Transcript – What is compliance in GRC? Jacob Cane from Salus GRC joins
Hey, what's up everybody, happy Friday. Tim here, Team Tim with Tim Schner, Jesse Miller and our good friend Jacob. You all get me in your face one more time again this week, live. Turn my volume down over there while I'm restreaming. All right, it's like I've never done this before. So hey everybody, happy Friday. Really excited to be back again here with Team Tim. I know we kind of lost our cadence, we're trying to get back into the groove, except I'm leaving again this week. So Mr. Schner, hey buddy, come on up, say hello, how are you my friend, what's going on?

Yeah, it's great to be back. I know we're doing these at a little different cadence now, but Tim Schner, I work at a company that I founded called Least Trust, leasttrust.com, that does hardened laptops for retirees, high net worth individuals, Chromebooks, but they're really dedicated towards investing in finance. So great episode coming up this week. This is part two of our three-part GRC: what is governance, what is risk, what is compliance. I actually got the order screwed up, so this week we're talking about what is compliance. But excited to have Jacob on, who really is someone I've learned a lot from in our short conversations in the past, so excited to have him on and talking about what is compliance. Hey Jacob.

So we'll give you a second, I just want to touch on something Tim said, right. It's funny, because I've talked to a few different MSPs in the last couple of months and two specifically are doing kind of what you're doing over there at Least Trust: they're going after high net worth kind of individuals and firms and that kind of stuff. It was really interesting, I should make sure I remember who they are and connect the two of you. Enough of that. Jacob, how are you? Give us a little shout out, talk a little bit about yourself.

All right, well I'm doing well, thanks for having me here, I appreciate being on. So, Jacob Cane,
I head up the cybersecurity risk practice here at Salus GRC, so I was bound to be here for this series. The company name there is the governance, risk and compliance. What we do is a combination of regulatory compliance and cybersecurity. I head up that cybersecurity group, primarily for investment firms. So long time in the space, an MSP veteran and ex-MSP person myself, but now here full-time on that cybersecurity side of things.

Nice, so you're doing a little crossover with Tim on the whole finance, high net worth stuff, a little bit of crossover. Hey Jacob, if you need help with that stuff and hardening those endpoints and managing those, I got a friend over here, Tim, that as an MSP can help you do that.

That is awesome. We do not want to manage, we do not want to harden. As we always say when we're working with MSP partners at different ones of our clients, a lot of our team, we've been in the MSP business. It is a hard business. We are very happy where we are now. We do not want your job.

Well that's why, if you don't want their job it's probably because they're not totally operationally efficient, which is why we have Jesse.

Oh man, look at that segue, it's like you have done this before. So yeah, I'm Jesse Miller, founder of PowerPSA Consulting and founder, or creator, of the Power Good vCISO system. We help MSPs and vCISOs crack the code for vCISO profits.

Oh my goodness, so Jesse's on crack now with the code for vCISO, just like... well, wait a minute, Tim's the one like Jersey and New York. Hold on, I don't know where you're going with that. Talk a little bit about us. Tim Golden, founder, CEO of Compliance Scorecard, where we help keep your risk in check. See across the bottom, where Compliance Scorecard helps you and your MSP have that risk conversation with your customer using our scorecards. All right, enough of that.

All right, what the hell are we talking about today? It was supposed to be risk, but we all got it messed up, or my
dyslexia. And now we're talking... it was me, I apologize to him. But yeah, so what is compliance. Once again another, call it nebulous, term, right. I mean we talked about governance last week, or two weeks ago, we stumbled through it a little bit, but we did get to, I think, a pretty clear definition of what is governance, why is it important, how do we do it, what is involved. So this week, what is compliance. I came into cybersecurity five, ten years ago and I think the word compliance was pretty strange to me. Actually, Jacob, I used to work in financial services, and compliance would mean, you know, don't trade on things that the firm was working on. I come from more of like an SEC compliance or FINRA compliance, or Boiler Room, if we've ever seen some of these movies, right, like don't do that kind of stuff, Wolf of Wall Street. So what is compliance? I guess start with that. I think we're going to talk a little bit about cybersecurity compliance, but why don't we start with what is compliance. Tim, looks like you're ready to go first.

Well, I was going to say, like 20 years ago, before I got into this mess of stuff, compliance in my head kind of meant like UL, right, like making sure the electrical things in my house are compliant to, I don't know, energy things, or having seat belts in our car so that we're compliant for seat belt things. But when I got thrown into this mix back in 2006 it was a whole different world: NIST 800-53, FTC, SEC, all the acts, all the... full of crown. Compliance in a nutshell, yeah, things that are regulated that you have to do, in my brain, simply.

Yeah, that's interesting. As we were talking about this leading up to this week, I was thinking about this, and immediately I wanted to jump to, well, it's a government mandated thing, but that's not necessarily true, right. You have things like PCI or
industry regulated standards, which aren't, right, exactly, which aren't regulated by any sort of government or state entity. They're an industry mandated term. So I think we do have to broaden that a little bit. I like what Tim said, but I think where, for me, you draw the line is when there is some sort of punitive measure to enforce a standard. That, to me, makes compliance. Jacob, part is interesting.

