Sell Me This Podcast

Compliance, Ethics, and Security Made Practical with Jose Costa & Mark Mandel

Keith Daser Season 2 Episode 3

On this episode of the Sell Me This Podcast, host Keith Daser talks with Jose Costa and Mark Mandel from MHM for a practical conversation on compliance, ethics, and security for small and medium-sized businesses.

They break down what compliance really means beyond the checklists, how ethics play a role in every security decision, and why the right controls can protect both data and reputation. Jose and Mark also share actionable steps business owners can take to start securing their environments and building a stronger foundation for long-term resilience.

Whether you're a business leader, IT professional, or simply trying to make sense of the growing compliance landscape, this episode delivers clear insights on how to move from awareness to action.

Learn more about MHM here: https://www.mhmcpa.ca/

-----------------------------------------------------------------------------------------------------------------------------
If you believe you deserve more from your technology partnerships – connect with the team at:
https://www.deliverdigital.ca/?utm_source=videodescription&utm_id=youtube

Sell Me This Podcast is brought to you by the team at Deliver Digital, a Calgary-based consulting organization that guides progressive companies through the selection, implementation, and governance of key technology partnerships. Their work is transforming the technology solution and software provider landscape by helping organizations reduce costs and duplication, enhance vendor alignment, and establish sustainable operating models that empower digital progress.

This episode of the Sell Me This Podcast was expertly edited, filmed, and produced by Laila Hobbs and Bretten Roissl of Social Launch Labs, who deliver top-tier storytelling and technical excellence. A special thanks to the entire team for their dedication to crafting compelling content that engages, connects, and inspires.

Find the team at Social Launch Labs at:
www.sociallaunchlabs.com

SPEAKER_02:

I think the prevalence of AI now is opening people's eyes to that in some cases a little bit more because they realize data is the underpinning foundation to all of this. You can't do AI without data, and you can't do AI well without good data.

SPEAKER_03:

Welcome to another episode of Sell Me This Podcast. This week we're joined by Jose and Mark from MHM Corporation, who focus on security and compliance initiatives for small and medium businesses across North America. The conversation dives into everything from compliance, ethics, and security controls to what business owners can do to take the first steps in securing their environments. Enjoy. Welcome to another episode of Sell Me This Podcast. Today we are incredibly excited to have Mark and Jose from MHM with us. We're going to be diving into the wonderful world of compliance. I know, something that everyone is excited to hear about. I think there are lots of questions, so we're going to dive right into things. Why don't you both introduce yourselves? Mark, if you want to go first: a little bit about who you are, where you came from, and maybe an overview of MHM.

SPEAKER_02:

Sure. So I'm Mark. I started MHM in the middle of 2020 after a very lengthy career at PwC, half in Toronto, half here in Calgary. Hence the Blue Jays jersey, which is my home team, shall I say. MHM is really focused on delivering security and compliance audits to clients, mostly in the small and medium business space. Our main goal is to deliver high quality at affordable pricing. And sorry, I forget. And yeah, so in terms of background, I started my career at Coopers & Lybrand actually in 1997 as a co-op student, before they'd even merged and became PwC. And yeah, eventually I decided it was time to leave that world and start my own thing, and so I started MHM in 2020. I love it.

SPEAKER_04:

And what about yourself? Yeah, so I'm José. I joined MHM as a partner a couple of years ago now. Before that, similar to Mark, actually, I moved to Calgary from Barcelona around the same time that Mark moved to Calgary, so we were together at PwC for a long time. Before that I was with Ernst & Young. I'm a computer engineer, but I've been doing compliance and security work all my life, right? I moved to Calgary because of my wife, girlfriend at the time. Oh, excited. That's why I'm here. Changed the beach for the mountains, right? And the snow, right? And yeah, it's been two years, and we've accomplished a ton of things, like Mark mentioned about MHM. We are super proud of what we're doing, right? Offering these audits and certifications that are super specialized, at a great price, and really focused on servicing our clients.

SPEAKER_03:

I love it. So how does one find themselves walking down that compliance path? Because I imagine that maybe, you know, a 15-year-old Jose, did you imagine you were going to get into compliance, or what brought you towards this line of work?

SPEAKER_04:

Not at all. Yeah, that's a long story. I mean, I'll try to keep it short. We have time. Yeah, yeah. So it was one of those things. I finished university, and it was after the dot-com bubble. As I mentioned, I'm a computer engineer. I had a few jobs lined up, I was interviewing, and you know, things were okay. And one of my interviews was with one of the Big Four, at EY, right? And all my interviews had been with techie people. They had been in basements, like, you know, scrappy people, okay, we're gonna do some coding, gonna work here, this is the, you know. And that interview was at a nice building with beautiful views, guys in suits, right? And it was like, hey, you're gonna travel the world, you're gonna be talking to CFOs, CIOs, CAOs, right? And that really, you know, maybe the wrong reason for joining a job, right? But it really caught my attention when I was young, right? And yeah, I got into this world way back then, right? It was the opportunity to actually see what businesses were doing, how they were working, right, instead of just focusing on making them work and techie stuff and developing things. So that was the main reason. And then after that, it was just a combination of things. I just loved what I was doing. I liked it, and yeah, here I am, right? Yeah.

SPEAKER_03:

So you were drawn in by the lifestyle, and it looked like a really cool job, and then the wave kind of took you and you were left here.

SPEAKER_04:

Yeah, I never would have guessed that I would have, you know, ended up doing this, right, for a living, but here I am, right?

