S3 E13: Cybersecurity in an Era of Deregulation
Transcript
Jordan Eisner: Hello, and welcome to Compliance Pointers. I’m your host, Jordan Eisner. And today, I’m joined by Milou Meier. We’re going to talk about cyber deregulation.
Milou Meier: I’m excited to be here.
Jordan Eisner: Yes. Good to have you on. I realize that’s the first time I’ve actually said your last name, Milou.
Milou Meier: You said it right.
Jordan Eisner: Did I pronounce it right?
Milou Meier: Yeah. It’s my married name. Yeah, Meier. So my maiden name is Lammers. Dutch by background, but German last name.
Jordan Eisner: Meier is easier for me, at least.
Milou Meier: It’s easier. Yeah.
Jordan Eisner: So Milou is an attorney. And on top of that, she served as a director of compliance in several organizations. She’s the founder of Compliance Counsel, of Cyber Counsel, also a podcast. What’s the name of your podcast, Milou?
Milou Meier: Socializing Security.
Jordan Eisner: Socializing Security. But her practices, Compliance Counsel and Cyber Counsel provide information security, data privacy, cybersecurity compliance and audit expertise for security assurance and trust programs for startups and technology companies. So a wealth of information here today on this special episode of Compliance Pointers. Thank you for joining.
Milou Meier: Thank you for having me. I think you did my spiel better than I do normally. I thank you. I’m probably going to know about that afterwards, but I’m really excited to be here today.
Jordan Eisner: Yes, we are. We’re excited to have you a real pro, real pro podcaster on here.
Milou Meier: I don’t know about that. A real amateur podcaster, but my co-host and I, Brian, we do have a lot of fun on the podcast. It’s a fun way to network with cool people about InfoSec, compliance, and privacy. Exactly what you just said in a different way than when I’m talking about work stuff. But today I’m going to try to wear more of my corporate hat as opposed to my podcaster hat.
Jordan Eisner: Got it. Got it. And I know you invited us too. This is sort of a home and away podcast. Have we already done that one?
Milou Meier: Not yet. Not yet. I think fingers crossed on Friday, but I might be making a little bit of a pit stop. I’m heading out to DC this week for… a bit of an unexpected work travel and I might be driving home from Virginia with a new family member. I am driving out to Virginia to meet a dog to adopt. So I’ll be passing by Atlanta.
Jordan Eisner: You said might be driving home a new family member, but let’s be honest, if you’re going to meet the dog, it’s probably 95% or higher.
Milou Meier: Yes. My husband might disagree with that, but yes, the percentage is quite high. She seems pretty special. I don’t want to get my hopes up though. You never know. I do have a service animal. And so she’s really the one that will dictate whether or not they’re the right fit. And then if she is, then, you know, she might get to train with me and be a new part of our family. So we’re pretty excited about it.
Jordan Eisner: Right. And I got to meet you and your service animal in person unexpectedly just a month ago. No, the beginning of this month, we’re still inside March. It feels like a year ago.
Milou Meier: It does feel like a year ago. I feel bad. I really haven’t done my follow-up from HIMSS, which is where we were at. We were at a security conference in Vegas. Small world. It was the first time… you and I had known each other for a while, but it was the first time we ever got to see each other in person. And I think, yeah, I present relatively loud at events like this. So I think you actually found me just because of, what was it, Kevin sent you my LinkedIn post or something?
Jordan Eisner: Kevin said, hey, guess what? Milou’s there. Yeah. It was good. It was meant to be.
Milou Meier: It was great. Yeah, it was really fun. Got to meet the whole CompliancePoint. Well, some of the sales team, right?
Jordan Eisner: The whole sales team.
Milou Meier: Which was awesome. Everybody was great.
Jordan Eisner: Good time. Big conference.
Here we are today talking cyber deregulation. So let’s start with your perspective. How is the cybersecurity landscape changing from a federal point under this new administration?
Milou Meier: It’s changing rapidly, which I think most of us in the community were expecting with this potential change, with this shift in administration. For any type of regulatory background, I think, industry, if there’s a large change in, honestly, not even just the US, for any large major global player, right, it can have an impact on global company regulation. I personally am having a hard time keeping up. And I think that’s what I’m hearing from my colleagues as well. It’s just like a lot of noise.
