Cybernomics Radio

#35 - The Hidden Costs of Regulating Cybersecurity and AI Privacy - Michael Nouguier, CISO @Richey May

Bruyning Media Season 2 Episode 1

On this episode of Cybernomics, Josh explores the Hidden Costs of Cybersecurity Regulations and conducts a cost-benefit analysis with Michael Nouguier, CISO at Richey May, and our guest co-host, Igor Volovich, former CISO at Invensys and Schneider Electric.


Hidden Costs of Regulating Cybersecurity:

  1. Compliance costs (audits, certifications, and technology upgrades).
  2. Administrative overhead (documentation, employee training, and legal fees).
  3. Reduced innovation due to diverted resources.
  4. Competitive disadvantage for small businesses.
  5. Market fragmentation from jurisdictional variations.
  6. Fines and penalties for non-compliance.
  7. Reputational damage from perceived over-regulation.

Hidden Costs of Deregulating Cybersecurity:

  1. Increased risk of breaches.
  2. Erosion of consumer trust.
  3. Economic impact of large-scale cyber incidents.
  4. Disparity between large and small businesses.
  5. Reactive costs post-incident.
  6. Reputation and brand damage.
  7. Regulatory whiplash creating inefficiencies.
  8. Global trade implications due to weak cybersecurity standards.

Join us as we speculate on how the incoming administration might reshape the regulatory landscape, referencing historical shifts and future trends. 


Speaker 1:

Hello and welcome to another episode of Cybernomics, where we talk about the hidden costs of cybersecurity. This is the week of January 27. Before we jump into today's topic, here's your latest update on artificial intelligence regulation, the impact of DeepSeek on the US market and recent developments in cybersecurity research and leadership. The Vatican has recently emphasized the need for stringent oversight in artificial intelligence, highlighting concerns over AI's potential to spread misinformation and cause social instability. A document titled Antiqua et Nova, approved by Pope Francis himself, stresses the ethical implications of AI across various sectors, including labor, healthcare and education. The Vatican warns that AI-generated deepfake media can erode societal foundations, necessitating carefully considered regulation to prevent unintended consequences, such as political polarization and social unrest. In the United States, the regulatory landscape for AI remains complex. The US currently relies on existing federal laws and guidelines, but aims to introduce specific AI legislation and establish a federal regulatory authority. Until then, developers and deployers of AI systems must navigate an increasing patchwork of state and local laws, underscoring the challenges of ensuring compliance. Chinese AI company DeepSeek has recently unveiled a model that answers questions and solves equations with the quality of OpenAI's ChatGPT, but at a fraction of the computing cost. This development has caused a stir in US markets, with NVIDIA and other tech stocks experiencing significant drops. Analysts note that DeepSeek operates more efficiently than American counterparts like OpenAI and Meta, utilizing open-source technology to outperform more expensive proprietary models. This has raised concerns about the US losing its competitive edge in AI.
The situation reflects the shifting dynamics in the AI industry and the potential for disruption from more cost-effective and open-source innovations.

Speaker 1:

CrowdStrike Holdings' stock hit a record high following a cyberattack on the Chinese AI startup. The attack led to an increase in investor confidence in the cybersecurity sector, with CrowdStrike's shares climbing almost 10%, making it the top-performing Nasdaq Composite stock. Other cybersecurity companies also saw gains, including Cloudflare, Zscaler, CyberArk and Palo Alto Networks. CrowdStrike's Falcon cybersecurity platform received a perfect score in ransomware tests conducted by SE Labs, achieving a top rating for stopping all threats without false positives. Good for them.

Speaker 1:

On the regulatory front, India's central bank has urged lenders to tighten cybersecurity oversight. Governor Sanjay Malhotra emphasized the need for robust systems to prevent digital fraud and called for even greater supervision of external service providers to mitigate technological risks. This move underscores the global emphasis on strengthening cybersecurity measures in the financial sector. Jessica Rosenworcel, the outgoing Democratic Chair of the Federal Communications Commission (the FCC, as we all know it), has highlighted the importance of maintaining strong oversight in the telecommunications industry amidst cybersecurity concerns. Under her leadership, the FCC introduced new cybersecurity requirements for telecom operators and launched initiatives to secure internet infrastructure and enhance data breach protocols. However, these efforts face opposition from the incoming leadership. Here to help us understand the implications of such changes and to share what he's seeing in the state of Colorado is partner and CISO at Richey May, Michael Nouguier. Michael, welcome to Cybernomics.

Speaker 2:

Thanks for having me on, Josh, I really appreciate it.

Speaker 1:

Well, you've got a 10,000-foot view of this issue and I'm not going to get too much into the politics of it and I'm not going to share my opinions or what I think about the administration, and it's not a political thing. Here we're going to try to simply look at the costs of deregulation and regulation in cybersecurity. Is it a good thing? Is it a bad thing? It's really subjective, that's going to be up to public opinion. But hopefully we can kind of untangle the mysteries of an incoming administration and the changes that they will bring about and how those changes might impact businesses. And so we want to draw a contrast and bring real world examples into what's happening at the federal level, how those changes might impact businesses. But then use Colorado sort of as a temperature gauge and maybe apply that with maybe a broad of a too broad of a brush perhaps, but apply that to other states and see how other states may react and how they can adapt to those changes.

Speaker 2:

Yeah, I mean, I think it's important to note that regulation comes from multiple facets, right. It's not just the federal government, it's, you know, states. It's even industry-led practices, right, where requirements are enforced not just from the federal government but states and even associations across the board. And so the current freeze that's happening from a regulatory perspective doesn't mean that cybersecurity regulation doesn't exist anymore. It's just a matter of reviewing it to some extent. And you know, like, if an organization's goal is to just hit compliance, right, every security professional in the world will tell you compliance doesn't equal security. Compliance equals compliance, right. You're hitting what you need to hit. The goal should be aiming for security, and by hitting that target you are complying with all regulations.

