Join Den Jones, veteran Chief Security Officer at Cyber Aficionado, and his partner in crime, Aaron Wurthmann, as they delve into the evolving landscape of compliance in cybersecurity.
Den Jones is a Zero Trust security pioneer with over 35 years of experience in IT and security. Formerly Chief Security Officer at SonicWall, he has protected over 150,000 employees globally. An influential figure in cybersecurity, he also produces music and enjoys various outdoor activities.
Narrator:
Welcome to 9 0 9 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer at Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for 9 0 9 exec live. Auditors love it. Hackers laugh at it.
Den:
Well, everybody, welcome to our LinkedIn live session. Auditors love it and hackers laugh at it. Rethinking compliance in 2025 with my good friend and partner in crime, Mr. Aaron Wurthmann. Aaron. How are you today, man?
Aaron:
I'm doing great, by the way. I haven't seen that new intro. That was excellent.
Den:
I love, yeah, we got a bunch of them and I keep moving them around and trying other ones and shit. And we've got an outro at the end, which is kind of cool too. So let's go. Let's dig into this. So we spend a fair bit of time with some of our clients on compliance work, helping them get their SOC 2 and their ISO and all that good stuff. And actually you lead that charge for 9 0 9. You've got a better attention to detail than Mr. Jones has. So we figured it'd be good to put this session in place for people. So let's dig into this. Do you want to share with everybody what the topic is? What are we going to cover and then we can dig into it.
Aaron:
Yeah, I mean, the title pretty much says it all, right? I think there's this view from, as a business operator's view, of I need to go get compliance. I need to go get SOC 2 because my customers are asking me to, right? I need to go to ISO 27001 because my customers are asking me to, or I need to go get GDPR, HIPAA, so on and so on because my customers are asking me to. And it becomes very checkboxy, for lack of a better term. And as a security practitioner, as a risk practitioner, I'll tell you, there's more to security than that. And I think a lot of business operators perhaps know that, or maybe they don't know that, maybe they really think that security at the end of the day is a checkbox, or at least they treat it like that. And I'm here to tell you it isn't. And hackers, outside adversaries, I certainly don't want to continue to use that word hackers, but external adversaries certainly know that if all you're doing is compliancy that there's plenty of gaps in your security program.
Den:
And we've said this a lot to people, right? Compliance doesn't equal security and vice versa. I mean, it's a good indicator that you might have a decent security program, but it doesn't mean that you're not going to get breached. It doesn't mean that hackers aren't going to attack you. Now, one of the things is, and you and I, we talk a lot about this, which is checkbox security. And we like to think, we consider ourselves focused on pragmatic security where you want to reduce costs and risk and friction because people build security programs and the end users in these companies, they end up going through a lot of friction. So from a strategy perspective, I've spoken to a lot of startups over the years, and it's a case of you don't really want to spend money on compliance unless you're missing business or you're not getting the deals because you're not SOC 2 compliant and prospects walk away. But what's the strategic advice that you give to clients when they're thinking about being compliant or getting SOC 2 or ISO? What's that strategy?
Aaron:
Yeah, I mean, I advise looking at a roadmap. So just like you would a product roadmap, look at your security strategy as if it were a roadmap. What's the investment that you're going to need to make in order to be compliant? Is there ROI there? I mean, you have a great number, would you like to share the number that you tell people? Or if you don't, we can skip over it, but you use a number on don't try to be compliant unless X amount of revenue
Den:
Can be, as an example, like FedRAMP. If you're going to do FedRAMP, do you have a million dollar deal and a sponsor? If you're going to do SOC 2? I mean, I think when we work with clients, the average price of getting a SOC 2, just from an external perspective, consultants, pen testers, auditors, I mean, you could be sitting thinking about $30,000 or $40,000. I mean, obviously that depends on the size of the company, but it's not an inexpensive thing. So when you think of that roadmap, so from a strategy perspective, you're like, okay, so there's a roadmap here. We're going to calculate the ROI as the business to determine whether something is worthwhile or not. And for us, one of our clients, we started SOC 2 Type 1, and then you continued on to get their SOC 2 Type 2. And I think my memory is getting faded as I'm older, but the SOC 2 Type 1, was that a six week or eight week endeavor?
