Assurance IT invited Insurity's CISO, Jay Wilson, to discuss SaaS platforms, cloud security and data privacy.
In this episode, Jay Wilson from Insurity and co-founder of Assurance IT, Luigi Tiano, discuss:
Resources:
Watch the episode: https://youtu.be/a8YWmt-QcVU
Jay Wilson’s LinkedIn: https://www.linkedin.com/in/jaywwilson/
Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/
Assurance IT Website: http://www.assuranceit.ca/
About Jay Wilson:
As an experienced technology executive across multiple disciplines and sectors, Jay leads operations, delivery and strategy across global cross-discipline teams to produce and protect innovative products, growth strategies and measurable results.
In his role of Chief Information Security Officer at Mercury Healthcare, he is responsible for advancing the information security and compliance program, ensuring our business operations and client-facing product technologies are safe from attack, exceed regulatory standards and protect the critically important protected health data assets that Mercury Healthcare manages for over 1000 hospitals. Additionally, he leads our efforts to align to industry-leading compliance and security frameworks, including HITRUST certification of the Mercury Patient Engagement Solution / CRM. Further, he also leads and directs the IT function at Mercury Healthcare to improve the efficacy, efficiency and effectiveness of IT/Helpdesk functions within the organization.
He is CISM, CHP and CSCS certified and has over 20 years of experience in various technology development and leadership roles. Also a graduate of SapientNitro's CMTO University program, with a background as a professional marketing technologist and a consummate student of innovation and psychology, he focuses additional effort on the potential of people in the world of business+technology convergence. He has previously led (at Healthgrades) the Learning Academy program, part of HG's previous leadership development program, to help grow our people in communication, leadership and creating impact.
His experiences in technologies are broad and diverse, but he has had the privilege of working in: Security Infrastructure, Network Engineering, Automation Engineering, Advertising Technologies, Data Engineering, Distributed Computing, Professional Video, Cloud Computing, DevOps, Containers, Front End Web Technologies, Server-side Technologies, Microservices & API Development.
About 10 Questions to Cyber Resilience:
Twice per month, learn about how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security.
About Assurance IT:
Assurance IT (www.assuranceit.ca) specializes in data protection and data privacy for the mid-market in Canada, since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.
Speaker:This is 10 Questions to
Speaker:Cyber Resilience brought
Speaker:to you by Assurance IT
Speaker:released twice per month.
Speaker:Every episode brings you one
Speaker:step closer to cyber resilience
Speaker:by hearing how IT leaders are
Speaker:practicing cyber security.
Speaker:Resources mentioned in the episode
Speaker:can be found in the show notes.
Speaker:If you are ready to take your
Speaker:cyber resilience to the next
Speaker:level, be sure to subscribe so
Speaker:you can catch every episode.
Speaker:Thank you for joining us
Speaker:today, Jay, on our podcast.
Speaker:I got Jay Wilson from
Speaker:Insurity on the line with us.
Speaker:I'll let Jay introduce himself
Speaker:cuz he's got a long list of
Speaker:experience and expertise that
Speaker:he's gonna share with us.
Speaker:And really happy you can make
Speaker:the time for us today, Jay,
Speaker:so go ahead and introduce
Speaker:yourself before we jump
Speaker:into today's episode.
Speaker:Awesome.
Speaker:Thanks Luigi.
Speaker:Thanks for inviting me
Speaker:to talk with you today.
Speaker:Come from a wide range
Speaker:of technical background.
Speaker:Started off as a software
Speaker:developer back in the day
Speaker:and became a CTO at a couple
Speaker:startups that didn't get big.
Speaker:And then moved my way into
Speaker:technical consulting at Nitro,
Speaker:before going to my last job,
Speaker:which was at Healthgrades
Speaker:where I was the CISO there,
Speaker:and now I'm a CISO at Insurity.
Speaker:So wide range of background in
Speaker:software engineering, technical
Speaker:development, consulting,
Speaker:and then kind of merged
Speaker:into security and excited
Speaker:to be in the security space.
Speaker:Even more excited to
Speaker:be at Insurity as well.
