Navigating Forward
Navigating Forward is a podcast hosted by Launch Consulting, an expert in AI transformation for businesses. Here, industry and domain leaders from around the world sit down to explore the ever-evolving world of technology, data, and the incredible potential of artificial intelligence.
Discover the stories behind the latest tech advancements and industry disruptors. Learn how to navigate the world of AI, cybersecurity, and the future of work as we collectively undergo the biggest tech transformation in our lifetimes. And get practical advice for what your company needs to do now to prepare for what’s next.
Follow Launch on LinkedIn and Instagram so that you never miss an episode. Let’s navigate forward together.
launchconsulting.com
Navigating Forward
Cybersecurity: Compliance doesn't have to be scary with Clement King
On this episode of Navigating Forward, Mike Halstead and Morganna Hodge from Launch Consulting are joined by Clement King, a risk management and compliance executive with extensive experience in the financial services industry, to discuss the compliance and regulatory aspects of cybersecurity. The trio chat about best practices, how they keep up with changes in the global regulatory environment, the importance of educating executives and the board about cyber risk, and how strong risk management practices can create a better customer experience and help an organization achieve its business objectives.
To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.
Follow Clement King at https://www.linkedin.com/in/clement-king-iii/
Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Morganna Hodge at https://www.linkedin.com/in/morganna-hodge-056b4b13b/
00:00:01:17 - 00:00:49:12
Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.
00:00:49:15 - 00:01:07:17
Mike Halstead
Hello and welcome to Launch Consulting's Navigating Forward podcast. I'm your host, Mike Halstead. We feature guests from industry and internal experts from Launch to help educate you on better ways to safeguard your organization. Today, we'll do a deep dive into regulatory and compliance, exploring why this is important to your organization. What are the benefits of being compliant?
00:01:07:19 - 00:01:28:19
Mike Halstead
But also, what are the consequences if you're not compliant and why this should remain a focus area for you. I'm pleased to be joined by our special guest, Clement King. Clement is a C-suite banking executive focused on risk management and controls, and Morganna Hodge, who is a Compliance Manager from Launch Consulting. A little bit on myself: at Launch Consulting I’m the Managing Director of Cybersecurity.
00:01:28:21 - 00:01:45:01
Mike Halstead
Prior to Launch, I had a long career at an international bank, most recently as a cybersecurity executive. My passion has always been to help explain to business what is real around the risks of cybersecurity and what does it mean. Morganna, a quick introduction on yourself, including your background and passion.
00:01:45:04 - 00:02:22:01
Morganna Hodge
Thanks Mike! I have worked for the last five years in various industries, from financial to tech to now consulting, really driving their compliance efforts in a variety of scoping and really hammering on the importance of audit when you're thinking about regulatory compliance and how that interacts with your business and your processes. So really driving home compliance with the scope of regulatory compliance attached to that and how we can do that in our processes and procedures across an organization level.
00:02:22:02 - 00:02:44:08
Morganna Hodge
So, I've been working for the last five years and audit and compliance initiatives and it's my passion to instill that to the teams I’m working with. I come into the organization, and I like to say compliance with compassion because it can be an interesting and scary adventure for some people. And I like to take the fear out of that.
00:02:44:10 - 00:02:49:14
Mike Halstead
Awesome. So, is there also an audit with compassion? Because I don't think Clement and I have experienced any of those.
00:02:49:14 - 00:03:06:26
Morganna Hodge
Yeah, absolutely. I think audit with compassion is in there, too. You know, you need the facts and the figures, but you know, there's always ways that you need to address it and establish it and create those plans when you know something's, something scary does arise.
00:03:06:29 - 00:03:11:26
Mike Halstead
For sure. Awesome. And then finally, Clement, our special guest, a little bit about your background and passion.
00:03:11:29 - 00:03:39:22
Clement King
Yes, I'm a senior banking executive. Me and Mike shared a similar organization for a couple of years, which was an amazing experience, really helping to educate the board on what cyber risk compliance meant, helping to educate our executives, and then also how to educate our customers when something actually went wrong. My passions are all about risk management and compliance, but not using those words.