Aaron:
Yeah, I think each one of these are, they tend to be a six-week endeavor just to make sure that we're going through their evidence, doing an internal audit just to make sure before we're, and while we're engaging with external auditors, then we go on and then we tend to, as we're engaging the external auditors, we're trying to look for the best auditor for that company. And if that company is a new startup who's never gotten their SOC 2 before or whatever that is, we're trying to pair them with an auditor that understands that and is going to meet their budget. So we're very good at that. We're very good at finding auditors that understand that and finding auditors that are going to match their budget.
Den:
And well, that's one of the interesting things is when I kind of think of this, we've got pen test firms that we partner with. We've got audit firms that we partner with. And one of the things I do like is if our client is under a time crunch, then having more of these firms in the toolkit is really important. And then from a pricing perspective, then we get to beat them up on price and really try and go back to our client with the best possible outcome there. When we think about the journey that people are going on, so we've got SOC 2 Type 1, SOC 2 Type 2, then ISO, people talk to us about GDPR and HIPAA and all these other frameworks. So what does that journey look like? If you're talking to a typical client, what is the advice on what do you start first and then what do you buy off along that way?
Aaron:
Yeah. Well, we're seeing more and more from our, well, the US clients, US SaaS clients are always going to be gravitating towards a SOC 2, period. And so SOC 2 Type 1 is almost always first. The advice that I would start to give folks is, sure, go get that SOC 2 Type 1 first and maybe common criteria, which is the bare minimum. But as you're looking towards your SOC 2 Type 2, start expanding that scope. So SOC 2 allows for availability, allows for privacy, allows for process, and these other things that broaden the scope. Those are great things to add, especially if your mindset is stuck in the security as compliance or compliance as security mindset. So adding privacy to that is really going to help you build up your privacy program, which a lot of our customers' customers are asking for. So we have seen some of our customers go and be HIPAA compliant that really aren't in the HIPAA business, they're not in the health business at all by default, but what they're trying to show to their customers is that they take privacy seriously. So they go and be HIPAA compliant, right? Well, what if you added that to your, if you added that to your SOC 2, you added the privacy scope to your SOC 2, that would give you some of the HIPAA controls. Sure. It would give you some of the GDPR controls as well. So thinking about broadening the scope and not doing the bare minimum of compliancy is a strategy as well. And one that I recommend to our clients,
Den:
And I think this is the one thing as well, when you think of common criteria framework, that whole methodology, and it's really funny because at Adobe years ago, we'd done this common control framework and quite literally you're like, okay, we are 20 more controls and then we automatically could get this. And I kind of look at that from the strategy perspective, which is, okay, I'm going to start here. There's about 70 of these, and then I did 20 more, then I get this and I do 15 more. And I get that. And before long, you're building out this whole thing. I want to ask a couple of questions on mistakes. So we have also been into clients where I think sometimes they've made some mistakes along the journey. So what are some of the most common mistakes that you've seen?
Aaron:
Yeah, some of the most common mistakes we've seen are people going to go and get certifications that their customers weren't asking for as a way of showing their security posture. Those could be HIPAA, those could be PCI, they could be whatever, and they're going and spending money towards that, or they're not realizing that there's an internal cost maybe on your SREs, maybe on your devs, maybe on your staff overall of going to go get some compliancy. So doing those sort of things, I would consider to be mistakes. You need to look at the ROI as a whole, not just your external cost of going to engage us, auditor, pen tester, et cetera, but there's absolutely some soft cost that needs to be considered. And just sitting down, putting pen to paper, five, 10 minute exercise, or even using your favorite LLM, asking it on average, how much time is this going to take internally?
Just a rough number just so you have it and know it before going down that path. Because once you go buy that module in your GRC program, Vanta, Drata, et cetera, you are sort of stuck with that for a year. That's sunk cost. So just be aware of the cost, internal, external, to go down a path before you do it. And then the topic of this discussion, compliancy is not necessarily security. And then I think what gets forgotten as well is that the audit process is a check in time or over time to ensure that you are doing what you say you're doing. And I think that gets forgotten during the process. And so I've had to remind people, Hey, the auditors aren't the police. They don't care that you're not doing the thing you say you're doing. They're merely checking that you are doing what you say you're doing. You need to say what you're doing and then have evidence to back that up.
