One Step Beyond Cyber

EP 4 Beyond the Checklist: Navigating the Dynamic Cybersecurity Compliance and Regulations Landscape

One Step Season 1 Episode 4


In this episode, Scott, Tim Derrickson, and Roman Stanton explore the significance of cybersecurity compliance and its impact on businesses across various industries. They discuss regulatory requirements, both self-imposed and those established by standard-setting organizations like ISO and credit card companies. Understanding compliance is crucial, as it helps mitigate risks and provides a competitive advantage, especially for small businesses.
Navigating the challenges of achieving cybersecurity compliance can be daunting for businesses. Our experts emphasize the importance of planning and avoiding rushed attempts to achieve compliance overnight. They recommend implementing Plans of Action and Milestones (PoAMs) for DoD regulations and other risk management strategies, such as the Written Information Security Policy.
To become compliant, best practices involve meticulous planning and allocating ample time to implement necessary tools and measures. Compliance is an ongoing activity, not just a checklist to be ticked off. In the event of a data breach or cybersecurity incident, the regulatory implications can be severe. Compliance efforts, however, can significantly mitigate potential consequences and safeguard the company's reputation.

Podcast Video One Step Secure IT - YouTube
Learn about our services https://www.onestepsecureit.com/

Hosted by:
Scott Kreisberg - CEO & Founder of One Step

Produced by One Step Secure IT

----
LinkedIn:
https://www.linkedin.com/company/onestepsecureit/mycompany/

Facebook:
https://www.facebook.com/OneStepSecureIT

Twitter:
https://twitter.com/onestepsecureit



1
00:00:00,000 --> 00:00:07,560
Hi everyone and welcome to episode four of one step beyond cyber and I'm your host Scott

2
00:00:07,560 --> 00:00:14,440
Kreisberg, but before we get started in this episode I have a very minor request. If you

3
00:00:14,440 --> 00:00:23,120
do us a big favor and if you find any value in what we go over today or you enjoy the information

4
00:00:23,120 --> 00:00:28,200
go ahead and give us a rating and even subscribe so let's go ahead and get started.

5
00:00:28,200 --> 00:00:37,200
Now today I've got Tim Derrickson and I've got Mr. Roman Staten here and what we're going to do is

6
00:00:37,200 --> 00:00:44,320
we're going to discuss the exciting topic of compliance and regulation right so we're going to

7
00:00:44,320 --> 00:00:50,840
do our best to make this entertaining but we're going to take the viewpoint from a small to medium-sized

8
00:00:50,840 --> 00:00:59,200
business owner or executive or the person who's responsible for having their company be compliant.

9
00:00:59,200 --> 00:01:06,320
Okay but speaking of compliance, Roman is there a disclaimer you would like to

10
00:01:06,320 --> 00:01:12,040
Yes as always everybody please remember that this information is for educational and

11
00:01:12,040 --> 00:01:18,680
entertainment purposes nothing that we say can be construed as legal advice so again please

12
00:01:18,680 --> 00:01:23,680
take that into consideration if you need to know anything. Reach out to us.

13
00:01:23,680 --> 00:01:27,880
So well thank you for that. Did you get your law degree? Are you? I did.

14
00:01:27,880 --> 00:01:30,280
Actually soon we'll come out of you.

15
00:01:30,280 --> 00:01:31,880
Let's try to come up something.

16
00:01:31,880 --> 00:01:37,880
Well let's go ahead and dive into this a little bit. I think I'm going to start off with let's see here.

17
00:01:37,880 --> 00:01:39,880
I have Tim.

18
00:01:39,880 --> 00:01:40,880
That would be me.

19
00:01:40,880 --> 00:01:53,280
First that's my first question. Tim what is like what is compliance and regulatory requirements?

20
00:01:53,280 --> 00:01:57,080
Why does it exist? How does it affect businesses?

21
00:01:57,080 --> 00:02:03,120
All right, so we have a whole bunch of different types of compliance. We have self-imposed.

22
00:02:03,120 --> 00:02:08,800
We have the National Institute of Standards and Technology, NIST, framework, which would be

23
00:02:08,800 --> 00:02:16,000
compliance for making sure your environments are secure. We have FTC, the Federal Trade Commission

24
00:02:16,000 --> 00:02:23,000
where we make sure that people's electronic information, credit cards, finances are kept secure.

