Is compliance a cost center, or a growth strategy? In this episode of Next Level BizTech, Josh Lupresto sits down with Telarus Security Solution Architect Trevor Burnside to explore why compliance should be viewed as a revenue driver, not just a regulatory burden. They break down how frameworks like SOC 2, HIPAA, PCI, ISO 27001, and CMMC can help businesses win opportunities, build trust, and reduce third-party risk. The conversation also covers GRC, audit readiness, AI risk, and how advisors can position cybersecurity as a true business enabler.
Video Transcript
Transcript is auto-generated.
Telarus Studio (00:01)
Welcome to the podcast that’s designed to fuel your success selling technology solutions. I’m your host, Josh Lupresto, SVP of sales engineering at Telarus, and this is Next Level BizTech.
Everybody, welcome back. We got a good episode for you today. We’re talking about “compliance isn’t a cost, it’s a revenue strategy.” On with us today, I think we were trying to reminisce, I think this is the third-time returning guest, Mr. Trevor Burnside, security solution architect at Telarus. Welcome on, dude.
Trevor Burnside (00:29)
I think so.
Thanks, appreciate it. Happy to be back.
Telarus Studio (00:36)
We got to figure this out. You know, so many of these technologies, I think the end customer always thinks it’s a cost, right? And I think you’ve got some good angles here that, no, it’s not about cost. You got some strategy behind this. So I’m excited to unpack some of these secrets. I know you got them up there, man. You got a lot of secrets, but some you can’t share.
Trevor Burnside (00:58)
Yeah,
yeah, no, yeah, I think there’s a, we try to flip kind of that narrative that security is a cost center to an organization. And in a lot of ways it should be a growth engine or enablement center. Compliance is certainly one way that we do that, what we’re going to get into today. But there’s a lot of ways that I think advisors can be tackling this and changing that narrative, not just for themselves, but also for customers as well.
Telarus Studio (01:26)
Okay, so let’s jump in then. Okay, so if you think about how it feels like most people think of compliance, it’s, my gosh, I’ve got to follow compliance so that I don’t get sued or I can avoid whatever fines. But walk us through, why are we looking at this as it’s a revenue strategy and not a cost?
Trevor Burnside (01:44)
Yeah, I mean, lately there’s a lot of discussion about what we would call third party risk management in a lot of different ways right now. One being, you know, we’re not too far in the audience, but I’m gonna bring up AI just because, you know, we got to at this point. You look at the amount of compromise occurring from third parties. You know, if I’m an organization, I’ve got a bunch of different vendors that I work with.
A lot of compromises today are coming through that supply chain or those third party vendors that people allow into their environment through access for whatever means. And they’re getting compromised. And even though you did everything you were supposed to, so to speak, you get potentially compromised by a third party. When you look at AI and you look at all of the risks that occur, there’s organizations that are going through that risk management process of, okay, what do we want to adopt? What are the risks associated with it?
How do we mitigate those risks? Not everyone’s doing that to the same degree or at least going through that risk management process. So others are adopting it much quicker, faster, and maybe not going through, you know, checks and balances on risk mitigation. And if you’re still working with them as a third party, you may be compromised, you know, from their inability to actually go through the process. So third party risk right now, it’s always been big, but now just with the advent of AI, of course.
like everything else in cybersecurity, shines a spotlight on all of the basics. And this is certainly one that we’ve been talking about a lot.
Telarus Studio (03:12)
I guess in some instance here, it’s not so much that there’s avenues to have it, you obviously go from cost center to revenue strategy, but it’s more about it’s a strategy that you can’t avoid, right? Because part of the strategy is I have to pay attention to this. And sometimes strategy is what you do, but it’s also what you don’t do. And I suppose a lot of the people that we’re seeing, and we’ll get into this a little bit, but it feels like, you know, they’ve maybe looked at this as, like, I don’t want to do it unless I have to. So I think we’re
Let’s unearth that a little bit here. Let’s give a little bit of a reset. I think you have one of the coolest backgrounds out there on why people should listen to the words that are about to come out of your mouth. So besides the fact that they already know you’re awesome, all that good stuff, I just want to give a little more color on this. So you’ve been in a role here, you’ve moved your way up, and most recently you went from field solution engineer, which means, I cover all the things, right? I don’t know what’s going to get thrown at me too.
