Episode 23
Is Cybersecurity Regulatory Compliance Good Enough?
"The story of the RMS Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security. The ship was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. The designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required." (securicon.com) Dixon Wright, Vice President, Vice President, Compliance Management and Automation Platform, Coalfire, speaks to the importance of moving beyond the check-the-box approach and engaging in substantive information security compliance efforts. He recommends the judicious adoption and use of appropriate compliance management and automation platforms.
Time Stamps
Yeah, let's talk about your passion. What gets you passionate about information security compliance?
For the benefit of the listeners, please provide an overview of information security compliance and the current state of affairs.
Trying to stay on top of all these different compliance requirements can be an extremely challenging proposition. What do you think?
How do we ensure that check-the-box behavior is not encouraged?
I feel this discussion on compliance needs to be coupled with the discussion on governance mechanisms, and measures, which ensure that the tools that are being leveraged effectively and essentially, people are doing the right thing. Your thoughts, your reactions?
What does it take to create a robust cyber secure cybersecurity compliance program? In other words, if you could highlight some of the key elements of a robust compliance program?
So going back to automation and compliance, I know your organization has developed a platform to provide those services. When an organization is considering investing in such tools and capabilities, what guidance or recommendations do you have for them?
What else do you think listeners could benefit from learning about compliance management from an information security standpoint? Or anything else that you think is pertinent to this discussion that we haven't talked about yet?
Let's conclude with a few final words that you may have for our listeners.
Memorable Dixon Wright Quotes
"We hire really expensive, technical people. And 60 to 70% of their job is being a technical writer."
"All these different kinds of industries and sectors have created their own types of standards, and now all these organizations have to comply with them."
"There's a challenge of getting compliant, and then there's an even greater challenge of actually maintaining it."
"I think, in many cases, compliance is just sales. You're just doing it so that you can sell to other companies, it's not actually used as a mechanism to secure things internally."
"We need better assurance that what is being automated is legitimate."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach. He has been studying cybersecurity for over a decade,
Cybersecurity Readiness:authored and edited scholarly papers, delivered talks,
Cybersecurity Readiness:conducted webinars, consulted with companies, and served on a
Cybersecurity Readiness:cybersecurity SWAT team with Chief Information Security
Cybersecurity Readiness:Officers. Dr. Chatterjee is an Associate Professor of
Cybersecurity Readiness:Management Information Systems at the Terry College of
Cybersecurity Readiness:Business, the University of Georgia, and visiting professor
Cybersecurity Readiness:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Today, I'll be talking with Dixon Wright, Vice
Dr. Dave Chatterjee:President Product Management of Coalfire. Coalfire is a
Dr. Dave Chatterjee:cybersecurity solutions provider. And Dixon leads
Dr. Dave Chatterjee:product efforts for Coalfire's compliance management and
Dr. Dave Chatterjee:automation platform. He is responsible for product vision
Dr. Dave Chatterjee:and execution, go-to-market activities, and product revenue.
Dr. Dave Chatterjee:Dixon mentions in his professional profile, that he is
Dr. Dave Chatterjee:on a mission to make security compliance easier through
Dr. Dave Chatterjee:software and automation. And so I felt that he was the perfect
Dr. Dave Chatterjee:guest for our discussion on information security compliance.
Dr. Dave Chatterjee:Dixon, welcome. Thanks for taking time to share your
Dr. Dave Chatterjee:thoughts and perspectives with listeners.
Dixon Wright:Thanks for Thanks for having me excited to be here
Dixon Wright:and chat about something that I'm passionate about.
Dr. Dave Chatterjee:Yeah, let's talk about your passion. What
Dr. Dave Chatterjee:gets you passionate about information security compliance?
Dixon Wright:Yeah, I guess, you know, it's, as someone who kind
Dixon Wright:of came up through the ranks of IT audit started my career, at
Dixon Wright:the Big Four at KPMG. And I've had some considerable steps
Dixon Wright:along the way to get to Coalfire. But you know, thinking
Dixon Wright:about how historically like, everything is extremely manual,
Dixon Wright:it's extremely labor intensive, lots of narrative writing, when
Dixon Wright:the essence is trying to really dissect whether or not technical
Dixon Wright:things are implemented correctly, and then weighing an
Dixon Wright:opinion against that. So it's just that, you know, one of my
Dixon Wright:old colleagues said it best he's like, we hire really expensive,
Dixon Wright:technical people and 60, 70% of their job is being a technical
Dixon Wright:writer. Right. So, so both from a business stance, as well, as
Dixon Wright:you know, I think from a security stance, that's probably
Dixon Wright:not the best allocation of resources. So I think, you know,
Dixon Wright:our, again, our vision and mission is really to make that
Dixon Wright:easier from the customer side, but also, you know, use that to
Dixon Wright:enable the business as well.
Dr. Dave Chatterjee:Very cool. Very cool. So, you know, for the
Dr. Dave Chatterjee:benefit of the listeners, provide an overview of security
Dr. Dave Chatterjee:compliance, and the current state of affairs.