SPEAKER_03:

Well, there are so many people that I talk to as well that, you know, especially when they're exploring what to do, looking at that consulting lifestyle gives them the opportunity to almost get this PhD in other people's businesses, where you get to see how many people there are and how they all do things differently and how they approach business, and it really can help you accelerate your understanding of just how the world operates. What about you, Mark? Do you have a similar upbringing story, or kind of similar but totally opposite? Okay, I love it.

SPEAKER_02:

I can see that. So I'm a chartered accountant by training and was always into computers and technology. I actually had my first computer when I was five years old, which was a Commodore PET, that my father, who was responsible for introducing computers into school boards just outside of London, Ontario, brought one home, and I started playing with it and kind of had a knack for it, shall I say. But accounting was kind of the path I went through university with, and I started with a big firm and had two thoughts. One, I figured joining a big firm would open up lots of opportunity to do lots of different things, and accounting was a great way to get into that environment. And worst case, if all else failed, I could do people's books for a living. Not that that was overly exciting, but you never know. The other thing was I really, at the time, wanted to get into sports management, actually. And the president of the Blue Jays, Paul Beeston, was a chartered accountant by training. And that got me thinking, it's like, well, geez, if he could do what he's doing from that start, and actually started with Coopers & Lybrand, then maybe I should go that path too. So at the time I chose Coopers because they were the auditors of the Blue Jays. So that's the firm I ended up starting my career with. I was told, after trying to get on that audit, that it was one of the worst audits the firm had, not to get on it. And another firm was actually taking it the following year anyway. So whatever. But it got me introduced to a couple of partners. They were like, hey, this seems like a young guy, you know, pretty ambitious. I got to work on some other cool clients, and then had the opportunity to do a data analytics and application controls project with a telco in Toronto, which was pretty cool. So I took that, really loved that, ended up switching out of financial audit once I had my hours and focusing more on there, and one thing grew into another. I ended up working with the large telecoms in Canada and some globally doing Sarbanes-Oxley work, which then turned into PCI work, and that's kind of how my security career started. Amazing.

SPEAKER_03:

And so both of you have a technical background, it sounds like, and so you both kind of came from, you know, maybe different approaches, but the engineering side of things. Is that a requirement to get into this type of work, or is this just something, maybe the way that you're wired or the way that you get motivated in the morning, that brought you towards this?

SPEAKER_02:

I think it's a yes and a yes. Having an affinity for technology, having an understanding of how technology works and how and where it's important, is pretty critical. But having a curiosity about how business works and how these two things really tie together, how companies are using technology and the risks that come with that, is, I would say, even more important than understanding all the deep nuances of how the technology actually works. There are lots of people out there that you would want to include as part of your team that have that capability, but not everybody needs to have all the same skills.

SPEAKER_03:

Right. What about from a kind of training perspective? Like, what does it look like to actually become an auditor in this space specifically? Because, you know, I know probably enough to be dangerous in this space, and if I was ever auditing someone, they would be in horrible, horrible trouble. But I think that I probably have that base layer understanding of what some of the certifications are, what some of the badges and things to look out for are. But how do you, A, keep up with it, and, B, get to a spot where you can really be the expert that guides customers through these things?

SPEAKER_04:

I think that's, I mean, that's a good point, like Mark was saying, right? That intersection between the business and the technology, really understanding why. Like you said, right? If you were to audit somebody, you have enough knowledge of technology that you could spend weeks. I want to be clear, you don't want to audit someone. But that's a good point. You could spend weeks, you know, trying to, hey, look for perfection almost, right? This is what it should be, right? Spend, you know, on any facet of what we audit, right? Because it's quite wide, right? We go into an audit and we look at security, and security is like a big, you know. So you've got to find the right balance between going too deep and not deep enough, and really understanding what the risks are so you know, okay, these are the areas of focus, right? And don't spin your wheels, right? Looking for something that is really not important for you or for the business that you're auditing, right? So yeah, that experience and curiosity, right? Really, it's more than a job, right? It's not like, okay, yeah, I'm just gonna follow these steps, one, two, three, four. No, it's why, why am I doing it, right? What can go wrong, right? What if this fails? Right? It's thinking a little bit of, you know, if this fails, what's the worst thing that can happen, right? And thinking, do I have anything else that would catch it?

SPEAKER_03:

Right? So really understanding more of that systems approach and saying, you know, what are all the pieces that fit together? I love that you brought up risk as well, because, you know, in a previous world I did a lot of work in the security space. And you know, in security you can put in place infinite controls, but you can also have a counterbalancing risk that says we put in too many controls and no one can do anything. Is most of the discussion that you have around risk when it comes to compliance? I would say it is at our level, especially.

SPEAKER_04:

I would say, yeah, most of our conversations, and especially when things get escalated to us or when Mark and I have conversations, we always take that risk-based approach, right? And I think, you know, clients appreciate it. Yes, I would say that's a key, you know. Well, I would consider ourselves to be risk professionals above anything else.

SPEAKER_02:

Whenever we get introduced to new clients or potential clients, the very first thing we want to understand is, number one, what do they do? Number two, who are they doing it with or for, and how critical is that service they're providing, and what data is being included as part of that service? At the end of the day, with all the systems in the world, if you're dealing with data that nobody really cares about, you know, the level of security or the level of risk that's inherent in what you do is going to be very different than if you're dealing with data that all your customers deem to be absolutely critical to the running of their business.