I think that’s a little bit scary from where I sit as somebody who advises companies, actually a lot of government companies, because like defense contractors are having a hard time staying abreast because, you know, at least in the US, a lot of them are the most regulated.
What we’re seeing, I think there’s a vibe culturally around the world that the US is relatively unregulated when it comes to technology. I don’t necessarily agree with that. I think we do actually have some excellent regulation. We have privacy laws in place. We’re seeing a progressive trend towards more regulation. I think Compliance Pointers talks about that a lot on the telemarketing side of the house, if I’m correct, Jordan.
Jordan Eisner: Yeah. I mean, it’s constantly changing on the marketing compliance side. That I will agree with.
Milou Meier: I think that area of the law it’s usual that there’s more rapid change. I think on the technology side, we’re a little bit behind on the marketing compliance side. So I think we’re picking up.
Because technology compliance, when we think about it, it’s been all over the news for years. Right. We’re all aware of massive data breaches. We’ve seen it on a very regular scale. For all of us it’s something that, you know, I have my neighbors asking me about password managers. I have my parents being like, hey, how can I change my cloud storage?
It’s something that’s talked about at home which means it shouldn’t be surprising that a new administration is potentially coming in and changing a lot especially if it’s something that people are talking about.
Jordan Eisner: So part of what we want to get into as well is the assumption, it’s in the title, deregulation, that the government would be taking its foot off the gas a little bit in some of these cybersecurity requirements and that some businesses might see it as an opportunity to back off. That sounds like a big, bad idea, to back off of cybersecurity posture. But, you know, there’s a handful of things that go into it. And complying with certain regulations or frameworks is not exactly always equal to security, and vice versa, and perhaps it removes some of the red tape and such policy- and governance-heavy requirements and allows them to maybe harden some more of the defenses from a technology standpoint. That’s really what I was getting at with the question. In your perspective, do you feel that it’s across-the-board deregulation, or is it just a mixed bag? Or you had almost even hinted that it’s progressing in some instances. So what’s your read that way? And, as a follow-up to that, where do you think businesses are going to go based on whichever way you feel the landscape is moving?
Milou Meier: I think the second question you just asked is easier to answer. I think businesses will most likely invest less in security, which as a consumer, as a human being, as somebody who cares a lot about security compliance. That really scares me.
But also security is super expensive. It’s a really cost-prohibitive part of back-end ops for businesses. So like there is some give and take to, you know, if you’re expecting mom-and-pop shops to have like a full-blown InfoSec program, like, probably unrealistic just because it is super expensive.
I will say, I think the deregulation space, I think that’s become very clear in the last couple weeks here, we’re talking in March of 2025. You know, the US government came out and announced some pretty major changes to FedRAMP, which is a federal regulation that really applies to government contractors in the US, but it does have a trickle-down because generally FedRAMP is actually on a prime contract, so it actually touches like every portion of the contract. So all of the subcontractors have to fall in line, which is really hard sometimes. It’s a small marketplace. I think we’ve seen it very clearly in the last week, where the government is focusing on deregulation, because they announced a new program which, I’m not sure, I’ve seen a couple of ways of it being announced. It’s basically like the FedRAMP 20x program. It’s so new that I don’t even know what the lingo is. This is like before, you know, when the General Data Protection Regulation came out, for months we were saying that. Then suddenly we were like, GDPR. It’s so new that I’ve heard FX20, I’ve heard FR20. Have you heard this yet, of like what it’s being called?
Jordan Eisner: Nope. I’m still catching up with StateRAMP being GovRAMP now.
Milou Meier: I hadn’t even heard that one. See, again, it’s so hard for us as practitioners and technologists to keep up, which means, because there’s such a high volume of change, which again is relatively normal for an administration change, it’s just a lot quicker than we’ve normally seen. And so that’s the part of it that I’m having a hard time with, of just seeing like, hey, FedRAMP, the new lighter version, is going live, I think, in like two weeks. Normally there’s a request-for-comment period that’s like nine months.
This administration, from my understanding, is pretty into efficiency and like making programs go quicker, so like change is happening quickly. I am a little bit concerned about who will be supporting the change, because they’ve also cut a lot of the internal staff. That’s actually like within the regulation body, right? So the regulatory bodies are now a lot leaner, which means if they’re suddenly seeing an influx of a ton of applications for a new cybersecurity standard, I feel for those employees specifically. That’s a beast.