Speaker 1:

Well, if we were to regulate, or if the government or the state and local governing bodies or the regulatory bodies wherever they're coming from, if they're looking at more regulation or more compliance equals more security, do you think that that would lead to a world where they're trying to aim for 100% security? And if we're going in that direction, what do you think that would do to businesses?

Speaker 2:

Yeah, I think I mean regulation comes with a cost, right, and it disproportionately impacts business as you move down from enterprise to small business to some extent. And so, right, like enforcing regulation with the broad stroke of a brush across all industry or in industry sectors let's take financial services, because it's one of the more heavily regulated, potentially over-regulated industries it disproportionately impacts the smaller businesses than it does the larger, larger businesses, right, you see, economies of scale come into place, as you're, as you're seeing these large enterprise financial services, uh organizations hitting their cybersecurity, right, they have heftier budgets to purchase tool sets, invest in people and process, whereas smaller financial institutions, smaller businesses, lack the funding, the budgeting and even the people power to do a lot of this, and so it disproportionately impacts it. Regulation is there to set minimum standards, but I don't think it's there really to build resilience. It's there to drive a basic level of security. Right, and I just hope that the people in charge aren't thinking prescriptive, as regulation can be Right, you can take, like some state regulations, like New York has the Department of Financial Services they're very prescriptive.

Speaker 2:

It requires not necessarily named technology, but types of technologies to be implemented, whereas, you know, as you get more towards the federal level. You lack that prescription and it's more just policies and procedures and monitoring. Right it's it's these loose words for protection inside the organization, but it doesn't drive resilience as much. And so, yeah, to that point you're you're not regulating security, you're regulating minimum standards and there's no guarantee that the standards that are put in right. It basically comes down to do you have a law degree and how are you interpreting said legal precedents?

Speaker 1:

Is it through frameworks? Is it industry specific? If I were a CIO and I realized that these changes might affect my business, where do I go to get a general understanding of how this impacts my business and what actions I need to take?

Speaker 2:

Depending on what you do, you have to comply with a different federal standard based on the department of the federal government you're working with.

Speaker 2:

So you'll understand those standards as you start to get into working with those government entities.

Speaker 2:

Whether, let's take mortgage banking, for instance, right, if you're working with Ginnie or Fannie or FHA or HUD, right, depending on how you run your mortgage, your independent mortgage brokerage, right, you might be working with one of those or all of those, and you'll have to. You'll get those specific requirements from a cybersecurity perspective, mostly just notifications of incident based on how you're interacting with those different federal, uh, organizations. In healthcare, HIPAA comes into play, but as a small business it's kind of, for lack of better words, like the wild west, right. If you're going to start building a software that leverages, uh, PHI, right, you'll start to get requirements either from your financial backers or through contract language, stating that you need to be compliant with HITRUST or HIPAA or have a SOC 2 or something along those lines, and so it's either driven by the interactions you have from licensing in those federal agencies or it's driven through contracts that are requiring you to get certifications or have bare minimum standards before you can do business in those areas.

Speaker 1:

When you hear that there are going to be changes, are you at the edge of your seat thinking, you know, I have to, I know there are changes that are coming over the fence and this is going to affect us? Or do you sort of do like a wait and see and understand that, whether there's more regulation or less regulation, your day to day pretty much remains the same? You know, in other words, are security leaders constantly monitoring this stuff, or is it just sort of, well, yeah, changes come and go, but it's business as usual? Changes in regulation aren't always a surprise, right, and very rarely are they a surprise, right.

Speaker 2:

There's usually public comments. They're garnering public opinion and building these regulations. And let's take the SEC. That was the big one that rocked the last year, year and a half or so. That required notification of a breach through an 8-K and a 10-K and you have X amount of hours to notify.

Speaker 2:

That wasn't unknown to the security industry. A lot of us were opining on how it would impact organizations and whether it was necessary or how strict they should be. And so when it did pass, I think that was the shocker like oh, the cybersecurity regulation is actually passing, but not all the things that we opined on and not all the things that we wanted to be implemented were implemented in that. And there's the shocker and so like it's easy to stay up to date here and ultimately right these regulations. They don't differ drastically between you know, from regulation to regulation, and so identifying the most stringent regulation that you have to be compliant with and implementing that typically has a trickle-down effect. To say, I am at. You know, if I have multiple regulations and I hit the most stringent, I hit or exceed the request from this regulatory body because I'm compliant with this regulation or this compliance framework or something along those lines.

Speaker 1:

And what's typically the largest cost associated with not being compliant. Let's set aside security, right. Let's just talk about are you going to go to jail if you're not compliant?

Speaker 2:

Are there going to be fees or that kind of stuff? Yeah, and I mean, typically you're not going to jail, right? There have been instances where CISOs or executives have been grossly negligent, where they have faced some sort of criminal penalty, to say the least. Right, and so it has to be gross negligence or borderline fraud, right, misleading regulators, something along those lines, that leads to the criminal aspect of it, rather than, you know, I didn't impose these, but I never lied about it, that's fine. So the larger cost, you're right, it is not necessarily implementing, it's the lack of implementation where you're saving money, but fines can come into play and the gross negligence really plays in those fines, right? One instance of this is in California with the CCPA. The Privacy Act in California specifies different levels of fines for gross negligence versus actually preparing and still being impacted, right, and so it's an exponential difference in cost from not doing anything to trying to do something, right. There still may be fines and that can still impact you.

