From security audits to privacy consulting: Building a GRC practice | Will Sweeney
Will Sweeney, founding and managing partner of Zaviant, joins the Cyber Work Podcast to discuss the evolving landscape of data privacy and GRC (governance, risk and compliance). With experience overseeing complex information security audits for Fortune 100 companies, Will shares insights on everything from the key differences between security auditing and implementation to whether privacy regulatory frameworks will continue multiplying or begin consolidating. He offers practical advice for GRC aspirants, emphasizing the importance of understanding core security processes rather than getting lost in framework structures. Will also discusses the challenges of starting a consultancy practice and provides valuable career guidance for those looking to transition into the data privacy and compliance space.
0:00 - Intro
1:15 - Cybersecurity Salary Guide promo
2:30 - Will Sweeney and his early tech background
6:45 - Building his first high school website
9:20 - Career pivot from IT to data privacy and GRC
12:15 - Audit vs. implementation: Understanding the difference
16:30 - Starting Zaviant and the GDPR opportunity
20:45 - Current challenges in data privacy compliance
24:10 - Common security gaps companies overlook
28:30 - Breaking into GRC: Skills and career advice
32:45 - Starting a consultancy: Hidden challenges
36:20 - The future of privacy regulations and AI impact
40:15 - Career advice for help desk professionals
41:30 - Closing thoughts
View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/
About Infosec
Infosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.
Transcript
[00:00:00] Chris Sienko: Today on Cyber Work, Will Sweeney of Zaviant joins me to discuss data privacy, GRC and the future of privacy regulations. Zaviant has overseen complex information security audits for much of the Fortune 100 companies. We talk about everything from the split between the skills needed for security auditing versus security implementation, whether privacy regulatory frameworks will continue multiplying or begin a process of consolidation, as well as a key way to understand many different compliance frameworks at once. The tip is to focus on the security processes themselves, not the structure of the framework.
GRC aspirants, there's a lot of tips to get you started here, so that's all today on Cyber Work.
The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications.
You can use it to navigate your way to a good-paying cybersecurity career.
So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.
Your cybersecurity journey starts here.
Now let's get the show started.
[00:01:36] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. I'm your host, Chris Sienko. My guests are a cross section of cybersecurity industry thought leaders. Our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leaving you with some tips and advice for breaking in or moving up in the cybersecurity industry.
My guest today, Will Sweeney, is the founding and managing partner of Zaviant. Before starting the firm in 2016, he held leadership roles at companies including KPMG, Comcast and IBM, gaining valuable experience overseeing complex information security audits and data privacy compliance for much of the Fortune 100. Today Will leads Zaviant's ever-growing team of data privacy and security experts who serve as trusted advisors to some of the nation's most prominent enterprises.
Will has been featured in the Philadelphia Business Journal 40 Under 40 and Titan 100 lists and is an active member of the Forbes Technology Council. Additionally, he is frequently published and quoted in the media for his industry expertise. When not working at Zaviant, Will is involved in a number of community and philanthropic initiatives, including the Giorgio Foundation, Irish American Business Chamber Network, the Centennial Education Foundation, the Uncommon Individual Foundation, and the Union League of Philadelphia's Legacy Foundation.
So today we're gonna be talking data privacy and GRC and whatever else comes up today. So Will, thanks for joining me and welcome to Cyber Work.
[00:03:03] Will Sweeney: Hey Chris, thank you so much for having me. Look forward to the conversation today.
[00:03:06] Chris Sienko: Absolutely. Same here. So, uh, so Will, let's start, uh, about your early years. Do you remember what the initial spark was that got you excited about, uh, tech, cybersecurity?
[00:03:15] Will Sweeney: Yeah. So, um, I was really lucky at an early age for, um, my dad who, uh, knew nothing about computers. He was a, uh, HVAC and, and plumbing technician. Um, he, he knew that computers were gonna be important, so he, he went out and bought me a computer at a very early age.
[00:03:31] Chris Sienko: Hmm.
[00:03:31] Will Sweeney: I remember it being a Packard Bell computer and just kind of, you know, doing some initial experimentation with it and trying to learn. I think at that point we were on Windows 95, maybe, I'm not even a hundred percent sure, but,
[00:03:45] Chris Sienko: Hm.
[00:03:46] Will Sweeney: you know, had a chance to, to learn a lot about it and just getting used to the Windows environment and then just taking various courses at, um, both my middle school and in, in high school. Um, I can still remember I had a professor in, in middle school who, um, he made us memorize the keyboard and I can still, to this day, I know all of the keys on the keyboard and what order they go in.
[00:04:08] Chris Sienko: Yeah.
[00:04:09] Will Sweeney: and I also was really fortunate to have a, uh, a teacher in high school. Uh, Carolyn Fisher was her name,
[00:04:15] Chris Sienko: Hmm.
[00:04:15] Will Sweeney: who, uh, let me actually build the high, the, uh, website for our high school. Um, and uh, it was kind of the first, uh, website that the high school had and. You know, just really started to kind of pick things up from there.
And, um, going to college, I built my own computer and assembled the parts and things. And now that's kind of a trendy thing to do. I think a lot of people do that nowadays. But, um, back then it was, um, not, not as common.
[00:04:41] Chris Sienko: It was a leap of faith back then for sure. 'cause yeah, you were, you were just sort of putting all these pieces together and, and yeah. Even now there's still you, you know, doing little mismatches can really cause big problems down the line. So Yeah. That's a, that's a hard challenge now. Um, I I wanted to back up a couple of things there.
