Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Is Your Compliance Engagement Running You?
Quick Take
On this episode of Compliance Unfiltered, the CU guys talk candidly about the rigors of compliance management engagements, and how for many, it feels like the engagement is managing you. Adam calls on decades of experience in the space to share key factors for controlling your engagement in an efficient and replicable manner.
Curious how your approach could be harming your organization? Wondering how adding toolsets can help, or hurt? Trying to find a long-term plan for compliance management success?
Well, you won’t be disappointed! All these answers and more on this week’s Compliance Unfiltered.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Hanna to your compliance Barbera, Mr. Adam Goslin. How the heck are you, sir?
I am doing just comically today, Todd. How about yourself?
You know, it is a barrel of laughs over here myself. But you know what’s not a barrel of laughs, Adam, is today we’re actually going to be chatting about whether or not your compliance engagement is running you. And what I mean by that is that a lot of organizations struggle with running their compliance engagement, or unfortunately having that feeling as though their compliance engagement is running them. Lead us into this one, Adam.
So, you know, for most organizations, you know, they aren’t running their compliance engagement, they are definitely having it running them. You know, if you’re like most compliance teams, you know, you feel like your organization is getting dragged behind the engagement, you feel subservient to your engagement, you know, the act isn’t really serving the compliance needs. Instead, you get the joy of serving a tyrannical compliance program. And, you know, when your company took on its first compliance standard, you know, you did it because of, you know, all these optimistic views, right? That’s more robust and more resilient and more attractive to clients and, you know, and, and, and. You know, that’s the way that a program should work. You know, it should serve the needs of the organization and help you with being more successful and more confident in your data protection. But, you know, for a lot of organizations, the complexity and demands of the compliance standards, the, you know, and certifications that they have to hit, you know, leave those teams, you know, hard pressed to keep up, and they’re struggling with, you know, getting everything together for their, you know, for their annual assessment. And, you know, the chaos just gets exponentially worse when you’re tacking on additional compliance standards, you know, so maybe you got an organization that has to go through PCI, but now they also need to layer on a SOC 2 and a CSF, whatever, you know, you’re constantly feeling like you’re trying to keep up with multiple, you know, deadlines, there’s never breathing room, the slightest hiccups have major ripple effects, you know, etc. And that’s just not the way that, you know, the way that this stuff is really supposed to work.
Yeah, no doubt. Now, how can an organization’s approach to compliance actually be harming them?
Well, you know, at the end of the day, it does come down to your approach to compliance management. If you, if you’re an organization that doesn’t, you know, for a lot of companies that I’ve dealt with over the years, you know, I’ve seen this, you know, kind of sense that they don’t value compliance, they don’t value the benefits that the company is going to gain from the, you know, from the extravaganza, you know, and if that’s the case, nobody’s going to prioritize process or technology that’s going to make it easier. You know, if you put investment into your compliance management, then you’re going to reap certain benefits and rewards as a result. You know, a lot of organizations instead, you know, make endeavors to invest as little as humanly possible into their compliance, you know, because they, they look at the activity as nothing more than a cost center. And, you know, I often hear from, from organizations, you know, saying that, you know, they, you know, hey, how we’re doing it right now, it works fine, you know, and, you know, we managed to kind of figure it out and the team gets it done, you know, and whatnot.
But, you know, the, the, the reality is, is that it’s really, really easy for the, for the uppity-ups within the organization to, you know, to sweep in and say, okay, guys, it’s compliance time, you know, and good luck. Let us know when you’re done. And then they won’t go ahead. And then, you know, they come back and it’s like, magically, you know, oh, the compliance just materialized. It’s finished. Okay, great. Good job. Let’s keep it moving. You know, type of a deal, but there is an absolute chasm of difference between surviving your, your, your annual compliance cycle and being able to run it, you know, effectively and efficiently.
Well, what negative impacts can compliance tool decisions have?
