Kirstin Burke: Welcome to our TECH Talk. As always, we’re very excited to be here to just share with you some of the thoughts and insights that we are seeing out here in the market. And man, is this market changing fast. We have got things on hyperdrive over the last year or two, and you blink and things change. New things are in motion, and one of the things that we really felt like we needed to talk about in this TECH Talk was compliance.
We’ve been on the road a lot over the last few months. We’ve been talking to a lot of organizations. Even in the new business that we’re bringing on, the thing that we just keep hearing is this ripple effect that is happening with compliance. You don’t have to look too far in the headlines to see different third-party or supply chain attacks that are increasing, and, really, it’s this realization more than ever, I would say, that third-party vendors are significantly contributing to compliance risk. And how and where that plays out is really causing organizations to struggle, because they now need to comply and think about things they never had to before. And so Shahin and I really wanted to dig into this a little bit today and talk about how this shift in compliance, what’s happening, it’s kind of gone from a back-office checkbox to really a board-visible mandate.
And Shahin, I’m gonna open it up to you. What are you seeing happening and what do you think are the biggest drivers for kind of this ripple effect in compliance where it doesn’t just matter to me, but now it matters to everybody else in my vendor chain that I work with.
Shahin Pirooz: I’m gonna work the answer to that backwards. I think, I don’t think, the biggest driver is the government. There’s a lot of pressure coming down from the federal government and the regulatory space saying, “You have got to make sure, to local, state, and federal government entities, that your supply chain meets the same stringent requirements we have, or else you can’t use them.”
So that’s what’s driving a lot of this. So CMMC is happening. There’s a lot of work in the cloud in terms of gov cloud and the compliance in each of the production, massive multi-scaler clouds. So, what we’re seeing is that companies are being pressured and stressed and having to implement regulatory concerns that they weren’t planning to. They thought, you know, PCI and SOC 2 was sufficient and that would get them across the line to be able to sell to their constituents.
And now all of a sudden, CMMC 3 is getting dropped on their lap because they happened to become a supplier. So I think the biggest concern I have with the nomenclature we use in the compliance space is when we say third-party suppliers, sometimes we don’t realize we are third-party suppliers. Every one of us, if we’re delivering services to somebody else, which if you have a company, I guarantee you’re delivering services to somebody else, you are a supplier. So you are a third-party supplier, and you have third-party suppliers. It’s the traditional customer-vendor relationship, and sometimes you’re the vendor or supplier, sometimes you’re the customer.
So if we take that into account, if you realize you’re a third-party supplier and your security practice requires a security assessment or checklist or third-party supplier evaluation before you bring on their technology into your environment, now imagine you have to do the same thing if you’re selling anything to any state, local, or federal government entity or to a company that is selling to a state or local or federal government entity. You now have to consider yourself taking CMMC seriously. So I think that’s the big shifting sands that are happening. The government is basically saying it’s not enough to say you’re SOC 2 or HIPAA or JCAHO or GDPR or whatever local state version of GDPR, CCPA, for example. That’s not enough.
If you’re delivering services through the supply chain to a federal agency or a state agency, you have to have CMMC. And that’s not an insignificant step up from some of those regulations. So I think to answer your question very directly, the reason is the federal government mandates, and what’s happening is people are scrambling to get compliance done.
Kirstin Burke: Well, and I think when you describe these groups, I think the ones that are most scrambling, if you will, or most surprised, are kinda those in the middle. I deliver services to, you know, these four companies. You know, I don’t deliver services to the government, yet the companies they deliver services to are. And so, it’s kind of that, I don’t know, forward-thinking or reverse engineering or something like that, to try to figure out “Where am I gonna be feeling this pressure?”
And oftentimes, it’s hard to anticipate, and you’re finding out with very little time to be able to comply. And I think that’s where some of these organizations are feeling the pressure, like, “Hey if I knew I had a year to do this, that’s one thing.” If I know that I’ve got two or three months, and if not, then I can’t sell to these folks anymore, that’s a serious business risk.
Shahin Pirooz: So, it’s not just that. It’s not just can’t sell anymore. It’s that you’re talking to new prospects, and they will not sign up now. So your existing customers may give you a little leeway to close those gaps. But you’re signing up new prospects to grow your business, and they will not move forward unless you are compliant with whatever their compliance requirements are. We’ve all heard the saying it’s a trickle-down. Stuff rolls downhill. And if you’re the supplier at the bottom of the supply chain, stuff’s gonna land on you. So you’ve got to be ready for it.