Den:
To back that up. Yeah. And from the ROI perspective, I mean I think one of the things you mentioned there is just there's a bunch of hidden costs. I mean, depending on where you are in your journey, you're going to have to be thinking of internal process changes, maybe a lot of policy documents that don't exist. And I even think, I mean from just our time alone to help a client through this, I mean, we can be like a hundred hours pretty easily on a client working with a client. And for us, that's us creating policy documents and us doing a lot of that heavy lifting for the client. But if you think us spending a hundred hours, that means internally the client is going to have to spend at least I'm going to say something equal to what we're spending. So depending on the company, right?
Aaron:
Yeah. I think there's another misconception that Vanta, et cetera, have these really great templates that you can just get away with.
Most auditors are aware of these templates. They know exactly the language in these templates. And so a good external auditor will recognize that this is a template and will recognize that there was a possibility that whoever filled out this template just simply added what they needed to add and moved on. And so a good auditor will then double down into it and say, okay, you've provided this policy document. It looks like a template. Now I want to see extra evidence into it. Now they won't for the SOC 2 Type 1, of course, but as you get further and further down into further certifications, they absolutely will. So something to keep in mind that a template, it is pretty recognizable,
Den:
And I think that's the difference, right? Between the SOC 2 Type 1, but then you get to Type 2, then if you go further and you're doing ISO 27001 or any of the other ISO ones, it starts to get pretty intense from an evidence gathering perspective.
Aaron:
It absolutely does. Yeah. There's more controls, and again, there's some margin for customizability, or you can customize some of this, right? But you just need to be able to demonstrate that you do what you say you do. So that goes to the policy as well. So if you're just using the template, you're doing yourself a disservice as well because you should be opening that template and saying, you know what? This doesn't apply to me. Let me remove it.
So some of our work is exactly that. It's going through, maybe we're engaging with someone who's already tried this themselves, already has Vanta or Drata and has already started down filling out policies. Well, we have to go through those policies and say, you know what? Actually this doesn't apply to your business at all. Don't even mention it in your policy and then remove it from the policy, because again, you have to do what you say you do.
Den:
Yeah. Now we're 16 minutes in. We've got some live audience members here. So if you're sitting there watching along and you've got some questions for Aaron, please feel free to add them in the comments. Otherwise I'll keep asking and Aaron and I'll talk about random nonsense. One of the things, so there's two things. One is you've mentioned a couple of tools and technology, so I want to get to the tools and tech in a minute, but one of the things that I've heard from you before is avoiding conflicts and redundancies in policies. So you're four or five things in, so we've got SOC 2, we're doing ISO, but at some point there's a bit of overlap, right? So can you talk a little bit about how to look out for and avoid some of these conflicts and redundancies?
Aaron:
Yeah, I'd say we do a lot of that. We do a lot of ensuring that policies don't overlap or pointing back to a policy that is meant to be the master policy for a particular area. A great example of that might be a policy that dictates what the desktop or laptop policy or hardening for a desktop or laptop is. So that could be mentioned in three or four different policies. So there's this risk of having conflicting information across those three or four different policies. Well, a good security professional knows this, recognizes this, and just points back to that one policy, the workstation policy. A lot of the templates do not recognize that; they will allow you to have a conflict and have conflicting information throughout the policies. Again, because templates, and they don't know that you're filling out all three of these different policies, they just know you're filling out this one and they want to make sure that they get you to pass the audit or whatever. The hacker on the other hand, or the attacker on the other end, doesn't care about any of that at
Den:
All. They don't give a shit. And this is the one thing. So when we talk to clients that have, sometimes they'll try and do this themselves and then they realize it's a lot more intense than they expected. So they'll bring us in and then we turn up and we look at some of the work they've been doing. And if they've only done a SOC 2 Type 1, the risk of the redundancy isn't there. But if they then suddenly start to go on and they're doing ISO, then all of a sudden they're getting into a position where there's a lot of wasted time. And I think that's one thing for us is we have the ability to run into a client and actually help not waste their time. And I think that it's fair to say that what they're really paying for is the experience. So we can go in there and we can be more efficient with their time because we've seen it, we've done it. Now let's talk about technology. So there are a lot of tools and technologies out there that really help and some might hinder. So why don't you talk about a couple, maybe the top two tools. You've already mentioned them, so why don't you share a little bit about why these ones are getting more press and getting more market share?
