Compliance Unfiltered is TCT’s new podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Consultants vs. Assessors
Quick Take
If you’re going through or about to go through a compliance engagement, you may be deciding what mix of help you need to complete your compliance tasks — successfully, and as painlessly as possible.
We dive in depth to cover the differences between an Assessor-only approach versus a Consultant + Assessor approach, and what each option can add to your compliance game-plan.
Which do you need? Can’t your IT Department figure this stuff out? If you already have an assessor, would you need a consultant? We walk through all these answers so you don’t have to guess!
In this episode, Adam and Todd discuss:
- What are your options? Can you choose either, or both?
- Why is the notion of a Consultant vs Assessor important?
- What if your company has great IT staff?
- Why consider a Consultant
- What to look for in a Consultant
- What to look for in an Assessor
Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd Coshow
Well, welcome back for another episode of Compliance Unfiltered. I’m Todd Coshow alongside the compliance guru himself, Adam Goslin. Adam, how are you today?
Adam Goslin
I’m doing great Todd. How goes it?
Todd Coshow
It goes. It goes, which is most certainly better than the alternative. Today, we’ve got a very special episode that is actually, I’m sure very, very near and dear to your heart, given the amount of time that you spent in the consulting arena.
Todd Coshow
Today, we’re going to be talking about the use of consultants and assessors and consultants and assessors. And I’m excited to get your take on this Adam.
Adam Goslin
Sure.
Adam Goslin
So, I mean, the reality is that, you know, people have options whenever they’re going down one of these arenas. You know, certainly they, you know, they could go alone with an assessor, they could choose to, you know, kind of fold a consultant into the mix.
Adam Goslin
And you’re right, I mean, I’ve been doing this now, you know, full-time for well over a decade and really positioned, you know, positioned in that space and again, I love helping people. And I knew early on, I didn’t want to be, I’ve got all the mad skills to be an assessor, but didn’t want to go there.
Adam Goslin
You know, I really like being in that position where I can just really help organizations navigate the waters and figure things out and all that fun stuff. So, I spent the better part of the last decade in that consulting arena and, you know, kind of helping organizations, some of which, you know, go through official assessments and some of which don’t.
Adam Goslin
So, it’s kind of been an interesting trail, if you will, experience kind of seeing it from many sides because I’ve been through compliance myself initially. You know, I’ve been a consultant to other organizations that have to go through compliance, you know, help them prep for audits.
Adam Goslin
I’ve worked alongside assessors, you know, helping them during the last 10 years. And I even spent a stint of about a year and a half or two, you know, working and doing kind of reporting quality assurance for a, you know, for a large firm.
Adam Goslin
So, you know, I’ve kind of seen compliance from a number of different directions.
Todd Coshow
Been through the wringer, as they say.
Adam Goslin
Yeah. And I decided to land where I am.
Todd Coshow
Oh, there you go. That should tell you everything you need to know. So, I mean, that actually is a great segue here, Adam, is for those going through compliance, like folks, they have options, right?
Adam Goslin
Yeah, I mean, they can, you know, they can, they can go, they can go down the road of really, I suppose there’s several different, different modes of operation in this compliance arena, right? So you’ve got those, those either certifications, you know, or, or standards, which, you know, which don’t require anybody else, you know, you can go through and just do a self assessment, you know, is one side of it.
Adam Goslin
On the other end of the spectrum, you may have to go through a third party assessment proper and then, and then you’ve got the option of in both of those cases, whether you’re doing a self assessment, you know, layering on a consultant for an extra pair of eyes, or if you’re going through a third party assessment, layering on a consultant to, you know, to assist you with, you know, with the coordination, orchestration prep things along those lines. So, so yeah, there’s a lot of different choices that folks have in terms of how they go about doing it.
Todd Coshow
And so companies have IT folks, though. But before we get there, the notion of a consultant versus an assessor, it’s important, right?