25
00:02:23,000 --> 00:02:29,500
These are all compliance. You have your regulatory from the government which would be your FTC and then we have

26
00:02:29,500 --> 00:02:38,400
our self-imposed ones. Compliance I am going to follow a set of rules to keep my environment safe and those are the rules I

27
00:02:38,400 --> 00:02:50,600
follow. If something happens and I am following those rules FTC or even the payment card industry, I trouble with that yesterday, Roman.

28
00:02:50,600 --> 00:03:01,900
PCI you can be fine. So I mean you're going to follow a specific set of rules. They're going to test your environment or audit it and they're going to look at

29
00:03:01,900 --> 00:03:03,900
everything and make sure you're following those rules.

30
00:03:03,900 --> 00:03:12,900
So is there actually a compliance or regulatory police? Do they actually come after? Like not in most cases.

31
00:03:12,900 --> 00:03:20,900
One of the best things about compliance for companies is that it's already a set of rules. You don't have to make them up.

32
00:03:20,900 --> 00:03:28,900
So that's nice. But on the other side of it, while there's no police, they know exactly what they're looking for when they audit.

33
00:03:28,900 --> 00:03:40,900
So you do have to look at that. And that is changing. So basically when someone gets breached nowadays it's all reactive. I do a self-assessment and I look at everything and I say okay.

34
00:03:40,900 --> 00:03:51,900
I provide this to PCI, the payment card industry and they look at it and they go okay they give me the rubber stamp they say I've done everything on this list and then something happens.

35
00:03:51,900 --> 00:03:53,900
It's like a certification.

36
00:03:53,900 --> 00:04:09,900
Yeah, like a certification. An attestation. And so when I do get breached, now they're coming and they're looking at it and they go you did everything right and they give you your blessing and they figure out what happened and how they got through the controls.

37
00:04:09,900 --> 00:04:19,900
If I did everything wrong or if I didn't include everything, that's when I get in trouble. So then they start fining me or do whatever they're going to do.

38
00:04:19,900 --> 00:04:24,900
But that's also changing with FTC. We'll talk about that later.

39
00:04:24,900 --> 00:04:31,900
Yeah, let's get into that. Actually we might get into it now a little bit but I'm going to guide this one over to Roman.

40
00:04:31,900 --> 00:04:45,900
So can you provide a bit of an overview of the landscape for compliance and regulation as well as how how the different compliances or regulations might more apply.

41
00:04:45,900 --> 00:04:51,900
Tim just touched on it a little bit but how they might be more relevant. Let's say to one type of business.

42
00:04:51,900 --> 00:05:02,900
Sure versus another. There is always so the landscape is ever changing right. That's why you always have versions of things that come out.

43
00:05:02,900 --> 00:05:18,900
The Federal Trade Commission safeguards is actually fairly new. Standards that they've put out the Department of Defense is actually has a model which is going to go for their second third change.

44
00:05:18,900 --> 00:05:24,900
Hopefully at the end of the year there's some rumblings and I get pushed to next year. So there's always something on the horizon with this.

45
00:05:24,900 --> 00:05:31,900
The landscape is pretty broad with each business. You'd mention what some businesses have all inclusive.

46
00:05:31,900 --> 00:05:38,900
No matter what business you're in you will have incident response plans. Business continuity.

47
00:05:38,900 --> 00:05:43,900
Obviously they want to make sure you have antivirus that you have a some sort of spam filtering.

48
00:05:43,900 --> 00:05:48,900
So all that is actually in compliance and it goes cross-border.

49
00:05:48,900 --> 00:05:59,900
But you have to mention the payment card industry right. Those are people that take credit cards. If you don't take credit cards you're not beholden to them.

50
00:05:59,900 --> 00:06:11,900
HIPAA we all know HIPAA the Health and Privacy Act. Obviously if you're not taking whether Roman has a gallstone or not right that your company doesn't do that you're not required to follow HIPAA.

51
00:06:11,900 --> 00:06:27,900
So there are some industry regulations. One of the things that I think is very interesting about compliance right. Interesting is payment card industry is not the same as the Federal Trade Commission which deals with finance.

52
00:06:27,900 --> 00:06:40,900
Two separate things. One's interested in transaction. The other one's interactions with the client. So it's a very unique nuance that each one of these have that are you know I'd say business or industry specific.

53
00:06:40,900 --> 00:06:49,900
It's also interesting when you look at it that way in the fact that they're very specific in the data that they protect and what they're trying to protect.

