, I have a

Dixon Wright:

way to have this like centralized place where all

Dixon Wright:

those things are happening. I'm using very few type of

Dixon Wright:

assessors. And I don't have like, you know, 10 different

Dixon Wright:

kind of audit opinions being spun at me. And then I think

Dixon Wright:

that kind of the next two places are really around, you know,

Dixon Wright:

kind of further automating a lot of the technical components that

Dixon Wright:

you you can do, which I think is very, it's a very new kind of

Dixon Wright:

concept in general. And I think the adoption of that will be

Dixon Wright:

slower for enterprise companies. But you know, I think that's

Dixon Wright:

going to continue, like how do I start to do things and like,

Dixon Wright:

report on those things in an automated fashion versus having

Dixon Wright:

humans do it? And then I think, at the end of that spectrum is

Dixon Wright:

just like, Okay, how do we get to this place of real continuous

Dixon Wright:

monitoring for the large majority of our kind of control

Dixon Wright:

environment? If 60 70% of our controls are kind of technical

Dixon Wright:

in nature? You know, how do we, you know, pull that information

Dixon Wright:

out and visualize it more in real time versus waiting for

Dixon Wright:

internal control assessments, or annual, you know, annual

Dixon Wright:

assessments for auditors to really determine the overall

Dixon Wright:

effectiveness of that. So I think like to me, like that's,

Dixon Wright:

that's where we're headed in terms of the future of trust is,

Dixon Wright:

you know, that customer start to actually share real time

Dixon Wright:

insights into actually what's actually happened versus like

Dixon Wright:

people distributing, you know, PDF reports of compliance

Dixon Wright:

status. And I think there's been some really large organizations

Dixon Wright:

that have talked publicly about it. One of them is Equifax.

Dixon Wright:

Like, right now, they have some type of program. So for their

Dixon Wright:

customers, they share out, you know, dashboards of some of

Dixon Wright:

their cloud environments, and what the status of those

Dixon Wright:

controls are. So I think stuff like that is going to become way

Dixon Wright:

more, the adoption of that is going to become much higher. And

Dixon Wright:

I think as a result, you know, scanners, it will establish more

Dixon Wright:

trust and can be a differentiator for these, those

Dixon Wright:

types of companies that do that go the extra mile.

Dr. Dave Chatterjee:

That's really good to hear. Because I

Dr. Dave Chatterjee:

couldn't agree with you more, the importance of continuous

Dr. Dave Chatterjee:

monitoring, and the extent to which we can use technology, not

Dr. Dave Chatterjee:

only to automate the process, but also to direct the alerts to

Dr. Dave Chatterjee:

the appropriate folks. And make sure that the alerts are being

Dr. Dave Chatterjee:

received and acted upon. I'm very, I'm very passionate about,

Dr. Dave Chatterjee:

you know, while organizations have monitoring mechanisms,

Dr. Dave Chatterjee:

where they tend to fall behind, is, you know, often good

Dr. Dave Chatterjee:

intelligence goes unrecognized. Good intelligence is ignored.

Dr. Dave Chatterjee:

It's not responded to, and I wish we can have appropriate

Dr. Dave Chatterjee:

tools, that reduces the possibility of that happening.

Dr. Dave Chatterjee:

So based on what I'm hearing from you, that is very

Dr. Dave Chatterjee:

encouraging news. So going back to automation, compliance, and I

Dr. Dave Chatterjee:

know that your organization has developed a platform to provide

Dr. Dave Chatterjee:

those services, when an organization is considering

Dr. Dave Chatterjee:

investing in such tools and capabilities, what guidance or

Dr. Dave Chatterjee:

what recommendations would you have for them?

Dixon Wright:

Yeah, I mean, I think I think it really comes

Dixon Wright:

down to like, what what are your organization's like, biggest

Dixon Wright:

pain points? Right? You know, so we see kind of the full full

Dixon Wright:

spectrum of like, what that is for organizations, we see

Dixon Wright:

organizations on different parts of that like maturity cycle. And

Dixon Wright:

it's different for everybody. And, you know, I think for us,

Dixon Wright:

and kind of a large majority of our customer base are typically

Dixon Wright:

bigger customers. And so, the problems are more complicated,

Dixon Wright:

right? So they have many different business units, many

Dixon Wright:

different applications, they may have, you know, applications

Dixon Wright:

