Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: OWN Your Compliance Data


Quick Take

On this week’s episode of Compliance Unfiltered, Adam and Todd break down the importance of Owning Your Compliance Data, even when you work with an all-star Assessor. You’ll get a detailed overview about:

  • Why it’s important to own your compliance data.
  • Why it can be way more complicated than originally anticipated.
  • What a company can do to take back control of their data.

Have questions about third-party data migration? No worries, we have you covered there too!

All this and more on this week’s episode of Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the one and only venerable compliance guru himself. He does compliance problems in his sleep. Adam Goslin, how the heck are you? I’m doing good. I’m doing good, Todd. Sounds like you’re playing with marbles over there, just so you know. I’m happy.

We are gathered here today in Compliance Unfiltered land, to take back control of our compliance data. Talk us through it. Well, for a lot of organizations, and this is a topic that I’m passionate about, because I’ve been through assessments. I’ve been through it as an organization going through it. I’ve been through it as a consultant helping companies get there. I’ve sat alongside assessors and helped them do their thing. I even spent a couple of years doing QA work for a large international auditing firm. I’ve really seen it from all levels. The one thing that a lot of organizations miss, is the fact that whomever your chosen assessor may be, they’ve got their own way of doing things. And so in one case, it’s dump everything into some share location. In another case, they’ve spent years making their own proprietary system, so they have a competitive advantage over their competitors. At the end of the day, I get all of that. And for these assessors, being able to deliver their services in a manner that’s efficient for them, that works great for them.

What the problem is, is that it leaves the company going through it, in a position where they’re on their own to go ahead and get their information organized. A lot of times, the assessors will say, here’s a framework for storage locations, but it’s an entirely manual process. And the client going through it is left out in the cold. And so, it’s an arena where it’s cool to make their world awesome, but in the same sense, this is your compliance, your data, your information. When you get from this year’s engagement and you go to next year’s engagement, it’s almost like people are starting over, right? Oh gosh, we’ve got to go start this process again. And I get this ringing of like Groundhog Day in the back of my skull as they go through that process. And it’s like, man, just stop the insanity and take control. This is your damn data. To me, it’s the craziest notion, right? You’ve got to have a way to be able to manage your own stuff when it comes to these particular engagements.

Well, I guess what elements can complicate managing your data? Well, so we talked about the fact that you’ve got to store all of this stuff yourself, keep it all organized yourself. All of those same problems, for folks that sit in that middle ground spot of playing coordinator to the internal crew, coordinator to, in some cases, several people on the assessor side. So, there’s all of those complications that come into play. Not the least of which is, all of the channels through which those poor souls end up getting their information, right? You’ve got people that are emailing you stuff, sending you text messages while you’re in a meeting for something completely different. They go, oh yeah, by the way, I loaded the blah, blah, blah, blah, blah, and it’s like, so what, now you’re writing it down on a post-it note, or on a pad of paper, then you send yourself an email or whatever. It’s a nightmare. So you’ve got all of that. And then in addition, you’ve got another complicating factor, which is what happens if you’re dealing with multiple assessors? The reality is, that for many organizations, when they start out they picked a certification to start with. So whatever, we’re subject to PCI, so we’re going to start with PCI. And next thing you know, a client comes along and says, well, we need you to be SOC 2 compliant. Okay, let’s go throw that onto the mix. And then you go back to your assessor and say, hey, do you guys do SOC 2 as well? No we don’t, but we know somebody that we can give to you as a referral. Now okay great, we have to fold a second assessor in for SOC 2. Fast forward a little bit further down the road and suddenly, some big client says hey, we need you to be ISO 27001 compliant. So you go back to the two assessors that you’ve got now and you say, hey, can you guys do ISO 27001? Of course, they both say no, but now you’re going to go throw a third assessor into the mix.
It’s like, now you’ve got the stream of complexity you had with the single assessor back in the day, when it was quote easier. Now it just got triplicated or quadrupled. And so, it’s tough as you go through that notion, to be able to hold everything together. The reality is, is that sometimes there’s reasons why people would go yeah, oh gosh, I don’t want to have to deal with three assessors, I need to bring this all in again.