Yeah, I feel like Jesse took a bunch of it there. So yeah, definitely looking at that, some idea, right, whether that's a government or other regulatory body or industry association, but there are some external set of rules that have a minimum standard of your compliance with them. And again I think that's a good way of putting it, right, punitive, down where those are, right, not just operating at your own risk, but there could be some form of C, right.

Right, yeah, I like that, I like where you're going there, and SROs, self-regulatory organizations, which seems like probably the lion's share of compliance, at least in cybersecurity, right. Like there are some FTC, SEC, some regulatory bodies that are government related, but I think a lot of it is SRO, with like SOC 2. Even NIST, although it is a standard, who's actually enforcing it? I think that it's a little shaky there. So we obviously have a lot of standards, we have a lot of compliance regulations, either from self-regulatory organizations or government based, which creates kind of a mixed field of, when we say compliance, what are we actually chasing here, or why is it. And I think there's one there where Tim touched upon something, you know, about this, right, where sometimes the difference between a framework and a compliant standard, yeah, right, those are not always one and the same. They often leverage one another, where they might be clicking on something that's saying hey, you need to be compliant, we might suggest
that you use NIST or CIS or some other framework for doing it, but there's a different set of requirements which are technically those that need to be done from that regulatory compliance. Ask our friends at... right on over here.

Yeah, I think the last component of that that Jesse touched on is violations that could result in legal penalties, financial losses or reputational damage. And Jesse, what are the three Rs, three and a half, that we always talk about? I think that was yours because I always forget. It's something like risk, reputation, and then Jesse always threw in regrets. Regrets, there you go, right, with the tattoo. What movie was that? We're the Millers, actually, yeah, I do know that. Did I, quick aside here, did I ever tell you that my family got to see a pre-screening, special screening of that movie, because they sent out mailers in the town to everyone named Miller, and we went to this theater and it was all Millers in the theater to see a free screening of We're the Millers. Did you like meet some distant relatives you never knew and you're like, oh, Cousin Bob? Right, exactly. So interesting aside there, but hey Aaron, hey, how you doing. Like yeah, via framework and penalties, censure, love that too.

So what is compliance. I love what Jesse said about it's got teeth, right, it's got weight, it's got fines, it's got risk, revenue and reputation and regrets, because we work with a lot of MSPs who work with a lot of HIPAA customers who don't care. Why? Because it doesn't have teeth until it does. Yeah, until it does, and then it has big teeth, right. Yeah, and I think it's interesting, we talk about compliance and regulations and sometimes those are used interchangeably, but I think it's kind of like the whiskey and bourbon thing, right. Not every whiskey is a bourbon, but every bourbon is a whiskey. It's the same thing: not every compliance is a regulatory statute, but
every regulatory statute does have a piece of compliance to it. So point being is that we have to think about, when we're talking about compliance, what's the reason for compliance. And so I think that is the next thing that I want to... equals security, you took the words right out of my mouth. So Tim, go with that, run with it.

So we do hear a lot, and we see this on LinkedIn everywhere, where it's compliance equals, does not equal, if and or else then equal, security. Yeah, however, whatever you put in that operator in the middle, compliance security, whatever that operator, because there's such big debates about that, I tend to look at a compliance risk management framework, RMF, as a road map, as a guide, as the playbook, and compliance becomes the referee of security, right. Compliance has the rule book, the playbook, the things to referee security. So think of it this way: football, right, it's football season now, right. You have the guys throwing the flags on the field, they have a playbook, they do that because they don't want the other person getting their head smashed in, breaking a leg, Tom Brady or whatever. They are the compliance people keeping the safety, security of the people in play. At least that's, I think, one important bit there, right.

It's also about whose security. So most of the time we're looking at cybersecurity and risk, right, organizations are doing that and that is about their security. Now there are often times where there's a compliance regulation that may be improving my security, but it's not always about that, right. It might be about improving the security of those around me, whether that's a systemic risk, right, where it may be a requirement about incident reporting, right. Incident reporting doesn't help me, that helps the industry know what is out there. Or records retention requirements on a compliance, that often doesn't make me less secure... from a legal standpoint, right, but it's really making sure there's that evidence to protect those around me and the others, right,
that they're in that spot to be able to hold me accountable.

I'm glad you brought that up. So I spoke last week at a conference in New York and it was about insider threat and regulatory compliance. Most regulators only care about privacy data, right. Like they don't care about your security necessarily, they care about the security of the customer data. They actually don't care if an employee walks out with your secret sauce and crown jewels. Most regulatory compliance does not care, which is incredible, right, because like what percentage of your assets fall in that category. So Jacob, that's a great point on whose detriment, like who are they trying to protect, right. Clearly the consumer is number one, I think, in most regulatory compliance, or the compliance we're talking about.

