Time: 59 minutes
Difficulty: Advanced
CEU/CPE: 1

Video Transcription

00:01
Hello and welcome. This is Leif Jackson. Here we are,
00:05
rolling right along. It's competency 10, Compliance, of the 12 Competencies of the Effective CISO, with Ed Amoroso. Uh, very, very excited about this. Just two quick announcements. One is we sent a survey out to everyone in the group here.
00:24
Um, and it's very short. It's only a couple questions about recommendations and also about course experience. Um, and any feedback that you're willing to give us is a gift, and we really appreciate it. It helps us build our content in the right way for you.
00:41
In addition, uh, what we're gonna do is, instead of having the last session on August 8th, our understanding is that a lot of people will be at DEF CON or Black Hat. So we're gonna move it to the 15th of August as our last session, our twelfth session. Very, very excited. Uh, Ed, take it away.
01:00
Okay. Thanks, Leif. Yeah, and I think it'll be easier to do, ah,
01:03
to skip the week, the Black Hat week. One of the main reasons, I know Thursday tends to be travel day
01:11
when you go to Black Hat. That's always the day that
01:14
you kind of bail to get home so that you have a nice three-day weekend if you can. So Leif and I thought, let's just push the last
01:21
session out. And the last session's important.
01:23
So I want to make sure that if you can make that one, you make it. That's our one on leadership, and I think that's the most important thing. I've been getting some notes from people about the course and the competencies. And as Leif said,
01:37
we have asked you guys if you can fill out the feedback, that'd be great, because as we share this, it's the first time through the material, and I created it, and it's funny, I never know what's going to kind of play,
01:49
um, in a given lecture. Some of it, as I'm doing it, I feel like it's great. I'm like, I love this. And other times, you know, it could be marginally cringeworthy, and I apologize if there are pieces that have been that. But that's how you develop a new course. I think over time we'll
02:07
prune it down and kind of make it into
02:10
a very sharp piece. But you guys are awesome to participate
02:15
in our first session here, and the notes that you guys have been sending me, very helpful. One question comes up a lot is, you know, is there a difference between competencies and habits? And I'm not sure. Maybe not. You know, maybe we could have called this the 12 habits of, like, there've been some popular books called that,
02:34
you know, the habits of the this or that?
02:37
Um, yeah, maybe. I don't know. I hadn't really thought about that, but I've been thinking of them as competencies, meaning things, skills that you need to build, or awareness areas to build. I don't know that compliance is a habit,
02:50
but understanding how, in this case for today, to navigate and have the right sort of belief structure around compliance, I think that is important.
02:59
So I don't know. It's a good point on habits versus competencies. I'll think that through. But for now, we'll sort of stick with: if you'd like to be, you know, a successful CISO or security executive, you know, these were the 12 that I thought
03:13
struck me as being present in the people that I see who are both effective and successful,
03:22
any one of which missing causes a problem. And also things that I think will help you. So again, thank you. It's really been a fun 10 weeks so far.
03:34
And I'm glad we still have two more after this. But I hope you enjoy today's. I worked on this all week, thought really hard about this one. What I did was every
03:45
every day this week, I tried to focus on something that I thought made sense, and I threw out about half of
03:52
the things that I had. And I came up with a group of things, belief structures, that I think are necessary in dealing with compliance. There's probably a lot of people on this call who are experts in compliance, and I don't consider myself an expert in compliance.
04:08
Um, dealt with it a lot. Deal with it a lot now. Actually have a practice,
04:12
consulting practice, that deals in this. I do know a lot about the details of compliance, but
04:17
I don't consider myself an expert, and I think a lot of you, maybe, there's probably some folks with good audit backgrounds, so I'll be interested to see what you think, but I'm not gonna take you through stuff you already know. This will be the first talk on the history of compliance
04:32
that doesn't mention any specific compliance standards, because I think that's irrelevant. You know, the compliance standards come and go,
04:40
but an understanding of compliance and a belief structure around it, that's lasting. So here's what I wrote as our, you know, we always write a kind of a sentence
04:49
that I think is kind of a manifesto here. It's that the CISO understands the objectives of compliance versus
04:57
security, that that's the number one thing, just understanding
05:00
that one doesn't imply the other. But they both have objectives,
05:04
and they're both good. You need to do both right. It's crazy to roll your eyes at compliance. And it's also crazy to roll your eyes at the operational security team, you know, saying it really just comes down to compliance. They're both important. Both have objectives, and one does not imply the other.
05:20
And anybody in our industry who doesn't agree with that probably needs to rethink that. Yet there are portions that imply, like if I do a NIST compliance, and I hadn't been compliant before, I'm probably more secure, but compliance doesn't imply security, and the inverse is also not true.
05:40
And then I wrote here, develops the skills to persuade, influence, and negotiate with the people who,
05:45
you know, are on the compliance side. And we'll talk a little bit about that because this is a
05:49
persuading kind of thing. And it requires some thoughtfulness that you'll see in our case study
05:59
that we put our hero in an interesting situation
06:03
where she has to make a decision
06:05
about an audit. And hopefully it'll be something that will resonate with you if you haven't already read the thing. But for me, a lot of people say, what does it boil down to?
06:17
You know, this compliance versus cyber.
06:20
And here I always think of my, uh,
06:24
I spent a day with Spike Lee, the guy who did Do the Right Thing. So you think it's Spike Lee, like that's the image when somebody says compliance versus security. No idea why it pops up with him, to Do the Right Thing,
06:39
but it's kind of like, doing things right is important. That's compliance. And doing the right thing is important. That's security.
06:47
I know that's not perfect.
06:50
But if you just have, if you're having a drink with a board member
06:54
and they say, hey, you know, what do you think is the difference between compliance and security? And you're having a drink now. They don't want a big, long lecture and a bunch of technical stuff.
