Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: How to avoid getting in hot water with your Assessor


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd have an in-depth conversation about some of the common pitfalls companies can face when going through an assessment, specifically as it pertains to engaging their assessor.

This nuanced discussion will go over all the finer points to winning favor with your assessor, and how to avoid hitting those unwanted notes along the way. Don’t miss out on this week’s edition of Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin. 

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Maraschino Cherry on top of your hot fudge Compliance Sundae, Mr. Adam Goslin.

How the heck are you, sir? I am doing very, very well. You are giving me flashbacks of my kids raiding the cherry jars at innumerable restaurants. And those were fruitful pursuits, as one might say. 

Today, we’re going to talk a little bit about how to avoid getting in hot water with your assessor. Now, it can’t be fun getting into issues, aka hot water, with folks in their shoes. Tell us more about this topic, Adam. Sure, there’s a reason why organizations do get nervous when their annual PCI compliance cycle comes around every year, or fill-in-the-blank compliance cycle comes around every year. You know, it’s no fun to be in that position of feeling like I’m on the hot seat with the QSA. And if you don’t have it together, then that’s kind of what you’re in for. There’s a lot of organizations, they’ll find themselves in that hot seat more often than not, but it doesn’t really need to be that way. Most of the QSAs aren’t necessarily interested in playing bad cop type of thing, but they do have a job to do. You got to remember it’s their reputation that at the end of the day is on the line. You want to make sure you’re avoiding the hot water, if you will. It’s not challenging in the grand scheme of things, but you do need to have some commitment and discipline and a good compliance management system in hand to be able to prep you for and navigate those waters to keep you on the straight and narrow, if you will. 

Now, what can organizations do to take things more seriously? Well, in a lot of cases, the motivation for getting PCI compliance, just use PCI compliance for the sake of this discussion, but this would really apply to any industry standard compliance, but the motivation for getting PCI compliant, in many cases, it’s not, oh, gosh, we suddenly woke up on this miscellaneous Wednesday and now care about security and compliance. More often than not, some important client says you need to do it, or they’re chasing down a big whale of a prospect that says, thou shalt get PCI compliance. And because you feel effectively obligated to get it done, executive leadership is looking to just check boxes, etc. And if all you’re wanting to do is get past it and move on, then you’re motivated to take all manner of approaches to get that done, including cutting corners. So as a result, you’re not going to be as open and transparent with the assessor, and you’re going to try to give them as little as you possibly can, because you think that it’ll shield you from any additional exposure. And the challenge there is it’s hard to keep up the appearance. PCI DSS has hundreds of line items, and they all need to line up with one another. So this notion that, wow, we can just whitewash this and toss some stuff over the wall, etc., and have this be easy peasy lemon squeezy is not usually doable, shall we say. You know, you think about it, right? It’s like a kid trying to, you know, trying to keep up with a really, really, you know, complicated fabrication that they’ve, they’ve peeled out over, you know, a multitude of people, etc. You know, you’re, you’re, it’s hard to keep the story straight, you know, over, over that many items. You know, it’s really difficult to pull off; it’s not going to take your QSA long to sniff it out. And pretty fast, you end up finding yourself busted. And guess what, guess what temperature your seat just became. 
So, you know, an experienced assessor, they know pretty quickly that they’re not getting the whole story. And at that point in the game, the assessor will now start asking more questions, right? You know, they’re, they’re, they walk and typically walk in with this notion of, you know, everything’s cool. But the minute that they start smelling that something’s off, you know, they’re going to start digging in. They dig deeper, ask for more evidence, additional evidence, start doing additional comparisons of evidence. At the end of the day, the PCI assessment becomes a much more painful process to go through as the assessor is following their intuition and starting to tighten screws, if you will, to make sure that they’re doing their due diligence. Again, I talked earlier about how it’s their name that’s on the line. What do the assessors want? The assessors want to see that the company cares about security and compliance and has it together. They want to work with organizations that have that level of care, doing things appropriately and correctly. That’s their goal and their objective and their dream clients as well. I’ve experienced some organizations in the past where there were people that were quite literally fabricating evidence to support their objective of box checking and found themselves, don’t work with them anymore, but fabricating stuff to go pass up to an assessor and getting caught in it. You don’t ever want to enable this culture of checkbox compliance. I’ve seen too many snake oil systems out there with, just go use this and poof, you too can be compliant type of a thing. It’s not quite that easy, although people will make you think it is. You don’t enable a culture of not caring about the stuff. If you care about security and compliance at all levels of the business, that will then show through in how you’re approaching your compliance and rolling down and into the relationship with the assessor. 