Jordan Eisner: So where do you think these organizations, like you said, if the regulations and everything are rapidly changing so fast that the experts aren’t even really keeping up with, you know, today’s acronyms or today’s pass as going, you know, the companies are even going to be further behind than that. The ones that are seeking third-party support or advisory from the government. It seems like there’s going to be less guidance from the government. So where would you recommend businesses look to fill that void?
Milou Meier: What I’ve seen is the most inspiring is actually reaching out and relying on your partners. So what I’ve seen is I’ve actually had clients reaching out, being like, hey, our audit firm sent us this. Like, what do you think? Or like, hey, I heard this from a friend at a conference. I had a lot of conversations like that at HIMSS, which we mentioned earlier, where someone was like, oh, hey, like a buddy of mine works for so-and-so.
The cybersecurity community specifically is really small. It’s a really tight-knit group of people, which is also how you and I happened to bump into each other at one of the largest conferences in the healthcare space specifically. And we just bumped into each other because, again, the cybersecurity space was a smaller part of that conference.
And what I’m inspired by is the fact that clients, friends, community members, random strangers on LinkedIn are actually reaching out to people like me about being like, hey, I heard this article, like, could you weigh in on this? Or like, hey, so and so did this, you know, what do you think?
And so what I’m noticing is because there’s such rapid change from a government perspective, which is, again, I think what we all expected from there, I’m noticing kind of like a grassroots effort amongst friends, peers, colleagues of sharing information. Which that I’m all about.
Obviously we’re not sharing confidential information, I would never recommend that, but there is something about relying on your professional community, your local community, of actually asking, like, hey, let me call my friend and ask for their advice as opposed to looking it up on the internet, which is new.
Jordan Eisner: That’s a good point. So, well, how about this? Part of what I was going to get to with that question is, okay, federal is what it is. We’ve talked about that a good bit. What about an expectation at the state level?
You mentioned marketing compliance earlier. There was a ruling in the Facebook case. All of a sudden, the TCPA and what is an ATDS had a little bit less teeth to it, or at least perceived teeth to it. Class actions went greatly down, but then states started popping up with mini-TCPAs. And so, not asking you to comment on that, but from a cybersecurity standpoint, should we expect to see maybe more states start to put language and bills and legislation forward in that realm?
Milou Meier: Yeah, I think to the point on the TCPA side, I’ll just say as a consumer, I’m getting way more spam. Way more smishing, which is like, unsolicited text messages to my personal cell phone and my work device, right? And I’m proudly on the do not call list. Like, I’m proudly on, like, state-specific lists where it’s applicable and all that stuff, especially because I’ve learned a lot, actually, through CompliancePoint and my relationship with your firm.
As a consumer, I’ve noticed a really interesting shift in like the volume of unsolicited messages I’m getting in my email, in my phone. I’m even getting voicemails and stuff like that. My phone is starting to feel like a less safe place, in the same way that I’m on social media. I’m getting like a lot of unsolicited messages.
So I’ll just speak as a consumer, where I’m saying like I’ve noticed a really significant change from that over the last couple months. It could be coincidental, but it could also just be that I think there might be an era of feeling like cybercrime might be easier to follow through on. This is like purely my own opinion here.
Jordan Eisner: It’s interesting to bring that up, and some commentary, I guess, on what I’m seeing or what I think. There are two distinctions to make with that, and that is, you know, the spamming or the spoofing or the smishing. Those are never legitimate telemarketers. Those are like the companies we represent at CompliancePoint when we work with. Like, these are legal telemarketing, legitimate companies, B2C, you know, a lot of Fortune companies even that are just trying to interact with their consumers. But the industry is so scrutinized because of a lot of bad agents, because of a lot of historically bad practices that can come across as abusive. That’s where it’s important that these companies establish safe harbor and have defendable positions they can rely on, because some mistakes happen.
On the smishing and that sort of front, yeah, absolutely, I’ve seen a huge uptick in that. That’s the new route. I think phishing, consumers are becoming a little bit more wise to, but the smishing campaigns are just outrageous. And I feel you on the phone, just constantly.
