Security Masterminds

Mind Shifting Cyber Risk from IT to the Boardroom with our guest Mathieu Gorge

September 15, 2022 Mathieu Gorge Season 1 Episode 9

Every day, organizations are constantly managing risk, and as cybersecurity professionals there's a struggle to get the board to understand that risk. Our guest today shares his insights on his 5 Pillars of Security Framework to increase the effectiveness of the risk conversation with the board and to engage them in reducing risk and securing the organization.

"I'm very passionate about the topic, and specifically very passionate about building a culture of cybersecurity within enterprises. Anything that has to do with security awareness, making people more cyber aware, is something that's really close to my heart."

Mathieu Gorge is the CEO and founder of VigiTrust, a cybersecurity company with clients in 120 countries. Mathieu has over 20 years of IT security and risk management experience and is much sought after for his expertise. As an authority on cybersecurity solutions, he has been asked to speak at conferences including RSA, ISSA and ISACA. Mathieu is a prominent member of the international cybersecurity community—due to VigiTrust’s continued success as well as its 5 Pillars of Security Framework™—and serves as president and chief security officer of the French Irish Chamber of Commerce.

Mathieu has more than 15 years of experience in payment security and works closely with the PCI Council in the US and EU. He is a renowned expert in PCI DSS, GDPR, CCPA, HIPAA, VRM, and ISO 27001.

Mathieu Gorge
LinkedIn: https://www.linkedin.com/in/mgorge
Website: https://mathieugorge.com
The Cyber Elephant in the Boardroom (Amazon)

In this episode, you will learn the following:

  1. The challenges of communicating cyber risk to the boardroom 
  2. The importance of understanding how cyber security measures fit into the financial side of things 
  3. The human impact of being a CSO, including the challenges of maintaining a work-life balance.

Show Links

  1. NIS2 - https://www.nis-2-directive.com/
  2. ENISA - https://www.enisa.europa.eu/
  3. Privacy Laws - CCPA - https://oag.ca.gov/privacy/ccpa
  4. Privacy Laws - GDPR - https://gdpr-info.eu/
  5. Follow Me Printing Hacking Story - Forbes

KnowBe4 Resources

  • KnowBe4 Blog: https://blog.knowbe4.com
  • Erich Kron - https://www.linkedin.com/in/erichkron
  • Jelle Wieringa - https://www.linkedin.com/in/jellewieringa
  • James McQuiggan - https://www.linkedin.com/in/jmcquiggan
  • Javvad Malik: https://www.linkedin.com/in/javvad
  • Music Composed by: Brian Sanyshyn - https://www.briansanyshynmusic.com
  • Announcer: Sarah McQuiggan - https://www.sarahmcquiggan.com

Mathieu Gorge:

So there are too many platforms, in my humble opinion, that focus on "here's the best practice that we know very few people are gonna follow," unfortunately, and what we are doing is we're trying to get people to talk about what doesn't work. I'm Mathieu Gorge. I'm the founder and CEO of VigiTrust.

Announcer:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things, cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

Mathieu Gorge has over 20 years of IT and security risk management experience. He's the CEO and founder of VigiTrust, and he has been bestowed the French National Order of Merit with the rank of Knight by the French government.

Erich Kron:

Every day, organizations are constantly managing risk, and as cybersecurity professionals there's a struggle to get the board to understand that risk. Our guest today shares his insights of his 5 pillars of security framework to increase the effectiveness of the risk conversation to the board and engaging them to reduce risk and secure the organization.

Announcer:

This is episode nine: Mind Shifting Cyber Risk from IT to the Boardroom with our guest Mathieu Gorge.

Mathieu Gorge:

I'm very passionate about the topic specifically. I'm very passionate about building a culture of cyber security within enterprises. Anything that has to do with security awareness, making people more cyber aware, is something that's really close to my heart. So as you can hear from my accent, I'm French. I've spent maybe 25 years in Ireland. I also lived in Germany, and right now I spend about 70% of my time in the U.S., developing our own U.S. activities. From a VigiTrust perspective, the company is nearly twenty years old. The first fifteen years, we were security assessors and trainers, and then we pivoted into software, and we have an amazing tool called VigiOne that allows people to prepare for, validate and manage continuous compliance with about a hundred security standards and frameworks. On top of that, I'm the chair of the VigiTrust global advisory board, which is a non-commercial think tank that brings together about eight hundred members from 32 countries. I'll share with you that I'm actually in the process of writing my second book, which is about the life of CISOs and risk people.

