Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:09):
Hello and welcome to
another episode of Cybernomics,
where we talk about the hidden costs of cybersecurity.
This is the week of January 27.
Before we jump into today's topic, here's your latest update
on artificial intelligence regulation, the impact of
DeepSeek on the US market and recent developments in
(00:31):
cybersecurity research and leadership.
The Vatican has recently emphasized the need for
stringent oversight in artificial intelligence,
highlighting concerns over AI's potential to spread
misinformation and cause social instability.
A document titled Antiqua et Nova, approved by Pope Francis
(00:54):
himself, stresses the ethical implications of AI across
various sectors, including labor, healthcare and education.
The Vatican warns that AI-generated deepfake media can
erode societal foundations, necessitating carefully
considered regulation to prevent unintended consequences, such
(01:17):
as political polarization and social unrest.
In the United States, the regulatory landscape for AI
remains complex.
The US currently relies on existing federal laws and
guidelines, but aims to introduce specific AI
legislation and establish a federal regulatory authority.
(01:37):
Until then, developers and deployers of AI systems must
navigate an increasing patchwork of state and local laws,
underscoring the challenges of ensuring compliance.
Chinese AI company DeepSeek has recently unveiled a model that
answers questions and solves equations with the quality of
(01:59):
OpenAI's ChatGPT, but at a fraction of the computing cost.
This development has caused a stir in US markets, with NVIDIA
and other tech stocks experiencing significant drops.
Analysts note that DeepSeek operates more efficiently than
American counterparts like OpenAI and Meta, utilizing
(02:20):
open-source technology to outperform more expensive
proprietary models.
This has raised concerns about the US losing its competitive
edge in AI.
The situation reflects the shifting dynamics in the AI
industry and the potential for disruption from more
cost-effective and open-source innovations.
(02:42):
CrowdStrike Holdings' stock hit a record high following a
cyberattack on the Chinese AI startup.
The attack led to an increase in investor confidence in the
cybersecurity sector, with CrowdStrike's shares climbing
almost 10%, making it the top-performing Nasdaq Composite
(03:02):
stock.
Other cybersecurity companies also saw gains, including
Cloudflare, Zscaler, CyberArk and Palo Alto Networks.
CrowdStrike's Falcon cybersecurity platform received
a perfect score in ransomware tests conducted by SE Labs,
achieving a top rating for stopping all threats without
(03:25):
false positives.
Good for them.
On the regulatory front, India's central bank has urged lenders
to tighten cybersecurity oversight.
Governor Sanjay Malhotra emphasized the need for robust
systems to prevent digital fraud and called for even greater
supervision of external service providers to mitigate
(03:48):
technological risks.
This move underscores the global emphasis on strengthening
cybersecurity measures in the financial sector.
Jessica Rosenworcel, the outgoing Democratic Chair of the
Federal Communications Commission, the FCC, as we all
know it, has highlighted the importance of maintaining strong
(04:11):
oversight in the telecommunications industry
amidst cybersecurity concerns.
Under her leadership, the FCC introduced new cybersecurity
requirements for telecom operators and launched
initiatives to secure internet infrastructure and enhance data
breach protocols.
However, these efforts face opposition from the incoming
leadership.
(04:31):
Here to help us understand the implications of such changes and
to share what he's seeing in the state of Colorado is partner
and CISO at Richie Mae, Michael Nugier.
Michael, welcome to Cybernomics.
Speaker 2 (04:44):
Thanks for having me
on, Josh, I really appreciate it.
Speaker 1 (04:47):
Well, you've got a
10,000-foot view of this issue
and I'm not going to get too much into the politics of it and
I'm not going to share my opinions or what I think about
the administration, and it's not a political thing.
Here we're going to try to simply look at the costs of
deregulation and regulation in cybersecurity.
(05:10):
Is it a good thing?
Is it a bad thing?
It's really subjective, that's going to be up to public opinion.
But hopefully we can kind of untangle the mysteries of an
incoming administration and the changes that they will bring
about and how those changes might impact businesses.
And so we want to draw a contrast and bring real world
(05:33):
examples into what's happening at the federal level, how those
changes might impact businesses.
But then use Colorado sort of as a temperature gauge and maybe
apply that, with maybe too broad of a brush
perhaps, but apply that to other states and see how other states
may react and how they can adapt to those changes.
Speaker 2 (05:57):
Yeah, I mean.
I think it's important to note that regulation comes from
multiple facets, right.
It's not just the federal government, it's, you know,
states.
It's even industry-led practices, right, where
requirements are enforced not just from the federal government
but states and even associations across the board.
(06:18):
And so the current freeze that's happening from a
regulatory perspective doesn't mean that cybersecurity
regulation doesn't exist anymore.
It's just a matter of reviewing it to some extent.
And you know, like, if an organization's goal is to just
hit compliance, right, every security professional in
(06:41):
the world will tell you compliance doesn't equal
security.
Compliance equals compliance, right.
You're hitting what you need to hit.
The goal should be aiming for security, and by hitting that
target you are complying with all regulations.
Speaker 1 (06:59):
Well, if we were to
regulate, or if the government
or the state and local governing bodies or the regulatory bodies,
wherever they're coming from, if they're looking at more
regulation, or more compliance equals more security, do you
think that that would lead to a world where they're trying to
(07:21):
aim for 100% security?
And if we're going in that direction, what do you think
that would do to businesses?
Speaker 2 (07:30):
Yeah, I think, I mean,
regulation comes with a cost,
right, and it disproportionately impacts business as you move
down from enterprise to small business to some extent.
And so, right, like enforcing regulation with the broad stroke
(07:51):
of a brush across all industry or in industry sectors, let's
take financial services, because it's one of the more heavily
regulated, potentially over-regulated industries, it
disproportionately impacts the smaller businesses more than it does
the larger businesses, right. You see economies of
scale come into place, as you're seeing these large
enterprise financial services organizations hitting their
(08:14):
cybersecurity, right. They have heftier budgets to purchase tool
sets, invest in people and process, whereas smaller
financial institutions, smaller businesses, lack the funding,
the budgeting and even the people power to do a lot of this,
and so it disproportionately impacts it.
