Cybersecurity and compliance: What's here, what's next?

Chris Sienko: We recently hit yet another huge milestone here at the Cyber Work Podcast, 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you watch the YouTube videos go live and chat with each other in the comments and everyone who is helping us to grow this great community.

To give back, we’re now giving you 30 days of team training for teams of 10 or more. Your Infosec skills account will help you and your entire team develop their skills and earn CPEs to a hundreds of IT and security courses, cloud-hosted cyber ranges, hands-on projects, skills assessments and certification practice exams. Plus, you can easily monitor, assign and track training progress with team admin and reporting features.

If you have 10 or more people who needs skills training, head over to infosecinstitute.com/cyberwork or click the link in the description to take advantage of the special offer for Cyber Work listeners. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.

On that note, I’ve got someone I’d like you to meet, so let’s begin the episode.

Welcome to another episode of the Cyber Work with Infosec Podcast, the weekly podcast in which we talk with a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry.

Today’s podcast episode is the audio from a webinar we released on March 3rd entitled Cybersecurity and Compliance: What’s here? What’s next? Compliance and regulation from CCPA to GDPR to numerous industry specific regulations have all been subjects on the podcast. Clearly, these are issues that are not going away anytime soon. It's been said that regulation never rolls backwards. Once passed and enforced, laws like the California Consumer Privacy Act or CCPA will ripple across the US state-by-state, until such regulations are universal.

Our speakers, Scott Madsen, the CEO of Cingo Solutions and Jeff Dennis, the Head of Privacy and Data Security with Newmeyer Dillion will provide expert advice to help you stay compliant in 2020, while also teaching practical theory that will help you to stay malleable and receptive for compliance regulations yet to come.

Learn how cybersecurity professionals can deal with the changing compliance landscape, including what organizations are affected by CCPA and equivalent laws, why IT and security pros need regulation, regulatory compliance expertise and how to build privacy and compliance into your overall cybersecurity strategy.

Now let's head over to the webinar with Scott Madsen, Jeff Dennis and moderator, Camille Raymond entitled Cybersecurity and Compliance: What's here? What's next?

Camille: We are very fortunate today to have this expert panel with us and excited to have them share their knowledge with you today regarding cybersecurity compliance and what you can expect in 2020 and beyond.

First, we have Scott Madsen and he's the CEO of Cingo Solutions. Cingo is a managed detection and response cybersecurity provider that has recently become SOC2 certified. Scott leads the organization with an emphasis on strategic process and integration. He's passionate about technical solutions, development, customer user experience, cybersecurity innovation and also, European automotive history.

We also have Jeff and Jeff Dennis is the Head of Newmeyer Dillion’s privacy and data security practice. As a certified graduate of Harvard X's cybersecurity risk management program and a holder of the esteemed certified information privacy professional/US private sector, also known as the CIPP US Designation, Jeff advises his clients on a multitude of privacy and cybersecurity related issues, including proper preparation, compliance, risk avoidance and breach response with the goal of advancing his clients’ business interests through the implementation of a strong privacy and data security governance structure.

Thank you all for joining us today and especially Scott and Jeff, who also graciously helped us prepare an informative document that can be found in the handout tab. Make sure you take a peek at that.

Let's go ahead and jump into discussing with our regulation expert. Jeff, why is regulation important when it comes to the management of personal data?

Jeff: Well first off, we would like to thank you and Infosec for having me today. Obviously, thanks to all the participants in the audience for spending a few minutes with us today to discuss regulatory frameworks in cybersecurity.

Regulation has become important in the wake of numerous high-profile data breaches. Frankly, with the absence of national framework, state governments have stepped in in an attempt to protect their own citizen’s personal information. Since businesses have not been able to get it done in the corporate world, regulation has become necessary and important to protect and manage personal data.

These regulations, what they do is they set forth the framework for protection and provide consequences if they are unfortunately necessary to punish those who lose individual’s personal data.

Now the key for businesses and the real important takeaway that you'll hear us say over and over again is that it's important for businesses to find resources, who are knowledgeable about the regulations, in whatever form and whatever state or governmental agency sets them forth, and assist companies with achieving compliance. Scott, what are your thoughts?

Scott: Yeah. Also, thank you to Infosec and Camille for having us on. This is such an important topic to discuss at this juncture. I think that it's a fairly uncommon thing to have any anybody in IT have any specialty over with compliance, so I appreciate Jeff as well being here to walk us through a couple of the things we're going to discuss today.

Really, what's happening if you look at privacy and data privacy specifically, is that the landscape is just continually shifting. It's getting more and more sophisticated. The threats are getting more and more sophisticated. Our defenses should by nature, become more and more sophisticated as well.

