
Stop Making Nonsense: Cutting Through Compliance Complexity

BSides Leeds, 29:02, published 2025-08

So, thank you for attending. I think it's just what you need at the end of the day: a guy talking about compliance, keeping you from the pub. But anyway, please bear with me. I've got a little tape I want to play. Oh, I did have a tape. What happened there? Oh dear. Yes, compliance: things go wrong.

Yes. Anyway,

So, hello everyone. My name is Matthew Kaplan. I'm a security adviser for Orange Cyber Defense. This presentation is built on the 3 Ms principle of movies, music and moggies. Cyber security compliance can be a complex and daunting topic. With a little help from my friends Talking Heads and other musical influences, as well as my cats, I hope to bring some clarity to this somewhat confusing topic.

So what is compliance? Well, it's an organization's adherence to applicable rules and regulations. It could be a requirement by law in a particular country or a particular industry, or for certification purposes in certain industries, or just to meet contractual commitments. There are many regulations these days to choose from, and you may have to comply with multiple regulations. It's very likely that you will, and this creates additional headaches and workloads for your organization. The following short movie helps to introduce the topic of compliance.

[Clip: Talking Heads, "Once in a Lifetime"]

You may find yourself behind the wheel of a large automobile. You may find yourself in a beautiful house, with a beautiful wife. You may ask yourself, how did I get here?

You may ask yourself, how do I work this? You may ask yourself, where is that large automobile? You may tell yourself, this is not my beautiful house. You may tell yourself, this is not my beautiful wife.

You may ask yourself, what is that beautiful house? You may ask yourself, where does that highway go to? You may ask yourself, am I right? Am I wrong? And you may say to yourself, my God, what have I done?

Wherever you are in the world, you may find yourself bogged down with complex regulatory requirements, and these can be difficult to understand, as they are often written in complicated language, with regulators seemingly speaking in tongues. As a result, organizations may struggle to interpret and apply these regulations, and it can be seen to be stifling innovation and slowing down the operations of your organization.

There are many regulations coming at you from all directions these days. Some of these are industry or situation specific, such as SWIFT for bank payments; you now need to be compliant with the SWIFT cyber security programme to use that service. TISAX for the automotive industry and its supply chain. PCI was recently updated to version 4, with new requirements for card payments. TSA and IOSA for the airlines and airports. DORA for finance and HIPAA for healthcare. And then there are more wide-ranging regulations, such as GDPR, which seems like it's been around for a while now but hasn't gone away, and with seven out of 10 countries now having similar privacy regulations, there's no escaping, wherever you are in the world. And then there's NIS 2, which came into effect last year, aimed at strengthening critical infrastructure and the security of the European Union. It's estimated that over 150,000 organizations are in scope for this wide-ranging regulation.

I'll focus on three challenges which are currently driving the compliance landscape, all of which overlap somewhat: AI, digital sovereignty and supply chain. I'll start with artificial intelligence, since you can't really do a talk these days without talking about AI. That's me, myself and

So AI and automation no doubt have great benefits, but they create risks, because quite often it means you're moving and transferring data outside your organization. The use of automation and AI is enabling cyber criminals to launch attacks at scale, increasing the frequency and the impact of those cyber attacks, but it's also helping to defend against those attacks. So, like a lot of technologies, AI is a double-edged sword, and like all other technologies, it needs to be introduced with suitable controls and guard rails. With that in mind, the European Union has brought in the European Union Artificial Intelligence Act, the EU AI Act, and this is aimed at ensuring protection of consumers by prohibiting harmful AI, making those who create and distribute AI accountable, and it's part of a trend focusing on third parties. It takes a risk-based approach, and you could be in scope even if you're not in the European Union. There's always a potential for over-regulation. The intention actually was to promote innovation, but because it places an unnecessary burden on artificial intelligence developers and smaller companies, it could actually have the opposite effect. There will be some enforcement challenges because of the broad definitions; certain terms like harmful AI are not that well defined, and the global nature of AI means that enforcing that could be difficult.

Moving on to data sovereignty. The control over data is becoming a battleground in 2025, and the principle of data sovereignty is that data stored within a country should follow that country's laws. Businesses are demanding more transparency, and they want to know where their data is. Geopolitical uncertainties mean more and more questions being asked about who has your data, and with this in mind, the cloud providers are already responding with localized cloud offerings.