Erich Kron:

All right. So we are happy to have this conversation today with Mathieu, and I also really like where he's talking about security culture, because we've talked about that before and how important that is within organizations.

Jelle Wieringa:

And when talking to Mathieu in today's episode, you'll hear that he's really passionate about changing people and creating that culture. And that's what I truly love, because that's what it's all about. It's not about ticking a box. It's about actually making a change. So yeah, I'm really looking forward to this one.

Erich Kron:

And also this advisory board is a pretty cool thing as well. And he's talking about 800 people in this global advisory board. I'm really excited about this talk and I'm really impressed with the things I've seen so far. We wanted to get a little bit more information about that. So I asked him, what's the purpose of this advisory board?

Mathieu Gorge:

Generally speaking, the members would be C-level, so not just CISOs and chief risk officers, but also CEOs, CFOs, the whole C-suite basically, as well as directors. We also have law enforcement: FBI, Interpol, NYPD, French police, Irish police and a few others. And we also include a lot of members from academia, as well as independent subject matter experts in compliance and security. And we're not trying to replicate something that already exists. Our platform is really based on the idea that we want to talk about what doesn't work in cyber as much as what works, right? So there are too many platforms, in my humble opinion, that focus on "here's the best practice that we know very few people are gonna follow," unfortunately, and what we're doing is we're trying to get people to talk about what doesn't work. In other words, I'm going to tell James the mistakes that I've made so that he doesn't have to make them, and hopefully he's going to share with me the mistakes that he made so that I don't have to make them again. That's really the mission of the advisory board. Right now, we talk a lot about geopolitical risks, critical infrastructure protection, also with NIS 2 coming. We do a lot of work around protecting much younger, but also much older generations on the internet, which is something that very few people cover. We have a great diversity and inclusion program, where we try to integrate as many cultures as we can into the cyber mix. We talk about talent and the shortage of talent. Where do we get the next generation of cybersecurity professionals? Do we get as many women as men? If not, how can we address that? And we also talk about innovation in cyber and how you fund that innovation. So I have a global team of 25 people that work directly with me and the advisory board team to ensure that we cover not only global problems, but also regional problems that our members can have. I just keep learning. That's one thing that is really key to what I do: I want to learn, and I learn a lot from those 800 people. It's been a great privilege creating that platform.

Erich Kron:

Okay. I thought this was actually pretty cool, and I really liked the angle of focusing on what doesn't work, because it's always easier for us to discuss our successes than our failures, even though we learn so much from failures. But if we're going to tackle the issues, let's go after the things that are not working, as opposed to making things that are already working maybe work a little bit better.

Jelle Wieringa:

I think that it's a really good perspective to put yourself out there and be vulnerable, by allowing yourself to be vulnerable by talking about the failures that you had, because it's those experiences that teach others most. Whereas if you only talk about, as he states, the best practices that you've had, nobody's going to apply that to us, because every organization is different. Every organization faces different nuances and challenges. The challenges might be the same, but the organization isn't. So by talking about failures, it's a good way to actually be able to apply that to your own organization, the own nuances that you have. It's something that others should do too, I think.

Erich Kron:

Absolutely. But he wrote a book, and it's called The Cyber Elephant in the Boardroom; it's about cyber accountability. I really like this. In it, he discusses the five stages of cyber grief. So I asked him to describe that so we understand what that means.

