Defense in Depth: Technical vs. Compliance Professionals

Do we have a Montague/Capulet rivalry between technical and compliance professionals? Why is this happening, and what can be done to improve it? Does it need to be improved?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Linda White, director of InfoSec, Axiom Medical.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, NetFoundry

NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network, and delivered as SaaS. It isolates the app to make network security irrelevant and removes the pain of public DNS, VPNs, bastions, and complex firewall rules.

Full transcript

[David Spark] Do we have a Montague, Capulet rivalry between technical and compliance professionals? Why is this happening, and what can be done to improve it? Does it need to be improved?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode is the former CISO for Levi Strauss, Steve Zalewski. Steve, the sound of your voice is something like…

[Steve Zalewski] Hello, audience.

[David Spark] It sounds just like that. Let me mention our sponsor. It’s NetFoundry. Now, NetFoundry SaaS is built upon OpenZiti. It’s an open source programmable network overlay and associated edge components for application-embedded zero trust networking. We’re going to talk more about NetFoundry, SaaS, and OpenZiti later in the show. But first, let’s talk about this topic we have today. Steve, it comes from Chris Hughes, who is the CISO of Aquia. And he talked about the contentious relationship between technical and compliance professionals, and he summed it up… And I’m going to be really, really general. I don’t want any hate mail towards me because this is a very broad stroke here. But he summed it up that neither side really appreciates or recognizes the value of the other side. He said, “You can differentiate yourself by striving to be competent in both areas.” And I love that line. So, I’ll start asking you this, Steve – how big is the divide between the groups, and how much do they know about each other? And how much do they have to learn?

[Steve Zalewski] Yeah, so I would describe it as are they best friends or annoying siblings, and who’s the lawyer that’s going to try to adjudicate between them.

[David Spark] I would think more the parent to adjudicate between them. [Laughs]

[Steve Zalewski] Yes. Okay, I think lawyer. But parent to adjudicate between them is probably right. And the reason why I say that is, look, they can be best friends, but siblings often times are sometimes best friends and often times worst enemies because they each have their own views. And the question is how good are we as CISOs at being able to look at the two and get the best out of both of them.

[David Spark] That’s what we’re going to discuss on the show. And the person that’s going to help us in this discussion is the director of information security over at Axiom Medical, Linda White. Linda, thank you so much for joining us.

[Linda White] It’s great to be here, David, and nice to meet you, Steve. Thank you for having me.

[David Spark] And I understand you have somewhat of a connection to Steve. And what is that?

[Linda White] I do. Steve is unaware of this as I speak. Steve, as a former CISO of Levi Strauss, I supplied Levi Strauss with a wealth of cotton over the last 30 years, having run a 1,500 acre cotton farm in the panhandle of Texas.

[Steve Zalewski] That’s amazing.

[David Spark] That’s pretty darn cool.

[Steve Zalewski] That is so cool. Well, I didn’t know we were related.

[Laughter]

[Steve Zalewski] I learn something new every day.

[Linda White] We are. We are connected.

This problem won’t change on its own.

3:14.179

[David Spark] Sudarshan Chakraborty of Epsilon said, “The problem is the technical folks and the compliance folks both preach their own agenda, and often security falls into no man’s land. Both sides must understand that they have a common problem to address.” And Sujoy Kundu of Transurban said, “The technical guys are never given the big picture, and they always play the second lead, being directed by the compliance frameworks and regulations.” And lastly, Katoria Henry of Salesforce said, “To your point, you can’t enforce compliance if you don’t understand the architectural makeup of a product or service.” So, this goes into pretty much the theme we’re talking about – is that I don’t think they really appreciate what the other side does. What do you think, Steve?

[Steve Zalewski] Here’s how I’d say it if I was looking at it as two siblings – audit points out the problems only. Somebody else has to fix it. Right? If I look at it again, the engineers would say, “Audit is boring to engineering because it’s repetitive and punitive. It’s doing the same things over to be able to show what they did last time is what they did this time. There’s nothing interesting.” So, to the engineers, they don’t get it. It’s like make the problems go away, and the audit team is like, “But it’s important that we show compliance, and you guys got to fix the problems.” So, talk about the ultimate in sibling rivalry.

[David Spark] Linda, when we first chatted, this topic really struck home with you. I want to know what has been your experience with the two parties in terms of their appreciation or lack thereof.

