Episode 9: Security Budgets, AI Risks, and Data Sovereignty
Alright. Welcome to Distilled Security podcast episode nine. I'm Justin Leapline. I'm here with Joe and Rick, and thanks for joining us in this episode. We have an exciting episode with a bunch of interesting topics here, but the first one I think we're gonna be diving into is setting a budget.
Justin: If you already haven't set a budget for the year, it's probably about time if you're on the fiscal year, cycle and everything. But we figured this is a good time to talk a little bit about, you know, from a security perspective, how we've done it in the past, how we seen other people do it, the, you know, the the good and pitfalls of that. So, Joe, do you wanna start us out? Do you have any thoughts on what do you think a good budget looks like?
Joe: Yeah. Good well, there's lots of, you brought up something earlier. We're talking about should the CISO should the office of the CISO wanna have a zero budget Mhmm. And really have everybody else handle it. And, work
Justin: is that like to define that?
Joe: What do you mean?
Justin: So zero budget. So a lot of people, they'll do a continuous budget. So they'll start with all the stuff they paid for last year and assume that's going into next year and everything. But some people might not know what that
Joe: Oh, and I was even thinking of something a little bit different. How about I always wanted to have the least amount of budget in my area and have all the groups that were doing work that needed to be secured, have all the budget allocations in their budget for the just to secure what they were doing. Mhmm. And so we would offer a service. My budget would be essentially people
Justin: okay.
Joe: And then some, recurring items like IDS, that kind of things, and, MSSP, but other kinds
Justin: of security internally for the company, like an ITIL type service. Yeah. Okay.
Rick: Proactive chargeback, essentially.
Joe: I mean, exactly.
Justin: Honestly, that's the best way to do that. In my personal opinion, I'd love when companies actually treat their internal departments as, essentially service lines, you know, and account for the budgeting of that, you know, with it. But that's hard to get there.
Joe: Yeah. And then so that's not I don't I don't see the ton of people do that.
Justin: Right.
Joe: But part of what we were talking about got, you know, prompted because there were some articles out there. People were like, here's what you should do for your budget. And the article had some really cool things I I thought made sense and then some things I thought were, I don't know, a little little, interesting. Like, one is, bringing on a FinOps engineer to scrutinize the, the spending. And, I thought that was I thought that was interesting.
Justin: Well, and I also think it really depends on the size of your organization. Like, if you have a team of 10 people in your security, I'm not sure they'll be able to squeeze Right. As much out of, you know, that budget, you know, as they they really can. Now if you're a big bank and your security team is in the hundreds, you know, I'm sure there's waste in there. You know, that type of thing.
Justin: And and just a pivot optimization. Yeah. Yeah.
Rick: And just a pivot on that, like, instead of, like, a financial operations engineer, you might get more bang for the buck if you have some particularly big contracts. Right? There are all these outfits out there that essentially specialize in, like, hey. Let us analyze your contracts, analyze your current deals, look at the T's and C's, look at all this stuff, and help you understand how you can do better next negotiation cycle
Joe: Mhmm.
Rick: Because they understand the ins and outs. They know when to negotiate all those sorts of things. And for all the big players, like Office March, like the Microsofts, the Oracles, the SAPs, the Salesforce. So, like, for big things, like, I mean, yeah, you could bring in a FinOps engineer to do, like, all of it, but I would probably get more bang for the buck. And, usually, they keep people cash positive.
Rick: So what they do is they'll say, all we want is, like, 15% of what we cut out of your contract. Right?
Justin: Yeah. Yeah.
Rick: So Where
Joe: do you think FinOps engineer term came from? Is that we only hire engineers, and we got this person where they need to, look at what we're where our cloud spend is, and they'd look at the finances. Probably. So we gotta call an engineer. So, hey.
Joe: FinOps engineer.
Rick: Yeah. I mean, maybe. I I guess I guess I I don't really know what
Justin: it is. A Gartner term somewhere. Yeah.
Rick: I I thought it was sound like like it cuts across all the, like, the verticals of finance. So, like, oh, what do you I mean, depending again on how big your program is. Mhmm. If you have a million millions of dollars of budget, then, like, what are you doing with your dollars when they're not a thing? But, I mean, usually that's finance anyway, so I don't know.
Joe: One of the things that, I took away from the article was optimizing and rationalize as the way they framed it. But to me, that's something that, you know, I'm seeing a lot of companies over the years have been buying best of breed. And what's happening, all these best of breed point solutions is they're all being integrated into each of those companies' platforms. And when they're selling them, they're selling platforms, not just renew the tool. So one of the things that I've been doing is, with our with our team is going in and looking at what a company has purchased.
Joe: What have they what do they get? What is the overlap? There's probably sixty, seventy, 80 percent overlap in what these tools do. Yeah. And as part of your budgeting process or your planning process is looking how you can reduce some of these some of those duplication.
Justin: Well, yeah. And I think that goes to a point of leadership, you know, into that because a lot of times these budgets are created through, like, whack-a-mole, you know, type of things. Like, we have a pain point. Let's go and get a tool. You know, it's just one department that just goes up through, you know, type of things.
Justin: Like, oh, it's only a hundred grand. You know, they need it. They said they really want it. You know? We'll just purchase it.
Justin: But there's not a lot of times an overall strategy, you know, to it. I've seen this a lot with, like, IT, like, help desk stuff. You know? Like, you know, when we're talking about, like, a GRC tool with help desk, with CMDB, and all that stuff, I mean, ServiceNow comes into play, but nobody wants to take the big bite. You know?
Justin: And it's good it takes a lot of work, you know. Like Oh, yeah. It's not something for the faint of heart, but those conversations don't happen. You know? I mean, it's like, is this best for our organization going forward?
Justin: We're 2,000 people. We're using, like, a little ticketing system, like, you know, like, I had this one client using, like, Freshdesk, which is yeah. It was it was awful type of thing. They were way past it. You
Rick: know? And
Joe: Awful for their size.
Justin: Yeah. Exactly. And it it was just you know, nobody's having the higher conversation of where do we need to go strategically, and sometimes it's called, like, a center of excellence. But it's exactly your point. It's like we need a strategy around our tooling procurement and deciding, you know, when to say no to it, when to consolidate, you know, and actually get a strategy to where we're going.
Justin: You know?
Rick: I definitely agree. That was one of the notes that I had written down about a the thing that I didn't see in this article when you guys both hit it. It's have a legit security strategy, and that's not a road map and that's not a plan. Yeah. Right?
Rick: It's an approach towards achieving the objectives that you need to achieve. So one of the things that I've done in prior lives when we were helping companies map the budgets, right, is we take, let's say, the MITRE ATT&CK framework, map all the defensive and and protective in different categories tools to that framework. Right? Look at the overlaps where you have coverage and effectiveness and all these sorts of things. And basically, you can say, oh, look.
Rick: You have these holes and and, you know, it's an imperfect framework. All frameworks are imperfect, but it gives you a decent visual across all these key tactics and with the kill chain and all that about, oh, where are we really strong? Where we where are we really weak? And I would take that one step further and say, well, as a security organization, do you need to be super strong everywhere? Do you need to be absolutely great at everything?
Rick: Or if you focus really heavy on, like, initial access, lateral movement, exploitation and ex exfiltration, is that enough for you based on the nature of your business and what you do? And you can start to, like, look at your budget in a really strategic way because, you know, the approach you're gonna take towards securing your environment is very, like, very specific with how you do it. So I think that's really important is even thinking about the budget, but think about it strategically Yeah. Backing up. How do you want to run your security department?
Justin: Well, I think I mean, that ties into, like, the rationalization.
Rick: Oh, yeah.
Justin: I see it so many times when the budget gets, like, messy, it's again, I I bring back to the whack-a-mole. Like, they're just getting a tool to solve a pain point, not thinking about big picture.
Joe: Not even looking to see if they already have a tool that solves their pain point. Right? So I've picked up two thoughts. One is, just on the savings. So when you go to platform route, which is something I'm I'm pretty much in favor for, I haven't really seen good arguments not to do that versus the point solution that's best of breed.
Joe: But you also get the benefit of do I have to have more people now because I have more tools. When I go to the
Justin: platform, you manage
Joe: the whole with the platform. You end up be able to simplify.
Rick: There's some efficiency.
Joe: You can
Justin: use there.
Rick: Yeah, but you still
Justin: need with a platform to, like, you need more people to manage that platform now.
Joe: But you don't need people who are experts in 10 different platforms and 10 different tools.
Justin: Yeah.
Joe: You can get some, synergies because if you go all the one route, now you can be trained up on that. So now you're you imagine, like, you're one engineer. Do they need to know four different things and how it works or just how the one platform works and understand how it interfaces within itself. So that's some efficiency.
Rick: Your integration points too. Right? If you're really trying to manage this stuff out of one place or centralized or automate whatever, it's significantly easier if it's within one ecosystem.