that are federal in nature and have to go through FedRAMP they

Dixon Wright:

may have that same application in a commercial environment,

Dixon Wright:

which is governed by four different kinds of commercial

Dixon Wright:

standards. So it gets like really messy really quick. So I

Dixon Wright:

think it's, one, just like really understanding that you

Dixon Wright:

you know that you need help, and that spreadsheets aren't doing

Dixon Wright:

it for you and spreadsheets and email. And then two you know, if

Dixon Wright:

that's not doing for you, right? What is? What are kind of the

Dixon Wright:

core pieces of your workflow? And how do you start to, like,

Dixon Wright:

chip away at it? You know, so for us, like, you know, we think

Dixon Wright:

like, the first kind of step that you need to solve is, do

Dixon Wright:

you understand all the things that you need to do? And who

Dixon Wright:

needs to do them? And at what time? Do they need to do them?

Dixon Wright:

So that you kind of get your hands around? The what is the

Dixon Wright:

compliance problem that you're at your organization? Right? And

Dixon Wright:

then the next piece of that is like, Okay, well, how do we then

Dixon Wright:

start to automate more and more of this activity? And then how

Dixon Wright:

do we get to this, like continuous state of continuous

Dixon Wright:

compliance, you can, you know, continuous monitoring and

Dixon Wright:

continuous visualization of what's going on. So, you know, I

Dixon Wright:

think, what we see right now, there's the marketplace is kind

Dixon Wright:

of, it's really wild. In this, it's a new category, like, it's

Dixon Wright:

not even. It's not even something that you know, is on a

Dixon Wright:

quadrant within like Gartner, Forrester, it's really spun up

Dixon Wright:

in the last like, two years. So you got, you know, all of these

Dixon Wright:

different types of organizations popping up. And they're, they're

Dixon Wright:

finding a lot of product market fit, I think, specifically in

Dixon Wright:

the lower lower end of the market for these tech startups.

Dixon Wright:

Because, again, the startups needed need to show compliance

Dixon Wright:

to sign contracts, right. So so I think there's some really good

Dixon Wright:

things that have happened and the disruption or kind of the

Dixon Wright:

creative destruction that's happened with it in terms of

Dixon Wright:

what it's doing to, you know, the, the, the audit assurance

Dixon Wright:

space, I think, is extremely healthy. But I think it's also

Dixon Wright:

has a tendency to, hey, we're just gonna hack compliance,

Dixon Wright:

right, which gets us back to the old ways of checking boxes,

Dixon Wright:

right, it's like, just doing automated fashion, with a SAS

Dixon Wright:

tool. So I think, you know, we've seen kind of various

Dixon Wright:

things, and we're trying to be intentional about how we, how

Dixon Wright:

we, how we make compliance easier, but we also realized

Dixon Wright:

that it's still extremely hard, and it's still very valuable to

Dixon Wright:

people's business, right? It's like you do business with

Dixon Wright:

federal government, you have to be FedRAMP compliant. And it's

Dixon Wright:

got seven figure implications, right? If you come out of

Dixon Wright:

compliance, that can be hacked, right. So you know, make just

Dixon Wright:

making sure that those tools like are going to fit your needs

Dixon Wright:

and kind of your use case, making sure that you you kind of

Dixon Wright:

sneak about it with the goals of the company, right? Like going

Dixon Wright:

and hacking SOC 2, early on, like maybe what you need, right?

Dixon Wright:

But if you get a start to expand on these other things, and let's

Dixon Wright:

say FedRAMP is on your roadmap, you know, maybe it's not? So do

Dixon Wright:

you have a tool that can grow with you and kind of accomplish

Dixon Wright:

the things that you need to do? And then, you know, I think the

Dixon Wright:

other thing, too, is just like, who is, you know, these tools

Dixon Wright:

make a lot of claims, a lot of which that I think we as a

Dixon Wright:

company and co founder disagree with, there's certain pieces of

Dixon Wright:

compliance that can't be automated, right? So large

Dixon Wright:

claims, like 70% of PCI can be automated. I find that to be I

Dixon Wright:

find that hard to believe. And then I think, you know, along

Dixon Wright:

with that, right, it's, can I support multiple business units

Dixon Wright:

and have like, the same visibility is like that I have

Dixon Wright:

with one.