Mathieu Gorge:

There are only two types of companies in this world: those that have been hacked, and those that don't know that they've been hacked. And so that's another concept that I touch on in my book, The Cyber Elephant in the Boardroom, and it's that concept of the five stages of cyber grief. The first stage is denial. So the board is in complete denial. We're like, that's not our job. Our job is to create wealth for the shareholders, to create employment, to pay tax wherever we have to pay tax, and that's it. Then comes the anger: I have given you money to recruit a CSO. I've given you money for managed services, for security awareness training and so on. Go and talk to the compliance and security folks, they'll look after you. Then comes the bargaining, and the bargaining is: okay, I can see our competitors are being hacked. I can see the regulator is knocking on some doors. I'm gonna hire a very reputable firm and we're gonna do an assessment, and that will be my get-out-of-jail card. Of course it's a good start, but it's not a get-out-of-jail card at all. Then comes the depression: oh my God, we have been hacked. The regulator is in the lobby and they are asking to see the CSO and meet the board. We are doomed. And then eventually comes the acceptance. And the acceptance is understanding that you're probably doing 60 to 70% of what you're supposed to do, probably not in a way that allows you to demonstrate it to the regulator or the enforcement body, but you're doing enough that you can demonstrate that you have some accountability. And then you just need to address the delta. And I think that, going back to the question about the CSO, we need to make sure that CSOs can actually translate cyber risk into a business risk in the boardroom. So if you go in with the three-letter acronyms that we love, we lose the board very quickly. If we go in with a business talk: we're gonna tell you about a new risk to our business. It happens to be cyber security and compliance. It's a business risk, and by the way, because we buy assets to protect our environment, those assets can actually be on financial statements. Once you put them on the financial statements, the board has to see it every month. They can no longer claim that they don't know that. So it's a win-win: you translate the complexity of cyber security and compliance, with often complex and sometimes even contradictory frameworks, into a business risk that the board has a better chance to understand.

Erich Kron:

I really liked the way he did that. I spoke at RSA on a panel about this back in 2016, and that is communication with the board and turning cyber risk into business risk as a conversation so that they understand what it is they're facing. And I think we still have a lot of challenges in that in today's world.

Jelle Wieringa:

I totally agree. I just want to add one little thing: we want to make sure communication is understandable from security practitioner to the board, but don't make it too simple. They're not idiots. And I do see this a lot actually, where CISOs, IT admins, security professionals go in and treat the board or treat the organization as if they have no clue of what's going on. And that's not the case. By changing the language in which you talk, and changing it from IT security to something where you actually talk about business risk and how security can add value to the business, you just simply change the language. You don't want to simplify it, because it's not simple, but what you do want is to make it understandable. And that's something you really have to watch out for.

Erich Kron:

You don't want to underplay it. You don't want it to look too simple and you don't want it to seem like you're speaking to them at a level down or speaking down to them. That's true. I think what's important is being able to make that cyber risk translate into business.

Jelle Wieringa:

Yeah, and then the same goes for understanding how cybersecurity measures actually fit into the books, the financial side of things. I personally, from experience, can tell you: talk to your CFO. Ask how you can actually get those assets on the books, and make it so that the board actually sees this week after week and becomes directly responsible for it.

Erich Kron:

So given this book, The Cyber Elephant in the Boardroom, on accountability, I know he's working on a second book. So I asked him to tell us a little bit more about the second book he's writing.

Mathieu Gorge:

So I'm interviewing a hundred CSOs and risk people and asking them unusual questions. So of course, I'm going to ask them what regulations they look after, what certifications they have, but I'm also asking them about their private life. Do they manage to have a private life? Do they wake up at night? Are they stressed that there's gonna be a legal burden on them? Are they thinking of themselves as being a sacrificial lamb? Have they been one a few times before? Do they know of peers that have been sacrificed? And how has that impacted their life? I know of CISOs that lost their jobs because of hacks and actually went on to do something completely different. And we looked at the security industry, which lost some very good people, some great expertise, because we were like, why am I taking that risk? What's in it for me? So I add value, I do my best, something goes wrong and I'm the first to go. It's not exactly fair, but I do take the point that somebody has to be held accountable. The reality is it's always the security and compliance people, but it should be the board. At the end of the day, they have to deal with any type of risk. Sometimes I'm also a bit annoyed when people say, oh, but the board doesn't understand risks. They understand risk. They deal with risks every day: financial, HR, geopolitical, political. It's just another risk. We just need to translate it. So what I'm hoping to achieve is that The Cyber Elephant in the Boardroom is a book about getting the attention of the board, getting them to understand that we're not the enemy. Yes, we may be the "Department of No" from time to time, but it's for very good reasons. We should understand those reasons and we need to translate that for them. And now what I'm trying to do with the other book is to say, okay, now that we've got the attention of the board, let's talk about you. How are you going to engage with those guys? And what does it mean for you? And can you still have a life? Can you walk into the office knowing that if there has been a hack you'll at least get a fair hearing, and you can demonstrate what you've done? And you're right, there's no silver bullet. And another point is that I think that security people had a major awakening with COVID, because immediately the attack surface went from something known to something that was completely unknown, with personal devices used from home, with holes dug into firewalls to get people access to systems that you would never have given access to before remotely. And now that we've learned to live with it, we see a lot of organizations having like a COVID or teleworking policy that is fully updated, but what happened to that data within those 18 months? And all those holes that we put into those firewalls and those systems, they shouldn't become legacy. They should be dealt with and they should be removed. And so all of us security people had no choice but to say, yes, okay, I'll open the firewall, because otherwise the company is going to close. We need to work. We need to do business. And if something goes wrong, it's on their head again. And it's not really fair, you know?

