Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Throwing Your Compliance Party
Quick Take
On this week’s Episode of Compliance Unfiltered, get an in-depth overview of everyone’s favorite moment in a compliance engagement, the end!
What is a compliance party? How do you get invited to one? What should you bring? All are valid questions!
Adam will give you a full breakdown on how to throw, attend, and clean up after YOUR compliance party, all on this week’s Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a guy who may know a thing or three about compliance, the one and only Adam Goslin. Adam, how are you today? Morning. No, I’m doing good. That’s great to hear. Up here in Michigan, I’m in the midst of like snowmageddon right now. So all the TV stations are like, oh, there’s going to be 48 inches of snow falling. So, yeah, we’re dealing with that. It’s all sorts of fun. Well, wherever you’re listening to this, I hope you are warm and dry. Goodness. Stay safe.
But today, we’re going to talk about something, Adam, that’s, I don’t know, more exciting, but definitely a little warmer than snowmageddon. And that’s a compliance party. Talk to me about what the hell a compliance party is, and how to properly throw one. All right. Well, we’ll start off with what the hell it is. So that’s what I call the celebration that you have once you finally made it through your initial compliance extravaganza. So, yeah, it’s basically the mark of we finally made it. And for anyone who’s ever been through a compliance engagement, Adam, gosh, the point of finally making it has to be such a relief.
So tell me, what leads up to Adam’s mystical compliance party? Well, I mean, really, this is more for the people that are contemplating going through it, because the people that have been through it, oh, it’s seared in, indelibly into your memory, if you’ve been through this process already. This is really for those that are in the midst of going through it, or their organization is contemplating heading down this path. The bottom line is that, what a lot of organizations don’t quite realize as they decide, you know what would be a good idea to do next week, let’s get fill-in-the-blank compliant. And so, what they don’t understand is that, going through any of these particular standards or certifications, it could be, depending on where the company is at in the grand scheme of things, I mean, this literally could be either months or possibly years of hard work to get yourself through this process. The obvious statement is it depends, it depends on which standard or certification we’re talking about. It depends on how seriously the organization going through it is taking it, that type of thing. But, I’ve seen many companies where it’s literally months or years of hard work. They’re trying to figure out, what do all these things mean? What do I need to do? What vendors do I need to go string together? What things do I already have that I can leverage? There’s a ton of trial and error going through that process. There’s a lot of wasted time, a lot of wasted money, especially for the uninitiated. A lot of long hours.
When I think back, part of the reason why I initially stepped into this space was my first trip of getting the organization ready for and through compliance. That first trip for me really was life-changing, because it took us 18 just monstrously painful months to be able to make it from, hey, let’s think about going down the road of being PCI compliant, to actually getting there. It was 18 painful months. It was figuring out how and making several attempts, fail, try again, phone a friend, you know, try some awful vendor solution. I mean, the one thing for the listeners to understand is when I was going through this for the first time, this was, we’ll call it back in the day. You know, maybe 15 years ago or so when I was first trying to go through it, there were a lot fewer solutions out there. There were a lot fewer vendors. There were a lot fewer organizations that were taking it seriously. And quite honestly, a lot of the vendor solutions out there were horrifying. And I know we made the decision to abandon ship on trying to find a vendor for fill-in-the-blank, and just figured it out ourselves. Because either the solutions were monstrously expensive at the time, or were inefficient and didn’t work.
So, I remember one of the solutions was for doing central logging. We were trying to pull a report of, whatever, a week’s worth of logs. And literally it would take over 24 hours to run the report, to go pull it back. And think about it, right? You’re in the middle of I need to see these logs. Well, I need to see these logs now. I’ve got something going on and I want to go ahead and take a look. Well, let me go ahead and start this on a miscellaneous Tuesday and we’ll get back around to it maybe Thursday. The world just doesn’t work that way. So it was just honestly very, very painful. And part of the reason why I decided to walk away from working full-time for somebody else, to stepping two feet into the security and compliance solution side, you know, was literally on the backs of the awful trip that I had just gone through. Man, that’s exhausting just listening to.