Yeah, you look at the new FTC Safeguards and that's exactly it. Yeah, I was going to say the FTC Safeguards, the ruling that just came out the other day with the one-click unsubscribe, cancel thing, right. But I would say here's another sort of compliance doesn't equal security, blah blah blah. We're all tech geeks, right, we all want to push ones and zeros and buy shiny tools to push buttons and make things happen on the security side. We don't spend enough time on the privacy side. When we consult MSPs and they're like, we're going to do a HIPAA security assessment, I was like, well, what about the privacy assessment? Oh, is a privacy... like we don't ever really talk about the privacy side. As IT security people we spend all of our time on the ones and zeros, bytes and bits, and not necessarily the GDPRs and the DORA. By the way, GDPR, DORA just came out, NIS2 just came out, the Australian Essential Eight. Like we don't spend enough time on that privacy side, and if you look, almost every state has a privacy law on the books.

Yeah, I think that's interesting, is that something that seems to be the way the winds are blowing is that compliance is going to become
more privacy centric and less cybersecurity centric, which leads to the point that I was thinking about as we were talking about all this. You know, privacy doesn't equal security, and I think that's largely because up to this point many compliance frameworks and regulatory requirements have cybersecurity as part of a much broader set of rules that businesses have to align with. You think about SEC for example, and SEC does a great job of baking in, I think, pragmatic cybersecurity requirements for the organizations that are part of it, but there is a much larger... if you read the entire SEC rule, the entire book, that's like one small piece of all the regulations that you have to adhere to. And so as a cybersecurity professional, and Jacob, you'll attest to this, you're typically working with a compliance team who's working with like EY or somebody else, or Salus, right, to handle their business regulatory requirements, and cybersecurity is a portion or a subset of that. So many times, if you don't have somebody like Salus doing it, it becomes a box checking exercise, like what's the least we can get away with to satisfy this portion of the rule and get on to the really important stuff, right. And so I think that's where that stigma comes from, but I do see, as we shift toward a privacy centric focus, that that is changing somewhat. So I'd love to get your thoughts on that.

Yeah, no, that really hit the nail on the head there. I mean that is increasingly the case and those elements are convergent. So particularly for the SEC, right, there's some matter of limbo because there is a large cybersecurity rule but that's still not final. But really what it is, is it's codifying; almost everything in that proposed rule already exists, it's just in bits and pieces in other non-cybersecurity related regulations, right, in a mix of things that are in rules that say, a lot of them, you know, take
reasonable measures, right, or appropriate measures. And what does that mean? Well then that's in separate risk alerts that are listed, right. So take things, you know, but here are some suggestions and here's a list of how you might tackle that. And you often see it tucked in. It's sort of like we often see this with government legislation in other areas, right, there's something tucked in that's a pet project that maybe has seemingly little to do with the intended point. And there's a great example. So Reg S-P had amendments, it's an SEC one, particularly for people who are managing information, money, for private individuals, and there's a privacy part of that, that privacy rule, where they're also talking in service provider assessments as a requirement, where it's kind of a tortured, right, an extension of privacy. It's on the cybersecurity side: you're going to evaluate the cybersecurity of a third party, and you often have to kind of follow that trail for a bit.

Yeah, that's super... it's funny that you mentioned that, because we could probably share some back room stories about exactly how that's being navigated in certain organizations right now, some doing it better than others. I want to pop up here real quick because, hold on, let me do this. Jacob said something interesting as well about reasonable. So like some of these things get pretty vague as well, right, like in terms of what's the litmus test on reasonable security. Go to... yeah, no, I was just saying, like we were talking about privacy, right, and if we look at the privacy tracker, the link is in the chat, on LinkedIn, if you look at the privacy tracker, like there's a lot of states already that have things on the books, in the works, like this little map, the link is in the comments. Oh Jesse, look, this one applies to you, the Minnesota one, right. You know, there's at least 20 or so that have laws on
the books ready to go. And so us as MSP professionals, we need to make sure that yes, we're looking at the security components, but the privacy things are equally important, right. And there's a whole lot of green on that chart that says passed and signed, so it's not going away.

Well, but I think it matters as well, like enforcement, right. So like let's see if FTC turns out to be like HIPAA, right. Like are there HIPAA banging on your door, right, or is it just something from a compliance expected that it only really matters when the damage is done and they're in a lawsuit five years from now and they're like, oh, he didn't do HIPAA, right. Like it's just another thing to say.

You know my answer for this one, right, yeah, you know where I'm going. I've got to go right back to the very beginning of the conversation, which is the seat belts, right. How many of us grew up with no seat belts in the car, and then they started to show up in the car, and now you can't drive through a state without Click It or Ticket everywhere, right. So as these things progress, and I actually think FTC is going to be the one that starts to roll it out. Some of the CMMC stuff that you're seeing now too, in my brain, is a little test bed. Like they have a group of organizations that they can start to force this on, and we're going to see this thing come out over the course of the next maybe five or ten years, where every small business, just like they did with NIS2, DORA, Cyber Essentials over in the UK, every business is going to have to do something. They're going to have to protect their crap and their customers' crap. And so just like the seat belt laws, seat belts started showing up in the cars in the 70s and now you can't drive anywhere without Click It or Ticket, you're going to see FTC, I don't know, maybe a version of 800-53, CMMC or some equivalent of that in the next five to ten years. That is my prediction.

