While security and compliance aren’t new topics for government agencies and departments, understanding how to implement better processes and integrate AI into those practices is a top concern. In the latest Government Roundtable Series Webinar, Alan Pyrz, CORE’s SVP of Development & Engineering; Justin Leapline, Founder at Episki; and Shash Cates, VP of Marketing at CORE, discuss frameworks for security and compliance, best practices for adopting AI, and limiting PCI scope for your organization.
To listen to the full discussion, click here.
Check out six of the top takeaways from the discussion:
Tip 1: Where possible, look for ways to blend security and compliance.
For some agencies and departments, the simplest answer can be managing each framework separately. “If there are disparate systems and there’s not much duplicate work, then that can be a good answer for some businesses,” said Justin. “But if your need is more complex, it’s time to start looking at a generic framework to help you align and get one measuring stick in place.”
Justin suggested a few options: the NIST Cybersecurity Framework, ISO 27001, and SOC 2. When you find a general framework that works for your organization, you can align external interests—PCI, HIPAA, etc.—with internal controls. “And you can blend and mix and match, but still have one place to measure success,” said Justin.
Alan shared, “It’s easy to look at a lot of these activities as something you need to just check the box for, but it’s important to look at how you can make this part of your daily life. And that involves training, awareness, code reviews, testing, etc.” Alan warned listeners that without a holistic look at security and compliance, too many areas can be missed when they aren’t connected.
The bottom line: with a single framework, you can marry both internal and external interests for safer, more compliant work.
Tip 2: Integrate security into every possible process.
“As you mature as an organization, the best way to integrate security into your organization is to integrate it next to the processes themselves,” said Justin. He shared an example for organizations that write code. When you implement automatic checks before you commit code, you give developers an opportunity to fix problems in real-time. “When it’s integrated, it’s best for the organization,” said Justin.
When security isn’t built into every process—like a coding process—security becomes a lower priority. “For the coding example,” said Justin, “you might lag down and won’t get patches on your dependencies.”
The bottom line: look for ways to implement security checks into all of your processes.
Tip 3: Focus on what you’re good at and outsource what you need help with.
Many organizations try to take on as much of their security and compliance tasks as possible, but Justin and Alan advised webinar attendees to focus on what you’re good at and outsource what you need help with.
“If you don’t have the expertise to stand up a data center and manage servers, then you should be going into the cloud,” said Justin. “You might spend a little more money, but if you don’t have that big uplift of bringing in bare-metal servers, setting it up, patching, etc., you can have a strategy where you’re not doing it as much and you rely on other teams to do it for you.”
The bottom line: it can save your team time and make your security and compliance processes safer if you outsource the right tasks to experts.
Tip 4: Look for free security and compliance resources.
Justin shared several free resources for companies that need more support on their journey to more secure and compliant processes. “There are so many free resources for you to use,” said Justin. “One agency I found will fly you out, pay for your hotel, and get you trained on a variety of security areas. You submit an application and if you are accepted, they train you.” He suggested listeners look into CISA, ISACs, and other peer groups to help with information sharing.
The bottom line: you don’t have to hire a big agency to get trained on foundational security and compliance concepts—look for free resources and start there.
Tip 5: Think through how you’re using AI.
“From a security perspective, you are using AI whether you know it or not,” said Justin. He shared examples like Notion and Microsoft 365—both applications use AI, and the end user doesn’t necessarily know that AI is built into the product. “AI is built into a lot of the products we use to help us be more efficient,” said Justin.
But when it comes to security, Justin and Alan agree—it really depends on how you’re using AI. “With marketing, you might generate an image you would use on LinkedIn or ask for bullet points on a specific topic that’s already public,” said Justin. For this kind of use, you don’t need to worry.
“But if you’re exposing your datasheets or any type of sensitive, intellectual property, there are ways to cordon that off,” said Justin.
The bottom line: as you integrate AI into your work, consider how you’re using it to ensure security and compliance.
Tip 6: Include AI in your acceptable use policy.
Many businesses believe they need to create a separate policy to manage their AI interactions and processes. But Justin advises against this. “I would not create a separate AI policy,” said Justin. “It’s not a new concept.”
Instead, Justin recommends baking how you share data into your acceptable use policy. “Separate policies are just more work to maintain,” said Justin.
The bottom line: consider how AI will use the data you have available and get clear on how AI can use that data in your acceptable use policy.
Catch the entire episode and all of the tips and best practices from Alan and Justin here.