CypherCon 2022

Hacking the Compliance Kernel

Kyle Hinterberg

Abstract:

Keeping up with regular compliance tasks can be draining and feel unrewarding, causing many to be overlooked or ignored. Ignoring these tasks can negatively affect our organizations and impact our job security. But if we don’t ignore them, we risk falling behind on other obligations and getting burned out.

Rather than ignore these tasks and risk burnout, we need to find the sources of compliance burdens and hack them.

What makes a hacker is not a hoodie; it is finding ways to accomplish tasks using creative, effort-reducing methods. Hacking is not limited to the red-teamers of the world. Blue-teamers also need to hack the tasks preventing them from performing the more enjoyable parts of their workload. We can hack compliance by doing the following:

• Use tools like the Unified Compliance Framework to create one control to rule them all.
• Put automation and calendar reminders to work doing your job for you.
• Spend time to understand requirements to avoid wasting time on controls that are not relevant.
• Stop making the perfect the enemy of the good; something is (almost always) better than nothing.
• Create enduring policies and dynamic procedures.

Putting in a little extra effort up front will pay dividends in time, resources, and reduced stress.

Kyle Hinterberg

Tries to Comply – No Hoodie Required

Kyle Hinterberg is a manager at LBMC where he specializes in Payment Card Industry (PCI) consulting and assessments. He started his IT career as a systems administrator, which provided him hands-on experience with server administration, networking, software development and vulnerability management. Over 10 years ago Kyle transitioned to security and compliance and became a certified PCI Internal Security Assessor (ISA). As the PCI subject matter expert for a Fortune 400 organization, he learned that compliance is as much political as it is technical. Eventually he decided to take his experiences to the other side of the table and become a consultant. His experience beyond consulting has taught him to be curious, not judgmental, and allows him to offer valuable insight to any client, especially those looking to implement scope reduction or data devaluation.