¶ Understanding Compliance: Beyond Check-the-Box
I think people hear the word compliance and they automatically think of a check-the-box activity, or let me just throw a bunch of stuff at someone to see, you know, if it kind of sticks. But really, when you start to step back and think about the whole reason for a compliance activity, in particular like a Sarbanes-Oxley, it's to be able to provide someone, and that's usually an external party, a level of comfort around how you're protecting something.
So it all comes back to protection, right? It all comes back to making sure that you have the appropriate kind of security and you have the appropriate rules and kind of processes in place to really say that we are protecting this information or providing information with a good faith effort. You can apply just about any framework you want to validate that protection.
So you can do a NIST framework, or you can have a GDPR, really, HIPAA, you know, most of that is kind of industry-specific, determining which framework. But the whole compliance function, or the IT audit function as it sometimes is referred to, is really just about providing assurance around your tools and your processes. So if you are an IAM professional and let's say you are managing or you are responsible for that RBAC or whatever is that
piece of audit evidence. It may seem that it is one discrete piece of evidence, but really, and especially in identity and access, it's really a key to how your organization is operating. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman.
¶ Introduction to the Podcast
Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? I'm doing great. I'm really excited for this episode. It's a continuation of that series that we started in the beginning of the year. And I talked to our friend and guest for the first episode, Ghazi. He told me today, and this was unprompted, right? He said he's still getting people who are watching the episode for the first time reaching out to him.
I think it's one of the great things about, you know, our show and the guests that we have on, is these episodes have a long tail. So we put on an episode, it could be a year ago or two years ago, it can still be completely relevant. I think the topic we're going to talk about today will be relevant. I mean, it's been relevant for the whole time I've been in IT and probably for the rest of my career as well. So, you know, I'm excited about this topic.
I'm excited about this series, and I'm excited by the fact that, you know, there's proof in the pudding that people are still reaching out to our guests a long time after they come on. Yeah. I mean, we have a long tail. We have a great audience out there that listens. So we're definitely appreciative of all that. And hey, new people are discovering it all the time, which is pretty cool. It's on the Internet, so it'll live forever, theoretically. So, yeah, I think people
discover this. And I think you and I have talked about this, and mostly you, is like, this is like a time capsule, right? Of, as of today, or March 2025, as we're recording this, this is what this topic was like. So who knows, we might be in a history book in the future somewhere. It's like, all right, well, this is where, you know, some artifacts that people might look at. And with this being our 340th episode, there is certainly a lot of content that people kind
of pull through. But yeah, it's pretty cool.
¶ The Importance of a Well-Rounded Identity Professional
I actually like this series that we're kind of working with RSM on, because I think this is an important topic where we want to show well-rounded identity people; you need to know more than just 100% identity to get by in the digital identity space. So that means things like what we're going to talk about today, compliance, governance; that means cybersecurity at large. You know, we're probably going to talk about AI and the cloud, right? You don't need to be, I get it.
You and I are, you know, identity people, but we also need to be able to talk about other topics and be able to relate and have a more well-rounded knowledge around that stuff. So I guess that's a long way to say I'm happy that we're doing this type of series, because I always believe in sort of that well-rounded education to make sure that we can spread the gospel of digital identity in as many ways as we need to, to people who maybe aren't what
they consider identity folks. Yeah, it's one of the reasons also that you can come from so many different backgrounds to be successful in this industry: there are so many different types of angles you can take, not only to get in, but even when you're in the industry, you know, different areas you can focus on or be an expert in, and it makes up for maybe the areas that you don't have. So if you're not technical, you
might be a project manager. If you're neither one, you might be a subject matter expert in something like compliance, privacy, kind of like the paper or the regulation side of the industry. All those things are important, and they make up the big picture. Yeah. Or maybe you just have golden, you know, radio pipes and you do a podcast every week. That could also be it. Yeah, I don't think that's why we do the podcast every week, but we'll just go with
that. But, you know, one other thing, and this will be my professional segue, like I've been trying to do, is the conferences. Like, just look at the conferences, and nobody wants to say they have tracks anymore, right? They want to have themes or, I don't know, because they want the idea that you can go to the conference and bounce between the tracks. But they're still tracks, right?
And they vary from executive leadership to technical to, you know, other business, regulations, standards, the whole nine yards. And so I think conferences are a perfect way to, you know, continue that education and build yourself out. And if you're not an expert in compliance and regulation, you have two choices. One, you can go to the conferences that we'll go over our discount codes for. And second, the other is come to the Identity at the Center Podcast and
listen to this episode. Yeah, we'll get you started, and then you can continue on your discovery, your journey of discovery, past that. But that was a very professional segue. Let's build on it.
¶ Upcoming Conferences and Discount Codes
We do have some conferences that we're going to be at, as well as have discount codes for. So the first one coming up here pretty soon, Jim, is the European Identity and Cloud Conference in Berlin. So that's put on by KuppingerCole; that's May 6th to the 9th. And if you use the code IDAC25MKO, you get 25% off. So I know you and I are excited about getting out there for the first time and checking that out. So that's one that's coming up
pretty shortly. So hopefully, you know, we'll see some new friends and maybe some friends that we've seen come across the pond to us, and Identiverse, which we also have a code for. So if we want to talk about Identiverse, that's in Las Vegas, that is June 3rd through the 6th; you and I will be there. We have some, I mean, we have some things that we're going to be planning on there.
I don't know if now is the right time to mention it yet, but we will be part of the opening kind of ceremony type thing at, I guess, the opening night of the Expo hall and stuff like that. So I've kind of alluded to that over the last maybe several months, but it's official, and now we're just working out the details of actually how to pull it off. But if you use that code, IDV25-IDAC25, I know it rolls right off the tongue, you get 25% off.