Talking of third parties, third-party relationships continue to expand as organizations seek help to do what they cannot do for themselves and to create new opportunities. Consequently, threat surfaces have expanded, leading to more attacks on third parties, with over half of all security incidents now being third-party related and 98% of organizations being connected to a third party that's been breached in the past few years. Regulations such as NIS 2 and DORA have increased the focus on third parties, and one important principle here is that you cannot outsource liability. Whilst you have someone to blame when things go wrong, it still comes back and affects you, and the regulators won't accept the excuse that "we trust our vendor to take care of things" when services fail or data is compromised. And one piece of good news, maybe, is that your managers could now be liable for infringements and could end up in jail.

These topics all converge with compliance in the form of digital trust. Digital trust is the confidence that people have in the ability of an organization to protect their data whilst upholding certain societal values. It helps people feel safe using an organization's products or services; it's about prioritizing security to protect data, and it's about being open and honest about how the data is collected and used. According to a recent McKinsey survey, ethics and trust around personal data are almost as important a spending criterion as the traditional price, quality and convenience. So with all of this in mind, what could possibly go wrong when an organization is not compliant?

Heat. Heat.

As you can see, non-compliance can lead to devastating consequences. But actually, compliance is a healthy benchmark for good practice and an indicator of quality to interested parties and stakeholders. It's about achieving cyber resilience and ensuring the availability of services and the protection of information. With cyber crime estimated to cost 8 trillion pounds currently, and rising to over 15 trillion by 2027, data is now arguably the world's most valuable resource, overtaking oil.

So let's explore some of the consequences of non-compliance further. Services could be unavailable in the event of a data breach, or systems might be offline for days or even weeks. This costs money: it's estimated that it costs over 4,000 pounds per minute, and that's for downtime, and that cost could increase depending on your organization's size and complexity. The regulatory fines that you could be incurring will also cost you a lot of money if you're found to be non-compliant, and these fines can vary depending on the severity and the nature and extent of the non-compliance, and you could also be facing multiple fines for breaching multiple compliance requirements. Two of the largest fines issued to date were to the Chinese firm DiDi Global, who paid 900 million in fines, and Amazon, 625 million in fines, for data breaches and GDPR violations. The cost of the fines, the legal fees, the compensation and all the remediation efforts cause a significant impact on your business, as well as impacting future investments and your credit ratings. Non-compliance could tarnish your reputation and also damage your ability to attract new business. It could lead to loss of customers, with PwC estimating that 80% of organizations will go to a competitor if they don't trust you to handle their data responsibly. And non-compliance can lead to restrictions on accessing the market you operate in or expanding into new markets. And in the worst-case scenario, regulatory authorities could revoke or suspend your licenses, meaning you can't operate at all, which could mean business closure.

So, despite presenting the overwhelming case for complying with regulations, I want to talk a little bit about the dilemma between compliance and non-compliance. Some of the benefits of compliance include an enhanced security posture. It helps build trust and credibility. It improves operational efficiency with better processes, and it could help you obtain cyber insurance, if that's a requirement of your business. But on the flip side, 40% of organizations said that cyber insurance didn't cover them for all the costs when things did go wrong. And some companies have benefited from the freedom that non-compliance gives them: a fine, versus all the things that you have to put in place; the solutions could cost more. So it's actually worth a bit of cost versus benefit. Compliance can be seen as restricting innovation, and it's risk versus reward. An example is Cambridge Analytica and Facebook. Cambridge Analytica used the data to assist the 2016 presidential campaign of Donald Trump, and that data misuse was disclosed in 2018. Facebook shares dropped as a result, but they very quickly started to recover, despite paying 5 billion in fines for privacy violations. The total value of Facebook now is 1.6 trillion, which is four times the amount it was worth before the scandal. Donald Trump has gone on to be president twice, despite some compliance issues of his own.

So the traditional view is that non-compliance is bad, and some organizations will do the absolute minimum and still benefit. But this depends nowadays on the industry that you operate in, with many traditionally being much freer than others. With more regulations coming in, in more countries and more industries, it's getting harder to avoid. So, in my opinion, it's better to try to get things right. Compliance needs to be proven, and it's impossible to discuss compliance without discussing or mentioning audit.