Dixon Wright:Yeah, it's a great, it's a very, very broad
Dixon Wright:topic, I try to do do it to the best of my ability. But I think,
Dixon Wright:I think security compliance, like starts with third party
Dixon Wright:trust. So when we think about, you know, why they exist, kind
Dixon Wright:of, I would say, the foundation, the genesis of compliance was,
Dixon Wright:hey, like, we want to do business with other businesses,
Dixon Wright:like we need to determine whether or not they're doing the
Dixon Wright:things we need them to do. And I think a lot of this even started
Dixon Wright:financially with some of the Sarbanes Oxley like IT controls
Dixon Wright:when you outsource particular pieces of your, your process
Dixon Wright:internally. So specifically, some of the, you know, I've been
Dixon Wright:an expert in for a while is SOC reporting. And that, you know,
Dixon Wright:basically what happened is is like, all these third, you know,
Dixon Wright:all of these companies wanted to go in and like audit their
Dixon Wright:vendors. And so basically, there was, you know, things change,
Dixon Wright:and they develop this kind of, okay, well, actually, let's
Dixon Wright:create a standard so that third party organizations can go in
Dixon Wright:and do their own assessments and then provide a report that can
Dixon Wright:then be distributed across to all those customers so that, you
Dixon Wright:know, it's do once provide many versus having these like
Dixon Wright:one-to-one audits per customer that you have. And I think
Dixon Wright:that's, you know, that is expanded so, you know, vary
Dixon Wright:greatly over the last, like, you'll see, we'll call it 10
Dixon Wright:years because all of these different kinds of industries
Dixon Wright:and sectors have created their own types of standards that now
Dixon Wright:all of these organizations have to comply with. And I think,
Dixon Wright:more recently, we've seen a large amount of like
Dixon Wright:jurisdictional specific standards pop up. So if you want
Dixon Wright:to go and do business inside of Germany, German organizations
Dixon Wright:may now require you to follow some type of German standard
Dixon Wright:same in India, same in Japan. So when you think about these large
Dixon Wright:technology, SAS providers, they have, you know, so many things
Dixon Wright:that they have to comply with. But it all comes back, I think,
Dixon Wright:you know, at its core is like, the, the point is to be able to
Dixon Wright:show trust, the way in which trust is executed or is
Dixon Wright:implemented or evidence is just now becoming vastly different
Dixon Wright:depending on who you do business with and where you do business.
Dixon Wright:So, you know, the larger the company, the more things you
Dixon Wright:have to do, obviously, the you know, it gets exponentially more
Dixon Wright:and more complicated to be able to satisfy that.
Dr. Dave Chatterjee:Very true. Talking about getting things
Dr. Dave Chatterjee:complicated. As you mentioned, industries have their own
Dr. Dave Chatterjee:standards, such as PCI DSS for the payment card industry, then
Dr. Dave Chatterjee:there are various laws and regulations such as HIPAA, GDPR,
Dr. Dave Chatterjee:CCPA, CPA and more. There are also a whole bunch of frameworks
Dr. Dave Chatterjee:such as NIST, ISO 27,001, Center for Internet Security controls,
Dr. Dave Chatterjee:and more. So one of the challenges I see organizations
Dr. Dave Chatterjee:grappling with, is to make sure they are in compliance of all
Dr. Dave Chatterjee:they need to be in compliance off. In other words, just trying
Dr. Dave Chatterjee:to stay on top of all these different regulatory and
Dr. Dave Chatterjee:compliance requirements can be an extremely challenging
Dr. Dave Chatterjee:proposition. What do you think?
Dixon Wright:Oh, absolutely. I mean, I think there's, there's
Dixon Wright:there's a challenge getting compliant. And then there's,
Dixon Wright:there's certainly maybe an even even more challenge of actually
Dixon Wright:like maintaining it. And then it's just like, you know, the,
Dixon Wright:are you really any better off? Right? I mean, I think it's also
Dixon Wright:you have to ask, right, it's just like, yeah, like, I'm
Dixon Wright:compliant. And certainly, there's some benefits. And, you
Dixon Wright:know, but I think but, you know, I think there's there's all
Dixon Wright:these other challenges of dilution of kind of the types of
Dixon Wright:people that are doing the assessments. There's different
Dixon Wright:types of quality and the third parties. So, you know, one
Dixon Wright:report from one particular third party, like, we'll call it
Dixon Wright:auditor assessor is not necessarily equivalent to
Dixon Wright:another that's also accredited, right? So. So I think it comes
Dixon Wright:back, if you, if you come back to trust, it's just like, at
Dixon Wright:what point will we start to go beyond some of these point in
Dixon Wright:time, like pieces of paper, right, that kind of prove
Dixon Wright:compliance to these organizations? Or when do
Dixon Wright:organizations no longer trust a piece of paper, and I think
Dixon Wright:we're seeing that now, like, a lot of our customers, like have
Dixon Wright:to do it, it's contracts there, they're contractually obligated,
Dixon Wright:or they're trying to do business with the federal government, as
Dixon Wright:an example, I have to be FedRAMP compliant. But I think a lot of
Dixon Wright:these like commercial like SOC 2 and ISO 27,001, it really is,
Dixon Wright:it's kind of table stakes, like you have to have it. And then
Dixon Wright:there's still a very vicious kind of vendor review process
Dixon Wright:that, you know, you still may have to do a questionnaire, you
Dixon Wright:still may have to provide, you know, scanning reports or pen
Dixon Wright:test reports. So, you know, it's just like all this work for, to
Dixon Wright:basically have a conversation, and then you still have to, you
Dixon Wright:know, prove out your security.
