HITT- Understanding governance, risk, and compliance in business- Sep 23, 2024
This HITT discusses governance, risk, and compliance (GRC), emphasized as a critical priority for businesses. Jeff Hathcote and Jason Kaufman, solutions architects in cybersecurity, highlighted the distinctions between compliance and security, stressing that compliance does not inherently ensure security. The session covered significant regulations like CMMC, HIPAA, and PCI DSS, underscoring the necessity for organizations to understand and adhere to these frameworks. It was noted that GRC is a collective responsibility that involves all employees, not just IT, and that proper training and awareness are essential for compliance. The discussion concluded with an appreciation for participants and a commitment to future engagement.
Introduction to Governance, Risk, and Compliance (GRC)
But first up, I have our HITT focus today. It is on governance, risk, and compliance, or GRC.
These have become top priorities as businesses navigate the complex landscape of today’s digital world.
Today’s training will help you understand GRC, placing you in a better position to assist your clients in their responsibilities to ensure compliance.
Today, we welcome our solutions architect of cybersecurity, Jeff Hathcote, and also solutions architect of cybersecurity, Jason Kaufman.
So, Jeff, Jason, welcome back to the Tuesday call. I’m glad you can join us today. I’m happy to see you both together, and take it away.
Hey, Rachel. Thanks for having us. So, as you can tell, we’re not in our normal setting.
Jason and I are are in Atlanta, Georgia today.
We’re usually across the US from each other.
He’s usually in Colorado, I’m usually in Colorado, but today we’re sitting right next to each other in Atlanta at a partner advisory council. And believe it or not, a lot of the conversations that we have deal with what we’re going to be talking about today. We’re not gonna take a lot of time, because if you get either one of us talking about GRC, risk management, compliance, that conversation could go on for days.
And days. So we’re not gonna do that to you. If you do wanna have a deep, deep conversation and really get in the weeds, call Jason, because he loves to do that. And then he’ll call me.
Right? Is that how that works?
Basically, you know, just the file.
But anyway, let’s go ahead and get started, everybody. If you have specific questions, feel free to drop them in the chat.
Understanding GRC Components
We won’t necessarily be seeing it, but Rachel and her compatriots will be able to let us know if there are any deep burning issues. Some of the stuff, obviously, we’ll just have to take offline. Right? So what is GRC, Jason?
We get this question a lot. People call us and say, hey. We need risk management. We need a particular compliance.
This kinda spells it out. So GRC is just a grouping of these terms. So governance. Right?
You can see on the screen it is the rules, the policies, the processes that we put in place to set that standard for an organizational behavior set. And then, obviously, we have risk management, which most people know. And if you’ve ever been on a call with me, you know that cybersecurity in and of itself really is risk management. It’s a level of risk management.
So that is going to help us determine those areas that are exposed, where there’s potential risk. And then the compliance piece: this is how well we as an organization adhere to the regulations and the standards and the policies and so forth.
So that’s a very high level definition, I guess you’d say.
So I do wanna ask a question, though.
Is compliance the same thing as security? No.
The reason Jason says that is because a lot of folks do get confused. So just because you are compliant does not mean that you are secure. Right? People think that they’re one and the same.
If you are secure, you’re probably closer to being compliant, but they’re not the same thing. So do not get confused about what compliance and security mean to each other. They’re very important. All of these things are very important, and you will have the entire GRC categories within a cybersecurity architecture, your cybersecurity plan.
But if you say I’m compliant, that does not necessarily mean you’re secure. And if you say you’re secure, that does not necessarily mean you’re compliant either. So I know there’s probably gonna be a lot of questions on that, but feel free to reach out. Drop it in the chat, and we’ll get to you, maybe offline.
Or you can always drop either one of us, Jason or me, a note, and we’ll help you out with the question.
So let’s... I’d like to think... sorry.
Don’t mind me, I’ll interrupt real quick. I think I’d like to think of compliance as, like, a bare minimum. Somebody set a standard. Somebody came in and said, hey, you need to hit these specific controls in order to hit our checkbox of here’s your attestation.
Yeah. And you’ll see this. Right?
So, you know, back in the day, I’ll use cybersecurity insurance as an example. Back in the day, whenever I was young, forty, fifty years ago, we would check boxes saying, yeah, we do this. We’re compliant.
Yes. We do this. Yes. We do this. And that was you saying that you do it.
