Podcasts about Compliance

  • 3,669 podcasts
  • 12,242 episodes
  • 30m average duration
  • 7 daily new episodes
  • Latest episode: Dec 2, 2021

Latest podcast episodes about Compliance

Cybercrime Magazine Podcast
Cyberspectives. Identity & Perimeters. Ann Johnson, CVP Security, Compliance & Identity, Microsoft.
Dec 2, 2021, 12:29

Identity is at the core of today's increasingly complex security landscape. Credential theft is involved in most breaches, and lapses in proper cyber hygiene amplify risks for employees and organizations. This is why many organizations, including Microsoft, now consider identity to be the primary perimeter for security. Listen to this episode of Cyberspectives, in which Ann Johnson, Corporate VP of Security, Compliance & Identity at Microsoft, dives deeper into why and how network perimeters keep becoming more porous, leaving perimeter defense less effective than it was before the explosion of BYOD devices and cloud applications. Cyberspectives is brought to you by Microsoft. To learn more about our sponsor, visit https://microsoft.com/security

Screaming in the Cloud
“Snyk”ing into the Security Limelight with Clinton Herget
Dec 2, 2021, 37:12

About Clinton

Clinton Herget is Principal Solutions Engineer at Snyk, where he focuses on helping our large enterprise and public sector clients on their journey to DevSecOps. A seasoned technologist, Clinton spent his 15+ year career prior to Snyk as a web software engineer, DevOps consultant, cloud solutions architect, and technical director in the systems integrator space, leading client delivery of complex agile technology solutions. Clinton is passionate about empowering software engineers and is a frequent conference speaker, developer advocate, and everything-as-code evangelist.

Links:
Try Snyk for free today at: https://app.snyk.io/login?utm_campaign=Screaming-in-the-Cloud-podcast&utm_medium=Partner&utm_source=AWS

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by my friends at ThinkstCanary. Most companies find out way too late that they've been breached. ThinkstCanary changes this and I love how they do it. Deploy canaries and canary tokens in minutes and then forget about them. What's great is the attackers tip their hand by touching them, giving you one alert, when it matters. I use it myself and I only remember this when I get the weekly update with a “we're still here, so you're aware” from them. It's glorious! There is zero admin overhead to this, there are effectively no false positives unless I do something foolish. Canaries are deployed and loved on all seven continents. You can check out what people are saying at canary.love. And, their kubeconfig canary token is new and completely free as well. You can do an awful lot without paying them a dime, which is one of the things I love about them. It is useful stuff and not an, “ohh, I wish I had money.” It is spectacular! Take a look; that's canary.love because it's genuinely rare to find a security product that people talk about in terms of love. It really is a unique thing to see. Canary.love. Thank you to ThinkstCanary for their support of my ridiculous, ridiculous nonsense.

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days or weeks. Visit Qtorque.io today and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode features Clinton Herget, who's a principal solutions engineer at Snyk. Or ‘Snick.' Or ‘Cynic.' Clinton, thank you for joining me, how the heck do I pronounce your company's name?

Clinton: That is always a great place to start, Corey, and we like to say it is ‘sneak' as in sneaking around or a pair of sneakers. Now, our colleagues in the UK do like to say ‘Snick,' but that is because they speak incorrectly. We will accept it; it is still wrong. As long as you're not saying ‘Sink' because it really has nothing to do with plumbing and we prefer to avoid that association.

Corey: Generally speaking, I try not to tell other people how to run their business, but I will make an exception here because I can't take it anymore. According to CrunchBase, your company has raised $1.4 billion. Buy a vowel for God's sake. How much could it possibly cost for a single letter that clarifies all of this? My God.

Clinton: Yeah, but then we wouldn't spend the first 20 minutes of every sales conversation talking about how to pronounce the company name and we would need to fill that with content. So, I think we're just going to stay the course from here on out.

Corey: I like that. So, you're a principal solutions engineer. First, what does that do? And secondly, I've known an awful lot of folks who I would consider problem engineers, but they never self-describe that way. It's always solutions-oriented?

Clinton: Well, it's because I worked for Snyk, and we're not a problems company, Corey, we're a solutions company.

Corey: I like that.

Clinton: It's an interesting role, right, because I work with some of our biggest customers, a lot of our strategic partners here in North America, and I'm kind of the evangelist that comes out and says, “Hey, here's what sucks about being a developer. Here's how we could maybe be better.” And I want to connect with other engineers to say, “Look, I share your pain, there might be an easier way, if you, you know, give me a few minutes here to talk about Snyk.”

Corey: So, I've seen Snyk around for a while. I've had a few friends who worked there almost since the beginning and they talk about this thing—this was before, I believe, you had the Dobermann logo back in the early days—and I keep periodically seeing you folks in a variety of different contexts and different places. Often I'll be installing something from Docker Hub, for example, and it will mention that, oh, there's a Snyk scan thing that has happened on the command line, which is interesting because I, to the best of my knowledge, don't pay Docker for things that I do because, “No, I'm going to build it myself out of popsicle sticks,” is sort of my entire engineering ethos. But I keep seeing you in different cases where as best I am aware, I have never paid you folks for services. What is it you do as a company because you're one of those folks that I just keep seeing again and again and again, but I can't actually put my finger on what it is you do.

Clinton: Yeah, you know, most people aren't aware that popsicle sticks are actually a CNCF graduated project. So, you know, that's that—

Corey: Oh, and they're load-bearing in almost every piece of significant technical debt over the last 50 years.

Clinton: Absolutely. Look at your bill of materials; it's there. Well, here's where I can drop in the other fun fact about Snyk's name, it's actually an acronym, right, stands for So, Now You Know. So, now you know that much, at least. Popsicle sticks, key component to any containerized infrastructure. Look, Snyk is a developer security company, right? And people hear that and go, “I'm sorry, what? I'm a developer; I don't give a shit about security.” Or, “I'm a security person”—

Corey: Usually they don't say that out loud as often as you would hope, but it's like, “That's not true. I say that I care about security an awful lot.” It's like, “Yeah, you say that. Therein lies the rub.”

Clinton: Until you get a couple of drinks in them at the party at re:Invent and then the real stuff comes out, right? No, Snyk has always been historically committed to the open-source community. We want to help open-source developers every bit as much as, you know, we're helping the engineers at our top-tier customers. And that's because fundamentally, open-source is inextricably linked to the way software is developed today, right? There is nobody not using open-source.

And so we, sort of, have to be supporting those communities at the same time. And that fundamentally is where the innovation is happening. And you know, my sales guys hate when I say this, right, but you can get an amazing amount of value out of Snyk by using the freemium solution, using the open-source tooling that we've put out in the community, you get full access to our vulnerability database, which is updated every day, and if you're working on public projects, that's going to be free forever, right? We're fundamentally committed to making that work. If you're an enterprise that happens to have money to spend, I guess we'll take that too, right, but my job is really talking to developers and figuring out, you know, how can we reduce the amount of pain in your life through better security tooling?

Corey: The challenging part is that your business, although I confess is significantly larger than my business, we're sort of on some level solving the same problem. And that sounds odd to say because I focus on fixing AWS bills and you're focused on improving developer security. But I'm moving up about six levels to the idea that there are only two big problems in the world of technology, in the world of companies for that matter. And the problem that we're solving is the worst one of the two. And that is reducing risk exposure.

It is about eliminating downside. It's cost optimization, it's security tooling, it is insurance, et cetera, et cetera, et cetera. And the other problem, the one that I've always found, that is the thing that will get people actually excited rather than something they feel obligated to do is speeding up time to market, improving feature velocity, being able to deliver the right things sooner. That's the problem companies are biasing towards investing in extremely heavily. They'll convene the board to come up with an answer there.

That said, you stray closer into that problem space than most security companies that I'm aware of just because you do in fact, speed up the developer process. It lets people move faster, but do it safely at least is my general understanding. If I'm completely wrong on this, and, “Nope, we are purely risk mitigation, then this is going to look fairly silly, but it wouldn't be the first time I put my foot in my mouth.”

Clinton: Yeah, Corey, it sounds like you really read the first three words of the website, right? “Develop fast. Stay secure.” And I think that fundamentally gets at the traditional alignment, where security equals slow, right, because risk mitigation is all about preventing problematic things from going into production. But only doing that as a stop gate at the end of the process, right, by essentially saying we assume all developers are bad and want to do bad things, and so we're going to put up this big gate and generate an 1100-page PDF, and then throw it back to them and say, “Now, go figure out all of the bad things you did and how to fix them. And by the way, you're already overshooting your delivery target.” Right? So, there's no way to win in that traditional model unless you're empowering developers earlier with the right context they need to actually write more secure code to begin with, rather than remediating after the fact when those fixes are actually most expensive.

Corey: It's the idea of the people who want to slow down and protect things and not break are on the operation side of the world, and then you have developers who want to ship things. And you have that natural tension, so we're going to smash them together and call it DevOps, which at least if nothing else, leads to interesting stories on stages. Whether it actually leads to lasting cultural transformation is another thing entirely. And then someone said, “Well, what about security?” And the answer is, “We have a security department?” And the answer is, “Yeah, you know, those grumpy people that say no all the time whenever we ask if we could do anything.” “Oh, that security department. I ignore them and go around them instead.” And it's, “All right, well, we need help on that so we're going to smash them in, too.” Welcome to DevSecOps, which is basically buzzword-driven cultural development. And here we are. But there is something to be said for you can no longer be the Department of No. I would argue that you couldn't do that successfully previously, but at least now we're a little more aware of it.

Clinton: I think you could certainly do that when you were deploying software a couple times a year, right? Because you could build in all of the time to very expensively and time-consumingly fix things after the fact, right? We're no longer in that world. I think when you're deploying every few seconds or a few minutes, what you need is tooling that, first of all, runs at that speed, that gives developers insights into what risk are they bringing on board with that application once it will be deployed, but then also give them the context they actually need to fix things, right? I mean, regardless of where those vulnerabilities are found, it still ultimately is a line of code that has to be written by a developer and committed and pushed through a pipeline to make it back into production.

