Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Cutting Costs in Your Company? TCT Portal Helps You Do More With Less!
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd take an in-depth look at a topic that is plaguing many around the Cybersecurity and IT space – Organizational Cost Cutting. Trimming the fat, tightening the belt, lessening the load, whatever an organization calls it, the concept is an all too familiar one in the compliance world.
Curious about why companies are scrambling? Wondering about your organization’s wasted costs and how a compliance management system can save you time, and those all-important dollars? Then you’re in luck!
All these answers and more on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the chicken soup to your compliance soul, Mr. Adam Goslin. How the heck are you, sir? I am doing just fantabulous. I’m wondering when you’re going to run out of these intros. You haven’t done it yet. What is this, 120 something of these? So, I don’t know, wouldn’t hold your breath. Keep them coming. Well, today we’re actually going to talk about something else that keeps coming up, and that is the costs associated with running a company. And what we’re going to chat about today is, actually cutting costs within your company.
So, what kinds of things are going on these days causing companies to consider cutting costs? Well, generally speaking, I’m seeing a number of organizations kind of pulling in purse strings, and trying to do more with less. When I started looking at the numbers and started digging into this one, one of the things that I didn’t realize was that over the course of last year, Forbes was calling out job cuts totaling just north of 270,000 jobs in 2023, and that that had risen by almost 400% over 2022. And of those 270,000 jobs, 240,000 of them were in the tech sector. So, that rise was a 50% increase over the prior year. So, even in 2023 we were seeing this move toward increased layoffs, and things along those lines happening. Certainly seeing it just in terms of a general business environment, even when these numbers were put out by Forbes, it was five weeks into the year, they were saying that so far in 2024 we were closing in on about 25,000 layoffs that had been noted. And at that pace, that puts 2024 on track, if it keeps up, to effectively match the rate of job loss in 2024, it all depends on how things roll out over the course of the year. So there’s prices going up, we’ve got inflation on the rise. It’s just tuning up to be an environment where we’ve got a lot of things going on in the market that’s really driving CISOs of organizations to tighten their budgets. And the funniest part about it is, not funny, but the difficult challenge if you will, is that CISOs are fighting their budgets, getting the screws put to them. Meanwhile, do you think that the demand internally is just that everybody takes their foot off of the gas? It kind of feels like you’re in an impossible situation. How can you do more with less? How do you shift the internal focus from feeling like your department or your group is part of the problem, to really being part of the solution?
So when you’re looking at an organization that’s looking at trying to cut costs, you can really approach it in two major ways. You can try to cut spending, which seems to be everybody’s kind of knee jerk reaction, right? How do I lop this off, lop that off? And unfortunately, personnel is typically one of the biggest line items. So it becomes kind of an easy out for a lot of organizations, ah, let’s just go lop some heads type of an approach. But you’ve also got the opportunity to improve efficiency. Actually do more with less, to kind of right that imbalance that’s being perceived. And part of the challenge there is, when you’re talking about improving efficiency, it’s not as fast as the, I’m going to call it the easy button of, yeah, let’s just go launch some bodies and right the balance sheet if you will. There’s not an easy button? Yeah, yeah, no, not when it comes to efficiency improvement. I mean, you gotta take some time to be able to get them implemented, get those dialed in, get those actually being efficient. And then, most importantly is realizing some of the savings that you’ve now drilled in. So, it’s process. It’s a process. Indeed.
