Sept. 11, 2022

S01E09 - "Compliance and Security" - Why Can't We All Just Be Friends

In this episode, join Paul and Jason as they talk about what is better - being secure, or being compliant. It's the age-old argument that's been around since the dawn of time... or maybe just since PCI.... 2.0. 

Transcript

Jason Loomis [00:00:12] Welcome to F-Sides.

Paul Love [00:00:14] That was Jason.

Jason Loomis [00:00:15] That was Paul. And this is Offside.

Paul Love [00:00:19] The Cyber Humanity podcast.

Jason Loomis [00:00:22] Where we focus on the human side of cybersecurity. So compliance.

Paul Love [00:00:29] Oh, wow. That's a great way to start a podcast. That's very like it's almost like Star Wars credits opening up all over. Very ominous.

Jason Loomis [00:00:38] For me, it's more of a really get like, this weird taste in my mouth. It's almost like licking a shag carpet.

Paul Love [00:00:46] Well, yeah. And it's unfortunate, sometimes the only thing a security program is focused on, which I think we're going to have a great debate today on that. But yeah, I mean, compliance is good for some aspects in my opinion, but when it's your only, that's when I get the shivers too. It's like, Oh, okay, you're not really looking at the full picture.

Jason Loomis [00:01:06] But yeah, but compliance is the frenemy. It's the friend that you is your enemy and your friend, and you can use it both ways. So I think we're going to dig into that a little bit in today's topic.

Paul Love [00:01:18] Yeah, and it's it's it's definitely frustrating when it's the only business driver that an organization talks about. There are other ones that are just as important, such as rest, for instance, which I think we're all risk professionals when it comes down to it.

Jason Loomis [00:01:33] Well, this is just great, Paul. This is this is just fantastic. But, I mean, we agree. What kind of board, what kind of podcast are we rolling when we agree like this? Oh, this is this is terrible.

Paul Love [00:01:44] Well, yeah, it doesn't make for, you know, exciting viewing, you know. But so how about we do this? We talk about some of our tips and experiences on getting solid compliance structure in place so that you can move to the risk discussions.

Jason Loomis [00:01:58] All right. I'm all over that. And boy, is our spontaneous spontaneity just so transparent.

Paul Love [00:02:04] It's like this wasn't scripted at all or anything.

Jason Loomis [00:02:06] Oh, this is what a coincidence. We both agree on this and know that we're going to talk about some cool things to deal with. Compliance. Yeah, let's talk. Like how compliance could work in your favor when it doesn't work in your flavor favor. And how to use it, in my opinion, is one of the biggest levers you got in cybersecurity, especially for my favorite acronym that I throw around way too much SMB is, which means if you're a small to medium sized business, it's one of the best levers you can have to run an effective cybersecurity program. And at the end of the day, get what you want.

Paul Love [00:02:33] Not I'll agree with. It's definitely a significant motivator for organizations that don't have a strong risk tolerance culture or background. It's definitely something you can use to get kick start your program because risk is a very obtuse concept sometimes if you're not versed in it and compliance is very easy to understand, we have to comply with things every day like stoplights and stop signs and having driver's licenses and things.

Jason Loomis [00:03:00] For one, I think the word obtuse is obtuse, but I, I agree. And I throw out some very high level concept shit there. Well, let's just say that if, if you're trying to get cybersecurity done and you need to you need to explain why, which is one of the stories we always talk about, tell storytelling and get buy in from your group. And sometimes you just want to cut through all that B.S. and get your job done. All you need to do or say the words compliance. Oh, this is a compliance requirement. You wouldn't believe how fast people move and how quick things get done.

Paul Love [00:03:33] But it's the questions.

Jason Loomis [00:03:33] Asked.

Paul Love [00:03:34] Or whatever. Yeah, it's not a good long term number. I think you'll agree because it's like telling your kids because I said so. Yeah, that'll get you through a couple of years. Right. But eventually the kids going to be like, I tell me why I don't care.