I guess what are some of the reasons you’ve seen for changing? Well, from the change perspective, there’s a lot of various things that will come into play. There’s all sorts of different scenarios that come into play. So, we were just talking about the fact that I went from one cert one assessor, to two certs and two assessors, to three certs and three assessors, right? At some point in the game, you get to the point where you don’t want to have all this coordination, with all these freaking people. So that’s certainly one notion for a lot of organizations. There’s a certain measure of comfort in retaining the same assessor that you had the prior year. Why? I mean if you think about it, it just makes everything easier. They already know your organization, they already know what you do. Instead of coming in and trying to get their arms around the company, and figure out what you do and how. Now they just have to go in and figure out what things have changed since last year. Even in that case, let’s say you have this favorite assessor, Bob. Bob has been the assessor for the last three years. Bob retired. Especially in this day and age with the competition for warm bodies, and the lack of resources in the security compliance arena, there’s a lot of them just getting picked off, hawked by competition. For whatever reason, Bob isn’t there. They’ve now replaced your ideal assessor, Bob, and they’ve replaced Bob with somebody else. They aren’t Bob. They aren’t as good as Bob, they don’t have the same background as Bob. In many ways, you’re almost starting over. Maybe they don’t have the same personality as Bob. It’s tough. There’s a lot of various reasons. Some organizations will simply say to themselves, we want to have different organizations come in and do our assessments. I’ve seen some organizations that will flip-flop their assessors every two years, every three years. Why? Just because they don’t want things to get stagnant and stale. 
There’s a good number of reasons why people will go down that path.

Well, I guess the logical question here is, what are the impacts to data of that change? Well, going back to that scenario of the internal organization struggling to get their world organized, you’ve got everything into it. Now I’m three years in. Let’s pretend I’m three years in with Bob. I’m three years in with Bob and everything, and we finally have all the kinks worked out. It’s usually how long it takes. By that third compliance cycle with some stability, things start to settle down. All of a sudden, for whatever reason, you’ve got to go make the change. Think about it. Maybe your new assessor has some new proprietary system that they need to use, or some new approach that they need to go in and do, or some new way that they organize their information and data. Your prior assessor would line everything up to the physical requirements. Your new assessor takes a different approach of like a request list type of thing. So, when you’re going in and you’re making those modifications, well, now you have to re-gut your way of doing things, your internal tracking. There’s a lot of elements that will come into play around making those data changes. Because now, you’ve got to not only adapt your own internal system to the new assessor, but in addition, you now have to placate to whatever process or approach that they need to go ahead and put in. It’s a pretty disruptive event when organizations need to go through and make that change. For sure.

And I guess, well, that leads me to wondering, like, what should companies be considering, regarding the control of their compliance data? Well, at the end of the day, the one thing to remember is this is your data. It’s your data, right? This is your information, your data, you’re the one that needs to maintain it, and manage it through the year. You’ve got to have something that works. It’s got to be a two-way street. We’ve got to have it working for the organization going through the process, as well as facilitating the requests and needs of the assessor. And so I look at it as a two-way street, but at the end of the day, this is your information, your data. You need to be able to streamline your own arena. You want to be able to make storage of this information convenient and effective for you, the company that’s going through it. As these organizations go through their compliance, it’s one thing to say, hey, I’m going to go and I’m going to try to achieve PCI for the first time ever. Well, that’s more of an act of trying to line up the several hundred line items of PCI, and just trying to get them over the finish line once, right? But the minute that happens, now the organization actually needs to maintain their compliance posture. And so at TCT, we call that operationalizing your compliance, which is making it a part of your day-by-day operations for what you need to be doing, and when you need to do it. They’ve got to have a mechanism to be able to go in and manage that, all the way through the year.

And the other element that organizations need to keep in mind is, when you’ve got assessors in the mix, the reactions out of the companies going through it are wide and varied, right? There’s a lot of, oh, boy, this is the assessor, type of thing, and everyone bows as they walk through, right? That’s the sense that I get about how the company’s reacting about the process. And here’s the funniest part, the assessor works for you, just like a plumber works for you, but nobody’s running around bowing at the feet of the plumber right? Just keep that in mind, unless they fix some really large water issue or sewage issue. But the reality is, just like any vendor, the assessor works for you. They’re a vendor, they’re not the be all end all. Assessors are awesome. And I’ve got a ton of assessors that I know amazingly well, that I’m amazingly good friends with. But at the end of the day, they’re working for you. And so it can’t be a one-way street, with anybody that you’re going to go bring in, to go do work for your organization. You want it to be amenable, where you feel like it’s a partnership, where it’s working on both sides, not just for one of us, right? And so, companies just need to keep that aspect in mind. I think a lot of them lose sight of the fact that they’re just trying to get through their annual assessment process. They seem to lose sight of the fact that, hey, man, at the end of the day, the assessor’s just a vendor to your organization, not unlike any other vendor that you’ve got, keep it in perspective. Yes, got a lot of respect for the assessor. At the end of the day, they’ve got to go in and assess your organization, but there’s a limit, you know what I mean? Absolutely.

So I guess we’re coming here to the crux of this episode, Adam. And I have to ask you the $100,000 question here, what should a company do to take control of their data? Well, there’s several different things. Part of the reason why we do what we do, is we try to make managing compliance suck less. That’s the way we put it at TCT. And, you want to make sure as the organization going through it, that you’ve adopted the right size, right fit, compliance management system for your company. This is a process, a solution, an approach. It needs to work for you, that’s the first part of it, right? So making sure that you go through, you look at what are our needs? What are our challenges? I mean, you have companies that are dealing with this today. As I go through and give all of the examples of, all of the various directions that things are flinging at you, right? Think about what problems do we experience? Why is it so challenging, or why does managing your compliance suck? And then, think about what you can do to go ahead and address those things. So, I’ve got data and information flying at me from 18 directions. It would be great if I had one place to go ahead and put everything, instead of having it coming at me from 18 different directions, across 20 to 30 different people. If there’s one spot that you can go and use, great, now you start hearing the angels singing. Following up with people on your team, you can stop nagging them about, hey, get your stuff done, get your stuff done. It’s hilarious when the execs come by. They think it’s just an easy question, they say, hey, where are we at? What’s the status, right? And they think you should be able to just go and spit the answer out. Well, the bottom line is the poor person that’s manually managing all this stuff, with all these various people, with evidence in various states of, I’m waiting for it, I got it, I need to review it, it’s good. It’s not always reject, getting it up to the assessor.
Is it good on their side, reject, and it’s coming back with additional questions. It’s an unimaginably complicated question to answer when everything is getting tracked manually. However, astronomically easier when you’re using a system. So I’d recommend folks go through, look at all of the challenges that they’ve got, and figure out, how do I go ahead and size my needs to an appropriate system that’s going to be cost effective and address what we need to go do.

The second element of this, and bar none, this entire last stream is a very strong recommendation to companies to stop trying to write their own compliance system, stop trying to manage all of this manually, stop enduring all of this pain. Unless your business is making compliance management systems, in that case then you’re all set. But beyond that, if your job is to sell stuff, or be an e-commerce platform, or be a hospital, or be a law firm, then go do what you’re good at, and get a tool to take care of the rest. At the end of the day, you need something that’s going to work for you, and then you need to figure out okay now that I’ve got my world sorted out, what is it that my assessor needs? So a lot of organizations get a little bit antsy about, oh do we really want to have this conversation with our assessor, the revered assessor, we can’t possibly piss them off. Guess what? It might feel a little bit intimidating to go in and engage in the conversation, but respectfully go up, have a conversation with your assessor, and say look we need to make improvements in our operational compliance efficiency. Your system that you’ve got over here, it may work wonderfully for you. But the bottom line is, is that we need it to work for us too. So how do we make all of this come together? More often than not, what I’ve seen out of the assessors, while sure they have their system, they’re also generally amenable to having conversations around, okay, how can we play in the sandbox together, make this work for everybody, make it more efficient. It’s going to take a little bit of adjustment, a little bit of give and take on both ends to find out where that middle ground is. But more often than not, assessors get it. They set up their systems to make their business efficient, but they didn’t set their system up to make your business efficient. So, have those conversations and see if you can work through it and figure it out. 
Generally speaking, the assessors are pretty good with being able to have those dialogues, have those discussions, make adjustments.