Uh, when you were, uh, asked to do the school's website, was it, were you already sort of learning HTML or was this like a real big leap of faith in terms of like, oh, I have to. I have to learn how to do this now, but they just sort of were like, you're a, you know, you're a computer guy. Why don't you do it?
[00:05:15] Will Sweeney: Yeah. Um, a little bit of both. Um, I did, I did spend some time learning about HTML and, um, you know, just some basic, um, tags and, and things like that and how to structure a website and, um, I took to that pretty quickly. Um, but back then we were using a product called, um, Dreamweaver,
[00:05:33] Chris Sienko: Oh, yeah. That's what I, that's what I learned on too. Nice.
[00:05:35] Will Sweeney: yeah,
[00:05:35] Chris Sienko: Mm-hmm.
[00:05:36] Will Sweeney: started building with Dreamweaver and then learned a little bit about, um, Flash scripting and I, I think it was called ActionScript back then. So, you know, started learning about the ActionScript language and then, um, the website from there. And like, looking back at it, I mean, you can go back on the, on the Wayback Machine and see the website, what I created back then and,
[00:05:55] Chris Sienko: Yeah.
[00:05:56] Will Sweeney: um, very rudimentary. But, um, you know, it was, it was exciting, you know, it was something that I, I'd never done before and I, I was given a really nice opportunity to do it.
[00:06:04] Chris Sienko: That, that is really cool. And, uh, yeah, I, I'm in full agreement that, uh, I think, uh, of all the things I learned in high school learning, uh, touch typing and knowing where all the keys on the keyboard are. Nothing else has served me in life quite like that has
[00:06:17] Will Sweeney: Right.
[00:06:18] Chris Sienko: absolutely cornerstone at this point. So,
[00:06:21] Will Sweeney: Yeah.
[00:06:21] Chris Sienko: so I wanna go a little forward into some of your, your key career roles.
You started strongly in roles around IT, but your interest and focus, uh, over the past many years has been, uh, specifically around data security, data privacy, regulation. Uh, was this a, a, an interest pivot or an opportunity pivot? Did you, did someone sort of get you, uh, you know, into these types of roles, or was this like more interesting to you than the sort of IT-ish stuff?
[00:06:48] Will Sweeney: You know, I, I kind of, kind of stumbled my way into, um, data security compliance, starting at, um, KPMG, doing a lot of Sarbanes-Oxley and IT general control testing. Um, and then spent some time doing, um, FISMA and FISCAM reviews for the federal government. Um, so that was mostly kind of audit experience.
And then later when I worked for IBM, um, I was in their data security and privacy, uh, practice and helping companies, actually sitting on the other side. So not doing the audits, but actually doing, uh, implementations and consulting engagements to help companies to comply with a variety of,
[00:07:22] Chris Sienko: Okay.
[00:07:23] Will Sweeney: you know, primarily information security frameworks.
So SOC 2, ISO, NIST, that kind of thing. Um, and, and, um, out of the blue, one of the partners and I were talking a little bit about, um, GDPR, which, um, at the time was a, an emerging data privacy regulation that nobody really knew very much about. Um, and she said to me, she said, Hey, listen, we think that this is gonna be a big thing.
We we're not really sure, but we'd like for you to go kind of learn about it. Um, and I started really going out there and just initially just reading and understanding the text around the GDPR and what, what the article
[00:07:55] Chris Sienko: Mm-hmm.
[00:07:56] Will Sweeney: And I pretty quickly realized that, you know, this was gonna be a huge problem for companies, that they were gonna have to comply with this regulation. It was kind of a, the first of its kind, which carried very significant fines for noncompliance. So,
[00:08:09] Chris Sienko: Yeah.
[00:08:10] Will Sweeney: um, you know, I knew that they were gonna have to do something. And also, in addition to the data privacy requirements, it baked in a lot of information security requirements as well, which I had a strong background in. Um, so, you know, honestly I think I spent probably about a year really, you know, gaining a, a really strong understanding of the GDPR and then shortly after, um, started Zaviant and went out to market thinking like maybe this is an area where we can, we can help some companies. And, um, I always tell people, I think I drastically underestimated the amount of work that was out there and the, uh, the opportunity around helping companies comply with these, um, these requirements. It really was just opportunistic.
[00:08:50] Chris Sienko: Thanks. Uh, okay. So, um, because a lot of, uh, the listenership of this show is, is sort of trying to figure out what types of work they want to do later on, can you draw a distinction in terms of like, the actual day-to-day tasks between someone who's doing the, uh, the sort of audit versus doing the implementation?
Obviously, I, I, I realize they're sort of related, uh, and obviously one's a lot more hands on than the other, but, uh, what, what, what, what's the difference between the two?
[00:09:20] Will Sweeney: Yeah, so when you're doing an audit, and, and one of the things that I, I did not really like about audit was, um, you, you would go in and conduct these assessments of these organizations and you would issue a report: here are where all of your problems are. Right? And, and really that's what the audit's meant to do.
It's to, um, yeah, we obviously want to give credit for the good things that you're doing, but we wanna point out more
[00:09:42] Chris Sienko: Like that.