I'll have both of those codes in our show notes, and they're always on our homepage at idacpodcast.com. So if you just scroll down, you'll see the codes we've got there active. I'm sure we'll get some others as we go throughout the year. So check back, and you know, if you've reached out with questions and things like that about that kind of stuff, check back. We generally will try to get something for all the major conferences, or as much as we can, so.
You know, one of the main things I'm happy about is that the conference codes that we give out are not case sensitive, because if they were, this would get really confusing. Not case sensitive. And typically we strive to get, like, the best code that we possibly can, so we're not in, like, an awkward position of, like, oh, I heard this code and there's a better one over here.
So typically we try to make sure that, at least it might be a tie, but at least you shouldn't find anything better. So hopefully we become the one-stop shop for those types of codes, and you've done a lot of work on that. Yeah, no, I insist on that. Like, if we're going to go ahead and give out these codes, we want to make sure that they're not usurped by a better code somewhere else. So feel confident to use the codes that you find here on the podcast.
¶ Meet Our Guest: Kia Smith
Yep. OK, enough preamble. Let's get to our guest. She's been patiently waiting on. She's put up with a whole lot of our stuff getting set up and prepared for this. I want to introduce Kia Smith. She's a director in RSM's security and privacy risk consulting practice, along with us, Jim. Welcome to the show, Kia. Thank you so much for having me. I'm very, very excited to have this conversation. I'm humbled to be invited. I have listened to a lot of your
distinguished guests. So I hope I can continue, maybe, to contribute to the discussion and the discourse that you guys have here on this great platform. Well, I have no doubt that you will. That's why you're here. You're an expert in this space. And so why not pull in some of the smart people that we work with to talk on these topics? I guess the first thing that I always like to get into is backgrounds of people.
¶ Kia's Journey from Law to Cybersecurity
Jim alluded earlier that people come from kind of all kinds of backgrounds. I was a bartender before I got into IT, so. And I don't drink. So figure that one out, folks. But there are always interesting stories, and I'd love to hear how you got into the cybersecurity space. And then, I guess, do you consider yourself a cybersecurity person, a compliance person, both, something else? Tell me a little bit about your journey.
Yeah, that's a great question. And Jim was spot on. I think myself, like most people, have that very non-traditional kind of journey to get here. I always say, you know, cybersecurity and compliance, IT audit, was my side hustle all through school. So I went to school, and did a lot of school, because I went to grad school and I went to law school, and I was a public policy major.
And then I went to law school and I thought I was going to do education law, and I was working at a lobbying firm, writing amicus briefs and doing all the things law. And the whole time I was doing that, I was an IT auditor in the federal government, and that was my side hustle. And so in the government, they just wanted someone to kind of learn these cyber and compliance things.
I didn't really know what any of them meant, but I always said yes to all the trainings, to all the opportunities. And it's just something that, a career that kind of developed in and of itself. And throughout all of my education and all of my experience on the legal side, I always kept coming back to my experiences that I had in
working in the field. And so I really felt that this is where it spoke to me. It, you know, much to everyone's chagrin, that was like, what, you know, like, what was all of that about, law school and the LSAT and everything. But I certainly think it helped give me some good perspective.
And there are certainly lots of transferable skills that I took from my education, but I truly have decided and determined that I'm really more of, like, a cyber professional that just happens to focus on a lot of compliance and governance things. So let's talk a little bit about that law background, because I think we've had actually a couple people, Jim, if I remember, that have sort of law backgrounds that have moved into the space of cyber.
What was that transition like? And I guess, was it like flipping a switch, like, oh, now I'm this, or was it like a gradual transition? I guess talk to me a little bit more about that. Yeah. So I think there is, particularly between law and where I specialize most times now, which is a lot of compliance work.
Most of the compliance that I deal with is regulatory, legal, so big, you know, documents and lots of critical analysis and interpreting of statutes and terms and contractual kind of clauses, all of which are things I did in law school and I learned to kind of interpret and investigate. So I think that piece of it for me was a little bit more of a natural fit, but really it was just kind of interesting.
I distinctly remember I was a GS-nothing in the government working on this kind of, you know, very generic IT governance audit that they were just trying to literally build. They didn't really even know what it was. And I was talking to an administrative law judge, who, for those that don't know, administrative law judges practice law on behalf of the government. It's a great way to, you know, simplify it.
And she suggested that maybe I position myself to do the work that I'm doing, but within the Office of Inspector General, because that had more executive oversight, had a little bit more congressional leaning, a lot more statutes; she thought it would lend itself more to what I would be interested in, being with my law background and public policy and all of that. So that's really where I found my home.
And it kind of just merged all of these skills that I'd been honing, you know, my critical analysis, my ability to kind of read and understand and apply laws to facts that we were being presented. The facts were cyber and technological, but they still were facts nonetheless. So I think there are lots of synergies there. That's why you tend to see, you know, some retired lawyers and others of us hiding kind of in the mix in the cyber sphere. Well, their loss is our gain.
Being one of our colleagues, it's always great to hear from you.
¶ The Role of a Director in Consulting
For people who aren't familiar with what a director in a consulting practice does, right, it's somewhat of a generic title. What is your day-to-day like? Like, what would you say you do around here? Oh, what do I do around here? Sometimes I ask myself that as well. There are lots of things that you do, you know, and in any firm that you have, there's a lot of an industry and education component. I think where I'm at as a director, I see that as probably one of my most important roles
that I play. And the education is both internal to our teams, to our junior colleagues and folks that we're trying to train up. And really, I know Ghazi was on your show before and spoke about our apprentice model that we have. It really is an apprenticeship. That's how I learned, really, growing up, how to apply and what are some techniques and how to interact with clients. So that's a big part of my job, is the training and the education, kind of in that apprenticeship.