Joe: Yeah. Well, and so back to like the core of budgeting. Yeah. So a lot of budgets for enterprises and I see this totally different enterprises end up taking their last year's budget, figuring out what they need to do, and then kind of moving that forward. Smaller companies will do that too, but they're much more dynamic.
Rick: Right.
Joe: And so, but in either way, I usually see people have struggles with budgeting for both people and the tools and then combining my thought. So I built something years ago called the Security Management Framework. I probably talked about it in a past podcast. But basically it's an inventory of
Justin: all
Joe: of your processes. And then for each process you have, it's well, what are the, or each service? And then what is the process that delivers that service? So think of a spreadsheet. The first column is the, service and then, like, maybe it's vulnerability management.
Joe: And then what are the processes? Well, you have to inventory the, you know, keep everything up to date and, you know, you have a series of those. And for each one of those processes, you know, it takes so many hours a month to do the process. Yeah. Some processes are scheduled and some are reactive.
Joe: And so every time it happens, how long does it take? Right. So now you start to build a measurement of how much people time it takes to do a thing. Well, then as you go through that process, you can evaluate your own maturity for that process. You can have a column where you'd like link or put a link to all the tools.
Joe: And then you can say for each of these tools, back to what you said, what problems it's solving, how important is it, how much does it cost me? Yeah. And now you've blended what you said with the people that you need backing into the services you're providing in your service organization.
Rick: That's the other thing I wrote down was, like, total cost of ownership was, like, a huge thing in the aughts or whatever, but it kind of is that. It's like, what's the total cost of ownership of the security capabilities we're providing? Right? And some of that, I think, it is tools. Some of that's people.
Rick: Some of that is potentially dependencies on other teams. And if they stop doing the thing, do you have enough flex in your budget to fill that gap so that your capability doesn't fail just because their thing changed? So When
Joe: you look at total cost of ownership, how many years out do you typically do your
Rick: It's tough because because environments shift so much, but I typically think two or three usually.
Joe: Yeah. I've, I've gotten to a point where I was able to do a
Justin: Even for, like, infrastructure stuff? Yeah.
Rick: Okay. When you have when you have the data available. I mean, it depends on the environment. Right? Some are I
Justin: see that with, like, laptops and everything. You know? Like, that's a thing. But your core router, you know, is that the two or three, like, year? I think that's more to, like, five to seven Oh,
Rick: well, fair. I mean, it's spread across
Justin: If not more. I've seen it.
Rick: Yeah. I'm not saying you, like, I'm not suggesting you, like, only have a three year cycle for depreciating every piece of hardware. Yeah.
Justin: Yeah.
Rick: But when I think about, like, the time horizon by which I'm managing it, I'm usually thinking about that two or three years out. So I think about how long
Justin: is this asset gonna last.
Joe: Oh, I like the blend. I like what you're saying about the two to three year, what am I doing? What's my strategy? Yeah. But when you go buy stuff, some of these vendors will come to you with a, like, here's our five year contract.
Joe: And I'm all in favor of a five year contract because you can get a really good deal out of it. But when you're looking at that five year contract, not everybody actually takes the cost of it and, and looks at all the things that are involved across that five years.
Rick: Oh, yeah, absolutely. So,
Joe: you know, I typically would go with like, you know, do your TCO, build it on a five year model, see what efficiencies you can get, push the vendor to make sure that you know what they're gonna do to charge you over time. Mhmm. How does the support model work? All that stuff. And look at your company.
Joe: Are you gonna need how many more licenses will you need in five years? Are you growing? Right. Are you staying the same?
Justin: So Are you adopting more cloud first strategy? So you're decreasing on on prem. Like, I have a client going through right now, and they're looking at their spend on some of their data centers. They're like, we just need to keep the lights on for another two years, you know, as we migrate
Joe: Mhmm.
Justin: You know, that type of thing. So
Rick: Well, in those longer term contracts, another thing I'd say, because I've seen this across a couple negotiations recently, a lot of times, vendors, whether it's software or labor, will say something along the lines of, oh, here's how we're gonna account for inflation. And if it's labor, here's how we're gonna account for raises or price hikes, and that'll be, like, baked in. Don't forget that as the customer, you have the power to say, okay. What are you gonna do to get more efficient year over year? What are you gonna do to counterbalance those costs?
Rick: Right? Because oftentimes, particularly, like, in the labor space, you can say, oh, well, if you have, like, an MSP or an MSSP, right, they might say, well, the costs of people are going up. You say, yeah. But we expect you to get more efficient over time too. Right?
Rick: So are you gonna actually keep that flat or get closer to flat than you
Joe: are? I was going to bring up AI, but you talked about automation. Absolutely. AI might make things, easier. That was one of the points of the article.
Joe: And it was more like a, you know, takeaway. Yeah. Sure. Automate and, use AI.
Justin: Yeah. I don't think we're there yet, though. We're not going into an AI conversation. But, I mean, it helps out a lot of the stuff, but it it's just not there to replace. A lot of people are saying it's gonna replace FTEs.
Justin: Like, it saves minutes, not hours.
Rick: The best quote on this I've ever heard, and I apologize if I've said it on the podcast before, but I was talking to a lawyer several years ago, and they're like, AI is not gonna replace lawyers. Lawyers that use AI are gonna replace lawyers that don't use AI.
Joe: Well, it's funny because I have the very similar thing I've been down to say. Yeah. Yeah. AI won't take your job, but somebody who knows how to use AI will take your job.
Justin: Yeah. Exactly. Yeah. So, yeah, it's just building in efficiencies, you know, into it.
Rick: Yeah. I think the only other two budget things I have super quick were, like, one, like, as much as possible, make sure you're framing your budget as business drivers. Right? Like, it's very easy to say, I need, I need, I need, or we're not gonna secure the business if not x y z. But you can reframe that often without too much hassle by saying, well, look, the business can move much, much faster if the guardrails that I've installed are strong.
Rick: Right? Because there's a lot less chance of going off the cliff. Right? So if you can build essentially the sandbox by which, you know, in the processes by which the business can go innovate and go do the things that the business wants to do, then, typically, you'll get a lot more support than just like, hey. We're keeping you safe.
Rick: It's, hey. We're keeping you safe, but us keeping you safe lets
Justin: you go faster. Right? The fact that your tires are good lets you drive faster. Mhmm.
Rick: And then the only other thing was oh, this is just kind of a silly thing, but think about your business and, like, what it does, how it makes money, and frame the costs of the things you buy, and how many more units you have to sell. So, like, we always did this at Del Monte. When someone, like, lose a laptop, we'd be like, dude, do you know how many pallets of corn we had to sell to pay for that laptop? Right? Because because it depends on margins and stuff.
Rick: And it kinda just gives you a volumetric thing based on how you how the company, you know, does business. And I think it's useful for framing, like, oh, I'm asking for a hundred thousand dollars. Like, what does that actually mean in terms of, like, physical goods or labor or whatever that looks like?
Joe: Yeah. Yeah. That's really good.
Justin: Yeah. That's a good comparison, everything. I always, yeah, brought it up to like, when we're doing budgets and everything like that, bringing it up to you know? Because there's always a negotiation. You know?
Justin: Everybody's, like, looking to save as much or put, you know, more investment into other areas. And I often do what you did just more on the task based level, but I break it down by hours on a per week, month, you know, yearly basis. And it's a whole, you know, workload breakdown. And, typically, it's like, okay. If stuff is coming off, then what tasks are coming off with it, you know, that thing.
Joe: Yeah. If you're if you're not getting positions approved, tell
Rick: me what you don't want. Yeah. It's like
Justin: yeah. Like, I I can't work miracles, and I'm not willing to work eighty hours a week for a salary job. I'm sorry. You know? That's not a thing.
Justin: You know, let's have this conversation, you know, here. You know? And I'm not trying to hold, you know, like, never trying to hold the business hostage into that, but it's a reality. And Well,
Joe: it's really good. Yeah. Yeah. Absolutely right. So something that I've helped people with, even had that conversation today is when you get to a point that you're gonna pull back on the number of resources that you can have, you're not getting approved to get that next person or somebody left and are not they're freezing the position.
Joe: So no no rehire. What do you do? So my recommendation has been, well, you can't force the business to give you the new hire. Mhmm. But what you can do is make sure you manage that risk.
Joe: Yeah. A new risk got created the minute you didn't get the resource that you needed to do the job at the level they wanted. Something needs to change. So when you don't have the number of people to do the processes, when it takes x number of hours per month to get that process done, and you expect the business expects that you're gonna get it done in a certain time frame.
Justin: Mhmm.
Joe: Well, your OLAs, your SLAs, they're gonna have to change. You can't do it. You can't get as many things done in that month.
Justin: Right.
Joe: Well, that creates risk. Mhmm. It's risk for somebody.
Justin: Mhmm.
Joe: So make sure you update your risk register with the risk that's created because of the lack of resource. Absolutely. A person or just budget to buy the thing you needed to fix the control.