[00:09:43] Will Sweeney: right? So that you can go out and start actually remediating those gaps in preparation for getting a clean audit opinion in the future. Um, you know, in a consulting, in, in, in a consulting engagement, you're still doing that assessment to understand where the gaps are. you know, what I really liked about it was then taking those gaps and actually solving those problems for, for customers, right? Where the audit
[00:10:06] Chris Sienko: Hmm.
[00:10:07] Will Sweeney: You know, what I didn't really like about it was, um, in, in my experience, a lot of times it wasn't that these companies didn't understand that they had problems.
It's that they didn't really understand how to fix the problems. So, going into that consulting setting was, you know, not only were we calling out the, the issues, we were actually helping them to solve 'em. And I think that's the big difference between the two is in a consulting engagement, you're really hands-on sitting with the company and, and, and, uh, and helping to fix the issues that you've, you've identified.
[00:10:34] Chris Sienko: Mm-hmm. Mm-hmm. And I, I, I imagine that requires a little, a lot different background in terms of like your skills or, or are, are, or can you sort of start from the same and sort of diverge into the two different roles?
[00:10:46] Will Sweeney: You know, I, I think what's interesting is I think I probably started more so on the technical side of things than some of my, my colleagues who are auditors. And I think that they, the auditors, um, are typically very good at understanding the requirements and how to apply them, but they may not have the technical acumen to actually go out and fix those gaps.
[00:11:05] Chris Sienko: Right.
[00:11:06] Will Sweeney: So I kind of started more on the technical side and then did the audit, and then moved into the consulting. So I would say you're right, there's very similar skillset there, but I
[00:11:14] Chris Sienko: Got it.
[00:11:15] Will Sweeney: it can be difficult for an auditor to bridge that gap.
[00:11:19] Chris Sienko: Good to know. So, uh, you mentioned that, you know, the, these, these particular types of, uh, job roles, uh, basically moved you into where you are now with, with Zaviant. Can you talk about your current role as, as managing partner? 'Cause uh, obviously this is a pretty, uh, big role and a pretty big jump up and you've, you know, helped a lot of big-time companies with their compliance and security posture.
So what is, what is the work like now in, in the sort of managing partner space as, as opposed to the implementation that you did before? Yeah.
[00:11:49] Will Sweeney: Yeah. So yeah, now I'm, I'm really, um, my focus is really on, you know, making sure that the team, uh, understands, um, the services that we're going to market with and that we're providing, making sure that we're bringing the best possible delivery to our clients. Um, going out and finding new opportunities, um, with, with, with new, new clients. Um, and, you know, my role has really shifted, right? So I'm not as hands-on with the delivery of the service as I once was. Although I love doing the delivery of the service, now I'm really focused more on kind of scaling and growing a business in my capacity as a managing partner here. Um, but in order for me to be successful in that role, I still need to be able to talk to the clients, understand the problems that they're having, understand the regulations that they're having to comply with. Uh, I'm still working very closely to make sure we have stakeholder buy-in across the various levels of the business, including at the C level, um, communicating across different, you know, jurisdictions and different operating entities. Um, so that, that,
what has kind of shifted is, I would say, more, uh, communication heavy and stakeholder heavy. Um, that, that's kind of the big difference now is I'm not as hands-on with the delivery as I once was. And, and I'm very fortunate because my team is, is really, you know, there, there's some really good experts on our team who are really probably at this point better than I am at, at doing the delivery.
[00:13:18] Chris Sienko: Um, without, uh, you know, obviously, uh, you know, listing out specific problems that certain clients have, but can you gimme an example of some of the types of challenges that you're being asked to solve in these particular situations? Can you sort of give me some of the, like the, the top-level, most common, uh, you know, security regulation problems or whatever that Zaviant is, is working on?
[00:13:43] Will Sweeney: A lot of, a lot of what we're doing is helping companies to comply with things like the GDPR and the US state privacy laws, um, helping to build out third-party risk management programs, um, helping companies to comply with things like the CMMC or ISO 27001. Um, and I think kind of the, the common theme there amongst those requirements is, again, just going back, I think you really need stakeholder buy-in and support across the
[00:14:11] Chris Sienko: Yeah.
[00:14:11] Will Sweeney: of the, of the organization. Um, and you know, one of the things I'm doing quite regularly is helping just kind of navigate the complexity of all of those requirements and how they relate to each other and how they differ, and coming at it from kind of a, a programmatic point of view to say, you know, maybe if we do these five things for GDPR compliance, it also helps us for US state privacy law compliance.
[00:14:33] Chris Sienko: Mm.
[00:14:34] Will Sweeney: I would say those big themes are the, the, uh, data privacy laws and the,
[00:14:38] Chris Sienko: Yep.
[00:14:38] Will Sweeney: party risk programs and information security requirements.
[00:14:42] Chris Sienko: What are the most common hindrances to buy-in? Because I, you know, I, I, you would think maybe it's, it's money, but it's not money because they're, they're hiring you to get this thing done. So is it just the complexity of it? Is it people don't want to change? Is it, uh, general exhaustion with having to sort of like, figure out all these new sort of compliance regulations?
Where, where, where's the, the friction happening usually?
[00:15:06] Will Sweeney: I think a lot of it is, you know, a knowledge gap. And I think a lot of it is a resource gap. So, you know, A, I think a lot of people really don't understand, you know, exactly how to go about solving these issues. And then B, even if they do understand it, a lot of times they don't think they, they have the, the either the right resources or the number of resources that they need to deal with these problems.