Speaker:Nice.
Speaker:Sounds interesting.
Speaker:I like that.
Speaker:Being a CISO at a healthcare
Speaker:organization, that's not
Speaker:the easiest job, I'm sure.
Speaker:Yeah, yeah.
Speaker:Bless everyone who is
Speaker:still in those roles.
Speaker:Very challenging.
Speaker:You know, healthcare like many
Speaker:other sectors, but I think
Speaker:especially healthcare just faces
Speaker:so many different challenges.
Speaker:Very regulated, very targeted.
Speaker:We had a lot of targeted attacks
Speaker:that came our way, in that space.
Speaker:Healthcare data is just so
Speaker:prized by the underbelly,
Speaker:the hackers, the dark web.
Speaker:Right.
Speaker:It's very powerful information.
Speaker:Yeah, I agree.
Speaker:And that's why I wanted
Speaker:to comment on that.
Speaker:But now you've moved to Insurity.
Speaker:You're based in Colorado.
Speaker:Correct.
Speaker:Based in Denver.
Speaker:And tell us a little bit about
Speaker:Insurity, cuz Insurity's a
Speaker:pretty interesting company.
Speaker:I know them from a past life and
Speaker:I know some of the folks there.
Speaker:Give us a little bit about
Speaker:Insurity, cuz that's gonna kind of
Speaker:be a segue into our episode here.
Speaker:Yeah, absolutely.
Speaker:So Insurity is the largest
Speaker:cloud based SaaS provider of
Speaker:insurance technologies to the
Speaker:P&C market in North America.
Speaker:So we're kind of providing
Speaker:the glue for a lot of property
Speaker:casualty insurers and other
Speaker:lines of insurance across North
Speaker:America, but also across the globe.
Speaker:I just get to use largest
Speaker:when I say North America.
Speaker:Everybody likes superlatives.
Speaker:You know, we're connecting those
Speaker:insurers with the technology they
Speaker:need to accelerate their business.
Speaker:So if insurers wanna spin up new
Speaker:capabilities inside their business,
Speaker:they can lean on our systems
Speaker:and softwares and teams to help
Speaker:accelerate that work for them.
Speaker:In today's episode we're gonna
Speaker:talk a lot about SaaS and maybe
Speaker:even platform as a service and
Speaker:how to secure a cloud and SaaS.
Speaker:And not only from the enterprise,
Speaker:but also as an end user,
Speaker:what you should know, right?
Speaker:Now, being a SaaS platform.
Speaker:Let's talk a little bit about how
Speaker:we've seen the evolution of SaaS.
Speaker:Many enterprises have moved
Speaker:to a SaaS offering even PaaS
Speaker:in some ways, and this is
Speaker:kind of a question that we
Speaker:can debate back and forth.
Speaker:Now, SaaS is supposed to
Speaker:lower total cost of ownership.
Speaker:Right?
Speaker:I'd like to discuss that
Speaker:because there is a lot of
Speaker:debate around when you move to
Speaker:SaaS, there's an initial CapEx
Speaker:investment that that's done.
Speaker:But in the long term, I'd like to
Speaker:hear what you have to say about the
Speaker:caveats and of course, the pros and
Speaker:cons of moving to a SaaS platform.
Speaker:Just your experience on that.
Speaker:Sure.
Speaker:Look, there's multiple kind of
Speaker:perspectives, I'd say on SaaS
Speaker:and PaaS versus, you know,
Speaker:building things internally.
Speaker:But being an IT and security
Speaker:professional for many years now I
Speaker:would say we're not at the point
Speaker:where we're deciding whether
Speaker:we use it, but where we use.
Speaker:It isn't a choice.
Speaker:You have to use it really to
Speaker:get certain capabilities out
Speaker:the door in certain timeframes.
Speaker:So you have to be thoughtful
Speaker:in the way you use it.
Speaker:And as a SaaS provider, I would say
Speaker:that we play a similar role for our
Speaker:clients where, we're providing them
Speaker:capabilities that really they need.
Speaker:So.
Speaker:Yes, there's a certain
Speaker:balance to that equation.