Rick: And I'd say and make sure you're that's absolutely right. And I'd make sure you're building a little bit of flex into or extra time for, you know, the the issue du jour because they're gonna come up. Right? So if your entire budget is wall to wall, like, forty hours a week for every single person on, well, this is what they're doing, you you probably need an additional category in there for, like, oh, crap moments.
Joe: Well, in fact, when you go and add this really cool little formula, where you have your twenty eighty hours Yep. Per person per year. Mhmm. Nobody ever only worked forty hours, but let's just go with that.
Justin: Yeah. And
Joe: then You don't you
Justin: don't wanna over. Escalators. Yeah.
Joe: Then you gotta subtract out how how many holidays do we Yeah.
Rick: Does the
Joe: company give them? How many vacation days Mhmm. Will they probably take? How many sick days will they take? Let's subtract all that off.
Joe: And now your twenty eighty comes down to around sixteen hundred.
Rick: Yep.
Joe: And now you have sixteen hundred hours per person that you're gonna put across all those things. So what you end up doing is you get that spreadsheet of all the things you have to do. Yep. And then the number of hours annualized at the bottom, you're gonna have some tens of thousands of hours of things that need to be done depending on how big your company is. And then you know how many people you have and you multiply that by the 1,600, that's gonna show you a gap right there.
Justin: Yep.
Joe: I've always logged a risk for we have a risk that we aren't gonna satisfy these processes in the time frame that you want because we have this disparity between what we have and what you're asking for. Yeah.
Rick: Yeah. The language that I've always used for that is requirements require heroics. It's like my little my brief thing. It's like, look, if you need these things and we don't have a time in the day then, you know, you're relying on people to be heroes to make it happen and you can't
Justin: do that. Yeah. At least on a long term strategy.
Rick: Yes. Yes. Yes. Yeah. You can you can you can people can sprint.
Rick: Right. Right? There are there are implementation time. Like, you're in IT or security. You expect that sometimes there's long hours, but yeah.
Rick: Yeah.
Justin: Yeah. But that can't be the normal part of the job.
Rick: Should yeah. Don't if you're doing a budget, don't plan for it
Justin: to be. Yeah. Yeah. Yeah.
Rick: That's great. Okay.
Justin: Good first topic. Yeah. Rick, you wanna introduce us to the, Bourbon du Jour?
Rick: Oh, sure. Sure. Sure. So I was, lucky enough to be invited to, speak to some lovely people. They asked me, what my favorite bourbon was, and I said something I can't get in Pennsylvania.
Rick: And so
Justin: Very open, open policy, though. Yeah. It's true. They they were
Rick: they were spoiled for choice. But they they picked a a lovely a lovely bottle. It's a Rabbit Hole or high gold, cask barrel or single barrel cask strength.
Justin: Okay. Yeah. And we did a little bit of research, coming on to this. So they have high golds out there readily available. But the, single barrel, this is a special release.
Justin: They have a whole bunch of different artists doing different things on this. This is a total d and total dum, and this was only released in Ohio. I think that's
Rick: right. Yeah. Yeah.
Justin: Yeah. It says on this. It's 109 proof, 109.2, and everything. And, yeah. It's, it's really good.
Rick: I really like it. Yeah. I think it's excellent.
Justin: So cheers, guys. Cheers. Yeah. We mentioned before, it has that, like, citrus Super citrus in front. And then it kinda goes into, like, a grainy I I picked up wheat the first time I I tasted it It's kinda settles out and everything like that.
Joe: You mentioned pepper and I maybe maybe that's why I'm tasting
Justin: a little pepper.
Joe: Probably get a little pepper.
Rick: On the back. Yeah. Yeah. It's really nice. I like this a lot.
Justin: Yeah. Cheers, guys. Alright. So next on the topic list, do you have that too?
Joe: Well, we were looking at how Marriott and Yeah. You know, the FTC Yeah. Came up with their consent order. So quick quick background on that. Marriott's been hit, by both a multi state and FTC settlement because of their breaches that started in 2029.
Justin: Out of 50 states sued them. Yeah.
Joe: Yeah. And, and it's because they had, breaches of over 30,000,000 US customer guest records that went, some of it went undetected and trigger went undetected for four years in their network.
Justin: Yeah. And so it was three separate breaches. Yeah. It was 2014, 2018 and 2020. I Something like that.
Justin: Something like that.
Joe: Yeah. I think I just saw a news article post in the last day that talked about a service provider that they use having been breached. And I'm just waiting to find out. I don't I don't know the details, but now I'm wondering whether or not they're going to on the heels of so this is just December that this that these settlements, happened. So just a month ago.
Joe: And now all of a sudden, they I don't know if they're going to be involved in another thing. But one of the service providers that serve lots of hotels were just announced to have breached some data. So who knows? Maybe they'll have a Data. Interesting thing.
Justin: Now have you guys had the pleasure of working in the hospitality industry? I know you have. Yeah. I've been on engagement with
Rick: you a little bit. Yeah. Yeah.
Justin: I don't think now.
Joe: No. Tell me about it.
Justin: They, they're they're notoriously by the seat, and a lot of it is a lot is franchised out.
Joe: Mhmm.
Rick: Yeah.
Justin: So which they're just typically very bad in security. You know? Like, stuff stuffed in drawers, things left unlocked, you know, no password, or security Post-it notes on the the walls. Like, you know, the basically, the worst, you know, when you're going in from a a security perspective. We did, several, like, PCI stuff, and it was just sometimes a train wreck, things and everything, And just getting them to understand that it's not, you know, the the three people in the back office doing all the orders, you know, for three hotel sites is you know?
Rick: Yeah. Well and it it's it's like in some ways, it can be like, you know, retail or anything else where, you know, there's sort of a mother ship, right, somewhere. And then there's just tons and tons and tons of physical locations that need all this, you know, care and feeding
Justin: Yep.
Rick: And have their own, you know, technology hopefully standardized, but maybe not if it was, you know, a per you know, a single owner hotel that, you know, got bought up by the conglomerate or whoever. So you end up with this very an industry that has a ton of M&A and Yep. But also all the challenges of, you know, trying to manage tons and tons and tons of physical locations from one place. So I I feel for the challenges, but that doesn't mean the challenges don't exist. Yeah.
Rick: Yeah. They're out there.
Justin:And there are some good ones out there. It just you know, I don't wanna castle an entire industry, but more times than not, there was wide open gaps. You know? And it Yeah. It's understandable.
Justin:I mean, these are people trying to run a small business, essentially, you know, a couple of site hotel. You know, it's not that big, you know, to the thing.
Rick:Yeah.
Justin:You know, it's but, yeah, at the end of the day, security is usually the last thing on their mind, you know, when it's coming to this. But, yeah, in this case, I I thought it was interesting. I I threw it in the the docket here. Their so they got sued out the wazoo. Like, they settled, like, over a hundred million dollars.
Justin:The UK sued them. Obviously, forty nine and fifty states. The 50 the multi state
Joe:one was 52,000,000.
Justin:Oh. Oh, okay. Yeah.
Rick:Which state didn't sue them?
Justin:I don't know.
Rick:Was it allowed? I I I'm trying to think.
Justin:I'm I'm so curious now. I was
Rick:we'll look it up later. Yeah.
Justin:We'll put it in the show notes. Yeah. Yeah. But, but, yeah, it it now they're being mandated. They settled with the FTC that they have to build a pretty robust, security program.
Justin:Some of it is not surprising, type of thing reading it. Mhmm. Some of it is you gotta have to be audited by an external party every single year, have to have that available for submission, all this stuff and everything.
Joe:Yeah. The multistate said that, and then the FTC also, said the same thing. So they're getting some of the same some of the both of these settlements are for the same mandates, the consents. And both of them said every other year, but what FTC added so every other year for an external party to audit Mhmm. But they need to send on an annual basis Right.
Joe:A compliance report of their security to the FTC. Right.
Justin:So
Joe:now they have an Including,
Rick:I think, asset state
Justin:attestation by their CEO. Yeah. Certification. Yeah. And to what
Rick:you said, the station by their CEO. Yeah. Certification.
Joe:Yeah. And to what you said, Rick, was interesting because one of the things that, they said they have to do and as I look at this list, I'm like, yes, people should do these things. Yeah. It's planned for performance security reviews before connecting new acquisitions into the network.
Rick:I know there was a lot of good hygiene stuff, but there were two things that, for whatever reason, stood out at me. And one of them was they seem to pay a lot of attention to the treatment of terminated users.
Justin:Oh, good.
Rick:And they seem to pay a lot of attention to m and a.
Justin:You know why they're terminated users? No.
Rick:I don't The last breach. Was it? Okay. I was
Justin:I was It was two employees, and they probably got into x that accessed Yeah. Millions of customer records. Well, I
Rick:I was thinking that, like, in the combination of breaches, it was it seemed likely to me based on the focuses of the language that something had to do with terminations and something that had to do with m and a.
Justin:Yeah. That was a 2020 breach, I believe. Yeah.