I have to ask this because, I mean, some people might be listening and wondering, why is it important to throw a compliance party? Well, I had mentioned earlier, I was talking about the long hours. It was something that I meant to mention when I was going through that. But going down this compliance path, it’s a hard road. It’s super easy for an executive sitting in their glass office, who just whimsically decides we’re gonna go get fill-in-the-blank compliant, and assigns it to the underlings. But for those that actually have to go implement it, it’s a hard road, man, a lot of work. I remember as we were basically starting to dial up to the point where we were, okay, we’re about to go get through this audit, just trying to make sure I had everything with I’s dotted and T’s crossed. I mean, at that point in the game, I was normally working 50, 60 hours a week before I really started getting into the compliance path. But it started to escalate to the point where I was putting in 80 hours a week. I was putting in 90 hours a week. I kept having to work more just to pull everything together. It’s a ton of work. The team, basically, as you go through this process, the team in varying respects, they’re just bleeding as they go through this process to try to get there. At the end of the day, why is it important to throw the party? The people on your team have done just an astronomical amount of work. And often this work is, quite frankly, unseen by the vast majority of the folks from middle management. That team really needs some type of a break or reward for both the achievement of getting there, and as a thank you for all the hard work that they’ve done.
And any amazing, now safe for work, safe for children, whomever may be listening, stories from a compliance party that you can share here? Yeah, actually, yeah, I’ll have to be, let’s see, I’ll have to be appropriate about my first compliance party. Because yeah, there was a good amount of excitement during that experience. So way back in the day, when you would go and kind of submit your paperwork into Visa saying, hey, we’ve done everything, we’ve checked all the boxes, and blah. Back in the day, they actually used to send you a letter. It would be a letter on Visa letterhead and whatnot. Congratulations for gaining fill-in-the-blank compliance. You get this letter, and honestly, all the blood, sweat, and tears, months and years of effort, pain and hours, all culminates with this piece of paper. And so the first time that we got through that, actually, I took the piece of paper, the one-pager, I went over to the photocopier, I actually made copies of the piece of paper. And then you go to, like, one of the kid’s birthday parties, and the kids have made pirate hats. I actually sat down and I, out of the copies of that paper, I basically made pirate hats for the team. And so I made arrangements, we were going to go up to the bar, going to have some food and drinks to just get a freaking break, and say congratulations, thank you so much, right? And so while we were sitting there and whatnot, threw the Visa pirate hats on our heads, and just walked it off, you know what I mean? It was honestly, of all of the compliance parties I’ve either experienced or thrown since, I think all of them pale in comparison to the splendor of the first one. There’s just something special about it and whatnot. It was a really, really good time. Yeah, a lot of people had a really good time that evening. But no, it was well deserved. It was overdue.
I think part of the reason why the party was, what’s the right word for it, received so vigorously, is that I mean we literally had just been through astronomical levels of pain. So yeah, it was quite the experience, the team certainly got it on that day.
Now, besides purchasing enough aspirin, what are some of the do’s and don’ts for someone trying to throw their first compliance party? Okay, so a couple of things, and I’ve since had about another 10, 12, 13, 14 years since that initial party. So I’ve seen one or two go down in the interim. But the bottom line is, it’s like any event, right? I mean, you ask anybody in the organization that does event planning, there’s a lot of planning that’s involved. So what I would suggest to folks is, put the time into that planning. The team certainly has put the time into your compliance. So, put some thought and time into a nice option. Depending on where you are, and what’s available in your area, depending on your organization, and the people involved. Think of something that would be fun for your team. I’ve seen all sorts of things, bowling evenings and going to a group movie dinner thing, going to the bar, Fowling, which is football bowling, paintball was another one. I forgot this one, everybody went out to the shooting range. So it’s just whatever’s the right speed for your crew, figure out something that they’re going to enjoy. The point is to reward them and be able to do something fun. I always like to try to pick out something that they wouldn’t normally do, that way it’s memorable and whatnot. It sounds odd to say this, but I’ve seen some organizations that didn’t. Make sure that the company’s actually paying for it. You don’t want everybody having to throw 20 bucks in to go have a get-together. It just depends on your company, your corporate culture as well, but figure it out.