I think often it happens, right, where enforcement isn't direct,
you know, give an example, right. So you've got all those privacy laws. Those privacy laws may have damages, there are points about disclosure, reputational risk, that other side, right. The states might not be enforcing that directly until something is already out of the gate, and that's a problem. But cyber insurers are very aware, right. When they're looking at risk, what are they looking at? They're looking at R somewhere, they're looking at PII records, they're looking at the damages of what would happen if they have to pay out on that. And so in a lot of cases the cyber insurers effectively become that enforcement agent, because now they understand the stakes have really been raised on the financial damages with those regulations, which increases their liability, right. We see something similar in the financial world, where even for the SEC, who does have real enforcement, it's also, right, heavily, particularly for people who deal with institutional investors, right, those institutional investors see that risk, they're aware of that risk, and they in many ways become the strictest enforcers of these regulations.

Jacob, how many of your clients use insurance as like a qualifier, right. Like has it come to that point where like, oh, you've got a great insurance policy, you must have great cybersecurity? Is it a... it's not a proxy, I'm guessing?

I don't see it tremendously in my space, because we're mostly working with investment firms that are fairly sophisticated, and they're usually going to have a direct due diligence process that is more intensive than that, so they kind of skip over that. They definitely will look at that with some of the vendors and service providers that they use. We'll see that less so directly with our clients, but we're going out to their insurance brokers or their outsourced bookkeeping organizations or even sometimes their law firms, right, their critical service providers that
we're looking at. That is something that will come up as a question and a point that we're looking at, and if someone doesn't have insurance we'll raise it as a red flag, and largely for that reason, Tim, right. Yeah, we want you to have the insurance, but more importantly we want you to prove that you can get the insurance. Yep, yep.

Yeah, it's interesting. You were talking about how compliance doesn't equal security and how compliance is only getting more mature, but I found something super interesting that was brought to my attention: the new FFIEC approach, that the CAT, their Cybersecurity Assessment Tool, is being retired, and now they're taking an SEC standard approach where they want banks to start just applying a framework that they choose to their cybersecurity program. And it's more of an ambiguous do-your-due-diligence type of thing, and then we'll audit you after the fact, or the auditors will decide if the standard you're applying meets the overall security requirements. So I'd be interested if anyone has a take on that or some thoughts on that.

I've been reading this, because we get a lot of MSPs asking us for, you guys see, like again the acronym doesn't flow off the tongue very well. They ask me all the time, do you have that framework? Yes, we have that framework, but, right, it's probably going away. Well, seven months ago I couldn't... you know me, I live in absolutes, so probably versus is, right. So you're right, and as we have been digging deeper into that, like pick a framework. Okay, what framework? Great, I'm just going to pick some random framework, or I'm going to make something up. And so there's this whole shift that we're seeing. Florida just did this not too long ago, right, they have this safe harbor thing where if you pick a framework and you're doing your diligence and you're proving that you're doing that diligence through whatever framework, for that matter, and then they
list a couple suggestions, and something happens, you could fall into this new safe harbor component that Florida has. You know, for MSPs, who are probably the bigger attack surface than Bob's Donut or Joe's Lug Nut, right, I tend to have MSPs, and suggest to them, the CompTIA Trustmark, but the reality is pick a framework. We say this all the time, right. How do we relate this back to, if we're talking about what is compliance, relating this back to our MSPs and our listening audience here, with what is it, what's in it for me, why should I care as an MSP? There's ten million things, where do I go, what do I do?

Yeah, small businesses, like I think people say compliance doesn't equal security and I'm like, well, you're in like the MSP channel kind of conversation on LinkedIn over here. I'm like, you realize that a lot of the times for small businesses compliance is a great place to start, right. Like with a framework, as you said Tim, pick something, do something, go somewhere, right. They pick up CIS, they pick up just CSF, whatever it is. They have a security charter, right, they start doing all the things. So clearly with big businesses they're much further down the road. Jacob deals with some very sophisticated clients that understand... he's not getting a total novice in the sales process. But I think with a lot of these small businesses, the Johnny's Lug Nut, as Tim said, or the donut shop, it's a great place to start. So I think it does equal security there.

Right, and I think, look, it's a potential immense differentiator for MSPs. And I think actually we could look at this as something dangerous or scary, when you actually get the more vague these frameworks are, it's actually in a lot of ways increased opportunity, particularly, right, for that MSP to differentiate, to specialize in a vertical. I mean, we... the investment firms for years, right, and a huge amount of people, most people in that space
will use specialized MSPs who get to charge a significant premium, and part of that is because they understand the nuances of where they're heard. Like where in the world has reasonable and customary been defined, right? It's not in that regulation. You have to understand that for this set, you know, reasonable measures for a firm of this type in this market, of what that expectation is going to be, means this but not that, and where those elements are. And I think that's an opportunity for those MSPs who come to understand those elements to drive that as a huge differentiator for themselves, right, to be a premium and to really then help those businesses, right, and their clients, to become more valuable on that other end, because to clients, they need to do that for their critical stakeholders and clients, right. So helping them to be able to be at that forefront of, we're really ready for this regulation, we're moving ahead, that becomes something on the revenue side, not just cost.