Dixon Wright:

And then to what extent does it, you know, connect into my

Dixon Wright:

technology stack. So another thing that we've seen in the

Dixon Wright:

marketplace is like, these tools are great for cloud services.

Dixon Wright:

They're great for like infrastructures, service

Dixon Wright:

providers, so they connect into Amazon and GCP. And some of

Dixon Wright:

those in Azure. What they don't do is they don't, they don't do

Dixon Wright:

anything at the operating system level, right, which is really

Dixon Wright:

hard. And I think it's a problem that still needs to be solved.

Dixon Wright:

But like, so. Yeah. Like, you may be automating certain

Dixon Wright:

components, let's say for identity and access management,

Dixon Wright:

and like, who has access and who has administrative access,

Dixon Wright:

right? Like you can go and kind of pull and test some of those

Dixon Wright:

things. But you're not, you're not doing that at an operating

Dixon Wright:

system level. Right. So when we do when we look and evaluate

Dixon Wright:

security, we get to evaluate the the actual application itself,

Dixon Wright:

the underlying operating systems, and then the underlying

Dixon Wright:

infrastructure. So it's like you're covering kind of 1/3 of

Dixon Wright:

the technology stack, not, not too not all three. So again,

Dixon Wright:

it's like, I think that comes with, you know, these are

Dixon Wright:

product companies, not security companies. Again, I think it's

Dixon Wright:

super healthy for like, what they're doing and how they're

Dixon Wright:

pushing the industry to evolve and to get out of paper, but I

Dixon Wright:

think at the same time, there's still a level of maturity that

Dixon Wright:

that we have to kind of establish. And it'll be

Dixon Wright:

interesting, I think, you know, to see like what type of

Dixon Wright:

governance is applied to like, even those types of tools,

Dixon Wright:

right? Like, yeah, you can go and do your your own kind of

Dixon Wright:

like SOC 2 report, your own ISO 27,000 report. But, you know, I

Dixon Wright:

don't, I'm not sure like, that's the type of assurance that we

Dixon Wright:

need, we need better assurance that, you know, what is being

Dixon Wright:

automated is legitimate. That, you know, the green, the green,

Dixon Wright:

Harvey balls that show green are actually green, the Reds

Dixon Wright:

actually red and you know, making sure that you know, what

Dixon Wright:

it like, what it what we are reporting, what we are

Dixon Wright:

automating, and, you know, where we see some of the auditors

Dixon Wright:

consuming these tools and kind of, and still checking boxes,

Dixon Wright:

right? Like, just making sure that there's some due diligence

Dixon Wright:

that's done, or we're going to get in the situation where,

Dixon Wright:

like, there, there's like, no trust, because it's all, you

Dixon Wright:

know, a bunch of garbage so. So yeah, it's a real fascinating

Dixon Wright:

subject, again, tons of money being thrown at it right now.

Dixon Wright:

And we're just trying to kind of wade through it all, and be

Dixon Wright:

thoughtful about how we're building it and what our

Dixon Wright:

customers need. But there's certainly some some really great

Dixon Wright:

technology out there that I think can can certainly make a

Dixon Wright:

big difference, and allow organizations to scale without

Dixon Wright:

having to hire, you know, armies of people to just manage

Dixon Wright:

compliance, which is something it's a kind of common occurrence

Dixon Wright:

that we see for very, very large organizations.

Dr. Dave Chatterjee:

Yeah, very true. You know, when I, when I

Dr. Dave Chatterjee:

think about this in the big scheme of things, and obviously,

Dr. Dave Chatterjee:

from a cybersecurity perspective, where an

Dr. Dave Chatterjee:

organization is trying to stay as secure as possible, and be

Dr. Dave Chatterjee:

proactive in their approach, one of the goals of compliance would

Dr. Dave Chatterjee:

be to ensure that all the relevant controls are in place,

Dr. Dave Chatterjee:

and they are doing what they're supposed to do. But as you

Dr. Dave Chatterjee:

pointed out, these tools can't be left to themselves, in the

Dr. Dave Chatterjee:

sense, you have to do your own due diligence, to make sure the

Dr. Dave Chatterjee:

tools do what they promised to do. In other words, you can't

Dr. Dave Chatterjee:

become slaves of the tool, the organization has to have its own

Dr. Dave Chatterjee:

governance team by whatever name, they are called, maybe the

Dr. Dave Chatterjee:

compliance team to review the relevant tools, recognize the

Dr. Dave Chatterjee:

shortcomings, document the shortcomings, and also document

Dr. Dave Chatterjee:

how they plan to address the shortcomings this way, there is

Dr. Dave Chatterjee:

greater transparency, that, yes, we have this tool, which is

Dr. Dave Chatterjee:

going to help us enforce controls. But we also recognize

Dr. Dave Chatterjee:

that there are areas where we may or may have to, you know,

Dr. Dave Chatterjee:

use other approaches. So so we are coming back to taking a very

Dr. Dave Chatterjee:

holistic approach to compliance management as opposed to a tool

Dr. Dave Chatterjee:

driven approach where we are basically relying on what the

Dr. Dave Chatterjee:

vendor tells us, and we're just going with it, which I don't

Dr. Dave Chatterjee:

believe any, any company or any right thinking company will do.

Dr. Dave Chatterjee:

But I think it's good to caution them about it. So I appreciate

Dr. Dave Chatterjee:

that insight. What else do you think listeners could benefit

Dr. Dave Chatterjee:

from learning about compliance management from an information

Dr. Dave Chatterjee:

security standpoint? Or anything else that you think is pertinent

Dr. Dave Chatterjee:

to this discussion that we haven't talked about yet? Yeah,

Dr. Dave Chatterjee:

I

Dixon Wright:

mean, I think we've covered covered quite a

Dixon Wright:

bit. You know, I think, again, I think we can talk a lot about

Dixon Wright:

how compliance is challenging. Again, I think there there's

Dixon Wright:

certainly benefits of compliance. I think there's

Dixon Wright:

benefits of, you know, industry standards. Like I've always

Dixon Wright:

been, you know, a huge fan of how the how the PCI Council is

Dixon Wright:

handled, like the PCI standards, in the sense that, you know, I

Dixon Wright:

think what is common is like, you know, if you go talk to 100

Dixon Wright:

100 customers, and ask about how they do risk management,

Dixon Wright:

everybody does it differently. Some of them do it very

Dixon Wright:

incorrectly. Some of them do it really well, right. And there's

Dixon Wright:

a lot of in between so, so I think like, you know, their

Dixon Wright:

stance, his stance, historically is just like, oh, well, we

Dixon Wright:

don't, we don't have a lot of trust that organizations know

Dixon Wright:

how to do risk management, and then apply the necessary

Dixon Wright:

controls to address all the risks that face, you know,

Dixon Wright:

payment security. So it's like, we're going to kind of do that

Dixon Wright:

for you. Right and tell you there's a 300 things that you

Dixon Wright:

need to do to be secure. And if you don't do it, you need to

Dixon Wright:

tell us like what else you're doing and what they call a

Dixon Wright:

compensating control worksheet. So I think those types of

Dixon Wright:

approaches, I think you're super healthy, in many cases,

Dixon Wright:

especially if you think about the different types of maturity

Dixon Wright:

levels organizations that need to be PCI compliant. But then,

Dixon Wright:

at the same time, it really hurts organizations in some

Dixon Wright:

cases that take security very seriously and have been very

Dixon Wright:

thoughtful about compensated, how they compensate for not

Dixon Wright:

having something in place because they don't need to,

Dixon Wright:

because the way their systems are architected, or a different

Dixon Wright:

piece of technology that they have, in the backend that solves

Dixon Wright:

that problem slightly different. So, you know, I think it's, it's

Dixon Wright:

all about, you know, I think it's just like we learn

Dixon Wright:

something new every day, and a new standard is released every

Dixon Wright:

day. And, you know, I think the more that, you know, the the, I

Dixon Wright:

think, you know, as all the scares last year with some of

Dixon Wright:

the third party stuff that happened and breaches. And I

Dixon Wright:

think the rigor that will now be placed on vendor management, I

Dixon Wright:

just think it's going to be really interesting in kind of

Dixon Wright:

how it all plays out how, what does trust look like, in three

Dixon Wright:

years? What does it look in five years? What does it look like in

Dixon Wright:

10 years? And can we keep up right, with the pace of all

Dixon Wright:

these new regulations? Like, can people really afford to do it?

