Self-attestation may be convenient and a huge time-saver, but it may have some loopholes that could put your data in jeopardy if not executed properly. John Riley talks all about it with Valerie Cobb, Chief Revenue Officer of Omnistruct. Together, they discuss the legal actions one has to face after falsely self-attesting compliance and audit. They also explore the growing challenges of distinguishing reality from AI-generated content, the pitfalls of the “trust me” model, and the increasing shared responsibility for data protection.
The Dangers Of Self-Attestation With Valerie Cobb
We’re back, John and his beard and I. I don’t know what I am, a sidekick every once in a while?
Does the beard precede me? That’s very scary.
We don’t want to make it so that you can never shave your beard, but yes, we’re back.
I’m sorry. Marketing has already told me that they can’t do that. I’m well aware already.
It is a great person, but we’re here to talk about some serious, happy, and fun stuff all at the same time.

I’m going to start that with a story. He said, “Working for the government, you have to have a beard to be taken seriously.” Now, he’s in the process of transferring to commercial, and he goes, “With the beard, I’m not taking this seriously.” He had to shave. Maybe it’s time for me to shave. Anyways, let’s move on.
I don’t know. You are the president of a company. Are you going to start working for the government?
If we’re here to talk about CMMCs.
We’re here to talk about CMMC and all sorts of juicy stuff.
Fair enough.
I think you look quite distinguished.
Thank you.
A Case Study On False Self-Attestation
You already mentioned CMMC, so let’s go ahead. Let’s start with CMMC. I was reading a little story on LinkedIn and I’ll probably get it screwed up but I’m going to tell it anyways. You guys can go check your facts. I am not an attorney. I play one on TV, and then we’re going to ask John because he was at CQuest, and we’ll get into this.
There was an organization, and I won’t say what industry, because with the DIB, it can be supported from many industries, and this is a $30 million company that declined getting help to get ready for an audit, self-attested. Trust me, self-attested, that always works. They said they would never get audited because they were too small. $30 million is too small. What do you think happened, John?
They got audited because that’s what’s going to happen.
What do you think is now going on with that organization, because you’re the smartest guy in the room, so let’s go there.
Since they self-attested, there are a lot of things that could happen. One is that they could be brought up for fraud, depending on how serious the connection is. Let’s be real, the whole reason for CMMC is that people were self-attesting before. “We’re doing everything great. My SPRS score is this, and I’ve self-attested.” They were giving data away. The whole reason for the audits of the CMMC is that self-attestation isn’t working.
The US government has to be the first one to do that. However, commercial businesses are doing it with questionnaires and third-party auditing, and anytime somebody shares their data, it’s becoming much more common. They require some sort of compliance requirements. If you’re sharing data, you’ve got to ask, “What are you doing with the data? How are you protecting it? Should I share my data with you?” That’s becoming more common.
Self-attestation or even technical attestation isn’t going to cut it anymore. It’s going to have to be somebody who is specifically doing audits and somebody who is focused and understands what an audit is, that’s been trained to do audits. I will say audits are emotionless. It’s a past failure. It’s doing the right things, and can you prove it? It’s not just, can you prove it for now? Can you prove it forever? It’s a consistent thing. Those are the things that people run up against and where they run into issues. That’s all fun and games until somebody loses data.
There’s one thing that I think about, too. As you were saying, you got to ask. I find that people got to want them and they don’t. This organization did. There is going to be legal action. I’m not going to get into the ins and outs of it, but I get it. It’s hard sometimes to know exactly, especially when you feel like you’re a small business, which $30 million is still classified as a small business. Sometimes, it’s hard to know how to sift through.
You and I have been in business long enough. Not every resource produces the same and equal amount that we want. I get that some don’t want to have to worry about this thing, but on the same token, this was a revenue opportunity. You’re selling into the DIB, and contracts now went from what to what with this organization.
I’m not sure what you’re asking on that one.
You got a contract with the Department of Defense. Where to go?
Now that the contracts are probably put on hold, they’re going to somebody else. If they can’t prove this, then that revenue is gone. Now the question is, how much of that one contract was that required? Again, self-attestation. We’ve had self-attestation out there for a long time now. The reason for CMMC is that in 2014, the F-22 or F-35 cockpit information got leaked. That’s what caused this issue, and no more self-attestation unless you’re dealing with very limited information. It’s coming. This has been coming since 2014.
The Dangers Of Self-Attestation
That’s a challenge. The cry wolf scenario. People don’t believe it, but now it’s happening, and now you have the catching of your tail for that thing. Let’s get into self-attestation. Let’s get into trusting me. From Valerie’s world, I love to use State Farm’s ad from 2012, the French model. Have I done that one? Have I talked about it?