You also need to figure out how to do this safely. A lot of it comes down to risk for the organization. People drink and drive. So certainly account for things like transportation, accommodations, how you’re going to get everybody into the same arena. Think about the fact that you’ve got people from out of town. So you’ve got things like people that need to fly in, people that need to get from the airport over to wherever you’re putting them up. It’s a lot easier these days. Public transportation has been around for a while, but the Ubers and Lyfts certainly are helpful. Think about maybe renting a party bus, so you can get everybody around safely and whatnot. You put it into the planning, then that’s cool. The one other thing is, in some way, shape, or form, the event is cool, but do something for these guys, these guys and girls helped you get it there, whether it’s a gift card, or no-strings-attached bonus. I’m a much bigger fan of, go give everybody a $500 gift card that they don’t need to have show up on their taxes type of thing. It kind of takes a little bit of the luster out of it when you’re like, well, we’re gonna give you a thousand bucks but you’re gonna have to pay like $400. So just figure it out so you’re actually just giving them something.
Put some thought upfront into the fact that you’re gonna have some expenses, especially if you’ve got people coming in from out of town and whatnot, they’re gonna have traveling expenses and things along those lines. So, account for that in your planning. But I’d also recommend to folks, you can put all the thought that you want into trying to plan something fun, and try to make sure everybody’s safe and has a good time. But put a little bit of thought into, what are we gonna do if things get out of hand? Just have a game plan in mind. You don’t wanna be trying to figure it out on the fly, but that’s more of a what if? Bottom line is that the people on your team, if you do a good job with planning out whatever event you’re gonna go throw, then they’re gonna appreciate it. Everybody’s gonna have a good time. They’re gonna feel better about it. Is one party and a gift card going to truly repay them for all the blood, sweat and tears? Probably not. But hey, at least it’s a decent awesome gesture. I can tell you that the folks that go through that experience of getting compliant and then have that kind of surprise, something at the end of the rainbow that you pop on them, is definitely something that I’ve seen the teams really genuinely appreciate. And I think it’s certainly something that the leadership of the organizations, don’t really put as much, or enough, thought into what that team’s been through. So, give them a little bit of reward on the backend.
Okay, so anyone who knows about throwing parties at all, or has thrown one in their life, understands the peril that comes when you wake up the morning after the most amazing party you’ve ever had. And I can’t imagine in the compliance realm that it would be any different. So, okay, Adam, we’ve had a party. Now what? Actually you brought up a good point, which is what day of the week do you do this on? So you’re like, yeah, I woke up the next day. Yeah, you don’t want to plan the party on Sunday, okay? Just saying, Friday night is probably best if you plan it appropriately. Worst case, Saturday, do not throw the party on Sunday. That usually doesn’t work out well.
Once you’ve gone in and you’ve had the actual party, the one thing that a lot of organizations, especially those that are going down this path for the first time, I’ve seen it repetitively. They have this notion of, oh my God, we made it, we finally made it.
We’ve been griping and moaning, trying to get people to finish things, and diving through fire hoops, whoo, we’re there, right?
And they go, ah, now we can just kick back. Oh, no, because once you’ve gotten to the point where you’ve proved out, yep, we’re doing everything under the sun, we’ve got everything in place once, right? Well, now you actually need to go maintain this compliance. You don’t want to put in all of that work and effort, only to go walk off and lose tasks that are supposed to be done. Because on these various compliance standards or certifications, there’s going to be things that need to be done every day, every week, every month, every quarter, twice a year, once a year, and also things that are triggered based on circumstances.
So one big trigger in the PCI arena is like a major change, right? So, if I decided to rewrite our main application, or I decided to swap out the primary firewall for a different brand or whatever, and we’ve got to rebuild it from the ground up. Those are the things that would fit into that major change bucket, and those will have their own series of triggers, based on circumstances or events that occur with it during the audit period. And so, the one thing that these organizations will very often not handle elegantly is that transition from, we made it, to now we need to maintain it. So, that’s really the big thing that organizations need to do quickly, either in advance of actually getting there, or immediately following getting there, is knowing that now we need to go in and actually maintain this thing.