54
00:06:49,900 --> 00:06:55,900
And I always find that's what I find interesting because they are completely different and one doesn't cover the other.

55
00:06:55,900 --> 00:07:02,900
So it's vital that our viewers actually you know find out what they need to comply with.

56
00:07:02,900 --> 00:07:20,900
What is the best way to do that?

59
00:07:20,900 --> 00:07:30,900
That's the best way to do that. All of it is challenging every bit of it. All right so let's go next.

60
00:07:30,900 --> 00:07:46,900
No they're the main one. I would say honestly it's got the main challenge that everybody that I see runs into is when they either find out that they have to start doing this or they're first getting into it is, oh my god I've got to do it all now.

61
00:07:46,900 --> 00:07:54,900
And everything has to be done now and it's well yes you want it to be done that way. That is not always the case.

62
00:07:54,900 --> 00:08:00,900
And the reason I say that is because for instance I'll start a department of defense right. I said they have a model that they use.

63
00:08:00,900 --> 00:08:09,900
They have what's called a plan of action in milestone. So I'm trying to get everything ready so I can get this government contract and I'm going to be audited.

64
00:08:09,900 --> 00:08:21,900
As long as they see that you have a plan to implement the controls that they have and a specific timeline in which to do it that's what a plan is, you can pass that audit.

65
00:08:21,900 --> 00:08:33,900
I said you will I'm saying you can pass that audit. Same thing with the health and privacy they have a risk management that they want you to do written information security policies for other ones right.

66
00:08:33,900 --> 00:08:43,900
But as long as you can get a plan and realize that not everything has to be done today then I think you can breathe easier and that's a big challenge most people have to overcome.

67
00:08:43,900 --> 00:08:50,900
Right. I think a little easier. I think we also have to remember that they do have to have some type of security in place along with that plan.

68
00:08:50,900 --> 00:08:58,900
I mean you can't just open up your network and say I have my plan but I haven't done anything or shown that you have made any progress in the plan.

69
00:08:58,900 --> 00:09:05,900
Absolutely. Yeah. I mean, you know, I'll probably say it three or four times but, you know, compliance is an activity.

70
00:09:05,900 --> 00:09:13,900
So it's something you actually do and so many people are just trying to do it and put check marks that they...

71
00:09:13,900 --> 00:09:18,900
Oh, look, I do have a plan but has anybody read it? Has anybody actually...

72
00:09:18,900 --> 00:09:32,900
So, especially have you rehearsed the plan? You know, have you... So if you haven't and you just check the box odds are you have a higher probability if you get breached they might come after you.

73
00:09:32,900 --> 00:09:46,900
And I think also just to touch on it, and I know that we've talked about it in all the other podcasts on the back of security, compliance does not mean your environment is 100% secure.

74
00:09:46,900 --> 00:09:51,900
It just doesn't cover it because they're looking at those specific things. It's part of it, right?

75
00:09:51,900 --> 00:10:06,900
Yeah, it's a huge part of it. But I think that if you already have a security track working, you're working into your cybersecurity whether it's a cybersecurity stack, your network that you set up, your send, whatever it might be.

76
00:10:06,900 --> 00:10:12,900
And it's the fact of I have something in place, now I'm using the compliance to even make it tighter.

77
00:10:12,900 --> 00:10:19,900
Yeah, or the other way around, the compliance, but now I'm going to do more than what even they're expecting.

78
00:10:19,900 --> 00:10:24,900
But, you know, let's just keep that thought going, Roman, it might be a bit repetitive or not.

79
00:10:24,900 --> 00:10:35,900
What are some best practices for a business? Talk to the business owner, talk to the person inside their company that's been tasked.

80
00:10:35,900 --> 00:10:41,900
Hey, get me compliant. What are some best practices to achieve it?

81
00:10:41,900 --> 00:10:51,900
It is very similar, not to be redundant, but my father always told me plan your work and then work your plan.

82
00:10:51,900 --> 00:10:59,900
And we just talked about planning your work. However, working your plan is huge and what that means is put actions to tie.

83
00:10:59,900 --> 00:11:09,900
So, the people that are in it, they need to say, okay, by Q2, this is what I want in place. By Q4, this is what's going to be in place. Build yourself a roadmap.

84
00:11:09,900 --> 00:11:15,900
And so that you can achieve those. So you can achieve those. And I would say leave yourself enough time.