Joe:Well, let's unpack this. One of the complaints they said, Marriott and Starwood deceived customers by claiming to have reasonable and appropriate data security when they, in fact, failed to deploy reasonable security to protect the consumer's personal information. And that's what they said resulted in three separate data breaches. So what's interesting about that is that, you know, what company out there is claiming that they will not protect data?
Justin:You know, and I I actually thought about this, like so that's always the FTC and some of the other things, like, you claim from a consumer basis that you're protecting everybody, but, obviously, you really suck at this.
Joe:Because you
Justin:got breached. Because you got breached. So, like, wouldn't it be funny if some company was like, we don't do that good of security.
Rick:You know?
Joe:That's what I was saying.
Justin:It's, you know, what Yeah. You're up to your own. Like
Joe:What company is out there saying, yeah. You know, we don't do that.
Justin:Yeah. Yeah.
Rick:I'm blanking on the legal term, but there's a legal term that's like, you know, it's essentially a reasonableness thing. It's like goodness of your fitness of purpose or something like that. And it's kinda like you're doing all the normal things that companies should do, including not breaking laws. Right? Like, these are, like, implied guarantees that every service
Justin:is sold out. Protection type stuff and everything. So, yeah, whether it's an implicit we do it and breaking Yeah. You can still get hit over the head for a reasonableness, you know. And it'll be lawyers arguing in court, you know, like, hey.
Justin:They didn't do this. And, you know, you know, NIST says this that they should be doing this and, you know, you know, whatever it is, you know?
Joe:Well, I also find it humorous that as part of the settlement, here's what they're prohibited from. They're prohibited from misrepresenting how they collect, maintain, use, delete, and disclose consumer personal information. So, yeah, they're not allowed to misrepresent how they treat your data.
Rick:I read that. I was like, yeah. You have to follow the law. Like, I was like, would
Joe:that be normal expectation? Yeah.
Rick:I mean, yeah. That's fine. The other thing that was really notable to me about it too was the time frames. Did you see that? There was a lot of references to twenty years.
Joe:That's not uncommon. Really? There's been, so I worked for somebody who was brought into an organization before she was in our legal department at a previous company. Yeah. And she had worked at places that did some health care stuff, twenty year consent.
Joe:This is like I haven't read years ago.
Rick:Read enough consent decrees. That's that's
Joe:so twenty years isn't uncommon. And typically, you know, those get awarded to these, like, the big, big four type companies.
Rick:Yeah. Yeah. I was I wrote that down, too. I wonder who does this award?
Joe:Oh, that, to a twenty year contract
Rick:Right.
Joe:To do the every other year
Justin:get to
Joe:that report and then send it.
Rick:That makes sense. Gotcha. And and I did also see
Justin:engage them in a twenty year contract? Like, they're mandated by the consent decree, but why would you engage in that twenty year contract? What if you didn't like them?
Rick:Well, well, I'll tell you. You probably changed. The commissioner, the FTC commissioner also gets, like, veto power on who gets to do these audits.
Joe:They would need to see the qualifications of the people who do their audit. That was explicit
Rick:in the document. It was
Justin:in there. I saw that. So do they have assist? I don't know. No.
Justin:Yeah. Yeah. I actually read that. I laughed at that. I'm like, how do you define qualifications?
Justin:You know, type of thing.
Joe:But you gotta figure it's a balance between, like, you read some of this stuff, like, we read it and we're like, okay. But then what's the purpose of it being written this way? Well, it's somebody else who doesn't have ours, or probably most of our audience's, who are cybersecurity experts, background in knowing what these things mean. And so they're overwritten out. And it's like, well, who is it?
Joe:Is it my you know, is it one of my family members who doesn't do cybersecurity who's gonna have to go to court and, like, be on a, a jury of this or what?
Justin:Right. Yeah. And we're
Rick:in and to even attest to the stuff. Right? I mean, these CEOs are not necessarily gonna be security experts in and of themselves, and they're gonna be helped. But, ultimately, you know, it's a pretty well indexed list of you have to do these hundred things or
Justin:whatever it is. But I also, like yeah. I saw a lot of the twenty year, and I thought the same thing. Yeah. Because I was thinking it's like, how is security gonna change in another twenty years?
Justin:You know, type of thing. Like Yeah. You know, HIPAA was written in 1996, and we have it on
Joe:a document. We're gonna talk about it. Talking about reporting.
Justin:Been, like, antiquated for so long, you know? Like, it's a it's a small, you know, like, standard, you know?
Joe:Well, what I would hope that the, people auditing are gonna do is the same thing that any of us would do when we go and look at a program. We wanna look at the design. We wanna understand if this is reasonable. Are they doing proper risk assessments based on their situation? And then are they, applying controls to manage those risks?
Joe:And that will evolve as well.
Justin:But they also have to align to all the items in the consent decree as well, I would imagine. Yeah. So there are high level stuff into there, and there's also very specific stuff, you know, that they're in as well.
Joe:Well, they're gonna have to
Justin:do those things for twenty years.
Joe:Yeah. Yeah. And maybe another twenty if they, you know, have another problem.
Justin:Yeah. I wonder do they
Rick:wow. There are so many parts of this law that I'm not as close to. Like, do they renegotiate consent decrees? Like, does that happen? Like I
Justin:imagine you could, but I've seen couple of years. Is is it worth it? I'd think definitely you're
Joe:out of business
Justin:Right.
Joe:And not have a finisher to send Right.
Justin:Consent decree. Right. Yeah. You shut down, sell off assets, start up a new Yeah. Start yeah.
Justin:But yeah. That's
Rick:all the same people in the new business.
Justin:Yeah. Mhmm. So technically legal, you know, if you do it right. Yeah. But Yeah.
Justin:That That's above our pay grade.
Rick:That was interesting, though.
Justin:Yeah. So do you think it's as a general question outside of the Marriott Starwood, stuff and everything, do you think this type of strategy where you kinda put mandates onto a company like this, is this a good way of dealing with kinda multiple repeater breach?
Rick:I don't know if it's good, but it feels better than a class action lawsuit where I get, like, a $1 credit to my account. You like You don't like
Justin:that $1? You gotta go out of the spending Well,
Joe:you might get that anyway, from those
Rick:that's true.
Joe:$52,000,000 payment they have to make to the states. Yeah. But
Justin:Yeah. So No. The states are gonna keep that.
Rick:But But then they don't tax me as much. Right? Yeah. Right.
Joe:Right? No. And, yeah. But I I do think that for these companies that have this kind of problem, and it becomes a little bit I mean, I love Marriott. I have lots of Marriott points.
Joe:Yeah. I'm not switching. Yeah. But, do I wanna see them improve? What's gonna cause them to improve?
Joe:Well, now they have to legally
Justin:Right. Improve. Right.
Joe:And sometimes you just have to have to do that. There's lots of things you can do to avoid it. I remember even checking out, years ago the CISO job posting at Marriott. Yeah. And it was interesting.
Joe:And I'm just wondering, like, the controls weren't in place to be able to detect this stuff. We can have a whole separate conversation. I'm starting to think about how do you get yourself in this
Rick:Wow. Or and how do you get yourself out of it? Or, like, even if it's just, like, define like, to your point about, like, defining and articulating the risks and saying, well, I don't have the resources I need to do the job you want me to do, like, all those sorts
Justin:of things. Yeah. And I'm I'm with you guys here. So, you know, there's two thought processes. One, like, we've all met bad security executives Yes.
Justin:You know, type of thing. Kinda they like being in that power, but they're not very effective, you know, and everything. But I think I've seen way more just not being empowered, you know, into the position. Like, they're asking for resources. They're asking for tooling.
Justin:They're like, no. You've got nothing. You got basically, we haven't been breached yet. Just keep, you know, doing what you're doing. You got the same team members, you know, type of thing.
Justin:I've seen I think I've seen more of that.
Rick:More good people in bad situations than bad people in broad situations.
Justin:Yeah. Exactly. And it's more of a culture thing, you know, and executive management. And I feel bad for those CISOs, but at the same time, you should know when to leave before it becomes on your name. You know?
Justin:I mean, it's hard to do. You're probably getting a nice paycheck. You know? You're trying to keep the lights on and do as good as you can. But at the same time, how how many times have we seen in the news where the CISO gets the peg because, you know, of it?
Justin:And I guarantee going into it like, I still remember, was it Experian or, what was the other credit union when they got breached? Trading union? Yeah. I think it No. It was the other Equifax?
Justin:Equifax. Yeah. Whichever one got the the big breach and everything. Mhmm. The CEO came on at, like, a news station.
Justin:It was like, oh, it was the system admin that didn't I remember that. System. I remember that. Serious right now? Like, you're blaming That was a big bust
Rick:up here that poor person.
Justin:And then Yeah. Some type of thing. Yeah. Well, yeah, there's
Joe:a whole story there that I've heard, and it kinda makes a little bit more sense when you hear all the context.
Justin:But Yeah. Not bad.
Joe:In but back to this point, do these, do these decrees help? So if I was going to if you were looking to go get a security job at a company that's gonna have to invest in security
Rick:For twenty years?