Well, what types of prep work can be done in advance? Well, you don’t want to go into the engagement partially ready to go. You want to have all of your evidence generated. You want to make sure that it’s all up to date. You want to make sure that you have all of the hundreds of line items with the right stuff, ready to go, et cetera. There’s a lot of reasons that companies aren’t ready or prepared for their engagement. Maybe it’s their first run into PCI, maybe some type of a corporate level disaster struck, which threw things off track. More commonly, it’s because the target organization attempting to go through compliance didn’t lack planning. They assumed that compliance could be managed between other stuff, you know, et cetera. You know, and you wanna have a good idea of the, you know, kind of the cost of what it’s gonna take to get through that compliance journey. You wanna plan appropriately for the time that it’s gonna take for internal personnel to complete their work. You don’t wanna be in a situation. I’ve been on numerous engagements where I almost felt like, you know, the client was trying to make these very difficult decisions, right? Because they viewed, because of the fact that they viewed compliance as something extra that could be done in my free time, you know, type of a thing, versus something that needed some dedicated hours towards it, you now almost find yourself in like hostage negotiation, trying to figure out how am I gonna get the time to be able to get the stuff done that I need done in order to meet this goal of achieving compliance. It’s a tough situation. So, you know, you don’t wanna find yourself, you know, desperately trying to materialize evidence, you know, right in front of your freaking assessor. You know, it’s impossible to try to address the QSA’s inquiries when you’ve only got, you know, partial completion or partial storage, you know, that type of thing. It’s too hard to wing it. 
But I’ve seen several companies over the years, especially those that are new to the, you know, security and compliance arena or, you know, they’ve never really, I’ll put you this way, they’ve never really done it with somebody that’s been there before, you know, or every time they’re walking into their engagements, it always just feels like a shit show, you know, type of a thing. 

Those are the key indicators that, you know, that, you know, I really, it’s freaking stressful, man. You don’t, you do not wanna be going through, going through that, you know, all that mumbo jumbo. 

You definitely organized in advance though, right? Like that’s the focal point. Yeah, you know, you don’t want things to go quickly from frustrating, you know, from friendly to frustrating when the assessor, you know, is live realizing that they’re, you know, they have this client that’s just living in chaos. You know, I’ve seen organizations that’ll set up the onsite visit, but then the people that are needed to facilitate it are there, aren’t available. They didn’t think through backups for, you know, for people. And so the assessor’s time is getting wasted. You know, you want to make things smooth and easy for the assessor. You want them to maintain that, you know, kind of sense of organization and calm throughout. You know, it gets uncomfortable when the target organization is struggling to have things at their fingertips. You know, the assessors don’t like it when the client feels, you know, when the feel is that the client is unprepared or can’t readily produce documents. There’ve been some pretty uncomfortable experiences in the past where, you know, the assessor’s saying, hey, I’d like to see blah, blah, blah. And, you know, everybody’s looking right. And, you know, and you can kind of see it on their faces, right? Everybody’s like, oh crap, where is that? Who did that? You know, who did that? Where did we put it? You know, blah, blah, blah. They can’t even put their fingers on the stuff that the assessor’s asking for. And, you know, it’s, you know, what’s the confidence level of the assessor, you know, that this organization’s gonna be able to operate in a compliant manner if they can’t even put their fingertips on evidence that they’re supposedly living by, you know? 

