Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_02 (00:00):
I think the prevalence of AI now is opening people's eyes to that in some cases a little bit more because they realize data is the underpinning foundation to all of this. You can't do AI without data, and you can't do AI well without good data.
SPEAKER_03 (00:23):
Welcome to another episode of Sell Me This Podcast. This week we're joined by Jose and Mark from MHM Corporation, who focuses on security and compliance initiatives for small media businesses across North America. The conversation dives into everything from compliance, ethics, and security controls and what business owners can do to take the first steps in securing their environments. Enjoy.

Welcome to another episode of Sell Me This Podcast. Today we are incredibly excited to have Mark and Jose from MHM with us. We're going to be diving into the wonderful world of compliance. I know something that everyone is excited to hear about. I think lots of questions. And so we're going to dive right into things. Why don't you both introduce yourselves? Mark, if you want to go first, a little bit about who you are, where you came from, and maybe the overview of MHM.
SPEAKER_02 (01:14):
Sure. So I'm Mark. I uh started MHM in the middle of 2020 after a very lengthy career at PwC, half in Toronto, half here in Calgary. Hence the Blue Jays jersey, which is my uh my home team, shall I say. MHM is really focused on delivering security and compliance audits to clients, mostly in the small medium business space. Our main goal is to deliver high quality at affordable pricing. Um and sorry. I forget. And um yeah, so in terms of uh background, so I started my career at Coopers & Lybrand actually in uh 1997 as a co-op student before they'd even merged and became PwC. Um and yeah, eventually decided it was time to leave that world and start my own thing, and um so I started MHM in uh 2020. I love it.
SPEAKER_04 (02:15):
And what about yourself? Yeah, so I'm José. I um I joined MHM as a partner a couple of years ago now. So uh uh before that, similar to Mark, actually, I'm I moved to Calgary uh from Barcelona around the same time that Mark moved to Calgary, so we we were together at PwC for uh for a long time. Um uh before that I was with Ernst & Young. I'm I'm a computer engineer, but uh I um I you know I've been all my life doing compliance and and security work, right? Um moved to Calgary because of my wife, uh girlfriend at the time. Oh excited. That's that's why I'm here. Change the beach for the mountains, right? And uh and the snow, right? Um and yeah, um it's been two years, like we've we've accomplished you know, like a ton of things like Mark mentioned about MHM, like we we are super proud of doing you know what we're doing, right? Like and offering these uh outings and certifications, you know, that are super specialized and a great price and really focus on servicing our clients.
SPEAKER_03 (03:18):
I I love it. So so how does one find themselves walking down that compliance path? Because I I imagine that maybe uh you know a 15-year-old Jose, did you imagine you were going to get into compliance or what um what brought you towards this line of work?
SPEAKER_04 (03:32):
Not at all. Yeah, that was long story. I mean, I'll try to keep it short. We have time. Yeah, yeah. So it was uh it was one of those things. I I I did um I finished university and it was after the dot-com bubble. I as I mentioned, I'm a computer engineer. Um and I had a few jobs lined up. I was interviewing, and you know, things things were okay. And and one of the one of my interviews was with one of the big fours and at EY, right? And and all my interviews had been with techie people. They had been in basements, like, you know, scrappy people, okay. We're gonna do some coding, gonna work here, this is the you know, and and that interview was at a nice building with you know beautiful views, like, you know, guys with a suit, right? And it was like, hey, you're gonna travel the world, you're gonna be talking to CFOs, CIOs, CAOs, right? And that really, you know, like maybe the wrong reason for joining a job, right? But really caught my attention when I was young, right? And uh, and yeah, I got into this world um way back then, right? Like was the opportunity to to actually, you know, see what you know businesses were doing, how they were working, right, instead of just focusing on the on the just making them work and techy stuff and developing things. So that was the main reason. And then after that, it was just like a you know combination of things. I just love what I was doing. I I I liked it and uh yeah, here I am, right? Yeah.
SPEAKER_03 (04:54):
So you were you were drawn in by the lifestyle and it looked like a really cool job, and then the world kind of took you by the wave kind of took you and you were left here.
SPEAKER_04 (05:02):
Yeah, I never would have guessed that I would have, you know, ended up doing these, right, for a living, but here I am, right?
SPEAKER_03 (05:08):
Well, there's so many people that I talk to as well that um you know, especially when they're exploring what to do, looking at that consulting lifestyle gives them the opportunity to almost get this PhD in other people's businesses. Where you get to see how many people and how how they all do things differently and how they get to approach business, and it really can help you accelerate your understanding of just how the world operates. Uh, what about you, Mark? Do you have a similar upbringing story or um kind of similar but totally opposite? Okay, I love it.
SPEAKER_02 (05:39):
I can see that. So I'm a chartered accountant by training um and was always into computers and technology. I actually had my first computer when I was five years old, which was a Commodore PET, that my uh father, um, who was responsible for introducing computers into uh school boards um just outside of London, Ontario, um, brought one home and started playing with it and kind of had a knack for it, shall I say. Um, but accounting was kind of the path I went through university and and started in with a big firm and had two thoughts. One, I was figured joining a big firm would open up lots of opportunity um to do lots of different things, and accounting was a great way to get into that environment. And worst case, if all else failed, I could do people's books for a living. Not that that was overly exciting, but you never know. Um, the other thing was um I really at the time wanted to get into actually sports management. And the president of the Blue Jays, Paul Beeston, was a chartered accountant by training. And that got me thinking, it's like, well, geez, if he could do what he's doing from that start and actually started with Coopers & Lybrand, then maybe I should go that path too. So at the time I chose Coopers because they were the auditors of the Blue Jays. So that's the firm I ended up starting my career with. Um, I was told after trying to get on that audit that it was one of the worst audits the firm had, not not to get on it. And another firm was actually taking it the following year anyway. So whatever. But it got me introduced to a couple of partners. They were like, hey, this seems like a young guy, you know, pretty ambitious. Um, got to work on some other cool clients, and then had the opportunity to do a data analytics and application controls project with a telco in Toronto, um, which was pretty cool. Um so took that, really loved that, ended up switching out of financial audit once I had my hours and focusing more on there, and one thing grew into another, ended up working with large the large telecoms in uh Canada and some globally doing Sarbanes-Oxley work, which then turned into PCI work, and that's kind of how my security uh career started. Amazing.