Kirstin Burke: Right. Well, and I think as we talk to folks about this, you know, I think compliance has always been this kind of wily thing that we talk about, like where does it fit? It fits in risk, or it’s just a checkbox, or maybe it has to do with cybersecurity. But it’s so much bigger and broader than that, and it touches so many areas of the business, whether it be data governance or storage architecture or your security strategy.
And I think sometimes organizations are trying to wrap their heads around the entirety of it, and how they need to audit themselves and then how they need to implement change. Can you talk a little bit about maybe how you advise folks to really work through this process and think about it?
Shahin Pirooz: Short answer is that you’ve gotta think about compliance beyond your own walls. You’ve got to consider that people above you in the supply chain have got requirements that you have to adhere to in addition to what you thought you had to adhere to. So that’s the first level. The concept is one of shared risk and liability. So nobody wants to be holding the torch by themselves. They want basically collaboration and shared responsibility in supporting and delivering services.
So if you’ve got a service or a product that is part of the ecosystem that delivers to somebody who mandates access or control sets that you have to implement, you now have to also implement those control sets in your compliance and security practices. There’s opportunity here because a lot of times compliance can create tension and stress in a company to quickly wrap things up. Where I think that’s usually the case is when compliance is used as a checklist, like you hinted at the beginning of this conversation, where somebody is simply going through the motions to say, “Yes, we are.”
It creates a lot of strife within the organization to quickly assemble evidence and implement controls and implement tools to achieve something. Whereas if you look at this as, this isn’t gonna be a one-time thing. It’s an annual endeavor. And if you’re doing what you just did to cross that line every year, you’re gonna stress your company out for one quarter every year trying to achieve that compliance.
So compliance can be used as an opportunity to improve your environment in a holistic and continuous way, as opposed to, we’ve got this one quarter. We gotta scramble to get things done and make sure we got all of our stuff together. And, oh, darn, we didn’t get evidence for the last three quarters. Now we’re gonna get a nick on our compliance report.
So if I were to give recommendations to someone, it’s really around three areas. It’s have an idea of data governance. Where does your data live? What is it? Who accesses it? How often is it accessed? Have audit logs associated with that. Have a storage architecture that you understand completely. Not just we know we store data in places, but tied back to that governance. Where is it and who accesses it? What is it made up of? And how do we recover if we have ransomware, if we have a failure? So these are components of every single compliance architecture. What is your risk? How do you recover from it if you have an incident?
And lastly when you think about security, when you think about implementing security controls to cover the regulatory controls, make sure you’re thinking of it strategically in the context I was just talking about. So a layered approach across all your environment, not just, “I have servers, I have storage, I have backup. Check.” It’s not enough to be able to say that. It’s how do I prevent that stuff from getting ransomware in the first place? How do I not just focus on the data architecture, but go all the way to the edge and understand how my users are working and how they’re interacting, how threats come in from outside my organization into my organization, how my supply chain impacts me and stresses me out. So all of those things.
So I would say, if you think about it in the context of data governance, understanding the architecture, and then having a layered security strategic approach. Those are the three bullets I would wrap my head around in terms of answering this, as opposed to, “Oh, man, I have to add another 30, 40 controls. How am I gonna get this done?”
Kirstin Burke: Well, and I think you talked about really this being kind of an ongoing, I’ll call it an initiative, but that it’s something that you kind of internalize and operationalize so that it isn’t something that takes everybody offline in a scramble. But that… We come from a line of kind of continuous improvement and, you know, Kaizen. And, you know, that idea is that when these things are embedded in your organization, that you have continuous improvement all the time, and really that type of approach can also turn this kind of an obligation into a business opportunity, right? Because then you have a different level of possibly customer trust that you’re offering because you do have something that is just really part of your DNA, right? If you are able to handle this better, faster, more effectively than your competitors, that gives you an edge.
And then you talked about resilience. At the end of the day, we care about compliance because bad things happen. And bad things happen to data, bad things happen to systems. And that ripple effect, again, is so broad because it’s not just your customers, but it’s all of these other customers who have touched your product somewhere along the supply chain. And so from a resilience perspective, if you are able to identify, remediate, recover faster, all of these things really turn into, I would say, a business strength rather than something that you have to do.
Shahin Pirooz: Yeah, I like to think about it as compliance as a foundation for resilience as opposed to compliance as a burden or punishment. If you think about it in that context, then you really start to wrap your head around, “How am I gonna make my company better and a more well-oiled machine rather than without these things?” And, you know, it’s tying what you said back to the three things I was saying. You have to consider compliance beyond your walls, not just your supply chain to you, but when you are the supply chain to somebody else. So it isn’t just you anymore. It’s up and down the supply chain. And then, consider that shared risk. So if I’m at risk, I’m influencing risk into those above me in the supply chain. If my supply chain is at risk, they’re influencing risk into my organization. So if you think about it as part of, you know, a cog in the machine as opposed to on an island, then if the whole machine is working well and is well-oiled, that’s where that compliance as a foundation for resilience really becomes a reality.
