My name is Alan Radford. I am a field strategist at One Identity. Regulatory compliance is not an exercise in being reactive in cybersecurity. It's an exercise in being proactive. I find it really interesting that from where I've been sitting, it almost feels like society as a whole is trying to keep up with the rate of change in digital technology and how it enriches our lives, digital economy, e-commerce, and so on.
You look at the last 20 years, how quickly our lives have changed in the digital world. How long ago was it that we had Nokia 3310 phones and we were playing snake? And now we're conducting our entire working lives, in some cases, from a mobile phone. The regulations of interest in my field-- there are so many. It's very, very difficult to keep up with.
PCI DSS in the finance space is quite well-known. HIPAA in the health space, quite well-known. They're very vertical-specific. Then you've got some more geographic ones. There's a review taking place right now, I think, out of North America, where the US government is taking stock of the cybersecurity risk to infrastructure.
The European Union have had NIS and now NIS2, which is much around cybersecurity, collaboration with member countries, and looking at the infrastructure in each country, and encouraging them. Hey, look-- if your waterworks in country A and your waterworks in country B are collecting information about cyber risk, they should collaborate.
And they're even going so far as to proactively encourage them to use modern technologies like AI. They actually state it in what is being written in law. Hey, look-- if AI is going to add value, please use it. But they also stipulate it's not good enough to be reactive. We need to be proactive.
And then you take a step back a bit further, and you get things like ISO 27001, various NIST papers, of course, where you're given frameworks at very broad scale to actually certify your own cybersecurity practices. So it's interesting to see how you've got these broader compliance tool sets that then become regional and then become vertical-specific. And the more specific they are, the more the fines tend to be. There's jail time in some of them-- Sarbanes-Oxley out of the whole Enron scandal, for example.
You get less jail time for murder. Right? I was really surprised by that. And you're looking at a seven-figure personal fine. Like, when you look at the stats and when Congress voted in things like legalizing marijuana or going to war in Iraq, there were some number of people who were like, you know, I'm not sure. When it came to Sarbanes-Oxley, it was literally like two people didn't vote, and that was it, like unanimous.
So the point I'm making is that the world is starting to take cybersecurity very, very seriously. There have been too many breaches now, and governments are starting to write laws to enforce this stuff. My favorite one recently came out of the UK Telecommunications Security Act that comes into force for the telco sector. And I like that so much for two reasons.
One is it's an example of a government recognizing that, hey, look-- our national security actually relies on private sector telecommunications frameworks that we don't control. We kind of need to do something about that because if they're compromised, we're compromised.
And so they started writing legislation, but with very specific guidelines. You must do this. You must do that, affecting the whole supply chain. Sooner or later, cybersecurity vendors may themselves end up being seen as critical infrastructure. Let that sink in.
Imagine a world where cybersecurity vendors are actually seen as essential as internet providers, or gas supply, or traffic light systems, or waterworks, or electricity providers, because so much of our world relies on the digital estate that we've created. The security is a baseline requirement. It almost belongs on the Maslow pyramid.
So to approach compliance, what I recommend is that you have a team of people who are looking after the compliance in your world, because some are going to overlap. You might need to get yourself ISO 27001 certified to have that credibility with your customers.
You might also be doing business out in North America, so Sarbanes-Oxley might come into play. You might be doing business out of Europe. So various things out of Europe might come into play depending on the region. And then when you get more specific into your vertical, if you're in the finance sector, obviously PCI DSS and so on.
The point I'm making is that you are not going to be beholden to one compliance framework and that's it. There's going to be several, and they're going to overlap. Add to that the fact that big fine equals big risk. Your compliance frameworks are introducing a new risk in the form of penalty. OK? Whereas in the absence of them, your risk was simply the breach itself.
But now that you have a compliance framework that's being enforced on you, you now have a new risk in the form of that fine. OK? So there's a double whammy on that. One other piece of advice I'd give is that if you've got a team of people looking after and tracking changes, updates, and compliance frameworks and how to apply them in your organization, there are a couple of people to be plugged into that process. One of them would be business analysts.
The reason I say that is because you're going to be forced to put specific processes and specific risk controls in place. Some of them can revolve around technology. Some of them can revolve around people. Some of it's going to be very process-focused. But if the business analysts are engaged, then they can look for opportunities as to where those can be streamlined and actually enable the business.
As an example, PCI DSS, HIPAA, NIS2, the telecommunications acts that came out of the UK-- even ISO 27001 has a whole chapter, by the way, on privileged access management. All of those frameworks require PAM, Privileged Access Management. And when you implement a control like that, quite often you're introducing friction to the business in the form of, OK, well, whereas before I had credentials and easy access and I always had access to these high-privileged accounts whenever I wanted them, now I've got to jump through hoops to get them, and now it's only temporary access.
Yes, that's part of the compliance requirements you're under. But you don't have to have that level of friction depending on what processes you have, depending on what technology you're working with, what vendors you're working with, what partners you're working with. And as a reminder, having the business analysts in that mix as well, you actually have all the right people in that mix to have a very business-enabling compliance conversation rather than a business-debilitating compliance conversation.
There really is no need to tie your hands behind your back in order to be compliant. You can actually be compliant and increase revenue while doing it, and be competitive with your competitors, and take your business forward. Compliance is not something to be afraid of. It's something to be embraced.
Well, one thing that I think is often overlooked in compliance-- and I've spent far too many hours of my life reading through a lot of this stuff, and it's dry. Very, very dry reading. Trust me. But what also stood out to me is that the people who built these did a lot of research. Somebody didn't just sit down and go, how are we going to do PCI DSS then? Let's just make it up off the top of my head.
No. There's actually a framework of people sitting down doing their research, blending that into the updates. And these compliance frameworks aren't just written and forgotten about. You don't just go somewhere and download it and go, OK, well, this was made like 10 years ago. PCI DSS 4.0, like it's versioned-- that has come out in the last couple of years, I think, off the top of my head.
And all these other frameworks that are surfacing are very, very well-researched. The Telecommunications Security Act out of the UK-- a lot of research was done by the National Cyber Security Centre in order to put that framework together. A lot of it's based on that research. These are very, very well-researched frameworks, which means you don't have to do that research.
You don't have to invest in doing that research. You can adopt these compliance frameworks in the confidence that somebody else has done a lot of work to go, this is why you need this stuff. Go get this stuff in place. But the trick is it's down to you in how you implement it and continuously prove that compliance back. And that is where you can actually enable the business.