But another big part is doing things like this, actually. It's thought leadership, it's participating, being a force in the industry, making sure that we're sitting at the table, that we're staying up on, particularly in my field, regulatory and compliance type changes that have happened, that we understand trends, and that we're really, you know, working with our clients to meet them with what they need.
And that takes a listening ear. It takes a lot of educating: me educating them on what I'm seeing as a practitioner, and then them educating me on what they're feeling, needing, and what the market is kind of demanding. So that's what a lot of my job is. I mean, I could go through all the minutiae, which you know about, with, you know, billable hours and all of the other things.
And obviously we're doing reports and all the things that you would immediately attribute to a professional services firm. But I really think that's my main charge kind of as a director at this point. And in my role and in the firm, it's really kind of being that education piece, internal and external, to really promote us, to make sure that we're really bringing the best power and the best minds and talent out in the market to meet our clients' needs.
So, Kia, I think back to, well, first off, I think that the listener base of this podcast are the IAM practitioners of the world, those people throughout the career journey, people who are just starting out, just getting their arms around cyber and identity, all the way up to the most senior people. But I think back to the early days of my career, and it was right around the time that Sarbanes-Oxley became law, right?
And it was like everything you could do to justify a project was like, we're solving these Sarbanes-Oxley problems. They really didn't have context for what was happening or why that was relevant from a cyber perspective. So I was wondering if you kind of, you know, think, thinking about that person who's maybe implementing the controls or trying to align their projects to these frameworks that are set
up with the regulations. How does somebody think about what the parts and pieces are and how that affects organizations and how they do IT and cyber? That's a great question, and it's something that I wish I too, when I was maybe first starting out, had a better appreciation of. I think people hear the word compliance and they automatically think of a check-the-box activity, or let me just throw a bunch of stuff at someone to see, you know, if it
kind of sticks. But really, when you start to step back and think about the whole reason for a compliance activity, in particular like a Sarbanes-Oxley, it's to be able to provide someone, and that's usually an external party, a level of comfort around how you're protecting something. So it all comes back to protection, right?
It all comes back to making sure that you have the appropriate kind of security and you have the appropriate rules and kind of processes in place to really say that we are protecting this information or providing information with a good faith effort. You can apply just about any framework you want to validate that protection. So you can do a NIST framework, or you can have a GDPR, really, HIPAA, you know, most of that is kind of industry-specific,
determining which framework. But the whole compliance function, or the IT audit function as it sometimes is referred to, is really just about providing assurance around your tools and your processes. So if you are an IAM professional and let's say you are managing or you are responsible for that RBAC or whatever is that piece of
audit evidence. It may seem that it is one discrete piece of evidence, but really, and especially in identity and access, it's really a key to how your organization is operating. It's really a key. It really displays to anyone that's looking at it what is your general kind of stance in terms of security and protection. So oftentimes we get lost, and especially when you start to hit audit season, it just seems that maybe you're getting hit by multiple external parties.
And sometimes it can be kind of hard to decode which audit means what, right? Because there are all these different external kind of parties asking questions. But just know that the evidence that you provide rolls up into a bigger picture that makes a statement about your environment. So it's always important to really know that all of it matters in telling the complete story of kind of how your organization is running itself. Yeah.
¶ Compliance vs. Security: A Balanced Approach
And I feel like the words compliance and security sometimes get mixed up, and some people think that, oh, we're just chasing after being compliant with these regulations; we should focus on security. But at the same time, you know, usually the end goal of a regulation is to get you to be more secure in certain areas, right? So I'm sure you've run into this question or this conundrum before. How do you think about it?
Yeah. So, and that is something that I think a lot of times we will start an engagement, right, a compliance engagement, or let me start with this. I think compliance, when you think about it, compliance is, I think, more of a reactive, right, process. Compliance is usually an external somebody or something that's asking you to validate or show what you've done, right? So it's a view of what you've been doing, right? A reactive or a post.
It's in the past. Show me what you've been doing. Governance, though, is really a proactive kind of activity, right? Like, that's the behaviors, that's how you want to be, how you want your organization to run. And within both governance and compliance, you can't decouple either from security, right? So I think they're not mutually exclusive. I don't think that you're either really secure or very
compliant. I think that you're secure first, or most organizations should be secure first, and then you may need to change how you're demonstrating that security to align with that compliance framework, but they shouldn't be decoupled or thought of as two separate things, like, if I'm going to be very secure, I can't be compliant.
Because you're absolutely right. At the end of the day, that compliance is really about sharing and showing and demonstrating that you have a level of security around your organization or around your processes.
¶ The Evolving Regulatory Landscape
So, OK, just from my perspective, Sarbanes-Oxley and PCI, those are kind of like the OG regulations for me, you know, and throughout, I'd say, quite a bit of my career, it was like, oh, these are your SOX and PCI applications. So those are the things you chase after. But it seems like today there's a much more complex regulatory environment. And I'm wondering, like, have you seen that shift as well? And, you know, when you think about that, what are kind of some of the most significant
drivers of that shift? Yeah, there definitely has been a shift. And I think a lot of the shift is due to organizations, businesses and governments heavily relying on third parties, right. And with the advent of third parties, cloud service providers and quite a few other kinds of organizations coming into the mix of how companies and businesses go about their work, they have extended them into kind of the regulatory framework, or regulatory pool, for example,
right. I'll use the government, for example. The government is one of the bigger consumers of third parties. That's either, you know, managed service providers; they leverage a lot of cloud service providers, a lot of tools that are third-party custom off-the-shelf tools, for vital reasons, for efficiencies, for cost, you know, cutting, and just for, you know, best practices, really,
right, best in class. Well, those might not be traditionally tools or organizations or third parties that would normally be subjected to compliance, because they're not a government thing. But now, because they have entered into the government ecosystem, either by being a third-party vendor or by being a third-party provider, they now find themselves subjected to some sort, or at least, you know, casually related to some sort of compliance or regulatory
activity. So you see all kinds of different actors now that are being subjected to maybe DoD-type compliance regulations because they are a fourth- or an nth-party provider to a subcontractor. And now all of a sudden they're starting to see, you know, contractual language or things that are requiring them to meet regulatory requirements in a way that they never would have, or they generally don't have to, because they don't really play in that space traditionally.