07:06
Then I found that this one works. Let's say, hey, you know what a good way to think of it is? Compliance is making sure you're doing things right. It's important to do things right. And security is making sure you're doing the right things. And usually a board member will go, I love that, or yeah. So think of Spike Lee when you're asked about this. That's
07:25
for me, a mnemonic.
07:27
Um, if you ever see me asked that question, you'll know what's going through my mind. It's
07:31
Spike Lee is a fellow Knicks fan and longtime suffering basketball fan.
07:39
He gets to sit with his feet on the floor, right behind the Knicks bench, and this guy here, me, I sit up in the cheap seats. All right. Now
07:49
what we're gonna do is we're gonna spend a few minutes
07:54
on a
07:57
a few minutes each on seven beliefs that I came up with. Like I said, I pruned it down. I thought a lot about these. What is it that's made for a successful engagement for the security people doing compliance? These are not beliefs for the compliance team. This is not beliefs for the executive. This is not for the
08:16
auditor.
08:16
This is for you. And I use CISO as the
08:20
broad generalization for security executive, cybersecurity executive. That's what we're talking about here. If you're on the team that, you know, does firewalls and does authentication, IAM, does all that kind of work, and maybe includes a compliance component. But from the security team's perspective,
08:39
and these are the beliefs that you have to have, because what I think it comes down to is my observation that you can't be cynical about compliance, and you know what I mean. You can't be that person.
08:52
So when you say compliance, you get that look, and you know the look I'm talking about, where you think, oh, compliance, ah, brother, where you're essentially rolling your eyes
09:03
at this obligation that you have, that if it could just go away, everything would be just fine. If you're that person, then you're not going to be a successful CISO. You have to be someone who recognizes that there is spectacular benefit
09:18
in doing compliance properly,
09:22
but always understanding that it's just flat out different from cyber security. It's just different.
09:28
They're related. They help each other, but they're different. So let's start with the first one, and that's that
09:35
compliance must be taken seriously.
09:39
But for example, compliance could be the difference between saving lives and not saving lives. You have to recognize that compliance controls are there because you may have forgotten something. That's really what I mean when I say do things right. Making sure
09:56
that if there's a book, you're following the book. Now again, there's going to be challenges. You'll see one of my later beliefs here
10:03
kind of balances that, you know, there are other issues than just always doing things right.
10:09
But you have to recognize that if you don't take this thing seriously,
10:13
there could be some ramifications. Now, again, I'm gonna show you images for each of these that go through my mind
10:22
cause I'm always talking to people about compliance. And I always say, you need to take it seriously, and I start with this guy and that book, by the way, Ralph Nader.
10:31
So it's kind of funny.
10:33
I grew up in a household
10:35
that, well, my parents were way too into the sixties, and I balanced it, like I think of myself as a more balanced person than my dad. He's 87 now, and I think he still writes in Ralph Nader in every presidential election, and, funny, it's a family joke that my dad
10:54
loved Ralph Nader so much. But look, one of the things Ralph Nader did back in the sixties
11:00
is he's kind of the guy who drove compliance standards in the automobile industry that we all take for granted now.
11:09
I'll admit, you know, again, it's a family joke for us because my dad loves Ralph Nader so much. At one point my dream would have been to find a way for him to meet him. But the family joke is, you know, this guy did get a little over the top at times with things, but look what he did. I mean, we wear seatbelts because
11:28
he and others
11:30
pushed for that. That means lives were saved because of that, a lot. Like how many people could you point to and say, through your efforts, many, many lives were saved? It's not a lot of people that you could point to and say that. So again, going back here,
11:48
when you're taking compliance seriously,
11:50
especially if you're in a regulated industry, or in an industry that supports regulated industries. If you're in a bank, or you're a telecom, power company, or a transportation company, or a military or important government agency,
12:07
that really, if you don't take the compliance seriously like this guy did, it could have serious ramifications for people's lives, period. That is not a conjecture. That's something that's true. So a lot of times when you're in that meeting
12:24
and you're getting beat up over a compliance thing and you just think, man, I should have been an orthodontist. Why am I doing this? I want you, just if you can, to think of Ralph Nader
12:35
and just recognize there is some good that comes to this idea that we're gonna demand that there be compliance standards and frameworks in place to make sure that we're not being sloppy about things, that there's a checklist of items
12:52
arranged in a careful taxonomy that makes sense in some
12:56
meaningful kind of way, that ensures that people are not being sloppy about things that they, in fact, should be much more diligent about. This is the face that comes to mind for me when I'm asked, hey, do you think we should take compliance seriously?
13:13
And I think, well, there was a guy in the sixties who did that,
13:16
and as a result, a lot of children and people have been safer because of his work. So keep that in mind.
13:24
The second belief that I really feel strongly about
13:31
is that
13:33
compliance should be good business.
13:35
It should be
13:37
that there's a competitive advantage to doing things right. Now, I wanna tell you a story here.
13:43
In some industries, let's start with the airline industry,
13:48
um, it's not reasonable to use compliance
13:52
in sort of a life-saving kind of situation as a differentiator. Like, it would be pretty disgusting for United Airlines to say, um, we have better maintenance standards, you know, therefore you're less likely to crash and die on a United Airlines flight
14:11
than you are, you know, if you go fly
14:13
you know, Delta. That's not a great idea. Like, I don't think anybody
14:18
would necessarily propose doing that. Um,
14:22
I guess there are some industries, maybe, that do. And that's kind of the point. Like in banking,
14:26
it's kind of in the middle.
14:28
I would say that, and I have some experience, obviously, banking, more from a board perspective than as an executive working there. But it kind of does come up like, hey, should we run ads that say we've got better security? So therefore, use our business banking services, we'll keep you nice and safe, and the other guys don't spend anywhere near as much as us
14:48
on compliance and controls and so on. I haven't really seen too much of that. I think that people would say that,
14:58
but I don't see it in the advertising, so they're in the middle. But then go over to telecom, and it is an open differentiator between telecommunication companies.
