Discussing GRC and Data Privacy With Alyssa Ahmann

TLDR;

  • The very first step in setting up a solid security program is to understand the scope and the current setup really well.
  • Documentation of the security process and organizational training are essential to a successful GRC setup.
  • When it comes to data privacy, there is no one-size-fits-all approach. It always depends on factors like industry, geography, regulations and more.

Transcript

Host: Hi, everyone. Thanks for tuning into another episode of Scale to Zero. I’m Pushupam, Cofounder and CTO of Cloudanix. Scale to Zero is a forum where we invite security experts to learn about their journey, discuss security topics, and get answers to some of the questions that we have received from security professionals. So for today’s episode, we have Alyssa Ahmann.

Alyssa has over 13 years of experience in risk management, security, compliance, and privacy. Previously, she has led the integration of a multimillion dollar SAP implementation into an existing SOX framework, implemented and managed SOC 1 and SOC 2 attestation reporting, and performed cybersecurity framework implementations and gap analysis. Also, she has completed privacy and other regulatory compliance assessments and provided insights on process assurance for IT systems and IT-dependent business processes. She’s also an active leader, and she’s part of the Central Ohio ISACA chapter, supporting networking and education opportunities for professionals responsible for information security and compliance across all industries. Alyssa, it’s wonderful to have you on the show. For our viewers who may not know you, do you want to briefly introduce yourself and share about yourself?

Alyssa: Sure, Puru. Thanks. It’s great to be here. I appreciate you having me on the podcast. I am a governance, risk and compliance specialist. So far in my career, like you said, I have about 13 years of experience. About half of that was spent in audit, doing either compliance audits for SOX or SOC reporting, or helping internal audit shops with their processes and goals. I’ve also done some risk management, working more with the business to identify solutions to gaps or risks that they have, and helping implement process improvements or new processes to identify emerging gaps that might have been targeted for remediation. It’s really great to be here on the webcast. I really appreciate the chance to chat with you today.

Host: It’s lovely to have you here as well. So the way we do the podcast is we have two sections. The first section focuses on security questions, and the second section, which is the fun one, is the Rapid Fire. So let’s start with the security questions.

So, like you highlighted, you have worked a lot on GRC: governance, risk management, and compliance. It’s often difficult to set up the security program, to set the foundation properly in an organization, and as the organization grows bigger, the difficulty also increases. Right?

So what are the challenges you have faced while working, let’s say, with multiple organizations to set up their security programs?

Alyssa: Now, that’s a great question. There are a few common challenges that I’ve seen organizations struggle with in implementing a security program. And really, they’re kind of at the two ends of the process in my experience. So the first challenge I often see is making sure there is a sufficient base understanding of the organization and the organization’s goals: what industry or regulatory requirements there might be, what contractual obligations, what the scope of need for this program is, what we are trying to address as we implement a strong program for an organization. Really understanding the scope and the goals of the program, I think, is an important step that can sometimes get overlooked a little bit, and companies kind of want to jump right into, here’s our framework, here we go, let’s hit the ground running, when having that basic understanding really helps set the ground for a strong program that meets the actual needs of the organization.

Yeah, go ahead. The other problem I generally see is kind of at the other end of the process: the program has been identified, a framework has been used to build policies and procedures, the processes are documented and understood. How does that information get out of the compliance group and to the entire organization? What training, what educational initiatives are undertaken to ensure that all that valuable effort is actually being utilized by employees in their day-to-day processes? Are policies and procedures really readily available? And have you thought about the audience of who you expect to comply with those? A lot of times it’s easy for an employee to find a policy, but does a client or a contractor who’s being held to that standard know where to look and what their expectations are? And then really building the security and compliance expectations into program development, so new initiatives that the company or the organization is bringing into the fold are being designed with the expectation of those security requirements, and that GRC framework is part of the entire process, so the programs can hit the ground running, compliant and ready to meet the needs of the business.