Dr. Dave Chatterjee:Yeah, I can totally see that. And that can
Dr. Dave Chatterjee:be frustrating. What concerns me is organizations, finding ways
Dr. Dave Chatterjee:of somehow meeting the compliance requirements to be
Dr. Dave Chatterjee:eligible to be able to compete for a certain contract. In other
Dr. Dave Chatterjee:words, organizations can be motivated to adopt the
Dr. Dave Chatterjee:check-the-box approach. So how do you ensure that this
Dr. Dave Chatterjee:check-the-box mentality or behavior is not encouraged?
Dixon Wright:Yeah. Yeah, I mean, it's a good question. I
Dixon Wright:mean, I think there's a couple of different factors in that.
Dixon Wright:I'm obviously biased, coming from like, the third party
Dixon Wright:world. You know, I think it's, you know, did did they use a
Dixon Wright:reputable third party? Is that, you know, I think specifically
Dixon Wright:in the realm of cybersecurity, right, is that is that third
Dixon Wright:party known for really understanding and being kind of
Dixon Wright:a technical type of company? Like, are they an audit firm?
Dixon Wright:Right, like, you know, we can we can talk about that a lot,
Dixon Wright:right? Like, a lot of audit firms do a lot of these things.
Dixon Wright:And some of them are really good, right. There's others that
Dixon Wright:aren't like, they're, you know, the, the, the resources are
Dixon Wright:predominantly, like, they're not very technical. So I think, you
Dixon Wright:know, being able to evaluate what that third party is doing.
Dixon Wright:And then again, I mean, I think that, I do believe that, you
Dixon Wright:know, some of the compliance reports, and some of the
Dixon Wright:standardization of it are really good. But I don't think like,
Dixon Wright:that's where it should stop. Like, I think, you know, there's
Dixon Wright:additional kind of tech Bill tech, technical due diligence
Dixon Wright:that shouldn't be done. And quite frankly, I mean, I think
Dixon Wright:that's becoming common, right, I think the companies that take
Dixon Wright:security really seriously and take third party secure third
Dixon Wright:party vendor security very seriously. You know, like, I
Dixon Wright:have one customer, Silicon Valley, publicly traded customer
Dixon Wright:now. And they, they basically would just send over kind of
Dixon Wright:open ended kind of technical questions. And they, it's very
Dixon Wright:easy to detect, like when someone is, you know, is full of
Dixon Wright:it, right? They don't really know what they're talking about.
Dixon Wright:So I think just even things, simple things such as that can
Dixon Wright:really make you question whether or not like the the party on the
Dixon Wright:other end, right, that's going to hold your data, like actually
Dixon Wright:knows what they're doing and has their hands around it. So again,
Dixon Wright:I think other companies take it different places, and you know,
Dixon Wright:that it likely should be a risk based kind of decision, right?
Dixon Wright:Like, what what is being stored? What is being what are they
Dixon Wright:handling for you? Is it critical? Is it not? And then,
Dixon Wright:you know, make make decisions on the rigor that you want to put
Dixon Wright:on because you can't, it's, it's impossible, especially with the
Dixon Wright:kind of intertwined cloud services. The cloud service
Dixon Wright:used, that's gonna ramp in today's society like to go and,
Dixon Wright:you know, really do deep, deep technical reviews of every
Dixon Wright:single company, right? It's just not scalable. So so, you know,
Dixon Wright:having these kinds of kinds of ways to really early detect
Dixon Wright:whether or not this has been a you want to do business, whether
Dixon Wright:or not I think is this kind of a good approach that I've seen
Dixon Wright:some of our customers take?
Dr. Dave Chatterjee:That's good to know. In fact, I'd like to
Dr. Dave Chatterjee:pick up on something you said you talked about. Yeah, I think
Dr. Dave Chatterjee:you were alluding to oversight, that you can have a compliance
Dr. Dave Chatterjee:team in place, you know, ensuring that the organization
Dr. Dave Chatterjee:is in compliance of the relevant regulations. But there also
Dr. Dave Chatterjee:needs to be oversight to ensure that the organization is going
Dr. Dave Chatterjee:beyond the check-the-box approach, the approach is
Dr. Dave Chatterjee:substantive, that, you know, when, let's say our compliance
Dr. Dave Chatterjee:requirement is to have a certain type of security training,
Dr. Dave Chatterjee:making sure that the training is really personalized, customized.
Dr. Dave Chatterjee:And there's a follow up, there is assessment, there is
Dr. Dave Chatterjee:repetition. So I'm just using training as an example, to make
Dr. Dave Chatterjee:the difference between what could be somehow get it done
Dr. Dave Chatterjee:hire a vendor company, and they offer you an out of the box
Dr. Dave Chatterjee:training curriculum, let's say, and that is, that is okay. But
Dr. Dave Chatterjee:the organization needs to customize it, because every
Dr. Dave Chatterjee:organization has unique needs, has unique roles that people
Dr. Dave Chatterjee:perform. So that's where I feel that this discussion on
Dr. Dave Chatterjee:compliance needs to be coupled with the discussion on
Dr. Dave Chatterjee:governance mechanisms, measures, which ensure that, you know, the
Dr. Dave Chatterjee:tools that are being used to assess compliance, to ensure
Dr. Dave Chatterjee:compliance, are being leveraged effectively and essentially,
Dr. Dave Chatterjee:people are doing the right thing. Your thoughts, your
Dr. Dave Chatterjee:reactions?
