IT Compliance – Comply to Compete

Speaker 2:

My name is Frank Troilo. I'm a manager with EisnerAmper in the tech risk department. In my past experience, I have over 25 years of IT compliance, information security and risk management experience, focusing on information security programs and technology.

Speaker 1:

That's a great background. And then actually it's very apropos for the conversation that we're going to have related to cybersecurity. Obviously you've had a lot of experience in this space with practical experience as well, and so I want to understand a little bit about cybersecurity initiatives and particularly in compliance initiatives with the program. So based on your experience, what do you see as part of the common elements for a cybersecurity compliance program?

Speaker 2:

So a cybersecurity program, obviously it's a program. It consists of policies, procedures, standards to manage risk, to ensure compliance, and it basically should be part of the business objective and the business model. Cybersecurity programs need to be derived from senior management and have strong tone at the top. And so their main process is to ensure that risk is managed and compliance.

Speaker 1:

Yeah, that's pretty impressive because it does take on a whole different element of initiative by the organization to be able to comply. It's certainly not just the executives that have to go through this, it actually has to be at the employee level and even third parties that are working with the business and contractors. Is that correct, Frank? Am I off base?

Speaker 2:

No, no, you're correct, Ray. It needs to be an organizational wide effort. It's not an IT project in any way. It's driven by tone at the top, and so you are correct in what you're saying. Okay.

Speaker 1:

So when you're looking at these compliance initiatives for organizations, and we're talking about small to large scale enterprises, so I don't want to limit the conversation here, I want to make sure that we're looking at it from all of the different scales of the type of organizations, any industries that we're working with, what's your experience as far as the benefits for providing a compliance initiative? Why do I need to worry about this as a company?

Speaker 2:

Good question, Ray. So the benefits are rather vast. First and foremost, I would say awareness to employees. Employees need to be aware of the cybersecurity program, but then again, there's additional benefits. A cybersecurity program ensures that compliance and regulatory controls are maintained. There's accountability and reputation when an organization has a cybersecurity program. There's market share, so there's many benefits. What are you seeing in the industry?

Speaker 1:

No, I think it's very similar. I have to echo your sentiments there. I think the focus of compliance is not only just a check the box approach, but it's also looking at it from the perspective of how you are enabling the business to drive a better effectiveness, efficiency, improvements in operations, opportunities for advancement in either technology or initiatives that they're trying to address from their own industry perspective. So I look at it as compliance as not necessarily a stick, but an opportunity or a carrot, if you will, for organizations to look at new opportunities to evolve. And so I think from a compliance initiative perspective, if you have these things in place, it will foster growth and opportunities.

Speaker 2:

Good point, Ray. Yeah, I strongly agree. Nowadays, what we're seeing is that for any organization out there that has an IT function, they really should ensure they have a cybersecurity program.

Speaker 1:

Right, no, absolutely. And you mentioned this earlier that cybersecurity compliance is not just limited to IT, and there's the incorporation of the employees. So what are the things that you're seeing to engage employees as part of the cybersecurity efforts? Do they do awareness campaigns? Do they have other type of campaigns to engage with employees? What do you see as far as from an industry view?

Speaker 2:

So first and foremost, I'm seeing that security awareness training should be conducted on at least an annual basis, sometimes more frequently if the business determines so.

Speaker 1:

You're saying it could be frequently, meaning they do it on just a routine basis, like quarterly, weekly? Do you see even more than that?

Speaker 2:

Not weekly, quarterly, a semi-annually, annually. It could come in different forms aside from maybe just PowerPoint training, there could be campaigns, there could be newsletters. Various organizations utilize various forms of security awareness training in order to educate their employees.

Speaker 1:

Yeah, I think of education as a component of, if you think about grooming athletes, it's like the exercise for the employees. They have to be aware and understand, and it has to be routinely done so that they're familiar with the cybersecurity policies or the practices that the organization wants to apply. So I look at it as awareness as part of the hygiene, if you will, for the organization.