Kirstin Burke: Where do you see with the conversations that you’ve been having, where do you see folks struggling the most right now with this? I mean, that’s kind of a general question because everyone’s in different, in different places, but, where is it that folks just seem to be either misunderstanding or something that’s slowing people down in terms of getting from where they are today to where they need to be?
Shahin Pirooz: Typically compliance becomes a very manual and overwhelming vendor management. So especially in the context of third-party risk. There’s usually spreadsheets. You send out the spreadsheet to your supply chain, to all your vendors, and you say, “Fill this out,” and then somebody has to look at all those spreadsheets and compare them. Now, there are GRC solutions that help with this process, some good, some bad, some really ugly. Certainly love to talk to you about how we can help in that space. But that’s probably the biggest thing. It’s manual and overwhelming in terms of collecting the data and then correlating and analyzing the data. So, that’s the first thing.
When it comes to understanding what needs to happen, you need a subject matter expert. So not everybody has a chief compliance officer. So you need a subject matter expert that can say, here’s the regulations that apply to you. Here’s the control sets that you have. Here’s the gaps that are missing. Let’s build a security policy for you that covers the gaps that you have missing, and now let’s implement security controls to close those gaps. So that, if you’re doing it on your own, is like learning how to become an architect, designing the bridge, and then building the bridge, and then hoping the first time you drive your truck across it, it holds. Don’t recommend it. Bring in experts.
And then, as I mentioned from a federal perspective, that evolving regulatory and cybersecurity pressure. So we’re getting this continuous pressure from the regulatory bodies, federal in particular in the context of what we’re talking about today. But it could be industry, it could be internal, it could be a number of things.
And then at the same time, we’re getting pressure, cybersecurity pressure, from the bad actors who are getting better and better every day because they’re leveraging the same productivity gains we are by leveraging AI and getting rid of things that made them easy to spot. Like, for example, phishing: email is still where 93% of all attacks come in. So email is the largest threat vector, and it’s getting better, which means it’s more effective, which means more phishing is actually taking a foothold because we no longer are able to easily spot bad English or choppy language or any of the things that were simple to spot. And they’re dynamically creating domains that look like domains that we [visit]. They’re using Cyrillic characters that look like characters that we would normally see. So a domain is not obviously.
One of my favorites is if you use a Cyrillic character that looks like the letter A and your domain is Bank of America, for example, there’s a few A’s in there. And if you’re not paying attention to it, any one of those A’s or all of them can be a Cyrillic character, which now is impossible for an individual to notice when they’re looking at Bank of America that looks like Bank of America. And I’m speaking about the domain.
So I would say that the evolving attack landscape and the evolving regulatory pressure is the third part of what’s really putting pressure on companies. It’s difficult. Manual, skill set gap, and pressure from both the regulatory and the attackers.
Kirstin Burke: How often do you see just with folks we’re working with. So they have to go through this process, right? They have to implement it. They have to see where their gaps are. Then they have to figure how and where they need to reinforce or build up. Obviously every organization has invested in something, right? I mean, companies out there, they probably have some kind of data storage or data backup or at least antivirus. So people have invested in things.
What is the extent when folks go through this that they have to upgrade, update, go out and buy new, and how do they prioritize what they need to do to get kind of to this green light in compliance? Like, what does that look like? ‘Cause I think, you know, I think some folks think, “Well, gosh, does this mean I just have to go through this process? Or does this mean I have to completely go through and rip up or rebuild what I already have out there?”
Shahin Pirooz: If you’re doing this manually, the challenge that really comes to mind is every time you do an evaluation of a technology, and let’s say that you discover that you have a control gap and you need a widget to close this gap. Now you have to go and find what vendors make this widget, and then you have to evaluate those vendors against each other.
Then you have to have contract negotiations to figure out is the pricing for this thing something that I can burden or not? What’s it look like? What’s the terms? Can I get out of this easy? Then you have to do a risk assessment of does this impact anything else in my business? Then you have to install and configure this thing, so professional services, deployment, disruption in the organization. Then you have to train your people, and then you have to operate it and you have to maintain that platform so it doesn’t go stale.