Speaker 2:

However, doing something is better than doing nothing, and we know that in the cybersecurity industry, right. Implementing something is better than not implementing anything at all, as long as you do it correctly, right. I think it's the IBM Cost of a Data Breach report that posts the cost savings from a breach by doing implementations of different aspects, right: testing a tabletop policy, doing employee training, performing penetration testing or offensive security testing in your environment. Each and every one of those comes with an average decrease in the cost of a breach. And so if an organization is impacted by a breach, obviously if it's ransomware, right, there's a ransom payment that comes along with that. That's a hefty cost. Hopefully you're covered by insurance and you're doing your due diligence to stay covered there. But the unforeseens are the regulatory fines and the legal costs that come from class action lawsuits and potential impacts to your user base.

Speaker 1:

It sounds like we're talking more to the small business, since they're disproportionately impacted by these regulations and these changes. So is there forgiveness for small businesses? Let's say they try to do as much as they can to become secure while making a profit. Is there forgiveness in terms of foregoing fees or fines that may be forgiven or overlooked If they're genuinely doing the best they can? But if they were to do everything that they're required, perhaps they would not be profitable. They'll just go out of business. So is there forgiveness for? Do you get an A for effort, in other words, Boy, I wish.

Speaker 2:

I think that comes down to legal interpretations half the time, right? And there are some regulations out there between states that define different regulations based on the size of the organization, right? And so I think there are. There is context that's applied to it, right? Also, the amount of data that a small business owns and is risking or accepting risk for collecting versus a large organization is drastically different, so you would expect to not see the fines be the same between the two, just based on pure size and collection of data.

Speaker 1:

I guess the question that I'm asking in a different way, which you've already answered, but now I'm kind of looking at it from a different lens is really is there too much of a regulatory burden on small businesses?

Speaker 2:

Yeah, I think. I think that you know that's that's industry specific, but it is. There is a potential in a lot of industries that small business can be over-regulated and therefore create a burden to that business. And ultimately, right, that cost has to be passed down somewhere right. If you're looking at having to perform a red team style penetration test, which is more advanced than just a network pen test, where somebody is scanning for vulnerabilities, potentially exploiting them, right, they're coming at this from a true adversarial perspective. The costs differ dramatically between the two and that cost has to be passed down somewhere right.

Speaker 2:

A lot of people view cybersecurity as an expense and so, with that mindset, doing something that protects your organization has to be applied to the cost of goods sold somewhere right. Looking at cybersecurity as an investment in growth and sales, in whatever your organization does, building trust, goodwill tends to have a better perspective and tends to focus the culture of that security to being more resilient for that organization. And organizations that tend to focus on an investment in cybersecurity rather than just it's an expense and we're going to budget for it as a loss or whatever, tend to create better trust in their client bases. So I ultimately looking at cybersecurity as a business builder rather than a detractor, right from a regulatory perspective or compliance perspective or whatever it is. It's not a negative thing if it helps build an edge for your business to succeed.

Speaker 1:

So those costs you're saying can be offset by the long-term gains that cybersecurity could provide in terms of this? Are you saying that, basically that the costs will be offset as long as you're not putting too much of a burden up front?

Speaker 2:

I mean, business is a dynamic study, if you will. Is it dollar for dollar? Perfect? Probably not right, but organizations that build trust with their customers tend to have a better, more engaging customer base right. They tend to have stand out right Versus, you know, organizations that have had multiple breaches. People don't want their data to be exposed, as we know, and there have been multiple studies where up to 80% of people will say I won't use a company that's been breached in the past, which, at this day and age, every company has experienced some sort of cybersecurity incident. Every company has had to go through some sort of heart attack, breach style engagement, and so it's not necessarily I won't work with a company that's been breached. It's I won't work with a company that's not proactive in their cybersecurity stance and not resilient. You can be breached, you can experience a cybersecurity incident. It's the organizations that are resilient that, I think, drive a greater trust in their industry.

Speaker 1:

SOC 2 compliance is a pretty good example of that, where if you're working with a software company, they want to see that you've got the boxes checked from a SOC 2 perspective. CMMC is probably also the same. Going out for government contracts, it becomes a competitive advantage. So I think whenever I'm pointing to cybersecurity being, I know we don't think of it as a revenue driver, but at least one that drives competitive advantage or at least that drives some sort of monetary gain, SOC 2, CMMC come to mind. What do you think?

Speaker 2:

Yeah, I mean they're marketable, right, to some extent. If you're competing in an industry where your competitors don't have a SOC 2, or if you're, if you know you're going after DOD contracts, the CMMC aspect, and that's more of a requirement in order to work with the DOD. But others would be like ISO 27001. Getting an ISO certification in that and calling them certifications is rough. Getting, getting, uh, aligning with ISO is another way to interact internationally with organizations. SOC 2, uh, really does provide some competitive advantage and really it comes down to the procurement aspects of what you're selling. Right, if you are selling software and you don't have a SOC 2, one of the first cybersecurity questionnaire questions that you're going to get is do you have a SOC 2 and will you provide it to the purchasing organization? If you don't, they may look at that contract and say, great, we're going to move on to this other company that does have a SOC 2. It's a marketable resource.

Speaker 1:

To wrap up the regulation side, we'll talk about deregulation next and how that impacts businesses. But to wrap up regulation, you're seeing some unique things in Colorado because Colorado is one of the first states, I think maybe one of the only states, that's heavily regulating cybersecurity and it's your neck of the woods. You can just stick your head out the window and you probably see at least two or three businesses that are probably going to be impacted by this. So what have you seen in Colorado and how are specifically small businesses reacting to the heavy regulations? I'll put heavy in quotations because that's subjective. What are you seeing out there?