And that's true, whether we're talking about application security and proprietary code, we're talking about vulnerabilities in open-source, vulnerabilities in the container, infrastructure as code. I mean, it used to be that a network vulnerability was fixed by somebody going into the data center, unplugging a Cat 5 cable and plugging it in somewhere else, right? I mean, that was the definition of network security. It was a hardware problem. Now, networking is software-defined. I mean [laugh]—

Corey: Oh, the firewall I trust is basically a wire cutter. Yeah, cut through the entire cable, and that is the only secure firewall. And it's like, oh, no, no, there are side-channel attacks. It's not completely going to solve things for you. Yeah.

Clinton: You know, without naming names, there are certainly vendors in the security space that still consider mitigation to be shutting down access to a workload, right. Like, let's remediate by taking this off of the internet and allowing it to no longer be accessible.

Corey: I don't think it's come from a security standpoint, but that does feel like it's a disturbing proportion of Google's product strategy.

Clinton: [laugh]. Absolutely. But you know, I do think maybe we can take the forward-looking step of saying there are ways to fix issues while keeping applications online at the same time. For example, by arming engineers with the security intelligence they need when they're making decisions about what goes into those applications. Because those wire cutters now, that's a line in a YAML file, right?

That's a Kubernetes deployment, that's a CloudFormation template, and that is living in code in the same repo with everything else, with all of the other logic. And so it's fundamentally indistinguishable at the point where all security is really now developer security, except the security tooling available doesn't speak to the developer, it doesn't integrate into their workflow, it doesn't enable them to make remediations, it's still slapping them on the wrist. And this is why I think when you talk about—to invoke one of the most overused buzzwords in the security industry—when you talk about shifting left, that's really only half the story. I mean, if you're taking a traditional solution that's designed to slow things down, and shifting that into the developer workflow, you're just slowing them down earlier, right? You're not enabling them with better decision-making capacity so they can say, “Oh, I now understand the risks that I'm bringing on board by not sanitizing a string before I dump it into a SQL, you know, query. But now I understand that better because Snyk is giving me that information at the right time when I don't have to context switch out of it, which is, as I'm writing that line of code to begin with.”

Corey: When I look at your website—and I'm really, really hoping that your marketing folks don't turn me into a liar on this one between the time we have recorded this and the time it sees the light of day in a week or so—it's notable because you are a security vendor, but you almost wouldn't know that from your website. And that is a compliment because at no point, start to finish, on the landing page at snyk.io do I see anything that codes to, “Hackers are coming to kill you. Give us money immediately to protect yourself.”

You're not slinging FUD. You're talking entirely about how to improve velocity. The closest it gets to even mentioning security stuff is, “Ship on time with peace of mind.” That is as close as it gets to talking about security stuff. There is no fear based on this, and you don't treat people like children and say, “Security is extremely important.” “Thank you, Professor, I really appreciate that helpful tip.”

Clinton: Yeah, you know, again, I think we take the very controversial approach that developers are not bad people who want to make applications less secure, right? And I think again, when you go into that 40-year trajectory of that constant tension between the engineering and the security sides of the house, it really involves certain perceptions about what those other people are like: security are bad and want to shut everything down; developers are, you know, wild cowboys who don't care about standardization and are just introducing a bunch of risk, right? Where Snyk comes in is fundamentally saying, “Hey, we can actually all live together in a world where we recognize there's pain on both sides?” And look, Corey, I'm coming to you after essentially waking up every day for 20 years and writing code of some kind or other, and I can tell you, developers are already scared enough, man. It is a fearful and anxiety-ridden experience to know that you're not completely in command of what happens to that application once it leaves your IDE, right?

You know at some point you're going to get that PDF dumped on you; you're going to have a build block, you're going to have a bug report come in from a very important customer at three o'clock in the morning and you're going to have to do something about it. I think every software engineer in the world carries that fear around with them. They don't have to be told you have the capacity to do bad stuff here and you should be better at it. What they need is somebody to tell them here's how to do things better, right? Here's not necessarily even why a cross-site scripting attack is dangerous—although we can certainly educate you on that as well—but here's what you need to do to remediate it. Here's how other developers have fixed that in applications that look like yours.

And if you get that intelligence at the right point, then it becomes truly—to go back to your original question—it becomes about solutions rather than about problems, right? The last thing we ever want to do is adopt that traditional approach of saying, “You did a bad thing. It's your fault. You have to go figure out what to do. And then by the way, you have to do all the refactoring on top of that because we didn't tell you you did the bad thing until three weeks later when that traditional SaaS tool finally finished running.”

Corey: Exactly. It's a question of how much can you reduce that feedback loop? If I get pinged 60 seconds after I commit code that there's a problem with it, great. I still have that in my head. Mostly. I hope. But if it's six months later it's, “Who even wrote this?” And I pull up git blame and, “Ah, crap, it was me. What was I possibly thinking back then?” It's about being able to move rapidly and fix things, I guess, as early in the process as possible, the whole shift-left movement. That's important. That's valuable.

Clinton: Yeah, the context switching is so expensive, right, because the minute you switch away from that file, you're reading some documentation. You're out of that world. Most of the developer's time is spent getting into and out of different contexts. Once you're in there, I mean, you could rattle off 40 lines of code in a sitting and actually clear a ticket and you feel really good about yourself, right? The next day, when that comes back from QA saying you did something wrong here, that's the painful part of having to get back in.

And by the time you've already done that, you've doubled the amount of time you've spent on that feature. So, it's all about integrating the right intelligence in the right context at the right time, and doing so in such a way that we're not throwing around blame, that we're not saying, “You should have known better.” We're saying, “We want to help you do this better because, you know, ultimately, you're going to write another SQL query. That's okay. We hope that maybe this will inspire you to sanitize those strings properly, and we're going to give you some suggestions on how to do that.”

Corey: Yeah. Developer time is way more expensive than the infrastructure. That is, I think, a little understood facet of how this works from an engineering perspective because an awful lot of us came up in this industry considering our time to be free. Because we were doing this as a hobby in some cases, it was. When I was in my dorm room back many years ago, as I was basically in the process of being expelled from boarding school, it was very clearly my time was not worth a whole hell of a lot to anyone at that point.

Speaking of expensive things, I want to talk for a minute about your pricing. And what I like about this is, let me be clear here. I am a big fan of taking shortcuts wherever I can, and one of the shortcuts I love doing—and I don't know if I've talked about it on this show before—is when I'm talking to a company and I need to figure out do they know what they're doing or are they clowns, I cheat and I go to the pricing page. And there are two big things that I look for, and you have them both.

The first is that over on the far left side of the spectrum, it's do you have a free option? And yes, you do. And, “Click here to get started immediately.” Great because it's three in the morning, I need to get something done, I'm under a deadline, I do not have time for a conversation with sales, and as an engineer, I absolutely don't want to deal with that type of sales process because it feels weird to go and ask my boss to go ahead and sign off on something because I feel like my spending authority is capped at $20. Now that I have a little more context, I understand exactly why [laugh] my spending authority was capped at $20 back when I was an engineer.

Clinton: Yeah, exactly right. And so it's not only that commitment to ensuring every software engineer in the world can have access to Snyk immediately by making one click because, you know, ultimately, we're committed to that community, right? There's 3 million developers using Snyk currently. That's about 10% of all engineers in the world. We're very proud of that number.

We expect that to continue to grow and I think it shows that there is need out there, right? And if we can enable every engineer who's up at 3 a.m. faced with some security prospect to say, you know, it is as simple as getting a free account and getting a vulnerability report, getting the remediation advice, being able to sleep easier. I think we're successful as a company, regardless of what the bottom line is. But when you look at how to scale that into the enterprise, the way security solutions are priced, I mean, it's like throwing a bunch of wet noodles at the wall and seeing what sticks, right?

Corey: Yes. And that's the other piece of your pricing that I like is a lot of people are going to be listening to that, what I'm saying right now about, “Oh, well, we have a free tier. Why do you think we're clowns?” It's, “Ah. Because the other end is just as important if not more so, which is there has to be an enterprise tier, and the price for that has got to be, ‘Click here to have a conversation.'” And the reason behind that is if you work in procurement, which is very often who's going to be reaching out on something like this, you are going to need custom contracts; you are going to want a long-term enterprise deal, and if the top tier is X dollars per thing that's already there, it reeks of unsophisticated vendor to a buyer in that position, and it makes the people at big blue-chip companies think, “Oh, they don't know how to deal with someone at our scale.” Pricing is messaging, and I think people lose sight of that. You absolutely say the right things on both ends. I look at this, and there's nothing I would change or improve about your pricing page, which to be honest, is really rare.

Clinton: I'm not sure all of our sales leaders would agree with you there, but I will pass that feedback along. Well, and the other thing I would add to that is, what everyone who's in a pricing conversation wants is predictability about what is this going to be in the future, right? And so we base our pricing on how many developers are in your organization, right? That's probably a number you know; that's probably a number that you can predict over time. We're not going to say, “How many CPUs are we using, right? What's the footprint of the cloud resources we're deploying to scan your stuff?” These are all things that you have very little control over and there is alchemy there that introduces a financial risk into that situation. And we're all about risk mitigation at scale, right?

Corey: You don't pop up halfway through a cycle of, “Oh, you've gone on a hiring spree. Time to go ahead and pay us a bunch more money you didn't plan for or budget for.” I've had vendors pop up a quarter after I signed a deal—repeatedly—and it drives me up a wall because back in my engineering days, it was, great, now I have to spend time on this that I hadn't planned for; I have to go to my boss and ask for more money, never a great conversation, and as a cherry on top, I get to look like I don't know how to manage vendors for crap. It's just everyone is angry about those conversations. And even the salespeople reaching out had the decency to act a little sheepish about having to have that conversation with me.