Well, what are some of the wasted costs on compliance engagements? Well years ago, one of the parts that would drive me crazy is just how much stupid waste of time that I would have on compliance engagements, and this was just when I was dealing with a single compliance engagement. I’ve spoken many times, about my not so fond memories of my first trip down the security and compliance path, as somebody doing it for an organization I worked for. There were lots of things that were happening. It almost felt like every time I was taking a step forward, then I was taking at least one step back. You’ve got somebody on the team submitting their evidence, but it wasn’t complete. You’ve got another person’s evidence that went up to the assessors getting rejected. You’ve got everything for, whatever, PCI compliance requirement one done, except for stuff we need from one particular individual, but they’re on vacation until next month. You’ve got people that have questions about their items, so what do they do? I’ve told this before, they sit around, they wait for the weekly meeting so they can go ask their question. Meanwhile, we’re dropping in the process, whatever, four calendar days, just while this person’s waiting for the freaking meeting. You’ve got time that you’re spending, going through all this stuff that’s coming at you, through a whole bunch of different channels.
Typically when you’re on a compliance engagement, you’ve got stuff coming at you through email, through text messaging, despite the fact that you told everybody where to put their stuff, they go and place it in umpteen billion locations. I can’t even tell you how many times over the years I’ve gotten a message similar to, I never could find where you wanted me to actually put my stuff, so I put it here. And then they just send you an email, right? I blopped it here type of thing, and now it’s sitting in some fricking folder on SharePoint or whatever. And sure enough, wherever they happen to drop it over on SharePoint, I don’t have permission to. And, it’s just a never ending bleed of just absolute stupidity. And, there’s manual labor that’s involved with having to manage and maintain your complicated spreadsheet that you have to maintain, just to know where in the hell things are at. So let’s say I’m getting ready for my weekly status meeting internally. I literally wouldn’t schedule the meetings until midday, because I needed to spend basically the morning trying to get some semblance of where the hell things were at. And because, it’s human nature, right? Oh my gosh, there’s a meeting coming. And I know if I go get on that meeting, I’m gonna end up with a black eye because my stuff’s not done. The majority of the people on the team, what do they do? They spend the morning before the status call, whipping crap over the wall, right? And so meanwhile, I as the compliance person, I’m trying to update the damn sheet, but I’ve got this fire hose of crap coming at me, because everybody’s trying to get their name off of a hot list. So I started updating it at 8:00 or 8:30 in the morning, so by the time I get to the meeting at 11 or noon, I’ve now got so-and-so markdown as well, I still need their stuff, right? 
Well meanwhile, they sent it in at 9:30, and then they get on to the freaking call, this is the part that used to really just drive me absolutely nuts, is that they go and they get on the call and you’re like, whatever, let’s say I’ll pick on Bob. Bob, I’m showing that you’ve still got four items open, and Bob indignantly is giving you the update on the call. Well, I’ve said that to you already type of thing. Meanwhile Bob just pulled it out of his arse at 9:30, flinging it over the wall. So, it’s just never freaking ending. We didn’t even talk about the fact that you’re spending time hounding people to finish their tasks.
These compliance engagements, they’re fraught with just a complete waste of time. And a lot of the problem is, a lot of that wasted time goes completely unnoticed. Everyone just kind of gets accustomed to the inefficiencies that they’ve got built into the way that they’re doing it. They do it the way they did it last time, and they’re going to go in and do it the same way again. A lot of people have this notion that well, the only person that’s really wasting time is just the poor soul that sat down last when the music stopped, that got nominated to be the center of the universe for compliance. It’s not just that person. Yes, that person is markedly more heavily burdened with time waste, but the waste of time is going across the entire team. Every single person that’s involved in the process is wasting time. The HR person, your person in legal or contracting, your people in IT, your software developers, whatever, everybody that’s producing evidence, they’re all wasting time. And it’s not counted in minutes, we’re talking about hours. And when you start translating the hours of wasted time into dollars, you’re literally talking about tens of thousands of dollars every year that go straight down the toilet. It drove me nuts for a long freaking time.
Well, what are some of the ways that leveraging a compliance management system like the TCT Portal, or something along those lines can help with cost cutting? Well, the whole reason that we built the TCT Portal, number one, I kind of love our tagline of making compliance management suck less. I don’t think there’s a tool on earth that can make the process of compliance management completely not suck, but that’s why we say suck less. The reality is, the TCT Portal was literally built by people living and breathing compliance, trying to create a solution that will make life better for those that are involved in compliance related activities. There’s a lot of things that are built into it. We covered some of the problems earlier, but you look at things like streamlining your status checks.