So I think as the world and business has continued to kind of expand and kind of merge across various different industries and use and leverage products differently, you've really seen kind of the expansion of the regulatory landscape. And I think a lot of external compliance and regulatory authorities have really recognized that. And so you started to see the shift in the last, really, three to five years of a heavy focus on supply chain, or sometimes it's called supplier risk
management. But really it's the idea of understanding that now, the way businesses perform, a lot of services are outsourced. And so if services are being outsourced, are companies also outsourcing risks that they should or shouldn't be, right?
¶ Managing Third-Party Risks
And so there's been a lot of focus and continuing movement towards really having strong third-party processes and supplier risk management processes, just because that regulatory and compliance landscape has now gone outside maybe the primary business and stretched into vendors and other parties. So I think it's something that I deal with quite often.
I can't tell you how many companies or organizations will reach out to us to talk about a certain thing, and they'll start the conversation with saying, I don't even understand. Like, we don't work with the government.
I don't even understand how this came into my contract, or why do I need to do this, or why, you know, why do I have to, you know, do the specific way of split tunneling, like, you know, very specific kind of technical things that are kind of specific to the government. But it's really through those contractual relationships, and we are grouping and working differently than what we were
even 10, 15 years ago. Yeah. It's just, what you said there is really something that I've always wondered. So you talked about, are you outsourcing a function, are you outsourcing the risk? So let's take a sample of a CRM
system. You outsource it to a client or to a company, and they have SOC 2, they have all the, you know, check boxes checked, and then they have a breach. Like, I mean, is that company now, you may have shifted the work, but really you're the one who suffers from that breach, right? Correct. So. Spot on. OK, yeah, that's, I guess, the way I've always thought about it. But yeah, what else can you do other than check for those things, right?
Yeah. And so a lot of what a compliance, a lot of the compliance frameworks that we deal with in this kind of move is they kind of recognize that, right? They recognize that the way businesses were interconnected in ways that we weren't previously, right. There's lots of different actors and providers across industries that are bringing best in class services, you know, in a way that we maybe hadn't thought of.
So a lot of compliance frameworks have been really developing and putting additional kind of focus on. So what are you doing around that SoC two? OK, great. You get a SoC 2 that says they use least privilege or that says, you know, everything is in AWS or that says whatever, right. But what are you, the organization that's, you know, contracting them? Did you validate that? Did you do a spot check? Are you, you know, looking at that on a regular cadence to confirm that nothing has
changed? Do you have contractual language that requires them to notify you if they're changing something? Are you making sure that their cyber risk posture is in alignment with your cyber risk posture? Maybe you align to a certain framework or certain sticks? Are you ensuring that those clients and those companies that you're partnering with because they are providing services on behalf or for you that they're really operating in a way that
you find appropriate? So it's really putting a lot of focus and onus on. We understand that third party and service providers is really kind of how we operate in the world and in business, but we don't outsource risk. We outsource processes and services. So since you can't outsource risk, what are you going to do?
What is your governance again? What is your internal kind of business behaviors and processes going to be to really make sure that you're managing and in monitoring that relationship, you didn't just like kick over the function and be like, good luck to you. Hope you know, hope nothing fails. You're actively involved in it. So I think this is a super timely question to ask because I feel like this is the new, well, maybe not new, but supply chain
attack. It's not just like physical goods of things, it's also the services that every company relies on from others. And I guess, you know, you talk about some of the controls or layers of control that you might put in like legal language within a contract. Who's responsible for that sort of language? Is that something that lawyers for the company should be thinking about? Is it something that maybe a risk officer or AC so should be thinking about?
I mean, should an identity person be thinking about those sorts of things and say, hey, have what is our repercussion of this? Because there's a lot of SAS services that are used by identity people, right? A lot of companies are moving their products, that sort of thing. I guess we know this is going to happen, right? It's just a numbers game and say, OK, someone's going to get breached. There's going to be some sort of issues. Humans are going to human, right?
Mistakes will be made. What do I do about it though? If I, let's say I don't have the, the legal language, is it, do I have a control within my organization? It says this is what we do to check up on our suppliers. It's sort of like a third party risk management type thing, you know, what can I do as a customer of these sorts of things? Because like you said, you can't outsource the risk. At the end of the day, I'm responsible to you as my customer to make sure whatever
I'm doing meets your needs. If something behind the scenes is having a problem, that's my problem, not yours. I can't just pass the bug and say, well, it's not my problem. You know Microsoft did something that's not going to work in the real. World, right? And really, you know, in, in a true consultant answer, it's all of the above, right? But it's, it's amazing
sometimes. And again, I always deal in like the contract area because a lot of what I do from a compliance standpoint is contractually enforceable or regulatory, you know, bestowed upon groups or organizations. So we always end up in like a document of some sort. And so it's, it's funny because we'll often in those conversations, I'll say, well, can I have your security folks on the line? Can I have your legal? Can I have your procurement? And everybody's like, what do
you like? Why, Why would my security like, why would my security people be be here? And I'm like, well, what is your security clauses say, right about how you expect them to behave and identity and access, no matter what compliance framework that you're looking at, it's really kind of at the cornerstone of kind of security 101. Do I know who has access right?