SPEAKER_03 (07:48):
And so so both of you have a technical background, it sounds like, and so you both kind of came from, you know, maybe in different approaches, but the engineering side of things. Is that a requirement to get into this type of work, or is this just something, maybe something the way that you're wired or the way that you're um you know, get motivated in the morning that's gonna brought you towards this?
SPEAKER_02 (08:07):
I think it's uh I think it's a yes and a yes. Um having having an affinity for technology, having an understanding of how technology works and how it's um one where it's important is pretty critical. Um but having a curiosity about how business works and how these two things really tie together, how companies are using technology and the risks that come with that, um, is is I would say even more important than understanding all the deep nuances of how the technology actually works. There's lots of people out there that you would want to include as part of your team that have that capability, but not everybody needs to have all the same skills.
SPEAKER_03 (08:48):
Right. What about from a um kind of training perspective? Like what is it what does it look like to actually become uh an auditor in this space specifically? Because you know, I I know probably enough to be dangerous in this space, and if I was ever auditing someone, they would be in horrible, horrible uh trouble. But I think that I kind of probably have that base layer understanding of what some of the certifications are, what some of the kind of badges and things like out for are. But but how do you A, keep up with it and and B, get to a spot where you can really be the expert that guides customers through these things.
SPEAKER_04 (09:22):
I think that's I mean that's a good point. I might was saying, right? Like that intersection between the business and the technology, really understanding why, like that's I mean, like you said, right? Like if you were to audit somebody, you have enough knowledge of technology that you probably I mean you can spend you can spend weeks. I want to be clear, you don't want to audit someone. But but that's a you know it's a good point. You you could spend weeks, you know, trying to, hey, like look for perfection almost, right? Like this is what it should be, right? Like uh spend, you know, any any facet of what we audit, right? Because it's probably it's quite wide, right? We went to an audit and we look at security, security is like a big, you know, like so you you gotta like that, finding the right balance between going too deep, not too deep, and really understanding what the risks are so you know where to okay, this is the areas of focus, right? And and don't don't spin your wheels, right? Like looking for something that you know it's really not important for you or for the business that you're auditing, right? Um so yeah, that uh experience um and and curiosity, right? Like really it's it's more than a job, right? It's more like okay, yeah, I'm just gonna follow these steps, one, two, three, four. No, it's why, why am I doing it, right? Like what what can go wrong, right? What if this fails? Right? Is the thinking thinking a little bit of you know, if this fails, what what's the worst thing that can happen, right? And thinking, do I have anything else that would catch it?
SPEAKER_03 (10:42):
Right? So really understanding more of that system approach and saying, you know, what are all the pieces that fit together? I love that you brought up risk as well, because um, you know, in a previous world I did a lot of world work in the security space. And you know, security you can put in place infinity controls, but you can also have a counterbalancing risk that says we put in too many controls and no one can do anything. Is most of the discussion that you have around risk when it when it comes to compliance? I would say it is at our level, especially.
SPEAKER_04 (11:14):
Uh I I would say, yeah, we're most of our conversations and and especially when things get escalated to to us or when Mark and I have conversations, we always take that risk-based approach, right? Uh and I think you know clients appreciate it. Yes, I would say that's that's a key, you know. Well, I I would consider ourselves to be risk professionals above anything else.
SPEAKER_02 (11:36):
Whenever we get introduced to new clients or potential clients, um, the very first thing we want to understand is number one, what do they do? Number two, who are they doing it with or for, and how critical is that service they're providing, and what data is being included as part of that service. Um, at the end of the day, kind of all the systems in the world, if you're dealing with data that nobody really cares about, you know, the level of security or the level of risk that's inherent in what you do is going to be very different than if you're dealing with data that all your customers deem to be absolutely critical to the running of their business.
SPEAKER_03 (12:14):
That makes sense. And so if I'm a business owner and I'm doing that kind of initial litmus test, are there any things that pop out to you, let's say you're in that first meeting and you're asking the question, you know, what data do you work with, what industries do you work with? Are there things where you you hear, you know, I work with the Department of Defense, um, or I have this type of data where it's like, okay, well, you need these things immediately. Um, are there kind of red flags or checkboxes that go off in your head for certain things?
SPEAKER_02 (12:42):
Yeah, I mean, certainly if you're working in in regulated industries, that that plays a role. If you're dealing with personal information, that that plays a role. Um, equally importantly to personal information, if you're dealing with any corporately sensitive data, that definitely plays a role. And that that is one area that we find a lot of companies neglect maybe is the wrong way of putting it, but but underappreciate the importance of that. Um, and that, you know, that could be as interesting a target for a hacker as any personal information that may be available in other places. Um, what you have may be unique to them. So though those are really some of the things that trigger us to say, you know, hey, there's there's something interesting about you that should lead you to want to better protect yourself and demonstrate that you're doing that.
SPEAKER_03 (13:30):
Yes. So from a personal information standpoint, and this is a question that I feel like a lot of people don't still quite understand in terms of what actually is personal information. Um and I can see you laughing already. And and maybe I'm opening up a can of worms here, but but how how do you define what's what's personal and what's just kind of a line of business that look like information around someone?
SPEAKER_04 (13:50):
I mean, personal information is anything that can identify a person.
SPEAKER_03 (13:54):
Yeah.
SPEAKER_04 (13:54):
And uh that could be that could be anything from an IP address, potentially, right? Because you could trace it to the person that's using that address, right? To you know, your typical hey name, address, right? And and some more sensitive stuff, right? Like health information or and so on, right? There's different levels of of you know personal information and and you know, more critical information, less critical. But yeah, anything that can identify a person, it's considered personal information.