(08:36):
Regulation is there to set minimum standards, but I don't
think it's there really to build resilience.
It's there to drive a basic level of security.
Right, and I just hope that the people in charge aren't
(09:04):
thinking prescriptive, as regulation can be. Right, you can
take, like, some state regulations, like New York has
the Department of Financial Services, they're very
prescriptive.
It requires not necessarily named technology, but types of
technologies to be implemented, whereas, you know, as you get
more towards the federal level,
(09:24):
you lack that prescription and it's more just policies and
procedures and monitoring.
Right, it's these loose words for protection inside the
organization, but it doesn't drive resilience as much.
And so, yeah, to that point, you're not regulating
(09:45):
security, you're regulating minimum standards and there's no
guarantee that the standards that are put in, right.
It basically comes down to do you have a law degree and how
are you interpreting said legal precedents?
Speaker 1 (10:21):
Is it through frameworks?
Is it industry specific?
If I were a CIO and I realized that these changes might affect
my business, where do I go to get a general understanding of
how this impacts my business and what actions I need to take?
Speaker 2 (10:43):
Depending on what you
do, you have to comply with a
different federal standard based on the department of the
federal government you're working with.
So you'll understand those standards as you start to get
into working with those government entities.
Whether, let's take mortgage banking, for instance, right, if
you're working with Ginnie or Fannie or FHA or HUD, right,
(11:08):
depending on how you run your mortgage, your independent
mortgage brokerage, right, you might be working with one of
those or all of those, and you'll have to.
You'll get those specific requirements from a
cybersecurity perspective, mostly just notifications of
incident based on how you're interacting with those different
federal organizations.
(11:28):
In healthcare, HIPAA comes into play, but as a small business
it's kind of, for lack of better words, like the wild west,
right. If you're going to start building a software that
leverages PHI, right, you'll start to get requirements
(11:50):
either from your financial backers or through contract
language, stating that you need to be compliant with HITRUST or
HIPAA or have a SOC 2 or something along those lines, and
so it's either driven by the interactions you have from
licensing in those federal agencies or it's driven through
contracts that are requiring you to get certifications or have
(12:15):
bare minimum standards before you can do business in those
areas.
Speaker 1 (12:20):
When you hear that
there are going to be changes,
are you at the edge of your seat thinking, you know, I have to, I
know there are changes that are coming over the fence and
this is going to affect us?
Or do you sort of do like a wait and see and understand that,
(12:48):
whether there's more regulation or less regulation,
your day to day pretty much remains the same?
You know, in other words,
are security leaders constantly
monitoring this stuff, or is it just sort of, well, yeah, changes
come and go, but it's business as usual? Changes in regulation
aren't always a surprise, right, and very rarely are they a
surprise, right.
Speaker 2 (13:02):
There's usually
public comments.
They're garnering public opinion and building these
regulations.
And let's take the SEC.
That was the big one that rocked the last year, year and a
half or so.
That required notification of a breach through an 8-K and a 10-K
and you have X amount of hours to notify.
That wasn't unknown to the security industry.
(13:26):
A lot of us were opining on how it would impact organizations
and whether it was necessary or how strict they should be.
And so when it did pass, I think that was the shocker, like,
oh, the cybersecurity regulation is actually passing, but not
all the things that we opined on and not all the things that we
wanted to be implemented were implemented in that.
(13:46):
And there's the shocker. And so, like, it's easy to stay up to
date here and ultimately, right, these regulations,
they don't differ drastically between, you know, from
regulation to regulation, and so identifying the most stringent
regulation that you have to be compliant with and implementing
that typically has a trickle-down effect.
(14:07):
To say, I am at.
You know, if I have multiple regulations and I hit the most
stringent, I hit or exceed the request from this regulatory
body because I'm compliant with this regulation or this
compliance framework or something along those lines.
Speaker 1 (14:25):
And what's typically
the largest cost associated with
not being compliant?
Let's set aside security, right.
Let's just talk about, are you going to go to jail if you're
not compliant?
Speaker 2 (14:40):
Are there going to be
fees or that kind of stuff?
Yeah, and I mean, typically you're not going to jail, right?
(15:06):
There have been instances where CISOs or executives have been
grossly negligent, where they have faced some sort of criminal
penalty, to say the least.
Right, and so it has to be gross negligence or borderline
fraud, right, misleading regulators, something along
those lines, that leads to the criminal aspect of it,
rather than, you know, I didn't impose these, but I never lied
about it, that's fine.
So the larger cost, you're right, it is not necessarily
implementing, it's the lack of implementation where you're
saving money, but fines can come into play and the gross
(15:28):
negligence really plays in those fines, right?
One instance of this is in California with the CCPA.
The Privacy Act in California specifies different levels of
fines for gross negligence versus actually preparing and
still being impacted, right, and so it's an exponential
(15:48):
difference in cost from not doing anything to trying to do
something. Right, there still may be fines and that can still
impact you.
However, doing something is better than doing nothing, and
we know that in the cybersecurity industry, right, implementing
something is better than not implementing anything at all, as
(16:10):
long as you do it correctly, right.
I think it's the IBM Cost of a Data Breach posts the cost
savings from a breach by doing implementations of different
aspects, right: testing a tabletop policy, doing employee training,
performing penetration testing or offensive security testing
in your environment. Each and every one of those comes with an
(16:32):
average decrease in the cost of a breach.
And so if an organization is impacted by a breach, obviously
if it's ransomware, right, there's a ransom payment that comes
along with that.
That's a hefty cost.
Hopefully you're covered by insurance and you're doing your
due diligence to stay covered there.
But the unforeseens are the regulatory fines and the legal
(16:56):
costs that come from class action lawsuits and potential
impacts to your user base.