I think that anytime you have a regulation stepping in, whether it's state or federal, it is to deal with something that the market is not adapting to itself. I think the regulations regarding public safety are usually the least likely to be to be rolled back, or least likely to disappear over time. For those of us paying attention a couple of days ago, I think it was Monday, on the front page of Apple News, it talked about the Experian hack a couple years ago being linked to the Chinese military.

I think this is important for a few reasons. Historically, we've looked at cybercrime as individuals is not necessarily organized. 2019 was the first year that cybercrime surpassed trafficking and drug trafficking and human trafficking in profitability for organized criminals. I think that again, when you have the resources that the Chinese government has to start coming after American company as an American intellectual property, it's time that we start to put in a standard.

I think that for the general public, a lot of people just don't understand this stuff and they don't deal with them on a day-to-day basis. I think that these regulations while they're going to be tough, there's going to be a painful process of having to adapt, having to invest internally and your company to get these to meet the standard. I do think it's medicine we've been putting off. It's something we should have been dealing with probably quite a while ago.

Jeff: Yeah, Scott. I agree with you. I think it's important for listeners to understand that that we are really at the tip of the iceberg, if you will, in terms of privacy regulations. The other concept I wanted to comment for briefly on as you mentioned, the Chinese hackers and the Equifax breach, this is the whole concept of attribution, which as all of us know is one of the more complicated portions of defending against cybersecurity attacks, is trying to figure out who exactly is responsible for them. Why that's important is that if you can figure out who's responsible, you can figure out how to defend yourself better in the future.

Scott: Yeah. Yeah, exactly agree. I think that as this continues to get more and more sophisticated, it's not – I think a lot of people have a misconception that somewhere is a hacker in a basement that's constantly trying to get into your network, or to gain entry into your personal data. At this point, t's sophisticated enough where there's automated programming that's just looking for IPs that have any opening or exposure.

It's not people are able to use technology to leverage that that skill of trying to penetrate and it's something that people need to be aware of is happening 24/7. It's not they don't get tired, they don't take days off. It's just something that is the new normal for us as a business owners, as people who are maintaining and handling personal data. It's something we're going to be dealing with for the long term.

Camille: Absolutely. I think you touched on it briefly, but it's definitely also a consideration that you said. More people are learning, not necessarily how to be hackers, but there's just so much more opportunity for this to be happening. That leads into the next question, which organizations are affected by the CCPA-like laws? Or is there anyone that's more susceptible to needing to comply with this?

Jeff: Camille, I'll start with this one as well. I think it's important too to start – let's just start with the CCPA, the California Consumer Privacy Act, which has a three-prong test to determine whether or not you need to comply with the CCPA. The first is quite simply, are you a for-profit business? The second prong, are you doing business within the State of California?

Now the key here, the distinction on the second prong is that you do not actually need a physical presence in the state of California, as long as you are doing business with California residents. That's the second prong. The third prong is you must be one of three criteria, either one, your company does angel revenue in excess of 25 million dollars. Or two, you collect share, or possess 50,000 pieces or more of consumer, household or device information. The last criteria would be if you obtain 50% or more of your revenue from the sale of personal information and we won't get into it here, but the definition of sale under the CCPA is much broader than what one would naturally think it would be.

That's how the CCPA, that's how California has approached organizations that are impacted by the CCPA. Other states have similar standards, but they might differ. For instance, Nevada SB 220 applies to companies that operate websites for Nevada consumers. It doesn't have the same three-prong test. It's just a very straightforward simple standard.

There are numerous states, more than a dozen at this point which have pending privacy legislation in their books and in front of their rulemaking bodies. Although the states differ in their standards, there's always some combination of the impact on a specific states residence, the size of the company involved, the amount of personal information and what you do with that personal information and what your presence is in that particular state.

Every jurisdiction, which is going to either have a CCPA-like regulation or not, it's some combination of this. It's also important, Camille, you brought this up, there are other organizations and companies in the financial and health sectors that have additional regulations that they must meet in addition to laws like the CCPA. We're talking about HIPAA, or the Gramm-Leach-Bliley Act. There are a wide swath of organizations which are impacted by privacy regulations.

Scott: Yeah. I think what the CCPA does, so for those who are unfamiliar, the GDPR that was passed in the EU that started dealing with a lot of these privacy issues and then it ended up, the CCPA was the first one in the common US leads that I'm aware of. Jeff would be the better resource for this, where they're actually taking a stab at matching, or promoting a GDPR level solution.

I think that part of the difficult thing here is that there's going to be this new normal for a basic privacy protection for every single company no matter what state you live in, no matter where geographically you are. I think that a lot of people are unfamiliar with the portion of the law that requires companies who are domiciled outside of the state that are selling into the state of California to still meet the CCPA standard.