So, I was talking about how it would take me hours to put together an outdated version of where we were at by the time I would get to the weekly meetings. That’s just wasted hours down the effing toilet. In the TCT Portal, you’re seeing an immediate, accurate, live view of exactly what’s going on. So when Bob is busy flinging his deliverables at 9:30 the morning of the meeting, it doesn’t matter. I’m not sitting there, blowing my time from 8:00 or 8:30 in the morning, trying to put all these pieces together. Instead, you can transition into a world where you can legitimately go log into the TCT Portal, go look at the live status, and see exactly what’s going on. I can see that Bob just submitted his stuff at 9:30, but it’s live. It shows it’s up in my hands now. So not only are you not blowing time in prep, but you have an absolutely clear line of sight to know who did what, and when did they do it.
We talked earlier about how some of the members of the team will sit around and wait for the weekly meeting to ask their questions. When you’re using an automated compliance management system, the personnel don’t have to sit around and wait till the meeting happens. They can instead submit their questions. And it’s available 24/7 365. So if Sally is in, and happens to decide to take some time on a Saturday evening to go in and look at something, but she’s got a question, don’t wait until the meeting next week Thursday. Instead she could just go put her question down into the portal, send it up to their compliance manager, and guess what? She’s probably going to have an answer, bare minimum, by Monday morning at some point. Now I’ve saved all day Monday, Tuesday, and Wednesday, and she can be off and working away on this stuff. You’ve got questions that come up from the team about what do I have? That’s a popular one. What all do I have? Well, guess what? You’ve got that information as a participant in the compliance process, you have that literally in hand. Go log into the system and poof, I can see everything that’s in my hands. Some of the automation of the mundane tasks, that gets to happen. So it would depend on where I was at in the compliance continuum for an organization, but there would come a point where literally every day I was putting together what I still didn’t have, and had to compose emails to these people saying, hey, yeah, I got these three items, but you still got eight left. Constantly churning, sending people emails and asking for their stuff and nagging them. In an automated compliance management system, all of that happens by default out of the system.
So, the best part is, it’s absolutely accurate. So, that’s a huge difference. I mean, let’s say I spent three or four hours trying to put my status thing together, and then start sending emails. Meanwhile, so-and-so sent me their evidence at 9:30 that morning. That disconnect doesn’t happen when you’re sending the automated reminders straight off of the system, because the system knows. Have they moved that item up? Yes or no? They didn’t? Okay, cool. The next piece, if you will, about ways that it makes it better is, you get into an opportunity where you are staged to be able to build on efficiencies year over year. So when you’re in this manual notion, the wheels start creaking, and you start pulling out your spreadsheets again, and basically it’s like Groundhog Day from a compliance perspective. You’re going back to the same old damn spreadsheet, doing it the same old way, and dealing with all the same problems. But when you move into a compliance management tool, you’re now in a world where you have a rock solid repository of what happened last year, who did what last year, what evidence did they supply last year, and, and, and. So when you’ve got that solid repository and you’re going into year two, now instead of it being, let’s say, nine months or 10 months since Bob had to go produce fill-in-the-blank evidence, now Bob can go log in and readily reference, this is exactly what I needed to provide last year. Hell, they can go in and look in one spot to look at last year’s track, and see exactly what they produced. They can just go in and grab the updated stuff.