Because the reality is that, you know, complying with these requirements can be very, um, resource intensive and time intensive. It's, it's not something that you just do one time. You have to do it, and then you have to maintain it on an ongoing basis. So it, it is very resource and time intensive.
[00:15:48] Chris Sienko: Yeah. Does that, I mean, do those resources involve just adding more sort of work to the workflow, more people to the pipeline or sort of throwing money at the problem or just sort of a combination of all those things?
[00:16:01] Will Sweeney: Yeah, I would say it's a combination of, of all of those things. Um, but you know, you, the pro, one of the other issues I would say is you can't take someone who's really good at network engineering and have them help with, you know, complying with the GDPR or building out a data map or building out a privacy
[00:16:20] Chris Sienko: Right.
[00:16:20] Will Sweeney: two very different skillsets. You
[00:16:23] Chris Sienko: yeah.
[00:16:23] Will Sweeney: as much as we can't go do network engineering and administration or
[00:16:27] Chris Sienko: Right.
[00:16:29] Will Sweeney: you know, they cannot go, do, you know, the same things that we can do around, um, the compliance requirements. So.
[00:16:34] Chris Sienko: Okay.
[00:16:35] Will Sweeney: say there's a big kind of, um, you know, to my earlier point, I think there's a, there's both a resource issue from like a number-of-resources standpoint, but really an expertise standpoint.
And,
[00:16:45] Chris Sienko: Interesting.
[00:16:45] Will Sweeney: that's an industry wide problem where I think across the industry, we just don't have enough folks who really understand, um, how to deal with these problems.
[00:16:55] Chris Sienko: Yeah. Now, uh, I'm assuming that most of the, uh, the companies you work with, their solution is not, well, let's hire someone who is an expert in that area, but is sort of like, let's upskill the people we have now. Is, I mean, do you have a, any thoughts on that? Like, like, I know we're trying to solve the, the primary problem around cybersecurity right now, but, um, you know, I mean, we're also seeing, you know, contractions of, of, of SOC and security teams, you know, due to budgets, due to, uh, economic circumstances or whatever. So a lot less people are asking to be done, asking to, to do a lot more. So, uh, where, where do you see this going? Uh, you know, a lot of the expertise that you need for privacy regulation or GDPR or what have you, I assume is, is almost a completely different person rather than, like you said, the, the, the network engineers and things like that. So, um, do what do, what do you think? Is this a, is this a, uh, a contractor thing? Is this like a temporary services thing? Uh, what, what, what do you think?
[00:18:02] Will Sweeney: So I, I think, first of all, I would say that the software that practitioners and experts use for GRC has improved drastically in the past,
[00:18:13] Chris Sienko: For sure.
[00:18:13] Will Sweeney: five years, you know, so it's gotten a lot more efficient for people like me to be able to do my job, and there's much better tools that we can deploy, with a lot more automation, right? So like
[00:18:26] Chris Sienko: Mm-hmm.
[00:18:27] Will Sweeney: happening. Which is, which is great. And it, I think it makes, you know, the practitioners much more efficient. They can focus on the problems that maybe software isn't able to solve. Um, so I, I think that's a big part of, of what we're seeing happen. Um, and then to be honest, and maybe this sounds, you know, kind of self-fulfilling here, but I really believe that, um, you know, if this is not a core competency for you or your team, I think you should outsource it. Um,
[00:18:52] Chris Sienko: Mm-hmm.
[00:18:53] Will Sweeney: something where I think you can upskill someone to the extent that they can help maybe project manage it or act as like a liaison
[00:19:01] Chris Sienko: Right?
[00:19:01] Will Sweeney: and the, and the, um, the subject matter expert.
But
[00:19:04] Chris Sienko: Mm-hmm.
[00:19:05] Will Sweeney: it's very unlikely that someone who is not, you know, making this their core focus on a daily basis is gonna
[00:19:12] Chris Sienko: Yes.
[00:19:14] Will Sweeney: Um, so I happen to believe that, you know, again, maybe this is self-fulfilling, but I do believe that outsourcing it to a firm who has a lot of subject matter expertise in this space, I just think is more cost, cost and time effective.
[00:19:28] Chris Sienko: Yeah, I think, yeah, I think, I think that's probably, uh, gonna be the case, uh, for the foreseeable future. Obviously, uh, skills gap is not being solved anytime soon here. So,
[00:19:36] Will Sweeney: Agreed.
[00:19:37] Chris Sienko: In your opinion, Will, what are the most challenging data security and data privacy issues happening in the moment? I mean, obviously, you know, uh, what the regulations say the big ones are, but from a big-picture, big-stroke, uh, perspective, what are some looming threats that organizations are turning to Will Sweeney and others to address?
[00:19:53] Will Sweeney: So I think, you know what, what we're seeing is there's a lot more compliance requirements that are coming along. I think you, you pointed that out earlier. So now we
[00:20:01] Chris Sienko: Mm-hmm.
[00:20:02] Will Sweeney: you know, CMMC, we've got the SEC cyber rules, we've got. Um, you know, the FTC now investigating, you know, contracts law to make sure that if companies are representing that they're compliant with something that they actually are. Um, you've got, you know, breaches where companies, you know, previously, you know, represented that they were protecting data that were not, and now they're being, you know, they're on the receiving
[00:20:26] Chris Sienko: Yeah.