Speaker 2:

Excellent point, Ray. I totally agree.

Speaker 1:

And if I were using that analogy from a perspective of training and grooming, that's what I look at, cyber compliance, cybersecurity compliance, it's an ongoing activity that where you essentially are training all of your athletes within the organization to be better prepared for the moments that matter, correct?

Speaker 2:

Agreed, agreed. And I'm also seeing as part of a best practice. So once your organizational employees complete their security awareness training, typically they would sign an acknowledgement form that basically carries forward in terms of they understand that they receive the training and that they agree to comply with the standards, with the procedures that the organization has identified.

Speaker 1:

Okay. So besides the awareness, what other components are part of that cyber effort? What do companies do to create more structure, more rigor in their programs?

Speaker 2:

I'm seeing access control procedures are very much mandatory. And when I refer to that, I mean segregation of duties, managing privileged access, incident response programs have pretty much become a given as a must have in your security awareness program. We had one client, case in point, where we had originally developed a incident response program for them, roughly 30 pages or so, and we found out that that was just too overwhelming for them. It was well beyond what they needed organizationally. So we worked with the client and kind of scaled it back significantly, maybe to 10 pages, and now we find out that the client has adopted our incident response program. It's much more manageable for what they needed. They didn't need the 30-page compliance document that really was well beyond their expectations.

Speaker 1:

Yeah, no, that makes sense because I think that it can be very complex for an organization to try to comply with everything and have all these different components. And as you mentioned, an incident response effort that's 30 pages, not a lot of people are going to have the time of the appetite to really get into the details of a 30-page incident response program, in addition to their other functions that they're doing within the organization from a business perspective. So trying to make it manageable, making it adaptable, right sized, if you will, I think that's a component of why you have to think about compliance efforts and how you are able to persuade and engage with the employees. You can make it so that they can adapt and easily apply those principles that you have or the guidances that you have in those incident response plans as easy for them as part of their routine, if you will.

Speaker 2:

In addition to what you're saying, you also have to, as an organization, ensure that you perform some level of readiness testing, which often could be missed.

Speaker 1:

Speak to me more about that readiness testing. What do you mean exactly by that?

Speaker 2:

So I mean, for an incident response program, for example, you would want to perform a test. You would want to maybe create a scenario for an incident which might occur, possibly like a malware event or a virus, something like that. And then you would want to have your key personnel, your key members of IT and management come together and play that out as if it were almost scripted.

Speaker 1:

So almost like role play.

Speaker 2:

Role play, exactly. And there's lessons learned from this exercise. You don't want to wait until you have the incident in house where you're trying to dust off your plan. That pretty much ensures failure at that point. So often it's bypassed, but really should become part of your normal monitoring and management of risk activities.

Speaker 1:

Okay. So in addition to doing incident response, are there other things that organizations should do to ensure that they are complying with the program? I think what I'm leaning towards is how do you actively monitor for that type of effort? Because certainly there are things that you need to do from a compliance perspective that are tied to whether it's an industry specific regulation or requirement or state or federal type of requirement. But how do you keep up with that? Is it some type of monitoring that you're doing ongoing?

Speaker 2:

Yeah, so one of the aspects of monitoring could be periodically testing your program, hiring an outsourced vendor, or if you have the resources internally that are technically competent, they would conduct an IT audit and they would go in and basically test the controls around your information security program, validate that controls are in place, that you are effectively safeguarding assets and managing risk. So again, lessons learned out of all of these things can often be missed, but definitely would be mandatory activity.

Speaker 1:

No, that's great. And from your experience, obviously you have a vast knowledge of doing internal control reviews, so you understand from the perspective of looking at it from all different fronts, from access controls and for the systems on how they're being configured and managed and how you look at it from an actual implementation of a system, as an example, do they follow the appropriate practices to protect not only the assets, but the information, the data itself, is that accurate?

Speaker 2:

Yes, that's very accurate. Typically, there's always areas for improvement. An IT audit is not viewed as something like a gotcha mentality. It's designed to improve the controls in the organization, and it should be a collaborative experience between the auditor and the auditee. And often that isn't the case, but in my experience, it's actually been getting better.