Dixon Wright:Yeah, I mean, I think when, like, I think
Dixon Wright:without a layer of governance, and a strategy for like, what
Dixon Wright:you want to accomplish out of some of these compliance
Dixon Wright:frameworks, like it, I think, in many cases, it becomes like,
Dixon Wright:like, compliance is just sales, right? You're just doing it so
Dixon Wright:that you can sell to other companies. It's not actually
Dixon Wright:used as a mechanism to secure things internally, in the long
Dixon Wright:run, right? Like, will that help probably like there's, you know,
Dixon Wright:implementing controls and versus not having them is probably
Dixon Wright:effective. But I think until there's like this kind of top
Dixon Wright:down approach of like, hey, like this is, you know, we obviously
Dixon Wright:have to do this, but here's how we're gonna do like, take this
Dixon Wright:seriously, like, kind of the same customer I was mentioning
Dixon Wright:earlier, they they handle handle a lot of payments, right. And so
Dixon Wright:payments, payments, security is extremely important to their
Dixon Wright:business. And they have to take it seriously, right, like, maybe
Dixon Wright:that's the nature of this company that they run. But, you
Dixon Wright:know, it's like, security's embedded into like, every layer
Dixon Wright:of their organization, right, developers are responsible for
Dixon Wright:security. You know, and so, like, that's part of the culture
Dixon Wright:that they establish and buying in. And you know, funny enough,
Dixon Wright:like, a lot of lot of the compliance stuff is for them,
Dixon Wright:it's an outcome, it's not something that they like have to
Dixon Wright:do. And so, you know, they, they take security very seriously.
Dixon Wright:Then they get audited, and as a nature of taking security very
Dixon Wright:seriously, like, generally, their, their audits are
Dixon Wright:extremely clean and very successful. So again, I think
Dixon Wright:that that type of approach that we've seen is, is super
Dixon Wright:effective. And I think it really starts with that governance
Dixon Wright:level, or at least, like, you know, leadership being
Dixon Wright:completely bought in and to what that what that means.
Dr. Dave Chatterjee:Very true. In fact, yesterday, I was
Dr. Dave Chatterjee:talking with a CISO. And he mentioned, he said, you know,
Dr. Dave Chatterjee:compliance is expected, but compliance by itself, it's not
Dr. Dave Chatterjee:good enough, when it comes to establishing a strong
Dr. Dave Chatterjee:cybersecurity posture. So, I'm interested in getting your
Dr. Dave Chatterjee:perspective on what does it take to create a robust cybersecurity
Dr. Dave Chatterjee:compliance program? In other words, if you could highlight
Dr. Dave Chatterjee:some of the key elements of a robust compliance program?
Dixon Wright:Yeah, from a compliance person, I'm speaking
Dixon Wright:specifically to compliance not necessarily, like overall, like
Dixon Wright:security, right. But so I think for to having an effective
Dixon Wright:compliance program is really to think about, you know, what is
Dixon Wright:like what is that kind of like, you know, continuum of like,
Dixon Wright:maturity, right. So for us, like, what we see is you've got,
Dixon Wright:you know, you get this new organization, they're doing
Dixon Wright:compliance. And they're largely like, doing it in a manual
Dixon Wright:fashion, right? Like, they're kind of, they got a couple of
Dixon Wright:people, they run around, chasing people down, trying to, again,
Dixon Wright:say, like, kind of checking the boxes, right? It's not
Dixon Wright:proactive, it's reactive. Audit season is typically extremely
Dixon Wright:stressful. And you really have like, your, your fingers
Dixon Wright:crossed, that you've done all that you need to do, right. You
Dixon Wright:know, you'd be surprised at the size of companies that we deal
Dixon Wright:with where it's like, Oops, like, forgot to do a quarter
Dixon Wright:quarterly vulnerability scan. Right? Not good guys, right?
Dixon Wright:That's going to be a problem. You know, here's, here's what
Dixon Wright:we're gonna have to do so. So I think that's kind of where I
Dixon Wright:would say, like, you know, you get the most like, immature
Dixon Wright:companies, and there's probably even a spectrum of that
Dixon Wright:immaturity. Where it's like, you know, that's expected for a
Dixon Wright:startup, right? That's not expected for a publicly traded
Dixon Wright:company right. So so that lack of investment in you know, not
Dixon Wright:taking that stuff overly seriously or at least just being
Dixon Wright:thoughtful about it, I think is kind of at the very kind of
Dixon Wright:beginning and then you get into you know, what we call like
Dixon Wright:coordinated which is you understand all you need to
Dixon Wright:accomplish you think about how you build you know, solid
Dixon Wright:workflows to make that happen. You minimize the amount of like
Dixon Wright:auditors that you deal with like we call it kind of coordinated
Dixon Wright:assessments, right. So you choose you know, vendors that
Dixon Wright:can eliminate audit fatigue throughout your organization.
Dixon Wright:And you really tried to like you know, as another feature this
Dixon Wright:will be centralizing, you know, compliance across like business
Dixon Wright:units right. So if you have your have kind of a conglomerate, and
Dixon Wright:you have 30 different business units you know, and you have
Dixon Wright:every single business unit kind of does their own thing like
Dixon Wright:that's, that's not very mature but having some type of
Dixon Wright:coordinated effort and a centralized group that helps
Dixon Wright:manage some of those things. Those are some ways that we see
Dixon Wright:people kind of continue down this like maturity skip cycle.