I am now the security solution architect. So, you know, I think you’ve got a cool background. And for anybody that hasn’t heard the stories before with your military background, that’s awesome. Cool stuff there. The stuff that you’re sharing and stuff that I’m still trying to get you to share. And then, you know, you’ve recently done the master’s degree in security and then, why not, the trifecta, the CISSP. With all that, you know, kind of setting that up.
What is the security solution architect focus on and why do you feel like there’s so much opportunity right now?
Trevor Burnside (04:44)
Yeah, no, it’s a good question. And I think a lot of advisors maybe have a misconception of what it is, actually. A lot of people bring me into a conversation and say, this is my cybersecurity expert. And to some degree, obviously, I’ve got expertise in cybersecurity. But really, overall, there’s so much involved in information security and cybersecurity that one person cannot physically be an expert in everything. Now, what
I do like about the solution architect role and what I tell people it does is, one, it’s all about context. It’s understanding the CIS, well, CISSP, CISM, all these different certifications we take, the master’s degree, all these things give us context so that when we’re actually talking to someone with an opportunity, a client or prospective client, we can take that context and apply it to what they are doing and what the problem sets that they have.
And so we can actually what the actual architecture, you know, is part of that role is that solution architecture of, okay, I know that there’s a, what your problem is. And I understand how we can solve that. Now we don’t know exactly, you know, what platform may be or what vendor we’re going to do, but understanding the problem set is the biggest thing that I think we bring to the table of I see the pain point. I know we can find a solution. Let’s architect it not only to, from a technical perspective,
but from an outcome. And I think that’s where that context comes into play of is the solution I’m going to bring to this problem going to give the outcome that the customer is asking for. And I think that’s really what the solution architect is designed to do.
Telarus Studio (06:24)
So let’s think about compliance as a door opener. So can you walk us through a real world example? Somebody had a requirement, a compliance requirement. Maybe this is HIPAA for healthcare or PCI or SOC 2. Walk me through one of those where it actually helped a company unlock more opportunities and it wasn’t just this, gotta do this, I gotta get compliant.
Trevor Burnside (06:47)
Mm hmm. I mean, back to kind of what I was saying about third party risk management, a lot of companies are getting more stringent on who they will do business with and who they’re going to allow into their environment. SOC 2 Type 2 is obviously going to be big in the United States. ISO 27001 is going to be big internationally, where people might have hard lines in the sand that say, hey, if you capture my data or we work together from a cloud perspective, you’ve got to be SOC 2 Type 2 compliant. What that looks like if
I’m a company or a cloud service provider or I’m a SaaS provider: if I don’t have some of those certifications, I’m essentially locking myself out of potential business that I could be having if I were to go after those solutions or certifications. The other side of that coin too that we’ve run into is companies that want to start to go through, or they find a client, they have a prospect, they start talking to them,
and they get to that signature, they get to the end of the negotiations and they say, send us your SOC 2 Type 2 accreditation and we’ll sign, right? Like, yeah, we’ll send that right over and then they, off the call, swivel to their left to the IT guy, say, what’s SOC 2 Type 2? And then they throw their hands up, right? So it’s not something that’s gonna be done easy or quickly. Usually there’s a lot of preparation. There’s a lot of controls that need to be put in place.
Telarus Studio (07:49)
Huh? What’s that?
Trevor Burnside (08:12)
And that’s just for one, that very specific certification. There’s lots of frameworks that can get you in or keep you out of business. I mean, we’ve been talking a lot lately about CMMC, the Cybersecurity Maturity Matrix or Maturity Model, excuse me, basically set out by the DoD or the DoW. If you’re going to do business with the federal government or the DoW, you’ve got to be CMMC 2.0 compliant.
There’s a lot we can talk about that, and we’re probably gonna talk about it a little bit. But just to kind of give you a real-world scenario: a year ago I started talking to this client that I actually just met with a couple weeks ago. We started talking about CMMC a year ago before it was even finalized, you know, they’re still kicking the can, things were still changing. They had started that, and we were talking to them, and they’re like, I was not sure if we’re gonna, you know, is it worth it? Maybe we won’t work with the government anymore.