Yeah. Sorry, sorry Kender, I don't know why it shows LinkedIn user, it does that to me. Yeah, well no, so it's really interesting, something just occurred to me as we were talking. Compliance does not equal security, but I think that the equation's wrong, right. It's compliance plus security equals resilience. And so that's what I think MSPs should be talking to their clients about, is helping the business be resilient, giving you the outcomes that you need for your stakeholders, for your clients and for your bottom line. And I think that's the way to think about it.

Great, now you're adding more operators. It's my favorite subject, I can't help it. No, but I think it's really important to think about it in that way, is that when you're telling your client compliance does not equal security, my question would be why are you saying that, right? Like compliance should equal security, right? Like that's,
isn't that the intent of the compliance? So it's almost like we're trying to hack the compliance system at that point, and that's not the way to approach it, right. I think we should say, how can we use compliance, meet these requirements, and leverage that to be not only a differentiator for your business, but to be not less than a zero sum game for the business, less than a cost.

One of the things that we notice a lot too is it's actually a really great way for the MSP to then present to their customer, yeah, the other tools and the other services in their business, like using it as a force multiplier to say, hey listen, you fall into this guideline stuff, and we've identified some gaps and some risks and we can fix all that. But this compliance thing, like it's not us telling you anymore, it's insurance, it's a regulation, it's a law, it's a rule, it's a compliance framework, it's somebody other than the big bad MSP that just wants my wallet, taking my money. It's some other thing saying, hey, you should probably do this, and the MSP is best served to deliver that to you as a small business, right. How can we leverage this to get some things done in your business that you wanted previously, right? So calling you out, Jesse.

And some of those are dollars, some of it's a matter of, we've been telling them you really need MFA on your VPN for two years and the CEO doesn't want to do it because it's inconvenient, and that's another... it becomes that lever. I'd say almost every time we go in somewhere we wind up with a conversation somewhere with the MSP, and I'm saying, you know, thank you, we've made that same recommendation five times over the last two years, but now the compliance people come and say you have to do it, right. You have to do it. And that's... blame me, I'm good, I got big shoulders, I can take it.

I want to get back to Aaron's comment here about disagreeing with Jesse, so I'm going to pop it out, give you a
second to read it, Jesse, and then I'll pop you up and let you respond. Yeah, I'll respond to it as well. So standards aren't perfect, right. So I think that's a little bit what he's getting to, is uniformity. But without standards there's no way to judge people or judge security programs, or you'd have to go and do full due diligence on everyone. So standards are only there to save cycles, I think, and save expense and save time. They're clearly not... like every single one of us probably is like, that's a useless control in some framework, right. And if you're going through CIS 8 and the whole, you know, Matt Lee activities, right, like they're trying to improve it, right. Like yeah, CIS is three, four, five years old, right, version eight. So what's happened in the last three years with the attackers? So that's why I made that comment on curiosity equals security, because you need to be today, right, you need to be current, like you need to be changing things up. So it's going to be stale, but at a minimum. So go ahead, Jesse.

