Compliance Unfiltered is a Podcast Dedicated to Making Compliance Suck Less
Listen to episodes
June 11, 2026 (21 min)
Audit Fatigue and How to Effectively Navigate It - Episode 220
Caught in a cycle of audit requests, evidence chaos, and burnout? Discover a way out in this episode. Compliance Expert Adam Goslin joins Todd Coshow to reveal the hidden causes of audit fatigue and share strategies to lighten your load. Learn why audit fatigue is intensifying and how fragmented compliance efforts fuel chaos. Uncover tactics to centralize evidence, reduce duplication, and implement improvements. Tune in to reclaim control over your compliance universe.
June 4, 2026 (28 min)
Identity is the New Perimeter (Zero Trust) - Episode 219
On this week's Compliance Unfiltered, discover why identity is the new perimeter in cybersecurity. This episode reveals how zero trust principles can protect your systems by continuously verifying user identity and behavior. Learn about the risks of traditional defenses, the evolution of compliance standards, and practical tactics for implementing context-aware verification. Perfect for IT leaders and security professionals ready to strengthen defenses and build a trustworthy digital environment. Listen now to stay ahead of threats.
Discover why compliance is now a boardroom priority, not just an IT task. In this episode, Todd Coshow and Adam Goslin reveal how outdated practices put organizations at risk. Learn about the shift towards real-time breach detection and the importance of translating risks into business impacts. Perfect for leaders eager to transform compliance into a strategic advantage. Tune in to stay ahead and secure your organization's future.
May 21, 2026 (21 min)
Will Your Compliance Software Vendor Protect Your Data? - Episode 217
Most companies overlook vendor vulnerabilities in compliance. On this episode, the CU Guys reveal hidden risks in vendor relationships, from breaches to vetting gaps. Discover tactics for evaluating vendor security, asking the right questions, and spotting red flags. Protect your data by understanding the stakes—data breaches, penalties, and reputation damage. This episode is essential for those managing compliance and security, offering actionable insights to safeguard your organization.
May 14, 2026 (20 min)
Data Has Borders: The New Rules of Compliance - Episode 216
Data compliance isn't just about protecting information anymore — it's about understanding where your data lives, how it moves, and how to stay compliant across borders. On this episode of Compliance Unfiltered, the CU Guys chat about how, with regulations evolving faster than most organizations can keep up, knowing the difference between traditional data security and the new legal landscape is crucial. This episode uncovers why geographic location, data sovereignty, and continuous visibility could make or break your compliance efforts in today's complex data environment.

Episode Transcript:

Adam Goslin: Especially the stories about compliance hurricanes, generically, of course. We don't want anybody violating any NDAs or anything along those lines. But if you can generisize it and share your pain, there may very well be things that people are experiencing that others are as well. So both the pain and any insights, oh my God, yeah, that'd be great.

Todd Coshow: Absolutely. Reach out at complianceunfiltered@totalcompliancetracking.com. Well, Adam, today we're going to talk about data. That's right, the rules have changed. And I think it's important that we have a chat about it. Does your company actually know where all of its data lives right now? Tell us more about this.

Adam Goslin: There's a lot of organizations that don't, really. They've got a general idea, etc., but they couldn't put their finger on, "This data's here and that data's there, and these are the processes." It's extremely complicated. There's a lot of organizations that, quite frankly, haven't put all of those pieces together. It's certainly an onerous task for any organization.

Todd Coshow: There's definitely a shift in data regulations. Fundamentally, what is changing in data compliance right now?

Adam Goslin: It's not just about securing. A lot of people historically would think about protecting their environment and making sure they're in compliance with fill-in-the-blank, and just about protecting whatever it is that they're responsible for protecting. That's morphing. It's turning more toward where is the data, how is it being used, who accesses it, for what purpose are they leveraging it, etc. There are a lot of rules, regulations, really legal agreements between organizations that govern the data access and usage. So it becomes very important to organizations to be able to have their finger on that pulse, if you will.

Todd Coshow: Why is geography suddenly so important?

Adam Goslin: Data is subject to the laws of the country or regions where it resides. There are different rules and penalties. You've got agreements that you've made with different organizations. So there's a myriad of layers that play in, but certainly where it's at plays into it as well. Some organizations care about where their data resides, aka what country. Some don't. So it gets extremely complicated very quickly, if you will.

Todd Coshow: That makes sense. What is driving this?