Adam Goslin
Yeah, well, the biggest problem for a lot of organizations and kind of having worked with companies over the years, what I typically end up kind of walking into is that, the companies have all, many of them will just say, say screw it and give it a shot, right?
Adam Goslin
Try to go ahead and navigate the waters themselves and all that fun stuff. We’ll talk about the IT folks here in a minute. But, typically what I find is that, they’ve already burned through a bunch of time, a bunch of pain, a bunch of effort, maybe that the management is just getting frustrated with the fact that they would just need to get this done.
Adam Goslin
Sometimes the pressure’s coming out of the sales organization where they’re losing opportunities because they’re not fill in the blank compliant and or can’t prove it with some measure of effectiveness.
Adam Goslin
So they end up kind of finding out too late that the organization would have been better served having had somebody helping them navigate the waters and all that fun stuff. And they ended up wasting a bunch of time in this interim period before they finally call the consultant in.
Todd Coshow
And that costs so much money, right?
Adam Goslin
Well, it’s interesting, it’s money, it’s time, it’s your resources. I mean, if you think about it on any of these compliance style engagements, the most costly resource that they end up burning is really their own internal personnel time, right?
Adam Goslin
Going in circles and not making forward progress and losing opportunity. So that waste of time really starts to kind of eat into, eat into things. And for many of them, that’s the position they find themselves in.
Adam Goslin
I’ve had a couple that like, kind of saw the light and decided to just kind of pull in the assistance up front and kudos to them. But I’d call those folks the rare exception. Generally speaking, I’ll see people go give it a shot, do the waste of time and then start to see the light.
Todd Coshow
But I mean, and I alluded to this briefly, because the common response, the retort that you get is, well, listen, we’ve got our own IT folks, right? They know they’re stuck. You’re telling me that that’s not good enough.
Adam Goslin
Well, here’s the deal, is it really depends, okay? And this is kind of a hard one for, especially for the leaders of an organization to really kind of get their arms around. Because one of the biggest kind of misnomers or missteps that I’ll see, especially out of the business side of a particular organization, is they go under this guiding assumption that well, we have IT people.
And so the IT people must know how to do everything that’s IT. And I kind of covered this on a prior podcast, but I’ll relate it to like the medical field. You’re not gonna go to your general practitioner and just go in and mandate brain surgery, right?
You’re gonna end up having to go to a specialist that specializes in brain surgery. And so the leaders of these organizations, they need to look at it the same way, which is I can’t just go to my IT person and expect that they just omnipotently know everything about security.
Adam Goslin
Because by and large to the tune of, oh God, 85, 90% of the time, these people do not know. It was a really insightful learning experience, the first time that I had to go through one of these, it was very insightful because I was an IT leader and was faced with going through compliance for the first time. And once I got all the way through, one of the lessons learned that I really took away from that was just there were a couple of things, how little I knew as a leader and a practitioner in IT. And I’d been in that space for 10 to 15 years at that point in the game, leading teams of people doing day by day IT and systems development, designing systems and all sorts of fun stuff. And yet in retrospect, realizing just how little I knew about security and compliance, it was shocking for me. And even scarier was that I had these people in my IT department that were experts in administering firewalls and administering the network and administering the day by day machines and administering the servers and whatnot. And just how little those people knew about what they should be doing, that was probably the more startling piece. And so, one of the biggest missteps that I’ll see is these organizations of, oh yeah, I got my IT people so they can just, whatever, Bob, Mary, whatever can go handle it, right?
Adam Goslin
And so, there’s that realm, which is while they may know how to do their jobs excellently, it’s less often that they’ll have the true real world experience to relate that world to the world of security and compliance.
Adam Goslin
Unless your organization’s been doing this for a long time, gone through years of audits and all that fun stuff, it’s very unlikely that the internal staff knows enough to be able to truly fulfill this properly and effectively.