Joe:Yeah. May maybe go look for the ones that have the consent decrees because I
Justin:don't know.
Rick:I'll look for those anyway because I'm not gonna be bored there.
Justin:Yeah. There's work to do. You'll get the budget. You get all that, but, honestly, I think you'll still have a culture issue. Like, you're looked at as a pariah because you're mandated to do it.
Justin:I don't know. I I don't know either. I'm making assumptions, you know, type of thing.
Rick:I could see it going either way. I could see there being some organizations that don't take the intent fully on board. Right. Right? And then I think there's probably some organizations like, yeah, okay.
Rick:This was a wake up call. We need to, like, really change how this is working.
Justin:It really comes down to the culture, you know, type of thing. But, yeah, I I worry about that aspect. It's not necessarily given that it's gonna be a good role, you know, typically.
Joe:And then there's probably thousands of employees there who have no idea any of this conversation is happening.
Justin:Mhmm.
Joe:Yeah. Right. So you're gonna really gonna you know, so if you have a good c suite who says, alright, we have to do this, we can't have another problem. That would be a problem. The risk of taking that job is one third party that they're using breaches all that data.
Joe:It's still breached, and it's still their responsibility. Yeah. So, you know, you have to you have to weigh your You
Rick:have to weigh it. Yeah.
Joe:Are you coming in as the,
Justin:but still, I think you've just shown due diligence to the regulators, I I think.
Rick:To the regulators and and even for yourself when you come in. Right? I think, like, the the entry path, we I think we've talked about this on a prior podcast, but, like, how do you get the lay of the land in a way that's adequate? And and some of that's gonna depend on, like, well, is there an existing consent decree? Like, you should probably know that before you, take that gig.
Rick:Right? Yeah. But, I mean, just getting a sense of, like, how things operate and and what's good and what's not so good. Right. And you gotta do that upfront.
Joe:Yeah. Do an assessment.
Justin:Yeah. Yeah. I talked to a lot of my clients when talking about third party. Again, go down rabbit holes. But I one of the big things to say, like, your third parties are gonna have an issue.
Justin:You need a plan for that. You know? I'm telling you, it's send them all the questionnaires, get all the attestation documents. It doesn't... you're basically just doing CYA at that point. Yeah.
Justin:You know, they will have an issue, and you need to put into some type of incident response planning methodology where you are now coordinating with them, making sure it gets fixed, communicating with your customers as appropriate, and everything like that.
Rick:Well and where you can, figure out ways to limit the blast radius if something goes wrong with those third parties.
Joe:Yeah. Right? So hot take, what's your thought on you go into the company that has the consent decree. Yeah. They're hiring some type of probably big four or similar company that's coming in, doing their assessment for twenty years.
Joe:Mhmm. You they need a new CSO. That's you. You're coming in.
Justin:Mhmm.
Joe:Do you rely on the, audit that's happening that has to be done and given to the FTC, or do you bring in your own group and do your own separate audit with another group? So now you have two.
Justin:Definitely doing both. Yeah? Yeah. I mean, I like the idea of the both, but at the same time, it might be double cost with
Rick:it. It could be. But I think one to me, one of those I mean, as we see this all the time. Right? There can be security assessments and then there are, like, tailored compliance assessments.
Rick:Mhmm. Right? It just so happens this is a security related consent decree, but at the end of the day, and to your point about, like, twenty years with the same controls. Right? Mhmm.
Rick:I I'm pretty sure controls are gonna evolve over time. Like, I think in my from my perspective, you have effectively the security reviews being done by whatever, if it's a big four firm or whatever that is. That's effectively a compliance audit to make sure you're doing all the same security stuff. I want my internal telemetry and sensors and notes to make sure that things are staying on track, whatever the appropriate frequency is outside of that extra part.
Justin:And that's a hundred percent. I was thinking more of yearly audits or something like that. You're absolutely right. Like, there should be no surprises in that annual audit. And whatever you need to get to that point, tracking internally on a weekly, biweekly, monthly, like, there are a lot of iterations in that.
Rick:And if that means external expert
Justin:that you
Rick:have to put in your budget Yep. Then great. And if it's, you know, it just build and help you
Justin:turn into a program that you're getting all the stats on a daily basis, essentially, on the status of your program. That's really what you're looking at. And then just the validation of, like, yep. You're collecting all the evidence internally and your dashboards are
Rick:Yep.
Justin:Exactly spot on with what it does. Like, that's what I'd want. And part
Rick:of the other thing is, like, I yeah. I want proactive ammo. I mean, look. You you gotta you gotta tell the truth with this stuff. Right?
Rick:But not every auditor gets everything right every single time. Mhmm. Right? And if the sort of compliance assessment auditor happens to be getting something wrong, I definitely want some ammo in my back pocket. It's like, well, either I've been looking at this and this is a new recent change.
Rick:Right? So let's limit the scope of what went wrong and how quickly we found it. Or, no. I disagree with you on the merits of this point. Now how much that actually buys you, I don't know.
Rick:But at least opens the door for a conversation as opposed to you just being
Justin:I just had a conversation with somebody just got thrown into the PCI compliance chair. Oh. Never did it before in her life and everything.
Rick:Good luck.
Justin:Whoever you are. I was I I was giving her some tips. I was like, anytime they say it's an issue, come back to them, ask them what, requirements specifically they're talking about. Yeah. Look at the verbiage.
Justin:Start talking about, like, if they're saying that it's an issue, ask them specifically, why is it an issue? What is it gonna take to make it not an issue? Like, a lot of people get afraid, you know, in that. And it's like, I have to do exactly what they say. And most people have never run an operational side of that, being the auditors.
Justin:I've seen. People forget
Rick:the goal is to get
Justin:Exception in this room, but, like, some of the people I've hired at the end of the program, you know, like, they're like, you must do this. You know, it's like, have you ever run a program ever? You know? People fit. The goal is to get
Rick:to the truth and a plan to a reasonable plan to resolve the issues that occur.
Justin:Mhmm.
Rick:Right? That's typically not and shouldn't be a one way conversation. Right.
Joe:Yeah. I agree.
Justin:Yeah.
Joe:So and I like your, I like your your take on my, my question. And I didn't really go into it thinking about what you were saying with the, every two year
Justin:Yeah.
Joe:Just being a compliance audit. But, essentially, that's what That's
Rick:essentially what it is. Yeah.
Joe:And then what do you have to do in the meantime? When you get a deep dive into those risk areas
Justin:that
Joe:you're really worried about and, you know, make sure that your op operational security is actually covering the the stuff.
Rick:Yeah. Yeah. And if it isn't, treat it head on. Right? Define your risks.
Rick:Tell everyone you need these resources to fix these things, and and get it as far as you can with what you have. Yeah. And any risks they don't
Justin:Yep. Any
Rick:any risk you don't have resources for, get someone else to sign off on that.
Joe:Right. Great. Next topic. Yeah. So I brought this up just yesterday, and, you know, I'm thinking, or you all thought this might be a good topic to bring up?
Joe:AI note takers. And there's lots of them out there. There's all these different ones that are getting created. Some of them, you get the AI note taking that joins your Zoom or your Teams call, and it's a side effect of you buying some other AI tool. Some of them are very good.
Joe:They do summaries. They give action items. End of the day, it's really easy and cheap to sign up, and they'll auto join your calls.
Justin:Mhmm.
Joe:So I've been I've been on calls
Justin:not auto join, but, like, some of the native ones actually have, like Zoom. Oh, yeah.
Joe:I'm, like,
Justin:built in. Yeah. Yeah. Zoom. Teams.
Justin:Google. Yeah. Yeah. Yeah. What does Teams have an AI component?
Joe:Their Copilot itself is getting in.
Justin:Copilot is getting in. Okay. I haven't had experience with that. But, yeah, Gemini is has can go into Meet and all that stuff and everything.
Joe:I didn't realize that. Yeah. Yeah. So my question was, you know, when your hot take on what are the risks and what third party vendor risk management activities should GRC teams or whoever's responsibility is be doing?
Justin:Well yeah. There you go.
Rick:So, I mean, I one of the things that I thought about when you brought up this topic was, really thinking about, like, bringing it back to almost a data classification thing.
Justin:Mhmm.
Rick:Like, okay. At the end of this, a file or a summary is gonna be generated, and it's gonna have information. That information is what you talked about. Okay. What's the classification level of that information?
Rick:Right? And how do you typically need to treat those things? And so it could be wildly different if you're on a conversation with your general counsel, right, versus if it's HR, but not necessarily, you know, client privilege protected, versus if it's an analyst on your team. You know? And and so I think understanding really clearly the topics and the nature and to some extent, like, going in and to some extent being able to pivot on that if the conversation veers into a direction you don't expect.
Rick:I think there's a whole a whole set of things to think through there.
Joe:Right. So, I like where you went with that. You you started talking about data. Mhmm. And if you trace where the data goes with this system that you subscribe to for sometimes a free trial for two weeks and then Yeah.