[Clip plays]

... You start talking, but you're not saying anything. Say something once ...

So despite this dismal view of audit, audit actually could be a healthy benchmark, and it shows what a good job you do to your customers and to your own management. However, it's restricted by a lack of in-house resources quite often, and it's very time consuming, with a third of all organizations saying it takes over a month to produce the necessary audit evidence for a single audit, and most organizations have multiple audits every year. The more audit failures you have, the more time and effort it means. And it's worth noting that an auditor is only as good as the responsiveness of those being audited and the quality and the timeliness of the evidence provided.

So you've got two choices: do it far, far, far better, or run away. So far I've talked about what compliance is and the consequences and the challenges. So let's move on to look at some solutions and how to simplify compliance.

So, it's very confusing with all these different regulations flying around, and rather than going into all the specifics (you wouldn't thank me, because you're never going to get to the pub if I do), note that each regulation has its own set of requirements, yet there's significant overlap between them. So, it's important to adopt a unified framework; this makes complying with multiple regulations easier. Most compliance regimes, in fact all of them, call for risk management processes and governance, a suitable organization in place, and controls such as identity and access management. There's an increased focus on supply chain, and on incident response to ensure timely detection, containment and recovery; it's worth aligning to standards such as ISO 27035 and adapting those to your organization. Resilience testing is increasingly a part of all compliance, with vulnerability scanning, pen testing, business continuity and crisis management testing. And regardless of compliance, it's actually healthy to do these things, because it helps you know what's going on within your organization. Many organizations will tell you what to do but not how to do it, but they will all point towards adopting best practices such as ISO and NIST for more guidance. Whilst PCI maybe is narrow in focus and scope, and it's focused on the card data, if you comply overall with a standard like ISO or NIST, it'll get you compliant with the majority of PCI requirements, and then you just need to focus on the specific extras.

Simplifying compliance and complexity requires a systematic and strategic approach. Start by gaining an understanding of the regulations that apply to you, and then focus on the key areas that carry the most risk to your business. Establish a governance structure to oversee the implementation of a GRC framework (governance, risk, compliance), to set objectives and provide strategic direction. And remember that compliance is not just for auditors and IT. Risk management and compliance play a central role, and the regulations touch all aspects of every organization. These days, with business continuity, third-party risk and incident response all required, they all require coordination across the business and all departments within a business. If you think it's someone else's job, chances are you're leaving gaps that the regulators and the attackers will notice and exploit. It's important to regularly do employee training and awareness, with human error accounting for 80% of security breaches. It's important to foster a culture of security awareness and compliance.

Documentation is always an important part of every compliance. You need to have standard operating procedures and checklists. But it's important to write down what you actually do and follow it, rather than writing down and saying what you think someone wants to see and then doing something different. And it's important to review that documentation regularly. Also, you'll be asked to prove whatever you say you do, so be prepared to have the evidence to support it.

Organizations can fail to see risk as an opportunity. It's worth considering that risk is not the chance or probability of loss; it is the effect of uncertainty on objectives. And uncertainty is actually a positive if you've built a resilient organization around yourself and you're prepared for change. So you need to implement a risk management framework based on a standard like ISO 27005. Conduct regular risk assessments to identify, evaluate and prioritize threats and vulnerabilities. Focus your compliance efforts where they matter most, to use your limited resources more efficiently. And any solutions that you put in must address a specific risk; otherwise you're just going out and buying toys for the sake of it. And ensure that this actually applies to third parties as well. As mentioned previously, you cannot and should not put all your efforts into eliminating all risk. It's not when, but if. So, be prepared. Mitigate and manage the high risks to reduce the blast radius of any attack. As the great philosopher Rocky Balboa said, it ain't about how hard you get hit, it's about how hard you can get hit and keep moving forward. If you rely on a single line of defense, an attacker can always get through.

I'd like to stress that no cats were harmed in the making of this video, or any of my other videos. One cure is defense in depth: a blend of preventative, detective and corrective controls, such as multi-factor authentication, encryption and segmentation. You need the threat intelligence to know what's going on out there, to anticipate slippery people, and monitoring to detect when there has been a problem, and processes in place to respond and recover quickly and effectively when it does. It's about taking a layered approach that doesn't stop at your organization's perimeter and must go beyond, into the supply chain. One such control, I think possibly the most crucial control of all, is identity and access management, as it covers the whole life cycle, and it's critical for adhering to regulations and security standards, because it's about making sure that whoever's authorized, individuals have the necessary permissions required. We won't go into all the different compliances it helps with, but for GDPR it could help you with data subject access controls by managing who has access to personal data and for what purpose.

