Protect Sensitive Data: Understanding Privacy and Security Certifications with Marie Joseph, Senior Security Solutions Engineer at Trava

Speaker 1: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. In this episode of The Tea on Cybersecurity, we're talking about privacy and security certifications, AKA, the badges of honor. But if you're anything like me, you probably think that these certifications are all the same. But I'm here to tell you that during my research I learned that they are not, and in this episode, we are going to talk about the differences between the two. We'll break down the differences between these certifications and why they matter in today's digital landscape. But as we know, I am not an expert, but I have one of my favorite experts with me today. Hey Marie.

Speaker 2: Hi Jara.

Speaker 1: How's it going?

Speaker 2: Pretty good. How have you been?

Speaker 1: Pretty good. All right. So for our new listeners, can you just give a brief introduction of yourself?

Speaker 2: Yeah, of course. I'm Marie Joseph. I'm a security solutions engineer here at Trava. I help a lot with different compliance engagements that our customers need.

Speaker 1: Fantastic. So before we dive into the difference between privacy and security certifications, let's discuss the difference between privacy and security in general.

Speaker 2: Security is all about the protection of your data, while privacy is determining how your data is being used.

Speaker 1: Privacy is about how data is being used. I honestly did not know that. Okay, so what is a privacy certificate?

Speaker 2: When it comes to privacy, that's not really a certificate that's necessarily that you're getting. It's more of an assessment, letter of attestation. In some cases it might be a certificate, but it's not usually what I see. So a lot of the ones you probably see are GDPR, which is the EU's version of privacy, and the bigger one in the US is California's, which is the CPA and CPRA is the newer one that just came out about a month ago, where it's updating the privacy laws. And another big one you also probably see is HIPAA.

Speaker 1: Awesome, awesome. Okay, so what is a security certificate?

Speaker 2: It's same as security that I mentioned before, how it's about protecting your data. So you get audited on that. That one is an actual certificate that you have to go through a third party official auditor to get that. Typically you'll hear ones in the SaaS world like SOC2 type one and type two, ISO 27,001, NIST, FedRAMP, CMMC. Just different ones, and those are decided by different governing bodies.

Speaker 1: Okay, cool. So I definitely understand the difference between privacy and security now, and I also understand that privacy isn't necessarily a certificate, but I also understand that people confuse these a lot. So what are the main differences between the privacy and then security certifications?

Speaker 2: So I always see when it comes to the security ones and privacy, privacy is part of security. If you're looking at it as a giant pie, privacy fits into that to make up all of security. It's just one of the different mechanisms that you can use security as a whole.

Speaker 1: Why do you think people confuse them or even interchange privacy and security?

Speaker 2: I think it's because they're just paired together so often. You don't really hear them split up in a way just because they go hand- in- hand together, and it just what makes up the cybersecurity aspect. You hear both in software, in tech talk all the time. So it's just really hard to differentiate the two because technically, you'll need both at some point.

Speaker 1: Okay, I got it, I got it. So I know you were talking about privacy things like GDPR, CCPA, and then CPRA. Are there any other general things in that category that most people would possibly hear?

Speaker 2: When it comes to privacy, typically, you might hear, because right now a lot of states are making their own state regulations when it comes to privacy. So Indiana just came out with their own about a month ago too. It's based off of California's. Most states' are based off California's. There's one for New York, there's one for Colorado, Virginia, and you just keep seeing more and more getting passed through their state legislation, but typically you don't hear too many other ones.

Speaker 1: Okay. So which one do you typically help customers with or that you have the most experience with?

Speaker 2: Equal for GDPR and CCPA.

Speaker 1: And CCPA is specifically for California?

Speaker 2: Yep, for California residents.

Speaker 1: California residents. Fantastic. So what are the most common security certifications available?

Speaker 2: The most common ones are SOC2 and ISO 27, 001. You see most SaaS companies go for those. Then there's other ones if you're going for more of a government certification. That's when you typically hear FedRAMP, CMMC, or NIST.

Speaker 1: FedRAMP, CMMC, and NIST?