SPEAKER_03:

That makes sense. And so if I'm a business owner and I'm doing that kind of initial litmus test, are there any things that pop out to you? Let's say you're in that first meeting and you're asking the question, you know, what data do you work with, what industries do you work with? Are there things where you hear, you know, I work with the Department of Defense, or I have this type of data, where it's like, okay, well, you need these things immediately? Are there kind of red flags or checkboxes that go off in your head for certain things?

SPEAKER_02:

Yeah, I mean, certainly if you're working in regulated industries, that plays a role. If you're dealing with personal information, that plays a role. Equally importantly to personal information, if you're dealing with any corporately sensitive data, that definitely plays a role. And that is one area that we find a lot of companies neglect, maybe that's the wrong way of putting it, but underappreciate the importance of. And that, you know, could be as interesting a target for a hacker as any personal information that may be available in other places. What you have may be unique to them. So those are really some of the things that trigger us to say, you know, hey, there's something interesting about you that should lead you to want to better protect yourself and demonstrate that you're doing that.

SPEAKER_03:

Yes. So from a personal information standpoint, and this is a question that I feel like a lot of people still don't quite understand, in terms of what actually is personal information. And I can see you laughing already. And maybe I'm opening up a can of worms here, but how do you define what's personal and what's just kind of line-of-business information that looks like information around someone?

SPEAKER_04:

I mean, personal information is anything that can identify a person.

SPEAKER_03:

Yeah.

SPEAKER_04:

And that could be anything from an IP address, potentially, right? Because you could trace it to the person that's using that address, right? To, you know, your typical, hey, name, address, right? And some more sensitive stuff, right? Like health information and so on, right? There are different levels of personal information, you know, more critical information, less critical. But yeah, anything that can identify a person is considered personal information.

SPEAKER_02:

So we actually got into a debate with a client once, of course, right? There are always debates and discussions. This was a waste management company in the US, and they were dealing with a lot of contractors. So a lot of the companies they were dealing with were individuals that owned garbage trucks or similar types of vehicles. And in a lot of cases, the company was in the name of, you know, it wasn't Mark Mandel you were working with, it was Mark Mandel Inc. that you were working with. And the debate was, well, is that actually personal information or is that business information? It's a company you're working with, but the name of the company is actually the name of the individual. I don't honestly remember where we landed on that one, but there were at least half a dozen conversations around how do we actually treat this and what do we need to do to protect it at the end of the day.

SPEAKER_03:

Yeah, well, and I think you bring up a really good point, and even when it comes to some of the corporate information, you know, there have been a handful of articles that have come out recently around, within Canada, the risk of corporate espionage, the risk of trade secrets, the risk of your own IP getting out there. Do you feel like this is something that, and I recognize this is a fairly broad paintbrush here, but do you think organizations take this seriously enough, for the most part, with the ones you're working with? I think for the most part they do.

SPEAKER_02:

I think where you see some of the disconnect is not even necessarily understanding all the data you have access to. Now, in a company that's providing a specific service to another organization, I think it's well understood. For a company that is simply providing a software tool that other companies are using, inherently they don't necessarily know or understand what is included in that tool. And they shift it off to be the responsibility of their customers, to say, well, it's up to you to decide what to put in this platform or not. But at the end of the day, I still think you bear a certain amount of responsibility for what's there, and even for understanding what kinds of things your customers might be using this for.

SPEAKER_04:

No, I would agree. I think people in general are trying to do the right thing. I don't think anybody's doing, you know, anything to misuse that data or do something wrong with it. In fact, a lot of the issues come from people trying to do the right thing too much. Right. A lot of the attacks, a lot of the phishing attacks, a lot of the, you know, it's people that are trying to be helpful, right? They get an email, they get rushed into doing something, or they are doing something with data where, well, if I do this and this, right, and connect those services, I'm gonna be able to do something better. Like, you know, there's a lot of human error. I wouldn't say there is any, you know, wrong in general, right? Really, people try to do the right thing.

SPEAKER_03:

Yeah, like I always say that people make decisions with the best information they have available. And I think this is exactly what you're saying, which is they just might not have the right information yet, and they might not fully know or understand or comprehend. So, if I'm a business owner, how would I take some of those first steps to start to understand where my risk is, where I sit from that risk profile standpoint, and where the ticking time bombs are in my environment?

SPEAKER_02:

I think the two very best places to start are, number one, what data do you have, what data are you collecting, and are you doing anything with that data, even with the intent of trying to be helpful, that may be outside of the core system that is housing that data. Alongside that, I think looking at the agreements you have with your customers, particularly if they are agreements that are on your customer's paper. So if you're dealing with larger enterprise clients, there's a lot of that that goes on. And we find a lot of smaller companies don't necessarily appreciate what they're signing up for by dealing with these large companies and are probably committing to things that they don't know they're committing to. And I think looking at the combination of those two things is a great place to start to understand what your risk profile looks like, and you know, if something bad were to happen, what could be the ramifications of that?

SPEAKER_04:

That makes sense. Yeah, I would agree. I mean, maybe to add one thing, I would look at the data, and I would look at the vendors. If you're a small business, you probably have more vendors than you can imagine, and ask yourself, where is my data? Yeah. Just in addition to what data I have, where is it? Do you know? And you know, what happens if this disappears, or there's a problem with availability of that vendor, or integrity, right? Or suddenly I can't rely on this data, right? And you can imagine the amount of vendors you'll have, and SaaS applications, and data maybe in countries you may not even know about, right? Read those contracts. I know nobody does it in real life. Everybody sees the wall of text, right? When we open a phone, I agree, agree, agree. If you have a business, read them, right? There's a lot in there, right?