85
00:11:15,900 --> 00:11:23,900
This goes to businesses where you, in order to achieve your compliance, you're going to need a tool.

86
00:11:23,900 --> 00:11:29,900
You're going to need some sort of much time to software, but you're going to need something in place to achieve that.

87
00:11:29,900 --> 00:11:37,900
Give yourself enough time to run a demo. Find out if it's right for you. Not all solutions are 100% fit.

88
00:11:37,900 --> 00:11:44,900
So if you give yourself that time and build it into your plan, then I think that's going to be the best thing that any business can do, really.

89
00:11:44,900 --> 00:11:47,900
Yeah, it's good advice. Get back to that plan.

90
00:11:47,900 --> 00:11:57,900
And be consistent on that plan. All right. Let's turn the table here a little bit. Something bad happens.

91
00:11:57,900 --> 00:12:03,900
Okay. You know, somebody unfortunately experiences an incident.

92
00:12:03,900 --> 00:12:13,900
If one is compliant, you know, how does this help them mitigate what tsunami is bad news?

93
00:12:13,900 --> 00:12:21,900
Coming there. It actually helps a lot. It helps a lot when working with remediation, right?

94
00:12:21,900 --> 00:12:27,900
You get breached. Your email stolen, your credit card information is taken off of a computer, whatever.

95
00:12:27,900 --> 00:12:39,900
Hopefully that doesn't happen. But as long as you did everything right, according to the compliance you've formed that specific industry, your life's a little bit lighter.

96
00:12:39,900 --> 00:12:46,900
Not too late. I wouldn't say because you got breached, but you're able to look at and go, I did everything right.

97
00:12:46,900 --> 00:12:52,900
And not only did I get everything right, PCI industry, if I didn't do everything right now I'm getting applied.

98
00:12:52,900 --> 00:12:54,900
And heavily.

99
00:12:54,900 --> 00:13:00,900
And yes, heavily. If I'm doing contracts for the DoD or something, I might lose contracts.

100
00:13:00,900 --> 00:13:05,900
Now I'm losing revenue because I didn't follow the rules.

101
00:13:05,900 --> 00:13:10,900
Because they'll cut you off, especially when it comes to government contracts.

102
00:13:10,900 --> 00:13:20,900
And most of the compliances is once you're out of compliance, you need to get back in before they're going to allow you to use their tools to use whatever it is that you're using.

103
00:13:20,900 --> 00:13:26,900
Credit card machines to actually transact Mastercard, Visa.

104
00:13:26,900 --> 00:13:33,900
So it definitely helps to mitigate, because once again, like we were saying earlier, it's part of your cybersecurity.

105
00:13:33,900 --> 00:13:40,900
So that piece of what they have you do to secure that information is really important.

106
00:13:40,900 --> 00:13:45,900
So let's go with one more here, Tim. You're on a roll here.

107
00:13:45,900 --> 00:13:53,900
If I'm not mistaken, even if you achieve the old might-

108
00:13:53,900 --> 00:14:00,900
Checked all the boxes by the activities I've done.

109
00:14:00,900 --> 00:14:05,900
And I've been, you know, what did you call it, not certified, but...

110
00:14:05,900 --> 00:14:07,900
Attestation.

111
00:14:07,900 --> 00:14:08,900
So fast.

112
00:14:08,900 --> 00:14:17,900
You attested that you achieved this level. Are we done? Are we like, is it all done? Or is this an ever-changing thing?

113
00:14:17,900 --> 00:14:18,900
It is changing.

114
00:14:18,900 --> 00:14:23,900
What do you suggest our viewers do to stay?

115
00:14:23,900 --> 00:14:24,900
Well, current.

116
00:14:24,900 --> 00:14:28,900
I think it's... There are a whole bunch of different sites.

117
00:14:28,900 --> 00:14:36,900
All compliances have their own sites that they keep up and you can read to make sure that you're staying up with all the different controls.

118
00:14:36,900 --> 00:14:41,900
And as they come out with new ones, FTC just came out with a new one, PCI DSS 4.

119
00:14:41,900 --> 00:14:44,900
I know I'm not supposed to say after them, but I am.

120
00:14:44,900 --> 00:14:47,900
Well, you've already said what it's de-signal.

121
00:14:47,900 --> 00:14:52,900
But there, you know, it actually starts in 2024, but all the controls are out.