Speaker:Okay?
Speaker:If we build it ourselves and we
Speaker:own it, we certainly know what
Speaker:the TCO is gonna be over time.
Speaker:But in the context of maybe point
Speaker:solutions you can contain it or you
Speaker:can build the right partnerships
Speaker:with the right vendors.
Speaker:I'd say, I think.
Speaker:I can't imagine building and
Speaker:owning an IT infrastructure without
Speaker:relying on critical SaaS partners.
Speaker:That's a very fair statement.
Speaker:And frankly, we do offer here
Speaker:at Assurance IT, some sort of
Speaker:SaaS solutions for our clients.
Speaker:So, I mean, it's a debate cuz
Speaker:I like to hear both sides of
Speaker:it, but ultimately I think it's
Speaker:important, as you mentioned,
Speaker:there's an evolution of, you
Speaker:know, where you're using, how
Speaker:you're using it versus, your
Speaker:statement earlier was on point.
Speaker:I tend to agree with that.
Speaker:I guess one thing that I've
Speaker:seen lately in the news, and
Speaker:maybe you've seen this as well,
Speaker:is there's a lot of articles
Speaker:pointing back to companies looking
Speaker:at bringing some stuff back
Speaker:on-prem and I know this is not
Speaker:application centric, but this is
Speaker:just infrastructure centric, and
Speaker:I know Insurity probably does a
Speaker:lot of cloud-based infrastructure.
Speaker:I know you guys are probably a big
Speaker:IaaS consumer as well, but what's
Speaker:your take on that whole argument
Speaker:about bringing our hardware back
Speaker:on-prem have you seen that as well?
Speaker:I have actually.
Speaker:I've seen it in a
Speaker:couple different places.
Speaker:It's an interesting trend and
Speaker:I think that like anything,
Speaker:there's right use cases to
Speaker:bring back and there's wrong
Speaker:use cases to bring back.
Speaker:But most commonly what I
Speaker:see around cloud, let's just
Speaker:take cloud as an example.
Speaker:You sometimes have businesses
Speaker:that have, call it a lack of
Speaker:depth in the operational side
Speaker:of using cloud, and that's where
Speaker:you tend to have those pullbacks
Speaker:have to occur because if you
Speaker:don't have the operational acumen
Speaker:to like really own and operate
Speaker:with your partner, your cloud
Speaker:partner, in the appropriate
Speaker:manner, your bill turns
Speaker:into a blank check, right?
Speaker:It gets really
Speaker:dangerous, really fast.
Speaker:So I think that the pullbacks
Speaker:that we're seeing are businesses
Speaker:recognizing, look, whichever
Speaker:way you wanna look at it, we're
Speaker:better in an operating mode
Speaker:at an on-prem kinda world.
Speaker:And that's not a judgment.
Speaker:But I can say at Insurity,
Speaker:we're very good at operating
Speaker:in a cloud environment.
Speaker:You know, every business comes
Speaker:from different DNA or bones, right?
Speaker:And I think that those are good
Speaker:decisions for some firms and, maybe
Speaker:not good decisions for others.
Speaker:So uncontrollable cloud
Speaker:costs are causing people
Speaker:to revisit their strategy.
Speaker:I think it's more predictable when
Speaker:you buy a server, and I'm just
Speaker:using one very simple example.
Speaker:You buy a server, you know what's
Speaker:gonna cost you, how long you
Speaker:can amortize it and you know
Speaker:what it costs to operate that.
Speaker:I think, like you mentioned, it
Speaker:stems from the fact of maybe having
Speaker:a lack of skill set to operate
Speaker:one cloud or multi-cloud strategy.
Speaker:There is a complexity of working
Speaker:with either one cloud vendor
Speaker:or multi-cloud vendor, having
Speaker:a multi-cloud vendor approach.
Speaker:So I appreciate what you've said
Speaker:and that makes a lot of sense.
Speaker:For a lot of companies, if they
Speaker:can't understand the cost or they
Speaker:can't contain the cost, I think
Speaker:that causes a panic, like you
Speaker:mentioned, and they just say,
Speaker:okay, let's come back on prem.
