An interview on compliance with Eric Ratcliffe, Director of Compliance Strategy at 360 Advanced: “compliance is just a first step in the journey toward thwarting cyberattacks”
More and more organizations are falling victim to attackers. With the pandemic affecting many people's health, cybercriminals are working overtime, flooding the Internet with threats.
Some of the most reputation-damaging attacks an enterprise can experience are data breaches and ransomware. Not only can a company lose sensitive information, but such attacks can also disrupt business operations and erode profits and customer trust.
To reduce the risk of data breaches and their consequences, organizations can invest in cybersecurity controls and regular compliance audits.
Since your start in 2004, how has 360 Advanced evolved? What were your major milestones?
Back in 2004, it was a very different landscape. Most organizations still managed their own infrastructure, and we only offered SAS 70, PCI, and HIPAA as our main services. SaaS and cloud were new words and new concepts back then. Fast forward to where we are today, most organizations outsource many key components of their services, and SaaS companies are exploding all over the world. With this new way of doing business and reliance on others, the compliance industry has also exploded. We now offer 20+ services, and I can see it increasing with the rise in new privacy laws.
Can you introduce us to what you do?
Most of my week consists of having conversations with new prospects as well as clients about how to manage compliance requests or demands. The majority of our clients are B2B service providers, and their customers need to have comfort in how secure they are as a company and how they ensure the data that they handle on behalf of their clients is protected. One of the biggest challenges is that many of them provide services to multiple regulated industries, so the goal is to leverage what you can and try to satisfy the compliance requests in a cost- and time-effective manner.
How are tailored compliance strategies developed?
Tailored strategies are developed by gaining an understanding of the short and long-term business objectives. Good compliance programs take time and an understanding of a business’s goals. What industries may you expand into, what markets or territories, and what new regulatory requirements will you encounter? These questions need to be addressed so a strategy can be developed over time. A good security and compliance program doesn’t happen fast – it takes planning, budget, and executive support.
You describe 360 Advanced as a relationship-focused company. Would you like to tell us more about your vision?
My career has been built around relationships, and to me, I am not here to make a transaction. I want to get to know my clients, understand their needs, and work hard at making life easier for them. It is our daily goal to avoid a transaction and become part of the team by developing trust, value, and a return on investment. We truly become an extension of their team while remaining 100% independent. We are a client-focused organization; our most successful clients understand that and will leverage me and the rest of the 360 Advanced team to help establish and maintain the compliance/cybersecurity program on an ongoing basis.
It seems like the pandemic challenged cybersecurity worldwide. In your opinion, what are the main takeaways?
Wow, has it ever. I see how it exposed risks that were difficult to imagine. The pandemic greatly expanded the reliance on key vendors and applications/technologies as well as on employee trust. Simple things such as connectivity, how to use virtual meeting solutions, and understanding the data risks these changes expose were overwhelming. The organizations that were best prepared had great communications, leadership, the ability to assess risks, and the ability to implement change rapidly. We all have learned so much, and it exposed many risks that were considered unlikely and low-impact. I think the pandemic drastically changed the way we think about cybersecurity.
What issues can an organization run into if it doesn’t have appropriate compliance certifications in place?
Other than the obvious potential systemic flaws that may lend themselves to hacking and ransomware demands, the biggest issue that I see is loss of revenue or sales opportunities. More now than ever, companies are raising the bar on their outsourced providers related to third-party assessments. Since achieving these requires investments in both time and money, oftentimes if you are not ahead of the curve, some companies are left behind. It may even create a lower valuation during a potential investment or acquisition. Certain projects such as HITRUST and ISO may require large budgets and time commitments, and can take anywhere from 12 to 24 months.
In your opinion, why do certain companies still fail to recognize the necessity of regular compliance audits?
In most cases, it seems to be an executive support issue. This means a lack of funding, people, or old technology. A close second is the lack of enforcement by their customers. Some wait until they are pushed or penalized for non-compliance. It is critical to have a top-down approach across an organization, as compliance is just a first step in the journey toward thwarting cyberattacks.
Additionally, what would you consider to be the worst cybersecurity habits that are widely prominent nowadays?
Some of the worst cybersecurity habits that I have noticed are:
- The lack of funding
- No risk assessment or an old risk assessment
- No security awareness training for all employees
- No penetration testing or vulnerability scans
- A perception that achieving compliance or completing an assessment is the end of the journey. The efforts should not be seen as a periodic ‘project.’ They need to understand that they are here to stay and need to figure out how to conduct compliance-related activities as part of the normal course of business.
Talking about personal cybersecurity, what safety measures would you recommend to every Internet user?
A Zero Trust approach! Zero Trust is a mindset or a process rather than a product. Look for any online security awareness training and think before you click on any attachment or link. When possible, pick up the phone and call in order to verify an individual, especially when it comes to financial transactions. The biggest issue is typically a human problem and not a system problem.
Would you like to share what’s next for 360 Advanced?
We’ve just made some larger investments to expand our penetration testing services in anticipation of increased client needs. We make decisions based on being ‘built to last’ and, with that, are also heavily investing in our team members to ensure we continue to provide excellent experiences for our clients. Not long ago, cybersecurity and IT compliance were an afterthought, and now they are typically the things that keep IT and the C-suite up at night. We’re doing our best to help people sleep better.