Dixon Wright:

Or, you know, at what point does it become such a nuisance,

Dixon Wright:

right? The organization's is like, can't support it any

Dixon Wright:

longer, it's too expensive. So I think, you know, we've got to be

Dixon Wright:

careful around, like, what we adopt and why we adopt it. Or

Dixon Wright:

else, you know, I think it can be a detriment to like moving

Dixon Wright:

forward to, you know, for funding that should be spent

Dixon Wright:

more on actual security or other parts that kind of enable the

Dixon Wright:

business. So. So certainly the thing, a lot of other things to

Dixon Wright:

watch out for is, you know, in the coming years, as I think

Dixon Wright:

we're going to continue to see more, more of the same, and then

Dixon Wright:

there'll be some, there'll be some additional type of

Dixon Wright:

disruption that happens and, but hard to see, you know, through

Dixon Wright:

all the all the smoke in terms of what that's kind of

Dixon Wright:

ultimately going to look like,

Dr. Dave Chatterjee:

yep, yep. Very interesting. In fact, the

Dr. Dave Chatterjee:

phrase that comes to mind, while you were talking about trust, is

Dr. Dave Chatterjee:

trust, but verify, right? We can have all the tools in the world,

Dr. Dave Chatterjee:

but we can't become slaves to automation, tools can do only so

Dr. Dave Chatterjee:

much. They have to be backed by good governance mechanisms,

Dr. Dave Chatterjee:

highly trained personnel, robust oversight. So it has to be a

Dr. Dave Chatterjee:

multi pronged approach. Even when it comes to effective

Dr. Dave Chatterjee:

compliance. While compliance is one aspect of security

Dr. Dave Chatterjee:

governance, it can become a very effective aspect. Once again, if

Dr. Dave Chatterjee:

there is a real intent, there's a real commitment behind it, as

Dr. Dave Chatterjee:

opposed to trying to outsource it and saying, okay, we have

Dr. Dave Chatterjee:

this vendor who can take take care of this for us, we have

Dr. Dave Chatterjee:

their platform, they have their tool, and we can look the other

Dr. Dave Chatterjee:

way, I don't think that works. And I think you spoke to that,

Dr. Dave Chatterjee:

that there has to be oversight, there has to be ownership. And

Dr. Dave Chatterjee:

that's when the process will go better. Because it's a evolving

Dr. Dave Chatterjee:

landscape, it's a moving target. And conscientious organizations,

Dr. Dave Chatterjee:

security concerned organizations must take very deliberate,

Dr. Dave Chatterjee:

thoughtful steps. Well, Dixon, this has been a real pleasure.

Dr. Dave Chatterjee:

Thank you very much for your time. And let's conclude with a

Dr. Dave Chatterjee:

few final words, if you have any for the listeners.

Dixon Wright:

Yeah, appreciate you. Appreciate you having me

Dixon Wright:

on. So I have been trying to talk shop about this stuff. I

Dixon Wright:

can geek out about it all day. But yeah, I think for those

Dixon Wright:

listening and yeah, there's a, I would say there's a huge

Dixon Wright:

opportunity for folks that, you know, have interest in kind of

Dixon Wright:

getting in the security realm of, you know, following some

Dixon Wright:

type of like, GRC path as an entry point. Like, there's not a

Dixon Wright:

lot of experience that's required. Generally, you know,

Dixon Wright:

you don't even need a college degree in some cases, right.

Dixon Wright:

There's a lot of security certifications out there. While

Dixon Wright:

I'm not really very big on those, right, like go and pursue

Dixon Wright:

cloud certifications or security certifications, but but yeah,

Dixon Wright:

great entry path into the security world. And then you can

Dixon Wright:

kind of pivot where you want to go, but you get a lot of

Dixon Wright:

exposure to a lot of different companies and a lot of different

Dixon Wright:

kinds of security measures. And so it's a great primer for folks

Dixon Wright:

wanting to join and not having a big kind of hurdle to get there.

Dixon Wright:

So, we're always looking for great people. So, go look us up.

Dr. Dave Chatterjee:

Fantastic, fantastic. Yep. The

Dr. Dave Chatterjee:

opportunities are out there for people who are interested,

Dr. Dave Chatterjee:

passionate, who are curious, who want to make a difference. So,

Dr. Dave Chatterjee:

so yeah, sounds great. Well, thank you again, it has been a

Dr. Dave Chatterjee:

pleasure. Thanks. A special thanks to Dixon Wright for his

Dr. Dave Chatterjee:

time and insights. If you like what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also,

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization

Chapters

Video

More from YouTube