Speaker 2:

Yeah, I don't know if Colorado's heavily regulating cybersecurity, but they were the first state to pass their Artificial Intelligence Consumer Privacy Act. Organizations, small through large, to do something about the use of artificial intelligence and the data that they submit to AI, and so it's basically making organizations liable for their use of AI, which, uh, is hard, right, it's.

Speaker 2:

It's forcing small businesses to perform security reviews of the AI that they're leveraging, whether it's a third party or built internally, and that cost can grow, right, especially if you're talking an organization that's leveraging five, six, seven different programs, different software vendors that leverage AI, and now I'm taking on the liability of that to make my business more efficient. And we talk about that disparity between small and large business. A large organization has the capabilities and compliance arms to align with these and do the due diligence, whereas small businesses haven't had that in the past, and so the cost of performing said reviews on AI and taking on that liability might exclude small businesses from being able to leverage artificial intelligence, creating an unfair competitive advantage, if you will, for larger organizations to drive business towards them.

Speaker 1:

I was talking to a friend of mine, Jenna Gardner. Shout out to Jenna. We were talking about AI consulting. She's built a business, or is building a business, with great success so far in helping companies, especially kind of legacy companies. You know, let's say, the 50 to 100 employee companies where a large number of their employee base may be near retirement or sort of Gen X, baby boomer age, and their minds are blown constantly when she's helping them to refine certain processes and to do better using AI. One of the concerns that I have, and I've talked to others on my team about this, is how receptive would companies be to implementing AI in their environment from a security perspective? Because, especially those companies that, like, let's say, accounting firms that are very sensitive, they're using a lot of client data and clients may not want their information going on ChatGPT. So even though these legacy users are the ones that may benefit the most, they also have the most risk exposure from a security perspective.

Speaker 1:

So what is your opinion about advancing AI without? Because I don't want a world where every company has to be super secure before they start using AI. I think that that would just be detrimental to business. I think AI is just like the biggest. It's the biggest boom since the internet, right? So everybody wants to get on that bandwagon. But I understand the hesitation to adopt such a technology. It's scary number one because of the Terminator and whatever. Everybody's afraid that the robots are going to come get us. But even besides that, you don't want to put your client data in a database that's easily accessible by others, I mean, even if they use that little string.

Speaker 1:

I was talking to Randy at Compliance Aid. Shout out to Randy. He was like well, there's a little number that's behind the link in a chat that you're using in ChatGPT, and if somebody were to grab that link and pop it into their browser and they go to that URL, they'll see your chat. At least they'll see some of your data. Right, that's not super secure. I don't think they're going to be able to like that's not very likely that it will happen. But the point is there are exposures and there's a lot of risk when it comes to that. So do you think that businesses, small businesses, should go ahead and kind of, now I wouldn't say, disregard the security stuff, but start implementing AI and maybe think about the security later? Or is this what Colorado is saying? No, think about security first and privacy first when it comes to AI data, and then later on, the businesses can adapt. Do you see the trade-off there?

Speaker 2:

Yeah, I mean it's undeniable that the benefits of AI are there. Right, like not using AI will probably not exist in the future. Like you're going to have to leverage it at some point in the near future, right. So, digging your heels into the ground against the use of AI is a problem. That being said, right, like diving in full bore without any consideration of the core aspects of your business, just because you think it's going to save a penny, is also probably not the best way to go. So, on a scale from no damage to Terminator, as you brought in, right, there's an equilibrium in there somewhere to hit, which is doing so from a thoughtful perspective, asking those questions. And if you don't know what questions to ask, I mean go to ChatGPT and type in what do I ask? No, don't do that. Should I ask?

Speaker 1:

Yeah, ChatGPT will help you ask it questions, yeah.

Speaker 2:

Don't do that. It's a self-serving prophecy inside of ChatGPT. You know, like reach out to, reach out to some professionals, right, like reach out and ask, right, like it doesn't hurt. Like what should I be considering when I'm implementing AI into my organization from a security perspective? Right, the data that you give it, it's going to use. Right, unless you have tight contracts and you own that data and the models and where you're putting that data. And so it's an equilibrium. You got to use AI in order to remain efficient. Right, you can probably save a couple bucks somewhere along the line by implementing an AI, um, tool set, right, whether it saves you man hours or people hours, or whether it saves you, uh, from having to, you know, purchase costly other softwares to do a single thing. Right, it's, the benefits are there. Let's just not forego the thoughtfulness that we owe our consumers when we're dealing with their data.

Speaker 1:

So I'm an AI consultant. I knock on your door, You're a law firm or an accounting firm and I say hey, I'm going to help you improve your processes with AI and we're going to use ChatGPT and we're not going to use the secure version, but we're just going to use the regular version. You're the CIO of that organization. You say what?

Speaker 2:

No, I say no, I say, uh, right, like, our data needs to remain our data, and so there are enterprise versions of ChatGPT where you can own, right, not, not.

Speaker 2:

I don't want to be the organization, and most people shouldn't, most small businesses, medium-sized businesses, even large businesses shouldn't be the organizations training these models. Right, there needs to be data that can train them, and then independent software vendors building this stuff need to find that data and leverage it the correct way. But I don't want our consumer database to be training models for other organizations. So I'm a little more fail-secure, like I want everything to be mine in my organization. I don't want it to be leveraged for everybody else to some extent. Right, it's the purpose of, right, the contracts that we have for data, and a lot of organizations haven't considered this yet. But as you're dealing with your consumers' data, right, in your customer base's data, if you haven't put contract language in there stating that you're going to leverage AI, uh, probably start considering that. Yeah, yeah, I hadn't thought about that.