In order to get the full impact of the GRC piece, you not only have to say you do it, you have to prove you do it. And so that’s one of the bigger pieces of the entire GRC piece: not just checking a box, but ensuring that you’re checking the box because you are doing it and you can prove that you’re doing it. Make sense? Yep. Cool. Alright. Let’s roll to the next slide then.
Real-Life Examples of GRC
Let’s drop it into something we can all understand. We all have GRC in our lives. Right? We are all having to deal with compliance, and I use the IRS. Or, Jamie, this is something we do in the United States, just so you know, brother.
So we all have to pay taxes. We all have to spend time preparing our taxes. We actually pay taxes throughout the entire year.
We do, you know, we have the governance, which is the tax code telling us, you know, how taxes are prepared, how taxes are paid, when to pay them, how to pay them, and what to pay. Right?
Well, they know the amount. We have to guess what it is.
We have to guess what it is.
They have to make sure it matches up with what they know.
Right. And then the risk management piece is lowering our tax basis to the lowest level that we can, legally. Mhmm. Right? And then the compliance is making sure that you’re doing the right thing, that you’re paying your taxes, you’re filling out the forms correctly. Correctly being a big word there, because failure to do all of this makes for a really, really bad day, or week or month or decade.
So, we want to, understand that a lot of people say, well, I don’t have to worry about compliance. Well, no. You do. If you are a United States citizen, you do have to worry about compliance because you are a taxpayer.
And every April fifteenth of every year, guess what? You’re going to have to prove out this is what I made, this is what I paid, this is what I owe in excess, or this is what you owe me. Right? Make sense?
So if I’m talking to a customer, if I’m performing risk management on my IRS taxes, I’m mitigating my risk as much as possible by how many write-offs I can have. Right. And finally, legally. Legally.
Yeah. Keyword, legally. You can prove it. Yep. And then finally, when I pay my taxes, that’s me accepting the risk of whatever’s left there.
And I’m being compliant. Yep. Yeah. Okay. So, hopefully, that makes a little bit of sense.
I’ve been accused of not making sense sometimes, but that’s for another day. So let’s move on.
The Organizational Nature of GRC
So one of the biggest hurdles that folks run into is, I’ll get a phone call, for instance, from a customer who is very, very IT-centric, an IT VP, CIO, director, and they’re talking about the whole GRC complex.
Well, make sure that you understand, as a technology adviser, to make it very clear that this is not an IT project. This is an organizational endeavor. Right? And I just grabbed this, it’s a fake org chart, so if anybody has one of these names, I apologize in advance. But understand that everybody in the organization, from the executive layer down to line staff, has a part to play in the entire governance, risk management, and compliance pieces of it. This is really no different than the sermons that I preach and Jason preaches about cybersecurity.
Cybersecurity is not an IT problem. Cybersecurity is an organizational problem.
GRC is a component of that, and it is an IT endeavor. Or, I’m sorry, it’s an organizational endeavor, not just focused on the IT folks.
Right? So you may get calls from customers that are in the midst of this, and it could be the poor IT guy who’s the one IT person in the entire organization.
And somebody just walked into their office, said, here, you’re in charge now. You’re in charge of risk. You’re in charge of compliance. You’re in charge of whatever.
Right? And they get freaked out because it’s a huge process. Right? And that depends on one person who may not have the information necessary that you see in finance, that you see in human resources, that you see in the other areas of the organization.
Right? And that’s why we call it an organizational endeavor. Make sense, Jason?
Yep. Even I understood that.
Wow. That’s that’s kinda awesome. That’s a gold star.
Any questions, make sure to throw them in the chat.
Key Regulations in GRC
Let’s go to the next one and talk about a couple of the things we’re hearing. Right? So Jason and I both focus on cybersecurity.
But part of that, and why we’re having this conversation, is the cybersecurity conversation always leads to risk management, to governance, to compliance, to all of those things. Right? And I just picked three. Right? There’s way more than this, but I think the biggest ones that we hear are related to the Cybersecurity Maturity Model Certification, better known as CMMC, and I’ve got a slide on that. And then the next one is HIPAA, which is the Health Insurance Portability and Accountability Act. So dealing with health care.
A lot of regulations around that. And then another one is the PCI piece, which is the Payment Card Industry. So anybody that takes credit cards, there are certain things that we have to follow from a compliance perspective.
Again, tons more of these things. But I think the most questions and conversations that I get, Jason, you may get something completely different, are around these three. Primarily CMMC and HIPAA.