Speaker 2: Yep.

Speaker 1: Got it. Are these all acronyms?

Speaker 2: Yes, they're all acronyms. Don't ask me what all of them mean because they just get jumbled up in my head.

Speaker 1: I won't ask you.

Speaker 2: Thanks.

Speaker 1: You're welcome. So you briefly touched on this, but how does all of this relate to cybersecurity?

Speaker 2: Basically all of these frameworks are putting cybersecurity best practices in a list. So it's the organizations that create them. It's a different governing body that creates each of these, and a different person that publishes these lists. So it's their own list of best practices that they think is the best standard that a company should go by. Every list is a little different. It's kind of like writing a paper in school. Everyone has to do it a little differently to not have plagiarism in a way. Some are more in depth, some are simpler in terms, but I mean, no certification is necessarily simple to get because it is a lot of work for any of them. But some of them can be pretty lengthy. So going back to that aspect of a pie, the privacy piece really fits in to security as a whole. So it's just what your company needs and that's how it relates to cybersecurity.

Speaker 1: Awesome. So that leads me to my next question. If I were a business owner, a startup founder, why would I need one of these certificates, and then what are the benefits of that?

Speaker 2: The biggest benefit and main reason you want it is for business prospects. You'll start getting bigger contracts and keeping larger clients as you get certifications, because your clients are taking on your own risks. When it comes to any third party vendor, you take on anything that you acquire and use, you take on that weakest link. So a lot of companies won't do business with you if you're not taking security and privacy seriously. Specifically security, a lot of people don't want to take on that risk of, because it's all about the customer data, so they don't want to risk losing it, or if you're going to be the weak link where you're both suspect to a breach, it's something they don't want to see.

Speaker 1: Definitely. So if I want to sell more, it's probably best that I have one of these certificates to prove that we are keeping everything safe and secure.

Speaker 2: Oh yeah.

Speaker 1: Awesome. All right, so you briefly talked about how these is a lengthy process. So what does the process look like? You can pick your favorite certificate and let's just go through that process.

Speaker 2: Okay. Yeah, it's honestly pretty general for any of them. So I'll just give you the high level perfect of what it looks like when I go through any of them. There's a time where you need to internally decide which one you want to focus on to begin with. So most people just focus on one at a time. Maybe two, but it's usually just good to start with one and then work your way to the next. Then once that's decided, you typically move to a readiness phase, and this can take about 3 to 18 months, and this is where you'll work on your policies, processes, and procedures, and implementing any technical controls that you need to do. And yeah, like I said, that'll take 3 to 18 months typically. Then there's the audit itself. So if it is one of those security ones where you'll need an official auditor to certify you, there's about three weeks of field work that an auditor will go through where they check all your policies and that you're doing your processes and procedures, and from after that field work, it'll take them a few weeks to draft that report and then give you that legal certificate badge that people like to put on their websites. That's the badge of success that you're mentioning. Then after that, you'll need to renew those certificates. There's times that'll be about a year that you will meet with the auditor again, just to make sure you're doing everything you're saying you're doing, and it's just a check- in point where you renew that.

Speaker 1: Awesome. Yeah, we definitely want our badge of honor on our website. What are typical issues or roadblocks that people see when they go through these processes of obtaining these certifications?

Speaker 2: I would say typical roadblocks is your own bandwidth within your company. Bandwidth is usually the biggest one I see. A lot of people think it's going to be super easy and a breeze to get through it, and it can just be one of the hats someone wears within their company, but it's really a full- time or part- time gig. It really becomes your job to make sure that you're setting the best standards for your company and then following them and continue to follow them. People don't realize that that takes a lot of time itself. And then the funding of it, audits are not cheap. They're pretty expensive, literally like five figures. So people don't realize they think it's just going to be something easy. You can sign up for online and it'd be a breeze, but those auditors really make sure that you're doing everything. So it's a lengthy and expensive process with which most people don't really think about.