Is there access appropriate? And am I doing something to monitor, remove or, you know, completely authenticate and make sure that it is who it's supposed to be when it's supposed to be, right? That is a tenant that is in every single compliance framework, no matter which industry, whether you're talking socks or, you know, CCMMC or FISMA Fed ramp, it, it really, it literally doesn't matter. HIPAA, all of them have a huge set. It's always the largest group of access and identification
controls. IA controls, AC and IA, right? And they go hand in hand, you know, like best friends that they are.
¶ Setting IAM Security Standards
So when you really start to think about how do we set our program up to make sure that we as an organization understand what our suppliers, our vendors, our partners are doing, usually it is the most enforceable way is through that contract vehicle, right? That's how you get legal. You can apply legal repercussions, right? I am agreeing the service you agreed to do X and the X really should be a combination of your security folks and your IE folks say, hey, we don't allow, you know, group accounts, right? So whatever you do, you can't have a group account. We have, we run quarterly access reviews. We expect you to run monthly reviews and report to us quarterly. We exercise least privilege. Like those are things that should be set out. If that is the cyber security and your security posture and your organization, it should be passed along and it should be detailed.
¶ Cloud Service Offerings and FedRAMP
And so you started to see, even with a lot of like cloud service offerings, there are a lot of kind of frameworks or body of evidence, as they'll sometimes call it. So sometimes you'll see, you know, cloud service offerings will say, well, we're not FedRAMP, you know, authorized, but
here is our FedRAMP equivalent. And essentially it's just how they're performing against all the controls so that that organization can look and see, you know, is there identity and access management like the way they're managing, you know, their, their very high administrators. Does that match what, what we think administrators should be or is everybody an administrator? Does everybody have access to every single thing all the time,
right? Or if you are providing a service for us, how are they, how are you restricting and making sure that a person for my company only has access to my company and right, they're not able to dip in, you know, across three different companies and put my information somewhere that it shouldn't. Like where are those rights? Where are those group policies? Those are things that should be included and should be thought of. And to do that, you need practitioners.
So that's not something that generally a procurement officer can just detail out themselves.
¶ Procurement and Security Collaboration
The procurement should absolutely be working with their security specialists. They should be working with folks that are administering their IAM to understand, hey, what is our access policies and what do we expect, you know, our vendors to be doing? And since we're reviewing what, what would you need to see, right, so that that language is codified and put into contractual or rules or memorandums, whatever is going to dictate, you know, SOPs, how you were going to interact and behave with one another.
¶ Contractual Security Requirements
So I think you answered the follow up question I was going to ask, to say where does this start? Is it, is it legal? Is that really where it starts, is to have that teeth behind a contract to say, look, these are security requirements that our organization has and make sure that language is in the contract. What concerns me sometimes is, are the right people looking at the contract to make sure that that's in there, which you just talked about? Yeah. And maybe it's I, I, I don't know where that information comes from because it's just experience. Is there, are there sources online that people get it? Is it, hey, drop a note to Kia on LinkedIn and ask her for if I sent it, right? That kind of thing. But I feel like sometimes there is a pressure also to say, well, they don't do that. So we're just going to have to accept the risk in case something happens.
¶ Business Involvement in Security Decisions
Talk to me about how the business gets involved with making that decision. And how do you, how do you make sure that that, you know, people who are listening to this, people who are in identity and cybersecurity are saying, OK, we've got, we're doing our best to protect our environment. But every once in a while you get the business. It's just like, just do it. Right. Right. How do you, how do you help manage that discussion?
Yeah, I, I do think it's a, it's a measure of a collective group in the procurement and contracting process, right. So I think it starts with, obviously sometimes it's your lawyers and it's your procurement specialist, but I think it is going to your, your cyber, your security folks and literally asking what is it that we do here is.
And, and oftentimes when you partner with a third party, they provide you kind of like there's their customer shared responsibility matrix or customer responsibility matrix, whatever it may be, right? They, they have different terms. Basically they'll say, here's all the things we agree we're going to do and these are the things we're not going to do. It's on you, right?
¶ Reviewing Security Practices
And so I think the first thing that I see a lot of times is organizations will get that kind of a standard paper, but it's not really reviewed. And, and the folks that are reviewing it are usually not the folks in security. And you should be having your security folks review it because the security folks are the ones that can say, hey, they don't really practice any type of, you know, maybe they use all group accounts for everything they do or system accounts. They have no real, you know, identification or authentication methods at all. It's kind of like the Wild, Wild West. Somebody like you work there, you get everything, right, and you need somebody, but only a security person is going to be like, hey, we don't want that, and here's why we don't want that, right? That's that risk we're talking about.
¶ Governance and Risk Acceptance
So then when that executive says we're going to accept the risk, they actually understand what the risk is, they're accepting it, and it should be documented. That should still be documented, right? Like the idea to not act should be documented the same way as how you do act when you're thinking of governance. Again, this is that proactive kind of behavior. We've decided that we are going to continue this relationship with this third party. We're going to, you know, accept their procedures or their security, basically as it is. We've accepted that these, you know, 10, 15, 20 things that they say that they're not responsible for. We've accepted the risk of, of managing it or not managing that. That should be a proactive, documented decision. It just shouldn't be a decision by, you know, almost by neglect, right? Like we, we don't really know
what it means. So we're just going to sign it anyway, right, Because that's still not making the decision. That's just kind of, you know, moving along and and the whole point is, again, governance is the behaviors you want, it's internal, it's who we want to be, right. And so all organizations should and usually have a goal and security to have very strong governance practices.