SPEAKER_02:

And that's an interesting point, Jose, because I think we've seen the explosion in SOC 2 and ISO 27001 and the need and the demand for these services a lot because large enterprise companies are working with so many service providers now, for technology, for other types of services, and everybody's working with somebody down the street. So this whole ecosystem has just gotten so much larger that everybody is reliant on somebody else somewhere to do what they need to do. And understanding, you know, who those people are, what your risk is with them, what your commitments are with them, what their commitments are to you, to make sure the entire chain of custody from start to finish is covered, is critical.

SPEAKER_03:

So, at what level does that stop then? If I'm looking downstream at our own software ecosystem, and, to your point, I put data in platform A, platform A has a service provider that goes downstream over here, you know, that data goes over into this CRM, and all of a sudden you're probably five, six, seven layers down the line. Where does that stop? And I just can't even wrap my head around how I start to govern that. So where does that line end, and what can I even practically do to have some semblance of control over that? Because it just seems really overwhelming to me. Yeah. I mean, it doesn't stop.

SPEAKER_04:

That's really the answer I was looking for. No, no. I mean, it doesn't stop. Now, that doesn't mean that you have to go down and get assurance over, like, you know, that nth vendor, right? Because what you are pushing down the chain is, hey, I'm giving you my data, I want you to control this data at the same level of, you know, security, privacy, confidentiality, right? Whatever is important to me. So I'm assuming, or I want you to treat that data that way and push that requirement down to your vendors, right? So you push it down that way. It's not that you go down and you start asking for the contract of the contract of the contract, right? You stop at that first level, right? But the reality is that you're pushing your vendors to have that responsibility, right?

SPEAKER_03:

And so making sure that you're kind of creating enough downstream risk and you're saying, okay, I'm going to pay very special attention to this first layer of contracts.

SPEAKER_02:

Yeah. And understanding who those vendors and partners are, what do you share with them? Why do you share it with them? Do you have an idea, by the nature of their business, of what else they might be doing with that data? So one of the controls that we get a lot of pushback on in our audits is how to assess vendors. And especially if you're working with a cloud provider, for example, you know, one of the things we're looking for is, have you assessed AWS, as an example? Well, Keith, you're not gonna go in and do an audit of AWS. You know, they're never gonna let you in the front door, let alone to actually do anything. But they have an audit report. So our expectation is that you are at least going to get that audit report, you're gonna read it, you're gonna say, does it cover what I'm using this vendor for? And does it look like there are suitable controls over that, that have been audited by a third party? I mean, that to me is doing your diligence, in conjunction with being able to understand what you are using them for. But a lot of times we get the pushback to say, well, it's AWS, they're fine. Well, maybe. And maybe that's a bad example. But what if it's a service provider that's a bit less known in the market? Do you want to just assume what they do and how they do it? No, I think you need to demonstrate you're doing enough diligence to get comfortable that you've made the right decision and you're kind of keeping on top of the nature of that relationship.

SPEAKER_04:

I've seen, even in large organizations, ERPs that have different modules, and people get the report from the ERP, big names, right? Well, yeah, I got it. I got the big name, yeah, I'm fine. Well, yeah, but you're using this software provider for their HR module, and guess what? That's not included in your, you know, it's a completely different sub, you know, completely different technology. This doesn't even cover the service, right?

SPEAKER_02:

So we actually used to see that a lot with Microsoft Azure and Google, when, you know, the various subservices were all in separate audit reports before. So for example, somebody would be using Google Cloud and they would show us, yeah, yeah, I reviewed the Google Workspace SOC 2 report. It's like, okay, well, that's good and that's helpful, but that's not Google Cloud. So why don't you get that report and do a review of it also?

SPEAKER_03:

And so I've seen that before. And is that a common practice? Because I have seen organizations that will have, you know, whether it be their SOC 2 or their ISO, for a specific part of their organization or a specific environment. But, you know, maybe to the general public, they pass it off. It's like, hey, I have the certification over here, don't worry, trust me. But to your point, there's all of this other stuff that orbits around the outside that isn't part of that audit, isn't part of any of the checks and balances. Is that a common practice?

SPEAKER_02:

It comes and goes, I would say. So we see sometimes they start off segmented and they come together over time. Okay. Sometimes they start off together and they split over time. When we advise clients on that, and we have some clients where we do multiple audits and they have multiple reports, even though it's the same company, but the nature of the service or product is very different, and the nature of their client base is very different. So if you were using product A and didn't know or care about product B, do you want to read a report that kind of commingles all of that together? It almost might be more confusing than not. So there's definitely rationale for keeping it separate. But companies also don't know what they don't know. So when they go to Google, for example, and say, give me this, Google gives them that. Or in this case, they probably just go download it themselves, maybe not even realizing what they're getting isn't what they necessarily need. So it can add some confusion into the process.

SPEAKER_04:

Yeah, and the other thing I would say is, look at the contract, do your risk assessment. You're responsible for your own risk and your own data, right? So take a step back. The report is, you know, what you get at the end to verify, to do your due diligence, but, you know, going back to the conversation we had at the beginning, right? What does the contract say? What type of data are we pushing? Do we need to push all this data that way, right? Go back to that, right? And am I comfortable, right? And then the report is kind of like at the end, right? I'm gonna get the report, I'll validate it, right? But don't, you know, look at everything, right?