Compliance based on complicated systems and processes is doomed to failure. I want to use the example of the Gothic horror novel The Picture of Dorian Gray. Although it was written in the 19th century and is seemingly not that relevant to the modern IT world, it's a great cautionary tale for poor IT infrastructure. In the novel, Dorian Gray chooses to sell his soul, asking for a portrait of himself to age and fade rather than him growing old and fading. In this sense, this reflects our horrific systems and processes, like the painting getting ugly and hidden away in the basement, whilst we attempt to portray ourselves as the beautiful Dorian Gray to the outside world. Audit outcomes simply reflect your mess and are a mirror of your own madness. Get your documentation, your processes and your systems in shape, and then compliance will naturally follow.

A lack of processes, or complicated processes, contribute to negative audit outcomes and poor business efficiency. And when processes are complicated, people will bypass them simply to get their job done. But this causes more security issues and more compliance consequences. Having many poorly implemented controls is not better than having a few solid ones, and tracking thousands of risks that you can't mitigate doesn't help any more than solving the 10 key risks that you can fix. There's always this idea that we'll miss something if we don't try and cover everything. But you're probably missing things already; you just don't notice it, or the extra noise that you make means you can't see the wood for the trees.

The biggest obstacle to cyber resilience is the complexity of IT infrastructure. The more complex an organization's infrastructure is, the harder it is to maintain resilience, because you have more unnecessary failure points. By simplifying your architecture and minimizing attack surfaces, you can improve your ability to prevent, detect and respond, whilst achieving and maintaining compliance. Think of it like a kitchen. You'll be asked for a meal, for example an omelette. A good chef has the ingredients ready (the eggs, the milk, the onions, the cheese) and the necessary equipment to cook with. The regulations are the core ingredient. Regulations change, but the core ingredients stay the same, and you can make small changes to the recipe: add a tomato, use a blender, whatever. But it's all about preparation. The ingredients are the controls, the evidence and the process; the recipe and the menu are the audit scope. The core audit questions and answers usually stay the same, but you can make variations on the same theme. You have the base ingredients and you just need to serve up those variations of the meal to whoever asks. You just need to get your kitchen in order first, and then you're cooking on gas, ideally without burning down the house.

I just want to talk a little bit, quickly, about the role of systems and technology to enable better compliance. Technology creates risks, but it also is a key driver for achieving compliance. Implementing compliance management software, GRC tools, can help you automate tasks like data collection and reporting, minimizing manual effort and streamlining processes. Technology will also help you manage multiple frameworks and has the capacity to continually monitor and be proactive. But technology solutions will only help if you simplify your processes and your infrastructure. Otherwise, you're simply automating a mess, leading to a faster mess. And GRC solutions don't work out of the box, despite what salespeople will tell you. You still need a human to adapt them, to maintain them and to interpret the outcomes.

So, just finally, compliance is not a one-time effort. Compliance isn't static. The regulations are changing, as are the threats. And even if you are compliant with a particular certification or regulation, you have to show noticeable improvement in order to recertify and maintain that compliance. So this requires ongoing assessment and adjustment in order to stay ahead of the vulnerabilities and the changes, and it requires proactivity and continued improvement.

So in conclusion, stop viewing compliance as a mere checklist dictated by external authorities. Understand the requirements and integrate them into a cohesive, proactive, strategic framework. It's not if, but when. So be prepared. Adopting an effective layered, defense-in-depth approach makes you more responsive and resilient. Compliance is not a once-in-a-lifetime event, so regularly review your cyber security measures and practices. Remember, the goal of cyber risk management is not to achieve perfection, but to be aware of your weaknesses and strengthen them. Efficient processes mean less time and valuable resources wasted, plus it's easier to audit, making demonstrating compliance much easier. Invest the time in the early stages, because this saves complexity and issues downstream. And overall, be transparent, be proactive. Work with your auditors. Don't be tense and nervous. Relax. Stay positive. All right.