Speaker:And frankly, if you're able
Speaker:to successfully operate in
Speaker:an on-prem world and do that
Speaker:in a cost efficient and an
Speaker:operationally efficient manner,
Speaker:and one that doesn't hamper your
Speaker:engineering or R&D capabilities,
Speaker:all the more power to you.
Speaker:There's nothing wrong with that.
Speaker:It's been working for 20 years.
Speaker:I don't really have anything
Speaker:bad to say about it cuz
Speaker:I came from that world.
Speaker:Right, right.
Speaker:I think it's more to say if you
Speaker:are able to operate in a cloud
Speaker:based environment and you can put
Speaker:the right controls, processes,
Speaker:teams, expertise around it.
Speaker:And make it profitable
Speaker:to your business, then
Speaker:that's even more powerful.
Speaker:That's how I look at it.
Speaker:Like, if you can do it and do
Speaker:it well, you should, because
Speaker:cloud tends to give you more
Speaker:flexibility and capabilities.
Speaker:But if you can't and you've figured
Speaker:out how to make on-prem work for
Speaker:your business, that's awesome.
Speaker:Like neither one is a bad choice.
Speaker:It's just like everything, the
Speaker:devil's in the details, right?
Speaker:I think ultimately we're seeing
Speaker:a hybrid approach becoming
Speaker:the ultimate architecture, I
Speaker:think for a lot of businesses.
Speaker:I mean, you still have a lot of
Speaker:businesses, especially in the
Speaker:healthcare and especially in the
Speaker:utilities space, you have a lot
Speaker:of legacy hardware that sometimes
Speaker:is very difficult to transition
Speaker:to a virtual or cloud provider.
Speaker:So I think ultimately in
Speaker:the large enterprise, you're
Speaker:still gonna see some hybrid.
Speaker:The banks, the financial
Speaker:institutions, the healthcare of
Speaker:course, and insurance business.
Speaker:You're an outlier.
Speaker:I mean, you're insurance, but I
Speaker:think you've been one of the ones
Speaker:that have gone full SaaS and be
Speaker:able to provide a solution to
Speaker:your clients that's fully turnkey.
Speaker:Which is admirable.
Speaker:Can you tell us though,
Speaker:about cloud security?
Speaker:Cuz I think that's become a
Speaker:topic that people kind of they
Speaker:shied away from for a while and
Speaker:now it's become top of mind.
Speaker:Because if you're operating
Speaker:in a SaaS or in a cloud-based
Speaker:environment, you have to have
Speaker:the skill set to secure a cloud.
Speaker:Right?
Speaker:So what's your take on that?
Speaker:Can you tell us a little bit
Speaker:about your experience around that?
Speaker:Are we up to speed when it comes
Speaker:to skill sets in the market?
Speaker:Are the cloud providers giving
Speaker:us the right tools to properly
Speaker:secure the cloud and SaaS
Speaker:environments that we're operating?
Speaker:Yeah, that's a big topic, right?
Speaker:I could go lots of
Speaker:different directions.
Speaker:Yeah, I know, I
Speaker:know, I know, I know.
Speaker:So look, I think that there's
Speaker:still some catching up in the
Speaker:business on cloud and security.
Speaker:When you look at the origins of
Speaker:cloud, where did cloud come from?
Speaker:You know, it started with
Speaker:virtualization that you could
Speaker:control programmatically.
Speaker:It was an IT endeavor that
Speaker:engineers really gravitated to.
Speaker:They're like, oh, cool, I can
Speaker:turn on a server with an API call.
Speaker:And it evolved from that use case.
Speaker:So, it became an engineering led
Speaker:effort to put cloud in place.
Speaker:And engineering and security
Speaker:don't always pair up.
Speaker:I mean, in good organizations
Speaker:they do, but they don't
Speaker:always historically.
Speaker:And so I think that security
Speaker:has been, kind of catching
Speaker:up over the years in cloud.
Speaker:If you think like historically
Speaker:to where we are today, I
Speaker:think it's certainly capable.