00:03:39:24 - 00:04:03:17
Clement King
And what I mean by that is, it's helping the business achieve their objectives, but making sure we do that with risk management and compliance on our forefront. And it's also all about people and culture. So, separate to the banking world, I'm also a board member of two nonprofits. The reason why I bring that up is because what we're going to talk about today doesn't just apply to the financial industry.
00:04:03:19 - 00:04:18:01
Clement King
It can apply anywhere. Having a good compliance program, impacts your customers, your stakeholders, and everything that works with it. And it goes back to what Mike said at the beginning. It's about how do we make it simple for people to understand it and then execute.
00:04:18:03 - 00:04:48:16
Mike Halstead
Awesome. Thanks for that Clement. Clement, it's been quite an interesting time in the last few months with a number of banks failing, with the crypto hit, with FTX failing, AI, ChatGPT, Microsoft Copilot coming into play, a lot of uncertainties in the market and in our future. And I guess, you know, what I'd like to do first and we can dig into that a little bit is to talk about how do you define regulatory compliance?
00:04:48:19 - 00:05:35:13
Clement King
So, I was thinking about how to answer this question before, and I thought would be interesting to think about where regulatory compliance falls in an organization. In certain companies, regulatory compliance will fall into the legal department; in certain companies, regulatory compliance will fall under the risk management; and in other companies, regulatory compliance is standalone. I’m a risk professional. I think about risk every single day, even in my personal life. When I think about regulatory compliance, it's very focused on understanding what are the laws, what are the regulations, what are the guidelines specific to the business process.
00:05:35:15 - 00:06:10:25
Clement King
Since I come from the banking industry, some of the people that set those rules, regulations are the Federal Reserve Bank, otherwise known as the FRB, the Federal Deposit Insurance Corporation, the SEC, and the OCC. And when I was looking up the definition, one thing it didn't contain was what are the expectations of our customers and stakeholders? So, me and Mike have been on the forefront where even though there's not a specific rule or regulation, there's an expectation and that's expectation we need to adhere to.
00:06:10:27 - 00:06:35:21
Clement King
So, when I think about regulatory compliance, it's about how do we make sure our organization is adhering to the laws, regulations, guidelines, and standards, but doing so in a way that helps the business achieve their objectives. Regulatory compliance is also not binary, have we complied with this law or not? It's very much being focused on what are we doing today and what are we doing tomorrow.
00:06:35:23 - 00:06:56:06
Clement King
The other way I think about this is, in ten years if I have to stand in front of a judge, the decisions I made, will those make sense? And the reason why I say that is because regulatory compliance, law, standards, rules do change over time. So, you can't just be focused on what's happening today.
00:06:56:12 - 00:07:04:12
Mike Halstead
How do you keep up with the all the changes that are happening in that environment? What is the best way to do that?
00:07:04:15 - 00:07:32:13
Clement King
Yeah, so there's a couple of ways I do that and I'm an extrovert, so I love talking to people. I love networking and socializing. So, number one, it's talking to my consultant firms, right? Mike works at a great firm. They have a tap on the industry, what's going on. The second is to speak to the regulators. The regulators can often give you a view on what are their priorities, what are they focused on, and what are they changing.
00:07:32:16 - 00:08:02:06
Clement King
And I’ve worked in London, U.S., and Canada and all jurisdictions are the same. If you ask regulators what are their priorities, they'll tell you, and sometimes that priority will turn into regulation in the future. The third, stay on top of the industry and news and I think this is probably one of the biggest things, and me and Mike have experienced in our career is something hits the newspaper, and our regulators call us and say, how are you prepared for that?
00:08:02:09 - 00:08:30:21
Clement King
What's going to happen next? The other thing which ties into operation risk management is look at external events. You don't always need to learn from your own mistakes. You can look at what's happening to other banks. In a recent example in the last few years is, some of the banks have been fined large dollars. It's looking at those specific banks, and think could that happen to us, and not just say no or yes, but really do a forensic.
00:08:30:24 - 00:08:57:09
Clement King
And those are a couple of ways to stay on top. But it's really about speaking to people, staying on top of the news, and not just accepting the status quo because things change very often. The last thing, if I can mention, is stay on top of the news in other jurisdictions. And the reason why I focus on this is in the UK and Europe, they introduced the General Data Protection Regulation.