Dixon Wright:Um, And then I think you, you start to get into this this kind
Dixon Wright:of realm of automation, right? So I would say like, the next
Dixon Wright:big bucket is okay, you know, what am I am I using really good
Dixon Wright:tooling to automate like the workflows, you know, I have a
Dixon Wright:way to have this like centralized place where all
Dixon Wright:those things are happening. I'm using very few type of
Dixon Wright:assessors. And I don't have like, you know, 10 different
Dixon Wright:kind of audit opinions being spun at me. And then I think
Dixon Wright:that kind of the next two places are really around, you know,
Dixon Wright:kind of further automating a lot of the technical components that
Dixon Wright:you you can do, which I think is very, it's a very new kind of
Dixon Wright:concept in general. And I think the adoption of that will be
Dixon Wright:slower for enterprise companies. But you know, I think that's
Dixon Wright:going to continue, like how do I start to do things and like,
Dixon Wright:report on those things in an automated fashion versus having
Dixon Wright:humans do it? And then I think, at the end of that spectrum is
Dixon Wright:just like, Okay, how do we get to this place of real continuous
Dixon Wright:monitoring for the large majority of our kind of control
Dixon Wright:environment? If 60 70% of our controls are kind of technical
Dixon Wright:in nature? You know, how do we, you know, pull that information
Dixon Wright:out and visualize it more in real time versus waiting for
Dixon Wright:internal control assessments, or annual, you know, annual
Dixon Wright:assessments for auditors to really determine the overall
Dixon Wright:effectiveness of that. So I think like to me, like that's,
Dixon Wright:that's where we're headed in terms of the future of trust is,
Dixon Wright:you know, that customer start to actually share real time
Dixon Wright:insights into actually what's actually happened versus like
Dixon Wright:people distributing, you know, PDF reports of compliance
Dixon Wright:status. And I think there's been some really large organizations
Dixon Wright:that have talked publicly about it. One of them is Equifax.
Dixon Wright:Like, right now, they have some type of program. So for their
Dixon Wright:customers, they share out, you know, dashboards of some of
Dixon Wright:their cloud environments, and what the status of those
Dixon Wright:controls are. So I think stuff like that is going to become way
Dixon Wright:more, the adoption of that is going to become much higher. And
Dixon Wright:I think as a result, you know, scanners, it will establish more
Dixon Wright:trust and can be a differentiator for these, those
Dixon Wright:types of companies that do that go the extra mile.
Dr. Dave Chatterjee:That's really good to hear. Because I
Dr. Dave Chatterjee:couldn't agree with you more, the importance of continuous
Dr. Dave Chatterjee:monitoring, and the extent to which we can use technology, not
Dr. Dave Chatterjee:only to automate the process, but also to direct the alerts to
Dr. Dave Chatterjee:the appropriate folks. And make sure that the alerts are being
Dr. Dave Chatterjee:received and acted upon. I'm very, I'm very passionate about,
Dr. Dave Chatterjee:you know, while organizations have monitoring mechanisms,
Dr. Dave Chatterjee:where they tend to fall behind, is, you know, often good
Dr. Dave Chatterjee:intelligence goes unrecognized. Good intelligence is ignored.
Dr. Dave Chatterjee:It's not responded to, and I wish we can have appropriate
Dr. Dave Chatterjee:tools, that reduces the possibility of that happening.
Dr. Dave Chatterjee:So based on what I'm hearing from you, that is very
Dr. Dave Chatterjee:encouraging news. So going back to automation, compliance, and I
Dr. Dave Chatterjee:know that your organization has developed a platform to provide
Dr. Dave Chatterjee:those services, when an organization is considering
Dr. Dave Chatterjee:investing in such tools and capabilities, what guidance or
Dr. Dave Chatterjee:what recommendations would you have for them?
Dixon Wright:Yeah, I mean, I think I think it really comes
Dixon Wright:down to like, what what are your organization's like, biggest
Dixon Wright:pain points? Right? You know, so we see kind of the full full
Dixon Wright:spectrum of like, what that is for organizations, we see
Dixon Wright:organizations on different parts of that like maturity cycle. And
Dixon Wright:it's different for everybody. And, you know, I think for us,
Dixon Wright:and kind of a large majority of our customer base are typically
Dixon Wright:bigger customers. And so, the problems are more complicated,
Dixon Wright:right? So they have many different business units, many
Dixon Wright:different applications, they may have, you know, applications
Dixon Wright:that are federal in nature and have to go through FedRAMP they
Dixon Wright:may have that same application in a commercial environment,
Dixon Wright:which is governed by four different kinds of commercial
Dixon Wright:standards. So it gets like really messy really quick. So I
Dixon Wright:think it's, one, just like really understanding that you
Dixon Wright:you know that you need help, and that spreadsheets aren't doing
Dixon Wright:it for you and spreadsheets and email. And then two you know, if
Dixon Wright:that's not doing for you, right? What is? What are kind of the
Dixon Wright:core pieces of your workflow? And how do you start to, like,
Dixon Wright:chip away at it? You know, so for us, like, you know, we think
Dixon Wright:like, the first kind of step that you need to solve is, do
Dixon Wright:you understand all the things that you need to do? And who
Dixon Wright:needs to do them? And at what time? Do they need to do them?