The volume of questions coming from people goes way down. The quality of what you receive coming up the workflow is substantively higher. It’s life altering when you move from the manual world into a world where you’re using tooling and technology to your benefit. Where it’s especially helpful is when you have turnover on your team, that’s probably one of the biggest benefits. Because you think about it, right? In that manual world, where last year it was Angela that was doing this, but Angela left the company, and now you’ve got Frank that’s stepping in to go take over. Frank needs to go run into all the same frickin’ walls that Angela ran into, maybe some more. He doesn’t have any clue what the hell Angela did last year, and he’s gotta go learn it all over again. And so instead of either, that’s been so long since the person did it last time, or it’s literally a brand new person, in either case they have an absolutely clear repository of what Angela did last year, and what Angela provided. You can literally mirror the assignments from last year to this year. Everywhere where it says Angela, I’m going to switch it to Frank. Frank can see everything Angela did. Dude, it’s fun. It’s absolutely fun watching companies go through that process, and begin seeing all the light bulbs twinkling as they’re starting to connect the dots.
The other element of leveraging a compliance management portal, for example. We’re in the process as we speak of transitioning from PCI 3.2.1, and now we need to move from PCI 3.2.1 over to PCI 4.0. All of these compliance standards have periodic changes that will occur. And what we’ve got is when you’re doing it manually, now I get the added joy of, okay, now I need to go in and I’m going to need to core and gut my tracking sheet, so that it matches all of the 4.0 requirements. Basically that, and however you were attempting to get people to store their information, you have to redo your whole repository for that as well. In a compliance management system, you’ve got a couple of different benefits that come into play. One is, if you’re in a position where your compliance has changed from prior year to this year. With the TCT Portal, somebody that did a 3.2.1 last year, they can effectively migrate their existing engagement over to 4.0, and the system will help take care of it for you, you can readily reference with mappings. The 3.2.1 to 4.0 transition, when I’m on a 4.0 engagement, I don’t need to retool at all when I go and I move into a PCI 4.0 engagement, because all the work’s done, you’re leveraging the system, you’re not blowing your time rebuilding your internal process.
For those organizations where they’ve got a lot of compliance requirements. I actually watched this unfold with one particular organization. They started with HIPAA, then they layered on SOC, then they layered on PCI, then they layered on ISO, then they layered on more. And at one point in the game, just because of the capabilities of the first assessor they picked. They layered on these additional certifications, and ended up needing to fold in a second assessor, and then a third assessor. Eventually after several years, it got to the point where they said, now let’s bring this all together again. So, then they started collapsing it down. Instead of having the multiple assessors across the various frameworks, with a whole bunch of wasted time. They folded it all down to a single assessor that could take care of everything. That said, when they moved into that world, there comes another capability of a compliance management system like the TCT Portal. What they did is, they had the assessor effectively put together, we’ll call it a request list, a consolidated list. Instead of collecting the list of things for PCI, and the list of things for HIPAA, and the list of things for ISO. Instead, what they did is they had the assessor put together one concise list of the stuff, and then had mappings to which certifications these requests were going to clear. Effectively, they could bring it down from an arena that was just a gigantic jumble of redundant requests on different certifications, down to one list. But there were mappings that we then put into play that basically said, off of the single list, now I’ve got the mappings that’ll map out the list of the evidence over to HIPAA and over to PCI. That just sounds so much easier. Oh yeah, it’s a bajillion times easier. So basically, on the client side, it made it way easier for them. 
Because now, instead of having a track for each of these various certifications, or tracking spreadsheets, they had one list that they could go in and just collect against. And that’s all they needed to focus on. So that made it a hell of a lot easier.
Even when you’re leveraging a compliance management system, we talked about the organization that now needs to layer on another certification. Because of the fact that a good quality compliance management system is going to enable your organization to take advantage of things like certification mappings. For folks that are using TCT Portal, if they’re already doing PCI and HIPAA, and now decide to go layer on ISO 27001, it’s not the same burden that it used to be. I don’t need to go and spend weeks mapping items manually myself. Every single organization that needs to do this would have to do it themselves in the old world. Welcome to the new world, now you can just basically go in, layer on an ISO engagement, and take advantage of the mappings that are already there. You’re getting answers quickly of, all right, so how does my stuff map over to this new standard? What items are leftovers that I’m not really currently covering properly? You’re able to take advantage of this myriad of efficiencies that otherwise these organizations wouldn’t be able to take advantage of.