Host: Okay, so I like the two points that you highlighted. One is understanding clearly what the scope is. And the second thing is how do you educate your whole organization, and also external vendors, if you are working with any, right? So with those challenges that you have noticed, how did you overcome them, and what advice do you have for future security leaders who might be going through it right now?

Alyssa: Yeah, definitely. The initial challenge of understanding the goals, I think, can be addressed best by setting it as a step in the process. If the organization has a goal to implement a strong security program, step one should be obtaining that base understanding and making sure that the goals that are trying to be addressed are well documented and communicated across the project team. Once that base is established, everybody’s working off the same set of information, and the goals and decisions that are being made are directly tied back to the expectations of the company or organization, which can really help drive value through the program throughout its initiation and implementation.

On the other end, it’s keeping that long tail going, making sure that once the project has been wrapped up, there has been sufficient effort put into that implementation. It’s sometimes good to get to the end. You know, you’ve done your assessment, you know what’s expected, and then you wrap up the project. Everybody’s ready to move on to the next phases of their career, their next goals, competing priorities. But really ensuring resources are dedicated to that implementation, to communicating and building the program out throughout the organization, and supporting questions and training and educational opportunities as part of the program goals, makes sure that nothing’s lost or overlooked as the program is really wrapped up and a new phase is moved into.

Host: So there are two things that you highlighted, right? One is to document and share it with the team, with the organization. And the other thing that you highlighted is that once the first phase is done, most folks, because of priority shifts, move to other projects or something like that. And one of the primary factors in that is the cost impact. Right?

And I think folks recently reported, I think for a mid-size business, it’s expected to spend from 4 million up to almost 8 million per year for a proper GRC system and on employees. Right, and that sounds like a lot.

So in that case, how should organizations get started and set the foundation properly for a foolproof GRC program?

Alyssa: I think it’s very important that that budget is really recognized and allocated appropriately.

Like you said, organizations plan to spend a large amount of money on GRC programs, and I think it’s important for leadership to recognize that investment and the value they expect to receive from it. I look back to the OCEG, the Open Compliance and Ethics Group’s, definition of GRC, and they define GRC as the collection of capabilities that enable an organization to reliably achieve its objectives, address uncertainty and act with integrity.

And when you look at GRC programs in the lens of that definition, I think it’s really easy to see the value and the reason that these are being prioritized so strongly by companies. So recognizing that investment, understanding that it is significant and maybe a large portion of an expenditure budget, maybe even more than the organization would ideally like to budget towards that. But the value that comes out of having that strong program in place allows the company or organization to meet its expectations, to continue functioning successfully. And what greater value can a company have than the ability to continue to provide for its customers or the organizations that depend on it? So that lens of investment, I think, is key. And then ensuring that the investment is upfront and that the project is resourced sufficiently: do you have the expertise, the knowledge to identify the business needs, to understand the myriad of frameworks that are available for an organization to base a GRC program on? There are common ones like the NIST Cybersecurity Framework or Risk Management Framework that are pretty widely implemented by businesses across industries and sizes, in my experience.

But they’re not always the best fit for every industry or every organization. It’s not a one-size-fits-all approach. So what industry-specific frameworks, or even regulatory or compliance-required frameworks, are out there that your organization needs to consider in its implementation of a strong GRC program? And then how are those actually going to be put in place? Do you have the resources to design, develop, implement, manage, and document all of these new processes and all of this new information? Really recognizing the value of that budget, of that resource and utilization you’re putting towards the project, and then ensuring, as the leadership of an organization, that you give the necessary tools for the success of the program.

Host: So a follow-up question to that is how should organizations move away from outdated methods of GRC and what’s the best way to implement GRC if somebody is starting today?

Alyssa: Yes. So I think there are really kind of two parts to that. Maybe starting with the fresh implementation of a new GRC program: it is the resourcing and investment and identification of the framework that best fits the organization’s needs or contractual requirements, and then the effort to perform a baseline against that framework. So understanding where the organization stands today in regards to the framework is going to be the foundational step to implementing a strong framework. What is already being done well? What’s already documented well? That tends to be maybe the smallest set of items.

