
Yes, so hello everyone, thank you for joining this afternoon. It's a pleasure to be able to speak to you. I'm just trying to keep it light and nice and easy this afternoon, so it won't be death by PowerPoint or anything; I've only got a handful of slides, so let's dig into it.

So yeah, as it says, "The Ballad of Alex Pedison: the journey of compliance as a techie". Effectively this is to be my story, a little bit of a reflection, and a way to impart some hard-fought nuggets of wisdom. Over this previous year we've gone through some audits at work and I had to lead those projects, so, like I say, it's a reflection on all that I've learned and the difficulties we went through.

So who am I? I've been in the industry for 10 years now. I started off as a network and security support engineer, and that was great: I was doing firewalls, proxies, all that good stuff. Then I moved on to security product support, 24/7 shift work, so, as you know, always the best for your sleep pattern. I moved from there over to an aerospace company, where I was an IT engineer, then senior IT engineer, but we were a small team, so I managed everything from firewalls all the way through to climbing under the desks and doing all that fun stuff, and building HPCs and really interesting things there. So that was great; I was there for a number of years, and then moved over to where I am now, which is a company called Featurespace. I joined there as a security engineer, and I've now become a senior platform security engineer.

So, after all that, at the start of the year we went into our yearly audit. We have a yearly audit because we work with the banks, so we work with mainly two frameworks, and those are PCI DSS and SOC 2. If you're not aware of what those are: PCI DSS is our key one, because it's the EMA, sort of European, standard for banks. It's the Payment Card Industry, and the Data Security Standard is the subsection of that, or that specific framework within the PCI organisational framework. And the other is SOC, which is System and Organization Controls. All fun, really catchy names there.

Just a little bit of context specifically around PCI DSS: it currently contains around 200 critical controls. There is version 4 that is right on the horizon, which adds, I think, around 64, maybe a little bit more by the time it comes to publication, and they need to be routinely and accurately executed. So it's a yearly cadence, but you have your quarterly obligations: you have to maintain it quarterly, evidence it, and, like I say, maintain it and make sure you're not doing anything naughty. Within that there's additionally policy, process, ensuring it's being tested: pen testing, internal testing, external testing, everything across the board. Effectively that means it's very comprehensive, and it impacts almost every area of the business, frankly. And just to quickly highlight, it's covering security, availability, confidentiality, processing integrity and privacy, so they are the key subsections within the audit framework.

And just as a final point, many frameworks will have fundamentally the same thing that they're trying to assess you on. Really, at the end of the day, it's security, it's best practice, and what they're trying to do here is just give you the key so that you can go through it and have a marking criteria. That's the way I've thought about it, and we'll kind of delve further into it as we go. Hopefully my slides will go... there we go.

So yeah, what's with the Western theme, you might all be wondering? Frankly, it's a metaphor. Since I really started in this industry I kind of identified it quite quickly in my brain: it is the Wild West out here. It's obviously getting better, but frankly, in my opinion, it has been a Wild West, and that's just due to its nature: it was completely new right back in the day, it had to start somewhere, and like the frontier it was all fresh, it was all new. So that was kind of the idea I went with, and I just want to roll through a few words that I've used in the past that evoke some imagery from both security and that Wild West theme, and how that works, at least in my brain anyway.

So, going through: Independence. The way I see it, again, frontier: every town had similar rules, murder's bad, stealing's bad, you know, your Ten Commandments, right? And frankly we have a similar idea in the industry: everyone has the same understanding of what's bad, but there hasn't been, maybe we're getting there slowly, consistency across every country, everywhere, globally. We're very isolated in that way. In fact, that's why I have Isolation there as well, separate from Independence: every town thinks their rules are the best. And then the isolationism of... like I say, it's getting better in recent years, and it's been mentioned throughout the conference today that the sharing of information is limited, to say the least. Like Chatham House rules, you've got your different concepts for different things, but there's no consistent framework, not only within security but for organisations, for countries, so I think there should be an effort to standardise a lot of that, in my opinion.

Crime: I think that's fairly self-evident, right? I think it's the name of the game of the trade for us. Wilderness: I have Wilderness in here. For me, really, my experience has been specifically around open source tools; you know, it can be a nightmare when that thing breaks and you're trying to find a legitimate source of information that doesn't make you configure something that breaks the whole system, unfortunately, because it worked for them but it didn't work for you. And finally, Adventure. Excuse me. Adventure: why we do this. I think it keeps it fun, how quickly things change, at least it does for me. It's why I keep interested in this; it's not stagnating, it is changing almost daily, right? So yeah, that's me again evoking imagery from both the Wild West and what I see in the industry right now.

So: auditors asking you for evidence. He's over your shoulder, he's got you, he's got you locked down, you're sweating the [inaudible]. I should have used that other meme where the sweat is coming down his face. Frankly, all you need to do is just stay calm; that's always the case, right? You'll be hot under the collar, but what it comes down to, and I've talked about it today with other people just casually, is that compliance is often thought about as the way to build your product: the business says "we need this compliance to be able to sell something". That's the wrong way round. Frankly, we should be building and doing these things with best practices, and best practices feed into the compliance to give you the opportunity to mark your homework, and then you move on. It's that iterative cycle where best practice feeds compliance frameworks and the frameworks can feed into the best practice, and it's that ever-evolving cycle. Oh, has it come up or is it frozen? Yeah, and that's all I'm trying to say here: they feed into one another.