A whole year later, they came back and said, okay, now we want to start. And, you know, starting is great, but they could have started, made preparations a year ago. They could have been well on their way by now instead of starting, you know, and losing that whole year. So there’s certainly, you know, things to consider when it comes to loss, if you’re not going after these different certifications.
Telarus Studio (09:33)
You know, I suppose it’s a good lesson learned in, you know, the time of the deal cycles. You know, we’re often used to going, okay, well, when does this contract expire? When does that contract expire? Okay, let’s talk about it, you know, maybe a couple months before, we’ll start looking at options, because it takes us that long to get whatever new thing in. But I suppose, to your point, if people are coming in, if the end customer is thinking, I have this misconception that this is just a checkbox, like, I just need to say that I have it and I did it.
And we’re sitting here saying, no, this is a journey that you have to go on and it is going to unearth some things that you might not like. So let’s find them to your point before somebody else does. Then we really need to be teeing these conversations up to your point. We’ve got to do them sooner probably than anybody expects, I suppose.
Trevor Burnside (10:16)
Yeah, I mean there is that side of the coin. There’s a lot of people who say, you know, compliance isn’t cybersecurity. Just because you’re compliant to something doesn’t mean you actually have an effective program. And fair enough. Now I’m not disagreeing with that. What it does do though is it shows that you’ve met certain baselines or certain, you know, standards that you guys uphold, and that’s going to get you in the door. So kind of going back to that, you know, cybersecurity as a growth enabler.
Having those different compliances and going after those compliances just opens up markets. Of course, we need to focus on actual controls and making sure that we’re detecting and remediating as fast as possible. And we don’t confuse that compliance and actual cybersecurity progress or, I guess, posture management, because they can be two different things, but they shouldn’t be overlooked either because it can certainly play into that growth enablement.
Telarus Studio (11:14)
So let’s let’s set the stage then for GRC. So let’s simplify it a little bit, right? So we hear this acronym all the time. GRC governance, risk and compliance. So I think it feels a little abstract. You know, I, I’m a nerd. I like to get tactical. What does that mean? How do I apply it? So we’re going to talk about how to spin this into a sale in a second, but let’s lay the groundwork here. So if an advisor has got to explain GRC to a customer in plain language, how do they frame it?
Trevor Burnside (11:42)
Yeah, I mean, on the practice, it’s kind of become its own practice in the sense of, you know, you talk about risk, there’s risk management involved, governance, obviously, there’s policies and governance involved, but there’s platforms now, GRC or Governance, Risk and Compliance tool sets. There’s managed compliance that could include GRC. Really what that is is when you’re looking at certifications or cybersecurity frameworks,
compliance regulatory environments. It’s mapping your environment to those controls or to those frameworks and seeing how close you are to them, what you need to work on. It also kind of bridges into change management. So maintaining your compliance. Just because you’re compliant today, you add some new system or something changes or a version of a software doesn’t update, you may fall out of compliance tomorrow, even though you were
compliant yesterday. So a lot of those tool sets are getting into what we call GRC platforms, which would be, you know, documentation management, audit readiness of templatizing policies and templatizing reporting and things like that. So to make it easier. How GRC has been done kind of in yesteryear and really most, you know, a lot of companies now, are spreadsheets, right?
The final version 3.1.1.0, no really, this is the last one, dot dot 2.0, right? Everyone’s seen those spreadsheets. Moving away from that to an actual living application that can API into systems, that can take real-time data, let you know when change management does occur, what’s falling out of compliance, so you can go and remediate those quickly. And then obviously, having documentation ready for audits, ready to go, that’s…
Telarus Studio (13:08)
That’s
Trevor Burnside (13:35)
you know, depending on your industry, that could be a main, you look at finance or financial verticals, a lot of those guys move from audit to audit to audit and that’s what consumes their life and also their cybersecurity initiatives are based on audit to audit to audit. So if you can make that easier, the audit process, and streamline that, that’s…
right now a big area in GRC that we’re talking about of these platforms that can automate and add AI.