Speaker:You can do it, you can
Speaker:secure a cloud very well.
Speaker:There's no doubt about that.
Speaker:You just have to know what you're
Speaker:doing and you know, you have to
Speaker:bring the right resources to bear.
Speaker:I think as far as the cloud
Speaker:providers, and what they're
Speaker:offering from a tooling
Speaker:perspective, the big players are
Speaker:offering very capable platforms
Speaker:on the security front, right?
Speaker:There might be smaller offshoots
Speaker:where it's a little, little less
Speaker:clear, but you know, your AWSs
Speaker:and your Microsofts of the world.
Speaker:You've got all the
Speaker:tools you need for sure.
Speaker:There's no doubt about it.
Speaker:Yeah.
Speaker:It's very secure built in and
Speaker:yeah, they do provide you the
Speaker:tools and I do concur with that.
Speaker:I think, and just in general,
Speaker:if you're outside the IT world
Speaker:you can't fathom how somebody
Speaker:or something else is managing
Speaker:your infrastructure and you
Speaker:can't touch and feel it, but
Speaker:you wanna feel good about where
Speaker:your infrastructure is, where
Speaker:your data lies, and so on.
Speaker:So I think we have some education
Speaker:to do, frankly, just in general
Speaker:to the larger population about
Speaker:how the data will be managed,
Speaker:contained, secured, and so on.
Speaker:And to your point, I
Speaker:think it's an evolution.
Speaker:I think we have
Speaker:some catch up to do.
Speaker:We're catching up and I
Speaker:think we're doing a good job.
Speaker:In my opinion, and obviously, I
Speaker:welcome your comment on this,
Speaker:but I think whether you're cloud
Speaker:or on-prem, you face the very
Speaker:similar risks, whether you're on
Speaker:prem or in the cloud in terms of
Speaker:hackers wanting to get to you.
Speaker:Completely agree.
Speaker:I think that a lot of the surface
Speaker:area challenges have normalized.
Speaker:Whereas there are some internal
Speaker:considerations from security
Speaker:perspective that still make cloud
Speaker:implementations a little trickier.
Speaker:But when you're talking about
Speaker:your outside surface area,
Speaker:it's like the same thing.
Speaker:It's all virtualized computing.
Speaker:So it's just a question of
Speaker:how you're configuring it.
Speaker:And what is your defense
Speaker:in depth kind of approach?
Speaker:Like what are the layers of
Speaker:the onion that you're putting
Speaker:in place to prevent people
Speaker:getting into your world?
Speaker:And whether that's on prem
Speaker:whether that's in the cloud,
Speaker:they're the similar
Speaker:sets of controls.
Speaker:There's not a big divergence there.
Speaker:In fact, there's some control
Speaker:sets now in the space that
Speaker:are cutting across, providing
Speaker:services to me as a provider, if
Speaker:I had a hybrid environment, like
Speaker:you said, some people are doing
Speaker:hybrids, you know, where I can
Speaker:cut across both and that's great,
Speaker:because now you're getting
Speaker:kinda consistent control sets.
Speaker:Consistent configuration and you're
Speaker:reducing, call it some of the big
Speaker:outages that we've seen in the last
Speaker:couple years, like what the Fastly
Speaker:outage or something like that where
Speaker:somebody just like types the wrong
Speaker:thing for a specific configuration.
Speaker:You know, less chance of
Speaker:those scenarios when you have
Speaker:enterprise wide controls that
Speaker:can cut across both environments.
Speaker:Agreed.
Speaker:Agreed.
Speaker:Yeah.
Speaker:I wanna just switch
Speaker:gears a little bit.
Speaker:So we're talking about
Speaker:SaaS and infrastructure.
Speaker:I think we're talking a lot
Speaker:about cloud and infrastructure
Speaker:now, but I want to talk about
Speaker:specific SaaS applications.
Speaker:You know, like to the end
Speaker:user who may be watching this.
Speaker:I mean, they may be taking
Speaker:advantage of a SaaS-based
Speaker:application, whether it be,
Speaker:for simplicity, whether it's
Speaker:HubSpot or Salesforce, or maybe
Speaker:QuickBooks or some accounting
Speaker:or finance application online.