I think that it's something that you could really sneak up on a lot of businesses, realizing that even though they're not in that state, they still have to meet the requirements of law if they're selling into or doing business with people in the state of California. Also, that the other portion of this that I think is important to pay attention to is with the CCPA, there's an enforcement portion of this that's but that's unique, I think in certain ways to the CCPA.

It's not something that I'm aware of. Jeff, you please correct me if I'm giving incorrect information here, but in any other state, the privacy laws are more if you get caught with your hand in the cookie jar, meaning if your system is hacked, if you lose client data and you have to then notify the client base of what had happened, then you were responsible. What is different in the CCPA is that there will be an enforcement agency going out doing random audits make sure that people are meeting that standard.

Now if you have an enforcement agent show up at your shop and you haven't – you are wholly unaware of what the CCPA is referring to, or if you are wholly unprepared if you haven't taken action in any way to try and mitigate the potential for loss for your clients, then there's a very aggressive fee structure that's associated from the state in non-compliance. I think that for most organizations, that's something that's going to be unique to a lot of the other regulatory bodies that they may have to meet, like an annual audit, or an annual requirement.

I think that it's something that people are really going to need to be aware of. I think that it's a really important thing to find specialists, especially dealing with this who can help you think through your organization's solution to these problems, because it's going to be very unique to your way of doing business. There isn't going to be a one-size-fits-all solution. I think that you really need every organization really is going to need to find people who have the credibility and the history to really walk them through what's required and to be familiar enough with the CCPA to understand every potential issue that the company's going to be dealing with.

Jeff: Yeah, Scott. I agree with you. I think it is a very one-size-fits-one approach to regulatory compliance depending on a whole lot of factors, some of which we'll discuss a little bit later. Two points just to address a couple of issues; one, I think it's important for companies who may hear this and think, “Well, we don't do 25 million dollars in annual revenue. We don't need to worry about it.” You need to pay attention, because these laws and regulations will continue to evolve. It may be a 25 million dollar annual revenue standard today, but in two years, it may be much less than that. It's a word of caution to pay attention as these laws continue to evolve.

Secondly, on the enforcement point that Scott made, he is correct that the enforcement framework in California is somewhat unique. It's unique in this way. Or a technical privacy violation, a violation of one of the consumer rights set forth in the CCPA, the California Attorney General's Office actually has the sole enforcement authority to levy fines from $2,500 to $7,500 per violation.

However, there is also a private right of action which is scaring many companies who do business in California. There's a private right of action that consumers can bring if their data is breached, or somehow lost, stolen, acquired and maliciously used in any way.

The interesting thing under that private right of action is that you don't actually have to show or prove actual damages. It's a straight $100 to $750 penalty per piece of personal information that is that is stolen. The enforcement is a little tricky and it will continue to evolve and there's even talk of a CCPA 2.0 in California, where there will be a brand new agency created outside of the California Attorney General's Office, whose sole role will be to enforce the CCPA, which should give everyone a little bit of pause to consider.

Scott: Yeah. I think also, I mean, a lot of trends begin legally in California. I mean, cannabis, you see a lot of trends begin there that are state laws and then they influence what the federal government actually ends up enforcing. I think that looking at this is that this is an aggressive enforcement pattern that we haven't seen in any state as far as cybersecurity, or the responsibilities of an individual in the event of a breach.

It's something that I think if it goes the way that it typically has, you're going to start to see this as a trend in states of an actual enforcement agency being put out to try and identify and enforce compliance in this way. I think even if you're not in California, even if you are doing business in the State of California, it's just something to have on the radar.

Camille: Right. Now that transitions well to the federal level. We all are talking about the California Consumer Privacy Act, right? Because that's what's out there now. You had mentioned that maybe there's a dozen or so or more other states that are looking to do some type of similar regulation. I think there's a fear that that'll get pretty confusing if you have to follow the regulation of Wisconsin and the regulation of California and the regulation of Texas, or whatever it may be. If regulation is enacted on a federal level, how will organizations adapt?

Jeff: Well Camille, I think first of all, it really – the response depends on what those federal regulations look like and if and/or when they take effect. I will tell you, my belief is that as more and more states pass individual state regulatory frameworks, the pressure will grow on the federal government to set a standard, because as you correctly point out, imagine for instance having to comply with 50 different states privacy regulations, that would be a nightmare for any company who does business across state lines and in different jurisdictions.

There are a couple of key things to think about to adapt to federal regulations. First off, you need to retain help. You need good counsel and a technical expert, like Scott's team at Cingo, to guide you through whatever process the federal government might throw at corporate America. There are two real key issues that are going to be driving what the federal regulation looks like. One key question is will there be a private right of action as there is a partial private right of action in the state of California under the CCPA.

The second question is will federal law pre-empt existing or forthcoming state laws? That will be a fight between the states and the federal government and that will drive quite a bit of effort in terms of what companies need to do to get into compliance.

