Webinar Recap: Overcome Compliance Challenges
Failing to meet legislative compliance could cost your business millions in fines. Worse still, failure to meet regulatory compliance could trigger an operational standstill.
Without a dedicated team of compliance professionals, it can be difficult to keep up with constantly evolving standards. And they’re impossible to avoid.
Whether you’re seeking new professional partnerships, forging vendor relationships, entering a new industry, expanding to a new region, qualifying for cyber insurance, or simply looking to obey the law, your business will be up against new and increasingly stringent measures.
For help tackling this high-stakes topic, we invited three compliance and security professionals for a conversation. We discussed:
What compliance is, how it can be achieved, and what its chief benefits are.
Predictions about the future of compliance and what businesses should know now to prepare.
And finally, their best advice overall on how to get and stay on track to meet compliance standards.
Below, find a recap of the conversation moderated by researcher and writer at NordPass, Zoë MacDonald, with:
Alexis Robinson, head of U.S. government security & compliance, AWS
Amber Pearson, head of U.S. security engagement, AWS
Nicole Klatt, security assurance compliance lead, AWS
Ty Brush, divisional vice president of sales, A-LIGN
Or listen to the conversation in full, here.
What is compliance?
Compliance means following the rules. And the governing body of those “rules” determines the terms.
Legislative compliance means obeying the law. One example is the GDPR, which applies to all businesses offering goods or services to clients located in the European Union.
Recently, both the US and Canada have drafted similar data privacy legislation, the American Data Privacy and Protection Act (ADPPA) and Consumer Privacy Protection Act (CPPA) respectively.
If passed, the former will be the first federal privacy bill regulating use of consumer data in the US. The latter will replace the outdated Personal Information Protection and Electronic Documents Act (PIPEDA) with an important amendment. Under CPPA, individuals have the right to sue businesses for violations.
Regulatory compliance may also include legislation but usually refers to guidance that applies to organizations in certain industries.
PCI DSS, GLBA, and HIPAA are all examples of regulatory compliance. PCI DSS has a global application for all entities that “process, store or transmit cardholder data.” GLBA and HIPAA pertain to American organizations in the financial and healthcare sectors correspondingly.
The third category of compliance relevant to this conversation is certifications compliance. These certifications are voluntary in the sense that they aren’t mandated by law. However, increasingly, they are popping up in vendor agreements and considered a necessary component for building trust.
SOC 2 and ISO 27001 are two examples of certification compliance. Both concern data handling and security.
Brush defines the umbrella of corporate compliance succinctly:
What we always tell our customers and people we’re speaking with is that compliance is really following an agreed upon best practice.
- Ty Brush
Divisional Vice President of Sales, A-LIGN
Though best practices for different contexts vary, through-lines exist. At the heart, you will find the handling of “sensitive data.”
But which data is considered sensitive? That depends.
According to Robinson, “sometimes it’s subjective, but sometimes it’s going to be very prescriptive.”
For different industries it’s very clear what data is [considered sensitive]. Obviously for financial institutions, personal information and payment card information is considered highly sensitive information. From a government perspective, it can be a little bit more subjective.
- Alexis Robinson
Head of U.S. Government Security & Compliance, AWS
The Department of Defense considers military strategy and plans sensitive. For the healthcare industry, it’s medical records.
In all cases, “sensitive” suggests that the data has high value and should be protected, the specific manner in which is detailed in the relevant regulations.
Risks of non-compliance
We can look at the consequences of compliance failures in two different ways. One is the punitive damage that comes from not following the rules. That might mean a steep fine, or in a so-called “comply-to-play” scenario, an inability to do business at all.
The other is what might happen as a result.
Brush uses the speed limit as an analogy. The speed limit is the law. You can assess your compliance with your car’s speedometer.
The punitive damage for violating the speed limit is a speeding ticket. But even if you’re not caught in the act, you may have worse consequences in store. The risk of putting yourself, other drivers, or pedestrians in danger is the unwanted outcome this law was written to prevent.
Playing fast and loose with personal data is recklessly fast driving. A data breach is the ensuing car wreck.
A leak of protected health information (PHI) due to improper handling violates HIPAA but also has personal consequences to the individuals whose data is exposed.
Robinson’s summary of non-compliance risk includes another factor: reputational loss. Pearson agrees, and stresses that the impact of this should not be underestimated. The notoriety that often comes with a public mishap can result in a loss of trust that’s difficult to rebuild.
Beyond “checking the box”
Understanding the severity of the risks, the experts described a more holistic approach to compliance. Ideally, being compliant involves obeying the spirit of the law as much as the letter of the law — as a complement to a coherent security program.
In fact, according to Klatt, prioritizing security without compliance could leave businesses with blindspots.
You can go a little farther in the security space by remaining compliant: you can find things that you maybe didn't see.
- Nicole Klatt
Security Assurance Compliance Lead, AWS
How NordPass Business can help
The “yin and yang” relationship between security and compliance comes, in part, from the shared goal of data protection. Steps to safeguard it will improve your business’ posture for both.
On how businesses can do that, Pearson said:
There's many tools out there available to help you categorize that data and learn how to better protect it.
- Amber Pearson
Head of U.S. Security Engagement, AWS
One such tool is NordPass — which offers end-to-end encryption for the secure storage and sharing of passwords, payment information, and notes.
NordPass makes strong, hard-to-hack credentials seamless for your business and offers multi-factor authentication — two common regulatory compliance standards. You’ll find one or both mentioned in HIPAA, GLBA, PCI DSS, NIST guidance, and CIS benchmarks.
More broadly, NordPass Business helps businesses to improve access controls — ensuring unauthorized users are kept out. In the compliance space, this is a common recommendation under the overarching principle of data confidentiality.
And this principle is one that holds true across industries and global regions. In a report published this year by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom on “Weak Security Controls and Practices Routinely Exploited for Initial Access,” the suggestion to “control access” tops the list.
In it, of the ten most exploited vulnerabilities identified, four can be helped or resolved entirely by a robust password manager.
Where it’s not suggested outright, given that almost half of all breaches depend on stolen credentials, storing them securely is an essential step in preventing a leak that may lead to non-compliance.
Finally, cybersecurity software that reduces your business’ risk profile will improve your candidacy for cyber insurance.
Password security for your business
Store, manage and share passwords.
30-day money-back guarantee
Get advice from compliance professionals
Want to learn more about compliance? Listen to the conversation in full to learn how to:
Foster a culture of compliance in your organization.
Ensure compliance standards are met when dealing with outside vendors.
Prepare for the future of regulatory and legislative compliance guidelines.
To listen to the conversation in its entirety, check out the full recording of the webinar.
Subscribe to NordPass news
Get the latest news and tips from NordPass straight to your inbox.