Video: Greg Sparrow and Evan Kirstel Talk Cybersecurity and Data Privacy

CompliancePoint President Greg Sparrow joined Evan Kirstel on a LinkedIn livestream for a wide-ranging conversation on cybersecurity and data privacy. In the interview, Greg explores:

  • How startups can navigate the complexities of data stewardship
  • The impact of the constantly changing data privacy regulatory landscape
  • The challenges of managing PHI for healthcare organizations
  • Lessons on vendor security from the CrowdStrike outage
  • The importance of mitigating infosec risks for private equity firms
  • Leveraging expertise to get the most out of security technology solutions

Transcript

Evan Kirstel: Hey everybody, fascinating and important topic diving into the world of privacy, security, compliance, and risk in today’s environment with a true industry thought leader.

Greg, how are you?

Greg Sparrow: I’m doing well, Evan. Thanks for having me today.

Evan Kirstel: Well thanks for being here. Really excited to dive into this topic. You know, 10 years ago this used to be so boring, you know, and now it’s on the front page of the Wall Street Journal every day. Really excited for your expertise.

Before all that, maybe introduce yourself and who is CompliancePoint?

Greg Sparrow: Yeah, so first of all I guess I’m Greg Sparrow. I’m president of CompliancePoint.

A little bit of background on me. I’ve started out really in a lot of e-commerce, high-end web development in the late 90s, early 2000s. We were deploying JD Edward systems and large-scale e-commerce systems on the infrastructure and software development side of things.

From there, really just went in and saw that there were a lot of issues around the security front and organizations really weren’t managing off of that. So just kind of fell into the security side of things and really took that and ran with that really for the last 25 years of my career. So a lot of experience really both on the technology and infrastructure side, but also the information security side.

From a CompliancePoint standpoint, really we’re a professional services firm that specializes in information security and risk management overall. But I would say we have really three pillars, core pillars to our organization of expertise and that’s basically information security, data privacy, and then regulatory compliance.

Evan Kirstel: Well, fantastic topics and I want to dive into each of them. You do a lot of work with the VC community, private equity, folks who are responsible for data stewardship. Some of the things top of mind for them these days?

Greg Sparrow: So as a company, I think we are involved quite often on the startup side of things. So we’re on the sales side from those organizations. We also are involved with PE firms that are holding a portfolio of companies that are also on the buy side. So we really see both sides of those types of transactions that are involved.

And really from the market perspective, what we’re seeing is organizations and particularly the PE firms being more focused on what we look at as data stewardship. And we break that down for our organization into a couple of different buckets.

But in essence, when you think about a startup or any organization today, you really have a couple of different risk buckets that you have to be addressing as you go through that maturity cycle. And in essence, when you engage the marketplace, and I can tell you from my personal experience, this is something I’ve actually had to learn over time. There are risks now. We talk about everybody focuses on the cyber risk and obviously that’s a big part of what we do.

But there are risks with how you engage the marketplace and your customers. So that forward facing marketplace engagement. There are risks with data security requirements internally with how you process that information. And then of course, as everybody’s acutely aware, as of recently, there are also downstream vendor risks with how you manage risk and who you give that data to or how you allow them access and ownership of your environment.

Evan Kirstel: Yeah, very, very hot topics. Let’s talk about the regulatory landscape.

Clients evolve so much over the past few years, tough to keep up and that will only increase the amount of change here. What are some of the trends that you’re tracking and help clients navigate?

Greg Sparrow: We kind of break down the regulatory environment into a couple of different areas. You have the federal regulations and state regulations that apply to organizations and a lot of that does deal with marketing compliance piece. So how you’re engaging the marketplace with things like TCPA, there’s CAN-SPAM, there’s a lot of different areas really. You can look at it almost from a channel perspective, whether you’re dialing, whether you’re emailing. There are regulations around how you do all of that and how you’re engaging the marketplace and or your customers. So there’s a lot of complexity there.

I’d say of late, what we’ve seen kind of since, you know, in the last few years, we’ve seen things evolve really on the data privacy side of things, right? Where it’s not just about how you contact people or what type of consent you might have, but it’s also about what you do with their information, that personal identifiable information once you actually have that. That trend, I would say, really started probably five to six years ago, largely in Europe under GDPR. There was a big scramble around 2018 for organizations to solve for that.

And then we’ve seen various iterations of that start to form out basically at the state level right now in the United States, particularly the state of California is really leading the way on the privacy front with that. But there are various other states that continue to pile on with that. So the complexity that organizations are facing around things like data privacy is ever-increasing.

And then at some point, we do think that we will see some level of federal regulation to essentially standardize those requirements and in some ways level that playing field. I think the federal view of that is not necessarily a bad thing. I think it actually can help simplify some of the complexities that you face right now versus the state level regulations.

Evan Kirstel: And a lot of industry-specific compliance requirements that go quite deep. I know a fair amount about the healthcare industry. It’s kind of amazing when you peel back the onion. How do you look at compliance across industries? And how do you navigate industry sectors now given the massive regulations that are out there?

Greg Sparrow: So PHI data, the regulated data set in the healthcare industry is a bit unique and there are unique requirements that come out of that from an industry perspective. We actually had developed as an organization, that is one of the industry verticals we’ve specialized in is actually the healthcare industry. There’s just a nomenclature and an approach there that is unique, that is needed for that industry.

I will say actually in a lot of the other areas when you’re dealing with more general PHI, personally identifiable information or rather PII, that is really what we consider to be a horizontal problem. We look at a lot of those challenges as not being industry-specific, but something that we are solving for across the board and that many organizations really are facing the same challenges around.

Evan Kirstel: It’s going to get even more challenging, I think.

And we’re in the midst or the tail end hopefully of the meltdown, the great blue screen of death meltdown, I guess. What are some of the takeaways, insights from your point of view, your unique point of view on what’s happened and what people should be thinking about next in terms of mitigating these kinds of disasters?

Greg Sparrow: So I think when you look at the CrowdStrike issue, you have a couple of different things that pop into mind and I think this really goes back to the vendor network, right?

Who are you introducing into your ecosystem that represents risk and does that represent a single point of failure?

There’s been obviously a trend to go to the cloud to standardize on providers really and how the infrastructure is hosted, right?

We’re basically outsourcing much larger chunks of that information system stack, right? And I think there are advantages to that, certainly from an expertise and specialization standpoint, but I think there are also risks that are presented on the other side of that coin, right?

In essence, you’re also outsourcing someone’s ability to solve or fix or solution for whatever problem might pop up and you’re also looking at more wide-scale single points of failure. And I think that’s really been illustrated in the last few days that you can have when a problem occurs at a very fundamental level where there’s such a large deployment. This represents really a risk beyond just an organization, but almost a systemic risk across the industry. And you’ve seen essentially the airline industry be shut down in large part for the last few days.

So I think you have to be smart about how you’re applying this. I think certainly also to some extent in their credit, it speaks to their position, their dominant position in the marketplace from a provider standpoint. But with that, I think you have to also look at from an organizational perspective, how do you continue to deliver services?

How do you do that in a way where you’re minimizing some of these downside risks where you do have a single point of failure?

Evan Kirstel: Yeah, really great points. And when it comes to your practice, obviously you’re a professional services firm, but how do you see tools and technologies and platforms being used or how do you use them in your business to kind of help clients?

Greg Sparrow: So I think the way we like to look at it, and I think this is kind of back and forth in the industry as we see it throughout the years, there are absolutely great technology solutions out there. What we feel like we’re solving for in the industry is really the lack of knowledge or expertise in how to maybe apply or manage the information that comes out of those tools and technology. So that is something that we really focus on and feel like that we bring to the table is that we’re bringing expertise to the table.

Oftentimes when we go into organizations, whether it may be post-breach or post-incident, whatever is going on, there is actionable information, actionable tools that are in place, but people don’t really know what to do with the information that is being presented.

So I think when you’re looking at building out programs to help mitigate risk, whether it’s regulatory risk, data security risk, or data privacy, all of those pieces, it’s a good program in our mind, is a combination of tools, technology, and expertise. And we are trying to solve really for that core bucket of providing the expertise side of that.

Evan Kirstel: And you work a lot with private equity who increasingly are taking giant chunks out of the tech marketplace, in particular telecom, where I do a lot of work. How do you view risk in that world and what should those stakeholders focus on first?

Greg Sparrow: Yes, so I think the way we look at ourselves organizationally, so if you’re on the startup side of things, I think the benefit for us, from us, is really about how do we help you accelerate your maturity in these areas, right? And I think that gives these organizations a couple of different things.

So from the startup side of it, I think we can help you accelerate how you mature your programs out, whether that’s information security or data privacy. We also can help you reduce the friction on the sales cycle.

A lot of the security side of things, the compliance side of things, these are very important in deal-making, particularly in larger deals, depending on who you’re selling into. So I think we really accelerate things on that side of it.

On the private equity side of things, the dynamic that we see in the marketplace is that there were these huge valuations that were out there a few years ago, a lot of deal making going on. And frankly, a lot of that has slowed down, which means that these middle-market PE firms that are basically holding a portfolio of companies are now having to hold that portfolio for longer, which means that the likelihood of some material event occurring around these areas is higher, right? And so they need to be thinking about how they’re managing that portfolio risk. And so we’ve really helped them to come in and make sure that the portfolio of companies isn’t presenting some major event that might occur either regulatory or from a cyber perspective.

And we’re seeing real meaningful impact on the exit side of this. Where there is material impact now in these events on the buy side. If someone sees a major breach, that is impactful to valuation at this point, and organizations have to stay focused on that.

And so making sure that you’ve got the right pieces in place to essentially, we look at it as we’re trying to help facilitate deal flow to reduce friction in that exit. So that as these questions come up, there are good responsible programs and answers in place that basically minimize that becoming a bigger issue.

Evan Kirstel: Yeah, fantastic approach.

And when it comes to startups and their early stage investors, how do you view the startup life cycle? I see so often privacy security compliance is sort of an afterthought with either moving at a thousand miles an hour. So what should they focus on first?

Greg Sparrow: Yeah, I mean, I think the way we try and approach things is to be very practical and pragmatic with startups. We understand that they’re fighting for their lives, right? I mean, I’ve been there as an entrepreneur myself and understand what it means to get a business off the ground and to have a minimum viable product and all those things.

And so what we’re trying to do really is appropriately manage the level of risk relative to the impact or the reach that they have in the marketplace, right? So at the very beginning, that might be somewhat minimal, right? And we’re trying to figure out what is the basic fundamental food and shelter pieces that they need in place to simply deliver their product or service to the marketplace in an effective way, right? So that might not be too complicated at the beginning, right?

But then as you have more customers, a larger customer base, a bigger brand that’s represented in the marketplace, bigger reach into the marketplace, all of those things scale up, right? As that accelerates through that life cycle and they get into those later growth stages, then we’re really talking about how do we mature those programs to effectively manage off of that risk, either for the data that they’re storing or how they go out to market, all of those things become much more important with the scale and size of the business.

And I think applied correctly, a lot of what we do helps those organizations mature in ways that they normally would not otherwise or would take much longer from an internal process perspective.

Evan Kirstel: Yeah, fantastic approach.

As you look out across the landscape, what are some of the big potential roadblocks, challenges you see out there into the next couple of years? What keeps you up at night?

Greg Sparrow: I think there’s a couple of things I would highlight with that. I think as I’ve talked about, we really organizationally are trying to solve for the knowledge gap, bringing expertise and people to bear on these problems.

When you take a step back and look at the industry as a whole, I think we have a huge shortage of qualified experts in this industry, whether it’s around information security or things like data privacy. These are very fundamental things that we’re going to have to solve for. And we’ve got to figure out how as an industry as a whole, do we bring more people into these fields to provide this level of expertise, right?

I think you’re seeing a similar scenario play out in the AI world, right? Where there’s just not enough qualified people out there to provide all of the services and expertise that’s needed. So I think figuring out how do we, you know, as an industry, educate people, provide formal training, getting this in the university systems to where we are supplying the demand that is needed out there in the industry overall. That is a big problem to solve for in my mind.

The other side of this, I think it goes back to the data privacy side of things, right? I think you’re going to see continued regulations in those areas. I think you’re seeing it at the state level and it’s evolving out in kind of this hodgepodge scenario.

And I think, frankly, that’s tough for businesses to handle. To some extent, it’s good for us. It’s complexity and as a consulting and professional services firm, complexity is a good thing. But I think from an industry perspective, it’s hard to deal with those state-level laws, particularly where there might be even conflicts from a regulatory perspective. So how do you navigate all of those things on a state-by-state basis? And I do think that that’s really where from a data privacy standpoint, you know, we need to look at how do we, in a meaningful sense, provide some type of federal regulation around this that levels that playing field as I’ve talked about earlier.

Evan Kirstel: Well, it’ll be interesting to watch our friends in the government trying to help, right? It’s the old joke, I’m from the government, I’m here to help. So we’ll see how that works out.

So you’re down in Atlanta. I see you’re an avid golfer. Do you get out on 100-degree days or do you look for mornings and evenings?

Greg Sparrow: Usually, early mornings and then I quit about halfway through. It’s pretty tough right now to actually make that happen.

Evan Kirstel: Well, come up to New England, we have some great golfing and it’s nice and cool by the water.

Thanks so much, Greg, really insightful, informative work. I appreciate the content, the educational awareness that you put out. And thanks so much for joining.

Greg Sparrow: Thanks Evan. Appreciate you having me.

Evan Kirstel: Likewise, thanks so much, everyone. Thanks for listening. Thanks for watching.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.