"How should I be thinking about cybersecurity?" Part 5

This is a podcast episode titled "How should I be thinking about cybersecurity?" Part 5. The summary for this episode is:

Speaker 1: You had mentioned earlier about security requirements being mandated by customers, potential customers. You mentioned it here again. The question is, what changes do you foresee in security requirements in 2022, perhaps maybe from the government or at the federal level?

Speaker 2: It's a really good question. And it's like... How do I want to say this? People seem to object to the government. And I don't just mean the US government, any government, any worldwide organization. The World Economic Forum is trying to pass cybersecurity standards. People seem to object to that. They object to regulations. And yet, at the same time, they're not necessarily stepping up on their own to do it. And there aren't necessarily industry standards. One of the most interesting examples of this that we could throw out is the payment card industry took it upon themselves to come up with security standards because they didn't want the government, any government, coming in and telling them how to secure their business. And so the payment card industry came up with the PCI standard. Many people don't know that's not a government-mandated standard; it's an industry-developed standard. So to your point, what do I see happening in 2022? On the more government side, places like the United States Department of Defense are getting real strict about what are called CMMC security standards. So even, as I mentioned before, if you're a tier three or a tier four manufacturer or provider for the Department of Defense, you will have to be CMMC certified to some level or another here very shortly. What's also going to happen is, I think in our space, in the software as a service or the SaaS industry, you're going to see more and more expectations of what's called SOC 2 or ISO 27001 certification. There's only two motivations for investing in a security program. I shouldn't say only two, but there's two primary ones. One is you have a business motivation. And the other is you have a regulatory obligation. So either there's a key contract that you want to get, a big breakthrough customer, and they're saying you need to meet this standard. Or it's a government regulation saying, because of the business you're in, you must meet this standard.
I do see increasing regulations, increasing requirements, increasing mandatory standards. But at the end of the day, I do think it's still going to be up to the individual business owner, whether they choose to invest or not.