Podcast Transcription

Christine Izuakor:
Hello and welcome to the Veriato Insider, a podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, which is a next-generation employee monitoring and insider threat detection software provider. I'm Dr. Christine Izuakor, your host for today's segment, and our topic is about managing security and compliance in a remote world. We have a special guest with us today to cover this. Shelby Cannon is joining us for the conversation. Shelby is an experienced cybersecurity executive with a track record for making a difference everywhere from enterprise data protection to global regulatory compliance, risk management, and so much more. She's led a variety of cybersecurity functions at large corporations like Bank of America, Tenneco, CNA Insurance, and more. So a broad range of industries. Shelby holds a bachelor's and master's in Criminology from Florida State (I love Florida) and is CISSP certified. So such a great wealth of experience here with us today. Welcome Shelby, and thanks so much for joining us.

Shelby Cannon:
Thank you. Wow. Just hearing you talk about me. Thank you. I appreciate the opportunity to come and talk about risk and compliance.

Christine Izuakor:
You are way too modest and thank you. So to start, maybe tell us a little bit more about your background and some of your experience, especially around compliance.

Shelby Cannon:
Sure, so I've been in the GRC side of the cybersecurity space, which is governance, risk, and compliance. Which is the more foundational elements. It's funny, I was listening to you do the introduction and you were talking about the sponsor and the tool, and all of the ways that they kind of can help on the cyber side, increase security. And then it always makes me kind of laugh, on the GRC side, because we just don't have that. There's not a lot of tools, there's not a lot of platforms. There's not a lot of really innovative things that people do to make sure you're having risk and compliance and governance and paying attention to those things. So I'm glad to be able to speak about that. But in terms of my background, I came into security about, I guess, 11 years ago. Focused on the GRC side of it.

So the policies and standards that you would need to be able to kind of govern your organization, setting up risk management capabilities and frameworks to say, okay, now that we are discovering things on the SecOps side, whether it be pen testing or those sorts of things.

How are we tracking risk against what our risk profile looks like from an organizational perspective? And then another part of that is compliance. That is making sure that we are adhering to the mandates that are required of us by both the industry that we support, as well as the geographic regions where we conduct our business, to make sure that if someone external comes in and asks us, what are we doing? And can we verify that? We are able to provide adequate responses to avoid fines and regulatory impact.

How has remote work impacted compliance in organizations?

Christine Izuakor:
So important to be prepared, right? And so in today's era, how has the recent vote and remote work impacted compliance in organizations?

Shelby Cannon:
So what I would say is, I don't think that it has had a lot of impact, because pretty much the one standard thing I would say from a compliance perspective is, depending on the industry that you work in, you've got SOX and SOX warnings, those are pretty standardized cycles. So those really aren't impacted that much by the remote workforce, as long as you make sure you have the appropriate people, and the appropriate evidence. But one of the things that I would say has been a challenge for us, at least when I was at CNA, was that insurance is one of the few industries that is not federally regulated.

So each state has its own particular set of requirements. Now most of them are generally similar, but the way that they ask for information might be a little different. So this was the first time that we were entertaining multiple states but not being able to be in the office. We were trying to figure out how we would give them remote access to be able to view the documentation, but make sure that they wouldn't be able to remove it.

So we had to put data protection on it to make sure that we were providing them the follow-up responses that they needed in a timely manner. Which again, when you've got all these people sitting in a room for two weeks is fairly easy. But trying to coordinate schedules and making sure that we had the right people available at the right time to answer the questions was a bit of a challenge.

And so I think from that perspective, when you're used to dealing with regulators and kind of have the whole situation set up where you, again, like I mentioned, have them in one room, it makes it easy for the people to kind of flow through and talk to them and get them the access they need, without having to worry about them taking new information with them offsite. It's been definitely a bit of a challenge.

What's the biggest mistake companies make when it comes to managing compliance?

Christine Izuakor:
So it sounds like geographical lines get blurred, which can of course impact compliance. I mean, it's an easy mistake to make if you overlook or don't pay attention, especially when it comes to your audits and your regulators. And so along those same lines, what's the biggest mistake you see companies making? Or greatest opportunity for improvement when it comes to managing compliance?

Shelby Cannon:
So I think probably the greatest mistake that companies make, especially on the technology side, is that they don't do a good enough job partnering with the corporate compliance function. Most companies have that because it's a requirement for most regulators globally. So I think what typically tends to happen is there's always a compliance component to technology. If you don't partner with corporate compliance in the right way, then you guys end up kind of tripping over each other or doing a lot of redundant efforts. But if you just combined and worked together, it would make things a lot easier.

I think in the four or five companies I've worked for where I've been responsible for technical compliance, one of the things that I've tried to do is make sure that the first business partner that I engage with is the chief compliance officer, to make sure that we are aligned and working together, to make sure we're all kind of doing the same thing.

I think another area for improvement also on the compliance side is app dev. I think a lot of times we have the application teams developing and making code and making products and all of that stuff, which is wonderful and awesome, and cost-effective to keep that internal. I think part of the challenge with that is they are so looking to develop quickly that they sometimes forget that they need to be mindful of regulatory impacts to the data that they're using or managing or leveraging.

One of the big things that we are running into now is the data warehouse. We're pulling all of these different data elements together. And in terms of the developer, the more data you have, the better. Which makes sense in terms of running your algorithm, data analytics. But the problem is sometimes if you bring together too many different data elements without paying attention to them, you are creating a regulatory issue and challenge. And one of the things that we discovered at CNA again, was we're trying to pull all these pieces of information together, which singularly aren't a big deal, but when you combine them, now you've got HIPAA issues or you've got PHI issues.