Well, the wrong tools are going to haunt you. Right. You know, the technology side, I mean, if you’re relying on what I’ll call primitive tools, like spreadsheets, you don’t have a prayer of being able to gain control of your compliance management. You know, I like to use a euphemism, which is, it’d be akin to trying to build a house, but you make the decision that you’re going to use rocks to drive the nails instead of hammers. Can you do it? Well, yeah, technically you could. Is it saving you money? Yeah, I suppose it’s eliminating one line item from your budget, you know, but why on earth would you not invest in a pneumatic nail gun? Um, you know, it’s just, you know, it just makes sense, you know?
And similarly, you know, you need the right tools for running compliance engagements. You know, there’s a, yeah, there’s an investment, but it’s a necessary one that will pay off in spades. You know, it keeps your people sane. You’re actively freeing up hours, hours and hours and hours of time. You’re eliminating the need for compliance pushing people into overtime. You know, it’s streamlining your activity. It puts you in control of your compliance management. You know, at the end of the day, the overall costs are lowered. You’re freeing up the time of your most valuable commodity, which is your resources. You know, your personnel, you know, that’s where you end up just getting eaten alive when you’re not doing these compliance engagements properly and effectively. You know, you end up with a more successful compliance program. And overall, your company is a hell of a lot more productive as a result.
Now, that makes total sense. Now, what effect do tooling decisions have on the personnel actually involved in compliance? I mean, these are the people that are working with this stuff every day.
Yeah, well, you know, for a lot of organizations, the annual compliance run is, it’s like a fire drill. You know, the bell goes off, everybody’s grabbing their fireproof jackets, hoses, air tanks, and hustling out to put the fire out. You know, it’s this once a year, you know, mad-ass scramble that, you know, it feels just like a freaking emergency. You know, it’s a lot of times how it feels. And, you know, the compliance endeavor is really driving the organization, not the other way around. You know, and they don’t have any choice in the matter because this needs to get done every year. It’s unbelievably stressful. You know, when compliance is running you, you know, it puts an unnecessary drain on the organization.
Overall, you’ve got people putting in more work and more effort than they need to. You know, we talked about the notion of overtime before, you know, for the, for the people that are going through it, you know, without gaining any sense of relief. It constantly grinds on them, it constantly, you know. If you ask anybody in the security and compliance space, you know, if their organization has taken that kind of fire drill approach, you know, they, they will tell you they are burned out on the engagement long before they can even see the finish line, you know, of the engagement. They’re exhausted mentally, physically, emotionally. You know, it’s months of full-time stress, urgency, you know, and often, you know, coupled with putting in good doses of overtime. You know, there’s countless many fires to put out along the way that I can’t, I can’t even articulate to the listener how stressful compliance engagements can be, especially for that group that’s at the center of it all. For the uppity-ups within any organization, do yourself a favor and go have a conversation with these people. Go find out what the hell they’re going through. Go find out just how challenging it is to keep track of all of this stuff. If you’re managing compliance with a spreadsheet, you might as well be using rocks to build the house, to put the nails in for the house, is quite literally what it’s like.
The other corollary piece to this is I’ve seen a high level of turnover with core compliance teams. Even when you have the right tools, it’s not like compliance is just a stress-free type of day, but it’s a hell of a lot less stressful. When you’re losing the people that are at the center of your compliance program, you’re losing just invaluable organizational knowledge that you will not uncover quickly. This is organizational knowledge that these people have built over years of experience with the organization, years of experience with knowing what happens on your compliance engagements, etc.
Earlier today, in fact, we were looking at the Ponemon Institute had put out their recent annual Cost of a Data Breach report. They were saying that most organizations, about at least 25% of organizations, were struggling to get the right people into those slots for the security and compliance role. It’s a widening skill gap that it’s just been growing, and that means that it takes you longer to be able to fill those empty positions, and you make it worse by the fact that now we’ve lost, you know, you’ve lost this person, you know, but your deadline for your, for your compliance engagement isn’t going to shift as a result. That’s just a deadline that keeps marching towards you, you got to get it done, and, you know, you could find yourself in a really bad spot. You know, I had a, I had one organization, you know, that I, that I knew about where literally their core central compliance person left the company suddenly, and it was four months before their annual engagement. Literally the only damn thing that saved them is that they were using tooling, you know, that allowed them to bypass a lot of the levels of pain they otherwise would have felt.