Speaker:One of the questions that
Speaker:we see often, how's my
Speaker:data being collected?
Speaker:Where does it reside?
Speaker:Who's managing that data?
Speaker:And more importantly, how
Speaker:does that data get backed up?
Speaker:If I'm using QuickBooks online,
Speaker:or I'm using HubSpot, how do
Speaker:I know if an outage happens?
Speaker:What happens to my data?
Speaker:Is that something that customers
Speaker:ask you guys as an organization?
Speaker:How do they get that data back?
Speaker:Well, sure.
Speaker:This is a really important
Speaker:question and in your question
Speaker:you framed up I think two things
Speaker:that are worth mentioning.
Speaker:So in the SaaS world, there's like
Speaker:consumer level SaaS applications,
Speaker:like you mentioned QuickBooks.
Speaker:And although it's a business,
Speaker:it's still kind of like
Speaker:you're a small business.
Speaker:You're almost just an average
Speaker:consumer if you're using
Speaker:QuickBooks online, typically.
Speaker:And then at the same time,
Speaker:at Insurity, where we're
Speaker:selling enterprise SaaS
Speaker:software to business.
Speaker:And so how those two different
Speaker:kind of engagements shape
Speaker:up is a little different.
Speaker:Right?
Speaker:As a consumer, you are putting a
Speaker:lot of faith in your SaaS provider.
Speaker:Almost in a blind context.
Speaker:You signed some set of terms
Speaker:and services that you can't read
Speaker:because you don't have enough
Speaker:time to, and you say, I agree.
Speaker:Yeah, sure.
Speaker:I'll give my firstborn
Speaker:daughter whatever.
Speaker:Like you have no idea
Speaker:what it's saying.
Speaker:And then on the other side of
Speaker:this, where there's an enterprise
Speaker:engagement, we're partnering
Speaker:with our clients, it's a
Speaker:different kind of relationship.
Speaker:So we're providing our
Speaker:clients evidence of backups,
Speaker:if that's the question.
Speaker:We bring in a third party to
Speaker:validate our systems and you know,
Speaker:that third party's independent
Speaker:and saying, okay, oh look,
Speaker:I've reviewed all this evidence
Speaker:and I'm gonna write a report.
Speaker:And then we hand that
Speaker:report to our clients.
Speaker:So, much different set
Speaker:of circumstances, right?
Speaker:An enterprise SaaS, there's
Speaker:this world of third party
Speaker:validation that's basically,
Speaker:I would say come about,
Speaker:especially in the last 10 years.
Speaker:And back in the day you used to get
Speaker:a certification from a data center.
Speaker:Right?
Speaker:Right.
Speaker:And that's evolved now into
Speaker:other industry standards,
Speaker:whether it's ISO certs,
Speaker:SOC 2 certs, things like.
Speaker:Which we all use in different ways
Speaker:so that we can trust each other.
Speaker:There are mechanisms of trust.
Speaker:I think it'd be great to see
Speaker:that continue to refine because
Speaker:it's still a big challenge.
Speaker:How we all handle that
Speaker:trust between one another.
Speaker:I like what you said, you put
Speaker:a blind trust, we're picking
Speaker:on QuickBooks right now, but
Speaker:I mean, it could be, HubSpot
Speaker:is an enterprisewide tool.
Speaker:I mean, it may not be as big as
Speaker:Salesforce, but at the end of the
Speaker:day, there's a lot of enterprises
Speaker:who run on HubSpot a lot, right?
Speaker:And you're putting a lot of
Speaker:faith, you're putting your entire
Speaker:marketing database in there.
Speaker:You're putting your entire
Speaker:client database and you're
Speaker:putting a lot of financial data.
Speaker:You're putting a lot
Speaker:of stuff in there.
Speaker:And then this is something
Speaker:that I ask customers, when
Speaker:they're talking to me about
Speaker:their SaaS applications,
Speaker:I ask them the question.
Speaker:How much do you know
Speaker:about that application?
Speaker:Yes.