I’ve found a lot of times, working through assessments, that processes are strong and there are significant controls that provide comfort over a security risk, but nothing’s really written down or clearly communicated. So really understanding where there are gaps in processes and something new needs to be put in place, versus where something needs to be formalized or recorded so that it can be consistently operated against, but at the underlying level the foundation is there and the process is already operating the way you expect. So understanding that baseline, where you are, and then what gaps exist, what can be done better to address deficiencies or ineffective processes compared to the framework, and where the highest priority is for those. What are your quick wins? Maybe a moderate or a high risk, but it’s lower budget, lower effort to implement, versus really high risk, keys to the kingdom, this is what our business relies on.

It has to be effective and available, but it’s a significant investment to address a gap that’s identified. And really focusing on those two areas: get some quick wins that increase that overall security platform and framework, and then also put the effort into the value that the company will get out of securing the most important aspects of the organization. So that’s a great way to start if you’re fresh. But what if you’re walking into an organization and there’s already some stuff there, but you don’t really know what it is, or how it’s working, or if it’s even right? You kind of have to take that step back to the beginning again and say, is the framework that was initially used the appropriate framework? Or should we be using a different benchmark against which the organization is measured? And once you’ve confirmed which framework best fits the current needs and goals of the organization, you’re really back to that same step of how well are we doing against it, and what should we prioritize in addressing gaps or ineffective processes that will increase our security posture.

Host: Makes sense. So I think the understanding that I get from what you’re saying is understanding the current setup and the scope of the program helps a lot in setting the right GRC program.

Alyssa: Yes, I think that key piece, along with understanding the organization’s goals or their responsibilities or contractual obligations, makes sure that the effort goes to addressing the deficiencies or differences between what is in the organization and what the ideal framework would suggest. That’s kind of where the key is for me. Not just, here are all the places where we’re not aligned with the framework, but in regards to our goals, which are the most important misalignments, where should our effort be dedicated to move towards a more compliant framework? I’ve, at this point, never seen an organization that fully meets every expectation of any framework. They all have something where, given the risk, the goals, and the structure of the organization, it’s irrelevant or it’s not financially significant enough to warrant addressing. So making sure those resources are going to the best purpose to address those gaps once you do know where you currently stand.

Host: So I want to pivot to data privacy a little bit. There are many data privacy-focused regulations, right? Like GDPR in Europe, CCPA, which is in California, and then something is coming up for Canada as well. And many organizations who are doing business, let’s say in the US, and catering to EU customers, or organizations operating in California, have to be compliant with these rules, right? Otherwise you end up paying massive fines.

What’s your recommendation for organizations that are aiming to adhere to these compliance regulations?

Alyssa: Yeah, I think the privacy regulation landscape is such a complicated and complex topic. There’s so much change, and new regulations either being developed or discussed or coming into effect in the short term, that it’s a very hard area to comply with. One of the early pieces of advice I always have in privacy discussions is to understand what expectations are on the organization, what are you required to be compliant with? And there are three main ways privacy requirements can come into scope for an organization. There can be regulations specific to where your operating locations are.

So the state you’re in may have a specific requirement for how data is collected or stored when it’s considered personal, private data. The industry that you’re operating in may have specific requirements.

The big one that usually comes up here is HIPAA, if you’re in the healthcare space, and ensuring that you understand your regulatory requirements for healthcare-related data. And then the last, which is really the modern privacy regulation lens, in my opinion, is data subject-based privacy regulation. So these aren’t based on what you do or where you operate or what industry you’re in. They are the right of an individual to their private data, and they apply to anyone collecting data for an individual under that regulation. So this is where a company operating in the US may need to adhere to GDPR’s requirements for EU citizens, even if they have no physical location in the EU. And that’s really a shift in privacy regulation expectations that I think GDPR initiated. And you’re seeing it with CCPA in California, and there are a number of other states that are looking to implement similar data subject right-based legislation across the US, and countries across the world.