Adam Goslin: Globally, privacy laws have been popping up. We've been seeing it just in the US. In the US, we've got certain states that decide to put out certain edicts around privacy laws. California, namely, was the lead in terms of privacy law within the US. But the minute that they did it, now you've got different data and privacy laws picking up from different states within just the United States, let alone when you take it up to a federal level within the US. There are other rules. Once you get international, countries have their own. So it's a landscape that's getting really complicated. It's starting to remind me a lot of some of the complications that organizations would have with breach notifications. There were organizations that specialized in breach notification because of all of these layers of complexity. You bring it from the US stage to the international stage.
May 8, 2026 (29 min)
AI Fraud, Deepfakes & the Death of Trust - Episode 215
On this week's Compliance Unfiltered, AI-driven fraud is escalating, with deepfake voices and synthetic identities posing new threats. This episode reveals how traditional security measures fall short against sophisticated scams, like a $25 million fraud in Hong Kong. Discover innovative detection techniques and why real-time monitoring is crucial. Perfect for security professionals and leaders, this episode is a wake-up call to adapt and protect your organization from AI-enabled deception.

Episode Transcript:

Adam Goslin: I'm doing good. It is, today, Cinco de Mayo. So nicely done.

Todd Coshow: Thank you, sir. Today we're going to have a conversation up and down about fraud, but before we get there, I want to make sure that we say thank you to our listeners. We would love to hear from you. If you've got something that you'd like to share, if you have some suggestions or show ideas, please do not hesitate to reach out to us at complianceunfiltered@totalcompliancetracking.com. We're excited to hear what you have to say. As I teased just a moment ago, today we are talking about AI fraud, deepfakes, and the death of trust. Let me ask you a kind of off-the-wall question, Adam: if your CEO called asking for a wire transfer, would you trust it? Obviously, in this instance, you are a CEO. In your past life, if you were to receive a call from your CEO, would you trust it?

Adam Goslin: It's becoming more and more difficult these days. I was going to say, if I got a call from me, then the cat would be out of the bag. Looking at it philosophically, it used to be that the bigger concern was somebody taking over an email account and passing you weird messages, or they've ghosted out the number and they're sending texts to your phone from the appropriate number, or phone calls that would come in with somebody trying to mimic their voice or whatever. But nowadays, it's not a safe assumption. AI can clone voices. You can clone identities well enough to trick.

Let's say you've got a real strong training program and people are going through training not once a year, but twice a year, three times a year, monthly. It's tough, because when you've got the capability to mirror off faces, voices, etc., it becomes astronomically difficult to blindly trust. It's the same mantra that we've had in this arena for quite some period of time. One needs to ask themselves, does what is happening right now feel right? Trust your gut and be a little skeptical, because I would much rather have somebody coming in and saying, "Hey, I got this request. I'm coming through a back channel just to validate that this is actually legitimate." I would rather answer those types of inquiries from my people a hundred times than take one opportunity for somebody to not bother, or drop the ball, or trust what they were hearing. It's what these people need to do.

There was a recent thing that happened out of Hong Kong, and this was just fascinating. It was a finance worker in Hong Kong where the fraudsters were using AI deepfake technology. They impersonated the company's CFO and other colleagues on a video conference call. Initially, the employee was doubting the request, but was convinced when all these different participants in the video call appeared to be familiar staff members. They basically set up this multi-person video call where everybody except the finance guy was fake. They basically told him they needed to execute a confidential transaction; that's why you hadn't heard about this previously, etc. They convinced this dude on this call to go in, and they did 15 different transfers to five different local bank accounts totaling $25.6 million. They didn't even figure out what the heck happened until later on, when the employee checked the validation with the company's UK-based headquarters. That's when they ended up discovering, "No, you've just been had."
May 1, 2026 (20 min)
How and Why to Vet Vendor AI Software Use for Security Risks - Episode 214
On this week's Compliance Unfiltered, unlock the hidden risks driving AI security nightmares, and learn how proactive vendor vetting can save your organization from irreversible breaches. As AI integration accelerates across industries, many organizations are blindly rushing in, unaware of the lurking dangers that could compromise sensitive data and even their reputation. The CU Guys expose the critical gaps in vendor vetting practices and offer a clear roadmap to protect your business in the age of AI.

Episode Transcript:

Now, everybody's looking for a better, more efficient way to do everything. And in 2026, that usually includes AI. How is this kind of a topic that should be on the forefront of everybody's mind?