My best guess is that we will have something akin to a hybrid of the CCPA. There will be some similar requirements, privacy policies will need to be updated. Consumers will be given some level of control and/or choice about how their personal information is collected and used. There will be a strong to protect data. I think that's absolutely going to happen.

Businesses are really going to have to implement wide-ranging changes to meet any federal regulations in two different arenas. You're going to have on one side, you need the regulatory and privacy update, which needs to occur. Two, there's a very clear technical cybersecurity component of these laws that will also need attention, which is why regulation becomes really an enterprise-wide exercise. It's not solely an IT issue. It's not a legal issue. It's not a risk issue. It involves an entire organization.

The interesting thing and what we will now wait and see is what will the timing be on a federal regulation? Now that the impeachment process is come to a close, will the federal government turn towards privacy regulations and take it more seriously, or will there be another issue that that consumes their time? We will wait and see. It's an open-ended question.

Scott: Yeah, I agree. I think that the question isn't if it's enacted. The question is when and how they're going to make that work again with the states. I think that Jeff is exactly right. At Cingo, we are unique in a way, because we specialize in dealing with compliance issues, as well as cybersecurity, which means we have to deal with a lot of different compliance and regulatory agencies on a state level and on a federal level.

I can tell you that most of the state regulatory agencies we work with disagree in certain parts of the law, certain portions of the law with federal. The question really comes down constantly. Luckily, I'm not an attorney. I've got somebody like Jeff who can come in and help walk through exactly where the company needs to be in those areas of disagreement between the state and the federal government.

I think that whenever you have broad sweeping laws like this, it's going to be a mess for a few years. I think that you're going to have a lot of people who end up having to take the states to court and may end up going to the federal courts and what actually holds up in court is what's going to dictate precedents from there on out.

I think that it's where companies are stuck in really weird moment here, until we find out exactly what laws are going to be enforceable, what states are going to adopt, what the federal government's going to adopt. I think that again, the goal here is to try and understand the framework of where we are and you can get a trajectory for where it's going to lead to.

I think the important thing right now for companies to consider is number one, be an early adopter. Don't wait on everything. Figure out how to become compliant early, because again, that's what creates a bulwark between you and being caught unaware in the future. We always talk about as you can control – you can actually budget your expenditures if you're looking forward-facing. If you get in a situation where you're caught in non-compliance, you have no control over the fees and over what that's going to do to your company and your budget.

Early adopting is going to be key here as the regulatory framework starts to shift and adapt to the reality of what it's going to be in the future. Figuring out how to get your business on the right track early on it's going to be really important.

Jeff: I completely agree, Scott. I've been cautioning clients for 18 months since the CCPA was initially passed, that they needed to get going, but that's not human nature. We wait till the last moment and which means that it was incredibly busy in October, November, December of last year. As I cautioned my clients and you make a good point, without a whole lot of – without any really legal doctrines, or case law rulings coming down, we are all in this together. This is a team sport in which we're really going to have to wade through if, you will, the quicksand of privacy regulation in this country.

Until we figure out exactly what it's going to look like, because it's going to continue to change, again, people need to become comfortable with the fact that one, it's not going away and two, we're just going to have to wade through it and take it as it comes.

Scott: Agree.

Camille: Now looking ahead, I know we touched on this in the last slide here, that adaptive approach to we can expect change. Should we ignore the minimum requirements and use an adaptive approach to changing the regulatory frameworks, or do you have a different recommendation in that space?

Scott: Well, I think as a quick answer, no. Look, the difficult thing about cybersecurity is that no one thinks it's going to happen to them. I think to that is the continual message that in our efforts to, because it's not even about going in and necessarily selling cybersecurity. It's about educating the public on the fact that it's a reality in their life. I think that that is the number one effort that I think most cybersecurity companies are putting out there is just educating the public on awakening them to the dismal reality we all live in, which is that we haven't taken this seriously. There are a lot of people, a lot of even again, the Chinese government is endorsing this.

That's a very big deal that they actually linked it to that, because what it shows is that you have open checkbooks from nation states that are trying to siphon the IP of countries like the United States and to steal the intellectual property, to steal our research and development, to try and better themselves and I think it's something you really have to start taking seriously. I think that when we talk about the minimum requirements, the question to me is usually what's – instead of what the minimum requirement is, why don't we ask what it's going to take to keep our intellectual property safe, or what it's going to take to ensure your business is going to be functioning long-term, and that you have the bulwark again in place to protect yourself against these threats?

The statistics show there's a great document that you can look up. Tt's called the net diligence survey that we look at as a company every year. It’s actuarial data about breaches and these aren't just claimed breaches or things where people have gotten into a situation. These are breaches that have actually gone through the insurance payout process and they've been collected by insurance companies that's I think is based on five major insurance providers in the in the US.

You look at the statistical data for how companies are getting hit with this. The statistical data shows that once every five years that any company who does under, I think it's 200 million in revenue is going to be directly targeted for breach. Now when you start to think about that, it's not a question of if, it's a question of when. I can tell you, my dad used to tell me when I was a kid, used to joke around about this – we’d camp a lot. He said, “If you see a bear, you don't have to run faster than the bear. You just got to run faster than the guy next to you.”

In cybersecurity, it's very similar because people are going to look for the easy score. They're not going to want to go up against people who have taken the precautionary measures who have put the bulwark and who have created a boundary and a difficult scenario for people to hack. They're going to look for people who are wide open, who haven’t taken the precautionary steps and are just extraordinarily exposed for breach.

I think again, you can take the minimum requirements, but do so at your own risk. It's going to be more expensive long term, because the adaptation you're going to have to make is going to be more as your company gets more entrenched and that's PNP. You’re going to have to go back and make pretty severe changes. You just need to approach it with a wider scope.

Also lastly, regulation is adaptive. That's something I think Jeff could probably speak for an entire hour on himself as how regulation, it gets put out and then it litigates and then it amends, then it litigates and it amends. Slowly, it grows into and morphs into a completely different scenario than it may start with. Setting a one-size-fits-all, or one-solution-fits-all approach is not going to give your company the security, I think that it needs and you're not going to be within compliance if you just take it one year approach. I'm just looking at the current stuff on the books and then I'm going to develop till we hit that point and then stop.

Jeff: Now Scott, I think you're right. To me the answer to this question isn't should I ignore them in requirements? The question for me is how far beyond the minimum requirements should you go? We certainly should not do less. I think the answer to the question I posed depends on a number of factors that are again, specific to each individual business; questions such as how much personal information do you collect? How sensitive is that personal information? What are you doing with the personal information? Are you just keeping it? Are you selling it? Are you protecting it? How long do you keep the personal information? Then what's your appetite for risk?

Every company has a different appetite for risk in the cybersecurity space, which is what you would expect. The best advice and the simplest advice that I can give and maybe it's not so simple, but the advice is easy to give, is to find a regulatory framework that matches up well with your needs and works well with your business model and operational structure.

There are a number of frameworks out there. NIST has a new standard that came out a few weeks ago. There's the old ISO 27001, CIS controls, the SEC published some guidance and practices a week or two ago. There are a lot of frameworks out there. I think the key is to choose one that works for your business and attempt to get there.

Nobody expects that overnight, you will suddenly be NIST compliant. That doesn't exist. You need to be working toward something, because I think that's what the regulators are going to look for if they come knocking at your door.

Scott: Agree.

Camille: Now, I think this brings light to the next question. Who's going to take care of this? Who's going to take care of all this compliance? Would you say that IT and security pros need to be well versed in compliance? Or who should be your resource for that?

Scott: I think ideally, they would be. Again, I think that in IT, if you say you work in IT, somehow everything gets thrown into the same basket, where everybody assumes that you have specialization and you've studied the disciplines in every facet of IT. Jeff and I were speaking a few days ago and he brought up a good point where he said, when it comes to legal advisors, you don't go to a divorce attorney for a TNE question, or for like Jeff, a privacy question.

There are really specific specializations that people hone and craft throughout their entire career. I think it's the exact same in IT. To imagine that you're going to have an IT professional, or an in-house IT person that is going to understand cybersecurity, that the difference between those two disciplines is vast. A cybersecurity expert could maybe do a fair portion of the in-house IT and the in-house IT could maybe do a fair portion of the cybersecurity.

At the end of the day, it's a discipline that requires a lot of effort and a lot of years of experience in order to hone. I think compliance, I mean, it's very rare for an IT person to understand compliance at all, except for maybe the compliance that the company needs to deal with if there's a standard, or a regulatory audit. I think again, it's something that we need to change in our mindset to realize that people, if you're dealing with something like this, something like the CCPA, you need to find people who understand it.

That doesn't mean that your in-house IT, or in-house legal can wrap their arms around it, but it doesn't mean that – it would be a great asset to the company, a great assets your people to help them have a backstop for understanding and for developing out systems internally, to verify and to check their approach with people who do this on a daily basis.

Jeff: Camille, I believe that not only do your IT and security pros need to be well versed in compliance, but other aspects in areas and divisions in your business do as well. As mentioned earlier, this is really an enterprise-wide team sport, if you will. All of these different groups need to be working in harmony to the best that they can, to ensure that compliance is achieved and that these privacy regulations are met.

Camille: Absolutely. I'll just round that out with saying that I think a lot of people outside of the technology sector, or the technology departments of a company, I think they really do loop IT and the security and compliance. I think they loop that as one specific group, where those are really three specific departments that each have their own specialties, as you mentioned.