So understanding the three main ways privacy regulation compliance can be expected from a company, and which ones of those are applicable, is the first big hurdle. And then trying to assess compliance with them, I think, is the next hurdle. A lot of times you’ll find regulations are contradictory, even within a very small scope. Within the EU, for GDPR: GDPR doesn’t talk about data retention related to private data. It defaults to the country’s data retention expectations. And some countries require you to keep employee data indefinitely, and some countries require you to dispose of it as quickly as possible. So there’s an internal struggle of regulations being so disparate and individually implemented that it’s very difficult to set a baseline to apply to. So the company really needs to invest effort into understanding what regulations they are expected to adhere to and what their current status is in adhering to those.

Host: It sounds like there are multiple layers to it, right? Like, as you highlighted, let’s say, as an example, GDPR doesn’t talk about data retention. Then you have to sort of adhere to whichever country you are doing your business in.

So when there are so many complications, or complicated parts rather, how should organizations stay compliant with these regulations? Any advice that you have?

Alyssa: Yeah, I definitely think that it’s possible to obtain compliance with the regulations, although it is a very new and evolving area. The first thing is to understand and document what those expectations are, what requirements you’re trying to be compliant with, and where there are conflicts or disagreements between regulations that you’re trying to comply with, generally looking towards the most restrictive. So if one regulation says that you should only store data for 120 days, and one regulation says it should be 180 days, you can be compliant with both of those by having it stored for 120 days or less. So where you can find overlaps and efficiencies in having compliance with the most restrictive requirement, that can help alleviate some of those differences. I think the other most difficult piece of adhering to these regulations, in my experience in the organization space, is knowing what data they collect, when they collect it, why they collect it, what they do with it, and where it’s stored.

It’s incredibly difficult, especially with GDPR’s or CCPA’s views on data privacy, to meet the regulations’ requirements unless you have an incredibly strong understanding of the private data that is being collected, stored, processed, and shared. In GDPR particularly, how do you respond to a data subject or an individual saying, I want all of my data to be deleted? Do you know where all of their data is, or where all of it can be stored, to even effectively do that? In my experience, it takes organizations the whole 60 days of compliance, in which they have to remove the data, to even figure out where all of it is. And that is a big obstacle to compliance. So in organizations where data is well documented and understood, and processing is very well defined, all of the compliance requirements in the privacy space are much easier to comply with.

Host: Yeah. So I hear a recurring theme in your advice, right: understanding the core principles, let’s say, in this case, of regulatory compliance properly, and then understanding your systems better so that you know where the data is getting captured, how it is being shared and stuff like that, so that you can sort of be compliant or work towards compliance. Your foundation has to be right, in a way, right?

Alyssa: Yes, definitely. Every time I’ve been brought into a project that’s already underway and I ask those basic questions and they can’t be answered, the frustration level of making everybody take that step back to the beginning and starting with that strong foundation is always very high. But it’s invaluable to the actual success of the program to take that step back to make sure you understand the foundation. And time and time again, in all of the regulatory or compliance spaces I work, I’m taking that step back to make sure I know what I’m doing and why before I try to actually implement or help fix anything.

Host: Yes, I can totally understand. Right. Like, in order to move fast, you have to have your basics right, the way you explained it, and that makes a lot of sense. I want to dig a little deeper on the third part that you highlighted, right, the data subject or the personal information.

And this is considered one of the most sensitive information, right, like the PII data.

So considering there are many viewers of the podcast who are new to the security space altogether, can you quickly explain how the laws regarding data privacy apply to PII data?

Alyssa: Yeah. So for this question, in my mind, I go to these more modern regulations very quickly. A lot of pre-GDPR privacy regulation was a lot easier to understand and implement because it was very much focused on protecting the data from threat actors rather than reassigning the rights to the data to the data subject. And that’s where GDPR really changed the landscape, in my opinion. When you’re thinking about private data rights, the data subject owns their data. It doesn’t matter if they give you access to it or allow it to be used in certain ways. At the end of the day, it is still owned by that individual. They have the rights to how the data is stored, processed, controlled, or even if it’s available.

And organizations shifting to this sort of mindset is a big change in the privacy space. Instead of understanding where data is and how it’s protected from external actors, the organization has to be prepared to answer, why did you process my data in that way? Or how did I get this marketing email when all I did was give you my email to address a support question? That processing and use of the data after it’s obtained, and understanding what you’re legally allowed to do with that data and when additional consent or an additional basis for how the data is processed needs to be identified, is one of the key thought shifts that I think GDPR and the regulations coming since it have really put on companies.

Host: Yeah. So I like how you put it, right, that the data subjects are the owners of their data. Organizations are legally allowed, for some time, to use it for marketing or other activities, but you don’t own that data, right? In a way, at the end of the day, it’s the data subject who has the right to ask for that data anytime, or ask you to delete that data anytime they want. Right.

So the ownership has sort of shifted to the data subjects from the organizations, at least in GDPR’s case.

Alyssa: Yeah, GDPR. And I would definitely say CCPA really carried that torch forward with their legislation as well, specifically with the Article 24 additions that were made more recently, where the ability to profit off of somebody’s data without their consent has been really reined in. And there are a lot more considerations that need to be put in place around the data that you’re using and how it’s being used, especially when it qualifies as PII in any way.

Host: Right? Yeah, that makes a lot of sense. Thanks for adding that context as well. So we have one last question on this, and we received this question from a first-time CSO. In a security program setup, compliance is one of the pillars, right?

For a mid-sized organization, what’s the right time to invest in security certification? Say, HIPAA, if you are catering to the healthcare industry, or SOC 2?

Alyssa: Yeah, that’s a great question, and one that organizations are often a little surprised with my answer to, especially given the lens that I am a consultant, generally trying to perform more work in these security certification spaces. In my opinion, the best way to know if you should obtain one of these security certifications is to look at your legal or contractual obligations. Many of them are required based on specific factors the organization may or may not have: a publicly traded company, or a company with certain kinds of public debt, needs to be SOX 404 compliant.

A company that processes credit card data in any way or handles credit card data in any way needs to be PCI compliant. GDPR or CCPA with privacy regulations, although there isn’t a certification for those.

But really, what are your requirements? What do you need to get as an organization to meet your regulatory and contractual obligations? That is the first and most important question, in my opinion. Some of those SOC reports, the System and Organization Controls reports, or ISO certifications, really come into play more in the contractual requirements. If you’re a company that provides a service to other organizations in any way, there may be a requirement in the contracts you sign that you provide that organization with the System and Organization Controls report. SOC 2 covers security in most instances, and it can include some other considerations, like a HIPAA plus or some additional items that can be built into SOC 2 reports. SOC 1 reports are usually financially focused, for organizations that provide a service to SOX-compliant type organizations. And where there aren’t contractual obligations or regulatory requirements, there’s a fairly limited set of scenarios where I think an organization would benefit from the investment of a service security certification. If the organization is providing a service of some kind.

A web app, maybe. And they don’t have a contractual requirement to provide a SOC report, but they’re inundated with questions about how they’re securing or caring for that particular application, then a SOC report may be worthwhile for the organization because it can help address many of those questions without the vendor compliance questionnaires and back-and-forth meetings with your customers. So those are the scenarios, really, where I suggest a security certification is beneficial. For organizations where none of those are relevant, then it’s oftentimes, in my opinion, the best use of the organization’s resources to focus on that GRC or security program internally.

Make sure that you have a strong NIST or ISO framework identified and assessed against, so that if a scenario arises where a security certification is contractually required or relevant for the organization, you’re ahead of the game on having the processes and procedures and documentation in place to ensure that you can attain that certification.

Host: Yeah, that will help you in getting the certification faster as well, right, because you have the foundation already. The takeaway that I got from this answer is that it depends. It depends on the industry. It depends on your contractual obligations. So there are many factors. There is no direct answer that, hey, go do HIPAA or go do SOC 2, right? It depends on your organization, your contractual obligations, and stuff like that.