Clinton: The best ones do, at least. Well, and on top of that, you know, maybe that tool has been capped so that now your bills are breaking because you went one over your cap, right? So, I—

Corey: Yeah. I love it. When I fail in production. That's my favorite thing. It's like, “All right, we're going to wind up not scanning for security stuff anymore. And if you go five beyond your cap, we're going to start introducing vulnerabilities.” It's, “That's awesome. Just, great plan.” But I'm kidding. I'm kidding. I want to be very clear, I have never heard a whisper of an actual vendor doing that, on purpose anyway.

Clinton: Exactly. Right. And you know, look. We want to make it as easy as possible, and that's why, for example, we're on AWS Marketplace. You can use your existing EDP program to, you know, buy Snyk, just as—

Corey: At 50% of your spend on Snyk then winds up counting toward your spend commit, which is always an interesting approach that some people are like, “Ooh. So, we can wind up transferring the money that we're spending on a vendor to count toward our commit?” But in many cases, it's how much are you spending on other third-party vendors in this space because you're getting excited about a few tens of thousands in most cases, and you have a $50 million annual [laugh] commit. What are you doing there, buddy? That's like trying to become a millionaire via credit card points. It doesn't usually pan out that way.

Clinton: Fair enough. Yeah. And then look, we're very proud of that partnership with Amazon. And look if hey, if they can lock some of our customers into $15 million a year spend contracts, we'll take a few pennies on that, right?

Corey: Oh, yeah, as a vendor, you'd be silly not to. It makes sense. But you're doing significantly more than that. As of this week being re:Invent week, you are—well, tell me about it.

Clinton: Yeah, Corey, we are thrilled to announce this week that AWS is now integrating with Snyk's vulnerability database within Amazon Inspector. And this is going to bring the best-of-breed security intelligence with a curated vulnerability database, including all of our proprietary research around things like exploit maturity, reachability, vulnerable conditions, social trends on vulnerabilities, all available within Amazon Inspector to any developer utilizing it. We also have an AWS CodePipeline integration that makes it easy for anyone utilizing AWS for your CI/CD to get immediate feedback on vulnerabilities in your applications as they move through that pipeline. And remember, we're never just going to say, “We've identified a vulnerability. Now, you need to figure out what to do with it.” We're always going to integrate the remediation advice because our audience at the end of the day is the developer whose job it is to make the fix and who has such a wide variety of responsibility these days, the best we can do is say to them, not just, “We found something wrong,” but, “Here's the solution that we think you should implement to get that secure code back out into production.”

Corey: This episode is sponsored by our friends at CloudAcademy. That's right, they have a different lab challenge up for you called, “Code Red: Repair an AWS Environment with a Linux Bastion Host.” What does it do? Well, it's going to assess your ability to troubleshoot AWS networking and security issues in a production-like environment. Well, kind of, it's not quite like production because some exec is not standing over your shoulder, wetting themselves while screaming. But... ya know, you can pretend; in fact I'm reasonably certain you can retain someone specifically for that purpose should you so choose. If you are the first prize winner who completes all four challenges with the fastest time, you'll win a thousand bucks. If you haven't started yet you can still complete all four challenges between now and December 3rd to be eligible for the grand prize. There's only a few days left until the whole thing ends, so I would get on it now. Visit cloudacademy.com/corey. That's cloudacademy.com/C-O-R-E-Y, for god's sake don't drop the “E” that drives me nuts, and thank you again to Cloud Academy for not only promoting my ridiculous nonsense but for continuing to help teach people how to work in this ridiculous environment.

Corey: First, congratulations. It's neat to have a first-party integration like that with an AWS service, as opposed to, you know, their somewhat storied approach of, “Hey, it's an open-source project. We're just going to implement something that's API compatible ourselves, and irritate people.” Now, to be clear, my problem is not that you should expect to build anything and not face competition. My concern is a little bit more along the lines of, “Huh. Why is that same company always the first in line to compete with something.” Which is neither here nor there.

Security is also one of those areas where I think competition is important. You want a continual background level of investment in the space because this stuff is super important. What I like about Snyk and a number of companies in this space is I know exactly where you stand. Let's contrast that for a second with AWS. You're integrating with Inspector, which is a great service, but you're not, I don't believe, integrating with their other security services such as [big breath in] Amazon Detective, the Audit Manager—if you want to consider that one of them—Amazon Macie, AWS Firewall Manager, AWS Shield, the Network Firewall, IoT Device Defender, CloudTrail, Config.

Amazon Inspector is in one you're there, but not really Security Hub, or GuardDuty, or IAM itself. And I look at all of these services—I mean, IAM is free, of course, but the rest are very much not—and I do some basic arithmetic and I'm starting to realize that if I can figure all the various AWS security services together and what that's going to cost me, it turns out the answer is more than the data breach. So, on some level, it's one of those—at what point is it so confusing and it starts to look like a cross-sell deal between all of the different services, and turn them all on because you could ever have too much security, we still have to ship things eventually. And their security messaging has been extraordinarily confused for a long time. At some level, the fact that you are now integrating with them on the Inspector side means that for the first time, I think I understand what Inspector does now, which is more than a little messed up. But here we are.

Clinton: Indeed. Well, the first thing I would say on that is, you know, stay tuned. As we move into the new year, I think you're going to see a lot more announcements both, you know, on the AWS side, but also kind of industry-wide in terms of integration with Snyk. That Vulnerability Database feed also, as you mentioned earlier, in use in Docker Hub, so anyone with containers and Docker Hub can get advantage by scanning with our Snyk container tool.

We have other integrations with Red Hat, for example. And there are actually many other companies utilizing that DB feed to, again, get access to that best in breed vulnerability data. When you talk about that model of, you know, being outcompeted on the security front, I think that's more difficult to do when you're actually talking about data, right? Like tooling, on some level—and I might get in trouble for saying this—but tooling is commodity, right? Somebody tomorrow is going to come out with a better tool to do a thing a little bit faster in a little bit more intuitive way. What can't be easily replicated is the data and intelligence behind that, right? And so that's why—

Corey: Yeah, the secret sauce that makes you folks work is not the fact of, “Ah, we can fire off or catch a web hook, and then run the following command against the codebase.” That is—sure it's handy and it's useful and you're good at that, but that is not the reason that people become your customer.

Clinton: Exactly right. Look, there's a lot of tools that can resolve the dependency tree within your open-source application, right? We can do that as well. We leverage a lot of open-source to do that, you know, we're very open with that. As I mentioned earlier, a lot of Snyk tooling is available on GitHub, you can see how it works, that code is public.

Really the value we're providing is in that curated security research that our dedicated team is working on day in and day out and verifying public security data that's out in CVEs. Is this actually accurate? Do we agree with the severity rating? Might there be other factors that could modify that severity rating? What happens when you are scanning an application that might have some vulnerable conditions versus others? Don't you want to prioritize those vulnerabilities differently? What happens at runtime, right? If you're deploying an application to an EC2 instance with an OpenSSH ingress into your security group, that's going to make certain vulnerabilities a lot bigger risk than if you've got your IaC configured correctly, right? So, really the overall mission of Snyk as we move into this broader, kind of, ASPM application, you know, security posture management space, is to say, how many different signals across the SDLC can we combine in intuitive ways for the developer to understand that risk at the right time with the right context and armed with the remediation advice to make a better decision as they're writing their code, you know, rather than after the fact? If I could sum it all up, kind of, that's the vision of where we are both today and ultimately where we're going.

Corey: There also needs to be an understanding of who the customer is. If I go through the launch wizard and spin up in a brand new account, my first EC2 instance, and I spin up an instance by going through the wizard, the first thing it does is yell at me. Because, “Ah, that SSH port is open to the world.” Which you need to get into it, once it's there. So, it sets that up for me and yells at me all in the same breath. And it's, this is not a promising start; I kind of need that to get into it.