Milou Meier: There’s just more cyber abuse is what it seems like. That’s just as a cybersecurity lawyer, that’s what I’m noticing as a consumer, which makes me nervous for people that are less trained up on, is this real? Is this a phish, right? Is this a real text?
But I took us on a little bit of a tangent. So I’ll go back to your question about state regulation. I think for practitioners, we are going to see a lot of noise on the state side. And I think it will be, I do think it will feel relatively political, of which states fall in line versus which don’t. I think we’ll see more of a trend on the blue side versus the red side. I think there will be a different landscape, which is really hard for businesses to comply with, especially like US businesses that operate in multiple states.
Generally, right, when you’re building like an infosec or privacy program, or honestly any compliance program, it’s generally best to figure out what is the like right line, strictest standard, and just filter that down through your company as opposed to like cherry-picking individual states. That’s usually what I recommend for my clients and, you know, friends, peers that I work with and advise. It’s generally just like, you know, when we saw the GDPR, right, I mentioned it already earlier, for certain companies it was actually easier for them to just implement a global privacy program that just aligned with the entire GDPR. That doesn’t work for everybody. The GDPR applies to mostly like the EU and UK, and it’s stricter than what we have in U.S. privacy law, but for certain companies they decided, being like, hey, for marketing practices, it’s easier.
Other companies are like, no, actually, there are certain things that we do in the EU that’s different than what we do in the US, which is different than what we do in Japan and China and Brazil. There’s so many different global regulations at play at the moment.
But when we’re talking about deregulation potentially on the federal side, it now means that the states will probably have to act more as their own individual bodies and create their own legislation. That will impact U.S. businesses that work in multiple states dramatically because, say, they work, you know, I live in Texas, so we can pick on Texas. You know, they’re founded in Texas, but then, you know, they do business in California, and then they do business in Rhode Island and Colorado and Alabama and Arkansas. And that’s it. And they all have different state regulations on information security and cyber. It’s going to be hard to figure out who to follow, especially if there’s not a lot of guidance on the federal level.
Jordan Eisner: Yeah, you got to adopt a standard somewhere, right? A framework that takes into account, I think, perhaps state nuances here and there, but just has an organizational, foundational privacy program, cyber program. Something of that tune that you can pivot, but it’s not so cost-prohibitive to have this hodgepodge program that’s based on all these different states. You’ve got to have a baseline that you build off of.
Milou Meier: Yeah, I think we will also see if we’re seeing potential deregulation on the technology side, whatever that really means for U.S. companies is a little tricky to really pigeonhole just because it could be infosec, it could be privacy, just any type of like technology compliance.
What I think is we’ll see companies shoring up providers. I think they will look at who they’re spending money on and with. I hope that they look at which cybersecurity providers they’re looking at and figuring out, is this still the right fit for us if we need more regulatory support? If suddenly we do need… you know, to phone a friend more often.
For example, I’m doing a lot of like compliance program benchmarking, which is tricky because they’re static, right? You know, what makes sense for the company in, what, Q1, Q2 2025 versus the end of Q4 2025 might be really different from a regulatory perspective in the US this year. And so I’m having to do a lot of like carving out with clients, about being like, hey, this makes sense right now. Let’s think about how we feel from a risk perspective. We believe that this will make sense in three months, in six months, 12, 15, 18, three years, five years. I’ve never had to go out that far. Normally, it’s very much like, okay, we think this will be valid for one year.
We do a compliance program, like, benchmarking analysis where we look at all their regulatory touch points and we think through, you know, what are the sales verticals they want to go after? Like, what are the deals? Like, who are they? Are they targeting government? Are they going to go into healthcare, finance? You know, those are the types of projects that I really work on with clients when they’re building out a compliance program or preparing for a large regulatory change or a new contract requirement. Like, hey, we need FedRAMP.
It’s now requiring significantly more bench, like more touch points of let’s reevaluate in three months, six months, nine, which is also frustrating because it’s more expensive for them, right? Like, if you’re bringing on consultants and they now suddenly have to weigh in not only like once a year but every six months, that does cost the businesses more money.