And that’s just one control. And in 18 to 36 months, you have to do that again for that same control because security tools have a three to five year lifespan at the greatest, and sometimes much shorter than that. So if you’re every two to three years changing out tools, you’re probably every year doing one of these technology evaluations, shootouts, contract negotiations, migrating from an old tool to a new tool, implementing this new tool, configuring this new tool, disrupting your organization with the changes, and all the way down that list. And then again, you do it again next year for another control.
Any typical mid-market organization should have somewhere between 10 and 20 security tools if they’re doing a proper layered security approach. So if you’re doing one a year, you’re probably not getting them done. You’re probably gonna be really behind and you’re probably, if you think about that five-year lifespan for tools, you’re probably doing three to five of those a year. So now it gets to be every quarter, you’re doing a shootout and now pretty soon you’re going to have to have a team dedicated to nothing but evaluations and shootouts and installation, separate from your team that operates the environment.
That is fundamentally one of the things we help close the gap on with our managed security services: we have a continuously improving, evolving tech stack that is fully integrated, correlated, and managed on your behalf and with you in a co-managed model. So that could solve that pain point. And with a 30-day onboarding guarantee, you can close that gap really quickly.
We have examples of customers, in the context I’m about to talk about it was PCI, that had a quarter, one quarter to become PCI compliant from the start of the assessment to the end of the assessment. And one of their biggest gaps was microsegmentation of the in-scope systems. And we were able to get that done. We started the implementation of microsegmentation and the pre-assessment for PCI at the same time, identified the control gaps. We closed whatever gaps there were beyond the microsegmentation with a few other services.
And at the end of the 90 days, we did the assessment, the full assessment, and they were off and running with PCI compliance. They hit their targets, they came out and it was the last quarter of the year. They came into January with their PCI compliance and met their internal requirements to the board. So I don’t recommend that kind of aggressive timeline for clients. Just showing that, with our ability to close security gaps, we can help you even if you’re late in the process and have not had a lot of luck trying to close those gaps yourselves.
Kirstin Burke: Well, and I think what makes DataEndure so special, you know, we definitely have a powerful managed security platform and solution for folks that are looking for that. But when we think about the other two areas that you talked about, too, data governance and storage architecture, we’ve got a 40-year track record of helping organizations really evaluate what they’ve got and, whatever these new pressures or demands are on them, how to get the most out of what you’ve got or how to very cost effectively move to what you need.
And so, I think as someone who just always has a heart for the folks out there trying to do business, which didn’t really have to do with all of this data resilience and protection and everything like that, right? If you’re a lawyer or if you’re a construction firm or whatever, being able to go to one place that really has a deep understanding of, I would say, this whole business resilience architecture and how and where these things affect each other. You know, powerful security solution, deep, deep bench on storage architecture and the data governance that needs to really flow through all of that. So, part of this obviously we wanna talk about issues that are out there in the wild, if you will, but also just exposing folks to an opportunity if you’re feeling like you need help, if you’re in one of those situations where you’re like, “Wow, you know, just learned about this and I gotta figure out how to comply here quickly.”
We’re really in a position to help at least give you some insight if you don’t wind up working with us and try to go do it a different way, but we have some very powerful tools and assessments that can really help get folks on the right path.
Shahin Pirooz: Totally agree.
Kirstin Burke: So any closing thoughts? So we talked about this as a ripple effect. We talk about this as something that really is kind of sneaking up and surprising some folks, you know, having this additional layer of complexity that they have to factor into their business. What would you like to leave our viewers with?
Shahin Pirooz: As always, we’ve got a portfolio of health checks that we can leverage in a pre-sales context to help you understand what your risks are and what your exposures are. And beyond that, we have full assessments from pen testing, the security assessments, the network assessments that can help you understand the ecosystem.
And then I would say the resilience workshop is probably one of the most interesting things to consider in this context where we can do a business resilience workshop that is helping you understand what regulatory concerns apply to you, and it really is trying to get an understanding of the things I said earlier: Understand your data, the architecture, and what the layered approach looks like.
And so the business resilience gives you an ability. It’s a workshop that allows us to interact with your top people in each of your departments and a cross-section of the organization to understand what is critical, what are the business systems you can’t do without, how long can you function without those systems being recovered, and then giving you a health report card basically that says here are the things that we think are at risk; now let’s identify what things you wanna address. And it’s from a risk mitigation perspective. That leads into potentially managed services, professional services, compliance services, a handful of things that can help you close gaps, reduce risk.
Kirstin Burke: Got it. Well, thank you. Thank you for joining us and thank you, Shahin, for your time. We always get some new powerful nuggets from you during these TECH Talks. So, appreciate your time and we will see all of you next month.