Hi, everyone. This is Ed Amoroso, and I want to talk to you about a topic known as Security Compliance in this video. Now, if you want to stop cyber attacks in your business, there are four things that you need to do. The first is that you're going to need a Baseline Compliance Program, and we'll talk a little bit more about that in a minute. On top of that compliance program, you need a Technology Program: you need to have firewalls and intrusion detection systems and cryptography and so on, and you can sort of think of this as building a higher and higher fence. A compliance fence might be a foot high, or whatever metric you use to measure, and then two feet would be compliance plus technology. On top of technology, there's a layer called Architecture. How are you set up? What is your architecture? Are you using a perimeter? Are you adding cloud? What is your configuration? If you do that well, I'd say maybe that's a third foot in the fence. And then finally, there's an Operational Layer. Do you operate your systems properly? Are you patching? Are you properly attending to situational awareness and real-time security? If you do all those four things, you're probably doing a pretty good job. You can build the security height that, you could argue, is required to prevent cyber attacks.

Now, that brings us back to the first piece of that fence, that base, the first piece called Compliance. The Height Provided by Compliance is not sufficient to stop cyber attacks. It builds a base on which you can create a program that will stop cyber attacks. Now, why is this so important? It's so important because just about every business and government in the world has signed on in some way to compliance.
If you get attacked publicly, and in a lot of different countries, if your business is cyber attacked, there may be a government agency that's going to impose a financial penalty on you, and also an operational penalty, meaning they may give you a new compliance requirement and a framework that they want you to demonstrate that you meet, on the theory that the reason you got attacked is because you weren't attending to compliance properly. Now look, that is possible. It is possible that the base of your four-foot fence is just terrible. You may have a bad compliance program, in which case that is the right way to rectify your situation: fix the compliance. But another possibility is that the compliance program is great. You do everything that needs to be done, the right password length, the right access requests, all the different requirements that exist in a business; you do them and you do them well, and you've had them attested to by a third party. You do assessments, you do audits, you have the paperwork right; it might be perfect. But let's say you have terrible tools that you're using and you just have ineffectual cyber security technology which doesn't work. You're supposed to have a firewall? Check, I've got it. What did I put in? I bought a bad firewall as opposed to a great one. I got attacked. Is the problem compliance? No. The problem is you've got a crappy firewall. So this idea that we can solve problems by just attending to stronger, greater, more fine-tuned compliance is not right. Like I said, it could be the problem, but it isn't necessarily the problem. If we look at the four-layer model, it can be any of them: Compliance, Technology, Architecture, Operation. It could be any of those problems, or all of them. And if you just decide that compliance is the only way we can fix ourselves after a cyber attack, then we've got an issue.
I suspect some of the people who are with us, watching this video, some of you may be decision makers in government, and I would beg you to rethink this idea that when there's an issue, it is always a compliance fix that's most appropriate. That is not true. Doing some investigation, trying to determine what the root cause of a particular problem is, and then deciding, perhaps, that there's a compliance issue, that's a different story. But if the compliance looks good, there ought not to be an additional compliance burden put on a business, because what does that do? It just creates paperwork. It's not going to change things much and, in theory, could be viewed as actually weakening the security of the group that you're actually trying to help. So think that through; let's be a little more mature, more thoughtful about the way we use compliance before, during, and after a cyber attack.

Now, I've got a little quiz here, and the answer is in fact D. I think one of the reasons people do gravitate toward compliance as a response to a cyber attack is for all the reasons just laid out: they're familiar, they're easy, they can be written down. That doesn't mean that it's going to actually change things, but they tend to be easy to deploy. So let's keep all of that in mind, and let's make sure that we understand the difference between compliance and security. I think it will make us better as cyber security technologists and experts. I'll see you in the next video.