00:08:57:11 - 00:09:15:18
Clement King
Although that regulation may be called something different in Canada, the U.S., it's the same thing. It's privacy. It's really focused on how do we protect the customer, how do we conduct risk and permissions. So don't just focus on your specific industry or country. Think about it more global and more broad.
00:09:15:21 - 00:09:43:15
Morganna Hodge
Yeah, Clement, and I want to hit on something that you said that I think really applies to the consulting world as I've seen it. It's not just the expectations of your industry, it's expectations of your clients and their industries, as well as your ballooning out and working and trying to figure out, okay, as a consultant and doing this work, what am I beholden to, working for an energy company or working for these various other entities that are regulated by various, you know, structures?
00:09:43:15 - 00:09:59:04
Morganna Hodge
And you have to get in there and dig deep and think about not just what are we beholden to, but what could our clients be and what are their expectations when we're delivering so that you know that you're factoring in that regulatory mindset not just at your level but at theirs as well.
00:09:59:06 - 00:10:35:13
Clement King
Yeah. One important, so in November 2021, a few of the regulators in finance, the OCC, Federal Reserve Bank, FDIC, they actually published a rule on security incident notification. The reason why I mention that, because it required the banks to no later than 36 hours report it to the regulators. That same premise applies more broadly to any industry. If you have a cyberattack, how do you inform your customers?
00:10:35:16 - 00:10:58:18
Clement King
The other point is not just focus on if you have an attack, what happens if your suppliers, your third parties? Do you have a process already embedded? And I think this is where a firm like Mike's can really help you dissect that, because sometimes you may have the best potential for cyber internally, but you're not thinking about more broad.
00:10:58:20 - 00:11:27:27
Clement King
And this is why this is such an interesting conversation is pointing out cyber risk. It actually ties to many other risks, such as data privacy, third party risk, and the regulators are now much more focused on those. How are you handling that? The other thing, when I think about cyber risk, and it's a debate me and Mike have had a lot, is how much does your CISO own your kind of cyber, versus other parts of the organization.
00:11:27:29 - 00:11:55:26
Clement King
In addition to that, what’s the responsibility of your board? So, I sit on two nonprofits now and I presented to boards. The board actually has an accountability to understanding cyber and not just at a high level, at a more granular. So, this is where Mike, his firm, can help say what are the self-assessments you have, what are the metrics your board needs? How do we see what's changing in the overall industry?
00:11:55:28 - 00:11:59:03
Mike Halstead
Yeah, those are great points. Morganna were you going to say something?
00:11:59:05 - 00:12:03:10
Morganna Hodge
I was going to say, bring it back to that audit with compassion, right?
00:12:03:12 - 00:12:26:01
Mike Halstead
Yeah, you both hit on some really great points in there and I think that one of it is that we're all part of this bigger ecosystem, right? So, we in our world, maybe, or organization, may feel they're compliant, but if they're, if you say either clients aren’t compliant and/or, you know, vendors aren’t compliant, that's an impact.
00:12:26:01 - 00:12:45:11
Mike Halstead
And Clement, you know, many times that we would have our vendors get hit by ransomware events. And the first thing the next day the regulators were asking us about do we have any impact and how do we ensure that we weren't impacted? And we are very much connected in this digital world.
00:12:45:14 - 00:13:10:03
Clement King
I think the other thing that when I think about compliance, everything we do is focused on the customer. So, I've worked on the trading floor for years and I always think about how do we increase our revenue and focus on our customers by investing in a strong compliance program upfront, you'll save a significant amount of cost at the end.
00:13:10:06 - 00:13:44:18
Clement King
If the regulators give you a fine, that fine can go into $400 million territory, if not more, and especially as executive, you may even have personal liability. So, this is where having compliance risk management at the forefront every single day is super critical. And also educating people on what is cyber risk, what is ransomware, because these are complicated terms, but it is something that your board, your executives, need to understand how it impacts them.
00:13:44:21 - 00:14:09:25
Mike Halstead
That's part of it needs to be part of the DNA and enterprise risk management, would then include, of course, regulatory compliance side for an organization. Just moving forward here, and we touched on it a little bit, and as far as the regulatory landscape and change, what are some of the triggers Clement that changes the regulatory environment and what is the impact of that?