Conversely, if you're not someone learning this stuff for the first time, and you're, oh I don't know, a production engineer at a bank, you care quite a bit differently in that use case about things like OpenSSH groups, its security posture, et cetera, et cetera.
An awful lot of the tooling is, “Ah, you're failing this benchmark, and this benchmark, and this benchmark,” from CIS and the rest of all these rules of, oh, you're not encrypting your data at rest. Well, it's in an AWS data center environment. Yeah, if someone could break in and steal the drives from multiple facilities and somehow recombine them together and get out alive, yeah, that's really not my threat model.But it's easy to turn it on and check a box and make an auditor go away. But that's not where I would spend the bulk of my energies if I'm trying to improve my security posture. And it turns into rote checklists super easily. The thing I've always appreciated about the stuff that you're tooling in the open-source world has highlighted is it's not nonsense. And I really can't understate just how valuable that is.Clinton: Absolutely. And that comes from a combination of signals across that SDLC, from the open-source, from the container, from the proprietary code, from the IAC, but then also what's happening at runtime, right? Like, how are those containers actually deployed onto EKS? What ports are open? What running binaries are on the container that might influence, you know, what packages you choose to upgrade, versus not?All of that matters, and what—you know, the issue I think now is getting that visibility to the developer at the right time so that they can make it actionable. And the thing about infrastructure as code, that I think that's really interesting and not super well understood is a lot of those defaults are really insecure. And developers have no idea, right? Like, they might not be aware that if you don't define that encryption for your S3 bucket, it'll happily deploy unencrypted, right? 
Yes, that's a compliance problem, but that's also potentially exacerbator have other vulnerabilities that might be in that application.But you only see those when you can combine and have a single pane of glass that gives you the runtime signaling plus everything that's happening in the application, armed with the correct information to actually remediate that at the time, and say, “Don't you think you wanted to add, you know, AES encryption to this bucket? Don't you think you wanted to close down port 22?” And also, combine that with your internal business logic, right? Like maybe for an internal only application that never transits beyond your VPC perimeter, sure, it's fine to have port 22 open, right? There's just going to be people within your zero-trust environment authenticating to it. But for your production web application, that might be a different story.Corey: There are other concerns, too. For example, I'm sitting here complaining about the idea of encrypting at rest in an AWS environment, but if you've signed customer contracts that state that you're doing it, you'd better freaking do it, as opposed to, “Well, I know what the actual security risk is and it's no big deal.” Yeah, don't make that decision. If you are contractually obligated to do a thing. Don't YOLO it; do what you say you're going to do. That's that whole integrity thing.Clinton: Oh, sure. And look in a battle between security and compliance. Compliance always wins, right? But from a developer perspective, I don't know that we on the front lines writing code actually differentiate, right? That certainly is a matter for the people defining the policies and, you know, creating their gating mechanisms in CI to figure out.What I want to know as a developer is, is my build going to succeed, right? 
Or am I going to get shut down and get the nastygram that says, you know, “We couldn't launch this for x, y, and z reason.” Now, everybody on my team hates me, my lead dev is on me, now there's a bunch of merge conflicts because my branch is behind. I want to get that out into production, but in order to do that, I need information on how are all these signals going to be compiled together in a way that, you know, creates that red light or green light on the risk dashboard later on. But up until I think, you know, relatively recently, I don't have visibility into that except to launch the commit, you know, start the build and see what happens, and then I have that context-switching problem, right, because it's hours or days later, that I finally get that signal back.So yes, I think we have a compliance story to tell from the Snyk perspective as well. A lot of those same issues, you know, we're detecting, especially with regard to infrastructure as code, but it ultimately is up to various parts of the organization to work together and say, “What balance do we want to strike between security and velocity,” right? Understanding that those are not mutually opposed. What we need is tooling and more importantly a culture that takes both into account and allows us to develop securely and fast at the same time.Corey: I want to thank you so much for taking the time to speak with me about all this. If people want to learn more, where can they find you? And for God's sake, please don't say in your booth at re:Invent.Clinton: [laugh]. I will not be at re:Invent this year. I've had a little bit too much of the Vegas Strip here recently.Corey: No, I hear you. Right now, the people going are those whose employers find them expendable, which is why I'm there.Clinton: I wouldn't say that Corey. I think you'll do great, and you know, just make sure to bank all your vacation for a couple weeks after. 
Look, come to snyk.io start a conversation, but more importantly, just start using it, right?I don't want to give you the sales pitch; I want you to see the value in the tooling, and the easiest way to do that as an engineer is just to start using it. And if there is value there, you want to bring it to your enterprise. I would love to have that conversation and move forward. But engineer to engineer, like, figure out if this is going to work for you: does it make your life easier? Does it reduce the pain and anxiety you feel before making that commit into the production branch? And if so, then yeah, we'd love to talk.Corey: I will, of course, put links to that in the [show notes 00:33:22]. Thank you so much for speaking to me today. I really appreciate it.Clinton: Thank you, Corey. Glad to do it.Corey: Clinton Herget, principal solutions engineer at Snyk. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment yelling at Snyk about how they're a terrible company because they continually refuse to patronize your side business down at the Vowel Emporium.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Podnutz Pro
Podnutz Pro #380: Best Practices: Firewall Auditing & Compliance

Podnutz Pro

Play Episode Listen Later Dec 2, 2021


Insurance companies and others are forcing our clients to upgrade and audit their security. What is your firewall security checklist? How do you audit your firewall? I ask Michael Crean these questions and more… Website: https://solutionsgranted.com/ – Become a Partner ======= Sponsors & Affiliates: Presenting Sponsor – NetAlly: https://www.netally.com/ Live Video Sponsor – Computers Done […]

Digital Health Today
Who's Responsible for Ethical Decision Making? Promoting Trust in Technology and Healthcare

Digital Health Today

Play Episode Listen Later Dec 1, 2021 27:59


Technology is under the microscope, as are the behaviors of the people who develop and deploy it. As technology impacts virtually every aspect of society, its use within the life sciences goes beyond traditional bioethical topics. This creates a host of questions for people and businesses working at the forefront of health innovation. In this episode, hear Nick Bott, Global Head, Bioethics and Technology Ethics at Takeda, as we discuss:
- What is being done to ensure that the decisions around the use of technology for our health and wellbeing are carefully considered and applied?
- Whose job is it to address the ethical questions in the development of AI and ML algorithms?
- How can life science companies lead the way in setting standards for ethical development?
- What can we learn from Tony Stark, otherwise known as Iron Man in the Marvel Cinematic Universe?
- What is a 'consequence scanning workshop'?
- What is the role of regulation in setting standards and principles?
Episode Links and Resources:
- Learn More About Ethics and Compliance at Takeda
- Notre Dame-IBM Technology Ethics Lab
- Markkula Center for Applied Ethics at Santa Clara University
- About the Age of Ultron: a lesson in 'irresponsible innovation'?
- Hear the Coffee Talk about the Health Outcomes Observatory (H2O)
Guest Host Links: Connect with Nick Bott on LinkedIn
Connect on Digital Health Today: Browse Episodes | Twitter | LinkedIn | Facebook | Instagram
Connect on Health Podcast Network: Browse Shows | LinkedIn | Twitter | Facebook | Instagram
Digital Health Today is made possible by the support of our sponsors. Thank you to: Bayer G4A, Roche, Takeda

FOX Sports Knoxville
3&OUT The Podcast HR1: "Oklahoma Compliance Vs USC" 12/1/21

FOX Sports Knoxville

Play Episode Listen Later Dec 1, 2021 42:54


-Vols Get A Basketball Win -Oklahoma Is Salty - Your Phone Calls

Legal 123s with ByrdAdatto
Don't Play with Fyre with Dominique Nickson, MD

Legal 123s with ByrdAdatto

Play Episode Listen Later Dec 1, 2021 24:24


If it sounds too good to be true, it probably is. As a board-certified orthopedic surgeon, today's guest, Dr. Dominique Nickson, has learned to zoom in on the details when presented with a business opportunity. Tune in as we share specific compliance actions to consider in your next health care transaction. Visit our website www.byrdadatto.com to learn more and to subscribe to the ByrdAdatto newsletter. Follow us on social media to stay up-to-date on the ByrdAdatto family. Finally, subscribe to our YouTube channel for short videos on breaking developments and interesting business and health care compliance topics.
Visit https://byrdadatto.com/podcast/dont-play-with-fyre-with-dominique-nickson-md/ to read the episode's transcript, which has been edited for readability.
Facebook: https://www.facebook.com/ByrdAdatto/
Twitter: https://twitter.com/ByrdAdatto
Instagram: https://www.instagram.com/byrdadattolaw/
LinkedIn: https://www.linkedin.com/company/byrdadatto
YouTube: https://www.youtube.com/channel/UC6VSOw0W5lrrj4iIl1HxTbg

Banking on Experience
Episode 83: A Fresh Look at GRC + Your CU

Banking on Experience

Play Episode Listen Later Nov 29, 2021 12:46


Let's be honest – GRC (Governance, Risk Management, and Compliance) gets a bad rap. Your credit union team members don't break for lunch and say, “Hey! Let's play GRC bingo!” But…maybe they should. Ok, that's a stretch. But the truth is, this topic is massively important when it comes to your financial institution. And no one can offer better insights around it than Amanda Cohen, Director of GRC Products at Resolver and my guest expert this week on CRMNEXT's Banking on Experience. Topics we covered include:
- Why Amanda is passionate about GRC
- Shifting mindsets: how your CU can (and should)
- Biggest GRC challenges for credit unions
- Your frontline + GRC: top tips on making them besties
- Better ways your CU can leverage the GRC Team
- How data applies
- The Impact of GRC on Member Experience
- And more
Stay in touch with Banking on Experience by listening on Apple Podcasts, Spotify, or our website. Listening on a desktop & can't see the links? Just search for Banking on Experience in your favorite podcast player.

Innovation in Compliance with Tom Fox
Gold in the Compliance Hills: Part 1, ROI on Compliance Purchase Decisions

Innovation in Compliance with Tom Fox

Play Episode Listen Later Nov 29, 2021 17:34


Welcome to a special five-part podcast series on how to unlock the gold in your program, hosted by Tom Fox with guests Gio and Nick Gallo from ComplianceLine. One of the ongoing questions in compliance is how to demonstrate the Return on Investment (ROI) in your compliance program, by demonstrating the extended value of compliance literally across your entire company. When overlaid with an ESG component, you can begin to see the gold in your compliance hills. In addition to showing how you can unlock the gold in your own compliance hills, Gio and Nick walk you through how to demonstrate ROI for your internal budgeting process, which can provide to you the financial resource to strengthen and improve your compliance program. Join us for the full 5 episodes and learn to see your compliance program in an entirely new light. In this Part 1, we consider how compliance can be seen as a corporate ROI multiplier by looking at the impact of compliance across your entire organization. Some of the highlights of this episode include:
· The financial principles in unlocking the ROI of compliance.
· Why the alignment of compliance with other disciplines in your organization is not only critical but a key to unlocking compliance gold.
· Compliance budgeting is not simply about a cost center mentality. It requires a different type of discussion.
· Frameworks for improving your thinking about compliance.
· Building a complex and transparent case to OPEN the discussion about your assumptions rather than only including unobjectionable assumptions.
Resources: Gio Gallo on LinkedIn, Nick Gallo on LinkedIn, ComplianceLine

Coffee & Regs
What's Next for Cybersecurity in 2022?

Coffee & Regs

Play Episode Listen Later Nov 29, 2021 9:50


In this episode, CSS's team of cybersecurity experts E.J. Yerzak and Mike Farrell recap the 2021 cybersecurity landscape and predict what's next for 2022.  

FCPA Compliance Report
Irene Kaushanky on Why Supply Chain is the Connective Tissue in the Fight Against Modern Slavery

FCPA Compliance Report

Play Episode Listen Later Nov 29, 2021 26:49


In this Episode of the FCPA Compliance Report, I visit with Irene Kaushansky, Associate Director of Compliance and Operational Integrity at Global Fund to End Modern Slavery. Irene is passionate about the fight against Modern Slavery and Human Trafficking. She talks about the Fund and its mission in this podcast. Highlights of this podcast include:
- What is the Global Fund to End Modern Slavery?
- What is the problem of modern slavery?
- How does the organization accomplish this mission?
- Why is the private sector so critical to fighting this international scourge?
- How does the organization work with the private sector?
- What is some of the impact the Global Fund has achieved?
- How to get involved with the Global Fund.
Resources: Global Fund to End Modern Slavery, Irene Kaushansky on LinkedIn. Learn more about your ad choices. Visit megaphone.fm/adchoices

Corruption Crime & Compliance
Episode 216 -- Tom Fox Releases Second Edition of The Compliance Handbook

Corruption Crime & Compliance

Play Episode Listen Later Nov 28, 2021 42:33


Tom Fox is a leader in the ethics and compliance field. He is regularly referred to as the "Compliance Evangelist." Tom recently released the Second Edition of The Compliance Handbook, a comprehensive review and guide to the elements of an effective ethics and compliance program. Tom is known for his practical and efficient approach to difficult ethics and compliance issues. His new Handbook is a must-have for ethics and compliance professionals but more importantly for business leaders and managers who understand the importance of implementing an effective ethics and compliance program. In this Episode, Michael Volkov interviews Tom Fox about the Second Edition of The Compliance Handbook and the important issues addressed in the Handbook.

Talking Logistics Podcasts
[Video] Why You Should Conduct A Trade Compliance Self-Audit

Talking Logistics Podcasts

Play Episode Listen Later Nov 28, 2021


As we all know, supply chains are a complex system, and one of the most complex parts of it is global trade management and trade compliance. And none of it is getting any easier either. What's changed or different today with trade compliance? Why is conducting a self-audit important? What's involved with a self ... The post [Video] Why You Should Conduct A Trade Compliance Self-Audit appeared first on Talking Logistics with Adrian Gonzalez.

PreAccident Investigation Podcast
PAPod 367 - Compliance Capitalism... A Discussion of Dekker's Newest Book

PreAccident Investigation Podcast

Play Episode Listen Later Nov 27, 2021 35:28


It is 2021! Get Caught Trying to Make the World Better! Best Safety Podcast, Safety Program, Safety Storytelling, Investigations, Human Performance, Safety Differently, Operational Excellence, Resilience Engineering, Safety and Resilience Incentives... Give this a listen. Thanks for listening and tell your friends.  See you on Audible...all my books are up on there.  One of them is read by a British dude - it is like a Harry Potter book!  Have a great day as well. 

Scaling UP! H2O
227 The One Where We Talk About The Importance of Having A Water Management Plan

Scaling UP! H2O

Play Episode Listen Later Nov 26, 2021 58:57


Scaling Up Nation, I cannot wait to introduce you to today's guest, Larry Pond. Larry is an expert in Compliance and Quality Assurance at IWC Innovations. Today, Larry and I are going to discuss how to prevent Legionella and other water-borne pathogens by having a good water management plan in place for each of your clients. Larry is a great communicator and my hope is that he inspires you to have the ‘water management plan conversation' with your clients today. One of the things I admire most about Larry is his seemingly effortless ability to ask soft questions to his clients so he can set up the right water management plan specifically catered for their facility. Some of the questions he gently asks his clients are: Do you have a water management plan? How do you protect your system and people? What risk factors do you have? Are your current measures adequate for these protections? After asking those questions to his clients (and many more), he then gives them the additional metaphors and stories they need to hear in order to drive home the importance of analyzing their risk factors and preventing outbreaks. If you are a water treater, you are going to love today's episode. Bottom line: Larry Pond is going to tell us why having a water management plan is important. Your roadside friend, as you travel from client to client.
-Trace

Timestamps:
James' Challenge: “Test pH of condensate immediately and then an hour later on the same open sample.” [05:50]
Introducing Larry Pond of Innovative Water Consultants [09:03]
Water treatment from an end user's perspectives [10:38]
Having the ‘water management plan conversation' with your clients [17:43]
Risk factors [26:28]
The importance of learning [28:58]
Testing positive for Legionella [33:58]
Advice to other water treaters [40:57]
Learning from our mistakes [44:24]
Lightning round questions [48:29]

Quotes:
“The art comes in seeing their perspective, and learning how to gently say that it's screwed up without saying it's screwed up.” - Larry Pond
“If their answers are blank stares, that's your opportunity for teaching.” - Larry Pond
“A water management plan is key to identifying your risks; to mitigate them through proper control measures.” - Larry Pond
“A water management plan is the cheapest, conceivable form of insurance that gets you off the hook.” - Larry Pond
“The conversation should be geared towards putting yourself in somebody else's shoes, not just your own. It's not just a job, it's not just a paycheck.” - Larry Pond
“Complacency is not a path for resolution.” - Larry Pond
“When we all do the same things over and over and over and over again, it gets boring. We get complacent. And we almost resent going back to the same accounts because it's boring.” - Trace Blackmore
“When we push the limits, we're learning.” - Trace Blackmore
“If you are intimidated by any topic, that is your sign that you need to go out and learn as much as you can about that topic.” - Trace Blackmore
“If people are allowed to make mistakes, that is where the true learning is.” - Trace Blackmore
“A rising tide raises all ships, but a bigger ship can hold more people.” - Trace Blackmore

Connect with Larry Pond:
Email: larry@iwcwater.net
Website: iwcinnovations.com
Social: @IWCINNOVATIONS

Books Mentioned:
Boiler Water Treatment - Colin Frayne
The Selfish Gene - Richard Dawkins
Hannibal - Tom Harris

Links Mentioned:
083 The One About Water Management Plans
Centers For Disease Control And Prevention: Toolkit
205 The One To Listen To If You Want To Hear How Rewarding A Career In Water Treatment Can Be

HashiCast
Keepin' It Secure - Episode 4

HashiCast

Play Episode Listen Later Nov 25, 2021 59:49


In this fourth installment of Keepin' It Secure, our hosts Rob Barnes (Devops Rob) and Adeel Ahmad (DevOps Adeel) welcome the show's first guest, Jamie Barrett. We discuss the viewpoint of the Risk and Compliance discipline on security and controls.
HCP Vault: cloud.hashicorp.com/
HashiCorp Sentinel: www.hashicorp.com/sentinel
HashiCorpLive Instagram: www.instagram.com/hashicorplive/

Paul's Security Weekly TV
Security & Compliance Thru the Lens of a Technology Journalist, Part 2 - Evan Schuman - SCW #96

Paul's Security Weekly TV

Play Episode Listen Later Nov 25, 2021 42:55


In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS, which was reflected in its tag line, “Techniques, Tools and Tirade about Retail Technology and E-Commerce.” The founder of the column, Evan Schuman, is a veteran journalist who has covered a wide range of technology, privacy and legal issues over the past three decades. Evan will give us his take on many of the issues facing the connected world – past, present, and future. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw96

Karma Comment Chameleon
r/MaliciousCompliance - Blow It Yourself! - Reddit Stories 849

Karma Comment Chameleon

Play Episode Listen Later Nov 24, 2021 17:49


Today we visit r/MaliciousCompliance
Visit us on YouTube! https://www.youtube.com/karmacommentchameleon
For business enquiries please contact karmacommentchameleon@gmail.com

Paul's Security Weekly TV
Security & Compliance Thru the Lens of a Technology Journalist, Part 1 - Evan Schuman - SCW #96

Paul's Security Weekly TV

Play Episode Listen Later Nov 24, 2021 35:24


In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS, which was reflected in its tag line, “Techniques, Tools and Tirade about Retail Technology and E-Commerce.” The founder of the column, Evan Schuman, is a veteran journalist who has covered a wide range of technology, privacy and legal issues over the past three decades. Evan will give us his take on many of the issues facing the connected world – past, present, and future. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw96

Serious Privacy
Dr. K: Privacy Compliance in US Universities

Serious Privacy

Play Episode Listen Later Nov 24, 2021 38:40


This week on Serious Privacy, Paul Breitbarth welcomes K Royal, the recently-approved PhD graduand (yes, it's a word) fresh from her dissertation defense on Privacy Compliance in US Universities. Many of our listeners likely participated in the nearly-anonymous Delphi Method part of her research, where privacy professionals around the world answered a series of questions to determine critical parts about privacy in the university setting. These included triggers, program elements, and risk factors. Her PhD is in public affairs, a fitting match for privacy law, from the University of Texas at Dallas, the School of Economic, Political, and Policy Sciences. Join us as we discuss the substance of privacy law at US universities, some common misperceptions, but also the difference in the PhD process between the US and Europe. Some of your favorite topics come up, such as CCPA, GDPR, and HIPAA. Also, her research involves the complexity of managing privacy law in a complex environment, bringing in Complexity Theory as a framework. Complex Adaptive Systems was used in terms of privacy law by Zhang and Schmidt when considering China's privacy law back in 2015 in their paper Thinking of data protection law's subject matter as a complex adaptive system: A heuristic display. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.

Legal 123s with ByrdAdatto
Billing and Coding with Jamie Lynch Vasquez

Legal 123s with ByrdAdatto

Play Episode Listen Later Nov 24, 2021 32:29


Entrepreneur and revenue cycle management expert Jamie Vasquez shares her mission to help practices be financially successful from the ground up. Tune in as we discuss the differences between billing in-network vs. out-of-network and key takeaways for your medical practice to focus on in the new year. Visit our website www.byrdadatto.com to learn more and to subscribe to the ByrdAdatto newsletter. Follow us on social media to stay up-to-date on the ByrdAdatto family. Finally, subscribe to our YouTube channel for short videos on breaking developments and interesting business and health care compliance topics.
Facebook: https://www.facebook.com/ByrdAdatto/
Twitter: https://twitter.com/ByrdAdatto
Instagram: https://www.instagram.com/byrdadattolaw/
LinkedIn: https://www.linkedin.com/company/byrdadatto
YouTube: https://www.youtube.com/channel/UC6VSOw0W5lrrj4iIl1HxTbg

Great Women in Compliance
Episode 128 – Kris Brown – Life After Compliance

Great Women in Compliance

Play Episode Listen Later Nov 24, 2021 39:39


Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley. For some people, working in ethics and compliance is a destination, and for others, it is a stop on the journey. How do you figure that out? In today's bonus episode, Lisa talks with Kris Brown, who is the President of Brady, which is the leading advocacy group in the United States to end gun violence. Prior to joining Brady, she was the Chief Legal Officer at gategroup, and also worked at a large law firm. If this sounds a little familiar, that is because Kris is a colleague and mentor to Lisa, and in fact got Lisa started on her career in compliance. So Lisa and Mary thought that it would be good to share Kris's journey into -- and out of -- compliance. They discuss how Kris found herself in compliance, and how a significant fraud situation impacted her role and was the backdrop of building a global compliance program. She talks about what she has learned from that experience, how it applies to her day-to-day work, and how what we do in E&C can transcend our roles. She also discusses what she sees as key attributes for a compliance officer, in her view, as she has transitioned out of a traditional legal role and into her current one. The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance-related offerings to listen in to. If you are enjoying this episode, please rate it on your preferred podcast player to help other like-minded Ethics and Compliance professionals find it. You can also find the GWIC podcast on Corporate Compliance Insights, where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book, “Sending the Elevator Back Down, What We've Learned from Great Women in Compliance” (CCI Press, 2020).
If you've already read the book and liked it, will you help out other women to make the decision to leverage off the tips and advice given by rating the book and giving it a glowing review on Amazon? As always, we are so grateful for all of your support, and if you have any feedback or suggestions for our line-up or would just like to reach out and say hello, we always welcome hearing from our listeners. You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it, and we welcome new subscribers to our podcast. Join the Great Women in Compliance community on LinkedIn here.

The Cloud Pod
144: Oh the Places You'll Go at re:Invent 2021

The Cloud Pod

Play Episode Listen Later Nov 24, 2021 61:35


The Cloud Pod: Oh the Places You'll Go at re:Invent 2021 — Episode 144 On The Cloud Pod this week, as a birthday present to Ryan, the team didn't discuss his advanced age, and focused instead on their AWS re:Invent predictions. Also, the Google Cybersecurity Action Team launches a product, and Microsoft announces a new VM series in Azure. A big thanks to this week's sponsors: Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. JumpCloud, which offers a complete platform for identity, access, and device management — no matter where your users and devices are located.  This week's highlights

HealthcareNOW Radio - Insights and Discussion on Healthcare, Healthcare Information Technology and More
1st Talk Compliance: Sheba Vine, Attorney and Sr Manager at Exact Sciences Corporation

HealthcareNOW Radio - Insights and Discussion on Healthcare, Healthcare Information Technology and More

Play Episode Listen Later Nov 24, 2021 22:43


Host Catherine Short welcomes Sheba Vine, Attorney and Senior Manager in the Global Privacy Office at Exact Sciences Corporation, on the topic of “Recent Developments in Health Information Privacy: HIPAA Right of Access.” Sheba reviews recent developments including OCR Enforcement Highlights, HIPAA Right of Access & Ciox Health Decision, NPRM, and 21st Century Cures Act Information Blocking Regulation. To stream our Station live 24/7 visit www.HealthcareNOWRadio.com or ask your Smart Device to “….Play HealthcareNOW Radio”. Find all of our network podcasts on your favorite podcast platforms and be sure to subscribe and like us. Learn more at www.healthcarenowradio.com/listen

5G Talent Talk With Carrie Charles Podcast
The GSS Way: Design For Compliance With Steve Blazenko And Alexander Novak

5G Talent Talk With Carrie Charles Podcast

Play Episode Listen Later Nov 23, 2021 33:53


Design for compliance separates GSS from its competitors. Host Carrie Charles introduces Steve Blazenko, the CEO at GSS, and Alexander Novak, the General Manager at GSS. Steve and Alexander explain how GSS does everything in-house, starting with site acquisition. With other acquisition firms, you'll have to outsource environmental compliance. So if you want a seamless experience, go for the GSS way. Join in the conversation to discover more about GSS and its family-oriented culture. Tune in! Love the show? Subscribe, rate, review, and share! http://broadstaffglobal.com/

Data Protection Gumbo
121: Why Tape is Here to Stay - Modern Day Tape Enthusiast

Data Protection Gumbo

Play Episode Listen Later Nov 23, 2021 34:25


Rob Turk, aka the Modern Day Tape Enthusiast, provides us with a brief history of the use of tape, who the players are that are still in the game in the tape industry, and some advice on utilizing tape to combat ransomware.

Pharmacy Podcast Network
The Dreaded Reality of Ransomware | Pharmacy Compliance Guide

Pharmacy Podcast Network

Play Episode Listen Later Nov 23, 2021 22:34


Ransomware: being held hostage from your own information and your own data. It's in the news every day, generally involving large businesses and banks, but it happens to every type and size of business every day. With complex schemes, malicious deception, various access points, complex research, and impersonation, ransomware is a worldwide threat that often funds nefarious dealings like terrorism, oppressive governments and even the development of more ransomware. Today Jeff Hedges, the Pharmacy Compliance Guide and owner of R.J. Hedges & Associates, and Nick Dorazio, President of LVTech and technology expert, are going to talk about what ransomware is and how it happens, put some context around the sheer cost of this type of event happening to your business, go over some terminology and solutions for your business, and even explain how you can prevent this from happening to your system. https://www.rjhedges.com/ Learn more about your ad choices. Visit megaphone.fm/adchoices

Software Engineering Daily
Risk and Compliance with Terry O’Daniel

Software Engineering Daily

Play Episode Listen Later Nov 23, 2021 50:15


Consumers are increasingly becoming aware of how detrimental it can be when companies mismanage data. This demand has fueled regulations, defined standards, and applied pressure to companies. Modern enterprises need to consider corporate risk management and regulatory compliance. In this interview, I speak with Terry O'Daniel, Director of Engineering (Risk & Compliance) at Instacart. The post Risk and Compliance with Terry O'Daniel appeared first on Software Engineering Daily.

Data – Software Engineering Daily
Risk and Compliance with Terry O’Daniel

Data – Software Engineering Daily

Play Episode Listen Later Nov 23, 2021 58:08


Consumers are increasingly becoming aware of how detrimental it can be when companies mismanage data. This demand has fueled regulations, defined standards, and applied pressure to companies. Modern enterprises need to consider corporate risk management and regulatory compliance. In this interview, I speak with Terry O'Daniel, Director of Engineering (Risk & Compliance) at Instacart. The post Risk and Compliance with Terry O'Daniel appeared first on Software Engineering Daily.

Ritter on Real Estate
The VALUE of Self-Directed Retirement Planning With Bill Neville

Ritter on Real Estate

Play Episode Listen Later Nov 22, 2021 51:00


Today's Ritter On Real Estate Guest is Bill Neville. Bill Neville joined The Entrust Group eight years ago through his initial role as Manager of Operations for the company's franchise program. When the program was discontinued, Bill stepped up to the task of managing the Compliance and Internal Audit departments. With a keen eye for detail and gaining valuable insights into the IRA industry, Bill kept Entrust's educational programs and internal processes in line with industry regulations. Bill actively takes pride in the company's growth and success and is currently the Business Development Manager for Entrust's San Francisco Bay Area office. Welcome to the podcast Bill!
Key Points From The Episode:
How Bill got his start in managing/recovery auditing/financial advising.
What Entrust Group is and isn't. Custodian & record keeper for individuals.
The definition of self-directed retirement planning.
The freedom included with self-directed retirement accounts.
Why most financial advisors limit their investment opportunities for consumers.
Roth IRA & 401K transfers, rollovers, brokerage changes explained.
The benefit of self-directed IRAs.
What potentially disqualifies your self-directed IRA.
IRAs owning assets, how it works.
Books Mentioned: Sapiens: A Brief History of Humankind by Yuval Noah Harari

Coffee & Regs
Special Episode with the Deputy Commissioner, Securities Division of the Vermont Department of Financial Regulation

Coffee & Regs

Play Episode Listen Later Nov 22, 2021 31:19


In this special episode, CSS's Director of Retail Wealth Manager Services, Korrine Kohm, and William R. Carrigan, Deputy Commissioner, Securities Division of the Vermont Department of Financial Regulation, discuss the latest news for registered investment advisers, including what will be required in 2022 surrounding continuing education requirements, the implementation of the new Marketing Rule and what's next for Form CRS.

The Human Risk Podcast
Mary Shirley on Women In Compliance

The Human Risk Podcast

Play Episode Listen Later Nov 21, 2021 64:01


How can diversity help make Compliance functions more effective? My guest, Mary Shirley, is a compliance professional who has been working to promote women in compliance. She's the co-host of The Great Women in Compliance podcast and the co-author of a book called Sending the Elevator Back Down: What We've Learned from Great Women in Compliance.
One of the ways we can mitigate human risk is to have a more diverse range of opinions involved in decision-making. And that's arguably even more important when it comes to the people in functions responsible for managing human risk. Because if you're going to effectively influence employees to do the right things and not do the wrong ones, you're going to need a broad range of insights into what those employees might get up to.
Mary and I both presented at the recent European Ethics & Compliance Conference. You can see those presentations here:
Mary's presentation on what it takes to be a great woman in Compliance - https://www.youtube.com/watch?v=c4AXJUPQyjk
& mine on what Compliance has to do with Ethics - https://youtu.be/AYDzfQGesKE
If, like me, you thought Compliance was a male-dominated discipline, think again: as Mary explains, the ratio of men to women is above average, but for reasons you might not expect. And that doesn't mean that there isn't work to be done.
During our discussion we explore:
Mary's LinkedIn profile - https://www.linkedin.com/in/iheartcompliance/
The Great Women In Compliance podcast — https://www.corporatecomplianceinsights.com/great-women-in-compliance/ It's available on all the major podcast platforms
Sending The Elevator Back Down book - https://amzn.to/3qUWElU
Organisational Psychologist Adam Grant - https://www.adamgrant.net/
The Great Women In Compliance LinkedIn Group - https://www.linkedin.com/groups/12156164/
The Activision Blizzard Story - https://www.pcgamer.com/uk/activision-blizzard-lawsuit-controversy-timeline-explained/
Gucci's Shadow Committees - https://www.wmagazine.com/story/gucci-millennials-shadow-committee-alessandro-michele
The episode of this show featuring a sexologist - https://www.humanriskpodcast.com/sexologist-dr-jill-mcdevitt-on/
A brief note on audio quality — I recorded my part of the show while travelling and the audio quality at my end isn't as high as it usually is. My apologies. Fortunately, Mary's audio, like her content, is of a very high standard.