Well, the advent of AI has fairly quickly taken a front row seat in a lot of organizations in just about every industry. There are third parties that are integrating AI engines and chatbots into basic subscription packages, whether you want it or not. AI is getting packaged into office products and search engines, and employees are using them without even a consideration for any of the potential security implications. So as AI permeates the workspace, it's not going away anytime soon, and that poses an issue for organizations. AI presents some unique security challenges that most organizations aren't fully prepared to address, let alone that, depending on the organization's security stance, you need to be able to consider locking down software so that your folks can't inadvertently share inappropriate data with third parties. So you need a couple of different elements to be able to bring into play, kind of a framework, if you will, including your AI policy or approved software lists, and your vendor vetting. We already did a fair amount with AI policies and approved software lists, so today we'll focus in on the vendor vetting leg of the stool, if you will, and how to go about vetting vendors, et cetera. So good times.

Good times indeed. Now, where should an organization start?

Well, as you're going in, first and foremost, just to kind of gloss over it, certainly every organization needs to have policies that are governing the use of their artificial intelligence. If you don't have a standard for your organization, then people are just going to paint whatever they want to paint, and that typically means outside the lines. So that's not good for anybody. It's going to introduce security risks for the organization that they aren't even prepared for. So before you can go through deciding to vet any vendors, you need to make sure internally you've done the forethought and thought leadership around how our organization is going to approach the advent of AI. Defining acceptable uses for AI and what constitutes sensitive data within the organization, these are critical first steps where you want a well-communicated standard, so that you can have a shot at ensuring that your proprietary or protected data doesn't end up in the hands of an AI system DB. So it's a good first step for organizations as they're starting to pin things together.
April 23, 2026 (24 min)
Best Practices for Handling Compliance Obligations Related to Incident Response - Episode 213
Join Todd Coshow and Adam Goslin as they help listeners transform their compliance management during incident response chaos into a streamlined, proactive system. Discover how intelligent automation and continuous evidence collection can enhance compliance readiness and reduce audit risks. Learn to shift from reactive, paper-based tracking to a strategic advantage, turning compliance into a competitive asset. This episode of Compliance Unfiltered offers practical strategies for making compliance a strength, not a burden.

Episode Transcript:

Today, we're going to talk about better ways to manage your compliance obligations as related to incident response. Now, for everybody at home, how does a typical organization track and manage their incident response today?

Well, it depends on the organization and the tooling that they've got, et cetera. Certainly some folks could be using some form of a system. But generally speaking, a lot of incident response is handled through ticketing systems, supported by a lot of manual tracking sheets and things along those lines. So in some cases, it's exclusively a manual process. There's a tracking sheet for the list of the incidents. For each of the incidents, you've got a particular set of documentation, a form or a template that you go and fill out as you're going through your incident response, so that you make sure you're filling out the right paperwork and all that fun stuff. But the vast majority of the time, it's manually managed, sometimes with a little bit of something systematic in the mix, and far less frequently have I seen any form of a real systematic solution for it. It's generally a manual process.

Well, how can technology and automated intelligence help an organization step up their overall compliance program, including IR?

Well, when you're going through compliance, there are obviously between hundreds and thousands of things that need to get tracked, managed, and all of that fun stuff. So certainly for the uninitiated, leveraging tooling like Total Compliance Tracking's TCT portal is a far better way to organize your engagement. Certainly the capabilities that exist within the compliance tooling will help with making sure that the organization is checking the various boxes that they've got. But in many cases, it's funny, for the folks that are whitewashing it, if you will, they have this notion of, oh, do we have incident response? Yep, check, move on, mentally move along, right? Similar notion where they go in and do that with active antivirus. It's the one I love to throw around every now and then: yeah, we got antivirus, sweep it under the rug, and meanwhile there are dozens of line items that you need to validate, prove out, et cetera, against these various compliance topics. So especially for the folks that are newer to the continuum, or maybe going through their, call it, annual compliance scramble, it's kind of like Groundhog Day, and a lot of whitewashing goes over it, and then all of a sudden they figure out, oh, well, these are all the things we really need to do. And unfortunately, there are organizations that find out those details too late in the game, in that they are sitting at their audit and realizing that the assessor's asking for stuff that they hadn't put together, organized, and contemplated prior to sitting right there in front of the assessor. So that makes things a little awkward.

No doubt.
April 16, 2026 (43 min)
Overcome Your Draining Compliance Process - Episode 212
In this episode the CU Guys explore how automation can streamline compliance processes, cutting costs and time. Discover strategies to reduce manual efforts by up to 50% using a dynamic ROI calculator. Perfect for compliance officers and IT leaders in organizations, this episode reveals how to transform compliance from a drain into a growth advantage. Tune in to learn actionable insights and empower your team with technology-driven solutions.

Episode Transcript:

Today, we're going to talk about organizations that go through compliance and are asking the question, why is our compliance program so draining? What are some of the basics that organizations need to consider in terms of improving their posture, Adam?