[Linda White] Well, first of all, I’ve been on both sides, so I can kind of speak a little bit to both sides of the equation – first on technology and later on in compliance. And I like to view both of them as a puzzle where they nicely fit in together. I like to think of compliance as the foundation of everything, and then technology fits into the compliance piece. However, I also feel like this is changing in a sense. I feel like it’s kind of like two gears fitting together. If we could get those cogs in the gears like in a tractor… If the gears are properly aligned, it’s perfect. You have success.

[David Spark] Maybe give us one example where you got just two cogs connected in this sort of [Inaudible 00:06:01] of the technical and compliance parties.

[Linda White] This is pretty basic, but with good leadership. That old school top down approach. When technology feels like they have skin in the game, and they know it’s a strategic goal at the company, and they are helping the company achieve its goals, I think that makes a huge difference because they have ownership.

[David Spark] And I think that’s true for many roles, not just that. What about you, Steve? Have you had just sort of another example of how you got a couple of the cogs to link together?

[Steve Zalewski] So, the way I looked at this one time was I said compliance is say what you do, do what you say. So, I often would look at the compliance people, and I say, “I want you to crisply come to terms with the key policies that the engineering team has to comply with.” Because the goal is not to comply to everything. When an auditor comes in and does an assessment, their responsibility is to look at your policies and see that you’re following your policies – no more, no less. They may not like your maturity. But as long as you’re following what you wrote down, you pass. So, part of it for me was to simply put to both teams compliance, you cannot just ask for the world. What is it that we actually have to minimally do? And then I look to engineering, and I say, “As much as you can automate that is going to reduce your pain.” And that was an example of how I put the two teams together and get them to understand how each of them has a responsibility to each other. Because then engineering can say, “Hey, compliance, you keep changing the rules.” Well, that’s because compliance really isn’t doing their job then. And if compliance says, “This is the minimum.” And engineering does a whole lot of manual evidence generation, well, that’s on engineering to find better ways to automate.

Where are we falling short?

7:54.704

[David Spark] Michael Dennehy of Change Healthcare said, “In my experience, being compliant does not assure a low-risk environment. However, being out of compliance does assure a high-risk, less secure environment.” So, it’s interesting to hear the flipside of that because we’ve heard many times compliance doesn’t equal security, but I like the opposite of that. And Keyaan William of Cyber Leadership & Strategy Solution said, “All the above needs to understand the risk context of their work. Whether you are technical, compliance, audit, or governance.” Let me get to a question for both of you on this, and I’ll start with you, Steve. Often when I hear security professionals and compliance people talk about dealing with auditors, it’s very much a two-way street in that the auditors are trying to learn. And often the security professionals are trying to say, “Maybe we should change this because what you’re auditing on is not actually being helpful. Let me show you more what we’re doing.” How much of that is changing the sort of compliance and audit process have you seen, Steve? Or is that not happening?

[Steve Zalewski] Okay, I’ve got two responses to that. The first one is you’re not there to teach the auditors. The auditors, in my experience, have very set rules around what they want to see that they will say is good enough. Because all the auditors get together, and they’re trying to figure out what it is. None of them wants to stand out and make a decision that is outside the norm of the other auditors because that puts them at risk. So, going in expecting to be able to show the auditor why they’re wrong, or why they don’t have enough information, or why the technology has changed, that’s kind of a losing battle because you’re putting the auditor in an awkward situation that he’s not going to tell you, “I don’t care. I just want to see this evidence so I can pass you.” And that’s why what I say is say what you do, do what you say. Talk to the auditor and the auditor’s role. Get through it, so both sides can be helped. Afterwards, when there’s a debrief opportunity, there’s an opportunity for you to be able to say, “Hey, auditor, you might want to talk to the auditors. And you guys need to go to class and learn about a little bit of some of the technology shifts that are going on because the evidence that you’re asking for is going to start to change.” That, to me, nuts and bolts, is what you really have to do because you have to understand each other. And really the auditor is in the driving seat.

[David Spark] So, does that move things, that kind of conversation?