122
00:14:52,900 --> 00:14:57,900
So I mean, you can actually go to the websites and read everything or...

123
00:14:57,900 --> 00:14:58,900
It's in top of it.

124
00:14:58,900 --> 00:15:03,900
You can hire someone like us, you know, shameless plug.

125
00:15:03,900 --> 00:15:06,900
Because that's what we do. We make sure we stay up with those compliance.

126
00:15:06,900 --> 00:15:12,900
We make sure that we stay up with all the controls that are being changed as we go forward.

127
00:15:12,900 --> 00:15:17,900
And that's not even just the major controls where they actually change the actual version.

128
00:15:17,900 --> 00:15:20,900
But even the small ones in between like the patches.

129
00:15:20,900 --> 00:15:26,900
So, yeah, so just, that's really, really key is that you're really never done.

130
00:15:26,900 --> 00:15:29,900
This isn't... I keep saying it. It's a...

131
00:15:29,900 --> 00:15:35,900
You have an activity and you work out, you get in shape, do you stop working out?

132
00:15:35,900 --> 00:15:39,900
No, you got to keep the activity in place.

133
00:15:39,900 --> 00:15:40,900
That's where I went wrong.

134
00:15:40,900 --> 00:15:42,900
That's... No.

135
00:15:42,900 --> 00:15:43,900
Most of it.

136
00:15:43,900 --> 00:15:46,900
So like, you know, if you hire a third party, they should...

137
00:15:46,900 --> 00:15:51,900
Even when you, you know, attest every three months, they should be testing that

138
00:15:51,900 --> 00:15:55,900
to make sure there's no new vulnerability that has been created.

139
00:15:55,900 --> 00:16:00,900
Every time you add something to your network, I mean, how often do we patch our laptops?

140
00:16:00,900 --> 00:16:03,900
Because of changes and we don't even change anything.

141
00:16:03,900 --> 00:16:04,900
For our laptops.

142
00:16:04,900 --> 00:16:09,900
So just, just know that you've got to stay on top of it.

143
00:16:09,900 --> 00:16:10,900
And that's all. Do you want to say that?

144
00:16:10,900 --> 00:16:12,900
One of the... I do because that is...

145
00:16:12,900 --> 00:16:14,900
It actually is key.

146
00:16:14,900 --> 00:16:22,900
And the reason, I say that because some of the compliance is require you to do ongoing training and ongoing scanning.

147
00:16:22,900 --> 00:16:26,900
And it's built in. So, you know, and believe me, we're not the ones telling you have to.

148
00:16:26,900 --> 00:16:29,900
It's the government. It's Visa, Mastercard.

149
00:16:29,900 --> 00:16:31,900
It's, you know, the healthcare industry.

150
00:16:31,900 --> 00:16:32,900
We're just trying to help you.

151
00:16:32,900 --> 00:16:33,900
And that's...

152
00:16:33,900 --> 00:16:35,900
Well, you have to know that you will be on a relationship.

153
00:16:35,900 --> 00:16:37,900
And that's changed over the last few years.

154
00:16:37,900 --> 00:16:38,900
We're in scans now.

155
00:16:38,900 --> 00:16:42,900
Where we're doing this vulnerability scans more often instead of doing it once a year.

156
00:16:42,900 --> 00:16:44,900
We're having to do it at least twice a year.

157
00:16:44,900 --> 00:16:49,900
We should be doing it quarterly, like you said, in the back of everything changes on your network anyway.

158
00:16:49,900 --> 00:16:50,900
So much.

159
00:16:50,900 --> 00:16:51,900
So fast.

160
00:16:51,900 --> 00:16:54,900
So again, the best practice is activity.

161
00:16:54,900 --> 00:17:00,900
Like doing things that you should be doing according to whatever you're holding yourself to.

162
00:17:00,900 --> 00:17:01,900
All right.

163
00:17:01,900 --> 00:17:03,900
Hey, Roman, so listen.

164
00:17:03,900 --> 00:17:06,900
We just talked about changes and how to stay up on the changes.

165
00:17:06,900 --> 00:17:15,900
Are there any things happening right now that some of our viewers might be, you know, interested in learning about?

166
00:17:15,900 --> 00:17:16,900
Now, now, like right right now.

167
00:17:16,900 --> 00:17:20,900
Let's do it like the next 12 to 18 months.

168
00:17:20,900 --> 00:17:21,900
Yes.

