Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Embracing Regulatory Compliance in Identity & Access

One Identity
04/12/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Regulatory compliance is not an exercise in being reactive in cybersecurity, it's an exercise in being proactive. I find it really interesting that from where I've been sitting it almost feels like society as a whole is trying to keep up with the rate of change in digital technology, how it enriches our lives, digital economy, e-commerce and so on. You look at the last 20 years, how quickly our lives have changed in the digital world. How long ago was it that we had Nokia 3310 phones and we were playing snake and now we're conducting our entire working lives in some cases from a mobile phone. The regulations of interest in my field, there are so, so many, it's very, very difficult to keep up with. PCI DSS in the finance space is quite well known, HIPAA in the healthcare space is quite well known. They're very vertical specific. Then you've got some more geographic ones. There's a review taking place right now I think out in North America where the US government is sort of taking stock of the cybersecurity risk to infrastructure. The European Union have had NIS and now NIS2, which is much around cybersecurity collaboration with member countries and looking at the infrastructure in each country and encouraging them, hey look, if your waterworks in country A and your waterworks in country B are collecting information about cyber risk, they should collaborate. They're even going so far as to proactively encourage them to use modern technologies like AI. They actually state it in what is being written in law, hey look, if AI is going to add value, please use it. But they also stipulate it's not good enough to be reactive, we need to be proactive. And then you take a step back a bit further and you get things like ISO 2701, various NIST papers of course, where you're given frameworks at very broad scale to actually certify your own cybersecurity practices. So it's interesting to see how you've got these broader compliance tool sets that then become regional and then become vertical specific. And the more specific they are, the more fines tend to be. There's jail time in some of them, Sarbanes-Oxley out of the whole Enron scandal, for example. You get less jail time for murder. I was really surprised by that. When you're looking at a seven-figure personal fine, when you look at the stats and you look at when Congress voted in things like legalizing marijuana or going to war in Iraq, there was like some numbers of people who were like, you know, I'm not sure. When it came to Sarbanes-Oxley, it was literally like two people didn't vote and that was it, like unanimous. So the point I'm making is that the world is starting to take cybersecurity very, very seriously. There are so many breaches now and governments are starting to write laws to enforce this stuff. My favorite one recently came out of the UK Telecommunications Security Act that comes into force for the telco sector. And the reason that I like that so much is two reasons. One is it's an example of a government recognizing that, hey, look, our national security actually relies on private sector telecommunications frameworks that we don't control. We kind of need to do something about that because if they're compromised, we're compromised. And so they started writing legislation, but very specific guidelines. You must do this. You must do that. Affecting the whole supply chain, you know, sooner or later, cybersecurity vendors may themselves end up being seen as critical infrastructure. Well, that's thinking, you know, imagine a world where cybersecurity vendors are actually seen as essential as internet providers or gas supply or traffic light systems or waterworks, you know, or electricity providers, because so much of our world relies on the digital estate that we've created. The security is a baseline requirement. It almost belongs on the Maslow Pyramid. So to approach compliance, what I recommend is that you have a team of people who are looking after the compliance in your world, because some are going to overlap, right? You might need to get yourself ISO 2701 certified to have that credibility with your customers. You might also be doing business out of North America, so Sibonzoxanine might come into play. You might be doing business out of Europe, okay? So various things out of Europe might come into play depending on the region. And then when you get more specific into your vertical, if you're in the finance sector, obviously PCI DSS and so on, the point I'm making is that you are not going to be beholden to one compliance framework and that's it. There's going to be several and they're going to overlap. Add to that the fact that big fine equals big risk. Your compliance frameworks are introducing a new risk in the form of penalty, okay? Whereas in the absence of them, your risk was simply the breach itself. But now that you have a compliance framework that's being enforced on you, you now have a new risk in the form of that fine, okay? So there's a double whammy on that. One other piece of advice I'd give is that if you've got a team of people looking after and tracking changes and updates in compliance frameworks and how to apply them in your organisation, there are a couple of people to be plugged into that process. One of them would be business analysts. The reason I say that is because you're going to be forced to put specific processes and specific risk controls in place. Some of them are going to resolve around technology, some of them are going to revolve around people, some of it's going to be very process focused. But if the business analysts are engaged, then they can look for opportunities as to where those can be streamlined and actually enable the business. As an example, okay, PCI DSS, HIPAA, NIST 2, the Telco Communications Act that came out of the UK, even ISO 2701 has a whole chapter, by the way, on privilege access management. All of those frameworks require PAM, privilege access management. When you implement a control like that, quite often you're introducing friction to the business in the form of, okay, well, whereas before I had credentials and easy access and I always had access to these high privilege accounts whenever I wanted them, now I've got to jump through hoops to get them and now it's only temporary access. Yes, that's part of the compliance requirements you're under, but you don't have to have that level of friction. Depending on what processes you have, depending on what technology you're working with, what vendors you're working with, what partners you're working with, and as a reminder, having the business analysts in that mix as well, you actually have all the right people in that mix to have a very business enabling compliance conversation rather than a business debilitating compliance conversation. There really is no need to tie your hands behind your back in order to be compliant. You can actually be compliant and increase revenue while doing it and be competitive with your competitors and take your business forward. Compliance is not something to be afraid of, it's something to be embraced. One thing that I think is often overlooked in compliance, and I've spent far too many hours of my life reading through a lot of this stuff, it's dry, very, very dry reading, trust me, but what also stood out to me is that the people who built these did a lot of research. Somebody didn't just sit down and go, how are we going to do PCI DSS then? Let's just make it off the top of my head. No, there's actually a framework of people sitting down, doing their research, blending that into the updates, and these compliance frameworks aren't just written and forgot about. You don't just go somewhere and download it and go, okay, well, this was made 10 years ago. Like 4.0 PCI DSS, it's versioned. That has come out in the last couple of years, I think, off the top of my head, and all these other frameworks that are surfacing are very, very well researched. The Telecommunications Security Act out of the UK, a lot of research was done by the National Cyber Security Center in order to put that framework together. A lot of it's based on that research. These are very, very well-researched frameworks, which means you don't have to do that research. You don't have to invest in doing that research. You can adopt these compliance frameworks in the confidence that somebody else has done a lot of work to go, this is why you need this stuff. Go get this stuff in place. But the trick is, it's down to you in how you implement it and continuously prove that compliance back, and that is where you can actually enable the business.