SPEAKER_02 (14:20):
So we actually got into a uh a debate with a client once, of course, right? There's always there's always always debates and discussions. Um uh this was a uh waste management company um in the US, and they were dealing with a lot of contractors. And a lot so a lot of the companies they were dealing with were individuals that owned garbage trucks or or similar types of vehicles. And in a lot of cases, the company was in the name of, you know, it wasn't Mark Mandel you were working with, it was Mark Mandel Inc. Right that you were working with. And the debate was, well, is that actually personal information or is that business information? It's a company you're working with, but the name of the company is actually the name of the individual. Um I don't honestly remember where we landed on that one, but but there was at least half a dozen conversations around how do we actually treat this and what do we need to do to protect it at the end of the day.
SPEAKER_03 (15:12):
Yeah, well, and I think you bring up a really good point, and even when it comes to some of the corporate information, you know, there's been a handful of um articles that have come out recently around um within Canada the risk of corporate espionage, the risk of trade secrets, the risk of um your own IP getting out there. Do you feel like this is something that, and I recognize this is a fairly broad paintbrush here, um, but do you think organizations take this seriously seriously enough with for the most part with the ones you're working with? I think in most part they do.
SPEAKER_02 (15:43):
Um I think where you see some of the disconnect is not even necessarily understanding all the data you have access to. Um now, in a company that's providing a specific service to another organization, I think it's well understood. For a company that is simply providing a software tool that other companies are using, um inherently they don't necessarily know or understand what is included in that in that tool. And they shift it off to be the responsibility of their customers to say, well, it's up to you to decide what to put in this platform or not. But at the end of the day, I still think you bear a certain amount of responsibility for what's there and even understand what are the kinds of things your customers might be using this for.
SPEAKER_04 (16:27):
No, I I would agree. I think people are in general are trying to do the right thing. I don't think anybody's doing, you know, anything to to you know misuse that data or do something wrong with it. In fact, like a lot of the issues come from people trying to do the right thing too much. Right. A lot of a lot of the attacks, a lot of the phishing attacks, a lot of the you know, it it's people that are trying to be helpful, right? They get an email, they need to, you know, rush into doing something, or they are doing something with data that, well, if I do this and this, right, and connect those services, I'm gonna be able to do something better. Like, you know, it's it's all there's a lot of human error. It's not any I wouldn't say there is any, you know, like wrong in general, right? Like really like people try to do the right thing.
SPEAKER_03 (17:09):
Yeah, like I I always say that also people make the you know decisions with the best information they have available. And and I think you're this is exactly what you're saying, which is they just might not have the right information yet, and they might not fully know or understand or comprehend. So, how if I'm a business owner, how would I um take some of those first steps to start to understand what like where my risk is, what where do I um sit from that risk profile standpoint, and and where are the ticking time bombs in my environment?
SPEAKER_02 (17:39):
I think the the two very best places to start is number one, what what data do you have, what data are you collecting, um, and are you doing anything with that data, even with the intent of being trying to be helpful that maybe outside of the core system that is housing that data. Um alongside that, I think looking at the agreements you have with your customers, particularly if they are agreements that are on your customer's paper. So if you're dealing with larger enterprise clients, there's there's a lot of that goes on. And we find a lot of smaller companies don't necessarily appreciate what they're signing up for by dealing with these large companies and are probably committing to things that um they don't know they're committing to. And I think looking at the combination of those two things is is a great place to start to understand what does your risk profile look like, and you know, if something bad were to happen, what what could be the ramifications of that?
SPEAKER_04 (18:40):
That makes sense. Yeah, I know I would agree. I mean, maybe to add one thing, I would look at um this day and age, I would look at the vendors. If you're a small business, you probably have more vendors that you can imagine and asking yourself, where is my data? Yeah. Um just in addition to what data I have, where is it? Do you know? And and you know, what happens if this you know disappears or there's a problem with availability of that vendor of integrity, right? Or suddenly I can't rely on this data, right? And and you can imagine the amount of vendors you'll have and SaaS applications and data maybe in in countries you may not even know about, right? Read those contracts. I know nobody does it in real life. Everybody sees the wall of text, right? When we you know open a phone, I agree, agree, agree. If you have a business, read them, right? Like that's there's a lot in there, right?
SPEAKER_02 (19:31):
And that's a and that's a that's an interesting point, um, Jose, because I think we've seen the explosion in SOC 2 and ISO 27001 and the need and the demand for these services a lot because large enterprise companies are working with so many service providers now for technology, for other types of services, and everybody's working with somebody down the street. So this whole ecosystem has just gotten so much larger that everybody is reliant on somebody else somewhere to do what they need to do. And understanding you know who those people are, what your risk is with them, what your commitments are with them, what their commitments are to you, um, to make sure the entire chain of custody from start to finish is critical.
SPEAKER_03 (20:14):
So, at what level does that stop then? So if I'm looking downstream at our own um software ecosystem, and you know, to your point, there is, you know, I put data in platform A, platform A has a service provider that goes downstream over here. Um, you know, that data goes over into this CRM, and all of a sudden, you know, you're probably five, six, seven layers down the line. Um, you know, where does that stop? And I I just I can't even wrap my head around how I start to um govern that. So so what where does that line end and and what can I even practically do to have some semblance of control over that? Because it just seems really overwhelming to me. Yeah. It I mean, it doesn't stop.
SPEAKER_04 (20:58):
Like they really answer I was looking for. No, no. Like if you just I mean it doesn't stop. Now that doesn't mean that you have to go down and get assurance over like, you know, that nth vendor, right? Because what you are pushing down the chain is hey, I'm giving you my data, I want you to control this data at the same level of you know, security, privacy, confidentiality, right? Whatever it's important to me. So I I'm assuming or I want you to treat that data and push that requirement down to your vendors, right? So you push it down that way. It's not that you go down and you start asking for the contract of the contract of the contract, right? You you stopped at that first level, right? But reality is that you're you know pushing your vendors to have that you know responsibility, right?