15:07
You're more than happy to say, hey, you know what?
15:09
We have better security systems, and if you go deal with them, you're gonna get hacked. It's just the fact of the matter. Just fact. Take it from me that there is, it is a point of differentiation. But regardless of
15:26
whether you're in camp A, B, or C, A being you would never even hint
15:31
that compliance is a differentiator, you know, in the context of the overall mission, or in the middle, like banking, or in, you know, where you do differentiate based on compliance and security,
15:43
regardless, I think that it's just flat out good business to take it seriously, to do it. And here's an example. I remember,
15:50
when the last guy, when Ralph Nader was, you know, kind of pushing
15:54
for better standards like air bags,
16:00
um,
16:00
the life insurance companies and General Motors and all the others, they fought it. And I guess they fought it because they thought it wasn't important. Astoundingly, even the life insurance and auto insurance companies fought it. They just don't like change. If you go back and look, you can see
16:18
that the lobbying groups for insurance and for
16:22
the car industry were very unclear about whether they liked, you know, airbags and this and that, I'm sure. But once they were in place,
16:32
different story. Once everybody, look, the airbag, it could save your life. It will save you money at Allstate. So there's somebody taking this, you know, this compliance activity, making sure that it's done and that they're tested and that they're at the right level. "Air bags are the only road tested and injury criteria tested
16:52
passive restraint system available today."
16:53
But this is compliance 101 here.
16:56
You can see that when you do it right, it really could be good business. It could be something that
17:03
you make a point of differentiation. Now, one thing I think is funny. See, "Allstate will provide a 30% discount on the medical coverage portion of the auto insurance for cars factory equipped with air bags." Look at that. Whoa. They don't do that now.
17:18
And interestingly,
17:19
cybersecurity insurance doesn't do anything like that either. I had predicted
17:25
that when cyber insurance would become, and it has become, an important differentiator, you know, in the risk transfer role in an organization, and just about every large company does it now. I had predicted that you would see things like 30% discount on your this or that on your coverage if you're using a
17:44
Palo Alto Networks gateway, or if you're using the Fortinet,
17:48
you know, mesh to protect yourself, or, you know, their nice fabric, or you're using two-factor from,
17:53
you know, Cisco Duo or whatever. Well, I thought that would happen. It hasn't happened. Now
17:59
you can't get discounts for good behavior in cyber, and the reason I was predicting that is I remember reading these ads and studying these and thinking that's how insurance emerged. Now you don't get a 30% discount because your car has an air bag. Now that's ridiculous. But in the early days you did,
18:18
like I think this is a really interesting ad
18:22
because it shows how things evolve and so on and so forth. So compliance moves you forward. It becomes embedded in the fabric of what we do, and it makes things better. So if you're like me and your instinct is to resist compliance and say it's not really security,
18:37
just remember that there's a lot of really good things that come
18:41
from demanding compliance, particularly in
18:45
in the sectors that have consequences if hacked. So that's one and two.
18:55
Number three here
18:56
is around negotiating.
19:00
I made a personal study in my career
19:04
of negotiating,
19:07
and I think I've told you guys already that the greatest book ever written was Dale Carnegie's How to Win Friends and Influence People. There is no book better.
19:15
I have
19:15
20 copies of that book.
19:18
One sits in the drawer of my nightstand,
19:22
and every year I make a point of going back through
19:26
the Dale Carnegie basic tenets. Not because it's just entertainment, but because I think life is a negotiation. I run a small business. I teach at universities. All of those things require the ability to negotiate. And everyone listening to my voice right now knows that's true. But nowhere
19:45
is it more important
19:48
than in compliance. It is the ground zero, ground zero,
19:52
for having negotiating skills, because compliance is not a black-and-white thing. You negotiate with the auditor, you negotiate with the assessor. You all know that's true,
20:00
and you should be focusing on win-win. Now, all the books I've ever read, and I have a library of them, um,
20:07
this little dumb book by Herb Cohen that I bought a long time ago
20:14
is still my favorite, You Can Negotiate Anything. It's such a hokey title, and there's a lot of goofy stuff in there. But I love the book. I saved it,
20:26
and it was important for me as a young man. You know, I read this, I'm gonna guess, in the eighties or something,
20:33
and there's a bunch of other books since maybe you have something better. And like I said, Dale Carnegie is still the best,
20:38
But You Can Negotiate Anything is a book that teaches you the basics. Meaning, you know, when you go into negotiation with anybody, you start with,
20:48
you know, what you'd like your optimal deal to be.
20:52
You then balance that with what you'd be willing to accept,
20:57
the least
21:00
acceptable.
21:02
but you're still willing to accept, deal. So you have a range of things,
21:07
and you just know top and bottom. You know, the top is whatever. It's usually kind of open-ended. But being realistic,
21:12
you say, what's the most I can hope for? Namely, that the auditor will give me a two in this area. Let's say a two is a great score. You go into a meeting, you're gonna talk, you have to convince the auditor that what you've got are effective enough controls to get a two, so your CEO will love you. That's your goal. But you might decide, well,
21:32
if they want to drop it to a three,
21:33
I can accept that as long as the language in the report is what I've got right here in front of me.
21:41
So he teaches you, you don't go into a meeting open-ended. When somebody says, hey, let's just see what happens, and you're walking into a negotiation, run for the hills, because that person doesn't know how to negotiate, period.
21:55
Maybe that's saying that they know something else. But if you don't have in your mind
22:00
the objective of a negotiation and then at the least
22:03
kind of acceptable outcome, where it's all planned out,
22:08
then you don't know how to do it. And if your negotiating partner comes, and you can see here Khrushchev and Kennedy
22:15
kind of negotiating something, I'm sure pretty important.