Jason Loomis [00:03:46] Ding, ding, ding. We have the winner analogy of the day. That is a very perfect and fantastic analogy of the way to all of the compliance, because I told so you're not the parent. It's really the parents are sitting behind you through either PCI or HIPAA or GDPR or whatever.

Paul Love [00:04:01] You're the uncle.

Jason Loomis [00:04:02] You're you're the uncle. But your parents told you to do this.

Paul Love [00:04:05] Yeah, but I mean, now. So, you know, sometimes compliance is given a bad rap, right? Which I don't think it should be. It's just part of an overall effective program, in my opinion. So one thing that you and I talk about a lot in that I strongly believe in is that there's you can have both strategic and compliance components to your program. And so let me give an example, right, that, you know, when I go into organizations, I want to understand what their motivations are like. Why do you want security, especially if I'm the first time CISO or they don't have a webinar program. So I'll go and say, okay, what? What are you trying to accomplish? Almost every time you're going to get will want to comply with the applicable regulatory, legal and contractual requirements. Got it. Right. Table stakes. Very that's very easy. But I say, okay, what what beyond that do you want to accomplish? I mean, typically it's like, well, we don't want to have our customer information. Leaked or, you know, they'll give you some other things. And I think having both of those things integrated is important. So I absolutely agree that compliance is something you must do as a security professional.

Jason Loomis [00:05:13] Everybody has that same question when you go to organizations. And I think you're missing one of the most popular answers, which is sometimes I'll just reply with, Well, we want to be secure, but we don't want to spend any money doing it.

Paul Love [00:05:24] And I've heard those conversations as well. And my question is, okay, that's great. Let's talk about what is that? What is secure mean to you? Does it mean not showing up in the newspaper? Does it mean that you're not going to get signed by regulators? Like what? Help me understand what that means to you, because it's our job as security people to help get to that. Right. Like when I say to a contractor to build my house, I say, hey, I want a cool looking house. Right? The contractor doesn't just go off. Well, most contractors don't just go off and start creating plans. They'll ask you some questions. And I think as security professionals, we need to kind of look at and say, yep, got it. I understand in principle what you're looking for. Let's get to some details.

Jason Loomis [00:06:08] And let's walk through. I'm going to I'm going to dig deep into that and sort of come out with a first tip that I would have for people, which I think you're going to think you do. I talked about this earlier. You said, oh, yeah, I agree. Again, the most boring episode we've ever had. People seem to agree on this. But one tactic you can take is, okay, so you walk down this path, you say, yep, we want to be compliant, let's use let's choose credit card compliance, which is PCI. Yeah, we want to be PCI compliant and of course we want to have a secure organization so we don't get breached and we're not in the paper. Great. All right. Well, PCI requires that we do this. Not getting breached might require you do this of the same thing. Let's say it's password length. And you say, you know what, PCI has pretty strict guidelines for password. They want, you know, changed every 90 days. But you're like, well, we don't want to get breached. And really we don't need to change it that frequently to not get breached. So if you see the the the difference in the opinions is try to take the most conservative of those. And use that as your general as your general policy across the entire organization. And a lot of times, I think people will get hung up on this idea of, well, that only applies to PCI and PCI environments. So they'll only apply that policy or that password policy, for example, to the PCI environment. And I'm saying if you're a cybersecurity practitioner, just apply it to everything and then justify it by the following. These are recommendations or ways to justify it. It's lower total cost of ownership for policy, maintenance and management. So instead of saying, Well, now I got to go figure out where we are in scope for PCI and scope changes based on the auditors whim. 
And I have to make sure that this system has this password policy and this system has this going to be a lot easier if we just apply this across the board and then we never have to worry about not meeting PCI requirement. And it's also a great security practice because it's the most conservative is probably the best security we can get better than this other one.

Paul Love [00:07:53] Yeah. Let me go a little more in depth on that. Yeah. Because that's something I've been doing. Every organization I've gone to is to understand what we're required to comply with and choose and map those out, pull out the requirements for each one and then map them and say which ones are similar to each other. Right. There's programs that'll do this for you, but I prefer to do it myself because the programs start to get complicated. Because you.

Jason Loomis [00:08:19] Love pain.