Joe:$12 a month or whatever, you have conversations that are happening. Who are you having them with? Well, maybe it's internal meetings. Maybe it's customer meetings.
Rick:Right.
Joe:What are they talking about? Where does it go? Whose cloud is it in? What kind of review have you done? I mean, it's walking through a risk scenario here.
Joe:What kind of assurance do you have that that third party AI tool Right. Where is their data being stored?
Rick:Right. How does it handle data on international citizens?
Justin:Are you helping them train their data? Right.
Joe:Yeah. So all these risks
Justin:Yeah. That come up. I mean, that's just natural. I mean, as we talk about, like, governance and AI, the those are just natural risk that go into just AI and in
Joe:general. General. Yeah.
Justin:And there's been a bunch of write ups. But, yeah, I think the the biggest danger to that is data leakage, you know, how they're treating the data, are they selling the data. I always recommend, like, opting out of, training their data models, you know, just because there's no benefit for the organization, you know, and there's more risk that it brings. So there's really nothing, you know, that you're gaining from that, you know, type of thing. So I think that's and then, obviously, doing your normal due diligence, you know, into there.
Justin:That's about all you can do from an AI perspective, you know, from that.
Rick:I think there's probably some training in terms of, like, use of it from a hygienic perspective with, like, the business units and stuff like that.
Justin:There's some access control. Like, I know there's some, like, you know, instead of treating it as, like, one big blob of data when you give, like, all the training data of all the financials and all that stuff. Some of those might not be public yet, you know, and you have to know which parts that are internal internally publicly accessible, like internal accessible versus, you know, just publicly accessible. Yeah. Like, if we're talking about what a company did last quarter compared to this quarter, but our call is in three days.
Justin:You know? Right.
Joe:And it's so easy when you do these recordings. You get the summary. It goes in email.
Justin:Mhmm.
Joe:And depending on how you have it set up, it'll go in an email to all the people that were on the meeting invite. Yeah. And then it's really easy for any of those people to click on the link and then they click the button that says, oh, I need the link because they give it to somebody. Mhmm.
Justin:So
Joe:now you have a shareable link. Now, how easy is it? And I don't know how easy it is to brute force that link to be able to say, well, what if I change some parts of the link?
Rick:Oh, right.
Joe:Will I be able to get somebody else's link? And is it available?
Justin:Right.
Joe:And so now what data do I have? So these are all the things that I think about. Like Mhmm. How could the data be exposed? Well,
Justin:and I thought it was really interesting. You brought up the legal aspect to that. Oh. And Yeah. Now I I didn't I never really thought about that.
Justin:And, hopefully, they're they're smart enough to be wary of things recording, but that's discoverable now in a way that Absolutely. You know, it's wasn't before.
Joe:And plus, has everybody been notified on the meeting, or are they aware that they're being recorded because now you have wiretap.
Rick:Yep. Yep. You have wiretap stuff. And and you even have, theoretically, some privacy loss stuff in terms of, right, the note taker and saying, oh, Justin said this. Well, if Justin happens to be a citizen in the EU, now is there GDPR stuff that applies to Right.
Rick:Potentially because there's identifiers about who Justin is and
Justin:whatnot. And, I mean, I don't think we've seen any, like, stuff with this. I just had a Bible study yesterday, and we did a Zoom call because somebody was remoting in. And my account had three people on one side, and then one person was on the other side. But all and I left the AI on.
Justin:I I didn't know about it, and then I got an email afterwards. Everything on this side of the fence was talk about about Justin. And what if somebody said something and all of a sudden it came to me?
Rick:Oh, yeah. We didn't
Justin:talk about anything criminal. It was a bible study. But I was just thinking, like
Rick:Yeah.
Justin:Now that it's discoverable and Justin said this in the notes, you know,
Rick:type of thing It's all transcribed. Yeah. Exactly.
Joe:Oh, I see.
Justin:Do, like, an invest, you know, somebody saw it on
Joe:Repudiation. Non-repudiation.
Justin:Yeah. Like, if there was an email, you know, freeze on the company and it got swept up, but it was part of the collection of evidence Absolutely right. And they saw, like, Justin was joking around on, you know, tax evasion or whatever. Oh, look at this, you know, type of thing. And just another thing that the, you know, defense or prosecutor the the other side would just send along, like, hey.
Justin:She just said here that, you know, he's doing a crime. You know? Have you had So
Joe:let let's get
Justin:some Mhmm.
Rick:Sorry. I don't know. Have these notetaker apps had to respond to, like, any requests from the CIA or FBI yet? And, like, because, I mean, like, FBI and Apple have to, but there's potentially a lot of information there, actually.
Joe:And and we would never know.
Rick:Right. Of course. Right.
Joe:Yeah. I never thought of that either.
Rick:How would they treat, you know, government requests for information?
Joe:Right. Yeah. That's very interesting. So what should, so GRC persons listen to this. They're like, you know what?
Joe:My company has give up. Give up. Yeah. There there's a I saw a job out at Sheetz,
Rick:do the whole,
Justin:what's that movie American Beauty? He's like, I just want the least amount of responsibility.
Joe:Yeah. You're overqualified for
Justin:me, sir.
Joe:So but, you know, what are what are your takeaways or tips for, GRC teams that have to worry about, well, is it Fireflies or Fathom or any of the other, tools that are doing it or even evaluating, like, Zoom or Google or Microsoft's.
Rick:Yeah. I think they do. The best one I have is roll it out slowly. Like, on the
Joe:Not that part. What about the, what about the analysis in order to give approval to the company to use that product?
Rick:Well, that's what I'm saying. Like, I don't know that you give approval to the company in one swing.
Joe:Oh, I see what you're saying.
Rick:I think you give approval. Okay. We're gonna start with this specific team, and then you start to understand, to some extent, the nature of the conversations that team has. Because I don't know that you can treat every combination between every two individuals the same when it comes to that stuff. I mean, two executives talking is very, very different potentially than two analysts talking.
Rick:Right? And what happens to that data? Who can analyze it? How it's searchable? How do you make it so that Copilot doesn't accidentally pick it up in its summaries?
Rick:Like, there's probably stuff there. So, that my my gut tells me I didn't think there's you have to do all the right vendor stuff. You know,
Justin:all that different stuff. Yeah.
Rick:And I think there's a lot there too. But from a rollout perspective, I almost alternate for like, many of these tools are probably okay in specific situations. And so if you evaluate those specific situations, like, that's probably, to me, more the thing because
Joe:So acceptable use
Rick:for the product.
Justin:Yep. Yep. And a lot of times, yeah, you can't even say no. You say, like, whether it's okay or not. Usually the business has already made up its mind.
Justin:So It's already purchased. From a security perspective, we're trying to just minimize the risk of it rolling out and
Joe:I see. Some companies are like that. We've, recently seen some companies where when security says they can't do it
Justin:Yeah.
Joe:They can't do it. Yeah. It gets denied, and there's just no
Justin:I don't even think that's the security responsibility there. Security is, in my opinion, to to identify the risk and let business decide. Yeah. You know, type of thing. Because, you know, we talk about two executives, you know, talking maybe that's just an awareness and training thing, like, you know, hey, executives, if you wanna have a private conversation, you know, and By default, it's off.
Justin:You have
Rick:to turn or whatever that is.
Justin:Yeah. By default, it's off. You have to turn it on. Or if it's default on, maybe you just call each other. Like and, again, that's more of a training thing.
Justin:You know? Like, that's you know? Again, you know? Yeah.
Rick:But data sovereignty is gonna get complicated, I think.
Justin:Mhmm.
Rick:So, like, where is the data stored? How is it stored? I think is huge. The access stuff is huge. Right?
Rick:Because, I mean, I don't know. I haven't evaluated any of these vendors, but do they work kinda like your big cloud providers where, you know, oh, no. Like, your data is none of our business type thing.
Justin:Mhmm.
Rick:Or is it, well, no. You know, we're a small start up. We're pretty agile. Our admins can definitely look into your transcription to help identify issues and That's
Joe:a good checklist item to understand. Yeah. Would you expect these companies to have, like, a SOC 2 attestation or a certification or something?
Justin:Yeah. I mean, they have to have some due diligence. That's The more they have
Rick:to do due diligence again. Yeah.
Joe:Yeah.
Justin:Against them. You know? You can't just take the word that say, like, we're good from security. Now we could argue and probably get a whole discussion of how much that's worth it. And I already mentioned today, assume that you're gonna have vendors breach, you know, at this at the end of the day.
Rick:But you still do have to clear a bar to get it.
Justin:Exactly. You know? So they should have something.
Joe:So what you said is pretty good for people to think about is let's just assume that the vendor your your favorite vendor for your AI note taking publishes that they're breached tomorrow. How does that affect you? And should you be talking about that as you're deciding whether you wanna use this tool?
Rick:That's why I wanna why I wanna know very specifically who in my organization has been approved to use this yet.
Justin:You said, you're not moving from Marriott, yet they've been breached three times. So You
Joe:know, I still shop at Target.