Dixon Wright:So that you kind of get your hands around? The what is the
Dixon Wright:compliance problem that you're at your organization? Right? And
Dixon Wright:then the next piece of that is like, Okay, well, how do we then
Dixon Wright:start to automate more and more of this activity? And then how
Dixon Wright:do we get to this, like continuous state of continuous
Dixon Wright:compliance, you can, you know, continuous monitoring and
Dixon Wright:continuous visualization of what's going on. So, you know, I
Dixon Wright:think, what we see right now, there's the marketplace is kind
Dixon Wright:of, it's really wild. In this, it's a new category, like, it's
Dixon Wright:not even. It's not even something that you know, is on a
Dixon Wright:quadrant within like Gartner, Forrester, it's really spun up
Dixon Wright:in the last like, two years. So you got, you know, all of these
Dixon Wright:different types of organizations popping up. And they're, they're
Dixon Wright:finding a lot of product market fit, I think, specifically in
Dixon Wright:the lower lower end of the market for these tech startups.
Dixon Wright:Because, again, the startups needed need to show compliance
Dixon Wright:to sign contracts, right. So so I think there's some really good
Dixon Wright:things that have happened and the disruption or kind of the
Dixon Wright:creative destruction that's happened with it in terms of
Dixon Wright:what it's doing to, you know, the, the, the audit assurance
Dixon Wright:space, I think, is extremely healthy. But I think it's also
Dixon Wright:has a tendency to, hey, we're just gonna hack compliance,
Dixon Wright:right, which gets us back to the old ways of checking boxes,
Dixon Wright:right, it's like, just doing automated fashion, with a SAS
Dixon Wright:tool. So I think, you know, we've seen kind of various
Dixon Wright:things, and we're trying to be intentional about how we, how
Dixon Wright:we, how we make compliance easier, but we also realized
Dixon Wright:that it's still extremely hard, and it's still very valuable to
Dixon Wright:people's business, right? It's like you do business with
Dixon Wright:federal government, you have to be FedRAMP compliant. And it's
Dixon Wright:got seven figure implications, right? If you come out of
Dixon Wright:compliance, that can be hacked, right. So you know, make just
Dixon Wright:making sure that those tools like are going to fit your needs
Dixon Wright:and kind of your use case, making sure that you you kind of
Dixon Wright:sneak about it with the goals of the company, right? Like going
Dixon Wright:and hacking SOC 2, early on, like maybe what you need, right?
Dixon Wright:But if you get a start to expand on these other things, and let's
Dixon Wright:say FedRAMP is on your roadmap, you know, maybe it's not? So do
Dixon Wright:you have a tool that can grow with you and kind of accomplish
Dixon Wright:the things that you need to do? And then, you know, I think the
Dixon Wright:other thing, too, is just like, who is, you know, these tools
Dixon Wright:make a lot of claims, a lot of which that I think we as a
Dixon Wright:company and co founder disagree with, there's certain pieces of
Dixon Wright:compliance that can't be automated, right? So large
Dixon Wright:claims, like 70% of PCI can be automated. I find that to be I
Dixon Wright:find that hard to believe. And then I think, you know, along
Dixon Wright:with that, right, it's, can I support multiple business units
Dixon Wright:and have like, the same visibility is like that I have
Dixon Wright:with one.
Dixon Wright:And then to what extent does it, you know, connect into my
Dixon Wright:technology stack. So another thing that we've seen in the
Dixon Wright:marketplace is like, these tools are great for cloud services.
Dixon Wright:They're great for like infrastructures, service
Dixon Wright:providers, so they connect into Amazon and GCP. And some of
Dixon Wright:those in Azure. What they don't do is they don't, they don't do
Dixon Wright:anything at the operating system level, right, which is really
Dixon Wright:hard. And I think it's a problem that still needs to be solved.
Dixon Wright:But like, so. Yeah. Like, you may be automating certain
Dixon Wright:components, let's say for identity and access management,
Dixon Wright:and like, who has access and who has administrative access,
Dixon Wright:right? Like you can go and kind of pull and test some of those
Dixon Wright:things. But you're not, you're not doing that at an operating
Dixon Wright:system level. Right. So when we do when we look and evaluate
Dixon Wright:security, we get to evaluate the the actual application itself,
Dixon Wright:the underlying operating systems, and then the underlying
Dixon Wright:infrastructure. So it's like you're covering kind of 1/3 of
Dixon Wright:the technology stack, not, not too not all three. So again,
Dixon Wright:it's like, I think that comes with, you know, these are
Dixon Wright:product companies, not security companies. Again, I think it's
Dixon Wright:super healthy for like, what they're doing and how they're
Dixon Wright:pushing the industry to evolve and to get out of paper, but I
Dixon Wright:think at the same time, there's still a level of maturity that
Dixon Wright:that we have to kind of establish. And it'll be
Dixon Wright:interesting, I think, you know, to see like what type of
Dixon Wright:governance is applied to like, even those types of tools,
Dixon Wright:right? Like, yeah, you can go and do your your own kind of
Dixon Wright:like SOC 2 report, your own ISO 27,000 report. But, you know, I
Dixon Wright:don't, I'm not sure like, that's the type of assurance that we
Dixon Wright:need, we need better assurance that, you know, what is being
Dixon Wright:automated is legitimate. That, you know, the green, the green,
Dixon Wright:Harvey balls that show green are actually green, the Reds
Dixon Wright:actually red and you know, making sure that you know, what
Dixon Wright:it like, what it what we are reporting, what we are
Dixon Wright:automating, and, you know, where we see some of the auditors
Dixon Wright:consuming these tools and kind of, and still checking boxes,
Dixon Wright:right? Like, just making sure that there's some due diligence
Dixon Wright:that's done, or we're going to get in the situation where,
Dixon Wright:like, there, there's like, no trust, because it's all, you
Dixon Wright:know, a bunch of garbage so. So yeah, it's a real fascinating
Dixon Wright:subject, again, tons of money being thrown at it right now.
