Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: TCT Portal Boosting Assessment Firm competitive advantage
Quick Take
On this episode of Compliance Unfiltered, Adam takes the time to break down how assessment firms have gained a significant competitive advantage through the use of the TCT Portal.
As the Founder and CEO of Total Compliance Tracking, Adam has had the best seat in the house for this topic for the last decade! This discussion covers all the standard pitfalls of the average compliance assessment process, and shows step by step how the TCT Portal saves time and headaches at every juncture.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Welcome in to another edition of Compliance Unfiltered.
I’m Todd Coshow alongside the triple shot of espresso in your compliance morning. Mr. Adam Goslin, how the heck are you, sir?
I’m doing good, Todd. How’s it going for you? I can’t complain. I truly can. I’ve had my triple shot of espresso, so you’re in a good spot today. I can’t tell. I’m going to chat a little bit about how the TCT portal helps boost assessment firms’ competitive advantages.
Now, given your experience interacting with numerous assessment firms over the years, what have you noticed at a high level about how these firms are approaching their engagements? Well, one of the things that I noticed when I was starting into doing compliance consulting was just how different all of the different assessors that I worked with would go about doing it.
The compliance standard didn’t change between client to client. However, each of these assessment firms, they had their own way of doing things that worked for them. For running their client engagement.
Really, you think about it, that process is the assessment firm’s secret sauce. It’s one of their competitive advantages that they can… that they can take advantage of and you know if you know if the listener is like most assessment firms then they you know they take pride in their you know in their proven process and you know they, they use it to stand out from their competition you can bet that they’re probably on the phone talking to so and so as whoever it is, is evaluating and you know they are you know they’re kind of pointing out the pride that they take and how they go about doing things and why you know their experience and, and you know etc. all comes into play you know any, any compliance management tool you know that an assessment firm you know is leveraging it, it needs to not force you know that assessment firm into just a you know canned workflow we have one way to do this and you’re going to do it this way and good luck you know,
shoehorning your process into our tool, you know, and that’s, that’s one of the big reasons why, you know, TCT portal was it was designed, it was designed to be configurable, to be able to fit the needs, desires, capabilities of, you know, these different organizations that that, that way they can, you know, kind of preserve that secret sauce that they’ve, you know, that they’re so proud of that they’ve that they’ve leveraged,
you know, we realized from the beginning, you know, that you need to get the software you pick, it needs to enhance the competitive advantage, not, not dilute it. So, you know, that’s that was an important factor for, for us as we, you know, initially launched the, you know, the TCT portal back in 2015.
And, you know, then have spent, you know, what north of eight, nine, you know, eight to nine years, you know, just continuously making it better. Coming up on a decade, man. That’s wild. How do assessors starting out their various engagements, and your struggle, excuse me, starting out their various engagements, and how can TCT portal help?
Well, the one big, the one big differentiator for, for TCT is we’ve got customized, customized template capability. So you got to remember the, the TCT portal from its start was not it wasn’t built to be a PCI compliance system or a HIPAA system.
It was I named the company appropriately, I named it total compliance tracking. In other words, I wanted a system that would be able to handle any industry standard. And, you know, it’s part of the cool part about our capabilities is, as a result, we can do whatever the whatever the organization wants, you know, we’ve got these, what we call customized templates, you know, where it provides fully configured certification tracks that you know, allow organizations to hit the ground running, you know, with their compliance engagements. These, you know, these template, the, the templating capabilities that we have, it eliminates all of that initial setup activity that, you know, these assessment firms end up having to do for every single client engagement.
You know, the, the template, you know, also has kind of an added bonus of, you know, really improving the consistency across engagements. It’s one of the, it’s one of the, the, the kind of fun parts, kind of seeing the impact that TCT portal has had on these companies, you know, is I would hear them, you know, hear them griping about how even though they laid out this process, etc., everybody was just kind of doing their own thing or, you know, whatever it may be, you know, with the, with the customizable templates, you know, you can preset the starting points for each engagement. You can pre-populate assignments across the board. You can preload examples and guidance, giving, you can provide your assessors, sample or starting point report text to be able to start building out their report text from. And not only do you need a template for each certification, but depending on the organization and their choices around how they wanna structure their templating, they probably are gonna need multiple templates, which we can support as well.