00:14:09:27 - 00:14:40:16
Clement King
So, what are some the triggers. One is new technology, so new technologies like cryptocurrency, cloud. I hate to say this is new, but it's actually something that the regulators, banks and other industries are still trying to understand. So, some organizations have their data centers still off the cloud. So, what does it mean when you move to cloud? What does that mean to the services you offer to your customers.
00:14:40:19 - 00:15:09:04
Clement King
Outside of new and emerging technologies, there's also a social aspect, and I say a social aspect, climate risk. How are companies thinking about climate risk? And you could, wait, we’re having a conversation about cyber risk and compliance. Why am I bringing in climate risk? Well, actually, climate risk, the banks have specific thresholds and targets they need to adhere, and actually more and more regulations are going to come in that space.
00:15:09:07 - 00:15:42:16
Clement King
So those are just two triggers, which is new technologies. The second is as we talk about the social. And then the third is, I'll phrase it as big industry events. What I mean big industry events, if you think about 2008, the financial crisis, that spurred new regulation. Again, this year, when we think about SVB or Signature Bank failing, when we think about Credit Suisse, UBS come together, even though that's a very different event.
00:15:42:18 - 00:16:10:00
Clement King
In my opinion, we may not need new regulation, but what it does show is those banks had risk management to some degree and there'll be a full forensic, it'll be discovered. But if I go back to the basics of risk management, even in business school, is it's interest rate risk. How we measure our interest rate risk. Same with operational risk, is how we think about anything go wrong, system, process, technology, compliance risk, and credit risk.
00:16:10:02 - 00:16:37:03
Clement King
What has tended to happen for the past years is we focus on one of them and not all of them collectively, holistically together. And to Mike’s point about the ecosystem, we have to manage all these risks together in a way where we're not just narrowly focused on one. The other element, I'd say, especially this year, and this is just a gut, we're going to have to focus on execution risk.
00:16:37:06 - 00:17:08:23
Clement King
And what that means is how do we continue to invest in technology and cyber risks when we're actually cutting costs. And that's where execution risk very much comes in, is we still have to have the best of technology, we still have the best security because the fraudsters, there's a lot more of them and their spending is unlimited. So just because our revenues may not be what we want, we can't stop investing today.
00:17:08:25 - 00:17:30:09
Mike Halstead
Yeah, you're spot on. And you bring up a good point around the environmental, social, and I think government side of it, that's the new kind of where it seems like a lot of the regulation will be focused on and a lot of organizations having to focus on that and what it means and defining that.
00:17:30:09 - 00:18:17:18
Morganna Hodge
Yeah, I think, Mike, it's interesting to see this governance piece is starting to really bubble up and it is it goes back to that CISO conversation that we kind of were having before. How much responsibility are you putting on individuals and where individual pieces of technology and what are they really doing for you in assessing, again, that risk component. To be compliant isn’t to be risk free. It's to be understanding of your risk atmosphere in your and your environment and how much you can manage and who is managing it. And I think it's really important to think about that step is really driving that compliance, it starts with a risk evaluation, and it has to start that way so that you can evaluate who's handling it and why and how and where it's being addressed.
00:18:17:18 - 00:18:40:21
Morganna Hodge
And is that the most effective way to do it? And that's where you come into the audit, into play. And you look in all those areas of, okay, this person is managing this and at what frequency and when and is that appropriate. But I think that that CSO conversation is a very large conversation that's happening in our world about how much responsibility are we placing for this governance. And I think it's a really important one.
00:18:40:23 - 00:18:56:02
Mike Halstead
Right. And who owns the risk? Who owns the cyber risk, which is, Clement said we've had debates on that and essentially it’s the business, right. As they're the ones who, it’s their business risk appetite. But good point, Morganna. Clement, you were going to say something?
00:18:56:04 - 00:19:38:12
Clement King
Yeah, I think whenever something goes wrong, the first question is who made that decision and who knew about it? And the question that we might possibly get from regulators is, did your board know about it or did your executives know about it? And I think we will see over time with some of the recent failures is how much did the board know and when. And when Morganna was talking about the cyber risk assessments, the other important piece of that is understanding where are you on your maturity curve, because that also dictates how much you need to spend and when. You don't need to be an industry leader in everything, but you definitely don't want to be a laggard.