Paul Love [00:08:21] Well, it's it's not a fun activity. But I mean, when I say we, it's the royal we in some cases. But, you know, you identify each of the requirements, map them against each other, and then you identify. I've always called it the highest minimum. Right. So what is the highest minimum? It one requirement says you have to have eight character passwords and the second one says seven character. Choose a character so that you can play across the board. Now, the scoping question you brought out, the reason I like to have that mapped out specifically. So not just I don't like to just have the standards and make the statement, you will have a character password, but I like to have it mapped out is because there will be some instances as your security and risk program mature that you'll need to make exceptions. Right. And that's by going back to the mapping and say, okay, what's applicable here? Is this applicable to regular or is this applicable to a requirement, A or B or C? Then you can start to say, okay, we have a little leeway to go to seven character in the short term and then helps you quantify risk. It does it it's more complicated. So I would say that's a way to your organization's more mature, but it builds you up for the future 2 to 3 years after you build it.

Jason Loomis [00:09:33] Yeah. You know, I want to. I think we might have a little disagreement or maybe it's a different way to look at it. I actually believe that by adopting what you call it, the minimum, maximum, the.

Paul Love [00:09:43] Maximum is a minimum.

Jason Loomis [00:09:45] I guess the minimum. I'm going to write that down. The highest minimum. I've heard this from you before. I'm playing with you, but the highest minimum, if you apply that across the board, you're not going to need as many exceptions. Agree and. Yeah. Okay, got it. We're in the same.

Paul Love [00:09:59] Yes. Know what I'm saying. So just to be clear, right. Yeah, absolutely agree. Start with the least complexity you can, but there will be a point that you'll have one outlier system that it's like, okay, this system can't get to eight character passwords, it can only get to seven. Then you can go and look at and say, okay, from a risk se from a risk perspective, there's a compliance risk associated with this because X Right. And then you can talk about the security risk and so forth. So it just allows you to have more information to provide more more details around what the specific risks are.

Jason Loomis [00:10:34] Yes. And another tip for our listeners coming from me is to use that that compliance word to your advantage. And sometimes when it comes to work or negotiations for what needs to get done. So, you know, I want to give a real life example about this. So I have a good friend of mine recently pushed for the removal of all end of life software at her organization. So they this is normal vulnerability management one on one we shouldn't have software that's no longer supported or operating systems are no longer supported because you can't get security updates. They're easily breached and hackable. And not to mention, there's now cybersecurity insurance requirements you're going to see going off through the charts about, hey, if you have end of life software, we're not even going to touch you for insurance, so you won't even be able to get insurance. There's all these business reasons why and security reasons why this is a really bad idea. So she went through this big push to get end of life software, remove something who's been hanging around for a while and she did some AB testing with it so that for one group she would go to and say, Tell it, take the time to explain why it's important to the business. Hey, this is a really big security concern. Cybersecurity, insurance, there are some compliance requirements and actually some contractual agreements that we have that makes this a really bad thing. Oh, well, okay. We think we can get to it by this spread on this date a couple of months out or a few months out. The other big group that she tested, she simply said, Oh, this is a PCI recall. It was one sentence and there were no follow up questions, and it was done by an expert. So, you know, sometimes it just it's a shortcut. And, yes, it's not the best it's best for the business to know why and to understand why. And you should always have that at your ready. But at times, if you just need to get your job done, pull the compliance card, it's like the yellow card.

Paul Love [00:12:18] You know what I mean? Again, it depends on the maturity of the organization and what motivates them. And you're right, a lot of organizations are motivated by the visible, especially like things like PCI, the highly visible regulatory and not I know PCI is in a regulatory requirement, but those external requirements that if you don't follow them, they can show up to your customers. So yeah, absolutely. I can see why that would be a motivator, but you can't use it all the time. It's like the old like when we first started in security fear, uncertainty about that work for a couple of years. And then people started to catch on like, Oh, wait, you're just Chicken Little. You're always screaming that there's a problem. And I started to not pay attention to you as much.