169
00:17:21,900 --> 00:17:24,900
There are actually absolutely a whole lot of stuff that is happening.

170
00:17:24,900 --> 00:17:28,900
We've touched on the payment card industry right there.

171
00:17:28,900 --> 00:17:30,900
They released their controls, right?

172
00:17:30,900 --> 00:17:33,900
So they said, "Hey, here's the rules."

173
00:17:33,900 --> 00:17:38,900
And we will give you time until March of 2024, thumbs up.

174
00:17:38,900 --> 00:17:41,900
Department of Defense has the same mentality.

175
00:17:41,900 --> 00:17:43,900
They said, "Here's the rules.

176
00:17:43,900 --> 00:17:47,900
We're not going to do anything until October."

177
00:17:47,900 --> 00:17:48,900
Maybe next year.

178
00:17:48,900 --> 00:17:49,900
We'll see.

179
00:17:49,900 --> 00:17:54,900
And if you're in the car industry or any of the finance industry, pay the loans,

180
00:17:54,900 --> 00:18:01,900
like things you wouldn't really think of that necessarily needed it, the Federal Trade Commission put out their safeguards.

181
00:18:01,900 --> 00:18:04,900
So that's new and improved if you want.

182
00:18:04,900 --> 00:18:06,900
So that started way back when it was--

183
00:18:06,900 --> 00:18:08,900
Oh, it was the PCI's out there.

184
00:18:08,900 --> 00:18:09,900
4.0, right?

185
00:18:09,900 --> 00:18:12,900
And it sounds like, "Oh, they've only had four."

186
00:18:12,900 --> 00:18:18,900
But they do, like, we just move from 3.2.1, which from 3.2, with 3.1.

187
00:18:18,900 --> 00:18:21,900
So all of these things continuously change.

188
00:18:21,900 --> 00:18:22,900
Right.

189
00:18:22,900 --> 00:18:23,900
Continuously.

190
00:18:23,900 --> 00:18:32,900
And if you want to know more, we always have information going at onestepsecureit.com slash blogs, and you can see everything that's changing.

191
00:18:32,900 --> 00:18:33,900
Yeah.

192
00:18:33,900 --> 00:18:35,900
All right. Great, great answer, man.

193
00:18:35,900 --> 00:18:37,900
Let's go back to Tim on this one.

194
00:18:37,900 --> 00:18:47,900
How do cybersecurity compliance efforts align with the broader risk management within organizations?

195
00:18:47,900 --> 00:18:50,900
So does this help in that regard?

196
00:18:50,900 --> 00:18:51,900
Oh, absolutely.

197
00:18:51,900 --> 00:18:58,900
I think that, you know, we remember cybersecurity is either going to generate revenue or it's going to be a cost center, right?

198
00:18:58,900 --> 00:19:01,900
You're either using it to make money, because--

199
00:19:01,900 --> 00:19:02,900
There it is.

200
00:19:02,900 --> 00:19:06,900
We go out there and we make sure that people are staying within their compliance.

201
00:19:06,900 --> 00:19:09,900
We make sure that they're doing everything they're supposed to do.

202
00:19:09,900 --> 00:19:11,900
Have all their documentation.

203
00:19:11,900 --> 00:19:14,900
Make sure that all the controls are in place.

204
00:19:14,900 --> 00:19:18,900
We use it as a revenue generator for us.

205
00:19:18,900 --> 00:19:21,900
Most small businesses, it's a cost center, right?

206
00:19:21,900 --> 00:19:25,900
I have to pay for this in order to stay within a specific compliance.

207
00:19:25,900 --> 00:19:28,900
But it all has to do with your business anyway.

208
00:19:28,900 --> 00:19:31,900
You know, we're going to create--

209
00:19:31,900 --> 00:19:33,900
We're going to understand what our critical infrastructure is.

210
00:19:33,900 --> 00:19:34,900
We just how we make money.

211
00:19:34,900 --> 00:19:36,900
So we look at our infrastructure.

212
00:19:36,900 --> 00:19:38,900
We see that we have credit card machines on our network.

213
00:19:38,900 --> 00:19:42,900
We have POSs.

214
00:19:42,900 --> 00:19:45,900
And I'm not going to say that happened to him because he just floated my head.

215
00:19:45,900 --> 00:19:46,900
What is it?

216
00:19:46,900 --> 00:19:47,900
Point of sale.

217
00:19:47,900 --> 00:19:48,900
Thank you.

218
00:19:48,900 --> 00:19:52,900
You would think I'd been in the industry long enough to remember that one.

219
00:19:52,900 --> 00:19:54,900
So you have your point of sale.

220
00:19:54,900 --> 00:19:57,900
You have all these different things that are critical to how you make money.

221
00:19:57,900 --> 00:20:01,900
Well, the compliance is, once again, is part of that you build in.

222
00:20:01,900 --> 00:20:06,900
If something happened to my environment, what would happen?

223
00:20:06,900 --> 00:20:08,900
Would I lose revenue?

224
00:20:08,900 --> 00:20:16,900
Well, if I can't get the person to pay for what they're making or grabbing from your shelves or online,

225
00:20:16,900 --> 00:20:18,900
then I'm losing money.

226
00:20:18,900 --> 00:20:20,900
So that's a huge risk.

227
00:20:20,900 --> 00:20:23,900
So we're going to do a business impact analysis on that, a BIA,

228
00:20:23,900 --> 00:20:30,900
and look at that environment to see what if this happens.

229
00:20:30,900 --> 00:20:32,900
And that's what compliance and securities all about, right?

230
00:20:32,900 --> 00:20:35,900
We're trying to stop an incident from happening.

231
00:20:35,900 --> 00:20:37,900
We don't want any denial of service.

232
00:20:37,900 --> 00:20:40,900
We don't want anybody breaching our accounts.

233
00:20:40,900 --> 00:20:43,900
We don't want anybody ransomware in our environment.

234
00:20:43,900 --> 00:20:45,900
We want our environment secure.

235
00:20:45,900 --> 00:20:47,900
And that's the risk management.

236
00:20:47,900 --> 00:20:54,900
Yeah, so what I hear from what you're saying is that if you are held to any standard,

237
00:20:54,900 --> 00:20:59,900
like compliance or regulatory requirement, it's an overhead.

238
00:20:59,900 --> 00:21:02,900
In other words, I can't run my business without the internet.

239
00:21:02,900 --> 00:21:04,900
So that's an expense, right?

240
00:21:04,900 --> 00:21:06,900
Well, the internet is also helping you make money, correct.

241
00:21:06,900 --> 00:21:10,900
So I view compliance as a competitive advantage.

242
00:21:10,900 --> 00:21:12,900
Absolutely.

243
00:21:12,900 --> 00:21:19,900
So I feel that businesses that promote that they're protecting their clients

244
00:21:19,900 --> 00:21:24,900
by achieving this level of security,

245
00:21:24,900 --> 00:21:27,900
they're actually one-up in their competition.

246
00:21:27,900 --> 00:21:32,900
So I view it all as a foundation requirement by the money maker.

247
00:21:32,900 --> 00:21:36,900
Yeah, and we even had that conversation other day because reputation,

248
00:21:36,900 --> 00:21:40,900
which is something we always forget about when it comes to being hit,

249
00:21:40,900 --> 00:21:43,900
compliance does help with reputation as well.

250
00:21:43,900 --> 00:21:46,900
It actually builds confidence in what you're selling it,

251
00:21:46,900 --> 00:21:50,900
how you're handling your finances, your environment, your controls.

252
00:21:50,900 --> 00:21:51,900
Good.

253
00:21:51,900 --> 00:21:52,900
Well, thanks.

254
00:21:52,900 --> 00:21:55,900
So let's kind of wrap this episode up.

255
00:21:55,900 --> 00:22:01,900
Roman, are there any additional considerations or advice that you might give

256
00:22:01,900 --> 00:22:06,900
a business owner and executive or that person that is now responsible

257
00:22:06,900 --> 00:22:09,900
for achieving compliance?

258
00:22:09,900 --> 00:22:13,900
How to maybe navigate getting there.

259
00:22:13,900 --> 00:22:15,900
Any additional advice from what you've--

260
00:22:15,900 --> 00:22:16,900
Additional advice.

261
00:22:16,900 --> 00:22:18,900
Additional.

262
00:22:18,900 --> 00:22:20,900
Honestly, run for the hill.

263
00:22:20,900 --> 00:22:25,900
What I would honestly would say is,

264
00:22:25,900 --> 00:22:28,900
and this might be for your regulatory industry as well,

265
00:22:28,900 --> 00:22:34,900
is train or hire somebody internal that can be on top of this.