So, maybe on a PCI engagement, you’ve got a bunch of different scenarios you’re dealing with. So you’ve got clients that do or don’t have physical locations, you do or don’t have wireless, POS, POI devices and a bevy of other possibilities. The TCT portal allows the organization to create multiple templates that they can tailor for each of their client situations. It makes it supremely easier on the organization to be able to maintain their way of doing things while simultaneously being able to implement those in a consistent manner across the board.
For sure. Now, how does the assessor experience relate the guidance they wish to provide on their engagements? Well, they’ve got the guidance section within TCT portal. It allows for generation of your own directional guidance for specific requirements or line items that gives the clients tailored instructions or explanations.
Look at the guidance section within TCT portal. This is the capability for the firm to leverage their knowledge, their expertise, things that they would normally, under normal circumstances, in advance of using the system, they literally would have had to explain over and over and over and over again to every single client that asked the same question. And so, you know, what I what I typically will, will, you know, tell the, the assessment firms to do, implementing the tool, it’s an act of, you know, kind of internal, you know, configuration setup, adoption, but training as well. So train the clients when they are starting out their engagements to refer to the guidance that’s contained within the TCT portal. Now you have a scenario where your clients are able to self-serve. They can go in and they can get answers on their own. They’re not waiting till the next weekly meeting, etc., to go ask the same question you’ve already gotten eight, 10, 15 times before. It also helps because now you have less interruptions for your own assessor staff. The clients are more capable of being able to do what they need to do and still receive the directional guidance from your team. And the best part is, however you’d like. You want it in plain English. You want it uber-technical. Write it however. It doesn’t matter. And as a result, we see assessment firms that have accelerated engagements. And customers are generally seeing a greater level of value out of the interaction between them and their assessment firm.
Now what about assessment firms with a very specialized approach to data collection, such as like leveraging a request list? Well, we talked a little bit ago about the custom certifications. And you think about PCI, right?
It’s pretty overwhelming for most organizations that are trying to eat the elephant, if you will. To make things simpler for their clients, there are a lot of firms that they don’t want to just dump the full breadth of the PCI DSS to their client. But instead, they’ve created some type of a data information collection list. Maybe they call it a document request list. It basically boils down the multiple hundreds of potential items from PCI and boils it down to whatever, 135 things, right? That we need from the client. The cool part is, is that when the firms have put this together, so most of these assessment firms that take this style of an approach, they’ve typically done it in whatever Excel or whatever it may be. And they’ve written it however it makes sense for their engagements based on their experience, in a way that the clients can understand. The TCT’s custom certifications, effectively are a collection list of line items that you’ve created yourself. You can share that list with your clients instead of this full blown PCI DSS 4.0 track, and just focus on the collection of the 135. You know, since the TCT portal has the ability for cross mappings between various certifications, you can automatically link the client evidence that’s coming into your information request list out to the various destination, you know, destination locations across the- That’s gotta be critical,
man. Target certifications. That’s gotta be- It’s absolutely huge. You know, you look at, you look at the, so this is the one, I love giving this example, but, you know, let’s say the client has an overall information security policy. Well, in PCI, that overall information security policy, dude, that’d be connected to, what, 120 to 150 different line items across, you know, across PCI, at least. You know, and the coolest part about it is, is that the client goes in, they fill it, they attach their, you know, overall information security policy in one spot, and meanwhile, the assessment firm that’s, you know, kind of sitting over on the PCI track, instantly they now have that security policy is now splayed out across the 120 to 150, you know, different locations. Oh, it’s automatic. It is so freaking cool because now you can really go in, use that, you know, kind of request once, use many, you know, style notion, you know, and, you know, the better part is, the assessment firm also, you know, will do it however they want, right? But they’ve got choices, they can use the, they can only expose the request list to the client and the assessors can see both the request list and their, you know, PCI track, you know, etc. But, you know, that way, you know, that way they can go ahead and, you know, they can go ahead and leverage it how they see fit, number one, number two, and this is kind of a common question that we’ll get.
