Regulatory Explosion & Board-Level Accountability - Episode 218

Discover why compliance is now a boardroom priority, not just an IT task. In this episode, Todd Coshow and Adam Goslin reveal how outdated practices put organizations at risk. Learn about the shift towards real-time breach detection and the importance of translating risks into business impacts. Perfect for leaders eager to transform compliance into a strategic advantage. Tune in to stay ahead and secure your organization's future.


Episode Transcript:

Todd Coshow:
Well, listen, as we look ahead, so much of what we’re talking about in the space today is around data. From a compliance vendor standpoint, my question, and our question today for the listeners is, will your compliance software vendor protect your data? Now, to be fair, Adam, this topic feels a little like discussing eating your own dog food, but let’s tee this one up for the folks.

Adam Goslin:
It is very much that. When we got into this space, my background had been in IT security and compliance for quite some period of time before we even started TCT. It’s been enlightening, I guess that’d be a good way to put it, to see the variability out there in organizations that one would think have your best interests at heart, but certain people never cease to amaze me.

It is possible that your compliance vendor is going to have an issue. If you want to talk about a more recent event where a vendor had let organizations down, then just go chitchat with some of the educational institutions about the good old Canvas breach.

The reality is that organizations depend on vendors. As a consumer, it’s your core responsibility to make sure that your third-party service providers are doing all of the things and staying bare minimum compliant. But hopefully, you have a much better sense of their care and diligence surrounding security, especially in this space, being a compliance software vendor. So you’ve got to make sure.

As you’re thinking, “We should be able to trust the compliance software vendors,” at the end of the day, it’s where their bread and butter is, being in the security and compliance space. One would think, if anybody should, it should be them.

The cold hard truth is every compliance software vendor is different. Not every single one of them is doing their due diligence to the best of their capabilities. Some people that have landed into this space are people with bags of money that just wanted to make a software product so that they could go turn a profit. At the end of the day, it’s buyer beware.

Some organizations take it very seriously. Others don’t and do bare minimum checkbox-style compliance just to get a piece of paper that tells you that they’re secure. It’s a challenging landscape to figure out as you’re going through the process. Who am I dealing with here? Is this somebody that’s worthy of that trust or not?

There are several telltale signs that you can pick up as you’re going through evaluation and after active engagement. The stuff we’re talking about today certainly isn’t exhaustive, but it’s going to give folks a good solid starting point for going through, having their eyes open as they’re going through the process.

Todd Coshow:
Indeed. What types of vetting need to take place during the sales process? Because that’s where you’re really going to get to ask your questions before the answers don’t really matter.

Adam Goslin:
During that initial evaluation phase, as a consumer, you should feel empowered to ask very pointed questions around security and compliance status and approach, and things along those lines.

There’s a given here. Most organizations are going to start with, “Is this going to work for me? Functionally, is it going to work for me?” As you’re going into that process, one of the things that I’d recommend to folks is: are they only talking about the functionality aspects, or are they coming out through that sales process with, “Hey, we really want to talk to you about our security stance and how we do it”?

This episode is taken from an open RSS feed and is not published by Podme. It may therefore contain ads.

Episodes (222)

AI-Powered Attacks: Is Your Compliance Program Already Obsolete? - Episode 222

In an era of evolving AI-driven cyberattacks, traditional compliance programs are falling dangerously behind. Static controls create a false sense of security while attackers leverage AI to move faste...

25 Jun, 18 min

Compliance Theater: Are You Actually Secure or Just Checking Boxes? - Episode 221

Most organizations are just performing compliance – ticking boxes, not building real security. What happens when the curtain is pulled back on these check-the-box programs? You might be under the illu...

18 Jun, 20 min

Audit Fatigue and How to Effectively Navigate It - Episode 220

Caught in a cycle of audit requests, evidence chaos, and burnout? Discover a way out in this episode. Compliance Expert Adam Goslin joins Todd Coshow to reveal the hidden causes of audit fatigue and s...

11 Jun, 21 min

Identity is the New Perimeter (Zero Trust) - Episode 219

On this week's Compliance Unfiltered, discover why identity is the new perimeter in cybersecurity. This episode reveals how zero trust principles can protect your systems by continuously verifying use...

4 Jun, 28 min

Will Your Compliance Software Vendor Protect Your Data? - Episode 217

Most companies overlook vendor vulnerabilities in compliance. On this episode, the CU Guys reveal hidden risks in vendor relationships, from breaches to vetting gaps. Discover tactics for evaluating v...

21 May, 21 min

Data Has Borders: The New Rules of Compliance - Episode 216

Data compliance isn't just about protecting information anymore — it's about understanding where your data lives, how it moves, and how to stay compliant across borders. On this Episode of Compliance ...

14 May, 20 min

AI Fraud, Deepfakes & the Death of Trust - Episode 215

On this week's Compliance Unfiltered, AI-driven fraud is escalating, with deepfake voices and synthetic identities posing new threats. This episode reveals how traditional security measures fall short...

8 May, 29 min