Not great. Yeah, it all comes back to the organizational prep. You know, when you walk into the engagement, you wanna make sure everybody knows what’s expected of them, you know, anticipating what the assessor’s requesting, you know, having, you know, having backup plans, you know, at the ready. You know, I’ve been, I’ve been on, on sites where quite literally, somebody got, you know, somebody got in an accident on the way in and had to, you know, wasn’t able to make it, you know, type of a thing. It’s like things happen, people get sick or whatever it may be. So, you know, have that all kind of thought out. You want to, you want to show that, that assessor that you’ve really got your shit together when you’re going through these engagements. You know, the difference in that assessment experience, it’ll literally be, be night and day. 

Yeah, I can only imagine. Now, it is true some organizations will use a strategy of drawing out the on-site time, right? Like it’ll, oh yeah, yeah, yeah, that’s right over here, give us just a sec, then not just a second, a little longer than maybe a second. Well, I’ve seen honestly more than a handful of engagements where the target organization that’s getting assessed believes they can just game the system in their favor. And the way I’ll typically see it play out is that they will make deliberate attempts to slow down the on-site visit. So the client organization’s under this belief that the less that they show or get to the assessor while they’re on site, then well hey, that’s just the fewer things they could possibly find. And so it’ll make things easier all the way around because we didn’t, you know, we didn’t show them stuff that otherwise could have got us in trouble. And basically just, you know, it’s a fine exercise in wasting the assessor’s time. Yeah, they’ll throw in a bunch of, a whole bunch of, yeah, yeah, yeah, don’t waste my time. So they’ll throw in a bunch of breaks and, you know, you know, magically people aren’t getting back when they’re supposed to and gosh, I guess we’re gonna have to move on to the next requirement and, you know, and all sorts of crazy approaches, you know, and all the, all you’re doing at the end of the day, all you do is sitting there, you’re poking the bear, you’re poking the bear, you’re poking the bear, you know, and the assessor’s just getting, you know, continuously increasingly frustrated. You’ll love this one. 

I was on an engagement one time, the company had picked a place to go to lunch, right? Sounds like a good idea. The place they picked was 35 minutes away and the restaurant was serving a multi-course meal. And we, quite literally, the total time away from the office is about three and a half hours, like literally half the day was evaporated with this game plan they had for lunch. These companies, they think that they’re rigging the system, and what they don’t get is just because you delayed, I’m sure the assessor enjoyed the drive, I’m sure they enjoyed their nice long lunch, but basically, you’re just delaying things. You’re wasting the assessor’s time during the on-site visit. It’s not reducing any exposure. In fact, when the assessor sees stuff like this, again, it brings them back to they’re going to want more. They’re going to start digging in. They’re going to sense that there’s an issue. You know, things along those lines. The assessor is going to either possibly schedule a completely separate second on-site visit where, you know, and they’ll keep coming back and doing on-site visits until they get through what they need to, you know, type of a thing. I saw one assessor do that. It was actually, it was pretty funny, but on the client side, they end up having to pay for this assessor to, you know, fly back, fly back out, you know, more, more hotels and meals and blah, blah, blah. It’s just such an atrocious waste of time. Or the more often than not, the assessor will schedule additional remote working sessions with screen sharing. You know, the thing that these organizations got to understand, the assessors aren’t idiots. They’ve been down this path before. They’ve seen all of the, all these various games. And so, you know, you, you know, doing these tactics is literally lighting, you know, lighting flares, you know, toward the box that says we didn’t do what we were supposed to do type of thing. You know, it’s, it’s, it’s unreal. 
So, you know, you, you don’t want to, you don’t want to end up shooting yourself in the foot, you know, and getting, you know, more pain and getting the, the interest of your assessor, you know, dialed up just for, you know, just for kicks and giggles. 