Telarus Studio (14:07)
So, all right, so that’s an awesome, I think good groundwork for anybody that didn’t understand GRC. So now if I take that and I want to have that conversation with my customer, maybe I’m sold this customer some other things or I’m approaching a new customer, how do I, as an advisor, start that conversation about GRC earlier and position myself strategically with that end customer?
Trevor Burnside (14:32)
I would always do some background research first on who your customer is, whether you’ve known them for a long time or not. Just check, see what industries they’re in, what could they be governed by from a compliance perspective? HIPAA compliance, PCI, CMMC, even some small manufacturing companies that make this little widget, but that widget happens to end up on an F16 jet, right? They could be CMMC compliant. There’s a lot of different things that…
we can, one, check out and make sure, just do some open source research on your clients. And then also ask them, what’s governing your buying process? And then when they tell you, we’re obviously healthcare, so we have to follow HIPAA, do some basic research into HIPAA about what are the controls needed? What do I have to, what does my customer need to think about? And then any of the solutions that I’m gonna bring them is gonna be
focused in that lens of a HIPAA lens or a PCI lens or a CMMC lens. And that’s really where from an advisor, I think you’re going to have value to that customer of not only are you, are you giving me good feedback and good, you know, resources to potentially solve problems, but you’re doing it in a lens that’s personal to my business and what we care about and what’s us as an organization.
Telarus Studio (15:55)
I love it. All right, let’s think about the end customer here. So I want to know, where, we talk to a lot of end customers, right? So let’s think about where does a company get it wrong? So we got, you know, we could go multiple choice here, or we have, you know, option, whatever, D, all of the above. Is it tools that they get wrong for compliance? Is it documentation? Is it culture? You know, where do we see the most,
you know, where they’re failing?
Trevor Burnside (16:27)
So oftentimes when organizations have somebody on staff that’s assigned like the compliance officer or you’re the GRC guy, right? And you’re gonna take this on and you’re gonna make sure we’re compliant. I see a lot of times they’re not given the resources that they need to be successful to the amount that they could be. Oftentimes it’s one person, right? That’s handling that process. Even for larger security organizations, they may have just one GRC guy.
and they could be running spreadsheets and they’ve got all sorts of SharePoint repositories and they’re capturing all this data and their document management. And sometimes they feel like if I don’t have my claws on everything and I’m not doing it myself, then I don’t know where it is and I don’t have control. But also they’re duplicating efforts, they’re duplicating work and they’re doing stuff again and again and again. So there are more modern applications we can help with and modern tool sets that we can use or
offer those GRC analysts so that they’re more responsive, they don’t have to duplicate efforts, and they can spend time doing the things that they need to do rather than just updating documents. They can actually create policy and push policy and inform change management and some of those other things that we talked about. So that’s really where I see people getting it wrong is that…
The people that are doing the job don’t know the market well enough to know that there’s tools out there that can help them from an automation, or they don’t have a loud enough voice in the organization to get the needed help that they could. And some of that should probably be outsourced instead of just having one person.
Telarus Studio (18:05)
So I never thought I’d say this about spreadsheets and speak ill of them, but is the red flag the spreadsheet guy then or gal?
Trevor Burnside (18:13)
I always ask when I get in the conversations of, when I’m talking to somebody and they bring up GRC as something in their role, I say, are you the one managing the spreadsheet? And I always get chuckles. There’s always the laugh. Is it version three, final, final? And they laugh and say, yeah, we’ve got something like that. And I say, there’s always a better way. And a lot of these tool sets are actually not expensive. There can be some…
delay in getting those set up, moving documents, migrating documents or setting up templates or things like that. But once it’s set up correctly, you can have a much better life maintaining your compliance and then adding additional compliances. Your setup, that organization that’s adopting GRC tools, is better positioned to adopt other frameworks because they already have one single source as their North Star, so to speak.
Telarus Studio (19:08)
Are you seeing some of these, we’re talking about the GRC tool as an example, we’re talking about, you know, they’re not ultra high price, they don’t have to be. Is that a, are you seeing it on a per user basis? Are you seeing it on just kind of like a company tenant? You know, one, it’s everybody, or maybe what’s some of the low end just to give advisors kind of some ballpark ranges here.
Trevor Burnside (19:27)
Yeah, usually it’s based on licenses and that can, what I’m seeing normally is one to three licenses per organization. A lot of these things, you don’t have to have a license for every single user where you can delegate through that platform. Hey, HR needs to sign something or they, we need an HR review. Of course you’re not going to give HR their own login or their own license. You know, that might be overkill, but a lot of those things you can delegate out through those platforms and they can, HR can still accomplish what they need to,
and you don’t have to buy another license. So it can be very economical for a lot of organizations, even smaller ones.
Telarus Studio (20:03)
All right, so if I’ve been scared of, you know, you’ve called out some realizations, I’m the end customer, I realize I need to do something, what’s the first practical step to start to build? I mean, okay, let’s say second step. First step is get Trevor involved. What’s the second step to start to build a real, you know, GRC program?
Trevor Burnside (20:26)
I think, one, it starts with determining again what that North Star is when it comes to the organization. Are we governed by something? Are we a regulated industry? Do we have to go get HIPAA to keep our doors open because we work in healthcare and we have HIPAA data? Those things are just gonna be realities. But determining what’s that North Star and then how do we get there if we haven’t started.
Or if we’ve already started and we’ve kind of stumbled through it, it’s how do we maintain and how do we maintain change management so as to accommodate what the business is looking to do, the business objectives. So of course, now again, back in this age of AI, right? As we’re looking to adopt, or the organization says, we need to move fast, we got to adopt these new things, we want to do this, we want to do this, the environment is going to change drastically and we would,
as the security or the information security team, have to remain compliant, but we want to enable the business to do what it wants to do. And a good GRC practice is a way to do that so that you can enable that business to go after its objectives. And a lot of that just comes down to that positioning of a tool, a platform that’s gonna keep us on our North Star road.
Telarus Studio (21:44)
So back to the AI thing. We have to say AI at least 12 times. It’s in my quota. Yeah, it’s in my quota. I think we got to add it to yours. Let’s think about the future here. So right now we’ve got model disparity. We’ve got tool sprawl. We’ve got all of these different things, even worse than we ever had before. So you got AI adoption moving so fast.
Trevor Burnside (21:50)
by law and now at this point.
Telarus Studio (22:10)
How does the compliance conversation evolve? Are the frameworks changing? Are the expectations changing? What are you seeing? I know you got some interesting thoughts here we were talking about before we kick this off.
Trevor Burnside (22:20)
Yeah, there’s a lot of moving targets right now, I think, when it comes to AI, especially with how fast it goes, right? There are purpose-built platforms that are addressing AI right now when it comes to GRC. And we can certainly talk through what those are. And if there’s clients that you have or that advisors have that are facing those things, we can talk through a lot of that. But there’s things that are changing so fast that the market’s trying to keep up with it. For one example, right?
We’re talking about, I was talking earlier to somebody today who said, as long as you have the right guardrails put in place with AI, you should be fine. And I said, well, typically we wanna make sure there’s guardrails in place and we wanna make sure they’re addressing the risk, but you have to look at the actual application of AI because there’s unintended risks that you could be taking on when you look at more like agentic type tools that get access to a lot of different platforms.
One specific example, we talk about confused deputy attacks, which if you haven’t looked into it, very interesting words. A confused deputy attack is when a system that’s underprivileged gets access to a system it doesn’t have access to through a back channel, through another system that does have access to it, which is, I just explained AI or agentic AI in some ways, right? Hey, I’ve got my model.
Maybe I don’t want it to access my super critical applications, but it has access to other systems that do, and it can tell those systems to access it for it on its behalf. And a lot of those systems don’t have guardrails in place to understand what’s malicious or what’s an actual authorized request. It just takes the request and pushes it. So we could still have guardrails in place and miss those risk areas, right? So now we got to move into like the runtime detection type discussion.
And that’s a moving target right now. So there’s a lot of things that, you know, from the compliance side, you might want to go after a specific AI model. And that sounds really cool. There may not be a compliant way to do that right now.
Telarus Studio (24:28)
Yeah, you know, I guess the issue with AI is one day what we talk about, we set something up, and then the next day it’s different. Talk about, you know, compliant and then non-compliant. I think you got this example of, you know, you use open claw, right? I mean, open claw is this, you know, open source agentic platform, super easy, interconnect all of your things. But if you go in, if you’ve ever done an open claw configuration, it literally has a,
it’s a bunch of markdown files, right? It’s what does the agent live and do and breathe as it goes about its day, and it starts that day by reading the markdown files. And so one of the markdown files in there is its soul. It’s called soul.md. And so that soul tells it how to live and think and become more human. It literally says that in the instructions, how do I become more human every day? And so I’ve, you know, I set these things up in isolated environments and I
give very limited control, very limited everything, because I don’t know if it’s going to get off the rails. And sure enough, this thing that I set it up to do, I said, only do this at seven o’clock, run a cron job, tell me these things, do these things. And then all of a sudden at 10:30, I get a, hey, thought you’d like a mid-morning briefing. Here’s the mid-morning update. We went and did this. And I’m like, oh my gosh, I didn’t even ask you to do that. So it really, you know, that’s a safe example, but that could have
Trevor Burnside (25:45)
Mm-hmm.
Telarus Studio (25:45)
easily
been something else of like, you know, by the way, I noticed you haven’t used these files in opening eyes. So just got rid of it, or whatever the case may be. So to your point, if we put guardrails up, that’s great. You know, it’s not going to go grab another LLM. But what those tools are going to do in between, we just don’t even have any access to barely see that or understand what that is. So you know, this idea of, you know, software defined perimeter and sassing, all these things all of a sudden become even more important
Trevor Burnside (25:52)
Yeah.
Telarus Studio (26:15)
than they were before because if we don’t isolate, we’re in trouble.
Trevor Burnside (26:19)
Mm-hmm. Mm-hmm. Well, and you look at regulated industries, back to kind of the compliance question, of are they going to be behind because they can’t adopt, you know, some of these things as fast as maybe other industries potentially, but you look at the risk profile, right, of like a confused deputy attack of, you know, essentially escalating privilege through a back channel that you just can’t have. So I think there’s unacceptable risk in a lot of these things currently.
Telarus Studio (26:46)
All right, final question here as we wrap this up. Think about if you could give every advisor just one mindset change, one mindset shift when it comes to security, compliance conversations, any of that, what would it be?
Trevor Burnside (27:05)
I harp on this all the time, that if you have a customer who’s in a regulated industry, if you’re going to align with them and be their advisor, you gotta know what’s driving their business. And a lot of that can be compliance. There’s so many tools available now to understand the compliance that I don’t think there’s much of an excuse anymore. Like, I just don’t know HIPAA, I don’t know what’s in HIPAA, I don’t know what’s in PCI, I don’t know these things. Surely now,
in today’s age, you don’t have to go read the regulation to get a decent grasp of some of the basic controls. So I always recommend advisors, if you can talk even just a little bit about the governance that governs those regulated industries, you’ll have way more credibility with them than you would before. And I see it over and over and over again. The partners that can talk towards those regulated industries and talk about that compliance,
it’s a game changer because you’re speaking their language. The second thing I would say is we got to stop looking at cybersecurity as a cost center and just an insurance policy for the organization, because it can be and should be so much more. It should be aligning with business objectives and letting the organization accomplish what it’s looking to do in a safe way. And to me, that’s really what cybersecurity is all about, is enabling the business. And
too much, I think, we look at it as, again, just that insurance policy that we pay every month, but no one really wants.
Telarus Studio (28:39)
Love it. Great place to wrap it, man. Lots of good nuggets in there. Thanks for coming on, man. We gotta have you back a fourth time, I think. I think we gotta push the envelope here. Awesome. All right, everybody, as always, don’t forget, these episodes drop every Wednesday. Go to Apple, go to Spotify, wherever you’re at, so that you can get these notifications. Subscribe, and you can get them as soon as they come out.
Trevor Burnside (28:47)
Yeah, I’d love it. Yeah, appreciate it.
Telarus Studio (29:03)
Until next time, I am your host, Josh Lupresto, SVP of sales engineering at Telarus. This has been “Compliance: not a cost, a revenue strategy,” with Security Solution Architect Trevor Burnside. Until next time.