I think that you gave some great tips for finding who is the best resource for those and whether that be an outside source, or whether that be someone who can do it all. If you have someone who can do it all, you should be paying them big bucks, because those are certainly all different job roles.

Jeff: Yeah, absolutely.

Camille: How could you tell if people on your team are capable of making those needed changes? I know we got into this a little bit as is figuring out who your specialists are. Real briefly, do you want to just give a couple of tips for how to tell?

Scott: Well, I think it would be very difficult for somebody, at least and I can only speak to the IT side, but it'd be very difficult for someone who doesn't have a very high specialty in IT to evaluate anybody in IT, which again is difficult when you're an executive trying to make a decision, especially when you're faced with something like compliance, that there's a lot of nitty-gritty, there's a lot of research and things that need to be done.

I think again, regulations they change and requirements change to stay compliant. I think that ongoing training is difficult for companies to be able to get in front of. I think it's an unfair thing to imagine that just because there's a compliance requirement and there's an IT aspect to it, you can throw it at your team and they're going to understand it.

I think, probably the number one thing that I think is going to be give you the best value is to just have your team evaluated, to find somebody who has the expertise to come in and help train them, help them get up to a standard that where they feel confident in what they're doing, they feel confident in the solutions they're employing. I think absolutely use external specialists, whether it's a you hire them for a one-time deal as a consultant, or if you engage them in a longer-term relationship.

Again, I would just warn companies and managers about trying to expect and load too much on the IT department in specializations they don't understand, because I think that again, you're setting somebody out for failure. Even worse, you're setting the company up for when you may believe that you're within compliance and you end up getting an audit. That confidence goes away really quickly when you start to look at the fact that maybe your people misinterpreted, or misunderstood what the regulation or the – what's calling for.

Jeff: Scott, you're absolutely right. I mean, having an internal IT team is fantastic, but it does not mean that you are necessarily covered in the cybersecurity realm. I think that the issue goes beyond just capability. It goes to one of available time and resources, that you need to really look at where you are in implementation on a whole variety of areas to see what resources and time your IT, or cyber team has available to implement these regulatory frameworks and make sure you're in compliance. There's this balance between the need to support your ongoing business operations, versus the need to implement security changes.

Let's be honest, there aren't a whole lot of IT team members, or cybersecurity pros that have an extra 40 hours in their week to implement these privacy regulations. You may need to go get outside help to fill in these gaps and I encourage you to do so.

Camille: Perfect. Now before we hop to our last question before we get to our audience question and answer session, I just wanted to remind the audience, feel free to start submitting those, because we will get to your specific questions. We'll get to as many as we can. Feel free to start submitting those in the Q&A panel.

Scott and Jeff, I know you're both in this space. How do you find a professional service, or professional service providers who are competent in advising the company?

Jeff: Well Camille, I believe you can just hop on an Infosec webinar and find those people you need. No, I'm kidding. A joke. I think it's important to look for a number of things, right? In the privacy compliance space, you need to look for experience. You either look at knowledge base, professional certification. You don't want to retain somebody to help you in the privacy world who doesn't have that experience.

A lot of us have cut our teeth understanding regulations like the CCPA, developing efficient strategies to comply with those. It's important for businesses to find someone who understands that each individual business has its own appetite for risk, has its own business model and will require specialized attention.

An off-the-shelf product typically does not work very well for privacy and compliance, because every business is a little bit unique. Look for a service provider who really connects with you. You're going to spend quite a bit of time with these people and they need to understand your business in order to develop the right privacy policies and framework for you.

In the cybersecurity technical realm, again it's finding those folks who have been down this road and have done this. There are a whole host of companies out there. You need to find a great one, like Cingo, who really can come in and work very closely with your team to make it work. Cost on the other hand is also another issue. These regulatory compliance projects can spin out of control from a cost standpoint without some clear guidance and posts, if you will, lamppost to guide you along the way.

Can you find a service provider who's willing to work for a flat fee, or some sort of arrangement where you will have particular milestones, where you'll hit a flat fee to a milestone, you'll sit down, you'll discuss where you are and then let's start again and figure out what the next arrangement will be. Again, just a way to control costs, but those are the folks that I would look for.

Scott: Yeah, and I agree. I think something that's and I can speak from experience here, because I have to take my own medicine. I have to find vendors and people that I can work with, who especially as working in the intersection of cybersecurity and compliance, I have to have a legal opinion that matters, that people can rely on. I think that again, it's a very difficult thing to find people with specific specialization.

Jeff and I have known each other off and on through for a while now. I've at Cingo Solution, we've gone out and tried to find somebody who could really help us understand compliance in a way that is again, it has a deep history, you have really specific specializations in Jeff and his training in privacy. The reason why we ended up moving and looking at a relationship with them was because of how unique that specialization is.

