“The whole is greater than the sum of its parts.”
This axiom provides a familiar sentiment and rings true here at Armor. As we often preach, cybersecurity is everyone’s responsibility, and our teams work hard every day to take on that responsibility. From the researchers in our Threat Resistance Unit (TRU) team, to engineers, developers, compliance professionals, and anyone in between, we are committed to ensuring cybersecurity for both ourselves and our clients.
Today, we continue our A Day in the Life at Armor series by talking to Nancy Free, Chief Compliance and Data Privacy Officer. Nancy is a diverse leader, overseeing a number of teams and services. Specifically, Nancy focuses on information assurance, helping her clients navigate the complexities of numerous regulations and audits while doing what’s right for their business and data owners.
What does your role at Armor entail?
I’m responsible for our Governance, Risk, and Compliance teams, Vulnerability/Threat Management, Internal Audit, and Data Privacy.
What does your day-to-day look like in terms of what you do for Armor?
Every day is a blend of the familiar with a shot of something brand new. I regularly meet with resources across our engineering and security teams to provide guidance on privacy and compliance requirements and the impacts that various regulations and industry frameworks have on our products. These touchpoints help us keep up with changes in our technology stacks and business processes, which are critical to the success of our GRC programs. Time is spent understanding new requirements or regulations on the data privacy and compliance fronts, and reading up on breaches that are occurring, to stay abreast of cybersecurity issues and impacts to businesses. My team and I address customer questions and provide assurance support for their due diligence needs. We work with third-party audit firms to perform assessments for PCI, HITRUST, AICPA SOC2, ISO-27001, and Privacy Shield, and in conjunction with those efforts, we implement internal controls to assure we are doing all the right things to stay compliant. I also oversee the Internal Audit, Vulnerability/Threat Management, and Quality Assurance programs, each of which provides unique insights into the risks we face as an organization. Beyond that, I write blogs and give webinars on a variety of topics, and speak about compliance and privacy at events across the country.
What one word would you use to describe your job? Why?
I wear a lot of hats in my position, and each one requires that I provide, instill, and/or exude assurance for our customers, internal teams, and leadership.
As it relates to data privacy, I implement controls and business processes that protect the data of individuals, providing customers with assurance that their data is safe with Armor.
In terms of risk management, I help our leadership understand the risks facing our business, giving them a complete picture so they can make decisions for clients and our own organization with confidence.
Regarding compliance, I provide assurance to our customers and shareholders that we operate in a compliant manner for all relevant regulations and standards.
What pain points do a lot of your customers have?
My customers have two specific pain points that they’re addressing: audits and third-party due diligence.
How do you address those pain points?
When our customers are going through their compliance audits or assessments, they look to Armor as their trusted third-party service provider to address a fair amount of their security controls. My team facilitates all of Armor’s internal control execution and external audits, maintaining Armor’s stringent compliance with regulatory requirements and industry standards. We act in a consultative role helping customers understand their own control requirements and know what auditors will be expecting of them.
Even when they are not actively being assessed, our customers need to perform risk assessments of key vendors and service providers. My team provides vital information to our customers to ensure our good standing within their organizations.
What are some pain points in your day-to-day? How do you address/overcome them?
We live in an imperfect world where information assurance and risk management can feel Sisyphean at times. With every control you implement, or risk you investigate, there is potential to identify larger or more complicated issues, and you may start to wonder where it all will end—what’s next?! However, that is entirely the point. It’s in the moments when you identify new risks and issues that you are truly making a positive impact on an organization. You can’t fix the problems you’re blind to, and you can’t make strategic decisions without understanding how these risks impact your business. So we power through and fight for the greater good. The impact of the work we do is visible in all parts of the business and that is gratifying.
How is your role evolving as the threat landscape and/or cloud landscape evolves?
With so many breaches occurring every day, more and more regulations and industry standards are coming into play and rising in importance, especially as it relates to data privacy. In the wake of GDPR, individual states and countries are creating new laws to protect the privacy of their citizens. Take that in stride with changes to technology, cloud migration, and the increase in cyberthreats overall, and you’ll see that change is not only constant, but rapid. It will take significant effort to stay ahead of it all.
This rapid evolution also highlights the need for roles like mine, which allow for dedicated resources to focus on the regulatory and compliance perspectives, understanding newly implemented technologies and how they fit within the overall architecture of an organization, and management of risk across the business. While it is a lot to manage, it is a significant part of a successful strategy and can be a competitive advantage when performed effectively.
Where do you see the industry in 5 years from now?
5 years is a lifetime in this industry. Technology will continue to grow and change. Significantly more companies will have adopted the cloud. I suspect we will see numerous states implement new privacy regulations and hopefully, significant progress on federal policy that becomes the overarching standard for privacy in the US.
For existing regulations and standards, I expect to see more fines for non-compliance, with cyberinsurance carriers denying claims when non-compliance or non-conformance with regulations or industry standards is identified. We are already seeing a trend where these carriers are looking to partner with security firms to improve the security hygiene of the companies they cover. For audit and assurance practices, with improvements in data analytics and automated testing strategies, I expect we’ll see audit firms taking a holistic approach in their engagements, performing 100% testing rather than relying upon sampling methodologies. Less focus on “reasonable assurance” and more validation that security practices are sound and effective.
Nancy’s role at Armor is just one of many that make it possible for Armor customers to be successful in their own businesses. Stay tuned as we continue this blog series and learn more about how other members of our team are playing a critical role in our organization and in customer environments as well.