There’s a difference between a general industry standard certification, you know, NIST CSF 2.0 or PCI DSS v4, whatever. Those are industry standard certifications, which would then be accessible to any user of the TCT portal. When we go in and create the document request list, which is really that assessment firm’s secret sauce, it is their competitive advantage, etc. etc., that’s only leveraged then for engagements with that particular organization. It’s not publicly accessible. It’s not shared with anybody else other than your clients, you know, but, you know, that way the assessment firm doesn’t have to worry about it. They can set it up and configure it however they wish, you know, and they’re able to gain that, you know, increased consistency across their, you know, their various engagements as they go through the year.
Well, how could the assessment firms leverage TCT Portal’s API to generate various synergies? Well, the TCT Portal API, it really allows for both the import and export of data between the compliance management software and other systems. So, what we’ve seen for some organizations is that they’ve got whatever. They were struggling internally and they had built up certain dashboards that are being leveraged internally. They’re integrated not only into the compliance stuff, but maybe they’ve got 18 other realms of data and information they present to their various assessors from a variety of systems and they use the dashboarding on their end just to consolidate it all down into a single pane. Instead of making them, well, sorry, you’re going to have to go to the TCT Portal interface to be able to see any of that information. The API could be leveraged for a couple of different things. They could certainly pull statistical data information, status information, etc., over to their already existing customized dashboards and reporting tools, but they can also take that and integrate it with various other platforms. So, some of the automation of tasks via the API could include integration of compliance data with analytics reporting for tracking purposes, displaying the status of the client compliance tracks on dashboards that you use internally and possibly already are sharing with other third parties.
You can use it to view summary information about each of the engagements, pulling the task and status information into your internal ticketing system such as JIRA. You know, making the compliance tasks as complete within your system and then setting a trigger to load up explanations, evidence, and etc. And you can mark it done through the API. So there’s really a lot of capabilities that will have the potential to help the assessment firm be able to, again, customize their experience for compliance management in a way that makes sense for them. That’s one of the main key goals that we had for the platform is I wanted a platform that everybody would be able to take advantage of their way of doing things and yet do it on a consistent singular system.
Absolutely. Now, finally, one of our most revered capabilities. Tell us more about reporting. You just broke out, but tell you more about one-click reporting, no problemo. So the one-click report generation, it’s always fun when we see the organizations that, you know, start having the light bulbs go on about this capability, you know, especially with, you know, PCI DSS before, you know, we’ve got the ability to automatically generate the upbound reporting. So, you know, for a lot of the assessors out there that I think they would rather extract their fingernails with pliers than, you know, go through all of the manual labor for every single freaking ROC, SAQ, you know, AOC, etc. You know, the coolest part about the TCT portal is it automates the entire process. So for, you know, on our platform, and it depends again on the client’s preferences, right? You know, if the client’s integrated, the end customer is leveraging the system for provisioning evidence and explanations, those flowing up to the assessor, you know, they’ve got the capability to take the platform and basically workflow it from the client to the assessor straight through quality assurance team and move it over into a completed state.
Really, we can customize up the workflow however they want. But that’s more than more often than not, that’s the kind of the typical workflow. But the cool part is, is that then they can, you know, they can template out their report text, you know, starting points as I discussed earlier, customize it up for that particular client engagement, go through the review process with QA and move it into that completed bucket. And then at whatever point in the game, they’re ready to generate reports that literally just go to the top of the screen, say, hit the button and you know, allow the reports to generate, and poof, all of the information from the engagement that’s now been configured in is automatically put onto the, you know, onto the templates that the council requires, requires for people.
All right, is it like a Word doc, or is it PDF? Is it editable? Like, how does that work? Yeah, so by default, it goes into the Word doc. So the organization still could, you know, could do additional customizations to it if they want, but the, like, whatever, 99% of the pain is now just eliminated with the button click, you know, we’re talking about PCI here, you know, so PCI is a standard where they have, you know, kind of prescribed, you know, report reporting templates, prescribed, you know, kind of attestation templates, etc. But even, even still, TCT portal has the capability for, you know, again, in terms of serving, you know, serving our clients, you know, we’ve got the ability to integrate even custom reports. So where we’ve got an organization going up against, you know, a standard that doesn’t have a, you know, pre prescribed, thou all shalt use this template, you know, type notion, like, I don’t know, SOC, you know, NIST, whatever, you know, it allows those organizations to generate, you know, to use or leverage their own, you know, customized reporting templates, we could do the same thing really with any standard, you know, and put it onto, you know, onto their own, we kind of, you know, custom reporting templates, etc.