Really what drives me crazy with this space is, that if you think about it, every single one of these organizations are all blowing this time. Meanwhile, in one consolidated system, it’s got the capability to cure the problem for all of these organizations. It’s really something that obviously I’m passionate about. I got into this space to help people make the management of their compliance suck less. Trying to get the light bulbs twinkling, that’s really what it’s all about for me. Most assuredly.
Now, it’s all well and good, but can you give me some real numbers? Like, what are we actually talking about when it comes to saving? Well, you’re not going to just save a handful of hours when you go to something like the TCT Portal, a real compliance management system that consolidates your engagement into that single location. You’re not saving a handful of hours, you’re saving literally a ton of time. The man hours will start to add up fast. At a high level, I’ll get into some of the details here in a minute. But, you’ve got the capability to take advantage of 65% savings of the time that you’re putting into your engagements when you make this switch. And 65% sounds great, but we’ll talk a little bit more about, kind of an example scenario for an organization just to drill it home. But this is no BS. This is time that people are actually saving. And, as a result of freeing up hundreds of man hours or potentially, depending on the scale of the engagement, thousands of man hours. This is huge for organizations that are going through cost cutting initiatives, because with the investment into the tooling, you have the capability to make a major impact on the company bottom line, which we’ll talk about here in a minute. Not only is it reducing the wasted expensive personnel that are dumping wasted time, but it frees them up for other stuff to do. It allows you to make more effective use of those resources that you already have. And like we were talking about before, this enables your personnel to become more productive, delivering more results for your company, helping you gain traction in the marketplace. I’d much rather have people not blowing 10 to 20 hours a week on useless crap, and being able to put that to making a real difference within the organization.
I’m going to take this from the perspective of a company going through compliance first. In fact, I think I’m going to take it from that perspective for the sake of this discussion. Because really, at the end of the day, it’s the companies going through the compliance that have the capability to save a ton. Certainly the assessors and auditors out there, depending on what they’re leveraging, especially if they’re on spreadsheets, they can save even more. But I’m going to keep this to a company going through it. So we talked about, kind of the investments annually, kind of first creating how we’re going to store and manage our system. In this manual world, you’re probably talking about weeks and weeks of time spent, initially building this thing, even when it comes to tweaks or modifications I want to make in year two plus. You’re still talking about probably at least a week’s worth of time, sanity checking, double checking. I’m going to call this a relatively small engagement. And I’m doing this because the bigger the engagement or company gets, the more people that are involved, the more that you’re able to actually save. So, I want to take it from a small perspective, just so that I’m not blowing the numbers.
This is all readily attainable by most organizations going through compliance. So, you figure that maybe there’s one to two people involved in the compliance management style activities. Maybe there are, on average, four people that’ll show up to the weekly internal meetings on compliance. And maybe there’s a total of six people that are provisioning evidence for your particular engagement. But, you go and you spread those numbers out against the various things that happen on a compliance engagement, such as initially making all of the task assignments, telling people about them, and people working on their evidence, and the wasted time collecting garbage from all these various locations, maintaining this tracking sheet, holding your internal meetings, and prepping for internal meetings. All of these various and sundry tasks, including sending these items up through workflows, to get them into the right people’s hands that are next in line. And with that scenario, with the numbers of people I was talking about, we’re talking about for a small organization under a manual system. You’re talking about investing over 1,500 hours into your building and execution of your compliance management. Now keep in mind, this is going under a guideline assumption the engagement is taking you three months. If it takes longer the numbers are even bigger. So keep that in mind. So, you’re talking about 1,500 hours for your year one. And even if I then go and integrate some manner of efficiencies, and I don’t need to rebuild the whole system from scratch. You’re still talking about, in year two plus, over 1,300 hours for doing it in this manual world. And we talked about earlier, the savings of 65%, it’s not a joke. When I go and I put that into TCT Portal world, that year one number north of 1,500 hours is under 500 hours when all is said and done. Your year two plus manual world of 1,300 hours is more like 300 hours when you get to year two plus in a compliance management system.