So the idea that you are proactively acknowledging and accepting risks, security or otherwise, should be something that should be involved with multiple parties, legal executives and and security. I'm always a fan of bringing our security practitioners to those conversations because the insight that they provide make the words make sense, right? A lawyer that's reading it has no idea half the time why any of that matters. What you know, what tools they're using, even why that matters?
You can. You're going to need a practitioner to digest that for you. You know, as I'm sitting here listening to you, I'm thinking I'm learning so much. This is awesome. And like Jeff, I had a question queued up. I think you answered it, but it made me think of one thing I did recently. And I'm sure this was regulation driven. I went to my doctor like, oh, we have all these things for you to accept. And it was like 10 pages of small 10 point font text.
And I was like sign, sign, sign, I, that's a whole other episode, right? But kind of the question I was getting toward is, you know, we do a lot with the middle market at RSM. We don't maybe have the middle market maybe doesn't have the weight all the time to go to a SaaS vendor and kind of put them through the paces, right. If you're a $1,000,000 client, they'll run through the paces to win your business, but they might more or less send you to a
website is what I'm thinking. But here's the, the thing I was getting ultimately getting at was there are certain services now that are almost like you can't run them on site or only, you know, nobody would run them on site. So I'm just thinking of like authentication. You know, very few organizations want to run their own external authentication system on-prem, right? They just get a cloud.
And you know, the thing that you mentioned that really stuck to me was, you know, they might not have the form that you're looking for to say we're FedRAMP compliant, but they might be able to show you that their processes exist. You might be able to look at those processes and say they're better than our own processes. So from a risk evaluation standpoint, it's not just a check the box exercise, it's an evaluation. Hey, they do all these things as
well as we do them. They've actually got them documented. Maybe your organization doesn't. So that that was my thought. I wanted to get into that conversation, but I also wanted to just shift.
¶ Impact of Regulations on Industries
So let me shift to another discussion around kind of which you talked about a lot of different regulations so far during the episode. And I wanted to get like the most impactful, but I think there's two types of impact. 1 is what regulations are having the biggest impact across all
industries. And you know, I'll put my vote out there for GDPR because I keep running into it where organizations, especially over the last 10 years have had to, you know, make that a major requirements impact in terms of deployment of identity systems. Now I think the other most impactful could be where does a, a single regulation hit an industry especially squarely in the eyes and say this completely impacts our identity access management.
And so I have experience working with utility clients. They have a NERC CIP body of regulation, right? And it requires that there's an air gap. And so for people who don't know, an air gap is, it's a complete separation of the network between corporate and power generation, especially nuclear. And so you know, you can't, when you have a completely separated network, you can't have IAM systems with one foot on both sides. You're basically duplicating your identity systems as well.
So I've seen that is like a huge impact on that. You know those companies are hit squarely with that one. So I'll turn it over to you and kind of the where do you see that like the broad and the narrow?
¶ CMMC and Its Broad Implications
Yeah. I mean there, there's some, I, I would definitely say one that is disrupting lots of industries. So I will say this goes across industries. Is the cybersecurity maturity model certification, CMMC and in its ruling or in its stated purpose, you would think it has a pretty narrow scope because it is written to impact the defense industrial base, but the defense industrial base is huge.
It is organization. So just think about you, you have a prime, so the big primes of the world, think about any of the major aerospace or you know, aerospace engineering, our defense contractors, right? But it's everybody in that defense supply chain, all the companies in their supply chain are also impacted by CMMC and it has no, it takes no consideration of size or profit share, right, And who it
impacts. Literally the mandate is that anybody in the defense industrial base supply chain will maintain a certain standard of cybersecurity. And much like the air gap you're talking about in CMMC, there is no commingling of information. So this information that it's targeting or CUI that it's important, it has to be solely and completely separate from anything else in the
environment. So this is where I say I start to have these interesting conversations with, I had, I was on a call with the maintenance company, right? They, they do lawn care and maintenance and they are subjected to CMMC and they're like, why am I talking to you? Right? Like we, we do maintenance, but because they support, you know, DoD locations and other places that are considered to be sensitive and they're in the DoD
supply chain. Now, granted, they're probably like 15 down the supply chain, but they're in the supply chain. They find themselves subjected to these, you know, regulations that have specific kind of so they're like, so you're telling me I now need to find a way to segment my whole environment. So I have my whole commercial environment, but because I do these, I have these, you know, four or five, whatever contracts, it puts me into the defense industrial based supply
chain. And now I find myself having to create a separate enclave or a whole separate environment just to manage those contracts, right? So it starts to have huge implications and, and really we've been seeing it across every industry. It's impacting, you know, healthcare providers, like I said, maintenance, huge manufacturing implications.
Think about people that make small bolts that might, you know, ultimately end up on some kind of jet or some sort of, you know, or some sort of DoD equipment, right? They, they may not even, they, a lot of them didn't even know they were in the supply chain until they started seeing all of these things flow down. And so it's completely disrupting how, you know, they are delivering and how they're
providing their business. And, and in a lot of those cases, when we go and talk to them, like, OK, we need to make sure that only appropriate people have access to this information. Show me, you know, your role, role based access or show me your RBAC or show me what you're doing. They're like, well, there's three of us, So what would you like us to show you, right? Like we all have access, we all do everything, We all can see everything. Is that a problem, right.
And we're like, oh, let's dive into that a little bit, right? And see for this environment, you may have to do something slightly different because it does require you to do least privilege and it may require you to set up slightly different kind of access permissions and things like that. So I definitely think CMMC is one it, the rule has been meandering for the past, you know, 10 years or so since the idea came, came about, but it went final in December.