The other side of it is in some cases, the assessor may already be working on a platform, which will be readily able to facilitate both sides of that. It just depends. The important part about that notion, with the assessor-side systems, is whether the model for how it works gives you the capability to effectively take control of the licensing for whatever they’re using, if they’re using a third party system, not their own internal proprietary thing. Some of the third party systems have the ability to cater to folks going through it, and the assessors of the world. So, maybe it’s just a simple licensing switch. That said, the other thing to keep in mind about using something like the TCT Portal, is that it was originally set up for both companies going through it, and assessors on the other end of the spectrum. In our case, if the assessor originally works with us and gets a client on, but now the client ends up departing, and the client wants to basically take over the licensing for the portal, it’s really easy to switch the license over to the client, and they can continue using the same system that they’ve been using all along. The more interesting part is that we’ve seen many organizations start using the portal, and they start having conversations with their assessor about it, and the assessor gets jazzed and says, yeah, I’m not enamored with our existing internal process, it can use some improvement, or I’m tired of maintaining it. And so, they’ve got the ability to just use the TCT Portal for doing that as well.

So, there’s a lot of options that you’ve got out there for going down that path. At the end of the day, for the company going through it, make your own damn business more effective, and more efficient. For the folks that are the managers, middle management, executives, they probably don’t have any clue just how much pain their internal people are going through, and how much time, complication, and pain they could save their internal personnel, with a systematic shift to being able to manage it better. After that conversation of figuring out your own system, trying to figure things out with your existing assessor, you may run into a situation where the assessor basically says, no, you either use our system, or move on, right? And so if the company has to go ahead and make the switch, companies could burn more internal time than they spend on the assessment. So, you’ve got to look at it from the operational efficiency of your own company and think, how can we make it better? There’s tons of ways. I mean, the assessor world’s like anything else, right? There’s ones that are fantastic to work with, there’s ones that are awful to work with. But bottom line, if it’s not working out, then move on if you have to.

Certainly, if folks are looking for a change, or looking for recommendations, TCT knows a ton of great assessors out there that happen to be using an amazing compliance management platform, and we can connect them up with folks. When I get those types of inquiries, it’s important to me because, every assessment firm has a different feel or culture. They do. That’s true. Yeah. And they approach things differently. Some of the organizations, they’re easy going. Some of them are just check the box type of organizations, it’s their
Some of them are extremely prim, proper, and they’re very rigid. Some of them are prim and proper, but they’re a little more flexible in approach. So what I like to do when I got those requests is, I like to learn a little bit about the target organization, a little bit about their internal culture, so when I go ahead and connect them up with an assessment firm, I’ve got a pretty good sense that the connection is going to be a good one. I hate making recommendations to people, and have it end up not working out, you know what I mean? Sure. No, that makes a ton of sense to me.

Any other parting shots or thoughts on this topic? Well, bottom line is, this is your data. It’s your freaking data. Own it. Own your own data, own your own process. Stop putting your internal personnel through 18 dimensions of hell when they’re trying to get through their compliance thing. Here’s the sickest part about the whole thing, right? It does not need to be this painful. It doesn’t have to be. And so do yourself a favor, seriously. Go have a conversation with whoever’s that eye of the compliance hurricane in your organization. Just go take them to lunch. Just sit down and ask them, how much does this suck? What are the problems that you’re running into? What are some of the challenges that you have? How hard is this? What are some of the painful things for you to be able to tell us when we’re just coming in and asking innocent questions? Ask them that stuff, because you’re actually going to learn a lot about how much it sucks for everybody in that compliance arena, especially when it’s not a systematic based approach. You’re actually going to be floored at just how many things they end up coming up with, if they sit down and open their mouth. A lot of them quite frankly, it depends on the culture of the organization, but many of them are scared to gripe, they’re scared to complain. They don’t want to be seen as a problem. If you go to them and you start asking, because you wanna help, you may be surprised at how much they open up, and how much they start sharing with you. And, you may be shocked at just how much wasted time is being burned on the inside of your organization. You could systematically streamline the process, and do it more effectively, efficiently and immediately.

That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