Erich Kron:

That was pretty cool. And I like the angle of asking the unusual questions for the CISOs. I get the whole captain-goes-down-with-the-ship sort of thing, but I think far too often they are made a sacrificial lamb.

Jelle Wieringa:

It's really cool that he's looking at the human side of things as well. I like how it impacts their home situation, et cetera. And you're absolutely right, Erich. If you cycle through CISOs, if you just toss them aside, they are security experts; you don't fire the expert. If something goes wrong, you actually make him work to fix it. That's his job. So if you take away the fixer, well, that won't really take away the problem, will it? So you don't want to fire your CISO. Actually, you don't really want to fire anyone at that point. You first want to deal with the situation. That's the first thing you do. Don't fire anyone. So I hate the idea of cybersecurity professionals becoming sacrificial lambs or scapegoats. It's one of the reasons why we've got cybersecurity burnout going on, where we see people leaving the industry, even though there's an immense shortage of cybersecurity professionals.

Erich Kron:

In this he talked a little bit about COVID, and I thought it was interesting because COVID has changed so many things. He mentioned the technical debt that happened there. We opened up firewalls and we did all that kind of stuff out there, and a lot of that we know has not necessarily been closed up. I thought it was interesting, as a CEO and a founder of an organization, so we wanted to ask him what impact COVID and the whole work-from-home thing had on him and VigiTrust.

Mathieu Gorge:

Absolutely. And that risk surface is somewhat unmanageable at this stage. We take the example of VigiTrust. We find it really hard to get people to come back to the office. And of course, as the CEO, I can put in a rule that everybody has to come back to the office, but the reality is, we've actually had our best year during COVID because we started working in a different way that turned out to be much more effective. So I don't necessarily want to bring everybody back, but I do want people to be able to see each other on a regular basis, and getting people back to the office is complicated. I'm sure it's the same in your own firms. But it's, you know, we have to learn how to empower people to work from home, but also to come into the office. It's maybe different systems, but completely safe both ways, you know.

Erich Kron:

So many things have changed with COVID and getting people back to the office. And I think he's accepting the fact that the world has changed, and they realized that, hold on a second, this actually can work. Now it's not always perfect, but I can tell you right now, from going from working in the office every day to working at home, I find that in a lot of ways I'm more productive here at home and I'm more creative at home. There's a lot of people that have discovered that, and a lot of leadership that's discovered that as well.

Jelle Wieringa:

There is a downside to working from home though. And that's something that I don't see many organizations addressing, and that's the people aspect behind it. The fact that people, we as humans, are social beings; we need that social interaction. And that's what I see happening: people want to work from home, companies say, okay, go right ahead, work from home. But they forget the aspect that we need to make sure that people are still engaged with other people, that they have that social interaction, that they don't lose touch with the organization and the other people in the organization, and I think that's really important. That's one of the things that some organizations are kind of failing at at the moment.

Erich Kron:

Fair enough. Now the next question we had was a fun one, and I always find this interesting when we talk to people who are in the cybersecurity industry, especially the leaders, the people that are doing brave new things. And that is, I wanted to know how Mathieu got into the cybersecurity industry.