Speaker 1:

I was just kind of thinking of, like, just gunslinging, let's do it, let's just do it. If it were up to me, everybody would use AI, but I forgot about the wild west.

Speaker 1:

Now, yeah, yeah, I'm, I'm a cowboy, maybe I like the wild, wild west, I like the chaos, but you raise a really interesting point, which is you know these are. There are contracts, there are user level agreements, there are privacy agreements that companies have with their clients and their partners, and if you were to use AI just in a sort of a cowboy shoot them up sort of way, you may be voiding or you may be transgressing against your contracts with your partners and your customers.

Speaker 2:

Right, yeah, it's a simple terminology, right? And if organizations don't state that, right, like, I'll be honest, every meeting I've been on to purchase something for my firm, they're gung ho, selling AI. Everybody is right, like, oh, we've started implementing AI, ai, this AI, that it's the new buzzword, it's the cloud of 10 years ago. Right, it's there. And so, like the second that that term comes up, I immediately go to my procurement process and I check the box for AI. And now I'm sending out an AI questionnaire on how they're leveraging AI so that I can understand that when I go to make a decision to purchase something.

Speaker 1:

Maybe that's the lesson here, maybe this is the light at the end of the tunnel. I can't believe that I'm saying this, but maybe regulating AI in such a way that Colorado is doing would have the effect of raising awareness in such a way that most businesses okay, they're now aware of some of the things that we're talking about here where it may affect your contracts, your customers, your partners and all that stuff third-party risk, vendor risk. So maybe the implication here of the AI regulation in Colorado is that everybody kind of does better because there's more trust among businesses, everybody's sort of working under the understanding that if you're talking about AI, then there are certain safeguards that are in place that are enforced, whereas right now, since it's not enforced, you may have to do a lengthy AI risk assessment, such as the one that you've described.

Speaker 2:

Right and, I think, right like you're beholden to your consumer, right? They're the ones paying the bills to some extent, and so if you're going to leverage technology, you should be doing your due diligence as an organization to understand how AI is going to be leveraged. Right? If I'm uploading all the personal information of my consumer base to somebody else's AI models, I should know that I'm doing that and I should put some restrictions around that.

Speaker 1:

Now, without getting too political, I'm not going to ask your political views and I will not let anybody know mine. I'll keep that tucked right. But I want to talk a little bit about the Trump administration coming in in 2025 and potentially undoing. I think he already undid some things by putting a regulatory freeze pending review. But the Biden administration, at the end of Biden's term, signed an executive order to strengthen and promote innovation in cybersecurity, which it sounds like the Trump administration either wholly or partly rejects, where they're kind of like deregulate everything. That's very conservative, it's very Republican Trump. That's one of the few, I think, Republican adages that Trump has sort of held on to right. It hasn't really changed. They're the party of deregulation, less government. So do you think that the deregulation of cybersecurity or information security would lead to more business or better business, more profits, and if so, if it leads to more profits and more prosperity, is that worth scaling cybersecurity back?

Speaker 2:

I mean, you're talking to a serial cybersecurity leader, right, like I've been in cybersecurity almost my entire life, right, even when I was a little kid, I was still hacking computers, like I I'll come back to what I said at the beginning is is regulation, and compliance to regulation does not equal security in that, and so deregulating it doesn't necessarily mean that we're going to drop in cybersecurity posture. Uh, depending on where we're at, and and this is a federal this is from a federal perspective, not necessarily a state perspective. That being said, I don't I don't foresee a, a massive removal of cyber security standards. Uh, right, because there are still. Right, like it's a bipartisan understanding that cybersecurity is important. Right, every time I go somewhere and I run into people and I talk to them and they ask what I do, I say, oh, I work in cybersecurity, and never once do I get somebody that says, ah, that's a stupid career. Right, they always say that's so important. What you, what you? Right, protecting data, protecting companies, protecting what's most critical now, right, the most expensive commodity, I guess, at this point, is data. It's surpassed oil and so, yes, it's important.

Speaker 2:

And I don't think that anybody, regardless of party, is going to say we don't need cybersecurity. I think the freeze that's imposed right now is really to just review what's happening, because every department inside of the federal government pushes down cybersecurity standards on different industries, from the FTC, several financial federal departments, Ginnie, Fannie, Freddie, HUD, FHA, the SEC, right, they all have regulation and I think like it's confusing, right, you need a degree in, you need a law degree, just to understand all the different aspects of it. You have to, you know, have no other hobbies outside of reviewing all these regulations. So I think there is the potential for more consolidation in regulations, maybe more alignment across different departments, maybe in a better understanding. One thing that I think is important to note is that the CMMC, which was bipartisan backed, still has favor across the federal government and we're protecting our defense, essentially, and the data that we're leveraging from a defense, this controlled, unclassified information.

Speaker 1:

I don't see and I don't foresee cybersecurity being deregulated completely. I think there will probably be more alignment towards consolidated standards and maybe leveraging states to impose cybersecurity standards rather than federal governments. Michael, thanks for being so gracious with your time. I appreciate you coming on Cybernomics. I'll see you next time, okay. Former CISO at Invensys and Schneider Electric and the founder of the Compliance Therapy Podcast, our friend Igor Volovich. Igor, how are you doing, buddy? I'm doing great. Josh, how are you? I'm doing great.