SPEAKER_03:

That makes sense. And so there are so many people as well that I think are building on these big hyperscaler cloud platforms right now. And you know, it's probably somewhat of a given that Microsoft has a fairly strong handle on compliance, though you would still want to check it. Google, AWS, you know, they're going to have their compliance suites, but there are so many people that are building on that kind of first layer of it as well, and saying, don't worry, I've built on platform X. We're secure, we're happy, you know, trust us, we're good. What should people be looking for when they're looking at that kind of first layer of SaaS platforms that are trying to piggyback off the compliance of the big hyperscalers without having done their own kind of checks and balances themselves?

SPEAKER_02:

That's a very complicated question to answer. And there seem to be more of those out there in the market, and the approach they take is becoming more different than it used to be in terms of how they're all approaching that. At the end of the day, I think you really need to try to get a handle on what is the primary cloud provider, you know, the AWS or Google or Azure of the world, what do they hold responsibility for, and what does the one layer up hold responsibility for? The best way to do that is to go to AWS's compliance portal, for example, and look at their responsibility matrix and say, okay, here's what AWS does, and here's what everybody else should be doing. And you almost need to assume that the one level up is a client of AWS. It's not AWS, it's not associated with AWS, it's somebody using AWS. Even though they're building on it in a slightly different way, they're still a client of theirs, no different than you're a client of AWS. And I think that would at least give you a bit of an idea of where to start that conversation. We do see, unfortunately, a lot still in the market of organizations that are claiming we're secure because we rely on this. And getting a handle on, well, what do they do and what do you need to do? I don't think it's complicated, but it's definitely a critical piece of the puzzle.

SPEAKER_04:

Yeah, no, I agree. I mean, this goes back to what you were saying about the end vendor, right? Like, okay, there is always somebody responsible. The other thing to think about is, you know, not only from a data, hey, where is my data point of view, but what are you doing, right? A lot of these organizations that are using cloud providers have a service that they're offering. What is it, right? If I'm outsourcing my payroll to a company, right? Like I expect that they follow, you know, whatever the taxes, the, you know, and that my employees get paid, you know, on time, correctly, right? Like AWS is just providing the hosting service, right? Like that other company is doing all the other, you know, payroll things that I expect them to do. So that's what I would like to see in that report, right? It, you know, sounds simple, but it's not even clear, right? Right. It really depends.

SPEAKER_02:

I think if you take some of the fundamental controls around who has access to my data, who can make changes to my application, and how am I doing that, how am I ensuring those changes are secure, those are generally things that are within your sphere of responsibility. Where you start getting into, you know, is my database layer encrypted, for example, I think becomes a little more difficult, because that could be something that your service provider is doing for you. But I think if you look at just some of those fundamental areas, you'd almost by default just say, look, I need a way of tackling this, irrespective of what service provider happens to be sitting underneath my service at the end of the day.

SPEAKER_03:

That makes sense. And so we had someone on the podcast; that should come out probably a couple of weeks before this one. And they really talked about the idea of data fluency and data literacy. So there's a lot of people that I think have come up to this level where they're starting to talk a little bit of the language of data. They understand the importance. But there's this next level, which is data fluency, which is, you know, if I learn French and I, you know, have my Duolingo and I, you know, learn my words and I can kind of figure out what to do, and then all of a sudden I, you know, go to France and realize that I'm not conversational. Those are two very different spectrums of, you know, knowing French in a textbook and then being able to order dinner at a restaurant in Paris. The same I think is coming through with data, where there's a little bit of knowledge of what's going on, but it sounds like the language of data, in terms of what you're both describing, still has a long way to go in terms of how businesses are looking at it. Is that a fair statement?

unknown:

Could be.

SPEAKER_04:

I mean, I think it's getting better. I think, you know, going back to people trying to do the right thing, a lot of it is awareness. You know, like, well, I remember when I started my career and we were auditing, you know, some clients, and just the concept of passwords was like, they push back, people push back, right? I remember the MFA, remember the pushback on MFA originally. Still, still, but, you know, yeah, but originally, right? Like people are used to the PINs, right? The banking, like people are more used to those things, but the pushback was horrible, right? Like it was, or the concept of the cloud, and it's like, absolutely not. I'm never putting my data on the cloud, right? I think it takes a little bit of time. There is an awareness. But I don't know. I don't think there is, you know, data illiteracy or, you know, I don't know how to do that, how you called it, right? I don't think people are completely, you know, unaware of the risk. I think in their head they know it, they feel it, right? It's just sometimes they don't know how to approach different things. But I don't know if it's as bad as you portray it.

SPEAKER_02:

Yeah, I do find, though, in my experience there are still a lot of assumptions that are made. So again, I don't think it's with intent or with maliciousness, but I think there are a lot of assumptions about my data is protected a certain way. Or, you know, if I give access to it to somebody, they're only gonna use it for what they say they're gonna use it for. Well, but how do you know? And how critical is it if somebody uses something in a way they didn't tell you about beforehand or that you didn't agree to? What is it gonna mean at the end of the day? That's I think the level of literacy where we're at now. It's getting that bigger picture of what does it mean at the end of the day. And if something bad happens, A, what is bad? Right? How do I even put some parameters around good versus bad? And then what are the implications if bad were to materialize? I think the prevalence of AI now is opening people's eyes to that in some cases a little bit more, because they realize data is the underpinning foundation to all of this. You can't do AI without data, and you can't do AI well without good data. But good data also means you have a reasonable amount of control over what it is, where it's coming from, where it's going.