Aaron:
Yeah, I think Vanta and Drata are really running the market here. There are others, and I'm not purposely leaving them out, I'm just mentioning the ones that our customers gravitate towards. I think the reason why they're really picking up the steam these last few years is they have the ability to be external facing as well. And again, they're not alone, but they have the ability to be external facing as well. What I mean by that is our customers' customers can go to a trust site that is run by Vanta or Drata, and then look at the compliancy or frameworks that our customers adhere to or have been certified for, or the controls that they adhere to or are certified for. And in some cases ask questions in a chat box and say, are they HIPAA compliant? Are they GDPR compliant? How close to GDPR compliant are they? And they'll get an AI response to that. As our customers pay for more modules, there's even the possibility of adding security questionnaires into the trust center as well, which really help out our customers' customers. So all of these things are newer and these two companies are really out front.
Den:
Yeah. How do you see, so you mentioned AI responses within these technologies, right? So how do you see AI changing the landscape of compliance?
Aaron:
Yeah, I don't yet see AI replacing an auditor, right? I mean, it's certainly possible, right? Sorry, auditors certainly possible. I don't see it, right? We haven't seen that yet in the financial sector yet. I think once we see it there, that's when as security auditors, we all need to be concerned, but we haven't seen it yet. To my knowledge. If I'm wrong, feel free to say so in chat and engage, but I haven't seen it yet.
Den:
We should see things like the creation of policies, and there's a lot of that legwork that I think you could leverage AI for now, right? You've seen that.
Aaron:
So a lot of what you can and should do today are things like compare your policies, look for conflicts, have AI write a better policy for you, have it look for holes in your policies today. And you are seeing a little bit of that in these platforms, but typically speaking, you're taking it out of these platforms, taking the policy out of the platform, putting it into your favorite LLM, and then asking it for improvements or saying to it, Hey, the auditor identified a gap or the auditor mentioned that there could be some improvements in this area. How might that look in my policy? And then there's a response back from,
Den:
And that's the one thing I know internally with us, we're jumping around AI trying to figure out how and where is this going to help or hinder, and not from a hacker or defender perspective, but just general doing business, especially when it comes to things like compliance or frameworks and or reviewing existing information. I mean, that's like what you just mentioned there, I think is going to be great. Also, I see security questionnaires. I think all of that is going to be all AI led in the future because it is such low hanging fruit for the Dratas and Vantas of the world to enable a client to go and submit questions for the client, well, the client to the vendor in this scenario. So it's so easy, I think, for AI to take over that whole business. I mean, what do you see there?
Aaron:
Yeah, absolutely. With those two platforms and then another two platforms, which I won't mention here, but we've absolutely seen that and we've looked at them as well for either some of our customers or you and I for our past companies.
Den:
And as we're going to wrap up in the next five minutes, I want to make sure we give a little time onto when clients reach out to us, let's talk through the process of what they would expect in a typical engagement. So do you want to just share, I mean the last engagement we've done without naming the client, but do you want to just share how did that flow? What did the client get from us and how did we lead them through and what was their experience?
Aaron:
Yeah, so one of these last ones, it was an understanding of what their goals were, what are your goals, which typically end up, a lot of the times it's their revenue goals and they're not, typically, we want to be more want process goals. These typically are startups that need to remain nimble, that don't need us getting in the way of productivity. So we try to understand those goals. We try to understand their timeline and then lay out options for them. And it's very much a dialogue. It's very much a collaborative effort. We give them our opinions on how it is to do this and then listen to their response. And sometimes they'll come back and say, no, we want to move faster than that. Can you move faster than that? And we go, absolutely. We can move as fast as you want to move.