Speaker 1:

I'll give you a list of the costs of regulating cybersecurity and then I'll give you the hidden costs of deregulating cybersecurity, and then we'll just kind of go into any of those things that maybe jump out. How does that sound? Hit me All right. The hidden costs of regulating cybersecurity. That's compliance right, making sure that we adhere to the laws. What does that do to a business? You've got compliance costs right, audits, certifications, technology upgrades and so on. Administrative overhead, reduced innovation due to diverted resources, competitive disadvantages for small businesses, market fragmentation, fines and penalties and reputational damage from perceived over-regulation. So those are the costs of the typical costs of regulating cybersecurity.

Speaker 1:

And here are the hidden costs of deregulating cybersecurity. With the Trump administration coming in in 2025 and freezing a lot of what the Biden administration had done when they were going out. Then there's some talk about deregulating cybersecurity, scaling back regulation in favor of small businesses, or at least that's the idea. So here are some of the costs associated with doing that, which many people may have not considered: increased risk of breaches, erosion of consumer trust, disparities between large and small businesses, reactive costs, reputation and brand damage. So reputation and brand damage kind of comes up in both spheres.

Speaker 1:

And regulatory whiplash creating inefficiencies, global trade implications due to weak cybersecurity standards. Are you a big fan of regulating cybersecurity? Being the compliance doctor that you are, you know you've kind of hung your hat on helping companies explore and wade through the waters of cybersecurity compliance. But after all of those years that you've spent helping companies get compliant and understand compliance, are you a fan of regulating cybersecurity and privacy or do you think that we've overstepped and we're overregulated at this point?

Speaker 3:

That's a great question, right, and there's a lot there to unpack and so I'm going to put a couple of quick notes there. So to answer the immediate question, right, do I think the cybersecurity is over-regulated or under-regulated? It really depends on your perspective, right? If you're a small company trying to break into a regulated industry, like you know, defense industrial base, it can seem insurmountable. You know, with things like CMMC now in effect, folks are freaking out and going, you know, am I going to be out of business? Is the compliance going to take so much out of my hide that, you know, the juice may not be worth the squeeze anymore? Right, you know, if you're making some part that goes into some, you know, fighter plane and you know you've got 100 people working for you. It can seem like, you know, how do I compete against Lockheed Martin? You know they've got all these resources. Raytheon, you know, Boeing, Northrop Grumman, et cetera. You know all the big defense contractors. But the truth is it doesn't have to be this, you know, huge mountain that you have to climb. You look at what's applicable to you, you retain competent firms that can help you, and it doesn't have to eat up a ton of your resources, right, if you approach it in a smart way. Especially if you've seen these things coming down the pike, you know, especially things like, specifically, CMMC.

Speaker 3:

We've been talking about it for years and years and you know it shouldn't be a surprise to anybody. Now, if we look at it from a very high level and we say, okay, well, any regulation is bad, any regulation is anti-business, I don't believe that. I think the word that I prefer to use is really governance, and I've been called the governance man. People have made memes with me in a Superman costume with a G on my chest, because I talk about governance a lot and it's not so much a pivot right. But I think there's a cognitive coupling that needs to happen in people's minds when I think about compliance. It shouldn't be considered its own objective. Right, the objective is not to just check a bunch of boxes and then file some paper that nobody reads and then come back and do it again next year.

Speaker 3:

The objective is to really create a sense of control. Right, and we say compliance controls or security controls. Right, the overarching control. How much control are you able to exert over your own environment? Can you guarantee to a level of certainty that these controls are in place, that they're effectively performing their desired function, that they're controlling for the risk or mitigating against the risk that you've identified, and that's really the idea, right, kind of at the general level. So compliance is really, it's a way to do this in a consistent, repeatable manner. It's really process and it's process efficiency and that's really what it's about, right. People think of compliance as this, you know, giant exercise that you get into and you do the audits and you do the assessments and you do control frameworks and all that kind of stuff. And that is the how and the what. And people tend to focus on that a lot because it's a very complicated field. But the why of it, like why are we doing it? It's really to manage risk, right, and it's to exert a level of control over our environments, and that's really it, right. So if you think of it that way, compliance can be an actual driver of value. It can be a driver of revenue even, right, because your competitive position can actually increase if you're proactively compliant. And I mean again, I'll go back to CMMC as an example. A lot of the DIB members, defense industrial base members, they looked at it and kind of said, eh, you know, who knows, the final rule hasn't happened.

Speaker 3:

We'll wait till it all shakes out. It's like, no, you could have been doing this stuff the entire time. You could have been getting ready. And now, when you're competing for DoD business, if you're compliant and somebody else isn't, and you go up on a bid and the buyer asks you what's your compliance posture and what's your compliance roadmap and what's your compliance timeline, you know, like, we'd love to award you this business, but, you know, we got to know when you're going to be compliant. If you're telling me nine months and somebody says, look, we're compliant already, you would not have the best product. But you know what? If you're selling a commodity, then yeah, it's going to go to the compliant entity, right. So I think people need to kind of have more of a strategic view of what compliance is, and if you do it right, it can actually be a bit of a superpower. Yeah, especially when it comes to competitive advantage, if you're thinking about stock too.

Speaker 1:

You mentioned CMMC, uh, and I'm going to talk about this a little bit more with Michael Nouguier later in the episode today, and you know it really does come down to: are your competitors out-complying you? That's a great thing.

Speaker 3:

I love that.

Speaker 1:

Yeah, I mean, if you were able to turn anything in cybersecurity or privacy or compliance or governance into sort of a revenue driver and sort of make a case from a revenue standpoint, I feel like you become the hero. The CISO or the privacy officer or the compliance officer becomes more accepted into the fold, right? Because when the business people hear security, oftentimes they just see costs, right, they see money. It's like when my dad at Christmas time you know I'm having a good time and I want to go see Santa Claus and I just see Christmas everywhere but my dad's got a different lens on and so he's looking at all these things that I'm seeing the toys and the lights and all this crazy stuff. I'm having the time of my life and my dad just sees dollar bills. Like literally at Christmas time, he's looking around and he's just like I just see all the money that I have to spend.