Speaker 1 (17:06):
It sounds like we're
talking more to the small
business, since they're disproportionately impacted by
these regulations and these changes.
So is there forgiveness for small businesses?
Let's say they try to do as much as they can to become
secure while making a profit.
Is there forgiveness in terms of foregoing fees or fines that
(17:30):
may be forgiven or overlooked if they're genuinely doing the
best they can?
But if they were to do everything that they're required,
perhaps they would not be profitable.
They'll just go out of business.
So is there forgiveness for?
Do you get an A for effort, in other words? Boy, I wish.
Speaker 2 (17:51):
I think that comes
down to legal interpretations
half the time, right?
And there are some regulations out there between states that
define different regulations based on the size of the
organization, right?
And so I think there are.
There is context that's applied to it, right?
(18:14):
Also, the amount of data that a small business owns and is
risking or accepting risk for collecting versus a large
organization is drastically different, so you would expect
to not see the fines be the same between the two, just based on
pure size and collection of data.
Speaker 1 (18:36):
I guess the question
that I'm asking in a different
way, which you've already answered, but now I'm kind of
looking at it from a different lens, is really, is there too much
of a regulatory burden on small businesses?
Speaker 2 (18:48):
Yeah, I think.
I think that, you know, that's industry specific, but it
is.
There is a potential in a lot of industries that small
business can be over-regulated and therefore create a burden to
that business.
And ultimately, right, that cost has to be passed down
somewhere, right.
If you're looking at having to perform a red team style
(19:14):
penetration test, which is more advanced than just a network pen
test, where somebody is scanning for vulnerabilities,
potentially exploiting them, right, they're coming at this
from a true adversarial perspective.
The costs differ dramatically between the two and that cost
has to be passed down somewhere, right.
A lot of people view cybersecurity as an expense and
(19:37):
so, with that mindset, doing something that protects your
organization has to be applied to the cost of goods sold
somewhere, right.
Looking at cybersecurity as an investment in growth and sales,
in whatever your organization does, building trust, goodwill,
(19:58):
tends to have a better perspective and tends to focus
the culture of that security to being more resilient for that
organization.
And organizations that tend to focus on an investment in
cybersecurity rather than just it's an expense and we're going
to budget for it as a loss or whatever, tend to create better
trust in their client bases.
(20:18):
So I, ultimately, looking at cybersecurity as a business
builder rather than a detractor, right, from a regulatory
perspective or compliance perspective or whatever it is.
It's not a negative thing if it helps build an edge for your
business to succeed.
Speaker 1 (20:59):
So those costs, you're
saying, can be offset by the
long-term gains that cybersecurity could provide in
terms of this?
Are you saying that, basically, that the costs will be offset as
long as you're not putting too much of a burden up front?
Speaker 2 (21:18):
I mean, business is a
dynamic study, if you will.
Is it dollar for dollar?
Perfect?
Probably not, right, but organizations that build trust
with their customers tend to have a better, more engaging
customer base, right.
They tend to stand out, right, versus, you know,
(21:41):
organizations that have had multiple breaches.
People don't want their data to be exposed, as we know, and
there have been multiple studies where up to 80% of people will
say I won't use a company that's been breached in the past,
which, at this day and age, every company has experienced
(22:01):
some sort of cybersecurity incident.
Every company has had to go through some sort of heart
attack, breach style engagement, and so it's not necessarily, I
won't work with a company that's been breached.
It's, I won't work with a company that's not proactive in
their cybersecurity stance and not resilient.
(22:22):
You can be breached, you can experience a cybersecurity
incident.
It's the organizations that are resilient that, I think, drive
a greater trust in their industry.
Speaker 1 (22:36):
SOC 2 compliance is a
pretty good example of that,
where if you're working with a software company, they want to
see that you've got the boxes checked.
From a SOC 2 perspective, CMMC is probably also the same.
Going out for government contracts, it becomes a
competitive advantage.
(22:57):
So I think whenever I'm pointing to cybersecurity being,
I know we don't think of it as a revenue driver, but at least
one that drives competitive advantage or at least that
drives some sort of monetary gain.
SOC 2, CMMC come to mind.
What do you think?
Speaker 2 (23:15):
Yeah, I mean, they're
marketable, right, to some extent.
If you're competing in an industry where your competitors don't
have a SOC 2, or if you know you're going after DoD
contracts, the CMMC aspect, and that's more of a requirement in
order to work with the DoD.
But others would be like ISO 27001.
(23:37):
Getting an ISO certification in that, and calling them
certifications is rough.
Getting, aligning with ISO, is another way to
interact internationally with organizations.
SOC 2 really does provide some competitive advantage and
really it comes down to the procurement aspects of what
(23:58):
you're selling.
Right, if you are selling software and you don't have a
SOC 2, one of the first cybersecurity questionnaire
questions that you're going to get is do you have a SOC 2 and
will you provide it to the purchasing organization?
If you don't, they may look at that contract and say, great,
we're going to move on to this other company that does have a
SOC 2.
It's a marketable resource.
Speaker 1 (24:20):
To wrap up the
regulation side, we'll talk
about deregulation next and how that impacts businesses.
But to wrap up regulation, you're seeing some unique things
in Colorado because Colorado is one of the first states, I think
maybe one of the only states, that's heavily regulating
cybersecurity and it's your neck of the woods.
(24:40):
You can just stick your head out the window and you probably
see at least two or three businesses that are probably
going to be impacted by this.
So what have you seen in Colorado and how are
specifically small businesses reacting to the heavy
regulations?
I'll put heavy in quotations because that's subjective.
What are you seeing out there?
Speaker 2 (25:01):
Yeah, I don't know if
Colorado's heavily regulating
cybersecurity, but they were the first state to pass their
Artificial Intelligence Consumer Privacy Act.
It requires organizations, small through large, to do something about the
(25:25):
use of artificial intelligence and the data that they submit to
AI, and so it's basically making organizations liable for
their use of AI, which is hard, right.
It's forcing small businesses to perform security
reviews of the AI that they're leveraging, whether it's a third
(25:50):
party or built internally, and that cost can grow, right,
especially if you're talking an organization that's leveraging
five, six, seven different programs, different
software vendors that leverage AI, and now I'm taking on the
liability of that to make my business more efficient.
(26:12):
And we talk about that disparity between small and
large business.
A large organization has the capabilities and compliance arms
to align with these and do the due diligence, whereas small
businesses haven't had that in the past, and so the cost of
performing said reviews on AI and taking on that liability
(26:34):
might exclude small businesses from being able to leverage
artificial intelligence, creating an unfair competitive
advantage, if you will, for larger organizations to drive
business towards them.
Speaker 1 (26:49):
I was talking to a
friend of mine, Jenna Gardner.
Shout out to Jenna.
We were talking about AI consulting.
She's built a business, or is building a business, with great
success so far in helping companies, especially kind of
legacy companies.
You know, let's say, the 50 to 100 employee companies that a
(27:12):
large number of their employee base may be near retirement or
sort of Gen X, baby boomer age, and their minds are blown
constantly when she's helping them to refine certain processes
and to do better using AI.
One of the concerns that I have, and I've talked to others on my
(27:36):
team about this, is how receptive would companies be to
implementing AI in their environment from a security
perspective?
Because, especially those companies that, like, let's say,
(28:11):
accounting firms that are very sensitive, they're using a lot
of client data and clients may not want their information going
on ChatGPT.
So even though these legacy users are the ones that may
benefit the most, they also have the most risk exposure from a
security perspective.
So what is your opinion about advancing AI without?
(28:35):
Because I don't want a world where every company has to be
super secure before they start using AI.
I think that that would just be detrimental to business.
I think AI is just like the biggest.
It's the biggest boom since the internet, right?
So everybody wants to get on that bandwagon.
But I understand the hesitation to adopt such a technology.
(28:57):
It's scary, number one, because of the Terminator and whatever.
Everybody's afraid that the robots are going to come get us.
But even besides that, you don't want to put your client
data in a database that's easily accessible by others, I mean,
even if they use that little string.
I was talking to Randy at Compliance Aid.
Shout out to Randy.
He was like, well, there's a little number that's behind the
(29:19):
link in a chat that you're using in ChatGPT, and if somebody
were to grab that link and pop it into their browser and they
go to that URL, they'll see your chat.
At least they'll see some of your data.
Right, that's not super secure.
I don't think they're going to be able to, like, that's not very
likely that it will happen.
But the point is there are exposures and there's a lot of
(29:41):
risk when it comes to that.
So do you think that businesses, small businesses, should go
ahead and kind of, now I wouldn't say disregard the
security stuff, but start implementing AI and maybe think
about the security later?
Or is this what Colorado is saying?
No, think about security first and privacy first when it comes
(30:04):
to AI data, and then later on, the businesses can adapt.
Do you see the trade-off there?
Speaker 2 (30:12):
Yeah, I mean it's
undeniable that the benefits of
AI are there.
Right, like not using AI will probably not exist in the future.
Like you're going to have to leverage it at some point in the
near future, right.
So, digging your heels into the ground and against the
use of AI is a problem.
(30:34):
That being said, right, like diving in full bore without any
consideration of the core aspects of your business, just
because you think it's going to save a penny, is also probably
not the best way to go.
So, on a scale from no damage to Terminator, as you brought in,
right, there's an equilibrium in there somewhere to hit, which
(30:56):
is doing so from a thoughtful perspective, asking those
questions.
And if you don't know what questions to ask, I mean, go to
ChatGPT and type in, what do I ask?
No, don't do that.
Should I ask?
Speaker 1 (31:05):
Yeah, ChatGPT will help you
ask it questions, yeah.
Speaker 2 (31:10):
Don't do that.
It's a self-serving prophecy.
Inside of ChatGPT, you know, like reach out to
some professionals, right, like reach out and ask, right, like it
doesn't hurt.
Like what should I be considering when I'm
implementing AI into my organization from a security
perspective?
Right, the data that you give it, it's going to use.
(31:31):
Right, unless you have tight contracts and you own that data
and the models and where you're putting that data.
And so it's an equilibrium.
You got to use AI in order to remain efficient.
Right, you can probably save a couple bucks somewhere along the
(31:52):
line by implementing an AI tool set, right, whether it
saves you man hours or people hours, or whether it saves you
from having to, you know, purchase costly other softwares
to do a single thing.
Right, the benefits are there.
Let's just not forego the thoughtfulness that we owe our
(32:18):
consumers when we're dealing with their data.
Speaker 1 (32:24):
So I'm an AI
consultant.
I knock on your door, you're a law firm or an accounting firm,
and I say, hey, I'm going to help you improve your processes with
AI and we're going to use ChatGPT and we're not going to
use the secure version, but we're just going to use the
regular version.
You're the CIO of that organization.
You say what?
Speaker 2 (32:44):
No, I say no, I say,
right, like, our data needs
to remain our data, and so there are enterprise versions of
ChatGPT where you can own, right, not.
I don't want to be the organization, and most people
shouldn't, most small businesses, medium-sized businesses, even
large businesses shouldn't be the organizations training these
(33:08):
models.
Right, there needs to be data that can train them, and then
independent software vendors building this stuff need to find
that data and leverage it the correct way.
But I don't want our consumer database to be training
models for other organizations.
So I'm a little more fail secure, like I want everything
(33:30):
to be mine in my organization.
I don't want it to be leveraged for everybody else to some
extent.
Right, it's the purpose of, right, the contracts that we
have for data, and a lot of organizations haven't considered
this yet.
But as you're dealing with your consumers' data,
(33:50):
right, in your customer base's data, if you haven't put
contract language in there stating that you're going to
leverage AI, probably start considering that. Yeah, yeah, I
hadn't thought about that.
Speaker 1 (34:03):
I was just kind of
thinking of, like, just
gunslinging, let's do it, let's just do.
If it were up to me, everybody would use AI, but I forgot about
wild west.
Now, yeah, yeah, I'm a cowboy, maybe I like the wild,
wild west, I like the chaos, but you raise a really interesting
point, which is, you know, these are.
There are contracts, there are user level agreements, there are
(34:24):
privacy agreements that companies have with their
clients and their partners, and if you were to use AI just in a
sort of a cowboy shoot 'em up sort of way, you may be voiding
or you may be transgressing against your contracts with your
partners and your customers.
Speaker 2 (34:42):
Right, yeah, it's a
simple terminology, right?
And if organizations don't state that, right, like, I'll be
honest, every meeting I've been on to purchase something for my
firm, they're gung ho, selling AI.
Everybody is, right, like, oh, we've started implementing AI,
AI this, AI that, it's the new buzzword, it's the cloud of 10
(35:04):
years ago.
Right, it's there.
And so, like the second that that term comes up, I
immediately go to my procurement process and I check the box for
AI.
And now I'm sending out an AI questionnaire on how they're
leveraging AI so that I can understand that when I go to
make a decision to purchase something.
Speaker 1 (35:25):
Maybe that's the
lesson here, maybe this is the
light at the end of the tunnel.
I can't believe that I'm saying this, but maybe regulating AI
in such a way that Colorado is doing would have the effect of
raising awareness in such a way that most businesses, okay,
they're now aware of some of the things that we're talking about
here where it may affect your contracts, your customers, your
(35:48):
partners and all that stuff, third-party risk, vendor risk.
So maybe the implication here of the AI regulation in Colorado
is that everybody kind of does better because there's more
trust among businesses, everybody's sort of working
under the understanding that if you're talking about AI, then
(36:11):
there are certain safeguards that are in place that are
enforced, whereas right now, since it's not enforced, you may
have to do a lengthy AI risk assessment, such as the one that
you've described.
Speaker 2 (36:23):
Right and, I think,
right, like you're beholden to
your consumer, right?
They're the ones paying the bills to some extent, and so if
you're going to leverage technology, you should be doing
your due diligence as an organization to understand how
AI is going to be leveraged.
Right?
If I'm uploading all the personal information of my
(36:43):
consumer base to somebody else's AI models, I should know that
I'm doing that and I should put some restrictions around that.
Speaker 1 (36:54):
Now, without getting
too political, I'm not going to
ask your political views and I will not let anybody know mine.
I'll keep that tucked, right.
But I want to talk a little bit about the Trump administration
coming in in 2025 and potentially undoing.
I think he already undid some things by putting a regulatory
(37:15):
freeze pending review.
But the Biden administration, at the end of Biden's term,
signed an executive order to strengthen and promote
innovation in cybersecurity, which it sounds like the Trump
administration either wholly or partly rejects, where they're
kind of like deregulate everything.
(37:35):
That's very conservative, it'svery Republican Trump.
That's one of the few, I think,Republican adages that Trump
has sort of held on to right.
It hasn't really changed.
They're the party ofderegulation, less government.
So do you think that thederegulation of cybersecurity or
information security would leadto more business or better
(38:02):
business, more profits, and ifso, if it leads to more profits
and more prosperity, is thatworth scaling cybersecurity back
?
Speaker 2 (38:14):
I mean, you're talking to a serial cybersecurity leader, right, like I've been in cybersecurity almost my entire life, right, even when I was a little kid, I was still hacking computers. Like, I'll come back to what I said at the beginning, which is regulation, and compliance to regulation, does not equal security, and so
(38:36):
deregulating it doesn't necessarily mean that we're going to drop in cybersecurity posture.
Depending on where we're at, and this is from a federal perspective, not necessarily a state perspective.
That being said, I don't foresee a massive
(38:57):
removal of cybersecurity standards.
Right, because there are still. Right, like it's a bipartisan understanding that cybersecurity is important.
Right, every time I go somewhere and I run into people and I talk to them and they ask what I do, I say, oh, I work in cybersecurity, and never once do I get somebody that says, ah, that's a stupid career.
(39:18):
Right, they always say that's so important.
What you, what you?
Right, protecting data, protecting companies, protecting what's most critical now, right, the most expensive commodity, I guess, at this point, is data.
It's surpassed oil and so, yes, it's important.
And I don't think that anybody, regardless of party, is going to
(39:40):
say we don't need cybersecurity.
I think the freeze that's imposed right now is really to just review what's happening, because every department inside of the federal government pushes down cybersecurity standards on different industries, from the FTC, several financial federal
(40:01):
departments, Ginnie, Fannie, Freddie, HUD, FHA, the SEC, right, they all have regulation and I think like it's confusing, right, you need a degree in, you need a law degree, just to understand all the different aspects of it.
You have to, you know, have no other hobbies outside of
(40:21):
reviewing all these regulations.
So I think there is the potential for more consolidation in regulations, maybe more alignment across different departments, maybe in a better understanding.
One thing that I think is important to note is that the CMMC, which was bipartisan backed, still has favor across the federal government and we're protecting our defense,
(40:44):
essentially, and the data that we're leveraging from a defense, this controlled unclassified information.
Speaker 1 (41:10):
I don't see and I don't foresee cybersecurity being deregulated completely. I think there will probably be more alignment towards consolidated standards and maybe leveraging states to impose cybersecurity standards rather than federal governments.
Michael, thanks for being so gracious with your time.
I appreciate you coming on Cybernomics.
I'll see you next time, okay.
Former CISO at Invensys and Schneider Electric and the founder of the Compliance Therapy Podcast, our friend Igor Volovich.
Igor, how are you doing, buddy?
I'm doing great.
Josh, how are you?
(41:31):
I'm doing great.
I'll give you a list of the costs of regulating cybersecurity and then I'll give you the hidden costs of deregulating cybersecurity, and then we'll just kind of go into any of those things that maybe jump out.
How does that sound?
Hit me. All right.
The hidden costs of regulating cybersecurity.
(41:52):
That's compliance, right, making sure that we adhere to the laws.
What does that do to a business?
You've got compliance costs, right, audits, certifications, technology upgrades and so on.
Administrative overhead, reduced innovation due to diverted resources, competitive disadvantages for small businesses, market fragmentation, fines and penalties and
(42:15):
reputational damage from perceived over-regulation.
So those are the typical costs of regulating cybersecurity.
And here are the hidden costs of deregulating cybersecurity.
With the Trump administration coming in in 2025 and freezing a lot of what the Biden administration had done when
(42:35):
they were going out.
Then there's some talk about deregulating cybersecurity, scaling back regulation in favor of small businesses, or at least that's the idea.
So here are some of the costs associated with doing that, which many people may have not considered: increased risk of breaches, erosion of consumer trust, disparities between large and small
(42:59):
businesses, reactive costs, reputation and brand damage.
So reputation and brand damage kind of comes up in both spheres.
And regulatory whiplash creating inefficiencies, global trade implications due to weak cybersecurity standards.
Are you a big fan of regulating cybersecurity?
(43:23):
Being the compliance doctor that you are, you know you've kind of hung your hat on helping companies explore and wade through the waters of cybersecurity compliance.
But after all of those years that you've spent helping companies get compliant and understand compliance, are you a fan of regulating cybersecurity and privacy or do you think
(43:48):
that we've overstepped and we're overregulated at this point?
Speaker 3 (43:55):
That's a great question, right, and there's a lot there to unpack and so I'm going to put a couple of quick notes there.
So to answer the immediate question, right, do I think cybersecurity is over-regulated or under-regulated?
It really depends on your perspective, right?
If you're a small company trying to break into a regulated industry, like, you know, defense industrial base, it can
(44:18):
seem insurmountable.
You know, with things like CMMC now in effect, folks are freaking out and going, you know, am I going to be out of business?
Is the compliance going to take so much out of my hide that, you know, the juice may not be worth the squeeze anymore?
Right, you know, if you're making some part that goes into some, you know, fighter plane and you know you've got 100 people working for you.
It can seem like, you know, how do I compete against Lockheed
(44:41):
Martin?
You know they've got all these resources. Raytheon, you know, Boeing, Northrop Grumman, et cetera.
You know all the big defense contractors.
But the truth is it doesn't have to be this, you know, huge mountain that you have to climb.
You look at what's applicable to you, you retain competent firms that can help you, and it doesn't have to eat up a ton of your resources, right, if you approach it in a smart way.
(45:02):
Especially if you've seen these things coming down the pike, you know, especially things like, specifically, CMMC.
We've been talking about it for years and years and you know it shouldn't be a surprise to anybody.
Now, if we look at it from a very high level and we say, okay, well, any regulation is bad, any regulation is anti-business, I don't believe that.
I think the word that I prefer to use is really governance, and
(45:26):
I've been called the governance man.
People have made memes with me in a Superman costume with a G on my chest, because I talk about governance a lot and it's not so much a pivot, right.
But I think there's a cognitive coupling that needs to happen in people's minds when I think about compliance.
It shouldn't be considered its own objective.
Right, the objective is not to just check a bunch of boxes and
(45:48):
then file some paper that nobody reads and then come back and do it again next year.
The objective is to really create a sense of control.
Right, and we say compliance controls or security controls.
Right, the overarching control.
How much control are you able to exert over your own environment?
Can you guarantee to a level of certainty that these controls
(46:08):
are in place, that they're effectively performing their desired function, that they're controlling for the risk or mitigating against the risk that you've identified, and that's really the idea, right, kind of at the general level.
So compliance is really, it's a way to do this in a consistent, repeatable manner.
It's really process and it's process efficiency and that's
(46:30):
really what it's about, right. People think of compliance as this, you know, giant exercise that you get into and you do the audits and you do the assessments and you do control frameworks and all that kind of stuff.
And that is the how and the what.
And people tend to focus on that a lot because it's a very complicated field.
But the why of it, like why are we doing it?
It's really to manage risk, right, and it's to exert a level
(46:56):
of control over our environments, and that's really it, right.
So if you think of it that way, compliance can be an actual driver of value.
It can be a driver of revenue even, right, because your competitive position can actually increase if you're proactively compliant.
And I mean again, I'll go back to CMMC as an example. A lot of the DIB members, defense industrial base members, they looked at it and kind of said, eh, you know, who knows, the final rule hasn't happened.
(47:17):
We'll wait till it all shakes out.
It's like no, you could have been doing this stuff the entire time.
You could have been getting ready.
And now, when you're competing for DOD business, if you're compliant and somebody else isn't, and you go up on a bid and the buyer asks you what's your compliance posture and what's your compliance roadmap and what's your compliance
(47:38):
timeline, you know like we'd love to award you this business.
But you know, we got to know when you're going to be compliant.
If you're telling me nine months and somebody says, look, we're compliant already, you would not have the best product.
But you know what?
If you're selling a commodity, then yeah, it's going to go to the compliant entity, right.
So I think people need to kind of have more of a strategic view of what compliance is, and if you do it right, it can actually
(48:00):
be a bit of a superpower. Yeah, especially when it comes to competitive advantage, if you're thinking about stock too.
Speaker 1 (48:06):
You mentioned CMMC, and I'm going to talk about this a little bit more with Michael Nougier later in the episode today, and you know it really does come down to are your competitors out-complying you?
That's a great thing.
Speaker 3 (48:25):
I love that.
Speaker 1 (48:27):
Yeah, I mean, if you were able to turn anything in cybersecurity or privacy or compliance or governance into sort of a revenue driver and sort of make a case from a revenue standpoint, I feel like you become the hero.
The CISO or the privacy officer or the compliance officer becomes more accepted into the fold, right?
Because when the business people hear security, oftentimes
(48:50):
they just see costs, right, they see money.
It's like when my dad at Christmas time, you know, I'm having a good time and I want to go see Santa Claus and I just see Christmas everywhere, but my dad's got a different lens on and so he's looking at all these things that I'm seeing, the toys and the lights and all this crazy stuff.
I'm having the time of my life and my dad just sees dollar
(49:11):
bills.
Like literally at Christmas time, he's looking around and he's just like, I just see all the money that I have to spend.
So if I was a C, if I were a CEO or a CTO or a business owner who may need to comply, but you know what, like, I think I'm small potatoes, I don't think that I'm going to get fined, I don't think that I'm going to get breached.
(49:37):
What do you say to me to convince me that the costs of being compliant are ultimately worth it?
And let's set aside the competitive advantage. We already know that. That's, let's say I don't even buy that.
What are some other things that you would say to me to convince me that, you know what, we should at least have a compliant or a baseline, a
(49:58):
baseline of compliance, in our security program?
Speaker 3 (50:02):
Well, I think you said it yourself just now, compliance as a baseline, right?
So a lot of folks look at compliance as kind of the end all be all.
You know, like, I got to get compliant because that's the cost of doing business.
Right, I have to be, you know, compliant with certain frameworks because that's what my customers are asking, or that's what the regulators in my industry are asking.
Right, you know, if you're going to be a healthcare provider, you're going to have to deal with HIPAA and HITECH
(50:29):
and HITRUST.
Right, if you're, you know, if you're a merchant, you're going to have to deal with FedRAMP and NIST and 800-53, and on and on it goes.
So there are certain things that you just have to do because that's the business that you're in.
You're going to be a defense contractor, you're going to have to deal with CMMC.
But once you get past this, here's the minimal threshold we have to cross.
Here's what we have to meet as our obligations on the contracts
(50:54):
and regulation.
You're building a program that requires you to take hold of your environment, assess its posture on a continuous basis, right, understandably, controls are pretty much on a daily basis now.
Right, be able to detect failures of those controls proactively, remediate those proactively and basically manage
(51:15):
this risk on a continuous basis.
Right, even in the federal environment, we have things like, it's called cATO, right, which is the continuous authority to operate.
Even there we've evolved to this thinking of like, this stuff has to happen on an ongoing, continuous basis, not take these snapshots every six months or a year, because the threats don't wait for the audit, right.
The breach is the ultimate audit, and I think I coined
(51:37):
that term years ago and I've been using it ever since.
The breach is the ultimate audit.
Consider that, understand that.
Speaker 1 (51:41):
Yeah, it's like the ultimate pen test. Exactly, a real-world pen test.
Speaker 3 (51:46):
You don't want to go through that exercise.
So that happens on a continuous basis, 24-7, 365.
You are doing an audit or an assessment once a quarter, once every six months.
Like you get to that continuous posture.
That's not just an aspirational goal, that's a smart way to run.
And when you think about it from a risk perspective, if you can converge on this compliance and security and risk model, if
(52:12):
you can bring these all together and say, look, I'm using pretty much the same telemetry to do my security management that I do with my compliance management, so why are we doing these separately?
Right, so you can talk about convergence.
I've been a big proponent of convergence.
I've created this term Converged, Continuous Compliance and that's something that's been around for a couple of years now.
(52:32):
You know this is my zero trust.
Call it that, right.
It's a philosophy, it's an idea, it's a strategy, it's a vision.
Right, it's a vision for understanding this space from a different perspective.
So it's not just like I got to do compliance, you do, right.
But if I'm going to do it, why don't I do it smart?
Why don't I do it in a way that allows me to actually
(52:52):
cross-pollinate between my security function, my risk function and my compliance function?
And if it sounds a little bit like I'm talking about kind of preaching GRC in a classic sense of what it was supposed to be, in a way, yes, right, but like the pure GRC, not what it became.
You know, a bunch of platforms that are really difficult to manage, that are basically a bunch of spreadsheets with fancy front ends that are very cumbersome and you have to have
(53:14):
certifications and engineers to go implement them and it takes years and years and years.
I'm not talking about that, right.
I'm talking about whatever you have now in hand today, compliance that you're doing today already, and looking at your security program that you already have on hand, that you have to have, right, and seeing where these two things can converge, right.
They can cross-pollinate, you can get those, you know, some economic advantages there.
(53:35):
You can maybe converge.
Just start converging on the thinking first, right, and then go from there.
So you look for those two-fers.
Speaker 1 (53:47):
Don't look at it at every part of GRC or the compliance program or security, even as these disparate, unrelated parts, but when you realize that doing one activity or one task or covering one domain can also cover two or three other things that you're trying to accomplish, that's kind of a way to circumvent those costs.
Speaker 3 (54:03):
In the end, it's the same thing, right?
Look, whether you look at a control from a compliance or from a risk, or from a security perspective, right, that control is there in place.
So the compliance framework is going to guide you and it's going to give you a way to measure your posture, right.
It's a consistency model.
Speaker 1 (54:21):
Yeah, and an efficiency model as well.
You know, looking at this from a certain. Potentially, right.
Speaker 3 (54:27):
If you're not doing these things separately in their own silos, like compliance is over here, full stop, security is over there, full stop, then risk is somewhere else, doing their weird threat models and risk models and talking to business, you know, doing analytics and stuff, and never the three shall meet, right.
That's the way that people mostly run their organizations.
Speaker 1 (54:46):
And.
Speaker 3 (54:46):
I've seen it many, many times and I've been around many organizations, many environments, big and small, right, and the bigger they are, the more that divorce seems to be the effect.
Right, they tend to separate these functions.
They don't think of them as, you know, having this kind of convergence or the synergy between them, and I think that's a critical failure.
And I think compliance has become so complex because it's
(55:10):
also very manual.
Still, despite all the advances, all the, you know, great software we have in place, it still tends to be very much a manual activity.
And so, automating that to the degree possible and enabling automation. Look, if we think about all the automation that we've done on the security side, you know, the SIEMs and, you know, XIMs and all these kinds of things that we have.
Now the compute power has become, finally, it's gotten to
(55:34):
the point where we can converge all this data, we can bring all these data telemetry points together, we can make a correlation happen on the fly and do it smart, and that we've got AI helping us, right.
And look, there is a conversation that we have to be had separately about, you know, where machine learning and AI are.
Separate things, different things, right, and you apply them differently to these use cases, right?
(55:55):
If somebody tells me I'm doing AI for SIEM, I'm probably going to show them the door.
Right, because those are not the kinds of data sets, right?
Machine learning, definitely. AI, no, right. So check your buzzwords at the door, but we've got a lot of capability in hand, right?
Like it's not like we have to go and wait.
(56:15):
You know, it's like I remember, you know, who was it?
The guy who did Terminator, right?
Speaker 1 (56:23):
Arnold Schwarzenegger.
Or the guy who actually created the.
Speaker 3 (56:26):
James Cameron, right.
So, James Cameron, sorry, I had to brainstorm.
Speaker 1 (56:29):
Wait, James Cameron did the Terminator? I did not know that.
Speaker 3 (56:32):
Yeah, he did Terminator and then he did Titanic and he did Avatar.
So he actually, he had the idea for Avatar like 20 years before he ever did it, because he knew the technology did not exist to do all that stuff that he wanted to do, to create those effects and to shoot it the way he wanted to shoot it.
Like he had to invent his own technology and he had to wait for that to mature in order to do that, right.
(56:53):
So he had to sit on this idea.
We're not in that space in compliance and security.
We have all the technology.
We have too much technology, in fact.
Richard Stiennon, whom you know, right, he's now tracking what, 4,200 vendors.
Speaker 1 (57:06):
Yeah.
Speaker 3 (57:06):
That are active in cybersecurity.
We are not in any way deficient in the diversity or the power of the technology at our disposal.
We are pretty deficient, I would posit, on the strategy front, like there is not enough strategy.
There's a lot of product, tons of features, lots of people throwing money at the problem and lots of people asking for your money to help you, quote unquote, with your problem.
(57:31):
That strategic thinking, it's pretty hard to come by, and it's not that I'm sitting here and going, hey, look, I happen to be a strategist, so I'm going to pitch strategy, right.
But the idea is we do really need to think about these things in these global kind of strategic macro terms.
And I'm going to go back to what we talked about before we hit the record button, an idea of cybernomics, right, thinking
(57:53):
about it from an economic perspective and understanding the economic angle of cybersecurity and risk and compliance, and not just focusing on the costs and opportunities.
We're really thinking about how these things interplay, right, and looking for synergy opportunities, looking for ways to converge on some of these things and understand that some of these functions are very similar and very close to one
(58:14):
another and the ability to cross-pollinate between them.
It's just inherent and it needs to be on board.
We need to stop separating and treating, you know, compliance folks like some, you know, old folks with, you know, like accountants. Like we think of compliance as kind of like an accounting function, almost, right, because that's where it
(58:34):
came from, and so we think of it that way, like audit.
You know, we're going to look at it once in a while and that it's very reactive.
It's not proactive, it's not real time, it's sort of, you know, we come back after the fact, oh, a control failed, what are we going to find out?
Well, after it failed. We don't have to live that way.
We can actually shift left in compliance as well.
Right, when you get proactive with compliance, it gets cheaper,
(58:55):
the effects become much more profound and it can have a very positive effect on the business.
And I know it's like it's crazy, it sounds like I'm eating crazy pills here, right, but the reality is, if you do compliance smart, if you invest in it early and if you think of it as a proactive risk management function, not a reactive capture, you know, the thing after it happened,
(59:17):
function, right, you can really change your perspective on what it means, how you pay for it, potentially, in your environment, right, and how it can actually drive revenue.
So think about this, right, the idea of where compliance fits in your sales and procurement cycle.
Just that, if you're a vendor selling to anybody, you've gotten those vendor risk management forms, and it's not
(59:39):
just a matter of filling them out faster, because a lot of people are in that business too, like we'll fill out your forms faster.
It's not the point.
What's in those forms?
Getting insurance, that's another thing.
If your business is not insurable, that's a business breaker, right.
So how do you talk to your insurance carrier?
How do you talk to your insurance broker?
How do you get a policy that actually pays for something?
(01:00:00):
God forbid, bad things happen, and they ultimately will.
Right?
How do you determine what your posture is?
How do you communicate your posture to an outside party that you have to, to a potential client, to a regulatory entity, to an insurance carrier, right?
There's a lot of people you have to talk to about your posture.
If you're doing this in separate ways, every time you talk to a different audience, that's going to be very
(01:00:21):
expensive.
So consider that as a cost, right?
So you look at, there are many opportunities hidden in compliance if you do it right.
Wow.
Speaker 1 (01:00:30):
I wanted to talk about the whole DeepSeek thing, but we're out of time and we're gonna have to cover that on another episode.
But I do want to get your take on DeepSeek and what that's. This has almost nothing to do with cybersecurity, it kind of goes into the privacy area, but incredible insights about the hidden costs of regulating and deregulating cybersecurity.
(01:00:54):
Ultimately, I think you're right.
What we're talking about here is GRC, and, you know, the way it was meant to be. Yeah, yeah, and if I can summarize everything that you've said, it's hey, be efficient with it.
Have these things converge and you can save yourself, to quote Donald Trump, a lot of money.
(01:01:15):
It can be huge, it can be huge, it can be huge.
You can save a lot of money.
You wouldn't believe it, as money like you'd never, never, never believe. Just so much money.
All right, Igor, thank you so much.
I know you got to run and I'm always so happy to talk to you on the show. Thanks for having me on again.
Speaker 2 (01:01:37):
Yeah, and enjoy the rest of your day. You too.
Speaker 1 (01:01:39):
We'll catch you in the next one.
Absolutely. All right.
Bye.
Thank you, Josh.
If you're interested in what Bruning Media does and how we help tech companies achieve thought leadership, check us out at bruningmedia.com.
B-r-u-i-n-i-n-g.com.
Josh out.