SPEAKER_03 (21:44):
And so making sure that you're kind of creating enough downstream risk and you're saying, okay, I'm I'm going to pay very special attention to this first layer of contracts.
SPEAKER_02 (21:51):
Yeah. And and understanding who are those vendors and partners, what do you share with them? Why do you share it with them? Um, do you have an idea of that by the nature of their business what else they might be doing with that data? Um one of the things uh so one of the controls that we get a lot of pushback in our audits is how to assess vendors. And especially if you're working with uh a cloud provider for, for example, you know, one of the things we're looking for is have you assessed AWS as an example? Well, you Keith, you're not gonna go in and do an audit of AWS. You know, they're never gonna let you in the front door, let alone to actually do anything. But they have an audit report. So our expectation is that you are at least going to get that audit report, you're gonna read it, you're gonna say, does it cover what I'm using this vendor for? And does it look like there's suitable controls over that that's been audited by a third party? I mean, that to me is doing your diligence in conjunction with being able to understand what are you using them for. But a lot of times we get the pushback to say, well, it's AWS, they're fine. Well, maybe. Um, and maybe that's a bad example. But what if it's a service provider that's a bit less known in the market? Um, do you want to just assume what they do and how they do it? No, I think I think you need to demonstrate you're doing enough diligence to get comfortable that you've made the right decision and you're kind of keeping on top of the nature of that relationship.
SPEAKER_04 (23:22):
I've seen uh even large organizations, I've seen uh ERPs that have different modules, and people get the report from the ERP, big names, right? Well, yeah, I got it. I got the big name, yeah, I'm fine. Well, yeah, but you you're using these this software provider for their HR module, and guess what? That's not included in your you know, it's a completely different sub, you know, completely different technology. You don't even this is this doesn't cover the service, right?
SPEAKER_02 (23:48):
So we actually used to see that a lot with with Microsoft Azure and Google and Google when you know the various subservices were all in separate audit reports before. So for example, somebody would be using Google Cloud and they would show us, yeah, yeah, I reviewed the Google Workspace SOC 2 report. It's like, okay, well that that that's good and that's helpful, but that's not Google Cloud. So why don't you get that report and do a review of it also?
SPEAKER_03 (24:12):
And so I've seen that before. And is that a common practice where, you know, because I have seen organizations and they'll have the, you know, whether it be their SOC 2 or their ISO for a specific part of their organization or a specific environment. But they you know, maybe to the general public, they pass it off. It's like, hey, I have the certification over here, don't worry, trust me. But to your point, there's all of this other stuff that orbits around the outside that that isn't part of that audit, it isn't part of um any of the the checks and balances. Is that a common practice?
SPEAKER_02 (24:41):
It comes it comes and goes, uh, I would say. So we see sometimes they start off segmented and they come together over time. Okay. Um, sometimes they start off together and they they split over time. Um when when we advise clients of that, and and we have some clients where we do multiple audits and they have multiple reports, even though it's the same company, but the nature of the service or product is very different, and the nature of their client base is very different. So if if you were using product A and didn't know or care about product B, do you want to read a report that kind of commingles all of that together? It almost might be more confusing than not. So there's definitely rationale for keeping it separate. Um, but companies also don't know what they don't know. So when they go to Google, for example, and say, give me this, Google gives them that. Or in this case, they probably just go download it themselves. Maybe not even realizing what they're getting isn't what they necessarily need. So it can add some confusion um into the process.
SPEAKER_04 (25:39):
Yeah, and the other thing I would I would say is look look at look at the contract, do your risk assessment. You're responsible for your own risk and your own data, right? So so take it, take a step back. The report is you know what you got at the end to to verify, do you do your due diligence, but you know, going back to the conversation we had at the beginning, right? Like, what does the contract say? What type of data are we pushing? Do we need to push all this data that way, right? Like go back to that, right? And am I comfortable, right? And then the report is like kind of like at the end, right? I'm gonna get the report, I'll validate it, right? But but don't, you know, look at everything, right?
SPEAKER_03 (26:13):
That makes sense. And so there's so many people as well that I think are building on these big um you know hyperscaler cloud platforms right now. And you know, it's probably somewhat of a given that Microsoft has you know a fairly strong handle on compliance, you would still want to check it. Um Google, uh AWS, you know, they they're going to have their compliance suites, but there's so many people that are building on that kind of first layer of it as well, and saying, don't worry, I've built on platform X. Um, we're secure, we're um happy, we're you know, trust us, we're good. What should people be looking for when they're looking at that kind of first layer of SaaS platforms that are trying to piggyback um off the compliance of the big hyperscalers without having done their own kind of checks and balances themselves?
SPEAKER_02 (27:01):
Um that's a very complicated uh question to to answer. Um and there seems to be more of those out there in the market, and and the approach they take is becoming more um more different than it used to be in terms of how they're all approaching that. At the end of the day, I think you really need to try to get a handle on what is the primary cloud provider, you know, the AWS or Google or or Azure of the world, what do they hold responsibility for, and what does the the one layer up hold responsibility for? Um the best way to do that is to go to AWS's compliance portal, for example, and and look at their responsibility matrix and say, okay, here's what AWS does, and here's what everybody else should be doing. And you almost need to assume that the one level up is a client of AWS. It's not AWS, it's not associated with AWS, it's somebody using AWS. Even though they're building on it in a slightly different way, they're still a client of theirs, no different than you're a client of AWS. Um, and I think that would at least give you a bit of uh an idea of where to start that conversation. Um, we do see, unfortunately, a lot still in the market of organizations that are claiming we're secure because we rely on this. Um and getting a handle on well, what do they do and what do you need to do? Um, I don't think it's complicated, but it's definitely a critical piece of the puzzle.