I don’t think so. Tell me about it.
It’s the onslaught of the digital deluge, like when we went from 2008. We had that shift with the economic downturn, and people started to buy differently because of the iPhone. You started to see how they started to search online more. You fast forward a few years, and you have the rise of Google and all of these things, and State Farm does this brilliant ad, and it’s like 90 seconds. I use it all the time because it elaborates the point so well for self-attestation.
There’s this woman there talking to a State Farm agent, and the State Farm agent says, “I’ve got a date with a French model.” He says, “How do you know?” She said, “It’s because Google told me so.” We all know fast forward search engines and all these databases. It must be true, and then, this actor. I don’t want to characterize people, whether he is homely or not, but he was supposed to be homely. He walks up and he puts his arm around her and says, “Bonjour.” At the end of the day, we’re moving forward into AI and have been moving into AI. AI has been around forever, so that part is not it, but the reason for the escalation of it now. Talk about stuff about attestation against what we were saying.

I’m a French model in that case. Anyways, self-attestation. I’m knitting out to you. That’s your own self-attestation. Those are working out, I suppose. What we’ve come to is that the trust me model, that I’m doing all the right things. I am 6’5”, in finance, and six figures or whatever. Those are the trust me factors. There are all these things that we just say, “Trust me.” With AI, and even before the days of AI, but now with AI, it’s even worse.
I can’t tell you how many articles I read. I was watching a video about how Disney is moving Disneyland from Anaheim to Las Vegas. I was like, “I don’t believe it.” I went and searched for it. I found the same article from the same video, but then other things were like Anaheim’s expanding, this, and that. I’m like, “Why? I’m not sure what people are doing with sending out false information, but making it believable and everything else.”
You have to take the rose-colored glasses off and do your own research. Find out what’s going on because you can’t read anything anymore. You can’t watch anything and go with it. I would say we have to be in a life of critical thinking, more so now. That self-attestation is the same thing. As a business owner, you can say, “Trust me. I’ve got all these things in place,” but nobody is going to believe you anymore.
If I have to fact-check a 30-second video, I’m going to be fact-checking the fact that you’re doing cybersecurity and that you’re protecting data that’s critical to their defense industrial base, or even the PII data or any other type of data that we find important, like HIPAA data. I don’t want my HIPAA data out there. I don’t want my Social Security numbers out there, and all these things. Now, some of it already is. My information has been hacked.
I was going to say pre-Amazon. They can probably clone me. I’m not sure. I saw these great deep fakes. I shared it on LinkedIn because it showed how you can chat with this AI video production, and it will create actual humans, and it does look like humans. They’re saying, “Will you prompt something else instead of me dying in this scene and everything?” It’s all these sensational scenes, and it was incredible. I don’t think that this is so far from our realm of thinking.
Star Trek had holograms and all sorts of things that worked exactly in that realm of thinking and fantasy, and all those things. Now, we’re pitted head-on with some of this stuff. I swear it’s not like Alcoholics Anonymous. It’s going to be AI anonymous because kids are growing up and don’t have any idea of what’s real and what’s not real anymore, because all technology is so good and so bad at exactly the same time. Explain how you can work on some of that, John.
It’s still bad enough now that you can still tell the difference. My concern is that in 2, 3, or 5 years from now, as fast as things are moving, it very well could just be a year. The interviewers or all of the things that are video-wise happening, like being able to have your avatar be your person. There are some interesting things afoot that there may need to be that Federal Regulation that comes in that says, “Maybe it’s a little AI in the corner or something that every AI company has to produce.” Who knows?
Who knows what that’s going to look like? That’s for somebody who has a much higher pay grade than I. It is going to take a lot of critical thinking, so it’s going to take a lot of people understanding that what they see may not be true. There have always been strange videos that popped out. Back in the very beginning, the days of the internet, the dancing baby. I’m sure everybody has seen that.
That was disturbing to me.
That was the first viral video that circulated on the internet. If you think about what they did with that back then, it’s still pretty amazing that they were able to make that technology back then, and where we’re at now. As I said, video avatars and full-on interviews. Scam interviews, maybe. Who knows?
How To Handle Compliance The Right Way
How do you prove it? That brings me to the compliance portion of this. Compliance is never one and done. You’re seeing yourself attesting, but there is going to be some time where you’re going to have to say, “Here’s the proof of what I was doing.” The court of law doesn’t love it when you try to self-attest to your own proof. Even if it wasn’t a court of law, other organizations are going to require it because they put themselves, reputationally, at risk. That’s why all the questionnaires. Are you going to see more questionnaires? Of course, you’re going to see more questionnaires.