[Steve Zalewski] It moves things because what you do right up front is you set the baseline for both sides. Because now I, as the CISO or that I’m doing, I’m like, “Look, auditors, I understand that you have outside influences that predicate what you’re allowed to see for evidence and what you’re going to say yes to. Because I realize you are not in control. You are simply the implementor of policy that is a group decision of all the auditors to be able to say you’re SaaS compliant.” So, right away, what I’ve done is explained that I understand their rules, and I’m not going to try to change the game on them. And so therefore if there are situations where I can’t provide that evidence anymore, I will call it. But I try to make that as small as possible to allow the auditor to get us to a good outcome.

[David Spark] All right, Linda, just quickly, have you had this sort of two-way engagement with the auditor in that you’re trying to move them towards a more sort of secure environment that what they’re asking for is really not being helpful to yourself and to sort of the greater community?

[Linda White] The answer to that question is yes. I have had the experience of auditors going down the wrong path because they didn’t understand the SaaS solution as they thought they did. Even though we had communicated it.

[David Spark] Could you be a little more detailed? Explain what they did that was wrong, and you had to kind of steer them in the right direction.

[Linda White] Maybe looking within a certain system for some… And this is a while back. So, for some passwords or some admin privileges. I’ll go back to admin privileges. And they were doing it… And I hate to say this, but I’m going to say it. They were doing it wrong. They were looking in the wrong system. Once they had their head down into where they were going to progress, it was difficult for primarily the junior auditors to listen. They just knew their plan. They had their lesson plan, and they just went through. They didn’t have the ability to take a step back and listen, and use that active listening to understand our solution better.

[Steve Zalewski] So, let me chime in here. I’ll offer one, too. Because if you asked Linda, “Give me examples,” it’s only fair that you ask Steve the same way.

[David Spark] Give me an example, too, Steve.

[Steve Zalewski] Because that was a really hard question, so I’m going to take one. Here’s an example that I had. When I worked at PG&E, and I had to worry about critical infrastructure protection, NERC CIP, we had a situation where our data centers were all virtualized. They were all virtual servers. And my door access systems, the systems that were controlling access to the critical infrastructure, so to the substations and everything else, were on two virtual servers. Perfectly legitimate, isolated zones to meet everything so that I could meet the requirements. The NERC CIP auditors came in. They looked at me, and they said, “They have to be physical servers. You cannot have virtual servers.” And I looked at them, and I said, “I don’t have any physical servers. Our data centers are totally virtualized. There’s no concept of a physical server.” That was where a conundrum [Inaudible 00:13:59] because he simply said, “The rules state it has to be a physical server. I cannot approve virtual servers. I’m not going to go back and do it.”

[David Spark] That’s your dated response. There you go.

[Steve Zalewski] That’s the dated response. Well, in that case I simply said, “That’s crazy. It’s going to cost us six months to be able to go buy a couple of physical servers, put them in, get the operations teams to do this.” And we took a six-month hit. But in that case I realized the auditor could not change…

[Crosstalk 00:14:27]

[David Spark] Well, so you actually had to do this?

[Steve Zalewski] Yes, actually had to do this and took a six-month hit in order to be able to accommodate that. But then took it back and said, “Can you please take this back? Because this is going to be more and more often.” And I took the hit in building the relationship. But for them to understand you’re asking for an impossible. And on my side, people were really upset with the auditors that they went through this because they’re saying, “This is ridiculous.” And I was the one adjudicating to a certain extent and saying, “Yes, it’s going to take six months. And it’s totally ridiculous. But the right thing to do is get a couple servers in, put them in. We’ll take six months. In the meantime everything is working.” Because while the auditors then passed us with a note that this was an issue, we were still able to meet the spirit and intent of the assessment, and the assessor was able to say, “Okay, I’ll give you six months to replace it, and I can pass you.” And that literally actually happened.

Sponsor – NetFoundry

15:26.599

[Galeal Zino] In a digitally transformed hyper connected world, bolted on is clearly no longer good enough.

[Steve Prentice] This is Galeal Zino, founder and CEO of NetFoundry, whose platform enables CISOs and security professionals to eliminate the [Inaudible 00:15:42] and replace it with secure by design networking.

[Galeal Zino] We seek to end the tug of war between security and business velocity. And historically we need to trade off one for the other if we want stronger security. It would mean less automation, agility, business velocity, or vice versa.

[Steve Prentice] This, he says, is in how it can all fit together.