22:19
Um,
22:21
then I'll get to those two guys in a minute because I want to tell you something about Kennedy.
22:26
Um,
22:27
And if you don't have that top and bottom, then you're not doing it right. If you go into the negotiation and they start way below your bottom, then you know you've got a problem.
22:36
You know, you're probably not gonna get your top.
22:38
You might try to negotiate to get them to your least acceptable,
22:44
because again, it's still acceptable. But it's your least acceptable. If you can get to that, then you know what kind of a negotiation you're in, and if they won't get there, you walk away, because you've already decided
22:55
that you're not gonna accept something worse than your least acceptable. That is something, right? Now, I'm gonna pause here for a minute. There's a couple of comments. What if your auditor is right? The finding could help you get funding. We will get to that, but let me address it. Look,
23:11
if you just started out on a job and you're in a honeymoon, then you hope that the auditor finds a zillion problems and you blame it on the last guy or gal. That's a little joke, but it's true. If you're new to the job, call the auditors in, find all the problems, blame the last person, get your funding.
23:30
If it's not, then it's a balance. Because, look,
23:34
you get enough bad audit findings and you're gonna be getting three envelopes, right? Or, you know, working on your resume. You don't want to fudge the audit. You wanna have a great program.
23:47
So the idea is you should have a compliance program that will result
23:52
in great results, or not. Now, if
23:55
if the auditor claims that they're right and they're not, you should negotiate. But if the auditor's right, look, the premise of the question, this is from Hunt's, if the premise of your question is, if the auditor's right, then I don't believe it's ethical to talk them out of it. If they're right, then they're right. I just mean
24:11
if there's negotiation here where there's no right or wrong, you know, the situations where there's
24:18
different perspectives here,
24:18
um, then that's a different kind of thing. So I hope that's helpful. And then Don is asking, let's see, such and such an assessment of our business, what's recommended, and then work with a term of the best coverage. Yeah, there's a lot of companies that will do those assessments. Now let's get to Mr. Kennedy here. Kennedy's a very charismatic guy,
24:38
Um, he was somebody that I know my parents loved. He was like a symbol of a young new generation
24:44
and, frankly, was a terrible negotiator.
24:47
Couldn't get much done. Um,
24:49
and you know, sadly, you know his his life ended,
24:53
but the guy who replaced him
24:56
was not such a handsome guy, Lyndon Johnson.
25:00
I know that
25:02
homely, you know, dangling kind of guy who was in Texas,
25:07
just kind of a mess. But the greatest
25:11
legislator who's ever lived, at least American legislator. I've read Robert Caro's four volumes on Lyndon Johnson, and I find Lyndon Johnson to be one of the most spectacularly interesting people who we've ever had as a political leader in the United States. That guy not only could negotiate everything, he could win every negotiation.
25:30
he would lean into a person,
25:33
grab him by the collar,
25:34
look down on them. That was called the Johnson treatment. That guy knew what he was doing, and the way he did it is he knew what was important to you.
25:45
And when he went into a negotiation, he didn't think about what was important to him. He knew what was important to you. He knew what he needed to get, and he knew what was important to you. Now, that's not always gonna be so easy with an auditor. You know, auditors and assessors, they tend to be kind of dispassionate. But look, we're all human beings.
26:04
One of the things that I loved about Lyndon Johnson is he knew the names of everybody he dealt with. He knew their kids' names, you know, what they liked. He would send them little notes. He would call the home
26:18
and say, hey, little Johnny, would you get Mommy on the phone? Tell her it's the President of the United States. And it just, he had a way
26:27
of making things always kind of, all the skids were greased in his direction. And you could do that with auditors. Like, how many of you in your team
26:37
ask maybe the audit team to come on a quarterly basis and just update you on processes and best practices in audit? Just educate us on what you do. Not about any audit, but just, we wanna learn who you are, learn what you do. Come in. We'll get pizza, come to a lunch and learn, and teach us about best practices in audit.
26:56
I'll bet you the answer is not a single person listening to my voice does that.
27:00
Is there a reason why you don't? Because you're busy? Is there a reason why you should? Of course you should. Lyndon Johnson would.
27:07
He would know all the auditors' names. He'd take them all out for lunch. He'd make sure he invites them to things. He'd create an award called The Greatest Auditor in the World and give it to each of them. Not saying you're bribing or changing or whatever. These are nice things to do. It's called negotiation.
27:25
So look, I told you it might be some hokey stuff. There's Herb Cohen there. I love his stance in that book, but there's a lot to learn by looking at the way people negotiate, and it can help you get better outcomes when you're dealing with compliance officials.
27:42
Now, the next thing is that compliance is one component of a good defense. Here's my quibble with compliance. If you're dealing with an offense
27:53
that is nimble and changing and virtual and dynamic,
27:59
then you need to have a defense that has all those characteristics as well. Dynamic means the ability to change,
28:06
and the problem
28:07
is that when you burn compliance requirements into an infrastructure, if it's a hard process, then the instant you're done, and we have a guest coming at the last 15 minutes who I went through this with many times in our career together, where you go through a compliance audit
28:25
and then you're so happy it's done
28:26
and you say, gosh, don't touch anything, because if you move the architecture or you add something, you could invalidate our compliance. Whatever you do, the process, we have just got a good audit, leave it alone. You change it, then we have to get it redone.
28:45
That's a problem, and it's a significant one. If there's one criticism that I have for most compliance programs, it's that they don't optimize to change. And I talk a lot to ISACA, and anybody on this call who is part of the audit community, if you need me to speak with your communities, let me know. Happy to
29:06
connect up. I think I may even have one outstanding request from someone
29:11
in this class asking that I do something with ISACA. If I've been delayed,
29:15
ping me again. I love to talk to auditors
29:19
because I like to make sure they understand that we do take them seriously. It is good business. It does require a win-win focus. But
29:27
defenses have to be nimble, and they have to be dynamic.