SPEAKER_04:

Yeah, this weekend I had an interaction with a former colleague of mine, and we used to work together in a different company, but we had a different role, so he doesn't have the training and background that we have. But, you know, he was in the same space, right? So he was saying he just went golfing to Drumheller this summer with a friend, and there was a guy, because apparently Drumheller goes up and down, so you can wreck the cart very easily. So apparently they make you write the credit card on a piece of paper, you know, before you grab that golf cart, right? And, yeah, the guy was like, well, where is this? What are you doing with this? Like, that's not very secure. Where is my data, right? Like, what are you, like, hey, I don't know, with the story at the end of the day? Okay, how do I know? And funny, like he was saying, I would have never asked those questions before we worked together, because it wouldn't have crossed my mind, right? You made an assumption that, I mean, if they're taking your credit card, they're gonna, you know, but imagine, right? Like the moment you start thinking about it, it's like, okay, is it gonna be in somebody's drawer, right, with all the other credit cards, right? Like what's happening here, right?

SPEAKER_02:

There's a lot, just in general, I mean, it's a good example, but in our day-to-day lives, even we see a lot of, somebody says, I need this for a reason. Okay, and you believe the reason. And the reason may be valid; whether it makes sense or not is a different thing. Whether it's necessary or not is a different thing. But there is a lot of people sharing things just because somebody says share it. Yeah. And it's not always something that you're doing intentionally, it's something you're almost just doing because it's there. And that's I think where you can lose control over that pretty quickly, because then that's probably something you're not even thinking about after the fact. And you may not even realize I shared this with somebody, because it was one-off. They said they needed it, they said we don't do anything with it, but yeah. How do we know in your case the, you know, the golf place doesn't have a drawer with thousands of credit cards and expiry dates and CVVs on it? Right, right.

SPEAKER_03:

Imagine, right? Right. But I think to your point earlier, the intent is there, right? You know, the person at the front desk probably says, hey, you know what, I want to make sure we're controlled, but I also want to make sure that I don't have to bug you if something happens, and I want to create a good customer experience so we don't have to keep having to come back. And what comes from a place of how do I create the experience I want for our customer might expose them and your friend to more unnecessary risk.

SPEAKER_02:

Right. And that's a big dichotomy when it comes to security. Yes, there's malicious actors out there, there's people who want to cause you harm, there's people who want to profit off of it. That's always been there, that's always gonna be there. You know, I just watched Catch Me If You Can. The movie was on TV on the weekend again, which is a great movie, and, you know, check fraud, and it's like, yeah, check fraud probably doesn't exist now, but there's bank fraud all over the place, right? You know, people are always gonna find a way. I think you need to treat that aspect in a certain way. But the other aspect is, like we talked about earlier, people try to be helpful. But sometimes people trying to be helpful means you loosen the rules just a little bit to go out of your way to do something, you know, helpful to somebody without necessarily realizing what is that now exposing on the other side, either for you as a company or for the individual you're trying to help, and what risk are you exposing them to that they're not even aware of?

SPEAKER_03:

So I think this is a really good segue then to the role of compliance. And so at a very high level, why would an organization go and get their, whether it be their SOC, whether it be their ISO, like what's the purpose of them doing that?

SPEAKER_02:

So the main, the big one we see, which I don't know if we always agree with, but the big one we see is, I want to do business with somebody and they have told me I need this. Okay. Okay. So that's a great starting point if needed. I think at the end of the day, the real good answer is, I want to understand what I need to do better. I want to understand how well I'm doing today, and I would like somebody, a third party, to come in with some standard to be evaluating me against, to say, how well do I understand what my obligations are? How well am I actually executing against those obligations? And then do I have a way of demonstrating that to people to promote myself as being, hey, I take this seriously and I'm gonna do the right thing for you all the time?

SPEAKER_03:

So that makes sense. And so how do I choose then? So if I'm doing it, like if I'm not part of the one where I'm responding to a bid and see, okay, well, I need my SOC 2 over here, but I'm really coming from that altruistic wanting to understand how to operate better in the world, how do I choose between the different compliance standards?

SPEAKER_04:

Well, I mean, I would look for the one which is the most likely that my clients are gonna ask me for, because you want to make it somehow useful if you're gonna go through this, right? Because again, right, like security, you know, and compliance, in a way, they're different, right? Compliance is how you demonstrate it to the world, right? But, yeah, which one is more useful for me, and depending on what I'm doing, right? Like which one am I gonna be able to use, right? I would go with that one. Generally speaking, and it's changing a little bit, but if we're talking about the big two that we've been mentioning in this podcast, there's more, right? But we've been talking about SOC 2 and ISO. SOC 2 seems to be the standard in North America. That's what people know, people are used to, that's what they ask. ISO 27001 is the certificate that's being asked for in the rest of the world. Okay. They are different. I'm not gonna get into the details here, because then, you know, we'll run out of time.

SPEAKER_03:

Oh, all of a sudden this becomes a two-hour episode. Exactly. Yeah.