[Galeal Zino] The beauty of changing from this bolted on LAN [Phonetic 00:16:05] infrastructure model to built in security is you actually end that tug of war. You move to a software world. You shift to the left such that you get stronger security and better business velocity by eliminating all that bolted on infrastructure. We think that’s incredibly important because we believe that the businesses that win are the ones who are fast or agile, who are hyper focused on delivering an awesome customer experience to their customers. Those type of companies, they cannot afford to have this tug of war between security and business velocity. They need both. NetFoundry enables them to have both by replacing the bolted on LAN infrastructure paradigm with a secure by design networking platform.

[Steve Prentice] For more information visit netfoundry.io.

What needs to be considered?

17:03.843

[David Spark] Andrew Alaniz of Freddie Mac said, “Our frameworks have also not kept up with the technology shift. And so not only do we need technologists in risk and compliance functions, we need people who are capable of talking to all manner of audience – tech, board, risk, compliance, executive – and steering the conversations away from the paper framework and towards business outcomes and business value.” So, I can see a framework that says, “You need a physical server.” That’s not good. Jacob Horne of Summit7 said, “Compliance needs to embrace automation to every extent possible to free up time for the interdisciplinary suffer fest of cyber security governance.” So, I will start with you, Linda, on this. Are frameworks not keeping up with the times?

[Linda White] No, they take too long. Technology is explosive, as we all know. And it’s out there before we even know sometimes, and the frameworks are slow to catch up. It would be great if we had a more proactive approach to building up compliance in parallel to the technology. I don’t see that ever happening. But it would be great if it could be a joint effort and run in parallel. And in regards to… If I can just comment real quick on the automation. I’m a key fan, as everyone in my opinion should be, on automation. Because any time you can create efficiencies, it’s always a win. If we had truly… And I can already tell I’ve done a little bit of different audit work than Steven has. If we could truly have automation throughout the entire fiscal year with our auditors so that we could have a checks and balances… Kind of like going to the doctor. And then being sent to a specialist or something like that. And we could have regular health checks on our audits and our evidence, we could alleviate a lot of the strenuous work later. I think that sometimes we make the auditing process more difficult than it needs to be as humans. It’s kind of like we’re running this…we have this marathon to prepare for, but we need to be working on it daily or weekly to prepare for it. Because procrastination always loses when it comes to compliance. And then another thought, too – if we really did start to go that way with some innovative audit tools, would they be audited? And maybe there’s a tool out there. I don’t know if the innovators are listening, but maybe there’s one out there. I don’t know. But should they be audited.

[David Spark] New tools to be audited. That’s always a treat. [Laughs] Steve is making a face.

[Steve Zalewski] I’m going to say… So, the question was what needs to be considered. And my comment is folks, the game is about to change. It is not about auditors and engineers for PCI, and SOCs, and everything else. Welcome to consumer data privacy. Welcome your favorite lawyer into the room who is now responsible for that whole aspect of audit and compliance against GDPR and others. And they have no interest in any of the conversations you had around business data. They care about consumer data. And now I say guess what? My best friend is my lawyer, and my engineering and my auditors are not my two younger, annoying siblings. Because I got to make the lawyer happy. Welcome to a new game, and we’ve got to figure out how to do that.

How do we determine what’s most important?

20:49.454

[David Spark] Shinesa Cambric of Microsoft said, “Learning both sides helps to support a diverse and inclusive mindset when thinking through risk and security controls.” That I think is key. And Laura Rodgers of North Carolina Military Business Center said, “An optimal solution simply cannot be achieved without buy in and collaboration. Both will reduce the cost of compliance, the time involved in achieving compliance, and will result in better solutions.” So, I’ll start with you, Steve, on this, is that essentially learning from either side gets a net better result and working together. Essentially what we were discussing. And so how did you learn better the other side yourself? I’ll ask that, Steve.

[Steve Zalewski] What I would say is my ah-ha moment was compliance is a state of mind, not an end state. So, you have to be in the compliance state of mind to know what is appropriate at this point to provide evidence so that you can get through the process until the next time. So, the more I understood the perspectives of each of my stakeholders, I was able to look up at them and said, “Hey, you compliance people, it’s incredibly important to you to do this.” But compliance is a state of mind. Every business vertical has a framework that is very similar to every other – PCI, SOCs, GDPR. They’re all slightly different. They’re all trying to do the same thing. So, can we acknowledge say what you do, do what you say? Compliance is a state of mind, that we want to be good enough to be able to demonstrate that for assessment and move on to the next year. And let’s try to automate what we can and move with the business.