Speaker 1: Yeah, I had no idea that they were that expensive. So of course you want to make sure that everything is in order and that you don't add on any extra costs. You were talking about how if I'm the SaaS founder and I want to work... someone wants to work with me, they take on my risks and everything as a third party. So I want to flip that and I want to work with a company. How do I verify that they have a privacy and or security certificate aside from the badge of honor on their website? How do I verify that?

Speaker 2: So there's different ways you can go. It's published in different places online. Usually a quick Google search, you can find it and you can go through auditor websites themselves and you can look them up by their company name and it'll prove that they have that. Or you can also just ask the company to send you their report themselves and they'll send a summary, the summary of the audit, or a letter of attestation if it's not something that's published online.

Speaker 1: Okay, cool. I believe you've already answered this question previously while you're answering another question, but I'm just going to ask again so it's nice and clear. How do privacy and security certifications relate to compliance with regulatory frameworks like GDPR, HIPAA, or CCPA?

Speaker 2: They all have some security best practices within their frameworks. Those specific ones mainly focus on privacy. So it's about protecting your data and determining how your data is being used so it falls into that bigger security piece. HIPAA is a good mix of both security and privacy and focusing on those different controls, and HIPAA is also a lot more serious when it comes to how it's regulated. You'll hear that one a lot more often since it's the private health data. So that's its own different realm, honestly. And then I would say GDPR and CCPA, those are both very privacy- focused obviously, and they deal with how your data is being viewed and used, and goes deeper into if you're a processor of that data or a sub- processor of that data, it will also change how you are regulated.

Speaker 1: Cool. So important. And yeah, HIPAA is definitely that framework I feel like most people have knowledge of. Just in your general lives, everyone has heard of HIPAA at some point.

Speaker 2: Oh yeah. I feel like you go to the doctor's office and hear HIPAA probably every time.

Speaker 1: Yeah, and there's HIPAA signs and stuff everywhere.

Speaker 2: Oh yeah.

Speaker 1: All right. So what advice would you give someone working to obtain privacy and security certificates?

Speaker 2: The best advice I could give is to be patient with the process of becoming compliant. It's not something that just magically going to happen overnight, and you could get literally the next day, no matter how skilled you are in the area. So I would say take the simple steps of getting there, take each step going up the stairs, because you're putting in policies, processes, and procedures that your company is going to go by probably for a long time, and probably only tweak a little bit per year. So they're very important and you want to make sure it's something your company can actually do, because it's going to be your everyday life.

Speaker 1: Yeah, for sure. Wow. All right, Marie. Well as always, I definitely appreciate your knowledge, but before I let you go, do you have any other advice that you would like to give someone advice about cybersecurity in general?

Speaker 2: I'll emphasize the being patient with the process in general of putting any cybersecurity or privacy into place, it is not easy, and like I mentioned before, this is something that's going to be really important to your company internally. You know your employees the best. Are they going to be capable of doing this every day? Because you're going to be audited on it. Someone's going to be coming in and checking that you're going to be actually doing these things. And yeah, patience is key.

Speaker 1: Patience is key. Okay, listener, I hope you learned as much as I did. That wraps up the episode on privacy and security certificates. Now that we've spilled the tea, it's time to go over the receipts, and the tea was definitely hot when it comes to these badges of honor. So the first receipt that I have is what is the difference between security and privacy? So security is all about the protection of data, and privacy is about how the data is being used. The next thing I took away is that privacy really isn't about receiving a certificate, but you can receive a letter of attestation that just proves that you meet these privacy needs. Another receipt that I have is that bandwidth and funding are common roadblocks in this process. If you are a SaaS founder and you're wanting to get these privacy and security certificates, you may want to make sure that your funding is in order and that you actually have the bandwidth to go through the process. It doesn't mean necessarily hiring an extra team member at this time, but it could be partnering with a cybersecurity expert company or something along those lines. The final thing that I took away is getting this certificates is a lengthy process. So you also need to be aware, and don't think it'll happen overnight. It may take a couple of months to a year to even be able to say that you are certified and that you received everything you need to say that you are complying with privacy and security measures. I hope you learned as much as I did in this episode. That wraps another episode of The Tea on Cybersecurity. And that's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcast.