Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Should Organizations Hire Fractional Security and/or Compliance Consultants?
Quick Take
On this episode of Compliance Unfiltered, the CU guys chat about the nuances within the compliance consulting realm. They chat about why this topic is a major pain point for some. Adam talks at length about how companies can go about addressing these weaknesses with some help.
Curious about the ongoing value of compliance consulting? Wondering what you can expect from fractional consulting? All these answers and more on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Alfred to your compliance, Bruce Wayne. Mr. Adam Goslin, how the heck are you, sir? Ha, ha, ha, I’m doing good. I need one of those. I know, right? Sign me up. Ha ha ha ha. Well, let’s see, you know, talking about somebody in a consultative position, right? Today, we’re actually going to be chatting about, you know, whether or not organizations subject to compliance should hire fractional security and or compliance consultants.
Now, why is this topic a point of consideration for organizations going through compliance, Adam? Well, I mean, if you think about it, the, you know, the one big miss that a lot of organizations have in terms of their thought process is they go into this guiding assumption. And I call it one of the biggest bad assumptions that companies make. And that is that, you know, they believe that they’ve got network administrators and developers and other IT personnel, and that, you know, that these people are providing cybersecurity and compliance expertise. And, you know, the reality is, is that the vast majority of them are not. It’s okay, because, you know, IT and cybersecurity, they’re, they’re different arenas. There’s a big difference between, you know, keeping the network going and doing it securely. So, you know, the one recommendation that I, that I have for organizations is don’t expect your IT folks to, you know, get you security expertise. It’s, it’s a different realm. It’s like, it’s like expecting your, you know, kind of your, your payroll officer to be providing full-scale accounting services, you know. Yeah, they’re, they’re, they’re kind of, they’re good with numbers, you know; doesn’t mean that they can do all of those functions. You know, but, you know, you, you sure as hell better get security, compliance, cybersecurity, security and compliance expertise into your organization, and, and do it soon. Because, you know, most organizations, you know, unfortunately come to the realization about just how little their people know when they’ve basically got, got the proverbial, you know, kind of gun at their temple. Um, you know, something’s gone wrong and now you’re, you know, now you’re needing to, to go into holy crap mode. And, you know, they’ve got this assumption that all their people just know what they’re doing and blah, blah, blah, and it’s like, man, you can’t... You know, a client, you know, a client that you can’t afford to lose is, is ready to, you know, ready to walk away because you’re not meeting their security requirements. Um, you’ve got maybe some game-changing opportunity, you know, but you, you don’t meet the compliance standards. There’s a lot of scenarios, um, you know, kind of, that can, that can play out, and you do, you do not want to be figuring this out when, uh, you know, your help desk phone tree basically lights up like a Christmas tree because your company ended up with its name in lights on Google, uh, with a public, you know, with a public breach. It’s just, uh, it’s, it’s not a, uh, it’s not a warm fuzzy feeling, shall we say? Uh, you know, being in that position. And so I’m really trying to, trying to drive organizations to thinking this through before they’re in, in the unfortunate circumstance that, you know, that means they need to take action quickly.
Absolutely. Well, I guess, how can companies go about filling their security expertise gap, I guess you could say? Well, you know, if you’re proactive, then, you know, you’ve got the opportunity to close this gap up and get things resolved before you have that, you know, kind of holy crap moment where I need input, answers, you know, what not, now. Um, you know, hiring, uh, you know, hiring a security and compliance expert, you know, that can help you with meeting your security demands of your business, um, and especially as your company’s needs evolve, uh, you know, is a really, you know, is a really, really good, a good idea. The unfortunate part is that bringing on, so, so, you know, most people’s response, right? Oh, I need a plumber, I’m just gonna go call a plumber, you know, type of deal. Well, in today’s day and age, you know, just going over to, you know, to, you know, whatever, Monster, Indeed, where, you know, LinkedIn, etc., and going, yeah, I’m just gonna go pick up a, you know, I’m gonna go pick up a security compliance expert... They’re not sitting around. They’re not sitting around, they’re not wondering what to do. They’re in astronomically high demand right now. And so, you know, the choices that organizations face is, you know, that demand for these people is high, the field isn’t keeping pace and that cybersecurity skills gap is just constantly widening. So those, you know, hiring somebody on as an internal, you know, internal personal and staff, most, number one, you’re gonna pay a pretty penny, you know, for having that level of expertise at your organization. I would whip a dart and say that, you know, readily, you know, your normal run-of-the-mill, you know, kind of IT person, you can expect to pay at least, you know, triple what you would pay somebody like that just because that’s what the market is going to, you know, is going to drive.
You know, sure. Another alternative option is, you know, instead of bringing somebody in that has this compendium of expertise already at their fingertips, well, let me go ahead and grab somebody that’s just straight out of college and, you know, learning on the job. Yeah, okay, you’re gonna save somebody upfront, but you’ll be, you know, spending, you know, as much, if not more, than that same kind of full-time resource we were talking about earlier, but getting very little for it, you know, and in the end, you know, you’re overpaying while you’re getting less protection for, you know, for your organization. You know, one of the biggest issues, especially with security and compliance folks, is that because there’s such a high demand right now, there are a lot of them that are, you know, staying in an organization for a little bit, that leave for greener pastures. Now you’re having to bring on, hire, train, you know, retrain, retrain, you know, people, you know, which are astronauts. So, you know, the other option is, you know, to bring in, bring in a security compliance consulting firm to, you know, to kind of assist with fulfilling the, you know, kind of that gap, if you will.
Now, how would you articulate the ongoing value of security of a security slash a consulting firm? I’ve been like, that’s ultimately what people are going to ask is, thanks for helping me get to this point, but then what do you do from here? Yeah, exactly. Well, the, you know, the security compliance firm, the big difference with them is that, you know, they’re not, well, unless your needs are… tremendously high. You know, they’re gonna be able to provide assistance on a fractional basis. So, you know, with a fractional, you know, security consultant, you’re getting the full expertise that you need, but you’re getting it at a, you know, at a reasonable and or affordable cost. You know, the fractional consulting firm can, you know, can help you understand your current requirements for security compliance, identify gaps, help with giving you sound advice on, you know, on how you need to go about filling those gaps, remediating them, et cetera, you know, and, you know, kind of best steps for how to move forward, you know, with those various items. The other cool part about the value of the, of having somebody like that with that level of experience is that, you know, they they’ve had experience out in the field.
They’ve seen different organizations. They’ve seen, you know, different organizations, how they, how they do things, work with a number of vendors in the space, et cetera, can recommend, you know, good vendors to, to bring in for fulfilling, you know, the gaps that are identified, you know, and the bottom line is, is that the chances are that an organization is not going to need some full-time security compliance consultant, you know, a person on staff, nor will they need a full-time consultant, you know, but, you know, you need, you need access to that level of capability, you know, periodically throughout the year, you know, especially if you’re, as your organization is making the transition from, okay, we’ve finally gotten fill-in-the-blank compliant, and now we need to move this into an operational mode.
You know, that fractional, you know, fractional approach is really an ideal, an ideal arrangement, because it’s giving you the access that you need at a price point that’s, you know, at least tolerable.
Absolutely, now. What are the types of things an organization should expect with fractional consulting? Well, in general, the fractional consulting engagement can operate in a couple of different ways. One is you bring them on in a limited term engagement, where the security expert comes in, says, hey, here’s where we’re at, gives you some recommendations, and then walks away. I really would not recommend that style of an arrangement. Yes, it’s true. It’ll save you cost by being able to get them to come in, do their thing, and walk away. But I’ll use it as a finger air quote, “saves you cost.” Because then you can go off, you could implement these things on your own, you know, etc. But the biggest problem is, is that, that person’s evaluation is only as good as that precise moment in time they made the recommendation. So the minute they walk away, things start changing, right? What happens if you add a new service? Change your hosting locations or need to make a vendor change, etc.? What if a major client is coming and saying, hey, we’ve got these new security compliance certifications that you need to now comply with? There is no business, generally speaking, that just stays static. The security and compliance profile of the organization is continuously needing to evolve, just like the business needs to evolve. So in the long run, you’ll end up spending a lot more money, getting less for it, wasting a bunch of time with having these consultants coming in in rounds.
It is the one side of it. The other pitfall of this is that these people aren’t sitting around waiting to wonder on what to do. So even if you decide to go with this limited engagement approach, the reality is that these folks are going to be busy. It might take you two, three, six months to get on the calendar. And now you’ve got these herky-jerky delays between who I need and I’m getting. The way that I would suggest or recommend to organizations to approach it is more of an ongoing engagement. Get a consultant that’s going to come in, do that initial assessment, provide the recommendations, et cetera, but then stick around being part of the solution. Look for somebody that can help resolve your issues and offer the ongoing proactive experience and expertise as your operations are evolving. So that ongoing fractional security consultant can provide ongoing presence for answering of questions, helping to resolve issues, internal audits, you know, helping with any changes or modifications that may come about, preparation for annual audit alongside you while you’re going through your audit, you know. That actually brings a tremendous sense of peace of mind for most of the organizations that, you know, they head down this path, you know, offering that ongoing guidance as you’re, you know, as you have these things popping up and modifying and morphing, you know, peace of mind that you’re, that you’re staying on top of what you’re supposed to be doing from a security and compliance perspective.
You know, one of the big benefits of that ongoing relationship with the security compliance consultant is you’ve got that, you know, kind of third-party, you’ve got that third-party objective view of your organization that they can, you know, kind of give you, you know, give you the brass tacks about what’s going on. The other benefit is if you have that kind of long-term partner that knows your company, you know, well enough to be able to provide you with this, you know, kind of customized expertise, you know, et cetera, is that, you know, they’ve developed an affinity or a knowledge of, you know, of your organization. They know what you’re doing, why and how. You know, they can give you sound advice. You’re not having to hit the, you know, it’s like Groundhog Day every time I want to have a conversation around security and compliance. So, you know, you’re basically getting a ton of, you know, a ton of kind of capability, you know, at your fingertips. And, you know, those security compliance consultants can often, you know, help you, you know, steer clear of, you know, problems, pitfalls, wasted time, wasted effort, integrating, you know, a vendor that they already know won’t work, that type of thing.
Absolutely. Well, what are some of the things to look out for in a security and compliance consultant? Like I always say, like, it’s not just what you can do, it’s how you do it. Relationships matter. Right. Well, with any important role for the organization, you need to make sure you’re getting the right fit. It’s more than just skills. So, there’s plenty of, you know, folks out there that have experience, but, you know, you want somebody that, you know, that’s going to fit the organization, that’s going to, you know, that understands your business at the same time. So, you know, look for somebody that’s been in the space for years. They’ve been battle-tested. They, you know, they, you know, even if you only have a couple of security standards to comply with now, pick somebody that has a wide range of experience with different certifications. You know, it can be helpful to hire somebody that has that range of expertise, you know, just because you don’t have any idea what’s coming down the, you know, what’s coming down the pipe, what new requests and requirements are going to come your way. You know, certainly asking colleagues and contacts that you have for referrals to, you know, to good consulting organizations, you know, ask them as well, you know, for any lessons learned when they, when they did their own engagements with consultants, what things to look out for, questions to ask during the vetting process, etc. You know, they can be a great resource for, you know, providing you some, you know, some good, good information, you know, because the reality is, is that, you know, security and compliance, you know, isn’t, you know, it isn’t a one-time thing, it’s something that is, you know, should be part of the organization’s DNA, you know, and something that you’ll, you know, that you both grow together on. Thank you.
Indeed, parting shots and thoughts for the folks this week, Adam. Well, you don’t want to leave your, we used the example earlier, but you don’t want to leave your company’s accounting health to your internal payroll person, just like you don’t want to leave your cybersecurity in the hands of your internal IT personnel. So, retain that expertise that you need to get your company set on solid footing for ongoing cybersecurity capability. Certainly, TCT has been providing security and compliance consulting to organizations for over a decade. And we can also recommend folks that would be a good connection. So, I’d recommend to organizations, you want the peace of mind that your company’s in good hands. So, start that conversation around your security and compliance consulting needs. Certainly, reach out to TCT as it would be helpful.
Absolutely. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.