I think that's something you really have to be aware of, because if people can't discuss with authority and break down sophisticated requirements to you and communicate with you, that's a red flag for me. Even in IT, it's something that I think IT companies and IT people have gotten away with for a lot of years, as we just try to use acronyms and tech speak and we get people lost in translation to where they just say, “Fine. Here's the check. Get it figured out. I don't understand. I don't want to understand it.” We've done a disservice to ourselves in doing so.

I think as we go out and look for people who can help us to deal with these requirements, the important thing that we deal within and something that we do in our vendor diligence to Cingo is we adhere to a concept we call SHAC, which is specialization, history, accountability and certification. You need to find somebody who has the specialization. You have to find somebody who's accredited, who has that in their history, they can clearly demonstrate the capacity to do so and perform. You need to look for the history and how long you've been doing this, what is what is the demographic, or what are the specific services that you can provide.

Accountability, you need to know that if you get caught in a tough situation that you can get – you can pick up the phone and get to somebody who can help you make good decisions in the moment. That is extraordinarily important. You don't want to be on a ticket and with a 40-day return. You want to get people on the phone right away to make sure that you're making the right decisions.

Then the last one is certification. You need to find somebody who's willing to especially if you're looking at cybersecurity, no cybersecurity company worth their salt is going to trade on their clients’ names, because again, it puts their – privacy is the name of the game. It puts their clients at risk, even when you – if people know that you are affiliated with them, it puts them out there as this is their type of security solution that they have in place. Again, it puts them on a radar.

Those third-party certifications are really important. For Cingo, we have our SOC2. It's something that we try to do to make sure that our clients are aware that every year, we get audited, we undergo a rigorous privacy policy audit and that we take that very seriously and we get through that.

I think, interview people, call as many people as you can, because there are going to be standouts and people who just understand this stuff to the core and that's going to give you the confidence in moving forward.

Camille: Sure. Those are definitely some great tips that I think, you do have to be cognizant of all the different providers out there. There is a lot to understand, so definitely look for those for those specialties. Really some great information you guys provided today and we really appreciate it. Thank you to all who have submitted questions so far.

We will dive into some of those. There's some great questions. We're going to get to as many of them as we can. Let's go ahead and start, regarding the value of privacy training and certifications for IT pros. This was a question that was submitted. Do you think that if you get some people on your team hooked up for privacy certifications, will that equip them to help with your compliance? I know Jeff, I believe you have a certification.

Jeff: I do. Obviously, I'm not an IT pro and I don't pretend to be. I believe that if your ITT team is investing in cybersecurity, privacy, certifications, I think that will help. Obviously, it can't hurt. The more your team knows, the more you can work from your internal knowledge base, I think the better off you are.

You also ask about the value of privacy training to take that and spin it a little bit differently. Privacy training is required under the CCPA. Every company that it must be in compliance with the CCPA must train their people. I'm in the midst of a whole host of training sessions this month and next month, because folks understand that the easiest way to comply with these regulations is to make sure that what is widely seen as your weakest link, your people are up to speed on what they need to do.

Scott: Yeah. I absolutely agree. I think that if you're looking at it as a employee, or as someone who is a IT professional looking at creating value in yourself, specializations are always what commands money. It commands the better paying jobs. You get put and you're usually the first one picked for management positions. It just shows an intent and a dedication to your craft. I think that anything you can do to try and figure out which area of IT that you're going to specialize in, it helps employers and respective employers understand where your strengths and weaknesses are and to be able to help put you in places and in positions that are going to help you grow as an individual, but also help the company by adding quite a bit of value.

Again, the longer that you stay in those positions, the more certs you obtain, the more you can use to go back to your management team and negotiate better rates. Again, it's a it's a win overall. I think if companies aren't doing that, if they don't have programs internally to help their IT staff gain additional certifications and different specialties, then I would invest, I would recommend investing in yourself if you're an employee. I mean, just take the time to build your craft, to build your offering. It's going to help you find those jobs that are high-paying and specialized and it'll help your career move forward.

Camille: Perfect. There's a follow-up question from Henry asking about a particular certification for compliance and regulations. I'll hop on to that question and just say that there are several different certifications, some based in the US, some based outside of the US. The International Association of Privacy Professionals has several different certifications, the IAPP, and offer some of those certifications here. If you'd like to discuss a specific interest, we'd be happy to help you out with that and point you in the right direction on that.

Following to the next question that I'd like to touch base on here, so this one is from Ross and he's talking a little bit about different elements that share common branding and how does that meet the other three elements regarding the security 1798 legislation. It said, it mentioned earlier the three elements in the AB 1355 that will determine if the entity is subject to the CCPA.