Speaker 1:

Okay. So we talked a little bit about awareness. We talked a little bit about incident response. We talked a little bit about different assessments and auditing and testing, evaluating the program. Are there other things that you need to think about from an organizational perspective to ensure that you have proper coverage? Because I would think sometimes that you need to understand what type of assets, if you will, that you're trying to protect. Have you had any experience where you've done some, I guess, asset management or asset inventory of different systems and databases? Is that part of a cybersecurity compliance?

Speaker 2:

Yes. Knowing your assets in your organization is key because you essentially can't protect what you don't know.

Speaker 1:

Yeah, Peter Drucker, management guru.

Speaker 2:

So with that said, having inventories, having asset listings, ensuring that all your hardware and software is inventoried in your organization is crucial in terms of managing the risk around those devices.

Speaker 1:

Okay. And then also looking at it from the perspective of, many times you hear the triad of security, confidentiality, integrity, and availability, I think there's a component of resiliency. I would think that is part of that compliance effort. Not only are you trying to protect the assets, but you're also trying to make sure that they're available as needed. So can you speak to any of the business continuity or other situations that clients have to apply?

Speaker 2:

Yeah, well, I would consider business continuity, disaster recovery planning, also a must have in your written information security program. It's about readiness in terms of testing those programs. Some organizations we find might have a disaster recovery plan, but not a business continuity plan.

Speaker 1:

And those are two distinct things. I'm sorry to interrupt, but two distinct things.

Speaker 2:

Good point. Disaster recovery plan could cover what is done in terms of a disaster that might impact the organization. Business continuity is more focused on departmental objectives and how a department might respond in terms of when there's an event or a disaster. Two distinct components typically referenced hand in hand, but I would say that they're also must haves as far as your cybersecurity program.

Speaker 1:

Okay. All right, great. So when I look at the things that you're mentioning as part of an overall program, there are going to be things that are within control that you can manage, and then there are things that may not be as easy to control. So how do you manage that knowing that there are things that are going to be the unknowns? Are there things that organizations can apply in practice to help deal with that type of void, if you will?

Speaker 2:

In my experience, some organizations might not have the bandwidth to roll out a full-blown cybersecurity program. That's okay. You should work to include what you have, even if you're starting out small. Again, this is a journey. This isn't a one and done. And so you're constantly reinforcing and rebuilding what you have and enhancing it going forward. Something is always better than nothing when it comes to security controls and managing risk.

Speaker 1:

Yeah, because I look at it from, obviously you hear about the big players that are out there, they have these very diverse teams that are there from a cybersecurity perspective, they have technologists, they have analysts, they have all kinds of different types of resources, but for smaller organizations in particular, which I've seen many studies related to cyber incidents, cyber events that are occurring more at the smaller organizations because they're less mature as part of their efforts point. They don't necessarily have those type of resources. So what we're talking about here and what you're highlighting is really promoting the ability for even the small organizations to look at their cybersecurity efforts and start small, if I'm understanding it correctly.

Speaker 2:

Yes, we always encourage that.

Speaker 1:

And then as they develop these capabilities, that's a maturation, if you will, of the capabilities, and it enables them to get to the state where there's much more risk posturing and mitigation that they can have, management is more of the word I was looking there. The other thing I wanted to highlight was you mentioned outsourcing, or maybe I alluded to that, looking at outside help, if you will. In your experience, do you see that as the opportunity for organizations? Do you see it as, do they need to have a focus to do it internally or is it beneficial for them to look at?

Speaker 2:

I think that each organization is different. In terms of resources, in terms of financial spending, some will manage it internally. They may have a CIO, a CISO, CTO and a staff, and so they could manage their cybersecurity program internally. Others are not at that level of maturity, so they need to outsource to a group of trained professionals with information security backgrounds, IT backgrounds that can help to manage the program externally.