[00:20:26] Will Sweeney: fines for, for that. Uh, and I, I think that this additional complexity around the compliance requirements is gonna continue to grow, and I think we're gonna continue to see more enforcement, not less. Um, I,
[00:20:39] Chris Sienko: Yeah.
[00:20:39] Will Sweeney: that, you know, that's something that companies are gonna have to navigate and, um, one of the challenges that I, I think comes along with that is, uh, having to implement software that can actually go out and find and classify data in the environment, um, and determine whether or not it is in scope for some sort of, um, compliance requirement or data privacy law. I think that that's, that's an, a challenge that companies have. I think they have not had really good governance around their data and, and had a good understanding of, um, where that data was. And that's, that's extremely important for complying with any, um, data privacy law. And if you don't know where your data is, there's no way that you can implement the appropriate security controls to protect that data.
So, you know, I think that those things are gonna continue to, to be important. Um, I think another area where I think everybody is talking about it is, um, you know, the, the advent of AI and what that's gonna mean for business. And I think a lot of companies now are trying to find new ways to implement AI technology and do it in a way where they're maintaining security and, uh, compliance and avoiding data loss. Um, I think, you know, there's gonna be a continued emphasis around, uh, around that and I think, um, I think there was a moratorium, uh, put in place either this week or last around states introducing their own AI, uh, laws at the state level so that the Fed can kind of preempt those, those laws. And we've got the EU AI Act.
And, you know, I think that that's gonna be something where, um, you know, I, I, I'm, I think there's gonna be a lot more, um, emphasis placed on, on, on those types of things. So, I, I think with, with AI specifically, um, some of the technology you could argue runs counter to the data privacy laws where, uh, individuals are given the right to consent to the processing of their data, while having those AI technologies, um, gather that data in a way that's lawful and in compliance with law,
I'm not sure, um, if someone has, you know, wants to exercise their right for an organization to go through and actually delete the data, how do we actually pull that out?
[00:22:53] Chris Sienko: Mm-hmm.
[00:22:54] Will Sweeney: I'm not sure if that, if that's, if we're able to do that. Um, and so, you know, I think this kind of, there's gonna, there's a little bit of, kind of a juxtaposition happening with, um, you know, these emerging AI tools and the consumption of data that they need to run, be effective,
[00:23:10] Chris Sienko: Oh yeah.
[00:23:10] Will Sweeney: what the data privacy laws say that you have to do as an organization when you're processing data. So I think those are the big themes that I see happening now and I think will continue to be really important. Um, in the next, you know, 12 to 24 months.
[00:23:24] Chris Sienko: Yeah. Now, uh, you mentioned, you know, you need to know where your data is, to know how to secure it and, and, and, and, and stuff. Do you, have, are there any commonalities of things that you see a lot of companies need improving that, that kind of surprise you? Like, like really, you know, what you would think of as like blind spots in terms of their security posture?
Are, are there things that a lot of companies just aren't doing or aren't thinking to do?
[00:23:50] Will Sweeney: Yeah, and I, I think, you know, some of the basics, right? So doing phishing training, having multifactor authentication in place, making sure that, you know, standard users don't have excessive privileges, like they're not local administrators or have other special privileges within the environment. Having a lot of service accounts with a, a shared password, you know, stuff like that.
I think a lot of those things seem, seem very basic, but they, they very often get overlooked. And,
[00:24:21] Chris Sienko: Mm-hmm.
[00:24:22] Will Sweeney: you know, fixing those particular issues, that goes a very long way into, you know, maturing your, your po, your security posture.
[00:24:30] Chris Sienko: Oh yeah, absolutely. Yeah. No, it seems wild to me that that, that multifactor is not sort of like standard practice at this point, but it's still not for a lot of people. It's very weird.
[00:24:40] Will Sweeney: I think I, I think the statistic is something like 60 to 70% of security incidents are as, as a result of, you know, a phishing attack.
[00:24:49] Chris Sienko: Yeah.
[00:24:50] Will Sweeney: these, you know, I think everyone has this misconception that it's, you know, really sophisticated attackers sitting in a, a room somewhere launching zero-day exploits. It's, it's kind of brute-force phishing attacks that lead to the majority of security incidents
[00:25:04] Chris Sienko: Mm-hmm.
[00:25:04] Will Sweeney: a ransomware event or something like that. So it's, it's, it's shocking, but you're, you know, you're right. It, it, it's a lot of the basics.
[00:25:12] Chris Sienko: So for listeners who wanna get into the work of, of data privacy and the sort of work that you do, what, what should they be working on now to make themselves more appealing to potential employers? Because like, like you said, I know there's a lot of new factors entering, you know, AI tools and, and things are pretty disrupted at the moment.
Like, what, where should they be focusing their, their talents and interests at the moment to sort of hit this field running?
[00:25:36] Will Sweeney: I, I think spending time actually researching and learn, learning the background of the data privacy regs, um, what's happening in that space. I think also spending time, um, learning about something like SOC 2 or ISO 27001 and understanding those concepts. I think that's a good basic understanding. Um, I would say spend some time learning the very, the basic things that comprise those requirements.
[00:26:02] Chris Sienko: Mm-hmm.
[00:26:03] Will Sweeney: understand what a data mapping is. Understand what's important about privacy notices and consent management.
[00:26:09] Chris Sienko: Yep.
[00:26:10] Will Sweeney: you know, there's a lot of really good, uh, information out there on the web, and although it's very dense, I would say, you know, actually sit down and read what's in those requirements and just kind of familiarize yourself with it conceptually. Um, I think that's a good place to start and, and, um, and do some, you know, and, and learn a good bit about this.