That don’t have the tooling, you know, got the, the sheer joy of experiencing. Yeah. You know, the, the organizational knowledge was preserved in the, you know, in the tooling. The tasks were easily redistributed. There were clear instructions that were easy to find. The workflow status, etc., that was all being updated in real time, gave them a valid, accurate, real-time picture of hey, here’s where we’re at and here’s what needs done and who needs to do it, etc.
And as you go through and you shift the assignments, it was an orderly process to be able to roll those new assignments out, the team making the adjustments, and the sudden vacancy didn’t turn into what otherwise, for most organizations, would have been literally catastrophic to them.
Yeah, that’s wild. So let’s shift to solutions here, okay? What are some recommendations to take charge of your compliance engagements?
Well, you know, you want to mitigate the chaos in your compliance. You know, Total Compliance Tracking, we created the company with the purpose of making compliance management suck less. We built, from the ground up, a workflow compliance management system called TCT Portal. And it really transforms that compliance experience. You know, companies that have been run by their engagements are now running them. Chaos is mitigated. They’re in control of their programs. You know, they know what they’re doing. Their workflows are streamlined so well that there’s little overtime that’s needed to specifically support the program. You know, they’re ready for their annual assessments and walk into their assessments with confidence, knowing that they’ve got it all together. You know, the organizations that used to be continually blindsided with, you know, awkward conversations in front of their assessors, around certain things that should have been done, and where’s your evidence, and who did this, etc., they’re now acing those annual assessments.
So the TCT Portal provides a number of key elements. One, it’s a central repository for your evidence. The TCT Portal, it’s a compliance management tool that automatically organizes and maintains that central repository of all of your information and your evidence for your annual program. And it’s a game changer, because you know exactly what your engagement status is. Your evidence is always at your fingertips. You’re not frantically searching through dozens of potential ways that people sent stuff to you. We’ve talked about that on several pods, where evidence is often coming into these teams in a myriad of ways, you know, somebody will tell you an update as they’re walking by you in the hallway, they call you on the phone, they tell you in the middle of a meeting, they send you a text message, they leave you a voicemail, they drop their stuff wherever, they decided to go drop it onto the network, and then go ahead and send you an email with, oh, by the way, I put the email in there, so, you know, now you’re searching. It’s literally, it is absolutely chaotic when you don’t have the organization.
So, you know, the portal also allows the elimination of duplicate work. So, you know, we allow through the TCT Portal to load up the evidence once, and then automatically populate it to the line items that it belongs to. So as an example, the overall information security policy for an organization on a PCI DSS engagement is very likely to be tied to 150, 180 different, you know, requirement line items. So you can go in, load it up once, and then link it to all of the other areas that you, you know, that you have to. You know, the maintaining of organizational knowledge, we talked about that, you know, a bit earlier. You know, with TCT Portal, you have a clear historical repository. Who did what? Even in your previous years, right? You know, when that key employee moves on or gets promoted or whatever, there’s not this vacuum of organizational knowledge because you’ve got a rock solid repository of exactly what happened, who did what, what evidence did they provide, who did it, you know, all of that, it’s right there. You know, you’re not staring at a spreadsheet, which if you think about it, right, a spreadsheet’s literally just a snapshot in time entirely based on the quality of, you know, whoever was the last person to go update the spreadsheet. God help you if they inadvertently blast a whole bunch of cells within that sheet. You know, the bottom line is, is that you don’t have to scour, you know, countless locations for evidence and try to, you know, play detective to put together all the breadcrumbs of where is, you know, where is stuff. You know, instead, new employees that are joining your team, they know exactly what they need to do and they’re basing it on what happened before. You know, we talked about, you know, the chaos elements, you know, the portal eliminates those annual fire drills and puts you in command of your compliance program.
You know, as soon as you start using it, your organization is able to reach a new level of compliance maturity just because of the fact that the engagement is automatically ordered, you know, and clarified.