Speaker 1:

Seeking outside help is not a bad thing?

Speaker 2:

No, not at all, no.

Speaker 1:

Okay. So where you need that support, get the right specialist involved, the experts. In addition to resourcing, are there other things as far as helping support and manage risk that companies are starting to apply now? I hear about cyber insurance. Is that something that you've come across? What are your experiences with cyber insurance?

Speaker 2:

Cyber insurance is becoming very, very prevalent in the industry now, and the purpose is to transfer risk. You're never going to fully avoid risk. You're transferring risk to another organization, an insurance company who's willing to sell you a policy and help you to get to where you might want to be. But I'm finding in my experience that the process is very rigorous and intense.

Speaker 1:

You mean the insurers themselves?

Speaker 2:

The insurers, yes. They're coming in with very detailed and thorough questionnaires asking management essentially questions about their cybersecurity program. And the questions are all driven around all of the topics that we're talking about today, but in greater detail. Some of our clients, we're working with them now to support them in their efforts to obtain cybersecurity insurance.

Speaker 1:

So what I'm understanding is that they're becoming more educated as well, the insurance providers, and they're asking these type of questions that are related to a program and it's demonstrating... Well, obviously they have to underwrite.

Speaker 2:

Yes, definitely so.

Speaker 1:

So before they underwrite, they want to make sure that they're dealing with a party that has demonstrable capabilities within their cybersecurity compliance efforts. So what that speaks to me is that you already have to think about that as an organization. If you want to basically balance out your program and still get cyber insurance, you have to have some of these components in play already, meaning policies, you have to have the awareness, you have to have the incident response, you have to have the resiliency capabilities, you have to have the access controls that we're talking about here. So all of this comes-

Speaker 2:

All included.

Speaker 1:

All included, right? So it's not like you can just start with one little thing and then just automatically get cyber insurance. You won't get it.

Speaker 2:

No, you won't get it. The programs are very, very thorough, very complete and comprehensive. They're driven to determine that you have controls in place in your organization, that you're managing risk, that you're safeguarding information assets. And we're finding that, let's say for example, you've indicated no on one of your questionnaires. Well, the follow-up from the insurance company is when do you plan on implementing this control? So they're ultimately trying to get you to a yes in all cases. And the nos are what could get your policy denied essentially.

Speaker 1:

Oh, wow. That's interesting. Yeah, so this speaks volumes related to overall compliance efforts that you already have to have that in place or at least working towards that in order for you to achieve some of the cyber insurance as an example. So all of the different things that we've talked about today are components that an organization, a company, whether small or large, they all have to have some demonstrable capabilities in place to even go down the path with insurance.

Speaker 2:

Excellent point. And I would expect that going forward, the criteria will only become more vigorous, more intense because the insurance company is not going to underwrite the policy without getting confident, getting comfortable that the organization has the necessary controls in place.

Speaker 1:

Okay. So as we're wrapping up here, I want to get a perspective from you. Is there anything else that from an overall compliance, if you were to leave some thoughts related to what are some leading practices or things that you need to consider as part of a compliance effort, what advice would you give?

Speaker 2:

Some of the takeaways would be that this is more of a journey. This isn't a one shot deal. You shouldn't develop your cybersecurity program and put it up on the shelf. It has to constantly be reviewed. It's like the analogy that you presented with being an athlete. You're constantly looking to raise the level of your game. So the journey component is very, very important. You want to test your program, you want to have continuous monitoring. The testing we spoke to with regards to performing IT audit reviews, a lot comes out of those. And so that's part of the testing and monitoring processes. I would say that they're two of the takeaways in terms of how to maintain your security posture and your written program.

Speaker 1:

Okay. No, that's great. Thank you, Frank. I appreciate that. And for the audience, I want to take a moment to thank Frank and appreciate your time for spending a few minutes with us to chat about cybersecurity compliance programs and understanding how complying can enable you to be more competitive in the market space. So thank you for your time.

Speaker 2:

Thank you, Ray. This was great.

Speaker 1:

Great.