Speaker 1:

So if I was a C, if I were a CEO or a CTO or a business owner who may need to comply, but you know what, like, I think I'm small potatoes, I don't think that I'm going to get fined, I don't think that I'm going to get breached. What do you say to me to convince me that the costs of being compliant are ultimately worth it? And let's set aside the competitive advantage. We already know that. Let's say I don't even buy that. What are some other things that you would say to me to convince me that, you know what, we should at least have a compliant or a baseline, a baseline of compliance, in our security program?

Speaker 3:

Well, I think you said it yourself just now: compliance as a baseline, right? So a lot of folks look at compliance as kind of the end all be all. You know, like, I got to get compliant because that's the cost of doing business. Right, I have to be, you know, compliant with certain frameworks because that's what my customers are asking, or that's what the regulators in my industry are asking. Right, you know, if you're going to be a healthcare provider, you're going to have to deal with HIPAA and HITECH and HITRUST. Right, if you're, you know, if you're a merchant, you're going to have to deal with FedRAMP and NIST and 800-53, and on and on it goes. So there are certain things that you just have to do because that's the business that you're in. You're going to be a defense contractor, you're going to have to deal with CMMC. But once you get past this, here's the minimal threshold we have to cross. Here's what we have to meet as our obligations on the contracts and regulation.

Speaker 3:

You're building a program that requires you to take hold of your environment, assess its posture on a continuous basis, right, understandably, controls are pretty much on a daily basis now. Right, be able to detect failures of those controls proactively, remediate those proactively and basically manage this risk on a continuous basis. Right, even in the federal environment, we have things like, it's called cATO, right, which is the continuous authority to operate. Even there we've evolved to this thinking of, like, this stuff has to happen on an ongoing, continuous basis, not take these snapshots every six months or a year, because the threats don't wait for the audit, right. The breach is the ultimate audit, and I think I coined that term years ago and I've been using it ever since. The breach is the ultimate audit. Consider that, understand that.

Speaker 1:

Yeah, it's like the ultimate pen test. Exactly. A real-world pen test.

Speaker 3:

You don't want to go through that exercise.

Speaker 3:

So that happens on a continuous basis, 24-7, 365. You are doing an audit or an assessment once a quarter, once every six months. Like, you get to that continuous posture. That's not just an aspirational goal, that's a smart way to run. And when you think about it from a risk perspective, if you can converge on this compliance and security and risk model, if you can bring these all together and say, look, I'm using pretty much the same telemetry to do my security management that I do with my compliance management, so why are we doing these separately? Right, so you can talk about convergence.

Speaker 3:

I've been a big proponent of convergence. I've created this term, Converged Continuous Compliance, and that's something that's been around for a couple of years now. You know, this is my zero trust. Call it that, right. It's a philosophy, it's an idea, it's a strategy, it's a vision. Right, it's a vision for understanding this space from a different perspective.

Speaker 3:

So it's not just like I got to do compliance. You do, right. But if I'm going to do it, why don't I do it smart? Why don't I do it in a way that allows me to actually cross-pollinate between my security function, my risk function and my compliance function? And if it sounds a little bit like I'm talking about, kind of preaching GRC in a classic sense of what it was supposed to be, in a way, yes, right, but like the pure GRC, not what it became. You know, a bunch of platforms that are really difficult to manage, that are basically a bunch of spreadsheets with fancy front ends that are very cumbersome, and you have to have certifications and engineers to go implement them and it takes years and years and years. I'm not talking about that, right. I'm talking about whatever you have now in hand today, compliance that you're doing today already, and looking at your security program that you already have on hand, that you have to have, right, and seeing where these two things can converge, right.

Speaker 3:

They can cross-pollinate, you can get those. You know some economic advantages there. You can maybe converge. Just start converging on the thinking first right and then go from there. So you look for those two-fers.

Speaker 1:

Don't look at it at every part of GRC or the compliance program or security, even as these disparate, unrelated parts, but when you realize that doing one activity or one task or covering one domain can also cover two or three other things that you're trying to accomplish, that's kind of a way to circumvent those costs.

Speaker 3:

In the end, it's the same thing, right? Look, whether you look at a control from a compliance or from a risk, or from a security perspective right that control is there in place. So the compliance framework is going to guide you and it's going to give you a way to measure your posture right. It's a consistency model.

Speaker 1:

Yeah, and an efficiency model as well. You know, looking at this from a certain... Potentially, right.

Speaker 3:

If you're not doing these things separately in their own silos, like compliance is over here, full stop, security is over there, full stop, then risk is somewhere else, doing their weird threat models and risk models and talking to business, you know, doing analytics and stuff, and never the three shall meet right. That's the way that people mostly run their organizations.

Speaker 1:

And.

Speaker 3:

I've seen it many, many times and I've been around many organizations, many environments, big and small, right, and the bigger they are, the more that divorce seems to be the effect. Right, they tend to separate these functions. They don't think of them as, you know, having this kind of convergence or the synergy between them, and I think that's a critical failure. And I think compliance has become so complex because it's also very manual. Still, despite all the advances, all the, you know, great software we have in place, it still tends to be very much a manual activity. And so, automating that to the degree possible and enabling automation. Look, if we think about all the automation that we've done on the security side, you know, the SIEMs and, you know, XIMs and all these kinds of things that we have. Now the compute power has become, finally, it's gotten to the point where we can converge all this data, we can bring all these data telemetry points together, we can make a correlation happen on the fly and do it smart, and that we've got AI helping us, right.