TL;DR

  • Regulatory compliance frameworks are proliferating globally, with governments writing increasingly specific laws that carry severe penalties including seven-figure fines and jail time for non-compliance.
  • Organizations face overlapping compliance requirements from broad frameworks (ISO 27001, NIST), regional regulations (NIS2, UK Telco Security Act), and vertical-specific mandates (PCI DSS, HIPAA) that must be managed holistically.
  • Compliance should be viewed as an opportunity rather than a burden—frameworks represent extensive research that organizations can leverage, and controls like privilege access management can be implemented in business-enabling ways.
  • A strategic approach involves dedicated compliance teams working with business analysts to identify where required controls can streamline operations and increase competitiveness rather than create friction.

The Evolving Compliance Landscape

This presentation examines the rapidly expanding regulatory compliance landscape in cybersecurity, tracing how governments worldwide are responding to digital transformation with increasingly stringent requirements. The discussion covers major frameworks including PCI DSS for finance, HIPAA for healthcare, and geographic regulations like the EU's NIS2 directive and the UK Telecommunications Security Act. A key observation is how compliance frameworks are becoming more specific and enforcement-focused, with penalties ranging from seven-figure fines to potential jail time under regulations like Sarbanes-Oxley. The speaker emphasizes that compliance represents a shift from reactive to proactive cybersecurity, with governments now recognizing that national security depends on securing private sector digital infrastructure.

Strategic Implementation Approach

The video outlines a practical framework for managing overlapping compliance requirements across multiple jurisdictions and industry verticals. Organizations typically face requirements from broad frameworks like ISO 27001 and NIST, regional regulations, and vertical-specific mandates simultaneously. The recommended approach involves establishing a dedicated compliance team that includes business analysts to identify opportunities for streamlining controls and enabling business operations rather than creating friction. Using privilege access management (PAM) as an example—required by PCI DSS, HIPAA, NIS2, and ISO 27001—the speaker demonstrates how compliance controls can be implemented in ways that enhance rather than hinder business productivity. The emphasis is on leveraging the extensive research already embedded in these frameworks rather than reinventing security practices.

Chapters

0:00 - Introduction and Compliance Philosophy
0:46 - Major Compliance Frameworks Overview
2:25 - Enforcement and Penalties
3:19 - UK Telecommunications Security Act
4:34 - Building a Compliance Team
6:06 - Business-Enabling Implementation
7:27 - Leveraging Framework Research

Key Quotes

0:09 "Regulatory compliance is not an exercise in being reactive in cybersecurity, it's an exercise in being proactive."
2:36 "There's jail time in some of them, Sarbanes-Oxley out of the whole Enron scandal, for example. You get less jail time for murder."
3:35 "Our national security actually relies on private sector telecommunications frameworks that we don't control. We kind of need to do something about that because if they're compromised, we're compromised."
7:21 "You can actually be compliant and increase revenue while doing it and be competitive with your competitors and take your business forward. Compliance is not something to be afraid of, it's something to be embraced."

Categories:
  • » Cybersecurity » Compliance & GRC
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Compliance & Governance
  • Identity & Access
  • Best Practices
  • Thought Leadership
  • Regulatory Compliance
  • Identity and Access Management
  • Privilege Access Management
  • Cybersecurity Frameworks
  • Risk Management
  • ISO 27001
  • PCI DSS
  • HIPAA
  • NIS2 Directive
  • Sarbanes-Oxley
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Embracing Regulatory Compliance in Identity & Access

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies in Data Protection and Privacy Management
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies in Data Protection and Privacy Management

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version