Adam Goslin
The other challenge that you’ve got with the internal IT crew is that oftentimes they’re too close to it, right? So, we talked a minute ago about how the leadership within the organization looks to IT and says, well, you can spell IT, so you must know everything about security and compliance. And so, they walk in with this almost expectation. And the poor IT people, they’re trying to do their dance and whatnot and trying to navigate these waters, but they really don’t have the requisite experience.
Adam Goslin
So, what I often recommend, especially to the management layers within an organization is do not make that mistake. Don’t expect that these people just know this stuff. They’re gonna learn a lot as they go through the process, but it’s on you if you’re expecting this of them, you know? And it’s hard for those leaders to kind of connect that dot because really all they’re doing is they’re setting themselves up for failure, the company up for failure, their internal people up for failure.
Adam Goslin
And these poor people don’t wanna be either disappointing or pissing off their boss. And so, they just go and try to do the dance and navigate the waters and whatnot. And so, it really gets difficult because now these poor people that are expected to just know this stuff, you know, are now expected to be able to navigate the waters. And that puts them in a position of it being difficult for them to be objective, right? You know, they’re almost stuck in a position where they have to kind of try to shield themselves, you know, from the expectations of their bosses and all the way around.
Adam Goslin
It’s just a really bad mode. So, the last thing I’ll say in this, you know, kind of in this arena is that, you know, is that, you know, getting the headspace of the leadership set correctly is really important.
Adam Goslin
And whenever I have a new organization that’s walking into this area for the first time, is that just to tell them upfront, your people don’t know everything about security and compliance. Yes, they’re gonna learn a ton. Yes, they’re probably great at what they do day by day, but they’re gonna learn a lot as we go through this process together. So, you know, it’s kind of setting that expectation out of the gate tends to help all the way around because now it really is the pressure on the internal folks, the management, you know, notion is set correctly and it really helps all the way around.
Todd Coshow
Well, what if you have an assessor, like why consider the consultants?
Adam Goslin
Well, there’s a couple of, there’s a couple of, you know, kind of on good things, challenges, etcetera, around the assessor only model, right?
Todd Coshow
Okay.
Adam Goslin
And it depends, it depends on the assessor, but generally speaking, of course, the assessor’s there to try to help their clients get through the waters and all that fun stuff.
Adam Goslin
And yet, their job, their primary job, if you think about it, is their job is to come in and assess. Are they going to give you some directional guidance and answer some questions and, you know, and whatnot around key elements?
Adam Goslin
Yeah, that’s probably folded into what they do. But in the same sense, the assessor’s primary role is not to be internal coordinator of your compliance function, right? Their job is to come in and do the assessment.
Adam Goslin
So while they’ve got some time set aside mentally for doing the consulting and whatnot, there’s a big difference between that and active management of a compliance program and, you know, kind of herding the cats internally of, you know, who needs to get what and supply this evidence and hunting them down, reminding them they need to get stuff and, you know, and all that fun stuff.
Adam Goslin
So, you know, there’s a big difference there. The other challenge that organizations will face when it comes to their relationship with an assessor is, well, let’s just pretend for the sake of this discussion that you don’t quite have fill in the blank in place, right?
And so now you’re faced with what? Having an open dialogue with the person that’s supposed to be coming in to do the assessment of the fact that you have this stuff in place and now talk to them about the fact that you don’t really have it in place.
Adam Goslin
I mean, it just puts everybody in an awkward position.
Todd Coshow
Conflict of a variety of different interests.
Adam Goslin
Yeah, well, it puts it puts everybody in a bad position, you know, it puts the assessors now got to kind of, okay, well, I sort of didn’t hear that, you know, that type of thing. And, you know, and then you got the company trying to dance through the hoops and, you know, and all that fun stuff.