Karma Comment Chameleon
r/MaliciousCompliance - What's A "Promotion" With No Extra Pay? - Reddit Stories 847

Karma Comment Chameleon

Play Episode Listen Later Nov 20, 2021 15:11


Today we visit r/MaliciousCompliance
Visit Us On YouTube! https://www.youtube.com/karmacommentchameleon
For business enquiries please contact karmacommentchameleon@gmail.com

Remnant Call
Complete Compliance

Remnant Call

Play Episode Listen Later Nov 20, 2021 18:00


Folks they are coming after Remnant Call. We are looking at another platform. Please listen in and don't miss this episode.

Ms. InterPReted
Behind #TheBigQuit: Pandemic-Driven Changes in Workforce Law and Comms

Ms. InterPReted

Play Episode Listen Later Nov 19, 2021 50:09


In this episode, Woolf McClane's Chad Hatmaker shares:
What he's seen employers and management teams do right (or wrong) since the pandemic hit on the employee relations front
Specific aspects of emerging employment law that were brought to bear significantly in the past 20 months and that should be tracked going forward, in order for companies to remain compliant yet competitive
How employee / front-line team expectations have now changed
Why staying proactive is so important for companies -- in order to avoid much larger problems later
Ways in which communications challenges arise throughout workforce-management issues, like vaccinations
And much more...
Links:
Follow the #MsInterPReted hashtag
Follow Chad Hatmaker of Woolf McClane on Twitter: @JChadHatmaker
Chad Hatmaker's blog, “Tennessee Employment Law”
LinkedIn
View insights from members of the Fletcher Team on WBIR's special news segment on "The Big Quit".
Discover Fletcher Marketing PR
Follow Fletcher Marketing PR on Twitter: @FletcherPR
Follow Kelly Fletcher on Twitter: @KDfletcher
Follow Mary Beth West on Twitter: @marybethwest

Power of Prepaid Podcast
Visa Brings Cash Deposits to Fintechs

Power of Prepaid Podcast

Play Episode Listen Later Nov 19, 2021 15:11


One challenge of banking with a digital-only bank is making cash deposits. With no branches, it can be tough on a consumer who wants to make cash available for digital spending. Visa has been doing this for years for prepaid card holders by allowing them to make cash deposits at retailers and ATMs through its ReadyLink Network. Now, the company has expanded that access to debit programs, providing an opportunity for neobanks, other fintechs, and even traditional financial institutions potentially to offer deposit capabilities at a broad range of locations. In this episode, Lauren Fulmer, the director of U.S. Prepaid Product at Visa, talks about how the network works and what the future might hold now that it has expanded beyond prepaid cards.

Service Academy Business Mastermind
#189: Keeping Your Legal Entities in Compliance with Simone Zacharias, USAFA ‘12

Service Academy Business Mastermind

Play Episode Listen Later Nov 19, 2021 31:30


“When starting a business, subject matter expertise makes all the difference and it gives you credibility.” - Simone Zacharias, USAFA '12
Simone Zacharias is an Acquisitions Officer in the U.S. Space Force and COO and Co-Founder of GoBeagle, Inc, a company that helps business owners conquer corporate compliance by helping them keep all their legal entities in good standing. She graduated from the U.S. Air Force Academy in 2012 and obtained her MBA from UCLA Anderson School of Business Management this year. Simone excels at problem-solving and thrives in her job roles at GoBeagle, Inc. and in the U.S. Space Force. We learned a lot from talking to Simone and we're honored to be her first podcast appearance.
In this episode, we discuss:
What Go Beagle does and why Simone started the company
Why legal entity management is important to every business
The ramifications of falling behind with corporate compliance
Why business owners need to take responsibility for legal entity management
How the U.S. Air Force Academy contributed to Simone's success
Simone also shares the story behind the name of GoBeagle, Inc. and tells us why real estate investors, lawyers, accountants and paralegals are her top clients. She also explains how businesses can become non-compliant without realizing it, why you can't afford not to maintain your legal entities, and shares some of her favourite client success stories. We loved hearing how motherhood connected Simone to her business partner and enjoyed learning more about her job in the U.S. Space Force. We're inspired by her story and hope it empowers you too!
Connect with Simone: LinkedIn GoBeagle, Inc.
If you found this episode valuable, please share it with a friend or colleague. If you are a Service Academy graduate and want to take your business to the next level, you can join our supportive community and get started today.
Subscribe and help out the show: Subscribe on Apple Podcasts Also available on Google Podcasts, Spotify & Stitcher Leave us a 5-star review! Special thanks to Simone for joining me this week. Until next time! - Scott Mackes, USNA '01

Group Practice Tech
Episode 223 [Practice Management] The PCT Way, What It Is and Why It Works

Group Practice Tech

Play Episode Listen Later Nov 19, 2021 60:30


Welcome solo and group practice owners! We are Liath Dalton and Roy Huggins, your co-hosts of Person Centered Tech. In our latest episode, we're talking about The PCT Way. We discuss how we developed The PCT Way; simplifying HIPAA compliance needs; minimizing financial cost as well as time, energy, anxiety, and cognitive overhead; meeting your practice needs and client needs in a way that's efficient and reliably HIPAA compliant; systems vs. frameworks; solo vs. group practice needs; system bloat; the five primary steps of The PCT Way (service selection, HIPAA training, device security, risk analysis, and building your HIPAA security compliance manual); new features on the Person Centered Tech website; why HIPAA compliance is optional; and being proactive with the PCT Way. Listen here: https://personcenteredtech.com/group/podcast/ Stay tuned for future episodes! For more, visit our website.
Resources
The PCT Way for Group Practices - a system for making your *whole* practice work. Learn more, and start for free.
Group Practice Care: PCT Way is the system. Practice care is the service that supports you through it.
Celebratory Launch + Black Friday + Cyber Monday Sale. Save up to 25% on Group Practice Care (annual) *and* role-based staff HIPAA, ethics, and teletherapy trainings (CE for clinical staff trainings).
Build Your Team -- add your team and assign and track their HIPAA Security Tasks, including:
Our nationally respected, role-based HIPAA and privacy ethics training built for mental health staff (CE for clinical staff)
Vital, relevant security awareness training
Personal device securing (BYOD) and registration
Automate kind reminders when needed
Track your team's progress and completion status
Manage your team with separate, revocable logins, assigned content, and detailed training logs so you can stay on top of your team's HIPAA compliance tasks — without the drama.

Ropes & Gray Podcasts
Health Care Compliance Check-up: Belgium

Ropes & Gray Podcasts

Play Episode Listen Later Nov 18, 2021 16:31


Great Women in Compliance
Michelle Dewarrat-She's All That

Great Women in Compliance

Play Episode Listen Later Nov 17, 2021 27:35


Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley. Michelle Dewarrat has been incorporating corporate social responsibility into her Compliance program since long before many of us started bandying about the term ESG. As today's guest, Mary seeks Michelle's advice on how to make a start thinking about the ESG topic, for Compliance Officers grappling with introducing the concept into their workload. Currently, Michelle is Head of Compliance at CSG and has recently been building out her team after starting in her new role earlier this year. She discusses the recruitment challenge of hiring during the Great Resignation and in light of there being very high demand for candidates, as well as how she has succeeded through the challenge. Michelle has climbed the corporate ladder while also raising her son as a single mum. She talks about some of the lessons from the motherhood experience and how they've informed her approach in the office. As they round up the episode, Michelle's sharing of her music tastes leads Mary to reveal a secret shame. The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to. If you are enjoying this episode, please rate it on your preferred podcast player to help other like-minded Ethics and Compliance professionals find it. You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We've Learned from Great Women in Compliance” (CCI Press, 2020).
If you've already read the book and liked it, will you help out other women to make the decision to leverage off the tips and advice given by rating the book and giving it a glowing review on Amazon? As always, we are so grateful for all of your support, and if you have any feedback or suggestions for our line up or would just like to reach out and say hello, we always welcome hearing from our listeners. You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast. Join the Great Women in Compliance community on LinkedIn here.

The Great Battlefield
Campaign Compliance for Democrats with Taryn Vogel of BlueBird Consulting

The Great Battlefield

Play Episode Listen Later Nov 17, 2021 46:02


Taryn Vogel joins The Great Battlefield podcast to talk about her career in politics and doing compliance for Obama, Clinton and the DNC and founding her own compliance firm BlueBird Consulting.