29:32
And compliance is usually done better when things are static. You all know that's true.
29:37
Now here's somebody who I think knows that. See that guy with the Giants shirt on? That's Bill Belichick. That's my favorite picture of Bill Belichick, by the way, because I think that's really where he learned football, with my team.
29:49
Not that weird team he's been with for the past few years up in Boston.
29:55
Just a joke. But
29:56
What, Bill Belichick was a defensive coach. He built the New York Giants football defense. That's him sketching
30:03
a defense. You know, when the Giants had Lawrence Taylor, it was a powerful defense in the 1980s, and if you go back and look at that team, you look at the way they played defense, it was unpredictable. The Giants had, maybe you're not a football fan, the Giants had this guy named Lawrence Taylor, number 56,
30:21
and his role on the football field was basically do whatever you want.
30:26
So you see, in the little red under his elbow, do you see the number in the circle there? It says 56.
30:33
That's Lawrence Taylor of New York Giants, and his job was, Do whatever you want.
30:40
It sort of doesn't matter.
30:41
So there was no compliance. There was no predetermination. He lined up where he wanted to go. And over on the left, there's a number 58 circled. That was Carl Banks. And he had a similar kind of role. Maybe not as freewheeling as Lawrence Taylor,
30:56
but the way this guy, this genius Bill Belichick, who knows more about defense than any human being, I mean football defense, that I know,
31:06
um, he set up that defense to be something that was unpredictable.
31:11
Now, I don't know about you, but a sentence that includes the words unpredictable and compliance is something I've never heard.
31:22
Predictability
31:23
is the essence of compliance. You've got a predictable, testable condition that's repeated, that's in the book, and that's maintained and practiced through the organization.
31:37
The idea that you're gonna do some unpredictable thing doesn't make sense. And in this book, The Art of War,
31:44
There's a lot in there about being
31:48
able to shape your defense
31:51
to the offense.
31:52
And compliance standards do a terrible job of that.
31:56
They're not. There's nothing in NIST or GDPR or anything about shaping your defense to the offense. Nothing like that. These are rigid standards that dictate making certain that if I ask you for X, I want you to get rid of all my data, you can do it.
32:14
Well, all right, then, here you go. That's important. For that, the rigid rules, these compliance frameworks are excellent for. But they're not so good for the Bill Belichick here, being fluid and dynamic and having a changing approach,
32:29
the way you do defense. Does that make sense? So that's something that I want to make sure you have in your mind as you think through,
32:37
you know, how these compliance activities
32:39
may or may not pervade what you do as a CISO.
32:44
Now, number five here is that you need to recognize that the compliance stuff is gonna lag leading-edge innovation. That's just, uh,
32:51
you're not gonna have inventive, innovative things embedded in a standard. If you're going to standardize on a screwdriver, it's going to be the *** one that everybody uses, not some new thing that somebody comes up with. So this guy, we think that this becomes part of the landscape in cybersecurity infrastructure, we're getting attacked
33:10
by weird robotic
33:12
this or that using a I The standards are not gonna have a good way of handling that. No. Over time, as we get some experience, we might find that you do need standards. So, for example, you see your building that robot there and he's got probably using a I ive published a framework that demands that the manufacturers
33:31
who build this kind of powerful stuff
33:34
have a way of controlling it
33:36
like a way of
33:37
pull the plug. If the thing starts going a little nuts. Allah, you know what a long musk and others are fearful of that. The aye aye is gonna come on, get us all.
33:46
Well, whatever. Then there needs to be some standards for the manufacturers of the AI
33:51
to demonstrate that, if necessary,
33:53
they can stop the software, they can control it. And if they go out of business, there needs to be a way for whatever they've deployed to critical infrastructure to have some new steward, so that we don't have these orphaned AI machines floating around. That's not in any standards. Now, this technology is there,
34:14
the standards are not,
34:15
compliance is not there. There's no compliance. See that guy there with the laptop? If you said, does your robot meet proper compliance standards, he might say, yeah, if I plug it into a wall, it meets the UL standard for power. You know, I mean, there's some basic, stupid, run-related stuff,
34:34
but that thing is not regulated
34:36
by any proper compliance standards. There's no section in NIST for AI.
34:40
So recognize that you can't really expect compliance standards to do that. We can't complain that they don't.
34:50
We just need to understand and accept
34:52
that when we're dealing with a compliance standard, it's going to be for technology that has existed or exists now and is the norm. It's a hammer. It's a screwdriver. It's a saw. It's, you know, it's up and then going from a hammer and nail to a nail gun.
35:09
Okay, now you'd have safety standards around nail guns. When the first nail gun came out, there was no compliance around that. How about table saws? My grandfather would have had a table saw that basically was a flat piece of metal with a groove and a big round blade. No safety, no
35:29
anything.
35:30
And he'd just take the wood and slide it across this open blade that would, like, take your, you know, your nose off.
35:37
Now you couldn't buy something like that in a million years. I've never seen a saw like that. There's all kinds of safety equipment. There's compliance. But the first ones that came out, nothing like that. That's the way compliance works, so you can't complain about it. You just have to celebrate that we standardize on things we use, and we
35:55
innovate new things in the hope
35:58
that they'll become the norm and then they'll have compliance wrapped around them. That makes sense, I thought it might. There's a lot of us who do cybersecurity who tend to roll our eyes at, uh, compliance standards. They leave this out, they leave that out. And yet we should be arguing if we think it's time to bring something in.
36:16
Like I've been arguing that
36:19
breach and attack simulation
36:21
is an area that should be in the compliance standards more prominently. No question about it.
36:27
It's not, but it should be. Everybody's using that. You could argue that, um, endpoint detection and response should be there. There's some other areas that should be there, so we can quibble about where the edges are, but recognize that the newest stuff is not gonna be part of any standard.
