The Trump administration’s deregulation effort is creating underlying risks for the cybersecurity space. With compliance rules getting blurry across states, how can you protect your data from hackers and keep it private? John Riley and Valerie Cobb discuss how businesses can deal with data breaches, information processing, and confidential data management as deregulation is being rolled out. They also emphasize why compliance should be seen not just as a goal to be accomplished but as a never-ending journey of keeping up with the rapid pace of technology.
How Deregulation Raises Cybersecurity Concerns
We’re here on another episode of Navigating Cyber Risk. We have John Riley, President, who is the other counterpart, usually introducing Navigating Cyber Risk. Thank you, John Riley.
It’s my pleasure to be here. Maybe I should do an introduction here since it’s my normal show, but I wanted to see how you did at this time, so great. Thanks.
We can get into this, and we can even do the Jeopardy theme song. I think you and I chose the topic. It’s pretty paramount, it’s pretty risky, but you know what? We’re into risk, aren’t we? We’re into managing cyber risk. Mel sent this article to us on Yahoo Finance. The article was, “Don’t let deregulation fool you: Just because a compliance requirement disappears, it doesn’t mean the underlying risk does.”
What it comes down to is that the current administration is doing a ten-for-one sale of regulations, as we would say. If you want to do a new regulation, you’ve got to get rid of ten of the old ones. There’s nothing new to that. There are still laws in Arizona, for instance, about how to tie up your horse to the outside of the bar. There are all kinds of old regulations that are still in the books, and nobody goes back.
It’s the idea that nobody ever goes back to clean up those items. I can say in IT that that’s also one of the things that gets you in trouble. Everybody thinks, “I got that project done, and I’ll go back and fix it and harden it later.” Later never comes, except when the hackers come. There’s that underlying risk thing that we were talking about. Just tying it back together there.
What it comes down to is the deregulation. Does that mean that hackers are going to stop trying because now they’re not regulated? No, what it means is that they’re going to come out in droves even more. I think the other thing that means is that we’re trying to get rid of some of the federal regulations. What does that do for us as a business? It means that there are now going to be 50 different versions of those regulations from each state. Depending on how many states you do business in, you’ll have to pay attention to all of those. It’s going to get ugly.
Let’s try to dumb it down to Valerie World on this stuff. When I say dumb it down to Valerie World, we need to bring it down technically a notch for myself. Here is how I heard what you were saying. First of all, when we’re talking about deregulation, every country has its own set of regulations. Now, we’re talking about a United States regime change that everybody’s up in arms over. It happens every four years, and we all go blah, blah, blah. We do that. Whether we like it or not, okay. However, when we’re switching to that and we say 50, we’re talking primarily the United States. Let’s expand it. France, England, they all have their own sets of regulations. In discussing this now within the United States, there was already what? How many pending laws?
There are already 50 different breach notification laws across the states. There are about 36 different laws regarding information processing and privacy. Not all states have passed something there. Ultimately, 86 different laws and counting. California has two specifically for privacy. That’s not going to stop. As those roll in, it gets more complicated.
Let’s take the state of California alone. I originally am from California. Anybody who knows California, we used to affectionately call San Francisco the state of San Francisco, because it had its own laws. There are about 3,000 laws on the books. I think it is what someone told me last. Now, we’ve got each state that has some privacy hacking. What does that mean to a business owner? We’re not talking about the IT guy specifically. When we’re talking risk, risk is now far-reaching. It affects any of the C-suite. It affects the board. It affects everybody. Here you have an organization. Are they only selling in one state, typically nowadays?
It gets worse because if they look at California, there’s a sales tax. There’s the state sales tax. There’s the county sales tax. There’s the incorporated city tax. Depending on where you’re at in each one of those, it could be a different tax. I think there are something like 200 or 300 different taxes just in California. I’ve seen the CDTFA’s long list. God forbid if you get it wrong, they will tell you that you were wrong, and they will come to collect.
It becomes a complication of where am I selling? If you multiply that out to different states, because I’m in Florida and we’ve got a similar thing, each state, county, and city can do their own thing on top of the state-based tax. It becomes extremely complicated from the sales tax standpoint. There are companies out there, Avalara, that specifically just do sales tax for you. Of course, there’s a cost to it, but it helps you stay in compliance, which keeps the people from knocking on the door. If things continue the way that they’re going, there’s going to need to be that same guide, the Sherpa, for compliance around that to help keep you out of the hot water of the different cities, states, counties, and nations.
I think that’s the perfect example, because if I’m a business owner, that resonates with me. Let’s say that I am maybe a business owner of one, which I am, and then I’m a business owner of several. At the end of the story, we have business owners. They could be 10 employees, they could be 100 employees, or they could be 10,000 employees. Here’s the thing. It still applies, and it’s still chaos.
You didn’t even mention Massachusetts. I was in tax and accounting. You didn’t even mention Massachusetts and all its townships. The tax law was the craziest thing on the planet across the states. We’ve got this weird dynamic of you have to pay to make sure that you’re okay, just in taxes. Why would it be any different in privacy?
Privacy or data. There needs to be management in all of those things. There needs to be an understanding. Especially, it’s still fairly new. We’ve all had the internet for years. In the grand scheme of things, that’s still fairly new.
Maybe it was a little longer, but we just didn’t know about it.
DARPA was around before that and everything. When it became commercially viable, I guess it was only around 25 or 30 years ago. I remember some of the original web browsers. Anyways, that data and the data creation are so new, especially when it comes to photos, the number of photos that are being created, and different types of data. It’s overwhelming. There’s honestly no way for the regulations themselves to keep up. How long did it take us to get seatbelts in place for vehicles?
I’m still mad about that one. Why do we have to have a lot? Aren’t we just common sense? Wear something to save yourself. I don’t know.
I’m in the great state of Florida, where you don’t have to wear a helmet if you’ve paid for your motorcycle. Anyways, data is still new in the grand scheme of things, and it’s moving faster than the regulations can keep up, the politicians, and everything else. If we look at the politicians at the federal level, some of them are not even used to having a computer or a phone. Let’s just put it that way. To have them try to regulate some of the new things and the applications that go into them is a change. The iPhone’s only been out for 16, 17, 18 years or something like that. They were the first ones to have smartphones. That is a very short period of time. That’s from a privacy standpoint.
The amount of data, privacy, and things that we trust in these devices and everything is overwhelming now. People are still learning it, and businesses are still trying to understand it, the SaaS providers, and everything else. The reason that SOC 2 is permeating throughout the SaaS environment is that there had to be some standard to say, “I’m going to provide you something, but at the same time, I’m going to be this secure.” There had to be a baseline.
If you’re buying a SaaS product and it’s not SOC 2 certified or has had a full audit, not just parts of the audit, but to do it, you’re taking that risk. You personally are taking that risk. Now, you’re also putting your company’s data at risk by maybe utilizing AI or uploading your patient data to AI to see what trends are in it. Those are all things that nobody has done a whole lot of, but we’re learning as we go. How do you build compliance around that and the risk? All of those are risks, and the risks change daily. It’s going to take more than just compliance laws or anything else.
It takes people to think about what this data is. What am I doing with this? How do I protect this? Would I want my data to go here? Ultimately, what it comes down to is trust. Who can you trust and who can’t you? As you said, administrations come and go, laws come and go, executive orders come and go, whatever. How much trust do you put into each one of those? There are some people who believe that the best governments are the ones that govern the least.
I think what happens is we get into this mode of skirting the real issue. I like how you’ve gone through and explained the real issues. If we want to put a Band-Aid on and say it’s a government problem, good. The challenge in the United States is that we are hopefully conscientious capitalists. At the end of the day, we have trade and commerce. Because we have trade and commerce across lines, it is chaotic to keep people’s data private, intellectual property private, and whatever is classified as that. With the emerging state laws, as well as some of the additional laws that have already been there, many do not realize that they are already at risk. I can’t think of any that aren’t interconnected.
A lot of them aren’t interconnected when it comes to privacy laws. The New York law stands on its own versus the CPRA, California law, which stands on its own. They’re all dealing with data, but they all deal with it differently. There are different requirements for each one, and then there are different penalties for not following those. If you’re just doing business, you’ve got your laundromat in one place, you’re collecting coins, and you know what those are, great. If you’re doing business on the internet and you’re trying to win customers somewhere else outside of your own district, as soon as you make that leap outside of your city, that’s the point. That’s when you’ve got to start taking a look at all these complications.
When I said interconnected, now you’re the laundromat that takes credit cards.
You’ve got some regulations there, too.
There are not so many. I meant connected across state lines, that there are not many that are not connected anymore to either some type of processing internet, whatever, however it goes across. As you’ve noticed, even the laundromats now take credit cards instead of coins and debit cards instead of coins. There aren’t many in the United States that aren’t somehow online some way, somewhere, somewhat, but that’s a very true statement. I loved what you said about New York and having its laws, and no, they’re not connected. There’s some standardization between California, and something might satisfy the same law, but you have to know that to understand that.