And I think a lot of people thought it was going to roll back and it's full steam ahead and its requirements and certifications. And so it's requiring lots of organizations across lots of different industries to really figure out how and what they're going to do to implement it. And and I will say one of the tricky things is that identity and access management piece of it because the whole cornerstone is that only the appropriate people have access to the
information. And now you have to set up two separate environments and you can't swivel chair or you can't figure out what do you do? Do you have two totally different kind of directories and policy and you're totally managing two different, like how do you do that in a way that makes sense? And so that's what we're constantly kind of working on with some of these regulations. So I think that's a big one.
And then I think your second question is what is maybe a more smaller or one that we're also seeing. I think there has been in the, in the last few years with GDPR, I think some of the healthcare, in expansion of some of those have also started to find the way across. Not just a specific kind of, usually used to be just like hospitals or medical facilities, but you're starting to see the advent of more like medical devices.
Companies are being pulled into certain compliance things they've, they've technically or have always been with the kind of maybe HIPAA or HPA, but now they're starting to see HITRUST and GDPR and some other things because they often have international manufacturing places. And so that opens them up kind of in a way that they didn't expect. So I think it can, for me, it gets kind of exciting when you kind of see how everything
starts to really intertwine. But it certainly can provide challenges because most businesses are not set up to only respond or be organized in a way that compliance frameworks, you know, speculate right there. They are designed to run their business. So it's always very interesting in working with clients to kind of figure out how to right size their footprint or right size their processes to fit their business needs, but more importantly, their governance aligns with their compliance.
So again, it really goes back to what are the proactive behaviors that they can put in place so that compliance is just a thing that kind of checks on their governance. It's not a different thing that they actually have to do. So you've got me thinking now, Kia, the supply chain of, you know, all the different parts of the, especially for like government type stuff. You mentioned CMMC. Is this podcast supposed to be CMMC compliant?
Because I know that we're on podcast players in some of those environments. So I don't know if we have to. I don't know, it depends. I've seen some really strange things come into scope in some of these assessments, right? I mean, as long it depends on what you start talking about and what you start recording and what you start, you know, and that's where a lot of the theoretical conversations come
in at, right? Like what really should be considered sensitive or what really in the DoD space, what should be considered CUI, controlled, unclassified. So the idea that there's this whole body of information that is sensitive enough, it needs to be protected more than just regular information. But it's not like top secret things, right? But it does require some additional layers and effort there.
So, you know, you may be, somebody might be reaching out to you and want to know, you know, kind of like where's FedRAMP or where, you know, some of these compliance things on your road map because they want to be able to use your podcast in their environment and their environment is fully compliant. You're knocking them out of compliance. Well, air gap will, you know, you'll have to buy a tape cassette player. There you go.
Record us a tape and put us in a room and just put us on a speaker and that's the way we'll cover that. I know where I, I want to like be cognizant of time. And I have one more question I want to ask you because I feel like we've set a record, Jim, in the last year where we've gone over 45 minutes without mentioning really AI.
¶ AI in Compliance and Cybersecurity
And so I want to get Kia's, Kia's thoughts on where do you see AI really impacting sort of the space between compliance and some of the things that people in the digital identity and cybersecurity space you really need to start to think about? Yeah, I think when you think about AI, right and and its usefulness, it's really used to kind of advance or make
processes more efficient. There's certainly a lot of routine and kind of either governance and security type things that you could use AI to really help you check on a regular basis. And again, I think from a governance standpoint, that's very powerful and really maturing your cybersecurity posture for it, right?
Being able to use these where there's a little bit of a temperance is, is that at the core, right of most compliance is understanding and always being able to know exactly where things are coming from, who specifically is doing it. And if somebody's reviewing it, right? So it's still putting back that human element that kind of the whole purpose of AI is to kind of remove some of that, right?
So I think there's a little bit of a pull right now and a little bit of a hesitation from a compliance standpoint and really how to evaluate the use of AI in environment. Now there are like for example, ISO, I know I think A to LA is
coming out with statements. I know there's different kind of governing bodies that are starting to put out more literature, more guidance around acceptable off like acceptable use cases of digital identity or other type of like control activities or even data, a lot of data gathering activity.
So for if you think about AI in a financial industry and how can be used to kind of aggregate large quantities of data reporting, there's a lot of questions and maybe some controls and frameworks coming around on how to validate the inputs so that you can rely on the outputs that are generated
from whatever AI tool. I think that's going to continue to expand because it's not going away and and people want to use it. I just think as everything technology is light years ahead of, you know, laws and regulations. So that's nothing new to anyone that's there, but I think organizations, again, from a risk perspective, and again, we're cyber, I'm a cyber risk practitioner at heart, right? Everything to me always comes back to risk. Again, you never can outsource
your risk. So no matter what you're using, tool or otherwise, as a cyber risk practitioner, I'm always going to question, OK, but how do you get comfort of validate that what you're doing is appropriate? And that may mean spot checks, that may mean that you you use AI in a limited fashion over certain areas where the risk or the impact is less in your environment versus others. But I certainly think it will be continued to be pulled in more
from a compliance perspective. But I think we're just they're just behind and really evaluating how it's going to be acceptable within the frameworks as they exist today. I feel like we could talk for hours and hours and hours on this, but I don't want to do that to you. So I think this is probably a good spot where we kind of start to wrap things up. I've learned a lot just in the last, you know, hour or so that we've been talking and I think there's so much more we can cover.
So hopefully we'll come back and continue to educate us on on some of the things that might be changing in the world and things that we started thinking about, right? It's OK to get smarter. I think it's that's one of the things that we should always be cognizant of is like, OK, hindsight's 2020, what can we do next time to be better?
And so I think back to like where we started, maybe the conversation around contracts and legal. If that language isn't there now, when it's up for renegotiation, maybe that's a good time to start thinking about it, right? So there's continuous improvement and, you know, from that standpoint. So let's go ahead and leave it there for right now.
¶ Pickle Pops and Lighthearted Farewell
I do want to end on a lighter note because we were talking and sort of preparing for the show and you totally blew my mind with the concept of a pickle pop. I am not a pickle fan. I will go on a, on a platform and a hard stance, a hard opinion of I do not like pickles. And so the idea of a pickle pop really, I find personally, I hate to say it, but a little bit revolting. So tell me about a pickle pop. What is it, why is it, and who
is it? The pickle popsicles are a delicious in from Jim's input, a nutritious, apparently snack that one can enjoy any time of the year. No, it is really frozen pickle juice goodness in a popsicle. And so either on a stick or in like the little old school, you know, plastic little push pop push ups, you can get them
anywhere. As I explained to you, they are, I'm not a, you know, a population of one in enjoying pickle pops, but they're just delicious treats and you can do all kind of variations with them out. If we didn't go this far, but you know, in certain areas of the South, people may put certain types of seasoning on top of their pickle pops. Tajín is one that's pretty popular, Kool-Aid or sugar sometimes.
So you have a little bit of that, that sweet with that salty like dill pickle bite that you get with that sour pickle juice. It's just a refreshing kind of treat. I, I suggest everyone should try one. I will try anything at least once. So what is, if I'm going to go out and look for a pickle pop, what is the one? You're like, Jeff, I know you don't like pickles, but you've got to try this. Like what's the flavor or whatever that I should?
I am very old school. I like the best plain dill pickle pickle pop. There are some zesty ones. I do kind of like a little spice sometimes so I'll get the spicy ones. But since you're just getting started and you don't really know, you're very unsure about it, I would go. Be careful, I'm a newbie in the pickle world, yeah. I don't want to scare you. I don't want to do too much too soon. So I think you just start with the plain dill pickle pickle pop, OK.
And usually they're green, they're long, you know, and they have like a little pickle picture on top of it. It's like a pickle, like a pickle man with a hat or something. It's, it's just a, it's a, it's a delightful treat. I think it's a surprising treat and it gives you that salty. So especially if you're a savoury person, I feel like it gives you a little bit of that salty, but it's it's frozen. So it's kind of refreshing. Jim, have you ever had a pickle pop?
I have. So Kia pointed out something that I said. They were nutritious. So I'm a baseball nut. And by the way, when we're recording this opening day is tomorrow. Shout out to my friend Arturo. We're going to be following. We're going to be texting, but it's a game that starts in spring, goes all the way through the summer.
The World Series is in October. End of October is very cold, but there's that point in the middle from Memorial Day to Labor Day, especially in July where you're out there in the sun playing baseball. You get dehydrated. That's what the pickle pop, what I thought it was invented for, was getting those electrolytes and getting your water at the same time. Now I want to point something out because I'm a big pickle fan. I also like olives. Is that the only type of pickle that isn't the color
of Kia's background? You can also pickle things like garlic cloves, carrots, and my favorite which is pickled. What are those things called? Cauliflower. Pickled cauliflower is like heaven on earth. I don't even know what to say at this point because I, I don't, I don't, I don't, I don't know how we can top pickle pop talk. My wife used to run marathons. I, I, I'm going to have to ask her about this. I'm like, Hey, have you heard
about this? Because she's always been talking about like, you know, like she has these gels and electrolytes, right? And all that stuff that for endurance running and etcetera. But I've never heard of pickle pop. And now you're starting to say that there's other pickle or other pops like cauliflower, I mean. Are these just my vegetables? Yeah, I know. That's the most delicious other than frying broccoli, which is like fried broccoli is awesome.
But if you pickle things, things that you didn't like before, you might like now. You don't like pickles, so probably not. But pickled cauliflower is pretty awesome because cauliflower is like, doesn't really have much of a flavor, so you just get the pickling flavor. So what I need is like a pickled chocolate chip cookie. That's kind of what I'm looking for. If they make that, then I will definitely try that. So I'm going off the rails here
at the. End that that is that I don't know about that one, but I I am a fan of olives. I'm a fan of most things that are pickled and I, I agree wholeheartedly with Jim's sentiment that you pickle something and it it almost automatically tastes better. I don't know, it's something about the process or infusing it. It just gives it a different kind of flavor. But the pickle pops, I'm sure you're going to come back and be like, you know what?
That was surprisingly tasty. All right, I'll give it a shot. I pulled up this. Will be known from here here for it as the Pickle Pop episode. The Pickle Pop episode never covered it. Before I even I picked. I chose a background for you because of that, right? A little subliminal advertising. I got you. Obviously. All right, we're going to go ahead and leave it there for this week. Kia, thank you so much for sharing the time with us.
I'm sure there's so much more we can get into, and like I said, hopefully we'll come back and have another conversation. I'm going to have your LinkedIn profile and our show notes for people to check out in case they have questions about compliance or if they have a favorite pickle pop flavor that you want to try. Either way, yeah, let's talk about it. So yeah, with that, we'll go ahead and leave it for this week. You can find us on the web, idacpodcast.com.
Check out our YouTube channel, idacpodcast.tv. We'll take it right there. Do all those cool fun things that helps Jim and I out. Get great guests like Kia on, like subscribe, share with friends, share with enemies, doesn't matter. As long as people are listening, that's all we really care about. So with that, we'll go ahead and leave for this week. Thanks everybody for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center.
We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