The workflows are automated, live engagement statuses are immediately viewable by every single person on the team. You know, you know what needs to be done, who needs to do it, when do they need to have it finished? You know, are we there yet, you know, etc. So, you know where your evidence is located. You know which items are still outstanding. You can even tell, if you’ve got your assessor involved in the workflow, then you know what items they’ve gone through and reviewed, what they passed up to their QA, which items did they reject, etc.
You know, before you know it, you are really absolutely on top of and in control of your compliance engagement. It’s a game changer.
Well, speaking of that, how can an organization stay in control once they’ve validated annual compliance?
Well, what I recommend to folks with the TCT Portal is once you get through that first compliance cycle on the TCT Portal, go ahead and take advantage of what we call operational mode. You know, we’ve had that on the platform, God, I think since 2016, you know, type of a thing. You know, it keeps your program on track. It allows you to be in control for the long run. You know, your second year, but, you know, all the benefits you gain from the tooling, you know, etc., and the organization kind of adopting, you know, the right compliance tooling. Now you can take year two and make it even more streamlined than year one. So depending on which, you know, cert or standard you’re going up against, you know, there are ongoing compliance tasks that need to be done every day, every week, every month, every quarter, twice a year, once a year.
You know, operational mode allows you to keep on track with all of those periodic elements that need to be done throughout the year. You know, you’ve got the added benefit of automated reminders that it sends out to the right people at the right time. You know, it’s not telling you, well, by the way, in three months from now, you’ve got these, you know, 50 items you have to go do, but instead a couple of weeks before they’re due, it’ll start alerting the team and saying, hey, you got these items that are coming, type of a thing. That way, back in the day, I used to try to get people to line up their time on their calendar, block it off so that they had time, etc. This is a way to help with reminding them. What I found is most of the people didn’t actually block the time off and then it turned into a shit show. But the automated reminders help people be able to plan. Couple weeks out, oh yeah, yeah, gotta go get this stuff done. So you’re able to proactively alert the team members of the responsibilities, confirm their tasks are getting done and all of that fun stuff. That operational mode, another arena that’s a benefit. So we talk about all of those tasks that need to be done throughout the year. As you start to mature your program with operational mode, then you can move into also spreading your annual tasks out over the course of your compliance cycle. So as an example, if you wanted to schedule your security testing or penetration testing in compliance quarter one, so you had plenty of time to make any fixes, corrections, etc., then you can go ahead and schedule that in Q1. If you wanted to make sure you were doing your security awareness training in your compliance Q3, then you could go ahead and get that one scheduled there.
You’ve also got that ability to kind of spread that load out so that you’re moving away from the annual fire drill moment and now you’re really taking control and command of what you’re doing with your compliance engagement.
Don’t make any mistake. I mean, I actually am not a fan of the organizations that will kind of pop up and say, oh, all you gotta do is use this system or whatever and poof, all your problems just go away. But that’s not what I’m saying. I don’t want anybody to think that that’s where I’m going with this. Is it work? Sure it’s work, but the more investment that you go and put into your compliance program, the more that you pay attention to seasoning it as you go from year one to year two, year two to year three, year three to year four, et cetera, the better and better and better it starts to get. And it is a process to be able to really mature your program with the use of the technology. You know, it’s really a process to go through, but it’s a process that’s worthwhile.
So what types of comments do you hear TCT customers telling you about their experience?
Well, generally speaking, the folks that leverage the TCT Portal as their tooling to alleviate their compliance management pain, you know, they experience generally a tremendous sense of relief from using the portal. You know, lower stress levels, far less overtime in general, certainly not overtime associated with the overall program. You know, that maybe there’s things that are happening in the business that, you know, cause them to, to, you know, have these, you know, bumps in the road, but it’s not directly related to their compliance. You know, they, they experience a, you know, kind of an orderly march toward their, you know, toward their annual assessments, a much better relationship with their assessor. You know, we had one organization that was subject to compliance. You know, they, they were telling me that using, that using the portal was the only way that they could have stayed sane and kept everything organized as they were going through their engagement. One of our assessor clients was indicating that without the TCT Portal, they easily would have at least doubled their reporting time. One of the clients that was using the TCT Portal said that it’s so much less stressful for them now and that TCT Portal has been a game changer. So it’s really about bringing the tooling to these organizations, giving them the opportunity to go through and experience those benefits.