[00:26:29] Chris Sienko: Yeah, I, you know, I, I, not, not to sort of flatten all of these, these big, you know, privacy, uh, platforms down, you know, too excessively. I imagine there's really kind of 10 or 20 sort of core things you need to understand and that a lot of those kind of repeat almost verbatim from, from, uh, you know, re re regulatory, you know, framework to another.
Is that, is that the case? Mm-hmm. Mm-hmm.
[00:27:14] Will Sweeney: policy, have an access management policy, implement controls, make sure those controls are in place and that they're operating effectively o over a certain period of time. So a lot of those core concepts, um, regardless of what the regulation or compliance framework is,
[00:27:28] Chris Sienko: Mm-hmm.
[00:27:29] Will Sweeney: you know, to your point, they're very, very similar across the board.
[00:27:32] Chris Sienko: Yeah, no, I, that's, that's interesting because I, you know, I think it would be easy enough to wanna become, you know, a master of one if, especially if you think you're gonna work for a European company or you're gonna work for someone in California, and you just targeted on that. But if you spend more time maybe just understanding the core concepts that unite them all, then it gets, you, you sort of like diversify your skillset by being able to kind of zigzag between these and say, okay, well this one requires these six things. This one requires these 12 things, but six of them are the same, you know, from here to there. And I suppose that really makes you a lot more flexible as a potential candidate, right?
[00:28:06] Will Sweeney: Yeah, exactly. And when you're talking to, you know, organizations that have to deal with those problems, you can talk about them even at a very high level, right? A conceptual level. Like I
[00:28:15] Chris Sienko: Mm-hmm.
[00:28:15] Will Sweeney: what those things are and.
[00:28:16] Chris Sienko: Yeah.
[00:28:17] Will Sweeney: think that in itself is a really good starting point for a conversation.
[00:28:21] Chris Sienko: Yeah, yeah, yeah. You know, I've, I've met some pretty amazing guitarists over the years, and the ones that say they just learned every single chord in the chord book, you know, I think get a lot further than those that, uh, just keep playing the same song over and over until they, they master it or whatever.
So it's, uh, yeah, I think that's awesome advice in terms of, uh, understanding sort of the, the building blocks of these. Uh, so, um, pulling back a little bit, uh, you know, not to add a whole bunch of new people to your, uh, to the slipstream here. Do you have any advice for people going into data privacy regulation or GRC consultancy?
So for like, for listeners who might have an entrepreneurial itch, are there hidden challenges to getting a consultancy practice like this off the ground and taking it to a new level?
[00:29:01] Will Sweeney: You know what I, I think I really, um, everyone talks about going out and starting their own business and
[00:29:08] Chris Sienko: Mm-hmm.
[00:29:08] Will Sweeney: consulting firm and, and all those kinds of things. I think what people often underestimate is, you know, to really be successful, you need to be able to demonstrate to a client or a potential client your expertise in that particular space, right?
So that's obvious. You need to be really good at what you're doing. And then the other thing is you really need to be able to build a team, right? So once
[00:29:29] Chris Sienko: Yeah.
[00:29:30] Will Sweeney: one client or two client, maybe you get to five or 10 clients. You need to be able to build a team to be able to go out and execute on those engagements. So you need to also be able to attract people to your business to come help. You know, those clients, right? So, um, that's probably a hidden challenge. I, I always say, you know, um, I think, you know, hiring your first person or your second person is probably one of the hardest things you'll, you'll ever do when you start a business.
At least for me it
[00:29:58] Chris Sienko: Hmm.
[00:29:59] Will Sweeney: um, and doing it at the same time as actually going out and executing on,
[00:30:03] Chris Sienko: Yeah.
[00:30:04] Will Sweeney: delivery of the service. It is very, very challenging. but I, I think if you're willing to, you know, spend the time, really gain that expertise, um, provide that thought leadership and, and kind of differentiate, differentiate your, differentiate yourself to, you know, you know, clients about what it is that you're able to bring to the table and why it's important.
I think that resonates with people. And I think that, um, from there it's really just kind of following through and executing at a very high level and making sure your customers are, are, are happy on a continuous basis with the work that you're providing them.
[00:30:37] Chris Sienko: Okay. You said the magic word there, uh, the, the, the hardest job you'll have to do. Can you talk about what the, the challenges are or any advice you have around hiring your first employee if you're starting a, a, a consultancy like that? 'cause that's, that sounds like, uh, something people really are gonna need to watch out for.
'cause that's like, that's where you start. So, uh, what, what, what are some of the pitfalls in involved in that?
[00:30:58] Will Sweeney: Um, don't hire friends. I would say that
[00:31:01] Chris Sienko: Yeah.
[00:31:01] Will Sweeney: an obvious one.
[00:31:02] Chris Sienko: Sure.
[00:31:03] Will Sweeney: try not to hire, hire friends if you can avoid it. Obviously you don't want to, um, you know, mess up a personal relationship. That's not good.
[00:31:10] Chris Sienko: Mm-hmm.
[00:31:11] Will Sweeney: and obviously you need to be also able to provide difficult feedback to people if they're not performing at the level that you need them to.
[00:31:18] Chris Sienko: Mm-hmm.