SPEAKER_04 (28:27):
Yeah, no, I agree. I mean, this goes back to what you were saying about the end, you know, vendor, right? Like, okay, there is always somebody responsible. The other thing to think about is, you know, not only from a data, hey, where is my data point of view, but what are you doing, right? A lot of these organizations that are using cloud providers have a service that they're offering. What is it, right? If I if you know, my if I'm outsourcing my payroll to a company, right? Like I am, I expect that they follow, you know, whatever that the taxes, the, you know, and that my employees get paid, you know, on time correctly, right? Like what AWS is just providing the hosting service, right? Like that other company is doing all the other you know payroll things that I expect them to do. So that's what I would like to see in that report, right? It's uh, you know, sounds simple, sound like that, but it's not even clear, right? Right. It's and it really depends.
SPEAKER_02 (29:17):
I think if you take
if you take some of the
fundamental controls around who has access to my data, who can
make changes to my application, and how how am I doing that, um,
how am I ensuring those changes are secure, um, those are
generally things that are within your sphere of responsibility.
Where you start getting into, you know, is my database layer
(29:37):
encrypted, for example, I think becomes a little more difficult
because that could be something that your service provider is
doing for you.
But I think if you look at just some of those fundamental areas,
you'd almost by default just say, Look, I I need a way of
tackling this, irrespective of what service provider happens to
be sitting underneath my service at the end of the day.
SPEAKER_03 (29:57):
That makes sense.
And so we had someone on the podcast, uh, that should come out
probably a couple of weeks before this one.
And and they really talked about the idea of data fluency and
data literacy.
So there's a lot of people that I think have come up to this
level where they kind of they're starting to talk the little bit
of the language of data.
They understand the importance.
(30:17):
But there's this next level, which is data fluency, which is,
you know, if I'm you know, if I learn French and I, you know,
have my Duolingo and I um you know learn my words and I can
kind of figure out what to do, and then all of a sudden I you
know go to France and realize that I'm not conversational.
Those are two very different spectrums of you know knowing
French in a textbook and then being able to um order dinner at
(30:40):
a restaurant in Paris.
The same I think is coming through with data, where there's
there's a little bit of knowledge of what's going on,
but it sounds like the language of data in terms of um the what
you're both describing still has a long ways to go in terms of
how businesses are looking at it.
Is that a fair statement?
unknown (30:59):
Could be.
SPEAKER_04 (31:00):
I mean, I think it's
getting better.
I I think you know, going back to people trying to do the right
thing, a lot of it is awareness.
You know, like I well, I remember when I started my
career and we were auditing, you know, some clients and and just
the concept of passwords was like they push back, people push
back, right?
I remember the MFA, remember these pushback on MFA
(31:22):
originally.
Still, still but you know, yeah, but originally, right?
Like right people are used to the pins, right?
The banking, like people are more used to those things, but
the pushback was horrible, right?
Like it was or or the concept of the cloud, and it's like
absolutely not.
I'm never putting my data on the cloud, right?
Um I think I I think it takes a little bit of time.
There is an awareness.
(31:42):
But I I wouldn't I don't know.
I I I don't think there is you know data illiteracy or you know, I
don't know how to do that.
How you called it, right?
I don't think people are completely like, you know, uh
unaware of the risk.
I think in their in their head they know they know it, they've
they feel it, right?
It's just sometimes they don't know how to approach different
things.
But I I don't know if it's as bad as you portray it.
SPEAKER_02 (32:05):
Yeah, um I do find
though in my experience there
there are still a lot of assumptions that are that are
made.
So again, I don't I don't think it's it's with intent or it's
with maliciousness, but I think there are a lot of assumptions
about my data is protected a certain way.
Or, you know, if I give access to it to somebody, they're only
gonna use it for what they say they're gonna use it for.
Well, but how do you how do you know?
(32:27):
And how critical is it if somebody uses something in a way
they're they didn't tell you about beforehand or that you
didn't agree to?
What is it gonna mean at the end of the day?
That's I think the level of literacy where we're at now.
It's it's getting that bigger picture of what does it mean at
the end of the day.
And if something bad happens, A, what is bad?
Right?
(32:47):
How how do I even even put some parameters around good versus
bad?
And then what are the implications if bad were to
materialize?
Um, I think I think the prevalence of AI now is opening
people's eyes to that in some cases a little bit more because
they realize data is the underpinning foundation to all
of this.
Um you can't do AI without data, um, and you can't do AI well
(33:10):
without good data.
Um but good data also means you have a reasonable amount of
control over what it is, where it's coming from, where it's
going.
SPEAKER_04 (33:19):
Yeah, I had a the
this weekend I had an
interaction with a with a former colleague of mine, and he we
used to work together in a different company, but we had a
different role, so he doesn't have the the training and
background that we have.
Uh, but just you know, he was in the same space, right?
So he was saying uh he just went golfing to Drumheller this
summer with with a friend, and and and there was a guy, because
(33:40):
apparently Drumheller goes up and down with the so you can you
can wreck the car very easily.
So apparently they they they make you write the the credit
card on a piece of paper, um, just you know, before you you
grab that golf cart, right?
And um yeah, the guy was like, Well, where is this?
What are you doing with this?
Like, that's not very secure.
Where is my data, right?
Like, what are you like, hey, I don't know with the story at the
(34:02):
end of the day?
Okay, how do I know?
Uh and funny, like he was saying, I would have never asked
those questions if uh before we worked together because it
wouldn't it wouldn't have crossed my mind, right?
You made an assumption that I mean if they're taking your
credit card, they're gonna you know, but imagine, right?
Like the moment you start thinking about it, it's like,
okay, is it gonna be in somebody's drawer, right, with
(34:22):
all the other credit cards, right?
Like what's what's happening here, right?