It’s the data at risk. What does that look like? The more data that’s at risk, the more questionnaires you’re going to see. If you look at today’s society, two things I’ll say. It’s a data-driven society still, since the internet has been here. We’ve been saying that for years. I’ll say the new part of it, though, is that it’s now also a trust-driven society. If you can’t build that trust, it always has been. You can go back to How to Win Friends and Influence People, one of the original books of relationships, which was all about building trust. That’s going to be the way that it is. We’re humans. Even though the technology changes and everything else, we’re still human. Those principles don’t change.
Sometimes, it makes it a little harder. You’re part of a ProVisors group. How are they dealing with some of this?
ProVisors is an interesting organization. They are mostly lawyers. It’s all about know, like, trust, and refer.
That’s why I brought it up. Know, like, and trust.
That is their motto. The other piece of that. As I said, it’s mostly lawyers. Lawyers are very good about staying in their lane. If you ask a divorce attorney to do your patent, he’s probably going to tell you no, or here’s somebody else, because they’re very specialized in what they do. We’re finding that more and more with technology and with compliance. You have to have a compliance specialty. You can’t just have the guy who’s good at routers be your compliance anymore. Only because he’s great at getting a packet from point A to point B, or stopping a packet from getting from point C to point D, doesn’t mean that he’s great with compliance, and that’s part of it.
We say, “Hire brother Bob and train him up. Ten years from now, he might be there.”
I come from an MSP background. I look back and see my own errors in this, so I’m speaking this from my own experience. You’ve been successful in business, and so you think you’re smart. I’ve built a business, and I’ve got 10, 15, or 20 employees, and you’re telling me that I need to have somebody else do this stuff for me? No, I don’t.
I’ve been able to figure it all out to this point. Even though I’m buying software and these other services and everything else, I can figure out compliance and make it work within my own organization because I’m smart. Yes, you may be, but then you’re auditing yourself. There’s no way that you can just go, “I’m going to have ethics. I’m going to hire somebody that has ethics to be able to audit themselves and not have that question of, ‘We screwed up on that? I’ve got to tell the client. How do I fix it?’” It doesn’t work.
When you said they might be smart, I don’t know. Smart has nothing to do with wisdom.
They’re extremely smart. The people that I’ve run into who own MSPs are extremely smart. They’ve learned that technology, the business, and a number of things. They’ve survived, and that’s why I say they start to get a little full of themselves because they haven’t failed. They’ve been able to pull it through on everything else. When it comes to compliance, they’re a little bit fearless when it comes to that.
Navigating The Complexities Of AI
That’s why I wanted to bring that subject up of AI, because at the end of the day, do you want to take a drug that hasn’t been tested? We just came through COVID, and there were ups and downs on that one. Everybody was so desperate for something, but you don’t with a drug that has not been tested for many years. It’s that square little thing, whether it’s machine learning or if it’s able to learn and grow on its own. You can train it to be the evil overlord. It can be Voldemort if you want it to be.
When we’re talking about compliance and merging, that’s maybe with the AI policy discussion. Your AI feeds into so many things that are going into any of the other frameworks that are happening. That’s one part of protecting the data. Especially without app developers and everything else, you don’t know the outcome of the drug.
You talked about that a little bit earlier, because what we talked about was that students are now using AI to do their homework and do these things.
That’s another discussion. Where are you the first headed with all of this? Keep going.
When I was a child and I had my Mac back in the day. My dad restricted how much time I could spend on that computer, as it was harming my brain or whatever.
I could see that.
It did. Don’t get me wrong but also, but I also became very good at doing those things. The more time that I spent on it, the more learning that I learned and the more I understood computers. There were lots of good things that came out of that, but from his perspective and from his generational side of things, it was a waste of time. There were a lot of things. He bought the computer and did a lot of things to help foster that.
What I’m saying is that I’ve lived most of my adult life with computers. What’s going to happen is we’re going to have these people who come out with AI, and mostly, they’re going to start to live most of their adult life with AI. When my dad told me not to use the computer, I was still using the computer for whatever reason. What’s going to happen, though, is when children turn into adults and they’re told not to use AI, they’re going to be like, “That old fart over there told me not to do it. I’m going to do it anyway because that’s how I get stuff done.”
The problem that’s going to come is what data they are feeding into that. Is it classified data or HIPAA data? Is it something that we old people understand that shouldn’t be shared, but we’re just old, so they think, “We can do it anyway?” That’s where it’s going to get interesting. It’s being able to try and control that with either policy and explain, so there’s that critical thinking that goes along with it for them to understand that there are reasons, because I never thought that there was a reason for me not to be on the computer. That’s going to be the next challenge. It’s understanding that for the next generation.