[00:31:19] Will Sweeney: Um, and it's not really nice to do that with a friend. Uh, so that's a, that's a common issue. Um, I would say, you know, you also need to be in a position where you can compensate someone, you know, equal to or above where the market says that they should be being
[00:31:34] Chris Sienko: Yeah.
[00:31:35] Will Sweeney: If you can't do that, then you're gonna have to probably offer them some sort of equity in the business.
And, you know, people probably, you know, people view that differently. Some people are okay with that idea and some people are not. Um, you know, my particular case, my feeling was I wanted to be able to go out and, and justify a hire based off of, um, the revenue that existed in the business and not have to, um, start, you know, introducing, you know, equity into the conversation.
'cause I, I thought that that was gonna be even more confusing. Um, and, you know, I, I think just being very specific about what your expectations are on both sides of the table. What does this person want to get out of the job and
[00:32:15] Chris Sienko: Yep.
[00:32:16] Will Sweeney: need to get, um, out of the person who's, who's coming into your business and hopefully helping you grow the business?
[00:32:22] Chris Sienko: Nice. Okay. That's, uh, yeah, excellent advice. Um, so, looking to the years coming, do you, what, where do you see the state of GRC going? I mean, we mentioned AI, LLMs, uh, do you see more privacy frameworks mushrooming up or maybe more consolidating of the existing ones? What do you think the landscape's gonna look like in, in say, five or 10 years?
[00:32:46] Will Sweeney: I think in the US we're, we're probably, I think it's unlikely at this point that we'll see a, the federal privacy law. Maybe it will happen. I'm not sure, but I think it's unlikely. Uh, I think last week it, I think Massachusetts introduced a new privacy law, so I think we're up to somewhere around 20 plus US states with their own individual privacy laws.
[00:33:06] Chris Sienko: Hmm.
[00:33:06] Will Sweeney: that that trend is gonna continue. Um, I know Australia right now is working on updates to its privacy protection law, um, and we've got a myriad of other privacy regs across, you know, Europe, um, Canada and Latin America, and even India and, and, and Asia and China and so on. Uh, so I, I think that this kind of, um, this kind of dispersion of, of different requirements is gonna continue kind of be the same going forward.
I think as it pertains to, um, AI protection laws, I think that we'll probably see a more unified front on, on that side of things. At least in the US, I think the US probably recognizes that, uh, the approach for, pri, US privacy law was maybe not the best one. And I think they're trying to get ahead of putting more sensible requirements in place around AI.
And I think that's, that's, that's also, you know, representative of how we're viewing the risk around AI. Uh, which I think is a good thing.
[00:34:05] Chris Sienko: Mm-hmm.
[00:34:05] Will Sweeney: specific to, uh, you know, the GRC role in general, I would say that the role is gonna continue to evolve. I think, I, uh, what's helpful is the software tools have, have really, really drastically improved over the past several
[00:34:18] Chris Sienko: Oh gosh, yes.
[00:34:19] Will Sweeney: a lot more tools that we can use to help deliver solutions to customers and even manage those requirements internally. I think that that's, that's very helpful. And I, I would say probably even in these GRC tools, you'll start to see the adoption of some sort of AI technology or AI agent that will help facilitate the, uh, ongoing maintenance of, of controls and, uh, requirements. I think that will help reduce the burden and, and introduce some additional efficiency, uh, to GRC, and I would say, um, you know, there, there's gonna continue to be this issue around just a resource deficit. I think that AI is gonna eliminate certain jobs, but I think it's also going to, I think we're gonna wind up in a very similar situation we are in now where you're going to need, uh, practitioners and subject matter experts who will really understand those tools to even be able to implement them and manage them, right?
So
[00:35:18] Chris Sienko: Mm-hmm.
[00:35:18] Will Sweeney: I don't see that shifting and going away. I think this GRC function as a whole, uh, continues to be more important in the coming years. Um, and I, I think with, with new tools, there's always gonna need to be folks who are really well read up on how to leverage those, uh, software products to help us, um, be successful in this area.
[00:35:37] Chris Sienko: Yeah. Now, uh, as we wrap up here, we're, we're getting close to the end of our, of, of our, of our time here. Uh, one of the sort of archetypes that you know, or people who, you know, write to us with comments and so forth is, is the, you know, the person who feels they're stuck in a help desk role or a very low level SOC role, and they don't quite know what they need to do to move into more specialized areas and like, yeah, like you said, I think the next 10 years it's gonna be all specialization, it's gonna be all, um, knowledge, you know, based, you know, and, and a lot less sort of brute, uh, you know, rote work and so forth, that, that goes with those type of roles. Uh, do you have any sort of, um, strategies for helping someone to, uh, sort of get out of these, these sort of lower level, uh, grunt roles into something more substantive?
[00:36:26] Will Sweeney: Yeah. You know, first of all, I, I would say a, a SOC job or a help desk job is a great entry into this space.
[00:36:33] Chris Sienko: Mm-hmm.
[00:36:34] Will Sweeney: and if
[00:36:35] Chris Sienko: Oh yeah.
[00:36:35] Will Sweeney: in one of those roles, I would say if there's a GRC function within the organization, if it's, if it's a, um, it's an indu industry that you're working in, I would say reach out to those folks and understand, you know, what they're doing, and try to get involved as much as you can. If you're working for an MSSP or some sort of MSP and you want to kind of pivot into more of this GRC and compliance space, go out and, and find those free resources that are out there on Google and LinkedIn and, and read about them. Um, we, we have someone on our team who, um, spent about 30 years working in the fitness industry. Decided that he no longer wanted to work in the fitness industry. Um, started spending a lot of time, um, learning and, and reading resources on Google and LinkedIn. And then he went out and got a, a master's in cybersecurity from, from an online university. And he's phenomenal. I mean,
[00:37:27] Chris Sienko: Mm-hmm.