Yeah. Now, a lot of these organizations, Adam, will, will, will nominate or, or, or voluntell somebody, as I like to say, to, to go get this taken care of, won’t they? Just like one lamb to the slaughter. Yeah, they, more often than not, they, they go ahead and hand it to some, some poor soul in IT. You know, is typically the way they’ll go. Either IT or sometimes they’ll pick somebody in, you know, kind of the finance arena, because they’re used to doing it. That’s the, that’s the funnier part. They’ll pick somebody in the, in the accounting arena, because they’re used to doing audits. So they must be able to do an IT security audit, right? It’s like, you know, it’s one of the biggest myths about compliance, especially in the IT space, is that because your personnel can do IT stuff, that they just magically must know what they’re doing in the security and compliance arena, right? It’s the same kind of connection that I would wish that, you know, that the leadership at these organizations would get. Hopefully, it connects when I say, because your accounting people are doing financial audits, doesn’t mean that your accounting people should be doing your security and compliance audits, just because it has the same word in the phrase, you know. You know, in IT, most of them are generalists. They are fantastic at what they do. You know, they know how to operationally make things work, make them function, do their job well. But it doesn’t mean that they necessarily know how to do that in a secure, compliant manner. And it’s one of the repetitive, biggest mistakes I’ll see companies make is nominating, I like “voluntold,” the IT person. It’s a double-edged sword. The leadership has this notion that the IT people just know how to do it. And so they go and voluntell somebody. And it forces the internal IT crew to have to kind of, they almost feel like they want to carry out the ruse. 
And the biggest problem is, you’ve got to remember, IT people at this point in the game are very used to going, Googling things, figuring out things for themselves, solving problems. They’re kind of like the MacGyvers, if you will, right? Digital MacGyvers. Yeah, I mean, they’ll go and they’ll frickin’ figure it out, right? And so what do they do? They don’t go and fess up to the boss, who is like, you do know how to do this, right? They don’t go back to them and say, no. Instead, they go and try to technology MacGyver it. And when management’s coming up and telling the IT crew to navigate the company through this stuff, the IT people, they’re proud. They want to step up and show the boss they can do the job, etc. And so as we go and we look at a security and compliance engagement, we’re talking about expertise across hundreds of line items that cover everything from your scope of your engagement to networking to firewalls. 

Yes, so all the technical arenas that would fall into the IT space. But you’re also talking about HR, background checks, legal requirements, contracts, accounting, and there’s hundreds of things that these, these people need to be able to know walking, you know, walking into these engagements. And, you know, if you walk into the engagement, the assessor, you know, and, and you’ve, you know, volunteered the, the poor soul in IT, you know, it’s a no-win situation. You’re, you’re, you’re setting the, you’re setting your IT people up for a really rough ride. You are setting your assessor up for a long, painful engagement, you know, that, that’s going to take longer than it, far longer than it should. You know, and it, it really becomes a different story, you know, when you’re relying instead on a seasoned compliance consultant that’s been, you know, around the block a multitude of times, that knows how to lead organizations through this stuff, that is prepared, you know, organizations across years, many years, across many industries, you know, etc. It’s a huge freaking difference. The assessor can then immediately see the difference in terms of the way the engagement’s flowing. And it really allows them to feel a completely different tone as they go through, go through the engagement. 

Parting shots and thoughts for the folks this week, Adam. Well, I mean, you’re not gonna be going into your annual assessment and, you know, kind of, you know, clapping your hands together. Like, I can’t wait for this to start. It’s unusual that that would be the case. Some people may call a bus with some padded walls for you, you know, that type of thing. You know, so nobody’s walking in, you know, you know, fist pumping as they’re going into the process. But you can certainly avoid getting yourself in hot water with your, you know, with your QSA. You know, for the organizations, take your compliance seriously. Do your due diligence. Be well prepared. Use a compliance management system to put all of your stuff into. Do not nominate the poor soul in IT. You know, and you do those things and you have a hell of a lot better shot of making your assessor a real true ally. Not only that, but your compliance engagement is gonna go smoother and it’s gonna go quicker for you. And now right there, that’s the good stuff. 

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. 