We can engage auditors right now today, and we can find you the quickest auditor to come in and we can review all of your policies over the weekend or whatever. We will put in the hours to make sure that you get the effort that you're looking to get. We'll do that work for you, but this is the cadence that we think is going to work best for your company. And sometimes we do what the customer says. The customer says, we need it in three weeks, need it in six weeks. We do it. That's who we are here.
Den:
And I think it's fair to say that during the life of the engagement, we really try to act as their fractional CSO, right? So we are playing the role of the CSO, we'll engage with the pen testers, we'll engage with the auditors if we need configuration changes or policy changes. We're good to change policies and documents and processes, but we avoid taking admin level access and making configuration changes. But fair to say, we'll guide the client's team through configuration changes if we are skilled in that area. And if we're not, then we can bring staff in as an additional cost. But I think one of the things I look at from a security and liability perspective is I don't really want admin access. I don't want our team to be admins on a client's environment.
Aaron:
We'll add one more to that, that we're seeing more of, and that is good white hat external adversaries contacting our customers and saying, Hey, I found a bug. Hey, I found a vulnerability. We've been engaging with those folks and making sure that it is a legit vulnerability and running, for lack of a better term, a mini bug bounty program, not necessarily a bug bounty program, more like a disclosure program, more like an unofficial disclosure program, if you will. We've been doing that lately because let's face it, there are a lot of security researchers out there reaching out to whoever they can in order to get paid. And a lot of our customers don't necessarily know whether or not it's legitimate. And so they're looking for us to help with that. And so we are absolutely helping with that where we can.
Den:
Yeah. Yeah, and it's interesting as well, right? The minute people start going down this path of becoming compliant and certified, then I think there's a couple of things as well. One is how do we give them guidance on the marketing opportunity? And think of it from the ROI, okay, so you've spent all this money to get SOC 2, okay, well, have you updated your website? Have you boasted about it on LinkedIn? Is it in your monthly newsletter? So even just from a marketing perspective, I think some companies miss the opportunity to basically share and boast they've done this because it really is. If it's part of your go-to market strategy, then I think this is, once you've got your certification, then you got to jump heavy on how do you get that word out and let people know that you've accomplished it. It's just another thing to try and get your brand out there. Anything else, Aaron? Right? We're kind of up on time. There's no funny questions. Nobody's making fun of me or you. So let's wrap this up. What is one piece of advice you'd give to a startup before they give us a call?
Aaron:
Yeah, so I'd say again, think about compliance as a journey. Think about it as a roadmap, as a layered approach. Your SOC 2 Type 1 is not going to be your first and only certification. There's going to be more than that. And even your SOC 2, your auditor is going to have notes on how your program can be improved upon. So yeah, your customer may be asking for it today, but it's going to iterate, all things. It's going to iterate. And so it's a journey. It's not a checkbox. So the adversaries out there know that, hackers out there know that. Keep that in mind. It's a journey.
Den:
And I think the one thing I would just add to that is this is money really. At the end of the day, you're in business to make money. So the amount of money you spend as an expense on security, on IT, and all these things, as a CEO, as a founder, you're trying to spend less money on the expense side of the house and you're trying to bring money in, and this is the one area where spending the money to do this right actually can accelerate your go to market. It can bring in more revenue, it can open the door to more customers. So I think there's a huge misunderstanding for a lot of startups that don't want to spend 50 grand because they're like, oh, that's a lot of money. It's like, yeah, that's a lot of money, but if 50 grand unlocks that $250,000 deal or a million dollar deal, then this is goodness. So it's really, you mentioned it earlier, it's all about the ROI and you're not doing compliance to improve the security of your company. That might be one of the benefits. You're reducing the risk, but it's a money game, really. Right.
Well, Aaron, thank you very much for your time, man. Appreciate it. I hate to drag you away from the clients, but I feel this was a great opportunity just to share with people the kind of good work we're doing in this space. Everybody please reach out. We'll be posting this on the website and on the usual channels, so we'd love you to engage with us. And if you thought this was valuable, please drop us a line too. If you've got feedback that helps improve it, we'd love to hear that. And also like, subscribe, share, and do all that fancy random nonsense. Thank you very much. Thanks Aaron, and I will catch you later, man.
Narrator:
Thanks for listening to 9 0 9 Exec. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and wisdom in cybersecurity and beyond.