Dixon Wright:And we're just trying to kind of wade through it all, and be
Dixon Wright:thoughtful about how we're building it and what our
Dixon Wright:customers need. But there's certainly some some really great
Dixon Wright:technology out there that I think can can certainly make a
Dixon Wright:big difference, and allow organizations to scale without
Dixon Wright:having to hire, you know, armies of people to just manage
Dixon Wright:compliance, which is something it's a kind of common occurrence
Dixon Wright:that we see for very, very large organizations.
Dr. Dave Chatterjee:Yeah, very true. You know, when I, when I
Dr. Dave Chatterjee:think about this in the big scheme of things, and obviously,
Dr. Dave Chatterjee:from a cybersecurity perspective, where an
Dr. Dave Chatterjee:organization is trying to stay as secure as possible, and be
Dr. Dave Chatterjee:proactive in their approach, one of the goals of compliance would
Dr. Dave Chatterjee:be to ensure that all the relevant controls are in place,
Dr. Dave Chatterjee:and they are doing what they're supposed to do. But as you
Dr. Dave Chatterjee:pointed out, these tools can't be left to themselves, in the
Dr. Dave Chatterjee:sense, you have to do your own due diligence, to make sure the
Dr. Dave Chatterjee:tools do what they promised to do. In other words, you can't
Dr. Dave Chatterjee:become slaves of the tool, the organization has to have its own
Dr. Dave Chatterjee:governance team by whatever name, they are called, maybe the
Dr. Dave Chatterjee:compliance team to review the relevant tools, recognize the
Dr. Dave Chatterjee:shortcomings, document the shortcomings, and also document
Dr. Dave Chatterjee:how they plan to address the shortcomings this way, there is
Dr. Dave Chatterjee:greater transparency, that, yes, we have this tool, which is
Dr. Dave Chatterjee:going to help us enforce controls. But we also recognize
Dr. Dave Chatterjee:that there are areas where we may or may have to, you know,
Dr. Dave Chatterjee:use other approaches. So so we are coming back to taking a very
Dr. Dave Chatterjee:holistic approach to compliance management as opposed to a tool
Dr. Dave Chatterjee:driven approach where we are basically relying on what the
Dr. Dave Chatterjee:vendor tells us, and we're just going with it, which I don't
Dr. Dave Chatterjee:believe any, any company or any right thinking company will do.
Dr. Dave Chatterjee:But I think it's good to caution them about it. So I appreciate
Dr. Dave Chatterjee:that insight. What else do you think listeners could benefit
Dr. Dave Chatterjee:from learning about compliance management from an information
Dr. Dave Chatterjee:security standpoint? Or anything else that you think is pertinent
Dr. Dave Chatterjee:to this discussion that we haven't talked about yet? Yeah,
Dr. Dave Chatterjee:I
Dixon Wright:mean, I think we've covered covered quite a
Dixon Wright:bit. You know, I think, again, I think we can talk a lot about
Dixon Wright:how compliance is challenging. Again, I think there there's
Dixon Wright:certainly benefits of compliance. I think there's
Dixon Wright:benefits of, you know, industry standards. Like I've always
Dixon Wright:been, you know, a huge fan of how the how the PCI Council is
Dixon Wright:handled, like the PCI standards, in the sense that, you know, I
Dixon Wright:think what is common is like, you know, if you go talk to 100
Dixon Wright:100 customers, and ask about how they do risk management,
Dixon Wright:everybody does it differently. Some of them do it very
Dixon Wright:incorrectly. Some of them do it really well, right. And there's
Dixon Wright:a lot of in between so, so I think like, you know, their
Dixon Wright:stance, his stance, historically is just like, oh, well, we
Dixon Wright:don't, we don't have a lot of trust that organizations know
Dixon Wright:how to do risk management, and then apply the necessary
Dixon Wright:controls to address all the risks that face, you know,
Dixon Wright:payment security. So it's like, we're going to kind of do that
Dixon Wright:for you. Right and tell you there's a 300 things that you
Dixon Wright:need to do to be secure. And if you don't do it, you need to
Dixon Wright:tell us like what else you're doing and what they call a
Dixon Wright:compensating control worksheet. So I think those types of
Dixon Wright:approaches, I think you're super healthy, in many cases,
Dixon Wright:especially if you think about the different types of maturity
Dixon Wright:levels organizations that need to be PCI compliant. But then,
Dixon Wright:at the same time, it really hurts organizations in some
Dixon Wright:cases that take security very seriously and have been very
Dixon Wright:thoughtful about compensated, how they compensate for not
Dixon Wright:having something in place because they don't need to,
Dixon Wright:because the way their systems are architected, or a different
Dixon Wright:piece of technology that they have, in the backend that solves
Dixon Wright:that problem slightly different. So, you know, I think it's, it's
Dixon Wright:all about, you know, I think it's just like we learn
Dixon Wright:something new every day, and a new standard is released every
Dixon Wright:day. And, you know, I think the more that, you know, the the, I
Dixon Wright:think, you know, as all the scares last year with some of
Dixon Wright:the third party stuff that happened and breaches. And I
Dixon Wright:think the rigor that will now be placed on vendor management, I
Dixon Wright:just think it's going to be really interesting in kind of
Dixon Wright:how it all plays out how, what does trust look like, in three
Dixon Wright:years? What does it look in five years? What does it look like in
Dixon Wright:10 years? And can we keep up right, with the pace of all
Dixon Wright:these new regulations? Like, can people really afford to do it?