Jason Loomis [00:13:01] Yeah, the fear is already. Does it still do work. Just definitely not the initial go to. Yeah. Your job of tenure team seems to be a lot longer when you're not doing the fear thing.

Paul Love [00:13:12] A great right. When you can have a risk discussion with somebody and contextualize what the risk is like. I think I share with you right it's part of the storytelling is the way if you yell fire, right, is the fire in the fireplace, which is where it belongs or is it on the couch? Right. There's two different reactions and two ways to think about it. If you're always using fear and certainty about you're just yelling fire without telling the context. And then the executives typically have to go and say, Oh, wait, that's a fire in the fireplace. That's not that big of a deal that you made it.

Jason Loomis [00:13:43] Yeah. So, yeah, great point. It's all about your lovers, too. Yep. What big of a number that you're going to use and how are you going to use that level of compliance? I think we're both agreeing is a big lever, but you don't need to use it all the time.

Paul Love [00:13:54] Yeah. And it's easy to fall into that trap of, oh, I'm just because you'll see that it works right. You'll be like, Well, I know this works, so I'm going to use it every time. Eventually it will start to lose its value. You don't want to have it as your primary means of influencing, because influence is very important, I think in some cases more so than title or a different podcast. But I think it's, you know, it's, it's important to make sure that you use it.

Jason Loomis [00:14:20] Certainly that was that was a great callback. They're really big on the word callback. You watch murders in the only murders in the building. Have you watched? No.

Paul Love [00:14:28] No.

Jason Loomis [00:14:29] And it's excellent. And they're season two now and they're talking about it. They call it a callback. I mean, it's a callback to a previous episode or something they rewrote earlier in the book.

Paul Love [00:14:36] So you can kind of get self-referential on our on our podcast. So plus reinforce my, my argument because I was the one who had influence is more important.

Jason Loomis [00:14:46] So great callback. Let's talk another aspect of compliance.

Paul Love [00:14:49] Yeah.

Jason Loomis [00:14:49] Paul, it's your first day on the job you are now. It's your very first day as CSO at the leading tower of Paul. I call you that or the company that because your bookcase is like this and your video background and it looks like you're leading are going to fall over.

Paul Love [00:15:02] Yes. Let me fix that.

Jason Loomis [00:15:04] Go ahead. That's a backdrop and is your very first day and your company says, Paul, we need you to get a PCI. You need to get us through PCI compliance. Go pick an auditor. What do you look for in an auditor?

Paul Love [00:15:16] I want an auditor that will that is not just a transactional auditor, meaning just somebody who's going to come in and look at the the audits as just a okay, this is a one time activity audit. We're not we don't care about the rest of your organization. We're just going to help you achieve compliance. I know that sounds kind of odd, but when you get it, when you pick an auditor that's just focused on getting you to achieve compliance while you meet your short term goal of getting to compliance, eventually you're going to have trouble longer term, putting in the things that are noncompliance related. So if you if you choose a partner auditor who cares about you meeting your compliance requirements, but also understanding that there are other parts of the problem that you'll want to reinforce, they can partner with you on that.

Jason Loomis [00:16:09] Got it. Yeah, that's great. You know, and I want to throw in there, too, if you're if you're evaluating or doing a bake off between your vendors or your potential auditors don't cut corners. Often the business may want to go with the cheapest. Oh, look, here's this one's X dollars. This one's 20% less. Well, no brainer. Let's go with that one. And I'm going to give the eight old the age old adage, which I believe holds true, is you often do get what you pay for. And as a security practitioner, if you can get an auditor that partners with you in an auditor that doesn't take B.S. to just get you through the compliance, I'd be like, Oh, yeah, okay, that's okay. You kind of want an auditor that's going to do the right thing and take, in my opinion, as a more conservative approach to interpretation of the requirements because it's going to be better off for you as CISO. So it may be short term pain. A short term headache of, oh, now, you know, he just pulled in my web servers and scope and I have this whole environment that wasn't supposed to be. But he pulled all this stuff in and, you know, great, because now you're going to have to have more secure environment that further down the road in a year or two. You don't have to go back and worry about securing because you're doing it through your compliance work.

