What Drives Compliance?

Thank you so much Kayvan and welcome to Expert In The Loop 2022...virtual style. I want to start with a major congratulations to Compliance.ai for the tremendous growth trajectory in a space that truly needs what you're providing and solving for...and a big shout-out to the new CEO, Asif Alam.

Today, I'm truly honored for several reasons:

  1. to know and be associated with Kayvan and NOW Asif...and the incredible team assembled at Compliance.ai
  2. to be considered and selected to Compliance.ai's Board of Advisors, and
  3. to be delivering this keynote to kickoff what promises to be a truly educational and unique forum - The Expert-in-the-Loop Forum on Regulatory Change Management for the Banking, Financial Services, and Insurance industries (BFSI).

SETUP

Last summer I was working in my home office, half focused on writing a vulnerability assessment and half focused on listening to my 4- and 7-year-old girls play, argue, and love on the family dog. One argument led to another and suddenly my 4 year old was in my office with a Magic 8 ball: "daddy, I need help with this Magic 8 ball"

"sure sweety, what's the problem?"
"I need you to ask it a question"
"sure thing - what question am I asking the 8 ball?"
"ask it WHY IS MY LIFE SO HARD?"

SPOILER ALERT - Her life is NOT hard! But I promised in that moment to never forget this exchange and to refer back and use her misguided self-assessment in nearly every aspect of my life moving forward.

The message of that moment was this:

  • not everything is as hard as it appears.
  • Sometimes there's a tool...or a platform...or a daddy - that provides an easier path in life.
  • This includes fighting with your 7 year old sister as well as implementing regulatory and compliance change management.
  • Figuring out how to drive towards a solution is the key to life if you will. And when I say 'drive' I mean this - what's steering us to the decision of making life easier?

VALIDATION

So, who is this daddy speaking to you this morning? I'm John Caruthers and I bring a 27-year FBI career to this discussion. A career that enabled me to investigate

  • white collar criminals
  • drug cartels
  • 9/11 terrorists
  • child predators
  • cyber bad guys...
  • and more

I served 3 overseas assignments: Russia, Ukraine, and The Netherlands.

My last FBI charter was to lead Cyber programs in the San Diego FO as well as fulfill a personal mission to de-mystify the FBI to the private sector and truly explain the FBI's mission of protecting the American people and upholding the constitution.

I retired from the FBI in 2019 and was selected to lead a major biotech's Information Security team for a year. I then transitioned to the work I enjoy most - executive advisory work. In this capacity, I've led numerous compliance assessments, IR TTXs, privacy readiness assessments, what I refer to as "documentation uplifts," and much more.

Today, I'm proud to represent San Diego-based Triden Group as their Executive Vice President - CISO. We are a premier solutions integrator that I guarantee can help solve for any problem set you're facing in the IT, networking, and security spaces. That said - I'd be honored to engage anyone in attendance today in a discussion of the challenges currently faced by you or your company.

As a tee-up for today's talk, I have 2 confessions:

  1. I'm not a compliance expert. If you want a deep dive on the inner workings of compliance and the nuance of the industry, I am not your expert in the loop. What I CAN tell you is this - compliance matters and compliance deserves a seat at the adult table. Thankfully, we're graced, in this forum, with many EXPERTS IN THE LOOP! And, personally I can't wait to hear their thoughts in the many amazing sessions lined up in the curriculum.
  2. I'm terribly sorry to share this news but...last night, I failed for the first time in MY LIFE - to solve the Wordle. I got overconfident and wasted a word (V-A-U-N-T) instead of bearing down and thinking it through. As a result, I sit before you this morning as a first time Wordle LOSER. But I shall persevere and push through today...

Now...on to the topic of today. What's driving compliance???

CONTENT

Earlier I asked what's driving us to an easier life. The context of that question this morning revolves around our work life and, specifically...compliance.

What are our triggers? Our motivators? Our drivers on the road to compliance? From the passenger seat, I see 3:

  1. Regulatory requirement(s)
  2. Contractual dependencies
  3. Journey to increased program maturity

Pulling the thread on these drivers leads to some fun and maybe provocative discussion...

(1) REGULATORY REQUIREMENT(S)

If you are operating in a highly regulated industry (and aren't we all???), motivation is fairly easy to identify...

  • if you aren't lawful with industry regulation, you won't be in the industry for long...the motivation is survival.

So...the reality is that certain industries direct us down the road of regulatory compliance. This is especially the case with BFSI. And this is okay - it takes the guesswork out and accelerates budget conversations with finance departments, etc.

On the topic of regulations...

When I was in the FBI, I got the question all the time - "what is the government doing to help us in the fight against cyber criminals?" Having a very narrow optic and thinking somewhat linearly, I struggled against telling audiences that we (the FBI) were available to

  • give briefings
  • conduct forensics analysis
  • reverse engineer discovered malware code, and
  • be an active participant in your company's incident response plan.

It was in my DNA to help and I found myself struggling with overpromising. Now that I've spent a significant amount of time in the deep end of the compliance pool, I know what the government is doing to 'help.' They're regulating security into law "piece by piece." So, when you ask yourself, "what's the government doing to help in this space?" I would argue that regulation is the answer...for better OR for worse.

We ask ourselves, "what's the government doing to help in this space?" and I would argue the answer is regulation...for better OR for worse.        

(2) CONTRACTUAL DEPENDENCIES

The very first question I ask every customer at the start of engagements is "why are we doing this?" I need to understand this in order to build the most relatable product for my client. It's critical to understand if a tabletop exercise (TTX) is being conducted to check a compliance box OR if the customer actually wants to battle-test their ability to respond to a ransomware (R/W) attack.

The answer I often get is this:

We need to be compliant with GDPR, CMMC, CCPA, ISO, etc. in order to satisfy a pending client's demand. In other words - if we're not compliant, our existing clients won't renew and new ones won't contract with us.

Which leads to a thought...at the time of my retirement from the FBI, BEC and ransomware (R/W) were the 2 attacks most investigated; then in 2020, SolarWinds happened and now supply chain is paramount. What was once always known in the intelligence community...that nation states leverage any and all vectors of attack to achieve their goals...was now above the fold for public consumption.

When assessing your supply chain (what I refer to as Third Party Risk Management - TPRM), it's easiest to ask for certification(s).

Peeling that supply chain onion a bit...I've seen and experienced this - audit teams will call out the effectiveness of your TPRM program...if it even exists. A way to solve for this would be:

  • define data types (think PUBLIC, PRIVATE, RESTRICTED, REGULATED)
  • identify ALL of your suppliers/partners/3rd parties
  • map the data types to suppliers.

We then must strategize on how best to ensure the suppliers are security compliant...b/c guess what?! THEY are an extension of YOU and how YOU protect YOUR data. Rather than attempting to figure out their compliance status with a series of questionnaires (that are self-attesting at best), wouldn't it be easiest to ask them for compliance certifications???
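As an added illustration (not code from the talk or from Compliance.ai), here is one way to encode the three mapping steps above plus the certification check that follows them; the supplier names, the accepted certification list, and the rule that RESTRICTED or REGULATED data requires at least one accepted certification are assumptions made for the example.

```python
# Added illustration of the TPRM steps described above: define data types,
# list suppliers, map data types to suppliers, then check certifications.
# Supplier names and certifications below are constructed sample values.
from dataclasses import dataclass, field

# Classification levels, ordered from least to most sensitive (as in the talk).
DATA_TYPES = ["PUBLIC", "PRIVATE", "RESTRICTED", "REGULATED"]
RANK = {name: i for i, name in enumerate(DATA_TYPES)}

# Assumption: any supplier receiving RESTRICTED or REGULATED data must hold
# at least one independently audited certification; a self-attested
# questionnaire response does not count.
CERT_REQUIRED_FROM = "RESTRICTED"
ACCEPTED_CERTS = {"SOC 2", "ISO 27001", "HITRUST"}

@dataclass
class Supplier:
    name: str
    data_types: set                      # data types this supplier receives
    certifications: set = field(default_factory=set)

def highest_data_type(s: Supplier) -> str:
    """Most sensitive classification this supplier handles."""
    return max(s.data_types, key=RANK.get)

def needs_certification(s: Supplier) -> bool:
    return RANK[highest_data_type(s)] >= RANK[CERT_REQUIRED_FROM]

def gaps(suppliers):
    """(name, highest data type) for every supplier that handles sensitive
    data but holds no accepted certification, most sensitive first."""
    out = []
    for s in suppliers:
        if needs_certification(s) and not (s.certifications & ACCEPTED_CERTS):
            out.append((s.name, highest_data_type(s)))
    return sorted(out, key=lambda t: -RANK[t[1]])

# Constructed supplier inventory for the example.
INVENTORY = [
    Supplier("payroll-vendor", {"REGULATED", "PRIVATE"}, {"SOC 2"}),
    Supplier("marketing-agency", {"PUBLIC"}),
    Supplier("claims-processor", {"REGULATED"}),
    Supplier("backup-host", {"RESTRICTED"}, {"Self-attestation"}),
]

if __name__ == "__main__":
    for name, level in gaps(INVENTORY):
        print(f"{name}: handles {level} data with no accepted certification")
```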

All this to say...pay attention to your supply chain. The FBI now does exactly that - albeit from a national security POV.

(3) GENUINE MATURITY

The most encouraging motivational driver to compliance from my POV is a genuine WANT to be compliant for the purpose of showing that you're doing all the things necessary with your security program. This especially applies in the compliance space and is a forward-leaning way to separate from the competition.

  • For example, a security consulting firm doesn't have to possess security certifications and organizations in the healthcare space don't have to be HITRUST certified.
  • But, should security companies practice what they preach and seek SOC 2 or ISO compliance?
  • And should a medical device manufacturer seek HITRUST to validate the hard work they've accomplished in securing their environment?

Who's not raising their hand right now??? You absolutely should be!

A common response to my earlier question of "why are we here? why are we doing this?" is a list of client priorities. I find this especially the case for vCISO engagements...clients typically have a laundry list of needs:

  • in-flight projects
  • documentation uplift
  • ensure incident response readiness, and quite often...
  • Privacy concerns are top of mind...certainly so in 2022.

When I hear these responses, my security passions stir. I'd struggle to name security controls and functions that don't align to privacy and data protection. Add to this the popular buzzphrase - 'risk-based.' If we're NOT seeking to improve our cyber hygiene, we're introducing unnecessary risk to our companies.

To close the loop on the topic of privacy...so much of privacy law is security-based. Data identification, data flows, IR, and more. These all factor in and are organic to any information security strategy or program.

Kudos to all of us that seek compliance as validation for our security efforts!        

FINAL THOUGHTS

  • As a concluding thought and stick with me here as I get philosophical...life is comprised of a combination of static and dynamic existence. While people are dynamic, their behaviors remain somewhat predictable. This is what allows the FBI to solve highly sophisticated cases. Tracking behaviors provides consistent results for investigative techniques.

we, as people, almost always revert back to familiar behavior!        

Looking at industry and specifically, BFSI...

  • Regulatory law, as a rule, is static. We'll always be operating under the banner of regulation.
  • The laws themselves and the nuance they bring, are nothing short of dynamic. So much so, that it's literally impossible to track the changes with a naked eye.
  • Compliance.ai solves for this with a platform so comprehensive that, when asked to join the advisory board, I said YES before Kayvan and Maria finished the word "would" in the question "would you join our board?"
  • I had been tipped that this question was forthcoming and had done my research on the company.

Bringing it all BACK HOME, if you were to ask the Magic 8 ball, "is compliance hard?" - it really doesn't matter what the icosahedron says. Yes, the shape in a Magic 8 ball is an icosahedron. I looked it up so you don't have to.

  • The reason it doesn't matter is b/c something is driving you to it AND you have great vehicles to get you there. AND with the right approach and eyes wide open - you can change the question to "will I get my company to a place of compliance and regulatory requirement???"
  • and the answer will surely be YES or YOU MAY RELY ON IT!

Thank you for this opportunity to speak today and also to everyone associated with today's event! I look forward to learning so much more from all the experts.

Michael Falato

GTM Expert! Founder/CEO Full Throttle Falato Leads - 25 years of Enterprise Sales Experience - Lead Generation Automation, US Air Force Veteran, Brazilian Jiu Jitsu Black Belt, Muay Thai, Saxophonist, Scuba Diver

2 weeks

John, thanks for sharing! Any good events coming up for you or your team? I am hosting a live monthly roundtable every first Wednesday at 11am EST to trade tips and tricks on how to build effective revenue strategies. I would love to have you be one of my special guests! We will review topics such as: -LinkedIn Automation: Using Groups and Events as anchors -Email Automation: How to safely send thousands of emails and what the new Google and Yahoo mail limitations mean -How to use thought leadership and MasterMind events to drive top-of-funnel -Content Creation: What drives meetings to be booked, how to use ChatGPT and Gemini effectively Please join us by using this link to register: https://www.eventbrite.com/e/monthly-roundtablemastermind-revenue-generation-tips-and-tactics-tickets-1236618492199

Hope Frank

Global Chief Marketing, Digital & AI Officer, Exec BOD Member, Investor, Futurist | Growth, AI Identity Security | Top 100 CMO Forbes, Top 50 CXO, Top 10 CMO | Consulting Producer Netflix | Speaker | #CMO #AI #CMAIO

6 months

John, thanks for sharing! How are you doing?

Scott E. Augenbaum

Cybercrime Prevention Trainer @ CyberSecure Mindset | Retired FBI Agent

2 years

Keep up the great work John Caruthers

Asif Alam

CEO @ Compliance.ai | Board Member |Go-to-Market Expert | AI Business Builder

2 years

Thank you John Caruthers for a very insightful keynote!

Paul Edge

President and Chief Executive Officer at Triden Group

2 years

Great Event !