SPEAKER_02 (34:25):
There's a lot, just
in general, I mean, in their
it's a it's a good example, but in our day-to-day lives, even we
see a lot of somebody says, I need this for a reason.
Okay, and you believe the reason.
And the reason may be valid, whether it makes sense or not is
a different is a different thing.
Whether it's necessary or not is a different thing.
But there is a lot of people sharing things just because
(34:48):
somebody says share it.
Yeah.
And and it's not it's not always a um something that you're doing
intentionally, it's something you're almost just doing because
it's there.
And and that's I think where you can lose control over that
pretty quickly, because then that's probably something you're
not even thinking about after the fact.
And you may not even realize I shared this with somebody
(35:08):
because it was one off.
They said they needed it, they said we don't do anything with
it, but yeah.
How do we know in your case the you know the golf place doesn't
have a drawer with thousands of credit card and expiry date and
CVVs on it?
Right, right.
SPEAKER_03 (35:21):
Imagine, right?
Right.
But but I think to your point earlier, the the intent is
there, right?
You know, the person at the front desk probably says, Hey,
you know what, I want to make sure we're controlled, um, but I
also want to make sure that I don't have to bug you if
something happens and I want to create a good customer
experience so we don't want to keep having to come back.
And and what comes from a place of how do I create the
experience I want from our customer might expose them and
(35:43):
and um your friend to more unnecessary risk.
SPEAKER_02 (35:46):
Right.
And that and that that's a that's a a big dichotomy when it
comes to security.
Yes, there's malicious actors out there, there's people who
wanting to cause you harm, there's people who wanting to
profit off of it.
That's always been there, that's always gonna be there.
You know, um, I just watched Catch Me If You Can.
The movie was on TV on the weekend again, which is which is
a great movie, and you know,check fraud, and it's like,
(36:06):
yeah, check fraud probably doesn't exist now, but there's
bank fraud all over the place, right?
You know, people are always gonna find a way.
I I think you need to treat that aspect in in a certain way.
Um, but the other aspect is it like we talked about earlier,
people try to be helpful.
But sometimes people try to be helpful means you loosen the
rules just a little bit to go out of your way to do something
(36:28):
you know helpful to somebody without necessarily realizing
what is that now exposing on the other side, either for you as a
company or for the individual you're trying to help, and and
what risk are you exposing them to that they're that they're not
even aware of?
SPEAKER_03 (36:44):
So I think this is a
really good segue then to the
role of compliance.
Um and so at a very high level, why would an organization go and
get their um whether it be their their SOC, whether it be their
ISO, like what's the purpose of them doing that?
SPEAKER_02 (37:02):
So the the main the
big one we see, which I don't
know if we always agree with, but the big one we see is I want
to do business with somebody and they have told me I need this.
Okay.
Okay.
So so that's a great starting point if if if needed.
Um I think at the end of the day, the the real good answer is
I want to understand what I need to do better.
(37:23):
I want to understand how well I'm doing today, and I would
like somebody, a third party, to come in with some standard to be
evaluating me against, say, how how well do I understand what my
obligations are?
How well am I actually executing against those obligations?
And then do I have a way of demonstrating that to people to
(37:45):
promote myself as being, hey, I take this seriously and I'm
gonna do the right thing for you all the time?
SPEAKER_03 (37:51):
So that makes sense.
And so how do I choose then?
So um, if I'm doing it, like if I'm not part of the one where
I'm responding to bid and see, okay, well, I need my SOC 2 um
over here, but I I'm really coming from that altruistic
wanting to understand how to operate better in the world, how
do I choose between the different um compliance
standards?
SPEAKER_04 (38:13):
Well, I mean I would
look for the which one is the
the most likely that my clients are gonna ask me for because you
want to make it somehow useful.
If you're gonna go through this, right?
Because again, right, like security, you know, and
compliance, in a way, they're different, right?
Compliance how you demonstrate it to the world, right?
(38:34):
Uh but um yeah, which one which one it's more useful for me and
depending on what I'm doing, right?
Like which one I'm am I gonna be able to use, right?
I would I would go with that one.
Generally speaking, and it's changing a little bit, but if
we're talking about the big the big two that we've been
mentioning in this podcast, there's more, right?
But we're talking about we've been talking about SOC 2 and ISO.
SOC 2 seems to be the standard in North America.
(38:56):
That's what people know, people are used to, that's what they
ask.
ISO uh 27001 is the certificate that's being asked in the rest
of the world.
Okay.
Uh they are different.
I'm not gonna get into the details here.
Uh because then you know we'll run out of time.
SPEAKER_03 (39:10):
Oh, all of a sudden
this becomes a two-hour episode.
Exactly.
Yeah.
SPEAKER_02 (39:13):
You know, you know,
there are there are also
differences in each of the standards, both in terms of what
their areas of focus are, um, the nature of reporting.
So, ISO, for example, you get uh a nice certificate that you can
show to people, and there's very little detail other than your
statement of applicability underneath that.
In SOC 2, it's a very large detailed report, but there's no
(39:35):
certificate.
So sometimes people get confused about what the differences and
similarities are, but depending on what level of detail you
think your clients are going to be asking you for, may also help
play a role in terms of what's the best answer for you.
Um we're seeing more organizations now adopting
multiple standards.
So if we look at SOC 2 and ISO, for example, because people want
(39:58):
to be operating globally, they've got customers in
different countries, um, especially in some of the more
regulated industries, um, one or the other is no longer good
enough.
Um both is now what people are asking for.
Um so that lets you cover both the product level at a bit of a
deeper, deeper view, but also the organization as a whole.
(40:18):
So it gives you the breadth and the depth that you know the best
of both worlds of compliance, shall we say.
SPEAKER_03 (40:25):
And and do those map
neatly to each other?
Like if I've gone through the process of certifying our
organization on um SOC 2, and then I decide to undertake ISO,
is it uh equal lift, or can I piggyback off one of the work
that I did the first time around?
SPEAKER_04 (40:41):
Yeah, you you can
piggyback.