As I look at these numbers, and let’s just take your first year numbers and run with those. If I look at it, that’s saving the company over 1,000 hours in that first full year when you’re leveraging a compliance management system. Putting this in perspective, one full-time resource is approximately 2,000 hours in a normal year. This is a half a body, this is literally a half a body over the course of an entire damn year that you’re able to now regain by heading down this path. You figure if the average cost of the people involved in my engagement, if that cost of those people would average $60 an hour. Now I’m talking about with that 1,000 hours, I’m talking about personnel cost savings of $65,000 in that year. It’s kind of the net equivalent of what I’m talking about here. Even when you go and put the investments into acquiring the base package of TCT Portal, you’re still clearing $58,000.
And the flip side of this, and the part that kind of drives me nuts about the folks that look at this problem. Just looking at the cost side is, if they would put on their let me think about this a little bit more hat. Let’s say that if I was able to effectively make use of my saved time from the resources that I’ve got, and let’s say as an organization, I’m able to monetize their time at a rate externally of $180 an hour. Well, effectively, with just the same time that I now have, I can go ahead and realize revenue to the tune of closing on $200,000, with that same time that I’ve now saved, as a result of making the investment in the system. So, this is where I would challenge the folks that are struggling with, hey, we need to do more with less. Look at it differently, change the equation. This isn’t just about lopping heads. This is about far more than that when you get down to the bottom line. Indeed. Indeed.
Parting shots and thoughts for the folks this week, Adam. Well, we’re in the process of making, as we speak, literally making some pretty substantive updates to our ROI calculators on the TCT website. So if you go to our website, it’s easy to get there by going to gettct.com. Click on resources on the top nav, and go into compliance guides. There is a detailed guide on making the case for the compliance management system. It’s kind of like a more detailed walkthrough that basically helps to arm the folks that are struggling with compliance management to work through, how can I make the case for this? But as we roll out, I would expect, probably within the next couple of weeks, we’ll have the updated ROI calculators out on the website. Those are also available straight through the website. Keep an eyeball out for those. Those ROI calculators will be a very good companion to making the case for a compliance management system. What I would implore you to do is, look deeper than just looking at cost slashing and lopping heads. Sometimes it makes sense. Sometimes you do have bodies that are superfluous, or you may have reasons you’re doing it, but don’t look there by knee jerk. Look at other ways that you can go through and basically right the equation that your company is currently facing. You’ve got the opportunity to reduce costs, but also look at those optimization opportunities. The numbers that we’re talking about here with leveraging a compliance management system, they’re not smoke and mirrors horseshit. They’re actually real realized savings that companies can really take advantage of. This reduction in cost means more available time. And if you capture that time, then that’s the important part, right?
I’ve seen in many organizations, they do things to optimize it, but leadership doesn’t feel like we really gain anything through that process. And that’s really where I would encourage a strong partnership between those in the organization going through compliance, whether they’re generating evidence, or whether it’s the core compliance team themselves. But, I would encourage a greater partnership between them, and the other leaders of the organization, so that collectively as a team, they can really take advantage of what do we wanna do with the time that we’re going to save here. Let’s put a plan together so that it just doesn’t evaporate into the ether. You go walk into this with intention, you’ll have the ability to free up hundreds of hours that could be leveraged to do whatever you want. You could be increasing revenue. You could improve the quality of your internal support. You could put more time into internal projects that are necessary. Whatever you want to do with the time, it’s up to you. But look at it from a perspective of, use the investment of that efficiency to help out your top line, and to accomplish your goal that you set out of the gate, just accomplish it indirectly.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.