So, certainly doing things like leveraging a compliance management system to be able to assist with those kind of proactive tasks through the period is astronomically helpful. Part of the reason why, gosh, I did this back in like 2015, like seven years ago. I was tired of showing up to the annual compliance review for an assessment, and of course the client’s sitting there going, oh geez, Mary forgot to do this, and Fred forgot to do that. Now we’re answering tough questions, or scrambling for evidence. And maybe there were things that either weren’t done, or weren’t done properly through the period. We built in something that we call operational mode, which basically takes the existing certification, and dials it on in a different mode. That operational mode will trigger, hey, each quarter we’re going to make sure all of these elements are on track. Of course, when you get to quarter two, it’s the same timing as your semi-annuals, plus anything that you needed to do quarterly or more often. And so using a systematic approach where the folks on the team are being triggered to go in and take care of fill-in-the-blank, or show their evidence. The beauty of it is that we’re using a systematic approach. If you’re depending on a manual approach, now you’re depending on human beings, you’re depending on people making sure they have all of the right tasks. You’re dependent on them remembering to do it, that you’re remembering to do it in a timely fashion, things along those lines. There’s all of that propensity for things to go sideways or be forgotten. Now, whatever it may be, all of that is greatly mitigated when you’re leveraging some form of a system, or a systematic approach. And it’ll just help you to keep things on track for the organizations that go from the compliance party into their first annual cycle for their compliance standard or certification.
Yeah, I’ve seen a lot of problems here. One, with people forgetting to do things, or not doing things on time and whatnot. So that’s something that at least, if you’re using a systematic approach, even if somebody dropped the ball and wasn’t tracking the things that they need to do daily, it’s like, hey, at least you’re catching it in the first quarter of your four quarters, right? Right. That’s something that I can go back to. And I can now go back to the assessor and say, Fred dropped the ball and Fred forgot da, da, da, but we caught it at the end of Q1. We’ve made all of these and sundry modifications and adjustments. And I can now show you three solid quarters where Fred had it completely together. And now I’ve got something that I can bring to the assessor, and make a good case for these guys. Yes, they’re taking it seriously and whatnot. On the other side of the coin, in many cases, it’s funny. I know the assessors, they’re going to be chuckling. They know when they go walk into their annual engagement, they know there’s going to be some measure of fit that hits the shan, in terms of forgettings and ball drops. And yet, those organizations using that systematic approach, that are on top of it through the year, they have regular weekly meetings surrounding their compliance, and make sure they stay on track. It’s so much easier when you get to the back end. But the assessors are used to, especially in year one, it being a crapshow for a lot of organizations.
So, you know, I’ve seen many of them breathe a sigh of relief when they know that the organization has some type of a system they’re leveraging to help keep them on track. For a lot of the organizations out there, especially those that are trying to get there for the first time, an absolutely common approach is, companies will underestimate just what it’s going to take to get there in the first place. I mean, just trying to get there in the first place often is dramatically underestimated. And most of that underestimation is a combination of things. It’s a combination of out-of-pocket dollars that need to be spent on various solutions, vendor solutions, whatever it may be. And then, also, the one area that a lot of organizations really don’t account for from a monetary perspective is the amount of the internal labor loss cost. A lot of organizations have this notion of, well, we’re paying so-and-so’s salary, so who cares if it takes us a little bit longer. Well, at the end of the day, it’s just an opportunity cost for having them neck-deep buried, burning themselves out, and/or burning the midnight oil, and lack of productivity on what they should be doing day by day. So those are the two main areas where they’ll underestimate. And then the other piece is, a lot of them just go, oh, we made it, but then completely underestimate what is this actually gonna take to do ongoing? What are our ongoing costs? What’s our ongoing labor investment that we need to go put into this? So yeah, I’ll see a lot of organizations, especially as they get through that first year or two, that are, I’ll call it, the shakier ones. But, certainly as they start getting a couple of quarters under their belt, the rest of their first year goes a lot smoother. And certainly by the time they get to year two, it’s now flowing a lot easier, especially those that are using some type of a systematic operational mode style approach to maintain their compliance.
So have a plan and party responsibly. You got that right. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.