00:19:38:15 - 00:19:47:27
Mike Halstead
For sure. Question for you, Morganna. So, I know we talked about it a little bit, but could you elaborate around why is regulatory compliance important?
00:19:47:29 - 00:20:19:19
Morganna Hodge
Yeah, so I think we've kind of hit upon a bunch of little pieces here, but really it's to avoid those legal and financial ramifications of not being compliant, having those regulators come down on you for the noncompliance or inadherence and so it's to avoid those penalties and fines, even up to some licensure revocations as well, and potential lawsuits and settlements that can come as a result of, you know, not handling your data or handling your environment appropriately.
00:20:19:21 - 00:20:44:27
Morganna Hodge
And then also, like Clement said, like at the end of the day, you want to instill confidence with your customers to drive that possibility home. And that's what regulatory compliance does. It signals to your customers and your partners that you understand your business, you understand your landscape, and you're a good place to invest it as well as, you know, protect from cyber-crime as we've discussed and create system and operational effectiveness.
00:20:45:04 - 00:21:00:17
Morganna Hodge
If you know what your processes and procedures are against those regulations, it makes it really easy and, not really easy, but it makes it easier to address them and drive your policies and processes to a place that you know that you can attest to for your regulators.
00:21:00:20 - 00:21:05:29
Mike Halstead
Great. Clement, anything you want to add on that maybe, focusing in on the benefits of regulatory compliance?
00:21:06:01 - 00:21:37:20
Clement King
I'd say the first benefit is your customers have a better experience If you always have compliance in the back of your mind, the client experience will be better. To use examples, your clients won't experience data privacy breaches, and if they do, because naturally they could still occur, at least you have a good process of informing them, having traceability on where data is. So, the first one is absolutely the customer.
00:21:37:23 - 00:22:12:28
Clement King
The second, especially in today's environment where we're focused on cost, having a strong compliance program means you won't have to pay the large fines that Morganna talked about. And the third, it's kind of a non-negotiable. If you don't have strong regulatory compliance background, you lose your license, you lose credibility, your stock tanks, so regulatory compliance isn't something that's optional. It's more a matter of how you do it in the most effective way and how you ensure the governance is have those right conversations.
00:22:12:29 - 00:22:29:25
Mike Halstead
Excellent. Thank you for that. So regulatory compliance, it varies around industry, right? There's different regulators. Of course, banking is very heavily regulated. What are some examples of kind of differences as we go across industry?
00:22:29:27 - 00:23:04:04
Clement King
Let’s talk about the similarities first. If we think about data privacy globally, in Europe, they have GDPR. That may look and feel different, but most countries and industries have something similar. So as an example, even if you go to healthcare, there's rules about privacy. What can doctors share about patients? So, there are actually certain similarities. I would say though, finance in particular is more heavily regulated and it’s the area I’m probably most familiar with.
00:23:04:06 - 00:23:27:28
Clement King
But even within finance, it's a bit tricky because you have multiple regulators, some that are just focused on the consumer retail aspect and some that are focused on investment banking. And in some cases, the regulators are competing with each other a little bit and they might have experiences where when we had a cyberattack or cyber threat, we had to inform all of them at the same time.
00:23:28:01 - 00:23:59:11
Clement King
And if we informed one but not the other, they would say, why didn't you inform us? So, I would just say, finance is heavily regulated, naturally so. The banks hold deposits, really are impactful for customers. One area, though that's not regulated enough, in my opinion, is the third parties. So, it's not the banks, but it's the third parties where the banks use services for, whether that's telecom, whether that's even a consulting company you might use.
00:23:59:11 - 00:24:38:20
Clement King
So, the other aspect where in my opinion, I think the regulators have increased the pressure on banks because they know that's where the money flows and they use the banks to help ensure that their third-party contracts, their third-party suppliers are more heavily regulated. So that's why when you think about this whole ecosystem, it's important to understand where you fall, but not just focus on your particular area, because especially a bank, there's so many interconnectivities, even your payroll vendor, that if they are caught in a cyberattack, how would that impact your payroll to your customers?