Jordan Eisner: Well put, in terms of the uncertainty and the unprecedented times that we are in, and I like that: what somebody needs to do now, Q1 2025, could be drastically different than the second half of the year. So it’s a lot of wait and see. I think we see a lot of companies just sitting on the sidelines. And that was sort of the root of what we were talking about earlier. Hey, do you think businesses are going to do less around cybersecurity, which you thought they would? Are we going to see more states step up, especially blue states, to add regulations?
Milou Meier: I feel that cybersecurity will be very political this year, which is interesting because generally it hasn’t necessarily been that. It’s usually been a relatively, like, topic where there’s been bipartisan support, from my understanding.
So if I were a compliance practitioner and I was trying to figure out what am I supposed to do in this particular moment? I would really lean into the company’s risk management framework. And if there isn’t a good one, I would probably invest in just some resources of figuring out which risk management framework you want to align to.
Is it NIST Cybersecurity Framework? Is it ISO 31000? Is it some other like bespoke custom blend that works for your company? I think everyone’s a little bit still on hold right now because they’re just trying to just like hold on and just like wait and see a little bit from there.
So I think this would be a really good time to do like your annual risk review or every-six-month review. Ideally, if you’re kind of like going for the gold standard, it is to like look at your risks, even better if it’s quarterly, but like, depending on, you know, I say that, but like, I’ve been a team of me, myself and I at many startups and, you know, once a year was all we could do because we had so many standards to keep afloat.
From there, I would really think about, is there any opportunity for trimming the fat on the company’s compliance program? But be strategic about it. I would reach out to your partners, your vendors that you work with, such as a CompliancePoint, have them weigh in on just being like, hey, I do think that there’s going to be a pretty big push for cost cutting on the corporate side. I think that’s kind of in line with…
Jordan Eisner: It has been for a long time.
Milou Meier: Yeah. I think we talked about this at the conference when we were just like, oh, hey, what are you seeing? And I think that’s something I’ve already seen for a while. I mean, technology startups specifically, they’ve been on hold for like two years because of the potential administration change, because of the economic uncertainty with getting investment. And so for a lot of them, startups are failing, which is so sad, just because they’re running out of money because they’ve been burning on fumes for so long. It is a little bit sad because suddenly we’re seeing a huge rapid pace of change. But then, as we’ve said, compliance programs are expensive to spin up. They’re seen as cost centers, which is a bummer. I disagree with that. I think there’s a way to do it proactively, which can make it more valuable for, you know, your company, your stakeholders, your customers.
If you start to, like, I personally am a big advocate of investing in compliance and security as a market differentiator and trying to figure out how do we use, you know, a SOC 2 audit, ISO 27001 or, you know, FTC and like telemarketing compliance as like accolades that we can celebrate so that we build trust with our consumers. I think when you start to put a proactive mindset on compliance and security, whatever industry you’re in, it can start to become the thing that sets you apart from your competitors. And I think that’s probably something that a lot of companies, specifically on the technology side, should be thinking about right now.
Just because suddenly with the new administration, we’ll also probably see a huge influx of new technology and new companies, which is huge and also exciting. But it means there might be more competition.
Jordan Eisner: Yeah. Well put, Milou. Lance, we got our 90-second video we’re going to put. We’re going to capture that last 90 seconds, Milou, and that’s what’s going to be the ad for this podcast.
Well, it’s been great having you. How can our listeners and watchers get a hold of you if they want to talk to you about Compliance Counsel or Cyber Counsel?
Milou Meier: LinkedIn is the best place to reach me at the moment. I am currently in the hustle phase of growing three different companies at the same time, which is super exciting. And I’m very fortunate. I’m getting good movement from a community. So definitely, again, keep reaching out to your friends. Also, if there’s any way that I can help individuals on their journey, reach out to me on LinkedIn. Milou Meier, you can find me there.
Or again, you can go to my website too, which is ComplianceCounsel.com.
Jordan Eisner: Alright. And your tagline, right? This is today’s Compliance Counsel.
Milou Meier: This is today’s Compliance Counsel. Yes.
Jordan Eisner: Very nice. Okay. Well, it’s been great having you on. And for our listeners and watchers, you should know where to find CompliancePoint at this point, but compliancepoint.com or email us at connect@CompliancePoint.com. We’d love to have a conversation as well and can also do a pass through intro to Milou and her group if need be.
So until next time, we’ll talk about all the state cyber law that’s coming into effect. See you, Milou.