SPEAKER_02:

You know, there are also differences in each of the standards, both in terms of what their areas of focus are and the nature of reporting. So, ISO, for example, you get a nice certificate that you can show to people, and there's very little detail other than your statement of applicability underneath that. In SOC 2, it's a very large detailed report, but there's no certificate. So sometimes people get confused about what the differences and similarities are, but depending on what level of detail you think your clients are going to be asking you for, that may also help play a role in terms of what's the best answer for you. We're seeing more organizations now adopting multiple standards. So if we look at SOC 2 and ISO, for example, because people want to be operating globally, they've got customers in different countries, especially in some of the more regulated industries, one or the other is no longer good enough. Both is now what people are asking for. So that lets you cover both the product level at a bit of a deeper view, but also the organization as a whole. So it gives you the breadth and the depth, you know, the best of both worlds of compliance, shall we say.

SPEAKER_03:

And do those map neatly to each other? Like if I've gone through the process of certifying our organization on SOC 2, and then I decide to undertake ISO, is it an equal lift, or can I piggyback off some of the work that I did the first time around?

SPEAKER_04:

Yeah, you can piggyback. They do overlap quite a lot. They're a little bit different conceptually, right? Like Mark was talking about, the ISO is looking at your processes, the ISMS, right? Your information security management system overall, right? Like so the processes to maintain it and manage it, right. SOC 2 is more, you know, the controls, right, that are in place to sustain it. But there is overlap. I would say, you know, I mean, you know, eighty percent similar, right? Like they're very similar. At the end of the day, they're covering some of the same things and aspects and concepts. Yeah.

SPEAKER_03:

And if I'm an organization that's looking to undertake getting the certification, what do I need to look for in a partner to guide me through that? Because I know both of you have, you know, Big Four experience. I know that you have a very distinct value proposition right now as well, but, you know, there's probably everything in between too. Like what do I look for if I'm starting to find that partner to guide me through it? Because I imagine it's a fairly intimate process to work through that.

SPEAKER_02:

It can be. I think the first place to start would be an auditor that's reputable, that's willing to offer, you know, you'd have discussions with clients, you know, as reference checks and such. But I think even more importantly than that, an auditor that can demonstrate they're willing to spend the time to understand your business, how you do things, why you do things a certain way, and have a certain flexibility within the realm of, like, what is required, but how do we apply that to your particular situation? We see a lot in the market right now where there's a lot of, you know, factory-based audits, shall I say, where, you know, there's limited to no discussion with clients, there's no understanding of how they work, what data they hold. And you read some of these reports, and you would have no idea what a company actually does based on reading their SOC 2 report. So I know that's not always an easy thing to gauge in an early discussion, but it's an important factor if you want a partner that's gonna be there with you longer term, that's gonna help you define what is necessary and help, you know, give you guidance along the way when you have questions about how does this apply? Does this apply? I'm thinking of making this change to, you know, the way we do system development, for example. What does it mean from a compliance perspective? Somebody that can help you answer those questions is critical for long-term success.

SPEAKER_03:

So you brought up a really interesting point around the, I think you called it the cookie-cutter factory audit. Factory, yeah. So does that cheapen some of these audits? And I say that very respectfully, but if I remove the barrier, if everyone can get their SOC 2, then it no longer becomes that marketing differentiator, but it also, I don't think, is the intent of what the certification is looking to do. So how does that create downstream problems for some of these certifications?

SPEAKER_02:

It's a bit of a self-fulfilling prophecy, if I could use that cliché. In some ways it's been tremendous, because I think it's opened up awareness and the opportunity for a lot of organizations to do something that they weren't able to access before. So that's the positive side of it. I think the negative side of it is it does run the risk of diminishing the value, because it's harder to differentiate what is a good company from a not-as-good company, a serious company from not as serious, a good auditor from not as good an auditor. I think it really comes down to the ability for the organizations that are asking for these compliance reports, evaluating the compliance reports, to take a leadership role in assessing, like, who and what do we want to see things from? Beyond just the checkbox exercise that says, yeah, they gave me a SOC 2 report, I'm happy. Like, what are you actually looking for? And are you getting the answers to the questions that you had? If you go to LinkedIn now, it's a very hot topic on there around auditor quality, around bundling of services, around all kinds of things, and a lot of that is pointing to, well, the regulators need to do a better job of regulating. To a degree, that's probably true. But I'm a firm believer that as soon as you do that, now you're putting it in other people's hands to decide what is and isn't appropriate. I think the industry as a whole needs to really take a hard look at itself, and this includes the organizations asking for these audit reports, and say, what do we really want out of this? And what is the best way we think of getting the information we're looking for? And I think that will help naturally start to create some more differentiation amongst all the players that are in the space. That makes sense.

SPEAKER_04:

Do you have anything you want to add to that? No, no, I would agree. I think, you know, hopefully the market's gonna fix itself, right? Users of the report, that's, you know, what we call them, they are using them, they are reading them, hopefully. Yeah, put a lot of work into them, right? And they are the ones that need to, you know, push back if they have to, but it's hard, right? Because, like we said before, right? Like we're so used to that accept, accept everything, right? Look at everything. The moment you get a SOC 2, okay, yeah, they are done, right? So, you know, read it, make sure it meets what you need. And if it doesn't, ask and push back; there is an alternative, right? Until that happens, I think we're just gonna keep saying some of this, right?