Justin:Yeah. Yeah. I mean, at this point, you know, it it depends on the organization. But sometimes I look at the organization. If they've been breached, they're probably better at security than they were before.
Justin:You know?
Joe:Because they had a twenty year consent decree.
Justin:Well, not even that. Like, hopefully, if they've got a wake up call and had to deal even with some of the legal aspects of it that they're saying, we don't want to do this again, you know, type of thing.
Rick:But I like, recordings of potentially every particularly in, like, remote work situations, like recordings of potentially every conversation that happens. I mean, is it that different than email or Right. I'm or whatever? Well, not really, but how much of that is, like, on prem or with providers that are, like, very well vetted? I think what part of the concern here is there's tons of these note taking providers, and I don't know how thoroughly they've been put through the wringer.
Joe:More likely to be startup y.
Rick:Yeah.
Joe:Especially the ones that have the really cool features that you want to get. Right. And what's the first thing you have to do in order to have these really cool features work? Well, you have to give it access to your inbox. You have to, you know, give it all this permission.
Rick:Right.
Joe:And then
Justin:Do you have to give it access to your inbox?
Joe:Not for AI notetakers.
Justin:Oh.
Joe:But there's this one AI notetaker that the AI notetaking is a side effect of something they also do. But the main thing I found very interesting about them, and I need to look into them more, just search for me to tell me about it, is that it will go in and look at all your email. It'll look at all the new ones. It'll actually generate responses that you can almost just click on for each email that you have in your inbox that
Justin:you're looking for. Right now. Gemini, I think if you turn it on, does that right now, type of thing. Like, the Apple Intelligence, they're moving that out right now Yeah. And give summaries and all that stuff, you know, type of thing.
Justin:Is that
Rick:all local?
Justin:I don't I don't know all the Okay. It can't be all local. Yeah. I was gonna say process. Yeah.
Justin:Yes. Like But
Joe:the Apple one, I would be like, you know what? It's an Apple thing. Yeah. They're pretty good. Pretty good now.
Justin:Go with that. But if it's
Joe:the, new startup that's looking to get, couple million dollars in VC in order to move their stuff forward
Justin:Yeah. I don't know. It's weird.
Rick:And and and they they might
Justin:be great. They might be better than
Rick:the big players because they started with that in mind. But, like, yeah, they're gonna take it on a case by case basis. Yeah. Yep. That's a great topic.
Justin:So we may have time for one more here.
Joe:Which one do you wanna do?
Justin:Let's do HIPAA.
Rick:Yeah. I like that one.
Joe:Yeah. So well, you said this. Certainly brought this up earlier, Justin.
Justin:Yeah.
Joe:What year was it that, HIPAA went into effect? Nineteen
Justin:ninety six.
Joe:Nineteen ninety-six. And this is the first time there really
Justin:well there was HITECH. Yeah.
Joe:But this is the first like major HIPAA overhaul. And so, and you brought up something else because then we're we're kinda at the mercy of the administration right now that just went into place.
Justin:Yep.
Joe:And, the administration may be looking to is looking to pull back certain, regulatory
Justin:Yeah. They put a moratorium on all regulatory stuff pending review Right. Type of thing. And they just I mean, new administration, they're they're they're kinda freezing everything until they get their own people in and clear it out. I'm not sure I think this is a cross, cross, political party item.
Justin:Okay. And I don't see this being a a show stopper. But, again, it comes down to priorities. Right. Either which way, one of the things first off, and I'm follow the you know, I I being in governance, you've learned to, see how the rules are passed and all that stuff.
Justin:One of the things that first, like, caught my eye is, like, how is it that they're gonna update this law when this was passed by Congress? You know, like, HHS is gonna update the law. Apparently, I think it was in 2009, there's a reasonableness, you know, type of thing that as long as they're sticking within the spirit of it, they can update laws to stay current and everything.
Rick:And that's actually the intent across a lot of departments really because, like, the the intended approach was, oh, congress doesn't have to be an expert in everything everything. You rely on certain departments to do the things. So I think
Justin:And it's become, like, over the twenty, twenty five years, it's gotten more
Rick:It's gotten complicated.
Justin:You know, where they're pushing it more to the executive branch to make up their own rules Yeah. And everything. And we could argue plus and minuses onto that. But in this case here, HIPAA does need a refresh. Oh,
Joe:yeah. Oh, there's so many things that are antiquated in the, first version that I really like what they're fixing.
Justin:Mhmm.
Joe:And so well, just some other facts, though, is, is this could go into effect as early as the end of twenty twenty five or early twenty twenty six?
Rick:I saw that. I can't imagine.
Joe:Well, right now it's, request for comment. Yeah. And and that is, expiring in March. Yep. And then there's a, sixty day period.
Joe:So once a once that's done, then there's some unknown time and then the final one.
Rick:And then it's, like, a hundred day for a
Justin:day or a hundred eighty for a month.
Joe:Days until it goes into effect after being, published. And then you have a another hundred and eighty days in order to, for most places to be able to
Justin:And they could do another iteration of like, every department does a little bit of like, CMMC, like, see how long that's taken to go out. Like, I remember following when they did the second amendment to the New York DFS, Yeah. Cybersecurity standard, reg 500. They took three, requests for comment.
Joe:Yeah. So that's another sixty days, another sixty
Justin:days, whatever.
Rick:Like, at
Justin:the end, they were just like their comments coming in, they were like, yeah. We're doing it our way. Yeah. We're doing our like, it was just very short, like, yeah. We're not doing.
Justin:Yeah. Like, they just got but, yeah, they took three. Yeah. Again, like, not knowing the time line. You know?
Justin:Well, sure.
Joe:So at some at some point, it'll be finalized. Yeah. And it was, published in the Federal Register, and that's what becomes the official time clock for the sixty days. And just to give context. You can go look this thing up.
Joe:It's a short, only 125 pages, three columns, small print
Justin:Yeah.
Joe:Document. But it's summarized, really nicely on the HHS website
Justin:Yeah.
Joe:With I don't know. It looks like a couple dozen main categories of things. And, well, my question to you guys is even if it doesn't go into effect, did you see anything in it that's not worth doing? And we can talk about what what they're talking about.
Rick:No. I liked it.
Justin:But they're I I really wanna see how they're gonna deal with because they talk about, like, smaller organizations. Yes. Yeah. You know, type of thing. And, like, some of the stuff is, like, you know, they need, essentially a CMDB and inventory systems that it's all under scope with that.
Justin:That's one thing that HIPAA didn't have. And when I do HIPAA assessments, we I generally recommend, 800,
Rick:96.
Justin:Yeah. 66. And they added a few additional things outside HIPAA, one of it being inventory. They're like, do a risk assessment across your HIPAA environment. But right before they're going, identify what your HIPAA environment is How
Joe:can I secure it if you don't know your
Justin:health care? Exactly. You know? So these are all good stuff, but, you know, when you're talking about, like, a a five site Yeah. Dental site or, you know, a single practitioner's office, you know, or something like that.
Joe:Some of these are gonna be a little tough and they're a little bit, like, I don't think they're wrong and they should be doing them. Right. But I don't expect it to be reasonable. So I have something else I want to go back to. But for those, vuln scanning every six months and a pen test annually for most organizations, they should be doing vuln scanning, at least on a continuous model.
Joe:What does continuous mean? To me, it's like, would you have a monthly cycle to get things done, and do a pen test every year? It seems to make sense. But I've talked to companies that have been in existence for five years. They're coming on as new customers, and they've never done a pen test.
Joe:And then we get into the point of one of the things we do is, well, they just want us to run their security program for a VGRC perspective. So because they want to be able to be audit ready for that SOC two or something. We'll just throw in. You get a pen test. Right.
Justin:Every
Joe:year you just get a pen test. Yeah.
Justin:But
Joe:we don't want to pay for the pen test. Can you reduce our cost now? It's no nothing extra.
Justin:Yeah.
Joe:We'll do a pen test. We'll do a tabletop exercise, which is another thing I think they said you need to do is, you know, be able to test your response or your recovery.
Justin:Yep. But, yeah, they have it in the requirement that you have to do, a full blown security, assessment and everything. And they give, they don't say it has to be external, but they say you have to evaluate essentially the capabilities of who will do it internally. Yep. You know, type of thing.
Justin:So kind of hinting to say, like, if you don't have a security team, like You need
Joe:a you need somebody qualified.
Justin:Yeah. Right. Exactly. Yeah. But, again, like, we all come down to this and we're like, I don't disagree with that, but I I think of the little guy.
Justin:You know? And how are they gonna what line are they gonna draw in the sand? How are they gonna put a reasonability into this? You know?
Joe:Well, this applies not just to hospitals, but to business associates. Well
Justin:Yeah. Yeah. And the associates and the associate.
Rick:Like It's a follow the day. Yeah. Like, all that. It's a follow the data.
Justin:And you have to give a certification every single year to each one of that pathways.