One follow-up question to that is, what is the right time? Like, how do organizations know that, hey, six months after we started or a year down the line, we have to do the certification? Is there an indicator which organizations can look for to determine that, hey, it’s time to get certifications?

Alyssa: Yeah. In a lot of cases it’s outside of the organization’s hands. If you’re publicly traded or subject to HIPAA or another industry-specific security requirement, then now is the best time. Because it’s a requirement. It’s something that you will need to provide to continue to operate in the way that you’re operating. Where it’s less clear, when there is not a contractual or a legal regulatory requirement, then there’s a little bit more of that it-depends factor to it. If you have a contractual requirement, a lot of times the expectation is that by the time you sign the contract that security certification is available. But that’s not always true.

And a lot of times there can be some ability to postpone, or to initiate a readiness assessment, which is one way an organization can understand how close they are to obtaining a security certification: either internally, or bringing in an external group, assess against the current state and identify gaps that should be remediated prior to actually working towards that security certification.

And when you’re not really held to any regulatory or contractual requirements, when there’s no push towards getting this in place very quickly, I almost always think a readiness assessment is the best first step. It will let you know, before you invest a large amount of resources: can we even obtain this? Will the report be something we find beneficial to share? If you have seven or eight gaps, if it’s qualified or has no opinion attached to it, then it’s probably not worth much, even if you do go through the process to obtain it.

Host: Makes sense. And I love how you said it’s now versus a month down the line, and it makes sense, right? It always depends on which stage the company is in, if you are publicly traded, which industry you cater to and stuff like that. So yeah, that makes a lot of sense, and that’s a great way to end the security question section as well. So, thank you for sharing your learnings and insights with us.

Host: Let’s go to the rapid fire section.

Rapid Fire:

Host: So the first question is, what advice would you give to your 25-year-old self starting in security, and why?

Alyssa: Awesome. So the advice I would give to my 25-year-old self: you mentioned it sort of tangentially at the beginning that I’m involved in our local ISACA chapter, which is an educational and networking organization. But identifying a networking opportunity that is consistent and structured in some way, outside of the corporation or organization you’re employed by, I think is the most specific piece of advice I would give my early self. Build a network and a support system that can follow you throughout your career, rather than one that’s tied to where you might be at a specific point in your career.

Host: Makes a lot of sense. The next question is what’s the biggest lie you have heard in cybersecurity?

Alyssa: The biggest lie in cybersecurity? Well, “I’m not going to get hacked because I don’t have anything worth stealing.” That’s maybe my favorite.

Host: Yeah, that’s spot on. Most folks think that way. So, yeah, makes a lot of sense.

The last question is, if you were a superhero of cybersecurity, which power would you choose to have in you?

Alyssa: Well, I’m an auditor at heart, and I’ve spent most of my career there so far, and if I picked a superpower, I think it kind of aligns to that underlying part of my personality. I would have the superpower to accurately know the risk of any situation as soon as I learn about it.

Host: All of us want that power, don’t we? Yeah.

So that’s a great way to end the episode. Thank you, Alyssa, for sharing your learnings and insights, and I’m looking forward to learning more from you in the future. For folks who may have more questions or want to connect, what’s the best way to reach out to you?

Alyssa: The best way to reach out to me is definitely my email, and I can provide that if you can add it into any description or anything, but it’s alyssa amen@craftcompliance.com. Definitely feel free to reach out with any questions or insights or comments you might have on what we discussed. And I appreciate so much you having me on this podcast. It’s really been great chatting with you today.

Host: Yeah, same here. Thank you so much for coming as well. There were quite a few things which I learned as part of this conversation as well, so thank you so much for joining. For our viewers, thank you for watching. Hope you have learned something new. If you have any questions around security, share those at scaletozero.com. We’ll get those answered by an expert in the security space. See you in the next episode. Thank you.