[David Spark] All right, Linda, I’m going to let you have the very last comment on this, and that is how did you learn about the other side yourself?

[Linda White] Empathy, active listening, interpersonal skills, soft skills, emotional intelligence. All of those things packaged up together. [Laughs]

[David Spark] So, really the basics.

[Linda White] They are the basics. It’s people skills. And being able to communicate transparently.

[David Spark] Did you have an ah-ha moment?

[Linda White] Yes.

[David Spark] What was it?

[Linda White] Let’s see.

[Steve Zalewski] That it’s a cotton picking problem.

[Laughter]

[Linda White] It is. Thank you. The moment that I remember being in a data center in the basement with an auditor and a network admin. And I just was very transparent, and I said what I said. I didn’t know if it would generate an exception in a SOC2 report. I didn’t know, but I just said it. And that was exactly what he needed to hear. And did we generate an exception note? Yes, we did. But we remediated it before the audit was over. Had I not said that, I think that it would have not been remediated. It would have been a finding for sure. That’s what I remember – always be honest and transparent. Speak up. Don’t be afraid.

[Steve Zalewski] A material finding can be your friend in the right circumstances.

[Linda White] It could be. Agreed.

Closing

24:22.776

[David Spark] That’s actually a good way to close this conversation out. Thank you so much, Linda White. Thank you so much, Steve Zalewski. And also let me thank our sponsor. That’d be NetFoundry. For more from NetFoundry, go to their website. netfoundry.io is their web address. Now it comes to the end of our conversation where I ask both of you what was your favorite quote, and why. And I will start with you, Linda. Which quote was your favorite, and why?

[Linda White] Well, I had two. Not one. I had two.

[David Spark] So greedy.

[Linda White] [Laughs] The first one was from Michael Dennehy from Change Healthcare. He said, “In my experience, being compliant does not assure a low-risk secure environment. However, being out of compliance does assure a high-risk less secure environment.” I love this because we all love to provide our customers assurance that we have this compliance, this compliance, and so forth. But just because we’ve adhered to a regulation or we’re compliant with GDPR for example doesn’t necessarily mean we’re more secure. I think it’s a security blanket, so to speak. But we definitely… It’s the opposite. Yes, you are high-risk and less secure if you have nothing. But it’s all perception. You could be compliant to one regulation and be more secure than a company who has three. The other quote that really spoke to me was from Shinesa Cambric at Microsoft. “Learning from both sides helps to support a diverse and inclusive mindset when thinking through risk and security controls.” And through life. It’s all about that emotional intelligence – being able to lean in, listen, really listen to the other side, being able to communicate it back to the other side, having buy in from both sides. And then you agree to disagree, and you move forward because you both have ownership.

[David Spark] Excellent. I love that. Steve, your favorite quote and why?

[Steve Zalewski] Well, this time I am going to go with Linda, which is I think Shinesa Cambric from Microsoft, “Learning from both sides helps to support a diverse and inclusive mindset when thinking through risk and security controls.” At the end of the day, you’re siblings. And so the more willing that you are open to listening first before speaking is the better you’re going to understand. And that diversity and inclusion, that’s it. The more you understand, the more you really are then looking at the risks versus the controls. So, I think in her simple statement she really brought in three or four key concepts we talked about here and nailed it.

[David Spark] Awesome. All right, let’s wrap this whole darn show up. Thank you very much, Steve. Thank you, Linda. Linda, I always ask our guests… And I don’t believe you are. You are not hiring now, or are you hiring?

[Linda White] Not at this time.

[David Spark] Not at this time. That’s totally okay. And, Linda, just if someone wants to find you and wants to know more about Axiom Medical, please give us a quick 411. What are you doing over there?

[Linda White] Sure. Axiom Medical, we provide health and safety solutions and services in the workplace. If you’ll follow us on LinkedIn, you’ll get a lot of good content about health and safety management in the workplace, and also some best practices for employers.

[David Spark] Thank you very much, Linda, for joining us. Thank you, Steve, as well. And thank you to our audience as well. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.