36:46
So that's that. Now, related to that
36:50
is that standards that are selected,
36:53
you know, when you do dictate a standard,
36:57
it's not always the best technology. It's generally more reflective of what people are doing,
37:02
so that's important.
37:05
When you write a standard and you demand compliance,
37:08
I think it's wrong for compliance to be directing
37:14
what type of technology should be used. I don't think that's the purpose of compliance, or of good compliance. I think something's wrong
37:22
when you see a compliance standard that's
37:23
pushing with a bias toward a particular technology. I think it's better when the technology has already demonstrated that it works and proven its value,
37:34
and then we say everyone must be using this. I think that's much, much more acceptable. And here's the obvious example, right? In the old days, you know, old people like me, you knew that Betamax
37:45
was a better format, had better quality than the VCRs that you were using. There's this JVC box there,
37:55
um, and a guy checking VHS against Beta.
38:00
No question as to the quality, Betamax is better, but everybody used VHS just because that's the way the business went. So if you were standardizing on something
38:10
and you're gonna write standards that are reflective of what, in this case, you know, 90% of the market at the time was using, they were using VHS format. The professionals, like if you went to a TV studio,
38:23
they used the other standard. But you recognize, again going back here, the standards don't always include or reference the best technology. They reference what people use, and they shouldn't be directing technology decisions. They should be demanding compliance to known,
38:42
demonstrated approaches that, in our case, reduce risk. Okay,
38:46
and then number seven here, the last one
38:50
is
38:51
Look,
38:52
if this whole thing is done right, if an audit comes in and there's compliance, it really can and should be a positive experience. It shouldn't be like a root canal. It shouldn't be something that is just ruining your life. It should be positive. Look, here's this person, you know, doing an inspection
39:10
of something. The homeowner here benefits. The company, the utility company that she probably works for, benefits. The compliance around making sure things are safe, it benefits. The checklist is based on experience. Everybody's doing it in everyone's best interest here. That's what it should be.
39:30
And, yeah, I get it. There may be, you know,
39:34
corrupt people, finding problems so that they can, you know, pass you off to a contractor who's gonna rip you off, blah, blah. I understand. What I'm saying here is audits, if done well, can be positive experiences. They are not always, but they can be.
39:52
And in many cases they should be.
39:55
So look, let's go back to this list,
39:58
'cause I think I want you to make sure that these are the habits, the competencies, that you
40:06
kind of internalize as you think about
40:08
how a CISO approaches compliance. You probably expected, when you hear this is compliance, I'd be talking about specific standards and GRC. And you probably thought I'd talk about automation and the importance of using a platform.
40:24
These are competencies for you, the person. I already know what you do.
40:30
I'm just telling you what you should be thinking about as you're doing it. So I already know you're using automation. God, I hope you are. I already know you have 20 different frameworks and you're complaining about it. I would too.
40:43
I already know what you know, what the beef you've got with NIST is. We're all part of that. I'm not gonna waste your time going through things you know. But this is what should be in your head. Take this stuff seriously.
40:57
Make sure that you keep in mind that it really is good business to do compliance right. Work on your negotiating skills, in particular with the auditors.
41:06
Understand that compliance is one component, but there's a dynamic element that's not well covered. Recognize that you're gonna lag the leading-edge stuff, and that standards are not the place you pick technology. They're places where you ensure that we have general consistency around things that work,
41:24
and then finally hope
41:25
that if things go well, it really can be a positive experience. Now, we'll do our case study quickly, and then I want to get to Stan in about two minutes here. But the compliance case study here is our hero, Emily.
41:39
Um, and it's something I may have hinted at before in the context of Cyber XP, that Leif and I were talking to you all about maybe making the
41:49
personality tendency tool available to you. But here's the case. Emily finds an error in an audit, right? You've all read the case here,
41:59
and the question is, what do you do?
42:00
What happens if you find something in an audit that's done?
42:05
Um, it's already signed. All signed, sealed, delivered. She got a score that wasn't terrible, whatever, you know. She got a 76
42:15
and there was a threshold of 75.
42:19
So, yeah, she got a three audit. It's not terrible,
42:22
whatever,
42:24
but, you know, it's not well above the other number. And then she looks and sees that there's a problem here
42:30
and that it may be that she would drop down below that 75 threshold. Things might get a little bit worse here.
42:38
And then again, she found it. The audit's done, it's all signed. Any questions? What do you do here?
42:44
And I think that's a question that you and your team may want to discuss. I think it's a good one. This is a great little short case that, over a team meeting, a staff meeting, a lunch and learn, a pizza lunch with your team, have them read this and ask them, what would you do,
43:02
and you get a general sense of the negotiation. For me,
43:07
I always come out that I would get the team together and we'd discuss it.
43:09
You know, I wouldn't sweep it under the
43:12
under the carpet, but I also wouldn't immediately call the auditor. I'd want to know what's going on here. Why am I finding a problem in an audit? Do we have a process issue? What does everybody think here?
43:23
Um, that's what I'd do. You might do something else. You might decide, well, look, it's not my problem here. This is, uh,
43:29
if the auditors made a mistake, then that's life, that's their problem. So let me know how that goes. I think that this case study is a good one. Now, I want to introduce you to, on the phone here, I have a long-time colleague of mine. Stan Quinton is a retired AT&T executive. Stan was there for more than four decades.
43:49
Um, he and I do some work together now, and I asked him to join here because I have so much respect for Stan. I want to tell you a couple things about him, and then he's gonna
44:00
maybe share some insights. I've got a couple of questions here for Stan. But Stan is someone who, long before many of you
44:07
were doing cybersecurity, Stan was essentially figuring out how to market
44:12
and bring to market and build products and services in this area, in cybersecurity. How do you do it?