I was on a call with somebody who said, and I hear this all the time, “It’s in the cloud.” My organization doesn’t need to verify or do anything. We say trust but verify scenario. We don’t have to do anything. We don’t have to follow any programs because it’s under Microsoft. How many things hook into that? Think about all the agents that hook into that and the shadow technology.
It’s even more than that. If you look at the underlying contract that you clicked through during your Microsoft sign-up process, it says, “We’re providing this as a service. You are configuring it. There are still requirements for you to configure it correctly. They’re still turning on multi-factor authentication. We can make suggestions. We’re going to do these things to try and help you out, but ultimately, if you choose to leave yourself insecure, there is nothing that we’re going to do about that.” You are liable for those changes and those needs. Saying that things are in the cloud is great.
It’s easy. I’m done. Check it off the list.
Which is a great way to do it because I come from the days when we installed software on big servers and ran it from our own place, then you had four guys in an IT room who were supposed to be running 10, 15, or 30 different applications for our multi-million-dollar company. They’re doing all the desktop. It was a huge change. Now with Microsoft, you’ve got 100 security engineers or 500 security engineers that are better watching this stuff. You wouldn’t be able to afford it if you’re trying to run your own IT. That’s the good part of it. The bad parts are if you don’t understand what you did and what you signed up for. You’re still in a world of hurt, even if you’ve outsourced it to somebody else.

You don’t know what you don’t know. It’s like there’s LegalZoom and then there’s talking to an attorney, then there’s talking to ChatGPT. “What are you going to do here?”
I’m going to get my legals in the contract. I’m going to upload a ChatGPT and ask for their assistance, then I’m going to send it to the lawyer for the actual, real-life.
It’s exactly my steps, too. Sometimes I even bypass the LegalZoom and do it, then send it to my attorney to look at it. If you ask ChatGPT, it will say, “Please don’t put any details in here that could be identifiable.” That’s how simple that can be. You can link something that simple, and we love it. I love it, and we all know that we love it. It’s a great tool. It’s fascinating. It’s like this addictive drug. You’re like, “I’ll just ask ChatGPT to tell me how wonderful I am because nobody else says.”
I haven’t tried that yet. I have to do that. I will say that I did run my facial piece through some AI to see what it would come back with because they’re like, “We can give these great profile pictures.” I will tell you that when it had the beard, but I shared the pictures with you.
You did and I did the same thing. It came back, and I’m like, “There are some anatomical features that I wish I had that came out in those.”
The beard disappeared. It was quite an interesting perspective on what I would look like. Again, they’re going to learn how to do that better. They’re going to learn how to deal with the facial parts of it, and already, audio-wise. I had a friend of mine who was hacked with the virtual audio doing a voice authentication with the bank for a $300,000 transfer of money. We’re already at that point. If you can’t trust audio, video, and written, then we’re going to figure something else out.
Episode Wrap-up And Closing Words
That’s a good end to this show. Honestly, there are lots of resources out there that everybody can tap to get help with making sure you have your blueprint to start with and checking against the blueprint. Omnistruct has adopted that. If you want to contact us for that, that would be fabulous because we’re good at it.
More if you need that attestation. If you think, “I can’t do this self-attestation,” or if you’re an MSP and you go, “I’m providing the technology. Maybe that’s a little bit of a conflict, and I need somebody else to do a third-party audit for me besides some software piece,” that’s a good time to call us.
It is. What’s also great about Omnistruct is that it’s not an organization that’s just trying to get you into something. They’ll tell you, “You don’t need this. Have a good day,” or refer you to something else. If you’re just wondering, check us out. If you loved this episode or hated it or are in between or want to comment or like it, that’s what we would prefer, the comment and like, but we answer everything. Please drop a comment down below. John gets to say the final word.
We said a lot of it already, but don’t do this alone. There are great technology people out there. There are not a lot of great compliance people out there, the risk, and the other pieces. You don’t want to be in a situation where you’re having to call an attorney and cover your butt later. Don’t run outside naked unless you’re ready to be on camera somewhere doing it. Cover before you go out. That’s the idea of what we do. Let’s get you covered and let’s do it together. Let’s make sure that things are buttoned up and ready to go.
That’s a great way to end the show. Thanks, everybody.
About Valerie Cobb
Revealing why people buy to drive revenue. Valerie Cobb is an award-winning leader with over 25 years’ experience, and is passionate about growing revenue.
She has mastered getting to the root of the buying-and-selling dysfunction that is often common in organizations on the path to consistently producing high-performing sales.
As Chief Revenue Officer of Omnistruct, she is instrumental in aligning sales, marketing, and the client experience.