Speaker:I mean, they may
Speaker:be publicly traded.
Speaker:I'm sure they've got a whole
Speaker:slew of compliance requirements
Speaker:they need to go through.
Speaker:But the day you wanna pull a plug
Speaker:with that provider, what happens?
Speaker:Who does that data belong to?
Speaker:And I think those are the questions
Speaker:that we should be asking more of.
Speaker:You mentioned you partner with
Speaker:your clients, so there's a lot
Speaker:more third party validation and due
Speaker:diligence that happens, but I think
Speaker:the blind trust needs to come down
Speaker:a little bit and you have to ask
Speaker:more from your provider because if
Speaker:a platform that big gets breached,
Speaker:they're impacting thousands
Speaker:and thousands of businesses.
Speaker:Absolutely.
Speaker:Or millions of individuals.
Speaker:Individuals.
Speaker:Those businesses put their
Speaker:data in, into QuickBooks
Speaker:or whatever it might be.
Speaker:And you're seeing that, almost a
Speaker:continuous stream of like large
Speaker:consumer data breaches that
Speaker:are sometimes a result of that.
Speaker:But I think as consumers
Speaker:we don't have great
Speaker:mechanisms for that, yet.
Speaker:Because we are still beholden to
Speaker:these third party providers and
Speaker:take QuickBooks out of the example
Speaker:set for a second, you know just the
Speaker:Apples and Googles of the world.
Speaker:We as individuals,
Speaker:we have no leverage.
Speaker:Right?
Speaker:None whatsoever.
Speaker:to force them to like, oh,
Speaker:I'm gonna send you a red line
Speaker:of your terms and services.
Speaker:Good luck with that one.
Speaker:Exactly.
Speaker:Yeah.
Speaker:Yeah.
Speaker:But that leads me to my last
Speaker:question, cuz we don't have a
Speaker:lot of time here with you and
Speaker:I really appreciate the fact
Speaker:that you took the time today.
Speaker:When it comes to data
Speaker:privacy and maintaining,
Speaker:data privacy compliance
Speaker:when you're servicing customers,
Speaker:and you guys are North America
Speaker:wide, and forgive me if I'm using
Speaker:you guys as an example, but you
Speaker:may have customers globally.
Speaker:How difficult is your job when
Speaker:you have to comply with various
Speaker:data privacy rules, both
Speaker:locally, state level,
Speaker:federal level, and globally.
Speaker:I mean, you've got GDPR in
Speaker:Europe, you've got various laws
Speaker:in the US state, state laws,
Speaker:and of course, if you're dealing
Speaker:with Canadian laws, you've
Speaker:got various provincial laws.
Speaker:So how does a CISO or how does your
Speaker:compliance team deal with that?
Speaker:Has that become a huge undertaking?
Speaker:Just to get into the
Speaker:intricacies of it without
Speaker:giving us too many details.
Speaker:Yeah, of course.
Speaker:It's an important area that we do
Speaker:put a lot of focus in, of course.
Speaker:Because we need to be confident
Speaker:that we're meeting all of the
Speaker:ins and outs of the regulations.
Speaker:But I would say this: we try to
Speaker:find commonalities between them.
Speaker:And one of the benefits of some
Speaker:of these scenarios is a lot of the
Speaker:call it the state privacy
Speaker:laws as an example.
Speaker:They start to kind
Speaker:of look a lot alike.
Speaker:So what you tend to do as
Speaker:a business is you implement
Speaker:actually the highest bar.
Speaker:You say, okay, well which state has
Speaker:the most challenging regulations?
Speaker:Let's just meet their
Speaker:regulations and then we'll meet
Speaker:all the state's regulations.
Speaker:You do things like that to
Speaker:really kind of normalize.
Speaker:And so instead of using the
Speaker:lowest common denominator,
Speaker:using the highest common
Speaker:denominator, maybe it's a little
Speaker:more work, but you know your
Speaker:clients will be satisfied.
Speaker:You know that their data will
Speaker:be safe and be held against
Speaker:the regulations appropriately.
Speaker:That tends to be the model.