00:24:38:22 - 00:25:02:10
Mike Halstead
Yeah, it's almost gone from know your customer to know your third party, right? Intimately right, and update your contracts so that you know should there be a breach, or should there be a zero day vulnerability that they're communicating with you? Right. And I think that that's one of the things that hark back to that ecosystem discussion that we had.
00:25:02:12 - 00:25:15:06
Mike Halstead
There's a lot of different elements to it, probably. We're going to unpack that in a different podcast on third parties, but certainly relevant to regulatory and compliance. Morganna, from your perspective, anything that you wanted to highlight?
00:25:15:08 - 00:25:37:28
Morganna Hodge
Yeah, I think what is also interesting is you have things like FISMA, who like the Federal Information Security Management Act, who it impacts U.S. federal agencies. But from that you get this whole compliance framework structure of NIST and ISO that drive out from that. And how does that impact your company, even if you're not a U.S. federal agency yourself?
00:25:38:01 - 00:26:04:20
Morganna Hodge
Are you working with any clients that get funding from federal agencies or state agencies? And you have to roll that into your ecosystem and look at it that way. And I think it's really interesting when you start looking at, you know, those kinds of structures and the base of them and then how they roll out into the compliance world that we're seeing and how you have to circulate that back into your business in the event that you do take on that client work.
00:26:04:23 - 00:26:15:19
Mike Halstead
Great. Thank you. Just moving on to a different question. Clement, it’s for you. So how would an organization measure the regulatory compliance? What's the best way to do that?
00:26:15:21 - 00:26:43:22
Clement King
So, number one, it's not about coming up with 100 metrics. I know sometimes people do do that. Well, one of the things that we've done work together in the past was looking at what are the cyber threats, but by severity. So, what are like the critical attacks that have brought down specific systems or applications? So, severity is like a big thing.
00:26:43:24 - 00:27:09:26
Clement King
The second thing that we measured was phishing attacks. So, this is very simple, but how are your employees educated on cyber risk and phishing attacks is a really good way to measure if are your employees just clicking on any link? The third thing we did was we had a lot of projects that are always going to improve our cyber capabilities.
00:27:09:29 - 00:27:58:28
Clement King
So how do we measure are those projects going on track, are they off-track and how are they actually demonstrating the value that we would expect? The other thing that we looked at a lot was data privacy. What's happening for data privacy perspective in terms of regulatory compliance? The other aspect, and this is a micro level, but I think it's actually pretty important is to understand your access management for all of your systems, have the right access standards in terms of whether it's two-factor authentication, multi-factor authentication, how are you looking at are the access rights really relevant by system?
00:27:59:00 - 00:28:24:01
Clement King
The other interesting one that I think is really important to be measured is your talent. When I say talent is if you have a head of cyber as an example, do you have the right succession plan? What's your retention of staff? And I think that's important because retention of staff can show, do you have a problem culturally or not? What's the experience of your team?
00:28:24:01 - 00:28:54:12
Clement King
So just thinking about really from a culture standpoint, how are you looking at talent? The other aspect, which isn’t obviously a measurement but ties together, is where are you reporting information on breaches? Is that to your executive committee on a monthly basis? Is that to your board on a quarterly basis? And just overall thinking about how do we measure this?
00:28:54:14 - 00:29:34:12
Clement King
In the rare case there's an actual cyberattack thinking about how do we monitor that almost on an hourly, daily basis until it's actually resolved. And this big one, let’s talk about patching. So, when something goes wrong, how are we patching, how are we upgrading on a regular basis? And then thinking a little bit more proactive because it's not just about looking back, it is also looking very proactive as new upgrades are available for whatever software or hardware you have, are you actually deploying it in a certain timeframe according to your policy?
00:29:34:14 - 00:30:06:14
Mike Halstead
Yeah, there’s a number of things there. But certainly, we know that the regulators are very interested around access management credentials are stolen every day. Right. And so, the bad guys have our credentials, which is usually user ID and passwords. But what they don't generally have is your biometrics. And so, there's a big push around MFA, which is multifactor authentication, but it's also are you going into your systems, and do you know where privilege access is granted and should that individual have it?