Yeah, no, I think, I wish we had the ability to like pull somebody in, because I think this is a really great conversation. And I think the way the frame... oh, we do, if he wants to join we should talk through this, this is awesome. All right, cool, yeah, that'd be great. So you have to go back to, again, my deeper background with SEC regulated investment and publicly traded companies, is that when you're thinking about materiality, right, and I think my understanding of what I said, the punitive measure of compliance, as I look at compliance as anything that's going to have a punitive result if I don't follow it. So when I look at the fact that I could get shut down, or I could have massive fines, or I could have things that end up being highly material to my business, and by being compliant I protect myself from those things, or at least mitigate those things, that's where I'm looking at it from a resilience
perspective and saying that compliance does actually bleed into resilience, and that if you're not compliant you're less resilient as a business. And I'll take that a step further and say it actually helps build that defensibility, right? Yeah, you know, we talk a lot about defensibility, right? We talk a lot about due care, due diligence, right? Oh, and here he comes. All right, we're gonna bring him on up. We talk a lot about this. We've seen you, right, figured we'd pop you on in over here. How are you? Welcome to the team. Give a two-second introduction. Afternoon. With Tex squ, we are the MSP that you guys keep talking about, so that's pretty much my two seconds. So I thought, let me move Jesse over here and let the two of you just kind of beat it out for a minute, because I'm just gonna pull this up here. Hey, you disagreed, well fine, let's have a conversation about that. Jesse, go ahead. So yeah, I'll just quickly reiterate what I said, is that I think the frame that I'm looking at that through is kind of how I started off the show with my definition, quote unquote, of compliance. So I think compliance has to do with anything that has a punitive measure to it, and so this is fresh in my mind because I was doing some resilience planning with the executive team of a publicly traded company that I do a vCISO engagement for, and we were talking about how to create resilience in the organization through compliance adherence, saying that, you know, if something material happens and we don't report it properly and we don't adhere to the compliance report properly, we're subject to fines, business slowdowns, even existential-level events from the SEC to our business. And so that's where I say compliance does have a hand in resilience, in that if we're not compliant we create a less resilient organization. So I guess that was the frame that I was looking at it through. Okay, so from the punitive damage side of things as opposed to actual resilience of the business
continuity, which was the frame that I was looking at it from. Right, I figured. So I look at it from smoke detectors being required, they are nothing but an audible alarm, versus being optional camera systems actually protecting the actual investment and saying, ah, now we can apply punitive to the interloper, the intruder, or the person that actually started the fire, versus a smoke detector or fire detector just tells people to get out. So that was the framework that I was coming from, was the business continuity side of things as opposed to the punitive damage side. Yeah, and I figured it was like a category definition thing, right? So, but Tim, I think that speaks exactly to what you were just saying, so I think you should reiterate again, right, I mean defensibility, or Tim, no, I'm sorry, Tim Golden, where you're talking about how compliance facilitates resilience there, right, because it helps build that defensibility, right? So Aaron, maybe you've experienced this, maybe you've asked your customer, hey, you know that accounting system, it has 2FA, we want to enable that for all of your people that can touch money, and your client says no, right? Maybe you've experienced that, I don't know. I've talked to a lot of MSPs where they're like, we keep telling them and they just don't do it. It's hard, right? Right, but I was just gonna say, the standardization of practices throughout the MSP are going to be what dictates that, to Jesse's point of the punitive damage, is if you're not, to your point earlier, Tim, you said MSPs being the largest attack area or largest attack vector, they're the golden goose. So if you don't have those standards in your practices that say hey, we're doing this, not hey, do you want to do this, therein lies both the resilience and the business continuity aspect of if you're not doing this then we're probably not a good fit and we both need to go separate ways. Love to hear an MSP say that. Pulls in both yours, Tim, and yours, Jesse, of punitive damages and compliance, is you
are going to be compliant with our requirements for your business, or you're not going to be, yeah, we're not going to service your business. Let's make a very clear distinction of the words that you just said. I am the MSP, and I'm gonna rephrase and hopefully get it right. I am the MSP, I'm you and you. The words that you said were, Jesse, your business is going to be compliant with the way that we run as an MSP, which is vastly different than the compliance that we've been talking about for almost 40 minutes, right? To Jesse's point of it being a framework, a perspective framework, you are your own SRO in that matter. Everyone has the same penalty, is you will not be our customer. There is a penalty there, right? Yeah, just that was a very unique distinction there, which was we want to make sure we have our own house in order as an MSP, you know, de-risk ourselves as an MSP, build, maintain our own defensibility, and when Jacob doesn't want to put 2FA on accounting, like yeah, probably not a good customer. Not that Jacob is doing that. But I think there's a point, right, how far you're going to take that line, like the 2FA thing might be there. We see this, that in highly regulated industries, the MSPs that operate in highly regulated industries, they tend to be more successful at being able to have a higher minimum standard, right? Like okay, everyone's gonna do MFA, but okay, what's the point now where we're gonna decide, right? And a lot of MSPs have that as a standard. Does every MSP have, you know, only company-enrolled devices with MDM and MAM and full conditional access policies shall be allowed to connect to any company resource at any time, right? Like not everyone has that one. It is a lot easier to get that one sold when the regulatory agency says you should put in access controls such as mobile device management, right? Conversation easier. So it's still a way for the MSP to continue elevating their standard on where that requirement is going to be. I