It’s 50 different solutions to the same problem.
That’s what we’re going to call this episode: 50 Different Solutions to Solve This Problem, except for the problem with SEO. There’ll probably be more. Don’t let deregulation fool you. What would you do to fix it? What are we doing to fix this problem, John?
This is the reason that we have the whole purpose of our governments, of the state and federal governments. The 50 states are an experiment and can be a way of trying out these different laws. When you find one that works and does well, then generally that law should become a federal government or a federal regulation that we all accept and we can understand, because then it takes away some of the complexity. Are we going to get there anytime soon? Probably not because we keep making changes on the technology side and running at the speed of technology.
At some point, some of the older items, maybe we could put to bed as far as the differences between them, and some of the penalties for not doing these things. All of those things that are complicated should roll up into the federal government. Is it going to happen under this administration? No, it’s not. We’re going to have a lot of confusion in the next few years, however long, until it does boil up and become something that the federal government wants to try and tackle again. They’ve tried to tackle it a couple of different times, but it hasn’t been a big enough issue yet to make it through. I think that complication is still going to be there for quite a while.
You’re going to need that Sherpa for a while, or dedicate a bunch of internal resources that understand it and can tackle that for you. Again, it is a bear. Sales taxes and everything else on top of it. The question is, do you do your own sales tax right now for the entire US, or do you outsource it? I think that’s probably one of the big questions that you ask as a business owner. I think it’s going to be very similar to the same thing from a cybersecurity compliance standpoint. It’s much better to trust an expert who has to do it once for hundreds of thousands of customers, versus trying to keep track of it yourself for all of the different districts.
I like how you said this administration, probably not, because we’re moving at the speed of technology. There’s another title for this episode, Moving at the Speed of Technology, but there is reaching out to consultants to help you with those state laws. They are a moving target. I’m going to warn this audience. It’s a moving target as well. It’s moving at the speed of technology. That’s the problem. People feel like compliance is a destination, and it’s not.
It is a continuous thing. The Cybersecurity Maturity Model Certification. The reason for its maturity is that it is continuously changing. The iPhone is still in its teenage years. Having the idea that it’s a teenager and still needs maturity is probably a pretty decent way of looking at it. The data, the data collection, all of those things, we still need to mature as a country, as a people, as a business. It is not one and done.
I don’t think that it ever will be one and done. Even in maturity, even when somebody claims they’re an expert, it’s the same thing. You’re not really an expert if you claim it. I’m claiming I’m an expert. I’m just kidding. At the end of the day, I like how you use that analogy because a lot of business owners think that they can hire a consultant.
Yes, they can set it up, but the changing dynamics, the continual changing and updating, AI is a perfect example, means that you’re needing to prepare as an organization for the chaos that it is. You want to put your finger on it, get ready for the legal and regulatory impacts of when those things happen. It’s a constant battle. It’s not stopping. It’s constantly happening. Consulting will help you get through that extremely fast, but you’re going to have to maintain it.
The other side of that is that all businesses are either growing. Nobody today is staying in the same business for 30 years. You’ve got a constant change of employees, outlooks, views, and ways of doing things. There’s got to be training. There’s got to be a number of things, and hopefully, your business is growing. As it grows, each person you add to your organization increases your risk because any one of them could make that mistake.
If they can, and this has been a fabulous episode, like it, love us, put us down in the like, love, don’t love, kick Valerie off the show next time moment.
I’m going to say 50,000 likes, and I’ll shave. I’m just kidding.
I have never known John without a beard, but I have seen a shorter beard. Maybe it should be 50,000 likes, and you’ll wear your Christmas beard things for a year, your ornaments.
I know I’d have to change that up a little bit, but all right, we’ll figure something out. 50,000 likes, then we’ll figure out something cool to do. How’s that?
That is very cool. All right. Until next time. We’ll talk soon.
Good chatting with you.
Important Links
- John Riley on LinkedIn
- Valerie Cobb on LinkedIn
- Don’t let deregulation fool you: Just because a compliance requirement disappears, it doesn’t mean the underlying risk does
- CDTFA
- Avalara
About Valerie Cobb
Revealing why people buy to drive revenue. Valerie Cobb is an award-winning leader with over 25 years’ experience, and is passionate about growing revenue.
She has mastered getting to the root of the buying-and-selling dysfunction that is often common in organizations on the path to consistently producing high-performing sales. As Chief Revenue Officer of Omnistruct, she is instrumental in aligning sales, marketing, and the client experience.