Adam Goslin
You know, so, you know, so, you know, you’ve kind of got that kind of conflict of interest, you know, arena as well, you know, and realistically, you know, the consultant’s role in these organizations is really to be, is to be that middle, it’s almost like being the middleware, right, to a compliance engagement, where, yes, you’ve got the assessor on the one end, but then you got the company on the other side,
Adam Goslin
and their job is almost to, you know, to go through and assist the organization with, you know, identifying what do we have? What do we not? What are our options for how to clear it? And the best part about the consultant role is that it gives the organizations an opportunity for just open dialogue.
Adam Goslin
The consultant’s not there to judge, well, they shouldn’t be, the consultant’s not there to judge, the consultant’s there to help. And so, you know, they’ll help you get prep up the audit, they’ll help with audit coordination, they’ll help you with options for remediation.
You can have a right open dialogue with that consultant about, hey, here’s where we’re at right now, and we know we need to get this thing done for the audit, so, you know, what are, what are my choices and all that fun stuff?
Adam Goslin
And now you’re not revealing, you know, all of the, you know, kind of these deep secrets and whatnot to the assessor. At the end of the day, yeah, most of the assessors are, you know, are, you know, even keeled and, you know, and whatnot, but some of them, some of them will kind of mentally hold it against people if they’re discovering holes and gaps and problems, and it just makes them ask more questions,
Adam Goslin
you know what I mean?
Todd Coshow
And it makes me want to ask a question, Adam, and that is, is that quite certainly not all consultants are created equal. So what should people very much be looking for in a consultant?
Adam Goslin
Well, there’s, in a consultant itself, you know, you want to, certainly you want somebody that’s got, that’s got a good breadth of experience. And not just, you know, not just length of time, but, you know, ask them, ask them a bunch of questions.
Adam Goslin
I mean, how many engagements have you, you know, how many engagements have you worked on? How many, how many different styles of certifications have you, you know, kind of have you worked on? You know, have they gone up against, you know, related certifications to what, you know, to what your organization is about to go through?
Adam Goslin
Do they have experience across the breadth of them? Have they worked in a bunch of different industries? You know, do they have experience in, you know, with different delivery models and platforms, you know, that type of thing?
Adam Goslin
The more, the more that they kind of they’ve done, that they’ve seen, the more certs, the more types of companies, the more delivery models of those companies, etc., gives you a kind of a broader spectrum of, you know, kind of how well they’re going to be able to position themselves for going and getting through the, you know, your engagement.
Adam Goslin
You certainly want to find somebody that is, has a good personality, that has kind of a good cultural fit with the organization. I love using the word, you know, non-PITA, standing for pain in the ass.
Adam Goslin
You know, the bottom line is, is that, is that, you know, this world, especially the, especially the, the IT space, the IT space, the IT consulting and the assessor space, you know, the reality is, is that it’s flush with a number of folks that are, you know, that are, you know, can be rigid, that, you know, that can be painful to deal with it, you know, have much more personality that, you know, you know, that aren’t flexible. So, you know, I like to use the word non-PITA for, you know, for finding the right one. You know, you want somebody that’s reliable as well.
Todd Coshow
That’s a good way to put it. Reliable, not overwhelmed, not underwater.
Adam Goslin
Yeah. And what I mean by the, like the not underwater part is do they have enough availability to actually go hand, go, go handle your engagement, or are they just going to sloppy into the, you know, into the mad scramble day by day mess and, you know, and blah, not really have enough time for your organization and serve your needs, that type of thing.
Adam Goslin
Um, you know, you want, you want somebody that has a greater kind of breadth of capability than just your basic needs. Right. Um, and, and, and honestly, going back to that experience arena, ask a bunch of questions of the, you know, kind of, of that, of that consultant, because that’s, uh, that’s kind of a really important arena to, uh, to keep your eyeball on.
Adam Goslin
Uh, and then organizationally, um, you want to make sure that that consultant has, um, you know, has the, the requisite organizational skills to be able to hold all of this together, um, you know, at the end of the day, you know, we’ve talked about it in a, in a couple of the other podcasts is the, you know, kind of the breadth of some of these, some of these certifications that these companies have to go up against.