Yep. Definitely agree. If there was an honorable mention, like, if we had a top five, I would definitely put SOC 2 Type 2 and the privacy laws. Because the GRC tooling is paramount for all the changes in the privacy laws, because you have a lot of the states that are coming into effect that are kinda copying the CCPA over in California, which is also copying, Jamie, GDPR.
Jamie’s got the GDPR piece. So, no, just adhering to all of those. Like, some states have minor changes versus the other ones, but you still have to go through that process in order to align with everything specifically that they’re asking for to get that compliance certification.
So, you know, I’d say if we had the top five, those two would be next on there.
Yeah. Good point. I just ran out of room on the slide. So one of the things to remember: if an organization is not, let’s say health care. I worked in health care for quite a while.
If a health care organization has a problem, has an issue, a compromise, and they find out that the HIPAA part of their world is not being followed, there are some massive, massive fines that come into play. Right?
Same thing with CMMC. And CMMC is one of those things that, typically, an organization that wants to do business with the government is gonna be required to hold.
And we’ll get into it here in a few minutes, but it’s going through some changes. CMMC in and of itself can be very confusing to a lot of folks. So let’s go ahead and talk about that, Rachel. We’ll go to the next slide. So CMMC 1.0, this is something that a lot of people are familiar with.
Navigating CMMC Compliance
We’re moving into CMMC 2.0, and, you know, because the government wants to do everything they can to help us, what they did was reduce the complexity, and I put the brain damage. Right? There’s still brain damage. There’s still complexity.
Right? But if you look at CMMC 1.0, there were five levels of it. And it started at 17 practices up to 171. That’s been reduced in 2.0, which is still being worked.
Right?
But level one is what we call foundational. That’s where organizations need to start. Right? I’ll have somebody call me and say, hey, we need CMMC. We need to be level three in the next week.
That’s gonna be hard. Right? Because as you can see, there are over 110 practices. And this is all based on the National Institute of Standards and Technology.
You may know it as NIST SP 800-171. Government loves numbers. Government loves acronyms.
But you’ll know that the NIST CSF, the Cybersecurity Framework, is what we call the gold standard, right, as far as frameworks.
So level one is you do an annual self-assessment. So this is part of checking that box. Right? Yeah.
We do that. We do that. And that’s where you need to start. You don’t build a house by starting with the roof.
Right? You start with the foundation.
And understand as we talk through this. Right?
And there are some complexities to this. I had a call just the other day with an organization, a very small organization. I think there were thirteen employees.
But they understood, hey. We’ve built a road map.
We know that we need to be at this level by this date, and it was a realistic date. It was, like, eighteen months down the road, and they were already starting down the path.
You don’t see that every day?
No. You really don’t. A lot of times, we’ll get that call. Hey, we need to be CMMC level two. Yesterday.
By end of day. Yeah. Well, sorry.
But, again, this is a process.
And I will tell you upfront, and Rich knows this, Jamie knows this,
it is a process that takes time. If you do it right, you don’t have to redo it. The problem is a lot of folks think... you know? And, again, to go back to what I said earlier, they’ll hand this project to the IT guy.
And I’ve been that IT guy. You’ve been that IT guy. And it’s like, what do I do with this? And they have no idea where to start.
Or they will Google it and say, oh, we’ll do this. And they’ll start down a path, and then whenever it starts to become formalized, they realize that they’ve kinda gone the wrong direction. And so you have to undo some things and go right. So if you have customers that are going through particular GRC components, it’s best to test them early.
Right? If that’s not possible, as early as possible, right, to make sure that we’re going down the right path. So that’s kinda CMMC in a nutshell. Again, we could talk about this for four days.
And if you really, really want to, write me a note.
Happy to talk through it with you and give you some documentation.
I’m actually a CMMC Registered Practitioner. So I’ve got a little bit of information. I have access to some data, and we can definitely help you out. At least get you to the point of understanding what it’s going to take.
So when you get these customers that are wanting to get into that government work, and there are various aspects of government. I saw a comment pop up just now about ITAR. Right? ITAR is part of that, it’s the government, but it’s dealing with the export of weapons materials.
We had, I think Jason was on this call with me, an individual company that was making parts that could be used in rockets.
Oh, yeah.
That was a member of the moment.
Yeah. A very, very small company.
And they realized, even though they were going down the path, we can’t do business until we’re ITAR compliant.
Right? So they kinda got to the end of the road where they thought they were just gonna sign a piece of paper and start selling their rocket parts to the federal government. Or it wasn’t the federal government, it was... not Space Force, NASA.
So it’s a key component to understand what fits where. And then we also have customers that get confused because they feel like they have to be at level three in CMMC land, but the reality is they can get by at level one. So it’s that conversation that has to take place.
Understanding HIPAA Compliance
So I know there’s probably gonna be a lot of questions on that. Again, don’t hesitate to reach out and touch base with one of us. So let’s talk about HIPAA. How’s that?
Next slide.
I think first and foremost, we should check out the spelling, because there’s a lot of... If you ever see a supplier, and this is for Rich and Jamie,
if you ever see a supplier that says that they know all about HIPAA and they spell it H-I-P-P-A, go the other direction.
If you can’t spell it, you can’t do it. And I see Rich laughing.
Because that’s one of the jokes that we on the engineering team have a lot of times. We’ll see a presentation and somebody will be talking about their compliance practice and what they do, and they spell it HIPPA, H-I-P-P-A.
And we’re like yeah.
Bad start.
Bad start. Bad start. So this is kind of a breakdown, and I did see a note: will these slides be made available, Rachel? I think that’s kinda up to you guys.
If you really want my piece of this, I’ll be more than happy to send that to you. Again, that’s just an email request or whatever.
HIPAA Safeguards: Technical, Physical, and Administrative
So HIPAA is one of those things that has been around a while.
When it first became a big deal, it was really paid attention to.
Like anything else, people get used to it, but if you look at the headings, right, the technical protections, we gotta encrypt everything.
We control access to, you see that term, ePHI, electronic private health information.
One of the biggest targets that I see as a cybersecurity practitioner is medical records.
Right? A credit card number, a Social Security number go for, you know, pennies on the dollar on the dark web.
Electronic health records go for up to a thousand bucks a record. There are various reasons for that. Right? We can get into that if you want.
But that’s one of the biggest pieces. There’s technical protection. Make sure, because we’re no longer writing doctor’s notes, physician notes, into a chart. They’re all electronic.
And so anything that’s electronic is accessible from elsewhere. So we have to make sure that we’re encrypting, that we’re authenticating into those systems so the right person is accessing the right information. There are the physical protections, you know, physical access, managing the workstations. How many of you have gone to your doctor and, I’ll give a good example, you walk in and you’re at an orthopedic clinic, and somebody else’s X-ray is up on the screen. I’ve done it several times.
So the physical protections are not just that, but I can remember an example of being in a doctor’s office, sitting in the little room where you wait for however long it takes to wait.
And there was another physician right outside, and he was dictating, notes, you know, verbally dictating notes.
He listed the patient name, the patient’s date of birth, the address, the diagnosis, the prognosis, the prescriptions out loud, and I’m sitting there listening to it. My doc came in, and I had to tell him. I’m like, look. Just so you know, that’s a HIPAA violation. If you and he’s the executive vice president of that practice.
And I said, you you you can’t do that. And he’s like, well, but HIPAA, that’s just for that’s just for records and stuff. I’m like, yeah. Electronic records, written records, and verbal records.
HIPAA Compliance Challenges
I could cause a huge problem for you. So pay attention. If you run into that, if you’re at a physician’s office and you hear that, that could be an opportunity for you to talk to that practice and say, you really need some controls around your HIPAA compliance. Let me help you with that.
Let’s get you shored up. Right?
Did they at least comp your parking for the information?
No.
And I bought the doctor a new boat. So administrative protections: obviously, risk management, blocking that unauthorized access. Train your staff. Again, HIPAA is not just for the doctor.
It’s not just for the nurse. It’s for the front desk personnel. It’s for, you know, the medical records people. It’s for all of them.
So there are those document security pieces.
And then the privacy rules, you know, how you respond to patient requests, how you get permission to use their information. And, again, training staff. Now, you know, these days when you go into a physician’s office or a hospital, even just to get an X-ray, you sign multiple, multiple forms. And most of those are because they’re trying to be compliant. Right?
I went and had to get an X-ray or whatever. And the lady’s like, sign here, sign here, sign here. And it wasn’t even a physical piece of paper. It was just one of those electronic signature blocks.
And I told her, I said, no, ma’am. I’m not signing that. I don’t know what I’m signing. I said, I want you to print those documents and let me see them before I sign. And so it kinda caused her to be a little gruff with me, but nonetheless.
Breach Notification Requirements
The breach notification. If there is a breach, if there is a compromise, if your medical records are released, you must promptly, and promptly means very quickly, notify patients. Hey, your stuff has been compromised.
There are government fines. Right? The media is gonna find out.