44:19
He was serving CISOs, you know, just around the time the whole industry was creating itself, building more or less the first managed security services that we had, and I worked with him at the time, and we became friends back in that era, and I watched how he did it. I learned a lot from how Stan and
44:38
and, um,
44:38
his team figured out how this all worked. And I thought he'd be a good guy to come in and share his perspective, simply because he's been staring at this industry for so long, um, and has so much insight. So first, Stan, welcome. Thanks for joining our call. Can you hear me OK, Stan? Do we have Stan here?
44:59
Oh, great.
45:00
I can't.
45:01
Thanks for coming, Stan. I gotta start by asking you, um,
45:06
as you kind of look at the whole industry here, cybersecurity, and I know you watched it emerge and grow and become what it is now. What are some of the big themes that you've seen? Look, what's changed, maybe from the early days to now,
45:22
and not just in the CISO role, but just kind of across the board in cybersecurity. What are some of the big things that
45:28
changed from then to now in your mind?
45:32
I think the biggest thing that I've seen change over the past decades actually is
45:38
the emergence of private networks, non-IP-based networks, to IP networks. I think going to an IP-based environment,
45:50
you know, the proliferation of endpoint devices,
45:54
has really, really exponentially changed, you know, how we as security people address, you know, protecting our business.
46:02
Uh, yeah, IP has introduced so many different types of, ah,
46:07
uh, issues and, um,
46:09
that I think keeping up with it has been very, very, very difficult for the industry.
46:15
Now, I think that
46:16
a lot of other things, too, I think have happened over the past number of years, is that,
46:21
uh, we have for many, many decades
46:24
basically kept a
46:28
perimeter-based type of security approach, you know, against the standard. The idea is IPSs, firewalls and the like, and we found out that, you know, that's not enough. We knew that with the emergence of IP and endpoint devices that,
46:43
uh, the industry now is requiring much, much different approaches
46:47
as the perimeter starts to disappear
46:51
to security.
46:52
And, um, in addition to that, how do you address it,
46:55
where
46:57
we said how dynamic it has become?
47:00
How do you start to incorporate
47:01
AI to essentially do predictive type of analysis for what's occurring in the environment?
47:09
So I think that, you know,
47:12
when I was at Sandia National Labs working at security, everything was pretty much a closed environment, all the way to, you know, working at AT&T over the past, you know, number of decades.
47:22
I think we see that massive changes occurred, and by the way, as you take a look at that massive change that has occurred,
47:32
it's not a linear change. It's an exponential change. Right now, you take a look at that exponential curve, our doubling factor is probably every, you know, six months or eight months now; it used to be two years or five years or whatever,
47:50
and trying to keep up with that doubling factor,
47:52
there's a horrendous task for
47:54
for CISOs and all those involved in the security environment.
47:59
Now, I think that's one, I agree with both your points. The IP thing brought everything in band.
48:04
I think we'll probably see that in IoT now, where,
48:07
um, IoT things have traditionally been proprietary: SCADA, ah, Modbus, CAN bus, out of range from the IP-based infrastructure. As that becomes more in band, you probably watch IoT devices getting,
48:23
you know, when you Google, you'll probably find interfaces to IoT devices that, you know, have some sort of a web interface to them. So
48:32
now, I want to talk about career stuff, Stan. So you're somebody that,
48:37
you know, you've been in the industry for so long, and this group here, we get together every week
48:44
when I take them through a lecture on,
48:46
um, essentially leadership skills, and we call them competencies for CISOs.
48:52
As you've kind of observed and hired and managed and been part of
48:58
different groups and individuals in the industry,
49:01
any thoughts come to mind on some skills that you've seen in managers,
49:07
particularly around security, that have been really important? You know, there's some things when you reflect back on good executives, good managers, in the security kind of context.
49:19
Has it been their technical skill? Has it been their ability to be flexible? Has it been their ability to understand the business? Has it been something else? What have you seen as skills in your mind
49:32
that have made people more successful? And again, you've been doing this for so long, it'd be interesting to see what comes to you.
49:40
I think, you know, you talked about compliance earlier, I think you crossed it just a second ago, I think all those are important.
49:51
But I think one of the biggest,
49:53
the most important skills that any individual, even a CISO, or even any type of business leader has, is the ability to change,
50:01
uh, change rapidly and accept change.
50:05
If you're not willing to do that, you're gonna be stuck,
50:07
and you're not gonna be able to manage an environment that's changing around you.
50:12
So, you know, that ability to change
50:15
and deal with the versatility of things that are going on around you, and understanding that you don't have all the answers because of this change, but you're willing to learn what's going on
50:29
with the new environments that are involved. I think that's a major, major skill that any successful business person and CISO is gonna have to have, especially in security. But I mean, as I mentioned earlier, it's almost exponential,
50:44
and the ability to understand, and exactly be able to address that, is important. The other thing that I think is important, one of the soft skills that I think is necessary, is interpersonal skills and interpersonal orientation.
51:00
I think the ability, you've had a lot of around that in, you know, the qualities of, ah, a manager or a leader in the compliance area. The ability essentially to
51:12
listen, not only to your customers, to your internal board members' objectives. The ability to listen to your own people is very, very important. Still, that I think often leaders think they have all the answers and they don't,
51:28
and that interpersonal orientation
51:30
is extremely important, and being able to manage not only horizontally, downward and upward,
51:37
but across the board with your customers.
51:40
You know, with your auditors, with your customers, it's very, very important to have a good interpersonal orientation, and a lot of that is around
51:50
a good, solid listening skill.
51:52
You know, I think that's awesome. Back on your point around change, Stan, does it get harder
51:58
to change as you become,
52:00
you know, further along in your career? I know for me the answer is definitely true. It was probably much, much easier before. What was your experience? Because you're a great example, somebody, I watched you reinvent yourself 10 times in your career. Now you're doing it again. Is it harder? What's the secret to being able to do that? Because so many people can't.
52:21
You know what I think it is? I think it's,
52:23
well,
52:24
an epsilon factor, if I could use that term.