So, like anything, what's my advice? It's: do your homework, right? Check your technology and do your due diligence before making the leap, or before guaranteeing you will get that compliance for your company or whoever it might be. And little tips: gap analysis before you even start, to understand what that challenge looks like. I've got so much emotion about this one, so my next line here is: comprehensive document repository. That was a huge learning lesson for me this year; I'm happy to talk about it after this. We had nothing... well, I should say we had some things, but in my brain I couldn't quite wrap my head around it. I threw it all into a GitLab repo: it's change-controlled, you can track everything, and as long as you've got a file directory structure it works. You don't need to buy a 1,000 or 10,000 tool to help you; there are cheap ways to get around this right now if you're struggling. So yeah, just start off with a comprehensive document repository, and that could be as simple as a file directory structure.

Change management and exception tracking: this is really, really key. Exception tracking is huge, because the main thing the auditors are looking for is that you have an understanding of what you have and where those risks are, and that you're proactive rather than reactive. You don't want to be finding out all these things and these issues while you're in the audit; never a good thing, right? You want to be prepared. Another thing, obviously, is policies and procedures, but again it's kind of going back to doing your homework: make sure you've got those things in place, or you've at least read them through and you understand them, before you present them to the auditor. And then finally, really, and kind of what I've said throughout these bullet points, is just understand the compliance. Understand what you're doing, have a look at it and read through what you're actually looking to achieve here, because often the auditors won't necessarily understand what your product does. They may say that they do, but you are the expert, you are that subject matter expert, and so it's your responsibility to present that to them, and be honest about where those gaps are, but then in that honesty show where you're being proactive and saying "look, we've got this gap, we know it's there, this is how we're accepting it right now, and this is how we're going to fix it in a month, six months, a year and beyond". That's all they're looking for, and, coming back to that image, it's not someone over your shoulder; it's meant to be collaborative.

So finally, these takeaways, right: how do you become the fastest draw in the West, and what do you need to know? Really, like I've said, it comes down to a lot of hard work, so that's the discussion you need to have with your management or whomever it might be: is it worth it? Is it worth it for your team, is it worth it for the organisation in general to try and leap this hurdle, and the investment, because there will be critical investment at some point? Do it as a team; never rely on one person. It's a big, big challenge to get any form of compliance, and like I said earlier it affects every aspect of the business, so don't depend on one person. Share the load, share it with all the people within your business who know what they're doing, because they're the experts; it won't be just that one person who has to know everything. And mistakes are going to be made, in all honesty, whether it's your first time, your third time, your fifth time, into the future. You know, people change, the business changes, the technologies change, the product you're selling might change, and it's iterative. You'll keep changing, you'll make mistakes, you'll learn from those mistakes. Accept it, be brave, be bold and iterate, and finally, learn your lesson from it. Cool, that's everything, thank you very much. I'm happy to take some questions.

Got any questions?

[Audience question, partly inaudible: ... the isolation point ... what would be some strategies you've learned over the past year?]

Gosh, see, I'm maybe not the best person around strategies, but I completely agree with you, right? It kind of comes back to my statement about going to all the experts within your business, so that's maybe the first port of call: identify those people. Again, before you jump, before you make the leap into starting an audit, make sure you have those guys identified, you bring them into a room, you walk through the audit together, and bring everyone onto that same page before you even start. From there you have a baseline, you then move on, you create a working group, you communicate. That's all that needs to happen; I don't think it's that complicated, but people shell up, they have their responsibility and then they won't share. But if you break that cycle right at the beginning you're good, and then it's just about maintaining it, and you're not reinventing the wheel midway through a project, or three years down the line you realise, "oh, actually we should have talked to them because they know more than us". So yeah, that's all I would say to that, I think.

[Audience follow-up, inaudible]

Yeah, whether it's regular, you know, build your own cadence, whatever is comfortable; that's down to that working group, but as long as it's consistent. Yeah, I would agree with that. Any more? Any more? Yes, please.

[Audience comment, partly inaudible: ... same issue ... for me personally, one-man band ... going out all the time ... it's impossible ... So what I did was I moved my processes to the left as far as possible. One of the main areas for me, one main project ... with new clinical systems coming in with no consideration of ... all the stuff you're going to be asked; they weren't baked in, and at the end, at sign-off, we had to release it. What I did was get involved pre-... product ... my team, as far as possible, became spread across the organisation as opposed to just being a little block in the department, and by doing that, having those conversations and going into those projects and saying "your responsibilities on this are: I need to see this, and you, I need to see this", written from the get-go. And what you'll find is exactly what you posit: that will grow organically over your three months doing it, six months doing it, your second year of doing it. Standards do change, we accept that; you have to go "we haven't got that here, the risk is this" ...]

Sorry, no, no, absolutely, I couldn't agree with you more. It's moving from that on-the-back-foot mentality and, yeah, being proactive, like you say, getting into their pipelines and not being an external party; you've got your finger on the pulse and you know what's happening. Exactly, exactly. Yeah, no, thank you.

[Inaudible exchange with the host.] I know, I should... side hustle... All right, well, next time you might see me with the Stetson on as well. Oh yeah, yeah. Brilliant, thank you very much. Okay.