Rick:I I yeah. My my take on this
Justin:is Or not certification. A claim that you're Yeah. Yeah, essentially doing.
Rick:It's all good stuff. I like that they're reducing the complexity of, like, the required versus addressable.
Justin:Oh, yeah. We didn't mention that. Yeah.
Rick:I like that that's I like that it's gone.
Joe:Well, what does that mean? For anybody who doesn't understand the difference between what was there before with addressable versus now required.
Justin:Well,
Rick:I mean,
Justin:it's Do I make up?
Rick:Yeah. Why don't you go? I
Justin:so it essentially wasn't too different, to it. So they labeled a whole bunch of required ones and said every organization had an SDS. The addressable ones, if you look at a lot of the HHS, they said, if your environment is applicable to this, you still have to put it into four.
Joe:Address it.
Rick:It's a great question. Essentially put out of it is how I always kinda thought about it.
Justin:But but you could you still had to put the control in if it was applicable within your environment. So a lot of the controls were, like, wireless or, you know, or something along that line.
Joe:What would people do instead? They would start to claim it's not addressable
Justin:Right.
Joe:And wouldn't really do it.
Justin:Yeah. But you have to look at, again, whether it's applicable to your environment. You didn't have the option to say no if it it had an impact into your environment, technically, as the reg was written. But a lot of people
Rick:would use to talk around it.
Joe:They would take advantage of the fact that it says addressable Right. And then not do anything. Right.
Justin:But now it's it's essentially just, will be a list of requirements. And there might be nonapplicable stuff, but that's how you would explain it away, you know, type of thing. Like, I I don't know what it would be, but, you know, if you didn't have any PHI at rest, then you don't have to do encryption at rest because you didn't have any PHI. You know? You know?
Justin:Or
Rick:something like that. You know? Intentionally flexible. Right? But to your point, people would take advantage of it.
Rick:So I like that it's simpler from that perspective. But to your guys' point about the little guy, I mean, there's so many very small organizations that deal with legitimate health data. Right? And even just, like, not for profits and stuff like that. Right?
Rick:Yeah. I mean, they don't necessarily have big budgets. They don't you know, in marshaling the resources to do some of these things is gonna be problematic. I'm not here to defend CMMC, but, you know, I do think I think the potential for some leveling here might might make some sense That's
Joe:very interesting.
Rick:Whether it's across the controls or at a minimum in terms of, like, the implementation case.
Justin:Well, and I like how so I think it should be on the amount of records that they deal with. Because when we're looking at kind of impact, I think that should be where the bar is no matter kind of size, you know, type of thing. Like, if if you're a small organization, most likely you're gonna do with less records.
Joe:Unless you're a small organization that's a software as a service Right. Who's servicing that huge big
Justin:to a higher standard of that. Huge hospital. Because, again, we're looking at impact if you were breached. So if you have more records, you should be held to a higher standard, you know, into that. And I don't I don't know where that bar would be, but that's essentially where I'm thinking, like, you need the next level of security if you're over 5,000,000 PHI records, you know, individual PHI records or something like that.
Justin:Like, if you're dealing that much, then, hey. You get the full gamut. If you're less than that, like a, you know, a mom and pop, you know, general practitioner office, okay. You know, you probably have a thousand clients or 1,500 or whatever it is. You know?
Rick:PCI really did a number on you.
Justin:Well, PCI, and but that's, you still have to do the full gamut is
Rick:Oh, that's true.
Justin:How much you're measured.
Rick:That's true. Yeah. That's fair. Well, was that a potential option as well?
Justin:I mean, maybe. Yeah. I think that should also be into there because I they're they're also gonna put in that they're gonna do more regular audits. Like, that was, some of the stuff. It's not in the law here, but
Joe:Oh, that just came out as a yeah.
Justin:Yeah. That they want to do regular audits, and they've been very sporadic. It's like Oh, yeah. You know, they paid, what, PwC one year to do a whole bunch of audits. And it was it's It was
Joe:about three years ago or so.
Justin:Yeah. And they split up between BAs and covered entities. Like, it was, like, was it one fifty covered entities and 50 BAs or, like, one twenty five or something like that. It was, like, 200 total scope, and they basically said go and do the audit.
Joe:Do you think they'll, under this new administration, get the funding in order to do that, or do you think that's one of the things that they're
Rick:trying to
Justin:That's a that I'm not a
Joe:I have no I have no idea either.
Justin:Yeah. I mean, we'll see how it shakes out.
Rick:But there I mean, I I can I don't know how people are gonna take sides, but politically, I do expect there to be battles because the cost to implement is gonna be high, and people are going to be looking to figure out how that impacts them on, you know, how how it impacts people's political futures if they're impacting a bunch of small business owners or whatever that looks like? Yeah.
Joe:Yeah. And so just there's like, I wrote down a list of, like, 15 or 10 of these items that I thought were interesting. You hit on a couple of them. One, some other ones I think would be interesting for just people to know about. Not only should they put the asset inventory together, but it's also the part of that requirement is to put in a data flow diagram together about how it flows across the network.
Joe:And, and then you also have to do your annual compliance audits against the security rule requirements.
Rick:Yeah.
Joe:So what does that mean? It means take a look at the actual law and do your gap assessment. So somebody comes typically, people have done I've seen this done wrong a lot of times. People would say, well, I need to do my assessment. What does that mean?
Joe:They went through the HIPAA rules. Yeah. And they said, yes, I'm doing these or no, I'm not. And what are they doing? And then that's different than the risk.
Rick:The risk is otherwise totally different.
Joe:Is asset based on your, you know, your threats and your vulnerabilities. Yep. And And so you got to handle that.
Rick:And they clarified a lot of the risk assessment stuff in this. Right?
Joe:They did.
Rick:And I and I like those clarifications.
Joe:They increased the requirements for them too. So you need to get yourself aware of those. And then business partners must confirm every year in writing that they have the required security measurements to protect, exactly. I'm gonna skip a couple of these. They're, they're in there, but one thing I like requiring MFA.
Joe:Yeah. You can't get enough MFA. That's multifactor authentication if you didn't know.
Justin:See. Could there be exceptions into that? I didn't see if there was.
Joe:I didn't see exceptions to MFA. I didn't see any exceptions to that written in there.
Rick:Gonna get funky with some
Justin:old I know with technology. DFS and everything. It was essentially, like, the same requirement, but the CISO could, authorize exceptions.
Joe:Right.
Justin:Type of thing, which I think is appropriate because there might be a situation. You know, when you're dealing with a critical SaaS that you just can't get rid of or something like that. Yep.
Joe:Yeah. That's it. I don't know. You know,
Justin:I type it in. Unfold. Yeah.
Joe:Well, maybe that'll come out in the comments to get clarified.
Justin:Mhmm.
Joe:And then some other ones, require network segmentation. What does that mean? That was it's so simple. Require network segmentation.
Justin:Well, what I've done multiple calls on HIPAA segmentation on that. And I was like, yeah. It's not required, but now it is. Now it is.
Joe:So, you know, and and shameless plug, Amar, our website, we just did a blog post on this
Rick:Oh, did you?
Joe:Summarizing the rules. We have a checklist of things you can go do.
Justin:Awesome. We'll do that in the show notes.
Joe:Yeah.
Justin:Yeah. That's right. There.
Rick:Yeah. Network's not I but network segmentation is one I see organizations get wrong a lot because you'll have infrastructure teams being like, yeah, we put everything in, like, buckets of IP addresses. And they're like, okay. You restrict any traffic between them? I go, no.
Rick:Why would we do that? Yeah.
Justin:It's on a different VLAN. Yeah. It's segment. Yeah.
Joe:So yeah. And and how's that gonna work? Right. Especially for a small organization, like, one it's segmentation, if you're small enough, is one segment. What you got is all you need.
Joe:Right. So Yeah.
Rick:Yeah. It gets weird.
Joe:Anyway, I think we beat up, the new HIPAA Yeah. Item, pretty well. It's out there. It's new. It's not in place yet.
Joe:It might be in place. Late twenty twenty five, early twenty twenty six.
Rick:Comment on the past.
Justin:We'll have another episode on it on what the actual Yeah.
Rick:That's fair.
Justin:I I yeah. Yeah.
Rick:I think that'd be good.
Justin:Yeah. But definitely And,
Joe:you know
Rick:Directly, I like it. I just don't know what it's gonna do to a small Yeah.
Justin:It'll be interesting. So, I I hope some version of it does pass, type of thing. And, hopefully, it's reasonable enough that it includes, like, considerations for smaller organizations. If that's that would be my perfect scenario if that all happened. I think
Rick:that's right.
Joe:Otherwise, we'll see a lot of, new twenty year consent decrees.
Justin:Yeah. Right? Yep. So Yeah. They like dishing out the fine.
Justin:So hey, gentlemen. Cheers, guys.
Rick:Yeah. Keep your
Justin:time. And everything. Thank you all, for joining us. Don't forget to like, comment, and subscribe, and join us next month as we do episode 10. Thanks all.
Justin:Bye.
