The following is a transcript of a podcast recorded by Scott Maurice.
Hi, my name is Scott Maurice. I am managing partner and cofounder of Avail Partners in Seattle. We’re a technology business and consulting practice that specializes in helping clients and business leaders achieve their strategic objectives. We leverage the technologies that are available to us in this new cloud age to do that.
What we’re going to be talking about today is compliance in the cloud world: some of the challenges and some of the opportunities that are presented with the advent of utility computing and the cloud economic model. We’re going to be talking about how compliance is different from security, and we’ll also be talking about how to think about and leverage compliance as a competitive advantage and as a strategic objective, as opposed to a burdensome program that you are subject to.
The cloud presents new challenges with respect to compliance. However, it also presents certain very strategic opportunities. One of the most difficult things to deal with when faced with regulatory compliance is establishing that, one, I am compliant at a point in time, and that’s easily facilitated with an audit, typically, and two, which is more challenging, how do I maintain a state of compliance for an ongoing period, and how am I assured that compliance is in fact in place? In other words, how do I ensure that I’m compliant with the law without having some defined audit period and going back and proving, at certain snapshots, whether that is annually or biannually or semiannually, that I am compliant at that juncture, or have been compliant over an audit period?
In terms of risk mitigation and data protection, you really do want to ensure that you are consistently compliant. In other words, the first time you fail to be compliant with a datum, you know about it, can remediate it quickly, and can prove that you’ve restored your compliance. So the cloud presents challenges in that regard, because some of the traditional quick-and-dirty methods for ensuring compliance of data and data protection are simply to say, “Hey, I secured the entire storage subsystem because it’s all under my control, or the entire server is under my control.” Those paradigms do not translate directly into a computing utility environment or a cloud environment.
That’s the challenge. How do I ensure compliance in something that is not under my direct control? The opportunity, however, is a lot more satisfying. One, you have to realize the fact that it is rare to find enterprises, especially in the mid market, that have the expertise in-house and the wherewithal and resources to continually ensure that data is protected, that permissions are enforced, that policies are enforced. It is a full-time job. It can be very daunting, and it can be very expensive. So I guess the first part of the opportunity is realizing that, even if I do have all of the assets under my direct control, I’m not necessarily in the best position to ensure ongoing or continuing compliance, because I don’t have the expertise or the resources, or it may not be in my financial best interests. That may be a deal killer. Upon that realization, opportunities present themselves with cloud providers and utility computing providers, where there are individuals that are dedicated to just that function.
Along with that, because they are service providers in that regard and not enterprises running this as part of a cost center, there are economies of scale that can be garnered from leveraging that kind of service. They have streamlined and optimized their service particularly for one set of compliance regulations or another. There are specific data protection practices and rules that they can set up and enforce. And they have the capability to hire, retain, and provide training for human capital resources to be dedicated to that work. And so, when you share that burden across multiple organizations, it does represent an economy of scale, especially in the mid market, to be able to facilitate an ongoing, if not complete, information security and protection program. That is a rare opportunity that has only surfaced since we’ve been in this cloud environment.
That’s a little bit about the challenge and the opportunities that are available to us by leveraging some of these third parties that are dedicated specifically to security compliance.
Any organization can take steps to onboard a third party or organization that can help them ensure compliance. Some of those steps involve understanding what compliance regulations they are subject to. Many organizations are not immediately aware of the fact that they have a compliance issue, or may have miscategorized the compliance that they fall under. Step one is understanding what rules, what compliance, you’re striving for. Two, which is equally important, is understanding the value of such compliance. Often, regulated industries are highly competitive. Because it is so daunting to effectively manage a compliance program, being able to onboard one quickly and effectively can be a strategic advantage. So, to what extent are you advantaged by having an information security compliance program instituted very quickly and with complete professionalism? Understanding that is the second step.
The third step is going through a market intelligence process and an evaluation process to determine which of the many third parties that are out there can help you accomplish your mission most directly. Often, there are several good candidates, and the differentiation between those parties, with respect to any given organization, is really more about the cultural fit and how you work together. Compliance is largely a human-capital-driven exercise, so you do have to work well with that third party. That has everything to do with, one, your corporate objective, and two, your corporate culture. That third step, in terms of really evaluating the different providers and the different options there, can be daunting, but it does go back to having a singular focus on your objective, your mission, what provides a strategic advantage in your industry, and how it helps you drive your corporate objective, whether that’s revenue attainment or improving patient outcomes or public policy, etc. So those are three solid steps.
The third one can be fairly daunting because there are a lot of providers out there, but there’s also a lot of information to help you make that evaluation quickly and succinctly. And as a final step, I think that oftentimes we are just human beings. We are reluctant to relinquish control of things that we are accustomed to controlling. So for any organization that is not either born in the cloud or willing to undertake a transformation, if you have an environment that’s been around for some period of time and has been working, and you haven’t had an exposure yet, it can be daunting to let some of those things go. But that fourth step is really evaluating those things that can be done better, faster, cheaper, or more completely by a third-party organization, as opposed to retaining them in house.
And with my clients, what we’ve experienced is that often, the tradeoff for relinquishing that control is the immediacy of accomplishing a goal. Many compliance regulations have an audit period that looks back. That lookback period can be six months to a year, maybe longer, and often there are multiple domains for which that period is enforced. Accomplishing that lookback period and audit for multiple domains can lead to higher levels of attestation, where it can be attested that you are more completely secure or compliant with a set of regulations the further back you look and the more domains you can incorporate. For an organization just starting out, they may not have been prepared for an audit period that goes back six months. They may not have been ready six months ago, or a year ago. Often, third-party organizations have environments that are prebuilt, in which they host or manage a client’s workloads, especially with the utility computing advantages available in the cloud environment.
And they can provide that lookback period, even though you may not have been a client at that time. By immediately moving your workloads, moving your data, moving that information, to a compliance-ready environment, they can immediately provide a lookback period for all of the domains that are compulsory for your compliance regulations. There’s definitely a distinct advantage to leveraging that very quickly and saying, “I don’t have to wait another six months or a year before I can make the attestation of compliance a competitive advantage for me. Because I’ve moved my workloads and migrated into a compliance-ready environment that already has the attestation, I can begin to use it very, very quickly.” So the advantage can be realized sooner rather than later.
The future of third-party organizations, and their evolution as they continue to adapt to serve clients as compliance changes and as the business landscape changes, is multiplicative. They necessarily have to differentiate themselves within either a vertical or industry, or with respect to a specific compliance regime or an aspect of that compliance. Oftentimes, there are things that are very daunting that a third-party organization has the resources to tackle with great aplomb, and also for the huge benefit of their clients. The evolution of these things is better accomplished by these third-party organizations because of the resources that they can bring to bear, but in no small part due to the research and development of new technology.
So, a lot of the buzzwords we hear bandied about, like “artificial intelligence” or “blockchain” when it comes to encryption and security, these are things that require a lot of time, a significant amount of expertise, and they do require financial resources in order to bring them to bear. These third parties are often in a much better position to be able to do that very quickly, and to vet those things across a broad spectrum of clients, than any given enterprise, especially in the mid market. So I think what we’ll see is early adoption by a lot of these third-party organizations that are providing that compliance and providing that data protection. We’ll see that early adoption from them, and it will be more stable as they roll it out. They’ll incorporate those technologies into packaged solutions for data protection in a specific use case.
For example, in the medical field, if you’re under HIPAA regulations but would like to provide instant messaging between medical professionals and have sensitive data passed through that messaging platform, that can be a huge issue. It’s such a huge issue that most enterprises in the healthcare space don’t provide instant messaging. But that is something where a product with a specific utility can deliver a benefit very quickly: a doctor or nurse can exchange sensitive data over a secure messaging platform and ensure that that data is not being compromised. Technologies like artificial intelligence that apply fuzzy logic to know when to take out sensitive pieces of information and when to leave them in; things like blockchain, to be able to validate that data was not compromised while in transit; encryption technologies, to ensure that the data, at rest and in flight, was secured and not compromised: these are technologies that are difficult for an enterprise to research and develop together. When you apply them to a broad spectrum of clients and have that offered as a singular product, it becomes far more feasible.
So I think that’s what we’ll see. They’ll evolve to incorporate those new technologies everyone is talking about more rapidly than the enterprises will be able to. And they’ll do it more completely, so they’ll be able to offer a utility that is functional for the end user, as opposed to a set of technologies that then have to be rolled into a larger infrastructure or application architecture.
The last thing that I would like to say, just to round things out, is that compliance and security are often conflated. That can be a huge distraction. Keeping something secure inherently means limiting access to it. Compliance is not about limiting access; it’s about ensuring that access to information is well regulated. I would be careful, for any mid-market organization or any organization at all, not to conflate security and compliance. Often, we use security measures to ensure compliance, and to ensure that data is protected as it is being shared and that it’s being shared appropriately. We can validate that there is good behavior and catch bad behavior and remediate it quickly. Certainly, a lot of security tools are leveraged for that, but simply leveraging security, or implementing security practices or security toolsets, without a specific goal, the framework of the compliance regulations, can be a fruitless endeavor, can be incredibly expensive, and ultimately, if there is no specific goal, can lead to a lack of differentiation and competitive advantage.
I would just caution anyone who is faced with a compliance situation not to conflate compliance with security; they’re not the same thing. Pursue a compliance program as a strategic initiative, a differentiator in your industry or market, and a competitive advantage against competitors. There’s certainly not a faster way, in my experience, to do that than to leverage the cloud environment and a team of experts that are available on demand from a third party, and to provide attestation sooner rather than later.