Your reputation is gonna definitely be at risk, and your notification has to have all of the pieces of this. And then one of the other expenses, outside of the reputation hit, outside of the fines, outside of the bad press that you’re going to get, is you’re also going to be required to pay for each record a certain amount of identity theft protection. And at last count, that was about, what, two hundred and fifty bucks a person?
I think I got a record of those right now that I’m watching online.
I actually have a lot of those too, because I’ve been involved, not necessarily with a HIPAA breach, but with various compromises that have occurred.
Organizational Responsibility in HIPAA Compliance
But taking it back to one of the original slides, on noticing that GRC is not just an IT function. I mean, just in this one use case alone, you’ve talked about all the different roles and responsibilities within a small health care practice. So there’s gotta be some form of ownership across all the different employees there. And that’s why it’s organizational.
And if you look at this slide on the right, you know, train staff, train staff, train staff, update privacy policies. You’ve got train staff on all of those. That’s the one thing people miss, excuse me: if you work in any function within a medical environment, you need to understand what the risks are. So there’s that risk management piece.
Right? You need to understand how to be compliant. Right? What’s that governing authority? You’ve got it in front of you.
Right? If you don’t know what to do, that’s the biggest thing. And we run into this with cybersecurity all the time. You know, I don’t necessarily worry about, you know, the bad guys in China or North Korea.
I worry about Betty over in accounts payable who just clicks on every little email that comes by. Right?
Train your staff. And if you do make a mistake, raise your hand and say, I did this, so you can start that notification process. And then if you get a situation where you don’t necessarily know what to do, ask.
Transitioning to PCI Compliance
And if you can’t find the answer to that, keep going up the food chain until you get that answer. So, fair enough? Well, I think we beat HIPAA up. Let’s talk about PCI for a minute. PCI is one of those things that I think a lot of folks are compliant with, anybody that has a point-of-sale system, anybody that takes credit cards.
But a lot of folks don’t necessarily understand the various levels that are involved with PCI. And here we kinda spell them out. And it’s based on the number of transactions.
Right? So if you are a company that, you go to a flea market, for instance, and you take credit cards, you do all that, you’re less than twenty thousand transactions a year, you’re at that level four. If you’re over six million transactions a year... If you’re doing them online, that’s another thing that a lot of folks don’t think about. It used to be, because I’m old enough to remember the old credit card machines where you had to swipe it... what are you laughing at?
I remember that too. No. You’re not. Yeah. You slap it on there.
Has the ink on it, No. You don’t. You don’t.
But this is online stuff too. A lot of folks are doing, like, Etsy shops. A lot of folks are taking credit cards because they’ve set up some side hustle, where you still gotta abide by PCI DSS compliance.
And they’re very strict on it as well, because it’s self-regulated.
It is. It absolutely is. And there are some nuances to all of these things. Right? We’re not gonna be able to get into every teeny tiny detail as we talk through this.
Laurie just said crunk crunk. The sound that she remembers from the, from the credit card. Crunk crunk. Yeah.
I’m with you, Laurie. I remember that too. Now we go to a gas station. We put our credit card in the machine.
Right?
We never have any idea what’s going on behind the scenes. So let’s roll to the next slide, and I’ll get out of your faces. This is the twelve requirements.
Right? And you can read those to yourself, but if you look at number twelve, right, it’s a policy. It’s a policy that addresses information security for employees and contractors. Right?
So they’re very strict guidelines. And like Jason said, they’re strict. Right? And if you don’t pay attention to these, you will get caught. No ifs, ands, or buts. Right? And getting caught is not fun, regardless of what it is that you’re doing.
So I would guess, and I could be wrong because we have a lot of people on this call, that of the calls that you get or the opportunities that you have with your clients, your customer base, they’re probably gonna fall within, you mentioned the top five, but you’re gonna hear CMMC.
Overview of Compliance Frameworks
You’re gonna hear HIPAA. You’re gonna hear some PCI.
You mentioned a couple of other ones. Right?
Yeah.
SOC 2 Type 2, and then what was the... All the privacy acts.
All the privacy acts. So the privacy piece started really with GDPR, which is our EU friends.
And then California said, hey, we can do one better. So we’re gonna make a standard, but it’s gonna be even tougher than that. The state of Georgia, the state of New York, so various states have these privacy components.
The key that I like to tell people is not to worry about it if they’re doing the right thing. If you are taking privacy seriously, if you are doing everything that should be done, not everything that you think should be done, but everything that should be done. And if you don’t know how to do it, you are getting help to do it. So you’re protecting your customers.