Legal 123s with ByrdAdatto
From NFL to CLIA with Keith Gray

Legal 123s with ByrdAdatto

Play Episode Listen Later Nov 17, 2021 32:10


CEO of Parameno Health and former NFL athlete, Keith Gray joins us to share his expertise on running a compliant medical laboratory. Tune in as we dive into CLIA, EKRA, genetic laboratory testing, and key operational processes to ensure your business remains compliant. Visit our website www.byrdadatto.com to learn more and to subscribe to the ByrdAdatto newsletter. Follow us on social media to stay up-to-date on the ByrdAdatto family. Finally, subscribe to our YouTube channel for short videos on breaking developments and interesting business and health care compliance topics.
Facebook: https://www.facebook.com/ByrdAdatto/
Twitter: https://twitter.com/ByrdAdatto
Instagram: https://www.instagram.com/byrdadattolaw/
LinkedIn: https://www.linkedin.com/company/byrdadatto
YouTube: https://www.youtube.com/channel/UC6VSOw0W5lrrj4iIl1HxTbg

Compliance into the Weeds
A Single Source of Truth

Compliance into the Weeds

Play Episode Listen Later Nov 17, 2021 25:52


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Today, Matt and Tom take a look at the recently filed lawsuit by Shaquala Williams against JPMorgan for alleged retaliation for her internal whistleblowing. Williams was in a compliance function at the bank and claimed she was terminated for raising the issue that JPMorgan was not living up to its reporting requirements under a DPA.
Some of the issues we consider are:
Facts of the claim? Made in the context of an ongoing DPA.
The lack of documented policies and procedures.
Siloed nature of compliance functions.
Inconsistency in risk assessments.
Why is a single source of truth so critical?
Resources
Matt in Radical Compliance, That Lawsuit Against JP Morgan
Learn more about your ad choices. Visit megaphone.fm/adchoices

FINRA Unscripted
2021 Small Firm Conference: A Fireside Chat with Robert Cook and Greg Ruppert

FINRA Unscripted

Play Episode Listen Later Nov 16, 2021 24:00


The small firm community, those firms with 150 or fewer registered financial professionals, came together in October to discuss and engage on key areas of concern at the Small Firm Conference. On this episode, we're taking you behind the scenes of this year's event with an abridged look at the fireside chat with FINRA CEO Robert Cook and Executive Vice President Greg Ruppert, moderated by FINRA's head of Member Relations Kayte Toczylowski.
Resources mentioned in this episode:
Trusted Contact Resources
Racial Justice Task Force
2021 Report on FINRA's Examination and Risk Monitoring Program
Cybersecurity Resources

Law and Candor
Getting Personal—Wearable Devices, Data, and Compliance

Law and Candor

Play Episode Listen Later Nov 16, 2021 27:37


In the final episode of the season, co-hosts Bill Mariano and Rob Hellewell review a New Yorker piece by Kyle Chayka about the beauty and uncanniness of AI-created images delivered by the Twitter handle @images_ai.
The co-hosts then bring on Thora Johnson of Orrick for a riveting discussion about the rise in wearable devices and the personal data they're collecting. They discuss the fascinating innovation in health-related technology and apps and the significant data compliance, privacy, and cybersecurity issues that are accompanying it. Some key questions from their conversation include:
Beyond the more well-known wearable devices and health-related apps, what others are out there and what types of data are they collecting?
The proliferation of data these devices and apps are generating has created a unique set of intersecting compliance, security, and privacy challenges—what are some of the most critical to understand?
How can teams mitigate the risk of a cyber breach? And in the event it does happen, what are best practices in terms of responding to a breach?
What should attorneys and legal teams know about the FTC's recent announcement that it plans to “vigorously” enforce its 2009 Health Breach Notification rule?
What regulatory issues related to apps collecting genetic information should people be aware of?
The season ends with key takeaways from the guest speaker section. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
Related Links
Blog Post: AI and Analytics: New Ways to Guard Personal Information
Blog Post: Cybersecurity Defense: Biden Administration Executive Order a Great Start Towards a More Robust National Framework
Podcast: Reducing Cybersecurity Burdens with a Customized Data Breach Workflow
Twitter: https://twitter.com/images_ai
About Law & Candor
Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, visit the podcast homepage.

Law and Candor
Understanding Microsoft 365 Unindexed Items

Law and Candor

Play Episode Listen Later Nov 16, 2021 17:34


Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss a framework for building accountability into AI from an article in Harvard Business Review by Stephen Sanford.
In this episode, Bill and Rob are joined by James Hart of Lighthouse. They discuss this critical component of Microsoft 365 and its important role in maximizing the effectiveness of ediscovery workflows and mitigation strategies. Key questions from their conversation include:
What are unindexed items and how critical are they to efficiency in ediscovery workflows?
After identifying unindexed items, what is the next step and how do you approach it?
What are some key strategies for handling unindexed items?
How are different organizations approaching unindexed items from a policy perspective?
What are best practices for approaching this unique issue in Microsoft 365?
In conclusion, our co-hosts end the episode with key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
Related Links
Blog Post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations
Blog Post: Making the Case for Information Governance and Why You Should Address It Now
White Paper: The Impact of Schrems II and Key Considerations for Companies Using M365
Podcast: Keeping Up with M365 Software Updates
About Law & Candor
Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, visit the podcast homepage.

The Health Ranger Report
ZOMBIES: Vaccines are destroying EMPATHY regions of the brain, turning bureaucrats into monsters

The Health Ranger Report

Play Episode Listen Later Nov 13, 2021 10:42


For more updates, visit: http://www.brighteon.com/channel/hrreport NaturalNews videos would not be possible without you; as always we remain passionately dedicated to our mission of educating people all over the world on the subject of natural healing remedies and personal liberty (food freedom, medical freedom, the freedom of speech, etc.). Together, we're helping create a better world, with more honest food labeling, reduced chemical contamination, the avoidance of toxic heavy metals and vastly increased scientific transparency.
▶️ Every dollar you spend at the Health Ranger Store goes toward helping us achieve important science and content goals for humanity: https://www.healthrangerstore.com/
▶️ Sign Up For Our Newsletter: https://www.naturalnews.com/Readerregistration.html
▶️ Brighteon: https://www.brighteon.com/channels/hrreport
▶️ Join Our Social Network: https://brighteon.social/@HealthRanger
▶️ Check In Stock Products at: https://PrepWithMike.com

Money Savage
Financial Compliance Services with Todd Cipperman

Money Savage

Play Episode Listen Later Nov 13, 2021 18:37


LifeBlood: We talked about financial compliance services, the regulatory challenges of emerging technologies like crypto assets, blockchain and fintech companies, why compliance is mundane but not intuitive, the reasons why people outsource it, and how it's better to ask permission than seek forgiveness when it comes to this space, with Todd Cipperman, Founding Principal of Cipperman Compliance Services. Listen to learn why it's essential to not be married to our ideas and what we think is true! For the Difference Making Tip, scan ahead to 17:50! You can learn more about Todd at Cipperman.com, Twitter and LinkedIn. Thanks, as always, for listening! If you got some value and enjoyed the show, please leave us a review wherever you listen and subscribe as well. You can learn more about us at MoneyAlignmentAcademy.com, Twitter, LinkedIn, Instagram, Pinterest, YouTube and Facebook, or if you'd like to be a guest on the show, contact George at Contact@GeorgeGrombacher.com.

The Health Ranger Report
HYPERINFLATION has begun... GOLD and SILVER now the best protection against the collapsing dollar

The Health Ranger Report

Play Episode Listen Later Nov 12, 2021 20:46


For more updates, visit: http://www.brighteon.com/channel/hrreport NaturalNews videos would not be possible without you; as always we remain passionately dedicated to our mission of educating people all over the world on the subject of natural healing remedies and personal liberty (food freedom, medical freedom, the freedom of speech, etc.). Together, we're helping create a better world, with more honest food labeling, reduced chemical contamination, the avoidance of toxic heavy metals and vastly increased scientific transparency.
▶️ Every dollar you spend at the Health Ranger Store goes toward helping us achieve important science and content goals for humanity: https://www.healthrangerstore.com/
▶️ Sign Up For Our Newsletter: https://www.naturalnews.com/Readerregistration.html
▶️ Brighteon: https://www.brighteon.com/channels/hrreport
▶️ Join Our Social Network: https://brighteon.social/@HealthRanger
▶️ Check In Stock Products at: https://PrepWithMike.com

The Health Ranger Report
Situation Update, Nov 12, 2021 - LAPD tells residents to "comply" with robbers as society collapses into LAWLESS CHAOS

The Health Ranger Report

Play Episode Listen Later Nov 12, 2021 89:31


0:00 Intro
3:48 Crazy News
23:35 Other News
30:50 Finance
57:50 Vaccines
For more updates, visit: http://www.brighteon.com/channel/hrreport
NaturalNews videos would not be possible without you. As always, we remain passionately dedicated to our mission of educating people all over the world on the subject of natural healing remedies and personal liberty (food freedom, medical freedom, the freedom of speech, etc.). Together, we're helping create a better world, with more honest food labeling, reduced chemical contamination, the avoidance of toxic heavy metals and vastly increased scientific transparency.
▶️ Every dollar you spend at the Health Ranger Store goes toward helping us achieve important science and content goals for humanity: https://www.healthrangerstore.com/
▶️ Sign Up For Our Newsletter: https://www.naturalnews.com/Readerregistration.html
▶️ Brighteon: https://www.brighteon.com/channels/hrreport
▶️ Join Our Social Network: https://brighteon.social/@HealthRanger
▶️ Check In Stock Products at: https://PrepWithMike.com

Hagmann Report
Compliance is Submission to Tyranny - Do NOT Let This Happen to You! | Coach Dave Daubenmire & Pastor Shahram Hadian on The Hagmann Report

Hagmann Report

Play Episode Listen Later Nov 12, 2021 60:01


For show notes, links and complete description, visit www.HagmannReport.com/videos
The Hagmann Report is brought to you by EMP Shield - www.EMPshield.com/hagmann
Use Promo Code HAGMANN for $50 OFF!
IMPORTANT LINKS:
DONATE: (www.HagmannReport.com/donate)
HAGMANN COFFEE: (www.HagmannStore.com)
The Hagmann Report provides news and information based on a combination of exclusive investigative work, proprietary sources, contacts, qualified guests, and open-source material. The Hagmann Report will never be encumbered by political correctness or held hostage to an agenda of revisionist history.
Join Doug Hagmann, host of the Hagmann Report, Weekdays @ 7 PM ET.
ON THE GO? SUBSCRIBE TO HAGMANN'S PODCAST
iTunes: (https://podcasts.apple.com/us/podcast/hagmann-report/id631558915?uo=4)
Spotify: (https://open.spotify.com/show/376mkckQHCPYTJssQN794g)
iHeart: (https://www.iheart.com/podcast/256-hagmann-report-30926499/)
Spreaker: (https://www.spreaker.com/show/hagmann-report)
Email: studio@hagmannreport.com
FOLLOW HAGMANN AT:
Parler: (www.parler.com/profile/DouglasHagmann)
Gab: @DougHagmann
Twitter: Twitter is garbage