[00:37:28] Will Sweeney: he's one of the best, uh, folks on our team and we're, we're very fortunate to have 'em. Um, so, you know, but you've gotta be willing to roll your sleeves up and do that work and go out and learn and talk to people and, um, go out and re-skill and, and there's a lot of great free resources out there that are, I would say again, Google and LinkedIn have, have a lot of those.
[00:37:46] Chris Sienko: Mm-hmm.
[00:37:47] Will Sweeney: you need to go back and pursue, uh, another degree, I would say, um, it can certainly be worth it if you can, uh, find yourself in even an entry level role in GRC.
[00:37:56] Chris Sienko: Yeah. Yeah. No, yeah, we, that's, that's another big part of our, our demographic is people pivoting later in life. And I, yeah, I suppose that's probably the, kinda the best advice you can give is, you know, sort of just learn your way into it. You know, it's, you're not, you're not necessarily gonna have experience, but you will have, I, I suppose some advantage over, you know, an entry level, you know, or a student trying to apply for a, a job like that because people know you can do work. You know, that
[00:38:23] Will Sweeney: Mm-hmm.
[00:38:23] Chris Sienko: years in the fitness industry means, you know, I know how to come to work every day. I know how to, you know, finish a task and so forth.
And I think that's, I think that's, that's as, as valuable as anything. So, uh, so one, yeah. As, as we wrap up, what, what's, uh, what's the best piece of career advice or advice in general you ever received?
[00:38:42] Will Sweeney: Um, my dad had all, all these like very basic maxims that, um, you know, I told you earlier he was an HVAC and plumbing,
[00:38:49] Chris Sienko: Yeah.
[00:38:50] Will Sweeney: plumbing guy, and I just remember working with him when I was in high school on jobs, and he would always tell me like, just do the job, right? Um, he would tell me, Murphy's Law, whatever can go wrong is gonna go wrong. Um, he would say never get too excited about the highs or too upset about the lows. Uh, so, you know, those were some very basic maxims that he gave me that have always stuck with me through the years.
[00:39:12] Chris Sienko: Mm-hmm.
[00:39:12] Will Sweeney: And, um, you know, a, an, an opportunity to watch my dad who, who ran his own, uh, plumbing business up close, always treated the customers right? Even if they were difficult, he was always going out of his way to make sure that they were happy. And in certain cases, he wouldn't charge them for work that he did, just because he felt like this was someone who was gonna continue to be a good customer for him in the long term.
Right? So
[00:39:37] Chris Sienko: Mm-hmm.
[00:39:38] Will Sweeney: that that's, that's really important is, um, you know, some of those very basic maxims that he shared with me and, um, making sure that you're treating customers extremely well and doing the best possible job you can.
[00:39:50] Chris Sienko: Yeah, great, great advice. All around, they're, they're called maxims for a reason. They stick around for a reason. They, they are always useful. So, uh, as we wrap up, tell our listeners more about, about Zaviant and, and the work you do.
[00:40:02] Will Sweeney: So Zaviant is a data security and privacy consulting firm. Uh, we help our clients navigate complex security compliance requirements and data privacy laws. We do that by building programs, processes and procedures, and by implementing GRC software to support their business requirements, uh, we specialize in things like third party risk management, uh, SOC 2 and uh, GDPR compliance.
[00:40:26] Chris Sienko: Nice. All right. And one last, uh, request here. Tell our listeners where to find more Will Sweeney and and Zaviant online.
[00:40:33] Will Sweeney: You can find us at zaviant.com and uh, I'm on LinkedIn. I spend a lot of time on LinkedIn and we also, uh, our
[00:40:39] Chris Sienko: Great.
[00:40:39] Will Sweeney: on LinkedIn as well, so follow us on there.
[00:40:42] Chris Sienko: Fantastic. Well, Will, thank you for your insights and all this great privacy talk. It was a lot of fun.
[00:40:46] Will Sweeney: Thank you so much, Chris. It was nice talking to you today.
[00:40:48] Chris Sienko: And, uh, thank you to everyone who watches, listens, and writes into the podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop 'em in the comments, uh, or make use of our YouTube community tab. We're trying to get that a lot more active, or, hey, uh, stop by our TikTok channel infosec.edu. Uh, before we go, don't forget, infosecinstitute.com/free is a place where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners, including our free Cybersecurity Talent Development Playbook, which, uh, contains in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, uh, the secure coder, ICS professional and more. If you wanna know how much a career in cybersecurity pays, get our free Cybersecurity Salary Guide for the latest data on popular certifications and their related roles. There's also security awareness posters, eBooks, and you can sign up for a hundred plus free courses, uh, for a month in our Infosec Skills platform. You can learn incident response, forensics, security architecture, and more. Uh, all of that is at infosecinstitute.com/free, and the link is in the description below. One last time, thank you to Will Sweeney and Zaviant, and thank you all for watching and listening. Uh, this is Chris Sienko signing off.
Until next time, make sure to learn something new every day. Keep one step ahead of the story. And don't forget, don't forget to have a little fun along the way. All right, bye for now.