Jeff: Okay. If I'm understanding Ross's question, we're talking about companies which sound, which share common elements. For example, you may have a parent company which has six or seven subsidiaries, all of which share a common brand and the like. There hasn't been any clarification per se at this point from the California Attorney General, or the case law to give us a whole lot of guidance.

My suggestion is that if you are sharing common branding that you're most likely going to be looked at as being all of the same entity. For example, if you have a parent company with seven subsidiaries, each of whom does five million dollars in annual revenue, but you do share these common elements, common branding, common looks, themes, maybe names, I believe you're going to fall under the same umbrella and probably be seen as having a 35 million dollar annual revenue stream.

Again, my suggestion, my approach with all of my clients is to be conservative in this regard. I think there are some very simple straightforward things that can be done for in a very efficient manner and for not a whole lot of money, that will protect you from opportunistic plaintiffs attorneys in the State of California, elsewhere who may try to take advantage of these laws.

I would encourage folks to be conservative until we're told otherwise, because the last thing that you want to do is subject yourself to any of these privacy violation fines. They can be fairly very substantial.

Camille: Sure. Thank you. Thanks for clarifying that question. The way you worded it was a little better than myself. I think that that helps to answer that question is the parent company may meet the regulations about what do those smaller companies have to do. As Jeff just mentioned, just be cautious. It's better to be more prepared than less in that situation. Thanks for taking that question on.

We have time for just one or two more here before we select our skills winner and wrap-up. Let's go with the last question to be here. Tips on justifying the expense and how to measure what the expense might be of becoming compliant. That's a question here from Mike. Could either of you touch on what you can expect if you need help to become compliant, or what that cost might look like?

Scott: Right. I can only speak to how Cingo, how we've solved that problem here. What we've done is we tried to create a solution that takes into account our cybersecurity solution where we document things the way that we map the data and everything else. What our solution does is it actually adheres to every compliance requirement, or every regulatory requirement that we've run into. We've found that it's far easier to just create the solution, or to adapt the solutions to the highest requirement and then just have that trickle down to people who don't necessarily require it on a daily basis.

I think again, there's an expense in onboarding, there's an expense that you're going to have upfront in just instituting and converting to a new system, whether that’s from us or someone else. Then the long term though is that it just becomes a budgetary item. I think that Newmeyer does the same thing, where they basically amortize out over a year the way that we do the solutions, so that if in the next year – the one benefit to that is as the regulatory requirements adapt the solution is adaptive as well. Meaning that for us, Cingo is going to be taking into account any changes in the regulatory requirement for the environment you work in and we’ll be updating the systems to be compliant throughout.

I think with Newmeyer as well, having someone who is constantly getting that, continuing education is up with the case law, is up with the judgments that are happening. That's going to be imperative in again, maintaining that compliance long-term.

I’m sorry, I didn't answer your question. It depends on how large of the size of the company. It depends on how many desks, how many workstations that you guys employ. We have a flat fee for that. Most people, I think that a lot of the providers are going to have a similar scenario on the IT side.

Jeff: From the regulatory compliance side, again there are a whole host of factors that go into it. I will say that we developed a 90-day CCPA compliance program, which became a 30-day compliance program on December 1st of last year and continued to become a shorter time period. It is a flat fee arrangement. It's one where we go in and we sit down with the clients. We show them the wide range of options that they have and it certainly becomes a choose-your-own-adventure based on need and cost.

It is flexible. It's one of the nice things about our firm is that we're not a massive big law firm. We're a midsize firm that has a lot of experience in this area, and so we're able to devise a solution for each specific company at the price that works for them.

Again, it varies from – could be fairly inexpensive to quite expensive, depending on exactly what you need and what you want. Again, one of the challenges I know in IT, in the IT world is justifying the expense, showing ROI. Because when I was a managing partner of the firm, I always used to tell my partners that the times that I knew our IT team was doing their finest work was with the time that we never heard from them.

It's very coward counterintuitive in the business world to spend a lot of money for a team, or a program, or a device that you just don't hear a lot about. I can also tell you that it's much less expensive to incur the front-end expense, than get down the road and be facing a whole host of violations, fines, lawsuits. That's when things get really expensive.

Chris: I hope you enjoyed today's webinar episode. Just as a reminder, many of our podcasts also contain video components, which can be found at our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and other webinars. As ever, search Cyber Work with Infosec in your podcast app of choice for more episodes.

For a limited time only, the Cyber Work Podcast is offering listeners one free month of our Infosec skills learning platform. To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills, or click on the link in the episode description. Sign up for an individual subscription as you normally would and then in the coupon box, type the word ‘cyberwork’, no spaces, no capital letters and use it to claim your free month.

Thanks once again to Scott Madsen and Jeff Dennis and thank you all for listening. We will speak to you next week.