Adam Goslin
I mean, this could be hundreds to thousands of various line items that they, you know, that they need to go in, uh, go in and get handled. So, um, you know, they’ve got to have the ability to be able to kind of hold all of this together and do their part for the organization.
Todd Coshow
Well, from the assessor side though, like I know, cause there’s some folks that are going to be listening to this podcast right now that say, Hey, you know what? Like I appreciate that very much. I’m really interested in an assessor right now.
Todd Coshow
So for those seeking an assessor, what are they looking for?
Adam Goslin
Well, the assessor arena, you know, one of the biggest things, the non-PITA comment would kind of apply here too. You know, the assessors of the world, it’s actually one of the most interesting group of people that I’ve ever had the opportunity to kind of face and interact with, just because, you know, it does. It takes a whole bunch of different skills. But one of the biggest things that I would typically recommend to folks is, you know, is the last thing on earth that you want in your assessor is somebody that is literally going to go in and look at the, you know, the language of a particular control or requirement and be very black and white about it. Well, it says that you need to blah, blah, blah, blah, blah. And so they go over here and they look and they, did you blah, blah, blah, blah, blah? No, you know, you don’t, you don’t want that. What you want is you want an assessor that has the capability to go in, look at the nature of these controls, look at the natures of the requirements, look at the, look at the any instructional guidance from the governing body,
Adam Goslin
And then be able to go look at your situation and make sure that you’ve met the essence of what that requirement is seeking or desiring from, you know, from the target organization so that you’ve got that ability to kind of work with your assessor to be able to make it work for, you know, to make sure that you’ve met the, you know, met whatever the requirements are, but have enough flexibility so that it’s not rigid.
Adam Goslin
You know, certainly the compliance for the, not the compliance, but the assessment firms that are out there, you know, they’re, they’re of all sorts of kind of different sizes and scales, which kind of fits into the, you know, the general culture.
Adam Goslin
So generally speaking, you know, especially back in the day, you know, most of the assessment firms were these just behemoth organizations, right? They pretty much had a lock on, you know, on the, you know, the audit and assessment world. And, and it’s nice because there’s a lot more organizations now in this mix. And so it’s not just these big giant, you know, giant, you know, kind of firms that are out there. And so, you know, you’ve got some various options, you certainly want to look at kind of the cultural fit and how do they, you know, how do they work?
Adam Goslin
A lot of those, you know, a lot of those, you know, kind of fit, cultural fit with your organization, how they treat things and whatnot. Those are all really important, important elements to go through as well.
Adam Goslin
And then for the, for the kind of the broader experience that that organization has, you know, with, you know, likely additional certifications that they would go and kind of layer on to the, layer on, we do want to make sure that we’ve got, you know, a broad experience with, with other certs.
Adam Goslin
Because that choice for an assessment firm is really an important one. Because what I see, especially with the, you know, kind of the industry progression of different certifications, new certifications coming up and whatnot, you want to look for an assessment firm that’s willing to expand their footprint, pick up those new additional certifications, service your needs, but walk in with a pretty broad,
pretty broad scope of capabilities out of the gate. That’s important because what I’m seeing with more and more companies is that, you know, they, they go in, they start out and, you know, they, they decide that they’re going to hit, you know, ISO 27001 or PCI or, you know, CMMC, whatever.
Adam Goslin
And then lo and behold, you know, one of their clients says, Oh, but we need you to be fill in the blank compliant. Well, you don’t want to be in the position of having to retool, retool and retool or, and or layering on multiple assessors. Yeah, that, that world gets painful. So if the assessment firm that you picked has a pretty broad range of capabilities, it’s, it’s far more likely that they’re going to be able to kind of grow with your, the needs of your organization.