And those are things that developers don't pay attention to. So you've got to make sure that you are working with them to keep them mindful of saying, "Look, just because we can pull 27 different data elements, we need to be mindful that wherever and however we're storing them or accessing them could create regulatory challenges." I think making sure that you get aligned to corporate compliance is a big opportunity. And I think also making sure that you keep the people that are building out databases and data warehouses or doing any sort of data development mindful of what the compliance requirements are.

Key tips to navigate compliance during the remote era

Christine Izuakor:
What are some key tips you'd give leaders looking to navigate compliance issues during this remote era?

Shelby Cannon:
I think the first thing I would say is don't try to boil the ocean. Well, I think one of the common misconceptions about compliance and regulatory requirements is, like I mentioned, it's about kind of where you do business, what data you're using to do your business, and geographically where you're located. So those are the three pretty much big buckets that we look at from a compliance perspective. And when that comes back, I mean, there's going to be hundreds of regulations.

What you've got to make sure that you focus on are the ones that are, number one, the most impactful. Number two, that you have the most... What's the word I'm looking for? Most impactful, most interaction with. That's the word I'm thinking of. And then the ones that are on a more consistent basis, like I mentioned, like SOX and stuff before, right? So you try to keep your scale small, because most of the compliance requirements are all pretty similar.

It's just, like I said, it's a matter of how the information is presented. So just focus on the biggest ones that are the most impactful to your organization, and start there. Don't worry about trying to meet or be compliant with every single regulation externally, because that's something that will never happen.

And I think the other thing that I would remind leaders of is make sure that you stand up an internal compliance program as well. Like, as I mentioned, there's policies and textbooks and all of those sorts of documentation that are developed from kind of a governance perspective.

A lot of those documents in a kind of mature organization are based on regulatory requirements. So as long as you are tracking and making sure that you are adhering to your own internal set of documents, that will also give you a leg up in terms of being prepared for any external engagement that you might have. So I would say, again, make sure that you keep your scope small and focus on the regulations that have the most impact, but also make sure that you are spending the amount of time to check your internal requirements and maintain an internal compliance program. Because I think that will really help as well.

Key tips to navigate compliance during the remote era for small to medium-sized businesses

Christine Izuakor:
A quick follow-up question on that. You talked about the need to collaborate with corporate compliance, and then you have your information security compliance group. And now there's an internal group that you've mentioned. For some of the smaller and medium-sized businesses listening today, who might not have all of the large teams and the large resources that a large enterprise has, do your recommendations or tips change at all for that audience? What can you add?

Shelby Cannon:
So, I would say no. And I know scale is everything. It's much easier to point at somebody else and say, okay, you do this one thing, you do this one thing, as opposed to people having to wear 27 different hats. But I would say that the two things, again, that I would focus on are the regulations that have the most impact and then aligning your internal policies and standards and documentation that you use, foundationally. If you can get those two things going and working, then I think the rest of it will come together. Because again, it's just making sure that you are going to be prepared if somebody comes and asks you, that you are able to provide appropriate evidence.

And again, if you are maintaining compliance and following in line with what you're internally asked to do, I think the rest of it will work. So yeah, you might not have as many people to throw at the problem, but I think if you start with those two basic foundational pieces, then you'll be fine.

Christine Izuakor:
Got it. Yeah. That was really important. So as we wrap up any final thoughts you want to share on this topic?

Shelby Cannon:
It's interesting about compliance. I think when security first started, the first thing that everybody heard was compliance, because kind of SOX came out and everybody's like, okay, we've got to be mindful. And it was compliance because they used it as sort of a stick to make people do things and to carry. And I think, whereas now I think compliance is viewed as a little bit more of an assistance.

It's like, okay, if we're going to do this, or we're going to expand our capabilities, how do we make sure that we do that while making sure that we are adhering to the laws and regulations, but not necessarily, thou must, right? It's how do we do this together?

And I think that that's been nice to watch. Is that when you bring up compliance requirements, people aren't like, "Ugh! Now what?" It's more like, "Oh, okay, well, how do we pay attention to this?"

And I think giving people a greater understanding of what we need to do from a data protection perspective and a data user's perspective, I think has been huge. And I think that's come from how compliance has matured across the information security area.

Christine Izuakor:
All really good points. Well, hey, Shelby, thanks so much for joining us today. That concludes the Veriato Insider podcast for this week. Again, this has been brought to you by Veriato, an award-winning cyber security company recently recognized with the gold award for best insider internet solution of 2020. Their solutions are anchored around four core pillars of cybersecurity, including employee monitoring and web filtering, insider threat detection, ransomware support, and workplace investigations.

All solutions that can definitely help address some of the concerns that companies have, especially in today's remote world. So to learn more about how Veriato can help protect your company, check out veriato.com. Thanks for tuning in and a special thanks to Shelby again for joining us today.

Shelby Cannon:
Anytime. I like talking about stuff that I find interesting, because it is not a lot of stuff. But if you do want to do a podcast about baby Yoda, I am all over that.

Christine Izuakor:
Love it. Awesome. Hey, I am Dr. Christine Izuakor, CEO of Cyber Pop-up, and it's been my pleasure to share these insights with you alongside Shelby, and until next time, stay safe and secure.