They they do overlap quite a lot.
Uh they're a little bit different conceptually, right?
Like Mark was talking about uh the the ISO is looking at your
processes, the ISMS, right?
Your your information security management system overall,
right?
Like so the processes to maintain it and manage it, and
right.
Uh SOC 2 is more, you know, the controls, right, that are that
(41:03):
are in place to sustain it.
But there there is overlap.
I would say, you know, I mean, you know, eighty eighty percent
similar, right?
Like they're very similar.
At the end of the day, they're covering some of the same things
and aspects and concepts.
Yeah.
SPEAKER_03 (41:16):
And and if I'm an
organization that's looking to
undertake um getting the certification, what do I need to
look for in a partner to guide me through that?
Because I I know both of you have uh you know big four
experience.
I know that you have a a very um distinct value proposition right
now as well, but you know, there's probably everything in
(41:37):
between too.
Like what do I look for if I'm starting to find that partner to
guide me through it?
Because I imagine it's a fairly intimate process to work through
that.
SPEAKER_02 (41:48):
It can be.
Um I think the the first place to start would be an auditor
that that's that's reputable, um, that's willing to offer, you
know, you'd have discussions with with clients, you know, as
reference checks and such.
But I think even more importantly than that, an
auditor that that can demonstrate they're willing to
spend the time to understand your business, how you do
(42:10):
things, why you do things a certain way, um, and have a
certain flexibility within the realm of like what is required,
but how do we how do we apply that to your particular
situation?
Um, we see a lot in the market right now where there's a lot of
you know factory-based audits, shall I say, where you know
(42:32):
there's limited to no discussion with with clients, there's no
understanding of um how they work, what data they hold.
Um, and you read some of these reports, and you would you would
have no idea what a company actually does based on reading
their SOC 2 report.
Um, so I know that's not always an easy thing to gauge in an in
an early discussion, um, but it's an important factor.
(42:53):
If you want a partner that's gonna be there with you longer
term, that's gonna help you uh define what is necessary and and
help you know give you guidance along the way when you have
questions about how does this apply?
Does this apply?
Um, I'm thinking of making this change to our, you know, the way
we do system development, for example.
Um, what does it mean to be from a from a compliance perspective?
(43:16):
Um, somebody that can help you answer those questions um is
critical for long-term success.
SPEAKER_03 (43:24):
So you brought up a
really interesting point around
the um I think you call it the cookie cutter uh factory audit.
Factory, yeah.
So does that cheapen some of these audits?
And I say that very respectfully, but uh if it if I
remove the barrier, if everyone can get their SOC 2, then it
no longer becomes that marketing differentiator, but it also I
(43:45):
don't think is the intent of what the certification is
looking to do.
So so how does that create downstream problems for some of
these certifications?
SPEAKER_02 (43:54):
It's um uh it's a
bit of a self-fulfilling
prophecy, if I could if I could use that cliche.
Um in some ways it's it's been tremendous because I think it's
opened up awareness and the opportunity for a lot of
organizations to do something that they weren't able or
weren't able to access before.
Um so that's the positive side of it.
I think the negative side of it is it does run the risk of
(44:16):
diminishing the value because it's harder to differentiate
what is a good company from a not as good company, serious
company from not as serious, good auditor from not as good an
auditor.
Um I think it really comes down to the ability for the
organizations that are asking for these compliance reports,
evaluating the compliance reports to take a leadership
(44:39):
role in assessing like who and what do we want to see things
from?
Um beyond just the checkbox exercise that says, yeah, they
gave me a SOC 2 report, I'm happy.
Like, what are you actually looking for?
And are and are you getting the answers to the questions that
you had?
Um, if you go to LinkedIn now, it's a very hot topic on there
around auditor quality, around bundling of services, around all
(45:01):
kinds of things, and a lot of that point is pointing to well,
the regulators need to do a better job of regulating.
Um, to a degree, that's that's probably true.
But I I'm I'm a firm believer that as soon as you do that, now
you're putting in other people's hands to decide what is and
isn't appropriate.
Um, I think the industry as a whole needs to really take a
(45:22):
hard look at itself.
And this includes the organizations asking for these
audit reports and say, what do we really want out of this?
And and what is the best way we think of getting the information
we're looking for?
And I think that will help naturally start to create some
more differentiation um amongst all the players that are in the
space.
That makes sense.
SPEAKER_04 (45:42):
Do you have anything
you want to add to that?
No, no, I would agree.
I think you know, hopefully the market's gonna fix itself,
right?
Um users of the report, that's you know, what we call them,
they are using them, they are reading them, hopefully.
Yeah, put a lot of work into them, right?
Uh and they are the ones that need to, you know, push back if
they have to, but it it it's hard, right?
(46:03):
Because um like uh like we said before, right?
Like we're so used to that accept, accept everything,
right?
Look at everything.
The moment you get a SOC 2, okay, yeah, they they are it
done, right?
So uh you know, read it, make sure it meets what you need.
And if it doesn't ask and push back, there is there is
alternative, right?
(46:23):
Until that happens, I think we're just gonna keep saying
some of this, right?
SPEAKER_02 (46:27):
I I mentioned to
clients when when we get this
question sometimes, I said, look, at the end of the day,
there's two sections at the beginning of a SOC 2 report.
One is the management assertion and one is the auditor's report.
The auditor's report we sign, and that says here here's what
we did, and here's our opinion at the end of the day.
And the management assertion is you, as whoever the responsible
(46:49):
party in the company is, signing off to say, this report
represents my company and the controls we have.
So, and this is a document that you're going to be giving to
people.
So, do you want something that has my name on it, your name on
it, that's making certain statements?
Do you want that to not really be true?
And that that does give some people pause for thought a
(47:12):
little bit to say, yeah, okay, we we maybe really should take
this seriously.
Um, and I think that's uh at least a starting point to to
make them aware of, yeah, what are you actually saying by
having this report issued?
SPEAKER_03 (47:25):
That that makes a
lot of sense.
And I think that from what you're both saying, there is an
opportunity for the market to kind of drive some of these
changes as well.
So if I'm if I'm looking um uh on the other side of it, and so
I'm an organization that requires some of these
compliances, and and I'm getting you know the buffet of different
reports from the you know kind of the fast food version to
(47:47):
something that's a lot more in-depth.
Is there specific things that I should be looking for?
Like is all SOC created equal or or or what should I be
looking for to kind of separate out um the good from the bad
there?
SPEAKER_04 (48:00):
I think um I mean if
I don't think there is anything
specific that I can call you and say, hey, you know, if you look
at this page here, you'll see that this is a bad one, right?
SPEAKER_03 (48:09):
All about page
seven, it's yeah.
SPEAKER_04 (48:11):
Exactly, right?
Like look at look at these page and you'll find it.
I mean I would say, you know, apply a little bit of logic.
Like we talked before, what service am I buying, you know,
from these from these from this, you know, vendor and these
people.
We we received a report.
And if you read it and see if, you know, one on one equals two,
right?
I mean, I just recently, like recently this week, and I'm
(48:31):
talking to them on Friday again, um, got a prospect that's wants
to change auditors and and they have a report that they um share
with me with the controls.
And and this is uh an MSP, a services company.
They have controls in there that talk about you know software
development, they have controls that talk about uh having a data
center, you know, environmental controls.
They don't have any of that.
(48:52):
But they are in the report, right?
So I I mean I I caught it very quickly.
I mean that's what I do is my job.
But you I mean you would imagine somebody somebody reading these
reports over and over should be able to write to make those
connections, right?
Because that's so it's not in your face, it's hard.
Right.
But but you can catch it, you can you can see it, right?
SPEAKER_02 (49:11):
Yeah, you what you
also need to look at, um at
least in the SOC, it's a little bit harder in in ISO, but in the
SOC 2 um lens, you can look at section four, which is the
details of controls against the requirements and the actual
procedures that were executed.
Um and and take a look and see are there is there actually work
being performed, or is it all we asked the client about something
(49:33):
or we read a policy?
Well, yeah, policies are important, but policies are one
piece of the puzzle at the end of the day.
And doing an audit that is predominantly we read the
policies and we were okay with those isn't really telling you
an awful lot.
So can you demonstrate there's actual work being done?
Um the other thing I think from a from a company evaluating
(49:56):
these, and we we hear this from from our clients a lot, that the
expectation is, well, if I do so if I give a SOC 2 report, that's
going to either eliminate or at least shorten the questionnaires
that I that I get.
In some cases that's absolutely true.
In other cases, the company says, Well, thank you very much,
but here's my 175-page questionnaire anyway.
So I think being able to look at it and say, if I get a SOC 2
(50:19):
that has this in it, that covers these questions, and having
almost a bit of a variable third-party assessment platform
where you can say, okay, here's what I still really need to
understand because it's not covered, and go back to the
service provider and say, I need to get more information on this.
But to just ask them to repeat everything they've already done
an audit to provide you on almost makes them question,
(50:41):
well, why am I doing this in the first place if it's not really
buying me anything at the end of the day.
SPEAKER_04 (50:49):
If you're gonna do
it, do it well, right?
I mean, if you're gonna spend the time doing it, right?
Like, why do it halfway and then you're gonna get additional
questions, and you're gonna get, you know, it it's half truths in
there, right?
Like just do it well, right?
Like you're gonna go through this compliance approach, you
know, you're gonna have to do you know whatever is required.
Yeah, you were not formalizing before potentially, or write
(51:10):
these policies, just write them well, right?
Do do them write the right the and and then you'll you'll have
a good story to tell your clients.
You're gonna feel good about you know the services and your level
of uh security, right?
SPEAKER_02 (51:20):
And I don't want to
sound cliche with this, but but
it really is a partnership.
Like you know, you have the be you know be between the
companies providing the services that are willing to be audited,
the organizations that are performing those audits, and the
organizations that are the recipients of those reports that
are evaluating the companies and and the audits.
And yeah, while they can't all be in cahoots with each other,
(51:42):
but they all need to be working to a similar objective to really
make this as powerful as it as it can be.
SPEAKER_03 (51:48):
I love it.
And I feel like there's probably 300 more questions that I have
for both of you.
Um if you were to to wrap up with one final thought around
the the importance of this, where the world is going around
um compliance, is there anything else you wanted to share with
our listeners?
SPEAKER_02 (52:05):
Um I think as much
as you can look at it from the
lens of you are you are trying to engage in a trusted
relationship with with people.
And how can you get them comfortable with what you do and
how you do it and use that as an enabler to do business together?
I love it.
SPEAKER_03 (52:25):
It's a high bar
there.
SPEAKER_04 (52:27):
Yeah, dude.
Um I I don't I don't know.
I don't know what what else I could on the other hand.
What he said.
I prepared in advance.
SPEAKER_03 (52:36):
There we go.
Perfect.
I I only gave him the questions in advance.
No, it's been an absolute pleasure um to both of you.
Thank you so much for coming on the show.
Um if someone wanted to pick your brain further, if someone
um wanted to kind of start the front end of those
conversations, um, if they wanted to get to know you both a
little bit better, what's the best way for them to get in
touch with you?
SPEAKER_04 (52:57):
Yeah, I mean they
can check our website um or uh
send us an email at mhm at mhmcpa.ca.
Oh, perfect.
That'd be uh that that'd be the best way to reach out to us.
SPEAKER_03 (53:08):
I I love it.
Thank you so much.
This has been a blast.
Thank you for having us.
SPEAKER_04 (53:12):
Yeah, thank you.
SPEAKER_03 (53:13):
Perfect.
If you've made it this far, like and subscribe on YouTube or
follow and leave a review on your favorite podcasting
platform so you don't miss any future episodes.