Dixon Wright:Or, you know, at what point does it become such a nuisance,
Dixon Wright:right? The organization's is like, can't support it any
Dixon Wright:longer, it's too expensive. So I think, you know, we've got to be
Dixon Wright:careful around, like, what we adopt and why we adopt it. Or
Dixon Wright:else, you know, I think it can be a detriment to like moving
Dixon Wright:forward to, you know, for funding that should be spent
Dixon Wright:more on actual security or other parts that kind of enable the
Dixon Wright:business. So. So certainly the thing, a lot of other things to
Dixon Wright:watch out for is, you know, in the coming years, as I think
Dixon Wright:we're going to continue to see more, more of the same, and then
Dixon Wright:there'll be some, there'll be some additional type of
Dixon Wright:disruption that happens and, but hard to see, you know, through
Dixon Wright:all the all the smoke in terms of what that's kind of
Dixon Wright:ultimately going to look like,
Dr. Dave Chatterjee:yep, yep. Very interesting. In fact, the
Dr. Dave Chatterjee:phrase that comes to mind, while you were talking about trust, is
Dr. Dave Chatterjee:trust, but verify, right? We can have all the tools in the world,
Dr. Dave Chatterjee:but we can't become slaves to automation, tools can do only so
Dr. Dave Chatterjee:much. They have to be backed by good governance mechanisms,
Dr. Dave Chatterjee:highly trained personnel, robust oversight. So it has to be a
Dr. Dave Chatterjee:multi pronged approach. Even when it comes to effective
Dr. Dave Chatterjee:compliance. While compliance is one aspect of security
Dr. Dave Chatterjee:governance, it can become a very effective aspect. Once again, if
Dr. Dave Chatterjee:there is a real intent, there's a real commitment behind it, as
Dr. Dave Chatterjee:opposed to trying to outsource it and saying, okay, we have
Dr. Dave Chatterjee:this vendor who can take take care of this for us, we have
Dr. Dave Chatterjee:their platform, they have their tool, and we can look the other
Dr. Dave Chatterjee:way, I don't think that works. And I think you spoke to that,
Dr. Dave Chatterjee:that there has to be oversight, there has to be ownership. And
Dr. Dave Chatterjee:that's when the process will go better. Because it's a evolving
Dr. Dave Chatterjee:landscape, it's a moving target. And conscientious organizations,
Dr. Dave Chatterjee:security concerned organizations must take very deliberate,
Dr. Dave Chatterjee:thoughtful steps. Well, Dixon, this has been a real pleasure.
Dr. Dave Chatterjee:Thank you very much for your time. And let's conclude with a
Dr. Dave Chatterjee:few final words, if you have any for the listeners.
Dixon Wright:Yeah, appreciate you. Appreciate you having me
Dixon Wright:on. So I have been trying to talk shop about this stuff. I
Dixon Wright:can geek out about it all day. But yeah, I think for those
Dixon Wright:listening and yeah, there's a, I would say there's a huge
Dixon Wright:opportunity for folks that, you know, have interest in kind of
Dixon Wright:getting in the security realm of, you know, following some
Dixon Wright:type of like, GRC path as an entry point. Like, there's not a
Dixon Wright:lot of experience that's required. Generally, you know,
Dixon Wright:you don't even need a college degree in some cases, right.
Dixon Wright:There's a lot of security certifications out there. While
Dixon Wright:I'm not really very big on those, right, like go and pursue
Dixon Wright:cloud certifications or security certifications, but but yeah,
Dixon Wright:great entry path into the security world. And then you can
Dixon Wright:kind of pivot where you want to go, but you get a lot of
Dixon Wright:exposure to a lot of different companies and a lot of different
Dixon Wright:kinds of security measures. And so it's a great primer for folks
Dixon Wright:wanting to join and not having a big kind of hurdle to get there.
Dixon Wright:So, we're always looking for great people. So, go look us up.
Dr. Dave Chatterjee:Fantastic, fantastic. Yep. The
Dr. Dave Chatterjee:opportunities are out there for people who are interested,
Dr. Dave Chatterjee:passionate, who are curious, who want to make a difference. So,
Dr. Dave Chatterjee:so yeah, sounds great. Well, thank you again, it has been a
Dr. Dave Chatterjee:pleasure. Thanks. A special thanks to Dixon Wright for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization
