Compliance is reported to occupy a lot of time and resources available for cyber security efforts at major organizations. How much of your overall cyber security effort is related to compliance?

>> I think the first thing to recognize is compliance doesn't necessarily mean security. Again, you can check something off, make sure you've looked at a list and made sure that you're compliant, but you may not be secure. But if you think about compliance another way, you realize it's a set of standards universally shared by organizations that may be different than you. And if you embrace them that way, you actually can realize that trying to be compliant, and looking at laws and regulations and guidance that may emerge as ways of coming up with commonality across multiple industries and multiple economic sectors, can be very useful in setting a baseline for safety and security. Sure, we have to do things to administer those things, to prove to an outside entity, whether it be a federal requirement or a state requirement, that you're meeting the spirit of the law. And that's an administrative task, and you do have to put energy into it, but if you embrace it more broadly, about what its purpose is, it's really a good thing.

>> Is there anything you can share from what you've learned about compliance to external requirements, such as laws, regulations, and standards, for others who may be wrestling with similar issues?

>> I think the key when you're looking at compliance is first understanding what the spirit of the compliance regulation or requirement is, and building your controls and procedures in a way that you can map them back to the compliance requirement. If you have a requirement, say, not to break the speed limit, you'd better have a speedometer that you can measure against. Building your controls, your metrics and things like that to map against your external requirements is the key to making sure you're actually doing those things. Frankly, meeting the spirit of safety.

>> So I'm curious, because you hear this a lot, "compliance is not security," and for most people, I think we think that compliance is necessary but not sufficient, that it's a minimal standard. But you've been doing this for a few years. Have you ever encountered a case where you felt like compliance actually led to a lesser amount of security?

>> It's hard to think of a specific example, but a big challenge with compliance is that usually, compliance regulations and rules lag reality. Bad guys are very inventive and are usually racing ahead of you, trying to figure out what's next, how they can beat your control systems. The biggest risk with any kind of compliance effort, though, is if you don't have a risk-based approach, you could end up either over-putting resources into something that you wouldn't normally worry about, or under-investing in something that you should be concerned about. Those are the big challenges: to make sure that your compliance framework is both risk-based and that you're mapping it to your control environment, so you know whether or not you're meeting those minimal standards, and then overlaying that with a threat intelligence function and an active security program to make sure you're staying ahead of the bad guy. Compliance will typically lag reality, and unfortunately, we live in a world of reality.

>> So I think there's a piece in there that's very interesting, that maybe hasn't been elaborated enough, and that is, I think, if we think about compliance as the baseline for such a strategy, we may let compliance drive what we do, and it could lead us to looking at things in a way that's skewed from our reality. Is that what you're saying?

>> You should never look at compliance as being sufficient by itself.

>> Right.

>> It's something that's important and you need to make sure you're doing, but it really is just a component of it. You have to have an active security program populated with professionals looking at external threats, looking at external standards and measures, and frankly, being as inventive as the bad guy. Compliance is important and requires a level of administration. You need to do it. And it is important to participate in any business activity, but you have to have a balanced program that looks at all risk factors and actively moves to meet them.

>> Right. So, I think what I'm trying to process is that what you know for your industry and your environment to be necessary compliance shouldn't be the framework on which you build security, but a better, more holistic understanding of your environment should be the framework, and then compliance gets fed into it.

>> Absolutely, it has to be holistic. Compliance is just a component of it, and you have to look at what your business realities are, the inherent risk in what you're trying to do, what bad guys are doing from a threat intelligence perspective, and knit it all together. Every component, just like the legs on a stool, is vital to having a complete information security program.

>> Wonderful. All right, well, thank you so much.

>> Thank you.