Speaker:I'm not saying that's always
Speaker:the case, but you know, you
Speaker:try to find ways to find
Speaker:efficiency across the regulations
Speaker:by doing things like that.
Speaker:Very good answer.
Speaker:So look for the best model that
Speaker:exists and strive to achieve that.
Speaker:Okay.
Speaker:Then you're exceeding the
Speaker:law in most cases, right?
Speaker:No, I agree.
Speaker:I agree with that.
Speaker:It's just that sometimes, it
Speaker:becomes overwhelming when it comes
Speaker:to regulation and compliance.
Speaker:A lot of people kind of get
Speaker:overwhelmed and then they try
Speaker:to fit everything into one box.
Speaker:But I think your approach is you
Speaker:know, bang on where you take the
Speaker:highest standard and meet it, at
Speaker:least you know it can't be beat.
Speaker:Which is a really good
Speaker:approach and I appreciate that.
Speaker:For sure.
Speaker:And it's a continuous effort.
Speaker:The regulations are
Speaker:gonna continue to evolve.
Speaker:We are continuously
Speaker:monitoring that.
Speaker:There is no one size
Speaker:fits all, unfortunately.
Speaker:Yeah, yeah.
Speaker:No, and I can concur with that.
Speaker:But I think the regulation
Speaker:is making us better as IT
Speaker:professionals, frankly.
Speaker:I know it's not always comfortable
Speaker:to have to adhere to them, and it's
Speaker:costly and it's painful sometimes.
Speaker:But I mean, we're in an industry
Speaker:where it's ever evolving and like
Speaker:you said, the attack surfaces
Speaker:are just getting larger and
Speaker:more compelling for criminals.
Speaker:So you have to make sure
Speaker:that you're covering
Speaker:yourself in all areas.
Speaker:And especially if you're dealing
Speaker:with end users or whether you're
Speaker:B2B or B2C, I think you need
Speaker:to make sure that validation
Speaker:is done properly, especially
Speaker:if you wanna continue to do
Speaker:business with individuals.
Speaker:Completely agree.
Speaker:I think most of the terms in the
Speaker:regulations are actually helpful.
Speaker:Meaning they are actually things
Speaker:that we're doing already, right?
Speaker:Sometimes there are a couple
Speaker:gotchas, maybe a regulator
Speaker:hasn't updated their mindset.
Speaker:Every once in a while you'll
Speaker:find some intricacies or quirks
Speaker:maybe in the regulations.
Speaker:Or maybe the language
Speaker:is really vague.
Speaker:Those are the areas that cause
Speaker:most consternation usually.
Speaker:But overall, I think that data
Speaker:privacy regulations are a good
Speaker:thing in the sense that they codify
Speaker:what we should already be doing.
Speaker:I'm gonna coin that term.
Speaker:Gonna use it.
Speaker:Really like that.
Speaker:Really like that, Jay.
Speaker:Well, Jay, listen, you've
Speaker:given us a lot of your
Speaker:time and we appreciate it.
Speaker:I think this is gonna be a
Speaker:good episode, short, but sweet.
Speaker:We tackled one specific
Speaker:topic and I really appreciate
Speaker:what you've done for us.
Speaker:Good luck at Insurity. I know
Speaker:it's only been a few months
Speaker:you've been there, and it's an
Speaker:exciting opportunity for you.
Speaker:The team's great there.
Speaker:I know them well personally.
Speaker:So I wish you the best of luck
Speaker:and again, thank you for the time
Speaker:and hope to speak again soon.
Speaker:Absolutely.
Speaker:Likewise.
Speaker:Thank you.
Speaker:Thank you, Jay.
Speaker:Thank you for listening
Speaker:to 10 Questions to Cyber
Speaker:Resilience brought to you
Speaker:by Assurance IT. Assurance
Speaker:IT is in the cybersecurity
Speaker:space, specializing in data
Speaker:protection and compliance
Speaker:since 2011, they primarily help
Speaker:mid-sized enterprises in Canada.
Speaker:If you have questions
Speaker:about protecting your
Speaker:data, reach out to us
Speaker:at info@assuranceit.ca