think that's, I'd like to hear from Aaron, is that what you were asking when you said the thoughts regarding compliance being used as a scapegoat for security, is that what your question was referring to? It is. Okay, yeah, so I think Jacob just put a nice little bow on that for you. Well, you talked about safe harbor as well, right, with him in Florida, so I mean if you're doing compliance to a bare minimum, like it's kind of this, you get a free pass to some degree. So yeah, so any parting words before I kick you out, because we're gonna wind down? You can't say I disagree with you, Tim. No, I don't. I think the realignment in the framework of security and compliance in that conversation I think was probably beneficial, not only to me but to others watching, just because perspectives and areas from which we're looking at is going to greatly change the definition. So to Jacob as well, appreciate that bow at the final r on that. Yeah, thanks for joining. Hey, thanks for joining, we've never done that before. I'm like, hey, somebody over there, we should pop them in. So hey, great test use case, so thanks for coming on. Happy Friday, have a good rest of your week. Well, that was fun, we've never done that before. Yeah, that was great, love doing off the cuff. Yeah, so now no one's going to come because they're going to be like, they're going to ask us to jump on live now. I had a podcast a while ago where they gave out the StreamYard link, so like everyone was in the green room, there was like 50 people. It happens. Maybe they didn't have some sort of compliance checklist to make sure that it... yeah, funny. Just go with it. All right, we've got about 15 minutes here. You know, we started the conversation of trying to figure out a definition of compliance. We landed on, you know, some framework, some regulator, some controls, some lists, but also the component of risk, revenue and reputation, and regs, like financial components, like losing money. So we kind of
tie-wrap that up nicely into a bow, like compliance is following a thing that may be a law that might have some money tied to it, in the simplest terms. You know, as an MSP, what does that mean to me? Well, Aaron said it directly, if you're not complying with us as an MSP on how we're operating, we're probably not gonna have you as a customer. Well, and I think to piggyback on that and to take that a step further, right, if you are an MSP that's operating in a regulated industry and you're providing controls and kind of helping or enabling a customer of yours to skate the line of, like, you know, playing with that, you know, checkbox checking or almost unethical way of meeting standards, you're putting your business at a lot of risk in that industry by doing that, and by the regulations by doing that. So I think especially for MSPs in regulated industries that is a great way to approach the conversation, right? Schner or Jacob, anything to say to our MSP audience about everything that we've talked to thus far? Yeah, so like I said, I think it really is a bare minimum standard. I think standards, as soon as they're put out, get stale. Attackers are evolving, they're quick, right? So you need to continue to be curious about new tactics, right, new TTPs, and how these attackers are getting in. Looking at the Verizon breach report every year, at a bare minimum, like how am I going to stop those top five attacks? So compliance is great, and compliance is largely, you know, based on frameworks that are somewhat stale, or, you know, the lion's share of it is good practice, right? Like so, and that bare minimum will get you, you know, potentially insurance and a get-out-of-jail-free card out of Florida, is Tim's... So but I think that doesn't exist. Harbor is something vastly different than do not pass Go, collect your 200 bucks, right? So but, like I said, compliance is great, but don't think that's the end-all be-all. You need to continue to be curious,
you need to continue to iterate and look at how these attackers are getting in. So, you know, and I think that's a gripe with a lot of people about compliance equals security, because it's not. You know, how old is NIST 800-171 then, right? Like how old is NIST 800-53? Yeah, exactly, exactly. So what's happening in that time, right? AI, automation, so that's a big thing. And, you know, we need some kind of standard, because if there was no standard, how are you going to evaluate the good from the bad? So compliance is just that. Well, think of it like FDR decided as part of his presidency that he was going to build roads and infrastructure. Why? Because there was no guidance, there were no paths, there were dirt streets, they weren't maintained, nobody knew how to get to where they wanted to go safely and efficiently. Compliance can do that. It can help you, the frameworks can help you get to go where you want to be in a safer sort of guided manner. Yeah, and I think as we have this conversation, all of our talk about the, you know, what's the right operation, compliance equals security, compliance is not equal to security, where those are flashing through my mind more and more in this conversation is not the operation but the Venn diagram, right? Compliance doesn't equal security, but those are two circles on the Venn diagram with a whole lot of overlap between them. There are going to be some things that you do just to check that box, they're there for compliance, are they there for, you know, someone else's security? There's some security stuff that compliance frameworks don't care about, but there's a whole lot of this stuff, right, where there is some really good overlap. And, you know, I think about, you know, what these things mean for the MSP. You know, I kind of hit this already before, but repeat, because I do believe passionately, my MSP mostly worked with investment firms, you know, been in that space as well, that those regulations, the opportunities to differentiate yourself as a
higher-value MSP, and those opportunities to use that as a way to advance what you're looking for from a security perspective and to get clients compliant with your standard, I think that those are just incredibly powerful tools. Well yeah, and so I mean I think even if we're talking about the Venn diagram, taking that a step further is if we think about, like in Calc 2, when you take the area underneath the curve and you wrap it around the... I'm just kidding. I watched him, like I watched him get mad at me in real time there, that was funny. Mad at you? Just... but it's fine, we have Marne stock for all that math conversation. We should bring Marne on at some point, she has all that math. Actually, wasn't Marne the very first one that we did? I'm thinking, I think, yeah. Anyways, I digress, I don't know, squirrel. Well, so last thing on this, I know we're running out of time here, but I kept wanting to go back to this because I key on something Jacob said about, you know, reasonable, the language of like a reasonable approach. So you have to know, for the industry that you're working in, what the barometer for that industry is for the size of client or size of organization that you are. And so one thing that popped into my head was the word about defensibility, right? So I think a lot of these standards are moving toward a defensible narrative for why you did what you did, and you can't do that with box checking. That is where you need a security program. Again, the FFI change is a big, is a good example of that, because they're saying we want you to demonstrate how you're measuring risk and providing due care through those risk management methods. Well, you could do that, you know, 20 different ways, especially depending on the type of organization that you are, and so it's on you to create a narrative with an ongoing security program. And so I think, as Jacob said, that provides huge opportunity for MSPs and other providers who are building out these programs to