Well, when you're talking about organizations going through it and, for the listeners that aren't informed, my first background in security and compliance was literally doing exactly what these companies are struggling with, but it was 20 years ago. And leveraging compliance automation on your compliance engagements is a huge step forward. A lot of folks are dealing with, oh, God, it's a myriad of things. Dealing with spreadsheets. Typically somebody, either somebody in IT or somebody in leadership, gets some bug up their ass and they're like, oh, we could just go ahead and build a system that could handle all this stuff. And so they somehow concoct some homegrown thing. I don't know. I've seen it all, man. I've seen Access databases. I've seen coding teams that coded something together to try to hold it all together. I've seen combinations of systems with drop zones, et cetera. I mean, I've seen it all. And at the end of the day, the one thing I get to hear from folks is, well, that doesn't, quote, that doesn't cost us anything. Well, it does. Even if I'm just using spreadsheets, I'm pissing away time that I could otherwise reclaim, so that's money down the drain.

The other thing you'll think about, they're like, well, we pay for our devs anyway. So who cares if they're going and doing this? Well, are you more cost effective to have them spending time doing management and maintenance on internal systems every time your compliance standard changes, or are we better off to have them focusing that very valuable time on, oh, I don't know, products and product improvements and things along those lines? I'm pretty sure that your head of product will probably disagree with management on that one. But that's one of the things that happens. The other side of it, and this is just a different root problem, is it's striking how many folks that are in middle and upper levels of management in an organization just don't know, they don't understand, just how much time is getting blown on engagement. So it is also a fervent desire to, finger air quotes, not spend cash, that tends to drive part of it. Meanwhile, the system's actually costing them money. And the other side is just how much time we're pissing down the drain every time that we've got to go through and do our compliance stuff. So those are a couple of the basics that folks need to be considering when they're looking at their own compliance.

Yeah, as it relates to that, so we actually put together a tool. I'm going to walk folks through it.
April 9, 2026 (28 min)
Q2 Security Insights 2026 - Episode 211
On this episode of Compliance Unfiltered, join the CU Guys as they give you the blueprint for Q2 2026, on how to transform compliance chaos into a manageable, continuous process. This episode reveals how shifting from a reactive, annual sprint to ongoing, automated oversight can reduce stress, enhance productivity, and fortify your security posture. Learn practical steps to automate routine tasks, manage evidence proactively, and turn compliance into a strategic business asset. Ideal for security teams and leaders eager to embed security into their company's DNA and eliminate last-minute audit stress.

Episode Transcript:

Adam, the security reminder as we look at it for this quarter: reduce compliance management to bite-sized chunks. Help the folks chop it up.

So this is a topic where it doesn't matter whether you've been doing compliance for a decade already or you're brand new to the game. It really doesn't matter. There are a lot of organizations that will approach their compliance event as this once-a-year extravaganza. And so it's almost like, I feel like I'm back in the day, aging myself of course, with duck season, rabbit season. It's compliance season, right? Everybody goes from their normal day jobs into compliance mode. We put our heads over into the compliance stuff frantically for some period of time, typically lasting months for some of the folks on the team. And then everybody just goes back to their normal day job, type of a deal, until the bell goes off to go do it all over again. It's like a real bad episode of Groundhog Day. But here's what's lost in a lot of organizations: okay, are there some companies that go in, and they're there to check the box and get their piece of paper and be able to prove to third parties that they've done these things? Sure, there are some that carry that notion. I would strongly recommend looking at your program differently if that's the way it's being operated. Really, you need to look at security and compliance as an active measure to help protect the company, protect the organization, protect the stakeholders, protect the clients, protect all of the people, whether it's personnel or vendors, that depend on this company. Make it part of your DNA for the organization. It's not compliance season for three months of the year. It's compliance season every fricking minute of every day. And so on a normal compliance engagement, there are things that are supposed to be happening that are done every day, every week, month, quarter, twice a year, and once a year. But a lot of organizations will pop up at that once-a-year moment and then try to gather everything for the year. Realistically, those periodic tasks are the ones that really are assisting with the active protection of the company. So if you're only going in and dusting these things off once a year, you're not running a security and compliance program. You're just surviving an audit.

Sure, that makes sense.

Yeah, so as you go from compliance season over to something different, which is more of a regular recurring rigor, et cetera, at TCT, literally when we created the portal back in 2015, I believe it was 2016 when we jammed in operational mode. And this will spread out those tasks. I've had a lot of folks go, well, geez, why a decade ago did you go and turn on operational mode? Well, why?