Mathieu Gorge:

By mistake, I guess. I was studying languages with marketing and law, and I tried to get jobs in France, and that would have been 25, 30 years ago at this stage. And at the time, to get a job in France, you needed to be 25 with 10 years' experience, speak five languages and have five degrees and a PhD. So I didn't exactly meet the mark. And so I got a job in Ireland selling project management training, and I didn't exactly enjoy it. And I applied to many, many IT companies and I got lots of job offers, one of which was with a company called Anthropy, which at the time was doing TCP/IP stuff and network security, content security, and I got into that and I really liked the idea of securing systems. I developed very quickly a passion for data protection and training around data privacy and so on, which was quite novel back then. Yeah, I started VigiTrust soon after that, and I've been in cyber since. I'm very lucky. I got to be an independent expert for the European Union for some of the old funding frameworks over the years. I'm an independent subject matter expert with ENISA. I've done a lot of work with the PCI Council. I've presented at PCI events and so on. And I believe that you can never learn enough, right? Because as we've already explained, the risk surface, the attacks, they change all the time. So I don't think we're ever going to be out of business here, and it's not actually a compliment to our industry. It's just a realization that the bad guys are out there. They actually, by the way, collaborate a good bit more than we do. They only need to get it right once; we need to get it right all the time. And it's not always easy. We also need to understand that, whereas twenty years ago you needed to be super technical to hack, today I can hack anybody I want. I don't have a technical bone in me, because essentially I can just buy a ransomware kit. I actually get customer service, which will be better than customer service with my antivirus provider. It's become so easy to be the bad guy. Why wouldn't you?

Erich Kron:

Yeah, that's an interesting point, that you don't necessarily have to be super technical to be in security these days. And that's something that holds a lot of people back from getting into it, but in the interviews that we've done, I always find it fascinating how these people come from different backgrounds. Some of them are from sales. Some of them from totally different industries, like insurance.

Jelle Wieringa:

So back in the day when he started out, people were looking for certifications and work experience and stuff, and if you're starting out in any job, you don't have that stuff. We've heard it a lot from a lot of different people that we've interviewed and that we spoke to. I don't think there's anybody out there that actually came into this field by choice. We all stumbled into this. It came along and it was really cool. And I also think you're absolutely right. It's the type of person that makes you, or what type of person you are, that makes you suitable for cyber security, not so much what you studied in school or the degrees that you have. It's those soft skills that really do make a difference nowadays.

Erich Kron:

So given Mathieu's knowledge and experience, and just the people that he's run across and talks to on a regular basis on this global side of things, I thought it would be interesting to ask him what he thought the blind spots currently were within enterprise security.

Mathieu Gorge:

Absolutely. And one of them that I've done a lot of work and research on is multifunctional printing security, where you have a multifunctional device that can print, scan to fax, scan to email, and has the memory of the laptop that I had three years ago. The memory is never purged, and yet you can have multifactor authentication on the printer. You can have follow-me printing, where if I go to New York and I want to carry the confidential information, it's actually waiting on the printer, encrypted, for me, and I authenticate with a card or with a token, and nobody else has seen it. And the minute I've printed it, it's gone off the device. Why aren't we doing that? I think it's because we've become a little bit complacent, and what I was talking about earlier on, the department of no, where you have: what's more important, the ability to do work faster and more effectively, or is it security and compliance? And also, I think one of the questions that we were going to discuss was what's more important, security or compliance. Generally speaking, it should be security, because if you have good security, compliance would fall out of it. So it will be driven by it. But from time to time, we just, as companies, if we need to be in compliance with some regulation or some framework, like ISO or whatever, in order to get a big contract, we'll focus on compliance for that contract and we'll do the scope of compliance for that scope. Meanwhile, we are creating blind spots somewhere else. It's a moving target, and I always say that security is a journey and not a destination. You have a few pit stops along the way where you can breathe and you can start again, but it's continuous. You always go back to the beginning: where's my scope, what assets do I have? What risks, likelihood, impact, safeguards, controls? At the end of the day, I end up with a residual risk, and there's only a few things you can do with risk. You can ignore risk, which you shouldn't do. You can try to transfer the risk, which you can probably do operationally, maybe with some cyber insurance, but not legally. You still own the risk. You just accept the residual risk. And you have to control it on a regular basis. Those are the only things you can do with risk.