52:28
If you do it on an epsilon basis, meaning you take changes in slices,
52:36
I think that it's much easier to do. And what that requires is essentially knowing,
52:40
being aware that change is occurring around you,
52:44
and being able to, if you're a technician or technical, or you want to keep up in the technical area or the human resource area, the ability to understand the changes going on at that point in time,
52:57
and that requires a tremendous amount of, you know, I do a lot of reading, a tremendous amount of reading of what's going on now
53:07
and try to project the future things that are occurring.
53:09
And I think if you do that on a continuous basis,
53:13
you're able to adapt to change,
53:15
and it is to do it on, say, I'm gonna try to keep myself
53:19
up to date every year, because if you don't do that over the years, it becomes much, much more difficult. The difficulty factor is not letting yourself fall behind, because that's the natural thing, because you're having to catch up with,
53:29
you know, a lot of change that's occurred, especially, as I mentioned, the doubling factor is occurring
53:36
very, very rapidly. If you haven't kept up with that
53:38
change, you have a very difficult... Stan, what was your experience with mentors? Did you... I've got a theme that I brought up a few times to this group,
53:50
the importance of having some mentors that you can trust
53:53
and learn from during your career. Did you... I know you served as a mentor for many, but what do you think is the role? And was that something that helped you,
54:04
you know, as you moved up the ranks to, ah, senior executive in a gigantic company? What was your...
54:10
What did you see as the role of mentorship?
54:14
Yeah, that's a great question. I think
54:16
a lot of folks, you know, and I'll tell you what my experience is. A lot of folks that look
54:22
for mentors are looking for mentors for
54:25
one reason, and that's how the mentor can help them progress up the ranks. And I really didn't do it.
54:32
I looked at mentors
54:35
to help me evaluate where I was, okay,
54:39
what they saw in me, what were my strengths, my weaknesses, my lesser strengths, my greater strengths. So I always looked at mentors to help me along that area, so that I could figure out what I had to change, what I had to do.
54:53
Once you do that, I think that you know the ability to progress
54:59
kind of becomes natural, you know it will happen.
55:04
Uh,
55:05
maybe it's gonna be a little more difficult if you don't have a sponsor, so to speak, versus a mentor.
55:10
But if you've got a mentor, a mentor that is actually level with you and
55:15
telling you, you know, what you are, where you're at
55:20
and what you need to do,
55:21
I think you're better off than having a sponsor where
55:24
you don't have that capability, you don't have the skills, and they essentially help you
55:30
progress up the ranks, because, you know as well as I do, if you progress up the ranks and you don't have the necessary skills, you're gonna fail.
55:37
Yeah, and you're gonna fail. You're gonna fail, and that's not the right thing to do. The right thing to do is,
55:43
I'm not saying mine was right, but for me that was the right thing.
55:46
You know, last thing I want to ask you, we've got a couple of minutes here. You know as much about risk as anybody I know. It's been a career looking at
55:53
risk-related issues, and today's lecture was kind of around compliance.
56:00
I'm wondering what you think. Do you think that a really, really good compliance program, I know you're going to say you should have good compliance, but kind of in your mind, what role does compliance play
56:15
in really solid risk management in an organization?
56:21
Absolutely. I mean, so, you know, what are the characteristics, I think, of a good security officer, CISO?
56:29
It's
56:30
understanding the contextual
56:34
aspects of security, or whatever discipline you're in, in relationship to the whole world,
56:39
and understanding, you know, what that is, is important. Understanding the business risks
56:45
that are around you, whether it's cyber risk, physical risk, you know, market risk,
56:52
brand risk, it makes a difference. I think understanding what they are
56:55
and then applying,
56:58
you know, security to help the business
57:01
in these areas.
57:02
And to me,
57:04
you know, compliance is a
57:07
factor
57:07
then helping to
57:09
address
57:10
and have the right level of risk. Okay,
57:14
note I said the right level. I didn't say 100%, because I don't think there's ever 100% risk reduction. That's not
57:22
cost effective.
57:22
The understanding of the risk model
57:25
and how far you have to go with compliance,
57:29
you know, to address
57:30
the risk mitigation, is what's important. So compliance helps you in that area, because compliance does, from my perspective,
57:38
outline the guideposts, what has to be
57:43
addressed,
57:44
what are the right things to do,
57:46
and how do you address them correctly, how do you implement them correctly? Because, you know as well as I do, you could do the right thing,
57:55
but if you don't do them right,
57:58
it's useless to do the right thing.
58:00
And I think what compliance does help you do is to address,
58:05
you know, those right things, number one, and help you do them right,
58:09
and it doesn't necessarily help you address how far you're going in reducing that risk.
58:15
But that's another aspect. I guess what
58:19
is interesting for a good security officer, you have to understand what you do, you understand the risk
58:27
methodology and risk approach,
58:29
and how do you quantify risk, as a great way to help address compliance.
58:35
Such useful, useful guidance, and I do appreciate it, Stan. Here on behalf of our whole class, I want to thank you for making some time. I know you have a busy schedule. Really wonderful that you took some time to
58:47
share your experience. Great to have you, and we appreciate you coming. And as for the class, I hope everyone will go ahead and fill out your surveys, share them back with Leif or myself. Make sure you make note that during Black Hat week we will skip that week, we'll push it out one week more,
59:07
and we'll look forward to meeting with you all
59:09
next week. So everyone have a wonderful rest of the week, and look forward to our session next week. Take care.

CISO Competency - Compliance

This is the tenth course in Ed Amoroso's Twelve Competencies of the Effective CISO, which focuses on the CISO Competency in Balancing Compliance. The effective CISO navigates compliance and security in supporting a balanced cyber risk management program, with an in depth understanding of industry frameworks.

Instructed By

Ed Amoroso
CEO, CSO, CISO of TAG Cyber
Instructor