Adam Goslin
And finally, the, you know, the notion of how long they’ve been in this space, it’s not just a lot of folks will just look at the company, right? And just because the company has been out there, this is, this is going to kind of cover a couple of different, different arenas as I go through this.
Adam Goslin
But, you know, there’s, there’s the length of the time that the company’s been around. And then there’s the length of time that their assessors have been in the space. And sometimes it makes for an interesting mix, because the one of the entertaining parts is for some of the large, you know, one, some of the large, you know, large assessment firms that are out there, they end up really scraping a lot of their, you know, kind of their new talent comes straight out of, you know, the kids are straight out of college, right? And so they’ve got this mix of, I don’t know, 50, 60, 70% of their staff, if you will, is, you know, relatively short time, you know, college kids, etc., with some oversight from some, you know, far more experienced folks.
Adam Goslin
And yet you could go and go and get with a firm that’s only been around for three years. And yet, they’ve sucked up a bunch of assessors that have, you know, a decade plus of experience. So looking at a combination of how long has the firm been around?
Adam Goslin
You don’t want somebody that just, you know, started last week, you know, type of thing, you want to make sure they’re going to be there for your engagement next year, that type of thing. But also looking at the, you know, just the general tenure and experience of their assessors is also a, you know, an important notion.
Todd Coshow
That’s a great point, Adam, and you know, we’ve done a lot of heavy lifting in this space today, so let’s take a minute here just to reset and kind of give the folks some of your closing thoughts as we look back over what they need to know from our conversation today.
Todd Coshow
What really sticks out?
Adam Goslin
Well, as folks go into this arena of evaluating, picking, deciding to change their consultants, assessors, etcetera. One of the best recommendations I would give to people is that it’s not like there’s a Yelp page, right? Or I need to go, hey, let’s go look up ratings for consultants and assessment firms. It doesn’t quite work that way, and somebody else’s experience, thoughts, and whatnot are going to be different. So, you know, go to people that, you know, talk to other people that you know in business. That maybe people that are in a similar space as you, maybe have to go up against the same certs as you. But talk to people that you know and trust that are going to give you, you know, give you some open feedback.
Adam Goslin
You know, ones that have had to go through this before. You know, and find out, you know, who would you use and how were they and what were the things you liked and whatnot. That’s a good realm of, you know, a good realm for being able to find people.
Adam Goslin
You know, honestly, as I’ve been going through the, you know, the security compliance arena for the last decade plus, I can’t even underscore the importance of, you know, talking to folks around you, making friends, you know, and, you know, helping others and providing them with insight.
Adam Goslin
You know, it’s been really, really cool kind of seeing that all unfold. You know, the bottom line is that if you get stuck with the wrong consultant or assessor, and does that suck? Oh, it sucks. It sucks so bad.
Adam Goslin
And the problem is, is that, you know, now you got these pressures, but you’re dealing with, you know, dealing with, you know, so-and-so or such-and-such to, you know, to be able to get through it.
Adam Goslin
And it’s just a nightmare. Nobody’s happy with it. You know, so doing your upfront legwork, making sure that you, as best you can, you kind of pick out somebody that’s good, you know, and whatnot, because, yeah, getting stuck with the wrong one, that’s awful.
Adam Goslin
And then finally, certainly, you know, I’ve been in the space, and we’ve been in the space for a while. You know, if you want to, if you ever want to come hit up TCT, you know, ask us to, you know, to give you a recommendation to somebody that doesn’t suck to deal with, then, yeah, we’d be happy to, you know, happy to go ahead and do that, know a bunch of people in the space, and oftentimes we’ll give people referrals to others.
Todd Coshow
Well, excellent. Adam, I really do appreciate it. That is all the time we have today, folks. I’m Todd Coshow.
Adam Goslin
And I’m Adam Goslin, hope that we help get you fired up to make your compliance suck less.
Todd Coshow
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
Adam Goslin
I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks.