What's Up with Tech?

Mastering Data Privacy and Risk Management: Insights on Compliance, Security, and Industry Challenges

Evan Kirstel

Interested in being a guest? Email us at admin@evankirstel.com

Unlock the secrets of mastering privacy, security, compliance, and risk management in today's fast-paced business world with industry expert Greg Sparrow, President of CompliancePoint. Discover how Greg's extensive background in e-commerce and information security is helping organizations navigate the complexities of data stewardship, especially for startups and private equity firms. Gain valuable insights into the evolving regulatory landscape, including the significant impacts of GDPR and U.S. state-level data privacy laws. We also touch on the unique compliance challenges in managing PHI data within the healthcare sector, a must-listen for anyone responsible for safeguarding sensitive information.

Join us as we delve into the intricate dynamics of managing risk in the tech industry, focusing on vendor networks and cloud infrastructure. Learn how systemic issues can cause widespread disruptions, similar to those faced by the airline sector, and the importance of a pragmatic approach to risk management. Greg shares practical strategies for startups to accelerate their maturity in information security and data privacy while minimizing sales cycle friction. We also explore how private equity firms can effectively manage portfolio risk, ensuring smooth deal flow and protecting valuations from regulatory or cyber threats. This episode is packed with actionable insights and expert advice that businesses of all sizes can't afford to miss.

More at https://linktr.ee/EvanKirstel

Speaker 1:

Hey everybody, fascinating and important topic: diving into the world of privacy, security, compliance and risk in today's environment with the true industry thought leader, Greg. How are you?

Speaker 2:

I'm doing well, Evan. Thanks for having me today.

Speaker 1:

Well, thanks for being here. Really excited to dive into this topic. You know, 10 years ago this used to be so boring, you know, and now it's on the front page of the Wall Street Journal every day, so really excited for your expertise. Before all that, maybe introduce yourself. And who is CompliancePoint?

Speaker 2:

Yeah, so first of all, I guess, I'm Greg Sparrow. I'm president of CompliancePoint. A little bit of background on me: I started out really in a lot of e-commerce, high-end web development in the late 90s, early 2000s. We were deploying JD Edwards systems and large-scale e-commerce systems on the infrastructure and software development side of things. From there I really just went in and saw that there were a lot of issues around the security front, and organizations really weren't managing off of that. So I just kind of fell into the security side of things and really took that and ran with it, really, for the last 25 years of my career. So a lot of experience, really, both on the technology and infrastructure side, but also the information security side. From a CompliancePoint standpoint, really we're a professional services firm that specializes in information security and risk management overall. But I would say we have really three core pillars to our organization of expertise, and that's basically information security, data privacy and then regulatory compliance.

Speaker 1:

Well, fantastic topics, and I want to dive into each of them. And you do a lot of work with the VC community, private equity, you know, folks who are responsible for data stewardship. What are some of the things top of mind for them these days?

Speaker 2:

Yeah, so as a company, I think we are involved quite often on the startup side of things, so we're on the sell side, right, from those organizations. We also are involved with PE firms that are holding a portfolio of companies that are also on the buy side. So we really see both sides of those types of transactions that are involved, and really, from the market perspective, what we're seeing is organizations, and particularly the PE firms, being more focused on what we look at as data stewardship, and we break that down for our organization into a couple of different buckets.

But, in essence, when you think about a startup or any organization today, you really have a couple of different risk buckets that you have to be addressing as you go through that maturity cycle. And when you engage the marketplace, and I can tell you from my personal experience this is something I've actually had to learn over time, there are risks. Now, everybody focuses on the cyber risk, and obviously that's a big part of what we do, but there are risks with how you engage the marketplace and your customers, right, so that forward-facing marketplace engagement. There are risks with data security requirements internally, with how you process that information. And then, of course, as everybody's acutely aware as of recently, there is also downstream vendor risk with how you manage risk and who you give that data to, or how you allow them access and ownership of your environment.

Speaker 1:

Yeah, very hot topics. Let's talk about the regulatory landscape. It's evolved so much over the past few years, tough to keep up, and the amount of change here will only increase. What are some of the trends that you're tracking and helping clients navigate?

Speaker 2:

Yeah, so there are always... I think we kind of break down the regulatory environment into a couple of different areas. You have the federal regulations and state regulations, right, that apply to organizations, and a lot of that does deal with the marketing compliance piece. So how you're engaging the marketplace with things like TCPA; there's CAN-SPAM. There's a lot of different areas, really. You can look at it almost from a channel perspective. Whether you're dialing, whether you're emailing, there are regulations around how you do all of that and how you're engaging the marketplace and/or your customers. So there's a lot of complexity there.

I'd say, of late, in the last few years, we've seen things evolve really on the data privacy side of things, right, where it's not just about how you contact people or what type of consent you might have, but it's also about what you do with their information, that personally identifiable information, once you actually have that.

That trend, I would say, really started probably five to six years ago, largely in Europe under GDPR. There was a big scramble around 2018 for organizations to solve for that, and then we've seen various iterations of that start to form out, basically at the state level, right now in the United States. Particularly the state of California is really leading the way on the privacy front, but there are various other states that continue to pile on. So the complexity that organizations are facing around things like data privacy is ever increasing. And then at some point we do think that we will see some level of federal regulation to essentially standardize those requirements and in some ways level that playing field. I think the federal view of that is not necessarily a bad thing. I think it actually can help simplify some of the complexities that you face right now versus the state-level regulations.

Speaker 1:

Great point. There are a lot of industry-specific compliance requirements that go quite deep. I know a fair amount about the healthcare industry. It's kind of amazing when you peel back the onion. How do you look at compliance across industries, and how do you navigate, you know, industry sectors now, given the, you know, massive regulations that are out there?

Speaker 2:

Yeah, so PHI data, the regulated data set in the healthcare industry, is a bit unique, and there are unique requirements that come out of that from an industry perspective. As an organization, we actually developed that as one of the industry verticals we've specialized in: the healthcare industry. There's just a nomenclature and an approach there that is unique, that is needed for that industry. I will say, actually, in a lot of the other areas, when you're dealing with more general PHI, personally identifiable information, or rather PII, that is really what we consider to be a horizontal problem. Right, we look at a lot of those challenges as not being industry-specific, but something that we are solving for across the board and that many organizations really are facing the same challenges around.

Speaker 1:

Yeah, it's going to get even more challenging. I think your unique point of view on what's happened, and what people should be thinking about next in terms of mitigating these kinds of disasters...

Speaker 2:

Yeah. So I think when you look at the CrowdStrike issue, you have a couple of different things that pop into mind, and I think this really goes back to the vendor network, right. Who are you introducing into your ecosystem that represents risk, and does that represent a single point of failure? There's been obviously a trend to go to the cloud, to standardize on providers, really, in how the infrastructure is hosted, right. We're basically outsourcing much larger chunks of that information system or solution for whatever problem might pop up.

And you're also looking at more wide-scale single points of failure, and I think that's really been illustrated in the last few days: when a problem occurs at a very fundamental level, where there's such a large deployment, this represents really a risk beyond just an organization, but almost a systemic risk across the industry. And you've seen essentially the airline industry be shut down in large part for the last few days. So I think you have to be smart about how you're applying this. I think certainly also, to some extent to their credit, it speaks to their position, their dominant position in the marketplace from a provider standpoint, but with that I think you have to also look at it from an organizational perspective. How do you continue to deliver services? How do you do that in a way where you're minimizing some of these downside risks, where you do have a single point of failure?

Speaker 1:

Yeah, really great points. And when it comes to your practice, obviously you're a professional services firm, but how do you see tools and technologies and platforms being used, or how do you use them in your business to kind of help clients?

Speaker 2:

So, you know, I think there's the way we like to look at it, and I think this kind of goes back and forth in the industry as we see it throughout the years. You know, there are absolutely great technology solutions out there. What we feel like we're solving for in the industry is really the lack of knowledge or expertise in how to apply or manage the information that comes out of those tools and technology. So that is something that we really focus on and feel we bring to the table: we're bringing expertise to the table. Oftentimes when we go into organizations, whether it may be post-breach or post-incident, whatever's going on, you know, there is actionable information, actionable tools that are in place, but people don't really know what to do with the information they're being presented, right. So I think when you're looking at building out programs to help mitigate risk, whether it's regulatory risk, data security risk, right, or data privacy, all of those pieces, a good program in our mind is a combination of tools, technology and expertise, right, and we are trying to solve really for that core bucket of providing the expertise side of that.

Speaker 1:

Yeah, fantastic. And you work a lot with private equity, who, increasingly, are taking giant chunks out of the tech marketplace, in particular telecom, where I do a lot of work. How do you view risk in that world, and what should those stakeholders focus on first?

Speaker 2:

Yes, so I think the way we look at ourselves organizationally, if you're on the startup side of things, I think, you know, the benefit from us is really about, you know, how do we help you accelerate your maturity in these areas? Right, and I think that gives these organizations a couple of different things. So from the startup side of it, I think we can help you accelerate how you mature your programs out, whether that's information security or data privacy. We also can help you reduce the friction, right, on the sales cycle. A lot of the security side of things, the compliance side of things, these are very important in dealmaking, particularly in larger deals, depending on who you're selling into. So I think we really accelerate things on that side of it.

On the private equity side of things, the dynamic that we see in the marketplace is that there were these huge valuations that were out there a few years ago, a lot of dealmaking going on, and, frankly, a lot of that has slowed down. Which means that these middle-market PE firms that are basically holding a portfolio of companies are now having to hold that portfolio for longer, which means that the likelihood of some material event occurring around these areas is higher, right? And so they need to be thinking about how they're managing that portfolio risk. So we've really helped them to come in and make sure that the portfolio of companies isn't presenting some major event that might occur, either regulatory or from a cyber perspective. And we're seeing real, meaningful impact on the exit side of this, right, where there is material impact now from these events on the buy side, right? If someone sees a major breach, that is impactful to valuation at this point, and organizations have to stay focused on that. So, making sure that you've got the right pieces in place, essentially, you know, we look at it as we're trying to help facilitate deal flow, to reduce friction in that exit, so that as these questions come up, there are good, responsible programs and answers in place that basically minimize that becoming a bigger issue.

Speaker 1:

Yeah, fantastic approach. And when it comes to startups and their early-stage investors, how do you view the startup lifecycle? I see so often privacy, security, compliance is sort of an afterthought, with everyone moving at a thousand miles an hour. So what should they focus on first?

Speaker 2:

Yeah, I mean, I think, you know, the way we try and approach things is to be very practical and pragmatic with startups. We understand that they're fighting for their lives, right. I mean, I've been there as an entrepreneur myself and understand what it means to get a business off the ground and to have a minimum viable product and all those things. And so what we're trying to do, really, is appropriately manage the level of risk relative to the impact or the reach that they have in the marketplace, right. So at the very beginning that might be somewhat minimal, right, and we're trying to figure out what are the basic, fundamental food-and-shelter pieces that they need in place to simply deliver their product or service to the marketplace in an effective way.

Right, so that might not be too complicated at the beginning, right. But then, as you have more customers, a larger customer base, a bigger brand that's represented in the marketplace, bigger reach into the marketplace, all of those things scale up, right, as that accelerates through that lifecycle and they get into those later growth stages. Then we're really talking about how do we mature those programs to effectively manage off of that risk, either for the data that they're storing or how they go out to market. All of those things become much more important with the scale and size of the business, and, I think, applied correctly, a lot of what we do helps those organizations mature in ways that they normally would not otherwise, or that would take much longer from an internal process perspective.

Speaker 1:

Yeah, fantastic approach. You know, as you look out across the landscape, what are some of the big potential roadblocks, challenges you see out there?

Speaker 2:

You know, as I've talked about, we really, organizationally, are trying to solve for the knowledge gap, bringing expertise and people to bear on these problems. When you take a step back and look at the industry as a whole, I think we have a huge shortage of qualified experts in this industry, whether it's around information security or things like data privacy. These are very fundamental things that we are going to have to solve for, and we've got to figure out how, as an industry as a whole, we bring more people into these fields to provide this level of expertise. Right, I think you're seeing a similar scenario play out in the world to where we are supplying the demand that is needed out there in the industry. Overall, that is a big problem to solve for, in my mind. The other side of this, I think, you know, to me it goes back to the data privacy side of things. Right, I think you're going to see continued regulations in those areas.

I think you're seeing it at the state level, and it's evolving out in kind of this hodgepodge scenario, and I think, frankly, that's tough for businesses to handle. To some extent, it's good for us. It's complexity, and, as a consulting and professional services firm, complexity is a good thing. But I think from an industry perspective, it's hard to deal with those state-level laws, particularly where there might be even conflicts from a regulatory perspective. So how do you navigate all of those things on a state-by-state basis? And I do think that that's really where, from a data privacy standpoint, you know, we need to look at how do we, in a meaningful sense, provide some type of federal regulation around this that levels that playing field, as I've talked about earlier?

Speaker 1:

Well, it'll be interesting to watch our friends in the government trying to help, right? It's the old joke: I'm from the government, I'm here to help. So we'll see how that works out. So you're down in Hotlanta. I see you're an avid golfer. Do you get out on 100-degree days, or do you look for mornings and evenings?

Speaker 2:

Usually early mornings, and then I quit about halfway through. It's pretty tough right now in the suburbs to actually make that happen.

Speaker 1:

Well, come up to New England. We have some great golfing and it's nice and cool by the water, so good stuff. Thanks so much, Greg. Really insightful, informative work. I appreciate the content, the educational awareness that you put out, and thanks so much for joining.

Speaker 2:

Thanks, Evan. Appreciate you having me.

Speaker 1:

All right, likewise. Thanks so much, everyone. Thanks for listening, thanks for watching. Take care.