Erich Kron:

I don't even know if you can buy a home printer, like an inkjet home printer, that doesn't have wifi connectivity these days. If you remember, now it's like you can't get something that isn't smart. And in enterprises, he brings up a really good point. We have follow-me printing all over the place. These things have hard drives. We've seen stories about that. But it's a cool thought that he had about the multifunction devices, like the printers.

Jelle Wieringa:

They are so embedded in what we do that I think most people don't even stop and think about the security aspect of it, because you're using it every day. Never mind that you travel around the world and still want to print on another device in another location of your organization. Hey, it's still all secure. And especially now with IoT, because a printer is quickly turning into something where you can just, ah, look, the cartridges are now more expensive than the actual printer, and security is not something that's high on the list, not for people at home, but organizations will tend to forget these; they can be really important. Cause, as Mathieu already mentioned, we have to get it right all of the time and hackers just need to get it right once to get in. A printer is a perfect stepping stone to get into your network. And that's the thing with security. It's such a broad field. You can't do it all. And that's where the accepted residual risk comes in. You need to accept that you can't do it all. You just need to figure out what's the most important thing you need to fix and do that first, and then go down the list and reassess that list every time.

Erich Kron:

And speaking of which, we were talking about this: we asked him about security professionals working for organizations where the board of directors may not always realize the risk it presents to the organization. They may not always realize that. So we asked, what are some of these risks, and how can a CSO or an InfoSec manager really work to reduce that risk?

Mathieu Gorge:

There's a lot of risks that I think are missed. We talked about some of the technical blind spots, like a document capture environment and printing environment. The main risk, I think, right now is misunderstanding consent for holding data or acquiring data. So if you look at consent under GDPR, it basically says that unless I've explicitly given you consent, you don't have the right to do anything with my data. And even if I give you the right to do something with the data, you need to keep it up to date. And if there's a potential secondary purpose, you need to let me know. CCPA is different in that it's basically nearly the opposite, saying, unless I tell you not to use it, you can use it, but you can only use it for XYZ in this manner. And I think the danger here is organizations that are multinational organizations misunderstanding the type of consent they need to get in which jurisdiction. I think consent is really a pivotal part of any security strategy. Before you even put in the technical security around it, you need to understand, as I always say, if you don't need the data, don't take it. That data is a burden, because it can kill the organization. It can result in fines and so on. So if you don't need the data, why do you have it? Because if you have it, you need to secure it, and then you probably need to comply with another two or three different regulations. So why would you want it? Don't take the data. And if you have metadata everywhere and you're not aware of it, and you have unstructured data, that potentially is yet again another risk. You need to understand what to do with that. So the best thing to do is to start by saying, okay, what data do I actually need? Why do I need it? Is there a business justification for having it? And then what kind of rules apply to that, to consent for that data? And generally speaking, GDPR is a good framework to work on, because it's actually quite restrictive. So you take: let's not allow anything, and we block everything. Now let's one by one let the data trickle in and secure it and make it compliant. And I love the rule in PCI, in Requirement 1, that says if you've got a rule on your firewall, you need a business justification for the rule, because if you don't have a business justification, why did you open the firewall up? It's common sense, yet it's not always done.

Erich Kron:

That's an interesting thought here, and the whole metadata issue. Look at the information that you can ferret out of things like that. And as security professionals, if we don't understand the legalities behind saying, hey, you know what, we were provided this information for X, we can't use it for Z, then we could find ourselves in a lot of trouble. And I know that's a bigger issue, I think, or a large issue in Europe, or as he mentioned with global organizations, as opposed to ones, say, over here in the U.S. that are just US-centric.

Jelle Wieringa:

We've got GDPR, we've got people in China, which is actually based on GDPR, partly. We've got a California law. It's fundamentally all about providing more rights to the end user and what we do with that. If you're in marketing, actually you want to know everything about that user. The fact that you, as an organization, know just about everything about your user, know everything about your prospect, that's where business and security will collide. And that's something where I think that it's our job as security practitioners to reach out to marketing, to reach out to data sciences and departments like that, and go, hang on. We don't want to say no, we understand the evolution that your department and your role and job is going through, get us at the table early so we can help you decide what you need. We can help you discover new ways of working with data in ways that still make us compliant or still keep us compliant in ways that are future proof.

Erich Kron:

So an interesting question I always have when we're talking about compliance and security, and from being on both sides of the coin, I'm always interested in the answer and the view from leaders like him, and that is, when security and compliance collide, which is more important?

Mathieu Gorge:

I would say it's security, because you need to be secure at all times. Of course, the regulators will tell you, you need to be compliant at all times. And technically you do, but you could be out of compliance without opening a huge hole in your security strategy. Whereas the other way doesn't work. You can't reverse it. Security is an ongoing thing and it needs to be on at all times. Compliance by design is made to be assessed on a regular basis. Security is every day. So define regular basis. Again, I look at PCI: it's every three months you do a scan. You need to do a pen test every time you make a major change, you need to have a vulnerability management program, but at the end of the day, you file your SAQ or your ROC once a year. You still need to be secure throughout that year because if you, in fact, if you're hacked and it's found that you weren't in compliance at the time of the hack, you will be held liable. I think you need to be secure. Security and compliance collide all the time. But as I said earlier on, sometimes the business will demand that you're in compliance with regulation XYZ in order to grow, and it will take precedence, and I understand that from a business perspective, and that's a risk that organizations sometimes need to take, but security has to be done at all times.

Erich Kron:

Yep. That's kinda how I see it as well. They're not necessarily the same things. We all know this, right? Compliance is much more of a binary type of thing. It's either yes or no. Now there's gray area in there when you're arguing with the auditor, but they either end up checking the box or they don't check the box at the end of the day, where security is a lot more ambiguous.

Jelle Wieringa:

So this is your typical chicken and egg question that we all ask in security, right? What's more important? What came first? The reason for it is that it'll depend on the risk that you have at that current moment in your organization or the opportunity that you have in your organization. Sometimes security will prevail. Sometimes complete compliance will prevail. It depends. It shouldn't be a set parameter; security shouldn't always overrule compliance and compliance shouldn't always overrule security. Actually, if you have that view, if you can actually see what risk you run, you're doing okay, you have visibility, and then you can decide what you need to do at any given time.

Erich Kron:

So, this has been a fantastic discussion with Mathieu here. I think it's been wonderful to hear about these things, to learn about these things from somebody that's done so much in the industry. If you would like to contact Mathieu, find out a little bit more about him, reach out to him and chat with him yourself, the information will be in the show notes here so that you can reach out to him on LinkedIn, through email or through other social media. Or you can even find out more about the advisory board that we talked about earlier. Again, all in the show notes. And thank you for joining us for this episode of Security Masterminds. I hope you have enjoyed it. I hope you've learned some things, and we really appreciate you listening to us. Let us know if you have ideas of other people you want us to talk to or other topics you'd like us to address; please feel free to reach out to us on social media as well.

Jelle Wieringa:

And if you liked this podcast and you haven't subscribed yet, please do. And let us know what you think about it. You can leave a review on your favorite platform, be it Apple or Spotify or whatever you're using. Share with us what you think, what we can change, what we can do better.

Announcer:

Coming up on our next episode of Security Masterminds.

Jean-Michel Azzopardi:

So, keeping it as simple as possible, a blockchain is a networked database with multiple instances of the same data stored in different physical locations. All of those locations are directly connected, and it cannot be changed individually without changing them all. It's immutable, it's checkable and it is secure.

Announcer:

We welcome you to join us with our guest Jean-Michel Azzopardi. You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshn. We invite you to share this podcast with your friends and colleagues. And of course you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Introduction
VigiTrust Global Advisory Board
5 Stages of Cyber Grief
Mathieu's Second Book
COVID & the Workplace
How Mathieu Got into CyberSecurity
What are the biggest blind spots in Enterprise Security?
Reducing Risk with the Board
Security vs. Compliance
Closing & Episode 11 Teaser