Yeah, it’s a it’s a really frickin big deal. And I think in a lot of cases, you know, part of the part, part of the challenge is that, you know, these organizations, they’ve been doing this for a week or three, right? You know, they’re just there, it’s almost like they’ve become used to the pain. And it’s really, really fun. When you see the light bulbs go on, they, you know, go in and they give it a shot. They may, they enforce, hey, we’re going to use this tool, etc. They gain that consistency. They have all of this information available at their fingertips year over year. They’re automagically generating reports coming straight off of the system and an end and end. And it’s usually, you know, it’s usually, you know, they’ll, they’ll look back when they’re, you know, a couple of years down the road. If they’ve gone and done the implementation, work properly, etc. They’ll, they’ll take a look back and it’s kind of fun as they reminisce about all of the 18 dimensions of hell that they used to go through. It’s fun when they make that connection. Absolutely.
Parting shots and thoughts for the folks this week, Adam?
Well, I mean, any compliance management tool that’s forcing you to use their way of doing things, it diminishes your competitive advantage, period. Like I said, we built the TCT portal from the ground to help you preserve those advantages, preserve your experience, etc. So you can bring them to your engagements. That’s, in my mind’s eye, that’s part of our job, is to do that for our clients. You know, not only does it allow organizations to set themselves apart from competition, but they’ll be able to gain, you know, the efficiencies that will continue to, to separate you from your, you know, from your competition, if you will, especially because you’re talking about being able to build in those efficiencies regardless of personnel. Yeah, yeah. And the consistency you get, I mean, it was just and, and, and there’s just, there’s a ton of freaking benefits. I mean, I’ve said it before on the on the pod that the generation of the TCT portal literally was the tool, I wished that I’d had when I first had to go through this process of going through compliance, you know, as an organization subject to it and seeing the struggle that the assessor had to go through on that, you know, kind of on that first engagement. It’s literally the tool I wished I had. And so, you know, the, you know, I said it earlier I kind of I kind of fluffed by it, if you will, but, you know, I can’t underscore the benefits that come in for the organization as they’re going into year two, year three, etc.
You know, you think about it right there’s, there’s for any given client and the assessors that are there listening to this are busy chuckling to themselves as I’m saying this. But, you know, you go into year two and all of a sudden it’s like you’re, you know, some of the people that you’re working with or maybe even all the people you’re working with last year. They’re not part of the engagement this year, you know, and it’s like Groundhog Day, you know, Bill Murray and I’m hitting the alarm clock. You know, the bottom line is, is that is that it’s brutal, man, it, you’re explaining the same stuff you’re answering the same questions you’re over here, the clients are even the clients that were on the engagement last year, right. If they don’t remember, it was what, 11 months ago when they submitted this evidence, they’re not gonna fricking remember what they did. So having last year’s stuff, everything, immediately referenceable for your customers, immediately referenceable for your assessors. It is absolutely enormous how big of a deal it starts to make in the overall efficiency. And this is really efficiency. It’s not just efficiency for the assessment firm, but this is efficiency for your customers as well.
Dude, that’s a big fricking deal. And the last thing that I would say about, kind of about the notion of the leveraging of TCT Portal, is really when we started this and we lost, I think the portal was, it was ready for prime time in probably Q3 of 2014, but we opted to wait till January because a lot of the assessors were real busy trying to get through the end of the year. But from day one, when we first launched this thing in 2015, ever since then, one of the big key differentiators is that we have a policy with our clients that, hey, if you think you’ve come up with a cool idea, some type of a feature you’d like to see on the platform, whatever it may be, go ahead and submit it. Because at this point in the game, each of our functional releases easily, our 95 plus percent is client requested functionality at this stage of the game. And the other side of it that’s a huge benefit is that for the folks that are just dipping their toe into this space now, guess what? They get to leverage a platform that’s had eight plus years of suggestions, recommendations from folks that have been dealing with and assessing compliance out in the marketplace. They’re able to take advantage of all of that benefit.
And I strongly encourage every single client to actively participate in those suggestions and recommendations. It’s a really, really big deal. And it’s something that I really love about what we’ve built here at TCT.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.