266
00:22:34,900 --> 00:22:37,900
They can study it, they receive the emails,

267
00:22:37,900 --> 00:22:41,900
so that they can help you from an internal aspect.

268
00:22:41,900 --> 00:22:44,900
Because the other half of it is,

269
00:22:44,900 --> 00:22:47,900
hire a third party company, which Tim had mentioned,

270
00:22:47,900 --> 00:22:49,900
and sometimes that's going to be both.

271
00:22:49,900 --> 00:22:54,900
So I would say that is going to be your best bet is to get somebody internal that knows it.

272
00:22:54,900 --> 00:22:57,900
So even if you do hire a third party, you have a contact point that speaks the same language.

273
00:22:57,900 --> 00:23:01,900
Yeah, and it's your larger company that can afford a full-time,

274
00:23:01,900 --> 00:23:03,900
let's say, compliance officer.

275
00:23:03,900 --> 00:23:10,900
It's almost better from a legal perspective to have that arms length gap between the person

276
00:23:10,900 --> 00:23:15,900
that they're doing and the company that's doing it and getting it done.

277
00:23:15,900 --> 00:23:16,900
Agreed.

278
00:23:16,900 --> 00:23:17,900
Agreed.

279
00:23:17,900 --> 00:23:22,900
And again, some of that, before I mention the regulatory need is FTC says,

280
00:23:22,900 --> 00:23:27,900
you have to have somebody in your company to do it.

281
00:23:27,900 --> 00:23:29,900
So you have to train and hire that.

282
00:23:29,900 --> 00:23:30,900
Are they going to know everything?

283
00:23:30,900 --> 00:23:31,900
No.

284
00:23:31,900 --> 00:23:33,900
So have a third party to help you out so it's like,

285
00:23:33,900 --> 00:23:34,900
okay, this is what I did.

286
00:23:34,900 --> 00:23:35,900
Is it correct?

287
00:23:35,900 --> 00:23:37,900
Third party can validate it?

288
00:23:37,900 --> 00:23:38,900
Boom, you're safe.

289
00:23:38,900 --> 00:23:40,900
Yeah, and most of the time it's a compliance officer.

290
00:23:40,900 --> 00:23:42,900
They'll actually say, who is your compliance officer?

291
00:23:42,900 --> 00:23:43,900
Right.

292
00:23:43,900 --> 00:23:45,900
Or who is the person who's heading up your security?

293
00:23:45,900 --> 00:23:47,900
And you have to name someone internal.

294
00:23:47,900 --> 00:23:49,900
Usually though, a lot of the smaller companies said,

295
00:23:49,900 --> 00:23:54,900
CEO of the CFO, C-O-A.

296
00:23:54,900 --> 00:23:55,900
Yeah.

297
00:23:55,900 --> 00:23:58,900
All of the acronyms out there at D.O.A.

298
00:23:58,900 --> 00:23:59,900
We tried so hard.

299
00:23:59,900 --> 00:24:00,900
We tried so hard.

300
00:24:00,900 --> 00:24:01,900
We just couldn't do it.

301
00:24:01,900 --> 00:24:02,900
I always wrote it.

302
00:24:02,900 --> 00:24:03,900
I'm sorry.

303
00:24:03,900 --> 00:24:04,900
You're missing.

304
00:24:04,900 --> 00:24:07,900
You gotta get you a Mr. acronym.

305
00:24:07,900 --> 00:24:09,900
All right, everybody.

306
00:24:09,900 --> 00:24:11,900
Thanks for tuning in today.

307
00:24:11,900 --> 00:24:13,900
We really, really appreciate it.

308
00:24:13,900 --> 00:24:18,900
And if you're listening to it on a podcast, please take the time to go ahead and review it.

309
00:24:18,900 --> 00:24:20,900
And, and review us.

310
00:24:20,900 --> 00:24:21,900
And subscribe.

311
00:24:21,900 --> 00:24:23,900
If this is YouTube, you're watching it on.

312
00:24:23,900 --> 00:24:25,900
Go ahead and like and subscribe.

313
00:24:25,900 --> 00:24:28,900
So you get informed of our latest content.

314
00:24:28,900 --> 00:24:32,900
So everybody, thank you for watching and have a great day.

315
00:24:32,900 --> 00:24:33,900
Cheers.

316
00:24:33,900 --> 00:24:43,900
[MUSIC]