Speaker 3:

And look, there is a conversation that has to be had separately about, you know, where machine learning and AI are separate things, different things, right, and you apply them differently to these use cases, right? If somebody tells me I'm doing AI for SIEM, I'm probably going to show them the door. Right, because those are not the kinds of data sets, right? Machine learning, definitely. AI, no, right. So check your buzzwords at the door, but we've got a lot of capability in hand, right? Like, it's not like we have to go and wait. You know, it's like, I remember, you know, who was it? The guy who did Terminator, right?

Speaker 1:

Arnold Schwarzenegger. Or the guy who actually created the.

Speaker 3:

James Cameron right. So, James Cameron, sorry, I had to brainstorm.

Speaker 1:

Wait, James Cameron did the Terminator? I did not know that.

Speaker 3:

Yeah, he did Terminator and then he did Titanic and he did Avatar. So he actually, he had the idea for Avatar like 20 years before he ever did it, because he knew the technology did not exist to do all that stuff that he wanted to do, to create those effects and to shoot it the way he wanted to shoot it. Like, he had to invent his own technology and he had to wait for that to mature in order to do that, right. So he had to sit on this idea. We're not in that space in compliance and security. We have all the technology. We have too much technology, in fact. Richard Stiennon, whom you know, right, he's now tracking what, 4,200 vendors.

Speaker 1:

Yeah.

Speaker 3:

That are active in cybersecurity. We are not in any way deficient in the diversity or the power of the technology at our disposal. We are pretty deficient, I would posit, on the strategy front, like there is not enough strategy. There's a lot of product, tons of features, lots of people throwing money at the problem and lots of people asking for your money to help you quote unquote with your problem. That strategic thinking it's pretty hard to come by, and it's not that I'm sitting here and going, hey, look, I happen to be a strategist, so I'm going to pitch strategy, right. But the idea is we do really need to think about these things in these global kind of strategic macro terms. And I'm going to go back to what we talked about before we hit the record button an idea of cybernomics, right, thinking about it from an economic perspective and understanding the economic angle of cybersecurity and risk and compliance, and not just focusing on the costs and opportunities. We're really thinking about how these things interplay right, and looking for synergy opportunities, looking for ways to converge on some of these things and understand that some of these functions are very similar and very close to one another and the ability to cross-pollinate between them. It's just inherent and it needs to be on board.

Speaker 3:

We need to stop separating and treating, you know, compliance folks like some, you know, old folks with, you know, like accountants. Like, we think of compliance as kind of like an accounting function, almost, right, because that's where it came from, and so we think of it that way, like audit. You know, we're going to look at it once in a while, and that it's very reactive. It's not proactive, it's not real time, it's sort of, you know, we come back after the fact: oh, a control failed, what are we going to find out? Well, after it failed. We don't have to live that way. We can actually shift left in compliance as well. Right, when you get proactive with compliance, it gets cheaper, the effects become much more profound and it can have a very positive effect on the business. And I know it's like, it's crazy, it sounds like I'm eating crazy pills here, right, but the reality is, if you do compliance smart, if you invest in it early and if you think of it as a proactive risk management function, not a reactive, capture-the-thing-after-it-happened function, right, you can really change your perspective on what it means, how you pay for it, potentially, in your environment, right, and how it can actually drive revenue.

Speaker 3:

So think about this, right, the idea of where compliance fits in your sales and procurement cycle. Just that, if you're a vendor selling to anybody, you've gotten those vendor risk management forms, and it's not just a matter of filling them out faster, because a lot of people are in that business too, like we'll fill out your forms faster. It's not the point. What's in those forms? Getting insurance, that's another thing. If your business is not insurable, that's a business breaker, right.

Speaker 3:

So how do you talk to your insurance carrier? How do you talk to your insurance broker? How do you get a policy that actually pays for something? God forbid, bad things happen and they ultimately will. Right? How do you determine what your posture is? How do you communicate your posture to an outside party that you have to to a potential client, to a regulatory entity, to an insurance carrier right? There's a lot of people you have to talk to about your posture. If you're doing this in separate ways, every time you talk to a different audience, that's going to be very expensive. So consider that as a cost, right? So you look at, there are many opportunities hidden in compliance if you do it right. Wow.

Speaker 1:

I wanted to talk about the whole DeepSeek thing, but we're out of time and we're going to have to cover that on another episode. But I do want to get your take on DeepSeek and what that's. This has almost nothing to do with cybersecurity, it kind of goes into the privacy area, but incredible insights about the hidden costs of regulating and deregulating cybersecurity. Ultimately, I think you're right.

Speaker 1:

What we're talking about here is GRC, and, you know, the way it was meant to be. Yeah, yeah, and if I can summarize everything that you've said, it's, hey, be efficient with it. Have these things converge and you can save yourself, to quote Donald Trump, a lot of money. It can be huge, it can be huge, it can be huge. You can save a lot of money. You wouldn't believe it, so much money, like you'd never, never, never believe. Just so much money. All right, Igor, thank you so much. I know you got to run and I'm always so happy to talk to you on the show. Thanks for having me on again.

Speaker 2:

Yeah, and enjoy the rest of your day, you too.

Speaker 1:

We'll catch you in the next one. Absolutely. All right. Bye. Thank you, Josh. If you're interested in what Bruyning Media does and how we help tech companies achieve thought leadership, check us out at bruyningmedia.com. B-r-u-y-n-i-n-g dot com. Josh out.