be able to do that. Oh, look what CIS just put out not too long ago, a reasonable cybersecurity guide. What is that? What is the fourth word? Make your cyber defense, i.e. defensible, reasonable, right? You know, there is a guide to actually defining reasonable cybersecurity, so yay to our friends at CISA. It's a little vague, I'm sure, but yeah, Chris, Christian Redmond, you guys know, good security is reasonable, insurable, legally defensible. So there you go, legally. Yep. Well, and that's the point, right? That's the point of this whole conversation, is you follow a thing, that thing has been put together by a bunch of super smart people, it gives you some guidelines and some roadmaps. You know, our friends over at CISA give you reasonable, right? In a court of law, what's the word they always say? Beyond a reasonable doubt. Yeah, right, which is basically what our entire society here in the United States has been built on, beyond a reasonable XYZ, right? And depending on the framework, you know, something you mentioned there, Tim, just resonated, the sense of depending on the framework, right, reasonable could be not necessarily complying with every item on it, but going through that framework and having the justification, right? So one of the things we tell clients all the time when we're going through a risk assessment is that, you know, we're not expecting you to get a 100 on this test. No one gets a 100 on this test. If you're doing it, you're spending too much and you're making your life too inconvenient. But what you should come out of this with is where there's no question that's going to surprise you, and whenever you have that question, you're challenged on something, right, you're not doing it, you can explain why, why you thought about it, you made that reasonable defense. Yes, and you're prepped for it. Yep, exactly. So we have our last seven minutes. We tend to, you know, talk through and have at least one key takeaway from us. I don't know if Tim or Jesse or Jacob, either of you are ready for your
key takeaway. Let me see over here. Yeah, good, yeah, so go ahead. Yeah, so my final thought is that security plus compliance equals resilience. That's my story and I'm sticking to it. Spicy. So no, but I think that doing that and looking at it through that frame and talking about it that way with your clients is something new that maybe they haven't heard, and so I think you can use it as a differentiator to start positioning yourself as an expert in their industry and showing them how compliance and security is not a zero-sum game, it's actually a competitive advantage for their business. Love that. What about you, Mr. Tim, you got something, or you bring Jacob up instead? I'm good to go, so let me do this. Well, doesn't matter. So compliance is, I think it's almost like a certification, right? You have these professional certifications that are very common in white-collar jobs. It's a bare minimum standard, maybe not bare minimum, but it's best practices, like it's usually, you know, targeting some kind of framework. It is not the end-all be-all, and attackers don't care about, you know, a framework that was put out 10 years ago. So you're looking to protect your data, you're going to need to continue to evolve, and that's why I think we consistently get this compliance as an equal of security, because it's lagging, you know, new TTPs that are out there. So just continue to be curious, continue to evolve. You know, you can have endless curiosity and never satisfy it, because attackers are going to continue to make that next move. So I love the curiosity. Didn't they say curiosity killed the cat? Maybe curiosity, oh, I love this, curiosity cured the compliance. All three. Well, how about this, the cat is gone, curiosity killed the... again, lasts, I'm a dad, you know. Mine won't be as snazzy as the other guys here, but, you know, building off what Tim said, I think that's some of that area, right, where compliance and security, they do not, there is a lot
of overlap, but it's also important to understand where those differences are, as, you know, Tim was mentioning those areas of security that might not be covered by compliance. But then the other thing, which is if you look at compliance not as an onerous bare minimum that you need to accomplish, it really can become a huge opportunity, both for that value differentiation but also for accomplishing the things that, most of that stuff is stuff you want to do and, you know, you should do anyway. Good things. I suppose I should probably give my two cents as well. So one thing that I'd like to have our MSPs take away from today's conversation on what is compliance: you know, as you're building these services out, as you're adding potentially a compliance-as-a-service offering, number one, don't be afraid. There are plenty of experts out here in the space willing and wanting to actually help, whether it's Jesse or Jacob or ourselves, there's dozens and dozens and dozens of us here willing and wanting to help you and your customers along the way by using compliance to build that defensibility in you and in your customer. Almost like I practiced that. You CH background, you got the... I love it, always be S. No, it's just, so I know I have a call coming up, so I got to kick everybody out here in a couple minutes, but hey, Tim, what's going on in a couple weeks? We're trying to get back on this schedule. Well, part three, right? So I screwed up the order, but we're saving the best for last: what is risk, right? And I think it's really, a game I used to play as a kid. There's not a lot of people that have the title of head of risk at SMBs, at MSPs. How do we incorporate, first of all, what is risk, why does it matter? Jesse does a really good job, I think, bringing this into a lot of his curriculum, Dr. V, you know, Dr. vCISO that he does. So why is it important and, you know, how we'll talk about it, all right, like how can you help sell and build trust with risk, you
know, really span the gamut on why risk is important and why you should keep a better eye on it. So you say, what is risk? It's interesting, because, you know, I've been playing with titles, CEO, all the things, and I came up with one and I got shot down, which was Chief Risk Wrangler. Got shot down, I thought it was great. They're like, yeah, no, you can't, not Chi... I'm like, it's great, because, you know, you gotta wrangle the risk, right? I don't know, sounds Michael Kelly, somebody. I have some friends, one in particular who is a CISO for a larger corporation, and they changed his title to Chief Risk Officer, so interesting shift we're seeing. Yeah, it is a thing, it is a thing. All right, everybody, Mr. Wolf, just keep bantering, I'm just gonna end the stream. Hey, do the things, right? You know, what is it that we always try to do? Like and subscribe. No, no, no, I think it's this: how about try 500 tools, how many I have in my stack, go get to the vendor, do it now. All right, everybody, what numbskull would let themselves be recorded saying something like that? That's what I want to know. I don't know, it's a risky thing. There you go, guys, subscribe now.