And really those are benefits, like I said, that are gained year over year and several years down the road. You almost look back at how we used to do it. I’ve actually had this conversation with a couple of different organizations where we’ll be whatever, three or four years into assisting with helping them run their program. And they’ll literally say, I’ll just ask them out of the blue, hey, do me a favor. You’ve been away from how you used to do it for quite some time. Think back to what it was like before you started, started this process, started using the tooling of the TCT portal to make your compliance management suck less. How was it? And they literally will say, I can’t believe the way that we used to do our compliance. You know, is the generality of the response, because it really, it does. It makes a gigantic difference for companies that decide to make that investment. And for many of them, they kind of question, and well, why in the hell didn’t we do it sooner?
Parting shots and thoughts for the folks this week, Adam.
So, you know, just for a moment, just imagine, you know, we’re gonna use a Zen moment here. You know, imagine that you’re going into your annual compliance assessment, you know, and you’re feeling confident. You’ve got all of your ducks in a row. You know, you’ve got all of your compliance evidence right at your fingertips. You can find everything quickly. You know, when the assessor says, hey, can you show me fill in the blank, boom, you’ve got it. You know, for those organizations that are, you know, that are lucky enough to have an assessor that can be directly bolted into their workflow within the TCT Portal, you know, imagine that the items were coming from your front-liner, evidence was coming up to your compliance team or consultant, you know, and from there were flowing straight into the hands of your assessor right within the same tool. And by the way, if you, you know, if that’s not a reality for your organization with your assessor, by all means reach out to TCT, we’ll be happy to connect you with, with an assessor that would readily leverage the TCT Portal and be part of, you know, your tool, you know, etc. But just imagine, you know, knowing you’re not going to get blindsided by, you know, by awkward questions and unforeseen issues as you’re going through your assessment. You know, you chuckle, but the reality is, is that these companies, that everybody that’s listening to this that’s not using your compliance management system is, is nodding in acknowledgment, because they’ve been through everything that I’m saying.
Oh no, I chuckle because that, like that, that pit of the stomach feeling when you get asked that question and you’re caught, and you’re caught flat-footed. Like, I think everybody can appreciate, like, the certain areas of one’s anatomy where sweat starts to form immediately. Like, I definitely understand.
Really, though, I can remember, I can clearly remember numerous, numerous cases back before we built the TCT Portal, when I was, when I was a compliance consultant and I was running those engagements. I can remember many occasions where basically I had to almost kind of step up and, and tap dance, you know, in front of the assessor to try to, you know, to try to navigate the waters, you know, so that the client, you know, wasn’t feeling like such a heel because they couldn’t put their fingers on fill in the blank. And I always had to just jump in front of it and either buy them time to be able to locate it, or I’d be busily doing the tap dance while kind of chatting with them through text or something and having them say, hey, look, you’re gonna need to put this one on the back burner, da-da-da, and I was almost like running interference. It was, it is not fun, man. It is not fun. So when you’re using something like the TCT Portal, I mean, you are running your compliance engagement with confidence and competence, and it’s no longer running you. You know, the reality is it is a game changer once you step into this arena.
And the last thing that I wanted to say, and you and I don’t get, don’t say this often enough, but you know, I just, I wanted to thank the, I wanted to thank the listeners for listening to this pod. We really, really appreciate you guys, you know, being such staunch supporters of TCT and do us a favor and, you know, if you think that we’re pretty cool, all that fun stuff, tell a couple of friends about Compliance Unfiltered. Tell them about TCT. We would love to make new friends in the space. We do it all day, every day, and we’d love to meet yours.
Absolutely, and that right there, that’s good, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow.
And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.