You’re protecting your data. You’re protecting your organization. And one of the things that just popped up, I just saw a brief hit there, is there’s been a change with auto dealerships.
FTC Regulations for Auto Dealerships
You know? Guess what? The Federal Trade Commission now considers a car dealership a financial organization.
Anybody that’s ever bought a car and financed it goes in and talks to the F&I guy. Right? The finance and insurance person. Well, the FTC said, we’re gonna regulate that. So you’ve got safeguards that you need to put around all of that financial information, which they never had to really do before, because they’re like, hey, we just sell cars. If you’re a car dealership, you’ve got some GRC components that you really need to pay attention to.
But one thing to note, if you look at all these different controls and requirements for each one of these, we went over CMMC, we went over HIPAA, PCI. We mentioned a few others. There are a lot of similarities here between them. Encryption, you know, firewalls configured and updated, physical access controls, you know, zero trust, least privilege. You know, 24/7 monitoring.
Yeah. 24/7 monitoring. A lot of this stuff is blended across all of them to where there are a lot of similarities, and that’s where the importance of the GRC tool comes in. Yeah.
Because you select which compliances and which regulation frameworks you wanna adhere to. And, like, let’s say you’re going by one and all of a sudden you need to go by another one, it will pull all that data that is shared between them, and you’re not starting at zero anymore. Right. You could be starting at what?
Ninety percent, depending on if you’re already following the CSF, you know. Good. So, I mean, it’s one of those things that could save you a lot of time and effort just by having all that data organized in a fashion that a normal Excel spreadsheet or pen and paper doesn’t do.
Perfect.
So I know there’s probably some questions. So let’s roll and see what we’ve got.
Engaging Clients on Compliance Topics
And we’re running out of time too.
You’re like, we’re gonna run out of time.
That’s the way I go. So, any questions, put them in the chat, and then I don’t know, Rachel, if you’re gonna ask the questions or if you’re gonna open it up, or what does that look like?
Yeah. I actually took some notes, some questions that came in. So you had a lot of acronyms you talked through, HIPAA, PCI. Some other ones in the chat we just noticed were AI governance, pen testing, and that CHRI.
Right? Jason, how those maybe have similarities that all fit in, if you wanna speak to that.
So, really, if you start looking at compliance, and Jason just mentioned this, right, they are all very related. It’s almost like a Venn diagram. Right? You’ve got some outliers, but most of them have core components that are required.
You’re gonna see the encryption pieces. You’re gonna see the access pieces, you know, understanding who has access, what do they have access to, how we’re protecting that data.
So they’re all very closely related. If you are in a conversation with a potential customer, an existing customer, and you start hearing keywords, privacy, data integrity, things of that nature, that’s a good key that you can probably get into a GRC conversation with them. Maybe, maybe not, but that’s why I always recommend, and it’s not because of us, it’s just because this is something that we do, that your Telarus resources are here to deepen that conversation, understand exactly what we are, what we’re looking for. So I don’t know if that answered your question, but that was the best I could do.
Yeah. That leads to another great question.
Some question of how to discover questions to ask your clients or next steps in learning and possibly engaging with our teams and our tools.
Jason is brilliant at this. Right? We’ll get a conversation going, and it’ll be leading one way. But as we dig into it, right, and Jason does this all the time, uncovering other realities of the business problem we’re trying to help that customer solve.
Yeah. Most of the time, I get on a call and somebody wants to say, hey, we wanna do AI. I saw somebody ask about AI governance.
Data Protection in AI
You know, the first part of any of that is protecting the data, not only from malicious actors trying to come in, but, you know, you’re building a bot that is only as good as you program it. It can share your data, your proprietary data, without you even knowing it, or personally identifiable health information, all that stuff. So those AI conversations, and I know Jamie and Rich can attest to this because we’re doing a lot of AI stuff with them, the first part of that conversation is, okay.
What data are we using? Is it classified? How are you protecting it? So it does kinda turn into a GRC conversation because in order to do this effectively and securely, you have to start out with that conversation.
Regulatory things that we talk about, it’s changing all the time. AI is something that, again, there’s going to be regulation. There’s going to be compliance. There’s going to be all of those things related to AI in various aspects. So absolutely.
Transitioning to Next Topics
Alright. Thanks, Jason and Jeff. There were some more questions in the chat. I am going to wrap them up and move on with our next section, but I’m sure you’ll have a lot of connections in your inbox coming shortly after this call. So, again, thank you for your tremendous... You bet.
Thanks. Thanks, everybody, for your time.