SPEAKER_02:

I mention to clients when we get this question sometimes, I said, look, at the end of the day, there's two sections at the beginning of a SOC 2 report. One is the management assertion and one is the auditor's report. The auditor's report we sign, and that says here's what we did, and here's our opinion at the end of the day. And the management assertion is you, as whoever the responsible party in the company is, signing off to say, this report represents my company and the controls we have. So this is a document that you're going to be giving to people. So do you want something that has my name on it, your name on it, that's making certain statements? Do you want that to not really be true? And that does give some people pause for thought a little bit, to say, yeah, okay, we maybe really should take this seriously. And I think that's at least a starting point to make them aware of, yeah, what are you actually saying by having this report issued?

SPEAKER_03:

That makes a lot of sense. And I think that from what you're both saying, there is an opportunity for the market to kind of drive some of these changes as well. So if I'm looking on the other side of it, and so I'm an organization that requires some of these compliances, and I'm getting, you know, the buffet of different reports from, you know, kind of the fast food version to something that's a lot more in-depth. Are there specific things that I should be looking for? Like is all SOC created equal, or what should I be looking for to kind of separate out the good from the bad there?

SPEAKER_04:

I think, I mean, I don't think there is anything specific that I can tell you and say, hey, you know, if you look at this page here, you'll see that this is a bad one, right?

SPEAKER_03:

All about page seven, yeah.

SPEAKER_04:

Exactly, right? Like look at these pages and you'll find it. I mean, I would say, you know, apply a little bit of logic. Like we talked before, what service am I buying, you know, from this vendor and these people. We received a report. And if you read it and see if, you know, one plus one equals two, right? I mean, I just recently, like recently this week, and I'm talking to them on Friday again, got a prospect that wants to change auditors, and they have a report that they shared with me with the controls. And this is an MSP, a services company. They have controls in there that talk about, you know, software development, they have controls that talk about having a data center, you know, environmental controls. They don't have any of that. But they are in the report, right? So I mean, I caught it very quickly. I mean, that's what I do, it's my job. But, I mean, you would imagine somebody reading these reports over and over should be able to make those connections, right? Because it's not in your face, it's hard. Right. But you can catch it, you can see it, right?

SPEAKER_02:

Yeah, what you also need to look at, at least in the SOC, it's a little bit harder in ISO, but in the SOC 2 lens, you can look at section four, which is the details of controls against the requirements and the actual procedures that were executed. And take a look and see, is there actually work being performed, or is it all, we asked the client about something, or we read a policy? Well, yeah, policies are important, but policies are one piece of the puzzle at the end of the day. And doing an audit that is predominantly, we read the policies and we were okay with those, isn't really telling you an awful lot. So can you demonstrate there's actual work being done? The other thing I think from a company evaluating these, and we hear this from our clients a lot, the expectation is, well, if I give a SOC 2 report, that's going to either eliminate or at least shorten the questionnaires that I get. In some cases that's absolutely true. In other cases, the company says, well, thank you very much, but here's my 175-page questionnaire anyway. So I think being able to look at it and say, if I get a SOC 2 that has this in it, that covers these questions, and having almost a bit of a variable third-party assessment platform where you can say, okay, here's what I still really need to understand because it's not covered, and go back to the service provider and say, I need to get more information on this. But to just ask them to repeat everything they've already done an audit to provide you almost makes them question, well, why am I doing this in the first place if it's not really buying me anything at the end of the day?

SPEAKER_04:

If you're gonna do it, do it well, right? I mean, if you're gonna spend the time doing it, right? Like, why do it halfway and then you're gonna get additional questions, and you're gonna get, you know, half truths in there, right? Like just do it well, right? Like you're gonna go through this compliance approach, you know, you're gonna have to do, you know, whatever is required. Yeah, you were not formalizing before potentially, or writing these policies, just write them well, right? Do them right, and then you'll have a good story to tell your clients. You're gonna feel good about, you know, the services and your level of security, right?

SPEAKER_02:

And I don't want to sound cliché with this, but it really is a partnership. Like, you know, you have the, you know, between the companies providing the services that are willing to be audited, the organizations that are performing those audits, and the organizations that are the recipients of those reports that are evaluating the companies and the audits. And, yeah, while they can't all be in cahoots with each other, they all need to be working to a similar objective to really make this as powerful as it can be.

SPEAKER_03:

I love it. And I feel like there's probably 300 more questions that I have for both of you. If you were to wrap up with one final thought around the importance of this, where the world is going around compliance, is there anything else you wanted to share with our listeners?

SPEAKER_02:

I think as much as you can, look at it from the lens of you are trying to engage in a trusted relationship with people. And how can you get them comfortable with what you do and how you do it, and use that as an enabler to do business together? I love it.

SPEAKER_03:

It's a high bar there.

SPEAKER_04:

Yeah, dude. I don't know. I don't know what else I could, on the other hand. What he said. I prepared in advance.

SPEAKER_03:

There we go. Perfect. I only gave him the questions in advance. No, it's been an absolute pleasure to both of you. Thank you so much for coming on the show. If someone wanted to pick your brain further, if someone wanted to kind of start the front end of those conversations, if they wanted to get to know you both a little bit better, what's the best way for them to get in touch with you?

SPEAKER_04:

Yeah, I mean they can check our website or send us an email at mhm@mhmcpa.ca. Oh, perfect. That'd be the best way to reach out to us.

SPEAKER_03:

I love it. Thank you so much. This has been a blast. Thank you for having us.

SPEAKER_04:

Yeah, thank you.

SPEAKER_03:

Perfect. If you've made it this far, like and subscribe on YouTube or follow and leave a review on your favorite podcasting platform so you don't miss any future episodes.