Paul Love [00:17:18] Yeah, the way I think about it, if you want a secure are you want a soccer coach that's tough on you from the beginning versus one who's super easy on you because as you grow and get better, the soccer coach was super easy on you. You're not going to grow with that person. You're not going to improve. If you choose somebody who is going to look at you and look at you from a strategic standpoint and try to make you better and be tough on you, you can grow with them as you get better and you have a longer run way of growth with that that other because auditors are incredibly important and giving the CISO insight into their program but also helping to reinforce what the CISO is seeing or to say, hey, you know what, we don't agree with the CISO, you know, give a competing point of view.

Jason Loomis [00:18:01] Yeah, I completely agree. Oh, okay. It's so hard to even say. I agree. I'm not used to this. Paul, what's going on with us? We're like a bizarro world.

Paul Love [00:18:09] But to pick more controversial subjects or something?

Jason Loomis [00:18:12] Yes, definitely. As as a side note, we don't often recommend things on our show, but I do want to we want to throw out Paul brought up coaching and there's this really great podcast recently that came out called Against the Rules with Michael Lewis. If you get a chance to season three is around coaching and some really good, good quality material in their podcast that speaks to this whole coaching philosophy thing that Paul just brought up about what kind of coaching, what working for you. So I highly recommend you check it out. Michael Lewis is the author of Moneyball, The Big Short and bunch of movies and TV shows and stuff he's done. So it's really good stuff.

Paul Love [00:18:45] Yeah, that's we usually we walk away like with some hand-waving and, you know, at the end of the podcast. But I, you know, I this is just I think when you when you've done this long enough, you understand that again, if you talk to other CISOs who are just starting out in their journey are other security professionals. You may hear that compliance is the most important thing. And I think if you talk to people who've been around a bit, it's it's not the least important thing, definitely, but it's not the only area to focus on, especially if you want to be a CEO or security professional who is in the field and in your role for a longer period of time.

Jason Loomis [00:19:25] Yeah, I'm going to add to that. It could be it's often the business is priority. Often CISOs are hired to be, hey, our number one priority is get us compliant and then, you know, go worry about the rest of your work in securing the rest of us. So often it's the business that drives that importance for the CISO. So, but, you know, my, my, my take is use or my tip is to use that as a lever to improve security overall at the organization and use that to your advantage.

Paul Love [00:19:49] Yeah. As long as you're not ever in a conversation where compliance equals security. Right.

Jason Loomis [00:19:54] Because there are a lot of those do not equal.

Paul Love [00:19:56] Yeah, there is.

Jason Loomis [00:19:57] Such an audience. Those are not the same.

Paul Love [00:20:00] Yes. And you'll hear I've I've actually heard where people say, well, we're compliant so we more secure. Well, no, there's a lot of compliant organizations who have had security events. Don't. Don't rest on compliance. Compliance. And I use another analogy when I talk about this. Compliance doesn't mean that you're good at security. It's almost like a driver's license. A compliance is similar to that. Just because you have a driver's license doesn't mean you're a good driver. It just means you know the rules of the road and you meet the minimum requirements.

Jason Loomis [00:20:30] Target was compliant in 2014.

Paul Love [00:20:33] Yes. Yeah. I mean, you'll see you'll hear that of organization after organization. But if you want to go beyond the bare minimum, you know, you take extra, extra training on how to drive, you learn how to drive. And so we conditioned, you know, you take those extra steps. So compliance is look at compliance is the bare minimum to be to be a functioning organization. But know that if you're in security, you need to go beyond that, but you definitely need to hit that bare minimum.

Jason Loomis [00:21:03] Agreed. Awesome. Well, Paul, this was the most boring podcast I think we've ever had. No disagreement. Maybe one thing. No, there was nothing. This is great. Awesome. All right. Well, hey, thanks for. Thanks for joining me on this one, Paul and audience, thanks a lot. Take it easy and stay cyber safe.

Paul Love [00:21:19] Thank you.

Speaker 3 [00:21:22] He's the elephant in the room.