00:30:06:16 - 00:30:28:17
Mike Halstead
Because when the bad guys get in, that's what they look for. They look for opportunities to escalate privilege, and that's the way they maneuver around. So good point there in measuring that. Okay. Coming to the last question here and I'll ask both of you, maybe give me two or three best practices that organizations can implement around regulatory compliance.
00:30:28:19 - 00:30:56:11
Clement King
The first one is keep your stakeholders educated and informed. This is one of the easiest things you can do, but it’s critical. So, I remember what Mike did and it was actually one of the most valuable meetings out of the hundred I would have a month, was he would have a session just to teach us about cyber risk, but he'd use real examples and make it very simple and easy for us to understand.
00:30:56:13 - 00:31:28:17
Clement King
So, it's all about keeping your stakeholders educated and informed. Second, and it goes to the point we've been talking about all today is governance. Be very clear on what information your board and your executives need and make sure that they understand it. And then the third, and it's something that I’ve seen work well for me and Mike’s organization is give training to your executives and board on a regular basis, even if it just means doing a cyber credit check on them.
00:31:28:24 - 00:31:40:14
Clement King
Mike can give you the exact term. But it's very interesting when they did a profile for me, and said Clement, how does he look on LinkedIn, how do all my passwords look. Mike what was that called again?
00:31:40:21 - 00:32:00:05
Mike Halstead
Digital footprint, and executives are the most targeted because what the access that they have and so that's where the bad guys are, they’ll focus their phishing emails or social engineering around that and so digital footprint tells you what do you look like to the outside and helps you clean that up.
00:32:00:07 - 00:32:22:09
Morganna Hodge
Yeah. So, I think you hit on some really good points and I'm, couple of points I’d like to make is making sure that you're driving accountability through that audit atmosphere and through those streams of communication with your board. Make sure that you know that communication is documented and is known because at the end of the day, that's what your regulators are going to look for.
00:32:22:14 - 00:32:48:25
Morganna Hodge
And then also make sure that you're creating strong partnerships with your compliance teams and your risk management teams. I think so often those teams are, you know, the scary bad guys, but they don't have to be. If you get us and get them involved in the beginning, it makes the process so much easier. So, driving accountability and driving strong partnership with your, you know, your compliance office and risk office is going to get you so much farther than, you know if you fill them in in the back.
00:32:48:27 - 00:33:06:29
Clement King
I love that because especially as teams build new products, new systems, new processes, getting your risk compliance officer engaged in the beginning, means you can just develop a much better solution rather than adding controls on at the end.
00:33:07:01 - 00:33:31:00
Morganna Hodge
Exactly, especially when you when you’ve built like, if you're working on a framework as heavy as NIST can be and you're trying to figure out how to make all these controls work after the fact for something new, it really makes the process more difficult. And if the compliance manager can come in and say, hey, this is new and this is kind of how we're doing it here, and this is the control that we're meeting here, let's meet it here.
00:33:31:03 - 00:33:54:03
Morganna Hodge
And like I said, driving it back to those frameworks are all coming down from massive regulations about how we need to handle certain kind of data and that data privacy that you hit on earlier, Clement. And I think that's what's important is understanding that those partnerships, that accountability in that audit sphere is all driven from the fact that we want to make sure that we're protecting ourselves and protecting our clients.
00:33:54:09 - 00:34:18:11
Mike Halstead
So, establishing that baseline is critically important, right, whatever framework you use of having a framework. Also, the deltas and oh, by the way, all of these trigger events out there changes the landscape. And you know, what does that mean to you and your controls? So, this been a great podcast, very informational, and I thank you both for your time.
00:34:18:13 - 00:34:18:24
Clement King
Thank you Mike.
00:34:18:24 - 00:34:20:19
Morganna Hodge
Yeah, thank you.
00:34:20:22 - 00:34:41:09
Mike Halstead
Thanks everyone for joining us for today's episode of Navigating Forward, the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. And just a reminder that cyber security is 80% good habits and hygiene, but to start improving your health, you need a baseline. To learn more about how to develop your organization's future state of cyber security, go to launchconsulting.com/cyber.